From 30d20b716e66b1f85838cb182cf559a5dbb74f8d Mon Sep 17 00:00:00 2001
From: Reyk Floeter
Date: Tue, 10 Feb 2015 06:40:09 +0000
Subject: Add support for "constraints": when configured, ntpd(8) will query the time from HTTPS servers, by parsing the Date: header, and use the median constraint time as a boundary to verify NTP responses. This adds some level of authentication and protection against MITM attacks while preserving the accuracy of the NTP protocol; without relying on authentication options for NTP that are basically unavailable at present. This is an initial implementation and the semantics will be improved once it is in the tree. Discussed with deraadt@ and henning@ OK henning@
---
 usr.sbin/ntpd/config.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'usr.sbin/ntpd/config.c')
diff --git a/usr.sbin/ntpd/config.c b/usr.sbin/ntpd/config.c
index e2443e65445..35d7b31f742 100644
--- a/usr.sbin/ntpd/config.c
+++ b/usr.sbin/ntpd/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.25 2015/02/08 04:54:15 reyk Exp $ */
+/* $OpenBSD: config.c,v 1.26 2015/02/10 06:40:08 reyk Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -33,6 +33,7 @@ struct ntp_addr *host_v4(const char *);
 struct ntp_addr *host_v6(const char *);
 static u_int32_t maxid = 0;
+static u_int32_t constraint_maxid = 0;
 void
 host(const char *s, struct ntp_addr **hn)
@@ -193,3 +194,16 @@ new_sensor(char *device)
 return (s);
 }
+
+struct constraint *
+new_constraint(void)
+{
+ struct constraint *p;
+
+ if ((p = calloc(1, sizeof(struct constraint))) == NULL)
+ fatal("new_constraint calloc");
+ p->id = ++constraint_maxid;
+
+ return (p);
+}
+
-- 
cgit v1.2.3
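Review bot: new_constraint() in the last hunk carries no comment, and the one contract a caller can rely on — a zeroed struct whose id is taken from the file-static constraint_maxid counter added in the hunk at line 33, so ids are process-unique, start at 1 and are never reused — is worth stating above the definition, e.g. `/* Allocate a zeroed constraint; ids are per-process unique, start at 1 and are never reused (plain u_int32_t counter, no wrap check). */`. The final added line leaves config.c ending with an empty line, which OpenBSD style diffs usually drop. `calloc(1, sizeof(struct constraint))` could be spelled `calloc(1, sizeof(*p))` so the size stays tied to the variable, though if the neighbouring new_sensor() (its body is outside the hunk) uses the same spelling, consistency with it wins.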