static int nts_server_connections = 100;
static int nts_refresh = 2419200; /* 4 weeks */
static int nts_rotate = 604800; /* 1 week */
-static ARR_Instance nts_trusted_certs_files; /* array of (char *) */
+static ARR_Instance nts_trusted_certs_paths; /* array of (char *) */
/* Number of clock updates needed to enable certificate time checks */
static int no_cert_time_check = 0;
nts_server_cert_files = ARR_CreateInstance(sizeof (char *));
nts_server_key_files = ARR_CreateInstance(sizeof (char *));
- nts_trusted_certs_files = ARR_CreateInstance(sizeof (char *));
+ nts_trusted_certs_paths = ARR_CreateInstance(sizeof (char *));
rtc_device = Strdup(DEFAULT_RTC_DEVICE);
hwclock_file = Strdup(DEFAULT_HWCLOCK_FILE);
Free(*(char **)ARR_GetElement(nts_server_cert_files, i));
for (i = 0; i < ARR_GetSize(nts_server_key_files); i++)
Free(*(char **)ARR_GetElement(nts_server_key_files, i));
- for (i = 0; i < ARR_GetSize(nts_trusted_certs_files); i++)
- Free(*(char **)ARR_GetElement(nts_trusted_certs_files, i));
+ for (i = 0; i < ARR_GetSize(nts_trusted_certs_paths); i++)
+ Free(*(char **)ARR_GetElement(nts_trusted_certs_paths, i));
ARR_DestroyInstance(init_sources);
ARR_DestroyInstance(ntp_sources);
ARR_DestroyInstance(nts_server_cert_files);
ARR_DestroyInstance(nts_server_key_files);
- ARR_DestroyInstance(nts_trusted_certs_files);
+ ARR_DestroyInstance(nts_trusted_certs_paths);
Free(drift_file);
Free(dumpdir);
static void
parse_ntstrustedcerts(char *line)
{
- char *file = NULL;
+ char *path = NULL;
- parse_string(line, &file);
- ARR_AppendElement(nts_trusted_certs_files, &file);
+ parse_string(line, &path);
+ ARR_AppendElement(nts_trusted_certs_paths, &path);
}
/* ================================================== */
/* ================================================== */
int
-CNF_GetNtsTrustedCertsFiles(const char ***files)
+CNF_GetNtsTrustedCertsPaths(const char ***paths)
{
- *files = ARR_GetElements(nts_trusted_certs_files);
+ *paths = ARR_GetElements(nts_trusted_certs_paths);
- return ARR_GetSize(nts_trusted_certs_files);
+ return ARR_GetSize(nts_trusted_certs_paths);
}
/* ================================================== */
seconds) in order to refresh the keys authenticating NTP packets. The default
value is 2419200 (4 weeks).
-[[ntstrustedcerts]]*ntstrustedcerts* _file_::
-This directive specifies a file containing certificates (in the PEM format) of
-trusted certificate authorities (CA) that should be used to verify certificates
-of NTS servers in addition to the system's default trusted CAs (if the
-*nosystemcert* directive is not present).
-+
-This directive can be used multiple times to specify multiple files with
-trusted certificates.
+[[ntstrustedcerts]]*ntstrustedcerts* _file_|_directory_::
+This directive specifies a file or directory containing certificates (in the
+PEM format) of trusted certificate authorities (CA) that should be used to
+verify certificates of NTS servers in addition to the system's default trusted
+CAs (if the *nosystemcert* directive is not present).
++
+This directive can be used multiple times to specify multiple files and/or
+directories with trusted certificates.
[[nosystemcert]]*nosystemcert*::
This directive disables the system's default trusted CAs.
if (trusted_certs) {
for (i = 0; i < n_trusted_certs; i++) {
- r = gnutls_certificate_set_x509_trust_file(credentials, trusted_certs[i],
- GNUTLS_X509_FMT_PEM);
+ struct stat buf;
+
+ if (stat(trusted_certs[i], &buf) == 0 && S_ISDIR(buf.st_mode))
+ r = gnutls_certificate_set_x509_trust_dir(credentials, trusted_certs[i],
+ GNUTLS_X509_FMT_PEM);
+ else
+ r = gnutls_certificate_set_x509_trust_file(credentials, trusted_certs[i],
+ GNUTLS_X509_FMT_PEM);
if (r < 0)
goto error;
+
+ DEBUG_LOG("Added %d trusted certs from %s", r, trusted_certs[i]);
}
}
}
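Review bot: A configured path that loads zero certificates is accepted silently; gnutls_certificate_set_x509_trust_dir() and _file() return the number of certificates processed, and the new code only treats `r < 0` as an error, so a directory with no PEM files (or a wrong suffix convention) leaves the trust store smaller than the operator intended with only a DEBUG_LOG line to show it. Right after the `goto error` check, a warning would surface the misconfiguration without changing the error path, e.g. `if (r == 0) LOG(LOGS_WARN, "No trusted certs found in %s", trusted_certs[i]);`. The stat() probe is only a dispatch hint — if the path cannot be stat'ed or changes between the check and the load, the file loader runs and its error still propagates, which seems the right behaviour, but a one-line comment saying so (`/* stat failure falls through to the file loader, whose error is reported */`) would save the next reader the analysis. The hunk does not show a `<sys/stat.h>` include for struct stat/S_ISDIR; presumably it is added elsewhere in the commit or already present. The enclosing function begins outside the hunk.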