FS#64050 - [openntpd] build against libressl

Attached to Project: Community Packages
Opened by nl6720 (nl6720) - Monday, 07 October 2019, 09:56 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 21 January 2021, 01:28 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 5
Private No

Details

Description:
OpenNTPD's "constraint" feature requires it to be built against LibreSSL.
Since libressl will be moved to community (at the time of writing it is in community-testing), please build openntpd against libressl.


Additional info:
* package version(s): openntpd 6.2p3-3


Steps to reproduce:
https://jlk.fjfi.cvut.cz/arch/manpages/man/ntpd.conf.5#CONSTRAINTS

Closed by Levente Polyak (anthraxx)
Thursday, 21 January 2021, 01:28 GMT
Reason for closing: Fixed
Additional comments about closing: 6.8p1-1
Comment by T.J. Townsend (blakkheim) - Sunday, 24 May 2020, 15:19 GMT
Anyone still considering this?

The default ntpd.conf in the Arch package uses the "constraints" feature, but it doesn't work with OpenSSL.
Comment by Pekka Helenius (Fincer) - Saturday, 15 August 2020, 10:09 GMT
This is a valid bug.

Correct CFLAGS for LibreSSL support on Arch Linux systems are (PKGBUILD's build() section):

CFLAGS+=' -fcommon -L/usr/lib/libressl/ -Wl,-rpath,/usr/lib/libressl/'

Obviously, 'openssl' dependency should be replaced with 'libressl'.

Unfortunately, another issue may still arise in the certificate validation process during constraint checks: the OpenBSD kernel implements the functions 'unveil' and 'pledge', which are used in OpenNTPD to ease very strict daemon process permissions. Since Linux has no such functions, easing permissions does not happen. However, this is still required for reading the certificate file (/etc/ssl/cert.pem), needed by OpenNTPD constraint checks. Ultimately, reading the certificate file fails on Linux systems because the needed permissions (read) cannot be altered (due to missing kernel functionality/OpenNTPD code implementation), and therefore constraint checks fail even if OpenNTPD is successfully linked against the LibreSSL library.

--------------------

I have implemented an experimental OpenSSL support to OpenNTPD, and circumvented failed CA checks. For details, see:

https://github.com/Fincer/openntpd-openssl

Short blog post: https://fjordtek.com/categories/news/2020/openntpd-now-with-openssl-support/
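Whether a build actually picked up LibreSSL with the flags above can be checked on the resulting binary. The following is an added example (not code from the bug report, from the openntpd package or from the linked repository): a POSIX shell check over `readelf -d` output that confirms ntpd NEEDs libtls (the TLS API constraint.c is written against, which OpenSSL does not provide) and carries an RPATH/RUNPATH into /usr/lib/libressl, the directory the -Wl,-rpath flag points at. The readelf excerpts and their sonames are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the bug report or the openntpd package: check that an
# ntpd binary was really linked against Arch's LibreSSL tree (/usr/lib/libressl/),
# as the CFLAGS in the comment above intend, rather than against system OpenSSL.

# check_libressl_link READELF_DYNAMIC_OUTPUT
# Prints "ok" and returns 0 when the dynamic section (a) NEEDs libtls, the TLS API
# constraint.c uses and which only LibreSSL ships, and (b) carries an RPATH/RUNPATH
# into /usr/lib/libressl, so the loader finds LibreSSL's libraries without relying
# on ld.so.conf. Otherwise prints the first problem found and returns 1.
check_libressl_link() {
    dyn="$1"
    printf '%s\n' "$dyn" | grep -Eq '\(NEEDED\).*\[libtls\.so' \
        || { echo "missing libtls"; return 1; }
    printf '%s\n' "$dyn" | grep -Eq '\((RPATH|RUNPATH)\).*/usr/lib/libressl' \
        || { echo "no rpath into /usr/lib/libressl"; return 1; }
    echo "ok"
}

# Constructed readelf -d excerpts (sonames are illustrative, not Arch's actual ones).
GOOD_READELF=' 0x0000000000000001 (NEEDED)             Shared library: [libtls.so.20]
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.48]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.46]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/usr/lib/libressl/]'

# Linked against system OpenSSL: no libtls at all, so constraints cannot work.
OPENSSL_READELF=' 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Built with -L/usr/lib/libressl/ but without -Wl,-rpath: links, but only loads
# if /usr/lib/libressl is already in the loader's search path.
NORPATH_READELF=' 0x0000000000000001 (NEEDED)             Shared library: [libtls.so.20]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Stand-alone demo; on a real system: check_libressl_link "$(readelf -d /usr/bin/ntpd)"
printf 'libressl build: %s\n' "$(check_libressl_link "$GOOD_READELF" || true)"
printf 'openssl build:  %s\n' "$(check_libressl_link "$OPENSSL_READELF" || true)"
printf 'no rpath:       %s\n' "$(check_libressl_link "$NORPATH_READELF" || true)"
```

The two checks are deliberately separate: a binary that NEEDs libtls but has no RUNPATH may still start on a box whose ld.so.conf lists /usr/lib/libressl, and then fail on a clean install, so the second check catches a PKGBUILD that set -L but dropped -Wl,-rpath.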
Comment by T.J. Townsend (blakkheim) - Saturday, 15 August 2020, 14:29 GMT
It may be worth asking the OpenNTPD portable maintainer (Brent Cook) about a newer release. The code in OpenBSD has changed significantly since the last portable release. The situation you describe may be better or may need a different workaround now.
Comment by Pekka Helenius (Fincer) - Saturday, 15 August 2020, 15:05 GMT
Yeah, might be worth it. The code has changed in some parts, I agree.

OpenNTPD's internal code structure (src/constraint.c) has never had an implementation for OpenSSL, so the Arch Linux openssl dependency is simply misleading and invalid.

If the certificate read permission issue I mentioned is valid on Linux, I think it is something Brent Cook might have a word for, and an actual solution.

My PKGBUILD (in the GitHub repo linked above) fetches and compiles git sources for the portable OpenNTPD version. If you want to use the latest official portable OpenNTPD version but without my patches, just delete all my patch stuff from the PKGBUILD, delete the #commit hash from the source array and compile OpenNTPD using the mentioned LibreSSL CFLAGS, and it should be ok.
Comment by T.J. Townsend (blakkheim) - Friday, 01 January 2021, 20:14 GMT
This appears to be fixed in the 6.8p1 release for me. Building against LibreSSL results in working constraints. Can anyone else confirm with this diff?
Comment by Levente Polyak (anthraxx) - Sunday, 10 January 2021, 20:05 GMT
please test openntpd-6.8p1-1, feedback welcome
Comment by T.J. Townsend (blakkheim) - Sunday, 10 January 2021, 20:27 GMT
The community-testing package works fine for me.
Comment by nl6720 (nl6720) - Monday, 11 January 2021, 10:29 GMT
Using openntpd-6.8p1-1, the constraint feature doesn't work for me.

With:

constraints from "https://www.google.com/"

I get:

constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraints configured but none available

It looks like openntpd needs to be built with '--with-cacert' and depend on ca-certificates, but even when rebuilding it with that option, it still didn't work.
Comment by T.J. Townsend (blakkheim) - Monday, 11 January 2021, 16:21 GMT
Can't reproduce the issue mentioned above with the package in community-testing. Constraints work fine here:

/etc/ntpd.conf:
server 172.16.1.1
constraint from "https://google.com"

# ntpd -dv
ntp engine ready
constraint reply from 142.250.68.46: offset -3.904563
cancel settime because offset is negative or close enough
peer 172.16.1.1 now valid
adjusting local clock by -3.788529s
[...]
Comment by nl6720 (nl6720) - Monday, 11 January 2021, 17:16 GMT
Ok, my issue is because of AppArmor:

kernel: audit: type=1400 audit(1610382970.506:1110): apparmor="DENIED" operation="open" profile="ntpd" name="/etc/libressl/cert.pem" pid=118996 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I can solve it by editing /etc/apparmor.d/local/usr.sbin.ntpd and adding:

/etc/libressl/ r,
/etc/libressl/cert.pem r,

I will submit a fix upstream to AppArmor.

Now my question is, should openntpd really use /etc/libressl/cert.pem? Building it with '--with-cacert=/etc/ssl/cert.pem' doesn't change the file it tries to access.


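The root cause in the comment above was found by reading a kernel audit line and transcribing the denied path into a local AppArmor rule. The following is an added example (not code from the bug report or from the AppArmor project): a POSIX shell filter that turns AppArmor `DENIED` audit lines for a given profile into the `path mask,` rules to append under /etc/apparmor.d/local/. The audit lines fed to it are constructed, modelled on the one quoted above, and the extra `sshd` profile line is hypothetical, included only to show that other profiles are filtered out.

```sh
#!/bin/sh
# Added example, not from the bug report or from AppArmor: turn the kernel audit
# DENIED lines AppArmor emits (like the one quoted above) into the file rules to put
# in /etc/apparmor.d/local/usr.sbin.ntpd, instead of hand-transcribing paths.

# Constructed sample audit lines, modelled on the one posted above. The third line
# (ALLOWED, as logged in complain mode) and the fourth (a different, hypothetical
# sshd profile) must both be ignored when generating rules for ntpd.
SAMPLE_AUDIT='kernel: audit: type=1400 audit(1610382970.506:1110): apparmor="DENIED" operation="open" profile="ntpd" name="/etc/libressl/cert.pem" pid=118996 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1610382970.507:1111): apparmor="DENIED" operation="open" profile="ntpd" name="/etc/libressl/" pid=118996 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1610382970.508:1112): apparmor="ALLOWED" operation="open" profile="ntpd" name="/etc/ntpd.conf" pid=118996 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1610382970.509:1113): apparmor="DENIED" operation="open" profile="sshd" name="/etc/libressl/cert.pem" pid=119000 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# audit_to_rules PROFILE < audit-lines
# Prints one "<path> <denied_mask>," rule per distinct file-open denial for PROFILE.
# Only operation="open" is handled (the case in this thread); the mask comes from
# denied_mask, so the rule grants exactly what was refused and nothing more.
audit_to_rules() {
    profile="$1"
    grep -F 'apparmor="DENIED"' \
      | grep -F "profile=\"$profile\"" \
      | grep -F 'operation="open"' \
      | sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2,/p' \
      | LC_ALL=C sort -u
}

# Stand-alone demo; on a real system feed it the kernel log, for example:
#   journalctl -k | audit_to_rules ntpd
printf '%s\n' "$SAMPLE_AUDIT" | audit_to_rules ntpd
```

Review the output before appending it to the local profile: a denied mask of `r` on /etc/libressl/ and /etc/libressl/cert.pem is exactly what the thread needed, whereas a denial with `w` or `x` in the mask on a path the daemon has no business touching points at a bug in the daemon, not at a missing rule.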
Comment by Levente Polyak (anthraxx) - Thursday, 14 January 2021, 00:55 GMT
If --with-cacert doesn't do what it should, that would be an upstream issue. But I don't see why using /etc/libressl/cert.pem would be the wrong thing to do.
Comment by nl6720 (nl6720) - Thursday, 14 January 2021, 05:21 GMT
I just find it odd that libressl ships with its own certs. I opened FS#69298 for that issue.
Anyway, openntpd-6.8p1-1 seems to work fine.
