FS#64050 - [openntpd] build against libressl
Attached to Project:
Community Packages
Opened by nl6720 (nl6720) - Monday, 07 October 2019, 09:56 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 21 January 2021, 01:28 GMT
Details
Description:
OpenNTPD's "constraint" feature requires it being built against LibreSSL. Since libressl will be moved to community (at the time of writing it is in community-testing), please build openntpd against libressl.
Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any
openntpd 6.2p3-3
Steps to reproduce:
https://jlk.fjfi.cvut.cz/arch/manpages/man/ntpd.conf.5#CONSTRAINTS
This task depends upon
Closed by Levente Polyak (anthraxx)
Thursday, 21 January 2021, 01:28 GMT
Reason for closing: Fixed
Additional comments about closing: 6.8p1-1
The default ntpd.conf in the Arch package uses the "constraints" feature, but it doesn't work with OpenSSL.
Correct CFLAGS for LibreSSL support on Arch Linux systems are (PKGBUILD's build() section):
CFLAGS+=' -fcommon -L/usr/lib/libressl/ -Wl,-rpath,/usr/lib/libressl/'
Obviously, 'openssl' dependency should be replaced with 'libressl'.
Unfortunately, another issue may still arise in the certificate validation process during constraint checks: the OpenBSD kernel implements the functions 'unveil' and 'pledge', which are used in OpenNTPD to ease the very strict daemon process permissions. Since Linux has no such functions, the easing of permissions does not happen. However, this is still required for reading the certificate file (/etc/ssl/cert.pem), which the OpenNTPD constraint checks need. Ultimately, reading the certificate file fails on Linux systems because the needed (read) permissions cannot be altered (due to the missing kernel functionality and the OpenNTPD code implementation), and therefore constraint checks fail even if OpenNTPD is successfully linked against the LibreSSL library.
--------------------
I have implemented experimental OpenSSL support in OpenNTPD, and circumvented the failed CA checks. For details, see:
https://github.com/Fincer/openntpd-openssl
Short blog post: https://fjordtek.com/categories/news/2020/openntpd-now-with-openssl-support/
OpenNTPD's internal code structure (src/constraint.c) has never had an implementation for OpenSSL, so the Arch Linux openssl dependency is simply misleading and invalid.
If the certificate read permission issue I mentioned is valid on Linux, I think it is something Brent Cook might have a word for, and an actual solution.
My PKGBUILD (in the GitHub repo linked above) fetches and compiles the git sources of the portable OpenNTPD version. If you want to use the latest official portable OpenNTPD version but without my patches, just delete all my patch stuff in the PKGBUILD, delete the #commit hash from the source array and compile OpenNTPD using the LibreSSL CFLAGS mentioned above, and it should be ok.
With:
constraints from "https://www.google.com/"
I get:
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraint: failed to load constraint ca
constraints configured but none available
It looks like openntpd needs to be built with '--with-cacert' and depend on ca-certificates, but even when rebuilding it with that option, it still didn't work.
/etc/ntpd.conf:
server 172.16.1.1
constraint from "https://google.com"
# ntpd -dv
ntp engine ready
constraint reply from 142.250.68.46: offset -3.904563
cancel settime because offset is negative or close enough
peer 172.16.1.1 now valid
adjusting local clock by -3.788529s
[...]
kernel: audit: type=1400 audit(1610382970.506:1110): apparmor="DENIED" operation="open" profile="ntpd" name="/etc/libressl/cert.pem" pid=118996 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I can solve it by editing /etc/apparmor.d/local/usr.sbin.ntpd and adding:
/etc/libressl/ r,
/etc/libressl/cert.pem r,
I will submit a fix upstream to AppArmor.
Now my question is, should openntpd really use /etc/libressl/cert.pem? Building it with '--with-cacert=/etc/ssl/cert.pem' doesn't change the file it tries to access.
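As an added illustration (not part of this report or of the openntpd package), a small POSIX sh helper that turns an AppArmor DENIED audit line such as the one above into the two local-profile rules the comment adds; the function names audit_field, denial_to_rules and denial_profile are my own.

```shell
#!/bin/sh
# Constructed sample: the same shape as the audit line quoted in the comment above.
AUDIT_LINE='kernel: audit: type=1400 audit(1610382970.506:1110): apparmor="DENIED" operation="open" profile="ntpd" name="/etc/libressl/cert.pem" pid=118996 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print the value of a key="value" field from an audit line ($1 = line, $2 = key).
# The leading blank keeps e.g. "mask" from matching "denied_mask". Prints nothing if absent.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Turn one AppArmor DENIED line into the profile rules that would permit the access:
# one for the parent directory and one for the file, using the denied mask.
# Returns 1 (and prints nothing) for lines that are not denials or lack the fields.
denial_to_rules() {
    line=$1
    case $line in
        *'apparmor="DENIED"'*) ;;
        *) return 1 ;;
    esac
    path=$(audit_field "$line" name)
    mask=$(audit_field "$line" denied_mask)
    [ -n "$path" ] && [ -n "$mask" ] || return 1
    dir=${path%/*}/
    printf '%s %s,\n' "$dir" "$mask"
    printf '%s %s,\n' "$path" "$mask"
}

# Report the profile that denied the access, so the rules go into the matching
# /etc/apparmor.d/local/ file (for profile "ntpd" that is usr.sbin.ntpd on this page).
denial_profile() {
    audit_field "$1" profile
}

denial_to_rules "$AUDIT_LINE"
```

Feed it real lines with something like `journalctl -k | grep 'apparmor="DENIED"'` and review each generated rule before adding it to the local profile.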
FS#69298 for that issue. Anyway, openntpd-6.8p1-1 seems to work fine.