I am recompiling ntp with a FIPS compliant openssl.
I have compiled and installed the fips compliant openssl to
/tmp/openssl.
I have checked out ntp version 4.2.4p7-1
I have configured/installed ntp in the following fashion
bootstrap
configure -with-openssl-libdir=/tmp/openssl/usr/local/ssl/fips/lib
-with-openssl-incdir=/tmp/openssl/usr/local/ssl/fips/include/openssl
make
make install prefix=/tmp/ntp
I have packaged what was placed in /tmp/ntp and installed it on a system
with the fips compliant openssl installed
When I launch ntpd with the following command line
/usr/sbin/ntpd -c /etc/ntp.conf.vmware -u ntp:ntp -p /var/run/ntpd.pid
The ntpd.pid file is created but the process does not launch (the pid in
the .pid file does not exist when running ps -ef | grep ntp).
Is there a place I can look to find out what might be happening?
Thanks,
Anna.
Presumably the resulting ntpd binary has a reference to a
libcrypto*.so. I'm betting that reference is to
/tmp/openssl/.../libcrypto*.so, and that file is not present in that
location on the target system.
Cheers,
Dave Hart
Hello Dave and all -
Regarding the potentially missing libcrypto.so ...
I have run ldd on the ntpd versions I have (pre-upgraded/non openssl fips and upgraded/openssl FIPS) and see this list
Working ntpd version 4.2.2p1-9
libm.so.6
libcrypto.so.6
libcap.so.1
libc.so.6
libdl.so.2
libz.so.1
ld-linux-x86-64.so.2
Non-working ntpd version 4.2.4p7
libm.so.6
libc.so.6
ld-linux-x86-64.so.2
I don't understand why libcrypto is not included in my newly built ntpd? All libs in my newly created ntpd are found.
I am in experimental mode and have changed my configure line to this
./configure --with-openssl-libdir=/tmp/openssl/lib --with-openssl-incdir=/tmp/openssl/include/openssl --with-crypto=openssl CPPFLAGS="-I/tmp/openssl/include -L/tmp/openssl/lib" LDFLAGS=-L/tmp/openssl/lib
I get the same library results with this configure line.
Any further ideas you might have would be greatly appreciated.
Anna.
Take a look at the gcc command line that links ntpd. My hunch is it
is referencing libcrypto.a instead of libcrypto.so, so OpenSSL is
being linked in statically. If so, you need to rebuild OpenSSL for
shared instead of static libs.
Cheers,
Dave Hart
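
Added example, not part of the thread and not code from the ntp project: a shell sketch of the two checks Dave suggests, classifying `ldd` output for a libcrypto reference and deciding whether a link line would pull in libcrypto.a or libcrypto.so. The function names, the sample link line and the scratch directory are assumptions made for illustration; the `ldd` sample reuses the library names listed for the 4.2.4p7 build.

```shell
#!/bin/sh
# Read `ldd` output on stdin and report how libcrypto is referenced:
#   dynamic (resolved), missing ("not found"), absent (no reference at all).
ldd_crypto_state() {
    awk '/libcrypto/ { r = (/not found/) ? "missing" : "dynamic"; exit }
         END { print (r == "" ? "absent" : r) }'
}

# Given a link command line in $1, report which libcrypto the linker uses.
# GNU ld applies every -L to every -l and, within one directory, prefers
# libcrypto.so over libcrypto.a. Naive whitespace splitting of the line.
link_crypto_kind() {
    dirs=""; want=""; kind="none"
    for arg in $1; do
        case "$arg" in
            -L*)            dirs="$dirs ${arg#-L}" ;;
            -lcrypto)       want=1 ;;
            *libcrypto.a)   kind="static" ;;
            *libcrypto.so*) kind="shared" ;;
        esac
    done
    if [ -n "$want" ] && [ "$kind" = "none" ]; then
        kind="system-default"   # not found in any -L dir: default search path
        for d in $dirs; do
            if [ -e "$d/libcrypto.so" ]; then kind="shared"; break
            elif [ -e "$d/libcrypto.a" ]; then kind="static"; break
            fi
        done
    fi
    echo "$kind"
}

# Constructed input: library names as listed for the 4.2.4p7 build.
demo_ldd='libm.so.6
libc.so.6
ld-linux-x86-64.so.2'
printf 'ldd says: %s\n' "$(printf '%s\n' "$demo_ldd" | ldd_crypto_state)"

# Constructed link line; scratch -L directory holding only libcrypto.a.
demo_dir=$(mktemp -d)
: > "$demo_dir/libcrypto.a"
demo_link="gcc -o ntpd ntpd.o -L$demo_dir -lcrypto"
printf 'linker picks: %s\n' "$(link_crypto_kind "$demo_link")"
rm -rf "$demo_dir"
```

An `absent` result from `ldd` combined with `static` from the link line matches the static-link hunch; `absent` combined with `none` means the link step never referenced libcrypto at all.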