Recompiling ntp with FIPS openssl

Recompiling ntp with FIPS openssl

Post by anna.gella » Sat, 12 Dec 2009 02:26:09


Hello all -



I am recompiling ntp with a FIPS compliant openssl.

I have compiled and installed the fips compliant openssl to
/tmp/openssl.

I have checked out ntp version 4.2.4p7-1



I have configured/installed ntp in the following fashion

bootstrap

configure --with-openssl-libdir=/tmp/openssl/usr/local/ssl/fips/lib --with-openssl-incdir=/tmp/openssl/usr/local/ssl/fips/include/openssl

make

make install prefix=/tmp/ntp



I have packaged what was placed in /tmp/ntp and installed it on a system
with the FIPS compliant openssl installed.



When I launch ntpd with the following command line

/usr/sbin/ntpd -c /etc/ntp.conf.vmware -u ntp:ntp -p /var/run/ntpd.pid



The ntpd.pid file is created but the process does not launch (the pid in
the .pid file does not exist when running ps -ef | grep ntp).



Is there a place I can look to find out what might be happening?
Thanks,

Anna.
 
 
 

Recompiling ntp with FIPS openssl

Post by maye » Wed, 16 Dec 2009 00:01:15


Can you provide a reference to the FIPS compliance information and where
you got this version of openssl? I've never heard of a FIPS compliant
openssl.


Please upgrade to either 4.2.4p8 or get the new stable release 4.2.6.
There's a security bug fix in those versions.


Are you sure no other version of ntpd is running? Are you launching this
with privileges? What does the syslog say? What O/S and version are you
running?


The first place to look is the syslog.

Danny



 
 
 

Recompiling ntp with FIPS openssl

Post by davehar » Wed, 16 Dec 2009 00:44:54


[...]

Presumably the resulting ntpd binary has a reference to a
libcrypto*.so. I'm betting that reference is to
/tmp/openssl/.../libcrypto*.so, and that file is not present in that
location on the target system.

Cheers,
Dave Hart
 
 
 

Recompiling ntp with FIPS openssl

Post by anna.gella » Thu, 17 Dec 2009 02:41:18

Thanks, Dave, for pointing me in a direction (I hate being directionless).

Hello Dave and all -

Regarding the potentially missing libcrypto.so ...
I have run ldd on the ntpd versions I have (pre-upgrade/non-FIPS openssl and upgraded/FIPS openssl) and see this list:

Working ntpd version 4.2.2p1-9
libm.so.6
libcrypto.so.6
libcap.so.1
libc.so.6
libdl.so.2
libz.so.1
ld-linux-x86-64.so.2

Non-working ntpd version 4.2.4p7
libm.so.6
libc.so.6
ld-linux-x86-64.so.2

I don't understand why libcrypto is not included in my newly built ntpd. All libs in my newly created ntpd are found.
I am in experimental mode and have changed my configure line to this:
./configure --with-openssl-libdir=/tmp/openssl/lib --with-openssl-incdir=/tmp/openssl/include/openssl --with-crypto=openssl CPPFLAGS="-I/tmp/openssl/include -L/tmp/openssl/lib" LDFLAGS=-L/tmp/openssl/lib
I get the same library results with this configure line.

Any further ideas you might have would be greatly appreciated.

Anna.



 
 
 

Recompiling ntp with FIPS openssl

Post by Dave Har » Thu, 17 Dec 2009 19:36:30


Take a look at the gcc command line that links ntpd. My hunch is it
is referencing libcrypto.a instead of libcrypto.so, so OpenSSL is
being linked in statically. If so, you need to rebuild OpenSSL for
shared instead of static libs.

Cheers,
Dave Hart
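An added example (mine, not from the thread) that turns Dave's two checks into a script: classify the gcc link line, read the ldd output for a libcrypto dependency, and combine them into the verdict the thread arrives at. The sample link lines and ldd listings are constructed, modelled on the output quoted above; in practice you would paste in the link command printed by make and the output of ldd on the built ntpd.

```shell
#!/bin/sh
# Added example (not from the thread): mechanise the two checks suggested above.
#  1) classify the gcc link command (explicit libcrypto.a vs libcrypto.so vs -lcrypto)
#  2) read ldd output for a libcrypto dependency
# Every sample string below is constructed, modelled on the listings in the thread.

SAMPLE_STATIC_LINK='gcc -o ntpd ntpd.o ntp_config.o /tmp/openssl/lib/libcrypto.a -lm'
SAMPLE_SHARED_LINK='gcc -o ntpd ntpd.o ntp_config.o -L/tmp/openssl/lib -lcrypto -lm'

# Constructed ldd output: no libcrypto at all (the non-working 4.2.4p7 listing)
SAMPLE_LDD_NOCRYPTO='  libm.so.6 => /lib64/libm.so.6 (0x0000)
  libc.so.6 => /lib64/libc.so.6 (0x0000)
  /lib64/ld-linux-x86-64.so.2 (0x0000)'
# Constructed ldd output: dynamic libcrypto present (the working 4.2.2p1 listing)
SAMPLE_LDD_CRYPTO='  libm.so.6 => /lib64/libm.so.6 (0x0000)
  libcrypto.so.6 => /lib64/libcrypto.so.6 (0x0000)
  libc.so.6 => /lib64/libc.so.6 (0x0000)'

# classify_link_line LINE -> static | shared | lcrypto | none
# "lcrypto" means the linker was asked for -lcrypto and picked whatever it found
# under -L: the .so if one exists, otherwise libcrypto.a (a silent static link).
classify_link_line() {
    case " $1 " in
        *libcrypto.a*)     echo static ;;
        *libcrypto.so*)    echo shared ;;
        *" -lcrypto "*)    echo lcrypto ;;
        *)                 echo none ;;
    esac
}

# crypto_dep_from_ldd LDD_OUTPUT -> the libcrypto soname ldd lists, or "absent"
crypto_dep_from_ldd() {
    printf '%s\n' "$1" |
        awk '/libcrypto\.so/ { print $1; found = 1 } END { if (!found) print "absent" }'
}

# diagnose LINK_LINE LDD_OUTPUT -> static | dynamic:<soname> | unlinked
diagnose() {
    _link=$(classify_link_line "$1")
    _dep=$(crypto_dep_from_ldd "$2")
    if [ "$_dep" != absent ]; then
        echo "dynamic:$_dep"   # the target system must ship this file (Dave's first hunch)
    elif [ "$_link" != none ]; then
        echo static            # OpenSSL went in, yet nothing dynamic: libcrypto.a won (second hunch)
    else
        echo unlinked          # configure never wired OpenSSL into the link at all
    fi
}

diagnose "$SAMPLE_STATIC_LINK" "$SAMPLE_LDD_NOCRYPTO"   # prints: static
```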