[ntp:hackers] No OpenSSL in ntpq and ntpdc?

mayer at gis.net
Thu Apr 21 05:55:20 PDT 2005


----- Original Message Follows -----
> Danny,
> 
> >>I don't care either, my projects builds just fine after adding all 
> >>necessary parts from libntp.
> >>
> >What you are missing here is that some of the data structures
> >defined in the header files conditionally add variables that are
> >specific to using OpenSSL. The obvious example is the peer structure
> >in ntp.h. There are a lot of variables that get added when compiled
> >with SSL. The only reason to do it this way is to reduce the amount
> >of memory required. Since libntp is built for ntpd and ntpq and ntpdc
> >you get SSL included or not included based on the way you built it.
> >Building ntpd with OpenSSL and ntpq without OpenSSL requires two
> >separate libntp libraries. Why bother, memory is cheap these days.
> >  
> >
> I'm not quite sure that we understand each other. I know that ntpq
> needs the openssl includes in order to compile and that's just
> because the overall config.h controls whether openssl should be used
> and therefore if ntpd needs to be compiled with openssl support, all
> the rest has to follow (and vice versa).
> 
> I want ntpq to use openssl, and I want ntpdc to use openssl as well.
> Therefore for me it's the desired behaviour that ntpq is built with
> openssl support enabled, just like the rest of the crew.
> 

That's an entirely different matter. Currently ntpq is a readonly
client and does not require authentication to get information from
the server. For that reason it does not need authentication at all.
Let's leave aside the discussion on whether or not to require
authentication to get certain types of information.

> >It's the headers, that's the problem. See above.
> >  
> >
> Nope, the headers are just needed to provide definitions for data 
> structures etc. needed for openssl, and that's what I want. So no 
> problem here.
> 

You misunderstood me. ntpq without SSL can make queries of an SSL
enabled ntpd server just as easily as ntpq with SSL. The headers
are not currently set up to segregate the server-only headers from
the rest or the structures get reused on the client side but the
client ignores those fields.

> >> [...]
> >>
> >>never  get called during the normal execution of the program.
> >>    
> >>
> >
> >I thought this got changed recently. There is no need to check since
> >the OpenSSL code is included in the binary and it will use whatever
> >version is built in. Such a check is only necessary if you are using
> >an external binary like Windows DLL's or VMS's shareable libraries
> >but ntp is not built with a separate OpenSSL binary. I had thought
> >of changing this at least for Windows, but I currently don't want
> >to deal with the issues involved in doing this.
> >  
> >
> OK, that's true for ntpd. It is statically linked against the openssl
> libraries. But ntpq is not (and ntpdc is not linked statically either).
> 
The clients are not dynamically linked against OpenSSL libraries either.
We include no DLL's in the Windows binaries so it makes no difference.
You only need to worry about OpenSSL versioning if it's dynamically
linked.

> So, my question is:
> 
> - Is ntpq capable of using OpenSSL at all? Or is it only using its own
> routines to provide authentication?

Capable yes. Does it? No, not as far as I know. As I said earlier
ntpq is a readonly client. ntpdc is different in that it can issue
commands to the server and requires authentication. 

> - If yes, I understand that this is limiting the auth capabilities to
> MD5 and DES. This may result in a situation where a ntpd using
> different key types (provided by the openssl libraries) cannot be
> queried by ntpq or accessed by ntpdc at all, true?
> 

For ntpq the answer is no. For ntpdc you need to look at the
authentication code. I don't know what you mean by different key types.
The keys MUST be agreed upon by both sides. The server provides (via an
out-of-channel process) the key to the client for it to use. If the
client doesn't have the right key then it can't authenticate. This is a
very normal situation. It has nothing to do with OpenSSL.

Danny
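The point made in the reply above, that an ntpdc-style client only authenticates if it holds the same symmetric key under the same key ID as the server, and that this is independent of OpenSSL, can be shown with the MD5 MAC scheme NTP has used since RFC 1305 (MAC = 32-bit key ID followed by MD5(key || packet)). The following is an added, stand-alone illustration written for this archive page; it is not code from the ntp project. The key file contents, the key names and the minimal 48-byte header are constructed for the example, and the mode-3 header stands in for whatever request is being authenticated, since the MAC is appended the same way.

```python
"""Illustration of NTP symmetric-key (MD5) message authentication.

Added example, not code from ntpd/ntpdc. The MAC appended to an NTP
packet is: keyid (4 bytes, big-endian) || MD5(key || packet).
The peer can only verify it if its own key file maps the same keyid to
the same key, which is why the key has to be distributed out of band.
"""
import hashlib
import hmac
import struct

# Constructed sample ntp.keys-style contents ("keyid type key"); not real keys.
SAMPLE_KEYS_FILE = """\
# keyid type key
1 M ExampleSharedSecret
2 M anotherSecret
"""

MAC_LEN = 4 + 16          # keyid + MD5 digest
HEADER_LEN = 48           # fixed NTP header


def parse_keys(text):
    """Parse ntp.keys-style lines into {keyid: key_bytes}.

    Only type 'M' (MD5 key, given as an ASCII string) is handled here.
    """
    keys = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        keyid, ktype, key = line.split(None, 2)
        if ktype.upper() != 'M':
            raise ValueError("unsupported key type %r" % ktype)
        keys[int(keyid)] = key.encode('ascii')
    return keys


def build_packet():
    """Minimal 48-byte NTPv4 header: LI=0, VN=4, mode=3, everything else zero.

    Constructed stand-in for a request; the MAC handling below does not
    depend on which mode the packet carries.
    """
    first_byte = (0 << 6) | (4 << 3) | 3
    return struct.pack('!B', first_byte) + bytes(HEADER_LEN - 1)


def sign(packet, keyid, keys):
    """Append keyid || MD5(key || packet) to the packet."""
    digest = hashlib.md5(keys[keyid] + packet).digest()
    return packet + struct.pack('!I', keyid) + digest


def verify(message, keys):
    """Return (ok, keyid). An unknown keyid or a different key both fail,
    which is exactly what a peer sees when it was never given the key."""
    if len(message) < HEADER_LEN + MAC_LEN:
        return False, None
    packet, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    keyid = struct.unpack('!I', mac[:4])[0]
    if keyid not in keys:
        return False, keyid
    expected = hashlib.md5(keys[keyid] + packet).digest()
    # Constant-time comparison so verification time does not leak digest bytes.
    return hmac.compare_digest(expected, mac[4:]), keyid


def demo():
    """Sign with the server's key file, then verify with three client key files."""
    server_keys = parse_keys(SAMPLE_KEYS_FILE)
    msg = sign(build_packet(), 1, server_keys)
    return {
        'same_key': verify(msg, server_keys),
        'wrong_key': verify(msg, parse_keys("1 M NotTheSameSecret\n")),
        'missing_keyid': verify(msg, parse_keys("2 M anotherSecret\n")),
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print("%-14s ok=%s keyid=%s" % (name, result[0], result[1]))
```

Only the `same_key` case verifies; a client with a different key under ID 1, or no entry for ID 1 at all, is rejected with the same outcome as a client that never had the key file, independent of how either binary was linked.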



