Created attachment 159041
Remove stray -lmd from LDADD assignment

i386 FreeBSD 10.2-BETA2 r285662

Testing base system ntpd with old keys in /etc/ntp. Saw syslog entries every couple of minutes like the following but the server seemed to operate OK otherwise - as a client of unauthenticating servers.

Jul 21 16:16:53 rwsrv04 ntpd[2169]: crypto_encrypt: error:00000000:lib(0):func(0):reason(0)

Generated new host keys with ntp-keygen. Now ntpd failed to start.

Jul 21 16:55:42 rwsrv04 ntpd[91910]: crypto_key: error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure

An independent build of ntp 4.2.8p3 on 10.2-BETA2 worked fine. ldd(1) revealed that the base system ntpd was linked to libmd but the working ntpd was not. Also the base system ntp-keygen was not linked to libmd. All were linked to libcrypto.

Checked the usr.sbin/ntp/ntpd/Makefile and saw what appeared to be a stray -lmd in the LDADD= assignment at Line 31. Conditional code follows at Line 42 to include libmd ONLY if OpenSSL has been disabled.

I removed the -lmd from Line 31 and rebuilt ntpd. All is good :-)
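The ldd(1) comparison described in the report above, as an added example that is not part of the original thread: it flags a binary whose ldd output lists both libmd and libcrypto. The sample ldd output (library versions, paths, addresses) is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): flag binaries linked to both
# libmd and libcrypto, the state ldd(1) revealed for the failing ntpd.

# Print the base name of each shared library named in ldd(1) output on stdin.
libs_from_ldd() {
    awk '$2 == "=>" { sub(/\.so.*/, "", $1); print $1 }'
}

# Succeed (exit 0) when the ldd output on stdin lists libmd AND libcrypto.
# grep -x matches whole lines, so libm is not mistaken for libmd.
links_md_and_crypto() {
    libs=$(libs_from_ldd)
    printf '%s\n' "$libs" | grep -qx 'libmd' &&
        printf '%s\n' "$libs" | grep -qx 'libcrypto'
}

# Classify one binary from its ldd output on stdin; prints a one-line verdict.
verdict() {
    if links_md_and_crypto; then
        echo "$1: links libmd and libcrypto"
    else
        echo "$1: ok"
    fi
}

# Constructed ldd output (paths, versions and addresses are made up).
SAMPLE_BEFORE='/usr/sbin/ntpd:
    libm.so.5 => /lib/libm.so.5 (0x28100000)
    libmd.so.6 => /lib/libmd.so.6 (0x28200000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x28300000)
    libc.so.7 => /lib/libc.so.7 (0x28400000)'
SAMPLE_AFTER='/usr/sbin/ntpd:
    libm.so.5 => /lib/libm.so.5 (0x28100000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x28300000)
    libc.so.7 => /lib/libc.so.7 (0x28400000)'

if [ "$#" -gt 0 ]; then
    # Real use: pass the binaries to inspect, e.g. the ntpd and ntp-keygen paths.
    for bin in "$@"; do ldd "$bin" | verdict "$bin"; done
else
    printf '%s\n' "$SAMPLE_BEFORE" | verdict 'ntpd (constructed, before)'
    printf '%s\n' "$SAMPLE_AFTER" | verdict 'ntpd (constructed, after)'
fi
```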
Just noticed ${LIBMD} in the DPADD= assignment in Line 30 of ntpd/Makefile. It also seems spurious. I won't be able to test removing it until sometime tomorrow.
Created attachment 159131
Modified patch also removes LIBMD from DPADD line

Built 10.2-BETA2 with this second patch (spurious LIBMD removed from both LDADD and DPADD lines) on two servers and two clients. ntpd crypto works fine for me now.

The particular scenario is two NTP servers providing authenticated time via IPv6 multicast (with Autokey) to a multiple-segment LAN. All host keys were built with ntp-keygen using default settings (RSA-MD5) and IFF parameter files generated on the servers were copied to the keys directory on each of the clients. The clients were configured to use their host keys and listen on the IPv6 multicast address (multicastclient).

ntpq> hostnames no
ntpq> apeers
     remote       refid   assid  st t when poll reach   delay   offset  jitter
==============================================================================
*2001:8000:1000: ca068376  1069   2 b    2   64  377    0.655    0.721   0.035
+2001:8000:1000: dffc2009  1070   2 b   12   64  376    0.589   -0.165   0.153
ntpq> associations

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1  1069  761a    no   yes   ok   sys.peer    sys_peer  1
  2  1070  741a    no   yes   ok  candidate    sys_peer  1
ntpq>
To re@: this needs our attention, the patch proposed seems reasonable to me.
A commit references this bug:

Author: delphij
Date: Fri Jul 24 19:51:53 UTC 2015
New revision: 285856
URL: https://svnweb.freebsd.org/changeset/base/285856

Log:
  MFC r285701:

  Use fixed date/time (the time chosen was the time the import was done on -HEAD) in libntp so we can make reproducible build.

  PR: bin/201661
  Differential Revision: https://reviews.freebsd.org/D3122

  While I'm there also remove libmd from linkage as reported in bin/201738

  PR: bin/201738
  Submitted by: John Marshall

Changes:
_U  stable/10/
  stable/10/usr.sbin/ntp/config.h
  stable/10/usr.sbin/ntp/ntpd/Makefile
A commit references this bug:

Author: delphij
Date: Fri Jul 24 22:08:58 UTC 2015
New revision: 285861
URL: https://svnweb.freebsd.org/changeset/base/285861

Log:
  MFS r285856:

  MFC r285701:

  Use fixed date/time (the time chosen was the time the import was done on -HEAD) in libntp so we can make reproducible build.

  PR: bin/201661
  Differential Revision: https://reviews.freebsd.org/D3122

  While I'm there also remove libmd from linkage as reported in bin/201738

  PR: bin/201738
  Submitted by: John Marshall
  Approved by: re (gjb)

Changes:
_U  releng/10.2/
  releng/10.2/usr.sbin/ntp/config.h
  releng/10.2/usr.sbin/ntp/ntpd/Makefile
Thanks for your submission, this has been committed to stable/10 and releng/10.2.