From jamesb192 at jamesb192.com Thu Mar 2 14:26:14 2023
From: jamesb192 at jamesb192.com (James Browning)
Date: Thu, 2 Mar 2023 06:26:14 -0800 (PST)
Subject: Here are a couple of patches related to seccomp,
In-Reply-To: <142781728.632455.1677578075277@privateemail.com>
References: <142781728.632455.1677578075277@privateemail.com>
Message-ID: <1224159666.847146.1677767174144@privateemail.com>

I wrote and tested these on a bleeding-edge Ubuntu box. I have yet to try this on other Linux flavors.

First is a patch to make the seccomp trap handler on Linux more helpfully verbose. Then a patch that can incrementally tighten the syscall filter to calls listed in a text file.

The patch in the previous mail had the arguments backward for the syscall resolving function.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Attempt-to-make-seccomp-errors-useful-not-Lassie.patch
Type: text/x-patch
Size: 1048 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Remove-seccomp-code-from-sandbox-parsing-a-fixed-tex.patch
Type: text/x-patch
Size: 14994 bytes

From jamesb192 at jamesb192.com Wed Mar 22 12:17:42 2023
From: jamesb192 at jamesb192.com (James Browning)
Date: Wed, 22 Mar 2023 05:17:42 -0700 (PDT)
Subject: Be very quiet, the project is dozing off.
Message-ID: <1883147918.273735.1679487462611@privateemail.com>

This is the second post this month, and it's three weeks after my dropped patches on the first.

-------------- next part --------------
An HTML attachment was scrubbed...
From halmurray at sonic.net Thu Mar 23 07:46:45 2023
From: halmurray at sonic.net (Hal Murray)
Date: Thu, 23 Mar 2023 00:46:45 -0700
Subject: I've broken something
Message-ID: <20230323074645.2401728C209@107-137-68-211.lightspeed.sntcca.sbcglobal.net>

The pipeline fails on:
  Name: ubuntu-latest-basic
  Name: ubuntu-latest-refclocks
  Name: macos-basic
  Name: macos-refclocks

All 4 get the same clump of errors:

TEST(macencrypt, CMAC_Encrypt)../../tests/libntp/macencrypt.c:109::FAIL: Expected TRUE Was FALSE
TEST(macencrypt, CMAC_Encrypt)../../tests/libntp/macencrypt.c:109::FAIL: Expected TRUE Was FALSE
TEST(macencrypt, DecryptValidCMAC)../../tests/libntp/macencrypt.c:133::FAIL: Expected TRUE Was FALSE
TEST(macencrypt, DecryptInvalidCMAC) PASS
TEST(macencrypt, IPv4AddressToRefId) PASS
TEST(macencrypt, IPv6AddressToRefId) PASS
TEST(macencrypt, null_trunc) PASS
TEST(macencrypt, CMAC_TestVectors)../../tests/libntp/macencrypt.c:297::FAIL: Memory Mismatch. Byte 0 Expected 0x07 Was 0xE5

This code area isn't wonderful. It leaves a lot of stuff in global variables so it can decrypt stuff it just encrypted. The code works on all my test cases.

Anybody know what version of OpenSSL macos or ubuntu-latest are using? There was a new version released recently: 3.0 => 3.1, I think. None of the other distros I test with are using 3.1 yet.

Where/how do I get ubuntu-latest?

----

We should patch the configure stuff to print out the version of OpenSSL that it finds.

-- 
These are my opinions. I hate spam.
From jamesb192 at jamesb192.com Thu Mar 23 10:48:58 2023
From: jamesb192 at jamesb192.com (James Browning)
Date: Thu, 23 Mar 2023 03:48:58 -0700 (PDT)
Subject: I've broken something
In-Reply-To: <20230323074645.2401728C209@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
References: <20230323074645.2401728C209@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Message-ID: <2064388459.350681.1679568538425@privateemail.com>

> On 03/23/2023 12:46 AM PDT Hal Murray via devel wrote:
>
> The pipeline fails on:
> Name: ubuntu-latest-basic
> Name: ubuntu-latest-refclocks
> Name: macos-basic
> Name: macos-refclocks
>
> All 4 get the same clump of errors:
> :::snip:::
>
> This code area isn't wonderful. It leaves a lot of stuff in global variables
> so it can decrypt stuff it just encrypted. The code works on all my test
> cases.
>
> Anybody know what version of OpenSSL macos or ubuntu-latest are using? There
> was a new version released recently: 3.0 => 3.1, I think. None of the other
> distros I test with are using 3.1 yet.

ubuntu-latest runs 3.0.2 [1], and my Ubuntu box with 3.0.8 passes.

> Where/how do I get ubuntu-latest?

I would suggest `docker push registry.gitlab.com/na280/ntpsec`, but it seems that it rarely is acceptable, or go to the Ubuntu website and download Jammy.

> We should patch the configure stuff to print out the version of OpenSSL that
> it finds.

I have a branch that does that badly. [2]

[1] https://gitlab.com/na280/ntpsec/-/jobs/3987240899
[2] https://gitlab.com/na280/ntpsec/-/commits/tlscheck

From halmurray at sonic.net Thu Mar 23 23:55:26 2023
From: halmurray at sonic.net (Hal Murray)
Date: Thu, 23 Mar 2023 16:55:26 -0700
Subject: I've broken something
In-Reply-To: Message from James Browning via devel of "Thu, 23 Mar 2023 03:48:58 -0700." <2064388459.350681.1679568538425@privateemail.com>
Message-ID: <20230323235526.E556028C209@107-137-68-211.lightspeed.sntcca.sbcglobal.net>

James Browning said:
>> Where/how do I get ubuntu-latest?
> I would suggest `docker push registry.gitlab.com/na280/ntpsec`, but it seems
> that it rarely is acceptable, or go to the Ubuntu website and download Jammy.

Are you sure about Jammy? Where did that come from?

I found a download page for Ubuntu 22.04.2 LTS (Jammy Jellyfish)
But 22.04 is almost a year old, which doesn't match my expectations for "latest".
It is the latest for their LTS.

I have 22.10 (Kinetic Kudu)
It works.

I have 20.04.6 LTS (Focal Fossa), but that's running on a Raspberry Pi rather than a PC.
It works.

I guess I'll set up Jammy on a PC.

-- 
These are my opinions. I hate spam.

From jamesb192 at jamesb192.com Fri Mar 24 00:53:18 2023
From: jamesb192 at jamesb192.com (James Browning)
Date: Thu, 23 Mar 2023 17:53:18 -0700 (PDT)
Subject: I've broken something
In-Reply-To: <20230323235526.E556028C209@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
References: Message from James Browning via devel of "Thu, 23 Mar 2023 03:48:58 -0700." <2064388459.350681.1679568538425@privateemail.com> <20230323235526.E556028C209@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Message-ID: <366291008.398103.1679619198662@privateemail.com>

> On 03/23/2023 4:55 PM PDT Hal Murray wrote:
>
> James Browning said:
> >> Where/how do I get ubuntu-latest?
> > I would suggest `docker push registry.gitlab.com/na280/ntpsec`, but it seems
> > that it rarely is acceptable, or go to the Ubuntu website and download Jammy.
>
> Are you sure about Jammy? Where did that come from?

I am reasonably sure about it. Jammy comes from [1], which came after looking at ./dockerfiles/ubuntu-latest to get ubuntu:latest.

> I found a download page for Ubuntu 22.04.2 LTS (Jammy Jellyfish)
> But 22.04 is almost a year old which doesn't match my expectations for
> "latest".
> It is the latest for their LTS.
>
> I have 22.10 (Kinetic Kudu)
> It works.
>
> I have 20.04.6 LTS (Focal Fossa), but that's running on a Raspberry Pi rather
> than a PC.
> It works.
>
> I guess I'll set up Jammy on a PC.
[1] hub.docker.com/_/ubuntu

Seriously though, docker works great for this, and you don't need to glass wipe a machine.

From halmurray at sonic.net Fri Mar 24 05:37:23 2023
From: halmurray at sonic.net (Hal Murray)
Date: Thu, 23 Mar 2023 22:37:23 -0700
Subject: I've broken something
In-Reply-To: Message from James Browning via devel of "Thu, 23 Mar 2023 17:53:18 -0700." <366291008.398103.1679619198662@privateemail.com>
Message-ID: <20230324053723.65AE528C209@107-137-68-211.lightspeed.sntcca.sbcglobal.net>

> I am reasonably sure about it. Jammy comes from [1] which came after looking
> at ./dockerfiles/ubuntu-latest to get ubuntu:latest

Thanks.

> Seriously though, docker works great for this, and you don't need to glass
> wipe a machine.

But I don't know anything about docker and I do know how to install Ubuntu.

Is there a getting started HOWTO for docker?

-- 
These are my opinions. I hate spam.

From halmurray at sonic.net Fri Mar 24 11:32:53 2023
From: halmurray at sonic.net (Hal Murray)
Date: Fri, 24 Mar 2023 04:32:53 -0700
Subject: CI happy now
Message-ID: <20230324113253.4E3FA28C209@107-137-68-211.lightspeed.sntcca.sbcglobal.net>

I was thinking that "latest" suggested newer. 3.1 is out, but none of the distros I test with are using it yet. I was expecting a bug in that area.

It turns out that ubuntu-latest has an older version of OpenSSL 3. It's using 3.0.2. The oldest 3.0 I have is 3.0.3. Many distros are using 3.0.8.

We still support 1.1.1, but that uses an API that is now deprecated. Cleaning that up was what broke things.

-----------

If I/we want to test this, I think I have to grab the source for all the versions we want to test, build/test them. Then set up a script that will
  for each version of OpenSSL
    install $version
    build/check ntpsec
    uninstall $version

Our build stuff is already set up to look in /usr/local/ and friends.

That only tests the NTP packet level crypto part of OpenSSL.
To test the NTS-KE part, we would have to install and run each built version. Restarting the local ntpd could test the client side. We would need to restart other servers so their client side would test our server side.

So plan B would be to set up an array of servers, each using a different version of OpenSSL.

-- 
These are my opinions. I hate spam.
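The install/build-check/uninstall loop sketched in the "CI happy now" mail, written out as an added example by the editor; it is not NTPsec's own tooling and was not posted to the list. Everything it relies on is an assumption rather than something the thread states: OpenSSL source tarballs already on disk under $TARBALLS as openssl-<version>.tar.gz, an NTPsec checkout at $NTPSEC whose `./waf configure` honours CFLAGS/LDFLAGS from the environment and whose `./waf check` runs the unit tests, and one install prefix per OpenSSL version under $PREFIX_ROOT so that "uninstall" is an rm -rf and a leftover libcrypto from the previous iteration can never be picked up by mistake. The one thing it adds beyond the sketch is the check the thread asks configure to print: before running the tests it asks the freshly installed `openssl version` what it is and refuses to proceed if that is not the version requested.

```shell
#!/bin/sh
# Added example (editor's, not NTPsec's): build and check NTPsec against a
# list of OpenSSL releases, one at a time. All paths and build flags below
# are assumptions, not taken from the list thread.
set -eu

TARBALLS=${TARBALLS:-${HOME:-/tmp}/src/openssl}   # openssl-<ver>.tar.gz live here
NTPSEC=${NTPSEC:-${HOME:-/tmp}/src/ntpsec}        # NTPsec checkout with ./waf
PREFIX_ROOT=${PREFIX_ROOT:-/usr/local}            # one prefix per version below this
DRYRUN=${DRYRUN:-0}                               # DRYRUN=1 prints commands instead

# Per-version install prefix, e.g. /usr/local/openssl-3.0.8.
prefix_for() {
    printf '%s/openssl-%s\n' "$PREFIX_ROOT" "$1"
}

# Execute a command, or just print it when DRYRUN=1.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Unpack, configure, build and install one release into its own prefix.
# install_sw skips the documentation, which is all the tests need.
install_openssl() {
    v=$1; p=$(prefix_for "$v")
    run tar -xzf "$TARBALLS/openssl-$v.tar.gz" -C /tmp
    run sh -c "cd /tmp/openssl-$v && ./Configure --prefix='$p' --openssldir='$p/ssl' && make -j4 && make install_sw"
}

# Ask the library we just installed, not the distro's openssl(1), what it is.
installed_version() {
    p=$(prefix_for "$1")
    LD_LIBRARY_PATH="$p/lib:$p/lib64" "$p/bin/openssl" version
}

# Compare the version word of "OpenSSL 3.0.8 7 Feb 2023" with the one requested.
# Prints "ok" or "mismatch" so the loop can refuse to test the wrong library.
version_matches() {
    want=$1
    set -- $2                     # split the "openssl version" line into words
    if [ "${2:-}" = "$want" ]; then echo ok; else echo mismatch; fi
}

# Point the waf configure step at this prefix and bake the library directory
# into the rpath, so the checks really load the version under test.
build_ntpsec() {
    p=$(prefix_for "$1")
    run env CFLAGS="-I$p/include" \
        LDFLAGS="-L$p/lib -L$p/lib64 -Wl,-rpath,$p/lib -Wl,-rpath,$p/lib64" \
        sh -c "cd '$NTPSEC' && ./waf configure && ./waf build && ./waf check"
}

uninstall_openssl() {
    run rm -rf "$(prefix_for "$1")" "/tmp/openssl-$1"
}

# Usage: sh openssl-matrix.sh 3.0.2 3.0.8 3.1.0   (whatever tarballs you have)
main() {
    for v in "$@"; do
        install_openssl "$v"
        if [ "$DRYRUN" != 1 ]; then
            got=$(installed_version "$v")
            if [ "$(version_matches "$v" "$got")" != ok ]; then
                echo "refusing to test: installed library reports '$got', wanted $v" >&2
                exit 1
            fi
            echo "testing NTPsec against: $got"
        fi
        build_ntpsec "$v"
        uninstall_openssl "$v"
    done
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it once with DRYRUN=1 to see the exact commands before letting it write under /usr/local; the per-version prefix is what makes the uninstall step safe, since nothing outside $PREFIX_ROOT/openssl-<version> is ever removed.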