File ntp-fips-reenablemd5.patch of Package ntp.235
Index: ntp-4.2.6p5/libntp/a_md5encrypt.c
===================================================================
--- ntp-4.2.6p5.orig/libntp/a_md5encrypt.c
+++ ntp-4.2.6p5/libntp/a_md5encrypt.c
@@ -31,6 +31,7 @@ MD5authencrypt(
u_char digest[EVP_MAX_MD_SIZE];
u_int len;
EVP_MD_CTX ctx;
+ EVP_MD *md;
/*
* Compute digest of key concatenated with packet. Note: the
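Review bot: The new local should be declared `const EVP_MD *md;`, because both `EVP_md5()` and `EVP_get_digestbynid()` return a pointer to const. As written, the later assignments discard the qualifier and will draw a compiler warning. The same declaration is added in the MD5authdecrypt, config_auth, session_key, make_mac and keytype_from_text hunks and needs the same change. The function bodies start and end outside these hunks.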
@@ -38,7 +39,22 @@ MD5authencrypt(
* was creaded.
*/
INIT_SSL();
- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ /* in FIPS mode EVP_get_digestbynid won't give us back the md5 evp */
+ if (type == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(type);
+
+ if (!md || !EVP_DigestInit_ex(&ctx, md, NULL)) {
+ msyslog(LOG_ERR,
+ "MAC encrypt: digest init failed");
+ return (0);
+ }
EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
EVP_DigestFinal(&ctx, digest, &len);
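Review bot: The comment `/* MD5 is not used as a crypto hash here. */` does not match this call site. The context comment just above says the digest is computed over the key concatenated with the packet, which is the symmetric-key MAC, so this is an authentication use. The flag is also set before `type` is examined, so `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` covers every digest NID that reaches this function, not only MD5. Moving the `EVP_MD_CTX_set_flags` call into the `type == NID_md5` branch would keep the exemption as narrow as the patch name implies, with a comment such as `/* FIPS exemption: legacy NTP symmetric-key MAC still uses MD5 */`. The MD5authdecrypt hunk below has the same comment and the same unconditional flag.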
@@ -64,6 +80,7 @@ MD5authdecrypt(
u_char digest[EVP_MAX_MD_SIZE];
u_int len;
EVP_MD_CTX ctx;
+ EVP_MD *md;
/*
* Compute digest of key concatenated with packet. Note: the
@@ -71,7 +88,23 @@ MD5authdecrypt(
* was created.
*/
INIT_SSL();
- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ /* in FIPS mode EVP_get_digestbynid won't give us back the md5 evp */
+ if (type == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(type);
+
+ if (!md || !EVP_DigestInit_ex(&ctx, md, NULL)) {
+ msyslog(LOG_ERR,
+ "MAC decrypt: digest init failed");
+ return (0);
+ }
+
EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
EVP_DigestFinal(&ctx, digest, &len);
@@ -101,7 +134,16 @@ addr2refid(sockaddr_u *addr)
return (NSRCADR(addr));
INIT_SSL();
- EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) {
+ msyslog(LOG_ERR,
+ "MD5 init failed");
+ exit(1);
+ }
EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
sizeof(struct in6_addr));
EVP_DigestFinal(&ctx, digest, &len);
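Review bot: Calling `exit(1)` from addr2refid terminates whichever program links libntp when the digest cannot be initialised, and the message `"MD5 init failed"` does not say which function gave up. The function has no visible error return in this hunk, so a hard stop may be the only option. If so, it deserves a comment, for example `/* no error channel: a refid cannot be derived without MD5 */`, and the log text should name addr2refid. The function body begins and ends outside the hunk, so how callers would cope with a fallback value cannot be judged from here.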
Index: ntp-4.2.6p5/libntp/authreadkeys.c
===================================================================
--- ntp-4.2.6p5.orig/libntp/authreadkeys.c
+++ ntp-4.2.6p5/libntp/authreadkeys.c
@@ -142,7 +142,7 @@ authreadkeys(
"authreadkeys: invalid type for key %d", keyno);
continue;
}
- if (EVP_get_digestbynid(keytype) == NULL) {
+ if ((keytype != NID_md5) && (EVP_get_digestbynid(keytype) == NULL)) {
msyslog(LOG_ERR,
"authreadkeys: no algorithm for key %d", keyno);
continue;
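Review bot: The new `keytype != NID_md5` exception has no comment, and a reader who sees only this file cannot tell why MD5 skips the availability check. A line such as `/* in FIPS mode EVP_get_digestbynid() hides MD5; it is obtained via EVP_md5() at use time */` above the condition would record the reason. With this change an MD5 key is accepted even when the lookup fails, so a missing digest only surfaces later, when the key is used.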
Index: ntp-4.2.6p5/ntpd/ntp_config.c
===================================================================
--- ntp-4.2.6p5.orig/ntpd/ntp_config.c
+++ ntp-4.2.6p5/ntpd/ntp_config.c
@@ -1748,6 +1748,7 @@ config_auth(
u_char digest[EVP_MAX_MD_SIZE];
u_int digest_len;
EVP_MD_CTX ctx;
+ EVP_MD *md;
#endif
int item;
#endif
@@ -1861,7 +1862,17 @@ config_auth(
#ifndef OPENSSL
req_hashlen = 16;
#else /* OPENSSL follows */
- EVP_DigestInit(&ctx, EVP_get_digestbynid(req_keytype));
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ /* in FIPS mode EVP_get_digestbynid won't give us back the md5 evp */
+ if (req_keytype == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(req_keytype);
+ EVP_DigestInit_ex(&ctx, md, NULL);
EVP_DigestFinal(&ctx, digest, &digest_len);
req_hashlen = digest_len;
#endif
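Review bot: The result of `EVP_DigestInit_ex(&ctx, md, NULL)` is ignored and `md` is not checked for NULL, unlike the a_md5encrypt.c hunks in this same patch. If `EVP_get_digestbynid(req_keytype)` returns NULL, `EVP_DigestFinal` runs on a context with no digest set, and `req_hashlen` is then taken from a `digest_len` that may never have been written. The guard used elsewhere in the patch applies here too: `if (!md || !EVP_DigestInit_ex(&ctx, md, NULL))`, followed by an error path that fits config_auth, which is not visible in this hunk. The same unchecked init appears in the session_key, bighash, make_mac and keytype_from_text hunks.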
Index: ntp-4.2.6p5/ntpd/ntp_crypto.c
===================================================================
--- ntp-4.2.6p5.orig/ntpd/ntp_crypto.c
+++ ntp-4.2.6p5/ntpd/ntp_crypto.c
@@ -197,6 +197,7 @@ session_key(
)
{
EVP_MD_CTX ctx; /* message digest context */
+ EVP_MD *md;
u_char dgst[EVP_MAX_MD_SIZE]; /* message digest */
keyid_t keyid; /* key identifer */
u_int32 header[10]; /* data in network byte order */
@@ -229,7 +230,15 @@ session_key(
hdlen = 10 * sizeof(u_int32);
break;
}
- EVP_DigestInit(&ctx, EVP_get_digestbynid(crypto_nid));
+ if (crypto_nid == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(crypto_nid);
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ EVP_DigestInit_ex(&ctx, md, NULL);
EVP_DigestUpdate(&ctx, (u_char *)header, hdlen);
EVP_DigestFinal(&ctx, dgst, &len);
memcpy(&keyid, dgst, 4);
@@ -1958,7 +1967,11 @@ bighash(
len = BN_num_bytes(bn);
ptr = emalloc(len);
BN_bn2bin(bn, ptr);
- EVP_DigestInit(&ctx, EVP_md5());
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
EVP_DigestUpdate(&ctx, ptr, len);
EVP_DigestFinal(&ctx, dgst, &len);
BN_bin2bn(dgst, len, bk);
Index: ntp-4.2.6p5/sntp/crypto.c
===================================================================
--- ntp-4.2.6p5.orig/sntp/crypto.c
+++ ntp-4.2.6p5/sntp/crypto.c
@@ -17,6 +17,7 @@ make_mac(
u_int len = mac_size;
int key_type;
EVP_MD_CTX ctx;
+ EVP_MD *md;
if (cmp_key->key_len > 64)
return 0;
@@ -25,7 +26,17 @@ make_mac(
INIT_SSL();
key_type = keytype_from_text(cmp_key->type, NULL);
- EVP_DigestInit(&ctx, EVP_get_digestbynid(key_type));
+ if (key_type == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(key_type);
+
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ EVP_DigestInit_ex(&ctx, EVP_get_digestbynid(key_type), NULL);
EVP_DigestUpdate(&ctx, (u_char *)cmp_key->key_seq, (u_int)cmp_key->key_len);
EVP_DigestUpdate(&ctx, (u_char *)pkt_data, (u_int)pkt_size);
EVP_DigestFinal(&ctx, (u_char *)digest, &len);
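Review bot: `md` is assigned above but never used, because the init call still passes `EVP_get_digestbynid(key_type)`. In FIPS mode that lookup is expected to fail for MD5, according to the comments in the other hunks, so sntp does not get the workaround this patch is meant to add. The call should be `if (!md || !EVP_DigestInit_ex(&ctx, md, NULL)) return 0;`, which matches the `return 0` make_mac already uses for an oversized key. The comment `/* MD5 is not used as a crypto hash here. */` is also inaccurate here, since the digest covers the key followed by the packet data, which makes it the packet MAC.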
Index: ntp-4.2.6p5/libntp/ssl_init.c
===================================================================
--- ntp-4.2.6p5.orig/libntp/ssl_init.c
+++ ntp-4.2.6p5/libntp/ssl_init.c
@@ -69,6 +69,7 @@ keytype_from_text(
char * upcased;
char * pch;
EVP_MD_CTX ctx;
+ EVP_MD *md;
/*
* OpenSSL digest short names are capitalized, so uppercase the
@@ -94,7 +95,16 @@ keytype_from_text(
if (NULL != pdigest_len) {
#ifdef OPENSSL
- EVP_DigestInit(&ctx, EVP_get_digestbynid(key_type));
+ if (key_type == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(key_type);
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ EVP_DigestInit_ex(&ctx, md, NULL);
EVP_DigestFinal(&ctx, digest, &digest_len);
if (digest_len + sizeof(keyid_t) > MAX_MAC_LEN) {
fprintf(stderr,