SUSE:SLE-12-SP5:Update
ntp.500
ntp-fips-reenablemd5.patch
File ntp-fips-reenablemd5.patch of Package ntp.500
Index: ntp-4.2.6p5/libntp/a_md5encrypt.c
===================================================================
--- ntp-4.2.6p5.orig/libntp/a_md5encrypt.c
+++ ntp-4.2.6p5/libntp/a_md5encrypt.c
@@ -31,6 +31,7 @@ MD5authencrypt(
 u_char digest[EVP_MAX_MD_SIZE];
 u_int len;
 EVP_MD_CTX ctx;
+ EVP_MD *md;
 /*
 * Compute digest of key concatenated with packet. Note: the
@@ -38,7 +39,22 @@ MD5authencrypt(
 * was creaded.
 */
 INIT_SSL();
- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ /* in FIPS mode EVP_get_digestbynid won't give us back the md5 evp */
+ if (type == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(type);
+
+ if (!md || !EVP_DigestInit_ex(&ctx, md, NULL)) {
+ msyslog(LOG_ERR,
+ "MAC encrypt: digest init failed");
+ return (0);
+ }
 EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
 EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
 EVP_DigestFinal(&ctx, digest, &len);
@@ -64,6 +80,7 @@ MD5authdecrypt(
 u_char digest[EVP_MAX_MD_SIZE];
 u_int len;
 EVP_MD_CTX ctx;
+ EVP_MD *md;
 /*
 * Compute digest of key concatenated with packet. Note: the
@@ -71,7 +88,23 @@ MD5authdecrypt(
 * was created.
 */
 INIT_SSL();
- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ /* in FIPS mode EVP_get_digestbynid won't give us back the md5 evp */
+ if (type == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(type);
+
+ if (!md || !EVP_DigestInit_ex(&ctx, md, NULL)) {
+ msyslog(LOG_ERR,
+ "MAC decrypt: digest init failed");
+ return (0);
+ }
+
 EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
 EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
 EVP_DigestFinal(&ctx, digest, &len);
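Review bot: `EVP_MD *md;` in the MD5authencrypt declaration hunk drops the const qualifier, since `EVP_md5()` and `EVP_get_digestbynid()` both return `const EVP_MD *`; declaring it as `const EVP_MD *md;` lets the assignments further down compile without a discarded-qualifier warning. The same declaration is added in the MD5authdecrypt, config_auth, session_key, make_mac and keytype_from_text hunks and wants the same change. The function bodies start and end outside these hunks.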
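Review bot: The comment `/* MD5 is not used as a crypto hash here. */` does not match MD5authencrypt, where the digest of key plus packet is the MAC that authenticates the packet, and `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` is set for every `type`, not only for `NID_md5`. Inside the existing `#ifdef` I would set the flag only on the MD5 branch, `if (type == NID_md5) EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);`, and reword the comment to say what is being exempted, for example `/* FIPS override: keyed MD5 is the legacy NTP symmetric MAC, not a FIPS-approved algorithm */`. The MD5authdecrypt hunk carries the same comment and flag and needs the same treatment. Both function bodies continue outside the hunks.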
@@ -101,7 +134,16 @@ addr2refid(sockaddr_u *addr)
 return (NSRCADR(addr));
 INIT_SSL();
- EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) {
+ msyslog(LOG_ERR,
+ "MD5 init failed");
+ exit(1);
+ }
 EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
 sizeof(struct in6_addr));
 EVP_DigestFinal(&ctx, digest, &len);
Index: ntp-4.2.6p5/libntp/authreadkeys.c
===================================================================
--- ntp-4.2.6p5.orig/libntp/authreadkeys.c
+++ ntp-4.2.6p5/libntp/authreadkeys.c
@@ -142,7 +142,7 @@ authreadkeys(
 "authreadkeys: invalid type for key %d", keyno);
 continue;
 }
- if (EVP_get_digestbynid(keytype) == NULL) {
+ if ((keytype != NID_md5) && (EVP_get_digestbynid(keytype) == NULL)) {
 msyslog(LOG_ERR,
 "authreadkeys: no algorithm for key %d", keyno);
 continue;
Index: ntp-4.2.6p5/ntpd/ntp_config.c
===================================================================
--- ntp-4.2.6p5.orig/ntpd/ntp_config.c
+++ ntp-4.2.6p5/ntpd/ntp_config.c
@@ -1748,6 +1748,7 @@ config_auth(
 u_char digest[EVP_MAX_MD_SIZE];
 u_int digest_len;
 EVP_MD_CTX ctx;
+ EVP_MD *md;
 #endif
 int item;
 #endif
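Review bot: The new `keytype != NID_md5` exemption in authreadkeys has no comment, so the reason MD5 keys skip the algorithm lookup can only be learned from the other files in this patch. I would add `/* in FIPS mode EVP_get_digestbynid() does not return MD5; MD5 keys are still accepted */` above the `if`. It may also be worth a log line when an MD5 key is accepted this way, since an operator who enabled FIPS mode otherwise has no signal that a non-approved MAC is in use. The enclosing loop in authreadkeys starts and ends outside the hunk.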
@@ -1861,7 +1862,17 @@ config_auth(
 #ifndef OPENSSL
 req_hashlen = 16;
 #else /* OPENSSL follows */
- EVP_DigestInit(&ctx, EVP_get_digestbynid(req_keytype));
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ /* in FIPS mode EVP_get_digestbynid won't give us back the md5 evp */
+ if (req_keytype == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(req_keytype);
+ EVP_DigestInit_ex(&ctx, md, NULL);
 EVP_DigestFinal(&ctx, digest, &digest_len);
 req_hashlen = digest_len;
 #endif
Index: ntp-4.2.6p5/ntpd/ntp_crypto.c
===================================================================
--- ntp-4.2.6p5.orig/ntpd/ntp_crypto.c
+++ ntp-4.2.6p5/ntpd/ntp_crypto.c
@@ -197,6 +197,7 @@ session_key(
 )
 {
 EVP_MD_CTX ctx; /* message digest context */
+ EVP_MD *md;
 u_char dgst[EVP_MAX_MD_SIZE]; /* message digest */
 keyid_t keyid; /* key identifer */
 u_int32 header[10]; /* data in network byte order */
@@ -229,7 +230,15 @@ session_key(
 hdlen = 10 * sizeof(u_int32);
 break;
 }
- EVP_DigestInit(&ctx, EVP_get_digestbynid(crypto_nid));
+ if (crypto_nid == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(crypto_nid);
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ EVP_DigestInit_ex(&ctx, md, NULL);
 EVP_DigestUpdate(&ctx, (u_char *)header, hdlen);
 EVP_DigestFinal(&ctx, dgst, &len);
 memcpy(&keyid, dgst, 4);
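Review bot: `EVP_DigestInit_ex(&ctx, md, NULL);` in config_auth is called without checking `md` or the return value, although the a_md5encrypt.c hunks of this same patch check both; if `req_keytype` resolves to no digest, `EVP_DigestFinal` then runs on a context that never had a digest set. Guard it the same way, `if (!md || !EVP_DigestInit_ex(&ctx, md, NULL)) { msyslog(LOG_ERR, "config_auth: digest init failed"); /* error path */ }`, with the error path chosen to suit the rest of config_auth, which lies outside the hunk. The session_key, bighash, make_mac and keytype_from_text hunks make the same unchecked call.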
@@ -1958,7 +1967,11 @@ bighash(
 len = BN_num_bytes(bn);
 ptr = emalloc(len);
 BN_bn2bin(bn, ptr);
- EVP_DigestInit(&ctx, EVP_md5());
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
 EVP_DigestUpdate(&ctx, ptr, len);
 EVP_DigestFinal(&ctx, dgst, &len);
 BN_bin2bn(dgst, len, bk);
Index: ntp-4.2.6p5/sntp/crypto.c
===================================================================
--- ntp-4.2.6p5.orig/sntp/crypto.c
+++ ntp-4.2.6p5/sntp/crypto.c
@@ -17,6 +17,7 @@ make_mac(
 u_int len = mac_size;
 int key_type;
 EVP_MD_CTX ctx;
+ EVP_MD *md;
 if (cmp_key->key_len > 64)
 return 0;
@@ -25,7 +26,17 @@ make_mac(
 INIT_SSL();
 key_type = keytype_from_text(cmp_key->type, NULL);
- EVP_DigestInit(&ctx, EVP_get_digestbynid(key_type));
+ if (key_type == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(key_type);
+
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ EVP_DigestInit_ex(&ctx, EVP_get_digestbynid(key_type), NULL);
 EVP_DigestUpdate(&ctx, (u_char *)cmp_key->key_seq, (u_int)cmp_key->key_len);
 EVP_DigestUpdate(&ctx, (u_char *)pkt_data, (u_int)pkt_size);
 EVP_DigestFinal(&ctx, (u_char *)digest, &len);
Index: ntp-4.2.6p5/libntp/ssl_init.c
===================================================================
--- ntp-4.2.6p5.orig/libntp/ssl_init.c
+++ ntp-4.2.6p5/libntp/ssl_init.c
@@ -69,6 +69,7 @@ keytype_from_text(
 char * upcased;
 char * pch;
 EVP_MD_CTX ctx;
+ EVP_MD *md;
 /*
 * OpenSSL digest short names are capitalized, so uppercase the
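Review bot: In make_mac the new `md` is computed but never used: the init call is still `EVP_DigestInit_ex(&ctx, EVP_get_digestbynid(key_type), NULL);`, so in FIPS mode, where by this patch's own comments the lookup does not return MD5, sntp passes a NULL digest and the MD5 re-enablement has no effect here. The call should be `if (!md || !EVP_DigestInit_ex(&ctx, md, NULL)) return 0;`, using the same `return 0` the function already uses for an over-long key. The comment `/* MD5 is not used as a crypto hash here. */` is also inaccurate for this function, which hashes the key and packet data into `digest` as the MAC. make_mac's body continues outside the hunk.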
@@ -94,7 +95,16 @@ keytype_from_text(
 if (NULL != pdigest_len) {
 #ifdef OPENSSL
- EVP_DigestInit(&ctx, EVP_get_digestbynid(key_type));
+ if (key_type == NID_md5)
+ md = EVP_md5();
+ else
+ md = EVP_get_digestbynid(key_type);
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* MD5 is not used as a crypto hash here. */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ EVP_DigestInit_ex(&ctx, md, NULL);
 EVP_DigestFinal(&ctx, digest, &digest_len);
 if (digest_len + sizeof(keyid_t) > MAX_MAC_LEN) {
 fprintf(stderr,