[people/ms/ipfire-3.x.git] / ntp / patches / ntp-4.2.6p5-fipsmd5.patch

diff -up ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5 ntp-4.2.6p5/libntp/a_md5encrypt.c
--- ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5	2011-12-01 03:55:17.000000000 +0100
+++ ntp-4.2.6p5/libntp/a_md5encrypt.c	2012-10-24 16:24:04.972358878 +0200
@@ -38,7 +38,11 @@ MD5authencrypt(
 	 * was creaded.
 	 */
 	INIT_SSL();
-	EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
+	if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
+		msyslog(LOG_ERR,
+		    "MAC encrypt: digest init failed");
+		return (0);
+	}
 	EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
 	EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
 	EVP_DigestFinal(&ctx, digest, &len);
@@ -71,7 +75,11 @@ MD5authdecrypt(
 	 * was created.
 	 */
 	INIT_SSL();
-	EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
+	if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
+		msyslog(LOG_ERR,
+		    "MAC decrypt: digest init failed");
+		return (0);
+	}
 	EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
 	EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
 	EVP_DigestFinal(&ctx, digest, &len);
@@ -101,7 +109,16 @@ addr2refid(sockaddr_u *addr)
 		return (NSRCADR(addr));
 
 	INIT_SSL();
-	EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));
+	EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+	/* MD5 is not used as a crypto hash here. */
+	EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+	if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) {
+		msyslog(LOG_ERR,
+		    "MD5 init failed");
+		exit(1);
+	}
 	EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
 	    sizeof(struct in6_addr));
 	EVP_DigestFinal(&ctx, digest, &len);
Commit	Line	Data
5af29fb3 MT	1	diff -up ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5 ntp-4.2.6p5/libntp/a_md5encrypt.c
	2	--- ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5 2011-12-01 03:55:17.000000000 +0100
	3	+++ ntp-4.2.6p5/libntp/a_md5encrypt.c 2012-10-24 16:24:04.972358878 +0200
	4	@@ -38,7 +38,11 @@ MD5authencrypt(
	5	* was creaded.
	6	*/
	7	INIT_SSL();
	8	- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
	9	+ if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
	10	+ msyslog(LOG_ERR,
	11	+ "MAC encrypt: digest init failed");
	12	+ return (0);
	13	+ }
	14	EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
	15	EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
	16	EVP_DigestFinal(&ctx, digest, &len);
	17	@@ -71,7 +75,11 @@ MD5authdecrypt(
	18	* was created.
	19	*/
	20	INIT_SSL();
	21	- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
	22	+ if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
	23	+ msyslog(LOG_ERR,
	24	+ "MAC decrypt: digest init failed");
	25	+ return (0);
	26	+ }
	27	EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
	28	EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
	29	EVP_DigestFinal(&ctx, digest, &len);
	30	@@ -101,7 +109,16 @@ addr2refid(sockaddr_u *addr)
	31	return (NSRCADR(addr));
	32
	33	INIT_SSL();
	34	- EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));
	35	+ EVP_MD_CTX_init(&ctx);
	36	+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
	37	+ /* MD5 is not used as a crypto hash here. */
	38	+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
	39	+#endif
	40	+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) {
	41	+ msyslog(LOG_ERR,
	42	+ "MD5 init failed");
	43	+ exit(1);
	44	+ }
	45	EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
	46	sizeof(struct in6_addr));
	47	EVP_DigestFinal(&ctx, digest, &len);