hash: drop support for RIPEMD hash functions

An analysis by Tim Ruffing [1] shows that a length extension attack
adding valid extension fields to NTPv4 packets is possible with some
specific key lengths and hash functions using little-endian length like
MD5 and RIPEMD160.

chronyd currently doesn't process or generate any extension fields, but
it could be a problem in future when a non-authentication extension
field is supported.

Drop support for all RIPEMD functions as they don't seem to be secure in
the context of the NTPv4 MAC. MD5 is kept only for compatibility.

[1] https://mailarchive.ietf.org/arch/msg/ntp/gvibuB6bTbDRBumfHNdJ84Kq4kA

diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc
index cf9468956505efcbd919bba3d736f5f898a94409..1516d7e3d8473350b7e3f460515d79e04b4018c4 100644 (file)
--- a/doc/chrony.conf.adoc
+++ b/doc/chrony.conf.adoc
@@ -2045,8 +2045,7 @@ If *chronyd* was built with enabled support for hashing using a crypto library
 (nettle, nss, or libtomcrypt), the following functions are available: *MD5*,
 *SHA1*, *SHA256*, *SHA384*, *SHA512*. Depending on which library and version is
 *chronyd* using, some or all of the following functions may also be available:
-*SHA3-224*, *SHA3-256*, *SHA3-384*, *SHA3-512*, *RMD128*, *RMD160*, *RMD256*,
-*RMD320*, *TIGER*, *WHIRLPOOL*.
+*SHA3-224*, *SHA3-256*, *SHA3-384*, *SHA3-512*, *TIGER*, *WHIRLPOOL*.
 +
 The password can be specified as a string of characters not containing white
 space with an optional *ASCII:* prefix, or as a hexadecimal number with the

diff --git a/hash_nettle.c b/hash_nettle.c
index 2c3501d8e97ee97c2d19b479596aeec1d9abc6cc..2622f76977262d328bb5cc734f07484791421f24 100644 (file)
--- a/hash_nettle.c
+++ b/hash_nettle.c
@@ -43,7 +43,6 @@ struct hash {
 
 static struct hash hashes[] = {
   { "MD5", "md5", NULL, NULL },
-  { "RMD160", "ripemd160", NULL, NULL },
   { "SHA1", "sha1", NULL, NULL },
   { "SHA256", "sha256", NULL, NULL },
   { "SHA384", "sha384", NULL, NULL },

diff --git a/hash_tomcrypt.c b/hash_tomcrypt.c
index 4326c9ef80bc8b3acb45bc9fd3a6ac3fa5bbba53..8ee04909b252f30306018927d9d0d523cee1f23a 100644 (file)
--- a/hash_tomcrypt.c
+++ b/hash_tomcrypt.c
@@ -39,18 +39,6 @@ struct hash {
 
 static const struct hash hashes[] = {
   { "MD5", "md5", &md5_desc },
-#ifdef LTC_RIPEMD128
-  { "RMD128", "rmd128", &rmd128_desc },
-#endif
-#ifdef LTC_RIPEMD160
-  { "RMD160", "rmd160", &rmd160_desc },
-#endif
-#ifdef LTC_RIPEMD256
-  { "RMD256", "rmd256", &rmd256_desc },
-#endif
-#ifdef LTC_RIPEMD320
-  { "RMD320", "rmd320", &rmd320_desc },
-#endif
 #ifdef LTC_SHA1
   { "SHA1", "sha1", &sha1_desc },
 #endif

diff --git a/test/unit/hash.c b/test/unit/hash.c
index 5cde039293b3f706ac0254cfc79a51e9fc3ee9de..f1e44bc49eb3f141dd34629e29f613c52e89bd9a 100644 (file)
--- a/test/unit/hash.c
+++ b/test/unit/hash.c
@@ -60,14 +60,6 @@ test_unit(void)
                    "\x39\xfc\xcb\xc1\x29\xe1\x23\x7d\x8b\x56\x54\xe3\x08\x9d\xf9\x74"
                    "\x78\x69\x2e\x3c\x7e\x51\x1e\x9d\xab\x09\xbe\xe7\x6b\x1a\xa1\x22"
                    "\x93\xb1\x2b\x82\x9d\x1e\xcf\xa8\x99\xc5\xec\x7b\x1d\x89\x07\x2b", 64 },
-    { "RMD128",    "\x6f\xd7\x1f\x37\x47\x0f\xbd\x42\x57\xc8\xbb\xee\xba\x65\xf9\x35", 16 },
-    { "RMD160",    "\x7a\x88\xec\xc7\x09\xc5\x65\x34\x11\x24\xe3\xf9\xf7\xa5\xbf\xc6"
-                   "\x01\xe2\xc9\x32", 20},
-    { "RMD256",    "\x59\xdf\xd4\xcb\xc9\xbe\x7c\x27\x08\xa7\x23\xf7\xb3\x0c\xf0\x0d"
-                   "\xa0\xcf\x5b\x18\x16\x51\x56\x6d\xda\x7b\x87\x24\x9d\x83\x35\xe1", 32 },
-    { "RMD320",    "\x68\x98\x10\xf4\xb6\x79\xb6\x15\xf1\x48\x2d\x73\xd0\x23\x84\x01"
-                   "\xbf\xaa\x67\xcf\x1e\x35\x5c\xbf\xe9\xb8\xaf\xe1\xee\x0d\xf0\x6b"
-                   "\xe2\x3a\x9a\x3a\xa7\x56\xad\x70", 40},
     { "TIGER",     "\x1c\xcd\x68\x74\xca\xd6\xd5\x17\xba\x3e\x82\xaf\xbd\x70\xdc\x66"
                    "\x99\xaa\xae\x16\x72\x59\xd1\x64", 24},
     { "WHIRLPOOL", "\xe3\xcd\xe6\xbf\xe1\x8c\xe4\x4d\xc8\xb4\xa5\x7c\x36\x8d\xc8\x8a"