From: Juergen Perlinger
Date: Wed, 7 Feb 2018 07:14:35 +0000 (+0100)
Subject: [Bug 3457] OpenSSL FIPS mode regression
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ce1b26253a43e249f66a4aaaea52f8cba386066;p=thirdparty%2Fntp.git
[Bug 3457] OpenSSL FIPS mode regression
bk: 5a7aa75bVAENRhCqqTrIb9Ky4frLYg
---
diff --git a/ChangeLog b/ChangeLog
index e0086e014..48d965f1c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,7 @@
 - initial patch by , extended by
 * [Sec 3412] ctl_getitem(): Don't compare names past NUL.
 * [Sec 3012] Sybil vulnerability: noepeer support. HStenn, JPerlinger.
+* [Bug 3457] OpenSSL FIPS mode regression
 * [Bug 3452] PARSE driver prints uninitialized memory.
 * [Bug 3450] Dubious error messages from plausibility checks in get_systime()
 - removed error log caused by rounding/slew, ensured postcondition
diff --git a/libntp/a_md5encrypt.c b/libntp/a_md5encrypt.c
index b90170aae..7dc7e7ecf 100644
--- a/libntp/a_md5encrypt.c
+++ b/libntp/a_md5encrypt.c
@@ -114,8 +114,9 @@ make_mac(
 /* make sure MD5 is allowd */
 EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 #endif
-
- if (!EVP_DigestInit(ctx, EVP_get_digestbynid(ktype))) {
+ /* [Bug 3457] DON'T use plain EVP_DigestInit! It would
+ * kill the flags! */
+ if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(ktype), NULL)) {
 msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Init failed.", OBJ_nid2sn(ktype));
 goto mac_fail;
@@ -265,10 +266,12 @@ addr2refid(sockaddr_u *addr)
 INIT_SSL();
 ctx = EVP_MD_CTX_new();
-#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+# ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
 /* MD5 is not used as a crypto hash here. */
 EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-#endif
+# endif
+ /* [Bug 3457] DON'T use plain EVP_DigestInit! It would kill the
+ * flags! */
 if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) {
 msyslog(LOG_ERR, "MD5 init failed");
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index 756a874c1..182dd0d8e 100644
--- a/ntpd/ntp_control.c
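Review bot: In make_mac() in libntp/a_md5encrypt.c the new comment says plain EVP_DigestInit "would kill the flags" without saying which flags or why, and the context comment "make sure MD5 is allowd" does not record that this is a deliberate FIPS-mode exemption on what looks like the packet MAC path. EVP_DigestInit() resets the context before initialising it, which clears the flag set two lines earlier; I would state that, e.g. `/* [Bug 3457] EVP_DigestInit() resets ctx and drops EVP_MD_CTX_FLAG_NON_FIPS_ALLOW; keep EVP_DigestInit_ex() */`. Unlike addr2refid(), whose comment says MD5 is not used as a crypto hash there, the flag here applies to whatever digest `ktype` selects, so one sentence on why the override is acceptable for authentication would help the next auditor. The `#ifdef` guarding the flag and the rest of make_mac() lie outside the hunk.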
+++ b/ntpd/ntp_control.c
@@ -3643,7 +3643,13 @@ static u_int32 derive_nonce(
 }
 ctx = EVP_MD_CTX_new();
+# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ /* [Bug 3457] set flags and don't kill them again */
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(ctx, EVP_get_digestbynid(NID_md5), NULL);
+# else
 EVP_DigestInit(ctx, EVP_get_digestbynid(NID_md5));
+# endif
 EVP_DigestUpdate(ctx, salt, sizeof(salt));
 EVP_DigestUpdate(ctx, &ts_i, sizeof(ts_i));
 EVP_DigestUpdate(ctx, &ts_f, sizeof(ts_f));
diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c
index 11d087a5a..f2df4da8f 100644
--- a/ntpd/ntp_crypto.c
+++ b/ntpd/ntp_crypto.c
@@ -268,7 +268,13 @@ session_key(
 break;
 }
 ctx = EVP_MD_CTX_new();
+# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ /* [Bug 3457] set flags and don't kill them again */
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(ctx, EVP_get_digestbynid(crypto_nid), NULL);
+# else
 EVP_DigestInit(ctx, EVP_get_digestbynid(crypto_nid));
+# endif
 EVP_DigestUpdate(ctx, (u_char *)header, hdlen);
 EVP_DigestFinal(ctx, dgst, &len);
 EVP_MD_CTX_free(ctx);
@@ -2087,7 +2093,13 @@ bighash(
 ptr = emalloc(len);
 BN_bn2bin(bn, ptr);
 ctx = EVP_MD_CTX_new();
+# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ /* [Bug 3457] set flags and don't kill them again */
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+# else
 EVP_DigestInit(ctx, EVP_md5());
+# endif
 EVP_DigestUpdate(ctx, ptr, len);
 EVP_DigestFinal(ctx, dgst, &len);
 EVP_MD_CTX_free(ctx);
diff --git a/sntp/crypto.c b/sntp/crypto.c
index daba425be..ce5d136fc 100644
--- a/sntp/crypto.c
+++ b/sntp/crypto.c
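Review bot: The new `EVP_DigestInit_ex()` call in derive_nonce() discards its return value, and the `ctx` returned by `EVP_MD_CTX_new()` goes into `EVP_MD_CTX_set_flags()` without a NULL check; session_key() and bighash() in ntpd/ntp_crypto.c repeat the same pattern. This bug exists because digest initialisation can be refused under FIPS mode, and when that happens the EVP_DigestUpdate/EVP_DigestFinal calls that follow run on an uninitialised context, so the nonce, session key or hash would presumably be read from a digest buffer that was never written. make_mac() in this same patch already checks the call and logs; I would do likewise here, e.g. `if (ctx == NULL || !EVP_DigestInit_ex(ctx, EVP_get_digestbynid(NID_md5), NULL)) { msyslog(LOG_ERR, "nonce digest init failed"); /* free ctx and bail out */ }`. How each function should fail depends on code outside the hunks, and the identical five-line `# if` block in three places would be easier to keep correct as one small helper.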
@@ -86,21 +86,30 @@ compute_mac(
 if (!(ctx = EVP_MD_CTX_new())) {
 msyslog(LOG_ERR, "make_mac: MAC %s Digest CTX new failed.", macname);
+ goto mac_fail;
 }
 #ifdef OPENSSL /* OpenSSL 1 supports return codes 0 fail, 1 okay */
- else if (!EVP_DigestInit(ctx, EVP_get_digestbynid(key_type))) {
+# ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+# endif
+ /* [Bug 3457] DON'T use plain EVP_DigestInit! It would
+ * kill the flags! */
+ if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(key_type), NULL)) {
 msyslog(LOG_ERR, "make_mac: MAC %s Digest Init failed.", macname);
+ goto mac_fail;
 }
- else if (!EVP_DigestUpdate(ctx, key_data, key_size)) {
+ if (!EVP_DigestUpdate(ctx, key_data, key_size)) {
 msyslog(LOG_ERR, "make_mac: MAC %s Digest Update key failed.", macname);
+ goto mac_fail;
 }
- else if (!EVP_DigestUpdate(ctx, pkt_data, pkt_size)) {
+ if (!EVP_DigestUpdate(ctx, pkt_data, pkt_size)) {
 msyslog(LOG_ERR, "make_mac: MAC %s Digest Update data failed.", macname);
+ goto mac_fail;
 }
- else if (!EVP_DigestFinal(ctx, digest, &len)) {
+ if (!EVP_DigestFinal(ctx, digest, &len)) {
 msyslog(LOG_ERR, "make_mac: MAC %s Digest Final failed.", macname);
 len = 0;
@@ -111,7 +120,7 @@ compute_mac(
 EVP_DigestUpdate(ctx, pkt_data, pkt_size);
 EVP_DigestFinal(ctx, digest, &len);
 #endif
-
+ mac_fail:
 EVP_MD_CTX_free(ctx);
 }
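Review bot: The new `goto mac_fail;` exits in compute_mac() leave `len` untouched, whereas the EVP_DigestFinal failure branch still sets `len = 0;` explicitly. If `len` is not zero-initialised at its declaration (outside the hunk), a failed init or update would report a stale length for a `digest` buffer that was never written, and a caller would presumably treat that as a valid MAC. Success also falls through the label, so the reset cannot live at `mac_fail:` itself; I would add `len = 0;` before each `goto mac_fail;` or confirm the initialiser. Because the label is the normal exit as well, a name such as `mac_done` would describe it better.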