[ntp/f18] fix crash in FIPS mode (#839280)

Miroslav Lichvar mlichvar at fedoraproject.org
Wed Oct 24 16:33:19 UTC 2012


commit fb21010cea2ca389a80e4db6aae4118bd9a11b7c
Author: Miroslav Lichvar <mlichvar at redhat.com>
Date:   Wed Oct 24 16:24:43 2012 +0200

    fix crash in FIPS mode (#839280)

 ntp-4.2.6p5-fipsmd5.patch |   47 +++++++++++++++++++++++++++++++++++++++++++++
 ntp.spec                  |    3 ++
 2 files changed, 50 insertions(+), 0 deletions(-)
---
diff --git a/ntp-4.2.6p5-fipsmd5.patch b/ntp-4.2.6p5-fipsmd5.patch
new file mode 100644
index 0000000..b6d8889
--- /dev/null
+++ b/ntp-4.2.6p5-fipsmd5.patch
@@ -0,0 +1,47 @@
+diff -up ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5 ntp-4.2.6p5/libntp/a_md5encrypt.c
+--- ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5	2011-12-01 03:55:17.000000000 +0100
++++ ntp-4.2.6p5/libntp/a_md5encrypt.c	2012-10-24 16:24:04.972358878 +0200
+@@ -38,7 +38,11 @@ MD5authencrypt(
+ 	 * was creaded.
+ 	 */
+ 	INIT_SSL();
+-	EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
++	if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
++		msyslog(LOG_ERR,
++		    "MAC encrypt: digest init failed");
++		return (0);
++	}
+ 	EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
+ 	EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
+ 	EVP_DigestFinal(&ctx, digest, &len);
+@@ -71,7 +75,11 @@ MD5authdecrypt(
+ 	 * was created.
+ 	 */
+ 	INIT_SSL();
+-	EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
++	if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
++		msyslog(LOG_ERR,
++		    "MAC decrypt: digest init failed");
++		return (0);
++	}
+ 	EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
+ 	EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
+ 	EVP_DigestFinal(&ctx, digest, &len);
+@@ -101,7 +109,16 @@ addr2refid(sockaddr_u *addr)
+ 		return (NSRCADR(addr));
+ 
+ 	INIT_SSL();
+-	EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));
++	EVP_MD_CTX_init(&ctx);
++#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
++	/* MD5 is not used as a crypto hash here. */
++	EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++#endif
++	if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) {
++		msyslog(LOG_ERR,
++		    "MD5 init failed");
++		exit(1);
++	}
+ 	EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
+ 	    sizeof(struct in6_addr));
+ 	EVP_DigestFinal(&ctx, digest, &len);
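Review bot: In the MD5authdecrypt hunk the new failure branch calls `msyslog(LOG_ERR, ...)` on every failed digest init, so if the function runs once per received authenticated packet (its caller is outside this patch), a peer sending packets for a key type that FIPS mode rejects can fill the log. Consider logging once, e.g. `static int logged; if (!logged) { msyslog(...); logged = 1; }`, and naming the digest `type` in the message so the operator can tell which key is affected. The `return (0)` in MD5authdecrypt presumably fails closed, but the same return in MD5authencrypt is only safe if callers treat a zero MAC length as an error rather than sending the packet without a MAC; that should be confirmed. In addr2refid, `exit(1)` inside a libntp helper turns any digest init failure (for instance when the OpenSSL headers do not define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) into daemon termination, so returning an error or fallback value would be more robust. All three function bodies start and end outside the embedded hunks, and the return values of EVP_DigestUpdate and EVP_DigestFinal remain unchecked there.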
diff --git a/ntp.spec b/ntp.spec
index 9900f92..a2032e0 100644
--- a/ntp.spec
+++ b/ntp.spec
@@ -55,6 +55,8 @@ Patch3: ntp-4.2.6p3-bcast.patch
 Patch4: ntp-4.2.6p1-cmsgalign.patch
 # link ntpd with -ffast-math on ia64
 Patch5: ntp-4.2.6p1-linkfastmath.patch
+# ntpbz #2294
+Patch6: ntp-4.2.6p5-fipsmd5.patch
 # ntpbz #759
 Patch7: ntp-4.2.6p1-retcode.patch
 # ntpbz #992
@@ -151,6 +153,7 @@ This package contains NTP documentation in HTML format.
 %ifarch ia64
 %patch5 -p1 -b .linkfastmath
 %endif
+%patch6 -p1 -b .fipsmd5
 %patch7 -p1 -b .retcode
 %patch8 -p1 -b .rtnetlink
 %patch10 -p1 -b .htmldoc

