[ntp/f18] fix crash in FIPS mode (#839280)
Miroslav Lichvar
mlichvar at fedoraproject.org
Wed Oct 24 16:33:19 UTC 2012
commit fb21010cea2ca389a80e4db6aae4118bd9a11b7c
Author: Miroslav Lichvar <mlichvar at redhat.com>
Date: Wed Oct 24 16:24:43 2012 +0200
fix crash in FIPS mode (#839280)
ntp-4.2.6p5-fipsmd5.patch | 47 +++++++++++++++++++++++++++++++++++++++++++++
ntp.spec | 3 ++
2 files changed, 50 insertions(+), 0 deletions(-)
---
diff --git a/ntp-4.2.6p5-fipsmd5.patch b/ntp-4.2.6p5-fipsmd5.patch
new file mode 100644
index 0000000..b6d8889
--- /dev/null
+++ b/ntp-4.2.6p5-fipsmd5.patch
@@ -0,0 +1,47 @@
+diff -up ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5 ntp-4.2.6p5/libntp/a_md5encrypt.c
+--- ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5 2011-12-01 03:55:17.000000000 +0100
++++ ntp-4.2.6p5/libntp/a_md5encrypt.c 2012-10-24 16:24:04.972358878 +0200
+@@ -38,7 +38,11 @@ MD5authencrypt(
+ * was creaded.
+ */
+ INIT_SSL();
+- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
++ if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
++ msyslog(LOG_ERR,
++ "MAC encrypt: digest init failed");
++ return (0);
++ }
+ EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
+ EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
+ EVP_DigestFinal(&ctx, digest, &len);
+@@ -71,7 +75,11 @@ MD5authdecrypt(
+ * was created.
+ */
+ INIT_SSL();
+- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
++ if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
++ msyslog(LOG_ERR,
++ "MAC decrypt: digest init failed");
++ return (0);
++ }
+ EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
+ EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
+ EVP_DigestFinal(&ctx, digest, &len);
+@@ -101,7 +109,16 @@ addr2refid(sockaddr_u *addr)
+ return (NSRCADR(addr));
+
+ INIT_SSL();
+- EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));
++ EVP_MD_CTX_init(&ctx);
++#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
++ /* MD5 is not used as a crypto hash here. */
++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++#endif
++ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) {
++ msyslog(LOG_ERR,
++ "MD5 init failed");
++ exit(1);
++ }
+ EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
+ sizeof(struct in6_addr));
+ EVP_DigestFinal(&ctx, digest, &len);
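Review bot: In the `addr2refid` part of the embedded patch, a failed `EVP_DigestInit_ex` terminates the whole process with `exit(1)` from inside libntp, and where `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` is not defined the flag is never set, so that exit stays reachable if the crypto library refuses MD5. If terminating is intended, say so next to the call, for example `/* no refid can be derived for an IPv6 address without MD5; treat as fatal */`; otherwise this is an availability risk for every program linking the library. In the `MD5authencrypt` and `MD5authdecrypt` parts, `msyslog(LOG_ERR, ...)` fires on every failed init; if the decrypt path runs once per received packet (presumably, it is not visible here), a non-FIPS key type configured in FIPS mode produces one log line per packet, so a one-time or rate-limited message would protect the log. The results of `EVP_DigestUpdate` and `EVP_DigestFinal` are still ignored in all three places, although they can fail for the same reason the init does. All three function bodies start and end outside the embedded hunks, so how callers treat the new `return (0)` should be confirmed against the full file.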
diff --git a/ntp.spec b/ntp.spec
index 9900f92..a2032e0 100644
--- a/ntp.spec
+++ b/ntp.spec
@@ -55,6 +55,8 @@ Patch3: ntp-4.2.6p3-bcast.patch
Patch4: ntp-4.2.6p1-cmsgalign.patch
# link ntpd with -ffast-math on ia64
Patch5: ntp-4.2.6p1-linkfastmath.patch
+# ntpbz #2294
+Patch6: ntp-4.2.6p5-fipsmd5.patch
# ntpbz #759
Patch7: ntp-4.2.6p1-retcode.patch
# ntpbz #992
@@ -151,6 +153,7 @@ This package contains NTP documentation in HTML format.
%ifarch ia64
%patch5 -p1 -b .linkfastmath
%endif
+%patch6 -p1 -b .fipsmd5
%patch7 -p1 -b .retcode
%patch8 -p1 -b .rtnetlink
%patch10 -p1 -b .htmldoc