How can I make ntpd work with FIPS openssl3?


I have a Kirkstone Yocto Linux build with ntpd [email protected] Tue 23 Jun 2020 09:22:22 AM UTC (1) and OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022). I have enabled FIPS for OpenSSL, and I have that working correctly. However, when I start ntpd with FIPS enabled, I get the following problem:

10 Jun 11:48:17 ntpd[816]: ntpd [email protected] Tue 23 Jun 2020 09:22:22 AM UTC (1): Starting
10 Jun 11:48:17 ntpd[816]: Command line: ntpd -d
10 Jun 11:48:17 ntpd[816]: ----------------------------------------------------
10 Jun 11:48:17 ntpd[816]: ntp-4 is maintained by Network Time Foundation,
10 Jun 11:48:17 ntpd[816]: Inc. (NTF), a non-profit 501(c)(3) public-benefit
10 Jun 11:48:17 ntpd[816]: corporation.  Support and training for ntp-4 are
10 Jun 11:48:17 ntpd[816]: available at https://www.nwtime.org/support
10 Jun 11:48:17 ntpd[816]: ----------------------------------------------------
10 Jun 11:48:17 ntpd[816]: proto: precision = 0.360 usec (-21)
Finished Parsing!!
10 Jun 11:48:17 ntpd[816]: basedate set to 2020-06-11
10 Jun 11:48:17 ntpd[816]: gps base set to 2020-06-14 (week 2110)
hack_restrict: op RESTRICT_FLAGS addr 0.0.0.0 mask 0.0.0.0 ippeerlimit -1 mflags 00000000 rflags 00000390
hack_restrict: op RESTRICT_FLAGS addr :: mask :: ippeerlimit -1 mflags 00000000 rflags 00000390
hack_restrict: op RESTRICT_FLAGS addr 127.0.0.1 mask 255.255.255.255 ippeerlimit -1 mflags 00000000 rflags 00000000
hack_restrict: op RESTRICT_FLAGS addr ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -1 mflags 00000000 rflags 00000000
move_fd: estimated max descriptors: 1024, initial socket boundary: 16
10 Jun 11:48:17 ntpd[816]: MD5 init failed

MD5 should of course fail with FIPS enabled, as that is not an approved algorithm, and openssl md5 also fails, as expected. But is there a way to make ntpd work with FIPS enabled?

I looked at the source for ntpd and it looks like the ntp/libntp/a_md5encrypt.c file is where the code is failing. Also referenced is an EVP_MD_CTX_FLAG_NON_FIPS_ALLOW compiler directive, so it seems like ntpd does have some knowledge of FIPS.

Is there some way for me to recompile ntpd so that it won't try to use MD5?


There are 0 answers
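Added example, not from the post and not code from the ntp project: a Python rendering of one place NTP needs MD5 regardless of which key types are configured. RFC 5905 section 7.3 defines an IPv6 server's reference ID as the first four octets of the MD5 hash of the 16-byte address (an IPv4 source uses the address bytes themselves); in the ntp-4.2.8 sources that computation lives in libntp/a_md5encrypt.c, the file the question points at, and the digest is fixed by the protocol rather than chosen through an ntp.keys entry. The `usedforsecurity=False` argument is Python's way of requesting an MD5 object for non-security use and is used here as an analogue of the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag mentioned above; whether a particular OpenSSL 3 FIPS configuration honours either is a property of that build, which this code probes but does not decide. The addresses in the `__main__` block are documentation-range examples chosen for illustration.

```python
"""NTP reference IDs and the protocol's built-in MD5 dependency (RFC 5905 s7.3).

Example code, not from the ntp project.  Shows why "don't use MD5" is not a
pure key-configuration matter for ntpd: IPv6 refids are MD5-derived by spec.
"""
import hashlib
import ipaddress


def addr2refid(addr: str) -> bytes:
    """Return the 4-byte NTP reference ID for a time source address.

    IPv4: the address itself, network byte order.
    IPv6: the first four octets of MD5 over the packed 16-byte address.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ip.packed
    # MD5 here is a fixed-width mixing function for an identifier, not an
    # integrity or authentication mechanism.  usedforsecurity=False
    # (Python 3.9+) asks the hashlib backend for an MD5 object outside the
    # FIPS-restricted set, the same intent as ntpd's NON_FIPS_ALLOW flag.
    return hashlib.md5(ip.packed, usedforsecurity=False).digest()[:4]


def refid_to_str(refid: bytes) -> str:
    """Dotted-quad rendering of a refid, as ntpq prints it.

    An IPv6-derived refid renders as four decimal octets too, so it looks
    like an IPv4 address even though it is a hash fragment.
    """
    if len(refid) != 4:
        raise ValueError("refid must be exactly 4 bytes")
    return ".".join(str(b) for b in refid)


def md5_available_for_security() -> bool:
    """Probe whether MD5 is permitted for security use on this Python/OpenSSL.

    On a FIPS-restricted OpenSSL 3 build the hashlib backend raises ValueError
    for plain hashlib.md5(); on an unrestricted build it succeeds.  The refid
    computation above does not depend on this answer.
    """
    try:
        hashlib.md5(b"probe")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: RFC 5737 / RFC 3849 documentation addresses.
    for source in ("192.0.2.1", "2001:db8::1", "2001:db8::2"):
        refid = addr2refid(source)
        print(f"{source:>16} -> refid {refid.hex()} ({refid_to_str(refid)})")
    state = "allowed" if md5_available_for_security() else "blocked (FIPS)"
    print(f"MD5 for security use on this build: {state}")
```

Running it on a host with the FIPS provider active shows the last line switch to "blocked" while the refid lines still print, which is the distinction the daemon has to make internally: the digest object for the refid must be fetched as a non-security use, separately from any authentication digests.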