- bsc#1173760: MD5 is not available from mozilla-nss in FIPS mode,

but needed for calculating refids from IPv6 addresses as part of the NTP protocol (rfc5905). As this is a non-cryptographic use of MD5 we can use our own implementation without violating FIPS rules: chrony-refid-internal-md5.patch . OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=103
2021-07-01 14:37:51 +00:00 · 2021-07-01 14:37:51 +00:00 · f1e86c08f1
commit f1e86c08f1
parent 0e5e2f49b2
3 changed files with 52 additions and 0 deletions
--- a/chrony-refid-internal-md5.patch
+++ b/chrony-refid-internal-md5.patch
@ -0,0 +1,45 @@
+--- util.c.orig
+++ util.c
+@@ -32,7 +32,13 @@
+ #include "logging.h"
+ #include "memory.h"
+ #include "util.h"
+-#include "hash.h"
+/*
+ * We use the internal MD5 implementation here to avoid trouble with
+ * FIPS. This is OK, because MD5 is only being used for the non-crypto
+ * purpose of hashing 128 bit IPv6 addresses to 32 bit referenc IDs,
+ * as required by RFC 5905.
+ */
+#include "md5.c"
+ 
+ #define NSEC_PER_SEC 1000000000
+ 
+@@ -392,21 +398,17 @@ UTI_IsIPReal(const IPAddr *ip)
+ uint32_t
+ UTI_IPToRefid(const IPAddr *ip)
+ {
+-  static int MD5_hash = -1;
+-  unsigned char buf[16];
+  MD5_CTX ctx;
+  unsigned char *buf = &ctx.digest;
+ 
+   switch (ip->family) {
+     case IPADDR_INET4:
+       return ip->addr.in4;
+     case IPADDR_INET6:
+-      if (MD5_hash < 0)
+-        MD5_hash = HSH_GetHashId(HSH_MD5);
+-
+-      if (MD5_hash < 0 ||
+-          HSH_Hash(MD5_hash, (const unsigned char *)ip->addr.in6, sizeof (ip->addr.in6),
+-                   NULL, 0, buf, sizeof (buf)) != sizeof (buf))
+-        LOG_FATAL("Could not get MD5");
+-
+      MD5Init(&ctx);
+      MD5Update(&ctx, (unsigned const char *)ip->addr.in6,
+                     sizeof(ip->addr.in6));
+      MD5Final(&ctx);
+       return (uint32_t)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
+   }
+   return 0;
--- a/chrony.changes
+++ b/chrony.changes
@ -2,6 +2,11 @@
 Thu Jul  1 12:38:13 UTC 2021 - Reinhard Max <max@suse.com>

 - boo#1187906: Consolidate all references to the helper script.
+- bsc#1173760: MD5 is not available from mozilla-nss in FIPS mode,
+  but needed for calculating refids from IPv6 addresses as part of
+  the NTP protocol (rfc5905). As this is a non-cryptographic use of
+  MD5 we can use our own implementation without violating FIPS
+  rules: chrony-refid-internal-md5.patch .

 -------------------------------------------------------------------
 Sun Jun 13 13:29:36 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
--- a/chrony.spec
+++ b/chrony.spec
@ -54,6 +54,7 @@ Patch0:         chrony-config.patch
 Patch1:         chrony-service-helper.patch
 Patch2:         chrony-logrotate.patch
 Patch3:         chrony-service-ordering.patch
+Patch4:         chrony-refid-internal-md5.patch
 BuildRequires:  NetworkManager-devel
 BuildRequires:  bison
 BuildRequires:  gcc-c++
@ -153,6 +154,7 @@ sed -e 's-@CHRONY_HELPER@-%{chrony_helper}-g' -i %{PATCH1} %{SOURCE3} %{SOURCE5}
 %patch1 -p1
 %patch2 -p1
 %patch3
+%patch4

 # Remove pool statements from the default /etc/chrony.conf. They will
 # be provided by branding packages in /etc/chrony.d/pool.conf .