From f1e86c08f15ec33b015dad3dbd1d11c8cf686a4774146a9ec0628ba89b921b86 Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Thu, 1 Jul 2021 14:37:51 +0000
Subject: [PATCH] - bsc#1173760: MD5 is not available from mozilla-nss in FIPS mode, but needed for calculating refids from IPv6 addresses as part of the NTP protocol (rfc5905). As this is a non-cryptographic use of MD5 we can use our own implementation without violating FIPS rules: chrony-refid-internal-md5.patch . OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=103
---
 chrony-refid-internal-md5.patch | 45 +++++++++++++++++++++++++++++++++
 chrony.changes | 5 ++++
 chrony.spec | 2 ++
 3 files changed, 52 insertions(+)
 create mode 100644 chrony-refid-internal-md5.patch
diff --git a/chrony-refid-internal-md5.patch b/chrony-refid-internal-md5.patch
new file mode 100644
index 0000000..f4747c4
--- /dev/null
+++ b/chrony-refid-internal-md5.patch
@@ -0,0 +1,45 @@
+--- util.c.orig
++++ util.c
+@@ -32,7 +32,13 @@
+ #include "logging.h"
+ #include "memory.h"
+ #include "util.h"
+-#include "hash.h"
++/*
++ * We use the internal MD5 implementation here to avoid trouble with
++ * FIPS. This is OK, because MD5 is only being used for the non-crypto
++ * purpose of hashing 128 bit IPv6 addresses to 32 bit referenc IDs,
++ * as required by RFC 5905.
++ */
++#include "md5.c"
+ 
+ #define NSEC_PER_SEC 1000000000
+ 
+@@ -392,21 +398,17 @@ UTI_IsIPReal(const IPAddr *ip)
+ uint32_t
+ UTI_IPToRefid(const IPAddr *ip)
+ {
+- static int MD5_hash = -1;
+- unsigned char buf[16];
++ MD5_CTX ctx;
++ unsigned char *buf = &ctx.digest;
+ 
+ switch (ip->family) {
+ case IPADDR_INET4:
+ return ip->addr.in4;
+ case IPADDR_INET6:
+- if (MD5_hash < 0)
+- MD5_hash = HSH_GetHashId(HSH_MD5);
+-
+- if (MD5_hash < 0 ||
+- HSH_Hash(MD5_hash, (const unsigned char *)ip->addr.in6, sizeof (ip->addr.in6),
+- NULL, 0, buf, sizeof (buf)) != sizeof (buf))
+- LOG_FATAL("Could not get MD5");
+-
++ MD5Init(&ctx);
++ MD5Update(&ctx, (unsigned const char *)ip->addr.in6,
++ sizeof(ip->addr.in6));
++ MD5Final(&ctx);
+ return (uint32_t)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
+ }
+ return 0;
diff --git a/chrony.changes b/chrony.changes
index b4a57c5..d9137d0 100644
--- a/chrony.changes
+++ b/chrony.changes
@@ -2,6 +2,11 @@ Thu Jul 1 12:38:13 UTC 2021 - Reinhard Max - boo#1187906: Consolidate all references to the helper script. +- bsc#1173760: MD5 is not available from mozilla-nss in FIPS mode, but needed for calculating refids from IPv6 addresses as part of the NTP protocol (rfc5905). As this is a non-cryptographic use of MD5 we can use our own implementation without violating FIPS rules: chrony-refid-internal-md5.patch . ------------------------------------------------------------------- Sun Jun 13 13:29:36 UTC 2021 - Callum Farmer
diff --git a/chrony.spec b/chrony.spec
index 1f1f4d0..7d06103 100644
--- a/chrony.spec
+++ b/chrony.spec
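Review bot: `unsigned char *buf = &ctx.digest;` in the new UTI_IPToRefid body takes the address of the digest member; if digest is a byte array, as the later `buf[0]`..`buf[3]` reads suggest, that expression has pointer-to-array type and assigning it to `unsigned char *` is an incompatible-pointer-type diagnostic that only works because both point at the same address — `unsigned char *buf = ctx.digest;` is the intended form. `#include "md5.c"` pulls the MD5Init/MD5Update/MD5Final definitions into util.c, so if any other translation unit in the build also compiles or includes md5.c the link will see duplicate symbols; a header plus a single object file, or making the included functions static, would avoid that, though the build configuration is not visible from here. The new comment misspells "referenc IDs" ("reference IDs"), and `(unsigned const char *)` would conventionally be written `(const unsigned char *)`. The closing brace of UTI_IPToRefid lies outside the hunk.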
@@ -54,6 +54,7 @@ Patch0: chrony-config.patch
 Patch1: chrony-service-helper.patch
 Patch2: chrony-logrotate.patch
 Patch3: chrony-service-ordering.patch
+Patch4: chrony-refid-internal-md5.patch
 BuildRequires: NetworkManager-devel
 BuildRequires: bison
 BuildRequires: gcc-c++
@@ -153,6 +154,7 @@ sed -e 's-@CHRONY_HELPER@-%{chrony_helper}-g' -i %{PATCH1} %{SOURCE3} %{SOURCE5}
 %patch1 -p1
 %patch2 -p1
 %patch3
+%patch4
 # Remove pool statements from the default /etc/chrony.conf. They will
 # be provided by branding packages in /etc/chrony.d/pool.conf .