[Ntp] ntp service fails to start when fips enabled in openssl-3.x

Shreenidhi Shedi <sshedi@vmware.com> Wed, 12 January 2022 11:30 UTC

From: Shreenidhi Shedi <sshedi@vmware.com>
To: "mills@udel.edu" <mills@udel.edu>
CC: "ntp@ietf.org" <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/eRkrxrEIBtpxS2HkXkr-H49CWbs>

Hi David L. Mills and NTP members,

The ntp service fails to start when openssl-3.x FIPS is enabled.
ntp uses the md5 algorithm (GitHub code link: <https://github.com/ntp-project/ntp/blob/9c75327c3796ff59ac648478cd4da8b205bceb77/libntp/a_md5encrypt.c#L40>).

openssl-3.x has removed support for EVP_MD_CTX_FLAG_NON_FIPS_ALLOW and we need to use the EVP_MD_fetch(...) API to make md5 work in FIPS mode.


I am attaching the patch to make this work.
Please let me know if I need to use a different means to make this contribution.

We are using this fix already in Photon OS
https://github.com/vmware/photon/blob/4.0/SPECS/ntp/Get-rid-of-EVP_MD_CTX_FLAG_NON_FIPS_ALLOW.patch

--
Shedi