DEVHIDE
Login Or Sign up

How can I make ntpd work with FIPS openssl3?

97 Views Asked by At

I have a kirkstone yocto linux build with ntpd [email protected] Tue 23 Jun 2020 09:22:22 AM UTC (1) and OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022). I have enabled FIPS for openssl, and I have that working correctly. However, when I start ntpd with FIPS enabled, I get the following problem:

10 Jun 11:48:17 ntpd[816]: ntpd [email protected] Tue 23 Jun 2020 09:22:22 AM UTC (1): Starting
10 Jun 11:48:17 ntpd[816]: Command line: ntpd -d
10 Jun 11:48:17 ntpd[816]: ----------------------------------------------------
10 Jun 11:48:17 ntpd[816]: ntp-4 is maintained by Network Time Foundation,
10 Jun 11:48:17 ntpd[816]: Inc. (NTF), a non-profit 501(c)(3) public-benefit
10 Jun 11:48:17 ntpd[816]: corporation.  Support and training for ntp-4 are
10 Jun 11:48:17 ntpd[816]: available at https://www.nwtime.org/support
10 Jun 11:48:17 ntpd[816]: ----------------------------------------------------
10 Jun 11:48:17 ntpd[816]: proto: precision = 0.360 usec (-21)
Finished Parsing!!
10 Jun 11:48:17 ntpd[816]: basedate set to 2020-06-11
10 Jun 11:48:17 ntpd[816]: gps base set to 2020-06-14 (week 2110)
hack_restrict: op RESTRICT_FLAGS addr 0.0.0.0 mask 0.0.0.0 ippeerlimit -1 mflags 00000000 rflags 00000390
hack_restrict: op RESTRICT_FLAGS addr :: mask :: ippeerlimit -1 mflags 00000000 rflags 00000390
hack_restrict: op RESTRICT_FLAGS addr 127.0.0.1 mask 255.255.255.255 ippeerlimit -1 mflags 00000000 rflags 00000000
hack_restrict: op RESTRICT_FLAGS addr ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ippeerlimit -1 mflags 00000000 rflags 00000000
move_fd: estimated max descriptors: 1024, initial socket boundary: 16
10 Jun 11:48:17 ntpd[816]: MD5 init failed

MD5 should of course fail with FIPS enabled, as that is not an approved algorithm, and openssl md5 also fails, as expected. But is there a way to make ntpd work with FIPS enabled?

I looked at the source for ntpd and it looks like the ntp/libntp/a_md5encrypt.c file is where the code is failing. Also referenced is a EVP_MD_CTX_FLAG_NON_FIPS_ALLOW compiler directive, so it seems like ntpd does have some knowledge of FIPS.

Is there some way for me to recompile nptd so that it won't try and use MD5?

linux openssl ntp fips ntpd
Original Q&A
0

There are 0 best solutions below

Related Questions in LINUX

Related Questions in OPENSSL

Related Questions in NTP

Related Questions in FIPS

Related Questions in NTPD

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.