What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task.
EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
For FIPS mode it adds:
EVP_add_digest(EVP_md5());
What happens later in ntpq is (list_md_fn function inside ntpq.c):
ctx = EVP_MD_CTX_new();
EVP_DigestInit(ctx, EVP_get_digestbyname(name));
EVP_DigestFinal(ctx, digest, &digest_len);
First digest it gets is MD5, but while running EVP_DigestInit for it, it gets to this point:
#ifdef OPENSSL_FIPS
    if (FIPS_mode()) {
        if (!(type->flags & EVP_MD_FLAG_FIPS)
            && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
            EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
            return 0;
        }
    }
#endif
Due to type->flags for MD5 being 0 there's an error set (EVP_R_DISABLED_FOR_FIPS).
After getting back to ntpq.c:
ctx->engine and ctx->digest are not set (due to the mentioned error), hence
inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
causes a segfault (ctx->digest is NULL).
So either MD5 shouldn't be added in FIPS mode or it should have the EVP_MD_FLAG_FIPS to be properly initialized.
In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault.
Test case:
sudo apt install ntp
ntpq -p
Segmentation fault (core dumped)
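The quoted list_md_fn sequence calls EVP_DigestFinal without checking what EVP_DigestInit returned. The following is an added example, not code from ntpq or OpenSSL: a self-contained C model of that control flow in which the enumerator checks the init result and skips a digest that is disabled for FIPS. All model_* names and the digest table are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MODEL_FLAG_FIPS 0x1            /* stands in for EVP_MD_FLAG_FIPS */

typedef struct { const char *name; unsigned flags; size_t md_size; } model_md;
typedef struct { const model_md *digest; } model_ctx;

/* Constructed digest table: MD5 is registered but carries no FIPS flag. */
static const model_md model_table[] = {
    { "MD5",    0,               16 },
    { "SHA1",   MODEL_FLAG_FIPS, 20 },
    { "SHA256", MODEL_FLAG_FIPS, 32 },
};
#define MODEL_COUNT (sizeof model_table / sizeof model_table[0])

/* Mirrors the quoted check: in FIPS mode a digest without the FIPS flag is
 * refused and ctx->digest stays NULL. Returns 1 on success, 0 on error. */
static int model_digest_init(model_ctx *ctx, const model_md *type, int fips_mode)
{
    ctx->digest = NULL;
    if (type == NULL)
        return 0;
    if (fips_mode && !(type->flags & MODEL_FLAG_FIPS))
        return 0;
    ctx->digest = type;
    return 1;
}

/* Hardened enumeration: check the init result and skip the digest, so the
 * finalisation step never dereferences a NULL ctx->digest.
 * Writes usable names into out[] and returns how many were usable. */
static size_t model_list_digests(int fips_mode, const char **out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < MODEL_COUNT && n < cap; i++) {
        model_ctx ctx;
        if (!model_digest_init(&ctx, &model_table[i], fips_mode))
            continue;                       /* disabled for FIPS: skip it */
        if (ctx.digest->md_size == 0)       /* stand-in for finalisation */
            continue;
        out[n++] = ctx.digest->name;
    }
    return n;
}
```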