Comment 0 for bug 1884265

In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault.

Test case:
sudo apt install ntp
ntpq -p
Segmentation fault (core dumped)

What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task.

EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
For FIPS mode it adds:
EVP_add_digest(EVP_md5());

What happens later in ntpq is (list_md_fn function inside ntpq.c):
ctx = EVP_MD_CTX_new();
EVP_DigestInit(ctx, EVP_get_digestbyname(name));
EVP_DigestFinal(ctx, digest, &digest_len);

First digest it gets is MD5, but while running EVP_DigestInit for it, it gets to this point:
#ifdef OPENSSL_FIPS
        if (FIPS_mode()) {
            if (!(type->flags & EVP_MD_FLAG_FIPS)
                && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
                EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
                return 0;
            }
        }
#endif

Due to type->flags for MD5 being 0 there's an error set (EVP_R_DISABLED_FOR_FIPS).
After getting back to ntpq.c:
ctx->engine and ctx->digest are not set (due to the mentioned error), hence

inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
causes a segfault (ctx->digest is NULL).

So either MD5 shouldn't be added in FIPS mode or it should have the EVP_MD_FLAG_FIPS to be properly initialized.