It seems 2 things are happening to generate this issue
1.fips-openssl in bionic has md5 and md5_sha1 in fips digest list with explicit purpose of accommodating PRF use only in fips mode. But you must pass the flag, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW to successfully use them.
2. ntpq does not check return codes from EVP_ calls. It has,
ctx = EVP_MD_CTX_new();
EVP_DigestInit(ctx, EVP_get_digestbyname(name));
EVP_DigestFinal(ctx, digest, &digest_len);
EVP_MD_CTX_free(ctx);
if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t)))
return;
EVP_DigestInit() would have returned 0 in this case indicating a failure.
Possible fixes:
1. in fips-libcrypto library remove md5 from fips digest list and keep md5_sha1 for PRF and mark as fips-allowed. Can still use md5 with EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag, but its just not in fips digest list.
Note: this fix can be put in fips-update ppa for availability. But, it may be a while before it is re-certified.
2. ntpq should check its return codes and do appropriate thing on error.
It seems 2 things are happening to generate this issue
1.fips-openssl in bionic has md5 and md5_sha1 in fips digest list with explicit purpose of accommodating PRF use only in fips mode. But you must pass the flag, EVP_MD_ CTX_FLAG_ NON_FIPS_ ALLOW to successfully use them.
2. ntpq does not check return codes from EVP_ calls. It has, DigestInit( ctx, EVP_get_ digestbyname( name)); DigestFinal( ctx, digest, &digest_len); MD_CTX_ free(ctx) ;
ctx = EVP_MD_CTX_new();
EVP_
EVP_
EVP_
if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t)))
return;
EVP_DigestInit() would have returned 0 in this case indicating a failure.
Possible fixes: CTX_FLAG_ NON_FIPS_ ALLOW flag, but its just not in fips digest list.
1. in fips-libcrypto library remove md5 from fips digest list and keep md5_sha1 for PRF and mark as fips-allowed. Can still use md5 with EVP_MD_
Note: this fix can be put in fips-update ppa for availability. But, it may be a while before it is re-certified.
2. ntpq should check its return codes and do appropriate thing on error.