Bug 1330013 - [Bug] Problems running authenticated NTP on server with FIPS 140-2 compliance enabled.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ntp
Version: 6.7
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Lichvar
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-25 09:48 UTC by Muhammad Azhar Shaikh
Modified: 2019-11-14 07:51 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-28 19:11:55 UTC
Target Upstream Version:
Embargoed:

Description Muhammad Azhar Shaikh 2016-04-25 09:48:58 UTC
Description of problem:
Unable to get NTP working on servers that have been modified per RedHat site instructions to be FIPS 140-2 compliant.
When starting ntpd, segfault occurs.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 6.7 (Santiago)
dracut-fips-004-400.el6.noarch
dracut-004-400.el6.noarch
fipscheck-lib-1.2.0-7.el6.x86_64
ntp-4.2.6p5-5.el6_7.4.x86_64
kernel-2.6.32-573.18.1.el6.x86_64
fipscheck-1.2.0-7.el6.x86_64

How reproducible:
Two servers, both with FIPS enabled per https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html#enabling-fips-mode
Summarizing steps for FIPS:
# vi /etc/sysconfig/prelink
...
PRELINKING=no 
...

# prelink -u -a   <<-- It takes a lot of time.
# yum install dracut-fips
# dracut -f
# df /boot
# vi /boot/grub/grub.conf
...
kernel <line>.... fips=1 boot=/dev/vda1
....

# reboot
# cat /proc/sys/crypto/fips_enabled 
1

Server 1:
/etc/ntp.conf:
server 0.rhel.pool.ntp.org
crypto
includefile /etc/ntp/crypto/pw

# ntp-keygen -T -C aes-256-cbc -c DSA-SHA1 -m 1024 -b 1024 -S DSA -p apassword
Server 2 /etc/ntp.conf:
server <IP address of server 1> autokey
crypto
includefile /etc/ntp/crypto/pw

# ntp-keygen -C aes-256-cbc -c DSA-SHA1 -m 1024 -b 1024 -S DSA -p apassword

On both servers, /etc/ntp/crypto/pw:
crypto pw apassword

Start NTP on both servers. See segfault on server 2 as soon as it queries server 1.

Actual results at my TEST machine:
[root@dhcp223-194 crypto]# tail /var/log/messages
Apr 25 15:02:13 dhcp223-194 ntpd[3546]: Listen and drop on 1 v6wildcard :: UDP 123
Apr 25 15:02:13 dhcp223-194 ntpd[3546]: Listen normally on 2 lo 127.0.0.1 UDP 123
Apr 25 15:02:13 dhcp223-194 ntpd[3546]: Listen normally on 3 eth1 10.76.1.107 UDP 123
Apr 25 15:02:13 dhcp223-194 ntpd[3546]: Listen normally on 4 lo ::1 UDP 123
Apr 25 15:02:13 dhcp223-194 ntpd[3546]: Listen normally on 5 eth1 fe80::5054:ff:fe07:613b UDP 123
Apr 25 15:02:13 dhcp223-194 ntpd[3546]: Listening on routing socket on fd #22 for interface updates
Apr 25 15:02:13 dhcp223-194 ntpd[3546]: 0.0.0.0 c016 06 restart
Apr 25 15:02:13 dhcp223-194 ntpd[3546]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Apr 25 15:02:13 dhcp223-194 ntpd[3546]: 0.0.0.0 c011 01 freq_not_set
Apr 25 15:02:14 dhcp223-194 kernel: ntpd[3546]: segfault at 0 ip (null) sp 00007ffe335da7e8 error 14 in libnss_files-2.12.so[7f400f51a000+c000]

Actual results at customer TEST machine:
Apr 12 15:36:01 RHEL6_7_test ntpd[1818]: proto: precision = 0.170 usec
Apr 12 15:36:01 RHEL6_7_test ntpd[1818]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Apr 12 15:36:01 RHEL6_7_test ntpd[1818]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Apr 12 15:36:01 RHEL6_7_test ntpd[1818]: Listen and drop on 1 v6wildcard :: UDP 123
Apr 12 15:36:01 RHEL6_7_test ntpd[1818]: Listen normally on 2 lo 127.0.0.1 UDP 123
Apr 12 15:36:01 RHEL6_7_test ntpd[1818]: Listen normally on 3 eth0 192.168.1.169 UDP 123
Apr 12 15:36:01 RHEL6_7_test ntpd[1818]: Listen normally on 4 eth1 192.168.56.109 UDP 123
Apr 12 15:36:01 RHEL6_7_test ntpd[1818]: Listen normally on 5 lo ::1 UDP 123
Apr 12 15:36:01 RHEL6_7_test ntpd[1818]: Listening on routing socket on fd #22 for interface updates
Apr 12 15:36:21 RHEL6_7_test ntpd[1818]: Deferring DNS for 0.centos.pool.ntp.org 1
Apr 12 15:36:21 RHEL6_7_test ntpd[1818]: 0.0.0.0 c016 06 restart
Apr 12 15:36:21 RHEL6_7_test ntpd[1818]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Apr 12 15:36:21 RHEL6_7_test ntpd[1818]: 0.0.0.0 c011 01 freq_not_set
Apr 12 15:36:23 RHEL6_7_test ntpd[1818]: 0.0.0.0 c61c 0c clock_step +0.619749 s
Apr 12 15:36:23 RHEL6_7_test ntpd[1818]: 0.0.0.0 c614 04 freq_mode
Apr 12 15:36:24 RHEL6_7_test ntpd[1818]: 0.0.0.0 c618 08 no_sys_peer
Apr 12 15:36:24 RHEL6_7_test ntpd_intres[1822]: DNS 0.centos.pool.ntp.org -> 108.61.194.85
Apr 12 15:36:24 RHEL6_7_test ntpd_intres[1822]: MAC encrypt: digest init failed
Apr 12 15:36:24 RHEL6_7_test ntpd_intres[1822]: intres maclen 0 expected 20
Apr 12 15:38:25 RHEL6_7_test kernel: ntpd[1818]: segfault at 0 ip (null) sp 00007ffd482e5e28 error 14 in libresolv-2.12.so[7f8fb0d53000+16000]

Expected results:
It should not segfault and NTPD should work fine.

Comment 2 Miroslav Lichvar 2016-05-17 14:32:05 UTC
It seems the crash is caused by ntpd trying to use MD5 for message digests and not checking if EVP_DigestInit() in session_key() succeeded (openssl doesn't allow MD5 in FIPS mode).

Can you please try adding "digest SHA1" to the crypto line in ntp.conf to select SHA1 for message digests? This needs to be done on all hosts using autokey that will communicate with each other.
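
The failure described in Comment 2, as an added Python example that is not ntpd's code: a simplified model of the autokey session_key() digest step in which the digest-init failure is checked instead of ignored, plus a check of the ntp.conf "crypto" statement for the MD5 default. FIPS mode is emulated offline with a constructed policy table, and the address/key-ID/cookie layout fed to the digest is an assumption loosely modelled on ntpd, not its exact wire format.

```python
import hashlib
import socket
import struct

# Constructed table emulating OpenSSL's FIPS-mode digest refusal offline;
# MD5 is the autokey default that fails on the reporter's FIPS hosts.
FIPS_DISALLOWED = {"md5", "md4"}


def digest_init(name, fips_enabled):
    """Model of EVP_DigestInit(): a hash context, or None when it fails.
    The unpatched ntpd ignored this failure and kept using the context."""
    if fips_enabled and name.lower() in FIPS_DISALLOWED:
        return None
    try:
        return hashlib.new(name)
    except ValueError:  # unknown digest, or one a real FIPS build refuses
        return None


def session_key(srcadr, dstadr, keyno, cookie, digest="md5", fips_enabled=False):
    """Simplified session_key(): digest both IPv4 addresses, the key ID and
    the cookie; the first 32 bits become the next key ID.  Returns
    (keyid, key_bytes), or None when the digest cannot be initialised."""
    ctx = digest_init(digest, fips_enabled)
    if ctx is None:
        return None  # the check ntpd lacked: fail the exchange, do not crash
    ctx.update(socket.inet_aton(srcadr) + socket.inet_aton(dstadr))
    ctx.update(struct.pack("!II", keyno, cookie))
    key = ctx.digest()
    return struct.unpack("!I", key[:4])[0], key


def crypto_digest(conf_text):
    """Return the digest an ntp.conf 'crypto' statement selects: 'md5' when
    no 'digest' option is given, or None when autokey is not configured."""
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0] == "crypto":
            if "digest" in words[1:-1]:
                return words[words.index("digest") + 1].lower()
            return "md5"
    return None


# Constructed sample: the reporter's server 2 config (placeholder server IP),
# without and with the 'digest SHA1' option recommended in Comment 2.
CONF_BROKEN = "server 192.0.2.1 autokey\ncrypto\nincludefile /etc/ntp/crypto/pw\n"
CONF_FIXED = "server 192.0.2.1 autokey\ncrypto digest SHA1\nincludefile /etc/ntp/crypto/pw\n"
```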

