NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p18 was released on 25 May 2024 and addresses 40 bugs and provides 40 improvements.

Please see the NTP 4.2.8p18 Changelog for details.

Bug 2518 - Identity schemes use MD5 hash instead of a predetermined digest scheme
Status: CONFIRMED
Alias: None
Product: ntp
Classification: Unclassified
Component: crypto
Version: 4.2.7
Hardware: All All
: P5 enhancement
Assignee: Harlan Stenn
Reported: 2013-12-06 09:50 UTC by djhurtubise
Modified: 2020-03-27 18:38 UTC

stenn: blocking4.2.8?


Description djhurtubise 2013-12-06 09:50:14 UTC
In order to be FIPS compliant, all cryptographic algorithms must use SHA256 or better hash algorithms. This is true in the NTP code for everything except for the identity schemes, where the hash digest used is done by the bighash() routine.
The bighash() routine uses MD5.

This is a serious issue if NTP needs to be FIPS compliant.
Comment 1 djhurtubise 2013-12-06 10:56:34 UTC
In addition, the cookie encrypt and decrypt operations are hard-coded to RSA with the OAEP padding scheme. This should be configurable to the overall scheme desired by the client in the ASSOC request. So some hard-coded cryptographic stuff has to be rewritten to allow for cryptographic flexibility with regard to the client's digest/signature scheme it wants to use.
Comment 2 Harlan Stenn 2014-02-24 00:50:06 UTC
Folks,

Should this issue block 4.2.8?
Comment 3 Brian Utterback 2015-08-14 22:53:20 UTC
This issue is about to become a major headache for me if it is not resolved.
Comment 4 Sergey 2020-03-27 18:33:23 UTC
In new versions of OpenSSL, MD5 is disabled by default:

# ntp-keygen -T -I -p asldfnalsnlas
Using OpenSSL version OpenSSL 1.1.1d  10 Sep 2019
...
Verify RSA-MD5 certificate fails
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
Comment 5 Sergey 2020-03-27 18:38:19 UTC
I think it would be good to choose the default algorithm at the build stage in the future.
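
Added example, not part of the bug thread and not NTP's own code: a Python model of a digest-agile replacement for the fixed-MD5 hashing the report describes, with the digest checked against policy and against what the crypto library actually provides before use. The `APPROVED` list, the function names other than `bighash`, and the assumption that the routine hashes the big-endian bytes of a big number and returns the digest as a number are all assumptions made for illustration.

```python
import hashlib

# Assumed policy: digests acceptable where "SHA256 or better" is required.
APPROVED = ("sha256", "sha384", "sha512")


class DigestPolicyError(ValueError):
    """Requested digest is not approved or not provided by the crypto library."""


def select_digest(name: str) -> str:
    """Validate a configured digest name before any hashing is attempted."""
    name = name.lower()
    if name not in APPROVED:
        raise DigestPolicyError(f"{name} is not an approved digest")
    if name not in hashlib.algorithms_available:
        raise DigestPolicyError(f"{name} is not available in this build")
    return name


def bighash(n: int, digest: str = "sha256") -> int:
    """Hash a non-negative big number and return the digest as a big number.

    Assumption: the number is serialised as minimal big-endian bytes, the
    way OpenSSL's BN_bn2bin() does, and the digest is read back big-endian.
    """
    if n < 0:
        raise ValueError("n must be non-negative")
    data = n.to_bytes((n.bit_length() + 7) // 8, "big")
    h = hashlib.new(select_digest(digest), data)
    return int.from_bytes(h.digest(), "big")


def digest_report(names=("md5", "sha1") + APPROVED) -> dict:
    """Map each digest name to 'ok' or the reason it would be refused."""
    report = {}
    for name in names:
        try:
            select_digest(name)
            report[name] = "ok"
        except DigestPolicyError as exc:
            report[name] = str(exc)
    return report


if __name__ == "__main__":
    sample = 0xC0FFEE  # constructed sample value
    print(hex(bighash(sample, "sha256")))
    for name, status in digest_report().items():
        print(f"{name:8s} {status}")
```

Validating the digest name up front turns a missing or disallowed algorithm into a clear configuration error instead of a late verification failure like the one quoted in Comment 4.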