[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

Joy Latten Mon, 13 Jul 2020 13:51:36 -0700

Additional testing for ntpq authentication to ensure MD5 still works for
ntpq in archive


NOTE: The shown testing is ntpq(with patch) + openssl from archive. To ensure 
all still works.
Testing with ntpq + fips-openssl was also done successfully.
 
VM-A (ntp server) 

1. Edit /etc/ntp.keys to include,
    
1 SHA1 austintexas
2 MD5 cedarpark

2. Edit /etc/ntp.conf to include.

keys /etc/ntp.keys       
trustedkey 2         
controlkey 2
requestkey 2

3. restart ntp
sudo service ntp restart

VM-B (ntp client)

$ dpkg -l | grep ntp
ii  ntp                                    1:4.2.8p10+dfsg-5ubuntu7.1+ppa1      
           amd64        Network Time Protocol daemon and utility programs

1. Edit /etc/ntp.keys to include,

1 SHA1 austintexas
2 MD5 cedarpark

2. Edit /etc/ntp.conf to include,
keys /etc/ntp.keys
server <VM-B ipaddress> key 2
trustedkey 2
controlkey 2
requestkey 2

3. I commented out all the "pool" entries in /etc/ntp.conf

4. restart ntp
sudo service ntp restart


On the client,

$ ntpq -c as

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 46728  f014   yes   yes   ok     reject   reachable  1

Notice that "auth" is ok.

$ ntpq
ntpq> keytype
keytype is MD5 with 16 octet digests
ntpq> keyid 2
ntpq> ifstats
MD5 Password: <enter "cedarpark">
    interface name                                        send
 #  address/broadcast     drop flag ttl mc received sent failed peers   uptime
==============================================================================
  0 v6wildcard               D   81   0  0      0      0      0     0       96
    [::]:123
  1 v4wildcard               D   89   0  0      0      0      0     0       96
    0.0.0.0:123
  2 lo                       .    5   0  0      2      1      0     0       96
    127.0.0.1:123
  3 ens3                     .   19   0  0      2      2      0     1       96
    192.168.122.105:123
  4 lo                       .    5   0  0      0      0      0     0       96
    [::1]:123
  5 ens3                     .   11   0  0      0      0      0     0       96
    [fe80::5054:ff:fefe:b092%2]:123
ntpq> 


Note: issuing "ifstats" requires authentication.

I also tested with SHA1 and it worked as well.


And last test on client, 
ntpq -p     

remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.122.106 204.11.201.12    3 u   56   64    7    1.541    2.723   0.826

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

Reply via email to