
ntpd refuses to start with FIPS mode enabled #1534

Closed
adam-bartlett-sp opened this issue Sep 3, 2024 · 2 comments
Labels
kind/bug Something isn't working resolution-suggested

Comments

@adam-bartlett-sp

Description

When FIPS mode is enabled on openssl, ntpd refuses to start due to md5 being disabled as a security hash.

Impact

We can not use ntpd to synchronize time on Flatcar OS images when running in FIPS mode. This creates a security and compliance risk for customers that require FIPS 140-2 cryptography to be enabled.

Environment and steps to reproduce

  1. Set-up: Flatcar OS stable 3975.2.0 with FIPS enabled. Seen on an AWS image.
  2. Task: Enable FIPS with a default NTP configuration.
  3. Action(s):
    a. Enabled FIPS mode:

openssl fipsinstall \
  -out /etc/ssl/fipsmodule.cnf \
  -module /usr/lib64/ossl-modules/fips.so
cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.nonfips
sed -i '/# .include fipsmodule.cnf/s/# .include /.include \/etc\/ssl\//' /etc/ssl/openssl.cnf
sed -i '/# fips = fips_sect/s/# //' /etc/ssl/openssl.cnf
sed -i '/^set linux_append/s/\"$/ fips=1\"/' /usr/share/oem/grub.cfg
touch /etc/system-fips

    b. Reboot host to trigger all FIPS mode items to be properly enabled.

  4. Error:
Sep 03 16:59:39 ip-10-0-0-22 systemd[1]: Started ntpd.service - Network Time Service.
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: ntpd 4.2.8p17@1.4004-o Mon Aug  5 19:55:28 UTC 2024 (1): Starting
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: Command line: /usr/sbin/ntpd -g -n -u ntp:ntp
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: ntpd 4.2.8p17@1.4004-o Mon Aug  5 19:55:28 UTC 2024 (1): Starting
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: Command line: /usr/sbin/ntpd -g -n -u ntp:ntp
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: ----------------------------------------------------
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: ntp-4 is maintained by Network Time Foundation,
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: Inc. (NTF), a non-profit 501(c)(3) public-benefit
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: corporation.  Support and training for ntp-4 are
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: available at https://www.nwtime.org/support
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: ----------------------------------------------------
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: ----------------------------------------------------
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: proto: precision = 0.109 usec (-23)
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: basedate set to 2024-07-24
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: gps base set to 2024-07-28 (week 2325)
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: ntp-4 is maintained by Network Time Foundation,
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: Inc. (NTF), a non-profit 501(c)(3) public-benefit
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: corporation.  Support and training for ntp-4 are
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: available at https://www.nwtime.org/support
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: ----------------------------------------------------
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: proto: precision = 0.109 usec (-23)
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: basedate set to 2024-07-24
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: gps base set to 2024-07-28 (week 2325)
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: MD5 init failed
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]:  3 Sep 16:59:39 ntpd[1750]: MD5 init failed
Sep 03 16:59:39 ip-10-0-0-22 systemd[1]: ntpd.service: Main process exited, code=exited, status=1/FAILURE
Sep 03 16:59:39 ip-10-0-0-22 systemd[1]: ntpd.service: Failed with result 'exit-code'.
Sep 03 16:59:40 ip-10-0-0-22 systemd[1]: ntpd.service: Scheduled restart job, restart counter is at 5.
Sep 03 16:59:40 ip-10-0-0-22 systemd[1]: ntpd.service: Start request repeated too quickly.
Sep 03 16:59:40 ip-10-0-0-22 systemd[1]: ntpd.service: Failed with result 'exit-code'.
Sep 03 16:59:40 ip-10-0-0-22 systemd[1]: Failed to start ntpd.service - Network Time Service.

Expected behavior

ntpd.service should execute normally.

Additional information

None.

@tormath1
Contributor

tormath1 commented Sep 4, 2024

Hello,

I think that's to be expected: md5 is not FIPS validated, so this algorithm can't be used when FIPS is enabled. Looking at the source code: https://github.com/ntp-project/ntp/blob/9c75327c3796ff59ac648478cd4da8b205bceb77/libntp/a_md5encrypt.c#L119-L127, this flag EVP_MD_CTX_FLAG_NON_FIPS_ALLOW does not even seem to be used anymore: https://github.com/openssl/openssl/blob/2a6305dfcd89632b69e49f8b3efe98b7e0daa1aa/include/openssl/evp.h#L211-L212

One should patch ntp to handle FIPS mode correctly; in the meantime you can add an exception to use the standard openssl configuration for this program (via Ignition or your provisioning method):

# /etc/systemd/system/ntpd.service.d/override.conf
[Service]
Environment=OPENSSL_CONF=/etc/ssl/openssl.cnf.nonfips

EDIT: Thanks for the detailed report.
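The script below is an added example, not code from this thread, from Flatcar or from ntp. It turns the reporter's enablement steps and tormath1's drop-in into checks a host can run on itself: is the kernel booted with fips=1, does `openssl list -providers` show the fips provider as active, does the ntpd journal carry the fatal "MD5 init failed", and does `openssl dgst -md5` fail under /etc/ssl/openssl.cnf but succeed under the /etc/ssl/openssl.cnf.nonfips copy the reporter kept. Only when the last two line up does it write the override.conf tormath1 gave. Assumptions: the paths above, the two-space/four-space layout of the provider listing, and that the `openssl dgst -md5` rejection is the same FIPS-provider refusal ntpd hits at startup. The provider listing and journal samples are constructed from the report so the parsing functions run offline.

```shell
#!/bin/sh
# Added example; not code from this issue, from Flatcar or from ntp.
# Checks the FIPS indicators the thread describes and applies tormath1's
# systemd drop-in only when the default config rejects MD5 and the
# non-FIPS copy accepts it. Assumed paths follow the thread:
#   /etc/ssl/openssl.cnf.nonfips
#   /etc/systemd/system/ntpd.service.d/override.conf

# Constructed samples (not captured from a real host). The provider listing
# follows the `openssl list -providers` layout; the journal lines are copied
# from the report's excerpt.
SAMPLE_PROVIDERS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.13
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active'

SAMPLE_JOURNAL='Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: gps base set to 2024-07-28 (week 2325)
Sep 03 16:59:39 ip-10-0-0-22 ntpd[1750]: MD5 init failed
Sep 03 16:59:39 ip-10-0-0-22 systemd[1]: ntpd.service: Main process exited, code=exited, status=1/FAILURE'

# Return 0 if the kernel command line in $1 (e.g. /proc/cmdline) has fips=1
# as a whole word, so nofips=1 or fips=0 do not count.
cmdline_has_fips() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])fips=1([[:space:]]|$)'
}

# Return 0 if `openssl list -providers` output in $1 shows the fips provider
# with "status: active". Provider names are indented two spaces and their
# attributes four, so each two-space line opens a provider's block.
fips_provider_active() {
    printf '%s\n' "$1" | awk '
        /^  [^ ]/                          { prov = $1 }
        prov == "fips" && /status: active/ { found = 1 }
        END                                { exit found ? 0 : 1 }'
}

# Return 0 if the journal text in $1 carries ntpd's fatal "MD5 init failed".
ntpd_md5_init_failed() {
    printf '%s\n' "$1" | grep -q 'ntpd\[[0-9]*\]: MD5 init failed'
}

# Return 0 if MD5 digests work under the OpenSSL config file in $1.
# Live check against the installed openssl; not part of the offline checks.
md5_usable_with_conf() {
    OPENSSL_CONF="$1" openssl dgst -md5 /dev/null >/dev/null 2>&1
}

# Print the systemd drop-in that hands ntpd the config file in $1.
render_ntpd_override() {
    printf '[Service]\nEnvironment=OPENSSL_CONF=%s\n' "$1"
}

# Live flow for a host: report the indicators, then install the drop-in when
# the default config rejects MD5 but the non-FIPS copy accepts it.
main() {
    nonfips_conf=/etc/ssl/openssl.cnf.nonfips
    dropin_dir=/etc/systemd/system/ntpd.service.d

    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    providers=$(openssl list -providers 2>/dev/null || true)
    journal=$(journalctl -u ntpd --no-pager -n 50 2>/dev/null || true)

    cmdline_has_fips "$cmdline"       && echo "kernel: fips=1 on the command line"
    fips_provider_active "$providers" && echo "openssl: FIPS provider active"
    ntpd_md5_init_failed "$journal"   && echo "ntpd: 'MD5 init failed' in the journal"

    if fips_provider_active "$providers" && ! md5_usable_with_conf /etc/ssl/openssl.cnf; then
        if md5_usable_with_conf "$nonfips_conf"; then
            mkdir -p "$dropin_dir"
            render_ntpd_override "$nonfips_conf" > "$dropin_dir/override.conf"
            systemctl daemon-reload
            echo "installed $dropin_dir/override.conf; run: systemctl restart ntpd"
        else
            echo "MD5 also fails under $nonfips_conf; check that file" >&2
            return 1
        fi
    fi
}

# Run the live flow only when executed directly; set the variable to skip it.
[ -n "${NTPD_FIPS_CHECK_NO_MAIN:-}" ] || main "$@"
```

Run it as root on the affected host. The drop-in takes only ntpd off the FIPS provider; every other process keeps the FIPS configuration, which is the trade-off tormath1's workaround makes until ntp itself handles FIPS mode. The comparison of the default and non-FIPS configs is what separates this failure from an unrelated ntpd startup error: if MD5 fails under both, the copy made before editing openssl.cnf is not the one you think it is.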

@adam-bartlett-sp
Author

I think we're okay with the workaround for now - if we get complaints from our FIPS required users, we can look at alternative methods of addressing this.
