From 4a219ecbf1e2689c4d45d22ad4cbf5a697529da9 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Tue, 17 Sep 2019 16:51:39 +0200
Subject: [PATCH] hash: drop support for RIPEMD hash functions

An analysis by Tim Ruffing [1] shows that a length extension attack adding valid extension fields to NTPv4 packets is possible with some specific key lengths and hash functions using little-endian length like MD5 and RIPEMD160. chronyd currently doesn't process or generate any extension fields, but it could be a problem in future when a non-authentication extension field is supported. Drop support for all RIPEMD functions as they don't seem to be secure in the context of the NTPv4 MAC. MD5 is kept only for compatibility.
[1] https://mailarchive.ietf.org/arch/msg/ntp/gvibuB6bTbDRBumfHNdJ84Kq4kA
---
 doc/chrony.conf.adoc | 3 +--
 hash_nettle.c | 1 -
 hash_tomcrypt.c | 12 ------------
 test/unit/hash.c | 8 --------
 4 files changed, 1 insertion(+), 23 deletions(-)
diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc
index cf94689..1516d7e 100644
--- a/doc/chrony.conf.adoc
+++ b/doc/chrony.conf.adoc
@@ -2045,8 +2045,7 @@ If *chronyd* was built with enabled support for hashing using a crypto library (nettle, nss, or libtomcrypt), the following functions are available: *MD5*, *SHA1*, *SHA256*, *SHA384*, *SHA512*. Depending on which library and version is *chronyd* using, some or all of the following functions may also be available:
-*SHA3-224*, *SHA3-256*, *SHA3-384*, *SHA3-512*, *RMD128*, *RMD160*, *RMD256*,
-*RMD320*, *TIGER*, *WHIRLPOOL*.
+*SHA3-224*, *SHA3-256*, *SHA3-384*, *SHA3-512*, *TIGER*, *WHIRLPOOL*.
 + The password can be specified as a string of characters not containing white space with an optional *ASCII:* prefix, or as a hexadecimal number with the
diff --git a/hash_nettle.c b/hash_nettle.c
index 2c3501d..2622f76 100644
--- a/hash_nettle.c
+++ b/hash_nettle.c
@@ -43,7 +43,6 @@ struct hash {
 static struct hash hashes[] = {
 { "MD5", "md5", NULL, NULL },
- { "RMD160", "ripemd160", NULL, NULL },
 { "SHA1", "sha1", NULL, NULL },
 { "SHA256", "sha256", NULL, NULL },
 { "SHA384", "sha384", NULL, NULL },
diff --git a/hash_tomcrypt.c b/hash_tomcrypt.c
index 4326c9e..8ee0490 100644
--- a/hash_tomcrypt.c
+++ b/hash_tomcrypt.c
@@ -39,18 +39,6 @@ struct hash {
 static const struct hash hashes[] = {
 { "MD5", "md5", &md5_desc },
-#ifdef LTC_RIPEMD128
- { "RMD128", "rmd128", &rmd128_desc },
-#endif
-#ifdef LTC_RIPEMD160
- { "RMD160", "rmd160", &rmd160_desc },
-#endif
-#ifdef LTC_RIPEMD256
- { "RMD256", "rmd256", &rmd256_desc },
-#endif
-#ifdef LTC_RIPEMD320
- { "RMD320", "rmd320", &rmd320_desc },
-#endif
 #ifdef LTC_SHA1
 { "SHA1", "sha1", &sha1_desc },
 #endif
diff --git a/test/unit/hash.c b/test/unit/hash.c
index 5cde039..f1e44bc 100644
--- a/test/unit/hash.c
+++ b/test/unit/hash.c
@@ -60,14 +60,6 @@ test_unit(void)
 "\x39\xfc\xcb\xc1\x29\xe1\x23\x7d\x8b\x56\x54\xe3\x08\x9d\xf9\x74"
 "\x78\x69\x2e\x3c\x7e\x51\x1e\x9d\xab\x09\xbe\xe7\x6b\x1a\xa1\x22"
 "\x93\xb1\x2b\x82\x9d\x1e\xcf\xa8\x99\xc5\xec\x7b\x1d\x89\x07\x2b", 64 },
- { "RMD128", "\x6f\xd7\x1f\x37\x47\x0f\xbd\x42\x57\xc8\xbb\xee\xba\x65\xf9\x35", 16 },
- { "RMD160", "\x7a\x88\xec\xc7\x09\xc5\x65\x34\x11\x24\xe3\xf9\xf7\xa5\xbf\xc6"
- "\x01\xe2\xc9\x32", 20},
- { "RMD256", "\x59\xdf\xd4\xcb\xc9\xbe\x7c\x27\x08\xa7\x23\xf7\xb3\x0c\xf0\x0d"
- "\xa0\xcf\x5b\x18\x16\x51\x56\x6d\xda\x7b\x87\x24\x9d\x83\x35\xe1", 32 },
- { "RMD320", "\x68\x98\x10\xf4\xb6\x79\xb6\x15\xf1\x48\x2d\x73\xd0\x23\x84\x01"
- "\xbf\xaa\x67\xcf\x1e\x35\x5c\xbf\xe9\xb8\xaf\xe1\xee\x0d\xf0\x6b"
- "\xe2\x3a\x9a\x3a\xa7\x56\xad\x70", 40},
 { "TIGER", "\x1c\xcd\x68\x74\xca\xd6\xd5\x17\xba\x3e\x82\xaf\xbd\x70\xdc\x66"
 "\x99\xaa\xae\x16\x72\x59\xd1\x64", 24},
 { "WHIRLPOOL", "\xe3\xcd\xe6\xbf\xe1\x8c\xe4\x4d\xc8\xb4\xa5\x7c\x36\x8d\xc8\x8a"