diff --git a/ntp/4.2.8p17/README.md b/ntp/4.2.8p17/README.md new file mode 100644 index 00000000..6e428d6f --- /dev/null +++ b/ntp/4.2.8p17/README.md @@ -0,0 +1,15 @@ +## Build Instructions + +### Build wolfSSL ++ Configure wolfSSL with `./configure --enable-ntp`. Add `--enable-debug` if you want to enable the debug version of wolfSSL. ++ Compile with `make`. ++ Install wolfSSL into /usr/local with `sudo make install`. + +### Build NTP ++ Download ntp 4.2.8p15 with `curl -O http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p15.tar.gz`. ++ Unarchive ntp-4.2.8p15.tar.gz with `tar xvf ntp-4.2.8p15.tar.gz`. cd into ntp-4.2.8p15. ++ Patch the source code with `patch -p1 < ntp-4.2.8p15.patch`, adjusting the path to the patch file accordingly. ++ Regenerate the configure script with `./bootstrap`. ++ Configure ntp with `./configure --with-wolfssl=/usr/local`. ++ Compile with `make`. ++ To pass all tests with `make check` compile wolfSSL additionally with `--enable-md4`. diff --git a/ntp/4.2.8p17/ntp-4.2.8p17.patch b/ntp/4.2.8p17/ntp-4.2.8p17.patch new file mode 100644 index 00000000..94f5d790 --- /dev/null +++ b/ntp/4.2.8p17/ntp-4.2.8p17.patch @@ -0,0 +1,598 @@ +From da8977fc4bb4f46833cb4b30b1ac76cdc095b18d Mon Sep 17 00:00:00 2001 +From: Juliusz Sosinowicz +Date: Tue, 31 Dec 2024 15:40:03 +0100 +Subject: [PATCH] Patch for wolfSSL + +--- + configure.ac | 98 ++++++++++++++++++------------- + include/libssl_compat.h | 4 ++ + include/ntp_crypto.h | 6 +- + include/ntp_md5.h | 9 ++- + libntp/a_md5encrypt.c | 4 +- + libntp/lib/isc/include/isc/util.h | 2 +- + libntp/lib/isc/lib.c | 2 +- + libntp/lib/isc/sockaddr.c | 6 +- + libntp/libssl_compat.c | 3 + + libntp/ntp_crypto_rnd.c | 3 + + libntp/ssl_init.c | 8 +-- + ntpd/ntp_control.c | 2 +- + ntpd/ntp_crypto.c | 15 ++++- + ntpq/ntpq.c | 4 +- + sntp/configure.ac | 6 +- + sntp/crypto.c | 2 +- + sntp/m4/ntp_wolfssl.m4 | 25 ++++++++ + tests/libntp/a_md5encrypt.c | 3 + + tests/libntp/run-a_md5encrypt.c | 1 + + tests/libntp/run-digests.c | 4 +- + util/ntp-keygen.c | 22 ++++++- + 21 files changed, 160 insertions(+), 69 deletions(-) + create mode 100644 sntp/m4/ntp_wolfssl.m4 + +diff --git a/configure.ac b/configure.ac +index c2dce35..3d821ad 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3008,49 +3008,65 @@ case "$ntp_libparse" in + esac + AC_MSG_RESULT([$ans]) + +-NTP_OPENSSL +- +-AC_MSG_CHECKING([if we want to enable CMAC support]) +-case "$ac_cv_header_openssl_cmac_h" in +- yes) +- AC_DEFINE([ENABLE_CMAC], [1], [Enable CMAC support?]) +- ans="yes" +- ;; +- *) ans="no" +- ;; +-esac +-AC_MSG_RESULT([$ans]) ++NTP_WOLFSSL ++if test $USE_WOLFSSL = yes; then ++ AC_CHECK_HEADER([wolfssl/options.h]) ++ if test $ac_cv_header_wolfssl_options_h = yes; then ++ AC_DEFINE([OPENSSL], [], [Use OpenSSL?]) ++ AC_DEFINE([WITH_WOLFSSL], [], [Use wolfSSL?]) ++ AC_DEFINE([ENABLE_CMAC], [1], [Enable CMAC support?]) ++ AC_DEFINE([USE_OPENSSL_CRYPTO_RAND], [1], [Use OpenSSL's crypto random functions?]) ++ AC_DEFINE([AUTOKEY], [1], [Support NTP Autokey protocol?]) ++ else ++ AC_MSG_ERROR([Unable to find wolfssl.]) ++ fi ++fi + +-NTP_CRYPTO_RAND ++if test $USE_WOLFSSL = no; then ++ NTP_OPENSSL + +-# if we are using OpenSSL (--with-crypto), by default Autokey is enabled +-AC_MSG_CHECKING([if we want to include NTP Autokey protocol support]) +-AC_ARG_ENABLE( +- [autokey], +- AS_HELP_STRING( +- [--enable-autokey], +- [+ support NTP Autokey protocol] +- ), +- [ntp_autokey=$enableval], +- [ntp_autokey=$ntp_openssl] +-) +-case "$ntp_autokey" in +- no) +- ;; +- *) +- case "$ntp_openssl" in +- no) +- AC_MSG_WARN([Disabling Autokey, --enable-autokey requires --with-crypto.]) +- ntp_autokey=no +- ;; +- *) +- AC_DEFINE([AUTOKEY], [1], [Support NTP Autokey protocol?]) +- ntp_autokey=yes +- ;; +- esac +- ;; +-esac +-AC_MSG_RESULT([$ntp_autokey]) ++ AC_MSG_CHECKING([if we want to enable CMAC support]) ++ case "$ac_cv_header_openssl_cmac_h" in ++ yes) ++ AC_DEFINE([ENABLE_CMAC], [1], [Enable CMAC support?]) ++ ans="yes" ++ ;; ++ *) ans="no" ++ ;; ++ esac ++ AC_MSG_RESULT([$ans]) ++ ++ NTP_CRYPTO_RAND ++ ++ # if we are using OpenSSL (--with-crypto), by default Autokey is enabled ++ AC_MSG_CHECKING([if we want to include NTP Autokey protocol support]) ++ AC_ARG_ENABLE( ++ [autokey], ++ AS_HELP_STRING( ++ [--enable-autokey], ++ [+ support NTP Autokey protocol] ++ ), ++ [ntp_autokey=$enableval], ++ [ntp_autokey=$ntp_openssl] ++ ) ++ case "$ntp_autokey" in ++ no) ++ ;; ++ *) ++ case "$ntp_openssl" in ++ no) ++ AC_MSG_WARN([Disabling Autokey, --enable-autokey requires --with-crypto.]) ++ ntp_autokey=no ++ ;; ++ *) ++ AC_DEFINE([AUTOKEY], [1], [Support NTP Autokey protocol?]) ++ ntp_autokey=yes ++ ;; ++ esac ++ ;; ++ esac ++ AC_MSG_RESULT([$ntp_autokey]) ++fi + + AC_SUBST([MAKE_CHECK_LAYOUT]) + AC_MSG_CHECKING([if we want to run check-layout]) +diff --git a/include/libssl_compat.h b/include/libssl_compat.h +index 2a3697c..2964515 100644 +--- a/include/libssl_compat.h ++++ b/include/libssl_compat.h +@@ -20,6 +20,8 @@ + #ifndef NTP_LIBSSL_COMPAT_H + #define NTP_LIBSSL_COMPAT_H + ++#ifndef WITH_WOLFSSL ++ + #include "openssl/evp.h" + #include "openssl/dsa.h" + #include "openssl/rsa.h" +@@ -116,4 +118,6 @@ extern int sslshim_X509_get_signature_nid(const X509 *x); + #endif /* OPENSSL_VERSION_NUMBER < v1.1.0 */ + /* ----------------------------------------------------------------- */ + ++#endif /* !WITH_WOLFSSL */ ++ + #endif /* NTP_LIBSSL_COMPAT_H */ +diff --git a/include/ntp_crypto.h b/include/ntp_crypto.h +index 32134a8..6b3af65 100644 +--- a/include/ntp_crypto.h ++++ b/include/ntp_crypto.h +@@ -19,11 +19,15 @@ + #define CRYPTO_CONF_NID 9 /* specify digest name */ + + #ifdef AUTOKEY +-#ifndef OPENSSL ++#if !defined(OPENSSL) + #error AUTOKEY should be defined only if OPENSSL is. + invalidsyntax: AUTOKEY should be defined only if OPENSSL is. + #endif + ++#ifdef WITH_WOLFSSL ++#include "wolfssl/options.h" ++#endif ++ + #include "openssl/bn.h" + #include "openssl/evp.h" + #include "ntp_calendar.h" /* for fields in the cert_info structure */ +diff --git a/include/ntp_md5.h b/include/ntp_md5.h +index 8b5a7d0..e9df8f8 100644 +--- a/include/ntp_md5.h ++++ b/include/ntp_md5.h +@@ -9,14 +9,17 @@ + # define KEY_TYPE_MD5 NID_md5 + + #ifdef OPENSSL ++#ifdef WITH_WOLFSSL ++# include ++#endif /* WITH_WOLFSSL */ + # include + # include "libssl_compat.h" +-# ifdef HAVE_OPENSSL_CMAC_H ++# if defined(HAVE_OPENSSL_CMAC_H) || (defined(WITH_WOLFSSL) && defined(WOLFSSL_CMAC)) + # include + # define CMAC "AES128CMAC" + # define AES_128_KEY_SIZE 16 +-# endif /*HAVE_OPENSSL_CMAC_H*/ +-#else /* !OPENSSL follows */ ++# endif /* HAVE_OPENSSL_CMAC_H || (WITH_WOLFSSL && WOLFSSL_CMAC) */ ++#else /* !OPENSSL follows */ + /* + * Provide OpenSSL-alike MD5 API if we're not using OpenSSL + */ +diff --git a/libntp/a_md5encrypt.c b/libntp/a_md5encrypt.c +index 7a37296..b58490a 100644 +--- a/libntp/a_md5encrypt.c ++++ b/libntp/a_md5encrypt.c +@@ -111,8 +111,10 @@ make_mac( + } + + #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW ++ #ifndef WITH_WOLFSSL + /* make sure MD5 is allowd */ + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); ++ #endif + #endif + /* [Bug 3457] DON'T use plain EVP_DigestInit! It would + * kill the flags! */ +@@ -270,7 +272,7 @@ addr2refid(sockaddr_u *addr) + INIT_SSL(); + + ctx = EVP_MD_CTX_new(); +-# ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW ++# if defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) && !defined(WITH_WOLFSSL) + /* MD5 is not used as a crypto hash here. */ + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + # endif +diff --git a/libntp/lib/isc/include/isc/util.h b/libntp/lib/isc/include/isc/util.h +index 670b28b..96b35c0 100644 +--- a/libntp/lib/isc/include/isc/util.h ++++ b/libntp/lib/isc/include/isc/util.h +@@ -226,7 +226,7 @@ + /*% Unexpected Error */ + #define UNEXPECTED_ERROR isc_error_unexpected + /*% Fatal Error */ +-#define FATAL_ERROR isc_error_fatal ++#define NTP_FATAL_ERROR isc_error_fatal + /*% Runtime Check */ + #define RUNTIME_CHECK(cond) ISC_ERROR_RUNTIMECHECK(cond) + +diff --git a/libntp/lib/isc/lib.c b/libntp/lib/isc/lib.c +index a505425..2707ff9 100644 +--- a/libntp/lib/isc/lib.c ++++ b/libntp/lib/isc/lib.c +@@ -68,7 +68,7 @@ isc_lib_initmsgcat(void) { + result = isc_once_do(&msgcat_once, open_msgcat); + if (result != ISC_R_SUCCESS) { + /* +- * Normally we'd use RUNTIME_CHECK() or FATAL_ERROR(), but ++ * Normally we'd use RUNTIME_CHECK() or NTP_FATAL_ERROR(), but + * we can't do that here, since they might call us! + * (Note that the catalog might be open anyway, so we might + * as well try to provide an internationalized message.) +diff --git a/libntp/lib/isc/sockaddr.c b/libntp/lib/isc/sockaddr.c +index c6932d4..b7184f0 100644 +--- a/libntp/lib/isc/sockaddr.c ++++ b/libntp/lib/isc/sockaddr.c +@@ -360,7 +360,7 @@ isc_sockaddr_pf(const isc_sockaddr_t *sockaddr) { + case AF_INET6: + return (PF_INET6); + default: +- FATAL_ERROR(__FILE__, __LINE__, ++ NTP_FATAL_ERROR(__FILE__, __LINE__, + isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR, + ISC_MSG_UNKNOWNFAMILY, + "unknown address family: %d"), +@@ -411,7 +411,7 @@ isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port) { + sockaddr->type.sin6.sin6_port = htons(port); + break; + default: +- FATAL_ERROR(__FILE__, __LINE__, ++ NTP_FATAL_ERROR(__FILE__, __LINE__, + "%s: %d", + isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR, + ISC_MSG_UNKNOWNFAMILY, +@@ -432,7 +432,7 @@ isc_sockaddr_getport(const isc_sockaddr_t *sockaddr) { + port = ntohs(sockaddr->type.sin6.sin6_port); + break; + default: +- FATAL_ERROR(__FILE__, __LINE__, ++ NTP_FATAL_ERROR(__FILE__, __LINE__, + "%s: %d", + isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR, + ISC_MSG_UNKNOWNFAMILY, +diff --git a/libntp/libssl_compat.c b/libntp/libssl_compat.c +index 5527682..3a3ab79 100644 +--- a/libntp/libssl_compat.c ++++ b/libntp/libssl_compat.c +@@ -17,6 +17,7 @@ + #include "config.h" + #include "ntp_types.h" + ++#ifndef WITH_WOLFSSL + /* ----------------------------------------------------------------- */ + #ifdef OPENSSL + # include +@@ -339,3 +340,5 @@ NONEMPTY_TRANSLATION_UNIT + /* ----------------------------------------------------------------- */ + #endif + /* ----------------------------------------------------------------- */ ++ ++#endif /* !WITH_WOLFSSL */ +diff --git a/libntp/ntp_crypto_rnd.c b/libntp/ntp_crypto_rnd.c +index 5fe7382..b4713cb 100644 +--- a/libntp/ntp_crypto_rnd.c ++++ b/libntp/ntp_crypto_rnd.c +@@ -19,6 +19,9 @@ + #include "safecast.h" + + #ifdef USE_OPENSSL_CRYPTO_RAND ++#ifdef WITH_WOLFSSL ++#include ++#endif + #include + #include + +diff --git a/libntp/ssl_init.c b/libntp/ssl_init.c +index 9258932..1ec5702 100644 +--- a/libntp/ssl_init.c ++++ b/libntp/ssl_init.c +@@ -18,11 +18,11 @@ + # include + # include + # include "libssl_compat.h" +-# ifdef HAVE_OPENSSL_CMAC_H ++# if defined(HAVE_OPENSSL_CMAC_H) || (defined(WITH_WOLFSSL) && defined(WOLFSSL_CMAC)) + # include + # define CMAC_LENGTH 16 + # define CMAC "AES128CMAC" +-# endif /*HAVE_OPENSSL_CMAC_H*/ ++# endif /* HAVE_OPENSSL_CMAC_H || (WITH_WOLFSSL && WOLFSSL_CMAC) */ + int ssl_init_done; + + #if OPENSSL_VERSION_NUMBER < 0x10100000L +@@ -141,10 +141,6 @@ keytype_from_text( + key_type = 0; + #endif + +- if (!key_type && 'm' == tolower((unsigned char)text[0])) { +- key_type = NID_md5; +- } +- + if (!key_type) { + return 0; + } +diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c +index 0cc7fcb..b000bb1 100644 +--- a/ntpd/ntp_control.c ++++ b/ntpd/ntp_control.c +@@ -3662,7 +3662,7 @@ static u_int32 derive_nonce( + } + + ctx = EVP_MD_CTX_new(); +-# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) ++# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) && !defined(WITH_WOLFSSL) + /* [Bug 3457] set flags and don't kill them again */ + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + rc = EVP_DigestInit_ex(ctx, EVP_get_digestbynid(NID_md5), NULL); +diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c +index 4a42076..1b06a86 100644 +--- a/ntpd/ntp_crypto.c ++++ b/ntpd/ntp_crypto.c +@@ -268,7 +268,7 @@ session_key( + break; + } + ctx = EVP_MD_CTX_new(); +-# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) ++# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) && !defined(WITH_WOLFSSL) + /* [Bug 3457] set flags and don't kill them again */ + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(ctx, EVP_get_digestbynid(crypto_nid), NULL); +@@ -2094,7 +2094,7 @@ bighash( + ptr = emalloc(len); + BN_bn2bin(bn, ptr); + ctx = EVP_MD_CTX_new(); +-# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) ++# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) && !defined(WITH_WOLFSSL) + /* [Bug 3457] set flags and don't kill them again */ + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); +@@ -2963,7 +2963,11 @@ crypto_bob3( + while (1) { + BN_rand(k, BN_num_bits(q), 0, 0); + BN_mod(k, k, q, bctx); ++ #ifdef WITH_WOLFSSL ++ BN_gcd(u, k, (BIGNUM*)q, bctx); ++ #else + BN_gcd(u, k, q, bctx); ++ #endif + if (BN_is_one(u)) + break; + } +@@ -3560,8 +3564,13 @@ cert_parse( + */ + case NID_subject_key_identifier: + data = X509_EXTENSION_get_data(ext); ++ #ifdef WITH_WOLFSSL ++ ret->grpkey = BN_bin2bn((const unsigned char*)&data->data[2], ++ data->length - 2, NULL); ++ #else + ret->grpkey = BN_bin2bn(&data->data[2], +- data->length - 2, NULL); ++ data->length - 2, NULL); ++ #endif + /* fall through */ + default: + DPRINTF(1, ("cert_parse: %s\n", +diff --git a/ntpq/ntpq.c b/ntpq/ntpq.c +index 1a0e9b1..d832e4e 100644 +--- a/ntpq/ntpq.c ++++ b/ntpq/ntpq.c +@@ -45,10 +45,10 @@ + # endif + # endif + # include "libssl_compat.h" +-# ifdef HAVE_OPENSSL_CMAC_H ++# if defined(HAVE_OPENSSL_CMAC_H) || (defined(WITH_WOLFSSL) && defined(WOLFSSL_CMAC)) + # include + # define CMAC "AES128CMAC" +-# endif ++# endif /* HAVE_OPENSSL_CMAC_H || (WITH_WOLFSSL && WOLFSSL_CMAC) */ + #endif + #include + +diff --git a/sntp/configure.ac b/sntp/configure.ac +index 43c2ad6..9a921f1 100644 +--- a/sntp/configure.ac ++++ b/sntp/configure.ac +@@ -121,7 +121,11 @@ NTP_FACILITYNAMES + # Checks for typedefs, structures, and compiler characteristics. + AC_HEADER_STDBOOL + +-NTP_OPENSSL ++NTP_WOLFSSL ++if test $USE_WOLFSSL = no; then ++ NTP_OPENSSL ++fi ++ + NTP_IPV6 + + ### +diff --git a/sntp/crypto.c b/sntp/crypto.c +index 7807ccc..f7c9d79 100644 +--- a/sntp/crypto.c ++++ b/sntp/crypto.c +@@ -80,7 +80,7 @@ compute_mac( + goto mac_fail; + } + #ifdef OPENSSL /* OpenSSL 1 supports return codes 0 fail, 1 okay */ +-# ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW ++# if defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) && !defined(WITH_WOLFSSL) + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + # endif + /* [Bug 3457] DON'T use plain EVP_DigestInit! It would +diff --git a/sntp/m4/ntp_wolfssl.m4 b/sntp/m4/ntp_wolfssl.m4 +new file mode 100644 +index 0000000..e48ff45 +--- /dev/null ++++ b/sntp/m4/ntp_wolfssl.m4 +@@ -0,0 +1,25 @@ ++AC_DEFUN([NTP_WOLFSSL], [ ++AC_ARG_WITH(wolfssl, ++ AC_HELP_STRING([--with-wolfssl=DIR],[location of wolfssl]), ++[ ++ CPPFLAGS_NTP="$CPPFLAGS_NTP -I${withval}/include/ -I${withval}/include/wolfssl" ++ LDADD_NTP="$LDADD_NTP -L${withval}/lib -lwolfssl" ++ USE_WOLFSSL=yes ++],[USE_WOLFSSL=no]) ++ ++if test $USE_WOLFSSL = yes; then ++ SAVED_CFLAGS=$CFLAGS ++ CFLAGS="$CFLAGS $CPPFLAGS_NTP" ++ AC_CHECK_HEADER([wolfssl/options.h]) ++ CFLAGS=$SAVED_CFLAGS ++ if test $ac_cv_header_wolfssl_options_h = yes; then ++ AC_DEFINE([OPENSSL], [], [Use OpenSSL?]) ++ AC_DEFINE([WITH_WOLFSSL], [], [Use wolfSSL?]) ++ AC_DEFINE([ENABLE_CMAC], [1], [Enable CMAC support?]) ++ AC_DEFINE([USE_OPENSSL_CRYPTO_RAND], [1], [Use OpenSSL's crypto random functions?]) ++ AC_DEFINE([AUTOKEY], [1], [Support NTP Autokey protocol?]) ++ else ++ AC_MSG_ERROR([Unable to find wolfssl.]) ++ fi ++fi ++]) +diff --git a/tests/libntp/a_md5encrypt.c b/tests/libntp/a_md5encrypt.c +index 212ec83..a61fa8a 100644 +--- a/tests/libntp/a_md5encrypt.c ++++ b/tests/libntp/a_md5encrypt.c +@@ -2,6 +2,9 @@ + #include "unity.h" + + #ifdef OPENSSL ++#ifdef WITH_WOLFSSL ++#include ++#endif /* WITH_WOLFSSL */ + # include "openssl/err.h" + # include "openssl/rand.h" + # include "openssl/evp.h" +diff --git a/tests/libntp/run-a_md5encrypt.c b/tests/libntp/run-a_md5encrypt.c +index 06dda63..8ed03c1 100644 +--- a/tests/libntp/run-a_md5encrypt.c ++++ b/tests/libntp/run-a_md5encrypt.c +@@ -25,6 +25,7 @@ + #include "config.h" + #include "ntp.h" + #include "ntp_stdlib.h" ++#include + + //=======External Functions This Runner Calls===== + extern void setUp(void); +diff --git a/tests/libntp/run-digests.c b/tests/libntp/run-digests.c +index ae574d0..16e1009 100644 +--- a/tests/libntp/run-digests.c ++++ b/tests/libntp/run-digests.c +@@ -73,8 +73,8 @@ int main(int argc, char *argv[]) + RUN_TEST(test_Digest_MD5, 205); + RUN_TEST(test_Digest_MDC2, 238); + RUN_TEST(test_Digest_RIPEMD160, 275); +- RUN_TEST(test_Digest_SHA1, 314); +- RUN_TEST(test_Digest_SHAKE128, 353); ++ RUN_TEST(test_Digest_SHA1, 316); ++ RUN_TEST(test_Digest_SHAKE128, 355); + + return (UnityEnd()); + } +diff --git a/util/ntp-keygen.c b/util/ntp-keygen.c +index ff9d6ca..826fd79 100644 +--- a/util/ntp-keygen.c ++++ b/util/ntp-keygen.c +@@ -2195,20 +2195,29 @@ genRsaKeyPair( + ) + { + RSA * rsa = RSA_new(); +- BN_GENCB * gcb = BN_GENCB_new(); + BIGNUM * bne = BN_new(); ++#ifndef WITH_WOLFSSL ++ BN_GENCB * gcb = BN_GENCB_new(); + + if (gcb) + BN_GENCB_set_old(gcb, cb, what); ++#endif + if (bne) + BN_set_word(bne, 65537); ++#ifdef WITH_WOLFSSL ++ if (!(rsa && bne && RSA_generate_key_ex( ++ rsa, bits, bne, NULL))) ++#else + if (!(rsa && gcb && bne && RSA_generate_key_ex( + rsa, bits, bne, gcb))) ++#endif + { + RSA_free(rsa); + rsa = NULL; + } ++#ifndef WITH_WOLFSSL + BN_GENCB_free(gcb); ++#endif + BN_free(bne); + return rsa; + } +@@ -2221,19 +2230,28 @@ genDsaParams( + { + + DSA * dsa = DSA_new(); +- BN_GENCB * gcb = BN_GENCB_new(); + u_char seed[20]; ++#ifndef WITH_WOLFSSL ++ BN_GENCB * gcb = BN_GENCB_new(); + + if (gcb) + BN_GENCB_set_old(gcb, cb, what); ++#endif + RAND_bytes(seed, sizeof(seed)); ++#ifdef WITH_WOLFSSL ++ if (!(dsa && DSA_generate_parameters_ex( ++ dsa, bits, seed, sizeof(seed), NULL, NULL, NULL))) ++#else + if (!(dsa && gcb && DSA_generate_parameters_ex( + dsa, bits, seed, sizeof(seed), NULL, NULL, gcb))) ++#endif + { + DSA_free(dsa); + dsa = NULL; + } ++#ifndef WITH_WOLFSSL + BN_GENCB_free(gcb); ++#endif + return dsa; + } + +-- +2.34.1 +