keys: add support for checking truncated MACs

This commit is contained in:
Miroslav Lichvar 2016-11-29 11:32:39 +01:00
parent 2f5b4aea91
commit 38c4a7ff97
3 changed files with 10 additions and 8 deletions

12
keys.c

@ -350,12 +350,14 @@ generate_ntp_auth(int hash_id, const unsigned char *key, int key_len,
static int static int
check_ntp_auth(int hash_id, const unsigned char *key, int key_len, check_ntp_auth(int hash_id, const unsigned char *key, int key_len,
const unsigned char *data, int data_len, const unsigned char *data, int data_len,
const unsigned char *auth, int auth_len) const unsigned char *auth, int auth_len, int trunc_len)
{ {
unsigned char buf[MAX_HASH_LENGTH]; unsigned char buf[MAX_HASH_LENGTH];
int hash_len;
return generate_ntp_auth(hash_id, key, key_len, data, data_len, hash_len = generate_ntp_auth(hash_id, key, key_len, data, data_len, buf, sizeof (buf));
buf, sizeof (buf)) == auth_len && !memcmp(buf, auth, auth_len);
return MIN(hash_len, trunc_len) == auth_len && !memcmp(buf, auth, auth_len);
} }
/* ================================================== */ /* ================================================== */
@ -379,7 +381,7 @@ KEY_GenerateAuth(uint32_t key_id, const unsigned char *data, int data_len,
int int
KEY_CheckAuth(uint32_t key_id, const unsigned char *data, int data_len, KEY_CheckAuth(uint32_t key_id, const unsigned char *data, int data_len,
const unsigned char *auth, int auth_len) const unsigned char *auth, int auth_len, int trunc_len)
{ {
Key *key; Key *key;
@ -389,5 +391,5 @@ KEY_CheckAuth(uint32_t key_id, const unsigned char *data, int data_len,
return 0; return 0;
return check_ntp_auth(key->hash_id, (unsigned char *)key->val, key->len, return check_ntp_auth(key->hash_id, (unsigned char *)key->val, key->len,
data, data_len, auth, auth_len); data, data_len, auth, auth_len, trunc_len);
} }
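Review bot: The rewritten return in check_ntp_auth still compares the received MAC with `memcmp`, which stops at the first mismatching byte, so verification time depends on how many leading bytes of a candidate MAC are correct; a fixed-time comparison over auth_len bytes is the usual defence for a MAC check. The new hash_len is also fed straight into MIN() without a check: generate_ntp_auth's failure value is defined outside this hunk, but if it reports failure with 0 or a negative number, a matching small auth_len could still satisfy the length test, so I would add `if (hash_len <= 0) return 0;` before the return. Both points fit in a small static helper plus two lines in check_ntp_auth, as below (the helper is new; the rest of the function is unchanged).
```c
static int
const_time_equal(const unsigned char *a, const unsigned char *b, int len)
{
  unsigned char diff = 0;
  int i;

  for (i = 0; i < len; i++)
    diff |= a[i] ^ b[i];

  return diff == 0;
}

/* … unchanged: check_ntp_auth signature, buf declaration, generate_ntp_auth call … */
  if (hash_len <= 0)
    return 0;

  return MIN(hash_len, trunc_len) == auth_len && const_time_equal(buf, auth, auth_len);
```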

4
keys.h

@ -41,7 +41,7 @@ extern int KEY_CheckKeyLength(uint32_t key_id);
extern int KEY_GenerateAuth(uint32_t key_id, const unsigned char *data, extern int KEY_GenerateAuth(uint32_t key_id, const unsigned char *data,
int data_len, unsigned char *auth, int auth_len); int data_len, unsigned char *auth, int auth_len);
extern int KEY_CheckAuth(uint32_t key_id, const unsigned char *data, extern int KEY_CheckAuth(uint32_t key_id, const unsigned char *data, int data_len,
int data_len, const unsigned char *auth, int auth_len); const unsigned char *auth, int auth_len, int trunc_len);
#endif /* GOT_KEYS_H */ #endif /* GOT_KEYS_H */
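Review bot: The new trunc_len parameter of KEY_CheckAuth is undocumented in the header, and its relation to auth_len cannot be inferred from the prototype alone. I would add above the declaration: `/* Returns 1 if auth holds a valid MAC for data: the hash output is truncated to at most trunc_len bytes before comparison, so auth_len must equal MIN(hash length, trunc_len) */`.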


@ -1181,7 +1181,7 @@ check_packet_auth(NTP_Packet *pkt, int length,
if (remainder >= NTP_MIN_MAC_LENGTH && remainder <= NTP_MAX_MAC_LENGTH) { if (remainder >= NTP_MIN_MAC_LENGTH && remainder <= NTP_MAX_MAC_LENGTH) {
id = ntohl(*(uint32_t *)(data + i)); id = ntohl(*(uint32_t *)(data + i));
if (KEY_CheckAuth(id, (void *)pkt, i, (void *)(data + i + 4), if (KEY_CheckAuth(id, (void *)pkt, i, (void *)(data + i + 4),
remainder - 4)) { remainder - 4, NTP_MAX_MAC_LENGTH - 4)) {
*auth_mode = AUTH_SYMMETRIC; *auth_mode = AUTH_SYMMETRIC;
*key_id = id; *key_id = id;
return 1; return 1;