faraphel/chrony
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

client: add CMAC support to keygen command

Browse source 
Allow a CMAC cipher to be specified in the keygen command. Ignore the
specified length as the key length is determined by the cipher.
This commit is contained in:
Miroslav Lichvar 2019-09-19 13:17:20 +02:00
parent 57957ab6cf
commit 510aa8b050
3 changed files with 26 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
client.c
View file

@ -33,6 +33,7 @@
#include "array.h" #include "array.h"
#include "candm.h" #include "candm.h"
#include "cmac.h"
#include "logging.h" #include "logging.h"
#include "memory.h" #include "memory.h"
#include "nameserv.h" #include "nameserv.h"
@ -2852,28 +2853,39 @@ process_cmd_retries(const char *line)
static int static int
process_cmd_keygen(char *line) process_cmd_keygen(char *line)
{ {
char hash_name[17];
unsigned char key[512]; unsigned char key[512];
unsigned int i, length, id = 1, bits = 160; char type[17];
unsigned int i, cmac_length, length, id = 1, bits = 160;
#ifdef FEAT_SECHASH #ifdef FEAT_SECHASH
snprintf(hash_name, sizeof (hash_name), "SHA1"); snprintf(type, sizeof (type), "SHA1");
#else #else
snprintf(hash_name, sizeof (hash_name), "MD5"); snprintf(type, sizeof (type), "MD5");
#endif #endif
if (sscanf(line, "%u %16s %u", &id, hash_name, &bits)) if (sscanf(line, "%u %16s %u", &id, type, &bits))
; ;
length = CLAMP(10, (bits + 7) / 8, sizeof (key)); #ifdef HAVE_CMAC
if (HSH_GetHashId(hash_name) < 0) { cmac_length = CMC_GetKeyLength(type);
LOG(LOGS_ERR, "Unknown hash function %s", hash_name); #else
cmac_length = 0;
#endif
if (HSH_GetHashId(type) >= 0) {
length = (bits + 7) / 8;
} else if (cmac_length > 0) {
length = cmac_length;
} else {
LOG(LOGS_ERR, "Unknown hash function or cipher %s", type);
return 0; return 0;
} }
length = CLAMP(10, length, sizeof (key));
UTI_GetRandomBytesUrandom(key, length); UTI_GetRandomBytesUrandom(key, length);
printf("%u %s HEX:", id, hash_name); printf("%u %s HEX:", id, type);
for (i = 0; i < length; i++) for (i = 0; i < length; i++)
printf("%02hhX", key[i]); printf("%02hhX", key[i]);
printf("\n"); printf("\n");

1
configure vendored
View file

@ -886,6 +886,7 @@ if [ $feat_sechash = "1" ] && [ "x$HASH_LINK" = "x" ] && [ $try_nettle = "1" ];
then then
add_def HAVE_CMAC add_def HAVE_CMAC
EXTRA_OBJECTS="$EXTRA_OBJECTS cmac_nettle.o" EXTRA_OBJECTS="$EXTRA_OBJECTS cmac_nettle.o"
EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS cmac_nettle.o"
fi fi
fi fi
fi fi

8
doc/chronyc.adoc
View file

@ -1188,10 +1188,10 @@ generated from the _/dev/urandom_ device and it is printed to standard output.
+ +
The command has three optional arguments. The first argument is the key number The command has three optional arguments. The first argument is the key number
(by default 1), which will be specified with the *key* option of the *server* (by default 1), which will be specified with the *key* option of the *server*
or *peer* directives in the configuration file. The second argument is the hash or *peer* directives in the configuration file. The second argument is the name
function (by default SHA1 or MD5 if SHA1 is not available) and the third of the hash function or cipher (by default SHA1, or MD5 if SHA1 is not
argument is the number of bits the key should have, between 80 and 4096 bits available). The third argument is the length of the key in bits if a hash
(by default 160 bits). function was selected, between 80 and 4096 bits (by default 160 bits).
+ +
An example is: An example is:
+ +