From aad42ceaec7d0685ca01e93fc19df555302aebda Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Mon, 25 Jan 2016 16:50:51 +0100 Subject: [PATCH] keys: warn about short key only if used by source After restricting authentication of servers and peers to the specified key, a short key in the key file is a security problem from the client's point of view only if it's specified for a source. --- keys.c | 18 +++++++++++++++--- keys.h | 1 + ntp_core.c | 9 +++++++-- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/keys.c b/keys.c index 0fc9d4e..4af7eb6 100644 --- a/keys.c +++ b/keys.c @@ -198,9 +198,6 @@ KEY_Reload(void) continue; } - if (key.len < MIN_SECURE_KEY_LENGTH) - LOG(LOGS_WARN, LOGF_Keys, "Key %"PRIu32" is too short", key_id); - key.id = key_id; key.val = MallocArray(char, key.len); memcpy(key.val, keyval, key.len); @@ -295,6 +292,21 @@ KEY_GetAuthDelay(uint32_t key_id) /* ================================================== */ +int +KEY_CheckKeyLength(uint32_t key_id) +{ + Key *key; + + key = get_key_by_id(key_id); + + if (!key) + return 0; + + return key->len >= MIN_SECURE_KEY_LENGTH; +} + +/* ================================================== */ + int KEY_GenerateAuth(uint32_t key_id, const unsigned char *data, int data_len, unsigned char *auth, int auth_len) diff --git a/keys.h b/keys.h index e6e51aa..65536cf 100644 --- a/keys.h +++ b/keys.h @@ -37,6 +37,7 @@ extern void KEY_Reload(void); extern int KEY_GetKey(uint32_t key_id, char **key, int *len); extern int KEY_KeyKnown(uint32_t key_id); extern int KEY_GetAuthDelay(uint32_t key_id); +extern int KEY_CheckKeyLength(uint32_t key_id); extern int KEY_GenerateAuth(uint32_t key_id, const unsigned char *data, int data_len, unsigned char *auth, int auth_len); diff --git a/ntp_core.c b/ntp_core.c index 8428642..4087c98 100644 --- a/ntp_core.c +++ b/ntp_core.c @@ -497,8 +497,13 @@ NCR_GetInstance(NTP_Remote_Address *remote_addr, NTP_Source_Type type, SourcePar result->do_auth = 1; result->auth_key_id = params->authkey; if (!KEY_KeyKnown(result->auth_key_id)) { - LOG(LOGS_WARN, LOGF_NtpCore, "Source %s added with unknown key %"PRIu32, - UTI_IPToString(&result->remote_addr.ip_addr), result->auth_key_id); + LOG(LOGS_WARN, LOGF_NtpCore, "Key %"PRIu32" used by source %s is %s", + result->auth_key_id, UTI_IPToString(&result->remote_addr.ip_addr), + "missing"); + } else if (!KEY_CheckKeyLength(result->auth_key_id)) { + LOG(LOGS_WARN, LOGF_NtpCore, "Key %"PRIu32" used by source %s is %s", + result->auth_key_id, UTI_IPToString(&result->remote_addr.ip_addr), + "too short"); } }