keys: warn about short key only if used by source
After restricting authentication of servers and peers to the specified key, a short key in the key file is a security problem from the client's point of view only if it's specified for a source.
parent
f225469e6e
commit
aad42ceaec
3 changed files with 23 additions and 5 deletions
18
keys.c
18
keys.c
|
@ -198,9 +198,6 @@ KEY_Reload(void)
|
|||
continue;
|
||||
}
|
||||
|
||||
if (key.len < MIN_SECURE_KEY_LENGTH)
|
||||
LOG(LOGS_WARN, LOGF_Keys, "Key %"PRIu32" is too short", key_id);
|
||||
|
||||
key.id = key_id;
|
||||
key.val = MallocArray(char, key.len);
|
||||
memcpy(key.val, keyval, key.len);
|
||||
|
@ -295,6 +292,21 @@ KEY_GetAuthDelay(uint32_t key_id)
|
|||
|
||||
/* ================================================== */
|
||||
|
||||
int
|
||||
KEY_CheckKeyLength(uint32_t key_id)
|
||||
{
|
||||
Key *key;
|
||||
|
||||
key = get_key_by_id(key_id);
|
||||
|
||||
if (!key)
|
||||
return 0;
|
||||
|
||||
return key->len >= MIN_SECURE_KEY_LENGTH;
|
||||
}
|
||||
|
||||
/* ================================================== */
|
||||
|
||||
int
|
||||
KEY_GenerateAuth(uint32_t key_id, const unsigned char *data, int data_len,
|
||||
unsigned char *auth, int auth_len)
|
||||
|
|
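Review bot: KEY_CheckKeyLength() returns 0 both when the key id is unknown and when the key is shorter than MIN_SECURE_KEY_LENGTH, and neither the definition in keys.c nor the declaration in keys.h documents that. The caller in NCR_GetInstance prints the right message only because it tests KEY_KeyKnown() first; a future caller that skips that test would report a missing key as merely too short. A comment above the function would record the contract: `/* Returns 1 if the key exists and has at least MIN_SECURE_KEY_LENGTH bytes, 0 if it is missing or shorter */`.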
1
keys.h
1
keys.h
|
@ -37,6 +37,7 @@ extern void KEY_Reload(void);
|
|||
extern int KEY_GetKey(uint32_t key_id, char **key, int *len);
|
||||
extern int KEY_KeyKnown(uint32_t key_id);
|
||||
extern int KEY_GetAuthDelay(uint32_t key_id);
|
||||
extern int KEY_CheckKeyLength(uint32_t key_id);
|
||||
|
||||
extern int KEY_GenerateAuth(uint32_t key_id, const unsigned char *data,
|
||||
int data_len, unsigned char *auth, int auth_len);
|
||||
|
|
|
@ -497,8 +497,13 @@ NCR_GetInstance(NTP_Remote_Address *remote_addr, NTP_Source_Type type, SourcePar
|
|||
result->do_auth = 1;
|
||||
result->auth_key_id = params->authkey;
|
||||
if (!KEY_KeyKnown(result->auth_key_id)) {
|
||||
LOG(LOGS_WARN, LOGF_NtpCore, "Source %s added with unknown key %"PRIu32,
|
||||
UTI_IPToString(&result->remote_addr.ip_addr), result->auth_key_id);
|
||||
LOG(LOGS_WARN, LOGF_NtpCore, "Key %"PRIu32" used by source %s is %s",
|
||||
result->auth_key_id, UTI_IPToString(&result->remote_addr.ip_addr),
|
||||
"missing");
|
||||
} else if (!KEY_CheckKeyLength(result->auth_key_id)) {
|
||||
LOG(LOGS_WARN, LOGF_NtpCore, "Key %"PRIu32" used by source %s is %s",
|
||||
result->auth_key_id, UTI_IPToString(&result->remote_addr.ip_addr),
|
||||
"too short");
|
||||
}
|
||||
}
|
||||
|
||||
|
|
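Review bot: The length and presence checks now run only at the point where NCR_GetInstance sets up authentication for a new source, while the warning that ran on every KEY_Reload() is removed. As far as these hunks show, a key file reloaded later with a shorter key, or without the key, for an already-configured source is accepted without any log message. If that is intended, a comment at this check would make the limitation visible: `/* Key is checked only when the source is added; a later KEY_Reload() is not re-checked */`. Otherwise the same two checks could be repeated for existing sources after a reload. NCR_GetInstance starts and ends outside the hunk, so any handling elsewhere in the function is not visible here.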