1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
|
/*
* HMS: we need to test:
* - OpenSSL versions, if we are building with them
* - our versions
*
* We may need to test with(out) OPENSSL separately.
*/
#include <config.h>
#include "crypto.h"
#include <ctype.h>
#include "isc/string.h"
#include "ntp_md5.h"
#ifndef EVP_MAX_MD_SIZE
# define EVP_MAX_MD_SIZE 32
#endif
struct key *key_ptr;
size_t key_cnt = 0;
typedef struct key Key_T;
static u_int
compute_mac(
u_char digest[EVP_MAX_MD_SIZE],
char const * macname,
void const * pkt_data,
u_int pkt_size,
void const * key_data,
u_int key_size
)
{
u_int len = 0;
#if defined(OPENSSL) && defined(ENABLE_CMAC)
size_t slen = 0;
#endif
int key_type;
INIT_SSL();
key_type = keytype_from_text(macname, NULL);
#if defined(OPENSSL) && defined(ENABLE_CMAC)
/* Check if CMAC key type specific code required */
if (key_type == NID_cmac) {
CMAC_CTX * ctx = NULL;
u_char keybuf[AES_128_KEY_SIZE];
/* adjust key size (zero padded buffer) if necessary */
if (AES_128_KEY_SIZE > key_size) {
memcpy(keybuf, key_data, key_size);
memset((keybuf + key_size), 0,
(AES_128_KEY_SIZE - key_size));
key_data = keybuf;
}
if (!(ctx = CMAC_CTX_new())) {
msyslog(LOG_ERR, "make_mac: CMAC %s CTX new failed.", CMAC);
}
else if (!CMAC_Init(ctx, key_data, AES_128_KEY_SIZE,
EVP_aes_128_cbc(), NULL)) {
msyslog(LOG_ERR, "make_mac: CMAC %s Init failed.", CMAC);
}
else if (!CMAC_Update(ctx, pkt_data, (size_t)pkt_size)) {
msyslog(LOG_ERR, "make_mac: CMAC %s Update failed.", CMAC);
}
else if (!CMAC_Final(ctx, digest, &slen)) {
msyslog(LOG_ERR, "make_mac: CMAC %s Final failed.", CMAC);
slen = 0;
}
len = (u_int)slen;
CMAC_CTX_cleanup(ctx);
/* Test our AES-128-CMAC implementation */
} else /* MD5 MAC handling */
#endif
{
EVP_MD_CTX * ctx;
if (!(ctx = EVP_MD_CTX_new())) {
msyslog(LOG_ERR, "make_mac: MAC %s Digest CTX new failed.",
macname);
goto mac_fail;
}
#ifdef OPENSSL /* OpenSSL 1 supports return codes 0 fail, 1 okay */
# ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
# endif
/* [Bug 3457] DON'T use plain EVP_DigestInit! It would
* kill the flags! */
if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(key_type), NULL)) {
msyslog(LOG_ERR, "make_mac: MAC %s Digest Init failed.",
macname);
goto mac_fail;
}
if (!EVP_DigestUpdate(ctx, key_data, key_size)) {
msyslog(LOG_ERR, "make_mac: MAC %s Digest Update key failed.",
macname);
goto mac_fail;
}
if (!EVP_DigestUpdate(ctx, pkt_data, pkt_size)) {
msyslog(LOG_ERR, "make_mac: MAC %s Digest Update data failed.",
macname);
goto mac_fail;
}
if (!EVP_DigestFinal(ctx, digest, &len)) {
msyslog(LOG_ERR, "make_mac: MAC %s Digest Final failed.",
macname);
len = 0;
}
#else /* !OPENSSL */
EVP_DigestInit(ctx, EVP_get_digestbynid(key_type));
EVP_DigestUpdate(ctx, key_data, key_size);
EVP_DigestUpdate(ctx, pkt_data, pkt_size);
EVP_DigestFinal(ctx, digest, &len);
#endif
mac_fail:
EVP_MD_CTX_free(ctx);
}
return len;
}
int
make_mac(
const void * pkt_data,
int pkt_size,
int mac_size,
Key_T const * cmp_key,
void * digest
)
{
u_int len;
u_char dbuf[EVP_MAX_MD_SIZE];
if (cmp_key->key_len > 64 || mac_size <= 0)
return 0;
if (pkt_size % 4 != 0)
return 0;
len = compute_mac(dbuf, cmp_key->typen,
pkt_data, (u_int)pkt_size,
cmp_key->key_seq, (u_int)cmp_key->key_len);
if (len) {
if (len > (u_int)mac_size)
len = (u_int)mac_size;
memcpy(digest, dbuf, len);
}
return (int)len;
}
/* Generates a md5 digest of the key specified in keyid concatenated with the
* ntp packet (exluding the MAC) and compares this digest to the digest in
* the packet's MAC. If they're equal this function returns 1 (packet is
* authentic) or else 0 (not authentic).
*/
int
auth_md5(
void const * pkt_data,
int pkt_size,
int mac_size,
Key_T const * cmp_key
)
{
u_int len = 0;
u_char const * pkt_ptr = pkt_data;
u_char dbuf[EVP_MAX_MD_SIZE];
if (mac_size <= 0 || (size_t)mac_size > sizeof(dbuf))
return FALSE;
len = compute_mac(dbuf, cmp_key->typen,
pkt_ptr, (u_int)pkt_size,
cmp_key->key_seq, (u_int)cmp_key->key_len);
pkt_ptr += pkt_size + 4;
if (len > (u_int)mac_size)
len = (u_int)mac_size;
/* isc_tsmemcmp will be better when its easy to link with. sntp
* is a 1-shot program, so snooping for timing attacks is
* Harder.
*/
return ((u_int)mac_size == len) && !memcmp(dbuf, pkt_ptr, len);
}
static int
hex_val(
unsigned char x
)
{
int val;
if ('0' <= x && x <= '9')
val = x - '0';
else if ('a' <= x && x <= 'f')
val = x - 'a' + 0xa;
else if ('A' <= x && x <= 'F')
val = x - 'A' + 0xA;
else
val = -1;
return val;
}
/* Load keys from the specified keyfile into the key structures.
* Returns -1 if the reading failed, otherwise it returns the
* number of keys it read
*/
int
auth_init(
const char *keyfile,
struct key **keys
)
{
FILE *keyf = fopen(keyfile, "r");
struct key *prev = NULL;
int scan_cnt, line_cnt = 1;
char kbuf[200];
char keystring[129];
/* HMS: Is it OK to do this later, after we know we have a key file? */
INIT_SSL();
if (keyf == NULL) {
if (debug)
printf("sntp auth_init: Couldn't open key file %s for reading!\n", keyfile);
return -1;
}
if (feof(keyf)) {
if (debug)
printf("sntp auth_init: Key file %s is empty!\n", keyfile);
fclose(keyf);
return -1;
}
key_cnt = 0;
while (!feof(keyf)) {
char * octothorpe;
struct key *act;
int goodline = 0;
if (NULL == fgets(kbuf, sizeof(kbuf), keyf))
continue;
kbuf[sizeof(kbuf) - 1] = '\0';
octothorpe = strchr(kbuf, '#');
if (octothorpe)
*octothorpe = '\0';
act = emalloc(sizeof(*act));
/* keep width 15 = sizeof struct key.typen - 1 synced */
scan_cnt = sscanf(kbuf, "%d %15s %128s",
&act->key_id, act->typen, keystring);
if (scan_cnt == 3) {
int len = strlen(keystring);
goodline = 1; /* assume best for now */
if (len <= 20) {
act->key_len = len;
memcpy(act->key_seq, keystring, len + 1);
} else if ((len & 1) != 0) {
goodline = 0; /* it's bad */
} else {
int j;
act->key_len = len >> 1;
for (j = 0; j < len; j+=2) {
int val;
val = (hex_val(keystring[j]) << 4) |
hex_val(keystring[j+1]);
if (val < 0) {
goodline = 0; /* it's bad */
break;
}
act->key_seq[j>>1] = (char)val;
}
}
act->typei = keytype_from_text(act->typen, NULL);
if (0 == act->typei) {
printf("%s: line %d: key %d, %s not supported - ignoring\n",
keyfile, line_cnt,
act->key_id, act->typen);
goodline = 0; /* it's bad */
}
}
if (goodline) {
act->next = NULL;
if (NULL == prev)
*keys = act;
else
prev->next = act;
prev = act;
key_cnt++;
} else {
if (debug) {
printf("auth_init: scanf %d items, skipping line %d.",
scan_cnt, line_cnt);
}
free(act);
}
line_cnt++;
}
fclose(keyf);
key_ptr = *keys;
return key_cnt;
}
/* Looks for the key with keyid key_id and sets the d_key pointer to the
* address of the key. If no matching key is found the pointer is not touched.
*/
void
get_key(
int key_id,
struct key **d_key
)
{
struct key *itr_key;
if (key_cnt == 0)
return;
for (itr_key = key_ptr; itr_key; itr_key = itr_key->next) {
if (itr_key->key_id == key_id) {
*d_key = itr_key;
break;
}
}
return;
}
|
