---
+
+* [Bug 3471] Check for openssl/[ch]mac.h. HStenn.
+ - add #define ENABLE_CMAC support in configure. HStenn.
+---
(4.2.8p11) 2018/02/27 Released by Harlan Stenn <stenn@ntp.org>
* [Sec 3454] Unauthenticated packet can reset authenticated interleave
NTP_OPENSSL
+AC_MSG_CHECKING([if we want to enable CMAC support])
+case "$ac_cv_header_openssl_cmac_h" in
+ yes)
+ AC_DEFINE([ENABLE_CMAC], [1], [Enable CMAC support?])
+ ans="yes"
+ ;;
+ *) ans="no"
+ ;;
+esac
+AC_MSG_RESULT([$ans])
+
NTP_CRYPTO_RAND
# if we are using OpenSSL (--with-crypto), by default Autokey is enabled
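Review bot: The new `case` on `$ac_cv_header_openssl_cmac_h` gives no signal when OpenSSL was selected but `openssl/cmac.h` was not found, so a build that silently loses AES128CMAC support looks the same in the configure output as one that never had it. After `AC_MSG_RESULT([$ans])` I would add `case "$ntp_openssl$ans" in` / ` yesno) AC_MSG_WARN([OpenSSL enabled but openssl/cmac.h not found; AES128CMAC keys will be rejected]) ;;` / `esac`. The checking message says "if we want to enable CMAC support", but there is no `--enable-cmac`/`--disable-cmac` option; either add one or reword it to `[if OpenSSL provides CMAC support]`. Note also that this leaves two macros for one fact, HAVE_OPENSSL_CMAC_H from AC_CHECK_HEADERS and ENABLE_CMAC from here, with the C code guarding includes on the first and code on the second; a real option would have to keep both in step.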
#define NTP_MD5_H
#ifdef OPENSSL
-# include "openssl/evp.h"
+# include <openssl/evp.h>
# include "libssl_compat.h"
+# ifdef HAVE_OPENSSL_CMAC_H
+# include <openssl/cmac.h>
+# define CMAC "AES128CMAC"
+# define AES_128_KEY_SIZE 16
+# endif /*HAVE_OPENSSL_CMAC_H*/
#else /* !OPENSSL follows */
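Review bot: `CMAC "AES128CMAC"` is now defined here under HAVE_OPENSSL_CMAC_H and again, under the same guard, in the ssl_init.c and ntpq.c hunks of this commit, so the key-type spelling lives in three places; identical redefinitions compile, but a future rename has three places to miss. Since ntp_md5.h is the shared header, I would keep the definition here and drop the copies in the .c files that include it. `AES_128_KEY_SIZE` likewise exists only in this OpenSSL branch, so nothing outside OPENSSL+HAVE_OPENSSL_CMAC_H can name the expected key length; a note on the closing line, `# endif /*HAVE_OPENSSL_CMAC_H: CMAC and AES_128_KEY_SIZE exist only here*/`, makes that visible to the next reader.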
/*
* Provide OpenSSL-alike MD5 API if we're not using OpenSSL
#include "ntp_md5.h" /* provides OpenSSL digest API */
#include "isc/string.h"
-#ifdef OPENSSL
-# include "openssl/cmac.h"
-# define CMAC "AES128CMAC"
-# define AES_128_KEY_SIZE 16
-#endif
-
typedef struct {
const void * buf;
size_t len;
size_t len;
} rwbuffT;
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
static size_t
cmac_ctx_size(
CMAC_CTX * ctx)
}
return mlen;
}
-#endif /*OPENSSL*/
+#endif /*OPENSSL && ENABLE_CMAC*/
static size_t
make_mac(
INIT_SSL();
/* Check if CMAC key type specific code required */
+# ifdef ENABLE_CMAC
if (ktype == NID_cmac) {
CMAC_CTX * ctx = NULL;
void const * keyptr = key->buf;
if (ctx)
CMAC_CTX_cleanup(ctx);
}
- else { /* generic MAC handling */
+ else
+# endif /*ENABLE_CMAC*/
+ { /* generic MAC handling */
EVP_MD_CTX * ctx = EVP_MD_CTX_new();
u_int uilen = 0;
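Review bot: The `else` on the new line before `# endif` is split from its opening brace, so with ENABLE_CMAC undefined the generic path in make_mac becomes a bare `{ ... }` block following `INIT_SSL();`; it compiles, but reads as a stray scope once the conditional is gone. I would carry the reason on the brace itself, `{ /* generic MAC handling; the only path when CMAC is compiled out */`, or arrange the `#ifdef` so each branch is a complete statement. The rest of make_mac, including whatever validates the CMAC key length before `CMAC_Init`, is outside this hunk.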
#include <lib_strbuf.h>
#ifdef OPENSSL
-# include "openssl/cmac.h"
-# include "openssl/crypto.h"
-# include "openssl/err.h"
-# include "openssl/evp.h"
-# include "openssl/opensslv.h"
+# include <openssl/crypto.h>
+# include <openssl/err.h>
+# include <openssl/evp.h>
+# include <openssl/opensslv.h>
# include "libssl_compat.h"
-
-# define CMAC_LENGTH 16
-# define CMAC "AES128CMAC"
-
+# ifdef HAVE_OPENSSL_CMAC_H
+# include <openssl/cmac.h>
+# define CMAC_LENGTH 16
+# define CMAC "AES128CMAC"
+# endif /*HAVE_OPENSSL_CMAC_H*/
int ssl_init_done;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
key_type = OBJ_sn2nid(upcased);
+# ifdef ENABLE_CMAC
if (!key_type && !strncmp(CMAC, upcased, strlen(CMAC) + 1)) {
key_type = NID_cmac;
__FILE__, __LINE__, __func__, CMAC);
}
}
+# endif /*ENABLE_CMAC*/
#else
key_type = 0;
digest_len = (md) ? EVP_MD_size(md) : 0;
if (!md || digest_len <= 0) {
+# ifdef ENABLE_CMAC
if (key_type == NID_cmac) {
digest_len = CMAC_LENGTH;
fprintf(stderr, "%s:%d:%s():%s:len\n",
__FILE__, __LINE__, __func__, CMAC);
}
- } else {
+ } else
+# endif /*ENABLE_CMAC*/
+ {
fprintf(stderr,
"key type %s is not supported by OpenSSL\n",
keytype_name(key_type));
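Review bot: In the unsupported-key-type branch, `keytype_name(key_type)` is called when `key_type` may already be 0 from the `OBJ_sn2nid(upcased)` lookup earlier in this function, so an operator who wrote `AES128CMAC` on a build without ENABLE_CMAC is shown whatever name OpenSSL gives nid 0 rather than the type they typed, and gets no hint that CMAC was compiled out. Printing the text that was looked up is more useful, `"key type %s is not supported by OpenSSL\n", upcased` — assuming `upcased` is still in scope at this point. The new `# endif` could also say that this branch is the whole behaviour without CMAC, e.g. `# endif /*ENABLE_CMAC; sole path when CMAC is compiled out*/`. keytype_from_text continues outside the hunk.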
INIT_SSL();
name = OBJ_nid2sn(nid);
+# ifdef ENABLE_CMAC
if (NID_cmac == nid) {
name = CMAC;
__FILE__, __LINE__, __func__, CMAC);
}
} else
+# endif /*ENABLE_CMAC*/
if (NULL == name) {
name = unknown_type;
}
#include "ntp_lineedit.h"
#include "ntp_debug.h"
#ifdef OPENSSL
-#include "openssl/evp.h"
-#include "openssl/objects.h"
-#include "openssl/err.h"
-#ifdef SYS_WINNT
-# include "openssl/opensslv.h"
-# if !defined(HAVE_EVP_MD_DO_ALL_SORTED) && OPENSSL_VERSION_NUMBER > 0x10000000L
-# define HAVE_EVP_MD_DO_ALL_SORTED 1
+# include "openssl/evp.h"
+# include "openssl/objects.h"
+# include "openssl/err.h"
+# ifdef SYS_WINNT
+# include "openssl/opensslv.h"
+# if !defined(HAVE_EVP_MD_DO_ALL_SORTED) && OPENSSL_VERSION_NUMBER > 0x10000000L
+# define HAVE_EVP_MD_DO_ALL_SORTED 1
+# endif
+# endif
+# include "libssl_compat.h"
+# ifdef HAVE_OPENSSL_CMAC_H
+# include <openssl/cmac.h>
+# define CMAC "AES128CMAC"
# endif
-#endif
-#include "libssl_compat.h"
-
-#define CMAC "AES128CMAC"
#endif
#include <ssl_applink.c>
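Review bot: The reindented OpenSSL includes in ntpq.c keep the quoted form for `"openssl/evp.h"`, `"openssl/objects.h"`, `"openssl/err.h"` and `"openssl/opensslv.h"`, while the other files in this commit switch the same headers to `<openssl/...>` and the new `<openssl/cmac.h>` line here already uses angle brackets; the quoted form searches the including file's directory first, which is presumably what the rest of the change is moving away from. I would change those four includes to the angle form so the tree is consistent. `CMAC` is also defined here a third time in this commit; if ntpq.c includes ntp_md5.h, the definition can come from there instead.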
static char *
insert_cmac(char *list)
{
+#ifdef ENABLE_CMAC
int insert;
size_t len;
}
} /* insert */
} /* List not empty */
-
+#endif /*ENABLE_CMAC*/
return list;
}
# endif
#include "isc/string.h"
#include "ntp_md5.h"
-/* HMS: We may not have OpenSSL, but we have our own AES-128-CMAC */
-#define CMAC "AES128CMAC"
-#ifdef OPENSSL
-# include "openssl/cmac.h"
-# define AES_128_KEY_SIZE 16
-#endif /* OPENSSL */
-
#ifndef EVP_MAX_MD_SIZE
# define EVP_MAX_MD_SIZE 32
#endif
INIT_SSL();
key_type = keytype_from_text(macname, NULL);
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
/* Check if CMAC key type specific code required */
if (key_type == NID_cmac) {
CMAC_CTX * ctx = NULL;
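Review bot: The removed comment said this file had its own AES-128-CMAC without OpenSSL, but after this hunk the only CMAC branch is under `OPENSSL && ENABLE_CMAC` and the `CMAC` name now comes from ntp_md5.h, which defines it only in its OpenSSL branch, so a non-OpenSSL build has no CMAC path in this file at all. If that is intended, say so where the branch begins, `/* AES128CMAC keys need OpenSSL built with openssl/cmac.h (ENABLE_CMAC); other builds never reach this branch */` — I cannot see from here what such a build does with an AES128CMAC key line after keytype_from_text returns 0, so check that wording against the caller. The body of the branch, including any check that the key is exactly AES_128_KEY_SIZE bytes, is outside the hunk.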
case "$ntp_openssl" in
yes)
+ AC_CHECK_HEADERS([openssl/cmac.h openssl/hmac.h])
AC_DEFINE([OPENSSL], [], [Use OpenSSL?])
case "$VER_SUFFIX" in
*o*) ;;
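Review bot: `AC_CHECK_HEADERS([openssl/cmac.h openssl/hmac.h])` also probes hmac.h, but nothing in this commit tests HAVE_OPENSSL_HMAC_H; either a later change consumes it or the probe can be dropped so the configure log only reports what is used. The probe runs with whatever CPPFLAGS holds at this point, so if the OpenSSL include path is only added later in NTP_OPENSSL (not visible here) the header is missed and the ENABLE_CMAC case in the other hunk silently answers "no" although the library has CMAC; the check belongs after the include path is in place. A short comment on this line naming which macro the C code consumes, `dnl cmac.h -> HAVE_OPENSSL_CMAC_H, drives ENABLE_CMAC below`, would document the dependency.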
void
test_MakeCMac(void)
{
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
const char* PKT_DATA = "abcdefgh0123";
const int PKT_LEN = strlen(PKT_DATA);
void
VerifyOpenSSLCMAC(struct key *cmac)
{
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
/* XXX: HMS: auth_md5 must be renamed/incorrect. */
// TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, CMAC_LENGTH, cmac));
void
test_CorrectAuthenticatedPacketCMAC(void)
{
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
+
PrepareAuthenticationTest(30, CMAC_LENGTH, CMAC, "abcdefghijklmnop");
TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION));
TEST_ASSERT_EQUAL(pkt_len,
process_pkt(&testpkt.p, &testsock, pkt_len,
MODE_SERVER, &testspkt.p, "UnitTest"));
+
+#else
+
+ TEST_IGNORE_MESSAGE("OpenSSL CMAC not used, skipping...");
+
+#endif /* OPENSSL */
}
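Review bot: The new `#endif /* OPENSSL */` closes a `#if defined(OPENSSL) && defined(ENABLE_CMAC)`, so the trailer names only half the condition; `#endif /* OPENSSL && ENABLE_CMAC */` matches what the production guard in a_md5encrypt.c uses. The blank lines added on both sides of `#else` are also unlike the neighbouring tests, which put `#else` directly after the last statement. The skip message could name the macro the test actually keys on, `TEST_IGNORE_MESSAGE("OpenSSL CMAC (ENABLE_CMAC) not built, skipping...");`.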
void
test_CMACKeyTypeWithDigestLength(void) {
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
size_t digestLength;
size_t expected = TEST_CMAC_DIGEST_LENGTH;
TEST_ASSERT_EQUAL(expected, digestLength);
/* OPENSSL */
#else
- TEST_IGNORE_MESSAGE("Skipping because OPENSSL isn't defined");
+ TEST_IGNORE_MESSAGE("Skipping because OPENSSL/CMAC isn't defined");
#endif
}
void
test_CMACKeyName(void) {
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
TEST_ASSERT_EQUAL_STRING(CMAC, keytype_name(NID_cmac));
#else
- TEST_IGNORE_MESSAGE("Skipping because OPENSSL isn't defined");
+ TEST_IGNORE_MESSAGE("Skipping because OPENSSL/CMAC isn't defined");
#endif /* OPENSSL */
}
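Review bot: Same trailer mismatch as the other CMAC tests: `#endif /* OPENSSL */` now closes `#if defined(OPENSSL) && defined(ENABLE_CMAC)`, so I would write `#endif /* OPENSSL && ENABLE_CMAC */`. The assertion `TEST_ASSERT_EQUAL_STRING(CMAC, keytype_name(NID_cmac))` only pins the enabled build; the `#else` branch could assert the other side of this commit, that `keytype_name(NID_cmac)` does not yield "AES128CMAC" when CMAC is compiled out, provided keytype_name and NID_cmac are still reachable there, which I cannot confirm from the hunk.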