From: Juergen Perlinger Date: Fri, 16 Mar 2018 05:37:19 +0000 (+0100) Subject: [Bug 3471] Check for openssl/[ch]mac.h X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=22f58e0aa46dfaf6d9c99dce09ad8967d04f291e;p=thirdparty%2Fntp.git [Bug 3471] Check for openssl/[ch]mac.h - cond-compile if CMAC not supported - fix tests when CMAC not available - add #define ENABLE_CMAC support in configure bk: 5aab580f86I6UvVtp5jk9SbQUKRrWQ
---
diff --git a/ChangeLog b/ChangeLog
index dcfa59c07..dad61610e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
 ---
+
+* [Bug 3471] Check for openssl/[ch]mac.h. HStenn.
+ - add #define ENABLE_CMAC support in configure. HStenn.
+---
 (4.2.8p11) 2018/02/27 Released by Harlan Stenn
 * [Sec 3454] Unauthenticated packet can reset authenticated interleave
diff --git a/configure.ac b/configure.ac
index 4e7e06af6..31d712379 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3014,6 +3014,17 @@ AC_MSG_RESULT([$ans])
 NTP_OPENSSL
+AC_MSG_CHECKING([if we want to enable CMAC support])
+case "$ac_cv_header_openssl_cmac_h" in
+ yes)
+ AC_DEFINE([ENABLE_CMAC], [1], [Enable CMAC support?])
+ ans="yes"
+ ;;
+ *) ans="no"
+ ;;
+esac
+AC_MSG_RESULT([$ans])
+
 NTP_CRYPTO_RAND
 # if we are using OpenSSL (--with-crypto), by default Autokey is enabled
diff --git a/include/ntp_md5.h b/include/ntp_md5.h
index 01b417a80..06c90b2d2 100644
--- a/include/ntp_md5.h
+++ b/include/ntp_md5.h
@@ -7,8 +7,13 @@
 #define NTP_MD5_H
 #ifdef OPENSSL
-# include "openssl/evp.h"
+# include
 # include "libssl_compat.h"
+# ifdef HAVE_OPENSSL_CMAC_H
+# include
+# define CMAC "AES128CMAC"
+# define AES_128_KEY_SIZE 16
+# endif /*HAVE_OPENSSL_CMAC_H*/
 #else /* !OPENSSL follows */
 /*
 * Provide OpenSSL-alike MD5 API if we're not using OpenSSL
diff --git a/libntp/a_md5encrypt.c b/libntp/a_md5encrypt.c
index 7dc7e7ecf..d69b748bd 100644
--- a/libntp/a_md5encrypt.c
+++ b/libntp/a_md5encrypt.c
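Review bot: ENABLE_CMAC is keyed on `ac_cv_header_openssl_cmac_h` alone, which only proves that cmac.h is installed; an OpenSSL configured with `no-cmac` still ships that header (its declarations sit behind OPENSSL_NO_CMAC, if I remember the header correctly), so such a build would define ENABLE_CMAC and then fail at CMAC_CTX_new in libntp/a_md5encrypt.c and sntp/crypto.c. A link-level probe is the safer gate — for instance `AC_CHECK_LIB([crypto], [CMAC_CTX_new])` beside the header check in sntp/m4/ntp_openssl.m4 and `case "$ac_cv_lib_crypto_CMAC_CTX_new" in` here — or at least `&& !defined(OPENSSL_NO_CMAC)` in the source guards. The openssl/hmac.h probe added by the same AC_CHECK_HEADERS is not consumed anywhere in this commit. "if we want to enable CMAC support" reads like a user switch, but no --enable/--disable option exists; either word it as an availability check or add the option so CMAC can be turned off deliberately and the result is visible in the configure summary.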
@@ -12,12 +12,6 @@
 #include "ntp_md5.h" /* provides OpenSSL digest API */
 #include "isc/string.h"
-#ifdef OPENSSL
-# include "openssl/cmac.h"
-# define CMAC "AES128CMAC"
-# define AES_128_KEY_SIZE 16
-#endif
-
 typedef struct {
 const void * buf;
 size_t len;
@@ -28,7 +22,7 @@ typedef struct {
 size_t len;
 } rwbuffT;
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
 static size_t
 cmac_ctx_size(
 CMAC_CTX * ctx)
@@ -42,7 +36,7 @@ cmac_ctx_size(
 }
 return mlen;
 }
-#endif /*OPENSSL*/
+#endif /*OPENSSL && ENABLE_CMAC*/
 static size_t
 make_mac(
@@ -63,6 +57,7 @@ make_mac(
 INIT_SSL();
 /* Check if CMAC key type specific code required */
+# ifdef ENABLE_CMAC
 if (ktype == NID_cmac) {
 CMAC_CTX * ctx = NULL;
 void const * keyptr = key->buf;
@@ -100,7 +95,9 @@ make_mac(
 if (ctx) CMAC_CTX_cleanup(ctx);
 }
- else { /* generic MAC handling */
+ else
+# endif /*ENABLE_CMAC*/
+ { /* generic MAC handling */
 EVP_MD_CTX * ctx = EVP_MD_CTX_new();
 u_int uilen = 0;
diff --git a/libntp/ssl_init.c b/libntp/ssl_init.c
index 96d9d0838..925893257 100644
--- a/libntp/ssl_init.c
+++ b/libntp/ssl_init.c
@@ -13,16 +13,16 @@
 #include
 #ifdef OPENSSL
-# include "openssl/cmac.h"
-# include "openssl/crypto.h"
-# include "openssl/err.h"
-# include "openssl/evp.h"
-# include "openssl/opensslv.h"
+# include
+# include
+# include
+# include
 # include "libssl_compat.h"
-
-# define CMAC_LENGTH 16
-# define CMAC "AES128CMAC"
-
+# ifdef HAVE_OPENSSL_CMAC_H
+# include
+# define CMAC_LENGTH 16
+# define CMAC "AES128CMAC"
+# endif /*HAVE_OPENSSL_CMAC_H*/
 int ssl_init_done;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -126,6 +126,7 @@ keytype_from_text(
 key_type = OBJ_sn2nid(upcased);
+# ifdef ENABLE_CMAC
 if (!key_type && !strncmp(CMAC, upcased, strlen(CMAC) + 1)) {
 key_type = NID_cmac;
@@ -134,6 +135,7 @@ keytype_from_text(
 __FILE__, __LINE__, __func__, CMAC);
 }
 }
+# endif /*ENABLE_CMAC*/
 #else
 key_type = 0;
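Review bot: Wrapping make_mac's NID_cmac branch in `# ifdef ENABLE_CMAC` (the `@@ -63` and `@@ -100` hunks of a_md5encrypt.c) makes the generic EVP branch the only handler for NID_cmac in a non-CMAC build, and NID_cmac can still reach it: `key_type = OBJ_sn2nid(upcased);` in the ssl_init.c `@@ -126` hunk is unconditional and resolves OpenSSL's own short name for that NID (`CMAC`, as far as I recall) regardless of ENABLE_CMAC — only the `AES128CMAC` alias is removed. The generic branch begins with `EVP_MD_CTX_new()` and presumably fetches the digest by nid; what it does when that lookup yields NULL is outside the hunk and worth confirming, because an unrecognised MAC type that produces an empty or short MAC would weaken packet authentication instead of failing loudly. keytype_from_text's "not supported" branch may already reject the type at configuration time; if make_mac relies on that, a comment at the `# ifdef ENABLE_CMAC` line such as `/* NID_cmac is rejected by keytype_from_text() when CMAC is compiled out */` makes the coupling explicit. make_mac's body continues outside both hunks.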
@@ -153,6 +155,7 @@ keytype_from_text(
 digest_len = (md) ? EVP_MD_size(md) : 0;
 if (!md || digest_len <= 0) {
+# ifdef ENABLE_CMAC
 if (key_type == NID_cmac) {
 digest_len = CMAC_LENGTH;
@@ -160,7 +163,9 @@ keytype_from_text(
 fprintf(stderr, "%s:%d:%s():%s:len\n",
 __FILE__, __LINE__, __func__, CMAC);
 }
- } else {
+ } else
+# endif /*ENABLE_CMAC*/
+ {
 fprintf(stderr,
 "key type %s is not supported by OpenSSL\n",
 keytype_name(key_type));
@@ -209,6 +214,7 @@ keytype_name(
 INIT_SSL();
 name = OBJ_nid2sn(nid);
+# ifdef ENABLE_CMAC
 if (NID_cmac == nid) {
 name = CMAC;
@@ -217,6 +223,7 @@ keytype_name(
 __FILE__, __LINE__, __func__, CMAC);
 }
 } else
+# endif /*ENABLE_CMAC*/
 if (NULL == name) {
 name = unknown_type;
 }
diff --git a/ntpq/ntpq.c b/ntpq/ntpq.c
index 17c2f17d3..ee186d69e 100644
--- a/ntpq/ntpq.c
+++ b/ntpq/ntpq.c
@@ -32,18 +32,20 @@
 #include "ntp_lineedit.h"
 #include "ntp_debug.h"
 #ifdef OPENSSL
-#include "openssl/evp.h"
-#include "openssl/objects.h"
-#include "openssl/err.h"
-#ifdef SYS_WINNT
-# include "openssl/opensslv.h"
-# if !defined(HAVE_EVP_MD_DO_ALL_SORTED) && OPENSSL_VERSION_NUMBER > 0x10000000L
-# define HAVE_EVP_MD_DO_ALL_SORTED 1
+# include "openssl/evp.h"
+# include "openssl/objects.h"
+# include "openssl/err.h"
+# ifdef SYS_WINNT
+# include "openssl/opensslv.h"
+# if !defined(HAVE_EVP_MD_DO_ALL_SORTED) && OPENSSL_VERSION_NUMBER > 0x10000000L
+# define HAVE_EVP_MD_DO_ALL_SORTED 1
+# endif
+# endif
+# include "libssl_compat.h"
+# ifdef HAVE_OPENSSL_CMAC_H
+# include
+# define CMAC "AES128CMAC"
 # endif
-#endif
-#include "libssl_compat.h"
-
-#define CMAC "AES128CMAC"
 #endif
 #include
@@ -3711,6 +3713,7 @@ list_md_fn(const EVP_MD *m, const char *from, const char *to, void *arg)
 static char *
 insert_cmac(char *list)
 {
+#ifdef ENABLE_CMAC
 int insert;
 size_t len;
@@ -3807,7 +3810,7 @@ insert_cmac(char *list)
 }
 } /* insert */
 } /* List not empty */
-
+#endif /*ENABLE_CMAC*/
 return list;
 }
 # endif
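Review bot: The ntpq.c include hunk gates the cmac header and the `CMAC` definition on HAVE_OPENSSL_CMAC_H, while insert_cmac (`@@ -3711`) is gated on ENABLE_CMAC; include/ntp_md5.h and libntp/ssl_init.c use the same two-macro split. They agree only because configure.ac derives one from the other, so a later change to that rule, or a hand-maintained config.h on a platform where ENABLE_CMAC is not generated, can silently produce a build where ENABLE_CMAC code compiles against an undefined CMAC macro, or the reverse. Using ENABLE_CMAC as the single source-level guard — `# ifdef ENABLE_CMAC` around the include block as well — keeps them from diverging, as would a one-time `# if defined(ENABLE_CMAC) && !defined(HAVE_OPENSSL_CMAC_H)` / `# error` sanity check in ntp_md5.h. The targets of the `+# include` lines are not visible in this rendering, so I cannot confirm which headers they pull in.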
diff --git a/sntp/crypto.c b/sntp/crypto.c
index ce5d136fc..be94ed51d 100644
--- a/sntp/crypto.c
+++ b/sntp/crypto.c
@@ -12,13 +12,6 @@
 #include "isc/string.h"
 #include "ntp_md5.h"
-/* HMS: We may not have OpenSSL, but we have our own AES-128-CMAC */
-#define CMAC "AES128CMAC"
-#ifdef OPENSSL
-# include "openssl/cmac.h"
-# define AES_128_KEY_SIZE 16
-#endif /* OPENSSL */
-
 #ifndef EVP_MAX_MD_SIZE
 # define EVP_MAX_MD_SIZE 32
 #endif
@@ -45,7 +38,7 @@ compute_mac(
 INIT_SSL();
 key_type = keytype_from_text(macname, NULL);
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
 /* Check if CMAC key type specific code required */
 if (key_type == NID_cmac) {
 CMAC_CTX * ctx = NULL;
diff --git a/sntp/m4/ntp_openssl.m4 b/sntp/m4/ntp_openssl.m4
index 112b7a2d2..2f9d6c431 100644
--- a/sntp/m4/ntp_openssl.m4
+++ b/sntp/m4/ntp_openssl.m4
@@ -242,6 +242,7 @@ AC_MSG_RESULT([$ntp_openssl])
 case "$ntp_openssl" in
 yes)
+ AC_CHECK_HEADERS([openssl/cmac.h openssl/hmac.h])
 AC_DEFINE([OPENSSL], [], [Use OpenSSL?])
 case "$VER_SUFFIX" in
 *o*) ;;
diff --git a/sntp/tests/crypto.c b/sntp/tests/crypto.c
index 64c784dc7..8ecd74368 100644
--- a/sntp/tests/crypto.c
+++ b/sntp/tests/crypto.c
@@ -85,7 +85,7 @@ test_MakeSHA1Mac(void)
 void
 test_MakeCMac(void)
 {
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
 const char* PKT_DATA = "abcdefgh0123";
 const int PKT_LEN = strlen(PKT_DATA);
@@ -191,7 +191,7 @@ test_VerifyCMAC(void)
 void
 VerifyOpenSSLCMAC(struct key *cmac)
 {
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
 /* XXX: HMS: auth_md5 must be renamed/incorrect. */
 // TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, CMAC_LENGTH, cmac));
diff --git a/sntp/tests/packetProcessing.c b/sntp/tests/packetProcessing.c
index 910c56172..9c9f061c4 100644
--- a/sntp/tests/packetProcessing.c
+++ b/sntp/tests/packetProcessing.c
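Review bot: With the unconditional `#define CMAC "AES128CMAC"` gone from sntp/crypto.c (`@@ -12`), CMAC is visible in this file only through ntp_md5.h, and there only under OPENSSL plus HAVE_OPENSSL_CMAC_H, so any remaining use of it outside the `#if defined(OPENSSL) && defined(ENABLE_CMAC)` region of compute_mac (`@@ -45`) — a non-OpenSSL `#else` branch, for instance, which would be outside the hunk — no longer compiles. The removed comment claimed a non-OpenSSL AES-128-CMAC; a --without-crypto build would settle whether such a path still references the macro. If it never did, replacing that comment with `/* CMAC is available only with OpenSSL; see ntp_md5.h */` records the decision for the next reader. compute_mac's body continues outside the hunk.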
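Review bot: `AC_CHECK_HEADERS([openssl/cmac.h openssl/hmac.h])` preprocesses with the CPPFLAGS in effect at that point, so it only finds the headers if the OpenSSL include path chosen earlier in NTP_OPENSSL has already been folded into CPPFLAGS rather than held in a separate substitution variable; that ordering is not visible in the hunk. If it has not, an OpenSSL installed in a non-default prefix makes the probe fail quietly, ENABLE_CMAC stays undefined, and CMAC authentication drops out of the build while the tests merely report themselves skipped — a silent loss of a MAC algorithm that operators are unlikely to notice. Running the probe with the OpenSSL flags temporarily prepended, `save_CPPFLAGS=$CPPFLAGS; CPPFLAGS="${OPENSSL_CPPFLAGS_VAR} $CPPFLAGS"` before the check and `CPPFLAGS=$save_CPPFLAGS` after it (OPENSSL_CPPFLAGS_VAR being a placeholder for whatever variable NTP_OPENSSL records the path in), makes the result independent of that ordering. The hmac.h probe is unused by the rest of this commit and could wait until something consumes HAVE_OPENSSL_HMAC_H.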
@@ -464,6 +464,8 @@ test_CorrectAuthenticatedPacketSHA1(void)
 void
 test_CorrectAuthenticatedPacketCMAC(void)
 {
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
+
 PrepareAuthenticationTest(30, CMAC_LENGTH, CMAC, "abcdefghijklmnop");
 TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION));
@@ -480,5 +482,11 @@ test_CorrectAuthenticatedPacketCMAC(void)
 TEST_ASSERT_EQUAL(pkt_len,
 process_pkt(&testpkt.p, &testsock, pkt_len,
 MODE_SERVER, &testspkt.p, "UnitTest"));
+
+#else
+
+ TEST_IGNORE_MESSAGE("OpenSSL CMAC not used, skipping...");
+
+#endif /* OPENSSL */
 }
diff --git a/tests/libntp/ssl_init.c b/tests/libntp/ssl_init.c
index 9a59a9b42..69b395e05 100644
--- a/tests/libntp/ssl_init.c
+++ b/tests/libntp/ssl_init.c
@@ -59,7 +59,7 @@ test_SHA1KeyTypeWithDigestLength(void) {
 void
 test_CMACKeyTypeWithDigestLength(void) {
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
 size_t digestLength;
 size_t expected = TEST_CMAC_DIGEST_LENGTH;
@@ -67,7 +67,7 @@ test_CMACKeyTypeWithDigestLength(void) {
 TEST_ASSERT_EQUAL(expected, digestLength); /* OPENSSL */
 #else
- TEST_IGNORE_MESSAGE("Skipping because OPENSSL isn't defined");
+ TEST_IGNORE_MESSAGE("Skipping because OPENSSL/CMAC isn't defined");
 #endif
 }
@@ -91,10 +91,10 @@ test_SHA1KeyName(void) {
 void
 test_CMACKeyName(void) {
-#ifdef OPENSSL
+#if defined(OPENSSL) && defined(ENABLE_CMAC)
 TEST_ASSERT_EQUAL_STRING(CMAC, keytype_name(NID_cmac));
 #else
- TEST_IGNORE_MESSAGE("Skipping because OPENSSL isn't defined");
+ TEST_IGNORE_MESSAGE("Skipping because OPENSSL/CMAC isn't defined");
 #endif /* OPENSSL */
 }
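Review bot: The closing `+#endif /* OPENSSL */` in test_CorrectAuthenticatedPacketCMAC (`@@ -480`) no longer matches the condition it closes, `#if defined(OPENSSL) && defined(ENABLE_CMAC)` from the `@@ -464` hunk; the a_md5encrypt.c hunks spell the trailer `/*OPENSSL && ENABLE_CMAC*/`, so `#endif /* OPENSSL && ENABLE_CMAC */` here keeps the two in step. The same stale `/* OPENSSL */` trailer survives as context in tests/libntp/ssl_init.c (`@@ -91`), where the condition was changed the same way. The skip text `"OpenSSL CMAC not used, skipping..."` reads as though CMAC were deliberately left out; `"OpenSSL CMAC not available, skipping..."` matches the `OPENSSL/CMAC isn't defined` wording of the other two tests and makes a CMAC-less build easier to spot in test output.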