From: Dave Hart Date: Fri, 9 Jun 2023 19:11:34 +0000 (+0000) Subject: Add DSA, DSA-SHA, and SHA to tests/libntp/digests.c regression test. X-Git-Tag: NTP_4_2_8P18_RC1~49^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b02b4fafcb5781d42753f91d0a035d137bbd8271;p=thirdparty%2Fntp.git Add DSA, DSA-SHA, and SHA to tests/libntp/digests.c regression test. bk: 648379666uNUjOBJTYXrXisSm-MFhA --- diff --git a/ChangeLog b/ChangeLog index 93cdab8b9..3a41cecc9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +--- +* Add DSA, DSA-SHA, and SHA to tests/libntp/digests.c. + --- (4.2.8p17) 2023/06/06 Released by Harlan Stenn diff --git a/libntp/authkeys.c b/libntp/authkeys.c index d28b4b932..69652cd03 100644 --- a/libntp/authkeys.c +++ b/libntp/authkeys.c @@ -927,6 +927,7 @@ authdecrypt( pkt, length, size, keyno); } + /* password decoding helpers */ static size_t pwdecode_plain( diff --git a/libntp/authreadkeys.c b/libntp/authreadkeys.c index fa2f5b540..d62a91ab6 100644 --- a/libntp/authreadkeys.c +++ b/libntp/authreadkeys.c @@ -218,14 +218,14 @@ authreadkeys( keytype = keytype_from_text(token, NULL); if (keytype == 0) { log_maybe(NULL, - "authreadkeys: invalid type for key %d", - keyno); + "authreadkeys: unsupported type %s for key %d", + token, keyno); # ifdef ENABLE_CMAC } else if (NID_cmac != keytype && EVP_get_digestbynid(keytype) == NULL) { log_maybe(NULL, - "authreadkeys: no algorithm for key %d", - keyno); + "authreadkeys: no algorithm for %s key %d", + token, keyno); keytype = 0; # endif /* ENABLE_CMAC */ } @@ -270,12 +270,14 @@ authreadkeys( "authreadkeys: passwd has bad char for key %d", keyno); break; +#ifdef DEBUG default: log_maybe(&nerr, - "authreadkeys: unknown errno %d for key %d", + "authreadkeys: unexpected errno %d for key %d: %m", errno, keyno); break; } +#endif continue; } next = emalloc(sizeof(KeyDataT) + len); diff --git a/libntp/ssl_init.c b/libntp/ssl_init.c index 925893257..dd66c78db 100644 --- a/libntp/ssl_init.c 
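Review bot: The added `#endif` in libntp/authreadkeys.c (second hunk, the password-decode error path) sits after the closing `}` of the switch. A build without DEBUG therefore preprocesses that brace away together with the `default:` arm, and the braces no longer balance. Moving the `#endif` to the line before the `}` makes only the `default:` case conditional. Separately, with that arm compiled out an unexpected errno never reaches `log_maybe(&nerr, ...)`; if `nerr` is what makes the caller reject a bad keys file (not visible here), a key that fails to decode is skipped without being counted, so consider keeping `default:` unconditional. The enclosing switch and loop begin outside the hunk.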
+++ b/libntp/ssl_init.c
@@ -102,7 +102,7 @@ keytype_from_text(
 int key_type;
 u_int digest_len;
 #ifdef OPENSSL /* --*-- OpenSSL code --*-- */
- const u_long max_digest_len = MAX_MAC_LEN - sizeof(keyid_t);
+ const u_long max_digest_len = MAX_MDG_LEN;
 char * upcased;
 char * pch;
 EVP_MD const * md;
@@ -217,11 +217,6 @@ keytype_name(
 # ifdef ENABLE_CMAC
 if (NID_cmac == nid) {
 name = CMAC;
-
- if (debug) {
- fprintf(stderr, "%s:%d:%s():%s:nid\n",
- __FILE__, __LINE__, __func__, CMAC);
- }
 } else
 # endif /*ENABLE_CMAC*/
 if (NULL == name) {
diff --git a/ntpq/ntpq.c b/ntpq/ntpq.c
index 1a0e9b1a6..4ac41b567 100644
--- a/ntpq/ntpq.c
+++ b/ntpq/ntpq.c
@@ -3941,31 +3941,25 @@ list_md_fn(const EVP_MD *m, const char *from, const char *to, void *arg)
 size_t len, n;
 const char *name, **seen;
 struct hstate *hstate = arg;
- const char *cp;
 /* m is MD obj, from is name or alias, to is base name for alias */
- if (!m || !from || to)
+ if (!m || !from || to) {
 return; /* Ignore aliases */
+ }
 /* Discard MACs that NTP won't accept. */
 /* Keep this consistent with keytype_from_text() in ssl_init.c. */
- if (EVP_MD_size(m) > (MAX_MAC_LEN - sizeof(keyid_t)))
+ if (EVP_MD_size(m) > MAX_MDG_LEN) {
 return;
+ }
 name = EVP_MD_name(m);
-
- /* Lowercase names aren't accepted by keytype_from_text in ssl_init.c */
-
- for (cp = name; *cp; cp++)
- if (islower((unsigned char)*cp))
- return;
-
- len = (cp - name) + 1;
+ len = strlen(name) + 1;
 /* There are duplicates. Discard if name has been seen. */
 for (seen = hstate->seen; *seen; seen++)
- if (!strcmp(*seen, name))
+ if (!strcasecmp(*seen, name))
 return;
 n = (seen - hstate->seen) + 2;
@@ -4057,11 +4051,12 @@ insert_cmac(char *list)
 /* No - end of list */
 if (!delim && !last_nl) {
 delim = list + len;
- } else
+ } else {
 /* New line and no delim or before delim? */
 if (last_nl && (!delim || last_nl < delim)) {
 delim = last_nl;
 }
+ }
 /* Found insertion point where CMAC before entry? */
 if (strncmp(CMAC, point, delim - point) < 0) {
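Review bot: In list_md_fn (ntpq/ntpq.c) the size filter `if (EVP_MD_size(m) > MAX_MDG_LEN)` may now be a signed comparison. The old right-hand side contained `sizeof(keyid_t)`, which made the comparison unsigned, so a negative return from EVP_MD_size() was discarded as too large. MAX_MDG_LEN is defined outside this patch; if it is a plain int constant, an error return of -1 passes the check and the digest is listed as usable. Reading the size once and rejecting negatives keeps the old filtering: `int sz = EVP_MD_size(m);` then `if (sz < 0 || sz > MAX_MDG_LEN) {`. The first ssl_init.c hunk switches keytype_from_text() to the same constant, so both sites rely on that definition matching the old `MAX_MAC_LEN - sizeof(keyid_t)` bound.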
diff --git a/tests/libntp/data/ntp.keys b/tests/libntp/data/ntp.keys
index 6c8c743fd..ef634dd00 100644
--- a/tests/libntp/data/ntp.keys
+++ b/tests/libntp/data/ntp.keys
@@ -1,15 +1,16 @@
-# This unit test ntp.keys file has hard-coded the current set
-# of OpenSSL-supported digest algorithms. It needs to be updated
-# after newer algorithms are available. The current list can be
+# This unit test ntp.keys file has hard-coded the union of sets
+# of OpenSSL-supported digest algorithms we've come across. It
+# needs to be updated as algorithms are observed. A list can be
 # obtained with:
 #
 # ntpq -c "help keytype"
 #
-# tests/libntp/digest.c similarly hardcodes the list of digests
-# to test.
+# tests/libntp/digests.c similarly hardcodes the list of digests
+# to test. This file must be kept in sync with it.
 #
 # Each digest is tested twice with keyids separated by 50 for
 # plaintext and hex-encoded keys.
+#
 1 AES128CMAC X~A=%NWlo]p$dGq,S3M9
 2 MD4 oV'8?f+J5`_EOvW!B,R`
@@ -18,9 +19,9 @@
 5 RIPEMD160 I89p}f6QopwC\LwHBm;e
 6 SHA1 A;H=E;.m4N%t%EeJ90[d
 7 SHAKE128 |HxLoa,mzG<"y>^TI_(1
- 8 MD5 306+^SHLV5{"v7W`U3aY # unused so far
- 9 MD5 lGyKZgsI_Pi"y"8JAT98 # unused
-10 MD5 2:VO]Q5u%/b&}.