From: Juergen Perlinger
Date: Tue, 20 Oct 2020 04:48:48 +0000 (+0200)
Subject: [Bug 3693] Improvement of error handling key lengths
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc69bf626d554a23fce4ce515176579be153ac9c;p=thirdparty%2Fntp.git
[Bug 3693] Improvement of error handling key lengths
bk: 5f8e6c30wzk2xbHqA57ksdRWX3Eqgw
---
diff --git a/ChangeLog b/ChangeLog
index eeceaa9f1..d28c48747 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Bug 3693] Improvement of error handling key lengths
+ - original patch by Richard Schmidt, with mods & unit test fixes
+
 ---
 (4.2.8p15) 2020/06/23 Released by Harlan Stenn
diff --git a/include/ntp_stdlib.h b/include/ntp_stdlib.h
index 265aafa73..2d5cf3aa4 100644
--- a/include/ntp_stdlib.h
+++ b/include/ntp_stdlib.h
@@ -100,7 +100,7 @@ extern void auth_prealloc_symkeys(int);
 extern int ymd2yd (int, int, int);
 /* a_md5encrypt.c */
-extern int MD5authdecrypt (int, const u_char *, size_t, u_int32 *, size_t, size_t);
+extern int MD5authdecrypt (int, const u_char *, size_t, u_int32 *, size_t, size_t, keyid_t);
 extern size_t MD5authencrypt (int, const u_char *, size_t, u_int32 *, size_t);
 extern void MD5auth_setkey (keyid_t, int, const u_char *, size_t, KeyAccT *c);
 extern u_int32 addr2refid (sockaddr_u *);
diff --git a/libntp/a_md5encrypt.c b/libntp/a_md5encrypt.c
index 57100de3a..77c63464b 100644
--- a/libntp/a_md5encrypt.c
+++ b/libntp/a_md5encrypt.c
@@ -220,7 +220,8 @@ MD5authdecrypt(
 size_t klen, /* key length */
 u_int32 * pkt, /* packet pointer */
 size_t length, /* packet length */
- size_t size /* MAC size */
+ size_t size, /* MAC size */
+ keyid_t keyno /* key id (for err log) */
 )
 {
 u_char digest[EVP_MAX_MD_SIZE];
@@ -236,7 +237,8 @@ MD5authdecrypt(
 dlen = MAX_MDG_LEN;
 if (size != (size_t)dlen + KEY_MAC_LEN) {
 msyslog(LOG_ERR,
- "MAC decrypt: MAC length error");
+ "MAC decrypt: MAC length error: len=%zu key=%d",
+ size, keyno);
 return (0);
 }
 return !isc_tsmemcmp(digest,
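Review bot: In the second a_md5encrypt.c hunk the new `msyslog` format prints `keyno` with `%d`, but `keyid_t` (not defined in this diff; an unsigned 32-bit typedef in NTP's headers) does not match a signed conversion, so a key id above `INT_MAX` would be logged as a negative number and could not be matched against the configured keys when triaging authentication failures. `%zu` for `size` is a C99 conversion that may not be understood by every C runtime this library is built against, so a cast is the safer choice for both arguments. I would write the two lines as `"MAC decrypt: MAC length error: len=%lu key=%lu",` and `(unsigned long)size, (unsigned long)keyno);`. The updated tests in tests/libntp/a_md5encrypt.c only ever pass a MAC size of 20, so this branch and its format string are never executed; a case such as `TEST_ASSERT_FALSE(MD5authdecrypt(keytype, key, keyLength, expectedPacket.u32, packetLength, 24, keyId));` would cover it, assuming 24 is not a valid MAC size for this key type. The body of `MD5authdecrypt` starts and ends outside the hunk.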
diff --git a/libntp/authkeys.c b/libntp/authkeys.c
index 7c1cbb065..0cac2fd81 100644
--- a/libntp/authkeys.c
+++ b/libntp/authkeys.c
@@ -925,5 +925,5 @@ authdecrypt(
 return MD5authdecrypt(cache_type,
 cache_secret, cache_secretsize,
- pkt, length, size);
+ pkt, length, size, keyno);
 }
diff --git a/tests/libntp/a_md5encrypt.c b/tests/libntp/a_md5encrypt.c
index 844be16fa..212ec8313 100644
--- a/tests/libntp/a_md5encrypt.c
+++ b/tests/libntp/a_md5encrypt.c
@@ -36,6 +36,7 @@ union {
 "ijklmnopqrstuvwx\0\0\0\0\x0c\x0e\x84\xcf\x0b\xb7\xa8\x68\x8e\x52\x38\xdb\xbc\x1c\x39\x54"
 };
+static const keyid_t keyId = 42;
 void test_Encrypt(void);
 void test_DecryptValid(void);
@@ -54,7 +55,7 @@ test_Encrypt(void) {
 length = MD5authencrypt(keytype, key, keyLength, packetPtr, packetLength);
- TEST_ASSERT_TRUE(MD5authdecrypt(keytype, key, keyLength, packetPtr, packetLength, length));
+ TEST_ASSERT_TRUE(MD5authdecrypt(keytype, key, keyLength, packetPtr, packetLength, length, keyId));
 TEST_ASSERT_EQUAL(20, length);
 TEST_ASSERT_EQUAL_MEMORY(expectedPacket.u8, packetPtr, totalLength);
@@ -64,12 +65,12 @@ test_Encrypt(void) {
 void
 test_DecryptValid(void) {
- TEST_ASSERT_TRUE(MD5authdecrypt(keytype, key, keyLength, expectedPacket.u32, packetLength, 20));
+ TEST_ASSERT_TRUE(MD5authdecrypt(keytype, key, keyLength, expectedPacket.u32, packetLength, 20, keyId));
 }
 void
 test_DecryptInvalid(void) {
- TEST_ASSERT_FALSE(MD5authdecrypt(keytype, key, keyLength, invalidPacket.u32, packetLength, 20));
+ TEST_ASSERT_FALSE(MD5authdecrypt(keytype, key, keyLength, invalidPacket.u32, packetLength, 20, keyId));
 }
 void
diff --git a/tests/libntp/run-a_md5encrypt.c b/tests/libntp/run-a_md5encrypt.c
index 2d9c08669..06dda63f0 100644
--- a/tests/libntp/run-a_md5encrypt.c
+++ b/tests/libntp/run-a_md5encrypt.c
@@ -62,11 +62,11 @@ int main(int argc, char *argv[])
 progname = argv[0];
 suite_setup();
 UnityBegin("a_md5encrypt.c");
- RUN_TEST(test_Encrypt, 40);
- RUN_TEST(test_DecryptValid, 41);
- RUN_TEST(test_DecryptInvalid, 42);
- RUN_TEST(test_IPv4AddressToRefId, 43);
- RUN_TEST(test_IPv6AddressToRefId, 44);
+ RUN_TEST(test_Encrypt, 41);
+ RUN_TEST(test_DecryptValid, 42);
+ RUN_TEST(test_DecryptInvalid, 43);
+ RUN_TEST(test_IPv4AddressToRefId, 44);
+ RUN_TEST(test_IPv6AddressToRefId, 45);
 return (UnityEnd());
 }