From: Juergen Perlinger
Date: Thu, 21 Dec 2017 06:59:17 +0000 (+0100)
Subject: zero-pad or truncate AES128CMAC keys to exactly 16byte
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3cabbe7c6dc5cae38e80e9412b11d66cab59e4e;p=thirdparty%2Fntp.git

zero-pad or truncate AES128CMAC keys to exactly 16byte

bk: 5a3b5bc5YDu6Z-uEKqsewvrvMmq3DQ
---

diff --git a/libntp/a_md5encrypt.c b/libntp/a_md5encrypt.c
index 064a79a70..c2917ce64 100644
--- a/libntp/a_md5encrypt.c
+++ b/libntp/a_md5encrypt.c
@@ -42,8 +42,7 @@ cmac_ctx_size(
 }
 return mlen;
 }
-#endif
-
+#endif /*OPENSSL*/
 static size_t
 make_mac(
@@ -65,14 +64,23 @@ make_mac(
 /* Check if CMAC key type specific code required */
 if (ktype == NID_cmac) {
- CMAC_CTX * ctx = CMAC_CTX_new();
+ CMAC_CTX * ctx = NULL;
+ void const * keyptr = key->buf;
+ u_char keybuf[AES_128_KEY_SIZE];
+
+ /* adjust key size (zero padded buffer) if necessary */
+ if (AES_128_KEY_SIZE > key->len) {
+ memcpy(keybuf, keyptr, key->len);
+ memset((keybuf + key->len), 0,
+ (AES_128_KEY_SIZE - key->len));
+ keyptr = keybuf;
+ }
- if ( ! ctx) {
+ if (NULL == (ctx = CMAC_CTX_new())) {
 msyslog(LOG_ERR, "MAC encrypt: CMAC %s CTX new failed.", CMAC);
 goto cmac_fail;
 }
- if (!CMAC_Init(ctx, key->buf, key->len,
- EVP_aes_128_cbc(), NULL)) {
+ if (!CMAC_Init(ctx, keyptr, AES_128_KEY_SIZE, EVP_aes_128_cbc(), NULL)) {
 msyslog(LOG_ERR, "MAC encrypt: CMAC %s Init failed.", CMAC);
 goto cmac_fail;
 }
diff --git a/sntp/crypto.c b/sntp/crypto.c
index acfa39aa7..800d91de7 100644
--- a/sntp/crypto.c
+++ b/sntp/crypto.c
@@ -16,7 +16,8 @@
 #define CMAC "AES128CMAC"
 #ifdef OPENSSL
 # include "openssl/cmac.h"
-#endif
+# define AES_128_KEY_SIZE 16
+#endif /* OPENSSL */
 struct key *key_ptr;
 size_t key_cnt = 0;
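Review bot: The padding block added to the `ktype == NID_cmac` branch changes how keys are interpreted without emitting any diagnostic: a key shorter than `AES_128_KEY_SIZE` is silently zero-padded, and because `CMAC_Init` is now always passed `AES_128_KEY_SIZE`, a longer key is silently reduced to its first 16 bytes. Two configured keys that differ only past byte 16, or only by trailing zero bytes, therefore produce the same MAC, and a short key contributes only its own entropy. The added comment mentions padding only; I would extend it to `/* keys shorter than 16 bytes are zero padded, longer keys use only the first 16 bytes */` and log the adjustment once where the key is loaded rather than per packet. `keybuf` also holds a copy of key material on the stack and no wipe is visible; make_mac continues outside this hunk, so if its exit path does not already clear it, `OPENSSL_cleanse(keybuf, sizeof(keybuf));` before the branch returns would. The same points apply to the matching make_mac hunk in sntp/crypto.c.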
@@ -45,28 +46,29 @@ make_mac(
 #ifdef OPENSSL
 /* Check if CMAC key type specific code required */
 if (key_type == NID_cmac) {
- CMAC_CTX * ctx;
-
- if (debug) {
- fprintf(stderr, "%s:%d:%s():%s:nid\n",
- __FILE__, __LINE__, __func__, CMAC);
+ CMAC_CTX * ctx = NULL;
+ void const * keyptr = cmp_key->key_seq;
+ u_char keybuf[AES_128_KEY_SIZE];
+
+ /* adjust key size (zero padded buffer) if necessary */
+ if (AES_128_KEY_SIZE > cmp_key->key_len) {
+ memcpy(keybuf, keyptr, cmp_key->key_len);
+ memset((keybuf + cmp_key->key_len), 0,
+ (AES_128_KEY_SIZE - cmp_key->key_len));
+ keyptr = keybuf;
 }
-
+
 if (!(ctx = CMAC_CTX_new())) {
- fprintf(stderr, "make_mac: CMAC %s CTX new failed.\n", CMAC);
 msyslog(LOG_ERR, "make_mac: CMAC %s CTX new failed.", CMAC);
 }
- else if (!CMAC_Init(ctx, cmp_key->key_seq,
- (size_t)cmp_key->key_len, EVP_aes_128_cbc(), NULL)) {
- fprintf(stderr, "make_mac: CMAC %s Init failed.\n", CMAC);
+ else if (!CMAC_Init(ctx, keyptr, AES_128_KEY_SIZE,
+ EVP_aes_128_cbc(), NULL)) {
 msyslog(LOG_ERR, "make_mac: CMAC %s Init failed.", CMAC);
 }
 else if (!CMAC_Update(ctx, pkt_data, (size_t)pkt_size)) {
- fprintf(stderr, "make_mac: CMAC %s Update failed.\n", CMAC);
 msyslog(LOG_ERR, "make_mac: CMAC %s Update failed.", CMAC);
 }
 else if (!CMAC_Final(ctx, digest, &slen)) {
- fprintf(stderr, "make_mac: CMAC %s Final failed.\n", CMAC);
 msyslog(LOG_ERR, "make_mac: CMAC %s Final failed.", CMAC);
 slen = 0;
 }
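Review bot: `AES_128_KEY_SIZE > cmp_key->key_len` is the only bound checked before `memcpy(keybuf, keyptr, cmp_key->key_len)`, and the removed call cast the field with `(size_t)cmp_key->key_len`, which suggests `key_len` is a signed type (its declaration is outside this hunk). If that is the case, a negative length satisfies the comparison and is converted to a very large size in the `memcpy` and `memset`, writing past the 16-byte `keybuf`. Rejecting `cmp_key->key_len < 0` ahead of the padding block, and then comparing in `size_t`, e.g. `if ((size_t)cmp_key->key_len < AES_128_KEY_SIZE) {`, would make the bound explicit. make_mac starts and ends outside this hunk, so whether the key loader already excludes such lengths cannot be confirmed from here.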
@@ -81,34 +83,24 @@ make_mac(
 EVP_MD_CTX * ctx;
 if (!(ctx = EVP_MD_CTX_new())) {
- fprintf(stderr, "make_mac: MAC %s Digest CTX new failed.\n",
- cmp_key->typen);
 msyslog(LOG_ERR, "make_mac: MAC %s Digest CTX new failed.", cmp_key->typen);
 }
 #ifdef OPENSSL /* OpenSSL 1 supports return codes 0 fail, 1 okay */
 else if (!EVP_DigestInit(ctx, EVP_get_digestbynid(key_type))) {
- fprintf(stderr, "make_mac: MAC %s Digest Init failed.\n",
- cmp_key->typen);
 msyslog(LOG_ERR, "make_mac: MAC %s Digest Init failed.", cmp_key->typen);
 }
 else if (!EVP_DigestUpdate(ctx, (const u_char *)cmp_key->key_seq, (u_int)cmp_key->key_len)) {
- fprintf(stderr, "make_mac: MAC %s Digest Update key failed.\n",
- cmp_key->typen);
 msyslog(LOG_ERR, "make_mac: MAC %s Digest Update key failed.", cmp_key->typen);
 }
 else if (!EVP_DigestUpdate(ctx, pkt_data, (u_int)pkt_size)) {
- fprintf(stderr, "make_mac: MAC %s Digest Update data failed.\n",
- cmp_key->typen);
 msyslog(LOG_ERR, "make_mac: MAC %s Digest Update data failed.", cmp_key->typen);
 }
 else if (!EVP_DigestFinal(ctx, digest, &len)) {
- fprintf(stderr, "make_mac: MAC %s Digest Final failed.\n",
- cmp_key->typen);
 msyslog(LOG_ERR, "make_mac: MAC %s Digest Final failed.", cmp_key->typen);
 len = 0;