From: Dave Hart Date: Thu, 4 Apr 2024 21:49:45 +0000 (+0000) Subject: [Bug 3753] ntpd fails to start with FIPS-enabled OpenSSL 3. X-Git-Tag: NTP_4_2_8P18_RC1~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f88f200ee15b86a5057f346f392cdf2389952ebc;p=thirdparty%2Fntp.git [Bug 3753] ntpd fails to start with FIPS-enabled OpenSSL 3. bk: 660f2079SNgChUf978L85gfDkkNoCg --- diff --git a/ChangeLog b/ChangeLog index 52b3cf3c8..0179e4e16 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ --- +* [Bug 3753] ntpd fails to start with FIPS-enabled OpenSSL 3. * [Bug 3903] lib/isc/win32/strerror.c NTstrerror() is not thread-safe. * [Bug 3901] LIB_GETBUF isn't thread-safe. diff --git a/include/Makefile.am b/include/Makefile.am index dd739ebbc..b661ca639 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -8,6 +8,7 @@ noinst_HEADERS = \ ascii.h \ audio.h \ binio.h \ + c99_snprintf.h \ declcond.h \ gps.h \ hopf6039.h \ diff --git a/include/ntp.h b/include/ntp.h index 606618692..de1171666 100644 --- a/include/ntp.h +++ b/include/ntp.h @@ -562,9 +562,15 @@ struct pkt { #define MIN_V4_PKT_LEN (12 * sizeof(u_int32)) /* min header length */ #define LEN_PKT_NOMAC (12 * sizeof(u_int32)) /* min header length */ #define MIN_MAC_LEN (1 * sizeof(u_int32)) /* crypto_NAK */ -#define MAX_MD5_LEN (5 * sizeof(u_int32)) /* MD5 */ -#define MAX_MAC_LEN (6 * sizeof(u_int32)) /* SHA */ +#define MD5_LENGTH 16 +#define SHAKE128_LENGTH 16 +#define CMAC_LENGTH 16 +#define SHA1_LENGTH 20 #define KEY_MAC_LEN sizeof(u_int32) /* key ID in MAC */ +#define MAX_MD5_LEN (KEY_MAC_LEN + MD5_LENGTH) +#define MAX_SHAKE128_LEN (KEY_MAC_LEN + SHAKE128_LENGTH) +#define MAX_SHA1_LEN (KEY_MAC_LEN + SHA1_LENGTH) +#define MAX_MAC_LEN (6 * sizeof(u_int32)) /* any MAC */ #define MAX_MDG_LEN (MAX_MAC_LEN-KEY_MAC_LEN) /* max. digest len */ /* diff --git a/libntp/a_md5encrypt.c b/libntp/a_md5encrypt.c index 1c60a2949..a571405a5 100644 --- a/libntp/a_md5encrypt.c +++ b/libntp/a_md5encrypt.c @@ -62,7 +62,7 @@ get_md_ctx( #else if (!EVP_DigestInit(digest_ctx, EVP_get_digestbynid(nid))) { msyslog(LOG_ERR, "%s init failed", OBJ_nid2sn(nid)); - exit(1); + return NULL; } return digest_ctx; @@ -190,7 +190,7 @@ make_mac( /* * MD5authencrypt - generate message digest * - * Returns length of MAC including key ID and digest. + * Returns 0 on failure or length of MAC including key ID. */ size_t MD5authencrypt( @@ -205,13 +205,14 @@ MD5authencrypt( rwbuffT digb = { digest, sizeof(digest) }; robuffT keyb = { key, klen }; robuffT msgb = { pkt, length }; - size_t dlen = 0; + size_t dlen; dlen = make_mac(&digb, type, &keyb, &msgb); - /* If the MAC is longer than the MAX then truncate it. */ - if (dlen > MAX_MDG_LEN) - dlen = MAX_MDG_LEN; - memcpy((u_char *)pkt + length + KEY_MAC_LEN, digest, dlen); + if (0 == dlen) { + return 0; + } + memcpy((u_char *)pkt + length + KEY_MAC_LEN, digest, + min(dlen, MAX_MDG_LEN)); return (dlen + KEY_MAC_LEN); } @@ -239,15 +240,11 @@ MD5authdecrypt( size_t dlen = 0; dlen = make_mac(&digb, type, &keyb, &msgb); - - /* If the MAC is longer than the MAX then truncate it. */ - if (dlen > MAX_MDG_LEN) - dlen = MAX_MDG_LEN; - if (size != (size_t)dlen + KEY_MAC_LEN) { + if (0 == dlen || size != dlen + KEY_MAC_LEN) { msyslog(LOG_ERR, - "MAC decrypt: MAC length error: len=%u key=%d", - (u_int)size, keyno); - return (0); + "MAC decrypt: MAC length error: %u not %u for key %u", + (u_int)size, (u_int)(dlen + KEY_MAC_LEN), keyno); + return FALSE; } return !isc_tsmemcmp(digest, (u_char *)pkt + length + KEY_MAC_LEN, dlen); diff --git a/libntp/authkeys.c b/libntp/authkeys.c index 69652cd03..29671ac92 100644 --- a/libntp/authkeys.c +++ b/libntp/authkeys.c @@ -611,6 +611,9 @@ authhavekey( /* * The key is found and trusted. Initialize the key cache. + * The cache really should be a struct savekey to streamline + * this code. Using a sk pointer would be even faster but more + * fragile around pointing to freed memory. */ cache_keyid = sk->keyid; cache_type = sk->type; diff --git a/libntp/ssl_init.c b/libntp/ssl_init.c index 0ffd8528d..6de8a0b5f 100644 --- a/libntp/ssl_init.c +++ b/libntp/ssl_init.c @@ -77,9 +77,6 @@ ssl_check_version(void) } INIT_SSL(); } - -#else /* !OPENSSL */ -# define MD5_LENGTH 16 #endif /* OPENSSL */ diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c index 42f2d8053..36ffee32e 100644 --- a/ntpd/ntp_io.c +++ b/ntpd/ntp_io.c @@ -4956,7 +4956,7 @@ init_async_notifications(void) int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE); struct sockaddr_nl sa; #else - int fd = socket(PF_ROUTE, SOCK_RAW, 0); + int fd = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC); #endif if (fd < 0) { msyslog(LOG_ERR, diff --git a/sntp/crypto.c b/sntp/crypto.c index 7807ccc00..1be2ea3f0 100644 --- a/sntp/crypto.c +++ b/sntp/crypto.c @@ -16,14 +16,15 @@ size_t key_cnt = 0; typedef struct key Key_T; -static u_int +static size_t compute_mac( - u_char digest[EVP_MAX_MD_SIZE], + u_char * digest, + size_t dig_sz, char const * macname, void const * pkt_data, - u_int pkt_size, + size_t pkt_len, void const * key_data, - u_int key_size + size_t key_size ) { u_int len = 0; @@ -56,7 +57,7 @@ compute_mac( EVP_aes_128_cbc(), NULL)) { msyslog(LOG_ERR, "make_mac: CMAC %s Init failed.", CMAC); } - else if (!CMAC_Update(ctx, pkt_data, (size_t)pkt_size)) { + else if (!CMAC_Update(ctx, pkt_data, pkt_len)) { msyslog(LOG_ERR, "make_mac: CMAC %s Update failed.", CMAC); } else if (!CMAC_Final(ctx, digest, &slen)) { @@ -95,7 +96,7 @@ compute_mac( macname); goto mac_fail; } - if (!EVP_DigestUpdate(ctx, pkt_data, pkt_size)) { + if (!EVP_DigestUpdate(ctx, pkt_data, pkt_len)) { msyslog(LOG_ERR, "make_mac: MAC %s Digest Update data failed.", macname); goto mac_fail; @@ -112,7 +113,7 @@ compute_mac( goto mac_fail; } EVP_DigestUpdate(ctx, key_data, key_size); - EVP_DigestUpdate(ctx, pkt_data, pkt_size); + EVP_DigestUpdate(ctx, pkt_data, pkt_len); EVP_DigestFinal(ctx, digest, &len); #endif mac_fail: @@ -122,34 +123,28 @@ compute_mac( return len; } -int + +size_t make_mac( const void * pkt_data, - int pkt_size, - int mac_size, + size_t pkt_len, Key_T const * cmp_key, - void * digest + void * digest, + size_t dig_sz ) { u_int len; u_char dbuf[EVP_MAX_MD_SIZE]; - if (cmp_key->key_len > 64 || mac_size <= 0) - return 0; - if (pkt_size % 4 != 0) + if (cmp_key->key_len > 64 || pkt_len % 4 != 0) { return 0; - - len = compute_mac(dbuf, cmp_key->typen, - pkt_data, (u_int)pkt_size, - cmp_key->key_seq, (u_int)cmp_key->key_len); - - - if (len) { - if (len > (u_int)mac_size) - len = (u_int)mac_size; - memcpy(digest, dbuf, len); } - return (int)len; + len = compute_mac(dbuf, sizeof(dbuf), cmp_key->typen, pkt_data, + pkt_len, cmp_key->key_seq, cmp_key->key_len); + INSIST(len <= dig_sz); + memcpy(digest, dbuf, len); + + return len; } @@ -161,8 +156,8 @@ make_mac( int auth_md5( void const * pkt_data, - int pkt_size, - int mac_size, + size_t pkt_len, + size_t mac_len, Key_T const * cmp_key ) { @@ -170,22 +165,20 @@ auth_md5( u_char const * pkt_ptr = pkt_data; u_char dbuf[EVP_MAX_MD_SIZE]; - if (mac_size <= 0 || (size_t)mac_size > sizeof(dbuf)) + if (0 == mac_len || mac_len > sizeof(dbuf)) { return FALSE; + } + len = compute_mac(dbuf, sizeof(dbuf), cmp_key->typen, + pkt_ptr, pkt_len, cmp_key->key_seq, + cmp_key->key_len); - len = compute_mac(dbuf, cmp_key->typen, - pkt_ptr, (u_int)pkt_size, - cmp_key->key_seq, (u_int)cmp_key->key_len); - - pkt_ptr += pkt_size + 4; - if (len > (u_int)mac_size) - len = (u_int)mac_size; + pkt_ptr += pkt_len + sizeof(keyid_t); /* isc_tsmemcmp will be better when its easy to link with. sntp * is a 1-shot program, so snooping for timing attacks is * Harder. */ - return ((u_int)mac_size == len) && !memcmp(dbuf, pkt_ptr, len); + return mac_len == len && !memcmp(dbuf, pkt_ptr, mac_len); } static int @@ -312,14 +305,15 @@ auth_init( */ void get_key( - int key_id, - struct key **d_key + keyid_t key_id, + struct key ** d_key ) { struct key *itr_key; - if (key_cnt == 0) + if (key_cnt == 0) { return; + } for (itr_key = key_ptr; itr_key; itr_key = itr_key->next) { if (itr_key->key_id == key_id) { *d_key = itr_key; diff --git a/sntp/crypto.h b/sntp/crypto.h index 4e75df20a..4afe865e5 100644 --- a/sntp/crypto.h +++ b/sntp/crypto.h @@ -17,18 +17,19 @@ struct key { struct key * next; - int key_id; - int key_len; + keyid_t key_id; + size_t key_len; int typei; char typen[20]; char key_seq[64]; }; extern int auth_init(const char *keyfile, struct key **keys); -extern void get_key(int key_id, struct key **d_key); -extern int make_mac(const void *pkt_data, int pkt_size, int mac_size, - const struct key *cmp_key, void *digest); -extern int auth_md5(const void *pkt_data, int pkt_size, int mac_size, - const struct key *cmp_key); +extern void get_key(keyid_t key_id, struct key **d_key); +extern size_t make_mac(const void *pkt_data, size_t pkt_len, + const struct key *cmp_key, void *digest, + size_t dig_sz); +extern int auth_md5(const void *pkt_data, size_t pkt_len, + size_t dig_len, const struct key *cmp_key); #endif diff --git a/sntp/main.c b/sntp/main.c index 08064a6c0..b1a35b42a 100644 --- a/sntp/main.c +++ b/sntp/main.c @@ -1010,12 +1010,12 @@ kill_asyncio( sock6 = INVALID_SOCKET; } if (INVALID_SOCKET != bsock4) { - closesocket(sock4); - sock4 = INVALID_SOCKET; + closesocket(bsock4); + bsock4 = INVALID_SOCKET; } if (INVALID_SOCKET != bsock6) { - closesocket(sock6); - sock6 = INVALID_SOCKET; + closesocket(bsock6); + bsock6 = INVALID_SOCKET; } } #endif @@ -1033,9 +1033,9 @@ worker_resp_cb( { blocking_child * c; - DEBUG_INSIST(EV_READ & what); + REQUIRE(EV_READ & what); c = ctx; - DEBUG_INSIST(fd == c->resp_read_pipe); + INSIST(fd == c->resp_read_pipe); process_blocking_resp(c); } @@ -1060,7 +1060,7 @@ intres_timeout_req( ev_worker_timeout = event_new(base, -1, EV_TIMEOUT | EV_PERSIST, &worker_timeout, NULL); - DEBUG_INSIST(NULL != ev_worker_timeout); + INSIST(NULL != ev_worker_timeout); } else { event_del(ev_worker_timeout); } @@ -1082,7 +1082,7 @@ worker_timeout( UNUSED_ARG(fd); UNUSED_ARG(ctx); - DEBUG_REQUIRE(EV_TIMEOUT & what); + REQUIRE(EV_TIMEOUT & what); worker_idle_timer_fired(); } @@ -1144,8 +1144,8 @@ generate_pkt ( } if (pkt_key != NULL) { x_pkt->exten[0] = htonl(key_id); - mac_size = make_mac(x_pkt, pkt_len, MAX_MDG_LEN, - pkt_key, (char *)&x_pkt->exten[1]); + mac_size = make_mac(x_pkt, pkt_len, pkt_key, + (char *)&x_pkt->exten[1], MAX_MDG_LEN); if (mac_size > 0) pkt_len += mac_size + KEY_MAC_LEN; #ifdef DEBUG diff --git a/sntp/tests/crypto.c b/sntp/tests/crypto.c index 7e4bf423e..509efe79c 100644 --- a/sntp/tests/crypto.c +++ b/sntp/tests/crypto.c @@ -7,15 +7,14 @@ #define CMAC "AES128CMAC" -#define MD5_LENGTH 16 #define SHA1_LENGTH 20 #define CMAC_LENGTH 16 -void test_MakeMd5Mac(void); +void test_MakeSHAKE128Mac(void); void test_MakeSHA1Mac(void); void test_MakeCMac(void); -void test_VerifyCorrectMD5(void); +void test_VerifySHAKE128(void); void test_VerifySHA1(void); void test_VerifyCMAC(void); void test_VerifyFailure(void); @@ -26,26 +25,36 @@ void VerifyOpenSSLCMAC(struct key *cmac); void -test_MakeMd5Mac(void) +test_MakeSHAKE128Mac(void) { - const char* PKT_DATA = "abcdefgh0123"; - const int PKT_LEN = strlen(PKT_DATA); - const char* EXPECTED_DIGEST = - "\x52\x6c\xb8\x38\xaf\x06\x5a\xfb\x6c\x98\xbb\xc0\x9b\x0a\x7a\x1b"; - char actual[MD5_LENGTH]; +#ifdef OPENSSL - struct key md5; - md5.next = NULL; - md5.key_id = 10; - md5.key_len = 6; - memcpy(&md5.key_seq, "md5seq", md5.key_len); - strlcpy(md5.typen, "MD5", sizeof(md5.typen)); - md5.typei = keytype_from_text(md5.typen, NULL); + const char KEY[] = "SHAKE128 unit test key"; + const u_char PAYLOAD[] = "packettestdata16"; + const size_t PAYLOAD_LEN = sizeof(PAYLOAD) - 1; + const u_char EXPECTED_DIGEST[] = + "\x62\x5A\x8F\xE4\x66\xCB\xF3\xA6" + "\x73\x62\x68\x8D\x11\xB8\x42\xBB"; + u_char actual[sizeof(EXPECTED_DIGEST) - 1]; + struct key sk; + + sk.next = NULL; + sk.key_id = 10; + sk.key_len = sizeof(KEY) - 1; + memcpy(&sk.key_seq, KEY, min(sizeof(sk.key_seq), sk.key_len)); + strlcpy(sk.typen, "SHAKE128", sizeof(sk.typen)); + sk.typei = keytype_from_text(sk.typen, NULL); + + TEST_ASSERT_EQUAL(sizeof(actual), + make_mac(PAYLOAD, PAYLOAD_LEN, &sk, actual, + sizeof(actual))); + + TEST_ASSERT_EQUAL_HEX8_ARRAY(EXPECTED_DIGEST, actual, sizeof(actual)); +#else - TEST_ASSERT_EQUAL(MD5_LENGTH, - make_mac(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5, actual)); + TEST_IGNORE_MESSAGE("OpenSSL not found, skipping..."); - TEST_ASSERT_TRUE(memcmp(EXPECTED_DIGEST, actual, MD5_LENGTH) == 0); +#endif /* OPENSSL */ } @@ -70,7 +79,8 @@ test_MakeSHA1Mac(void) sha1.typei = keytype_from_text(sha1.typen, NULL); TEST_ASSERT_EQUAL(SHA1_LENGTH, - make_mac(PKT_DATA, PKT_LEN, SHA1_LENGTH, &sha1, actual)); + make_mac(PKT_DATA, PKT_LEN, &sha1, actual, + SHA1_LENGTH)); TEST_ASSERT_EQUAL_MEMORY(EXPECTED_DIGEST, actual, SHA1_LENGTH); @@ -102,7 +112,7 @@ test_MakeCMac(void) memcpy(&cmac.typen, CMAC, strlen(CMAC) + 1); TEST_ASSERT_EQUAL(CMAC_LENGTH, - make_mac(PKT_DATA, PKT_LEN, CMAC_LENGTH, &cmac, actual)); + make_mac(PKT_DATA, PKT_LEN, &cmac, actual, CMAC_LENGTH)); TEST_ASSERT_EQUAL_MEMORY(EXPECTED_DIGEST, actual, CMAC_LENGTH); @@ -115,24 +125,40 @@ test_MakeCMac(void) void -test_VerifyCorrectMD5(void) +test_VerifySHAKE128(void) { - const char* PKT_DATA = - "sometestdata" /* Data */ - "\0\0\0\0" /* Key-ID (unused) */ - "\xc7\x58\x99\xdd\x99\x32\x0f\x71" /* MAC */ - "\x2b\x7b\xfe\x4f\xa2\x32\xcf\xac"; - const int PKT_LEN = 12; - struct key md5; +#ifdef OPENSSL + const char KEY[] = "SHAKE128 unit test key"; + const u_char PAYLOAD[] = "packettestdata16"; + const size_t PAYLOAD_LEN = sizeof(PAYLOAD) - 1; + const u_char EXPECTED_DIGEST[] = + "\x62\x5A\x8F\xE4\x66\xCB\xF3\xA6" + "\x73\x62\x68\x8D\x11\xB8\x42\xBB"; + const size_t DIGEST_LEN = sizeof(EXPECTED_DIGEST) - 1; + struct key sk; + u_char PKT_DATA[ PAYLOAD_LEN + sizeof(sk.key_id) + + DIGEST_LEN]; + u_char *p; + + sk.next = NULL; + sk.key_id = 0; + sk.key_len = sizeof(KEY) - 1; + memcpy(&sk.key_seq, KEY, min(sizeof(sk.key_seq), sk.key_len)); + strlcpy(sk.typen, "SHAKE128", sizeof(sk.typen)); + sk.typei = keytype_from_text(sk.typen, NULL); + + p = PKT_DATA; + memcpy(p, PAYLOAD, PAYLOAD_LEN); p += PAYLOAD_LEN; + memcpy(p, &sk.key_id, sizeof(sk.key_id)); p += sizeof(sk.key_id); + memcpy(p, EXPECTED_DIGEST, DIGEST_LEN); p += DIGEST_LEN; + TEST_ASSERT_TRUE(sizeof(PKT_DATA) == p - PKT_DATA); + + TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PAYLOAD_LEN, DIGEST_LEN, &sk)); +#else - md5.next = NULL; - md5.key_id = 0; - md5.key_len = 6; - memcpy(&md5.key_seq, "md5key", md5.key_len); - strlcpy(md5.typen, "MD5", sizeof(md5.typen)); - md5.typei = keytype_from_text(md5.typen, NULL); + TEST_IGNORE_MESSAGE("OpenSSL not found, skipping..."); - TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5)); +#endif /* OPENSSL */ } @@ -216,42 +242,77 @@ VerifyLocalCMAC(struct key *cmac) void test_VerifyFailure(void) { - /* We use a copy of the MD5 verification code, but modify the - * last bit to make sure verification fails. + /* + * We use a copy of test_VerifySHAKE128(), but modify the + * last packet octet to make sure verification fails. */ - const char* PKT_DATA = - "sometestdata" /* Data */ - "\0\0\0\0" /* Key-ID (unused) */ - "\xc7\x58\x99\xdd\x99\x32\x0f\x71" /* MAC */ - "\x2b\x7b\xfe\x4f\xa2\x32\xcf\x00"; /* Last byte is wrong! */ - const int PKT_LEN = 12; - struct key md5; +#ifdef OPENSSL + const char KEY[] = "SHAKE128 unit test key"; + const u_char PAYLOAD[] = "packettestdata1_"; + /* last packet byte different */ + const size_t PAYLOAD_LEN = sizeof(PAYLOAD) - 1; + const u_char EXPECTED_DIGEST[] = + "\x62\x5A\x8F\xE4\x66\xCB\xF3\xA6" + "\x73\x62\x68\x8D\x11\xB8\x42\xBB"; + const size_t DIGEST_LEN = sizeof(EXPECTED_DIGEST) - 1; + struct key sk; + u_char PKT_DATA[ PAYLOAD_LEN + sizeof(sk.key_id) + + DIGEST_LEN]; + u_char *p; + + sk.next = NULL; + sk.key_id = 0; + sk.key_len = sizeof(KEY) - 1; + memcpy(&sk.key_seq, KEY, min(sizeof(sk.key_seq), sk.key_len)); + strlcpy(sk.typen, "SHAKE128", sizeof(sk.typen)); + sk.typei = keytype_from_text(sk.typen, NULL); + + p = PKT_DATA; + memcpy(p, PAYLOAD, PAYLOAD_LEN); p += PAYLOAD_LEN; + memcpy(p, &sk.key_id, sizeof(sk.key_id)); p += sizeof(sk.key_id); + memcpy(p, EXPECTED_DIGEST, DIGEST_LEN); p += DIGEST_LEN; + TEST_ASSERT_TRUE(sizeof(PKT_DATA) == p - PKT_DATA); + + TEST_ASSERT_FALSE(auth_md5(PKT_DATA, PAYLOAD_LEN, DIGEST_LEN, &sk)); +#else - md5.next = NULL; - md5.key_id = 0; - md5.key_len = 6; - memcpy(&md5.key_seq, "md5key", md5.key_len); - strlcpy(md5.typen, "MD5", sizeof(md5.typen)); - md5.typei = keytype_from_text(md5.typen, NULL); + TEST_IGNORE_MESSAGE("OpenSSL not found, skipping..."); - TEST_ASSERT_FALSE(auth_md5(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5)); +#endif /* OPENSSL */ } void test_PacketSizeNotMultipleOfFourBytes(void) { - const char* PKT_DATA = "123456"; - const int PKT_LEN = 6; - char actual[MD5_LENGTH]; - struct key md5; - - md5.next = NULL; - md5.key_id = 10; - md5.key_len = 6; - memcpy(&md5.key_seq, "md5seq", md5.key_len); - strlcpy(md5.typen, "MD5", sizeof(md5.typen)); - md5.typei = keytype_from_text(md5.typen, NULL); - - TEST_ASSERT_EQUAL(0, make_mac(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5, actual)); + /* + * We use a copy of test_MakeSHAKE128Mac(), but modify + * the packet length to 17. + */ +#ifdef OPENSSL + + const char KEY[] = "SHAKE128 unit test key"; + const u_char PAYLOAD[] = "packettestdata_17"; + const size_t PAYLOAD_LEN = sizeof(PAYLOAD) - 1; + const u_char EXPECTED_DIGEST[] = + "\x62\x5A\x8F\xE4\x66\xCB\xF3\xA6" + "\x73\x62\x68\x8D\x11\xB8\x42\xBB"; + u_char actual[sizeof(EXPECTED_DIGEST) - 1]; + struct key sk; + + sk.next = NULL; + sk.key_id = 10; + sk.key_len = sizeof(KEY) - 1; + memcpy(&sk.key_seq, KEY, min(sizeof(sk.key_seq), sk.key_len)); + strlcpy(sk.typen, "SHAKE128", sizeof(sk.typen)); + sk.typei = keytype_from_text(sk.typen, NULL); + + TEST_ASSERT_EQUAL(0, + make_mac(PAYLOAD, PAYLOAD_LEN, &sk, actual, + sizeof(actual))); +#else + + TEST_IGNORE_MESSAGE("OpenSSL not found, skipping..."); + +#endif /* OPENSSL */ } diff --git a/sntp/tests/packetHandling.c b/sntp/tests/packetHandling.c index 6787eeaa2..cf52ccd60 100644 --- a/sntp/tests/packetHandling.c +++ b/sntp/tests/packetHandling.c @@ -72,26 +72,36 @@ test_GenerateUnauthenticatedPacket(void) void test_GenerateAuthenticatedPacket(void) { - static const int EXPECTED_PKTLEN = LEN_PKT_NOMAC + MAX_MD5_LEN; - +#ifdef OPENSSL + + const int EXPECTED_PKTLEN = LEN_PKT_NOMAC + MAX_SHAKE128_LEN; + struct key testkey; struct pkt testpkt; struct timeval xmt; l_fp expected_xmt, actual_xmt; - char expected_mac[MAX_MD5_LEN]; - + const char key[] = "123456789"; + size_t mac_sz; + const u_char expected_mac[] = { + 0x46, 0x79, 0x81, 0x6b, + 0x22, 0xe3, 0xa7, 0xaf, + 0x1d, 0x63, 0x20, 0xfb, + 0xc7, 0xd6, 0x87, 0x2c + }; + testkey.next = NULL; testkey.key_id = 30; - testkey.key_len = 9; - memcpy(testkey.key_seq, "123456789", testkey.key_len); - strlcpy(testkey.typen, "MD5", sizeof(testkey.typen)); + strlcpy(testkey.key_seq, key, sizeof(testkey.key_seq)); + testkey.key_len = strlen(testkey.key_seq); + strlcpy(testkey.typen, "SHAKE128", sizeof(testkey.typen)); testkey.typei = keytype_from_text(testkey.typen, NULL); - GETTIMEOFDAY(&xmt, NULL); - xmt.tv_sec += JAN_1970; + xmt.tv_sec = JAN_1970; + xmt.tv_usec = 0; TEST_ASSERT_EQUAL(EXPECTED_PKTLEN, - generate_pkt(&testpkt, &xmt, testkey.key_id, &testkey)); + generate_pkt(&testpkt, &xmt, testkey.key_id, + &testkey)); TEST_ASSERT_EQUAL(LEAP_NOTINSYNC, PKT_LEAP(testpkt.li_vn_mode)); TEST_ASSERT_EQUAL(NTP_VERSION, PKT_VERSION(testpkt.li_vn_mode)); @@ -105,10 +115,20 @@ test_GenerateAuthenticatedPacket(void) TEST_ASSERT_TRUE(LfpEquality(expected_xmt, actual_xmt)); TEST_ASSERT_EQUAL(testkey.key_id, ntohl(testpkt.exten[0])); - - TEST_ASSERT_EQUAL(MAX_MD5_LEN - 4, /* Remove the key_id, only keep the mac. */ - make_mac(&testpkt, LEN_PKT_NOMAC, MAX_MD5_LEN-4, &testkey, expected_mac)); - TEST_ASSERT_EQUAL_MEMORY(expected_mac, (char*)&testpkt.exten[1], MAX_MD5_LEN -4); + + TEST_ASSERT_EQUAL(sizeof(expected_mac), SHAKE128_LENGTH); + mac_sz = make_mac(&testpkt, LEN_PKT_NOMAC, &testkey, + &testpkt.exten[1], MAX_MDG_LEN); + TEST_ASSERT_EQUAL(mac_sz, SHAKE128_LENGTH); + + TEST_ASSERT_EQUAL_MEMORY(expected_mac, (void *)&testpkt.exten[1], + SHAKE128_LENGTH); + +#else /* !OPENSSL follows */ + + TEST_IGNORE_MESSAGE("OpenSSL not found, skipping..."); + +#endif } @@ -169,7 +189,7 @@ test_OffsetCalculationNegativeOffset(void) rpkt.precision = -1; rpkt.rootdelay = HTONS_FP(DTOUFP(0.5)); rpkt.rootdisp = HTONS_FP(DTOUFP(0.5)); - + /* Synch Distance is (0.5+0.5)/2.0, or 0.5 */ get_systime(&reftime); HTONL_FP(&reftime, &rpkt.reftime); diff --git a/sntp/tests/packetProcessing.c b/sntp/tests/packetProcessing.c index 03d219399..0e7fedee2 100644 --- a/sntp/tests/packetProcessing.c +++ b/sntp/tests/packetProcessing.c @@ -15,7 +15,6 @@ extern int key_cnt; void PrepareAuthenticationTest(int key_id,int key_len,const char* type,const void* key_seq); -void PrepareAuthenticationTestMD5(int key_id,int key_len,const void* key_seq); void setUp(void); void tearDown(void); void test_TooShortLength(void); @@ -35,14 +34,15 @@ void test_RejectWrongResponseServerMode(void); void test_AcceptNoSentPacketBroadcastMode(void); void test_CorrectUnauthenticatedPacket(void); void test_CorrectAuthenticatedPacketMD5(void); +void test_CorrectAuthenticatedPacketSHAKE128(void); void test_CorrectAuthenticatedPacketSHA1(void); void test_CorrectAuthenticatedPacketCMAC(void); /* [Bug 2998] There are some issues whith the definition of 'struct pkt' * when AUTOKEY is undefined -- the formal struct is too small to hold * all the extension fields that are going to be tested. We have to make - * sure we have the extra bytes, or the test yield undefined results due - * to buffer overrun. + * sure we have the extra bytes, or the test yields undefined results due + * to buffer overrun. */ #ifndef AUTOKEY # define EXTRA_BUFSIZE 256 @@ -53,7 +53,7 @@ void test_CorrectAuthenticatedPacketCMAC(void); union tpkt { struct pkt p; u_char b[sizeof(struct pkt) + EXTRA_BUFSIZE]; -}; +}; static union tpkt testpkt; static union tpkt testspkt; @@ -70,34 +70,27 @@ PrepareAuthenticationTest( ) { char str[25]; - snprintf(str, 25, "%d", key_id); + + snprintf(str, sizeof(str), "%d", key_id); ActivateOption("-a", str); key_cnt = 1; - key_ptr = emalloc(sizeof(struct key)); + if (NULL == key_ptr) { + key_ptr = emalloc(sizeof(*key_ptr)); + } key_ptr->next = NULL; key_ptr->key_id = key_id; key_ptr->key_len = key_len; - memcpy(key_ptr->typen, type, strlen(type) + 1); + strncpy(key_ptr->typen, type, sizeof(key_ptr->typen)); TEST_ASSERT_TRUE(key_len < sizeof(key_ptr->key_seq)); - memcpy(key_ptr->key_seq, key_seq, key_ptr->key_len); + memcpy(key_ptr->key_seq, key_seq, + min(key_len, sizeof(key_ptr->key_seq))); restoreKeyDb = true; } -void -PrepareAuthenticationTestMD5( - int key_id, - int key_len, - const void * key_seq - ) -{ - PrepareAuthenticationTest(key_id, key_len, "MD5", key_seq); -} - - void setUp(void) { @@ -109,7 +102,7 @@ setUp(void) * so they contain at least some valid data. */ testpkt.p.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOWARNING, NTP_VERSION, - MODE_SERVER); + MODE_SERVER); testpkt.p.stratum = STRATUM_REFCLOCK; memcpy(&testpkt.p.refid, "GPS\0", 4); @@ -127,7 +120,7 @@ setUp(void) void tearDown(void) -{ +{ if (restoreKeyDb) { key_cnt = 0; free(key_ptr); @@ -171,7 +164,7 @@ test_TooShortExtensionFieldLength(void) * still... */ uint32_t * pe = testpkt.p.exten + 7; - + /* The lower 16-bits are the length of the extension field. * This lengths must be multiples of 4 bytes, which gives * a minimum of 4 byte extension field length. @@ -224,19 +217,20 @@ test_CryptoNAKPacketReject(void) void test_AuthenticatedPacketInvalid(void) { +#ifdef OPENSSL + size_t pkt_len = LEN_PKT_NOMAC; + size_t mac_len; + /* Activate authentication option */ - PrepareAuthenticationTestMD5(50, 9, "123456789"); + PrepareAuthenticationTest(50, 9, "SHAKE128", "123456789"); TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION)); - - /* Prepare the packet. */ - int pkt_len = LEN_PKT_NOMAC; + /* Prepare the packet. */ testpkt.p.exten[0] = htonl(50); - int mac_len = make_mac(&testpkt.p, pkt_len, - MAX_MD5_LEN - KEY_MAC_LEN, key_ptr, - &testpkt.p.exten[1]); + mac_len = make_mac(&testpkt.p, pkt_len, key_ptr, + &testpkt.p.exten[1], MAX_MDG_LEN); - pkt_len += 4 + mac_len; + pkt_len += KEY_MAC_LEN + mac_len; /* Now, alter the MAC so it becomes invalid. */ testpkt.p.exten[1] += 1; @@ -244,30 +238,43 @@ test_AuthenticatedPacketInvalid(void) TEST_ASSERT_EQUAL(SERVER_AUTH_FAIL, process_pkt(&testpkt.p, &testsock, pkt_len, MODE_SERVER, &testspkt.p, "UnitTest")); + +#else + + TEST_IGNORE_MESSAGE("OpenSSL not enabled, skipping..."); + +#endif } void test_AuthenticatedPacketUnknownKey(void) { +#ifdef OPENSSL + size_t pkt_len = LEN_PKT_NOMAC; + size_t mac_len; + /* Activate authentication option */ - PrepareAuthenticationTestMD5(30, 9, "123456789"); + PrepareAuthenticationTest(30, 9, "SHAKE128", "123456789"); TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION)); - + /* Prepare the packet. Note that the Key-ID expected is 30, but * the packet has a key id of 50. */ - int pkt_len = LEN_PKT_NOMAC; - testpkt.p.exten[0] = htonl(50); - int mac_len = make_mac(&testpkt.p, pkt_len, - MAX_MD5_LEN - KEY_MAC_LEN, key_ptr, - &testpkt.p.exten[1]); + mac_len = make_mac(&testpkt.p, pkt_len, key_ptr, + &testpkt.p.exten[1], MAX_MDG_LEN); pkt_len += KEY_MAC_LEN + mac_len; TEST_ASSERT_EQUAL(SERVER_AUTH_FAIL, process_pkt(&testpkt.p, &testsock, pkt_len, MODE_SERVER, &testspkt.p, "UnitTest")); + +#else + + TEST_IGNORE_MESSAGE("OpenSSL not enabled, skipping..."); + +#endif } @@ -282,7 +289,7 @@ test_ServerVersionTooOld(void) TEST_ASSERT_TRUE(PKT_VERSION(testpkt.p.li_vn_mode) < NTP_OLDVERSION); int pkt_len = LEN_PKT_NOMAC; - + TEST_ASSERT_EQUAL(SERVER_UNUSEABLE, process_pkt(&testpkt.p, &testsock, pkt_len, MODE_SERVER, &testspkt.p, "UnitTest")); @@ -418,44 +425,96 @@ test_CorrectUnauthenticatedPacket(void) void test_CorrectAuthenticatedPacketMD5(void) { - PrepareAuthenticationTestMD5(10, 15, "123456789abcdef"); +#ifdef OPENSSL + + keyid_t k_id = 10; + int pkt_len = LEN_PKT_NOMAC; + int mac_len; + + PrepareAuthenticationTest(k_id, 15, "MD5", "123456789abcdef"); TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION)); + /* Prepare the packet. */ + testpkt.p.exten[0] = htonl(k_id); + mac_len = make_mac(&testpkt.p, pkt_len, key_ptr, + &testpkt.p.exten[1], MAX_MDG_LEN); + + /* TODO: Should not expect failure if non-FIPS OpenSSL */ + TEST_EXPECT_FAIL_MESSAGE("FIPS OpenSSL bars MD5"); + + pkt_len += KEY_MAC_LEN + mac_len; + + TEST_ASSERT_EQUAL(pkt_len, + process_pkt(&testpkt.p, &testsock, pkt_len, + MODE_SERVER, &testspkt.p, "UnitTest")); + +#else + + TEST_IGNORE_MESSAGE("OpenSSL not enabled, skipping..."); + +#endif +} + + +void +test_CorrectAuthenticatedPacketSHAKE128(void) +{ +#ifdef OPENSSL + + keyid_t k_id = 10; int pkt_len = LEN_PKT_NOMAC; + int mac_len; + + PrepareAuthenticationTest(k_id, 15, "SHAKE128", "123456789abcdef"); + TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION)); /* Prepare the packet. */ - testpkt.p.exten[0] = htonl(10); - int mac_len = make_mac(&testpkt.p, pkt_len, - MAX_MD5_LEN - KEY_MAC_LEN, key_ptr, - &testpkt.p.exten[1]); + testpkt.p.exten[0] = htonl(k_id); + mac_len = make_mac(&testpkt.p, pkt_len, key_ptr, &testpkt.p.exten[1], + SHAKE128_LENGTH); pkt_len += KEY_MAC_LEN + mac_len; TEST_ASSERT_EQUAL(pkt_len, process_pkt(&testpkt.p, &testsock, pkt_len, MODE_SERVER, &testspkt.p, "UnitTest")); + +#else + + TEST_IGNORE_MESSAGE("OpenSSL not enabled, skipping..."); + +#endif } void test_CorrectAuthenticatedPacketSHA1(void) { - PrepareAuthenticationTest(20, 15, "SHA1", "abcdefghijklmno"); - TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION)); +#ifdef OPENSSL + keyid_t k_id = 20; int pkt_len = LEN_PKT_NOMAC; + int mac_len; + + PrepareAuthenticationTest(k_id, 15, "SHA1", "abcdefghijklmno"); + TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION)); /* Prepare the packet. */ - testpkt.p.exten[0] = htonl(20); - int mac_len = make_mac(&testpkt.p, pkt_len, - MAX_MDG_LEN, key_ptr, - &testpkt.p.exten[1]); + testpkt.p.exten[0] = htonl(k_id); + mac_len = make_mac(&testpkt.p, pkt_len, key_ptr, &testpkt.p.exten[1], + SHA1_LENGTH); pkt_len += KEY_MAC_LEN + mac_len; TEST_ASSERT_EQUAL(pkt_len, process_pkt(&testpkt.p, &testsock, pkt_len, MODE_SERVER, &testspkt.p, "UnitTest")); + +#else + + TEST_IGNORE_MESSAGE("OpenSSL not enabled, skipping..."); + +#endif } @@ -471,9 +530,8 @@ test_CorrectAuthenticatedPacketCMAC(void) /* Prepare the packet. */ testpkt.p.exten[0] = htonl(30); - int mac_len = make_mac(&testpkt.p, pkt_len, - MAX_MAC_LEN, key_ptr, - &testpkt.p.exten[1]); + int mac_len = make_mac(&testpkt.p, pkt_len, key_ptr, + &testpkt.p.exten[1], MAX_MAC_LEN); pkt_len += 4 + mac_len; @@ -482,9 +540,9 @@ test_CorrectAuthenticatedPacketCMAC(void) MODE_SERVER, &testspkt.p, "UnitTest")); #else - + TEST_IGNORE_MESSAGE("CMAC not enabled, skipping..."); - + #endif /* OPENSSL */ } diff --git a/sntp/tests/run-crypto.c b/sntp/tests/run-crypto.c index a486f86c4..83e8d1943 100644 --- a/sntp/tests/run-crypto.c +++ b/sntp/tests/run-crypto.c @@ -30,10 +30,10 @@ //=======External Functions This Runner Calls===== extern void setUp(void); extern void tearDown(void); -extern void test_MakeMd5Mac(void); +extern void test_MakeSHAKE128Mac(void); extern void test_MakeSHA1Mac(void); extern void test_MakeCMac(void); -extern void test_VerifyCorrectMD5(void); +extern void test_VerifySHAKE128(void); extern void test_VerifySHA1(void); extern void test_VerifyCMAC(void); extern void test_VerifyFailure(void); @@ -66,14 +66,14 @@ int main(int argc, char *argv[]) progname = argv[0]; suite_setup(); UnityBegin("crypto.c"); - RUN_TEST(test_MakeMd5Mac, 15); - RUN_TEST(test_MakeSHA1Mac, 16); - RUN_TEST(test_MakeCMac, 17); - RUN_TEST(test_VerifyCorrectMD5, 18); - RUN_TEST(test_VerifySHA1, 19); - RUN_TEST(test_VerifyCMAC, 20); - RUN_TEST(test_VerifyFailure, 21); - RUN_TEST(test_PacketSizeNotMultipleOfFourBytes, 22); + RUN_TEST(test_MakeSHAKE128Mac, 14); + RUN_TEST(test_MakeSHA1Mac, 15); + RUN_TEST(test_MakeCMac, 16); + RUN_TEST(test_VerifySHAKE128, 17); + RUN_TEST(test_VerifySHA1, 18); + RUN_TEST(test_VerifyCMAC, 19); + RUN_TEST(test_VerifyFailure, 20); + RUN_TEST(test_PacketSizeNotMultipleOfFourBytes, 21); return (UnityEnd()); } diff --git a/sntp/tests/run-packetProcessing.c b/sntp/tests/run-packetProcessing.c index b3782314d..eeeb6f1bf 100644 --- a/sntp/tests/run-packetProcessing.c +++ b/sntp/tests/run-packetProcessing.c @@ -47,6 +47,7 @@ extern void test_RejectWrongResponseServerMode(void); extern void test_AcceptNoSentPacketBroadcastMode(void); extern void test_CorrectUnauthenticatedPacket(void); extern void test_CorrectAuthenticatedPacketMD5(void); +extern void test_CorrectAuthenticatedPacketSHAKE128(void); extern void test_CorrectAuthenticatedPacketSHA1(void); extern void test_CorrectAuthenticatedPacketCMAC(void); @@ -77,23 +78,24 @@ int main(int argc, char *argv[]) progname = argv[0]; suite_setup(); UnityBegin("packetProcessing.c"); - RUN_TEST(test_TooShortLength, 21); - RUN_TEST(test_LengthNotMultipleOfFour, 22); - RUN_TEST(test_TooShortExtensionFieldLength, 23); - RUN_TEST(test_UnauthenticatedPacketReject, 24); - RUN_TEST(test_CryptoNAKPacketReject, 25); - RUN_TEST(test_AuthenticatedPacketInvalid, 26); - RUN_TEST(test_AuthenticatedPacketUnknownKey, 27); - RUN_TEST(test_ServerVersionTooOld, 28); - RUN_TEST(test_ServerVersionTooNew, 29); - RUN_TEST(test_NonWantedMode, 30); - RUN_TEST(test_KoDRate, 31); - RUN_TEST(test_KoDDeny, 32); - RUN_TEST(test_RejectUnsyncedServer, 33); - RUN_TEST(test_RejectWrongResponseServerMode, 34); - RUN_TEST(test_AcceptNoSentPacketBroadcastMode, 35); - RUN_TEST(test_CorrectUnauthenticatedPacket, 36); - RUN_TEST(test_CorrectAuthenticatedPacketMD5, 37); + RUN_TEST(test_TooShortLength, 20); + RUN_TEST(test_LengthNotMultipleOfFour, 21); + RUN_TEST(test_TooShortExtensionFieldLength, 22); + RUN_TEST(test_UnauthenticatedPacketReject, 23); + RUN_TEST(test_CryptoNAKPacketReject, 24); + RUN_TEST(test_AuthenticatedPacketInvalid, 25); + RUN_TEST(test_AuthenticatedPacketUnknownKey, 26); + RUN_TEST(test_ServerVersionTooOld, 27); + RUN_TEST(test_ServerVersionTooNew, 28); + RUN_TEST(test_NonWantedMode, 29); + RUN_TEST(test_KoDRate, 30); + RUN_TEST(test_KoDDeny, 31); + RUN_TEST(test_RejectUnsyncedServer, 32); + RUN_TEST(test_RejectWrongResponseServerMode, 33); + RUN_TEST(test_AcceptNoSentPacketBroadcastMode, 34); + RUN_TEST(test_CorrectUnauthenticatedPacket, 35); + RUN_TEST(test_CorrectAuthenticatedPacketMD5, 36); + RUN_TEST(test_CorrectAuthenticatedPacketSHAKE128, 37); RUN_TEST(test_CorrectAuthenticatedPacketSHA1, 38); RUN_TEST(test_CorrectAuthenticatedPacketCMAC, 39); diff --git a/sntp/unity/unity_internals.h b/sntp/unity/unity_internals.h index a04f52b47..3d22e7aa2 100644 --- a/sntp/unity/unity_internals.h +++ b/sntp/unity/unity_internals.h @@ -519,6 +519,9 @@ void UnityAssertDoubleSpecial(const _UD actual, const UNITY_FLOAT_TRAIT_T style); #endif +void UnityExpectFailMessage(const char* msg, + const UNITY_LINE_TYPE line); + //------------------------------------------------------- // Error Strings We Might Need //------------------------------------------------------- @@ -708,8 +711,7 @@ extern const char UnityStrErr64[]; //End of UNITY_INTERNALS_H #endif -//#define TEST_EXPECT_FAIL() Unity.isExpectingFail = 1; -//#define TEST_EXPECT_FAIL_MESSAGE(message) Unity.isExpectingFail = 1; Unity.XFAILMessage = message; //PROBLEM : does this work on all compilers? +// Not part of standard distribution -#define TEST_EXPECT_FAIL() UnityExpectFail(); -#define TEST_EXPECT_FAIL_MESSAGE(message) UnityExpectFailMessage( (message) ); +#define TEST_EXPECT_FAIL() UnityExpectFail(); +#define TEST_EXPECT_FAIL_MESSAGE(message) UnityExpectFailMessage((message), __LINE__); diff --git a/tests/libntp/a_md5encrypt.c b/tests/libntp/a_md5encrypt.c index d7674b012..dc722e064 100644 --- a/tests/libntp/a_md5encrypt.c +++ b/tests/libntp/a_md5encrypt.c @@ -9,34 +9,56 @@ #include "ntp.h" #include "ntp_stdlib.h" -u_long current_time = 4; - /* - * Example packet with MD5 hash calculated manually. + * Example packet with SHA1 hash calculated manually: + * echo -n abcdefghijklmnopqrstuvwx | openssl sha1 - */ -const int keytype = KEY_TYPE_MD5; -const u_char *key = (const u_char*)"abcdefgh"; -const u_short keyLength = 8; -const u_char *packet = (const u_char*)"ijklmnopqrstuvwx"; -#define packetLength 16 -#define keyIdLength 4 -#define digestLength 16 -#define totalLength (packetLength + keyIdLength + digestLength) +#ifdef OPENSSL +const keyid_t keyId = 42; +const int keytype = NID_sha1; +const u_char key[] = "abcdefgh"; +const size_t keyLength = sizeof(key) - 1; +const u_char payload[] = "ijklmnopqrstuvwx"; +#define payloadLength (sizeof(payload) - 1) +#define keyIdLength (sizeof(keyid_t)) +#define digestLength SHA1_LENGTH +#define packetLength (payloadLength + keyIdLength + digestLength) union { - u_char u8 [totalLength]; + u_char u8 [packetLength]; uint32_t u32[1]; -} expectedPacket = { - "ijklmnopqrstuvwx\0\0\0\0\x0c\x0e\x84\xcf\x0b\xb7\xa8\x68\x8e\x52\x38\xdb\xbc\x1c\x39\x53" +} expectedPacket = +{ + { + 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', + 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', + 0x00, 0x00, 0x00, 0x00, + 0xd7, 0x17, 0xe2, 0x2e, + 0x16, 0x59, 0x30, 0x5f, + 0xad, 0x6e, 0xf0, 0x88, + 0x64, 0x92, 0x3d, 0xb6, + 0x4a, 0xba, 0x9c, 0x08 + } }; union { - u_char u8 [totalLength]; + u_char u8 [packetLength]; uint32_t u32[1]; -} invalidPacket = { - "ijklmnopqrstuvwx\0\0\0\0\x0c\x0e\x84\xcf\x0b\xb7\xa8\x68\x8e\x52\x38\xdb\xbc\x1c\x39\x54" -}; +} invalidPacket = +{ + { + 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', + 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', + 0x00, 0x00, 0x00, 0x00, + 0xd7, 0x17, 0xe2, 0x2e, + 0x16, 0x59, 0x30, 0x5f, + 0xad, 0x6e, 0xf0, 0x88, + 0x64, 0x92, 0x3d, 0xb6, + 0x4a, 0xba, 0x9c, 0xff + } +}; /* same as expectedPacket but with last octet modified */ +#endif /* OPENSSL */ -static const keyid_t keyId = 42; +u_long current_time = 4; void test_Encrypt(void); void test_DecryptValid(void); @@ -46,35 +68,57 @@ void test_IPv6AddressToRefId(void); void -test_Encrypt(void) { +test_Encrypt(void) +{ +#ifndef OPENSSL + TEST_IGNORE_MESSAGE("non-SSL build"); +#else u_int32 *packetPtr; - int length; + size_t length; - packetPtr = emalloc_zero(totalLength * sizeof(*packetPtr)); - memcpy(packetPtr, packet, packetLength); + packetPtr = emalloc_zero(packetLength); + memcpy(packetPtr, payload, payloadLength); - length = MD5authencrypt(keytype, key, keyLength, packetPtr, packetLength); + length = MD5authencrypt(keytype, key, keyLength, + packetPtr, payloadLength); - TEST_ASSERT_TRUE(MD5authdecrypt(keytype, key, keyLength, packetPtr, packetLength, length, keyId)); + TEST_ASSERT_EQUAL(MAX_SHA1_LEN, length); - TEST_ASSERT_EQUAL(20, length); - TEST_ASSERT_EQUAL_MEMORY(expectedPacket.u8, packetPtr, totalLength); + TEST_ASSERT_TRUE(MD5authdecrypt(keytype, key, keyLength, packetPtr, + payloadLength, MAX_SHA1_LEN, keyId)); + TEST_ASSERT_EQUAL_MEMORY(expectedPacket.u8, packetPtr, packetLength); free(packetPtr); +#endif /* OPENSSL */ } void -test_DecryptValid(void) { - TEST_ASSERT_TRUE(MD5authdecrypt(keytype, key, keyLength, expectedPacket.u32, packetLength, 20, keyId)); +test_DecryptValid(void) +{ +#ifndef OPENSSL + TEST_IGNORE_MESSAGE("non-SSL build"); +#else + TEST_ASSERT_TRUE(MD5authdecrypt(keytype, key, keyLength, + expectedPacket.u32, payloadLength, + MAX_SHA1_LEN, keyId)); +#endif /* OPENSSL */ } void -test_DecryptInvalid(void) { - TEST_ASSERT_FALSE(MD5authdecrypt(keytype, key, keyLength, invalidPacket.u32, packetLength, 20, keyId)); +test_DecryptInvalid(void) +{ +#ifndef OPENSSL + TEST_IGNORE_MESSAGE("non-SSL build"); +#else + TEST_ASSERT_FALSE(MD5authdecrypt(keytype, key, keyLength, + invalidPacket.u32, payloadLength, + MAX_SHA1_LEN, keyId)); +#endif /* OPENSSL */ } void -test_IPv4AddressToRefId(void) { +test_IPv4AddressToRefId(void) +{ sockaddr_u addr; u_int32 addr4n; diff --git a/tests/libntp/digests.c b/tests/libntp/digests.c index b837ea676..10b9d2c12 100644 --- a/tests/libntp/digests.c +++ b/tests/libntp/digests.c @@ -110,7 +110,7 @@ do { \ authtrust((key), 1); \ \ res_sz = authencrypt((key), pkt, pkt_sz); \ - if (KEY_MAC_LEN == res_sz) { \ + if (0 == res_sz) { \ TEST_IGNORE_MESSAGE("Likely OpenSSL 3 failed digest " \ "init."); \ return; \ diff --git a/tests/libntp/run-a_md5encrypt.c b/tests/libntp/run-a_md5encrypt.c index 06dda63f0..14c7f8419 100644 --- a/tests/libntp/run-a_md5encrypt.c +++ b/tests/libntp/run-a_md5encrypt.c @@ -62,11 +62,11 @@ int main(int argc, char *argv[]) progname = argv[0]; suite_setup(); UnityBegin("a_md5encrypt.c"); - RUN_TEST(test_Encrypt, 41); - RUN_TEST(test_DecryptValid, 42); - RUN_TEST(test_DecryptInvalid, 43); - RUN_TEST(test_IPv4AddressToRefId, 44); - RUN_TEST(test_IPv6AddressToRefId, 45); + RUN_TEST(test_Encrypt, 63); + RUN_TEST(test_DecryptValid, 64); + RUN_TEST(test_DecryptInvalid, 65); + RUN_TEST(test_IPv4AddressToRefId, 66); + RUN_TEST(test_IPv6AddressToRefId, 67); return (UnityEnd()); } diff --git a/tests/libntp/run-digests.c b/tests/libntp/run-digests.c index 1c882e233..bc56f1cb9 100644 --- a/tests/libntp/run-digests.c +++ b/tests/libntp/run-digests.c @@ -79,8 +79,8 @@ int main(int argc, char *argv[]) RUN_TEST(test_Digest_SHA1, 314); RUN_TEST(test_Digest_SHAKE128, 353); RUN_TEST(test_Digest_DSA, 390); - RUN_TEST(test_Digest_DSA_SHA, 419); - RUN_TEST(test_Digest_SHA, 448); + RUN_TEST(test_Digest_DSA_SHA, 429); + RUN_TEST(test_Digest_SHA, 468); return (UnityEnd()); } diff --git a/tests/libntp/run-ssl_init.c b/tests/libntp/run-ssl_init.c index 8450a27c3..0ec84eb19 100644 --- a/tests/libntp/run-ssl_init.c +++ b/tests/libntp/run-ssl_init.c @@ -63,13 +63,13 @@ int main(int argc, char *argv[]) progname = argv[0]; suite_setup(); UnityBegin("ssl_init.c"); - RUN_TEST(test_MD5KeyTypeWithoutDigestLength, 20); - RUN_TEST(test_MD5KeyTypeWithDigestLength, 21); - RUN_TEST(test_SHA1KeyTypeWithDigestLength, 22); - RUN_TEST(test_CMACKeyTypeWithDigestLength, 23); - RUN_TEST(test_MD5KeyName, 24); - RUN_TEST(test_SHA1KeyName, 25); - RUN_TEST(test_CMACKeyName, 26); + RUN_TEST(test_MD5KeyTypeWithoutDigestLength, 16); + RUN_TEST(test_MD5KeyTypeWithDigestLength, 17); + RUN_TEST(test_SHA1KeyTypeWithDigestLength, 18); + RUN_TEST(test_CMACKeyTypeWithDigestLength, 19); + RUN_TEST(test_MD5KeyName, 20); + RUN_TEST(test_SHA1KeyName, 21); + RUN_TEST(test_CMACKeyName, 22); return (UnityEnd()); } diff --git a/tests/libntp/ssl_init.c b/tests/libntp/ssl_init.c index 69b395e05..d42b5592e 100644 --- a/tests/libntp/ssl_init.c +++ b/tests/libntp/ssl_init.c @@ -13,10 +13,6 @@ #include "unity.h" -static const size_t TEST_MD5_DIGEST_LENGTH = 16; -static const size_t TEST_SHA1_DIGEST_LENGTH = 20; -static const size_t TEST_CMAC_DIGEST_LENGTH = 16; - void test_MD5KeyTypeWithoutDigestLength(void); void test_MD5KeyTypeWithDigestLength(void); void test_SHA1KeyTypeWithDigestLength(void); @@ -35,7 +31,7 @@ test_MD5KeyTypeWithoutDigestLength(void) { void test_MD5KeyTypeWithDigestLength(void) { size_t digestLength; - size_t expected = TEST_MD5_DIGEST_LENGTH; + size_t expected = MD5_LENGTH; TEST_ASSERT_EQUAL(KEY_TYPE_MD5, keytype_from_text("MD5", &digestLength)); TEST_ASSERT_EQUAL(expected, digestLength); @@ -46,7 +42,7 @@ void test_SHA1KeyTypeWithDigestLength(void) { #ifdef OPENSSL size_t digestLength; - size_t expected = TEST_SHA1_DIGEST_LENGTH; + size_t expected = SHA1_LENGTH; TEST_ASSERT_EQUAL(NID_sha1, keytype_from_text("SHA1", &digestLength)); TEST_ASSERT_EQUAL(expected, digestLength); @@ -61,7 +57,7 @@ void test_CMACKeyTypeWithDigestLength(void) { #if defined(OPENSSL) && defined(ENABLE_CMAC) size_t digestLength; - size_t expected = TEST_CMAC_DIGEST_LENGTH; + size_t expected = CMAC_LENGTH; TEST_ASSERT_EQUAL(NID_cmac, keytype_from_text(CMAC, &digestLength)); TEST_ASSERT_EQUAL(expected, digestLength); diff --git a/util/lsf-times.c b/util/lsf-times.c new file mode 100644 index 000000000..5289e2d42 --- /dev/null +++ b/util/lsf-times.c @@ -0,0 +1 @@ +/* lsf-times.c stub */