[Git][NTPsec/ntpsec][6auth] Change over to crypto from ntp.ntpc
James Browning
gitlab at mg.gitlab.com
Tue May 5 15:37:34 UTC 2020
James Browning pushed to branch 6auth at NTPsec / ntpsec
Commits:
ceb1951b by James Browning at 2020-05-05T08:36:58-07:00
Change over to crypto from ntp.ntpc
- - - - -
2 changed files:
- pylib/packet.py
- tests/pylib/test_packet.py
Changes:
=====================================
pylib/packet.py
=====================================
@@ -205,7 +205,6 @@ A Mode 6 packet cannot have extension fields.
# SPDX-License-Identifier: BSD-2-Clause
from __future__ import print_function, division
import getpass
-import hashlib
import hmac
import os
import select
@@ -1574,15 +1573,15 @@ def parse_mru_variables(variables):
"addr": lambda e: e.sortaddr(),
# IPv6 desc. then IPv4 desc.
"-addr": lambda e: e.sortaddr(),
- # hit count ascending
+ # hit count ascending
"count": lambda e: -e.ct,
# hit count descending
"-count": lambda e: e.ct,
- # score ascending
+ # score ascending
"score": lambda e: -e.sc,
# score descending
"-score": lambda e: e.sc,
- # drop count ascending
+ # drop count ascending
"drop": lambda e: -e.dr,
# drop count descending
"-drop": lambda e: e.dr,
@@ -1701,13 +1700,15 @@ class Authenticator:
self.passwords[int(keyid)] = (keytype, passwd)
def __len__(self):
+ 'return the number of keytype/passwd tuples stored'
return len(self.passwords)
def __getitem__(self, keyid):
+ 'get a keytype/passwd tuple by keyid'
return self.passwords.get(keyid)
def control(self, keyid=None):
- "Get a keyid/passwd pair that conrtrols localhost"
+ "Get the keytype/passwd tuple that controls localhost and its id"
if keyid is not None:
if keyid in self.passwords:
return (keyid,) + self.passwords[keyid]
@@ -1723,19 +1724,18 @@ class Authenticator:
if len(passwd) > 20:
passwd = ntp.util.hexstr2octets(passwd)
return (keyid, keytype, passwd)
- else:
- # No control lines found
- raise ValueError
+ # No control lines found
+ raise ValueError
@staticmethod
def compute_mac(payload, keyid, keytype, passwd):
'Create the authentication payload to send'
- hasher = hashlib.new(keytype)
- hasher.update(ntp.poly.polybytes(passwd))
- hasher.update(payload)
- if hasher.digest_size == 0:
- return None
- return struct.pack("!I", keyid) + hasher.digest()[:MAX_BARE_MAC_LENGTH]
+ if not ntp.ntpc.checkname(keytype):
+ return False
+ mac2 = ntp.ntpc.mac(ntp.poly.polybytes(payload), ntp.poly.polybytes(passwd), keytype)
+ if not mac2 or len(mac2) == 0:
+ return b''
+ return struct.pack("!I", keyid) + mac2
@staticmethod
def have_mac(packet):
@@ -1755,9 +1755,11 @@ class Authenticator:
print('AUTH: No key %08x...' % keyid)
return False
(keytype, passwd) = self.passwords[keyid]
- hasher = hashlib.new(keytype)
- hasher.update(ntp.poly.polybytes(passwd))
- hasher.update(payload)
- return hmac.compare_digest(mac, hasher.digest()[:MAX_BARE_MAC_LENGTH])
+ if not ntp.ntpc.checkname(keytype):
+ return False
+ mac2 = ntp.ntpc.mac(ntp.poly.polybytes(payload), ntp.poly.polybytes(passwd), keytype)
+ if not mac2:
+ return False
+ return hmac.compare_digest(mac, mac2)
# end
=====================================
tests/pylib/test_packet.py
=====================================
@@ -3,17 +3,17 @@
from __future__ import print_function, division
-import unittest
-import ntp.packet
-import ntp.control
-import ntp.util
-import ntp.magic
-import socket
+import getpass
import select
+import socket
import sys
-import getpass
+import unittest
import jigs
+import ntp.control
+import ntp.magic
+import ntp.packet
import ntp.poly
+import ntp.util
odict = ntp.util.OrderedDict
@@ -2082,17 +2082,13 @@ class TestAuthenticator(unittest.TestCase):
def test_compute_mac(self):
f = self.target.compute_mac
- try:
- temphash = ntpp.hashlib
- fakehashlibmod = jigs.HashlibModuleJig()
- ntpp.hashlib = fakehashlibmod
- # Test no digest
- self.assertEqual(f("", 0, None, ntp.poly.polybytes("")), None)
- # Test with digest
- self.assertEqual(f("foo", 0x42, "bar", "quux"),
- ntp.poly.polybytes("\x00\x00\x00\x42blahblahblahblah"))
- finally:
- ntpp.hashlib = temphash
+ pkt = ntp.util.hexstr2octets('240300e8000012ce0000091941138e89' + 'e25b102e9fe94dc9e25b1175bd5a3000' + 'e25b1175bd6cf48ee25b1175bd70e594')
+ mac1 = b'\x00\x00\x00\rL\x7f\xc1\xd1\xe9\xd3\xf8\xec\x91\xdf\xecS\x89e\xc5\xf3'
+ key1 = ntp.util.hexstr2octets('2f3badbb640bf975fec519df8a83e829')
+ key2 = ''
+ self.assertEqual(f(pkt, 0x0e, 'neun', key2), False)
+ # FIXME Find out why the following test works
+ self.assertEqual(f(pkt, 0x0d, 'aes', key1), mac1)
def test_have_mac(self):
f = self.target.have_mac
@@ -2105,19 +2101,13 @@ class TestAuthenticator(unittest.TestCase):
def test_verify_mac(self):
cls = self.target()
- cls.passwords[0x23] = ("a", "z")
- good_pkt = "foobar\x00\x00\x00\x23blahblahblahblah"
- bad_pkt = "foobar\xDE\xAD\xDE\xAFblahblahblah"
- try:
- temphash = ntpp.hashlib
- fakehashlibmod = jigs.HashlibModuleJig()
- ntpp.hashlib = fakehashlibmod
- # Test good
- self.assertEqual(cls.verify_mac(ntp.poly.polybytes(good_pkt), packet_end=6, mac_begin=6), True)
- # Test bad
- self.assertEqual(cls.verify_mac(ntp.poly.polybytes(bad_pkt), packet_end=6, mac_begin=6), False)
- finally:
- ntpp.hashlib = temphash
+ cls.passwords[0x20] = ('aria-192', ntp.util.hexstr2octets('2f3badbb640bf975fec519df8a83e8292f3badbb640bf975'))
+ good_pkt = '240300e8000012ce0000091941138e89' + 'e25b102e9fe94dc9e25b1176280a8000' + 'e25b1176281c2321e25b11762820e836' + '00000020157ccbe4b0d3081bd7853463' + '89f7690c'
+ bad_pkt = '240300e8000012ce0000091941138e89' + 'e25b102e9fe94dc9e25b11763a84a000' + 'e25b11763a94efe6e25b11763a99c162' + '00000020fac63503ca24039ad658938d' + '5aad2f4b'
+ # Test good
+ self.assertEqual(cls.verify_mac(ntp.poly.polybytes(ntp.util.hexstr2octets(good_pkt)), packet_end=48, mac_begin=48), True)
+ # Test bad
+ self.assertEqual(cls.verify_mac(ntp.poly.polybytes(ntp.util.hexstr2octets(bad_pkt)), packet_end=48, mac_begin=48), False)
if __name__ == "__main__":
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/ceb1951b117938bc573b104e8f70e37548cc5a43
--
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/ceb1951b117938bc573b104e8f70e37548cc5a43
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20200505/993de5a5/attachment-0001.htm>
More information about the vc
mailing list