[Git][NTPsec/ntpsec][6auth] 2 commits: Change over to crypto from ntp.ntpc

James Browning gitlab at mg.gitlab.com
Tue May 5 16:18:40 UTC 2020



James Browning pushed to branch 6auth at NTPsec / ntpsec


Commits:
236b0811 by James Browning at 2020-05-05T09:13:42-07:00
Change over to crypto from ntp.ntpc 


- - - - -
c5b84266 by James Browning at 2020-05-05T09:17:41-07:00
Auto-pep8ify the last commit's changes


- - - - -


2 changed files:

- pylib/packet.py
- tests/pylib/test_packet.py


Changes:

=====================================
pylib/packet.py
=====================================
@@ -205,7 +205,6 @@ A Mode 6 packet cannot have extension fields.
 # SPDX-License-Identifier: BSD-2-Clause
 from __future__ import print_function, division
 import getpass
-import hashlib
 import hmac
 import os
 import select
@@ -1574,15 +1573,15 @@ def parse_mru_variables(variables):
             "addr": lambda e: e.sortaddr(),
             # IPv6 desc. then IPv4 desc.
             "-addr": lambda e: e.sortaddr(),
-            # hit count ascending 
+            # hit count ascending
             "count": lambda e: -e.ct,
             # hit count descending
             "-count": lambda e: e.ct,
-            # score ascending 
+            # score ascending
             "score": lambda e: -e.sc,
             # score descending
             "-score": lambda e: e.sc,
-            # drop count ascending 
+            # drop count ascending
             "drop": lambda e: -e.dr,
             # drop count descending
             "-drop": lambda e: e.dr,
@@ -1701,13 +1700,15 @@ class Authenticator:
                 self.passwords[int(keyid)] = (keytype, passwd)
 
     def __len__(self):
+        'return the number of keytype/passwd tuples stored'
         return len(self.passwords)
 
     def __getitem__(self, keyid):
+        'get a keytype/passwd tuple by keyid'
         return self.passwords.get(keyid)
 
     def control(self, keyid=None):
-        "Get a keyid/passwd pair that conrtrols localhost"
+        "Get the keytype/passwd tuple that controls localhost and its id"
         if keyid is not None:
             if keyid in self.passwords:
                 return (keyid,) + self.passwords[keyid]
@@ -1723,19 +1724,19 @@ class Authenticator:
                 if len(passwd) > 20:
                     passwd = ntp.util.hexstr2octets(passwd)
                 return (keyid, keytype, passwd)
-        else:
-            # No control lines found
-            raise ValueError
+        # No control lines found
+        raise ValueError
 
     @staticmethod
     def compute_mac(payload, keyid, keytype, passwd):
         'Create the authentication payload to send'
-        hasher = hashlib.new(keytype)
-        hasher.update(ntp.poly.polybytes(passwd))
-        hasher.update(payload)
-        if hasher.digest_size == 0:
-            return None
-        return struct.pack("!I", keyid) + hasher.digest()[:MAX_BARE_MAC_LENGTH]
+        if not ntp.ntpc.checkname(keytype):
+            return False
+        mac2 = ntp.ntpc.mac(ntp.poly.polybytes(payload),
+                            ntp.poly.polybytes(passwd), keytype)
+        if not mac2 or len(mac2) == 0:
+            return b''
+        return struct.pack("!I", keyid) + mac2
 
     @staticmethod
     def have_mac(packet):
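Review bot: compute_mac now signals failure with two different values — `False` when `ntp.ntpc.checkname(keytype)` rejects the name and `b''` when `ntp.ntpc.mac` returns nothing — where the removed code returned `None`, so a caller that tests `is None` will now append `False` or an empty string where a MAC was expected. Pick one sentinel and keep the old contract: `return None` in both branches; the `len(mac2) == 0` clause is redundant once `not mac2` has been tested. The removed lines also sliced the digest to `MAX_BARE_MAC_LENGTH`, and whether `ntp.ntpc.mac` already bounds its output to the on-wire MAC length is not visible here; a one-line comment stating that contract would save the next reader the trip into the C extension. The import hunk above does not show `import ntp.ntpc`; if it is not already imported at module level, the new code fails on first call rather than at import.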
@@ -1755,9 +1756,12 @@ class Authenticator:
             print('AUTH: No key %08x...' % keyid)
             return False
         (keytype, passwd) = self.passwords[keyid]
-        hasher = hashlib.new(keytype)
-        hasher.update(ntp.poly.polybytes(passwd))
-        hasher.update(payload)
-        return hmac.compare_digest(mac, hasher.digest()[:MAX_BARE_MAC_LENGTH])
+        if not ntp.ntpc.checkname(keytype):
+            return False
+        mac2 = ntp.ntpc.mac(ntp.poly.polybytes(payload),
+                            ntp.poly.polybytes(passwd), keytype)
+        if not mac2:
+            return False
+        return hmac.compare_digest(mac, mac2)
 
 # end
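Review bot: verify_mac compares `mac` against the full `mac2`, whereas the removed lines compared against `digest()[:MAX_BARE_MAC_LENGTH]`; unless `ntp.ntpc.mac` truncates to the packet's MAC length itself, a digest longer than the MAC field can never match and every packet using that keytype is rejected. Either document the length contract on the `mac2 =` line or restore the bound with `mac2 = mac2[:MAX_BARE_MAC_LENGTH]` before the compare. The unknown-keytype branch returns False silently while the missing-key branch a few lines up prints a diagnostic; a matching `print('AUTH: unsupported keytype %s' % keytype)` keeps the two failure modes equally visible in logs. verify_mac's signature and the start of its body are outside the hunk.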


=====================================
tests/pylib/test_packet.py
=====================================
@@ -3,17 +3,17 @@
 
 from __future__ import print_function, division
 
-import unittest
-import ntp.packet
-import ntp.control
-import ntp.util
-import ntp.magic
-import socket
+import getpass
 import select
+import socket
 import sys
-import getpass
+import unittest
 import jigs
+import ntp.control
+import ntp.magic
+import ntp.packet
 import ntp.poly
+import ntp.util
 
 odict = ntp.util.OrderedDict
 
@@ -2082,17 +2082,14 @@ class TestAuthenticator(unittest.TestCase):
 
     def test_compute_mac(self):
         f = self.target.compute_mac
-        try:
-            temphash = ntpp.hashlib
-            fakehashlibmod = jigs.HashlibModuleJig()
-            ntpp.hashlib = fakehashlibmod
-            # Test no digest
-            self.assertEqual(f("", 0, None, ntp.poly.polybytes("")), None)
-            # Test with digest
-            self.assertEqual(f("foo", 0x42, "bar", "quux"),
-                             ntp.poly.polybytes("\x00\x00\x00\x42blahblahblahblah"))
-        finally:
-            ntpp.hashlib = temphash
+        pkt = ntp.util.hexstr2octets('240300e8000012ce0000091941138e89' +
+                                     'e25b102e9fe94dc9e25b1175bd5a3000' + 'e25b1175bd6cf48ee25b1175bd70e594')
+        mac1 = b'\x00\x00\x00\rL\x7f\xc1\xd1\xe9\xd3\xf8\xec\x91\xdf\xecS\x89e\xc5\xf3'
+        key1 = ntp.util.hexstr2octets('2f3badbb640bf975fec519df8a83e829')
+        key2 = ''
+        self.assertEqual(f(pkt, 0x0e, 'neun', key2), False)
+        # FIXME Find out why the following test works
+        self.assertEqual(f(pkt, 0x0d, 'aes', key1), mac1)
 
     def test_have_mac(self):
         f = self.target.have_mac
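Review bot: The `# FIXME Find out why the following test works` comment above the `aes` assertion means the expected `mac1` is pinned without a documented provenance, so a later change that alters the MAC cannot be judged right or wrong from this test. Replace the FIXME with a comment recording where `pkt`, `key1` and `mac1` came from (a captured exchange or a MAC computed with an independent tool) and noting that `aes` here and `aes-128` in test_verify_mac are expected to name the same algorithm. The `'neun'` case exercises only the unknown-keytype path; the empty-result branch of compute_mac that returns `b''` has no test.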
@@ -2105,19 +2102,20 @@ class TestAuthenticator(unittest.TestCase):
 
     def test_verify_mac(self):
         cls = self.target()
-        cls.passwords[0x23] = ("a", "z")
-        good_pkt = "foobar\x00\x00\x00\x23blahblahblahblah"
-        bad_pkt = "foobar\xDE\xAD\xDE\xAFblahblahblah"
-        try:
-            temphash = ntpp.hashlib
-            fakehashlibmod = jigs.HashlibModuleJig()
-            ntpp.hashlib = fakehashlibmod
-            # Test good
-            self.assertEqual(cls.verify_mac(ntp.poly.polybytes(good_pkt), packet_end=6, mac_begin=6), True)
-            # Test bad
-            self.assertEqual(cls.verify_mac(ntp.poly.polybytes(bad_pkt), packet_end=6, mac_begin=6), False)
-        finally:
-            ntpp.hashlib = temphash
+        cls.passwords[0x0d] = (
+            'aes-128', ntp.util.hexstr2octets('2f3badbb640bf975fec519df8a83e829'))
+        good_pkt = '240300e80000139a00000ae8cc0286a2' + 'e25c0c4dfff93ee2e25c0cca53f45000' + \
+            'e25c0cca54048d79e25c0cca5408646b' + \
+            '0000000dbe93e3f1d530d9252147c298' + 'c00c85f9'
+        bad_pkt = '240300e80000131f00000779cc0286a2' + 'e25c0d54ff6e4835e25c0dc2bea43000' + \
+            'e25c0dc2beb78905e25c0dc2bebc0737' + \
+            '0000000d4c2d64c447e701b74e3ad98c' + 'e65d13c3'
+        # Test good
+        self.assertEqual(cls.verify_mac(ntp.poly.polybytes(
+            ntp.util.hexstr2octets(good_pkt)), packet_end=48, mac_begin=48), True)
+        # Test bad
+        self.assertEqual(cls.verify_mac(ntp.poly.polybytes(
+            ntp.util.hexstr2octets(bad_pkt)), packet_end=48, mac_begin=48), False)
 
 
 if __name__ == "__main__":
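Review bot: The bad case does not say what makes `bad_pkt` bad — it carries the same keyid `0000000d` as `good_pkt` with different timestamps and a different MAC, so the test cannot distinguish a wrong key from a corrupted payload or a truncated MAC. A comment on `bad_pkt` stating how it was produced, plus a second negative case made by altering one byte of `good_pkt`'s payload while keeping its MAC, would make the rejection meaningful. `packet_end=48, mac_begin=48` matches the 48-byte header in the hex, but a short note that this is the NTP header length would help readers.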


