[Git][NTPsec/ntpsec][master] 2 commits: ntp.packet: Add test and diagnostic info dump to triage nul-trunc

Richard Laager (@rlaager) gitlab at mg.gitlab.com
Mon May 9 19:58:04 UTC 2022



Richard Laager pushed to branch master at NTPsec / ntpsec


Commits:
e2d54584 by James Browning at 2022-05-09T10:02:41-07:00
ntp.packet: Add test and diagnostic info dump to triage nul-trunc

- - - - -
220f6181 by James Browning at 2022-05-09T10:03:43-07:00
ntp.ntpc: Fix issue where mac wrapper stops before sending a NUL

- - - - -


3 changed files:

- pylib/ntpc.py
- tests/libntp/macencrypt.c
- tests/pylib/test_ntpc.py


Changes:

=====================================
pylib/ntpc.py
=====================================
@@ -76,14 +76,14 @@ def checkname(name):
 def mac(data, key, name):
     """Compute HMAC or CMAC from data, key, and algorithm name."""
     resultlen = ctypes.c_size_t()
-    result = (ctypes.c_char * 64)()
+    result = (ctypes.c_ubyte * 64)()
     result.value = b'\0' * 64
     _ntpc.do_mac.restype = None
     _ntpc.do_mac(ntp.poly.polybytes(name),
                  ntp.poly.polybytes(data), len(data),
                  ntp.poly.polybytes(key), len(key),
                  ctypes.byref(result), ctypes.byref(resultlen))
-    return result.value
+    return ntp.poly.polybytes(bytearray(result)[:resultlen.value])
 
 
 def setprogname(in_string):
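Review bot: The context line `result.value = b'\0' * 64` stops doing anything useful once `result` is a `c_ubyte` array, because only `c_char` arrays expose `.value`. On the new type the assignment most likely just creates an ordinary Python attribute and never touches the buffer. ctypes already zero-fills a new array, so the line can be dropped, or replaced with `ctypes.memset(result, 0, ctypes.sizeof(result))` if explicit clearing is wanted. Separately, `resultlen.value` is taken from the C side as-is: the slice caps it at 64 bytes, but a length of 0 (presumably what `do_mac` leaves behind on failure) produces an empty MAC, so a comment such as `# empty result means do_mac produced nothing; callers must not treat it as a valid MAC` would help. The body of `mac` lies entirely inside the hunk.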


=====================================
tests/libntp/macencrypt.c
=====================================
@@ -161,6 +161,54 @@ TEST(macencrypt, IPv6AddressToRefId) {
 	TEST_ASSERT_EQUAL(expected, addr2refid(&addr));
 }
 
+TEST(macencrypt, null_trunc) {
+	const char *algo = "aes-128-cbc";
+	unsigned char key[] = {
+		0x0f, 0xd2, 0x28, 0x7c, 0x1e, 0x97, 0xa5, 0x0c,
+		0xb9, 0xd3, 0xcb, 0x9f, 0x80, 0xde, 0xbc, 0xb6,
+	};
+	unsigned char sample[96] = {
+		0xe3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0xe6, 0x13, 0x6a, 0x71, 0x2d, 0x8c, 0x48, 0x00,
+	};
+	unsigned char expected_sample[] = {
+		0xe3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0xe6, 0x13, 0x6a, 0x71, 0x2d, 0x8c, 0x48, 0x00,
+
+		0x00, 0x00, 0x00, 0x64, // this line is ignored
+
+		0x01, 0xc1, 0x67, 0xa4, 0xdf, 0x28, 0xf2, 0x5a,
+		0x47, 0x94, 0xbf, 0x00, 0xc8, 0xb3, 0x54, 0x69
+	};
+	int len_pack = 48;
+	auth.keyid = 100;
+	auth.type = AUTH_CMAC;
+	auth.digest = NULL;
+	auth.cipher = EVP_get_cipherbyname(algo);
+	auth.key = (uint8_t *)key;
+	auth.key_size = (unsigned short)strlen(CMACkey);
+	TEST_ASSERT_NOT_NULL(auth.cipher);
+
+	int length = cmac_encrypt(&auth,
+				  (uint32_t*)sample, len_pack);
+
+	TEST_ASSERT_EQUAL(4+16, length);            /* aria-128 */
+
+	TEST_ASSERT_EQUAL_MEMORY(
+	    &(expected_sample[52]),
+	    &(sample[52]),
+	    digestLength
+	);
+}
+
 /* Both digest and CMAC tests share some global variables
  * that get setup by Encrypt or CMAC_Encrypt
  * Thus the tests must be run in the right order.
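Review bot: In `null_trunc`, `auth.key_size = (unsigned short)strlen(CMACkey);` takes the key length from a different, file-level string rather than from the local `key` array that `auth.key` points to, so the test only uses the right length if `CMACkey` happens to be 16 characters long. `auth.key_size = (unsigned short)sizeof(key);` ties it to the actual key. The final `TEST_ASSERT_EQUAL_MEMORY` compares `digestLength` bytes, a value defined outside the hunk; only 16 bytes follow offset 52 in `expected_sample`, so comparing `length - 4` (or a literal 16) keeps the read inside the array whatever that value is. The `/* aria-128 */` comment on the length assertion does not match `algo = "aes-128-cbc"` and could read `/* 4-byte keyid + 16-byte AES-128 CMAC */`.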
@@ -174,4 +222,5 @@ TEST_GROUP_RUNNER(macencrypt) {
 	RUN_TEST_CASE(macencrypt, DecryptInvalidCMAC);
 	RUN_TEST_CASE(macencrypt, IPv4AddressToRefId);
 	RUN_TEST_CASE(macencrypt, IPv6AddressToRefId);
+	RUN_TEST_CASE(macencrypt, null_trunc)
 }
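Review bot: The added `RUN_TEST_CASE(macencrypt, null_trunc)` has no trailing semicolon, unlike the calls above it. It presumably compiles only because the macro expands to a braced block (the macro definition is not visible here). Write it as `RUN_TEST_CASE(macencrypt, null_trunc);` so the runner does not depend on that expansion and stays consistent with the surrounding lines.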


=====================================
tests/pylib/test_ntpc.py
=====================================
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: BSD-2-Clause
 import unittest
 import ntp.ntpc
+import ntp.poly
+import ntp.util
 
 
 class TestPylibNtpc(unittest.TestCase):
@@ -28,6 +30,21 @@ class TestPylibNtpc(unittest.TestCase):
             self.assertEqual(ntp.ntpc.prettydate(in_string), to_string)
             self.assertAlmostEqual(ntp.ntpc.lfptofloat(in_string), to_float)
 
+    def test_nul_trunc(self):
+        k_type = "aes-128"
+        key = ntp.util.hexstr2octets(
+            "0fd2287c1e97a50cb9d3cb9f80debcb6")
+        sample = ntp.util.hexstr2octets(
+            "e3000000000000000000000000000000" +
+            "00000000000000000000000000000000" +
+            "0000000000000000e6136a712d8c4800" +
+            "00000064" +
+            "01c167a4df28f25a4794bf00c8b35469")
+        mac2 = ntp.ntpc.mac(ntp.poly.polybytes(sample[:48]),
+                            ntp.poly.polybytes(key), k_type)
+        mac1 = ntp.poly.polybytes(sample[52:])
+        self.assertEqual([len(mac1), mac1], [len(mac2), mac2], msg="nul trunc")
+
 
 if __name__ == '__main__':
     unittest.main()
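Review bot: `test_nul_trunc` has no comment saying why this vector was chosen or what the slice offsets mean. The expected MAC (the last hex line) has a 0x00 at byte 11, which is where the old `c_char` `.value` read would have stopped, and `sample[:48]` / `sample[52:]` skip the 4-byte key id `00000064`. I would add a docstring such as `"""mac() must return all 16 CMAC bytes even when one of them is NUL."""` and a comment `# layout: 48-byte packet, 4-byte keyid (ignored), 16-byte MAC with 0x00 at offset 11`. The `[len(mac1), mac1]` comparison already catches a short result, so no code change is needed. The enclosing class starts outside the hunk.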



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/e27cae1492f3920d1da7498271127934a52fae49...220f6181e1ded0992c2223ea7f1494d2346ae2ab
