[Git][NTPsec/ntpsec][master] 3 commits: FFI: Check return codes of CMAC_* from -lcrypto
Hal Murray (@hal.murray)
gitlab at mg.gitlab.com
Thu Dec 7 12:30:34 UTC 2023
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
80bcf512 by James Browning at 2023-12-07T12:27:15+00:00
FFI: Check return codes of CMAC_* from -lcrypto
- - - - -
65f0fb2e by James Browning at 2023-12-07T12:27:15+00:00
FFI: Wrap more code blocks with curly braces.
- - - - -
96ab4b68 by James Browning at 2023-12-07T12:27:15+00:00
FFI: Revise comments and white space.
- - - - -
1 changed file:
- libntp/pymodule-mac.c
Changes:
=====================================
libntp/pymodule-mac.c
=====================================
@@ -14,7 +14,7 @@
#include "pymodule-mac.h"
-/* Don't include Python.h */
+// Don't include Python.h
#define OPENSSL_SUPPRESS_DEPRECATED 1
#include <openssl/evp.h>
@@ -26,19 +26,20 @@
#define EVP_MD_CTX_new() EVP_MD_CTX_create()
#endif
-/* Needed on OpenSSL < 1.1.0 */
+// Needed on OpenSSL < 1.1.0
static void init_ssl(void) {
static bool init_done = false;
- if (init_done)
+ if (init_done) {
return;
+ }
init_done = true;
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
}
/* xx = ntp.ntpc.checkname(name)
- * returns false if algorithm name is invalid. */
-
+ * returns false if algorithm name is invalid.
+ */
int do_checkname(const char *name)
{
char upcase[100];
@@ -71,11 +72,11 @@ int do_checkname(const char *name)
}
-/* mac = ntp.ntpc.mac(data, key, name) */
+// mac = ntp.ntpc.mac(data, key, name)
#if EVP_MAX_MD_SIZE > MAX_MAC_LENGTH
#error "MAX_MAC_LENGTH isn't big enough"
-/* FIXME: Does this cover CMAC ?? */
+// FIXME: Does this cover CMAC ??
#endif
void do_mac(char *name,
@@ -100,10 +101,11 @@ void do_mac(char *name,
digest = EVP_get_digestbyname(upcase);
if (NULL != digest) {
- /* Old digest case, MD5, SHA1 */
+ // Old digest case, MD5, SHA1
unsigned int maclenint;
- if (NULL == digest_ctx)
+ if (NULL == digest_ctx) {
digest_ctx = EVP_MD_CTX_new();
+ }
if (!EVP_DigestInit_ex(digest_ctx, digest, NULL)) {
*maclen = 0;
return;
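Review bot: The result of `EVP_MD_CTX_new()` is stored in `digest_ctx` and handed straight to `EVP_DigestInit_ex()` with no NULL check, so an allocation failure reaches the library as a null context. A guard placed right after the allocation, `if (NULL == digest_ctx) { *maclen = 0; return; }`, would follow the failure convention already used for the init call below it. The same applies to `cmac_ctx = CMAC_CTX_new();` in the CMAC hunk further down. do_mac begins and ends outside this hunk.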
@@ -111,8 +113,9 @@ void do_mac(char *name,
EVP_DigestUpdate(digest_ctx, key, keylen);
EVP_DigestUpdate(digest_ctx, data, (unsigned int)datalen);
EVP_DigestFinal_ex(digest_ctx, mac, &maclenint);
- if (MAX_MAC_LENGTH < maclenint)
+ if (MAX_MAC_LENGTH < maclenint) {
maclenint = MAX_MAC_LENGTH;
+ }
*maclen = maclenint;
return;
}
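Review bot: The digest path still ignores the return values of both `EVP_DigestUpdate()` calls and of `EVP_DigestFinal_ex()`, although this push adds exactly those checks to the CMAC path. `maclenint` is declared without an initializer in the previous hunk, so if the final call fails, the clamp and `*maclen = maclenint` read an indeterminate value and the caller receives a length for a MAC that was never produced. Failing closed with `*maclen = 0`, as the CMAC branch now does, would keep the two paths consistent. The enclosing `if (NULL != digest)` block opens outside this hunk.

```c
if (!EVP_DigestUpdate(digest_ctx, key, keylen) ||
    !EVP_DigestUpdate(digest_ctx, data, (unsigned int)datalen) ||
    !EVP_DigestFinal_ex(digest_ctx, mac, &maclenint)) {
	*maclen = 0;
	return;
}
// … unchanged: clamp maclenint to MAX_MAC_LENGTH and store it in *maclen …
```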
@@ -129,28 +132,36 @@ void do_mac(char *name,
}
cipherlen = EVP_CIPHER_key_length(cipher);
if (cipherlen < keylen) {
- keylen = cipherlen; /* truncate */
+ keylen = cipherlen; // truncate
} else if (cipherlen > keylen) {
memcpy(newkey, key, keylen);
- while (cipherlen > keylen)
- key[keylen++] = 0; /* pad with 0s */
+ while (cipherlen > keylen) {
+ key[keylen++] = 0; // pad with 0s
+ }
key = newkey;
}
- if (NULL == cmac_ctx)
+ /* Coverity CID 462307, 2023 June 11
+ * CMAC API is undocumented and deprecated in OpenSSL 3.
+ * See libntp/macencrypt.c
+ */
+ if (NULL == cmac_ctx) {
cmac_ctx = CMAC_CTX_new();
+ }
if (!CMAC_Init(cmac_ctx, key, keylen, cipher, NULL)) {
- /* Shouldn't happen. Does if wrong key_size. */
+ // Shouldn't happen. Does if wrong key_size.
*maclen = 0;
return;
}
- /* Coverity CID 462307, 2023 June 11
- * CMAC API is undocumented and deprecated in OpenSSL 3.
- * See libntp/macencrypt.c */
- /* coverity[checked_return] */
- CMAC_Update(cmac_ctx, data, (unsigned int)datalen);
- CMAC_Final(cmac_ctx, mac, maclen);
- if (MAX_MAC_LENGTH < *maclen)
+ if (!CMAC_Update(cmac_ctx, data, (unsigned int)datalen)) {
+ *maclen = 0;
+ return;
+ }
+ if (!CMAC_Final(cmac_ctx, mac, maclen)) {
+ *maclen = 0;
+ return;
+ }
+ if (MAX_MAC_LENGTH < *maclen) {
*maclen = MAX_MAC_LENGTH;
+ }
return;
}
-
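Review bot: The zero-padding loop in the `cipherlen > keylen` branch writes through `key` instead of `newkey`, and this change only puts braces around it. After `memcpy(newkey, key, keylen)`, the statement `key[keylen++] = 0` stores into the caller's key buffer past its stated length, and `key = newkey` then gives `CMAC_Init()` a key whose tail was never written. The padded line should read `newkey[keylen++] = 0; // pad with 0s`. The declaration of `newkey` and the start of do_mac are outside the hunk, so its size relative to `cipherlen` should be confirmed there.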
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/fbcbd33d23a9703749c9d3a6bb859b42f0a56e6e...96ab4b68c91827175ef1e707fc445382c3e89ca7