author | Cy Schubert <cy@FreeBSD.org> | 2023-06-06 12:43:04 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2023-06-09 13:35:55 +0000 |
commit | 5d3fa3d71c3166f573b045a870e45e464399e2ef (patch) | |
tree | 4a7d4fbf837e96684e879cdb01772dda32d86bbf /contrib/ntp/libntp | |
parent | 8eba66320128e4258b2e0b676d1e6b7a96f81532 (diff) |
ntp: import ntp-4.2.8p17
Fixes two small bugs including one regression.
Merge commit 'ab1f1aa8333369a83ff284848fc3fc2e52d5f29f'
(cherry picked from commit e6bfd18d21b225af6a0ed67ceeaf1293b7b9eba5)
ntp: Fix build
Two files used to obtain time from reference clocks did not include
ntp_types.h resulting in an undefined NONEMPTY_TRANSLATION_UNIT.
Fixes: e6bfd18d21b2
(cherry picked from commit 82aa1470c94c55db31c0168d65f8a08fa1d41378)
Diffstat (limited to 'contrib/ntp/libntp')
-rw-r--r-- | contrib/ntp/libntp/a_md5encrypt.c | 23 | ||||
-rw-r--r-- | contrib/ntp/libntp/authkeys.c | 27 | ||||
-rw-r--r-- | contrib/ntp/libntp/authreadkeys.c | 12 | ||||
-rw-r--r-- | contrib/ntp/libntp/msyslog.c | 5 |
4 files changed, 39 insertions, 28 deletions
diff --git a/contrib/ntp/libntp/a_md5encrypt.c b/contrib/ntp/libntp/a_md5encrypt.c index 6011af52af6d..7a372969123f 100644 --- a/contrib/ntp/libntp/a_md5encrypt.c +++ b/contrib/ntp/libntp/a_md5encrypt.c @@ -9,7 +9,6 @@ #include "ntp_string.h" #include "ntp_stdlib.h" #include "ntp.h" -#include "ntp_md5.h" /* provides OpenSSL digest API */ #include "isc/string.h" typedef struct { @@ -22,10 +21,12 @@ typedef struct { size_t len; } rwbuffT; + #if defined(OPENSSL) && defined(ENABLE_CMAC) static size_t cmac_ctx_size( - CMAC_CTX * ctx) + CMAC_CTX * ctx + ) { size_t mlen = 0; @@ -36,14 +37,16 @@ cmac_ctx_size( } return mlen; } -#endif /*OPENSSL && ENABLE_CMAC*/ +#endif /* OPENSSL && ENABLE_CMAC */ + static size_t make_mac( const rwbuffT * digest, int ktype, const robuffT * key, - const robuffT * msg) + const robuffT * msg + ) { /* * Compute digest of key concatenated with packet. Note: the @@ -66,8 +69,8 @@ make_mac( /* adjust key size (zero padded buffer) if necessary */ if (AES_128_KEY_SIZE > key->len) { memcpy(keybuf, keyptr, key->len); - memset((keybuf + key->len), 0, - (AES_128_KEY_SIZE - key->len)); + zero_mem((keybuf + key->len), + (AES_128_KEY_SIZE - key->len)); keyptr = keybuf; } @@ -107,10 +110,10 @@ make_mac( goto mac_fail; } - #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW + #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW /* make sure MD5 is allowd */ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - #endif + #endif /* [Bug 3457] DON'T use plain EVP_DigestInit! It would * kill the flags! */ if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(ktype), NULL)) { @@ -239,8 +242,8 @@ MD5authdecrypt( dlen = MAX_MDG_LEN; if (size != (size_t)dlen + KEY_MAC_LEN) { msyslog(LOG_ERR, - "MAC decrypt: MAC length error: len=%zu key=%d", - size, keyno); + "MAC decrypt: MAC length error: len=%u key=%d", + (u_int)size, keyno); return (0); } return !isc_tsmemcmp(digest, diff --git a/contrib/ntp/libntp/authkeys.c b/contrib/ntp/libntp/authkeys.c index 4448dadd2b6a..d28b4b932b84 100644 
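Review bot: In the make_mac hunk a short CMAC key is copied into `keybuf` and padded with `zero_mem`, but nothing visible clears `keybuf` after the MAC has been computed. make_mac continues past the hunk and the declaration of `keybuf` is not shown, so confirm that every exit path wipes it, for example with `zero_mem(keybuf, sizeof(keybuf));` if it is a local array. A comment at the copy, such as `/* keybuf holds key material; cleared before return */`, would document the intent.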
--- a/contrib/ntp/libntp/authkeys.c +++ b/contrib/ntp/libntp/authkeys.c @@ -284,8 +284,7 @@ init_auth(void) */ newalloc = authhashbuckets * sizeof(key_hash[0]); - key_hash = erealloc(key_hash, newalloc); - memset(key_hash, '\0', newalloc); + key_hash = emalloc_zero(newalloc); INIT_DLIST(key_listhead, llink); @@ -458,7 +457,7 @@ auth_resize_hashtable(void) newalloc = authhashbuckets * sizeof(key_hash[0]); key_hash = erealloc(key_hash, newalloc); - memset(key_hash, '\0', newalloc); + zero_mem(key_hash, newalloc); ITER_DLIST_BEGIN(key_listhead, sk, llink, symkey) hash = KEYHASH(sk->keyid); @@ -528,14 +527,14 @@ freesymkey( bucket = &key_hash[KEYHASH(sk->keyid)]; if (sk->secret != NULL) { - memset(sk->secret, '\0', sk->secretsize); + zero_mem(sk->secret, sk->secretsize); free(sk->secret); } UNLINK_SLIST(unlinked, *bucket, sk, hlink, symkey); DEBUG_ENSURE(sk == unlinked); UNLINK_DLIST(sk, llink); - memset((char *)sk + offsetof(symkey, symkey_payload), '\0', - sizeof(*sk) - offsetof(symkey, symkey_payload)); + zero_mem((char *)sk + offsetof(symkey, symkey_payload), + sizeof(*sk) - offsetof(symkey, symkey_payload)); LINK_SLIST(authfreekeys, sk, llink.f); authnumkeys--; authnumfreekeys++; @@ -719,13 +718,13 @@ authistrusted( if (keyno == cache_keyid) { return (KEY_TRUSTED & cache_flags) && - keyacc_contains(cache_keyacclist, sau, TRUE); + keyacc_contains(cache_keyacclist, sau, TRUE); } if (NULL != (sk = auth_findkey(keyno))) { authkeyuncached++; return (KEY_TRUSTED & sk->flags) && - keyacc_contains(sk->keyacclist, sau, TRUE); + keyacc_contains(sk->keyacclist, sau, TRUE); } authkeynotfound++; @@ -800,7 +799,7 @@ MD5auth_setkey( allocsymkey(keyno, 0, (u_short)keytype, 0, secretsize, secret, ka); #ifdef DEBUG - if (debug >= 4) { + if (debug >= 1) { size_t j; printf("auth_setkey: key %d type %d len %d ", (int)keyno, 
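Review bot: In freesymkey, `zero_mem(sk->secret, sk->secretsize)` is followed directly by `free(sk->secret)`, a pattern the compiler may remove as a dead store. The definition of zero_mem is not part of this diff; if it expands to a plain `memset`, the key bytes can remain in freed heap memory. The same wipe-then-free pair appears in the auth_delkeys hunk. Consider a wipe that cannot be elided, such as `explicit_bzero(sk->secret, sk->secretsize);` where the platform provides it, with a comment `/* wipe key material before releasing it */`.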
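Review bot: Lowering the guard in MD5auth_setkey from `debug >= 4` to `debug >= 1` makes this `#ifdef DEBUG` block run at the lowest debug level. The block starts a `printf` of the key id, type and length and declares a loop index `j`, and the rest of it lies outside the hunk. If that loop prints the secret bytes, key material would reach stdout whenever debugging is enabled in a DEBUG build. Unless the change is intentional, keep `if (debug >= 4) {`, or print only the metadata at level 1 and add a comment stating that the secret is never logged.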
@@ -816,7 +815,7 @@ MD5auth_setkey( /* * auth_delkeys - delete non-autokey untrusted keys, and clear all info - * except the trusted bit of non-autokey trusted keys, in + * except the trusted bit of non-autokey trusted keys, in * preparation for rereading the keys file. */ void @@ -835,7 +834,7 @@ auth_delkeys(void) */ if (KEY_TRUSTED & sk->flags) { if (sk->secret != NULL) { - memset(sk->secret, 0, sk->secretsize); + zero_mem(sk->secret, sk->secretsize); free(sk->secret); sk->secret = NULL; /* TALOS-CAN-0054 */ } @@ -886,9 +885,9 @@ authencrypt( * consists of a single word with value zero. */ authencryptions++; - pkt[length / 4] = htonl(keyno); + pkt[length / KEY_MAC_LEN] = htonl(keyno); if (0 == keyno) { - return 4; + return KEY_MAC_LEN; } if (!authhavekey(keyno)) { return 0; @@ -972,7 +971,7 @@ pwdecode_hex( reslen = (size_t)-1; break; } - tmp = (u_char)((ptr - hex) > 1); + tmp = (u_char)((ptr - hex) >> 1); if (j & 1) dst[j >> 1] |= tmp; else diff --git a/contrib/ntp/libntp/authreadkeys.c b/contrib/ntp/libntp/authreadkeys.c index da91bd0d3443..fa2f5b540de4 100644 --- a/contrib/ntp/libntp/authreadkeys.c +++ b/contrib/ntp/libntp/authreadkeys.c @@ -234,7 +234,7 @@ authreadkeys( * The key type is unused, but is required to be 'M' or * 'm' for compatibility. */ - if (!(*token == 'M' || *token == 'm')) { + if (! (toupper(*token) == 'M')) { log_maybe(NULL, "authreadkeys: invalid type for key %d", keyno); @@ -357,13 +357,21 @@ authreadkeys( continue; } - INSIST(NULL != next); + DEBUG_INSIST(NULL != next); +#if defined(OPENSSL) && defined(ENABLE_CMAC) + if (NID_cmac == keytype && len < 16) { + msyslog(LOG_WARNING, CMAC " keys are 128 bits, " + "zero-extending key %u by %u bits", + (u_int)keyno, 8 * (16 - (u_int)len)); + } +#endif /* OPENSSL && ENABLE_CMAC */ next->next = list; list = next; } fclose(fp); if (nerr > 0) { const char * why = ""; + if (nerr > nerr_maxlimit) why = " (emergency break)"; msyslog(LOG_ERR, 
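Review bot: In authencrypt, `pkt[length / KEY_MAC_LEN]` uses the key-id byte count as the divisor that turns a byte length into a word index. The two values agree only while `KEY_MAC_LEN` equals the size of one `pkt` element. Writing `pkt[length / sizeof(pkt[0])] = htonl(keyno);` ties the index to the element type, so it cannot drift into an out-of-bounds store if the constant ever changes. `return KEY_MAC_LEN;` is the right use of the constant. The declaration of `pkt` and any bound on `length` are outside the hunk.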
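Review bot: The corrected `(ptr - hex) >> 1` in pwdecode_hex has no comment saying why the table offset is halved, and the previous `> 1` compiled cleanly while reducing every nibble to 0 or 1. Because that silently weakens every hex-encoded key, the line deserves a comment such as `/* hex[] holds two characters per nibble value, so offset / 2 is the value */`. The table is defined outside the hunk, so confirm the layout before adding it. A unit test that decodes a known hex key would catch a recurrence.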
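Review bot: `toupper(*token)` in the authreadkeys key-type check passes a byte read from the keys file straight to a `<ctype.h>` function. If `token` is a plain `char *` (its declaration is outside the hunk) and `char` is signed, a byte of 0x80 or above becomes a negative argument and the behaviour is undefined. Cast first: `if (toupper((unsigned char)*token) != 'M') {`. The result also depends on the current locale, which the previous explicit comparison against 'M' and 'm' did not.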
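Review bot: Replacing `INSIST(NULL != next)` with `DEBUG_INSIST(NULL != next)` leaves `next->next = list;` unguarded if DEBUG_INSIST compiles to nothing in non-debug builds (its definition is not in this diff). Whether `next` can be NULL at this point is decided earlier in authreadkeys, outside the hunk. If it cannot, a comment saying so would justify the downgrade; otherwise keep `INSIST`. The new CMAC warning also hard-codes `16` where a_md5encrypt.c uses `AES_128_KEY_SIZE`, and using the named constant, if it is visible in this file, keeps the two in step.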
diff --git a/contrib/ntp/libntp/msyslog.c b/contrib/ntp/libntp/msyslog.c index ae950171f468..a1ba72792595 100644 --- a/contrib/ntp/libntp/msyslog.c +++ b/contrib/ntp/libntp/msyslog.c @@ -583,8 +583,9 @@ setup_logfile( syslog_fname); } -/* Helper for unit tests, where stdout + stderr are piped to the same - * stream. This works moderately reliable only if both streams are +/* + * Helper for unit tests, where stdout + stderr are piped to the same + * stream. This works moderately reliably only if both streams are * unbuffered or line buffered. Unfortunately stdout can be fully * buffered on pipes or files... */ |