freebsd_amp_hwpstate/libntp/a_md5encrypt.c

/*
 *	digest support for NTP, MD5 and with OpenSSL more
 */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include "ntp_fp.h"
#include "ntp_string.h"
#include "ntp_stdlib.h"
#include "ntp.h"
#ifdef OPENSSL
# include "openssl/evp.h"
#else
# include "ntp_md5.h"	/* provides clone of OpenSSL MD5 API */
#endif

/*
 * MD5authencrypt - generate message digest
 *
 * Returns length of MAC including key ID and digest.
 */
int
MD5authencrypt(
	int	type,		/* hash algorithm */
	u_char	*key,		/* key pointer */
	u_int32 *pkt,		/* packet pointer */
	int	length		/* packet length */
	)
{
	u_char	digest[EVP_MAX_MD_SIZE];
	u_int	len;
	EVP_MD_CTX ctx;

	/*
	 * Compute digest of key concatenated with packet. Note: the
	 * key type and digest type have been verified when the key
	 * was creaded.
	 */
	INIT_SSL();
	EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
	EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
	EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
	EVP_DigestFinal(&ctx, digest, &len);
	memmove((u_char *)pkt + length + 4, digest, len);
	return (len + 4);
}


/*
 * MD5authdecrypt - verify MD5 message authenticator
 *
 * Returns one if digest valid, zero if invalid.
 */
int
MD5authdecrypt(
	int	type,		/* hash algorithm */
	u_char	*key,		/* key pointer */
	u_int32	*pkt,		/* packet pointer */
	int	length,	 	/* packet length */
	int	size		/* MAC size */
	)
{
	u_char	digest[EVP_MAX_MD_SIZE];
	u_int	len;
	EVP_MD_CTX ctx;

	/*
	 * Compute digest of key concatenated with packet. Note: the
	 * key type and digest type have been verified when the key
	 * was created.
	 */
	INIT_SSL();
	EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
	EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
	EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
	EVP_DigestFinal(&ctx, digest, &len);
	if ((u_int)size != len + 4) {
		msyslog(LOG_ERR,
		    "MAC decrypt: MAC length error");
		return (0);
	}
	return (!memcmp(digest, (char *)pkt + length + 4, len));
}

/*
 * Calculate the reference id from the address. If it is an IPv4
 * address, use it as is. If it is an IPv6 address, do a md5 on
 * it and use the bottom 4 bytes.
 * The result is in network byte order.
 */
u_int32
addr2refid(sockaddr_u *addr)
{
	u_char		digest[20];
	u_int32		addr_refid;
	EVP_MD_CTX	ctx;
	u_int		len;

	if (IS_IPV4(addr))
		return (NSRCADR(addr));

	INIT_SSL();
	EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));
	EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
	    sizeof(struct in6_addr));
	EVP_DigestFinal(&ctx, digest, &len);
	memcpy(&addr_refid, digest, 4);
	return (addr_refid);
}
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`/*`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`* digest support for NTP, MD5 and with OpenSSL more`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`*/`
			`#ifdef HAVE_CONFIG_H`
			`#include <config.h>`
			`#endif`

Virgin import of ntpd 4.2.0 2004-07-20 15:01:56 +00:00			`#include "ntp_fp.h"`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`#include "ntp_string.h"`
			`#include "ntp_stdlib.h"`
Virgin import of ntpd 4.2.0 2004-07-20 15:01:56 +00:00			`#include "ntp.h"`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`#ifdef OPENSSL`
			`# include "openssl/evp.h"`
			`#else`
			`# include "ntp_md5.h" /* provides clone of OpenSSL MD5 API */`
			`#endif`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00
			`/*`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`* MD5authencrypt - generate message digest`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`*`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`* Returns length of MAC including key ID and digest.`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`*/`
			`int`
			`MD5authencrypt(`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`int type, /* hash algorithm */`
			`u_char key, / key pointer */`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`u_int32 pkt, / packet pointer */`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`int length /* packet length */`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`)`
			`{`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`u_char digest[EVP_MAX_MD_SIZE];`
			`u_int len;`
			`EVP_MD_CTX ctx;`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00
			`/*`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`* Compute digest of key concatenated with packet. Note: the`
			`* key type and digest type have been verified when the key`
			`* was creaded.`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`*/`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`INIT_SSL();`
			`EVP_DigestInit(&ctx, EVP_get_digestbynid(type));`
			`EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);`
			`EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);`
			`EVP_DigestFinal(&ctx, digest, &len);`
			`memmove((u_char *)pkt + length + 4, digest, len);`
			`return (len + 4);`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`}`


			`/*`
			`* MD5authdecrypt - verify MD5 message authenticator`
			`*`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`* Returns one if digest valid, zero if invalid.`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`*/`
			`int`
			`MD5authdecrypt(`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`int type, /* hash algorithm */`
			`u_char key, / key pointer */`
			`u_int32 pkt, / packet pointer */`
			`int length, /* packet length */`
			`int size /* MAC size */`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`)`
			`{`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`u_char digest[EVP_MAX_MD_SIZE];`
			`u_int len;`
			`EVP_MD_CTX ctx;`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00
			`/*`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`* Compute digest of key concatenated with packet. Note: the`
			`* key type and digest type have been verified when the key`
			`* was created.`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`*/`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`INIT_SSL();`
			`EVP_DigestInit(&ctx, EVP_get_digestbynid(type));`
			`EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);`
			`EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);`
			`EVP_DigestFinal(&ctx, digest, &len);`
			`if ((u_int)size != len + 4) {`
			`msyslog(LOG_ERR,`
			`"MAC decrypt: MAC length error");`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`return (0);`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`}`
			`return (!memcmp(digest, (char *)pkt + length + 4, len));`
Virgin import of ntpd 4.2.0 2004-07-20 15:01:56 +00:00			`}`

			`/*`
			`* Calculate the reference id from the address. If it is an IPv4`
			`* address, use it as is. If it is an IPv6 address, do a md5 on`
			`* it and use the bottom 4 bytes.`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`* The result is in network byte order.`
Virgin import of ntpd 4.2.0 2004-07-20 15:01:56 +00:00			`*/`
			`u_int32`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`addr2refid(sockaddr_u *addr)`
Virgin import of ntpd 4.2.0 2004-07-20 15:01:56 +00:00			`{`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`u_char digest[20];`
			`u_int32 addr_refid;`
			`EVP_MD_CTX ctx;`
			`u_int len;`
Virgin import of ntpd 4.2.0 2004-07-20 15:01:56 +00:00
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`if (IS_IPV4(addr))`
			`return (NSRCADR(addr));`
Virgin import of ntpd 4.2.0 2004-07-20 15:01:56 +00:00
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`INIT_SSL();`
			`EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));`
			`EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),`
Virgin import of ntpd 4.2.0 2004-07-20 15:01:56 +00:00			`sizeof(struct in6_addr));`
Virgin import of ntpd 4.2.6p5. When the series of commits is complete, things like https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks should be fixed. PR: bin/148836 (except that we import a newer version) Asked by: Too many MFC after: 2 weeks 2013-12-04 21:33:17 +00:00			`EVP_DigestFinal(&ctx, digest, &len);`
Virgin import of ntpd 4.2.0 2004-07-20 15:01:56 +00:00			`memcpy(&addr_refid, digest, 4);`
Import ntp 4.2.4p5 in the vendor code area. Far too many changes to list here, please see CommitLog for detailed changes. XXX html/build/hints/solaris.xtra.4095849 is not being imported as it conflicts with the detect-merge-conflict.sh script in our repo. 2008-08-18 14:26:05 +00:00			`return (addr_refid);`
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`}`