path: root/meta-networking/recipes-support/ntp/files/ntp-4.2.6p5-cve-2014-9294.patch
CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys 

Upstream-Status: Backport [Debian]

Signed-off-by: Armin Kuster <akuster808@gmail.com>

Index: ntp-4.2.6p5/include/ntp_random.h
===================================================================
--- ntp-4.2.6p5.orig/include/ntp_random.h
+++ ntp-4.2.6p5/include/ntp_random.h
@@ -1,6 +1,9 @@
 
 #include <ntp_types.h>
 
+void ntp_crypto_srandom(void);
+int ntp_crypto_random_buf(void *buf, size_t nbytes);
+
 long ntp_random (void);
 void ntp_srandom (unsigned long);
 void ntp_srandomdev (void);
Index: ntp-4.2.6p5/libntp/ntp_random.c
===================================================================
--- ntp-4.2.6p5.orig/libntp/ntp_random.c
+++ ntp-4.2.6p5/libntp/ntp_random.c
@@ -481,3 +481,74 @@ ntp_random( void )
 	}
 	return(i);
 }
+
+/*
+ * Crypto-quality random number functions
+ *
+ * Author: Harlan Stenn, 2014
+ *
+ * This file is Copyright (c) 2014 by Network Time Foundation.
+ * BSD terms apply: see the file COPYRIGHT in the distribution root for details.
+ */
+
+#ifdef OPENSSL
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+int crypto_rand_init = 0;
+#endif
+
+/*
+ * ntp_crypto_srandom:
+ *
+ * Initialize the random number generator, if needed by the underlying
+ * crypto random number generation mechanism.
+ */
+
+void
+ntp_crypto_srandom(
+	void
+	)
+{
+#ifdef OPENSSL
+	if (!crypto_rand_init) {
+		RAND_poll();
+		crypto_rand_init = 1;
+	}
+#else
+   /* No initialization needed for arc4random() */
+#endif
+}
+
+/*
+ * ntp_crypto_random_buf:
+ *
+ * Returns 0 on success, -1 on error.
+ */
+int
+ntp_crypto_random_buf(
+	void *buf,
+	size_t nbytes
+	)
+{
+#ifdef OPENSSL
+	int rc;
+
+	rc = RAND_bytes(buf, nbytes);
+	if (1 != rc) {
+		unsigned long err;
+		char *err_str;
+
+		err = ERR_get_error();
+		err_str = ERR_error_string(err, NULL);
+		/* XXX: Log the error */
+
+		return -1;
+	}
+	return 0;
+#else
+   arc4random_buf(buf, nbytes);
+   return 0;
+#endif
+}
+
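Review bot: In ntp_crypto_random_buf, `err` and `err_str` are computed and then discarded at the `/* XXX: Log the error */` placeholder, so the OpenSSL failure reason is lost and both locals draw unused-variable warnings; either emit `err_str` through the library's logging call or drop the two locals until logging is wired up. RAND_bytes takes an `int` length while `nbytes` is `size_t`, so an oversized request is narrowed silently; guard it with `if (nbytes > INT_MAX) return -1;` ahead of `rc = RAND_bytes(buf, (int)nbytes);` (this needs `<limits.h>`). In ntp_crypto_srandom the return value of RAND_poll() is ignored and `crypto_rand_init` is set regardless, so a failed seeding is never retried, and `crypto_rand_init` has external linkage from libntp although nothing outside this file appears to use it — `static int crypto_rand_init = 0;`. The arc4random_buf() fallback is compiled whenever OPENSSL is undefined, which presumably assumes every non-OpenSSL build target provides it; confirm the configure checks cover that.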
Index: ntp-4.2.6p5/util/ntp-keygen.c
===================================================================
--- ntp-4.2.6p5.orig/util/ntp-keygen.c
+++ ntp-4.2.6p5/util/ntp-keygen.c
@@ -261,6 +261,8 @@ main(
 	ssl_check_version();
 #endif /* OPENSSL */
 
+	ntp_crypto_srandom();
+
 	/*
 	 * Process options, initialize host name and timestamp.
 	 */
@@ -727,7 +729,14 @@ gen_md5(
 			int temp;
 
 			while (1) {
-				temp = ntp_random() & 0xff;
+				int rc;
+
+				rc = ntp_crypto_random_buf(&temp, 1);
+				if (-1 == rc) {
+					fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
+					exit (-1);
+				}
+				temp &= 0xff;
 				if (temp == '#')
 					continue;