From 38c4a7ff97c217715359d459a81262862c66a3b4 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Tue, 29 Nov 2016 11:32:39 +0100
Subject: [PATCH] keys: add support for checking truncated MACs

---
 keys.c     | 12 +++++++-----
 keys.h     |  4 ++--
 ntp_core.c |  2 +-
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/keys.c b/keys.c
index 333009b..dfe18a3 100644
--- a/keys.c
+++ b/keys.c
@@ -350,12 +350,14 @@ generate_ntp_auth(int hash_id, const unsigned char *key, int key_len,
 static int
 check_ntp_auth(int hash_id, const unsigned char *key, int key_len,
                const unsigned char *data, int data_len,
-               const unsigned char *auth, int auth_len)
+               const unsigned char *auth, int auth_len, int trunc_len)
 {
   unsigned char buf[MAX_HASH_LENGTH];
+  int hash_len;
 
-  return generate_ntp_auth(hash_id, key, key_len, data, data_len,
-                           buf, sizeof (buf)) == auth_len && !memcmp(buf, auth, auth_len);
+  hash_len = generate_ntp_auth(hash_id, key, key_len, data, data_len, buf, sizeof (buf));
+
+  return MIN(hash_len, trunc_len) == auth_len && !memcmp(buf, auth, auth_len);
 }
 
 /* ================================================== */
@@ -379,7 +381,7 @@ KEY_GenerateAuth(uint32_t key_id, const unsigned char *data, int data_len,
 
 int
 KEY_CheckAuth(uint32_t key_id, const unsigned char *data, int data_len,
-              const unsigned char *auth, int auth_len)
+              const unsigned char *auth, int auth_len, int trunc_len)
 {
   Key *key;
 
@@ -389,5 +391,5 @@ KEY_CheckAuth(uint32_t key_id, const unsigned char *data, int data_len,
     return 0;
 
   return check_ntp_auth(key->hash_id, (unsigned char *)key->val, key->len,
-                        data, data_len, auth, auth_len);
+                        data, data_len, auth, auth_len, trunc_len);
 }
diff --git a/keys.h b/keys.h
index 65536cf..9e5d236 100644
--- a/keys.h
+++ b/keys.h
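Review bot: The new `hash_len` in check_ntp_auth is used without checking that generate_ntp_auth succeeded; if that helper signals failure with a zero or negative length (its contract is not visible in this hunk), `MIN(hash_len, trunc_len) == auth_len` can only be satisfied by an equally small auth_len, and memcmp over zero bytes then returns 0 and the MAC is accepted. The caller in ntp_core.c appears to keep auth_len positive, but the check would be self-contained with `if (hash_len <= 0 || auth_len <= 0) return 0;` placed before the return. Separately, memcmp stops at the first mismatching byte, so the time taken by the comparison depends on how much of the presented MAC matches; a fixed-time comparison over the full auth_len is the usual choice for an authenticator check. The trunc_len contract (a MAC is accepted only when its length equals the hash length capped at trunc_len) also deserves a comment on KEY_CheckAuth in the second hunk and on the keys.h prototype, e.g. `/* trunc_len: largest MAC the caller can carry; auth_len must equal MIN(hash length, trunc_len) */`.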
@@ -41,7 +41,7 @@ extern int KEY_CheckKeyLength(uint32_t key_id);
 extern int KEY_GenerateAuth(uint32_t key_id, const unsigned char *data,
                             int data_len, unsigned char *auth, int auth_len);
-extern int KEY_CheckAuth(uint32_t key_id, const unsigned char *data,
-                         int data_len, const unsigned char *auth, int auth_len);
+extern int KEY_CheckAuth(uint32_t key_id, const unsigned char *data, int data_len,
+                         const unsigned char *auth, int auth_len, int trunc_len);
 
 #endif /* GOT_KEYS_H */
diff --git a/ntp_core.c b/ntp_core.c
index 24b4891..fccdb49 100644
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -1181,7 +1181,7 @@ check_packet_auth(NTP_Packet *pkt, int length,
     if (remainder >= NTP_MIN_MAC_LENGTH && remainder <= NTP_MAX_MAC_LENGTH) {
       id = ntohl(*(uint32_t *)(data + i));
       if (KEY_CheckAuth(id, (void *)pkt, i, (void *)(data + i + 4),
-                        remainder - 4)) {
+                        remainder - 4, NTP_MAX_MAC_LENGTH - 4)) {
         *auth_mode = AUTH_SYMMETRIC;
         *key_id = id;
         return 1;
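Review bot: The new argument `NTP_MAX_MAC_LENGTH - 4` in check_packet_auth repeats the literal 4 that already stands for the key-id field in `data + i + 4` and `remainder - 4`, and it duplicates the `remainder <= NTP_MAX_MAC_LENGTH` bound two lines above; if either expression is changed on its own, the truncation limit handed to KEY_CheckAuth silently disagrees with the length filter. Naming the field size once, e.g. `remainder - (int)sizeof (uint32_t), NTP_MAX_MAC_LENGTH - (int)sizeof (uint32_t)`, or a local derived from the same constant used in the filter, keeps the two in step. The cast is needed because the parameter is an int and a bare sizeof would mix signed and unsigned arithmetic. check_packet_auth begins and ends outside this hunk.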