From owner-freebsd-security@freebsd.org Mon Jun 14 17:27:56 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id F004465DA18 for ; Mon, 14 Jun 2021 17:27:56 +0000 (UTC) (envelope-from meetshamsher@gmail.com) Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4G3dgv5TbZz3t2X for ; Mon, 14 Jun 2021 17:27:55 +0000 (UTC) (envelope-from meetshamsher@gmail.com) Received: by mail-pj1-x1031.google.com with SMTP id 22-20020a17090a0c16b0290164a5354ad0so10530201pjs.2 for ; Mon, 14 Jun 2021 10:27:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:subject:message-id:date:to; bh=T4XbqsAelp3ujqv6/39XDzt+kgLy8mcyynPjk+Je+3U=; b=u1HDOhUTaSrX/X5zckIRib4/4/aPVjuv87KCHJvSmGSUoh+8+cEQKl4wCdmCW2ZzjZ I4IF+jTiiI2FCx4GKwrkMpy9L2NQXMlrp4aGYD6LAlUPfMa3ULGo+8To0QC6xkhzqFWa AWKPClrEf2KV142dHnijPuUyfrDV8LQLRkIIl7LaLzouTrM0Fxx3zdQbL2jTGHl8ad9E duG9EepJ2XQFqiJ27struof2fwNAnBvCl6DjDM5M81r1zgH1PwYzkbMg52U44yuJMRTE IbeBpc67UJe0DzRTWVahHw3Sf9ImfzD5bM4uRn7j1qV5ma03jvftRPedrSg/Gx1PUoxO ilbQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:to; bh=T4XbqsAelp3ujqv6/39XDzt+kgLy8mcyynPjk+Je+3U=; b=bSSL/Mto+HLxOzf0eCjLxuaF4laDpxklUFwgjhT48VD/jjk/xV6WybqCzgXpy7W6RD nZLMmcH7WugbZ1iUrq+feLJxFCrxwPiS7tcShQRZ/YMcD+VxTFIlD54KyHeY6/gq6grx vENtPi4ZJzm72UhlTsL8152pURcHZfFwNxYybN/mKllbZCVcOeBiUnhjRSi0B3Jn85QZ QCi5ksUadCqrQSi/RtcfgoxCFw4yjcyNh5WrkAHTOVI//f/uAqD3AuNxTATSNHJDdxMX iJ5ZCaT7Lkgvnuu7xMQM6DT/5bb80O37g1eqjsSq/VrkOO0Hnc2+UDFlD3+afFPgHbAu 7aAA== X-Gm-Message-State: AOAM532wqBghriXf6Zwwuy81KaRcFh5krshs6yjzjsYAbiQWQwzymaU5 s0w6MM+i9s3ow98PywLPL6stRSeAkjT607LaowQ= X-Google-Smtp-Source: ABdhPJxUpfQl7041BbpOriSvgwBGKu9VZadgeW0eJz6D2GqQW/io4Jm78UA0R5nm99nQXewXpSW2bw== X-Received: by 2002:a17:90a:8b0d:: with SMTP id y13mr237009pjn.14.1623691673783; Mon, 14 Jun 2021 10:27:53 -0700 (PDT) Received: from [10.65.53.112] ([72.163.220.28]) by smtp.gmail.com with ESMTPSA id bb20sm5025207pjb.3.2021.06.14.10.27.51 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 14 Jun 2021 10:27:52 -0700 (PDT) From: Shamsher singh Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\)) Subject: ntpv4 steps for AES128CMAC authentication Message-Id: <9AEAF58B-22F0-4E8E-AA70-DEB6DCCF4344@gmail.com> Date: Mon, 14 Jun 2021 22:57:50 +0530 To: freebsd-security@freebsd.org X-Mailer: Apple Mail (2.3608.120.23.2.7) X-Rspamd-Queue-Id: 4G3dgv5TbZz3t2X X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=u1HDOhUT; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of meetshamsher@gmail.com designates 2607:f8b0:4864:20::1031 as permitted sender) smtp.mailfrom=meetshamsher@gmail.com X-Spamd-Result: default: False [-3.50 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; MV_CASE(0.50)[]; TO_DN_NONE(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MID_RHS_MATCH_FROM(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[2607:f8b0:4864:20::1031:from]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; RECEIVED_SPAMHAUS_PBL(0.00)[72.163.220.28:received]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[2607:f8b0:4864:20::1031:from:127.0.2.255]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::1031:from]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-Mailman-Approved-At: Mon, 14 Jun 2021 20:32:58 +0000 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.34 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Jun 2021 17:27:57 -0000 Hi, I have taken latest NTPv4 from https://www.freshports.org/net/ntp/ = I am able to test MD5 and SHA authentication. But not able to test = AES128CMAC. For all test used below parts: Added keys for MD5, SHA1 and AES128MAC=20 Ref: used from http://doc.ntp.org/current-stable/keygen.html = Example: 1 MD5 2 SHA1 3 AES128CMAC ... at /etc/ntp.keys in client and /etc/ntp/keys in server. I am able to see authentication working fine for Md5 and SHA1 using=20 ntpdate -d -a 1 --> working fine ntpdate -d -a 2 --> working fine ntpdate -d -a 3 --> fails The 1st two passes easily but 3rd one fails for AES128CMAC. It seems i am missing something here to test/validate it. Can you please tell/guide me the steps how can i test it? I am using below NTP version : # ntpd --version ntpd 4.2.8p15@1.3728-o Wed Jun 2 11:00:34 = UTC 2021 (1) Thanks & regards Shamsher From owner-freebsd-security@freebsd.org Tue Jun 15 14:43:16 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8A2A664B854 for ; Tue, 15 Jun 2021 14:43:16 +0000 (UTC) (envelope-from meetshamsher@gmail.com) Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4G49zR417dz3tnJ for ; Tue, 15 Jun 2021 14:43:15 +0000 (UTC) (envelope-from meetshamsher@gmail.com) Received: by mail-pl1-x62a.google.com with SMTP id v13so8577473ple.9 for ; Tue, 15 Jun 2021 07:43:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=GuvVzy7Prbg6pNp2W01yGuioUO0XfcCbVjLpBVOsN3k=; b=BTN+V/0qX3PDEUTKFb37RLnyLXMjtztxtzoNQfRMdIRsvME5rBeBqhxDwFR9MbNePR 07wJKIfDyblEERrnGzV6bKyfIZL5RHzxU8ltp/jCDEaa6L9ix6icOpw/T6inxaty8v+K v8drE2UTEW5iFOZrkekLkeOp0zom5oDK5aMNbwsmGpLziUwO+XUnq3OnN36Qv5aZwYX/ jWhTWh8Ghn4xZrZ5tsmDnx8DAXLsRQpnHH3ansU6wT2drg2nyPKVeRIToSGX9dLvrL2I K6kZhkPjX2EQ9mEQNMFPb4UmKfPWu0Q1V9vqPIUtVk0vI/4r9q2BANqY0WIo/DcrW2mz 0Dwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=GuvVzy7Prbg6pNp2W01yGuioUO0XfcCbVjLpBVOsN3k=; b=IV6cmbyFbOdceoIO+YeI+wB3gmyvyEG8GjH9xcSapNN9SmA0C0TnHo4IARHOGSJvTP nQzMPbIG7Dxu8mEDeaSFT8SrignaqHkCLB/1lxyoFGDHQBvZTLcr9XA1k32ibCIjwpSL eV7s3Pb/jqaUEfKq/IvK6kAbu9y9y9LFalDKEnS0EfaEnT6fp8Qa9neZkIkMkkQiWm2R ZDQdhzGTTkGbCyGhouCT7jLjObfJpdZ2V/qZgAoqDD6MUms8osESIC9sIGq4+/FZfLa2 7CgB+K+s70bXxI8aFw48jHqNHhlflVSFmeQQFHCWQK96ez+QuN605O4OJiP3HBy8+i6o KAzA== X-Gm-Message-State: AOAM533WXnI71ZxEoaz7Uo5xnea8ejP1XVFHrkDNgZ4ANKjbCGXVGzq9 fnoGj78xlJua2WmfjNp6yDVvIJkGqn9EHQ== X-Google-Smtp-Source: ABdhPJy9MVQuYYh/EkAgmebL2xfyJjRihERhRibwCev+4/a9TuSmwh4B+D8wM04l/P5NH4z3Gu8ucA== X-Received: by 2002:a17:902:bb90:b029:11a:cf7c:997c with SMTP id m16-20020a170902bb90b029011acf7c997cmr4483181pls.80.1623768193474; Tue, 15 Jun 2021 07:43:13 -0700 (PDT) Received: from ?IPv6:2001:420:c0e0:1003::438? ([2001:420:c0e0:1003::438]) by smtp.gmail.com with ESMTPSA id p15sm3009000pjb.45.2021.06.15.07.43.12 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 15 Jun 2021 07:43:12 -0700 (PDT) From: Shamsher singh Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\)) Subject: Re: ntpv4 steps for AES128CMAC authentication Date: Tue, 15 Jun 2021 20:13:10 +0530 References: <9AEAF58B-22F0-4E8E-AA70-DEB6DCCF4344@gmail.com> To: freebsd-security@freebsd.org In-Reply-To: <9AEAF58B-22F0-4E8E-AA70-DEB6DCCF4344@gmail.com> Message-Id: X-Mailer: Apple Mail (2.3608.120.23.2.7) X-Rspamd-Queue-Id: 4G49zR417dz3tnJ X-Spamd-Bar: --- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=BTN+V/0q; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of meetshamsher@gmail.com designates 2607:f8b0:4864:20::62a as permitted sender) smtp.mailfrom=meetshamsher@gmail.com X-Spamd-Result: default: False [-3.50 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; FREEMAIL_FROM(0.00)[gmail.com]; TO_DN_NONE(0.00)[]; MV_CASE(0.50)[]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MID_RHS_MATCH_FROM(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[2607:f8b0:4864:20::62a:from]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[2607:f8b0:4864:20::62a:from:127.0.2.255]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::62a:from]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-security] X-Mailman-Approved-At: Wed, 16 Jun 2021 05:26:43 +0000 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.34 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Jun 2021 14:43:16 -0000 Hi, Just for info the openssl shows below also support in my system: # openssl -v openssl:Error: '-v' is an invalid command. Standard commands asn1parse ca ciphers cms =20= crl crl2pkcs7 dgst dh =20= dhparam dsa dsaparam ec =20= ec ecparam ecparam enc =20= engine errstr gendh gendsa =20= genpkey genrsa nseq ocsp =20= passwd pkcs12 pkcs7 pkcs8 =20= pkey pkeyparam pkeyutl prime =20= rand req rsa rsautl =20= s_client s_server s_time sess_id =20= smime speed spkac srp =20= ts verify version x509 =20= Message Digest commands (see the `dgst' command for more details) md2 md4 md5 mdc2 =20= rmd160 sha sha1 =20 Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb =20= aes-256-cbc aes-256-ecb base64 bf =20= bf-cbc bf-cfb bf-ecb bf-ofb =20= camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb =20= camellia-256-cbc camellia-256-ecb cast cast-cbc =20= cast5-cbc cast5-cfb cast5-ecb cast5-ofb =20= des des-cbc des-cfb des-ecb =20= des-ede des-ede-cbc des-ede-cfb des-ede-ofb =20= des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb =20= des-ofb des3 desx idea =20= idea-cbc idea-cfb idea-ecb idea-ofb =20= rc2 rc2-40-cbc rc2-64-cbc rc2-cbc =20= rc2-cfb rc2-ecb rc2-ofb rc4 =20= rc4-40 seed seed-cbc seed-cfb =20= seed-ecb seed-ofb zlib =20 > On 14-Jun-2021, at 10:57 PM, Shamsher singh = wrote: >=20 > Hi, > I have taken latest NTPv4 from https://www.freshports.org/net/ntp/ = > I am able to test MD5 and SHA authentication. But not able to test = AES128CMAC. >=20 > For all test used below parts: > Added keys for MD5, SHA1 and AES128MAC=20 > Ref: used from http://doc.ntp.org/current-stable/keygen.html = >=20 > Example: > 1 MD5 > 2 SHA1 > 3 AES128CMAC > ... > at /etc/ntp.keys in client and /etc/ntp/keys in server. >=20 >=20 > I am able to see authentication working fine for Md5 and SHA1 using=20 > ntpdate -d -a 1 --> working fine > ntpdate -d -a 2 --> working fine > ntpdate -d -a 3 --> fails >=20 > The 1st two passes easily but 3rd one fails for AES128CMAC. > It seems i am missing something here to test/validate it. >=20 > Can you please tell/guide me the steps how can i test it? > I am using below NTP version : > # ntpd --version > ntpd 4.2.8p15@1.3728-o Wed Jun 2 11:00:34 = UTC 2021 (1) >=20 > Thanks & regards > Shamsher >=20