From: Shamsher singh
Date: Mon, 14 Jun 2021 22:57:50 +0530
To: freebsd-security@freebsd.org
Subject: ntpv4 steps for AES128CMAC authentication
Message-Id: <9AEAF58B-22F0-4E8E-AA70-DEB6DCCF4344@gmail.com>

Hi,

I have taken the latest NTPv4 from https://www.freshports.org/net/ntp/

I am able to test MD5 and SHA authentication, but I am not able to test AES128CMAC.

For all tests I used the parts below:

Added keys for MD5, SHA1 and AES128CMAC
Ref: used from http://doc.ntp.org/current-stable/keygen.html

Example:

    1 MD5
    2 SHA1
    3 AES128CMAC
    ...

at /etc/ntp.keys in client and /etc/ntp/keys in server.

I am able to see authentication working fine for MD5 and SHA1 using

    ntpdate -d -a 1 --> working fine
    ntpdate -d -a 2 --> working fine
    ntpdate -d -a 3 --> fails

The first two pass easily, but the third one fails for AES128CMAC.

It seems I am missing something here to test/validate it.
Can you please tell/guide me the steps for how I can test it?

I am using the NTP version below:

    # ntpd --version
    ntpd 4.2.8p15@1.3728-o Wed Jun 2 11:00:34 UTC 2021 (1)

Thanks & regards
Shamsher