From: Shamsher singh
To: freebsd-security@freebsd.org
Subject: Re: NTPv4 steps for AES128CMAC authentication
Date: Mon, 21 Jun 2021 12:04:24 +0530
Message-Id: <3FC5588E-5FC8-4043-A269-82F9C6249353@gmail.com>

Hi,

Can you please share the test steps to validate AES128CMAC authentication for NTPv4?

Thanks & regards
Shamsher Singh

> On 16-Jun-2021, at 5:30 PM, freebsd-security-request@freebsd.org wrote:
>
> Today's Topics:
>
>    1. Re: ntpv4 steps for AES128CMAC authentication (Shamsher singh)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 15 Jun 2021 20:13:10 +0530
> From: Shamsher singh
> To: freebsd-security@freebsd.org
> Subject: Re: ntpv4 steps for AES128CMAC authentication
> Message-ID:
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
> Just for info the openssl shows below also support in my system:
>
> # openssl -v
> openssl:Error: '-v' is an invalid command.
>
> Standard commands
> asn1parse         ca                ciphers           cms
> crl               crl2pkcs7         dgst              dh
> dhparam           dsa               dsaparam          ec
> ec                ecparam           ecparam           enc
> engine            errstr            gendh             gendsa
> genpkey           genrsa            nseq              ocsp
> passwd            pkcs12            pkcs7             pkcs8
> pkey              pkeyparam         pkeyutl           prime
> rand              req               rsa               rsautl
> s_client          s_server          s_time            sess_id
> smime             speed             spkac             srp
> ts                verify            version           x509
>
> Message Digest commands (see the `dgst' command for more details)
> md2               md4               md5               mdc2
> rmd160            sha               sha1
>
> Cipher commands (see the `enc' command for more details)
> aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
> aes-256-cbc       aes-256-ecb       base64            bf
> bf-cbc            bf-cfb            bf-ecb            bf-ofb
> camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb
> camellia-256-cbc  camellia-256-ecb  cast              cast-cbc
> cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb
> des               des-cbc           des-cfb           des-ecb
> des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb
> des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb
> des-ofb           des3              desx              idea
> idea-cbc          idea-cfb          idea-ecb          idea-ofb
> rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
> rc2-cfb           rc2-ecb           rc2-ofb           rc4
> rc4-40            seed              seed-cbc          seed-cfb
> seed-ecb          seed-ofb          zlib
>
>> On 14-Jun-2021, at 10:57 PM, Shamsher singh wrote:
>>
>> Hi,
>> I have taken latest NTPv4 from https://www.freshports.org/net/ntp/
>> I am able to test MD5 and SHA authentication.
>> But not able to test AES128CMAC.
>>
>> For all test used below parts:
>> Added keys for MD5, SHA1 and AES128MAC
>> Ref: used from http://doc.ntp.org/current-stable/keygen.html
>>
>> Example:
>> 1 MD5
>> 2 SHA1
>> 3 AES128CMAC
>> ...
>> at /etc/ntp.keys in client and /etc/ntp/keys in server.
>>
>>
>> I am able to see authentication working fine for MD5 and SHA1 using
>> ntpdate -d -a 1 --> working fine
>> ntpdate -d -a 2 --> working fine
>> ntpdate -d -a 3 --> fails
>>
>> The 1st two pass easily but the 3rd one fails for AES128CMAC.
>> It seems I am missing something here to test/validate it.
>>
>> Can you please tell/guide me the steps how can I test it?
>> I am using below NTP version:
>> # ntpd --version
>> ntpd 4.2.8p15@1.3728-o Wed Jun 2 11:00:34 UTC 2021 (1)
>>
>> Thanks & regards
>> Shamsher
>>
>
> End of freebsd-security Digest, Vol 756, Issue 2