Bug #11850
closed
NTP authentication input validation rejects valid keys
Description
I ran into issues with the "Enable NTPv3 authentication (RFC 1305)" option, and more precisely with entering a valid SHA-1 key.
According to "https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/services_ntpd.php" the following condition is coded:
elseif (($pconfig['serverauthalgo'] == 'sha1') && ((strlen(base64_decode($pconfig['serverauthkey'])) != 40) ||
    !ctype_xdigit($pconfig['serverauthkey']))) {
    $input_errors[] = gettext("The supplied value for NTP Authentication key for SHA1 digest must be hex-encoded string of 40 characters.");
Thus as soon as either (strlen(base64_decode($pconfig['serverauthkey'])) != 40) OR !ctype_xdigit($pconfig['serverauthkey']) is true, the key is not accepted by pfSense. Obviously a base64-decoded 40-character-long hex string will fail such a check. And in case it were a base64-encoded string, it would fail the !ctype_xdigit($pconfig['serverauthkey']) check. Thus it seems difficult to enter any valid key (?)
Assuming my key is:
$ echo '094c533b614d9e4bcb6e18a97a7b0e4d459025bd' | base64
MDk0YzUzM2I2MTRkOWU0YmNiNmUxOGE5N2E3YjBlNGQ0NTkwMjViZAo=
and another try:
$ echo '094c533b614d9e4bcb6e18a97a7b0e4d459025bd' | base64 --decode
���}��^��q���ƽ�������tۖ�
So whatever I insert, it ends up in:
The following input errors were detected:
The supplied value for NTP Authentication key for SHA1 digest must be hex-encoded string of 40 characters.
Updated by Viktor Gurov over 3 years ago
- Target version deleted (21.05)
- Affected Version set to 2.5.0
An MD5 key is a string of 20 random printable ASCII characters,
while a SHA key is a string of 40 random hex digits.
from https://www.freebsd.org/cgi/man.cgi?query=ntp-keygen&apropos=0&sektion=8&manpath=FreeBSD+11-current&format=html
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/224
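The reported condition and the ntp-keygen wording side by side, as an added example that is not pfSense code and not the merged fix. The function names are hypothetical, and every sample other than the key from the report is constructed:

```php
<?php
// Added example, not pfSense code; function names are hypothetical.

// The condition quoted in the report, as a predicate: true means "rejected".
function reported_check_rejects(string $key): bool
{
    return (strlen(base64_decode($key)) != 40) || !ctype_xdigit($key);
}

// Check written from the ntp-keygen wording: exactly 40 hex digits.
function is_sha1_ntp_key(string $key): bool
{
    return strlen($key) === 40 && ctype_xdigit($key);
}

$reported_key = '094c533b614d9e4bcb6e18a97a7b0e4d459025bd'; // key from the report

$samples = [
    // base64_decode() maps every 4 input characters to 3 bytes, so 40 hex
    // digits decode to 30 bytes and the length test rejects them.
    '40 hex digits (report)'      => $reported_key,
    // Decodes back to 40 bytes, but the encoded text is not hex-only.
    'base64 of the 40 hex digits' => base64_encode($reported_key),
    // Constructed: hex digits are also base64 characters, and 54 of them
    // decode to 40 bytes in base64_decode()'s default non-strict mode.
    '54 hex digits (constructed)' => str_repeat('a', 54),
    // Constructed: right length, wrong alphabet.
    '40 non-hex (constructed)'    => str_repeat('z', 40),
];

printf("%-30s %-11s %-9s %s\n", 'input', 'decoded_len', 'reported', 'length+hex');
foreach ($samples as $label => $key) {
    printf(
        "%-30s %-11d %-9s %s\n",
        $label,
        strlen(base64_decode($key)),
        reported_check_rejects($key) ? 'reject' : 'accept',
        is_sha1_ntp_key($key) ? 'accept' : 'reject'
    );
}
```

Of these samples, only the constructed 54-digit string gets past the reported condition, while the 40-digit key from the report is rejected.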
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.6.0
Updated by Jim Pingle over 3 years ago
- Status changed from Pull Request Review to Feedback
PR was merged yesterday.
Updated by Jim Pingle over 3 years ago
- Subject changed from NTP Authentication key for SHA1 digest to NTP authentication input validation rejects valid keys
Updating subject for release notes.
Updated by Thomas Paetzold over 3 years ago
Jim Pingle wrote:
Updating subject for release notes.
As I'm still on the 21.02.2-RELEASE (amd64) - when could I expect the 21.05 to be rolled out?
Updated by Jim Pingle over 3 years ago
- Target version changed from 2.6.0 to 2.5.2
Updated by Jim Pingle over 3 years ago
- Category changed from Authentication to NTPD
Updated by Thomas Paetzold over 3 years ago
Thanks for the effort made.
Just want to confirm: in 21.05-RELEASE it works now as expected.