Bug #11850

NTP authentication input validation rejects valid keys

Added by Thomas Paetzold about 2 months ago. Updated 12 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: NTPD
Target version:
Start date: 04/24/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 21.05
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture: All

Description

I run into issues with the "Enable NTPv3 authentication (RFC 1305)" and more precisely with entering a valid SHA-1 key.

According to "https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/services_ntpd.php", the following condition is coded:

    elseif (($pconfig['serverauthalgo'] == 'sha1') && ((strlen(base64_decode($pconfig['serverauthkey'])) != 40) ||
        !ctype_xdigit($pconfig['serverauthkey']))) {
        $input_errors[] = gettext("The supplied value for NTP Authentication key for SHA1 digest must be hex-encoded string of 40 characters.");
    }

Thus as soon as either (strlen(base64_decode($pconfig['serverauthkey'])) != 40) OR !ctype_xdigit($pconfig['serverauthkey']) the key is not accepted by pfSense. Obviously a base64 decoded 40 character long hex string will fail such check. And in case it would be a base64 encoded string it would fail the !ctype_xdigit($pconfig['serverauthkey']) check. Thus it seems difficult to enter any valid key (?)

Assuming my key is:

    $ echo '094c533b614d9e4bcb6e18a97a7b0e4d459025bd' | base64
    MDk0YzUzM2I2MTRkOWU0YmNiNmUxOGE5N2E3YjBlNGQ0NTkwMjViZAo=

and another try:

$ echo '094c533b614d9e4bcb6e18a97a7b0e4d459025bd' | base64 --decode
���}��^��q���ƽ�������tۖ�

So whatever I insert, it ends up in:

The following input errors were detected:

The supplied value for NTP Authentication key for SHA1 digest must be hex-encoded string of 40 characters.

Associated revisions

Revision a69f79bd (diff)
Added by Viktor Gurov about 1 month ago

NTP Authentication key input validation fix. Issue #11850

History

#1 Updated by Viktor Gurov about 2 months ago

  • Target version deleted (21.05)
  • Affected Version set to 2.5.0

An MD5 key is a string of 20 random printable ASCII characters,
while a SHA key is a string of 40 random hex digits.
from https://www.freebsd.org/cgi/man.cgi?query=ntp-keygen&apropos=0&sektion=8&manpath=FreeBSD+11-current&format=html

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/224
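
The condition quoted in the description, run against sample keys next to a length-and-hex check on the raw input. This is an added example, not pfSense code and not the change in the merge request above. The function names are hypothetical, and the corrected rule is an assumption taken from the ntp-keygen text quoted in this comment (a SHA key is a string of 40 hex digits).

```php
<?php
// Added illustration; function names are hypothetical, not pfSense code.

// The condition quoted in the report, as a predicate: true means "rejected".
// It measures the length of the base64-DECODED value, not of the input.
function old_check_rejects(string $key): bool {
    return (strlen(base64_decode($key)) != 40) || !ctype_xdigit($key);
}

// Assumed corrected rule, following the quoted ntp-keygen description:
// exactly 40 hex digits, with the length measured on the input itself.
function is_valid_sha1_key(string $key): bool {
    return strlen($key) === 40 && ctype_xdigit($key);
}

// Sample inputs: the first two come from the description, the rest are constructed.
$samples = [
    'reporter key, 40 hex digits' => '094c533b614d9e4bcb6e18a97a7b0e4d459025bd',
    'base64 of key plus newline'  => 'MDk0YzUzM2I2MTRkOWU0YmNiNmUxOGE5N2E3YjBlNGQ0NTkwMjViZAo=',
    '54 hex digits'               => str_repeat('a1b2c3', 9),
    '39 hex digits'               => str_repeat('f', 39),
    '40 chars, not hex'           => str_repeat('g', 40),
    'empty string'                => '',
];

// Print input length, base64-decoded length, and both verdicts side by side.
printf("%-30s %-8s %-12s %s\n", 'input', 'strlen', 'decoded len', 'old / new');
foreach ($samples as $label => $key) {
    printf(
        "%-30s %-8d %-12d %s / %s\n",
        $label,
        strlen($key),
        strlen(base64_decode($key)),
        old_check_rejects($key) ? 'reject' : 'accept',
        is_valid_sha1_key($key) ? 'accept' : 'reject'
    );
}
```

The "decoded len" column shows why the quoted condition cannot pass for a 40-digit key: the length test is applied after base64 decoding, while the hex test is applied to the undecoded input.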

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.6.0

#3 Updated by Jim Pingle about 1 month ago

  • Status changed from Pull Request Review to Feedback

PR was merged yesterday.

#4 Updated by Jim Pingle about 1 month ago

  • Plus Target Version set to 21.05

#5 Updated by Jim Pingle about 1 month ago

Already in 21.05 branch.

#6 Updated by Jim Pingle about 1 month ago

  • Subject changed from NTP Authentication key for SHA1 digest to NTP authentication input validation rejects valid keys

Updating subject for release notes.

#7 Updated by Thomas Paetzold about 1 month ago

Jim Pingle wrote:

Updating subject for release notes.

As I'm still on the 21.02.2-RELEASE (amd64) - when could I expect the 21.05 to be rolled out?

#8 Updated by Jim Pingle 19 days ago

  • Target version changed from 2.6.0 to 2.5.2

#9 Updated by Jim Pingle 19 days ago

  • Category changed from Authentication to NTPD

#10 Updated by Jim Pingle 12 days ago

  • Status changed from Feedback to Closed
