Bug #11850

closed

NTP authentication input validation rejects valid keys

Added by Thomas Paetzold 6 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: NTPD
Target version:
Start date: 04/24/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 21.05
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture: All

Description

I ran into issues with the "Enable NTPv3 authentication (RFC 1305)" option and, more precisely, with entering a valid SHA-1 key.

According to "https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/services_ntpd.php", the following condition is coded:

elseif (($pconfig['serverauthalgo'] == 'sha1') && ((strlen(base64_decode($pconfig['serverauthkey'])) != 40) ||
!ctype_xdigit($pconfig['serverauthkey']))) {
$input_errors[] = gettext("The supplied value for NTP Authentication key for SHA1 digest must be hex-encoded string of 40 characters.");

Thus, as soon as either (strlen(base64_decode($pconfig['serverauthkey'])) != 40) OR !ctype_xdigit($pconfig['serverauthkey']) is true, the key is not accepted by pfSense. Obviously, a base64-decoded 40-character-long hex string will fail such a check. And in case it were a base64-encoded string, it would fail the !ctype_xdigit($pconfig['serverauthkey']) check. Thus it seems difficult to enter any valid key (?)

Assuming my key is:
$ echo '094c533b614d9e4bcb6e18a97a7b0e4d459025bd' | base64
MDk0YzUzM2I2MTRkOWU0YmNiNmUxOGE5N2E3YjBlNGQ0NTkwMjViZAo=

and another try:

$ echo '094c533b614d9e4bcb6e18a97a7b0e4d459025bd' | base64 --decode
���}��^��q���ƽ�������tۖ�

So whatever I insert, it ends up in:

The following input errors were detected:

The supplied value for NTP Authentication key for SHA1 digest must be hex-encoded string of 40 characters.
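
Added example (not part of the original report and not pfSense code): the quoted condition run against the key from the report in both of its forms, next to a check that tests the string itself for 40 hex characters, as the error text describes. The function names and the alternative check are assumptions made for illustration.

```php
<?php
// Added example, not pfSense code. Both function names are hypothetical.

// The condition quoted in the report, as a boolean (true = input rejected).
function reported_check_rejects(string $key): bool {
    return (strlen(base64_decode($key)) != 40) || !ctype_xdigit($key);
}

// Assumed alternative matching the error text: the string itself must be
// exactly 40 hexadecimal characters. No base64 decoding is involved.
function hex40_check_rejects(string $key): bool {
    return (strlen($key) != 40) || !ctype_xdigit($key);
}

// Key taken from the report.
$hex = '094c533b614d9e4bcb6e18a97a7b0e4d459025bd';
// Its base64 form, encoded here without the trailing newline that echo adds.
$b64 = base64_encode($hex);

// Why the hex form fails the quoted condition: hex digits are also valid
// base64 characters, so base64_decode() treats the 40 characters as
// 40 * 6 = 240 bits of base64 data, which is 30 bytes, not 40.
// Why the base64 form fails: it decodes to 40 bytes, but the encoded text
// contains characters outside 0-9a-f, so ctype_xdigit() returns false.
foreach (['hex key' => $hex, 'base64 of hex key' => $b64] as $label => $key) {
    printf(
        "%-18s len=%2d decoded_len=%2d xdigit=%-3s reported=%s hex40=%s\n",
        $label,
        strlen($key),
        strlen(base64_decode($key)),
        ctype_xdigit($key) ? 'yes' : 'no',
        reported_check_rejects($key) ? 'reject' : 'accept',
        hex40_check_rejects($key) ? 'reject' : 'accept'
    );
}
```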