[ntp:questions] authenticated packet using alternate digest algorithms

Greg.Dowd at microchip.com Greg.Dowd at microchip.com
Thu May 2 16:58:54 UTC 2019

Thanks, seems to work fine if you have the right version.  Testing 4.2.8p10 against 4.2.8p12 at least is interoperable.  4.2.6p5 not so much.  So maybe 4.2.8 and higher?


Greg Dowd
Principal Engineering Technologist, FTD
3870 N. First St. | San Jose | CA 95134 | USA
Office: 408.964.7643
Email: greg.dowd at microchip.com
Company Website:  www.microsemi.com

-----Original Message-----
From: questions [mailto:questions-bounces+greg.dowd=microsemi.com at lists.ntp.org] On Behalf Of Miroslav Lichvar
Sent: Thursday, May 2, 2019 12:59 AM
To: Greg Dowd - C32313 <Greg.Dowd at microchip.com>
Cc: questions at lists.ntp.org
Subject: Re: [ntp:questions] authenticated packet using alternate digest algorithms

External E-Mail

On Tue, Apr 30, 2019 at 04:08:47PM +0000, Greg.Dowd at microchip.com wrote:
> However, in operation things get weird.  Md5 and sha1 are fine.  Ripemd160 is successful but I think that is just lucky because it has a 160bit digest that ends up looking like a sha1 mac.  However, I "think" because I don't have support in openssl, sha224, 256, and 384 don't even try to send MAC frames, just regular no auth.  So they look like they work but they have no MAC.  Sha512 actually generates a 64 byte mac and stuffs all of it in the frame so 68 bye HMAC (with key) but this gets parsed as an extension and fails.  
> So what's up?  Is this like somewhere in the middle of development?  I remember discussions about have an extension field to either negotiate or at least identify digest algorithms but I don't think this is that.

Latest ntp-4.2.8 versions should truncate digests longer than 160 bits (192-bit MAC). What version were you testing? I'm not sure in which one exactly this was introduced.

Miroslav Lichvar
questions mailing list
questions at lists.ntp.org

More information about the questions mailing list