[ntp:hackers] NTP cores in authistrustedip.

Harlan Stenn stenn at ntp.org
Wed Apr 20 07:25:32 UTC 2016


Brian,

brian utterback writes:
> I was trying to set up autokey for some testing and my NTP client is
> crashing in authistrustedip in an INSIST macro.

First, separate from all of what you have found, autokey has been known
to be insecure for about four years' time now.  It's being replaced by
Network Time Security, which is under active development.

Next, the current code has changed a fair amount from what you cite.
I see how to fix this for the autokey case.  Would you please open a bug
report for this?

I'll see if I can get this fixed right now.

H
--

> If I follow the packet, it is being processed in receive() at this point:
> 
>          * Compute the cryptosum. Note a clogging attack may
>          * succeed in bloating the key cache. If an autokey,
>          * purge it immediately, since we won't be needing it
>          * again. If the packet is authentic, it can mobilize an
>          * association. Note that there is no key zero.
>          */
>         if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen,
>             has_mac))
>                 is_authentic = AUTH_ERROR;
>         else
>                 is_authentic = AUTH_OK;
> #ifdef AUTOKEY
>         if (crypto_flags && skeyid > NTP_MAXKEY)
>                 authtrust(skeyid, 0);
> #endif  /* AUTOKEY */
> 
> The packet is fine, so is_authentic gets AUTH_OK, but the call to
> authtrust sets the trust to 0 and the key is removed from the cache and
> the key table.
> 
> Later on after all of the FLASH tests and validation, we get to this point:
> 
>         switch (hismode) {
>             case MODE_SERVER:           /* server mode */
>             case MODE_BROADCAST:        /* broadcast mode */
>             case MODE_ACTIVE:           /* symmetric active mode */
>                 if (   is_authentic == AUTH_OK
>                     && !authistrustedip(skeyid, &peer->srcadr)) {
>                         report_event(PEVNT_AUTH, peer, "authIP");
>                         peer->badauth++;
>                         return;
>                 }
>                 break;
> 
> Well, is_authentic is AUTH_OK, so we call authistrustedip() with the
> skeyid (which we purged) and the source address. The function looks like
> this:
> 
>                 authkeyuncached++;
>                 bucket = &key_hash[KEYHASH(keyno)];
>                 for (sk = *bucket; sk != NULL; sk = sk->hlink) {
>                         if (keyno == sk->keyid)
>                                 break;
>                 }
>                 if (NULL == sk || !(KEY_TRUSTED & sk->flags)) {
>                         INSIST(!"authistrustedip: keyid not found/trusted!");
>                         return FALSE;
>                 }
> 
> Since we purged the key from the table, the key isn't found and the
> INSIST gets invoked and the process aborts. So, it looks to me like this
> INSIST shouldn't have been there, maybe a DPRINT or something, since the
> return after it will never get executed. But more to the point, how can
> the processing ever work since we purged the key?
> 
> It may be possible that I have set up autokey incorrectly. I am trying
> to test IFF, but I really need to test all of them. The instructions on
> how to do it are simply abysmal on the web site and are out of date and
> I think they might have been incomplete to begin with. Does anyone have
> a cheatsheet on setting up autokey?
> 
> 
> 
> -- 
> Oracle <http://www.oracle.com>
> Brian Utterback | Principal Software Engineer
> Phone: +1 6038973049
> Oracle Systems/RPE Solaris Network
> 1 Oracle Dr. | Nashua, NH 03062


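Added example (not part of the original message and not ntpd code): a small C model of the sequence described in the quoted report, where a key id above NTP_MAXKEY is purged right after verification and a later lookup with the same id misses. The table size, the NTP_MAXKEY value and the helpers key_add, key_purge, key_lookup and receive_sequence are assumptions for illustration; the lookup returns a status instead of calling INSIST.

```c
#include <stdio.h>
#include <stdlib.h>

#define KEY_TRUSTED 0x001        /* flag name from the quoted excerpt; value assumed */
#define NTP_MAXKEY  65535        /* assumed value; autokey ids lie above it */
#define HASHSIZE    64           /* assumed table size */
#define KEYHASH(k)  ((k) % HASHSIZE)

typedef struct symkey { struct symkey *hlink; unsigned keyid, flags; } symkey;
static symkey *key_hash[HASHSIZE];

enum lookup { KEY_MISSING, KEY_UNTRUSTED, KEY_OK };

/* Hypothetical helper: insert a trusted key at the head of its bucket. */
static void key_add(unsigned keyno) {
    symkey *sk = calloc(1, sizeof *sk);
    if (sk == NULL) abort();
    sk->keyid = keyno; sk->flags = KEY_TRUSTED;
    sk->hlink = key_hash[KEYHASH(keyno)];
    key_hash[KEYHASH(keyno)] = sk;
}

/* Hypothetical stand-in for authtrust(keyno, 0): unlink and free the key. */
static void key_purge(unsigned keyno) {
    symkey **pp = &key_hash[KEYHASH(keyno)];
    for (; *pp != NULL; pp = &(*pp)->hlink)
        if ((*pp)->keyid == keyno) { symkey *d = *pp; *pp = d->hlink; free(d); return; }
}

/* Same bucket walk as the excerpt, but a miss is reported, not asserted on. */
static enum lookup key_lookup(unsigned keyno) {
    symkey *sk;
    for (sk = key_hash[KEYHASH(keyno)]; sk != NULL; sk = sk->hlink)
        if (keyno == sk->keyid) break;
    if (sk == NULL) return KEY_MISSING;
    return (sk->flags & KEY_TRUSTED) ? KEY_OK : KEY_UNTRUSTED;
}

/* Order of operations from the report: key present, autokey purge, later lookup. */
static enum lookup receive_sequence(unsigned skeyid, int crypto_flags) {
    key_add(skeyid);                         /* key exists while the MAC is checked */
    if (crypto_flags && skeyid > NTP_MAXKEY)
        key_purge(skeyid);                   /* the "purge it immediately" step */
    enum lookup r = key_lookup(skeyid);      /* the later trusted-IP lookup */
    key_purge(skeyid);                       /* demo cleanup; no-op if already gone */
    return r;
}

int main(void) {
    printf("autokey id: %d, symmetric id: %d\n",
           (int)receive_sequence(70000u, 1), (int)receive_sequence(42u, 1));
    return 0;
}
```

With a status return, the caller can tell a purged key (KEY_MISSING) apart from one that is present but untrusted, which the combined test in the quoted excerpt cannot.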