[Git][NTPsec/ntpsec][master] Implement generation of CMAC keys for draft-ietf-ntp-mac-01.

Eric S. Raymond gitlab at mg.gitlab.com
Fri Aug 11 15:33:21 UTC 2017


Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
7c9ee15a by Eric S. Raymond at 2017-08-11T11:32:33-04:00
Implement generation of CMAC keys for draft-ietf-ntp-mac-01.

- - - - -


3 changed files:

- docs/includes/ntpkeygen-body.txt
- libntp/macencrypt.c
- ntpclients/ntpkeygen


Changes:

=====================================
docs/includes/ntpkeygen-body.txt
=====================================
--- a/docs/includes/ntpkeygen-body.txt
+++ b/docs/includes/ntpkeygen-body.txt
@@ -5,7 +5,7 @@
 [[synop]]
 == Synopsis ==
 [verse]
-+ntpkeygen+ [+-M+]
++ntpkeygen+ [+-M+] [+-C+]
 
 [[descrip]]
 == Description ==
@@ -14,20 +14,24 @@ This program generates the keys used in NTP's symmetric key
 cryptography.
 
 The program produces a file containing ten pseudo-random printable
-ASCII strings suitable for the MD5 message digest algorithm included
-in the distribution.  It also produces an additional ten hex-encoded
-random bit strings suitable for the SHA-1 and other message digest
-algorithms. The message digest keys file must be distributed and
-stored using secure means beyond the scope of NTP itself. Besides
-the keys used for ordinary NTP associations, additional keys can be
-defined as passwords for the link:ntpq.html[+ntpq+] utility program.
+ASCII strings suitable for the message digest algorithms (MD5 and
+AES-CMAC) included in the distribution.  It also produces an
+additional ten hex-encoded random bit strings suitable for the SHA-1
+and other message digest algorithms. The message digest keys file must
+be distributed and stored using secure means beyond the scope of NTP
+itself. Besides the keys used for ordinary NTP associations,
+additional keys can be defined as passwords for the
+link:ntpq.html[+ntpq+] utility program.
 
 [[cmd]]
 == Command Line Options ==
 
 +-M+, +--md5key+::
   Dummy option for backward compatibility in old scripts.  This
-  program always runs in -M mode.
+  program runs in -M mode by default.
+
++-C+, +--cmackey+::
+  Generate AES-CMAC keys.
 
 [[run]]
 == Running the program ==
@@ -115,7 +119,7 @@ format:
 |====================================================================
 |Field	| Meaning
 |keyno	| Positive integer in the range 1-65,535
-|type	| MD5 or SHA-1 , type of key
+|type	| MD5, CMAC, or SHA-1: type of key
 |key	| the actual key, printable ASCII
 |====================================================================
 


=====================================
libntp/macencrypt.c
=====================================
--- a/libntp/macencrypt.c
+++ b/libntp/macencrypt.c
@@ -76,7 +76,7 @@ mac_authencrypt(
 
 
 /*
- * mac_authdecrypt - verify MD5 message authenticator
+ * mac_authdecrypt - verify message authenticator
  *
  * Returns true if digest valid, false if invalid.
  */


=====================================
ntpclients/ntpkeygen
=====================================
--- a/ntpclients/ntpkeygen
+++ b/ntpclients/ntpkeygen
@@ -10,9 +10,8 @@
 # association maintained by soft links. Following is a list of file
 # types.
 #
-# ntpkey_MD5key_<hostname>.<filestamp>
-# MD5 (128-bit) keys used to compute message digests in symmetric
-# key cryptography
+# ntpkey_MD5key_<hostname>.<filestamp>: MD5 (128-bit) keys
+# ntpkey_CMACkey_<hostname>.<filestamp>: CMAC (128-bit) keys
 
 from __future__ import print_function
 
@@ -25,40 +24,40 @@ import getopt
 import stat
 
 #
-# Cryptodefines
+# Cryptodefines.
 #
-MD5KEYS = 10    # number of keys generated of each type
-MD5SIZE = 20    # maximum key size
+BASEKEYS = 10    # number of keys generated of each type
+BASESIZE = 20    # maximum key size for MD5 and CMAC
 
-
-def gen_md5(id, groupname):
+def gen_keys(id, groupname):
     "Generate semi-random MD5 and SHA1 keys compatible with NTPv3 and NTPv4."
-    with fheader("MD5key", id, groupname) as wp:
-        for i in range(1, MD5KEYS+1):
-            md5key = ""
-            for j in range(MD5SIZE):
+    upid = id.upper()
+    with fheader(upid + "key", id, groupname) as wp:
+        for i in range(1, BASEKEYS+1):
+            basekey = ""
+            for j in range(BASESIZE):
                 while True:
                     r = randomizer.randint(0x21, 0x7e)
                     if r != ord('#'):
                         break
-                md5key += chr(r)
-            wp.write("%2d MD5 %s  # MD5 key\n" % (i, md5key))
-        for i in range(1, MD5KEYS+1):
+                basekey += chr(r)
+            wp.write("%2d %s %s  # %s key\n" % (i, upid, basekey, upid))
+        for i in range(1, BASEKEYS+1):
             sha1key = ""
-            for j in range(MD5SIZE):
+            for j in range(BASESIZE):
                 sha1key += "%02x" % randomizer.randint(0x00, 0xff)
-            wp.write("%2d SHA1 %s  # SHA1 key\n" % (i + MD5KEYS, sha1key))
+            wp.write("%2d SHA1 %s  # SHA1 key\n" % (i + BASEKEYS, sha1key))
 
 
 #
 # Generate file header and link
 #
-def fheader(file,       # file name id
+def fheader(stem,       # Filename stem made from MAC type
             ulink,      # linkname
             owner       # owner name
             ):
     try:
-        filename = "ntpkey_%s_%s.%u" % (file, owner, int(time.time()))
+        filename = "ntpkey_%s_%s.%u" % (stem, owner, int(time.time()))
         orig_umask = os.umask(stat.S_IWGRP | stat.S_IRWXO)
         wp = open(filename, "w")
         os.umask(orig_umask)
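Review bot: The docstring on gen_keys still says it generates "MD5 and SHA1 keys", but the function now writes keys of whatever type `id` names (MD5 or CMAC) followed by the SHA1 block; suggest `"Generate semi-random keys of the named type (MD5 or CMAC) plus SHA1 keys, compatible with NTPv3 and NTPv4."`. The `BASESIZE` comment calls 20 the "maximum key size for MD5 and CMAC" while the file header in the previous hunk describes CMAC keys as 128-bit, and 20 printable characters is 160 bits — whether the key-file reader truncates or rejects longer CMAC keys is not visible here, so the comment should state the size it actually accepts once confirmed. The parameter `id` shadows the builtin and is now used as a string (`id.upper()`); since main calls it positionally, renaming it `keytype` would match the caller and read more clearly. fheader's body continues past the end of the hunk.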
@@ -78,23 +77,26 @@ def fheader(file,       # file name id
 
 if __name__ == '__main__':
     try:
-        (options, arguments) = getopt.getopt(sys.argv[1:], "hM", ["help"])
+        (options, arguments) = getopt.getopt(sys.argv[1:], "hMC", ["help", "md5key", "cmackey"])
     except getopt.GetoptError as e:
         print(e)
         raise SystemExit(1)
 
+    keytype = "md5"
     for (switch, val) in options:
-        if switch == '-M':
+        if switch in ('-M', '--md5key'):
             # dummy MD5 option for backwards compatibility
-            pass
+            keytype = "md5"
+        elif switch in ('-C', '--cmackey'):
+            keytype = "cmac"
         elif switch in ("-h", "--help"):
-            print("usage: ntpkeygen [-M]")
+            print("usage: ntpkeygen [-M] [-C]")
             raise SystemExit(0)
 
     # The seed is ignored by random.SystemRandom,
     # even though the docs do not say so.
     randomizer = random.SystemRandom()
-    gen_md5("md5", socket.gethostname())
+    gen_keys(keytype, socket.gethostname())
     raise SystemExit(0)
 
 # end
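Review bot: The comment `# dummy MD5 option for backwards compatibility` above `keytype = "md5"` is now stale: -M selects the MD5 key type and overrides an earlier -C because the last switch given wins, while the help text `usage: ntpkeygen [-M] [-C]` and the docs synopsis present the two as combinable. Suggest `# -M selects MD5 keys (the default); the last of -M/-C given wins` and, if the options are meant to be exclusive, saying so in the usage string, e.g. `usage: ntpkeygen [-M | -C]`. The new getopt line is also well past 79 columns and could wrap the long-option list onto its own line.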



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/7c9ee15a864bb0eda5ba2427dead7ea99392421e
