[Git][NTPsec/ntpsec][master] Revert broken CMAC implementation
Daniel Fox Franke
gitlab at mg.gitlab.com
Sat Aug 12 01:33:34 UTC 2017
Daniel Fox Franke pushed to branch master at NTPsec / ntpsec
Commits:
7089ae27 by Daniel Fox Franke at 2017-08-11T21:31:56-04:00
Revert broken CMAC implementation
- - - - -
4 changed files:
- NEWS
- docs/includes/ntpkeygen-body.txt
- libntp/macencrypt.c
- ntpclients/ntpkeygen
Changes:
=====================================
NEWS
=====================================
--- a/NEWS
+++ b/NEWS
@@ -15,9 +15,6 @@ ntpmon now reports units on time figures.
Builds are fully reproducible; see SOURCE_DATE_EPOCH and BUILD_EPOCH.
-AES-CMAC authentication hashes are supported. All that is necessary is for
-hosts to share the same key of type CMAC in their respective key files.
-
== 2017-03-21: 0.9.7 ==
The code size has been further reduced, to 60KLOC.
=====================================
docs/includes/ntpkeygen-body.txt
=====================================
--- a/docs/includes/ntpkeygen-body.txt
+++ b/docs/includes/ntpkeygen-body.txt
@@ -5,7 +5,7 @@
[[synop]]
== Synopsis ==
[verse]
-+ntpkeygen+ [+-M+] [+-C+]
++ntpkeygen+ [+-M+]
[[descrip]]
== Description ==
@@ -14,24 +14,20 @@ This program generates the keys used in NTP's symmetric key
cryptography.
The program produces a file containing ten pseudo-random printable
-ASCII strings suitable for the message digest algorithms (MD5 and
-AES-CMAC) included in the distribution. It also produces an
-additional ten hex-encoded random bit strings suitable for the SHA-1
-and other message digest algorithms. The message digest keys file must
-be distributed and stored using secure means beyond the scope of NTP
-itself. Besides the keys used for ordinary NTP associations,
-additional keys can be defined as passwords for the
-link:ntpq.html[+ntpq+] utility program.
+ASCII strings suitable for the MD5 message digest algorithm included
+in the distribution. It also produces an additional ten hex-encoded
+random bit strings suitable for the SHA-1 and other message digest
+algorithms. The message digest keys file must be distributed and
+stored using secure means beyond the scope of NTP itself. Besides
+the keys used for ordinary NTP associations, additional keys can be
+defined as passwords for the link:ntpq.html[+ntpq+] utility program.
[[cmd]]
== Command Line Options ==
+-M+, +--md5key+::
Dummy option for backward compatibility in old scripts. This
- program runs in -M mode by default.
-
-+-C+, +--cmackey+::
- Generate AES-CMAC keys.
+ program always runs in -M mode.
[[run]]
== Running the program ==
@@ -119,7 +115,7 @@ format:
|====================================================================
|Field | Meaning
|keyno | Positive integer in the range 1-65,535
-|type | MD5, CMAC, or SHA-1: type of key
+|type | MD5 or SHA-1 , type of key
|key | the actual key, printable ASCII
|====================================================================
=====================================
libntp/macencrypt.c
=====================================
--- a/libntp/macencrypt.c
+++ b/libntp/macencrypt.c
@@ -76,7 +76,7 @@ mac_authencrypt(
/*
- * mac_authdecrypt - verify message authenticator
+ * mac_authdecrypt - verify MD5 message authenticator
*
* Returns true if digest valid, false if invalid.
*/
=====================================
ntpclients/ntpkeygen
=====================================
--- a/ntpclients/ntpkeygen
+++ b/ntpclients/ntpkeygen
@@ -10,8 +10,9 @@
# association maintained by soft links. Following is a list of file
# types.
#
-# ntpkey_MD5key_<hostname>.<filestamp>: MD5 (128-bit) keys
-# ntpkey_CMACkey_<hostname>.<filestamp>: CMAC (128-bit) keys
+# ntpkey_MD5key_<hostname>.<filestamp>
+# MD5 (128-bit) keys used to compute message digests in symmetric
+# key cryptography
from __future__ import print_function
@@ -24,40 +25,40 @@ import getopt
import stat
#
-# Cryptodefines.
+# Cryptodefines
#
-BASEKEYS = 10 # number of keys generated of each type
-BASESIZE = 20 # maximum key size for MD5 and CMAC
+MD5KEYS = 10 # number of keys generated of each type
+MD5SIZE = 20 # maximum key size
-def gen_keys(id, groupname):
+
+def gen_md5(id, groupname):
"Generate semi-random MD5 and SHA1 keys compatible with NTPv3 and NTPv4."
- upid = id.upper()
- with fheader(upid + "key", id, groupname) as wp:
- for i in range(1, BASEKEYS+1):
- basekey = ""
- for j in range(BASESIZE):
+ with fheader("MD5key", id, groupname) as wp:
+ for i in range(1, MD5KEYS+1):
+ md5key = ""
+ for j in range(MD5SIZE):
while True:
r = randomizer.randint(0x21, 0x7e)
if r != ord('#'):
break
- basekey += chr(r)
- wp.write("%2d %s %s # %s key\n" % (i, upid, basekey, upid))
- for i in range(1, BASEKEYS+1):
+ md5key += chr(r)
+ wp.write("%2d MD5 %s # MD5 key\n" % (i, md5key))
+ for i in range(1, MD5KEYS+1):
sha1key = ""
- for j in range(BASESIZE):
+ for j in range(MD5SIZE):
sha1key += "%02x" % randomizer.randint(0x00, 0xff)
- wp.write("%2d SHA1 %s # SHA1 key\n" % (i + BASEKEYS, sha1key))
+ wp.write("%2d SHA1 %s # SHA1 key\n" % (i + MD5KEYS, sha1key))
#
# Generate file header and link
#
-def fheader(stem, # Filename stem made from MAC type
+def fheader(file, # file name id
ulink, # linkname
owner # owner name
):
try:
- filename = "ntpkey_%s_%s.%u" % (stem, owner, int(time.time()))
+ filename = "ntpkey_%s_%s.%u" % (file, owner, int(time.time()))
orig_umask = os.umask(stat.S_IWGRP | stat.S_IRWXO)
wp = open(filename, "w")
os.umask(orig_umask)
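Review bot: The key file in `fheader` is still created with `wp = open(filename, "w")` under a temporary umask, so the symmetric keys end up group-readable (0640 from the `S_IWGRP | S_IRWXO` mask) and the call will truncate or follow whatever already exists at that predictable name. Exclusive creation with an explicit mode avoids both: `wp = os.fdopen(os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600), "w")`, or 0o640 if group read by the daemon's group is intended. It also removes the case where `os.umask(orig_umask)` is skipped because `open()` raised. The body of `fheader`, including the `except` clause for this `try`, continues outside the hunk, so how a failure is handled is not visible here.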
@@ -77,26 +78,23 @@ def fheader(stem, # Filename stem made from MAC type
if __name__ == '__main__':
try:
- (options, arguments) = getopt.getopt(sys.argv[1:], "hMC", ["help", "md5key", "cmackey"])
+ (options, arguments) = getopt.getopt(sys.argv[1:], "hM", ["help"])
except getopt.GetoptError as e:
print(e)
raise SystemExit(1)
- keytype = "md5"
for (switch, val) in options:
- if switch in ('-M', '--md5key'):
+ if switch == '-M':
# dummy MD5 option for backwards compatibility
- keytype = "md5"
- elif switch in ('-C', '--cmackey'):
- keytype = "cmac"
+ pass
elif switch in ("-h", "--help"):
- print("usage: ntpkeygen [-M] [-C]")
+ print("usage: ntpkeygen [-M]")
raise SystemExit(0)
# The seed is ignored by random.SystemRandom,
# even though the docs do not say so.
randomizer = random.SystemRandom()
- gen_keys(keytype, socket.gethostname())
+ gen_md5("md5", socket.gethostname())
raise SystemExit(0)
# end
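Review bot: `--md5key` is no longer accepted, because the long-option list passed to `getopt.getopt` is now only `["help"]` and the test is `switch == '-M'`. An old script calling `ntpkeygen --md5key` will therefore hit the `GetoptError` branch and exit 1. The docs hunk in this same commit still lists `+-M+, +--md5key+` as a backward-compatibility dummy option. Restoring it takes two lines: `getopt.getopt(sys.argv[1:], "hM", ["help", "md5key"])` and `if switch in ('-M', '--md5key'):`.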
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/7089ae2762f6226fa681c5fb032438dd52bba826