Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 11580] New: Incorrect parsing of NTP datagrams with SHA1 based message authent

Wireshark-bugs: [Wireshark-bugs] [Bug 11580] New: Incorrect parsing of NTP datagrams with SHA1 b

Date: Fri, 09 Oct 2015 07:06:28 +0000

Bug ID	11580
Summary	Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
Product	Wireshark
Version	unspecified
Hardware	All
OS	Linux (other)
Status	UNCONFIRMED
Severity	Normal
Priority	Low
Component	Dissection engine (libwireshark)
Assignee	[email protected]
Reporter	[email protected]

Created attachment 13902 [details]
pcap of ntp sync with four UDP request-response exchanges where authentication
is done using sha1.

Build Information:
Version 1.12.1 (Git Rev Unknown from unknown)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 3.14.12, with Cairo 1.14.2, with Pango 1.36.8, with
GLib 2.44.0, with libpcap, with libz 1.2.8, with POSIX capabilities (Linux),
with libnl 3, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, without Python,
with GnuTLS 3.3.8, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with
PortAudio V19-devel (built Feb 25 2014 21:09:53), without AirPcap.

Running on Linux 3.19.0-30-generic, with locale en_US.UTF-8, with libpcap
version 1.6.2, with libz 1.2.8, GnuTLS 3.3.8, Gcrypt 1.6.2.
Intel(R) Core(TM) i7-5557U CPU @ 3.10GHz

Built using gcc 4.9.2.

--
ntpd, the network time protocol reference implementation (see
http://www.ntp.org/) has from 4.2.6 supported both MD5 and SHA1 based
authentication where the client request and server response is protected using
a message authentication code (MAC). For md5 based MACs, Wireshark is able to
parse NTP datagrams and show extracted key and authentication code.

But for SHA1 based MACs, the Wireshark parser does an incorrect parsing and
instead interpret the key ID as the extension field length. The result is that
given the key ID in the datagram, the key ID displayed end up being part of the
MAC (which means that the ID displayd varies from datagram to datagram). And
the MAC displayed being both incorrect and shorter than the MAC for md5. I've
not tested what happens with a big key ID.

Included are a pcap of a successful exchange with sha1 based authentication. (A
successful time sync exchange consists of four separate request-responses.)
Open it in Wireshark and look at how the datagrams are parsed.

(I have a similar exchange for md5 baed authentication, but seems only to be
able to add ome file to this bug report, not two.)

You are receiving this mail because:

You are watching all bug changes.

Follow-Ups:
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 11570] Buildbot crash output: fuzz-2015-10-06-30742.pcap
Next by Date: [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
Previous by thread: [Wireshark-bugs] [Bug 11556] TShark does not display all packets even when they match a given read filter
Next by thread: [Wireshark-bugs] [Bug 11580] Incorrect parsing of NTP datagrams with SHA1 based message authentication code (MAC)
Index(es):
- Date
- Thread