fix auth field (key_id and mac) in standard and control msg

2025-10-12 03:28:19 +00:00 · 2019-06-06 16:38:05 +02:00 · 2019-06-06 16:38:05 +02:00 · 2cd2c65fe3
commit 2cd2c65fe3
parent df0a4b9bb7
4 changed files with 51 additions and 78 deletions
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@ -39,13 +39,14 @@ type NTP_std_msg = record {
        origin_ts      : NTP_Time;
        receive_ts     : NTP_Time;
        transmit_ts    : NTP_Time;
-        extensions     : Extension_Field[] &until($input.length() <= 18);
-        have_mac       : case (offsetof(have_mac) < length) of {
+        #extensions     : Extension_Field[] &until($input.length() == 20); #TODO: this need to be properly parsed 
+        mac_fields     : case (has_mac) of {
                                true  -> mac : NTP_MAC;
                                false -> nil : empty;
-                         } &requires(length);
+                         } &requires(has_mac);
 } &let {
        length          = sourcedata.length();
+	has_mac: bool	= (length - offsetof(mac_fields)) == 20;
 } &byteorder=bigendian &exportsourcedata;

 # This format is for mode==6, control msg
@ -53,33 +54,40 @@ type NTP_std_msg = record {
 type NTP_control_msg = record {
        second_byte	: uint8;
        sequence	: uint16;
-        status      	: uint16;    #TODO: this must be further specified
+        status      	: uint16;    #TODO: this can be further parsed internally
        association_id	: uint16;
        offs		: uint16;
        c	   	: uint16;
 	data		: bytestring &length=c;
-        have_mac       : case (offsetof(have_mac) < length) of {
-                                true  -> mac : NTP_MAC;
+        mac_fields     : case (has_control_mac) of {
+                                true  -> mac : NTP_CONTROL_MAC;
                                false -> nil : empty;
-                         } &requires(length);
+                         } &requires(has_control_mac);
 } &let {
        R:	bool   = (second_byte & 0x80) > 0;	# First bit of 8-bits value
        E:	bool   = (second_byte & 0x40) > 0;	# Second bit of 8-bits value
        M:     	bool   = (second_byte & 0x20) > 0;	# Third bit of 8-bits value
-        OpCode:	uint8  = (second_byte & 0x1F);	# Last 5 bits of 8-bits value
+        OpCode:	uint8  = (second_byte & 0x1F);		# Last 5 bits of 8-bits value
        length          = sourcedata.length();
+        has_control_mac: bool   = (length - offsetof(mac_fields)) == 12;
 } &byteorder=bigendian &exportsourcedata;

-
+# As in RFC 5905
 type NTP_MAC = record {
 	key_id: uint32;
 	digest: bytestring &length=16;
-} &length=18;
+} &length=20;
+
+# As in RFC 1119
+type NTP_CONTROL_MAC = record {
+        key_id: uint32;
+     	crypto_checksum: bytestring &length=8;
+} &length=12;

 type Extension_Field = record {
  field_type: uint16;
-  length    : uint16;
-  data      : bytestring &length=length-4;
+  ext_len   : uint16;
+  data      : bytestring &length=ext_len-4;
 };

 type NTP_Short_Time = record {