[ntp:bugs] [Bug 1242] --enable-wintime should be enabled by default on all target systems
Martin Burnicki via the NTP Bugzilla
bugzilla at ntp.org
Mon Jul 6 10:07:03 UTC 2009
http://bugs.ntp.org/1242
----------------------------------------------------------------------------
Additional Comments From burnicki at ntp.org (Martin Burnicki)
Submitted on 2009-07-06 10:07
Danny,
(In reply to comment #29)
> (In reply to comment #26)
> Danny wrote
> > The point is that the code that is under discussion that is embedded in
> > a ifdef WINTIME macro, is not there in the stable release and
> > furthermore sends a mode 2 packet and you can tell this by inspection.
>
> Martin wrote:
> Of course there is a *bunch* of changes between the versions of ntp_proto.c
> in -stable and -dev.
>
> I have not examined every possible code path, but as I've already
> mentioned in comment #15 ntpd 4.2.5p185 (ntp-dev) does not reply
> at all by default, but it replies with a mode 1 packet if it has
> been built with -enable-wintime. The behaviour with WINTIME defined
> is exactly the same as with ntpd 4.2.4p7 and earlier versions.

Well, what I wrote above is not quite correct. ntpd 4.2.5p185 replies indeed
with a mode 2 packet (if it replies), whereas ntpd 4.2.4p7 replies with a mode
1 packet.

Anyway, the relevant pieces of code are quite similar in -stable and -dev:

In ntp-stable:

    case AM_NEWPASS:
        /*
         * If the inbound packet is correctly authenticated and
         * enabled, a symmetric passive association is
         * mobilized. If not but correctly authenticated, a
         * symmetric active response is sent. If authentication
         * fails, send a crypto-NAK packet.
         */
        if (!AUTH(restrict_mask & RES_DONTTRUST, is_authentic))
        {
            if (is_authentic == AUTH_ERROR)
                fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
            return; /* bad auth */
        }
        if (!AUTH(sys_authenticate | (restrict_mask &
            RES_NOPEER), is_authentic)) {
-->         fast_xmit(rbufp, MODE_ACTIVE, skeyid, restrict_mask);
            return; /* hooray */
        }

In ntp-dev:

    case AM_NEWPASS:
        /*
         * If authentication fails, drop the packet. If Autokey,
         * send a crypto-NAK.
         */
        if (!AUTH(restrict_mask & RES_DONTTRUST, is_authentic)) {
#ifdef OPENSSL
            if (crypto_flags && skeyid > NTP_MAXKEY)
                fast_xmit(rbufp, MODE_ACTIVE, 0, NULL, 0);
#endif /* OPENSSL */
            sys_restricted++;
            return; /* access denied */
        }
        if (!AUTH(sys_authenticate | (restrict_mask &
            RES_NOPEER), is_authentic)) {
#ifdef WINTIME
            /*
             * If authenticated but cannot mobilize an
             * association, send a symmetric passive
             * response without mobilizing an association.
             * This is for drat broken Windows clients. See
             * Microsoft KB 875424 for preferred workaround.
             */
-->         fast_xmit(rbufp, MODE_PASSIVE, skeyid, NULL, flags);
#else /* WINTIME */
            sys_restricted++;
#endif /* WINTIME */
            return; /* hooray */
        }

The relevant fast_xmit is in both cases the second call, just before the hooray
comment, flagged with a --> above. So, Danny, I wonder why you didn't find
this.
Martin
--
Martin Burnicki <burnicki at ntp.org>
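
Added example (not part of the original message and not ntpd code): a small C helper that reads the mode field from captured NTP packets, so the three outcomes discussed in this thread (no reply, mode 1 reply, mode 2 reply) can be told apart on the wire. The function and enum names other than MODE_ACTIVE and MODE_PASSIVE are hypothetical, and the packet bytes are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NTP_HDR_LEN 48 /* fixed NTP header, without extension fields or MAC */

enum { MODE_ACTIVE = 1, MODE_PASSIVE = 2 }; /* names as used in the excerpts above */

/* Outcomes named in the message: no reply (4.2.5p185 default build),
 * mode 1 (4.2.4p7), mode 2 (4.2.5p185 built with WINTIME). */
enum reply_kind { REPLY_NONE, REPLY_MODE1, REPLY_MODE2, REPLY_OTHER, REPLY_BAD };

/* Octet 0 is LI (2 bits) | VN (3 bits) | Mode (3 bits).
 * Returns the mode, or -1 if the buffer is too short to be an NTP packet. */
int ntp_mode(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < NTP_HDR_LEN)
        return -1;
    return pkt[0] & 0x7;
}

/* Classify the answer to a symmetric active (mode 1) request.
 * rep_len == 0 means nothing came back within the capture. */
enum reply_kind classify_reply(const uint8_t *req, size_t req_len,
                               const uint8_t *rep, size_t rep_len)
{
    if (ntp_mode(req, req_len) != MODE_ACTIVE)
        return REPLY_BAD; /* not the exchange this thread is about */
    if (rep == NULL || rep_len == 0)
        return REPLY_NONE;
    switch (ntp_mode(rep, rep_len)) {
    case MODE_ACTIVE:  return REPLY_MODE1;
    case MODE_PASSIVE: return REPLY_MODE2;
    case -1:           return REPLY_BAD; /* truncated reply */
    default:           return REPLY_OTHER;
    }
}

int main(void)
{
    /* Constructed samples: only octet 0 is set, the rest is zero. */
    uint8_t req[NTP_HDR_LEN] = { 0x19 }; /* LI 0, VN 3, mode 1 */
    uint8_t rep[NTP_HDR_LEN] = { 0x1a }; /* LI 0, VN 3, mode 2 */
    printf("reply kind: %d\n", classify_reply(req, sizeof req, rep, sizeof rep));
    return 0;
}
```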