[ntp:hackers] Autokey update
mills at udel.edu
Sun May 3 18:56:12 UTC 2009
The Autokey support has been overhauled to fix a couple of bugs and
protect against potential packet buffer overflow.
1. The ntp-keygen program has been fixed to support a sign keys file
separate from the host keys file. This is necessary to support DSA-based
signatures. These changes are consistent with the documentation.
2. The OpenSSL DSA signature routine has a bug that returns an incorrect
signature length. Workaround is to use the known signature length and
disregard the return.
3. Testing with modulus sizes to 2048 bits reveals a very rare but
possible case where two certificates can occur in the same packet, which
can result in a packet buffer overflow using z 2048-bit modulus. The
case arises only in symmetric modes where each peer requests the other
to sign its certificate at the same time. The code now watches for this
and delays the second certificate to a following packet.
4. The online documentation and in the development version has been updated.
It's been tested on intricate and unlikely configurations involving
client/server, symmetric and broadcast modes with and without
interleaved modes and multiple hierarchical secure groups, each with
different keys and certificate types. Interleaved mode is really useful
at the larger packet sizes (up to 2000 octets), as the packet length and
signing time doesn't matter. Packet transmission time does matter, but
in symmetric modes the delays are reciprocal.
More information about the hackers