[ntp:security] NOEPEER patch

Martin Burnicki martin.burnicki at meinberg.de
Fri Aug 3 10:46:57 UTC 2018


Harlan Stenn wrote:
> On 8/3/2018 2:28 AM, Martin Burnicki wrote:
>> Harlan Stenn wrote:
>>> and now it is:
>>>   if (!peer || !peer->keyid || !(peer->flags & FLAG_SKEY))
>>> 	return INVALIDNAK;
>>> and I think we want:
>>>   if (!peer || (!peer->keyid && !(peer->flags & FLAG_SKEY)))
>>> 	return INVALIDNAK;
>> The fact that the FLAG_SKEY test has been in the code before Pearly's
>> change doesn't necessarily mean that the test is correct, and required.
>> Similar to the MODE_ACTIVE reply in this case instead of a MODE_PASSIVE
>> reply that would be expected, even according to Dave.
>> So *why* is FLAG_SKEY tested here? If a packet with an invalid/unknown
>> key was received then it should make no difference if the *key* was a
>> symmetric one, or an autokey one.
> All I know right now (at 0237) is that this test dates back to August of
> 2001, and possibly before that.
> It *might* have something to do with the recollection I have that during
> the first few packets of the autokey dance, there will not (yet) be a keyid.

OK, can you eventually discuss this with DLM?

I'm going to try whether the change you proposed above will also result in
the behavior expected in our case.

Martin Burnicki

Senior Software Engineer

MEINBERG Funkuhren GmbH & Co. KG
Email: martin.burnicki at meinberg.de
Phone: +49 5281 9309-414
Linkedin: https://www.linkedin.com/in/martinburnicki/

Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Günter Meinberg, Werner Meinberg,
Andre Hartmann, Heiko Gerstung
Websites: https://www.meinberg.de  https://www.meinbergglobal.com
Training: https://www.meinberg.academy
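The two forms of the test quoted above differ on exactly two of the four (keyid, FLAG_SKEY) combinations, which is easier to see from a truth table than from the condition itself. The following is an added example for this archive page, not code from the thread or from ntpd; the struct layout, the FLAG_SKEY bit value and the function names are stand-ins chosen for illustration and are not ntpd's.

```c
/*
 * Added example, not ntpd code: the two forms of the crypto-NAK test
 * quoted above, run over every (keyid, FLAG_SKEY) combination so the
 * cases where they differ are visible. The struct layout and the
 * FLAG_SKEY bit value are stand-ins (assumptions), not ntpd's.
 */
#include <stdio.h>
#include <stddef.h>

#define FLAG_SKEY 0x0010u          /* assumed bit value for this example */

enum nak_result { ACCEPT = 0, INVALIDNAK = 1 };

struct peer {
    unsigned int keyid;            /* 0 = no key id (yet) */
    unsigned int flags;            /* FLAG_SKEY marks an Autokey association */
};

/* Form as it stood before the proposed change: OR of the three conditions. */
enum nak_result nak_check_or(const struct peer *peer)
{
    if (!peer || !peer->keyid || !(peer->flags & FLAG_SKEY))
        return INVALIDNAK;
    return ACCEPT;
}

/* Proposed form: NAK only if the peer has neither a keyid nor FLAG_SKEY. */
enum nak_result nak_check_and(const struct peer *peer)
{
    if (!peer || (!peer->keyid && !(peer->flags & FLAG_SKEY)))
        return INVALIDNAK;
    return ACCEPT;
}

/* Convenience wrappers that build a peer from (keyid, flags). */
int nak_or(unsigned int keyid, unsigned int flags)
{
    struct peer p = { keyid, flags };
    return nak_check_or(&p);
}

int nak_and(unsigned int keyid, unsigned int flags)
{
    struct peer p = { keyid, flags };
    return nak_check_and(&p);
}

/* Number of the four (keyid, FLAG_SKEY) combinations on which the forms differ. */
int count_disagreements(void)
{
    int n = 0;
    unsigned int keyid, skey;
    for (keyid = 0; keyid <= 1; keyid++)
        for (skey = 0; skey <= 1; skey++)
            if (nak_or(keyid, skey ? FLAG_SKEY : 0) !=
                nak_and(keyid, skey ? FLAG_SKEY : 0))
                n++;
    return n;
}

static const char *name(int r) { return r == INVALIDNAK ? "INVALIDNAK" : "accept"; }

int main(void)
{
    unsigned int keyid, skey;
    printf("%-6s %-9s %-11s %-11s\n", "keyid", "FLAG_SKEY", "OR form", "AND form");
    printf("%-6s %-9s %-11s %-11s\n", "NULL", "-",
           name(nak_check_or(NULL)), name(nak_check_and(NULL)));
    for (keyid = 0; keyid <= 1; keyid++)
        for (skey = 0; skey <= 1; skey++) {
            unsigned int flags = skey ? FLAG_SKEY : 0;
            printf("%-6u %-9s %-11s %-11s\n", keyid, skey ? "set" : "clear",
                   name(nak_or(keyid, flags)), name(nak_and(keyid, flags)));
        }
    printf("forms disagree on %d of 4 cases\n", count_disagreements());
    return 0;
}
```

The two rows where the forms disagree are an Autokey peer that has no keyid yet (which the OR form NAKs and the AND form accepts, matching the recollection about the first packets of the Autokey exchange) and a symmetric-key peer that does have a keyid but no FLAG_SKEY (which the OR form always NAKs). A NULL peer and a peer with neither keyid nor FLAG_SKEY are rejected by both forms.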
