[ntp:security] NOEPEER patch

Martin Burnicki martin.burnicki at meinberg.de
Fri Aug 3 10:46:57 UTC 2018


Harlan,

Harlan Stenn wrote:
> On 8/3/2018 2:28 AM, Martin Burnicki wrote:
>> Harlan Stenn wrote:
>>> and now it is:
>>>
>>>   if (!peer || !peer->keyid || !(peer->flags & FLAG_SKEY))
>>> 	return INVALIDNAK;
>>>
>>> and I think we want:
>>>
>>>   if (!peer || (!peer->keyid && !(peer->flags & FLAG_SKEY)))
>>> 	return INVALIDNAK;
>>
>> The fact that the FLAG_SKEY test has been in the code before Pearly's
>> change doesn't necessarily mean that the test is correct, and required.
>>
>> Similar to the MODE_ACTIVE reply in this case instead of a MODE_PASSIVE
>> reply that would be expected, even according to Dave.
>>
>> So *why* is FLAG_SKEY tested here? If a packet with an invalid/unknown
>> key was received then it should make no difference if the *key* was a
>> symmetric one, or an autokey one.
> 
> All I know right now (at 0237) is that this test dates back to August of
> 2001, and possibly before that.
> 
> It *might* have something to do with the recollection I have that during
> the first few packets of the autokey dance, there will not (yet) be a keyid.

OK, can you eventually discuss this with DLM?

I'm going to try whether the change you proposed above will also result in
the behavior expected in our case.

Martin
-- 
Martin Burnicki

Senior Software Engineer

MEINBERG Funkuhren GmbH & Co. KG
Email: martin.burnicki at meinberg.de
Phone: +49 5281 9309-414
Linkedin: https://www.linkedin.com/in/martinburnicki/

Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Günter Meinberg, Werner Meinberg,
Andre Hartmann, Heiko Gerstung
Websites: https://www.meinberg.de  https://www.meinbergglobal.com
Training: https://www.meinberg.academy
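The thread turns on which peer states the two versions of the test treat differently. The following is an added example, not ntpd code and not something either participant posted: it reimplements the two conditions quoted above against a mock peer structure and enumerates every combination of "has a keyid" and "has FLAG_SKEY". The struct layout, the FLAG_SKEY bit value, the return codes and the sample keyid are assumptions for illustration only.

```c
/* Added example (not ntpd source): compare the current and the proposed
 * crypto-NAK acceptance tests quoted in the thread on a mock peer.
 * The struct, FLAG_SKEY value and verdict codes are assumptions. */
#include <stdio.h>
#include <stddef.h>

#define FLAG_SKEY 0x01   /* assumed bit value; in ntpd it is a bit in peer->flags */

enum nak_verdict { INVALIDNAK = 0, NAK_ACCEPTED = 1 };

struct peer {
    unsigned int keyid;   /* 0 means no key id has been assigned */
    unsigned int flags;   /* bitmask, may contain FLAG_SKEY */
};

/* Test as it stands in the current code: the NAK is rejected unless the
 * peer has both a keyid and FLAG_SKEY. */
int nak_check_current(const struct peer *peer)
{
    if (!peer || !peer->keyid || !(peer->flags & FLAG_SKEY))
        return INVALIDNAK;
    return NAK_ACCEPTED;
}

/* Test as proposed in the thread: the NAK is rejected only when the
 * peer has neither a keyid nor FLAG_SKEY. */
int nak_check_proposed(const struct peer *peer)
{
    if (!peer || (!peer->keyid && !(peer->flags & FLAG_SKEY)))
        return INVALIDNAK;
    return NAK_ACCEPTED;
}

/* Enumerate the four (keyid, FLAG_SKEY) combinations plus a NULL peer and
 * return a bitmask of the states where the two tests disagree.
 * bit0: no keyid, no SKEY   bit1: keyid, no SKEY
 * bit2: no keyid, SKEY      bit3: keyid, SKEY      bit4: NULL peer */
unsigned int nak_disagreement_mask(void)
{
    unsigned int mask = 0;
    for (int state = 0; state < 4; state++) {
        struct peer p = { .keyid = (state & 1) ? 7 : 0,   /* 7: arbitrary sample keyid */
                          .flags = (state & 2) ? FLAG_SKEY : 0 };
        if (nak_check_current(&p) != nak_check_proposed(&p))
            mask |= 1u << state;
    }
    if (nak_check_current(NULL) != nak_check_proposed(NULL))
        mask |= 1u << 4;
    return mask;
}

int main(void)
{
    static const char *names[4] = {
        "no keyid, no SKEY", "keyid, no SKEY", "no keyid, SKEY", "keyid, SKEY"
    };
    for (int state = 0; state < 4; state++) {
        struct peer p = { .keyid = (state & 1) ? 7 : 0,
                          .flags = (state & 2) ? FLAG_SKEY : 0 };
        printf("%-18s current=%s proposed=%s\n", names[state],
               nak_check_current(&p) ? "accept" : "INVALIDNAK",
               nak_check_proposed(&p) ? "accept" : "INVALIDNAK");
    }
    printf("disagreement mask: 0x%x\n", nak_disagreement_mask());
    return 0;
}
```

Running it shows that the two tests agree on a NULL peer and on the "both" and "neither" cases, and differ exactly on the two mixed states: a peer with a symmetric keyid but no FLAG_SKEY, and an autokey peer (FLAG_SKEY set) that has not yet been assigned a keyid. The second of these is the early-autokey situation Harlan recalls, and the first is the symmetric-key case Martin asks about.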