git.ipfire.org Git - thirdparty/chrony.git/commit

author	Miroslav Lichvar <mlichvar@redhat.com>
	Thu, 19 Sep 2024 12:19:12 +0000 (14:19 +0200)
committer	Miroslav Lichvar <mlichvar@redhat.com>
	Thu, 3 Oct 2024 13:02:03 +0000 (15:02 +0200)
commit	689605b6a2d2b26f44e8f086ae41521f06b83c31
tree	2d6bedf40e3abc2b41bbe99429e8cc43ea86df52	tree \| snapshot
parent	0707865413e83d4724ca8d168086cf83794a69b2	commit \| diff

nts: switch client to compliant key exporter on NTS NAK

Implement a fallback for the NTS-NTP client to switch to the compliant
AES-128-GCM-SIV exporter context when the server is using the compliant
context, but does not support the new NTS-KE record negotiating its use,
assuming it can respond with an NTS NAK to the request authenticated
with the incorrect key.

Export both sets of keys when processing the NTS-KE response. If an NTS
NAK is the only valid response from the server after the last NTS-KE
session, switch to the keys exported with the compliant context for the
following requests instead of dropping all cookies and restarting
NTS-KE. Don't switch back to the original keys if an NTS NAK is received
again.

nts_ke_client.c		diff \| blob \| blame \| history
nts_ke_client.h		diff \| blob \| blame \| history
nts_ntp_client.c		diff \| blob \| blame \| history
siv.h		diff \| blob \| blame \| history
test/unit/nts_ntp_client.c		diff \| blob \| blame \| history