[Sec 2936] Skeleton Key: Any system knowing the trusted key can serve time. Include...
authorHarlan Stenn <stenn@ntp.org>
Sat, 23 Jan 2016 10:34:17 +0000 (10:34 +0000)
committerHarlan Stenn <stenn@ntp.org>
Sat, 23 Jan 2016 10:34:17 +0000 (10:34 +0000)
bk: 56a35729LkqOGyByqJWSlFEPCcxibg

ChangeLog
ntpd/ntp_proto.c

index 9458ee18d76ff2e52b4345e479b016a856ac38cc..e2dae78f4df2eed9c9b8f9d9096847b00eef2018 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 ---
 
+* [Sec 2936] Skeleton Key: Any system knowing the trusted key can serve
+  time. Include passive servers in this check. HStenn.
 * [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
   - integrated patches by Loganaden Velvidron <logan@ntp.org>
     with some modifications & unit tests
index ad454099f8b924a16ca84cf3fd162a1d8ab58e61..072e01eededea96d9b4602eba1448c75bf271561 100644 (file)
@@ -1610,6 +1610,7 @@ receive(
            case MODE_SERVER:           /* server mode */
            case MODE_BROADCAST:        /* broadcast mode */
            case MODE_ACTIVE:           /* symmetric active mode */
+           case MODE_PASSIVE:          /* symmetric passive mode */
                if (   is_authentic == AUTH_OK
                    && !authistrustedip(skeyid, &peer->srcadr)) {
                        report_event(PEVNT_AUTH, peer, "authIP");
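Review bot: The case group that now includes MODE_PASSIVE has no comment explaining why these four modes get the `authistrustedip()` check while MODE_UNSPEC and MODE_CLIENT in the next group do not, and a misplaced label there is exactly what this commit repairs. I would add a comment above `case MODE_SERVER:` such as `/* Modes in which the sender can supply time: a valid key is not enough, the key must also be bound to the source address. */`. The check is opt-in per mode, so any mode not listed here skips it; whether a MODE_UNSPEC packet can still reach a path that creates or updates an association is not visible in this hunk and is worth confirming. The `report_event()` call records only "authIP", so if `skeyid` is not logged further down, including the key id would help an operator tell a leaked key from a misconfigured address restriction. The switch statement and the rest of this branch lie outside the hunk.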
@@ -1619,7 +1620,6 @@ receive(
                break;
 
            case MODE_UNSPEC:           /* unspecified (old version) */
-           case MODE_PASSIVE:          /* symmetric passive mode */
            case MODE_CLIENT:           /* client mode */
 #if 0          /* At this point, MODE_CONTROL is overloaded by MODE_BCLIENT */
            case MODE_CONTROL:          /* control mode */