ntp_proto.c, ChangeLog:
authorHarlan Stenn <stenn@ntp.org>
Thu, 19 Mar 2015 07:54:24 +0000 (07:54 +0000)
committerHarlan Stenn <stenn@ntp.org>
Thu, 19 Mar 2015 07:54:24 +0000 (07:54 +0000)
  [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
  [Sec 2781] Authentication doesn't protect symmetric associations against DoS attacks.

bk: 550a80b0iGyIv4t9J1GJ_74V_eEx4A

ChangeLog
ntpd/ntp_proto.c

index 04fb22a9d9d4188e20541d27d216fb2d1f208365..ca71c988af668cb6be1464908cd5eebeaf5badd7 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,9 @@
 * [Bug 2773] Early leap announcement from Palisade/Thunderbolt
 * [Bug 2774] Unreasonably verbose printout - leap pending/warning
 * [Bug 2775] ntp-keygen.c fails to compile under Windows.
+* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
+* [Sec 2781] Authentication doesn't protect symmetric associations against
+  DoS attacks.
 * [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
 ---
 (4.2.8p1) 2015/02/04 Released by Harlan Stenn <stenn@ntp.org>
index 37c3f0325e07f0d7b4b0e9196bde28f9c7d172b6..356d2ca04061c9c073ef6bc993558681b5b179da 100644 (file)
@@ -1255,16 +1255,6 @@ receive(
                peer->flash |= TEST2;           /* bogus */
        }
 
-       /*
-        * Update the state variables.
-        */
-       if (peer->flip == 0) {
-               if (hismode != MODE_BROADCAST)
-                       peer->rec = p_xmt;
-               peer->dst = rbufp->recv_time;
-       }
-       peer->xmt = p_xmt;
-
        /*
         * If this is a crypto_NAK, the server cannot authenticate a
         * client packet. The server might have just changed keys. Clear
@@ -1285,18 +1275,20 @@ receive(
                return;
 
        /* 
-        * If the digest fails, the client cannot authenticate a server
+        * If the digest fails or it's missing for authenticated
+        * associations, the client cannot authenticate a server
         * reply to a client packet previously sent. The loopback check
         * is designed to avoid a bait-and-switch attack, which was
         * possible in past versions. If symmetric modes, return a
         * crypto-NAK. The peer should restart the protocol.
         */
-       } else if (!AUTH(has_mac || (restrict_mask & RES_DONTTRUST),
-           is_authentic)) {
+       } else if (!AUTH(peer->keyid || has_mac ||
+                        (restrict_mask & RES_DONTTRUST), is_authentic)) {
                report_event(PEVNT_AUTH, peer, "digest");
                peer->flash |= TEST5;           /* bad auth */
                peer->badauth++;
-               if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)
+               if (has_mac &&
+                   (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
                        fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
                if (peer->flags & FLAG_PREEMPT) {
                        unpeer(peer);
@@ -1309,6 +1301,16 @@ receive(
                return;
        }
 
+       /*
+        * Update the state variables.
+        */
+       if (peer->flip == 0) {
+               if (hismode != MODE_BROADCAST)
+                       peer->rec = p_xmt;
+               peer->dst = rbufp->recv_time;
+       }
+       peer->xmt = p_xmt;
+
        /*
         * Set the peer ppoll to the maximum of the packet ppoll and the
         * peer minpoll. If a kiss-o'-death, set the peer minpoll to
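Review bot: The comment above the digest check still says "If symmetric modes, return a crypto-NAK", but the new `has_mac &&` guard on the fast_xmit call means a NAK is now sent only when the incoming packet itself carried a MAC; the comment should say so, e.g. `* crypto-NAK, but only if the packet carried a MAC, so an` / `* unauthenticated packet cannot be used to provoke NAKs.` Likewise the "Update the state variables." block that moved below the authentication checks (third hunk) deserves a line explaining why it must stay there: `* Do this only after authentication has succeeded, so an` / `* unauthenticated packet cannot clobber peer->xmt/rec/dst.` Without those notes a later refactor could reorder the block or drop the has_mac test and silently reintroduce the behaviour the commit fixes. The widened condition `peer->keyid || has_mac || ...` presumably treats any non-zero keyid as "this association requires authentication"; that assumption is not visible here and is worth confirming against how keyid is assigned. receive() begins and ends outside these hunks.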