ntp: don't send crypto-NAKs

Crypto-NAK is useful only with Autokey where it allows quick reset
of the association. There is no plan to support Autokey and NTS will
specify its own message for authentication errors.

diff --git a/ntp_core.c b/ntp_core.c
index 7ea4a6c7b3736be8e2434a2a3d0fa356dd21a90f..19da58d0a18d3143d1a32b4bb12aee0208891b84 100644 (file)
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -66,7 +66,6 @@ typedef enum {
 
 typedef enum {
   AUTH_NONE = 0,                /* No authentication */
-  AUTH_CRYPTO_NAK,              /* Empty MAC indicating authentication error */
   AUTH_SYMMETRIC,               /* MAC using symmetric key (RFC 1305, RFC 5905) */
   AUTH_MSSNTP,                  /* MS-SNTP authenticator field */
   AUTH_MSSNTP_EXT,              /* MS-SNTP extended authenticator field */
@@ -944,10 +943,6 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */
       return NSD_SignAndSendPacket(key_id, &message, where_to, from, length);
     }
   } else {
-    if (auth_mode == AUTH_CRYPTO_NAK) {
-      message.auth_keyid = 0;
-      length += sizeof (message.auth_keyid);
-    }
     UTI_TimevalToInt64(&local_transmit, &message.transmit_ts, &ts_fuzz);
   }
 
@@ -1172,7 +1167,7 @@ check_packet_auth(NTP_Packet *pkt, int length,
 
   /* This is not 100% reliable as a MAC could fail to authenticate and could
      pass as an extension field, leaving reminder smaller than the minimum MAC
-     length.  Not a big problem, at worst we won't reply with a crypto-NAK. */
+     length */
   if (remainder >= NTP_MIN_MAC_LENGTH) {
     *auth_mode = AUTH_SYMMETRIC;
     *key_id = ntohl(*(uint32_t *)(data + i));
@@ -1749,10 +1744,6 @@ NCR_ProcessUnknown
       case AUTH_NONE:
         /* Reply with no MAC */
         break;
-      case AUTH_SYMMETRIC:
-        /* Reply with crypto-NAK */
-        auth_mode = AUTH_CRYPTO_NAK;
-        break;
       case AUTH_MSSNTP:
         /* Ignore the failure (MS-SNTP servers don't check client MAC) */
         break;