Don't restart NTS-KE if a spoofed NAK response was received and no valid
response is received for a subsequent request.
the last successful key establishment. A number larger than 1 indicates a
problem with the network or server.
*NAK*:::
-This column shows whether an NTS NAK was received since the last authenticated
-response. A NAK indicates that authentication failed on the server side due to
+This column shows whether an NTS NAK was received since the last request.
+A NAK indicates that authentication failed on the server side due to
*chronyd* using a cookie which is no longer valid and that it needs to perform
the key establishment again in order to get new cookies.
*Cook*:::
inst->num_cookies--;
inst->cookie_index = (inst->cookie_index + 1) % NTS_MAX_COOKIES;
+ inst->nak_response = 0;
inst->ok_response = 0;
return 1;
info.mode = MODE_CLIENT;
info.length = random() % (sizeof (packet) + 1);
- inst->num_cookies = 0;
+ if (inst->num_cookies > 0 && random() % 2) {
+ inst->num_cookies = 0;
- TEST_CHECK(!NNC_GenerateRequestAuth(inst, &packet, &info));
+ TEST_CHECK(!NNC_GenerateRequestAuth(inst, &packet, &info));
+ }
while (!NNC_PrepareForAuth(inst)) {
inst->next_nke_attempt = SCH_GetLastEventMonoTime() + random() % 10 - 7;
projects / thirdparty / chrony.git / commitdiff
