ntp: improve replay protection in symmetric mode

Always allow update from the first valid response, even if its transmit
timestamp is not newer than the currently saved timestamp. This shoud
provide a temporary protection in the case where the attacker does have
an authenticated packet from future, but the peers are using the same
polling interval and the protocol is already synchronised. This could be
also useful in the case where the attacker cannot observe the traffic
and authentication is disabled.

diff --git a/ntp_core.c b/ntp_core.c
index b92e0e1577588a0f5e5ee5eee68635ebd170289a..50a3aec1483775981ceaacc2fec3badadfe7a7b6 100644 (file)
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -1458,7 +1458,7 @@ receive_packet(NCR_Instance inst, NTP_Local_Address *local_addr,
   if ((inst->mode == MODE_CLIENT && valid_packet && !inst->valid_rx) ||
       (inst->mode == MODE_ACTIVE && (valid_packet || !inst->valid_rx) &&
        test5 && !UTI_IsZeroNtp64(&message->transmit_ts) &&
-       (!inst->updated_timestamps ||
+       (!inst->updated_timestamps || (valid_packet && !inst->valid_rx) ||
         UTI_CompareNtp64(&inst->remote_ntp_tx, &message->transmit_ts) < 0))) {
     inst->remote_ntp_rx = message->receive_ts;
     inst->remote_ntp_tx = message->transmit_ts;