From: Harlan Stenn Date: Sat, 23 Jan 2016 10:34:17 +0000 (+0000) Subject: [Sec 2936] Skeleton Key: Any system knowing the trusted key can serve time. Include... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1d572d548067236075b87f9c83ff17ea3c835698;p=thirdparty%2Fntp.git [Sec 2936] Skeleton Key: Any system knowing the trusted key can serve time. Include passive servers in this check. HStenn. bk: 56a35729LkqOGyByqJWSlFEPCcxibg
---
diff --git a/ChangeLog b/ChangeLog
index 9458ee18d..e2dae78f4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 ---
+* [Sec 2936] Skeleton Key: Any system knowing the trusted key can serve
+ time. Include passive servers in this check. HStenn.
 * [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org - integrated patches by Loganaden Velvidron with some modifications & unit tests
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index ad454099f..072e01eed 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -1610,6 +1610,7 @@ receive(
 case MODE_SERVER: /* server mode */
 case MODE_BROADCAST: /* broadcast mode */
 case MODE_ACTIVE: /* symmetric active mode */
+ case MODE_PASSIVE: /* symmetric passive mode */
 if ( is_authentic == AUTH_OK && !authistrustedip(skeyid, &peer->srcadr)) {
 report_event(PEVNT_AUTH, peer, "authIP");
@@ -1619,7 +1620,6 @@ receive(
 break;
 case MODE_UNSPEC: /* unspecified (old version) */
- case MODE_PASSIVE: /* symmetric passive mode */
 case MODE_CLIENT: /* client mode */
 #if 0 /* At this point, MODE_CONTROL is overloaded by MODE_BCLIENT */
 case MODE_CONTROL: /* control mode */
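Review bot: The case list at the top of the first ntp_proto.c hunk now decides which packet modes must pass `authistrustedip()`, but nothing in the code states that rule, so a later edit could move a label back out as easily as this commit moved one in. I would add a comment above `case MODE_SERVER:` such as `/* Modes in which the sender can supply time to us: the key must be trusted for the source address ([Sec 2936]). */`, and a one-line comment above `case MODE_UNSPEC:` in the second hunk recording that those modes are intentionally left out of the check, if that is the intent. The new `MODE_PASSIVE` label also reaches `&peer->srcadr`; the switch head and any non-NULL check on `peer` lie outside both hunks, so it is worth confirming that guard holds for symmetric-passive packets. The commit touches only ChangeLog and ntp_proto.c, so a regression test asserting that a passive-mode packet authenticated with a key not trusted for its source address is rejected would be a useful follow-up.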