From: Miroslav Lichvar
Date: Wed, 17 Aug 2016 09:54:34 +0000 (+0200)
Subject: ntp: don't send crypto-NAKs
X-Git-Tag: 3.0-pre1~134
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71e0ebcb6b977dc2a312759b70d458cf0bb221c5;p=thirdparty%2Fchrony.git
ntp: don't send crypto-NAKs
Crypto-NAK is useful only with Autokey where it allows quick reset of the association. There is no plan to support Autokey and NTS will specify its own message for authentication errors.
---
diff --git a/ntp_core.c b/ntp_core.c
index 7ea4a6c7..19da58d0 100644
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -66,7 +66,6 @@ typedef enum {
 typedef enum {
 AUTH_NONE = 0, /* No authentication */
- AUTH_CRYPTO_NAK, /* Empty MAC indicating authentication error */
 AUTH_SYMMETRIC, /* MAC using symmetric key (RFC 1305, RFC 5905) */
 AUTH_MSSNTP, /* MS-SNTP authenticator field */
 AUTH_MSSNTP_EXT, /* MS-SNTP extended authenticator field */
@@ -944,10 +943,6 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */
 return NSD_SignAndSendPacket(key_id, &message, where_to, from, length);
 }
 } else {
- if (auth_mode == AUTH_CRYPTO_NAK) {
- message.auth_keyid = 0;
- length += sizeof (message.auth_keyid);
- }
 UTI_TimevalToInt64(&local_transmit, &message.transmit_ts, &ts_fuzz);
 }
@@ -1172,7 +1167,7 @@ check_packet_auth(NTP_Packet *pkt, int length,
 /* This is not 100% reliable as a MAC could fail to authenticate and could pass as an extension field, leaving reminder smaller than the minimum MAC
- length. Not a big problem, at worst we won't reply with a crypto-NAK. */
+ length */
 if (remainder >= NTP_MIN_MAC_LENGTH) {
 *auth_mode = AUTH_SYMMETRIC;
 *key_id = ntohl(*(uint32_t *)(data + i));
@@ -1749,10 +1744,6 @@ NCR_ProcessUnknown
 case AUTH_NONE:
 /* Reply with no MAC */
 break;
- case AUTH_SYMMETRIC:
- /* Reply with crypto-NAK */
- auth_mode = AUTH_CRYPTO_NAK;
- break;
 case AUTH_MSSNTP:
 /* Ignore the failure (MS-SNTP servers don't check client MAC) */
 break;
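Review bot: The shortened comment in the check_packet_auth hunk now stops at `length */`, so it says the MAC detection is unreliable but no longer says what follows when it misfires. Going by the switch in the NCR_ProcessUnknown hunk, where `AUTH_NONE` is answered with no MAC and the `AUTH_SYMMETRIC` branch is gone, a request whose failed MAC was skipped as an extension field would presumably be classified as unauthenticated and still get a reply; that depends on code outside both hunks and should be confirmed. If so, the comment should say it, for example `length.  Such a packet is then handled as if it carried no MAC. */`. The context line above also has `reminder` where `remainder` is meant. Both functions start and end outside the hunks shown.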