From: Juergen Perlinger
Date: Sun, 8 May 2016 09:59:28 +0000 (+0200)
Subject: [Sec 3043] Autokey association reset. perlinger@ntp.org
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b588d0b5e73645e482847928ed837a687fa2b06d;p=thirdparty%2Fntp.git
[Sec 3043] Autokey association reset. perlinger@ntp.org
(fixes [Sec 3044] and [Sec 3045], too)
bk: 572f0e00tPCCm3gAK4z5KNe0suIVsg
---
diff --git a/ChangeLog b/ChangeLog
index dc7b627a6..e930510b4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 ---
+* [Sec 3043] Autokey association reset. perlinger@ntp.org
+ (fixes [Sec 3044] and [Sec 3045], too)
 * [Sec 3046] CRYPTO_NAK crash. stenn@ntp.org
 * [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
- provide build environment
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index 4b50f5ae2..3ef52251b 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -277,10 +277,12 @@ valid_NAK(
 u_char hismode
 )
 {
- int base_packet_length = MIN_V4_PKT_LEN;
- int remainder_size;
- struct pkt *rpkt;
- int keyid;
+ int base_packet_length = MIN_V4_PKT_LEN;
+ int remainder_size;
+ struct pkt * rpkt;
+ int keyid;
+ l_fp p_org; /* origin timestamp */
+ const l_fp * myorg; /* selected peer origin */
 /*
 * Check to see if there is something beyond the basic packet
@@ -320,13 +322,29 @@ valid_NAK(
 /*
 * Only valid if peer uses a key
 */
- if ( peer && (peer->keyid > 0 || peer->flags & FLAG_SKEY)) {
- return (VALIDNAK);
+ if (!peer || !peer->keyid || !(peer->flags & FLAG_SKEY)) {
+ return (INVALIDNAK);
 }
- else {
+
+ /*
+ * The ORIGIN must match, or this cannot be a valid NAK, either.
+ */
+ NTOHL_FP(&rpkt->org, &p_org);
+ if (peer->flip > 0)
+ myorg = &peer->borg;
+ else
+ myorg = &peer->aorg;
+
+ if (L_ISZERO(&p_org) ||
+ L_ISZERO( myorg) ||
+ !L_ISEQU(&p_org, myorg)) {
 return (INVALIDNAK);
 }
+
+ /* If we ever passed all that checks, we should be safe. Well,
+ * as safe as we can ever be with an unauthenticated crypto-nak.
+ */
+ return (VALIDNAK);
 }
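Review bot: The rewritten guard in the second valid_NAK hunk is not the negation of the one it replaces: the old code accepted a NAK when `peer->keyid > 0 || peer->flags & FLAG_SKEY`, the new `if (!peer || !peer->keyid || !(peer->flags & FLAG_SKEY))` rejects unless both hold, so a crypto-NAK is now only ever valid for an Autokey peer and a symmetric-key-only peer gets INVALIDNAK. That looks deliberate for the advisory, since only the origin-timestamp match below stands between an unauthenticated NAK and the association, but the unchanged comment `Only valid if peer uses a key` now understates the check and should read `* Only valid if the peer uses Autokey (a keyid is set AND FLAG_SKEY)`. While there, `L_ISZERO( myorg)` has a stray space that `L_ISZERO(myorg)` would fix. The function's remaining body (the length/keyid checks between the two hunks) is outside the hunk.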
@@ -1682,13 +1700,11 @@ receive(
 peer->flash |= TEST5; /* bad auth */
 peer->badauth++;
 if (peer->flags & FLAG_PREEMPT) {
- if (unpeer_crypto_nak_early) {
+ if (unpeer_crypto_nak_early)
 unpeer(peer);
- }
- return;
 }
 #ifdef AUTOKEY
- if (peer->crypto)
+ else if (peer->crypto)
 peer_clear(peer, "AUTH");
 #endif /* AUTOKEY */
 return;
@@ -1709,16 +1725,6 @@ receive(
 if ( has_mac && (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
 fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
- if (peer->flags & FLAG_PREEMPT) {
- if (unpeer_digest_early) {
- unpeer(peer);
- }
- return;
- }
-#ifdef AUTOKEY
- if (peer->crypto)
- peer_clear(peer, "AUTH");
-#endif /* AUTOKEY */
 return;
 }
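Review bot: The new `else if (peer->crypto)` in the first hunk is attached to the `}` on the line before `#ifdef AUTOKEY`, so the `else` only exists in AUTOKEY builds and any statement later inserted between that brace and the directive would silently change which `if` it binds to (or fail to compile) in one configuration only. The same branching is clearer without the cross-directive `else`: keep the PREEMPT block as it is and write the AUTOKEY part as `if (!(peer->flags & FLAG_PREEMPT) && peer->crypto)` / `peer_clear(peer, "AUTH");`, which also makes explicit that a peer just handed to `unpeer()` is never touched again before the `return`. The unbraced `if (unpeer_crypto_nak_early)` body is the same one-statement form the file otherwise braces; `{ unpeer(peer); }` would match the surrounding style. The second hunk is a pure removal of the digest-failure unpeer path; if `unpeer_digest_early` has no other reader, the knob that sets it is presumably now a no-op and deserves a note at its definition. receive() starts and ends outside both hunks.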