From: Harlan Stenn
Date: Sun, 9 Feb 2014 09:00:04 +0000 (+0000)
Subject: [Sec 2542] Strengthen the mrulist nonce
X-Git-Tag: NTP_4_2_7P420~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fbac2d61f6ceac686a4e37922443da21f079a280;p=thirdparty%2Fntp.git

[Sec 2542] Strengthen the mrulist nonce

bk: 52f74394IKO9Kr2xa91uj8V_6mFy4w
---

diff --git a/ChangeLog b/ChangeLog
index df93ced9b..b744937e7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 * [Bug 492] Clearly document ntpdate's pending deprecation.
 * [Bug 1186] ntpd fails with link local IPv6 addresses.
+* [Sec 2542] Strengthen the mrulist nonce.
 (4.2.7p419) 2014/02/08 Released by Harlan Stenn
 * [Bug 2466] Wrap NMEA timestamps in 1024 week cycles.
 (4.2.7p418) 2014/02/05 Released by Harlan Stenn
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index c2fb501d0..c73dd7247 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -3335,7 +3335,8 @@ static u_int32 derive_nonce(
 u_int32 ts_f
 )
 {
- static u_int32 salt[2];
+ static u_int32 salt[4];
+ static u_long last_salt_update;
 union d_tag {
 u_char digest[EVP_MAX_MD_SIZE];
 u_int32 extract;
@@ -3343,9 +3344,13 @@ static u_int32 derive_nonce(
 EVP_MD_CTX ctx;
 u_int len;
 
- while (!salt[0])
+ while (!salt[0] || current_time - last_salt_update >= 3600) {
 salt[0] = ntp_random();
- salt[1] = conf_file_sum;
+ salt[1] = ntp_random();
+ salt[2] = ntp_random();
+ salt[3] = ntp_random();
+ last_salt_update = current_time;
+ }
 
 EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));
 EVP_DigestUpdate(&ctx, salt, sizeof(salt));
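Review bot: The new `last_salt_update` in the first ntp_control.c hunk is declared without a comment giving its unit or what it is measured against. The following hunk subtracts it from `current_time`, so a comment such as `/* current_time at which salt[] was last regenerated */` would make the refresh condition readable from the declaration. It is also worth confirming that `u_long` matches the type of `current_time`, which is declared outside this diff, so that the unsigned subtraction `current_time - last_salt_update` behaves as intended. derive_nonce starts before and continues after this hunk.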
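Review bot: All four salt words in the refresh loop of the second ntp_control.c hunk come from `ntp_random()`, whose definition is outside this diff; if it is a general-purpose PRNG rather than a CSPRNG, the 128-bit salt is only as unpredictable as that generator's seed and internal state. The function already uses OpenSSL's EVP API, so the salt could instead be filled with `RAND_bytes((u_char *)salt, sizeof(salt))`, treating any return other than 1 as failure and keeping `ntp_random()` only as the fallback; this would need `<openssl/rand.h>`, and I cannot see the include list from here. Separately, the bare `3600` would read better as a named constant with a comment on why one hour was chosen. Nonces issued just before a refresh will presumably stop validating once the salt changes, which that comment should also mention. derive_nonce's body starts and ends outside the hunk.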