NTS-KE seerver copy bug
hmurray at megapathdsl.net
Wed Oct 30 11:49:10 UTC 2019
devel at ntpsec.org said:
> Thanks for spotting that. We'll ship a CVE and a point release shortly.
It was easy to spot. The test case didn't work and there was garbage in the
There are two more bugs/quirks that I'm investigating. I don't think either
is worth waiting for.
If you typo the file name on the cert-file in something like
server <server-name> nts ca <cert-file-name>
it logs an error message, then exits. That happens in the DNS worker thread.
Remember all the work we did to make msyslog work with threads? We didn't fix
all the main code to be thread friendly. We did add a trap for calling
lib_getbuf() from a non-main thread. exit() calls all the unwind hooks (from
the non-main thread) and before long, that trap goes off.
We could peek ahead to see if the file works. The idea with the exit was so
you would know there was a problem and could fix it rather than have to poke
around to figure out why it wasn't working.
I think it's easy to make that particular error fail rather than exit. But
there are lots of others. We could make a ntp_exit that sets a flag to
disable the trap. Mumble.
The other quirk is noval when using old-enough versions of OpenSSL. I think
it doesn't work - certificate checking is built into the code. That area is
tangled up with host name checking. I'd like to make sure I understand that
There is another 1/2 a bug. I fixed the -4 and -6 flags to apply to both the
NTS-KE server and the NTP server. Before that fix, if you did
server -4 foo nts
server -6 foo nts
and foo said to use NTP server named "bar" and bar had both -4 and -6
addresses, the second one didn't work. Or something like that. I've seen
some fishy printout in the logs (wrong port) so some extra checking seems
These are my opinions. I hate spam.
More information about the devel