NTS-KE seerver copy bug

Hal Murray hmurray at megapathdsl.net
Wed Oct 30 11:49:10 UTC 2019

devel at ntpsec.org said:
> Thanks for spotting that.  We'll ship a CVE and a point release shortly.

It was easy to spot.  The test case didn't work and there was garbage in the 

There are two more bugs/quirks that I'm investigating.  I don't think either 
is worth waiting for.

If you typo the file name on the cert-file in something like
  server <server-name> nts ca <cert-file-name>
it logs an error message, then exits.  That happens in the DNS worker thread.  
Remember all the work we did to make msyslog work with threads?  We didn't fix 
all the main code to be thread friendly.  We did add a trap for calling 
lib_getbuf() from a non-main thread.  exit() calls all the unwind hooks (from 
the non-main thread) and before long, that trap goes off.

We could peek ahead to see if the file works.  The idea with the exit was so 
you would know there was a problem and could fix it rather than have to poke 
around to figure out why it wasn't working.

I think it's easy to make that particular error fail rather than exit.  But 
there are lots of others.  We could make a ntp_exit that sets a flag to 
disable the trap.  Mumble.

The other quirk is noval when using old-enough versions of OpenSSL.  I think 
it doesn't work - certificate checking is built into the code.  That area is 
tangled up with host name checking.  I'd like to make sure I understand that 

There is another 1/2 a bug.  I fixed the -4 and -6 flags to apply to both the 
NTS-KE server and the NTP server.  Before that fix, if  you did
  server -4 foo nts
  server -6 foo nts
and foo said to use NTP server named "bar" and bar had both -4 and -6 
addresses, the second one didn't work.  Or something like that.  I've seen 
some fishy printout in the logs (wrong port) so some extra checking seems 

These are my opinions.  I hate spam.

More information about the devel mailing list