[Git][NTPsec/ntpsec][master] Back out Hal's emergency patch, and announce when the daemon is in replay mode.

Eric S. Raymond gitlab at mg.gitlab.com
Tue Dec 15 13:22:51 UTC 2015 

Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
b48bab12 by Eric S. Raymond at 2015-12-15T08:21:18Z
Back out Hal's emergency patch, and announce when the daemon is in replay mode.

- - - - -


2 changed files:

- ntpd/ntp_intercept.c
- ntpd/ntp_proto.c


Changes:

=====================================
ntpd/ntp_intercept.c
=====================================
--- a/ntpd/ntp_intercept.c
+++ b/ntpd/ntp_intercept.c
@@ -653,10 +653,7 @@ void intercept_sendpkt(const char *legend,
 		  struct pkt *pkt, int len)
 {
     char pkt_dump[BUFSIZ], newpacket[BUFSIZ];
-if (1) {
-	sendpkt(dest, ep, ttl, pkt, len);
-	return;
-};
+
     packet_dump(pkt_dump, sizeof(pkt_dump), dest, pkt, len);
     snprintf(newpacket, sizeof(newpacket), "sendpkt %s %s\n", legend, pkt_dump);
 
@@ -679,10 +676,6 @@ if (1) {
 void intercept_receive(struct recvbuf *rbufp)
 {
     char pkt_dump[BUFSIZ], newpacket[BUFSIZ];
-if (1) {
-	receive(rbufp);
-	return;
-};
 
     packet_dump(pkt_dump, sizeof(pkt_dump),
 		&rbufp->recv_srcadr,


=====================================
ntpd/ntp_proto.c
=====================================
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -2240,7 +2240,19 @@ peer_clear(
 	} else if (MODE_PASSIVE == peer->hmode) {
 		peer->nextdate += ntp_minpkt;
 	} else {
-		peer->nextdate += intercept_ntp_random(__func__) % peer->minpoll;
+	    /*
+	     * Randomizing the next poll interval used to be done with
+	     * ntp_random(); this leads to replay-mode problems and is
+	     * unnecessary, any deterministic but uniformly
+	     * distributed function of the peer state would be good
+	     * enough.  Furthermore, changing the function creates no
+	     * interop problems. For security reasons (to prevent
+	     * hypothetical timing attacks) we want at least one input
+	     * to be invisible from outside ntpd; the internal
+	     * association ID fits the bill.
+	     */
+	    int pseudorandom = peer->associd ^ sock_hash(&peer->srcadr);
+	    peer->nextdate += pseudorandom % peer->minpoll;
 	}
 #ifdef ENABLE_AUTOKEY
 	peer->refresh = current_time + (1 << NTP_REFRESH);



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/b48bab1221165fa2c3cc2f58207cfb7128be500c
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ntpsec.org/pipermail/vc/attachments/20151215/a7bd7eff/attachment.html>

More information about the vc mailing list