From 2a8ce63fc72ed155ed364c9660f467825c88f073 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 27 Jul 2016 13:28:01 +0200 Subject: [PATCH] ntp: detect MS-SNTP packets When a received packet fails to authenticate, check if the digest contains zeroes and treat it as an MS-SNTP packet with authenticator or extended authenticator field. For now, discard these packets, i.e. don't respond with a crypto-NAK. --- ntp_core.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/ntp_core.c b/ntp_core.c index 2039f6e..09ee03b 100644 --- a/ntp_core.c +++ b/ntp_core.c @@ -67,6 +67,8 @@ typedef enum { AUTH_NONE = 0, /* No authentication */ AUTH_CRYPTO_NAK, /* Empty MAC indicating authentication error */ AUTH_SYMMETRIC, /* MAC using symmetric key (RFC 1305, RFC 5905) */ + AUTH_MSSNTP, /* MS-SNTP authenticator field */ + AUTH_MSSNTP_EXT, /* MS-SNTP extended authenticator field */ } AuthenticationMode; /* ================================================== */ @@ -1105,6 +1107,19 @@ check_packet_format(NTP_Packet *message, int length) /* ================================================== */ +static int +is_zero_data(unsigned char *data, int length) +{ + int i; + + for (i = 0; i < length; i++) + if (data[i]) + return 0; + return 1; +} + +/* ================================================== */ + static int check_packet_auth(NTP_Packet *pkt, int length, AuthenticationMode *auth_mode, uint32_t *key_id) @@ -1156,6 +1171,15 @@ check_packet_auth(NTP_Packet *pkt, int length, if (remainder >= NTP_MIN_MAC_LENGTH) { *auth_mode = AUTH_SYMMETRIC; *key_id = ntohl(*(uint32_t *)(data + i)); + + /* Check if it is an MS-SNTP authenticator field or extended authenticator + field with zeroes as digest */ + if (version == 3 && *key_id) { + if (remainder == 20 && is_zero_data(data + i + 4, remainder - 4)) + *auth_mode = AUTH_MSSNTP; + else if (remainder == 72 && is_zero_data(data + i + 8, remainder - 8)) + *auth_mode = AUTH_MSSNTP_EXT; + } } else { *auth_mode = AUTH_NONE; *key_id = 0;