From 71e0ebcb6b977dc2a312759b70d458cf0bb221c5 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Wed, 17 Aug 2016 11:54:34 +0200 Subject: [PATCH] ntp: don't send crypto-NAKs Crypto-NAK is useful only with Autokey where it allows quick reset of the association. There is no plan to support Autokey and NTS will specify its own message for authentication errors. --- ntp_core.c | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/ntp_core.c b/ntp_core.c index 7ea4a6c..19da58d 100644 --- a/ntp_core.c +++ b/ntp_core.c @@ -66,7 +66,6 @@ typedef enum { typedef enum { AUTH_NONE = 0, /* No authentication */ - AUTH_CRYPTO_NAK, /* Empty MAC indicating authentication error */ AUTH_SYMMETRIC, /* MAC using symmetric key (RFC 1305, RFC 5905) */ AUTH_MSSNTP, /* MS-SNTP authenticator field */ AUTH_MSSNTP_EXT, /* MS-SNTP extended authenticator field */ @@ -944,10 +943,6 @@ transmit_packet(NTP_Mode my_mode, /* The mode this machine wants to be */ return NSD_SignAndSendPacket(key_id, &message, where_to, from, length); } } else { - if (auth_mode == AUTH_CRYPTO_NAK) { - message.auth_keyid = 0; - length += sizeof (message.auth_keyid); - } UTI_TimevalToInt64(&local_transmit, &message.transmit_ts, &ts_fuzz); } @@ -1172,7 +1167,7 @@ check_packet_auth(NTP_Packet *pkt, int length, /* This is not 100% reliable as a MAC could fail to authenticate and could pass as an extension field, leaving reminder smaller than the minimum MAC - length. Not a big problem, at worst we won't reply with a crypto-NAK. */ + length */ if (remainder >= NTP_MIN_MAC_LENGTH) { *auth_mode = AUTH_SYMMETRIC; *key_id = ntohl(*(uint32_t *)(data + i)); @@ -1749,10 +1744,6 @@ NCR_ProcessUnknown case AUTH_NONE: /* Reply with no MAC */ break; - case AUTH_SYMMETRIC: - /* Reply with crypto-NAK */ - auth_mode = AUTH_CRYPTO_NAK; - break; case AUTH_MSSNTP: /* Ignore the failure (MS-SNTP servers don't check client MAC) */ break;
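Review bot: The shortened comment in check_packet_auth now ends at `minimum MAC length */` and no longer says why the unreliable MAC detection is acceptable, which is what a reader of this parsing code needs to know. With the crypto-NAK reply gone the old justification no longer applies, so the comment should state what now happens to a packet whose failed MAC was consumed as an extension field. The visible lines only show that such a packet is not marked `AUTH_SYMMETRIC` by this branch; how it is handled afterwards is outside the hunk. While the line is being touched, `reminder` should read `remainder` to match the variable, e.g. `leaving remainder smaller than the minimum MAC length. <state how the packet is then treated> */`. check_packet_auth starts and ends outside the hunk.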