From cc20ead3dcc0fa7f5e71f36e9201468e32f04f2e Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 20 Jul 2020 16:31:49 +0200
Subject: [PATCH] nts: reset NAK indicator with new request

Don't restart NTS-KE if a spoofed NAK response was received and no valid
response is received for a subsequent request.
---
 doc/chronyc.adoc | 4 ++--
 nts_ntp_client.c | 1 +
 test/unit/nts_ntp_client.c | 6 ++++--
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/doc/chronyc.adoc b/doc/chronyc.adoc
index 0442131..bb0af01 100644
--- a/doc/chronyc.adoc
+++ b/doc/chronyc.adoc
@@ -599,8 +599,8 @@ This column shows the number of attempts to perform the key establishment since
 the last successful key establishment. A number larger than 1 indicates a
 problem with the network or server.
 *NAK*:::
-This column shows whether an NTS NAK was received since the last authenticated
-response. A NAK indicates that authentication failed on the server side due to
+This column shows whether an NTS NAK was received since the last request.
+A NAK indicates that authentication failed on the server side due to
 *chronyd* using a cookie which is no longer valid and that it needs to perform
 the key establishment again in order to get new cookies.
 *Cook*:::
diff --git a/nts_ntp_client.c b/nts_ntp_client.c
index 31c0960..effe060 100644
--- a/nts_ntp_client.c
+++ b/nts_ntp_client.c
@@ -335,6 +335,7 @@ NNC_GenerateRequestAuth(NNC_Instance inst, NTP_Packet *packet,
   inst->num_cookies--;
   inst->cookie_index = (inst->cookie_index + 1) % NTS_MAX_COOKIES;
 
+  inst->nak_response = 0;
   inst->ok_response = 0;
 
   return 1;
diff --git a/test/unit/nts_ntp_client.c b/test/unit/nts_ntp_client.c
index 448ff7e..ccfba91 100644
--- a/test/unit/nts_ntp_client.c
+++ b/test/unit/nts_ntp_client.c
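Review bot: The new `inst->nak_response = 0;` carries no comment explaining why the NAK indicator is cleared when a request is generated rather than when a valid response arrives, which is the whole point of this commit; a reader of NNC_GenerateRequestAuth() will only see it mirroring the `ok_response` reset on the next line. Suggest `/* A NAK only counts against the request it answers: clear it here so a spoofed NAK that is never followed by a valid response cannot force a new NTS-KE */`. Where nak_response is later read is outside the hunk, so whether it is consulted between two requests cannot be confirmed from here. NNC_GenerateRequestAuth() starts before the hunk, and any early-return paths above `inst->num_cookies--` are not visible.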
@@ -82,9 +82,11 @@ get_request(NNC_Instance inst)
   info.mode = MODE_CLIENT;
   info.length = random() % (sizeof (packet) + 1);
 
-  inst->num_cookies = 0;
+  if (inst->num_cookies > 0 && random() % 2) {
+    inst->num_cookies = 0;
 
-  TEST_CHECK(!NNC_GenerateRequestAuth(inst, &packet, &info));
+    TEST_CHECK(!NNC_GenerateRequestAuth(inst, &packet, &info));
+  }
 
   while (!NNC_PrepareForAuth(inst)) {
     inst->next_nke_attempt = SCH_GetLastEventMonoTime() + random() % 10 - 7;
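Review bot: The `inst->num_cookies > 0 && random() % 2` condition is unexplained, so it is not clear from get_request() why draining the cookies became optional. Suggest a comment above it: `/* Only sometimes force a cookie-less request (which must fail); otherwise the request is generated with a cookie, which exercises the NAK reset in NNC_GenerateRequestAuth() */`. The hunk itself only asserts the failing path; if the cleared nak_response is checked, that happens elsewhere in the test and is not visible here. get_request() continues past the hunk.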