NTP peering broken since recent security update?

Dennis Glatting freebsd at pki2.com
Sun Apr 12 05:25:38 UTC 2015


On Thu, 2015-04-09 at 08:14 -1000, Kent Kuriyama wrote:
> Are you doing any NTP authentication between peers?
> 

ntp_proto.c appears to be the problem.

* If you restore the prior ntp_proto.c, peering works (at least for me).

* If you make the diffs from the enclosed patch against the updated
ntp_proto.c (i.e., the updated version from svn), peering works.

* Peering works for net/ntp and net/ntp-devel.

For a while I suspected it was an optimizer problem because it isn't
obvious to me why the patch works. I had resorted to backing chunks of
the updated ntp_proto.c and ntp_crypto.c out. I'm still testing.

I found my leap seconds file was way out of date. The installed ntpd
didn't report the problem but net/ntp complained.


Marvin# diff -c ntp_proto.c.orig ntp_proto.c
*** ntp_proto.c.orig	Sat Apr 11 23:51:43 2015
--- ntp_proto.c	Sat Apr 11 23:54:54 2015
***************
*** 948,957 ****
  			peer->flash |= TEST2;	/* bogus packet */
  	}
  
! 	/*
! 	 * If unsynchronized or bogus abandon ship. If the crypto machine
! 	 * breaks, light the crypto bit and plaint the log.
! 	 */
  	if (peer->flash & PKT_TEST_MASK) {
  #ifdef OPENSSL
  		if (crypto_flags && (peer->flags & FLAG_SKEY)) {
--- 948,960 ----
  			peer->flash |= TEST2;	/* bogus packet */
  	}
  
!  	/*
! 	 * Update the origin and destination timestamps. If
! 	 * unsynchronized or bogus abandon ship. If the crypto machine
!  	 * breaks, light the crypto bit and plaint the log.
!  	 */
! 	peer->org = p_xmt;
! 	peer->rec = rbufp->recv_time;
  	if (peer->flash & PKT_TEST_MASK) {
  #ifdef OPENSSL
  		if (crypto_flags && (peer->flags & FLAG_SKEY)) {
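Review bot: the two added assignments `peer->org = p_xmt;` and `peer->rec = rbufp->recv_time;` now execute before the `if (peer->flash & PKT_TEST_MASK)` guard, so a packet that the preceding tests have already flagged (the context two lines up shows `peer->flash |= TEST2; /* bogus packet */`) still overwrites the association's origin and receive timestamps before the code abandons it. The updated ntp_proto.c that this diff is taken against (the FreeBSD-SA-15:07.ntp version) performs that update only after the packet has passed the checks, so this change restores peering by relaxing the validation rather than by addressing why the peer packets fail it; once `peer->org` can be overwritten by a packet that failed TEST2, the next genuine packet is compared against a timestamp it cannot match, which is the kind of association disruption the ordering guards against. Before adopting it, read the failing peer's `flash` variable (`ntpq -c "rv <assid>"`) to learn which test the peer packets actually trip, and answer the upthread question about whether the peers share authentication keys, since the guarded block is also where the `FLAG_SKEY`/crypto handling lives. Minor: the new comment lines carry a stray space before the tab (`!  \t/*`), inconsistent with the surrounding indentation.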
***************
*** 994,1005 ****
  	/*
  	 * That was hard and I am sweaty, but the packet is squeaky
  	 * clean. Get on with real work.
- 	 *
- 	 * Update the origin and destination timestamps.
  	 */
- 	peer->org = p_xmt;
- 	peer->rec = rbufp->recv_time;
- 
  	peer->received++;
  	peer->timereceived = current_time;
  	if (is_authentic == AUTH_OK)
--- 997,1003 ----
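Review bot: with the assignments deleted here, nothing between the test block and `peer->received++` refreshes `peer->org` and `peer->rec` any more, so this hunk only makes sense together with the relocation in the earlier hunk; applied alone it leaves the timestamps never updated and every subsequent origin check failing. The remaining comment ("the packet is squeaky clean. Get on with real work.") now describes a point the timestamp update no longer waits for, so if the reordering is kept the comment should say that org/rec were already recorded before validation, otherwise a later reader will assume the tests still protect them. The empty new-side section (`--- 997,1003 ----` with no lines) is expected for a pure deletion in context-diff output and is not a defect.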
> On Thu, Apr 9, 2015 at 6:04 AM, Arthur Chance <freebsd at qeng-ho.org> wrote:
> 
> > I have three NTP servers on my internal networks. Each of them uses
> > various external machines as servers but they also peer with the other two
> > internal ones to give some resilience in case the outside world goes away.
> > Since the update and restart associated with FreeBSD-SA-15:07.ntp the ntpd
> > processes appear to be unable to see peers (reach = 0) although they're
> > locking onto the servers quite happily.
> >
> > Anyone else seeing this?
> >
> > --
> > Those who do not learn from computing history are doomed to
> > GOTO 1
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-
> > unsubscribe at freebsd.org"
> >
