Date: Sat, 11 Apr 2015 22:25:25 -0700
From: Dennis Glatting <freebsd@pki2.com>
To: Kent Kuriyama <kent.kuriyama@gmail.com>
Cc: Arthur Chance <freebsd@qeng-ho.org>, FreeBSD-Questions <freebsd-questions@freebsd.org>
Subject: Re: NTP peering broken since recent security update?
Message-ID: <1428816325.33049.17.camel@pki2.com>
In-Reply-To: <CACArijCGxeFFzuP6X=vyvz%2B5CR25ik74jvrdPsSUv2yFVjz3OA@mail.gmail.com>
References: <5526A2F1.5030609@qeng-ho.org> <CACArijCGxeFFzuP6X=vyvz%2B5CR25ik74jvrdPsSUv2yFVjz3OA@mail.gmail.com>
On Thu, 2015-04-09 at 08:14 -1000, Kent Kuriyama wrote:
> Are you doing any NTP authentication between peers?
>

ntp_proto.c appears to be the problem.

* If you restore the prior ntp_proto.c, peering works (at least for me).

* If you make the diffs from the enclosed patch against the updated ntp_proto.c (i.e., the updated version from svn), peering works.

* Peering works for net/ntp and net/ntp-devel.

For a while I suspected it was an optimizer problem because it isn't obvious to me why the patch works. I had resorted to backing chunks of the updated ntp_proto.c and ntp_crypto.c out. I'm still testing.

I found my leap seconds file was way out of date. The installed ntpd didn't report the problem but net/ntp complained.

Marvin# diff -c ntp_proto.c.orig ntp_proto.c
*** ntp_proto.c.orig Sat Apr 11 23:51:43 2015
--- ntp_proto.c Sat Apr 11 23:54:54 2015
***************
*** 948,957 ****
peer->flash |= TEST2; /* bogus packet */ } ! /* ! * If unsynchronized or bogus abandon ship. If the crypto machine ! * breaks, light the crypto bit and plaint the log. ! */ if (peer->flash & PKT_TEST_MASK) { #ifdef OPENSSL if (crypto_flags && (peer->flags & FLAG_SKEY)) {
--- 948,960 ----
peer->flash |= TEST2; /* bogus packet */ } ! /* ! * Update the origin and destination timestamps. If ! * unsynchronized or bogus abandon ship. If the crypto machine ! * breaks, light the crypto bit and plaint the log. ! */ ! peer->org = p_xmt; ! peer->rec = rbufp->recv_time; if (peer->flash & PKT_TEST_MASK) { #ifdef OPENSSL if (crypto_flags && (peer->flags & FLAG_SKEY)) {
***************
*** 994,1005 ****
/* * That was hard and I am sweaty, but the packet is squeaky * clean. Get on with real work. - * - * Update the origin and destination timestamps. */ - peer->org = p_xmt; - peer->rec = rbufp->recv_time; - peer->received++; peer->timereceived = current_time; if (is_authentic == AUTH_OK)
--- 997,1003 ----

> On Thu, Apr 9, 2015 at 6:04 AM, Arthur Chance <freebsd@qeng-ho.org> wrote:
>
> > I have three NTP servers on my internal networks. Each of them uses
> > various external machines as servers but they also peer with the other two
> > internal ones to give some resilience in case the outside world goes away.
> > Since the update and restart associated with FreeBSD-SA-15:07.ntp the ntpd
> > processes appear to be unable to see peers (reach = 0) although they're
> > locking onto the servers quite happily.
> >
> > Anyone else seeing this?
> >
> > --
> > Those who do not learn from computing history are doomed to
> > GOTO 1
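Review bot: in the first hunk (948,957 to 948,960), moving `peer->org = p_xmt;` and `peer->rec = rbufp->recv_time;` above `if (peer->flash & PKT_TEST_MASK)` means a packet that has just failed the sanity tests (TEST2 "bogus packet" is set a few lines earlier) still overwrites the peer's origin and receive timestamps before the code abandons ship. The updated ntp_proto.c records those timestamps only after the packet is accepted, so this change restores the pre-update ordering, and with it the ability of a packet flagged bogus to move a peer's expected origin timestamp. That explains why it makes peering come back, but it should be read as a diagnostic that localizes the regression to this ordering, not as a fix to keep on production servers; the symmetric-peer configuration (and whether authentication is in use, as asked above) is what the upstream report needs.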
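Review bot: in the second hunk (994,1005 to 997,1003) the line counts say five lines go away, which matches the two comment lines, the two assignments and one blank line, so `peer->received++;` should survive as unchanged context. The way the mail flattened the diff makes it look as though `peer->received++;` is removed too; please confirm it is kept, since anyone applying this by hand from the message could easily drop it.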