[chrony-dev] 'Bug/Implementation' fix for v3 NTP client using 'authentication' with key id == 0
- To: chrony-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: [chrony-dev] 'Bug/Implementation' fix for v3 NTP client using 'authentication' with key id == 0
- From: Jan Vanhercke <jan.vanhercke@xxxxxxxx>
- Date: Thu, 7 May 2026 11:42:02 +0200
- Organization: MiMiR bv
Hi,
Since we switched from ntpd to chrony 4.6.1, some of our appliances
could no longer sync.
After some debugging we discovered that these clients are using v3 NTP
with authentication, but using a key id == 0, although the RFC specifies
that the key id must be greater than 1.
I could not find a clear stipulation of what must be done with a packet
having key id == 0. The pseudo seems to imply it must be calculated and
the hash verified, but since the key id should not exist, what should
the output of the hash then be?
Anyhow, the appliances we use expect no authentication to occur. Since we
really wanted to switch to chrony we implemented a patch that reverts to
no authentication when the keyid == 0 to cover this gray zone.
The fix works and has been put in production. Hopefully this can be
incorporated in the mainline.
Below is the diff of our code against git tag 4.6.1:
diff --git a/ntp_core.c b/ntp_core.c
index 2965413..2cc98e7 100644
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -1586,11 +1586,11 @@ parse_packet(NTP_Packet *packet, int length,
NTP_PacketInfo *info)
/* Check if it is an MS-SNTP authenticator field or extended
authenticator
field with zeroes as digest */
- if (info->version == 3 && info->auth.mac.key_id != 0) {
+ if (info->version == 3) {
if (remainder == 20 && is_zero_data(data + parsed + 4, remainder
- 4))
- info->auth.mode = NTP_AUTH_MSSNTP;
+ info->auth.mode = (info->auth.mac.key_id != 0) ?
NTP_AUTH_MSSNTP : NTP_AUTH_NONE;
else if (remainder == 72 && is_zero_data(data + parsed + 8,
remainder - 8))
- info->auth.mode = NTP_AUTH_MSSNTP_EXT;
+ info->auth.mode = (info->auth.mac.key_id != 0) ?
NTP_AUTH_MSSNTP_EXT : NTP_AUTH_NONE;
}
return 1;
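Review bot: In the `remainder == 20` and `remainder == 72` branches, a v3 packet with key id 0 and an all-zero digest is now set to NTP_AUTH_NONE unconditionally and without any trace, while the comment above the condition still describes only the MS-SNTP case. Please update that comment to state that key id 0 with a zeroed digest is deliberately treated as unauthenticated, and consider making the fallback opt-in, because it changes the classification for every v3 sender rather than only the affected appliances. The `info->auth.mac.key_id != 0` test is also repeated in both ternaries; evaluating it once before the `remainder` checks would be easier to read. Note too that both branches still require `is_zero_data(...)`, so a key id 0 packet carrying a non-zero digest is not changed by this hunk; it would help to say whether that is intended.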