http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=550a80b0iGyIv4t9J1GJ_74V_eEx4A http://bugs.ntp.org/show_bug.cgi?id=2779
diff -Naurp ntp-4.2.6p5/ntpd/ntp_proto.c ntp-4.2.6p5.oden/ntpd/ntp_proto.c
--- ntp-4.2.6p5/ntpd/ntp_proto.c 2015-04-08 09:09:56.000000000 +0200
+++ ntp-4.2.6p5.oden/ntpd/ntp_proto.c 2015-04-08 09:09:31.000000000 +0200
@@ -1130,19 +1130,21 @@ receive(
 #endif /* OPENSSL */
 return;
- /*
- * If the digest fails, the client cannot authenticate a server
+ /*
+ * If the digest fails or it's missing for authenticated
+ * associations, the client cannot authenticate a server
 * reply to a client packet previously sent. The loopback check
 * is designed to avoid a bait-and-switch attack, which was
 * possible in past versions. If symmetric modes, return a
 * crypto-NAK. The peer should restart the protocol.
 */
- } else if (!AUTH(has_mac || (restrict_mask & RES_DONTTRUST),
- is_authentic)) {
+ } else if (!AUTH(peer->keyid || has_mac ||
+ (restrict_mask & RES_DONTTRUST), is_authentic)) {
 report_event(PEVNT_AUTH, peer, "digest");
 peer->flash |= TEST5; /* bad auth */
 peer->badauth++;
- if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)
+ if (has_mac &&
+ (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
 fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
 if (peer->flags & FLAG_PREEMPT) {
 unpeer(peer);
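Review bot: The block comment above the `else if` still says a crypto-NAK is returned in symmetric modes, but the new `if (has_mac && ...)` guard sends it only when the packet carried a MAC, so the last two comment lines should say so, e.g. `* possible in past versions. In symmetric modes, return a crypto-NAK` / `* only if the packet carried a MAC. The peer should restart the protocol.` The condition now reads `peer->keyid` before anything in the branch body touches `peer`, so it relies on `peer` being non-NULL at this point; the hunk does not show that check, and `receive()` starts and ends outside it. A MAC-less packet on a keyed association now takes the same failure path as a bad digest (`TEST5`, `badauth++`, and `unpeer()` for `FLAG_PREEMPT` peers), so it is worth confirming that these state changes are intended for input that carries no authentication at all.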