CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()

Upstream-Status: Backport [Debian]

Signed-off-by: Armin Kuster <akuster808@gmail.com>

Index: git/ntpd/ntp_config.c
===================================================================
--- git.orig/ntpd/ntp_config.c	2014-12-20 18:45:45.232872120 +0100
+++ git/ntpd/ntp_config.c	2014-12-20 18:45:47.672921968 +0100
@@ -1866,13 +1866,16 @@
 		req_hashlen = digest_len;
 #endif
 	} else {
-		int	rankey;
+		unsigned char rankey[16];
+
+		if (ntp_crypto_random_buf(rankey, sizeof (rankey))) {
+			msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
+			exit(1);
+		}
 
-		rankey = ntp_random();
 		req_keytype = NID_md5;
 		req_hashlen = 16;
-		MD5auth_setkey(req_keyid, req_keytype,
-		    (u_char *)&rankey, sizeof(rankey));
+		MD5auth_setkey(req_keyid, req_keytype, rankey, sizeof(rankey));
 		authtrust(req_keyid, 1);
 	}
 
Index: git/ntpd/ntpd.c
===================================================================
--- git.orig/ntpd/ntpd.c	2014-12-20 18:45:45.232872120 +0100
+++ git/ntpd/ntpd.c	2014-12-20 18:45:47.672921968 +0100
@@ -597,6 +597,7 @@
 	get_systime(&now);
 
 	ntp_srandom((int)(now.l_i * now.l_uf));
+	ntp_crypto_srandom();
 
 #if !defined(VMS)
 # ifndef NODETACH