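/*	$OpenBSD: client.c,v 1.106 2019/05/29 18:48:33 otto Exp $ */

/*
 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
 * Copyright (c) 2004 Alexander Guy <alexander.guy@andern.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <errno.h>
#include <md5.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#include "ntpd.h"

int	client_update(struct ntp_peer *);
void	set_deadline(struct ntp_peer *, time_t);

/*
 * Schedule the next query for peer p in t seconds (monotonic clock).
 * Clears any pending reply deadline and records t as the current poll
 * interval.
 */
void
set_next(struct ntp_peer *p, time_t t)
{
	p->next = getmonotime() + t;
	p->deadline = 0;
	p->poll = t;
}

/*
 * Arm the reply deadline for peer p, t seconds from now (monotonic clock).
 * Clears the next-query time; next and deadline are never both set by the
 * helpers in this file.
 */
void
set_deadline(struct ntp_peer *p, time_t t)
{
	p->deadline = getmonotime() + t;
	p->next = 0;
}

/*
 * Allocate and initialise the per-peer query state.
 *
 * The query structure is zero-allocated; allocation failure is fatal.
 * The peer starts at the lowest trust level with no socket open.
 * Returns the result of client_addr_init().
 */
int
client_peer_init(struct ntp_peer *p)
{
	if ((p->query = calloc(1, sizeof(struct ntp_query))) == NULL)
		fatal("client_peer_init calloc");
	p->query->fd = -1;
	p->query->msg.status = MODE_CLIENT | (NTP_VERSION << 3);
	p->state = STATE_NONE;
	p->shift = 0;
	p->trustlevel = TRUSTLEVEL_PATHETIC;
	p->lasterror = 0;
	p->senderrors = 0;

	return (client_addr_init(p));
}

/*
 * Walk the peer's address list, fill in the default NTP port (123) where
 * none was given and mark the peer as resolved.  An address family other
 * than AF_INET/AF_INET6 is treated as an internal error and is fatal.
 * Always returns 0.
 */
int
client_addr_init(struct ntp_peer *p)
{
	struct sockaddr_in	*sa_in;
	struct sockaddr_in6	*sa_in6;
	struct ntp_addr		*h;

	for (h = p->addr; h != NULL; h = h->next) {
		switch (h->ss.ss_family) {
		case AF_INET:
			sa_in = (struct sockaddr_in *)&h->ss;
			if (ntohs(sa_in->sin_port) == 0)
				sa_in->sin_port = htons(123);
			p->state = STATE_DNS_DONE;
			break;
		case AF_INET6:
			sa_in6 = (struct sockaddr_in6 *)&h->ss;
			if (ntohs(sa_in6->sin6_port) == 0)
				sa_in6->sin6_port = htons(123);
			p->state = STATE_DNS_DONE;
			break;
		default:
			fatalx("king bula sez: wrong AF in client_addr_init");
			/* NOTREACHED */
		}
	}

	p->query->fd = -1;
	set_next(p, 0);

	return (0);
}

/*
 * Move the peer on to its next address.
 *
 * Any open query socket is closed first, so a socket connected to the
 * previous address is never reused for the new one.  If no addresses are
 * known, a DNS lookup is requested through the privileged parent.
 *
 * Returns 0 when p->addr points at a usable address, -1 while a DNS
 * lookup is pending.  Trust and the sample index are reset because
 * samples from a different address say nothing about the new one.
 */
int
client_nextaddr(struct ntp_peer *p)
{
	if (p->query->fd != -1) {
		close(p->query->fd);
		p->query->fd = -1;
	}

	if (p->state == STATE_DNS_INPROGRESS)
		return (-1);

	if (p->addr_head.a == NULL) {
		priv_dns(IMSG_HOST_DNS, p->addr_head.name, p->id);
		p->state = STATE_DNS_INPROGRESS;
		return (-1);
	}

	/* advance, wrapping back to the head of the list */
	if (p->addr == NULL || (p->addr = p->addr->next) == NULL)
		p->addr = p->addr_head.a;

	p->shift = 0;
	p->trustlevel = TRUSTLEVEL_PATHETIC;

	return (0);
}

/*
 * Send one NTP query to the peer's current address.
 *
 * Opens, binds and connect()s a UDP socket on first use, then sends a
 * request whose transmit timestamp is a random 64-bit cookie.
 *
 * Returns 0 when a query was sent or the attempt was deferred, -1 when
 * the peer is not ready or the send/connect failed in a recoverable way.
 * Socket creation, bind and unexpected connect errors are fatal.
 */
int
client_query(struct ntp_peer *p)
{
	int	val;

	if (p->addr == NULL && client_nextaddr(p) == -1) {
		set_next(p, MAXIMUM(SETTIME_TIMEOUT,
		    scale_interval(INTERVAL_QUERY_AGGRESSIVE)));
		return (0);
	}

	/*
	 * Once the clock is synced, addresses flagged notauth are dropped
	 * and re-resolved.  NOTE(review): notauth presumably marks an
	 * address obtained without authenticated resolution -- confirm
	 * against the code that sets it.
	 */
	if (conf->status.synced && p->addr->notauth) {
		peer_addr_head_clear(p);
		client_nextaddr(p);
		return (0);
	}

	if (p->state < STATE_DNS_DONE || p->addr == NULL)
		return (-1);

	if (p->query->fd == -1) {
		struct sockaddr *sa = (struct sockaddr *)&p->addr->ss;
		struct sockaddr *qa4 = (struct sockaddr *)&p->query_addr4;
		struct sockaddr *qa6 = (struct sockaddr *)&p->query_addr6;

		if ((p->query->fd = socket(p->addr->ss.ss_family, SOCK_DGRAM,
		    0)) == -1)
			fatal("client_query socket");

		/* bind to the configured source address of the same family */
		if (p->addr->ss.ss_family == qa4->sa_family) {
			if (bind(p->query->fd, qa4, SA_LEN(qa4)) == -1)
				fatal("couldn't bind to IPv4 query address: %s",
				    log_sockaddr(qa4));
		} else if (p->addr->ss.ss_family == qa6->sa_family) {
			if (bind(p->query->fd, qa6, SA_LEN(qa6)) == -1)
				fatal("couldn't bind to IPv6 query address: %s",
				    log_sockaddr(qa6));
		}

		/*
		 * A connected UDP socket only receives datagrams whose
		 * source matches the peer address.  That filters stray
		 * traffic but not spoofed source addresses; the cookie
		 * below is what covers that case.
		 */
		if (connect(p->query->fd, sa, SA_LEN(sa)) == -1) {
			if (errno == ECONNREFUSED || errno == ENETUNREACH ||
			    errno == EHOSTUNREACH || errno == EADDRNOTAVAIL) {
				client_nextaddr(p);
				set_next(p, MAXIMUM(SETTIME_TIMEOUT,
				    scale_interval(INTERVAL_QUERY_AGGRESSIVE)));
				return (-1);
			} else
				fatal("client_query connect");
		}
		val = IPTOS_LOWDELAY;
		if (p->addr->ss.ss_family == AF_INET && setsockopt(p->query->fd,
		    IPPROTO_IP, IP_TOS, &val, sizeof(val)) == -1)
			log_warn("setsockopt IPTOS_LOWDELAY");
		/* the receive timestamp is required by client_dispatch() */
		val = 1;
		if (setsockopt(p->query->fd, SOL_SOCKET, SO_TIMESTAMP,
		    &val, sizeof(val)) == -1)
			fatal("setsockopt SO_TIMESTAMP");
	}

	/*
	 * Send out a random 64-bit number as our transmit time.  The NTP
	 * server will copy said number into the originate field on the
	 * response that it sends us.  This is totally legal per the SNTP spec.
	 *
	 * The impact of this is two fold: we no longer send out the current
	 * system time for the world to see (which may aid an attacker), and
	 * it gives us a (not very secure) way of knowing that we're not
	 * getting spoofed by an attacker that can't capture our traffic
	 * but can spoof packets from the NTP server we're communicating with.
	 *
	 * Save the real transmit timestamp locally.
	 */

	p->query->msg.xmttime.int_partl = arc4random();
	p->query->msg.xmttime.fractionl = arc4random();
	p->query->xmttime = gettime_corrected();

	if (ntp_sendmsg(p->query->fd, NULL, &p->query->msg) == -1) {
		p->senderrors++;
		set_next(p, INTERVAL_QUERY_PATHETIC);
		p->trustlevel = TRUSTLEVEL_PATHETIC;
		return (-1);
	}

	p->senderrors = 0;
	p->state = STATE_QUERY_SENT;
	set_deadline(p, QUERYTIME_MAX);

	return (0);
}

/*
 * Receive and validate one reply for peer p and, if it passes every
 * check, record it as a clock sample.
 *
 * p        peer whose query socket is readable
 * settime  when non-zero, the accepted offset is also handed to
 *          priv_settime()
 *
 * Checks applied, in order: recoverable receive errors, truncated
 * payload or control data, presence of a kernel receive timestamp,
 * datagram accepted by ntp_getmsg(), originate field equal to the cookie
 * we sent, leap-alarm / stratum sanity, timestamps not beyond JAN_2030,
 * the configured constraint (when set), and a non-negative round-trip
 * delay.
 *
 * Always returns 0; unexpected recvmsg() errors are fatal.
 */
int
client_dispatch(struct ntp_peer *p, u_int8_t settime)
{
	struct ntp_msg		 msg;
	struct msghdr		 somsg;
	struct iovec		 iov[1];
	struct timeval		 tv;
	char			 buf[NTP_MSGSIZE];
	/* union gives the control buffer cmsghdr alignment */
	union {
		struct cmsghdr	hdr;
		char		buf[CMSG_SPACE(sizeof(tv))];
	} cmsgbuf;
	struct cmsghdr		*cmsg;
	ssize_t			 size;
	double			 T1, T2, T3, T4;
	time_t			 interval;

	memset(&somsg, 0, sizeof(somsg));
	iov[0].iov_base = buf;
	iov[0].iov_len = sizeof(buf);
	somsg.msg_iov = iov;
	somsg.msg_iovlen = 1;
	somsg.msg_control = cmsgbuf.buf;
	somsg.msg_controllen = sizeof(cmsgbuf.buf);

	T4 = getoffset();
	if ((size = recvmsg(p->query->fd, &somsg, 0)) == -1) {
		if (errno == EHOSTUNREACH || errno == EHOSTDOWN ||
		    errno == ENETUNREACH || errno == ENETDOWN ||
		    errno == ECONNREFUSED || errno == EADDRNOTAVAIL ||
		    errno == ENOPROTOOPT || errno == ENOENT) {
			client_log_error(p, "recvmsg", errno);
			set_next(p, error_interval());
			return (0);
		} else
			/* message text predates the switch to recvmsg() */
			fatal("recvfrom");
	}

	/* a datagram larger than an NTP message is not a valid reply */
	if (somsg.msg_flags & MSG_TRUNC) {
		client_log_error(p, "recvmsg packet", EMSGSIZE);
		set_next(p, error_interval());
		return (0);
	}

	if (somsg.msg_flags & MSG_CTRUNC) {
		client_log_error(p, "recvmsg control data", E2BIG);
		set_next(p, error_interval());
		return (0);
	}

	/* add the kernel's receive timestamp to T4 */
	for (cmsg = CMSG_FIRSTHDR(&somsg); cmsg != NULL;
	    cmsg = CMSG_NXTHDR(&somsg, cmsg)) {
		if (cmsg->cmsg_level == SOL_SOCKET &&
		    cmsg->cmsg_type == SCM_TIMESTAMP) {
			memcpy(&tv, CMSG_DATA(cmsg), sizeof(tv));
			T4 += gettime_from_timeval(&tv);
			break;
		}
	}

	/*
	 * Without an SCM_TIMESTAMP message T4 still holds only the
	 * getoffset() value; this range check is what rejects that case.
	 */
	if (T4 < JAN_1970) {
		client_log_error(p, "recvmsg control format", EBADF);
		set_next(p, error_interval());
		return (0);
	}

	/*
	 * Do not look at msg unless ntp_getmsg() accepted the datagram.
	 * NOTE(review): ntp_getmsg() is defined elsewhere; it is expected to
	 * return -1 and leave msg unfilled when the length is not a valid
	 * NTP message size -- confirm.  A rejected datagram is dropped the
	 * same way as a cookie mismatch below, without touching the timers,
	 * so unsolicited traffic cannot reschedule the peer.
	 */
	if (ntp_getmsg((struct sockaddr *)&p->addr->ss, buf, size, &msg) == -1)
		return (0);

	/*
	 * The originate field must echo the random cookie sent by
	 * client_query().  Mismatches are ignored silently.
	 * NOTE(review): the cookie is not cleared after a match, so a
	 * duplicate of an accepted reply would pass this test again unless
	 * the caller gates on p->state -- not visible from this file.
	 */
	if (msg.orgtime.int_partl != p->query->msg.xmttime.int_partl ||
	    msg.orgtime.fractionl != p->query->msg.xmttime.fractionl)
		return (0);

	if ((msg.status & LI_ALARM) == LI_ALARM || msg.stratum == 0 ||
	    msg.stratum > NTP_MAXSTRATUM) {
		char s[16];

		if ((msg.status & LI_ALARM) == LI_ALARM) {
			strlcpy(s, "alarm", sizeof(s));
		} else if (msg.stratum == 0) {
			/* Kiss-o'-Death (KoD) packet */
			strlcpy(s, "KoD", sizeof(s));
		} else if (msg.stratum > NTP_MAXSTRATUM) {
			snprintf(s, sizeof(s), "stratum %d", msg.stratum);
		}
		interval = error_interval();
		set_next(p, interval);
		log_info("reply from %s: not synced (%s), next query %llds",
		    log_sockaddr((struct sockaddr *)&p->addr->ss), s,
		    (long long)interval);
		return (0);
	}

	/*
	 * From RFC 2030 (with a correction to the delay math):
	 *
	 *     Timestamp Name          ID   When Generated
	 *     ------------------------------------------------------------
	 *     Originate Timestamp     T1   time request sent by client
	 *     Receive Timestamp       T2   time request received by server
	 *     Transmit Timestamp      T3   time reply sent by server
	 *     Destination Timestamp   T4   time reply received by client
	 *
	 * The roundtrip delay d and local clock offset t are defined as
	 *
	 *    d = (T4 - T1) - (T3 - T2)     t = ((T2 - T1) + (T3 - T4)) / 2.
	 */

	/* T1 is the locally saved send time, not the cookie on the wire */
	T1 = p->query->xmttime;
	T2 = lfp_to_d(msg.rectime);
	T3 = lfp_to_d(msg.xmttime);

	/*
	 * XXX workaround: time_t / tv_sec must never wrap.
	 * around 2020 we will need a solution (64bit time_t / tv_sec).
	 * consider every answer with a timestamp beyond january 2030 bogus.
	 */
	if (T2 > JAN_2030 || T3 > JAN_2030) {
		set_next(p, error_interval());
		return (0);
	}

	/* Detect liars */
	if (conf->constraint_median != 0 &&
	    (constraint_check(T2) != 0 || constraint_check(T3) != 0)) {
		log_info("reply from %s: constraint check failed",
		    log_sockaddr((struct sockaddr *)&p->addr->ss));
		set_next(p, error_interval());
		return (0);
	}

	p->reply[p->shift].offset = ((T2 - T1) + (T3 - T4)) / 2;
	p->reply[p->shift].delay = (T4 - T1) - (T3 - T2);
	p->reply[p->shift].status.stratum = msg.stratum;
	if (p->reply[p->shift].delay < 0) {
		/*
		 * The slot now holds offset/delay from a rejected reply.
		 * If it was still marked good from an earlier sample,
		 * client_update() would pick the negative delay as the
		 * minimum, so invalidate it.
		 */
		p->reply[p->shift].good = 0;
		interval = error_interval();
		set_next(p, interval);
		log_info("reply from %s: negative delay %fs, "
		    "next query %llds",
		    log_sockaddr((struct sockaddr *)&p->addr->ss),
		    p->reply[p->shift].delay, (long long)interval);
		return (0);
	}
	p->reply[p->shift].error = (T2 - T1) - (T3 - T4);
	p->reply[p->shift].rcvd = getmonotime();
	p->reply[p->shift].good = 1;

	p->reply[p->shift].status.leap = (msg.status & LIMASK);
	p->reply[p->shift].status.precision = msg.precision;
	p->reply[p->shift].status.rootdelay = sfp_to_d(msg.rootdelay);
	p->reply[p->shift].status.rootdispersion = sfp_to_d(msg.dispersion);
	p->reply[p->shift].status.refid = msg.refid;
	p->reply[p->shift].status.reftime = lfp_to_d(msg.reftime);
	p->reply[p->shift].status.poll = msg.ppoll;

	if (p->addr->ss.ss_family == AF_INET) {
		p->reply[p->shift].status.send_refid =
		    ((struct sockaddr_in *)&p->addr->ss)->sin_addr.s_addr;
	} else if (p->addr->ss.ss_family == AF_INET6) {
		MD5_CTX		context;
		u_int8_t	digest[MD5_DIGEST_LENGTH];

		/*
		 * MD5 only folds the 128-bit address into a 32-bit
		 * reference id here; nothing relies on it for integrity
		 * or authentication.
		 */
		MD5Init(&context);
		MD5Update(&context, ((struct sockaddr_in6 *)&p->addr->ss)->
		    sin6_addr.s6_addr, sizeof(struct in6_addr));
		MD5Final(digest, &context);
		memcpy((char *)&p->reply[p->shift].status.send_refid, digest,
		    sizeof(u_int32_t));
	} else
		p->reply[p->shift].status.send_refid = msg.xmttime.fractionl;

	/* lower trust means more frequent polling */
	if (p->trustlevel < TRUSTLEVEL_PATHETIC)
		interval = scale_interval(INTERVAL_QUERY_PATHETIC);
	else if (p->trustlevel < TRUSTLEVEL_AGGRESSIVE)
		interval = scale_interval(INTERVAL_QUERY_AGGRESSIVE);
	else
		interval = scale_interval(INTERVAL_QUERY_NORMAL);

	set_next(p, interval);
	p->state = STATE_REPLY_RECEIVED;

	/* every received reply which we do not discard increases trust */
	if (p->trustlevel < TRUSTLEVEL_MAX) {
		if (p->trustlevel < TRUSTLEVEL_BADPEER &&
		    p->trustlevel + 1 >= TRUSTLEVEL_BADPEER)
			log_info("peer %s now valid",
			    log_sockaddr((struct sockaddr *)&p->addr->ss));
		p->trustlevel++;
	}

	log_debug("reply from %s: offset %f delay %f, "
	    "next query %llds",
	    log_sockaddr((struct sockaddr *)&p->addr->ss),
	    p->reply[p->shift].offset, p->reply[p->shift].delay,
	    (long long)interval);

	client_update(p);
	if (settime)
		priv_settime(p->reply[p->shift].offset);

	/* advance the ring index only after an accepted sample */
	if (++p->shift >= OFFSET_ARRAY_SIZE)
		p->shift = 0;

	return (0);
}

/*
 * Clock filter: pick the good sample with the lowest delay and publish it
 * as the peer's update.
 *
 * Returns -1 while fewer than 8 good samples are available, 0 otherwise.
 * When priv_adjtime() returns 0 the chosen sample and everything received
 * at or before it are invalidated.
 */
int
client_update(struct ntp_peer *p)
{
	int	i, best = 0, good = 0;

	/*
	 * clock filter
	 * find the offset which arrived with the lowest delay
	 * use that as the peer update
	 * invalidate it and all older ones
	 */

	/* locate the first good sample to seed "best" */
	for (i = 0; good == 0 && i < OFFSET_ARRAY_SIZE; i++)
		if (p->reply[i].good) {
			good++;
			best = i;
		}

	/* continue from there, counting good samples and tracking the min */
	for (; i < OFFSET_ARRAY_SIZE; i++)
		if (p->reply[i].good) {
			good++;
			if (p->reply[i].delay < p->reply[best].delay)
				best = i;
		}

	if (good < 8)
		return (-1);

	memcpy(&p->update, &p->reply[best], sizeof(p->update));
	if (priv_adjtime() == 0) {
		for (i = 0; i < OFFSET_ARRAY_SIZE; i++)
			if (p->reply[i].rcvd <= p->reply[best].rcvd)
				p->reply[i].good = 0;
	}
	return (0);
}

/*
 * Log a receive-path error for a peer, rate-limiting repeats.
 *
 * The first occurrence of a given error code is logged with log_warn();
 * an immediate repeat of the same code only goes to the debug log.
 */
void
client_log_error(struct ntp_peer *peer, const char *operation, int error)
{
	const char *address;

	address = log_sockaddr((struct sockaddr *)&peer->addr->ss);
	if (peer->lasterror == error) {
		log_debug("%s %s: %s", operation, address, strerror(error));
		return;
	}
	peer->lasterror = error;
	/*
	 * log_warn() (defined elsewhere) reports the current errno rather
	 * than taking a code.  Callers pass constants such as EMSGSIZE
	 * without setting errno, and log_sockaddr() above may have changed
	 * it, so load the code being reported.
	 */
	errno = error;
	log_warn("%s %s", operation, address);
}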