1 /* $OpenBSD: client.c,v 1.88 2009/06/24 17:34:32 henning Exp $ */ 2 3 /* 4 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 5 * Copyright (c) 2004 Alexander Guy <alexander.guy@andern.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER 16 * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 17 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/param.h> 21 #include <errno.h> 22 #include <md5.h> 23 #include <stdio.h> 24 #include <stdlib.h> 25 #include <string.h> 26 #include <time.h> 27 #include <unistd.h> 28 29 #include "ntpd.h" 30 31 int client_update(struct ntp_peer *); 32 void set_deadline(struct ntp_peer *, time_t); 33 34 void 35 set_next(struct ntp_peer *p, time_t t) 36 { 37 p->next = getmonotime() + t; 38 p->deadline = 0; 39 } 40 41 void 42 set_deadline(struct ntp_peer *p, time_t t) 43 { 44 p->deadline = getmonotime() + t; 45 p->next = 0; 46 } 47 48 int 49 client_peer_init(struct ntp_peer *p) 50 { 51 if ((p->query = calloc(1, sizeof(struct ntp_query))) == NULL) 52 fatal("client_peer_init calloc"); 53 p->query->fd = -1; 54 p->query->msg.status = MODE_CLIENT | (NTP_VERSION << 3); 55 p->state = STATE_NONE; 56 p->shift = 0; 57 p->trustlevel = TRUSTLEVEL_PATHETIC; 58 p->lasterror = 0; 59 p->senderrors = 0; 60 61 return (client_addr_init(p)); 62 } 63 64 int 65 client_addr_init(struct ntp_peer *p) 66 { 67 struct sockaddr_in *sa_in; 68 struct sockaddr_in6 *sa_in6; 69 struct ntp_addr *h; 70 71 for (h = p->addr; h != NULL; h = h->next) { 72 switch (h->ss.ss_family) { 73 case AF_INET: 74 sa_in = (struct sockaddr_in *)&h->ss; 75 if (ntohs(sa_in->sin_port) == 0) 76 sa_in->sin_port = htons(123); 77 p->state = STATE_DNS_DONE; 78 break; 79 case AF_INET6: 80 sa_in6 = (struct sockaddr_in6 *)&h->ss; 81 if (ntohs(sa_in6->sin6_port) == 0) 82 sa_in6->sin6_port = htons(123); 83 p->state = STATE_DNS_DONE; 84 break; 85 default: 86 fatalx("king bula sez: wrong AF in client_addr_init"); 87 /* not reached */ 88 } 89 } 90 91 p->query->fd = -1; 92 set_next(p, 0); 93 94 return (0); 95 } 96 97 int 98 client_nextaddr(struct ntp_peer *p) 99 { 100 if (p->query->fd != -1) { 101 close(p->query->fd); 102 p->query->fd = -1; 103 } 104 105 if (p->state == STATE_DNS_INPROGRESS) 106 return (-1); 107 108 if (p->addr_head.a == NULL) { 109 priv_host_dns(p->addr_head.name, p->id); 110 p->state = STATE_DNS_INPROGRESS; 111 return (-1); 112 } 113 114 if ((p->addr = p->addr->next) == NULL) 115 p->addr = p->addr_head.a; 116 117 p->shift = 0; 118 p->trustlevel = TRUSTLEVEL_PATHETIC; 119 120 return (0); 121 } 122 123 int 124 client_query(struct ntp_peer *p) 125 { 126 int val; 127 128 if (p->addr == NULL && client_nextaddr(p) == -1) { 129 set_next(p, MAX(SETTIME_TIMEOUT, 130 scale_interval(INTERVAL_QUERY_AGGRESSIVE))); 131 return (0); 132 } 133 134 if (p->state < STATE_DNS_DONE || p->addr == NULL) 135 return (-1); 136 137 if (p->query->fd == -1) { 138 struct sockaddr *sa = (struct sockaddr *)&p->addr->ss; 139 140 if ((p->query->fd = socket(p->addr->ss.ss_family, SOCK_DGRAM, 141 0)) == -1) 142 fatal("client_query socket"); 143 if (connect(p->query->fd, sa, SA_LEN(sa)) == -1) { 144 if (errno == ECONNREFUSED || errno == ENETUNREACH || 145 errno == EHOSTUNREACH || errno == EADDRNOTAVAIL) { 146 client_nextaddr(p); 147 set_next(p, MAX(SETTIME_TIMEOUT, 148 scale_interval(INTERVAL_QUERY_AGGRESSIVE))); 149 return (-1); 150 } else 151 fatal("client_query connect"); 152 } 153 val = IPTOS_LOWDELAY; 154 if (p->addr->ss.ss_family == AF_INET && setsockopt(p->query->fd, 155 IPPROTO_IP, IP_TOS, &val, sizeof(val)) == -1) 156 log_warn("setsockopt IPTOS_LOWDELAY"); 157 val = 1; 158 if (setsockopt(p->query->fd, SOL_SOCKET, SO_TIMESTAMP, 159 &val, sizeof(val)) == -1) 160 fatal("setsockopt SO_TIMESTAMP"); 161 } 162 163 /* 164 * Send out a random 64-bit number as our transmit time. The NTP 165 * server will copy said number into the originate field on the 166 * response that it sends us. This is totally legal per the SNTP spec. 167 * 168 * The impact of this is two fold: we no longer send out the current 169 * system time for the world to see (which may aid an attacker), and 170 * it gives us a (not very secure) way of knowing that we're not 171 * getting spoofed by an attacker that can't capture our traffic 172 * but can spoof packets from the NTP server we're communicating with. 173 * 174 * Save the real transmit timestamp locally. 175 */ 176 177 p->query->msg.xmttime.int_partl = arc4random(); 178 p->query->msg.xmttime.fractionl = arc4random(); 179 p->query->xmttime = gettime_corrected(); 180 181 if (ntp_sendmsg(p->query->fd, NULL, &p->query->msg, 182 NTP_MSGSIZE_NOAUTH, 0) == -1) { 183 p->senderrors++; 184 set_next(p, INTERVAL_QUERY_PATHETIC); 185 p->trustlevel = TRUSTLEVEL_PATHETIC; 186 return (-1); 187 } 188 189 p->senderrors = 0; 190 p->state = STATE_QUERY_SENT; 191 set_deadline(p, QUERYTIME_MAX); 192 193 return (0); 194 } 195 196 int 197 client_dispatch(struct ntp_peer *p, u_int8_t settime) 198 { 199 struct ntp_msg msg; 200 struct msghdr somsg; 201 struct iovec iov[1]; 202 struct timeval tv; 203 char buf[NTP_MSGSIZE]; 204 union { 205 struct cmsghdr hdr; 206 char buf[CMSG_SPACE(sizeof(tv))]; 207 } cmsgbuf; 208 struct cmsghdr *cmsg; 209 ssize_t size; 210 double T1, T2, T3, T4; 211 time_t interval; 212 213 bzero(&somsg, sizeof(somsg)); 214 iov[0].iov_base = buf; 215 iov[0].iov_len = sizeof(buf); 216 somsg.msg_iov = iov; 217 somsg.msg_iovlen = 1; 218 somsg.msg_control = cmsgbuf.buf; 219 somsg.msg_controllen = sizeof(cmsgbuf.buf); 220 221 T4 = getoffset(); 222 if ((size = recvmsg(p->query->fd, &somsg, 0)) == -1) { 223 if (errno == EHOSTUNREACH || errno == EHOSTDOWN || 224 errno == ENETUNREACH || errno == ENETDOWN || 225 errno == ECONNREFUSED || errno == EADDRNOTAVAIL || 226 errno == ENOPROTOOPT || errno == ENOENT) { 227 client_log_error(p, "recvmsg", errno); 228 set_next(p, error_interval()); 229 return (0); 230 } else 231 fatal("recvfrom"); 232 } 233 234 if (somsg.msg_flags & MSG_TRUNC) { 235 client_log_error(p, "recvmsg packet", EMSGSIZE); 236 set_next(p, error_interval()); 237 return (0); 238 } 239 240 if (somsg.msg_flags & MSG_CTRUNC) { 241 client_log_error(p, "recvmsg control data", E2BIG); 242 set_next(p, error_interval()); 243 return (0); 244 } 245 246 for (cmsg = CMSG_FIRSTHDR(&somsg); cmsg != NULL; 247 cmsg = CMSG_NXTHDR(&somsg, cmsg)) { 248 if (cmsg->cmsg_level == SOL_SOCKET && 249 cmsg->cmsg_type == SCM_TIMESTAMP) { 250 memcpy(&tv, CMSG_DATA(cmsg), sizeof(tv)); 251 T4 += tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec; 252 break; 253 } 254 } 255 256 if (T4 < JAN_1970) { 257 client_log_error(p, "recvmsg control format", EBADF); 258 set_next(p, error_interval()); 259 return (0); 260 } 261 262 ntp_getmsg((struct sockaddr *)&p->addr->ss, buf, size, &msg); 263 264 if (msg.orgtime.int_partl != p->query->msg.xmttime.int_partl || 265 msg.orgtime.fractionl != p->query->msg.xmttime.fractionl) 266 return (0); 267 268 if ((msg.status & LI_ALARM) == LI_ALARM || msg.stratum == 0 || 269 msg.stratum > NTP_MAXSTRATUM) { 270 char s[16]; 271 272 if ((msg.status & LI_ALARM) == LI_ALARM) { 273 strlcpy(s, "alarm", sizeof(s)); 274 } else if (msg.stratum == 0) { 275 /* Kiss-o'-Death (KoD) packet */ 276 strlcpy(s, "KoD", sizeof(s)); 277 } else if (msg.stratum > NTP_MAXSTRATUM) { 278 snprintf(s, sizeof(s), "stratum %d", msg.stratum); 279 } 280 interval = error_interval(); 281 set_next(p, interval); 282 log_info("reply from %s: not synced (%s), next query %ds", 283 log_sockaddr((struct sockaddr *)&p->addr->ss), s, 284 interval); 285 return (0); 286 } 287 288 /* 289 * From RFC 2030 (with a correction to the delay math): 290 * 291 * Timestamp Name ID When Generated 292 * ------------------------------------------------------------ 293 * Originate Timestamp T1 time request sent by client 294 * Receive Timestamp T2 time request received by server 295 * Transmit Timestamp T3 time reply sent by server 296 * Destination Timestamp T4 time reply received by client 297 * 298 * The roundtrip delay d and local clock offset t are defined as 299 * 300 * d = (T4 - T1) - (T3 - T2) t = ((T2 - T1) + (T3 - T4)) / 2. 301 */ 302 303 T1 = p->query->xmttime; 304 T2 = lfp_to_d(msg.rectime); 305 T3 = lfp_to_d(msg.xmttime); 306 307 /* 308 * XXX workaround: time_t / tv_sec must never wrap. 309 * around 2020 we will need a solution (64bit time_t / tv_sec). 310 * consider every answer with a timestamp beyond january 2030 bogus. 311 */ 312 if (T2 > JAN_2030 || T3 > JAN_2030) { 313 set_next(p, error_interval()); 314 return (0); 315 } 316 317 p->reply[p->shift].offset = ((T2 - T1) + (T3 - T4)) / 2; 318 p->reply[p->shift].delay = (T4 - T1) - (T3 - T2); 319 if (p->reply[p->shift].delay < 0) { 320 interval = error_interval(); 321 set_next(p, interval); 322 log_info("reply from %s: negative delay %fs, " 323 "next query %ds", 324 log_sockaddr((struct sockaddr *)&p->addr->ss), 325 p->reply[p->shift].delay, interval); 326 return (0); 327 } 328 p->reply[p->shift].error = (T2 - T1) - (T3 - T4); 329 p->reply[p->shift].rcvd = getmonotime(); 330 p->reply[p->shift].good = 1; 331 332 p->reply[p->shift].status.leap = (msg.status & LIMASK); 333 p->reply[p->shift].status.precision = msg.precision; 334 p->reply[p->shift].status.rootdelay = sfp_to_d(msg.rootdelay); 335 p->reply[p->shift].status.rootdispersion = sfp_to_d(msg.dispersion); 336 p->reply[p->shift].status.refid = msg.refid; 337 p->reply[p->shift].status.reftime = lfp_to_d(msg.reftime); 338 p->reply[p->shift].status.poll = msg.ppoll; 339 p->reply[p->shift].status.stratum = msg.stratum; 340 341 if (p->addr->ss.ss_family == AF_INET) { 342 p->reply[p->shift].status.send_refid = 343 ((struct sockaddr_in *)&p->addr->ss)->sin_addr.s_addr; 344 } else if (p->addr->ss.ss_family == AF_INET6) { 345 MD5_CTX context; 346 u_int8_t digest[MD5_DIGEST_LENGTH]; 347 348 MD5Init(&context); 349 MD5Update(&context, ((struct sockaddr_in6 *)&p->addr->ss)-> 350 sin6_addr.s6_addr, sizeof(struct in6_addr)); 351 MD5Final(digest, &context); 352 memcpy((char *)&p->reply[p->shift].status.send_refid, digest, 353 sizeof(u_int32_t)); 354 } else 355 p->reply[p->shift].status.send_refid = msg.xmttime.fractionl; 356 357 if (p->trustlevel < TRUSTLEVEL_PATHETIC) 358 interval = scale_interval(INTERVAL_QUERY_PATHETIC); 359 else if (p->trustlevel < TRUSTLEVEL_AGGRESSIVE) 360 interval = scale_interval(INTERVAL_QUERY_AGGRESSIVE); 361 else 362 interval = scale_interval(INTERVAL_QUERY_NORMAL); 363 364 set_next(p, interval); 365 p->state = STATE_REPLY_RECEIVED; 366 367 /* every received reply which we do not discard increases trust */ 368 if (p->trustlevel < TRUSTLEVEL_MAX) { 369 if (p->trustlevel < TRUSTLEVEL_BADPEER && 370 p->trustlevel + 1 >= TRUSTLEVEL_BADPEER) 371 log_info("peer %s now valid", 372 log_sockaddr((struct sockaddr *)&p->addr->ss)); 373 p->trustlevel++; 374 } 375 376 log_debug("reply from %s: offset %f delay %f, " 377 "next query %ds", log_sockaddr((struct sockaddr *)&p->addr->ss), 378 p->reply[p->shift].offset, p->reply[p->shift].delay, interval); 379 380 client_update(p); 381 if (settime) 382 priv_settime(p->reply[p->shift].offset); 383 384 if (++p->shift >= OFFSET_ARRAY_SIZE) 385 p->shift = 0; 386 387 return (0); 388 } 389 390 int 391 client_update(struct ntp_peer *p) 392 { 393 int i, best = 0, good = 0; 394 395 /* 396 * clock filter 397 * find the offset which arrived with the lowest delay 398 * use that as the peer update 399 * invalidate it and all older ones 400 */ 401 402 for (i = 0; good == 0 && i < OFFSET_ARRAY_SIZE; i++) 403 if (p->reply[i].good) { 404 good++; 405 best = i; 406 } 407 408 for (; i < OFFSET_ARRAY_SIZE; i++) 409 if (p->reply[i].good) { 410 good++; 411 if (p->reply[i].delay < p->reply[best].delay) 412 best = i; 413 } 414 415 if (good < 8) 416 return (-1); 417 418 memcpy(&p->update, &p->reply[best], sizeof(p->update)); 419 if (priv_adjtime() == 0) { 420 for (i = 0; i < OFFSET_ARRAY_SIZE; i++) 421 if (p->reply[i].rcvd <= p->reply[best].rcvd) 422 p->reply[i].good = 0; 423 } 424 return (0); 425 } 426 427 void 428 client_log_error(struct ntp_peer *peer, const char *operation, int error) 429 { 430 const char *address; 431 432 address = log_sockaddr((struct sockaddr *)&peer->addr->ss); 433 if (peer->lasterror == error) { 434 log_debug("%s %s: %s", operation, address, strerror(error)); 435 return; 436 } 437 peer->lasterror = error; 438 log_warn("%s %s", operation, address); 439 } 440