1 /* $OpenBSD: client.c,v 1.118 2023/12/20 15:36:36 otto Exp $ */
2
3 /*
4 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
5 * Copyright (c) 2004 Alexander Guy <alexander.guy@andern.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20 #include <sys/types.h>
21 #include <errno.h>
22 #include <md5.h>
23 #include <stdio.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <time.h>
27 #include <unistd.h>
28
29 #include "ntpd.h"
30
31 int client_update(struct ntp_peer *);
32 int auto_cmp(const void *, const void *);
33 void handle_auto(u_int8_t, double);
34 void set_deadline(struct ntp_peer *, time_t);
35
36 void
set_next(struct ntp_peer * p,time_t t)37 set_next(struct ntp_peer *p, time_t t)
38 {
39 p->next = getmonotime() + t;
40 p->deadline = 0;
41 p->poll = t;
42 }
43
44 void
set_deadline(struct ntp_peer * p,time_t t)45 set_deadline(struct ntp_peer *p, time_t t)
46 {
47 p->deadline = getmonotime() + t;
48 p->next = 0;
49 }
50
51 int
client_peer_init(struct ntp_peer * p)52 client_peer_init(struct ntp_peer *p)
53 {
54 p->query.fd = -1;
55 p->query.msg.status = MODE_CLIENT | (NTP_VERSION << 3);
56 p->query.xmttime = 0;
57 p->state = STATE_NONE;
58 p->shift = 0;
59 p->trustlevel = TRUSTLEVEL_PATHETIC;
60 p->lasterror = 0;
61 p->senderrors = 0;
62
63 return (client_addr_init(p));
64 }
65
66 int
client_addr_init(struct ntp_peer * p)67 client_addr_init(struct ntp_peer *p)
68 {
69 struct sockaddr_in *sa_in;
70 struct sockaddr_in6 *sa_in6;
71 struct ntp_addr *h;
72
73 for (h = p->addr; h != NULL; h = h->next) {
74 switch (h->ss.ss_family) {
75 case AF_INET:
76 sa_in = (struct sockaddr_in *)&h->ss;
77 if (ntohs(sa_in->sin_port) == 0)
78 sa_in->sin_port = htons(123);
79 p->state = STATE_DNS_DONE;
80 break;
81 case AF_INET6:
82 sa_in6 = (struct sockaddr_in6 *)&h->ss;
83 if (ntohs(sa_in6->sin6_port) == 0)
84 sa_in6->sin6_port = htons(123);
85 p->state = STATE_DNS_DONE;
86 break;
87 default:
88 fatalx("king bula sez: wrong AF in client_addr_init");
89 /* NOTREACHED */
90 }
91 }
92
93 p->query.fd = -1;
94 set_next(p, 0);
95
96 return (0);
97 }
98
99 int
client_nextaddr(struct ntp_peer * p)100 client_nextaddr(struct ntp_peer *p)
101 {
102 if (p->query.fd != -1) {
103 close(p->query.fd);
104 p->query.fd = -1;
105 }
106
107 if (p->state == STATE_DNS_INPROGRESS)
108 return (-1);
109
110 if (p->addr_head.a == NULL) {
111 priv_dns(IMSG_HOST_DNS, p->addr_head.name, p->id);
112 p->state = STATE_DNS_INPROGRESS;
113 return (-1);
114 }
115
116 p->shift = 0;
117 p->trustlevel = TRUSTLEVEL_PATHETIC;
118
119 if (p->addr == NULL)
120 p->addr = p->addr_head.a;
121 else if ((p->addr = p->addr->next) == NULL)
122 return (1);
123
124 return (0);
125 }
126
127 int
client_query(struct ntp_peer * p)128 client_query(struct ntp_peer *p)
129 {
130 int val;
131
132 if (p->addr == NULL && client_nextaddr(p) == -1) {
133 if (conf->settime)
134 set_next(p, INTERVAL_AUIO_DNSFAIL);
135 else
136 set_next(p, MAXIMUM(SETTIME_TIMEOUT,
137 scale_interval(INTERVAL_QUERY_AGGRESSIVE)));
138 return (0);
139 }
140
141 if (conf->status.synced && p->addr->notauth) {
142 peer_addr_head_clear(p);
143 client_nextaddr(p);
144 return (0);
145 }
146
147 if (p->state < STATE_DNS_DONE || p->addr == NULL)
148 return (-1);
149
150 if (p->query.fd == -1) {
151 struct sockaddr *sa = (struct sockaddr *)&p->addr->ss;
152 struct sockaddr *qa4 = (struct sockaddr *)&p->query_addr4;
153 struct sockaddr *qa6 = (struct sockaddr *)&p->query_addr6;
154
155 if ((p->query.fd = socket(p->addr->ss.ss_family, SOCK_DGRAM,
156 0)) == -1)
157 fatal("client_query socket");
158
159 if (p->addr->ss.ss_family == qa4->sa_family) {
160 if (bind(p->query.fd, qa4, SA_LEN(qa4)) == -1)
161 fatal("couldn't bind to IPv4 query address: %s",
162 log_sockaddr(qa4));
163 } else if (p->addr->ss.ss_family == qa6->sa_family) {
164 if (bind(p->query.fd, qa6, SA_LEN(qa6)) == -1)
165 fatal("couldn't bind to IPv6 query address: %s",
166 log_sockaddr(qa6));
167 }
168
169 if (connect(p->query.fd, sa, SA_LEN(sa)) == -1) {
170 if (errno == ECONNREFUSED || errno == ENETUNREACH ||
171 errno == EHOSTUNREACH || errno == EADDRNOTAVAIL) {
172 /* cycle through addresses, but do increase
173 senderrors */
174 client_nextaddr(p);
175 if (p->addr == NULL)
176 p->addr = p->addr_head.a;
177 set_next(p, MAXIMUM(SETTIME_TIMEOUT,
178 scale_interval(INTERVAL_QUERY_AGGRESSIVE)));
179 p->senderrors++;
180 return (-1);
181 } else
182 fatal("client_query connect");
183 }
184 val = IPTOS_LOWDELAY;
185 if (p->addr->ss.ss_family == AF_INET && setsockopt(p->query.fd,
186 IPPROTO_IP, IP_TOS, &val, sizeof(val)) == -1)
187 log_warn("setsockopt IPTOS_LOWDELAY");
188 val = 1;
189 if (setsockopt(p->query.fd, SOL_SOCKET, SO_TIMESTAMP,
190 &val, sizeof(val)) == -1)
191 fatal("setsockopt SO_TIMESTAMP");
192 }
193
194 /*
195 * Send out a random 64-bit number as our transmit time. The NTP
196 * server will copy said number into the originate field on the
197 * response that it sends us. This is totally legal per the SNTP spec.
198 *
199 * The impact of this is two fold: we no longer send out the current
200 * system time for the world to see (which may aid an attacker), and
201 * it gives us a (not very secure) way of knowing that we're not
202 * getting spoofed by an attacker that can't capture our traffic
203 * but can spoof packets from the NTP server we're communicating with.
204 *
205 * Save the real transmit timestamp locally.
206 */
207
208 p->query.msg.xmttime.int_partl = arc4random();
209 p->query.msg.xmttime.fractionl = arc4random();
210 p->query.xmttime = gettime();
211
212 if (ntp_sendmsg(p->query.fd, NULL, &p->query.msg) == -1) {
213 p->senderrors++;
214 set_next(p, INTERVAL_QUERY_PATHETIC);
215 p->trustlevel = TRUSTLEVEL_PATHETIC;
216 return (-1);
217 }
218
219 p->senderrors = 0;
220 p->state = STATE_QUERY_SENT;
221 set_deadline(p, QUERYTIME_MAX);
222
223 return (0);
224 }
225
226 int
auto_cmp(const void * a,const void * b)227 auto_cmp(const void *a, const void *b)
228 {
229 double at = *(const double *)a;
230 double bt = *(const double *)b;
231 return at < bt ? -1 : (at > bt ? 1 : 0);
232 }
233
234 void
handle_auto(uint8_t trusted,double offset)235 handle_auto(uint8_t trusted, double offset)
236 {
237 static int count;
238 static double v[AUTO_REPLIES];
239
240 /*
241 * It happens the (constraint) resolves initially fail, don't give up
242 * but see if we get validated replies later.
243 */
244 if (!trusted && conf->constraint_median == 0)
245 return;
246
247 if (offset < AUTO_THRESHOLD) {
248 /* don't bother */
249 priv_settime(0, "offset is negative or close enough");
250 return;
251 }
252 /* collect some more */
253 v[count++] = offset;
254 if (count < AUTO_REPLIES)
255 return;
256
257 /* we have enough */
258 qsort(v, count, sizeof(double), auto_cmp);
259 if (AUTO_REPLIES % 2 == 0)
260 offset = (v[AUTO_REPLIES / 2 - 1] + v[AUTO_REPLIES / 2]) / 2;
261 else
262 offset = v[AUTO_REPLIES / 2];
263 priv_settime(offset, "");
264 }
265
266
267 /*
268 * -1: Not processed, not an NTP message (e.g. icmp induced ECONNREFUSED)
269 * 0: Not prrocessed due to validation issues
270 * 1: NTP message validated and processed
271 */
272 int
client_dispatch(struct ntp_peer * p,u_int8_t settime,u_int8_t automatic)273 client_dispatch(struct ntp_peer *p, u_int8_t settime, u_int8_t automatic)
274 {
275 struct ntp_msg msg;
276 struct msghdr somsg;
277 struct iovec iov[1];
278 struct timeval tv;
279 char buf[NTP_MSGSIZE];
280 union {
281 struct cmsghdr hdr;
282 char buf[CMSG_SPACE(sizeof(tv))];
283 } cmsgbuf;
284 struct cmsghdr *cmsg;
285 ssize_t size;
286 double T1, T2, T3, T4, offset, delay;
287 time_t interval;
288
289 memset(&somsg, 0, sizeof(somsg));
290 iov[0].iov_base = buf;
291 iov[0].iov_len = sizeof(buf);
292 somsg.msg_iov = iov;
293 somsg.msg_iovlen = 1;
294 somsg.msg_control = cmsgbuf.buf;
295 somsg.msg_controllen = sizeof(cmsgbuf.buf);
296
297 if ((size = recvmsg(p->query.fd, &somsg, 0)) == -1) {
298 if (errno == EHOSTUNREACH || errno == EHOSTDOWN ||
299 errno == ENETUNREACH || errno == ENETDOWN ||
300 errno == ECONNREFUSED || errno == EADDRNOTAVAIL ||
301 errno == ENOPROTOOPT || errno == ENOENT) {
302 client_log_error(p, "recvmsg", errno);
303 set_next(p, error_interval());
304 return (-1);
305 } else
306 fatal("recvfrom");
307 }
308
309 if (somsg.msg_flags & MSG_TRUNC) {
310 client_log_error(p, "recvmsg packet", EMSGSIZE);
311 set_next(p, error_interval());
312 return (0);
313 }
314
315 if (somsg.msg_flags & MSG_CTRUNC) {
316 client_log_error(p, "recvmsg control data", E2BIG);
317 set_next(p, error_interval());
318 return (0);
319 }
320
321 for (cmsg = CMSG_FIRSTHDR(&somsg); cmsg != NULL;
322 cmsg = CMSG_NXTHDR(&somsg, cmsg)) {
323 if (cmsg->cmsg_level == SOL_SOCKET &&
324 cmsg->cmsg_type == SCM_TIMESTAMP) {
325 memcpy(&tv, CMSG_DATA(cmsg), sizeof(tv));
326 T4 = gettime_from_timeval(&tv);
327 break;
328 }
329 }
330 if (cmsg == NULL)
331 fatal("SCM_TIMESTAMP");
332
333 ntp_getmsg((struct sockaddr *)&p->addr->ss, buf, size, &msg);
334
335 if (msg.orgtime.int_partl != p->query.msg.xmttime.int_partl ||
336 msg.orgtime.fractionl != p->query.msg.xmttime.fractionl)
337 return (0);
338
339 if ((msg.status & LI_ALARM) == LI_ALARM || msg.stratum == 0 ||
340 msg.stratum > NTP_MAXSTRATUM) {
341 char s[16];
342
343 if ((msg.status & LI_ALARM) == LI_ALARM) {
344 strlcpy(s, "alarm", sizeof(s));
345 } else if (msg.stratum == 0) {
346 /* Kiss-o'-Death (KoD) packet */
347 strlcpy(s, "KoD", sizeof(s));
348 } else if (msg.stratum > NTP_MAXSTRATUM) {
349 snprintf(s, sizeof(s), "stratum %d", msg.stratum);
350 }
351 interval = error_interval();
352 set_next(p, interval);
353 log_info("reply from %s: not synced (%s), next query %llds",
354 log_ntp_addr(p->addr), s, (long long)interval);
355 return (0);
356 }
357
358 /*
359 * From RFC 2030 (with a correction to the delay math):
360 *
361 * Timestamp Name ID When Generated
362 * ------------------------------------------------------------
363 * Originate Timestamp T1 time request sent by client
364 * Receive Timestamp T2 time request received by server
365 * Transmit Timestamp T3 time reply sent by server
366 * Destination Timestamp T4 time reply received by client
367 *
368 * The roundtrip delay d and local clock offset t are defined as
369 *
370 * d = (T4 - T1) - (T3 - T2) t = ((T2 - T1) + (T3 - T4)) / 2.
371 */
372
373 T1 = p->query.xmttime;
374 T2 = lfp_to_d(msg.rectime);
375 T3 = lfp_to_d(msg.xmttime);
376
377 /* Detect liars */
378 if (!p->trusted && conf->constraint_median != 0 &&
379 (constraint_check(T2) != 0 || constraint_check(T3) != 0)) {
380 log_info("reply from %s: constraint check failed",
381 log_ntp_addr(p->addr));
382 set_next(p, error_interval());
383 return (0);
384 }
385
386 p->reply[p->shift].offset = ((T2 - T1) + (T3 - T4)) / 2 - getoffset();
387 p->reply[p->shift].delay = (T4 - T1) - (T3 - T2);
388 p->reply[p->shift].status.stratum = msg.stratum;
389 if (p->reply[p->shift].delay < 0) {
390 interval = error_interval();
391 set_next(p, interval);
392 log_info("reply from %s: negative delay %fs, "
393 "next query %llds",
394 log_ntp_addr(p->addr),
395 p->reply[p->shift].delay, (long long)interval);
396 return (0);
397 }
398 p->reply[p->shift].error = (T2 - T1) - (T3 - T4);
399 p->reply[p->shift].rcvd = getmonotime();
400 p->reply[p->shift].good = 1;
401
402 p->reply[p->shift].status.leap = (msg.status & LIMASK);
403 p->reply[p->shift].status.precision = msg.precision;
404 p->reply[p->shift].status.rootdelay = sfp_to_d(msg.rootdelay);
405 p->reply[p->shift].status.rootdispersion = sfp_to_d(msg.dispersion);
406 p->reply[p->shift].status.refid = msg.refid;
407 p->reply[p->shift].status.reftime = lfp_to_d(msg.reftime);
408 p->reply[p->shift].status.poll = msg.ppoll;
409
410 if (p->addr->ss.ss_family == AF_INET) {
411 p->reply[p->shift].status.send_refid =
412 ((struct sockaddr_in *)&p->addr->ss)->sin_addr.s_addr;
413 } else if (p->addr->ss.ss_family == AF_INET6) {
414 MD5_CTX context;
415 u_int8_t digest[MD5_DIGEST_LENGTH];
416
417 MD5Init(&context);
418 MD5Update(&context, ((struct sockaddr_in6 *)&p->addr->ss)->
419 sin6_addr.s6_addr, sizeof(struct in6_addr));
420 MD5Final(digest, &context);
421 memcpy((char *)&p->reply[p->shift].status.send_refid, digest,
422 sizeof(u_int32_t));
423 } else
424 p->reply[p->shift].status.send_refid = msg.xmttime.fractionl;
425
426 p->state = STATE_REPLY_RECEIVED;
427
428 /* every received reply which we do not discard increases trust */
429 if (p->trustlevel < TRUSTLEVEL_MAX) {
430 if (p->trustlevel < TRUSTLEVEL_BADPEER &&
431 p->trustlevel + 1 >= TRUSTLEVEL_BADPEER)
432 log_info("peer %s now valid",
433 log_ntp_addr(p->addr));
434 p->trustlevel++;
435 }
436
437 offset = p->reply[p->shift].offset;
438 delay = p->reply[p->shift].delay;
439
440 client_update(p);
441 if (settime) {
442 if (automatic)
443 handle_auto(p->trusted, p->reply[p->shift].offset);
444 else
445 priv_settime(p->reply[p->shift].offset, "");
446 }
447
448 if (p->trustlevel < TRUSTLEVEL_PATHETIC)
449 interval = scale_interval(INTERVAL_QUERY_PATHETIC);
450 else if (p->trustlevel < TRUSTLEVEL_AGGRESSIVE)
451 interval = (conf->settime && conf->automatic) ?
452 INTERVAL_QUERY_ULTRA_VIOLENCE :
453 scale_interval(INTERVAL_QUERY_AGGRESSIVE);
454 else
455 interval = scale_interval(INTERVAL_QUERY_NORMAL);
456
457 log_debug("reply from %s: offset %f delay %f, "
458 "next query %llds", log_ntp_addr(p->addr),
459 offset, delay, (long long)interval);
460
461 set_next(p, interval);
462
463 if (++p->shift >= OFFSET_ARRAY_SIZE)
464 p->shift = 0;
465
466 return (1);
467 }
468
469 int
client_update(struct ntp_peer * p)470 client_update(struct ntp_peer *p)
471 {
472 int shift, best = -1, good = 0;
473
474 /*
475 * clock filter
476 * find the offset which arrived with the lowest delay
477 * use that as the peer update
478 * invalidate it and all older ones
479 */
480
481 for (shift = 0; shift < OFFSET_ARRAY_SIZE; shift++)
482 if (p->reply[shift].good) {
483 good++;
484 if (best == -1 ||
485 p->reply[shift].delay < p->reply[best].delay)
486 best = shift;
487 }
488
489 if (best == -1 || good < 8)
490 return (-1);
491
492 p->update = p->reply[best];
493 if (priv_adjtime() == 0) {
494 for (shift = 0; shift < OFFSET_ARRAY_SIZE; shift++)
495 if (p->reply[shift].rcvd <= p->reply[best].rcvd)
496 p->reply[shift].good = 0;
497 }
498 return (0);
499 }
500
501 void
client_log_error(struct ntp_peer * peer,const char * operation,int error)502 client_log_error(struct ntp_peer *peer, const char *operation, int error)
503 {
504 const char *address;
505
506 address = log_ntp_addr(peer->addr);
507 if (peer->lasterror == error) {
508 log_debug("%s %s: %s", operation, address, strerror(error));
509 return;
510 }
511 peer->lasterror = error;
512 log_warn("%s %s", operation, address);
513 }
514