1 /* $OpenBSD: client.c,v 1.117 2022/03/24 07:37:19 otto Exp $ */ 2 3 /* 4 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 5 * Copyright (c) 2004 Alexander Guy <alexander.guy@andern.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 #include <sys/types.h> 21 #include <errno.h> 22 #include <md5.h> 23 #include <stdio.h> 24 #include <stdlib.h> 25 #include <string.h> 26 #include <time.h> 27 #include <unistd.h> 28 29 #include "ntpd.h" 30 31 int client_update(struct ntp_peer *); 32 int auto_cmp(const void *, const void *); 33 void handle_auto(u_int8_t, double); 34 void set_deadline(struct ntp_peer *, time_t); 35 36 void 37 set_next(struct ntp_peer *p, time_t t) 38 { 39 p->next = getmonotime() + t; 40 p->deadline = 0; 41 p->poll = t; 42 } 43 44 void 45 set_deadline(struct ntp_peer *p, time_t t) 46 { 47 p->deadline = getmonotime() + t; 48 p->next = 0; 49 } 50 51 int 52 client_peer_init(struct ntp_peer *p) 53 { 54 p->query.fd = -1; 55 p->query.msg.status = MODE_CLIENT | (NTP_VERSION << 3); 56 p->query.xmttime = 0; 57 p->state = STATE_NONE; 58 p->shift = 0; 59 p->trustlevel = TRUSTLEVEL_PATHETIC; 60 p->lasterror = 0; 61 p->senderrors = 0; 62 63 return (client_addr_init(p)); 64 } 65 66 int 67 client_addr_init(struct ntp_peer *p) 68 { 69 struct sockaddr_in *sa_in; 70 struct sockaddr_in6 *sa_in6; 71 struct ntp_addr *h; 72 73 for (h = p->addr; h != NULL; h = h->next) { 74 switch (h->ss.ss_family) { 75 case AF_INET: 76 sa_in = (struct sockaddr_in *)&h->ss; 77 if (ntohs(sa_in->sin_port) == 0) 78 sa_in->sin_port = htons(123); 79 p->state = STATE_DNS_DONE; 80 break; 81 case AF_INET6: 82 sa_in6 = (struct sockaddr_in6 *)&h->ss; 83 if (ntohs(sa_in6->sin6_port) == 0) 84 sa_in6->sin6_port = htons(123); 85 p->state = STATE_DNS_DONE; 86 break; 87 default: 88 fatalx("king bula sez: wrong AF in client_addr_init"); 89 /* NOTREACHED */ 90 } 91 } 92 93 p->query.fd = -1; 94 set_next(p, 0); 95 96 return (0); 97 } 98 99 int 100 client_nextaddr(struct ntp_peer *p) 101 { 102 if (p->query.fd != -1) { 103 close(p->query.fd); 104 p->query.fd = -1; 105 } 106 107 if (p->state == STATE_DNS_INPROGRESS) 108 return (-1); 109 110 if (p->addr_head.a == NULL) { 111 priv_dns(IMSG_HOST_DNS, p->addr_head.name, p->id); 112 p->state = STATE_DNS_INPROGRESS; 113 return (-1); 114 } 115 116 p->shift = 0; 117 p->trustlevel = TRUSTLEVEL_PATHETIC; 118 119 if (p->addr == NULL) 120 p->addr = p->addr_head.a; 121 else if ((p->addr = p->addr->next) == NULL) 122 return (1); 123 124 return (0); 125 } 126 127 int 128 client_query(struct ntp_peer *p) 129 { 130 int val; 131 132 if (p->addr == NULL && client_nextaddr(p) == -1) { 133 if (conf->settime) 134 set_next(p, INTERVAL_AUIO_DNSFAIL); 135 else 136 set_next(p, MAXIMUM(SETTIME_TIMEOUT, 137 scale_interval(INTERVAL_QUERY_AGGRESSIVE))); 138 return (0); 139 } 140 141 if (conf->status.synced && p->addr->notauth) { 142 peer_addr_head_clear(p); 143 client_nextaddr(p); 144 return (0); 145 } 146 147 if (p->state < STATE_DNS_DONE || p->addr == NULL) 148 return (-1); 149 150 if (p->query.fd == -1) { 151 struct sockaddr *sa = (struct sockaddr *)&p->addr->ss; 152 struct sockaddr *qa4 = (struct sockaddr *)&p->query_addr4; 153 struct sockaddr *qa6 = (struct sockaddr *)&p->query_addr6; 154 155 if ((p->query.fd = socket(p->addr->ss.ss_family, SOCK_DGRAM, 156 0)) == -1) 157 fatal("client_query socket"); 158 159 if (p->addr->ss.ss_family == qa4->sa_family) { 160 if (bind(p->query.fd, qa4, SA_LEN(qa4)) == -1) 161 fatal("couldn't bind to IPv4 query address: %s", 162 log_sockaddr(qa4)); 163 } else if (p->addr->ss.ss_family == qa6->sa_family) { 164 if (bind(p->query.fd, qa6, SA_LEN(qa6)) == -1) 165 fatal("couldn't bind to IPv6 query address: %s", 166 log_sockaddr(qa6)); 167 } 168 169 if (connect(p->query.fd, sa, SA_LEN(sa)) == -1) { 170 if (errno == ECONNREFUSED || errno == ENETUNREACH || 171 errno == EHOSTUNREACH || errno == EADDRNOTAVAIL) { 172 /* cycle through addresses, but do increase 173 senderrors */ 174 client_nextaddr(p); 175 if (p->addr == NULL) 176 p->addr = p->addr_head.a; 177 set_next(p, MAXIMUM(SETTIME_TIMEOUT, 178 scale_interval(INTERVAL_QUERY_AGGRESSIVE))); 179 p->senderrors++; 180 return (-1); 181 } else 182 fatal("client_query connect"); 183 } 184 val = IPTOS_LOWDELAY; 185 if (p->addr->ss.ss_family == AF_INET && setsockopt(p->query.fd, 186 IPPROTO_IP, IP_TOS, &val, sizeof(val)) == -1) 187 log_warn("setsockopt IPTOS_LOWDELAY"); 188 val = 1; 189 if (setsockopt(p->query.fd, SOL_SOCKET, SO_TIMESTAMP, 190 &val, sizeof(val)) == -1) 191 fatal("setsockopt SO_TIMESTAMP"); 192 } 193 194 /* 195 * Send out a random 64-bit number as our transmit time. The NTP 196 * server will copy said number into the originate field on the 197 * response that it sends us. This is totally legal per the SNTP spec. 198 * 199 * The impact of this is two fold: we no longer send out the current 200 * system time for the world to see (which may aid an attacker), and 201 * it gives us a (not very secure) way of knowing that we're not 202 * getting spoofed by an attacker that can't capture our traffic 203 * but can spoof packets from the NTP server we're communicating with. 204 * 205 * Save the real transmit timestamp locally. 206 */ 207 208 p->query.msg.xmttime.int_partl = arc4random(); 209 p->query.msg.xmttime.fractionl = arc4random(); 210 p->query.xmttime = gettime(); 211 212 if (ntp_sendmsg(p->query.fd, NULL, &p->query.msg) == -1) { 213 p->senderrors++; 214 set_next(p, INTERVAL_QUERY_PATHETIC); 215 p->trustlevel = TRUSTLEVEL_PATHETIC; 216 return (-1); 217 } 218 219 p->senderrors = 0; 220 p->state = STATE_QUERY_SENT; 221 set_deadline(p, QUERYTIME_MAX); 222 223 return (0); 224 } 225 226 int 227 auto_cmp(const void *a, const void *b) 228 { 229 double at = *(const double *)a; 230 double bt = *(const double *)b; 231 return at < bt ? -1 : (at > bt ? 1 : 0); 232 } 233 234 void 235 handle_auto(uint8_t trusted, double offset) 236 { 237 static int count; 238 static double v[AUTO_REPLIES]; 239 240 /* 241 * It happens the (constraint) resolves initially fail, don't give up 242 * but see if we get validated replies later. 243 */ 244 if (!trusted && conf->constraint_median == 0) 245 return; 246 247 if (offset < AUTO_THRESHOLD) { 248 /* don't bother */ 249 priv_settime(0, "offset is negative or close enough"); 250 return; 251 } 252 /* collect some more */ 253 v[count++] = offset; 254 if (count < AUTO_REPLIES) 255 return; 256 257 /* we have enough */ 258 qsort(v, count, sizeof(double), auto_cmp); 259 if (AUTO_REPLIES % 2 == 0) 260 offset = (v[AUTO_REPLIES / 2 - 1] + v[AUTO_REPLIES / 2]) / 2; 261 else 262 offset = v[AUTO_REPLIES / 2]; 263 priv_settime(offset, ""); 264 } 265 266 267 /* 268 * -1: Not processed, not an NTP message (e.g. icmp induced ECONNREFUSED) 269 * 0: Not prrocessed due to validation issues 270 * 1: NTP message validated and processed 271 */ 272 int 273 client_dispatch(struct ntp_peer *p, u_int8_t settime, u_int8_t automatic) 274 { 275 struct ntp_msg msg; 276 struct msghdr somsg; 277 struct iovec iov[1]; 278 struct timeval tv; 279 char buf[NTP_MSGSIZE]; 280 union { 281 struct cmsghdr hdr; 282 char buf[CMSG_SPACE(sizeof(tv))]; 283 } cmsgbuf; 284 struct cmsghdr *cmsg; 285 ssize_t size; 286 double T1, T2, T3, T4, offset, delay; 287 time_t interval; 288 289 memset(&somsg, 0, sizeof(somsg)); 290 iov[0].iov_base = buf; 291 iov[0].iov_len = sizeof(buf); 292 somsg.msg_iov = iov; 293 somsg.msg_iovlen = 1; 294 somsg.msg_control = cmsgbuf.buf; 295 somsg.msg_controllen = sizeof(cmsgbuf.buf); 296 297 if ((size = recvmsg(p->query.fd, &somsg, 0)) == -1) { 298 if (errno == EHOSTUNREACH || errno == EHOSTDOWN || 299 errno == ENETUNREACH || errno == ENETDOWN || 300 errno == ECONNREFUSED || errno == EADDRNOTAVAIL || 301 errno == ENOPROTOOPT || errno == ENOENT) { 302 client_log_error(p, "recvmsg", errno); 303 set_next(p, error_interval()); 304 return (-1); 305 } else 306 fatal("recvfrom"); 307 } 308 309 if (somsg.msg_flags & MSG_TRUNC) { 310 client_log_error(p, "recvmsg packet", EMSGSIZE); 311 set_next(p, error_interval()); 312 return (0); 313 } 314 315 if (somsg.msg_flags & MSG_CTRUNC) { 316 client_log_error(p, "recvmsg control data", E2BIG); 317 set_next(p, error_interval()); 318 return (0); 319 } 320 321 for (cmsg = CMSG_FIRSTHDR(&somsg); cmsg != NULL; 322 cmsg = CMSG_NXTHDR(&somsg, cmsg)) { 323 if (cmsg->cmsg_level == SOL_SOCKET && 324 cmsg->cmsg_type == SCM_TIMESTAMP) { 325 memcpy(&tv, CMSG_DATA(cmsg), sizeof(tv)); 326 T4 = gettime_from_timeval(&tv); 327 break; 328 } 329 } 330 if (cmsg == NULL) 331 fatal("SCM_TIMESTAMP"); 332 333 ntp_getmsg((struct sockaddr *)&p->addr->ss, buf, size, &msg); 334 335 if (msg.orgtime.int_partl != p->query.msg.xmttime.int_partl || 336 msg.orgtime.fractionl != p->query.msg.xmttime.fractionl) 337 return (0); 338 339 if ((msg.status & LI_ALARM) == LI_ALARM || msg.stratum == 0 || 340 msg.stratum > NTP_MAXSTRATUM) { 341 char s[16]; 342 343 if ((msg.status & LI_ALARM) == LI_ALARM) { 344 strlcpy(s, "alarm", sizeof(s)); 345 } else if (msg.stratum == 0) { 346 /* Kiss-o'-Death (KoD) packet */ 347 strlcpy(s, "KoD", sizeof(s)); 348 } else if (msg.stratum > NTP_MAXSTRATUM) { 349 snprintf(s, sizeof(s), "stratum %d", msg.stratum); 350 } 351 interval = error_interval(); 352 set_next(p, interval); 353 log_info("reply from %s: not synced (%s), next query %llds", 354 log_sockaddr((struct sockaddr *)&p->addr->ss), s, 355 (long long)interval); 356 return (0); 357 } 358 359 /* 360 * From RFC 2030 (with a correction to the delay math): 361 * 362 * Timestamp Name ID When Generated 363 * ------------------------------------------------------------ 364 * Originate Timestamp T1 time request sent by client 365 * Receive Timestamp T2 time request received by server 366 * Transmit Timestamp T3 time reply sent by server 367 * Destination Timestamp T4 time reply received by client 368 * 369 * The roundtrip delay d and local clock offset t are defined as 370 * 371 * d = (T4 - T1) - (T3 - T2) t = ((T2 - T1) + (T3 - T4)) / 2. 372 */ 373 374 T1 = p->query.xmttime; 375 T2 = lfp_to_d(msg.rectime); 376 T3 = lfp_to_d(msg.xmttime); 377 378 /* Detect liars */ 379 if (!p->trusted && conf->constraint_median != 0 && 380 (constraint_check(T2) != 0 || constraint_check(T3) != 0)) { 381 log_info("reply from %s: constraint check failed", 382 log_sockaddr((struct sockaddr *)&p->addr->ss)); 383 set_next(p, error_interval()); 384 return (0); 385 } 386 387 p->reply[p->shift].offset = ((T2 - T1) + (T3 - T4)) / 2 - getoffset(); 388 p->reply[p->shift].delay = (T4 - T1) - (T3 - T2); 389 p->reply[p->shift].status.stratum = msg.stratum; 390 if (p->reply[p->shift].delay < 0) { 391 interval = error_interval(); 392 set_next(p, interval); 393 log_info("reply from %s: negative delay %fs, " 394 "next query %llds", 395 log_sockaddr((struct sockaddr *)&p->addr->ss), 396 p->reply[p->shift].delay, (long long)interval); 397 return (0); 398 } 399 p->reply[p->shift].error = (T2 - T1) - (T3 - T4); 400 p->reply[p->shift].rcvd = getmonotime(); 401 p->reply[p->shift].good = 1; 402 403 p->reply[p->shift].status.leap = (msg.status & LIMASK); 404 p->reply[p->shift].status.precision = msg.precision; 405 p->reply[p->shift].status.rootdelay = sfp_to_d(msg.rootdelay); 406 p->reply[p->shift].status.rootdispersion = sfp_to_d(msg.dispersion); 407 p->reply[p->shift].status.refid = msg.refid; 408 p->reply[p->shift].status.reftime = lfp_to_d(msg.reftime); 409 p->reply[p->shift].status.poll = msg.ppoll; 410 411 if (p->addr->ss.ss_family == AF_INET) { 412 p->reply[p->shift].status.send_refid = 413 ((struct sockaddr_in *)&p->addr->ss)->sin_addr.s_addr; 414 } else if (p->addr->ss.ss_family == AF_INET6) { 415 MD5_CTX context; 416 u_int8_t digest[MD5_DIGEST_LENGTH]; 417 418 MD5Init(&context); 419 MD5Update(&context, ((struct sockaddr_in6 *)&p->addr->ss)-> 420 sin6_addr.s6_addr, sizeof(struct in6_addr)); 421 MD5Final(digest, &context); 422 memcpy((char *)&p->reply[p->shift].status.send_refid, digest, 423 sizeof(u_int32_t)); 424 } else 425 p->reply[p->shift].status.send_refid = msg.xmttime.fractionl; 426 427 p->state = STATE_REPLY_RECEIVED; 428 429 /* every received reply which we do not discard increases trust */ 430 if (p->trustlevel < TRUSTLEVEL_MAX) { 431 if (p->trustlevel < TRUSTLEVEL_BADPEER && 432 p->trustlevel + 1 >= TRUSTLEVEL_BADPEER) 433 log_info("peer %s now valid", 434 log_sockaddr((struct sockaddr *)&p->addr->ss)); 435 p->trustlevel++; 436 } 437 438 offset = p->reply[p->shift].offset; 439 delay = p->reply[p->shift].delay; 440 441 client_update(p); 442 if (settime) { 443 if (automatic) 444 handle_auto(p->trusted, p->reply[p->shift].offset); 445 else 446 priv_settime(p->reply[p->shift].offset, ""); 447 } 448 449 if (p->trustlevel < TRUSTLEVEL_PATHETIC) 450 interval = scale_interval(INTERVAL_QUERY_PATHETIC); 451 else if (p->trustlevel < TRUSTLEVEL_AGGRESSIVE) 452 interval = (conf->settime && conf->automatic) ? 453 INTERVAL_QUERY_ULTRA_VIOLENCE : 454 scale_interval(INTERVAL_QUERY_AGGRESSIVE); 455 else 456 interval = scale_interval(INTERVAL_QUERY_NORMAL); 457 458 log_debug("reply from %s: offset %f delay %f, " 459 "next query %llds", 460 log_sockaddr((struct sockaddr *)&p->addr->ss), 461 offset, delay, 462 (long long)interval); 463 464 set_next(p, interval); 465 466 if (++p->shift >= OFFSET_ARRAY_SIZE) 467 p->shift = 0; 468 469 return (1); 470 } 471 472 int 473 client_update(struct ntp_peer *p) 474 { 475 int shift, best = -1, good = 0; 476 477 /* 478 * clock filter 479 * find the offset which arrived with the lowest delay 480 * use that as the peer update 481 * invalidate it and all older ones 482 */ 483 484 for (shift = 0; shift < OFFSET_ARRAY_SIZE; shift++) 485 if (p->reply[shift].good) { 486 good++; 487 if (best == -1 || 488 p->reply[shift].delay < p->reply[best].delay) 489 best = shift; 490 } 491 492 if (best == -1 || good < 8) 493 return (-1); 494 495 p->update = p->reply[best]; 496 if (priv_adjtime() == 0) { 497 for (shift = 0; shift < OFFSET_ARRAY_SIZE; shift++) 498 if (p->reply[shift].rcvd <= p->reply[best].rcvd) 499 p->reply[shift].good = 0; 500 } 501 return (0); 502 } 503 504 void 505 client_log_error(struct ntp_peer *peer, const char *operation, int error) 506 { 507 const char *address; 508 509 address = log_sockaddr((struct sockaddr *)&peer->addr->ss); 510 if (peer->lasterror == error) { 511 log_debug("%s %s: %s", operation, address, strerror(error)); 512 return; 513 } 514 peer->lasterror = error; 515 log_warn("%s %s", operation, address); 516 } 517