Edit

IABSD.fr/src/usr.sbin/ntpd/client.c

Branch :

  • Show log

    Commit

  • Author : bluhm
    Date : 2021-04-21 09:38:11
    Hash : 4c6157fa
    Message : Improve ntpd offset handling. Call the index of the offset loops "shift" consistently. Merge the two offset loops in client_update() into one. Use a simple assignment for the best value instead of memcpy(). Use the same mechanism to loop over the offset array everywhere to avoid an invalid best value. tested by weerd@; OK claudio@

  • usr.sbin/ntpd/client.c
  • /*	$OpenBSD: client.c,v 1.116 2021/04/21 09:38:11 bluhm Exp $ */
    
    /*
     * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
     * Copyright (c) 2004 Alexander Guy <alexander.guy@andern.org>
     *
     * Permission to use, copy, modify, and distribute this software for any
     * purpose with or without fee is hereby granted, provided that the above
     * copyright notice and this permission notice appear in all copies.
     *
     * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
     * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
     * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
     * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
     * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
     * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
     * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
     */
    
    #include <sys/types.h>
    #include <errno.h>
    #include <md5.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <time.h>
    #include <unistd.h>
    
    #include "ntpd.h"
    
    int	client_update(struct ntp_peer *);
    int	auto_cmp(const void *, const void *);
    void	handle_auto(u_int8_t, double);
    void	set_deadline(struct ntp_peer *, time_t);
    
    void
    set_next(struct ntp_peer *p, time_t t)
    {
    	p->next = getmonotime() + t;
    	p->deadline = 0;
    	p->poll = t;
    }
    
    void
    set_deadline(struct ntp_peer *p, time_t t)
    {
    	p->deadline = getmonotime() + t;
    	p->next = 0;
    }
    
    int
    client_peer_init(struct ntp_peer *p)
    {
    	if ((p->query = calloc(1, sizeof(struct ntp_query))) == NULL)
    		fatal("client_peer_init calloc");
    	p->query->fd = -1;
    	p->query->msg.status = MODE_CLIENT | (NTP_VERSION << 3);
    	p->state = STATE_NONE;
    	p->shift = 0;
    	p->trustlevel = TRUSTLEVEL_PATHETIC;
    	p->lasterror = 0;
    	p->senderrors = 0;
    
    	return (client_addr_init(p));
    }
    
    int
    client_addr_init(struct ntp_peer *p)
    {
    	struct sockaddr_in	*sa_in;
    	struct sockaddr_in6	*sa_in6;
    	struct ntp_addr		*h;
    
    	for (h = p->addr; h != NULL; h = h->next) {
    		switch (h->ss.ss_family) {
    		case AF_INET:
    			sa_in = (struct sockaddr_in *)&h->ss;
    			if (ntohs(sa_in->sin_port) == 0)
    				sa_in->sin_port = htons(123);
    			p->state = STATE_DNS_DONE;
    			break;
    		case AF_INET6:
    			sa_in6 = (struct sockaddr_in6 *)&h->ss;
    			if (ntohs(sa_in6->sin6_port) == 0)
    				sa_in6->sin6_port = htons(123);
    			p->state = STATE_DNS_DONE;
    			break;
    		default:
    			fatalx("king bula sez: wrong AF in client_addr_init");
    			/* NOTREACHED */
    		}
    	}
    
    	p->query->fd = -1;
    	set_next(p, 0);
    
    	return (0);
    }
    
    int
    client_nextaddr(struct ntp_peer *p)
    {
    	if (p->query->fd != -1) {
    		close(p->query->fd);
    		p->query->fd = -1;
    	}
    
    	if (p->state == STATE_DNS_INPROGRESS)
    		return (-1);
    
    	if (p->addr_head.a == NULL) {
    		priv_dns(IMSG_HOST_DNS, p->addr_head.name, p->id);
    		p->state = STATE_DNS_INPROGRESS;
    		return (-1);
    	}
    
    	p->shift = 0;
    	p->trustlevel = TRUSTLEVEL_PATHETIC;
    
    	if (p->addr == NULL)
    		p->addr = p->addr_head.a;
    	else if ((p->addr = p->addr->next) == NULL)
    		return (1);
    
    	return (0);
    }
    
    int
    client_query(struct ntp_peer *p)
    {
    	int	val;
    
    	if (p->addr == NULL && client_nextaddr(p) == -1) {
    		if (conf->settime)
    			set_next(p, INTERVAL_AUIO_DNSFAIL);
    		else
    			set_next(p, MAXIMUM(SETTIME_TIMEOUT,
    			    scale_interval(INTERVAL_QUERY_AGGRESSIVE)));
    		return (0);
    	}
    
    	if (conf->status.synced && p->addr->notauth) {
    		peer_addr_head_clear(p);
    		client_nextaddr(p);
    		return (0);
    	}
    
    	if (p->state < STATE_DNS_DONE || p->addr == NULL)
    		return (-1);
    
    	if (p->query->fd == -1) {
    		struct sockaddr *sa = (struct sockaddr *)&p->addr->ss;
    		struct sockaddr *qa4 = (struct sockaddr *)&p->query_addr4;
    		struct sockaddr *qa6 = (struct sockaddr *)&p->query_addr6;
    
    		if ((p->query->fd = socket(p->addr->ss.ss_family, SOCK_DGRAM,
    		    0)) == -1)
    			fatal("client_query socket");
    
    		if (p->addr->ss.ss_family == qa4->sa_family) {
    			if (bind(p->query->fd, qa4, SA_LEN(qa4)) == -1)
    				fatal("couldn't bind to IPv4 query address: %s",
    				    log_sockaddr(qa4));
    		} else if (p->addr->ss.ss_family == qa6->sa_family) {
    			if (bind(p->query->fd, qa6, SA_LEN(qa6)) == -1)
    				fatal("couldn't bind to IPv6 query address: %s",
    				    log_sockaddr(qa6));
    		}
    
    		if (connect(p->query->fd, sa, SA_LEN(sa)) == -1) {
    			if (errno == ECONNREFUSED || errno == ENETUNREACH ||
    			    errno == EHOSTUNREACH || errno == EADDRNOTAVAIL) {
    				/* cycle through addresses, but do increase
    				   senderrors */
    				client_nextaddr(p);
    				if (p->addr == NULL)
    					p->addr = p->addr_head.a;
    				set_next(p, MAXIMUM(SETTIME_TIMEOUT,
    				    scale_interval(INTERVAL_QUERY_AGGRESSIVE)));
    				p->senderrors++;
    				return (-1);
    			} else
    				fatal("client_query connect");
    		}
    		val = IPTOS_LOWDELAY;
    		if (p->addr->ss.ss_family == AF_INET && setsockopt(p->query->fd,
    		    IPPROTO_IP, IP_TOS, &val, sizeof(val)) == -1)
    			log_warn("setsockopt IPTOS_LOWDELAY");
    		val = 1;
    		if (setsockopt(p->query->fd, SOL_SOCKET, SO_TIMESTAMP,
    		    &val, sizeof(val)) == -1)
    			fatal("setsockopt SO_TIMESTAMP");
    	}
    
    	/*
    	 * Send out a random 64-bit number as our transmit time.  The NTP
    	 * server will copy said number into the originate field on the
    	 * response that it sends us.  This is totally legal per the SNTP spec.
    	 *
    	 * The impact of this is two fold: we no longer send out the current
    	 * system time for the world to see (which may aid an attacker), and
    	 * it gives us a (not very secure) way of knowing that we're not
    	 * getting spoofed by an attacker that can't capture our traffic
    	 * but can spoof packets from the NTP server we're communicating with.
    	 *
    	 * Save the real transmit timestamp locally.
    	 */
    
    	p->query->msg.xmttime.int_partl = arc4random();
    	p->query->msg.xmttime.fractionl = arc4random();
    	p->query->xmttime = gettime();
    
    	if (ntp_sendmsg(p->query->fd, NULL, &p->query->msg) == -1) {
    		p->senderrors++;
    		set_next(p, INTERVAL_QUERY_PATHETIC);
    		p->trustlevel = TRUSTLEVEL_PATHETIC;
    		return (-1);
    	}
    
    	p->senderrors = 0;
    	p->state = STATE_QUERY_SENT;
    	set_deadline(p, QUERYTIME_MAX);
    
    	return (0);
    }
    
    int
    auto_cmp(const void *a, const void *b)
    {
    	double at = *(const double *)a;
    	double bt = *(const double *)b;
    	return at < bt ? -1 : (at > bt ? 1 : 0);
    }
    
    void
    handle_auto(uint8_t trusted, double offset)
    {
    	static int count;
    	static double v[AUTO_REPLIES];
    
    	/*
    	 * It happens the (constraint) resolves initially fail, don't give up
    	 * but see if we get validated replies later.
    	 */
    	if (!trusted && conf->constraint_median == 0)
    		return;
    
    	if (offset < AUTO_THRESHOLD) {
    		/* don't bother */
    		priv_settime(0, "offset is negative or close enough");
    		return;
    	}
    	/* collect some more */
    	v[count++] = offset;
    	if (count < AUTO_REPLIES)
    		return;
    	
    	/* we have enough */
    	qsort(v, count, sizeof(double), auto_cmp);
    	if (AUTO_REPLIES % 2 == 0)
    		offset = (v[AUTO_REPLIES / 2 - 1] + v[AUTO_REPLIES / 2]) / 2;
    	else
    		offset = v[AUTO_REPLIES / 2];
    	priv_settime(offset, "");
    }
    
    
    /*
     * -1: Not processed, not an NTP message (e.g. icmp induced  ECONNREFUSED)
     *  0: Not prrocessed due to validation issues
     *  1: NTP message validated and processed
     */
    int
    client_dispatch(struct ntp_peer *p, u_int8_t settime, u_int8_t automatic)
    {
    	struct ntp_msg		 msg;
    	struct msghdr		 somsg;
    	struct iovec		 iov[1];
    	struct timeval		 tv;
    	char			 buf[NTP_MSGSIZE];
    	union {
    		struct cmsghdr	hdr;
    		char		buf[CMSG_SPACE(sizeof(tv))];
    	} cmsgbuf;
    	struct cmsghdr		*cmsg;
    	ssize_t			 size;
    	double			 T1, T2, T3, T4, offset, delay;
    	time_t			 interval;
    
    	memset(&somsg, 0, sizeof(somsg));
    	iov[0].iov_base = buf;
    	iov[0].iov_len = sizeof(buf);
    	somsg.msg_iov = iov;
    	somsg.msg_iovlen = 1;
    	somsg.msg_control = cmsgbuf.buf;
    	somsg.msg_controllen = sizeof(cmsgbuf.buf);
    
    	if ((size = recvmsg(p->query->fd, &somsg, 0)) == -1) {
    		if (errno == EHOSTUNREACH || errno == EHOSTDOWN ||
    		    errno == ENETUNREACH || errno == ENETDOWN ||
    		    errno == ECONNREFUSED || errno == EADDRNOTAVAIL ||
    		    errno == ENOPROTOOPT || errno == ENOENT) {
    			client_log_error(p, "recvmsg", errno);
    			set_next(p, error_interval());
    			return (-1);
    		} else
    			fatal("recvfrom");
    	}
    
    	if (somsg.msg_flags & MSG_TRUNC) {
    		client_log_error(p, "recvmsg packet", EMSGSIZE);
    		set_next(p, error_interval());
    		return (0);
    	}
    
    	if (somsg.msg_flags & MSG_CTRUNC) {
    		client_log_error(p, "recvmsg control data", E2BIG);
    		set_next(p, error_interval());
    		return (0);
    	}
    
    	for (cmsg = CMSG_FIRSTHDR(&somsg); cmsg != NULL;
    	    cmsg = CMSG_NXTHDR(&somsg, cmsg)) {
    		if (cmsg->cmsg_level == SOL_SOCKET &&
    		    cmsg->cmsg_type == SCM_TIMESTAMP) {
    			memcpy(&tv, CMSG_DATA(cmsg), sizeof(tv));
    			T4 = gettime_from_timeval(&tv);
    			break;
    		}
    	}
    	if (cmsg == NULL)
    		fatal("SCM_TIMESTAMP");
    
    	ntp_getmsg((struct sockaddr *)&p->addr->ss, buf, size, &msg);
    
    	if (msg.orgtime.int_partl != p->query->msg.xmttime.int_partl ||
    	    msg.orgtime.fractionl != p->query->msg.xmttime.fractionl)
    		return (0);
    
    	if ((msg.status & LI_ALARM) == LI_ALARM || msg.stratum == 0 ||
    	    msg.stratum > NTP_MAXSTRATUM) {
    		char s[16];
    
    		if ((msg.status & LI_ALARM) == LI_ALARM) {
    			strlcpy(s, "alarm", sizeof(s));
    		} else if (msg.stratum == 0) {
    			/* Kiss-o'-Death (KoD) packet */
    			strlcpy(s, "KoD", sizeof(s));
    		} else if (msg.stratum > NTP_MAXSTRATUM) {
    			snprintf(s, sizeof(s), "stratum %d", msg.stratum);
    		}
    		interval = error_interval();
    		set_next(p, interval);
    		log_info("reply from %s: not synced (%s), next query %llds",
    		    log_sockaddr((struct sockaddr *)&p->addr->ss), s,
    			(long long)interval);
    		return (0);
    	}
    
    	/*
    	 * From RFC 2030 (with a correction to the delay math):
    	 *
    	 *     Timestamp Name          ID   When Generated
    	 *     ------------------------------------------------------------
    	 *     Originate Timestamp     T1   time request sent by client
    	 *     Receive Timestamp       T2   time request received by server
    	 *     Transmit Timestamp      T3   time reply sent by server
    	 *     Destination Timestamp   T4   time reply received by client
    	 *
    	 *  The roundtrip delay d and local clock offset t are defined as
    	 *
    	 *    d = (T4 - T1) - (T3 - T2)     t = ((T2 - T1) + (T3 - T4)) / 2.
    	 */
    
    	T1 = p->query->xmttime;
    	T2 = lfp_to_d(msg.rectime);
    	T3 = lfp_to_d(msg.xmttime);
    
    	/* Detect liars */
    	if (!p->trusted && conf->constraint_median != 0 &&
    	    (constraint_check(T2) != 0 || constraint_check(T3) != 0)) {
    		log_info("reply from %s: constraint check failed",
    		    log_sockaddr((struct sockaddr *)&p->addr->ss));
    		set_next(p, error_interval());
    		return (0);
    	}
    
    	p->reply[p->shift].offset = ((T2 - T1) + (T3 - T4)) / 2 - getoffset();
    	p->reply[p->shift].delay = (T4 - T1) - (T3 - T2);
    	p->reply[p->shift].status.stratum = msg.stratum;
    	if (p->reply[p->shift].delay < 0) {
    		interval = error_interval();
    		set_next(p, interval);
    		log_info("reply from %s: negative delay %fs, "
    		    "next query %llds",
    		    log_sockaddr((struct sockaddr *)&p->addr->ss),
    		    p->reply[p->shift].delay, (long long)interval);
    		return (0);
    	}
    	p->reply[p->shift].error = (T2 - T1) - (T3 - T4);
    	p->reply[p->shift].rcvd = getmonotime();
    	p->reply[p->shift].good = 1;
    
    	p->reply[p->shift].status.leap = (msg.status & LIMASK);
    	p->reply[p->shift].status.precision = msg.precision;
    	p->reply[p->shift].status.rootdelay = sfp_to_d(msg.rootdelay);
    	p->reply[p->shift].status.rootdispersion = sfp_to_d(msg.dispersion);
    	p->reply[p->shift].status.refid = msg.refid;
    	p->reply[p->shift].status.reftime = lfp_to_d(msg.reftime);
    	p->reply[p->shift].status.poll = msg.ppoll;
    
    	if (p->addr->ss.ss_family == AF_INET) {
    		p->reply[p->shift].status.send_refid =
    		    ((struct sockaddr_in *)&p->addr->ss)->sin_addr.s_addr;
    	} else if (p->addr->ss.ss_family == AF_INET6) {
    		MD5_CTX		context;
    		u_int8_t	digest[MD5_DIGEST_LENGTH];
    
    		MD5Init(&context);
    		MD5Update(&context, ((struct sockaddr_in6 *)&p->addr->ss)->
    		    sin6_addr.s6_addr, sizeof(struct in6_addr));
    		MD5Final(digest, &context);
    		memcpy((char *)&p->reply[p->shift].status.send_refid, digest,
    		    sizeof(u_int32_t));
    	} else
    		p->reply[p->shift].status.send_refid = msg.xmttime.fractionl;
    
    	p->state = STATE_REPLY_RECEIVED;
    
    	/* every received reply which we do not discard increases trust */
    	if (p->trustlevel < TRUSTLEVEL_MAX) {
    		if (p->trustlevel < TRUSTLEVEL_BADPEER &&
    		    p->trustlevel + 1 >= TRUSTLEVEL_BADPEER)
    			log_info("peer %s now valid",
    			    log_sockaddr((struct sockaddr *)&p->addr->ss));
    		p->trustlevel++;
    	}
    
    	offset = p->reply[p->shift].offset;
    	delay = p->reply[p->shift].delay;
    
    	client_update(p);
    	if (settime) {
    		if (automatic)
    			handle_auto(p->trusted, p->reply[p->shift].offset);
    		else
    			priv_settime(p->reply[p->shift].offset, "");
    	}
    
    	if (p->trustlevel < TRUSTLEVEL_PATHETIC)
    		interval = scale_interval(INTERVAL_QUERY_PATHETIC);
    	else if (p->trustlevel < TRUSTLEVEL_AGGRESSIVE)
    		interval = (conf->settime && conf->automatic) ?
    		    INTERVAL_QUERY_ULTRA_VIOLENCE :
    		    scale_interval(INTERVAL_QUERY_AGGRESSIVE);
    	else
    		interval = scale_interval(INTERVAL_QUERY_NORMAL);
    
    	log_debug("reply from %s: offset %f delay %f, "
    	    "next query %llds",
    	    log_sockaddr((struct sockaddr *)&p->addr->ss),
    	    offset, delay,
    	    (long long)interval);
    
    	set_next(p, interval);
    
    	if (++p->shift >= OFFSET_ARRAY_SIZE)
    		p->shift = 0;
    
    	return (1);
    }
    
    int
    client_update(struct ntp_peer *p)
    {
    	int	shift, best = -1, good = 0;
    
    	/*
    	 * clock filter
    	 * find the offset which arrived with the lowest delay
    	 * use that as the peer update
    	 * invalidate it and all older ones
    	 */
    
    	for (shift = 0; shift < OFFSET_ARRAY_SIZE; shift++)
    		if (p->reply[shift].good) {
    			good++;
    			if (best == -1 ||
    			    p->reply[shift].delay < p->reply[best].delay)
    				best = shift;
    		}
    
    	if (best == -1 || good < 8)
    		return (-1);
    
    	p->update = p->reply[best];
    	if (priv_adjtime() == 0) {
    		for (shift = 0; shift < OFFSET_ARRAY_SIZE; shift++)
    			if (p->reply[shift].rcvd <= p->reply[best].rcvd)
    				p->reply[shift].good = 0;
    	}
    	return (0);
    }
    
    void
    client_log_error(struct ntp_peer *peer, const char *operation, int error)
    {
    	const char *address;
    
    	address = log_sockaddr((struct sockaddr *)&peer->addr->ss);
    	if (peer->lasterror == error) {
    		log_debug("%s %s: %s", operation, address, strerror(error));
    		return;
    	}
    	peer->lasterror = error;
    	log_warn("%s %s", operation, address);
    }