void
test_GenerateAuthenticatedPacket(void)
{
static const int EXPECTED_PKTLEN = LEN_PKT_NOMAC + MAX_MD5_LEN;
struct key testkey;
struct pkt testpkt;
struct timeval xmt;
l_fp expected_xmt, actual_xmt;
char expected_mac[MAX_MD5_LEN];
testkey.next = NULL;
testkey.key_id = 30;
testkey.key_len = 9;
memcpy(testkey.key_seq, "123456789", testkey.key_len);
strlcpy(testkey.typen, "MD5", sizeof(testkey.typen));
testkey.typei = keytype_from_text(testkey.typen, NULL);
GETTIMEOFDAY(&xmt, NULL);
xmt.tv_sec += JAN_1970;
TEST_ASSERT_EQUAL(EXPECTED_PKTLEN,
generate_pkt(&testpkt, &xmt, testkey.key_id, &testkey));
TEST_ASSERT_EQUAL(LEAP_NOTINSYNC, PKT_LEAP(testpkt.li_vn_mode));
TEST_ASSERT_EQUAL(NTP_VERSION, PKT_VERSION(testpkt.li_vn_mode));
TEST_ASSERT_EQUAL(MODE_CLIENT, PKT_MODE(testpkt.li_vn_mode));
TEST_ASSERT_EQUAL(STRATUM_UNSPEC, PKT_TO_STRATUM(testpkt.stratum));
TEST_ASSERT_EQUAL(8, testpkt.ppoll);
TVTOTS(&xmt, &expected_xmt);
NTOHL_FP(&testpkt.xmt, &actual_xmt);
TEST_ASSERT_TRUE(LfpEquality(expected_xmt, actual_xmt));
TEST_ASSERT_EQUAL(testkey.key_id, ntohl(testpkt.exten[0]));
TEST_ASSERT_EQUAL(MAX_MD5_LEN - 4, /* Remove the key_id, only keep the mac. */
make_mac(&testpkt, LEN_PKT_NOMAC, MAX_MD5_LEN-4, &testkey, expected_mac));
TEST_ASSERT_EQUAL_MEMORY(expected_mac, (char*)&testpkt.exten[1], MAX_MD5_LEN -4);
}
TEST_F(mainTest, GenerateUnauthenticatedPacket) {
pkt testpkt;
timeval xmt;
GETTIMEOFDAY(&xmt, NULL);
xmt.tv_sec += JAN_1970;
EXPECT_EQ(LEN_PKT_NOMAC,
generate_pkt(&testpkt, &xmt, 0, NULL));
EXPECT_EQ(LEAP_NOTINSYNC, PKT_LEAP(testpkt.li_vn_mode));
EXPECT_EQ(NTP_VERSION, PKT_VERSION(testpkt.li_vn_mode));
EXPECT_EQ(MODE_CLIENT, PKT_MODE(testpkt.li_vn_mode));
EXPECT_EQ(STRATUM_UNSPEC, PKT_TO_STRATUM(testpkt.stratum));
EXPECT_EQ(8, testpkt.ppoll);
l_fp expected_xmt, actual_xmt;
TVTOTS(&xmt, &expected_xmt);
NTOHL_FP(&testpkt.xmt, &actual_xmt);
EXPECT_TRUE(LfpEquality(expected_xmt, actual_xmt));
}
TEST_F(mainTest, GenerateAuthenticatedPacket) {
key testkey;
testkey.next = NULL;
testkey.key_id = 30;
testkey.key_len = 9;
memcpy(testkey.key_seq, "123456789", testkey.key_len);
memcpy(testkey.type, "MD5", 3);
pkt testpkt;
timeval xmt;
GETTIMEOFDAY(&xmt, NULL);
xmt.tv_sec += JAN_1970;
const int EXPECTED_PKTLEN = LEN_PKT_NOMAC + MAX_MD5_LEN;
EXPECT_EQ(EXPECTED_PKTLEN,
generate_pkt(&testpkt, &xmt, testkey.key_id, &testkey));
EXPECT_EQ(LEAP_NOTINSYNC, PKT_LEAP(testpkt.li_vn_mode));
EXPECT_EQ(NTP_VERSION, PKT_VERSION(testpkt.li_vn_mode));
EXPECT_EQ(MODE_CLIENT, PKT_MODE(testpkt.li_vn_mode));
EXPECT_EQ(STRATUM_UNSPEC, PKT_TO_STRATUM(testpkt.stratum));
EXPECT_EQ(8, testpkt.ppoll);
l_fp expected_xmt, actual_xmt;
TVTOTS(&xmt, &expected_xmt);
NTOHL_FP(&testpkt.xmt, &actual_xmt);
EXPECT_TRUE(LfpEquality(expected_xmt, actual_xmt));
EXPECT_EQ(testkey.key_id, ntohl(testpkt.exten[0]));
char expected_mac[MAX_MD5_LEN];
ASSERT_EQ(MAX_MD5_LEN - 4, // Remove the key_id, only keep the mac.
make_mac((char*)&testpkt, LEN_PKT_NOMAC, MAX_MD5_LEN, &testkey, expected_mac));
EXPECT_TRUE(memcmp(expected_mac, (char*)&testpkt.exten[1], MAX_MD5_LEN -4) == 0);
}
void
test_GenerateUnauthenticatedPacket(void)
{
struct pkt testpkt;
struct timeval xmt;
l_fp expected_xmt, actual_xmt;
GETTIMEOFDAY(&xmt, NULL);
xmt.tv_sec += JAN_1970;
TEST_ASSERT_EQUAL(LEN_PKT_NOMAC,
generate_pkt(&testpkt, &xmt, 0, NULL));
TEST_ASSERT_EQUAL(LEAP_NOTINSYNC, PKT_LEAP(testpkt.li_vn_mode));
TEST_ASSERT_EQUAL(NTP_VERSION, PKT_VERSION(testpkt.li_vn_mode));
TEST_ASSERT_EQUAL(MODE_CLIENT, PKT_MODE(testpkt.li_vn_mode));
TEST_ASSERT_EQUAL(STRATUM_UNSPEC, PKT_TO_STRATUM(testpkt.stratum));
TEST_ASSERT_EQUAL(8, testpkt.ppoll);
TVTOTS(&xmt, &expected_xmt);
NTOHL_FP(&testpkt.xmt, &actual_xmt);
TEST_ASSERT_TRUE(LfpEquality(expected_xmt, actual_xmt));
}
void
offset_calculation (
struct pkt *rpkt,
int rpktl,
struct timeval *tv_dst,
double *offset,
double *precision,
double *root_dispersion
)
{
l_fp p_rec, p_xmt, p_ref, p_org, tmp, dst;
u_fp p_rdly, p_rdsp;
double t21, t34, delta;
/* Convert timestamps from network to host byte order */
p_rdly = NTOHS_FP(rpkt->rootdelay);
p_rdsp = NTOHS_FP(rpkt->rootdisp);
NTOHL_FP(&rpkt->reftime, &p_ref);
NTOHL_FP(&rpkt->org, &p_org);
NTOHL_FP(&rpkt->rec, &p_rec);
NTOHL_FP(&rpkt->xmt, &p_xmt);
*precision = LOGTOD(rpkt->precision);
#ifdef DEBUG
printf("sntp precision: %f\n", *precision);
#endif /* DEBUG */
*root_dispersion = FPTOD(p_rdsp);
#ifdef DEBUG
printf("sntp rootdelay: %f\n", FPTOD(p_rdly));
printf("sntp rootdisp: %f\n", *root_dispersion);
pkt_output(rpkt, rpktl, stdout);
printf("sntp offset_calculation: rpkt->reftime:\n");
l_fp_output(&(rpkt->reftime), stdout);
printf("sntp offset_calculation: rpkt->org:\n");
l_fp_output(&(rpkt->org), stdout);
printf("sntp offset_calculation: rpkt->rec:\n");
l_fp_output(&(rpkt->rec), stdout);
printf("sntp offset_calculation: rpkt->rec:\n");
l_fp_output_bin(&(rpkt->rec), stdout);
printf("sntp offset_calculation: rpkt->rec:\n");
l_fp_output_dec(&(rpkt->rec), stdout);
printf("sntp offset_calculation: rpkt->xmt:\n");
l_fp_output(&(rpkt->xmt), stdout);
#endif
/* Compute offset etc. */
tmp = p_rec;
L_SUB(&tmp, &p_org);
LFPTOD(&tmp, t21);
TVTOTS(tv_dst, &dst);
dst.l_ui += JAN_1970;
tmp = p_xmt;
L_SUB(&tmp, &dst);
LFPTOD(&tmp, t34);
*offset = (t21 + t34) / 2.;
delta = t21 - t34;
if (ENABLED_OPT(NORMALVERBOSE))
printf("sntp offset_calculation:\tt21: %.6f\t\t t34: %.6f\n\t\tdelta: %.6f\t offset: %.6f\n",
t21, t34, delta, *offset);
}
void
offset_calculation(
struct pkt *rpkt,
int rpktl,
struct timeval *tv_dst,
double *offset,
double *precision,
double *synch_distance
)
{
l_fp p_rec, p_xmt, p_ref, p_org, tmp, dst;
u_fp p_rdly, p_rdsp;
double t21, t34, delta;
/* Convert timestamps from network to host byte order */
p_rdly = NTOHS_FP(rpkt->rootdelay);
p_rdsp = NTOHS_FP(rpkt->rootdisp);
NTOHL_FP(&rpkt->reftime, &p_ref);
NTOHL_FP(&rpkt->org, &p_org);
NTOHL_FP(&rpkt->rec, &p_rec);
NTOHL_FP(&rpkt->xmt, &p_xmt);
*precision = LOGTOD(rpkt->precision);
TRACE(3, ("offset_calculation: LOGTOD(rpkt->precision): %f\n", *precision));
/* Compute offset etc. */
tmp = p_rec;
L_SUB(&tmp, &p_org);
LFPTOD(&tmp, t21);
TVTOTS(tv_dst, &dst);
dst.l_ui += JAN_1970;
tmp = p_xmt;
L_SUB(&tmp, &dst);
LFPTOD(&tmp, t34);
*offset = (t21 + t34) / 2.;
delta = t21 - t34;
// synch_distance is:
// (peer->delay + peer->rootdelay) / 2 + peer->disp
// + peer->rootdisp + clock_phi * (current_time - peer->update)
// + peer->jitter;
//
// and peer->delay = fabs(peer->offset - p_offset) * 2;
// and peer->offset needs history, so we're left with
// p_offset = (t21 + t34) / 2.;
// peer->disp = 0; (we have no history to augment this)
// clock_phi = 15e-6;
// peer->jitter = LOGTOD(sys_precision); (we have no history to augment this)
// and ntp_proto.c:set_sys_tick_precision() should get us sys_precision.
//
// so our answer seems to be:
//
// (fabs(t21 + t34) + peer->rootdelay) / 3.
// + 0 (peer->disp)
// + peer->rootdisp
// + 15e-6 (clock_phi)
// + LOGTOD(sys_precision)
INSIST( FPTOD(p_rdly) >= 0. );
#if 1
*synch_distance = (fabs(t21 + t34) + FPTOD(p_rdly)) / 3.
+ 0.
+ FPTOD(p_rdsp)
+ 15e-6
+ 0. /* LOGTOD(sys_precision) when we can get it */
;
INSIST( *synch_distance >= 0. );
#else
*synch_distance = (FPTOD(p_rdly) + FPTOD(p_rdsp))/2.0;
#endif
#ifdef DEBUG
if (debug > 3) {
printf("sntp rootdelay: %f\n", FPTOD(p_rdly));
printf("sntp rootdisp: %f\n", FPTOD(p_rdsp));
printf("sntp syncdist: %f\n", *synch_distance);
pkt_output(rpkt, rpktl, stdout);
printf("sntp offset_calculation: rpkt->reftime:\n");
l_fp_output(&p_ref, stdout);
printf("sntp offset_calculation: rpkt->org:\n");
l_fp_output(&p_org, stdout);
printf("sntp offset_calculation: rpkt->rec:\n");
l_fp_output(&p_rec, stdout);
printf("sntp offset_calculation: rpkt->xmt:\n");
l_fp_output(&p_xmt, stdout);
}
#endif
TRACE(3, ("sntp offset_calculation:\trec - org t21: %.6f\n"
"\txmt - dst t34: %.6f\tdelta: %.6f\toffset: %.6f\n",
t21, t34, delta, *offset));
return;
}
/*
** Check if it's data for us and whether it's useable or not.
**
** If not, return a failure code so we can delete this server from our list
** and continue with another one.
*/
int
process_pkt (
struct pkt *rpkt,
sockaddr_u *sender,
int pkt_len,
int mode,
struct pkt *spkt,
const char * func_name
)
{
u_int key_id;
struct key * pkt_key;
int is_authentic;
int mac_size;
u_int exten_len;
u_int32 * exten_end;
u_int32 * packet_end;
l_fp sent_xmt;
l_fp resp_org;
// key_id = 0;
pkt_key = NULL;
is_authentic = (HAVE_OPT(AUTHENTICATION)) ? 0 : -1;
/*
* Parse the extension field if present. We figure out whether
* an extension field is present by measuring the MAC size. If
* the number of words following the packet header is 0, no MAC
* is present and the packet is not authenticated. If 1, the
* packet is a crypto-NAK; if 3, the packet is authenticated
* with DES; if 5, the packet is authenticated with MD5; if 6,
* the packet is authenticated with SHA. If 2 or 4, the packet
* is a runt and discarded forthwith. If greater than 6, an
* extension field is present, so we subtract the length of the
* field and go around again.
*/
if (pkt_len < (int)LEN_PKT_NOMAC || (pkt_len & 3) != 0) {
msyslog(LOG_ERR,
"%s: Incredible packet length: %d. Discarding.",
func_name, pkt_len);
return PACKET_UNUSEABLE;
}
/* HMS: the following needs a bit of work */
/* Note: pkt_len must be a multiple of 4 at this point! */
packet_end = (void*)((char*)rpkt + pkt_len);
exten_end = skip_efields(rpkt->exten, packet_end);
if (NULL == exten_end) {
msyslog(LOG_ERR,
"%s: Missing extension field. Discarding.",
func_name);
return PACKET_UNUSEABLE;
}
/* get size of MAC in cells; can be zero */
exten_len = (u_int)(packet_end - exten_end);
/* deduce action required from remaining length */
switch (exten_len) {
case 0: /* no Legacy MAC */
break;
case 1: /* crypto NAK */
/* Only if the keyID is 0 and there were no EFs */
key_id = ntohl(*exten_end);
printf("Crypto NAK = 0x%08x from %s\n", key_id, stoa(sender));
break;
case 3: /* key ID + 3DES MAC -- unsupported! */
msyslog(LOG_ERR,
"%s: Key ID + 3DES MAC is unsupported. Discarding.",
func_name);
return PACKET_UNUSEABLE;
case 5: /* key ID + MD5 MAC */
case 6: /* key ID + SHA MAC */
/*
** Look for the key used by the server in the specified
** keyfile and if existent, fetch it or else leave the
** pointer untouched
*/
key_id = ntohl(*exten_end);
get_key(key_id, &pkt_key);
if (!pkt_key) {
printf("unrecognized key ID = 0x%08x\n", key_id);
break;
}
/*
** Seems like we've got a key with matching keyid.
**
** Generate a md5sum of the packet with the key from our
** keyfile and compare those md5sums.
*/
mac_size = exten_len << 2;
if (!auth_md5(rpkt, pkt_len - mac_size,
mac_size - 4, pkt_key)) {
is_authentic = FALSE;
break;
}
/* Yay! Things worked out! */
is_authentic = TRUE;
TRACE(1, ("sntp %s: packet from %s authenticated using key id %d.\n",
func_name, stoa(sender), key_id));
break;
default:
msyslog(LOG_ERR,
"%s: Unexpected extension length: %d. Discarding.",
func_name, exten_len);
return PACKET_UNUSEABLE;
}
switch (is_authentic) {
case -1: /* unknown */
break;
case 0: /* not authentic */
return SERVER_AUTH_FAIL;
break;
case 1: /* authentic */
break;
default: /* error */
break;
}
/* Check for server's ntp version */
if (PKT_VERSION(rpkt->li_vn_mode) < NTP_OLDVERSION ||
PKT_VERSION(rpkt->li_vn_mode) > NTP_VERSION) {
msyslog(LOG_ERR,
"%s: Packet shows wrong version (%d)",
func_name, PKT_VERSION(rpkt->li_vn_mode));
return SERVER_UNUSEABLE;
}
/* We want a server to sync with */
if (PKT_MODE(rpkt->li_vn_mode) != mode &&
PKT_MODE(rpkt->li_vn_mode) != MODE_PASSIVE) {
msyslog(LOG_ERR,
"%s: mode %d stratum %d", func_name,
PKT_MODE(rpkt->li_vn_mode), rpkt->stratum);
return SERVER_UNUSEABLE;
}
/* Stratum is unspecified (0) check what's going on */
if (STRATUM_PKT_UNSPEC == rpkt->stratum) {
char *ref_char;
TRACE(1, ("%s: Stratum unspecified, going to check for KOD (stratum: %d)\n",
func_name, rpkt->stratum));
ref_char = (char *) &rpkt->refid;
TRACE(1, ("%s: Packet refid: %c%c%c%c\n", func_name,
ref_char[0], ref_char[1], ref_char[2], ref_char[3]));
/* If it's a KOD packet we'll just use the KOD information */
if (ref_char[0] != 'X') {
if (strncmp(ref_char, "DENY", 4) == 0)
return KOD_DEMOBILIZE;
if (strncmp(ref_char, "RSTR", 4) == 0)
return KOD_DEMOBILIZE;
if (strncmp(ref_char, "RATE", 4) == 0)
return KOD_RATE;
/*
** There are other interesting kiss codes which
** might be interesting for authentication.
*/
}
}
/* If the server is not synced it's not really useable for us */
if (LEAP_NOTINSYNC == PKT_LEAP(rpkt->li_vn_mode)) {
msyslog(LOG_ERR,
"%s: %s not in sync, skipping this server",
func_name, stoa(sender));
return SERVER_UNUSEABLE;
}
/*
* Decode the org timestamp and make sure we're getting a response
* to our last request, but only if we're not in broadcast mode.
*/
if (MODE_BROADCAST == mode)
return pkt_len;
if (!L_ISEQU(&rpkt->org, &spkt->xmt)) {
NTOHL_FP(&rpkt->org, &resp_org);
NTOHL_FP(&spkt->xmt, &sent_xmt);
msyslog(LOG_ERR,
"%s response org expected to match sent xmt",
stoa(sender));
msyslog(LOG_ERR, "resp org: %s", prettydate(&resp_org));
msyslog(LOG_ERR, "sent xmt: %s", prettydate(&sent_xmt));
return PACKET_UNUSEABLE;
}
return pkt_len;
}
/*
* findpeer - find and return a peer match for a received datagram in
* the peer_hash table.
*/
struct peer *
findpeer(
struct recvbuf *rbufp,
int pkt_mode,
int * action
)
{
struct peer * p;
sockaddr_u * srcadr;
u_int hash;
struct pkt * pkt;
l_fp pkt_org;
findpeer_calls++;
srcadr = &rbufp->recv_srcadr;
hash = NTP_HASH_ADDR(srcadr);
for (p = peer_hash[hash]; p != NULL; p = p->adr_link) {
if (ADDR_PORT_EQ(srcadr, &p->srcadr)) {
/*
* if the association matching rules determine
* that this is not a valid combination, then
* look for the next valid peer association.
*/
*action = MATCH_ASSOC(p->hmode, pkt_mode);
/*
* A response to our manycastclient solicitation
* might be misassociated with an ephemeral peer
* already spun for the server. If the packet's
* org timestamp doesn't match the peer's, check
* if it matches the ACST prototype peer's. If
* so it is a redundant solicitation response,
* return AM_ERR to discard it. [Bug 1762]
*/
if (MODE_SERVER == pkt_mode &&
AM_PROCPKT == *action) {
pkt = &rbufp->recv_pkt;
NTOHL_FP(&pkt->org, &pkt_org);
if (!L_ISEQU(&p->aorg, &pkt_org) &&
findmanycastpeer(rbufp))
*action = AM_ERR;
}
/*
* if an error was returned, exit back right
* here.
*/
if (*action == AM_ERR)
return NULL;
/*
* if a match is found, we stop our search.
*/
if (*action != AM_NOMATCH)
break;
}
}
/*
* If no matching association is found
*/
if (NULL == p) {
*action = MATCH_ASSOC(NO_PEER, pkt_mode);
} else if (p->dstadr != rbufp->dstadr) {
set_peerdstadr(p, rbufp->dstadr);
if (p->dstadr == rbufp->dstadr) {
DPRINTF(1, ("Changed %s local address to match response\n",
stoa(&p->srcadr)));
return findpeer(rbufp, pkt_mode, action);
}
}
return p;
}
