void test_GenerateAuthenticatedPacket(void) { static const int EXPECTED_PKTLEN = LEN_PKT_NOMAC + MAX_MD5_LEN; struct key testkey; struct pkt testpkt; struct timeval xmt; l_fp expected_xmt, actual_xmt; char expected_mac[MAX_MD5_LEN]; testkey.next = NULL; testkey.key_id = 30; testkey.key_len = 9; memcpy(testkey.key_seq, "123456789", testkey.key_len); strlcpy(testkey.typen, "MD5", sizeof(testkey.typen)); testkey.typei = keytype_from_text(testkey.typen, NULL); GETTIMEOFDAY(&xmt, NULL); xmt.tv_sec += JAN_1970; TEST_ASSERT_EQUAL(EXPECTED_PKTLEN, generate_pkt(&testpkt, &xmt, testkey.key_id, &testkey)); TEST_ASSERT_EQUAL(LEAP_NOTINSYNC, PKT_LEAP(testpkt.li_vn_mode)); TEST_ASSERT_EQUAL(NTP_VERSION, PKT_VERSION(testpkt.li_vn_mode)); TEST_ASSERT_EQUAL(MODE_CLIENT, PKT_MODE(testpkt.li_vn_mode)); TEST_ASSERT_EQUAL(STRATUM_UNSPEC, PKT_TO_STRATUM(testpkt.stratum)); TEST_ASSERT_EQUAL(8, testpkt.ppoll); TVTOTS(&xmt, &expected_xmt); NTOHL_FP(&testpkt.xmt, &actual_xmt); TEST_ASSERT_TRUE(LfpEquality(expected_xmt, actual_xmt)); TEST_ASSERT_EQUAL(testkey.key_id, ntohl(testpkt.exten[0])); TEST_ASSERT_EQUAL(MAX_MD5_LEN - 4, /* Remove the key_id, only keep the mac. */ make_mac(&testpkt, LEN_PKT_NOMAC, MAX_MD5_LEN-4, &testkey, expected_mac)); TEST_ASSERT_EQUAL_MEMORY(expected_mac, (char*)&testpkt.exten[1], MAX_MD5_LEN -4); }
TEST_F(mainTest, GenerateUnauthenticatedPacket) { pkt testpkt; timeval xmt; GETTIMEOFDAY(&xmt, NULL); xmt.tv_sec += JAN_1970; EXPECT_EQ(LEN_PKT_NOMAC, generate_pkt(&testpkt, &xmt, 0, NULL)); EXPECT_EQ(LEAP_NOTINSYNC, PKT_LEAP(testpkt.li_vn_mode)); EXPECT_EQ(NTP_VERSION, PKT_VERSION(testpkt.li_vn_mode)); EXPECT_EQ(MODE_CLIENT, PKT_MODE(testpkt.li_vn_mode)); EXPECT_EQ(STRATUM_UNSPEC, PKT_TO_STRATUM(testpkt.stratum)); EXPECT_EQ(8, testpkt.ppoll); l_fp expected_xmt, actual_xmt; TVTOTS(&xmt, &expected_xmt); NTOHL_FP(&testpkt.xmt, &actual_xmt); EXPECT_TRUE(LfpEquality(expected_xmt, actual_xmt)); }
TEST_F(mainTest, GenerateAuthenticatedPacket) { key testkey; testkey.next = NULL; testkey.key_id = 30; testkey.key_len = 9; memcpy(testkey.key_seq, "123456789", testkey.key_len); memcpy(testkey.type, "MD5", 3); pkt testpkt; timeval xmt; GETTIMEOFDAY(&xmt, NULL); xmt.tv_sec += JAN_1970; const int EXPECTED_PKTLEN = LEN_PKT_NOMAC + MAX_MD5_LEN; EXPECT_EQ(EXPECTED_PKTLEN, generate_pkt(&testpkt, &xmt, testkey.key_id, &testkey)); EXPECT_EQ(LEAP_NOTINSYNC, PKT_LEAP(testpkt.li_vn_mode)); EXPECT_EQ(NTP_VERSION, PKT_VERSION(testpkt.li_vn_mode)); EXPECT_EQ(MODE_CLIENT, PKT_MODE(testpkt.li_vn_mode)); EXPECT_EQ(STRATUM_UNSPEC, PKT_TO_STRATUM(testpkt.stratum)); EXPECT_EQ(8, testpkt.ppoll); l_fp expected_xmt, actual_xmt; TVTOTS(&xmt, &expected_xmt); NTOHL_FP(&testpkt.xmt, &actual_xmt); EXPECT_TRUE(LfpEquality(expected_xmt, actual_xmt)); EXPECT_EQ(testkey.key_id, ntohl(testpkt.exten[0])); char expected_mac[MAX_MD5_LEN]; ASSERT_EQ(MAX_MD5_LEN - 4, // Remove the key_id, only keep the mac. make_mac((char*)&testpkt, LEN_PKT_NOMAC, MAX_MD5_LEN, &testkey, expected_mac)); EXPECT_TRUE(memcmp(expected_mac, (char*)&testpkt.exten[1], MAX_MD5_LEN -4) == 0); }
void test_GenerateUnauthenticatedPacket(void) { struct pkt testpkt; struct timeval xmt; l_fp expected_xmt, actual_xmt; GETTIMEOFDAY(&xmt, NULL); xmt.tv_sec += JAN_1970; TEST_ASSERT_EQUAL(LEN_PKT_NOMAC, generate_pkt(&testpkt, &xmt, 0, NULL)); TEST_ASSERT_EQUAL(LEAP_NOTINSYNC, PKT_LEAP(testpkt.li_vn_mode)); TEST_ASSERT_EQUAL(NTP_VERSION, PKT_VERSION(testpkt.li_vn_mode)); TEST_ASSERT_EQUAL(MODE_CLIENT, PKT_MODE(testpkt.li_vn_mode)); TEST_ASSERT_EQUAL(STRATUM_UNSPEC, PKT_TO_STRATUM(testpkt.stratum)); TEST_ASSERT_EQUAL(8, testpkt.ppoll); TVTOTS(&xmt, &expected_xmt); NTOHL_FP(&testpkt.xmt, &actual_xmt); TEST_ASSERT_TRUE(LfpEquality(expected_xmt, actual_xmt)); }
void offset_calculation ( struct pkt *rpkt, int rpktl, struct timeval *tv_dst, double *offset, double *precision, double *root_dispersion ) { l_fp p_rec, p_xmt, p_ref, p_org, tmp, dst; u_fp p_rdly, p_rdsp; double t21, t34, delta; /* Convert timestamps from network to host byte order */ p_rdly = NTOHS_FP(rpkt->rootdelay); p_rdsp = NTOHS_FP(rpkt->rootdisp); NTOHL_FP(&rpkt->reftime, &p_ref); NTOHL_FP(&rpkt->org, &p_org); NTOHL_FP(&rpkt->rec, &p_rec); NTOHL_FP(&rpkt->xmt, &p_xmt); *precision = LOGTOD(rpkt->precision); #ifdef DEBUG printf("sntp precision: %f\n", *precision); #endif /* DEBUG */ *root_dispersion = FPTOD(p_rdsp); #ifdef DEBUG printf("sntp rootdelay: %f\n", FPTOD(p_rdly)); printf("sntp rootdisp: %f\n", *root_dispersion); pkt_output(rpkt, rpktl, stdout); printf("sntp offset_calculation: rpkt->reftime:\n"); l_fp_output(&(rpkt->reftime), stdout); printf("sntp offset_calculation: rpkt->org:\n"); l_fp_output(&(rpkt->org), stdout); printf("sntp offset_calculation: rpkt->rec:\n"); l_fp_output(&(rpkt->rec), stdout); printf("sntp offset_calculation: rpkt->rec:\n"); l_fp_output_bin(&(rpkt->rec), stdout); printf("sntp offset_calculation: rpkt->rec:\n"); l_fp_output_dec(&(rpkt->rec), stdout); printf("sntp offset_calculation: rpkt->xmt:\n"); l_fp_output(&(rpkt->xmt), stdout); #endif /* Compute offset etc. */ tmp = p_rec; L_SUB(&tmp, &p_org); LFPTOD(&tmp, t21); TVTOTS(tv_dst, &dst); dst.l_ui += JAN_1970; tmp = p_xmt; L_SUB(&tmp, &dst); LFPTOD(&tmp, t34); *offset = (t21 + t34) / 2.; delta = t21 - t34; if (ENABLED_OPT(NORMALVERBOSE)) printf("sntp offset_calculation:\tt21: %.6f\t\t t34: %.6f\n\t\tdelta: %.6f\t offset: %.6f\n", t21, t34, delta, *offset); }
void offset_calculation( struct pkt *rpkt, int rpktl, struct timeval *tv_dst, double *offset, double *precision, double *synch_distance ) { l_fp p_rec, p_xmt, p_ref, p_org, tmp, dst; u_fp p_rdly, p_rdsp; double t21, t34, delta; /* Convert timestamps from network to host byte order */ p_rdly = NTOHS_FP(rpkt->rootdelay); p_rdsp = NTOHS_FP(rpkt->rootdisp); NTOHL_FP(&rpkt->reftime, &p_ref); NTOHL_FP(&rpkt->org, &p_org); NTOHL_FP(&rpkt->rec, &p_rec); NTOHL_FP(&rpkt->xmt, &p_xmt); *precision = LOGTOD(rpkt->precision); TRACE(3, ("offset_calculation: LOGTOD(rpkt->precision): %f\n", *precision)); /* Compute offset etc. */ tmp = p_rec; L_SUB(&tmp, &p_org); LFPTOD(&tmp, t21); TVTOTS(tv_dst, &dst); dst.l_ui += JAN_1970; tmp = p_xmt; L_SUB(&tmp, &dst); LFPTOD(&tmp, t34); *offset = (t21 + t34) / 2.; delta = t21 - t34; // synch_distance is: // (peer->delay + peer->rootdelay) / 2 + peer->disp // + peer->rootdisp + clock_phi * (current_time - peer->update) // + peer->jitter; // // and peer->delay = fabs(peer->offset - p_offset) * 2; // and peer->offset needs history, so we're left with // p_offset = (t21 + t34) / 2.; // peer->disp = 0; (we have no history to augment this) // clock_phi = 15e-6; // peer->jitter = LOGTOD(sys_precision); (we have no history to augment this) // and ntp_proto.c:set_sys_tick_precision() should get us sys_precision. // // so our answer seems to be: // // (fabs(t21 + t34) + peer->rootdelay) / 3. // + 0 (peer->disp) // + peer->rootdisp // + 15e-6 (clock_phi) // + LOGTOD(sys_precision) INSIST( FPTOD(p_rdly) >= 0. ); #if 1 *synch_distance = (fabs(t21 + t34) + FPTOD(p_rdly)) / 3. + 0. + FPTOD(p_rdsp) + 15e-6 + 0. /* LOGTOD(sys_precision) when we can get it */ ; INSIST( *synch_distance >= 0. ); #else *synch_distance = (FPTOD(p_rdly) + FPTOD(p_rdsp))/2.0; #endif #ifdef DEBUG if (debug > 3) { printf("sntp rootdelay: %f\n", FPTOD(p_rdly)); printf("sntp rootdisp: %f\n", FPTOD(p_rdsp)); printf("sntp syncdist: %f\n", *synch_distance); pkt_output(rpkt, rpktl, stdout); printf("sntp offset_calculation: rpkt->reftime:\n"); l_fp_output(&p_ref, stdout); printf("sntp offset_calculation: rpkt->org:\n"); l_fp_output(&p_org, stdout); printf("sntp offset_calculation: rpkt->rec:\n"); l_fp_output(&p_rec, stdout); printf("sntp offset_calculation: rpkt->xmt:\n"); l_fp_output(&p_xmt, stdout); } #endif TRACE(3, ("sntp offset_calculation:\trec - org t21: %.6f\n" "\txmt - dst t34: %.6f\tdelta: %.6f\toffset: %.6f\n", t21, t34, delta, *offset)); return; }
/* ** Check if it's data for us and whether it's useable or not. ** ** If not, return a failure code so we can delete this server from our list ** and continue with another one. */ int process_pkt ( struct pkt *rpkt, sockaddr_u *sender, int pkt_len, int mode, struct pkt *spkt, const char * func_name ) { u_int key_id; struct key * pkt_key; int is_authentic; int mac_size; u_int exten_len; u_int32 * exten_end; u_int32 * packet_end; l_fp sent_xmt; l_fp resp_org; // key_id = 0; pkt_key = NULL; is_authentic = (HAVE_OPT(AUTHENTICATION)) ? 0 : -1; /* * Parse the extension field if present. We figure out whether * an extension field is present by measuring the MAC size. If * the number of words following the packet header is 0, no MAC * is present and the packet is not authenticated. If 1, the * packet is a crypto-NAK; if 3, the packet is authenticated * with DES; if 5, the packet is authenticated with MD5; if 6, * the packet is authenticated with SHA. If 2 or 4, the packet * is a runt and discarded forthwith. If greater than 6, an * extension field is present, so we subtract the length of the * field and go around again. */ if (pkt_len < (int)LEN_PKT_NOMAC || (pkt_len & 3) != 0) { msyslog(LOG_ERR, "%s: Incredible packet length: %d. Discarding.", func_name, pkt_len); return PACKET_UNUSEABLE; } /* HMS: the following needs a bit of work */ /* Note: pkt_len must be a multiple of 4 at this point! */ packet_end = (void*)((char*)rpkt + pkt_len); exten_end = skip_efields(rpkt->exten, packet_end); if (NULL == exten_end) { msyslog(LOG_ERR, "%s: Missing extension field. Discarding.", func_name); return PACKET_UNUSEABLE; } /* get size of MAC in cells; can be zero */ exten_len = (u_int)(packet_end - exten_end); /* deduce action required from remaining length */ switch (exten_len) { case 0: /* no Legacy MAC */ break; case 1: /* crypto NAK */ /* Only if the keyID is 0 and there were no EFs */ key_id = ntohl(*exten_end); printf("Crypto NAK = 0x%08x from %s\n", key_id, stoa(sender)); break; case 3: /* key ID + 3DES MAC -- unsupported! */ msyslog(LOG_ERR, "%s: Key ID + 3DES MAC is unsupported. Discarding.", func_name); return PACKET_UNUSEABLE; case 5: /* key ID + MD5 MAC */ case 6: /* key ID + SHA MAC */ /* ** Look for the key used by the server in the specified ** keyfile and if existent, fetch it or else leave the ** pointer untouched */ key_id = ntohl(*exten_end); get_key(key_id, &pkt_key); if (!pkt_key) { printf("unrecognized key ID = 0x%08x\n", key_id); break; } /* ** Seems like we've got a key with matching keyid. ** ** Generate a md5sum of the packet with the key from our ** keyfile and compare those md5sums. */ mac_size = exten_len << 2; if (!auth_md5(rpkt, pkt_len - mac_size, mac_size - 4, pkt_key)) { is_authentic = FALSE; break; } /* Yay! Things worked out! */ is_authentic = TRUE; TRACE(1, ("sntp %s: packet from %s authenticated using key id %d.\n", func_name, stoa(sender), key_id)); break; default: msyslog(LOG_ERR, "%s: Unexpected extension length: %d. Discarding.", func_name, exten_len); return PACKET_UNUSEABLE; } switch (is_authentic) { case -1: /* unknown */ break; case 0: /* not authentic */ return SERVER_AUTH_FAIL; break; case 1: /* authentic */ break; default: /* error */ break; } /* Check for server's ntp version */ if (PKT_VERSION(rpkt->li_vn_mode) < NTP_OLDVERSION || PKT_VERSION(rpkt->li_vn_mode) > NTP_VERSION) { msyslog(LOG_ERR, "%s: Packet shows wrong version (%d)", func_name, PKT_VERSION(rpkt->li_vn_mode)); return SERVER_UNUSEABLE; } /* We want a server to sync with */ if (PKT_MODE(rpkt->li_vn_mode) != mode && PKT_MODE(rpkt->li_vn_mode) != MODE_PASSIVE) { msyslog(LOG_ERR, "%s: mode %d stratum %d", func_name, PKT_MODE(rpkt->li_vn_mode), rpkt->stratum); return SERVER_UNUSEABLE; } /* Stratum is unspecified (0) check what's going on */ if (STRATUM_PKT_UNSPEC == rpkt->stratum) { char *ref_char; TRACE(1, ("%s: Stratum unspecified, going to check for KOD (stratum: %d)\n", func_name, rpkt->stratum)); ref_char = (char *) &rpkt->refid; TRACE(1, ("%s: Packet refid: %c%c%c%c\n", func_name, ref_char[0], ref_char[1], ref_char[2], ref_char[3])); /* If it's a KOD packet we'll just use the KOD information */ if (ref_char[0] != 'X') { if (strncmp(ref_char, "DENY", 4) == 0) return KOD_DEMOBILIZE; if (strncmp(ref_char, "RSTR", 4) == 0) return KOD_DEMOBILIZE; if (strncmp(ref_char, "RATE", 4) == 0) return KOD_RATE; /* ** There are other interesting kiss codes which ** might be interesting for authentication. */ } } /* If the server is not synced it's not really useable for us */ if (LEAP_NOTINSYNC == PKT_LEAP(rpkt->li_vn_mode)) { msyslog(LOG_ERR, "%s: %s not in sync, skipping this server", func_name, stoa(sender)); return SERVER_UNUSEABLE; } /* * Decode the org timestamp and make sure we're getting a response * to our last request, but only if we're not in broadcast mode. */ if (MODE_BROADCAST == mode) return pkt_len; if (!L_ISEQU(&rpkt->org, &spkt->xmt)) { NTOHL_FP(&rpkt->org, &resp_org); NTOHL_FP(&spkt->xmt, &sent_xmt); msyslog(LOG_ERR, "%s response org expected to match sent xmt", stoa(sender)); msyslog(LOG_ERR, "resp org: %s", prettydate(&resp_org)); msyslog(LOG_ERR, "sent xmt: %s", prettydate(&sent_xmt)); return PACKET_UNUSEABLE; } return pkt_len; }
/* * findpeer - find and return a peer match for a received datagram in * the peer_hash table. */ struct peer * findpeer( struct recvbuf *rbufp, int pkt_mode, int * action ) { struct peer * p; sockaddr_u * srcadr; u_int hash; struct pkt * pkt; l_fp pkt_org; findpeer_calls++; srcadr = &rbufp->recv_srcadr; hash = NTP_HASH_ADDR(srcadr); for (p = peer_hash[hash]; p != NULL; p = p->adr_link) { if (ADDR_PORT_EQ(srcadr, &p->srcadr)) { /* * if the association matching rules determine * that this is not a valid combination, then * look for the next valid peer association. */ *action = MATCH_ASSOC(p->hmode, pkt_mode); /* * A response to our manycastclient solicitation * might be misassociated with an ephemeral peer * already spun for the server. If the packet's * org timestamp doesn't match the peer's, check * if it matches the ACST prototype peer's. If * so it is a redundant solicitation response, * return AM_ERR to discard it. [Bug 1762] */ if (MODE_SERVER == pkt_mode && AM_PROCPKT == *action) { pkt = &rbufp->recv_pkt; NTOHL_FP(&pkt->org, &pkt_org); if (!L_ISEQU(&p->aorg, &pkt_org) && findmanycastpeer(rbufp)) *action = AM_ERR; } /* * if an error was returned, exit back right * here. */ if (*action == AM_ERR) return NULL; /* * if a match is found, we stop our search. */ if (*action != AM_NOMATCH) break; } } /* * If no matching association is found */ if (NULL == p) { *action = MATCH_ASSOC(NO_PEER, pkt_mode); } else if (p->dstadr != rbufp->dstadr) { set_peerdstadr(p, rbufp->dstadr); if (p->dstadr == rbufp->dstadr) { DPRINTF(1, ("Changed %s local address to match response\n", stoa(&p->srcadr))); return findpeer(rbufp, pkt_mode, action); } } return p; }