[Git][NTPsec/ntpsec][master] 5 commits: Add ntp_random64
Hal Murray
gitlab at mg.gitlab.com
Wed Jul 11 04:28:51 UTC 2018
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
3aca5b79 by Hal Murray at 2018-07-09T01:12:02Z
Add ntp_random64
- - - - -
ec804bc4 by Hal Murray at 2018-07-09T05:50:36Z
Cleanup peer_xmit - should be no visible change
- - - - -
a745d41a by Hal Murray at 2018-07-09T07:25:23Z
First cut at data minimization
Still sends valid time in pkt->xmt
Other fields are hidden as per draft spec.
- - - - -
60fe3b92 by Hal Murray at 2018-07-09T11:18:40Z
Rest of data minimization
randomize transmit timestamp
- - - - -
fb105e4e by Hal Murray at 2018-07-10T10:46:48Z
Update NEWS: CMAC authentication, data minimization
- - - - -
6 changed files:
- NEWS
- include/ntp.h
- libntp/ntp_random.c
- ntpd/ntp_proto.c
- ntpd/ntp_refclock.c
- ntpd/ntp_util.c
Changes:
=====================================
NEWS
=====================================
@@ -12,6 +12,12 @@ on user-visible changes.
== Repository Head ==
+Use data minimization on client requests
+ https://datatracker.ietf.org/doc/draft-ietf-ntp-data-minimization/
+
+Support AES-128-CMAC for authentication
+ https://datatracker.ietf.org/doc/draft-ietf-ntp-mac/
+
== 2018-06-11: 1.1.1 ==
Log timestamps now include the year. This is useful when
=====================================
include/ntp.h
=====================================
@@ -16,6 +16,7 @@
#include "ntp_net.h"
extern int32_t ntp_random (void);
+extern uint64_t ntp_random64 (void);
/*
* Calendar arithmetic - contributed by G. Healton
@@ -278,7 +279,8 @@ struct peer {
l_fp rec; /* receive time stamp */
l_fp xmt; /* transmit time stamp */
l_fp dst; /* destination timestamp */
- l_fp org; /* origin timestamp */
+ l_fp org_ts; /* origin real-timestamp */
+ l_fp org_rand; /* origin pseudo-timestamp */
double offset; /* peer clock offset */
double delay; /* peer roundtrip delay */
double jitter; /* peer jitter (squares) */
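Review bot: The comment on the new `org_rand` field, `origin pseudo-timestamp`, does not tell a reader of the header how it differs from `org_ts` or what it is on the wire; elsewhere in this push the value is sent in the request's `xmt` and the reply's `org` is compared against it, while `org_ts` feeds the offset arithmetic. Suggest `l_fp org_rand; /* sent in xmt; reply's org must match (random in minimized mode) */` and `l_fp org_ts; /* local time the request went out; used for offset calc */`. struct peer begins and ends outside this hunk.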
=====================================
libntp/ntp_random.c
=====================================
@@ -29,3 +29,17 @@ ntp_random(void)
}
return rnd;
}
+
+uint64_t
+ntp_random64(void)
+{
+ int err;
+ uint64_t rnd;
+ err = RAND_bytes((unsigned char *)&rnd, sizeof(rnd));
+ if (1 != err) {
+ msyslog(LOG_ERR, "ERR: ntp_random - RAND_bytes failed");
+ exit(1);
+ }
+ return rnd;
+}
+
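Review bot: The failure message in the new function still names the old one, `ERR: ntp_random - RAND_bytes failed`, so a RAND_bytes failure in the 64-bit variant would be logged as coming from ntp_random; change it to `msyslog(LOG_ERR, "ERR: ntp_random64 - RAND_bytes failed");`. `err` is used exactly once, so the call and the test can be folded into `if (1 != RAND_bytes((unsigned char *)&rnd, sizeof(rnd))) {`, which also reads the same as the surrounding style. The last added line is an empty line at end of file and can be dropped.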
=====================================
ntpd/ntp_proto.c
=====================================
@@ -494,7 +494,7 @@ handle_procpkt(
peer->flash |= BOGON3;
peer->bogusorg++;
return;
- } else if(rbufp->pkt.org != peer->org) {
+ } else if(rbufp->pkt.org != peer->org_rand) {
peer->flash |= BOGON2;
peer->bogusorg++;
return;
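Review bot: The comparison against `peer->org_rand` is now the only thing tying a reply to the outstanding request, and nothing in this hunk retires the value once a reply matches; if handle_procpkt does not invalidate `peer->org_rand` after the packet is accepted (that code is outside the hunk), an identical copy of the same response would pass this check again until the next peer_xmit refreshes it. If that reset is indeed missing, clearing `peer->org_rand` right after a successful match closes it, provided the zero case is already rejected by the BOGON3 test just above. handle_procpkt begins and ends outside this hunk.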
@@ -550,9 +550,9 @@ handle_procpkt(
scalbn((double)(rbufp->pkt.xmt - rbufp->recv_time), -32) :
-scalbn((double)(rbufp->recv_time - rbufp->pkt.xmt), -32);
const double t21 =
- (rbufp->pkt.rec >= peer->org) ?
- scalbn((double)(rbufp->pkt.rec - peer->org), -32) :
- -scalbn((double)(peer->org - rbufp->pkt.rec), -32);
+ (rbufp->pkt.rec >= peer->org_ts) ?
+ scalbn((double)(rbufp->pkt.rec - peer->org_ts), -32) :
+ -scalbn((double)(peer->org_ts - rbufp->pkt.rec), -32);
const double theta = (t21 + t34) / 2.;
const double delta = fabs(t21 - t34);
const double epsilon = LOGTOD(sys_vars.sys_precision) +
@@ -2049,87 +2049,82 @@ root_distance(
/*
- * peer_xmit - send packet for persistent association.
+ * peer_xmit - send client-mode packet for persistent association.
*/
static void
peer_xmit(
struct peer *peer /* peer structure pointer */
)
{
- struct pkt xpkt; /* transmit packet */
- size_t sendlen, authlen;
- auth_info *auth; /* !NULL for authentication */
- l_fp xmt_tx;
+ struct pkt xpkt; /* transmit packet */
+ unsigned int sendlen;
- if (!peer->dstadr) /* drop peers without interface */
+ if (!peer->dstadr) /* drop peers without interface */
return;
- xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_vars.sys_leap, peer->cfg.version,
- peer->hmode);
- xpkt.stratum = STRATUM_TO_PKT(sys_vars.sys_stratum);
- xpkt.ppoll = peer->hpoll;
- xpkt.precision = sys_vars.sys_precision;
- xpkt.refid = sys_vars.sys_refid;
- xpkt.rootdelay = HTONS_FP(DTOUFP(sys_vars.sys_rootdelay));
- xpkt.rootdisp = HTONS_FP(DTOUFP(sys_vars.sys_rootdisp));
- xpkt.reftime = htonl_fp(sys_vars.sys_reftime);
- xpkt.org = htonl_fp(peer->xmt);
- xpkt.rec = htonl_fp(peer->dst);
-
- /*
- * If the peer (aka server) was configured with a key, authenticate
- * the packet. Else, the packet is not authenticated.
- */
sendlen = LEN_PKT_NOMAC;
- if (peer->cfg.peerkey == 0) {
- /*
- * Transmit a-priori timestamps. This is paired with
- * a later call used to record transmission time.
+ if (NTP_VERSION == peer->cfg.version) {
+ /* Hide most of info for privacy
+ * RFC in progress - draft-ietf-ntp-data-minimization, 2018-Jul-07
*/
- get_systime(&xmt_tx);
- peer->org = xmt_tx;
- xpkt.xmt = htonl_fp(xmt_tx);
- sendpkt(&peer->srcadr, peer->dstadr, &xpkt, (int)sendlen);
- peer->sent++;
- peer->outcount++;
- peer->throttle += (1 << peer->cfg.minpoll) - 2;
-
- DPRINT(1, ("transmit: at %u %s->%s mode %d len %zu\n",
- current_time, peer->dstadr ?
- socktoa(&peer->dstadr->sin) : "-",
- socktoa(&peer->srcadr), peer->hmode, sendlen));
- return;
+ xpkt.li_vn_mode = PKT_LI_VN_MODE(
+ LEAP_NOWARNING, peer->cfg.version, MODE_CLIENT);
+ xpkt.stratum = 0;
+ xpkt.ppoll = 0;
+ xpkt.precision = 0x20;
+ xpkt.refid = 0;
+ xpkt.rootdelay = 0;
+ xpkt.rootdisp = 0;
+ xpkt.reftime = htonl_fp(0);
+ xpkt.org = htonl_fp(0);
+ xpkt.rec = htonl_fp(0);
+ peer->org_rand = ntp_random64();
+ get_systime(&peer->org_ts); /* as late as possible */
+ } else {
+ xpkt.li_vn_mode = PKT_LI_VN_MODE(
+ sys_vars.sys_leap, peer->cfg.version, peer->hmode);
+ xpkt.stratum = STRATUM_TO_PKT(sys_vars.sys_stratum);
+ xpkt.ppoll = peer->hpoll;
+ xpkt.precision = sys_vars.sys_precision;
+ xpkt.refid = sys_vars.sys_refid;
+ xpkt.rootdelay = HTONS_FP(DTOUFP(sys_vars.sys_rootdelay));
+ xpkt.rootdisp = HTONS_FP(DTOUFP(sys_vars.sys_rootdisp));
+ xpkt.reftime = htonl_fp(sys_vars.sys_reftime);
+ xpkt.org = htonl_fp(peer->xmt);
+ xpkt.rec = htonl_fp(peer->dst);
+ get_systime(&peer->org_ts); /* as late as possible */
+ peer->org_rand = peer->org_ts;
}
- /*
- * Authentication is enabled, so the transmitted packet must be
- * authenticated.
-` */
+ xpkt.xmt = htonl_fp(peer->org_rand); /* out in xmt, back in org */
+
/*
- * Transmit a-priori timestamps
+ * If the peer (aka server) was configured with a key, authenticate
+ * the packet. Else, the packet is not authenticated.
*/
- get_systime(&xmt_tx);
- peer->org = xmt_tx;
- xpkt.xmt = htonl_fp(xmt_tx);
- auth = authlookup(peer->cfg.peerkey, true);
- if (NULL == auth) {
- report_event(PEVNT_AUTH, peer, "no key");
- peer->flash |= BOGON5; /* auth error */
- peer->badauth++;
- return;
- }
- authlen = (size_t)authencrypt(auth, (uint32_t *)&xpkt, (int)sendlen);
- sendlen += authlen;
- if (sendlen > sizeof(xpkt)) {
- msyslog(LOG_ERR, "PROTO: buffer overflow %zu", sendlen);
- exit(1);
+ if (0 != peer->cfg.peerkey) {
+ auth_info *auth = authlookup(peer->cfg.peerkey, true);
+ if (NULL == auth) {
+ report_event(PEVNT_AUTH, peer, "no key");
+ peer->flash |= BOGON5; /* auth error */
+ peer->badauth++;
+ return;
+ }
+ /* Maybe bump peer->org_ts to account for crypto time */
+ sendlen += authencrypt(auth, (uint32_t *)&xpkt, sendlen);
+ if (sendlen > sizeof(xpkt)) {
+ msyslog(LOG_ERR, "PROTO: buffer overflow %u", sendlen);
+ exit(1);
+ }
}
- sendpkt(&peer->srcadr, peer->dstadr, &xpkt, (int)sendlen);
+
+ sendpkt(&peer->srcadr, peer->dstadr, &xpkt, sendlen);
+
peer->sent++;
peer->outcount++;
peer->throttle += (1 << peer->cfg.minpoll) - 2;
- DPRINT(1, ("transmit: at %u %s->%s mode %d keyid %08x len %zu\n",
+ DPRINT(1, ("transmit: at %u %s->%s mode %d keyid %08x len %u\n",
current_time, peer->dstadr ?
socktoa(&peer->dstadr->sin) : "-",
socktoa(&peer->srcadr), peer->hmode,
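Review bot: The `sendlen > sizeof(xpkt)` test on the new side runs only after `authencrypt` has already written the MAC into `xpkt`, so it detects an overrun it cannot prevent — unless authencrypt bounds its own write, which this hunk does not show; checking the expected MAC length against `sizeof(xpkt) - sendlen` before the call, or passing the remaining space into authencrypt, would make the guard effective. `sendlen` also changed from `size_t` to `unsigned int` and is now handed unconverted to `authencrypt` and `sendpkt`, where the old code cast to `int`; confirm both prototypes take it without a sign-conversion warning. In the minimized branch `li_vn_mode` is built with `MODE_CLIENT` while the DPRINT still reports `peer->hmode`; if peer_xmit can still be reached with another hmode, the packet and the log would disagree. The DPRINT arguments and the closing brace of peer_xmit lie outside this hunk.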
=====================================
ntpd/ntp_refclock.c
=====================================
@@ -532,7 +532,7 @@ refclock_receive(
}
peer->reach |= 1;
peer->reftime = pp->lastref;
- peer->org = pp->lastrec;
+ peer->org_ts = pp->lastrec;
peer->rootdisp = pp->disp;
get_systime(&peer->dst);
if (!refclock_sample(pp))
=====================================
ntpd/ntp_util.c
=====================================
@@ -540,7 +540,7 @@ record_raw_stats(
{
struct timespec now;
const sockaddr_u *dstaddr = peer->dstadr ? &peer->dstadr->sin : NULL;
- l_fp t1 = peer->org; /* originate timestamp */
+ l_fp t1 = peer->org_ts; /* originate timestamp */
l_fp t2 = peer->rec; /* receive timestamp */
l_fp t3 = peer->xmt; /* transmit timestamp */
l_fp t4 = peer->dst; /* destination timestamp */