32
34
double sys_rootdelay; /* roundtrip delay to primary source */
33
35
double sys_rootdispersion; /* dispersion to primary source */
34
36
u_int32 sys_refid; /* reference source for local clock */
37
u_int32 sys_peer_refid; /* hashed refid of our current peer */
35
38
static double sys_offset; /* current local clock offset */
36
39
l_fp sys_reftime; /* time we were last updated */
37
struct peer *sys_peer; /* our current peer */
40
struct peer *sys_peer; /* our current peer */
38
41
struct peer *sys_prefer; /* our cherished peer */
42
int sys_kod; /* kod credit */
43
int sys_kod_rate = 2; /* max kod packets per second */
44
u_long sys_clocktime; /* last system clock update */
40
46
u_long sys_automax; /* maximum session key lifetime */
44
50
* Nonspecified system state variables.
46
int sys_bclient; /* we set our time to broadcasts */
47
double sys_bdelay; /* broadcast client default delay */
52
int sys_bclient; /* broadcast client enable */
53
double sys_bdelay; /* broadcast client default delay */
54
int sys_calldelay; /* modem callup delay (s) */
48
55
int sys_authenticate; /* requre authentication for config */
49
56
l_fp sys_authdelay; /* authentication delay */
50
static u_long sys_authdly[2]; /* authentication delay shift reg */
57
static u_long sys_authdly[2]; /* authentication delay shift reg */
51
58
static u_char leap_consensus; /* consensus of survivor leap bits */
52
static double sys_selerr; /* select error (squares) */
53
static double sys_syserr; /* system error (squares) */
59
static double sys_selerr; /* select error (squares) */
60
double sys_error; /* system error (s) */
54
61
keyid_t sys_private; /* private value for session seed */
55
62
int sys_manycastserver; /* respond to manycast client pkts */
56
u_int sys_survivors; /* truest of the truechimers */
57
63
int peer_ntpdate; /* active peers in ntpdate mode */
64
int sys_survivors; /* truest of the truechimers */
59
66
char *sys_hostname; /* gethostname() name */
70
* TOS and multicast mapping stuff
72
int sys_floor = 1; /* cluster stratum floor */
73
int sys_ceiling = STRATUM_UNSPEC; /* cluster stratum ceiling*/
74
int sys_minsane = 1; /* minimum candidates */
75
int sys_minclock = NTP_MINCLOCK; /* minimum survivors */
76
int sys_cohort = 0; /* cohort switch */
77
int sys_ttlmax; /* max ttl mapping vector index */
78
u_char sys_ttl[MAX_TTL]; /* ttl mapping vector */
63
81
* Statistics counters
65
u_long sys_stattime; /* time when we started recording */
66
u_long sys_badstratum; /* packets with invalid stratum */
67
u_long sys_oldversionpkt; /* old version packets received */
68
u_long sys_newversionpkt; /* new version packets received */
69
u_long sys_unknownversion; /* don't know version packets */
70
u_long sys_badlength; /* packets with bad length */
83
u_long sys_stattime; /* time since reset */
84
u_long sys_received; /* packets received */
71
85
u_long sys_processed; /* packets processed */
72
u_long sys_badauth; /* packets dropped because of auth */
73
u_long sys_limitrejected; /* pkts rejected due to client count per net */
86
u_long sys_newversionpkt; /* current version */
87
u_long sys_oldversionpkt; /* recent version */
88
u_long sys_unknownversion; /* invalid version */
89
u_long sys_restricted; /* access denied */
90
u_long sys_badlength; /* bad length or format */
91
u_long sys_badauth; /* bad authentication */
92
u_long sys_limitrejected; /* rate exceeded */
75
94
static double root_distance P((struct peer *));
76
95
static double clock_combine P((struct peer **, int));
89
108
struct peer *peer /* peer structure pointer */
114
* The polling state machine. There are two kinds of machines,
115
* those that never expect a reply (broadcast and manycast
116
* server modes) and those that do (all other modes). The dance
94
119
hpoll = peer->hpoll;
95
if (peer->burst == 0) {
99
* The polling state machine. There are two kinds of
100
* machines, those that never expect a reply (broadcast
101
* and manycast server modes) and those that do (all
102
* other modes). The dance is intricate...
104
if (peer->cast_flags & (MDF_BCAST | MDF_MCAST)) {
107
* In broadcast mode the poll interval is fixed
108
* at minpoll and the ttl at ttlmax.
110
hpoll = peer->minpoll;
111
peer->ttl = peer->ttlmax;
113
} else if (peer->cast_flags & MDF_ACAST) {
116
* In manycast mode we start with the minpoll
117
* interval and ttl. However, the actual poll
118
* interval is eight times the nominal poll
119
* interval shown here. If fewer than three
120
* servers are found, the ttl is increased by
121
* one and we try again. If this continues to
122
* the max ttl, the poll interval is bumped by
123
* one and we try again. If at least three
124
* servers are found, the poll interval
125
* increases with the system poll interval to
126
* the max and we continue indefinately.
127
* However, about once per day when the
128
* agreement parameters are refreshed, the
129
* manycast clients are reset and we start from
130
* the beginning. This is to catch and clamp the
131
* ttl to the lowest practical value and avoid
132
* knocking on spurious doors.
134
if (sys_survivors < NTP_MINCLOCK && peer->ttl <
142
* For associations expecting a reply, the
143
* watchdog counter is bumped by one if the peer
144
* has not been heard since the previous poll.
145
* If the counter reaches the max, the peer is
146
* demobilized if not configured and just
147
* cleared if it is, but in this case the poll
148
* interval is bumped by one.
150
if (peer->unreach < NTP_UNREACH) {
152
} else if (!(peer->flags & FLAG_CONFIG)) {
162
oreach = peer->reach;
164
if (peer->reach == 0) {
167
* If this association has become unreachable,
168
* clear it and raise a trap.
171
report_event(EVNT_UNREACH, peer);
172
peer->timereachable = current_time;
173
if (!(peer->flags & FLAG_CONFIG)) {
179
hpoll = peer->minpoll;
182
if (peer->flags & FLAG_IBURST)
183
peer->burst = NTP_SHIFT;
187
* Here the peer is reachable. If it has not
188
* been heard for three consecutive polls, stuff
189
* the clock filter. Next, determine the poll
190
* interval. If the peer is a synchronization
191
* candidate, use the system poll interval. If
192
* the peer is not sane, increase it by one. If
193
* the number of valid updates is not greater
194
* than half the register size, clamp it to the
195
* minimum. This is to quickly recover the time
196
* variables when a noisy peer shows life.
198
if (!(peer->reach & 0x07)) {
199
clock_filter(peer, 0., 0., MAXDISPERSE);
202
if ((peer->stratum > 1 && peer->refid ==
203
peer->dstadr->sin.sin_addr.s_addr) ||
204
peer->stratum >= STRATUM_UNSPEC)
208
if (peer->flags & FLAG_BURST)
209
peer->burst = NTP_SHIFT;
120
if (peer->cast_flags & (MDF_BCAST | MDF_MCAST)) {
123
* In broadcast mode the poll interval is never changed
128
} else if (peer->cast_flags & MDF_ACAST) {
131
* In manycast mode we start with the minpoll interval
132
* and unity ttl. The ttl is increased by one for each
133
* poll until either enough servers have been found or
134
* the maximum ttl is reached. About once per day when
135
* the agreement parameters are refreshed, the manycast
136
* clients are reset and we start from the beginning.
137
* This is to catch and clamp the ttl to the lowest
138
* practical value and avoid knocking on spurious doors.
140
if (sys_survivors < sys_minclock && peer->ttl <
213
144
if (peer->burst == 0) {
216
* If a broadcast client at this point, the
217
* burst has concluded, so we switch to client
218
* mode and purge the keylist, since no further
219
* transmissions will be made.
221
if (peer->cast_flags & MDF_BCLNT) {
222
peer->hmode = MODE_BCLIENT;
227
poll_update(peer, hpoll);
231
* If ntpdate mode and the clock has not been
232
* set and all peers have completed the burst,
233
* we declare a successful failure.
237
if (peer_ntpdate > 0)
147
oreach = peer->reach;
149
peer->hyst *= HYST_TC;
150
if (peer->reach == 0) {
153
* If this association has become
154
* unreachable, clear it and raise a
158
report_event(EVNT_UNREACH,
160
peer->timereachable =
162
if (peer->flags & FLAG_CONFIG) {
172
* If a configured association has been
173
* unreachable for a long time, double
174
* it at each poll and send a single
175
* packet instead of a burst. If not
176
* configured, off it. If it flashes
177
* authentic error, mark it
178
* cryptographically dead.
180
if (peer->unreach < NTP_UNREACH) {
182
if (peer->flags & FLAG_IBURST &&
183
!(peer->flash & TEST5))
184
peer->burst = NTP_BURST;
185
} else if (!(peer->flags &
239
NLOG(NLOG_SYNCEVENT | NLOG_SYSEVENT)
241
"no reply; clock not set");
243
"ntpd: no reply; clock not set\n");
250
peer->outdate = current_time;
251
poll_update(peer, hpoll);
254
* We need to be very careful about honking uncivilized time.
255
* Never transmit if in broadcast client mode or access denied.
256
* If in broadcast mode, transmit only if synchronized to a
259
if (peer->hmode == MODE_BCLIENT || peer->flash & TEST4) {
261
} else if (peer->hmode == MODE_BROADCAST) {
262
if (sys_peer == NULL)
190
} else if (peer->flash & TEST5) {
191
peer_clear(peer, "CRYPTO");
192
peer->flash += TEST4;
194
if (hpoll < peer->maxpoll)
199
* Here the peer is reachable. If it has
200
* not been heard for three consecutive
201
* polls, stuff infinity in the clock
202
* filter. Next, determine the poll
203
* interval. If the peer is unfit for
204
* synchronization, increase it by one;
205
* else, use the system poll interval,
206
* but clamp it within bounds for this
210
if (!(peer->reach & 0x07))
211
clock_filter(peer, 0., 0.,
213
if (peer_unfit(peer)) {
214
if (hpoll < peer->maxpoll)
218
if (hpoll > peer->maxpoll)
219
hpoll = peer->maxpoll;
220
else if (hpoll < peer->minpoll)
221
hpoll = peer->minpoll;
222
if (peer->flags & FLAG_BURST)
223
peer->burst = NTP_BURST;
229
* Call-gap control. If we are restrained, each
230
* burst consists of only one packet.
232
if (memcmp(&peer->refid, "RSTR", 4) == 0)
236
if (peer->burst == 0) {
239
* If a broadcast client at this point,
240
* the burst has concluded, so we switch
241
* to client mode and purge the keylist,
242
* since no further transmissions will
245
if (peer->cast_flags & MDF_BCLNT) {
246
peer->hmode = MODE_BCLIENT;
253
* If ntpdate mode and the clock has not
254
* been set and all peers have completed
255
* the burst, we declare a successful
260
if (peer_ntpdate == 0) {
262
"no reply; clock not set");
267
poll_update(peer, hpoll);
272
peer->outdate = peer->nextdate = current_time;
275
* Do not transmit if in broadcast client mode.
277
if (peer->hmode == MODE_BCLIENT) {
278
poll_update(peer, hpoll);
282
* Do not transmit in broadcast mode unless we are synchronized.
284
} else if (peer->hmode == MODE_BROADCAST && sys_peer == NULL) {
285
poll_update(peer, hpoll);
290
* Do not transmit if in access-deny or crypto jail. Clamp the
291
* poll to minimum if a get out of jail free card shows up.
293
if (peer->flash & TEST4) {
294
if (!(peer->flags & FLAG_CONFIG)) {
298
poll_update(peer, peer->minpoll);
301
poll_update(peer, hpoll);
299
340
* simply discarded without prejudice. Some restrictions have to
300
341
* be handled later in order to generate a kiss-of-death packet.
344
* Bogus port check is before anything, since it probably
345
* reveals a clogging attack.
348
if (SRCPORT(&rbufp->recv_srcadr) == 0) {
350
return; /* bogus port */
302
352
ntp_monitor(rbufp);
303
353
restrict_mask = restrictions(&rbufp->recv_srcadr);
306
printf("receive: at %ld %s<-%s restrict %02x\n",
307
current_time, ntoa(&rbufp->dstadr->sin),
308
ntoa(&rbufp->recv_srcadr), restrict_mask);
356
printf("receive: at %ld %s<-%s restrict %03x\n",
357
current_time, stoa(&rbufp->dstadr->sin),
358
stoa(&rbufp->recv_srcadr), restrict_mask);
310
if (restrict_mask & RES_IGNORE)
360
if (restrict_mask & RES_IGNORE) {
311
362
return; /* no anything */
312
if (!(SRCPORT(&rbufp->recv_srcadr) == NTP_PORT ||
313
SRCPORT(&rbufp->recv_srcadr) >= IPPORT_RESERVED)) {
315
return; /* invalid port */
317
364
pkt = &rbufp->recv_pkt;
318
if (PKT_VERSION(pkt->li_vn_mode) == NTP_VERSION) {
319
sys_newversionpkt++; /* new version */
320
} else if (!(restrict_mask & RES_VERSION) &&
321
PKT_VERSION(pkt->li_vn_mode) >= NTP_OLDVERSION) {
322
sys_oldversionpkt++; /* old version */
324
sys_unknownversion++;
325
return; /* invalid version */
327
if (PKT_MODE(pkt->li_vn_mode) == MODE_PRIVATE) {
328
if (restrict_mask & RES_NOQUERY)
365
hismode = (int)PKT_MODE(pkt->li_vn_mode);
366
if (hismode == MODE_PRIVATE) {
367
if (restrict_mask & RES_NOQUERY) {
329
369
return; /* no query private */
330
371
process_private(rbufp, ((restrict_mask &
331
372
RES_NOMODIFY) == 0));
334
if (PKT_MODE(pkt->li_vn_mode) == MODE_CONTROL) {
335
if (restrict_mask & RES_NOQUERY)
375
if (hismode == MODE_CONTROL) {
376
if (restrict_mask & RES_NOQUERY) {
336
378
return; /* no query control */
337
380
process_control(rbufp, restrict_mask);
383
if (restrict_mask & RES_DONTSERVE) {
385
return; /* no time */
340
387
if (rbufp->recv_length < LEN_PKT_NOMAC) {
342
389
return; /* runt packet */
393
* Version check must be after the query packets, since they
394
* intentionally use early version.
396
if (PKT_VERSION(pkt->li_vn_mode) == NTP_VERSION) {
397
sys_newversionpkt++; /* new version */
398
} else if (!(restrict_mask & RES_VERSION) &&
399
PKT_VERSION(pkt->li_vn_mode) >= NTP_OLDVERSION) {
400
sys_oldversionpkt++; /* previous version */
402
sys_unknownversion++;
403
return; /* old version */
346
* Validate mode. Note that NTPv1 is no longer supported.
407
* Figure out his mode and validate the packet. This has some
408
* legacy raunch that probably should be removed. In very early
409
* NTP versions mode 0 was equivalent to what later versions
410
* would interpret as client mode.
348
hismode = (int)PKT_MODE(pkt->li_vn_mode);
349
412
if (hismode == MODE_UNSPEC) {
351
return; /* invalid mode */
413
if (PKT_VERSION(pkt->li_vn_mode) == NTP_OLDVERSION) {
414
hismode = MODE_CLIENT;
417
return; /* invalid mode */
355
* Discard broadcast packets received on the wildcard interface
356
* or if not enabled as broadcast client.
422
* Discard broadcast if not enabled as broadcast client. If
423
* Autokey, the wildcard interface cannot be used, so dump
424
* packets gettiing off the bus at that stop as well. This means
425
* that some systems with broken interface code, specifically
426
* Linux, will not work with Autokey.
358
if (PKT_MODE(pkt->li_vn_mode) == MODE_BROADCAST &&
359
#ifdef OPEN_BCAST_SOCKET
360
(rbufp->dstadr == any_interface || !sys_bclient))
428
if (hismode == MODE_BROADCAST) {
429
if (!sys_bclient || restrict_mask & RES_NOPEER) {
431
return; /* no client */
434
if (crypto_flags && rbufp->dstadr == any_interface) {
436
return; /* no client */
367
442
* Parse the extension field if present. We figure out whether
602
686
* there is no match, that's curious and could be an
603
687
* intruder attempting to clog, so we just ignore it.
605
* First, make sure the packet is authentic. If so and
606
* the manycast association is found, we mobilize a
607
* client mode association, copy pertinent variables
608
* from the manycast to the client mode association and
609
* wind up the spring.
689
* First, make sure the packet is authentic and not
690
* restricted. If so and the manycast association is
691
* found, we mobilize a client association and copy
692
* pertinent variables from the manycast association to
693
* the new client association.
611
695
* There is an implosion hazard at the manycast client,
612
696
* since the manycast servers send the server packet
697
* immediately. If the guy is already here, don't fire
615
if ((restrict_mask & (RES_DONTSERVE | RES_LIMITED |
616
RES_NOPEER)) || (sys_authenticate &&
620
peer2 = findmanycastpeer(rbufp);
624
peer = newpeer(&rbufp->recv_srcadr, rbufp->dstadr,
700
if (restrict_mask & RES_DONTTRUST) {
702
return; /* no trust */
704
if (sys_authenticate && !is_authentic)
705
return; /* bad auth */
707
if ((peer2 = findmanycastpeer(rbufp)) == NULL)
708
return; /* no assoc match */
710
if ((peer = newpeer(&rbufp->recv_srcadr, rbufp->dstadr,
625
711
MODE_CLIENT, PKT_VERSION(pkt->li_vn_mode),
626
sys_minpoll, NTP_MAXDPOLL, FLAG_IBURST |
627
(peer2->flags & (FLAG_AUTHENABLE | FLAG_SKEY)),
628
MDF_UCAST, 0, skeyid);
712
NTP_MINDPOLL, NTP_MAXDPOLL, FLAG_IBURST, MDF_UCAST |
713
MDF_ACLNT, 0, skeyid)) == NULL)
714
return; /* system error */
717
* We don't need these, but it warms the billboards.
719
peer->ttl = peer2->ttl;
636
725
* This is the first packet received from a symmetric
637
* active peer. First, make sure the packet is
638
* authentic. If so, mobilize a symmetric passive
726
* active peer. First, make sure it is authentic and not
727
* restricted. If so, mobilize a passive association.
728
* If authentication fails send a crypto-NAK; otherwise,
641
if ((restrict_mask & (RES_DONTSERVE | RES_LIMITED |
642
RES_NOPEER)) || (sys_authenticate &&
731
if (restrict_mask & RES_DONTTRUST) {
733
return; /* no trust */
735
if (sys_authenticate && !is_authentic) {
644
736
fast_xmit(rbufp, MODE_PASSIVE, 0,
738
return; /* bad auth */
648
peer = newpeer(&rbufp->recv_srcadr, rbufp->dstadr,
740
if ((peer = newpeer(&rbufp->recv_srcadr, rbufp->dstadr,
649
741
MODE_PASSIVE, PKT_VERSION(pkt->li_vn_mode),
650
sys_minpoll, NTP_MAXDPOLL, sys_authenticate ?
651
FLAG_AUTHENABLE : 0, MDF_UCAST, 0, skeyid);
742
NTP_MINDPOLL, NTP_MAXDPOLL, 0, MDF_UCAST, 0,
744
return; /* system error */
659
751
* This is the first packet received from a broadcast
660
* server. First, make sure the packet is authentic, not
661
* restricted and that we are a broadcast or multicast
662
* client. If so, mobilize a broadcast client
752
* server. First, make sure it is authentic and not
753
* restricted and that we are a broadcast client. If so,
754
* mobilize a broadcast client association. We don't
755
* kiss any frogs here.
665
if ((restrict_mask & (RES_DONTSERVE | RES_LIMITED |
666
RES_NOPEER)) || (sys_authenticate &&
667
!is_authentic) || !sys_bclient)
670
peer = newpeer(&rbufp->recv_srcadr, rbufp->dstadr,
671
MODE_CLIENT, PKT_VERSION(pkt->li_vn_mode),
672
sys_minpoll, NTP_MAXDPOLL, FLAG_MCAST |
673
FLAG_IBURST | (sys_authenticate ?
674
FLAG_AUTHENABLE : 0), MDF_BCLNT, 0, skeyid);
757
if (restrict_mask & RES_DONTTRUST) {
759
return; /* no trust */
761
if (sys_authenticate && !is_authentic)
762
return; /* bad auth */
764
if (sys_bclient == 0)
765
return; /* not a client */
767
if (sys_bclient == 1)
768
peer = newpeer(&rbufp->recv_srcadr, rbufp->dstadr,
769
MODE_CLIENT, PKT_VERSION(pkt->li_vn_mode),
770
NTP_MINDPOLL, NTP_MAXDPOLL, FLAG_MCAST |
771
FLAG_IBURST, MDF_BCLNT, 0, skeyid);
773
peer = newpeer(&rbufp->recv_srcadr, rbufp->dstadr,
774
MODE_BCLIENT, PKT_VERSION(pkt->li_vn_mode),
775
NTP_MINDPOLL, NTP_MAXDPOLL, 0, MDF_BCLNT, 0,
677
777
if (peer == NULL)
679
if (peer->flags & FLAG_SKEY)
680
crypto_recv(peer, rbufp);
778
return; /* system error */
781
* Danger looms. If this is autokey, go process the
782
* extension fields. If something goes wrong, abandon
783
* ship and don't trust subsequent packets.
786
if ((rval = crypto_recv(peer, rbufp)) !=
788
struct sockaddr_storage mskadr_sin;
792
SET_HOSTMASK(&mskadr_sin,
793
rbufp->recv_srcadr.ss_family);
794
hack_restrict(RESTRICT_FLAGS,
795
&rbufp->recv_srcadr, &mskadr_sin,
796
0, RES_DONTTRUST | RES_TIMEOUT);
800
"packet: bad exten %x\n",
811
* This is a broadcast packet received in client mode.
812
* It could happen if the initial client/server volley
813
* is not complete before the next broadcast packet is
814
* received. Be liberal in what we accept.
689
* Happiness and nothing broke. Earn some revenue.
819
* This is a symmetric mode packet received in symmetric
820
* mode, a server packet received in client mode or a
821
* broadcast packet received in broadcast client mode.
822
* If it is restricted, this is very strange because it
823
* is rude to send a packet to a restricted address. If
824
* anyway, flash a restrain kiss and skedaddle to
825
* Seattle. If not authentic, leave a light on and
828
if (restrict_mask & RES_DONTTRUST) {
830
if (peer->flags & FLAG_CONFIG)
831
peer_clear(peer, "RSTR");
834
return; /* no trust */
696
* Invalid mode combination. Leave the island
841
* Invalid mode combination. This happens when a passive
842
* mode packet arrives and matches another passive
843
* association or no association at all, or when a
844
* server mode packet arrives and matches a broadcast
845
* client association. This is usually the result of
846
* reconfiguring a client on-fly. If authenticated
847
* passive mode packet, send a crypto-NAK; otherwise,
850
if (has_mac && hismode == MODE_PASSIVE)
851
fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
701
854
printf("receive: bad protocol %d\n", retcode);
707
* If the peer isn't configured, set his authenable and autokey
708
* status based on the packet. Once the status is set, it can't
709
* be unset. It seems like a silly idea to do this here, rather
710
* in the configuration routine, but in some goofy cases the
711
* first packet sent cannot be authenticated and we need a way
712
* for the dude to change his mind.
860
* We do a little homework. Note we can get here with an
861
* authentication error. We need to do this in order to validate
862
* a crypto-NAK later. Note the order of processing; it is very
863
* important to avoid livelocks, deadlocks and lockpicks.
714
oflags = peer->flags;
715
866
peer->timereceived = current_time;
717
if (!(peer->flags & FLAG_CONFIG) && has_mac) {
718
peer->flags |= FLAG_AUTHENABLE;
720
if (skeyid > NTP_MAXKEY)
721
peer->flags |= FLAG_SKEY;
726
* A valid packet must be from an authentic and allowed source.
727
* All packets must pass the authentication allowed tests.
728
* Autokey authenticated packets must pass additional tests and
729
* public-key authenticated packets must have the credentials
730
* verified. If all tests are passed, the packet is forwarded
731
* for processing. If not, the packet is discarded and the
732
* association demobilized if appropriate.
736
peer->flags |= FLAG_AUTHENTIC;
868
peer->flags &= ~FLAG_AUTHENTIC;
871
peer->flags |= FLAG_AUTHENTIC;
872
else if (sys_authenticate)
873
peer->flash |= TEST5; /* bad auth */
875
NTOHL_FP(&pkt->org, &p_org);
876
NTOHL_FP(&pkt->xmt, &p_xmt);
879
* If the packet is an old duplicate, drop it.
881
if (L_ISEQU(&peer->org, &p_xmt)) { /* test 1 */
882
peer->flash |= TEST1; /* dupe */
886
* For broadcast server mode, loopback checking is disabled. An
887
* authentication error probably means the server restarted or
888
* rolled a new private value. If so, dump the association
889
* and wait for the next message.
891
} else if (hismode == MODE_BROADCAST) {
892
if (peer->flash & TEST5) {
899
* For server and symmetric modes, if the association transmit
900
* timestamp matches the packet originate timestamp, loopback is
901
* confirmed. Note in symmetric modes this also happens when the
902
* first packet from the active peer arrives at the newly
903
* mobilized passive peer. An authentication error probably
904
* means the server or peer restarted or rolled a new private
905
* value, but could be an intruder trying to stir up trouble.
906
* However, if this is a crypto-NAK, we know it is authentic. If
907
* the server is reachable, restart the protocol; if not, ignore
908
* it and wait for timeout.
910
} else if (L_ISEQU(&peer->xmt, &p_org)) {
911
if (peer->flash & TEST5) {
912
if (has_mac == 4 && pkt->exten[0] == 0 &&
914
if (peer->flags & FLAG_CONFIG) {
915
peer_clear(peer, "AUTH");
925
* If the client or passive peer has never transmitted anything,
926
* this is either the first message from a symmetric peer or
927
* possibly a duplicate received before the transmit timeout.
930
} else if (L_ISZERO(&peer->xmt)) {
934
* Now it gets interesting. We have transmitted at least one
935
* packet. If the packet originate timestamp is nonzero, it
936
* does not match the association transmit timestamp, which is a
937
* loopback error. This error might mean a manycast server has
938
* answered a manycast honk from us and we already have an
939
* association for him, in which case quietly drop the packet
940
* here. It might mean an old duplicate, dropped packet or
941
* intruder replay, in which case we drop it later after
942
* extension field processing, but never let it touch the time
945
} else if (!L_ISZERO(&p_org)) {
946
if (peer->cast_flags & MDF_ACLNT)
947
return; /* not a client */
949
peer->flash |= TEST2;
953
* The packet originate timestamp is zero, meaning the other guy
954
* either didn't receive the first packet or died and restarted.
955
* If the association originate timestamp is zero, this is the
956
* first packet received, so we pass it on.
958
} else if (L_ISZERO(&peer->org)) {
962
* The other guy has restarted and we are still on the wire. We
963
* should demobilize/clear and get out of Dodge. If this is
964
* symmetric mode, we should also send a crypto-NAK.
738
peer->flags &= ~FLAG_AUTHENTIC;
740
if (peer->hmode == MODE_BROADCAST &&
741
(restrict_mask & RES_DONTTRUST)) /* test 4 */
742
peer->flash |= TEST4; /* access denied */
743
if (peer->flags & FLAG_AUTHENABLE) {
744
if (!(peer->flags & FLAG_AUTHENTIC)) /* test 5 */
745
peer->flash |= TEST5; /* auth failed */
746
else if (!(oflags & FLAG_AUTHENABLE))
747
report_event(EVNT_PEERAUTH, peer);
967
if (hismode == MODE_ACTIVE)
968
fast_xmit(rbufp, MODE_PASSIVE, 0,
970
else if (hismode == MODE_PASSIVE)
971
fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
752
printf("receive: bad auth %03x\n", peer->flash);
974
printf("receive: dropped %03x\n", peer->flash);
976
if (peer->flags & FLAG_CONFIG)
977
peer_clear(peer, "DROP");
982
if (peer->flash & ~TEST2) {
759
988
* More autokey dance. The rules of the cha-cha are as follows:
761
990
* 1. If there is no key or the key is not auto, do nothing.
763
* 2. If an extension field contains a verified signature, it is
992
* 2. If this packet is in response to the one just previously
993
* sent or from a broadcast server, do the extension fields.
994
* Otherwise, assume bogosity and bail out.
996
* 3. If an extension field contains a verified signature, it is
764
997
* self-authenticated and we sit the dance.
766
* 3. If this is a server reply, check only to see that the
999
* 4. If this is a server reply, check only to see that the
767
1000
* transmitted key ID matches the received key ID.
769
* 4. Check to see that one or more hashes of the current key ID
1002
* 5. Check to see that one or more hashes of the current key ID
770
1003
* matches the previous key ID or ultimate original key ID
771
1004
* obtained from the broadcaster or symmetric peer. If no
772
1005
* match, sit the dance and wait for timeout.
1007
* In case of crypto error, fire the orchestra and stop dancing.
774
if (peer->flags & FLAG_SKEY) {
1009
if (crypto_flags && (peer->flags & FLAG_SKEY)) {
775
1010
peer->flash |= TEST10;
776
crypto_recv(peer, rbufp);
777
poll_update(peer, peer->hpoll);
778
if (hismode == MODE_SERVER) {
1011
rval = crypto_recv(peer, rbufp);
1012
if (rval != XEVNT_OK) {
1013
peer_clear(peer, "CRYP");
1014
peer->flash |= TEST4; /* crypto error */
1015
} else if (hismode == MODE_SERVER) {
779
1016
if (skeyid == peer->keyid)
780
1017
peer->flash &= ~TEST10;
781
1018
} else if (!peer->flash & TEST10) {
782
1019
peer->pkeyid = skeyid;
1020
} else if ((ap = (struct autokey *)peer->recval.ptr) !=
786
1024
for (i = 0; ; i++) {
787
1025
if (tkeyid == peer->pkeyid ||
788
tkeyid == peer->recauto.key) {
1026
tkeyid == ap->key) {
789
1027
peer->flash &= ~TEST10;
790
1028
peer->pkeyid = skeyid;
793
if (i > peer->recauto.seq)
795
1033
tkeyid = session_key(
796
1034
&rbufp->recv_srcadr, dstadr_sin,
797
1035
tkeyid, pkeyid, 0);
1038
if (!(peer->crypto & CRYPTO_FLAG_PROV)) /* test 11 */
1039
peer->flash |= TEST11; /* not proventic */
803
* This is delicious. Ordinarily, we kick out all errors
804
* at this point; however, in symmetric mode and just
805
* warming up, an unsynchronized peer must inject the
806
* timestamps, even if it fails further up the road. So,
807
* let the dude by here, but only if the jerk is not yet
808
* reachable. After that, he's on his own.
1042
* If the transmit queue is nonempty, clamp the host
1043
* poll interval to the packet poll interval.
810
if (!(peer->flags & FLAG_PROVEN))
811
peer->flash |= TEST11;
812
if (peer->flash && peer->reach) {
815
printf("packet: bad autokey %03x\n",
1045
if (peer->cmmd != 0) {
1046
peer->ppoll = pkt->ppoll;
1047
poll_update(peer, peer->hpoll);
1050
#endif /* OPENSSL */
825
* We have survived the gaunt. Forward to the packet routine. If
826
* a symmetric passive association has been mobilized and the
827
* association doesn't deserve to live, it will die in the
828
* transmit routine if not reachable after timeout.
1053
* The dance is complete and the flash bits have been lit. Toss
1054
* the packet over the fence for processing, which may light up
830
1057
process_packet(peer, pkt, &rbufp->recv_time);
1060
* Well, that was nice. If TEST4 is lit, either the crypto
1061
* machine jammed or a kiss-o'-death packet flew in, either of
1064
if (peer->flash & TEST4) {
1065
msyslog(LOG_INFO, "receive: fatal error %03x for %s",
1066
peer->flash, stoa(&peer->srcadr));
1067
if (!(peer->flags & FLAG_CONFIG))
1074
* If TEST10 is lit, the autokey sequence has broken, which
1075
* probably means the server has refreshed its private value.
1076
* Not to worry, reset and wait for the next time.
1078
if (peer->flash & TEST10 && peer->crypto & CRYPTO_FLAG_AUTO) {
1082
"receive: bad auto %03x\n", peer->flash);
1084
if (peer->flags & FLAG_CONFIG)
1085
peer_clear(peer, "AUTO");
1089
#endif /* OPENSSL */
864
1123
NTOHL_FP(&pkt->reftime, &p_reftime);
865
1124
NTOHL_FP(&pkt->rec, &p_rec);
866
1125
NTOHL_FP(&pkt->xmt, &p_xmt);
867
if (PKT_MODE(pkt->li_vn_mode) != MODE_BROADCAST)
1126
pmode = PKT_MODE(pkt->li_vn_mode);
1127
pleap = PKT_LEAP(pkt->li_vn_mode);
1128
if (pmode != MODE_BROADCAST)
868
1129
NTOHL_FP(&pkt->org, &p_org);
870
1131
p_org = peer->rec;
873
* Test for old, duplicate or unsynch packets (tests 1-3).
875
peer->rec = *recv_ts;
876
pmode = PKT_MODE(pkt->li_vn_mode);
877
pleap = PKT_LEAP(pkt->li_vn_mode);
878
1132
pstratum = PKT_TO_STRATUM(pkt->stratum);
1135
* Test for kiss-o'death packet (DENY or CRYP)
1137
if (pleap == LEAP_NOTINSYNC && pstratum == STRATUM_UNSPEC) {
1138
if (memcmp(&pkt->refid, "DENY", 4) == 0) {
1139
peer_clear(peer, "DENY");
1140
peer->flash |= TEST4; /* access deny */
1141
} else if (memcmp(&pkt->refid, "CRYP", 4) == 0) {
1142
peer_clear(peer, "CRYP");
1143
peer->flash |= TEST4; /* crypto error */
1148
* Test for unsynchronized server.
879
1150
if (L_ISHIS(&peer->org, &p_xmt)) /* count old packets */
881
if (L_ISEQU(&peer->org, &p_xmt)) /* 1 */
882
peer->flash |= TEST1; /* dupe */
883
if (pmode != MODE_BROADCAST) {
884
if (!L_ISEQU(&peer->xmt, &p_org)) /* 2 */
885
peer->flash |= TEST2; /* bogus */
886
if (L_ISZERO(&p_rec) || L_ISZERO(&p_org)) /* test 3 */
887
peer->flash |= TEST3; /* unsynch */
889
if (L_ISZERO(&p_xmt)) /* 3 */
890
peer->flash |= TEST3; /* unsynch */
1152
if (pmode != MODE_BROADCAST && (L_ISZERO(&p_rec) ||
1153
L_ISZERO(&p_org))) /* test 3 */
1154
peer->flash |= TEST3; /* unsynch */
1155
if (L_ISZERO(&p_xmt)) /* test 3 */
1156
peer->flash |= TEST3; /* unsynch */
1159
* If any tests fail, the packet is discarded leaving only the
1160
* timestamps, which are enough to get the protocol started. The
1161
* originate timestamp is copied from the packet transmit
1162
* timestamp and the receive timestamp is copied from the
1163
* packet receive timestamp. If okay so far, we save the leap,
1164
* stratum and refid for billboards.
891
1166
peer->org = p_xmt;
894
* If tests 1-3 fail, the packet is discarded leaving only the
895
* receive and origin timestamps and poll interval, which is
896
* enough to get the protocol started.
1167
peer->rec = *recv_ts;
898
1168
if (peer->flash) {
901
printf("packet: bad data %03x\n",
1171
printf("packet: bad data %03x from %s\n",
1172
peer->flash, stoa(&peer->srcadr));
908
* A kiss-of-death (kod) packet is returned by a server in case
909
* the client is denied access. It consists of the client
910
* request packet with the leap bits indicating never
911
* synchronized, stratum zero and reference ID field the ASCII
912
* string "DENY". If the packet originate timestamp matches the
913
* association transmit timestamp the kod is legitimate. If the
914
* peer leap bits indicate never synchronized, this must be
915
* access deny and the association is disabled; otherwise this
916
* must be a limit reject. In either case a naughty message is
917
* forced to the system log.
919
if (pleap == LEAP_NOTINSYNC && pstratum >= STRATUM_UNSPEC &&
920
memcmp(&pkt->refid, "DENY", 4) == 0) {
921
if (peer->leap == LEAP_NOTINSYNC) {
922
peer->stratum = STRATUM_UNSPEC;
923
peer->flash |= TEST4;
924
memcpy(&peer->refid, &pkt->refid, 4);
925
msyslog(LOG_INFO, "access denied");
927
msyslog(LOG_INFO, "limit reject");
1177
peer->stratum = pstratum;
1178
peer->refid = pkt->refid;
933
1181
* Test for valid peer data (tests 6-8)
963
1213
record_raw_stats(&peer->srcadr, &peer->dstadr->sin, &p_org,
964
1214
&p_rec, &p_xmt, &peer->rec);
966
1215
peer->pmode = pmode;
967
peer->stratum = pstratum;
968
1216
peer->ppoll = pkt->ppoll;
969
1217
peer->precision = pkt->precision;
970
1218
peer->rootdelay = p_del;
971
1219
peer->rootdispersion = p_disp;
972
peer->refid = pkt->refid;
973
1220
peer->reftime = p_reftime;
974
1221
if (!(peer->reach)) {
975
1222
report_event(EVNT_REACH, peer);
976
1223
peer->timereachable = current_time;
978
1225
peer->reach |= 1;
980
1226
poll_update(peer, peer->hpoll);
983
* If running in a client/server association, calculate the
984
* clock offset c, roundtrip delay d and dispersion e. We use
985
* the equations (reordered from those in the spec). Note that,
986
* in a broadcast association, org has been set to the time of
987
* last reception. Note the computation of dispersion includes
988
* the system precision plus that due to the frequency error
989
* since the originate time.
991
* c = ((t2 - t3) + (t1 - t0)) / 2
992
* d = (t2 - t3) - (t1 - t0)
993
* e = (org - rec) (seconds only)
1229
* For a client/server association, calculate the clock offset,
1230
* roundtrip delay and dispersion. The equations are reordered
1231
* from the spec for more efficient use of temporaries. For a
1232
* broadcast association, offset the last measurement by the
1233
* computed delay during the client/server volley. Note that
1234
* org has been set to the time of last reception. Note the
1235
* computation of dispersion includes the system precision plus
1236
* that due to the frequency error since the originate time.
1238
* It is very important to respect the hazards of overflow. The
1239
* only permitted operation on raw timestamps is subtraction,
1240
* where the result is a signed quantity spanning from 68 years
1241
* in the past to 68 years in the future. To avoid loss of
1242
* precision, these calculations are done using 64-bit integer
1243
* arithmetic. However, the offset and delay calculations are
1244
* sums and differences of these first-order differences, which
1245
* if done using 64-bit integer arithmetic, would be valid over
1246
* only half that span. Since the typical first-order
1247
* differences are usually very small, they are converted to 64- * bit doubles and all remaining calculations done in floating-
1248
* point arithmetic. This preserves the accuracy while retaining
1251
* Let t1 = p_org, t2 = p_rec, t3 = p_xmt, t4 = peer->rec:
995
t10 = p_xmt; /* compute t1 - t0 */
996
L_SUB(&t10, &peer->rec);
997
t23 = p_rec; /* compute t2 - t3 */
1000
p_disp = clock_phi * (peer->rec.l_ui - p_org.l_ui);
1253
ci = p_xmt; /* t3 - t4 */
1254
L_SUB(&ci, &peer->rec);
1256
ci = p_rec; /* t2 - t1 */
1259
ci = peer->rec; /* t4 - t1 */
1261
LFPTOD(&ci, p_disp);
1262
p_disp = clock_phi * max(p_disp, LOGTOD(sys_precision));
1003
1265
* If running in a broadcast association, the clock offset is
1136
1400
struct peer *peer,
1142
#endif /* AUTOKEY */
1145
* A little foxtrot to determine what controls the poll
1146
* interval. If the peer is reachable, but the last four polls
1147
* have not been answered, use the minimum. If declared
1148
* truechimer, use the system poll interval. This allows each
1149
* association to ramp up the poll interval for useless sources
1150
* and to clamp it to the minimum when first starting up.
1153
oldpoll = peer->kpoll;
1154
#endif /* AUTOKEY */
1155
if (hpoll > peer->maxpoll)
1156
peer->hpoll = peer->maxpoll;
1157
else if (hpoll < peer->minpoll)
1158
peer->hpoll = peer->minpoll;
1160
peer->hpoll = hpoll;
1163
* Bit of adventure here. If during a burst and not timeout,
1164
* just slink away. If timeout, figure what the next timeout
1165
* should be. If IBURST or a reference clock, use one second. If
1166
* not and the dude was reachable during the previous poll
1167
* interval, randomize over 1-4 seconds; otherwise, randomize
1168
* over 15-18 seconds. This is to give time for a modem to
1169
* complete the call, for example. If not during a burst,
1170
* randomize over the poll interval -1 to +2 seconds.
1172
* In case of manycast server, make the poll interval, which is
1173
* axtually the manycast beacon interval, eight times the system
1174
* poll interval. Normally when the host poll interval settles
1175
* up to 17.1 s, the beacon interval settles up to 2.3 hours.
1407
* This routine figures out when the next poll should set, and
1408
* that turns out to be wickedly complicated. The big problem is
1409
* that sometimes the time for the next poll is in the past.
1410
* Watch out for races here between the receive process and the
1411
* poll process. The key assertion is that, if nextdate ==
1412
* current_time, the call is from the poll process; otherwise,
1413
* it is from the receive process.
1418
* If during the crypto protocol and a message is pending, make
1419
* it wait no more than two seconds.
1422
if (peer->cmmd != NULL && (sys_leap != LEAP_NOTINSYNC ||
1424
peer->nextdate = current_time + RESP_DELAY;
1427
* If we get called from the receive routine while a burst is
1428
* pending, just slink away. If from the poll routine and a
1429
* reference clock or a pending crypto response, delay for one
1430
* second. If this is the first sent in a burst, wait for the
1431
* modem to come up. For others in the burst, delay two seconds.
1433
} else if (peer->burst > 0) {
1177
1435
if (peer->burst > 0) {
1436
#endif /* OPENSSL */
1178
1437
if (peer->nextdate != current_time)
1180
1439
#ifdef REFCLOCK
1181
1440
else if (peer->flags & FLAG_REFCLOCK)
1441
peer->nextdate += RESP_DELAY;
1184
else if (peer->reach & 0x1)
1185
peer->nextdate += RANDPOLL(BURST_INTERVAL2);
1443
else if (peer->flags & (FLAG_IBURST | FLAG_BURST) &&
1444
peer->burst == NTP_BURST)
1445
peer->nextdate += sys_calldelay;
1187
peer->nextdate += RANDPOLL(BURST_INTERVAL1);
1447
peer->nextdate += BURST_DELAY;
1449
* A manycast server beacons at the minimum poll interval times
1450
* the ttl until a sufficient number of servers have been found,
1451
* then beacons at the maximum poll interval.
1188
1453
} else if (peer->cast_flags & MDF_ACAST) {
1189
if (sys_survivors < NTP_MINCLOCK)
1190
peer->kpoll = peer->hpoll;
1454
if (sys_survivors >= sys_minclock || peer->ttl >=
1456
hpoll = peer->maxpoll;
1192
peer->kpoll = peer->hpoll + 3;
1193
peer->nextdate = peer->outdate + RANDPOLL(peer->kpoll);
1458
hpoll = peer->minpoll + peer->ttl;
1459
peer->nextdate = peer->outdate + RANDPOLL(hpoll);
1462
* The normal case after all those pesky exceptions. Set the
1463
* poll to the minimum of the host and peer values, but not
1464
* below minpoll. That's max(min(ppoll, hpoll), minpoll).
1195
peer->kpoll = max(min(peer->ppoll, peer->hpoll),
1197
peer->nextdate = peer->outdate + RANDPOLL(peer->kpoll);
1467
if (peer->ppoll < peer->minpoll)
1468
peer->nextdate = peer->outdate +
1469
RANDPOLL(peer->minpoll);
1470
if (peer->ppoll < hpoll)
1471
peer->nextdate = peer->outdate +
1472
RANDPOLL(peer->ppoll);
1474
peer->nextdate = peer->outdate +
1199
if (peer->nextdate < current_time)
1200
peer->nextdate = current_time;
1479
* If the time for the next poll has already happened, bring it
1480
* up to the next second after this one. This way the only way
1481
* to get nexdate == current time is from the poll routine.
1483
if (peer->nextdate <= current_time)
1484
peer->nextdate = current_time + 1;
1203
1487
* Bit of crass arrogance at this point. If the poll interval
1204
1488
* has changed and we have a keylist, the lifetimes in the
1205
1489
* keylist are probably bogus. In this case purge the keylist
1206
1490
* and regenerate it later.
1208
if (peer->kpoll != oldpoll)
1492
if (hpoll != peer->hpoll)
1209
1493
key_expire(peer);
1210
#endif /* AUTOKEY */
1494
#endif /* OPENSSL */
1495
peer->hpoll = hpoll;
1213
1498
printf("poll_update: at %lu %s flags %04x poll %d burst %d last %lu next %lu\n",
1214
1499
current_time, ntoa(&peer->srcadr), peer->flags,
1215
peer->kpoll, peer->burst, peer->outdate,
1500
peer->hpoll, peer->burst, peer->outdate,
1216
1501
peer->nextdate);
1222
* clear - clear peer filter registers. See Section 3.4.8 of the spec.
1507
* peer_clear - clear peer filter registers. See Section 3.4.8 of the spec.
1226
register struct peer *peer
1511
struct peer *peer, /* peer structure */
1512
char *ident /* tally lights */
1233
1518
* If cryptographic credentials have been acquired, toss them to
1636
1947
endpoint[indx[i]].type,
1637
1948
endpoint[indx[i]].val);
1641
allow = nlist; /* falsetickers assumed */
1645
for (n = 0; i <= j; i++) {
1646
n += endpoint[indx[i]].type;
1951
* This is the actual algorithm that cleaves the truechimers
1952
* from the falsetickers. The original algorithm was described
1953
* in Keith Marzullo's dissertation, but has been modified for
1956
* Briefly put, we first assume there are no falsetickers, then
1957
* scan the candidate list first from the low end upwards and
1958
* then from the high end downwards. The scans stop when the
1959
* number of intersections equals the number of candidates less
1960
* the number of falsetickers. If this doesn't happen for a
1961
* given number of falsetickers, we bump the number of
1962
* falsetickers and try again. If the number of falsetickers
1963
* becomes equal to or greater than half the number of
1964
* candidates, the Albanians have won the Byzantine wars and
1965
* correct synchronization is not possible.
1967
* Here, nlist is the number of candidates and allow is the
1968
* number of falsetickers.
1972
for (allow = 0; 2 * allow < nlist; allow++) {
1976
* Bound the interval (low, high) as the largest
1977
* interval containing points from presumed truechimers.
1981
for (i = 0; i < nl3; i++) {
1982
low = endpoint[indx[i]].val;
1983
n -= endpoint[indx[i]].type;
1984
if (n >= nlist - allow)
1649
1986
if (endpoint[indx[i]].type == 0)
1652
for (n = 0; i <= j; j--) {
1990
for (j = nl3 - 1; j >= 0; j--) {
1991
high = endpoint[indx[j]].val;
1653
1992
n += endpoint[indx[j]].type;
1993
if (n >= nlist - allow)
1656
1995
if (endpoint[indx[j]].type == 0)
2000
* If the number of candidates found outside the
2001
* interval is greater than the number of falsetickers,
2002
* then at least one truechimer is outside the interval,
2003
* so go around again. This is what makes this algorithm
2004
* different than Marzullo's.
1659
2006
if (found > allow)
2010
* If an interval containing truechimers is found, stop.
2011
* If not, increase the number of falsetickers and go
1661
low = endpoint[indx[i++]].val;
1662
high = endpoint[indx[j--]].val;
1666
2019
* If no survivors remain at this point, check if the local
1667
2020
* clock or modem drivers have been found. If so, nominate one
1668
* of them as the only survivor. Otherwise, give up and declare
1669
* us unsynchronized.
2021
* of them as the only survivor. Otherwise, give up and leave
2022
* the island to the rats.
1671
if ((allow << 1) >= nlist) {
1672
2025
if (typeacts != 0) {
1673
2026
typeacts->status = CTL_PST_SEL_SANE;
1674
2027
peer_list[0] = typeacts;
1801
* In manycast client mode we may have spooked a sizeable number
1802
* of servers that we don't need. If there are at least
1803
* NTP_MINCLOCK of them, the manycast message will be turned
1804
* off. By the time we get here we nay be ready to prune some of
1805
* them back, but we want to make sure all the candicates have
1806
* had a chance. If they didn't pass the sanity and intersection
1807
* tests, they have already been voted off the island.
1809
if (sys_survivors >= NTP_MINCLOCK && nlist < NTP_MINCLOCK)
1811
#endif /* AUTOKEY */
1812
sys_survivors = nlist;
1816
for (i = 0; i < nlist; i++)
1818
"select: %s offset %.6f, distance %.6f poll %d\n",
1819
ntoa(&peer_list[i]->srcadr),
1820
peer_list[i]->offset, synch[i],
1821
peer_list[i]->pollsw);
1826
* What remains is a list of not greater than NTP_MINCLOCK
2177
* What remains is a list usually not greater than sys_minclock
1827
2178
* peers. We want only a peer at the lowest stratum to become
1828
2179
* the system peer, although all survivors are eligible for the
1829
2180
* combining algorithm. First record their order, diddle the
1830
* flags and clamp the poll intervals. Then, consider the peers
1831
* at the lowest stratum. Of these, OR the leap bits on the
1832
* assumption that, if some of them honk nonzero bits, they must
1833
* know what they are doing. Also, check for prefer and pps
1834
* peers. If a prefer peer is found within clock_max, update the
1835
* pps switch. Of the other peers not at the lowest stratum,
1836
* check if the system peer is among them and, if found, zap
1837
* him. We note that the head of the list is at the lowest
2181
* flags and clamp the poll intervals. Then, consider each peer
2182
* in turn and OR the leap bits on the assumption that, if some
2183
* of them honk nonzero bits, they must know what they are
2184
* doing. Check for prefer and pps peers at any stratum. Check
2185
* if the old system peer is among the peers at the lowest
2186
* stratum. Note that the head of the list is at the lowest
1838
2187
* stratum and that unsynchronized peers cannot survive this
1841
* Note that we go no further, unless the number of survivors is
1842
* a majority of the suckers that have been found reachable and
1843
* no prior source is available. This avoids the transient when
1844
* one of a flock of sources is out to lunch and just happens
1845
* to be the first survivor.
2190
* Fiddle for hysteresis. Pump it up for a peer only if the peer
2191
* stratum is at least the floor and there are enough survivors.
2192
* This minimizes the pain when tossing out rascals beneath the
2193
* floorboard. Don't count peers with stratum above the ceiling.
2194
* Manycast is sooo complicated.
1847
if (osys_peer == NULL && 2 * nlist < min(nreach, NTP_MINCLOCK))
1849
2196
leap_consensus = 0;
1850
2197
for (i = nlist - 1; i >= 0; i--) {
1851
2198
peer = peer_list[i];
2199
leap_consensus |= peer->leap;
1852
2200
peer->status = CTL_PST_SEL_SYNCCAND;
1853
2202
peer->flags |= FLAG_SYSPEER;
1854
poll_update(peer, peer->hpoll);
1855
if (peer->stratum == peer_list[0]->stratum) {
1856
leap_consensus |= peer->leap;
1857
if (peer->refclktype == REFCLK_ATOM_PPS &&
1858
peer->stratum < STRATUM_UNSPEC)
1860
if (peer == osys_peer)
1862
if (peer->flags & FLAG_PREFER)
2203
if (peer->stratum >= sys_floor && osurv >= sys_minclock)
2207
if (peer->stratum <= sys_ceiling)
2209
if (peer->flags & FLAG_PREFER)
2211
if (peer->refclktype == REFCLK_ATOM_PPS &&
2212
peer->stratum < STRATUM_UNSPEC)
2214
if (peer->stratum == peer_list[0]->stratum && peer ==
2220
* In manycast client mode we may have spooked a sizeable number
2221
* of peers that we don't need. If there are at least
2222
* sys_minclock of them, the manycast message will be turned
2223
* off. By the time we get here we nay be ready to prune some of
2224
* them back, but we want to make sure all the candicates have
2225
* had a chance. If they didn't pass the sanity and intersection
2226
* tests, they have already been voted off the island.
2228
if (sys_survivors < sys_minclock && osurv >= sys_minclock)
1868
2232
* Mitigation rules of the game. There are several types of
1869
2233
* peers that make a difference here: (1) prefer local peers
1870
2234
* (type REFCLK_LOCALCLOCK with FLAG_PREFER) or prefer modem
2082
2467
key_expire(peer);
2084
2469
peer->keyid = xkeyid;
2085
2471
switch (peer->hmode) {
2088
* In broadcast mode the autokey values are required.
2089
* Send them when a new keylist is generated; otherwise,
2090
* send the association ID so the client can request
2091
* them at other times.
2474
* In broadcast server mode the autokey values are
2475
* required by the broadcast clients. Push them when a
2476
* new keylist is generated; otherwise, push the
2477
* association message so the client can request them at
2093
2480
case MODE_BROADCAST:
2094
2481
if (peer->flags & FLAG_ASSOC)
2095
cmmd = CRYPTO_AUTO | CRYPTO_RESP;
2482
exten = crypto_args(peer, CRYPTO_AUTO |
2097
cmmd = CRYPTO_ASSOC | CRYPTO_RESP;
2098
sendlen += crypto_xmit((u_int32 *)&xpkt,
2099
sendlen, cmmd, 0, peer->associd);
2485
exten = crypto_args(peer, CRYPTO_ASSOC |
2103
* In symmetric modes the public key, leapsecond table,
2104
* agreement parameters and autokey values are required.
2106
* 1. If a response is pending, always send it first.
2108
* 2. Don't send anything except a public-key request
2109
* until the public key has been stored.
2111
* 3. Once the public key has been stored, don't send
2112
* anything except an agreement parameter request
2113
* until the agreement parameters have been stored.
2115
* 4. Once the argeement parameters have been stored,
2116
* don't send anything except a public value request
2117
* until the agreed key has been stored.
2119
* 5. When the agreed key has been stored and the key
2120
* list is regenerated, send the autokey values
2121
* gratis unless they have already been sent.
2490
* In symmetric modes the digest, certificate, agreement
2491
* parameters, cookie and autokey values are required.
2492
* The leapsecond table is optional. But, a passive peer
2493
* will not believe the active peer until the latter has
2494
* synchronized, so the agreement must be postponed
2495
* until then. In any case, if a new keylist is
2496
* generated, the autokey values are pushed.
2123
2498
case MODE_ACTIVE:
2124
2499
case MODE_PASSIVE:
2126
if (peer->cmmd != 0)
2127
sendlen += crypto_xmit((u_int32 *)&xpkt,
2128
sendlen, (peer->cmmd >> 16) |
2129
CRYPTO_RESP, peer->hcookie,
2131
2500
if (!peer->crypto)
2132
sendlen += crypto_xmit((u_int32 *)&xpkt,
2133
sendlen, CRYPTO_ASSOC,
2134
peer->hcookie, peer->assoc);
2135
else if (!crypto_flags &&
2136
peer->pcookie.tstamp == 0 && sys_leap !=
2138
sendlen += crypto_xmit((u_int32 *)&xpkt,
2139
sendlen, CRYPTO_PRIV, peer->hcookie,
2141
else if (crypto_flags && peer->pubkey.ptr ==
2143
sendlen += crypto_xmit((u_int32 *)&xpkt,
2144
sendlen, CRYPTO_NAME, peer->hcookie,
2146
else if (peer->crypto & CRYPTO_FLAG_CERT)
2147
sendlen += crypto_xmit((u_int32 *)&xpkt,
2148
sendlen, CRYPTO_CERT, peer->hcookie,
2150
else if (crypto_flags && peer->crypto &
2151
CRYPTO_FLAG_DH && sys_leap !=
2153
sendlen += crypto_xmit((u_int32 *)&xpkt,
2154
sendlen, CRYPTO_DHPAR,
2155
peer->hcookie, peer->assoc);
2156
else if (crypto_flags && peer->pcookie.tstamp ==
2157
0 && sys_leap != LEAP_NOTINSYNC)
2158
sendlen += crypto_xmit((u_int32 *)&xpkt,
2159
sendlen, CRYPTO_DH, peer->hcookie,
2162
if (peer->cmmd != 0)
2163
sendlen += crypto_xmit((u_int32 *)&xpkt,
2164
sendlen, (peer->cmmd >> 16) |
2165
CRYPTO_RESP, peer->hcookie,
2167
if (peer->pcookie.tstamp == 0 && sys_leap !=
2169
sendlen += crypto_xmit((u_int32 *)&xpkt,
2170
sendlen, CRYPTO_PRIV, peer->hcookie,
2173
else if (!(peer->flags & FLAG_AUTOKEY))
2174
sendlen += crypto_xmit((u_int32 *)&xpkt,
2175
sendlen, CRYPTO_AUTO, peer->hcookie,
2177
else if ((peer->flags & FLAG_ASSOC) &&
2178
(peer->cmmd >> 16) != CRYPTO_AUTO)
2179
sendlen += crypto_xmit((u_int32 *)&xpkt,
2180
sendlen, CRYPTO_AUTO | CRYPTO_RESP,
2181
peer->hcookie, peer->associd);
2183
else if (peer->crypto & CRYPTO_FLAG_TAI)
2184
sendlen += crypto_xmit((u_int32 *)&xpkt,
2185
sendlen, CRYPTO_TAI, peer->hcookie,
2501
exten = crypto_args(peer, CRYPTO_ASSOC,
2503
else if (!(peer->crypto & CRYPTO_FLAG_VALID))
2504
exten = crypto_args(peer, CRYPTO_CERT,
2508
* Identity. Note we have to sign the
2509
* certificate before the cookie to avoid a
2510
* deadlock when the passive peer is walking the
2511
* certificate trail. Awesome.
2513
else if (!(peer->crypto & CRYPTO_FLAG_VRFY))
2514
exten = crypto_args(peer,
2515
crypto_ident(peer), NULL);
2516
else if (sys_leap != LEAP_NOTINSYNC &&
2517
!(peer->crypto & CRYPTO_FLAG_SIGN))
2518
exten = crypto_args(peer, CRYPTO_SIGN,
2522
* Autokey. We request the cookie only when the
2523
* server and client are synchronized and
2524
* signatures work both ways. On the other hand,
2525
* the active peer needs the autokey values
2526
* before then and when the passive peer is
2527
* waiting for the active peer to synchronize.
2528
* Any time we regenerate the key list, we offer
2529
* the autokey values without being asked.
2531
else if (sys_leap != LEAP_NOTINSYNC &&
2532
peer->leap != LEAP_NOTINSYNC &&
2533
!(peer->crypto & CRYPTO_FLAG_AGREE))
2534
exten = crypto_args(peer, CRYPTO_COOK,
2536
else if (peer->flags & FLAG_ASSOC)
2537
exten = crypto_args(peer, CRYPTO_AUTO |
2539
else if (!(peer->crypto & CRYPTO_FLAG_AUTO))
2540
exten = crypto_args(peer, CRYPTO_AUTO,
2544
* Postamble. We trade leapseconds only when the
2545
* server and client are synchronized.
2547
else if (sys_leap != LEAP_NOTINSYNC &&
2548
peer->leap != LEAP_NOTINSYNC &&
2549
peer->crypto & CRYPTO_FLAG_TAI &&
2550
!(peer->crypto & CRYPTO_FLAG_LEAP))
2551
exten = crypto_args(peer, CRYPTO_TAI,
2192
* In client mode, the public key, host cookie and
2193
* autokey values are required. In broadcast client
2194
* mode, these values must be acquired during the
2556
* In client mode the digest, certificate, agreement
2557
* parameters and cookie are required. The leapsecond
2558
* table is optional. If broadcast client mode, the
2559
* autokey values are required as well. In broadcast
2560
* client mode, these values must be acquired during the
2195
2561
* client/server exchange to avoid having to wait until
2196
2562
* the next key list regeneration. Otherwise, the poor
2197
2563
* dude may die a lingering death until becoming
2198
* unreachable and attempting rebirth. Note that we ask
2199
* for the cookie at each key list regeneration anyway.
2564
* unreachable and attempting rebirth.
2566
* If neither the server or client have the agreement
2567
* parameters, the protocol transmits the cookie in the
2568
* clear. If the server has the parameters, the client
2569
* requests them and the protocol blinds it using the
2570
* agreed key. It is a protocol error if the client has
2571
* the parameters but the server does not.
2201
2573
case MODE_CLIENT:
2202
if (peer->cmmd != 0)
2203
sendlen += crypto_xmit((u_int32 *)&xpkt,
2204
sendlen, (peer->cmmd >> 16) |
2205
CRYPTO_RESP, peer->hcookie,
2207
2574
if (!peer->crypto)
2208
sendlen += crypto_xmit((u_int32 *)&xpkt,
2209
sendlen, CRYPTO_ASSOC,
2210
peer->hcookie, peer->assoc);
2212
else if (crypto_flags && peer->pubkey.ptr ==
2214
sendlen += crypto_xmit((u_int32 *)&xpkt,
2215
sendlen, CRYPTO_NAME, peer->hcookie,
2217
else if (peer->crypto & CRYPTO_FLAG_CERT)
2218
sendlen += crypto_xmit((u_int32 *)&xpkt,
2219
sendlen, CRYPTO_CERT, peer->hcookie,
2222
else if (peer->pcookie.tstamp == 0)
2223
sendlen += crypto_xmit((u_int32 *)&xpkt,
2224
sendlen, CRYPTO_PRIV, peer->hcookie,
2226
else if (!(peer->flags & FLAG_AUTOKEY) &&
2575
exten = crypto_args(peer, CRYPTO_ASSOC,
2577
else if (!(peer->crypto & CRYPTO_FLAG_VALID))
2578
exten = crypto_args(peer, CRYPTO_CERT,
2584
else if (!(peer->crypto & CRYPTO_FLAG_VRFY))
2585
exten = crypto_args(peer,
2586
crypto_ident(peer), NULL);
2591
else if (!(peer->crypto & CRYPTO_FLAG_AGREE))
2592
exten = crypto_args(peer, CRYPTO_COOK,
2594
else if (!(peer->crypto & CRYPTO_FLAG_AUTO) &&
2227
2595
(peer->cast_flags & MDF_BCLNT))
2228
sendlen += crypto_xmit((u_int32 *)&xpkt,
2229
sendlen, CRYPTO_AUTO, peer->hcookie,
2232
else if (peer->crypto & CRYPTO_FLAG_TAI)
2233
sendlen += crypto_xmit((u_int32 *)&xpkt,
2234
sendlen, CRYPTO_TAI, peer->hcookie,
2596
exten = crypto_args(peer, CRYPTO_AUTO,
2600
* Postamble. We can sign the certificate here,
2601
* since there is no chance of deadlock.
2603
else if (sys_leap != LEAP_NOTINSYNC &&
2604
!(peer->crypto & CRYPTO_FLAG_SIGN))
2605
exten = crypto_args(peer, CRYPTO_SIGN,
2607
else if (sys_leap != LEAP_NOTINSYNC &&
2608
peer->crypto & CRYPTO_FLAG_TAI &&
2609
!(peer->crypto & CRYPTO_FLAG_LEAP))
2610
exten = crypto_args(peer, CRYPTO_TAI,
2616
* Build the extension fields if available. If an error
2617
* occured, the crypto machinery broke or was
2618
* misconfigured, so plaint the log and douse the
2621
if (peer->cmmd != NULL) {
2622
peer->cmmd->associd = htonl(peer->associd);
2623
sendlen += crypto_xmit(&xpkt, &peer->srcadr,
2624
sendlen, peer->cmmd, 0);
2628
if (exten != NULL) {
2629
if (exten->opcode != 0) {
2630
sendlen += crypto_xmit(&xpkt,
2631
&peer->srcadr, sendlen, exten, 0);
2633
peer_clear(peer, "CRYP");
2634
peer->flash |= TEST4; /* crypto error */
2636
"transmit: crypto error for %s",
2637
stoa(&peer->srcadr));
2242
2643
* If extension fields are present, we must use a
2243
* private value of zero and force min poll interval.
2644
* private cookie value of zero. Most intricate.
2246
2646
if (sendlen > LEN_PKT_NOMAC)
2247
2647
session_key(&peer->dstadr->sin, &peer->srcadr,
2250
#endif /* AUTOKEY */
2650
#endif /* OPENSSL */
2653
* If something broke go directly to jail without sending the
2656
if (peer->flash & TEST4)
2251
2659
xkeyid = peer->keyid;
2252
2660
get_systime(&peer->xmt);
2253
2661
L_ADD(&peer->xmt, &sys_authdelay);
2254
2662
HTONL_FP(&peer->xmt, &xpkt.xmt);
2255
2663
authlen = authencrypt(xkeyid, (u_int32 *)&xpkt, sendlen);
2256
2664
if (authlen == 0) {
2258
"transmit: no encryption key found");
2259
peer->flash |= TEST4 | TEST5;
2665
peer_clear(peer, "NKEY");
2666
peer->flash |= TEST4; /* no key found */
2667
msyslog(LOG_INFO, "transmit: key %u not found for %s",
2668
xkeyid, stoa(&peer->srcadr));
2262
2671
sendlen += authlen;
2264
2673
if (xkeyid > NTP_MAXKEY)
2265
2674
authtrust(xkeyid, 0);
2266
#endif /* AUTOKEY */
2675
#endif /* OPENSSL */
2267
2676
get_systime(&xmt_tx);
2268
2677
if (sendlen > sizeof(xpkt)) {
2269
2678
msyslog(LOG_ERR, "buffer overflow %u", sendlen);
2272
sendpkt(&peer->srcadr, peer->dstadr, peer->ttl, &xpkt, sendlen);
2681
sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl], &xpkt,
2275
2685
* Calculate the encryption delay. Keep the minimum over
2315
2725
struct recvbuf *rbufp, /* receive packet pointer */
2316
int xmode, /* transmit mode */
2317
keyid_t xkeyid, /* transmit key ID */
2318
int mask /* restrict mask */
2726
int xmode, /* transmit mode */
2727
keyid_t xkeyid, /* transmit key ID */
2728
int mask /* restrict mask */
2321
struct pkt xpkt; /* transmit packet structure */
2322
struct pkt *rpkt; /* receive packet structure */
2323
l_fp xmt_ts; /* transmit timestamp */
2324
l_fp xmt_tx; /* transmit timestamp after authent */
2325
int sendlen, authlen;
2731
struct pkt xpkt; /* transmit packet structure */
2732
struct pkt *rpkt; /* receive packet structure */
2733
l_fp xmt_ts; /* timestamp */
2734
l_fp xmt_tx; /* timestamp after authent */
2735
int sendlen, authlen;
2328
2741
* Initialize transmit packet header fields from the receive
2329
2742
* buffer provided. We leave some fields intact as received. If
2330
* the gazinta was from a multicast address, the gazouta must go
2743
* the gazinta was from a multicast address, the gazoutta must
2744
* go out another way.
2333
2746
rpkt = &rbufp->recv_pkt;
2334
2747
if (rbufp->dstadr->flags & INT_MULTICAST)
2335
2748
rbufp->dstadr = findinterface(&rbufp->recv_srcadr);
2338
* If the caller is restricted, return a kiss-of-death packet;
2339
* otherwise, smooch politely.
2751
* If the packet has picked up a restriction due to either
2752
* access denied or rate exceeded, decide what to do with it.
2341
if (mask & (RES_DONTSERVE | RES_LIMITED)) {
2342
if (!(mask & RES_DEMOBILIZE)) {
2754
if (mask & (RES_DONTTRUST | RES_LIMITED)) {
2755
char *code = "????";
2757
if (mask & RES_LIMITED) {
2758
sys_limitrejected++;
2760
} else if (mask & RES_DONTTRUST) {
2766
* Here we light up a kiss-of-death (KoD) packet. KoD
2767
* packets have leap bits unsynchronized, stratum zero
2768
* and reference ID the four-character error code. Note
2769
* the rate limit on these packets. Once a second
2770
* initialize a bucket counter. Every packet sent
2771
* decrements the counter until reaching zero. If the
2772
* counter is zero, drop the kod.
2774
if (sys_kod == 0 || !(mask & RES_DEMOBILIZE))
2346
PKT_LI_VN_MODE(LEAP_NOTINSYNC,
2347
PKT_VERSION(rpkt->li_vn_mode), xmode);
2348
xpkt.stratum = STRATUM_UNSPEC;
2349
memcpy(&xpkt.refid, "DENY", 4);
2778
memcpy(&xpkt.refid, code, 4);
2779
xpkt.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOTINSYNC,
2780
PKT_VERSION(rpkt->li_vn_mode), xmode);
2781
xpkt.stratum = STRATUM_UNSPEC;
2352
2783
xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_leap,
2353
2784
PKT_VERSION(rpkt->li_vn_mode), xmode);
2474
if (peer->keylist != NULL) {
2905
if (peer->keylist != NULL) {
2475
2906
for (i = 0; i <= peer->keynumber; i++)
2476
2907
authtrust(peer->keylist[i], 0);
2477
2908
free(peer->keylist);
2478
2909
peer->keylist = NULL;
2480
peer->keynumber = peer->sndauto.seq = 0;
2911
value_free(&peer->sndval);
2912
peer->keynumber = 0;
2483
2915
printf("key_expire: at %lu\n", current_time);
2486
#endif /* AUTOKEY */
2918
#endif /* OPENSSL */
2922
* Determine if the peer is unfit for synchronization
2924
* A peer is unfit for synchronization if
2926
* > a synchronization loop would form
2927
* > never been synchronized
2928
* > stratum undefined or too high
2929
* > too long without synchronization
2930
* > designated noselect
2932
static int /* 0 if no, 1 if yes */
2934
struct peer *peer /* peer structure pointer */
2937
return (!peer->reach || (peer->stratum > 1 && peer->refid ==
2938
peer->dstadr->addr_refid) || peer->leap == LEAP_NOTINSYNC ||
2939
peer->stratum >= STRATUM_UNSPEC || peer->flags &
2489
2945
* Find the precision of this particular machine
2491
#define DUSECS 1000000 /* us in a s */
2492
#define HUSECS (1 << 20) /* approx DUSECS for shifting etc */
2493
#define MINSTEP 5 /* minimum clock increment (us) */
2494
#define MAXSTEP 20000 /* maximum clock increment (us) */
2495
#define MINLOOPS 5 /* minimum number of step samples */
2947
#define MINSTEP 100e-9 /* minimum clock increment (s) */
2948
#define MAXSTEP 20e-3 /* maximum clock increment (s) */
2949
#define MINLOOPS 5 /* minimum number of step samples */
2498
* This routine calculates the differences between successive calls to
2499
* gettimeofday(). If a difference is less than zero, the us field
2500
* has rolled over to the next second, so we add a second in us. If
2501
* the difference is greater than zero and less than MINSTEP, the
2502
* clock has been advanced by a small amount to avoid standing still.
2503
* If the clock has advanced by a greater amount, then a timer interrupt
2504
* has occurred and this amount represents the precision of the clock.
2505
* In order to guard against spurious values, which could occur if we
2506
* happen to hit a fat interrupt, we do this for MINLOOPS times and
2507
* keep the minimum value obtained.
2952
* This routine calculates the system precision, defined as the minimum
2953
* of a sequency of differences between successive readings of the
2954
* system clock. However, if the system clock can be read more than once
2955
* during a tick interval, the difference can be zero or one LSB unit,
2956
* where the LSB corresponds to one nanosecond or one microsecond.
2957
* Conceivably, if some other process preempts this one and reads the
2958
* clock, the difference can be more than one LSB unit.
2960
* For hardware clock frequencies of 10 MHz or less, we assume the
2961
* logical clock advances only at the hardware clock tick. For higher
2962
* frequencies, we assume the logical clock can advance no more than 100
2963
* nanoseconds between ticks.
2510
2966
default_get_precision(void)
2513
#if !defined(SYS_WINNT) && !defined(VMS) && !defined(_SEQUENT_)
2514
struct timezone tzp;
2515
#elif defined(VMS) || defined(_SEQUENT_)
2520
#endif /* defined(VMS) || defined(_SEQUENT_) */
2526
#ifdef HAVE_GETCLOCK
2529
#if defined(__FreeBSD__) && __FreeBSD__ >= 3
2533
/* Try to see if we can find the frequency of of the counter
2534
* which drives our timekeeping
2537
i = sysctlbyname("kern.timecounter.frequency", &freq, &j , 0,
2540
i = sysctlbyname("machdep.tsc_freq", &freq, &j , 0, 0);
2542
i = sysctlbyname("machdep.i586_freq", &freq, &j , 0, 0);
2544
i = sysctlbyname("machdep.i8254_freq", &freq, &j , 0,
2547
for (i = 1; freq ; i--)
2554
#ifdef HAVE_GETCLOCK
2555
(void) getclock(TIMEOFDAY, &ts);
2556
tp.tv_sec = ts.tv_sec;
2557
tp.tv_usec = ts.tv_nsec / 1000;
2558
#else /* not HAVE_GETCLOCK */
2559
GETTIMEOFDAY(&tp, &tzp);
2560
#endif /* not HAVE_GETCLOCK */
2562
for (i = 0; i < MINLOOPS && usec < HUSECS;) {
2563
#ifdef HAVE_GETCLOCK
2564
(void) getclock(TIMEOFDAY, &ts);
2565
tp.tv_sec = ts.tv_sec;
2566
tp.tv_usec = ts.tv_nsec / 1000;
2567
#else /* not HAVE_GETCLOCK */
2568
GETTIMEOFDAY(&tp, &tzp);
2569
#endif /* not HAVE_GETCLOCK */
2570
diff = tp.tv_usec - last;
2575
if (diff > MINSTEP) {
2582
msyslog(LOG_INFO, "precision = %ld usec", val);
2584
val = MINSTEP; /* val <= MINSTEP; fast machine */
2586
for (i = 0; diff > val; i--)
2968
l_fp val; /* current seconds fraction */
2969
l_fp last; /* last seconds fraction */
2970
l_fp diff; /* difference */
2971
double tick; /* computed tick value */
2972
double dtemp; /* scratch */
2973
int i; /* log2 precision */
2976
* Loop to find tick value in nanoseconds. Toss out outlyer
2977
* values less than the minimun tick value. In wacky cases, use
2978
* the default maximum value.
2982
for (i = 0; i < MINLOOPS;) {
2985
L_SUB(&diff, &last);
2987
LFPTOD(&diff, dtemp);
2988
if (dtemp < MINSTEP)
2996
* Find the nearest power of two.
2999
msyslog(LOG_INFO, "precision = %.3f usec", tick * 1e6);
3000
for (i = 0; tick <= 1; i++)
3002
if (tick - 1. > 1. - tick / 2)
3009
* kod_proto - called once per second to limit kiss-of-death packets
3014
sys_kod = sys_kod_rate;
2592
3019
* init_proto - initialize the protocol module's data