mirror of https://github.com/subgraph/fw-daemon
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
417 lines
18 KiB
417 lines
18 KiB
// Copyright 2016 Google, Inc. All rights reserved.
|
|
//
|
|
// Use of this source code is governed by a BSD-style license
|
|
// that can be found in the LICENSE file in the root of the source
|
|
// tree.
|
|
//
|
|
//******************************************************************************
|
|
|
|
package layers
|
|
|
|
import (
|
|
"encoding/binary"
|
|
"errors"
|
|
|
|
"github.com/google/gopacket"
|
|
)
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Network Time Protocol (NTP) Decoding Layer
|
|
// ------------------------------------------
|
|
// This file provides a GoPacket decoding layer for NTP.
|
|
//
|
|
//******************************************************************************
|
|
//
|
|
// About The Network Time Protocol (NTP)
|
|
// -------------------------------------
|
|
// NTP is a protocol that enables computers on the internet to set their
|
|
// clocks to the correct time (or to a time that is acceptably close to the
|
|
// correct time). NTP runs on top of UDP.
|
|
//
|
|
// There have been a series of versions of the NTP protocol. The latest
|
|
// version is V4 and is specified in RFC 5905:
|
|
// http://www.ietf.org/rfc/rfc5905.txt
|
|
//
|
|
//******************************************************************************
|
|
//
|
|
// References
|
|
// ----------
|
|
//
|
|
// Wikipedia's NTP entry:
|
|
// https://en.wikipedia.org/wiki/Network_Time_Protocol
|
|
// This is the best place to get an overview of NTP.
|
|
//
|
|
// Network Time Protocol Home Website:
|
|
// http://www.ntp.org/
|
|
// This appears to be the official website of NTP.
|
|
//
|
|
// List of current NTP Protocol RFCs:
|
|
// http://www.ntp.org/rfc.html
|
|
//
|
|
// RFC 958: "Network Time Protocol (NTP)" (1985)
|
|
// https://tools.ietf.org/html/rfc958
|
|
// This is the original NTP specification.
|
|
//
|
|
// RFC 1305: "Network Time Protocol (Version 3) Specification, Implementation and Analysis" (1992)
|
|
// https://tools.ietf.org/html/rfc1305
|
|
// The protocol was updated in 1992 yielding NTP V3.
|
|
//
|
|
// RFC 5905: "Network Time Protocol Version 4: Protocol and Algorithms Specification" (2010)
|
|
// https://www.ietf.org/rfc/rfc5905.txt
|
|
// The protocol was updated in 2010 yielding NTP V4.
|
|
// V4 is backwards compatible with all previous versions of NTP.
|
|
//
|
|
// RFC 5906: "Network Time Protocol Version 4: Autokey Specification"
|
|
// https://tools.ietf.org/html/rfc5906
|
|
// This document addresses the security of the NTP protocol
|
|
// and is probably not relevant to this package.
|
|
//
|
|
// RFC 5907: "Definitions of Managed Objects for Network Time Protocol Version 4 (NTPv4)"
|
|
// https://tools.ietf.org/html/rfc5907
|
|
// This document addresses the management of NTP servers and
|
|
// is probably not relevant to this package.
|
|
//
|
|
// RFC 5908: "Network Time Protocol (NTP) Server Option for DHCPv6"
|
|
// https://tools.ietf.org/html/rfc5908
|
|
// This document addresses the use of NTP in DHCPv6 and is
|
|
// probably not relevant to this package.
|
|
//
|
|
// "Let's make a NTP Client in C"
|
|
// https://lettier.github.io/posts/2016-04-26-lets-make-a-ntp-client-in-c.html
|
|
// This web page contains useful information about the details of NTP,
|
|
// including an NTP record struture in C, and C code.
|
|
//
|
|
// "NTP Packet Header (NTP Reference Implementation) (Computer Network Time Synchronization)"
|
|
// http://what-when-how.com/computer-network-time-synchronization/
|
|
// ntp-packet-header-ntp-reference-implementation-computer-network-time-synchronization/
|
|
// This web page contains useful information on the details of NTP.
|
|
//
|
|
// "Technical information - NTP Data Packet"
|
|
// https://www.meinbergglobal.com/english/info/ntp-packet.htm
|
|
// This page has a helpful diagram of an NTP V4 packet.
|
|
//
|
|
//******************************************************************************
|
|
//
|
|
// Obsolete References
|
|
// -------------------
|
|
//
|
|
// RFC 1119: "RFC-1119 "Network Time Protocol (Version 2) Specification and Implementation" (1989)
|
|
// https://tools.ietf.org/html/rfc1119
|
|
// Version 2 was drafted in 1989.
|
|
// It is unclear whether V2 was ever implememented or whether the
|
|
// ideas ended up in V3 (which was implemented in 1992).
|
|
//
|
|
// RFC 1361: "Simple Network Time Protocol (SNTP)"
|
|
// https://tools.ietf.org/html/rfc1361
|
|
// This document is obsoleted by RFC 1769 and is included only for completeness.
|
|
//
|
|
// RFC 1769: "Simple Network Time Protocol (SNTP)"
|
|
// https://tools.ietf.org/html/rfc1769
|
|
// This document is obsoleted by RFC 2030 and RFC 4330 and is included only for completeness.
|
|
//
|
|
// RFC 2030: "Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI"
|
|
// https://tools.ietf.org/html/rfc2030
|
|
// This document is obsoleted by RFC 4330 and is included only for completeness.
|
|
//
|
|
// RFC 4330: "Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI"
|
|
// https://tools.ietf.org/html/rfc4330
|
|
// This document is obsoleted by RFC 5905 and is included only for completeness.
|
|
//
|
|
//******************************************************************************
|
|
//
|
|
// Endian And Bit Numbering Issues
|
|
// -------------------------------
|
|
//
|
|
// Endian and bit numbering issues can be confusing. Here is some
|
|
// clarification:
|
|
//
|
|
// ENDIAN: Values are sent big endian.
|
|
// https://en.wikipedia.org/wiki/Endianness
|
|
//
|
|
// BIT NUMBERING: Bits are numbered 0 upwards from the most significant
|
|
// bit to the least significant bit. This means that if there is a 32-bit
|
|
// value, the most significant bit is called bit 0 and the least
|
|
// significant bit is called bit 31.
|
|
//
|
|
// See RFC 791 Appendix B for more discussion.
|
|
//
|
|
//******************************************************************************
|
|
//
|
|
// NTP V3 and V4 Packet Format
|
|
// ---------------------------
|
|
// NTP packets are UDP packets whose payload contains an NTP record.
|
|
//
|
|
// The NTP RFC defines the format of the NTP record.
|
|
//
|
|
// There have been four versions of the protocol:
|
|
//
|
|
// V1 in 1985
|
|
// V2 in 1989
|
|
// V3 in 1992
|
|
// V4 in 2010
|
|
//
|
|
// It is clear that V1 and V2 are obsolete, and there is no need to
|
|
// cater for these formats.
|
|
//
|
|
// V3 and V4 essentially use the same format, with V4 adding some optional
|
|
// fields on the end. So this package supports the V3 and V4 formats.
|
|
//
|
|
// The current version of NTP (NTP V4)'s RFC (V4 - RFC 5905) contains
|
|
// the following diagram for the NTP record format:
|
|
|
|
// 0 1 2 3
|
|
// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// |LI | VN |Mode | Stratum | Poll | Precision |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// | Root Delay |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// | Root Dispersion |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// | Reference ID |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// | |
|
|
// + Reference Timestamp (64) +
|
|
// | |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// | |
|
|
// + Origin Timestamp (64) +
|
|
// | |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// | |
|
|
// + Receive Timestamp (64) +
|
|
// | |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// | |
|
|
// + Transmit Timestamp (64) +
|
|
// | |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// | |
|
|
// . .
|
|
// . Extension Field 1 (variable) .
|
|
// . .
|
|
// | |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// | |
|
|
// . .
|
|
// . Extension Field 2 (variable) .
|
|
// . .
|
|
// | |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// | Key Identifier |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// | |
|
|
// | dgst (128) |
|
|
// | |
|
|
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
// From http://www.ietf.org/rfc/rfc5905.txt
|
|
//
|
|
// The fields "Extension Field 1 (variable)" and later are optional fields,
|
|
// and so we can set a minimum NTP record size of 48 bytes.
|
|
//
|
|
const ntpMinimumRecordSizeInBytes int = 48
|
|
|
|
//******************************************************************************
|
|
|
|
// NTP Type
|
|
// --------
|
|
// Type NTP implements the DecodingLayer interface. Each NTP object
|
|
// represents in a structured form the NTP record present as the UDP
|
|
// payload in an NTP UDP packet.
|
|
//
|
|
|
|
type NTPLeapIndicator uint8
|
|
type NTPVersion uint8
|
|
type NTPMode uint8
|
|
type NTPStratum uint8
|
|
type NTPLog2Seconds int8
|
|
type NTPFixed16Seconds uint32
|
|
type NTPReferenceID uint32
|
|
type NTPTimestamp uint64
|
|
|
|
type NTP struct {
|
|
BaseLayer // Stores the packet bytes and payload bytes.
|
|
|
|
LeapIndicator NTPLeapIndicator // [0,3]. Indicates whether leap second(s) is to be added.
|
|
Version NTPVersion // [0,7]. Version of the NTP protocol.
|
|
Mode NTPMode // [0,7]. Mode.
|
|
Stratum NTPStratum // [0,255]. Stratum of time server in the server tree.
|
|
Poll NTPLog2Seconds // [-128,127]. The maximum interval between successive messages, in log2 seconds.
|
|
Precision NTPLog2Seconds // [-128,127]. The precision of the system clock, in log2 seconds.
|
|
RootDelay NTPFixed16Seconds // [0,2^32-1]. Total round trip delay to the reference clock in seconds times 2^16.
|
|
RootDispersion NTPFixed16Seconds // [0,2^32-1]. Total dispersion to the reference clock, in seconds times 2^16.
|
|
ReferenceID NTPReferenceID // ID code of reference clock [0,2^32-1].
|
|
ReferenceTimestamp NTPTimestamp // Most recent timestamp from the reference clock.
|
|
OriginTimestamp NTPTimestamp // Local time when request was sent from local host.
|
|
ReceiveTimestamp NTPTimestamp // Local time (on server) that request arrived at server host.
|
|
TransmitTimestamp NTPTimestamp // Local time (on server) that request departed server host.
|
|
|
|
// FIX: This package should analyse the extension fields and represent the extension fields too.
|
|
ExtensionBytes []byte // Just put extensions in a byte slice.
|
|
}
|
|
|
|
//******************************************************************************
|
|
|
|
// LayerType returns the layer type of the NTP object, which is LayerTypeNTP.
|
|
func (d *NTP) LayerType() gopacket.LayerType {
|
|
return LayerTypeNTP
|
|
}
|
|
|
|
//******************************************************************************
|
|
|
|
// decodeNTP analyses a byte slice and attempts to decode it as an NTP
|
|
// record of a UDP packet.
|
|
//
|
|
// If it succeeds, it loads p with information about the packet and returns nil.
|
|
// If it fails, it returns an error (non nil).
|
|
//
|
|
// This function is employed in layertypes.go to register the NTP layer.
|
|
func decodeNTP(data []byte, p gopacket.PacketBuilder) error {
|
|
|
|
// Attempt to decode the byte slice.
|
|
d := &NTP{}
|
|
err := d.DecodeFromBytes(data, p)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// If the decoding worked, add the layer to the packet and set it
|
|
// as the application layer too, if there isn't already one.
|
|
p.AddLayer(d)
|
|
p.SetApplicationLayer(d)
|
|
|
|
return nil
|
|
}
|
|
|
|
//******************************************************************************
|
|
|
|
// DecodeFromBytes analyses a byte slice and attempts to decode it as an NTP
|
|
// record of a UDP packet.
|
|
//
|
|
// Upon succeeds, it loads the NTP object with information about the packet
|
|
// and returns nil.
|
|
// Upon failure, it returns an error (non nil).
|
|
func (d *NTP) DecodeFromBytes(data []byte, df gopacket.DecodeFeedback) error {
|
|
|
|
// If the data block is too short to be a NTP record, then return an error.
|
|
if len(data) < ntpMinimumRecordSizeInBytes {
|
|
df.SetTruncated()
|
|
return errors.New("NTP packet too short")
|
|
}
|
|
|
|
// RFC 5905 does not appear to define a maximum NTP record length.
|
|
// The protocol allows "extension fields" to be included in the record,
|
|
// and states about these fields:"
|
|
//
|
|
// "While the minimum field length containing required fields is
|
|
// four words (16 octets), a maximum field length remains to be
|
|
// established."
|
|
//
|
|
// For this reason, the packet length is not checked here for being too long.
|
|
|
|
// NTP type embeds type BaseLayer which contains two fields:
|
|
// Contents is supposed to contain the bytes of the data at this level.
|
|
// Payload is supposed to contain the payload of this level.
|
|
// Here we set the baselayer to be the bytes of the NTP record.
|
|
d.BaseLayer = BaseLayer{Contents: data[:len(data)]}
|
|
|
|
// Extract the fields from the block of bytes.
|
|
// To make sense of this, refer to the packet diagram
|
|
// above and the section on endian conventions.
|
|
|
|
// The first few fields are all packed into the first 32 bits. Unpack them.
|
|
f := data[0]
|
|
d.LeapIndicator = NTPLeapIndicator((f & 0xC0) >> 6)
|
|
d.Version = NTPVersion((f & 0x38) >> 3)
|
|
d.Mode = NTPMode(f & 0x07)
|
|
d.Stratum = NTPStratum(data[1])
|
|
d.Poll = NTPLog2Seconds(data[2])
|
|
d.Precision = NTPLog2Seconds(data[3])
|
|
|
|
// The remaining fields can just be copied in big endian order.
|
|
d.RootDelay = NTPFixed16Seconds(binary.BigEndian.Uint32(data[4:8]))
|
|
d.RootDispersion = NTPFixed16Seconds(binary.BigEndian.Uint32(data[8:12]))
|
|
d.ReferenceID = NTPReferenceID(binary.BigEndian.Uint32(data[12:16]))
|
|
d.ReferenceTimestamp = NTPTimestamp(binary.BigEndian.Uint64(data[16:24]))
|
|
d.OriginTimestamp = NTPTimestamp(binary.BigEndian.Uint64(data[24:32]))
|
|
d.ReceiveTimestamp = NTPTimestamp(binary.BigEndian.Uint64(data[32:40]))
|
|
d.TransmitTimestamp = NTPTimestamp(binary.BigEndian.Uint64(data[40:48]))
|
|
|
|
// This layer does not attempt to analyse the extension bytes.
|
|
// But if there are any, we'd like the user to know. So we just
|
|
// place them all in an ExtensionBytes field.
|
|
d.ExtensionBytes = data[48:]
|
|
|
|
// Return no error.
|
|
return nil
|
|
}
|
|
|
|
// SerializeTo writes the serialized form of this layer into the
|
|
// SerializationBuffer, implementing gopacket.SerializableLayer.
|
|
// See the docs for gopacket.SerializableLayer for more info.
|
|
func (d *NTP) SerializeTo(b gopacket.SerializeBuffer, opts gopacket.SerializeOptions) error {
|
|
data, err := b.PrependBytes(ntpMinimumRecordSizeInBytes)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Pack the first few fields into the first 32 bits.
|
|
h := uint8(0)
|
|
h |= (uint8(d.LeapIndicator) << 6) & 0xC0
|
|
h |= (uint8(d.Version) << 3) & 0x38
|
|
h |= (uint8(d.Mode)) & 0x07
|
|
data[0] = byte(h)
|
|
data[1] = byte(d.Stratum)
|
|
data[2] = byte(d.Poll)
|
|
data[3] = byte(d.Precision)
|
|
|
|
// The remaining fields can just be copied in big endian order.
|
|
binary.BigEndian.PutUint32(data[4:8], uint32(d.RootDelay))
|
|
binary.BigEndian.PutUint32(data[8:12], uint32(d.RootDispersion))
|
|
binary.BigEndian.PutUint32(data[12:16], uint32(d.ReferenceID))
|
|
binary.BigEndian.PutUint64(data[16:24], uint64(d.ReferenceTimestamp))
|
|
binary.BigEndian.PutUint64(data[24:32], uint64(d.OriginTimestamp))
|
|
binary.BigEndian.PutUint64(data[32:40], uint64(d.ReceiveTimestamp))
|
|
binary.BigEndian.PutUint64(data[40:48], uint64(d.TransmitTimestamp))
|
|
|
|
ex, err := b.AppendBytes(len(d.ExtensionBytes))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
copy(ex, d.ExtensionBytes)
|
|
|
|
return nil
|
|
}
|
|
|
|
//******************************************************************************
|
|
|
|
// CanDecode returns a set of layers that NTP objects can decode.
|
|
// As NTP objects can only decide the NTP layer, we can return just that layer.
|
|
// Apparently a single layer type implements LayerClass.
|
|
func (d *NTP) CanDecode() gopacket.LayerClass {
|
|
return LayerTypeNTP
|
|
}
|
|
|
|
//******************************************************************************
|
|
|
|
// NextLayerType specifies the next layer that GoPacket should attempt to
|
|
// analyse after this (NTP) layer. As NTP packets do not contain any payload
|
|
// bytes, there are no further layers to analyse.
|
|
func (d *NTP) NextLayerType() gopacket.LayerType {
|
|
return gopacket.LayerTypeZero
|
|
}
|
|
|
|
//******************************************************************************
|
|
|
|
// NTP packets do not carry any data payload, so the empty byte slice is retured.
|
|
// In Go, a nil slice is functionally identical to an empty slice, so we
|
|
// return nil to avoid a heap allocation.
|
|
func (d *NTP) Payload() []byte {
|
|
return nil
|
|
}
|
|
|
|
//******************************************************************************
|
|
//* End Of NTP File *
|
|
//******************************************************************************
|