xref: /freebsd/contrib/ntp/ntpd/ntp_proto.c (revision f5f40dd63bc7acbb5312b26ac1ea1103c12352a6)
1 /*
2  * ntp_proto.c - NTP version 4 protocol machinery
3  *
4  * ATTENTION: Get approval from Harlan on all changes to this file!
5  *	    (Harlan will be discussing these changes with Dave Mills.)
6  *
7  */
8 #ifdef HAVE_CONFIG_H
9 #include <config.h>
10 #endif
11 
12 #include "ntpd.h"
13 #include "ntp_stdlib.h"
14 #include "ntp_unixtime.h"
15 #include "ntp_control.h"
16 #include "ntp_string.h"
17 #include "ntp_leapsec.h"
18 #include "ntp_psl.h"
19 #include "refidsmear.h"
20 
21 #include <stdio.h>
22 #ifdef HAVE_LIBSCF_H
23 #include <libscf.h>
24 #endif
25 #ifdef HAVE_UNISTD_H
26 #include <unistd.h>
27 #endif
28 
29 /* [Bug 3031] define automatic broadcastdelay cutoff preset */
30 #ifndef BDELAY_DEFAULT
31 # define BDELAY_DEFAULT (-0.050)
32 #endif
33 
34 #define SRVFUZ_SHIFT	6	/* 64 seconds */
35 #define SRVRSP_FUZZ(x)					\
36 	do {						\
37 		x.l_uf = 0;				\
38 		x.l_ui &= ~((1 << SRVFUZ_SHIFT) - 1U);	\
39 	} while (FALSE)
40 
41 /*
42  * This macro defines the authentication state. If x is 1 authentication
43  * is required; otherwise it is optional.
44  */
45 #define	AUTH(x, y)	((x) ? (y) == AUTH_OK \
46 			     : (y) == AUTH_OK || (y) == AUTH_NONE)
47 
48 typedef enum
49 auth_state {
50 	AUTH_UNKNOWN = -1,	/* Unknown */
51 	AUTH_NONE,		/* authentication not required */
52 	AUTH_OK,		/* authentication OK */
53 	AUTH_ERROR,		/* authentication error */
54 	AUTH_CRYPTO		/* crypto_NAK */
55 } auth_code;
56 
57 /*
58  * Set up Kiss Code values
59  */
60 
61 typedef enum
62 kiss_codes {
63 	NOKISS,				/* No Kiss Code */
64 	RATEKISS,			/* Rate limit Kiss Code */
65 	DENYKISS,			/* Deny Kiss */
66 	RSTRKISS,			/* Restricted Kiss */
67 	XKISS				/* Experimental Kiss */
68 } kiss_code;
69 
70 typedef enum
71 nak_error_codes {
72 	NONAK,				/* No NAK seen */
73 	INVALIDNAK,			/* NAK cannot be used */
74 	VALIDNAK			/* NAK is valid */
75 } nak_code;
76 
77 /*
78  * traffic shaping parameters
79  */
80 #define	NTP_IBURST	6	/* packets in iburst */
81 #define	RESP_DELAY	1	/* refclock burst delay (s) */
82 
83 /*
84  * pool soliciting restriction duration (s)
85  */
86 #define	POOL_SOLICIT_WINDOW	8
87 
88 /*
89  * flag bits propagated from pool/manycast to individual peers
90  */
91 #define POOL_FLAG_PMASK		(FLAG_IBURST | FLAG_NOSELECT)
92 
93 /*
94  * peer_select groups statistics for a peer used by clock_select() and
95  * clock_cluster().
96  */
97 typedef struct peer_select_tag {
98 	struct peer *	peer;
99 	double		synch;	/* sync distance */
100 	double		error;	/* jitter */
101 	double		seljit;	/* selection jitter */
102 } peer_select;
103 
104 /*
105  * System variables are declared here. Unless specified otherwise, all
106  * times are in seconds.
107  */
108 u_char	sys_leap;		/* system leap indicator, use set_sys_leap() to change this */
109 u_char	xmt_leap;		/* leap indicator sent in client requests, set up by set_sys_leap() */
110 u_char	sys_stratum;		/* system stratum */
111 s_char	sys_precision;		/* local clock precision (log2 s) */
112 double	sys_rootdelay;		/* roundtrip delay to root (primary source) */
113 double	sys_rootdisp;		/* dispersion to root (primary source) */
114 double	prev_rootdisp;		/* previous root dispersion */
115 double	p2_rootdisp;		/* previous previous root dispersion */
116 u_int32 sys_refid;		/* reference id (network byte order) */
117 l_fp	sys_reftime;		/* last update time */
118 l_fp	prev_reftime;		/* previous sys_reftime */
119 l_fp	p2_reftime;		/* previous previous sys_reftime */
120 u_long	prev_time;		/* "current_time" when saved prev_time */
121 u_long	p2_time;		/* previous prev_time */
122 struct	peer *sys_peer;		/* current peer */
123 
124 #ifdef LEAP_SMEAR
125 struct leap_smear_info leap_smear;
126 #endif
127 int leap_sec_in_progress;
128 
129 /*
130  * Rate controls. Leaky buckets are used to throttle the packet
131  * transmission rates in order to protect busy servers such as at NIST
132  * and USNO. There is a counter for each association and another for KoD
133  * packets. The association counter decrements each second, but not
134  * below zero. Each time a packet is sent the counter is incremented by
135  * a configurable value representing the average interval between
136  * packets. A packet is delayed as long as the counter is greater than
137  * zero. Note this does not affect the time value computations.
138  */
139 /*
140  * Nonspecified system state variables
141  */
142 int	sys_bclient;		/* broadcast client enable */
143 int	sys_mclient;		/* multicast client enable */
144 double	sys_bdelay;		/* broadcast client default delay */
145 int	sys_authenticate;	/* requre authentication for config */
146 l_fp	sys_authdelay;		/* authentication delay */
147 double	sys_offset;	/* current local clock offset */
148 double	sys_mindisp = MINDISPERSE; /* minimum distance (s) */
149 double	sys_maxdist = MAXDISTANCE; /* selection threshold */
150 double	sys_jitter;		/* system jitter */
151 u_long	sys_epoch;		/* last clock update time */
152 static	double sys_clockhop;	/* clockhop threshold */
153 static int leap_vote_ins;	/* leap consensus for insert */
154 static int leap_vote_del;	/* leap consensus for delete */
155 keyid_t	sys_private;		/* private value for session seed */
156 int	sys_manycastserver;	/* respond to manycast client pkts */
157 int	ntp_mode7;		/* respond to ntpdc (mode7) */
158 int	peer_ntpdate;		/* active peers in ntpdate mode */
159 int	sys_survivors;		/* truest of the truechimers */
160 char	*sys_ident = NULL;	/* identity scheme */
161 
162 /*
163  * TOS and multicast mapping stuff
164  */
165 int	sys_floor = 0;		/* cluster stratum floor */
166 u_char	sys_bcpollbstep = 0;	/* Broadcast Poll backstep gate */
167 int	sys_ceiling = STRATUM_UNSPEC - 1; /* cluster stratum ceiling */
168 int	sys_minsane = 1;	/* minimum candidates */
169 int	sys_minclock = NTP_MINCLOCK; /* minimum candidates */
170 int	sys_maxclock = NTP_MAXCLOCK; /* maximum candidates */
171 int	sys_cohort = 0;		/* cohort switch */
172 int	sys_orphan = STRATUM_UNSPEC + 1; /* orphan stratum */
173 int	sys_orphwait = NTP_ORPHWAIT; /* orphan wait */
174 int	sys_beacon = BEACON;	/* manycast beacon interval */
175 u_int	sys_ttlmax;		/* max ttl mapping vector index */
176 u_char	sys_ttl[MAX_TTL];	/* ttl mapping vector */
177 
178 /*
179  * Statistics counters - first the good, then the bad
180  */
181 u_long	sys_stattime;		/* elapsed time */
182 u_long	sys_received;		/* packets received */
183 u_long	sys_processed;		/* packets for this host */
184 u_long	sys_newversion;		/* current version */
185 u_long	sys_oldversion;		/* old version */
186 u_long	sys_restricted;		/* access denied */
187 u_long	sys_badlength;		/* bad length or format */
188 u_long	sys_badauth;		/* bad authentication */
189 u_long	sys_declined;		/* declined */
190 u_long	sys_limitrejected;	/* rate exceeded */
191 u_long	sys_kodsent;		/* KoD sent */
192 
193 /*
194  * Mechanism knobs: how soon do we peer_clear() or unpeer()?
195  *
196  * The default way is "on-receipt".  If this was a packet from a
197  * well-behaved source, on-receipt will offer the fastest recovery.
198  * If this was from a DoS attack, the default way makes it easier
199  * for a bad-guy to DoS us.  So look and see what bites you harder
200  * and choose according to your environment.
201  */
202 int peer_clear_digest_early	= 1;	/* bad digest (TEST5) and Autokey */
203 int unpeer_crypto_early		= 1;	/* bad crypto (TEST9) */
204 int unpeer_crypto_nak_early	= 1;	/* crypto_NAK (TEST5) */
205 int unpeer_digest_early		= 1;	/* bad digest (TEST5) */
206 
207 int dynamic_interleave = DYNAMIC_INTERLEAVE;	/* Bug 2978 mitigation */
208 
209 int kiss_code_check(u_char hisleap, u_char hisstratum, u_char hismode, u_int32 refid);
210 nak_code	valid_NAK	(struct peer *peer, struct recvbuf *rbufp, u_char hismode);
211 static	double	root_distance	(struct peer *);
212 static	void	clock_combine	(peer_select *, int, int);
213 static	void	peer_xmit	(struct peer *);
214 static	void	fast_xmit	(struct recvbuf *, int, keyid_t, int);
215 static	void	pool_xmit	(struct peer *);
216 static	void	clock_update	(struct peer *);
217 static	void	measure_precision(void);
218 static	double	measure_tick_fuzz(void);
219 static	int	local_refid	(struct peer *);
220 static	int	peer_unfit	(struct peer *);
221 #ifdef AUTOKEY
222 static	int	group_test	(char *, char *);
223 #endif /* AUTOKEY */
224 #ifdef WORKER
225 void	pool_name_resolved	(int, int, void *, const char *,
226 				 const char *, const struct addrinfo *,
227 				 const struct addrinfo *);
228 #endif /* WORKER */
229 
230 const char *	amtoa		(int am);
231 
232 
233 void
234 set_sys_leap(
235 	u_char new_sys_leap
236 	)
237 {
238 	sys_leap = new_sys_leap;
239 	xmt_leap = sys_leap;
240 
241 	/*
242 	 * Under certain conditions we send faked leap bits to clients, so
243 	 * eventually change xmt_leap below, but never change LEAP_NOTINSYNC.
244 	 */
245 	if (xmt_leap != LEAP_NOTINSYNC) {
246 		if (leap_sec_in_progress) {
247 			/* always send "not sync" */
248 			xmt_leap = LEAP_NOTINSYNC;
249 		}
250 #ifdef LEAP_SMEAR
251 		else {
252 			/*
253 			 * If leap smear is enabled in general we must
254 			 * never send a leap second warning to clients,
255 			 * so make sure we only send "in sync".
256 			 */
257 			if (leap_smear.enabled)
258 				xmt_leap = LEAP_NOWARNING;
259 		}
260 #endif	/* LEAP_SMEAR */
261 	}
262 }
263 
264 
265 /*
266  * Kiss Code check
267  */
268 int
269 kiss_code_check(
270 	u_char hisleap,
271 	u_char hisstratum,
272 	u_char hismode,
273 	u_int32 refid
274 	)
275 {
276 
277 	if (   hismode == MODE_SERVER
278 	    && hisleap == LEAP_NOTINSYNC
279 	    && hisstratum == STRATUM_UNSPEC) {
280 		if(memcmp(&refid,"RATE", 4) == 0) {
281 			return (RATEKISS);
282 		} else if(memcmp(&refid,"DENY", 4) == 0) {
283 			return (DENYKISS);
284 		} else if(memcmp(&refid,"RSTR", 4) == 0) {
285 			return (RSTRKISS);
286 		} else if(memcmp(&refid,"X", 1) == 0) {
287 			return (XKISS);
288 		}
289 	}
290 	return (NOKISS);
291 }
292 
293 
294 /*
295  * Check that NAK is valid
296  */
297 nak_code
298 valid_NAK(
299 	  struct peer *peer,
300 	  struct recvbuf *rbufp,
301 	  u_char hismode
302 	  )
303 {
304 	int		base_packet_length = MIN_V4_PKT_LEN;
305 	int		remainder_size;
306 	struct pkt *	rpkt;
307 	int		keyid;
308 	l_fp		p_org;	/* origin timestamp */
309 	const l_fp *	myorg;	/* selected peer origin */
310 
311 	/*
312 	 * Check to see if there is something beyond the basic packet
313 	 */
314 	if (rbufp->recv_length == base_packet_length) {
315 		return NONAK;
316 	}
317 
318 	remainder_size = rbufp->recv_length - base_packet_length;
319 	/*
320 	 * Is this a potential NAK?
321 	 */
322 	if (remainder_size != 4) {
323 		return NONAK;
324 	}
325 
326 	/*
327 	 * Only server responses can contain NAK's
328 	 */
329 
330 	if (hismode != MODE_SERVER &&
331 	    hismode != MODE_ACTIVE &&
332 	    hismode != MODE_PASSIVE
333 	    ) {
334 		return INVALIDNAK;
335 	}
336 
337 	/*
338 	 * Make sure that the extra field in the packet is all zeros
339 	 */
340 	rpkt = &rbufp->recv_pkt;
341 	keyid = ntohl(((u_int32 *)rpkt)[base_packet_length / 4]);
342 	if (keyid != 0) {
343 		return INVALIDNAK;
344 	}
345 
346 	/*
347 	 * During the first few packets of the autokey dance there will
348 	 * not (yet) be a keyid, but in this case FLAG_SKEY is set.
349 	 * So the NAK is invalid if either there's no peer, or
350 	 * if the keyid is 0 and FLAG_SKEY is not set.
351 	 */
352 	if (!peer || (!peer->keyid && !(peer->flags & FLAG_SKEY))) {
353 		return INVALIDNAK;
354 	}
355 
356 	/*
357 	 * The ORIGIN must match, or this cannot be a valid NAK, either.
358 	 */
359 
360 	if (FLAG_LOOPNONCE & peer->flags) {
361 		myorg = &peer->nonce;
362 	} else {
363 		if (peer->flip > 0) {
364 			myorg = &peer->borg;
365 		} else {
366 			myorg = &peer->aorg;
367 		}
368 	}
369 
370 	NTOHL_FP(&rpkt->org, &p_org);
371 
372 	if (L_ISZERO(&p_org) ||
373 	    L_ISZERO( myorg) ||
374 	    !L_ISEQU(&p_org, myorg)) {
375 		return INVALIDNAK;
376 	}
377 
378 	/* If we ever passed all that checks, we should be safe. Well,
379 	 * as safe as we can ever be with an unauthenticated crypto-nak.
380 	 */
381 	return VALIDNAK;
382 }
383 
384 
385 /*
386  * transmit - transmit procedure called by poll timeout
387  */
388 void
389 transmit(
390 	struct peer *peer	/* peer structure pointer */
391 	)
392 {
393 	u_char	hpoll;
394 
395 	/*
396 	 * The polling state machine. There are two kinds of machines,
397 	 * those that never expect a reply (broadcast and manycast
398 	 * server modes) and those that do (all other modes). The dance
399 	 * is intricate...
400 	 */
401 	hpoll = peer->hpoll;
402 
403 	/*
404 	 * If we haven't received anything (even if unsync) since last
405 	 * send, reset ppoll.
406 	 */
407 	if (peer->outdate > peer->timelastrec && !peer->reach)
408 		peer->ppoll = peer->maxpoll;
409 
410 	/*
411 	 * In broadcast mode the poll interval is never changed from
412 	 * minpoll.
413 	 */
414 	if (peer->cast_flags & (MDF_BCAST | MDF_MCAST)) {
415 		peer->outdate = current_time;
416 		poll_update(peer, hpoll, 0);
417 		if (sys_leap != LEAP_NOTINSYNC)
418 			peer_xmit(peer);
419 		return;
420 	}
421 
422 	/*
423 	 * In manycast mode we start with unity ttl. The ttl is
424 	 * increased by one for each poll until either sys_maxclock
425 	 * servers have been found or the maximum ttl is reached. When
426 	 * sys_maxclock servers are found we stop polling until one or
427 	 * more servers have timed out or until less than sys_minclock
428 	 * associations turn up. In this case additional better servers
429 	 * are dragged in and preempt the existing ones.  Once every
430 	 * sys_beacon seconds we are to transmit unconditionally, but
431 	 * this code is not quite right -- peer->unreach counts polls
432 	 * and is being compared with sys_beacon, so the beacons happen
433 	 * every sys_beacon polls.
434 	 */
435 	if (peer->cast_flags & MDF_ACAST) {
436 		peer->outdate = current_time;
437 		poll_update(peer, hpoll, 0);
438 		if (peer->unreach > sys_beacon) {
439 			peer->unreach = 0;
440 			peer->ttl = 0;
441 			peer_xmit(peer);
442 		} else if (   sys_survivors < sys_minclock
443 			   || peer_associations < sys_maxclock) {
444 			if (peer->ttl < sys_ttlmax)
445 				peer->ttl++;
446 			peer_xmit(peer);
447 		}
448 		peer->unreach++;
449 		return;
450 	}
451 
452 	/*
453 	 * Pool associations transmit unicast solicitations when there
454 	 * are less than a hard limit of 2 * sys_maxclock associations,
455 	 * and either less than sys_minclock survivors or less than
456 	 * sys_maxclock associations.  The hard limit prevents unbounded
457 	 * growth in associations if the system clock or network quality
458 	 * result in survivor count dipping below sys_minclock often.
459 	 * This was observed testing with pool, where sys_maxclock == 12
460 	 * resulted in 60 associations without the hard limit.  A
461 	 * similar hard limit on manycastclient ephemeral associations
462 	 * may be appropriate.
463 	 */
464 	if (peer->cast_flags & MDF_POOL) {
465 		peer->outdate = current_time;
466 		poll_update(peer, hpoll, 0);
467 		if (   (peer_associations <= 2 * sys_maxclock)
468 		    && (   peer_associations < sys_maxclock
469 			|| sys_survivors < sys_minclock))
470 			pool_xmit(peer);
471 		return;
472 	}
473 
474 	/* [Bug 3851] drop pool servers which can no longer be reached. */
475 	if (MDF_PCLNT & peer->cast_flags) {
476 		if (   (IS_IPV6(&peer->srcadr) && !nonlocal_v6_addr_up)
477 		    || !nonlocal_v4_addr_up) {
478 			unpeer(peer);
479 			return;
480 		}
481 	}
482 
483 	 /*
484 	 * In unicast modes the dance is much more intricate. It is
485 	 * designed to back off whenever possible to minimize network
486 	 * traffic.
487 	 */
488 	if (peer->burst == 0) {
489 		u_char oreach;
490 
491 		/*
492 		 * Update the reachability status. If not heard for
493 		 * three consecutive polls, stuff infinity in the clock
494 		 * filter.
495 		 */
496 		oreach = peer->reach;
497 		peer->outdate = current_time;
498 		peer->unreach++;
499 		peer->reach <<= 1;
500 		if (!peer->reach) {
501 
502 			/*
503 			 * Here the peer is unreachable. If it was
504 			 * previously reachable raise a trap. Send a
505 			 * burst if enabled.
506 			 */
507 			clock_filter(peer, 0., 0., MAXDISPERSE);
508 			if (oreach) {
509 				peer_unfit(peer);
510 				report_event(PEVNT_UNREACH, peer, NULL);
511 			}
512 			if (   (peer->flags & FLAG_IBURST)
513 			    && peer->retry == 0)
514 				peer->retry = NTP_RETRY;
515 		} else {
516 
517 			/*
518 			 * Here the peer is reachable. Send a burst if
519 			 * enabled and the peer is fit.  Reset unreach
520 			 * for persistent and ephemeral associations.
521 			 * Unreach is also reset for survivors in
522 			 * clock_select().
523 			 */
524 			hpoll = sys_poll;
525 			if (!(peer->flags & FLAG_PREEMPT))
526 				peer->unreach = 0;
527 			if (   (peer->flags & FLAG_BURST)
528 			    && peer->retry == 0
529 			    && !peer_unfit(peer))
530 				peer->retry = NTP_RETRY;
531 		}
532 
533 		/*
534 		 * Watch for timeout.  If ephemeral, toss the rascal;
535 		 * otherwise, bump the poll interval. Note the
536 		 * poll_update() routine will clamp it to maxpoll.
537 		 * If preemptible and we have more peers than maxclock,
538 		 * and this peer has the minimum score of preemptibles,
539 		 * demobilize.
540 		 */
541 		if (peer->unreach >= NTP_UNREACH) {
542 			hpoll++;
543 			/* ephemeral: no FLAG_CONFIG nor FLAG_PREEMPT */
544 			if (!(peer->flags & (FLAG_CONFIG | FLAG_PREEMPT))) {
545 				report_event(PEVNT_RESTART, peer, "timeout");
546 				peer_clear(peer, "TIME");
547 				unpeer(peer);
548 				return;
549 			}
550 			if (   (peer->flags & FLAG_PREEMPT)
551 			    && (peer_associations > sys_maxclock)
552 			    && score_all(peer)) {
553 				report_event(PEVNT_RESTART, peer, "timeout");
554 				peer_clear(peer, "TIME");
555 				unpeer(peer);
556 				return;
557 			}
558 		}
559 	} else {
560 		peer->burst--;
561 		if (peer->burst == 0) {
562 
563 			/*
564 			 * If ntpdate mode and the clock has not been
565 			 * set and all peers have completed the burst,
566 			 * we declare a successful failure.
567 			 */
568 			if (mode_ntpdate) {
569 				peer_ntpdate--;
570 				if (peer_ntpdate == 0) {
571 					msyslog(LOG_NOTICE,
572 					    "ntpd: no servers found");
573 					if (!msyslog_term)
574 						printf(
575 						    "ntpd: no servers found\n");
576 					exit (0);
577 				}
578 			}
579 		}
580 	}
581 	if (peer->retry > 0)
582 		peer->retry--;
583 
584 	/*
585 	 * Do not transmit if in broadcast client mode.
586 	 */
587 	poll_update(peer, hpoll, (peer->hmode == MODE_CLIENT));
588 	if (peer->hmode != MODE_BCLIENT)
589 		peer_xmit(peer);
590 
591 	return;
592 }
593 
594 
595 #ifdef DEBUG
596 const char *
597 amtoa(
598 	int am
599 	)
600 {
601 	char *bp;
602 
603 	switch(am) {
604 	    case AM_ERR:	return "AM_ERR";
605 	    case AM_NOMATCH:	return "AM_NOMATCH";
606 	    case AM_PROCPKT:	return "AM_PROCPKT";
607 	    case AM_BCST:	return "AM_BCST";
608 	    case AM_FXMIT:	return "AM_FXMIT";
609 	    case AM_MANYCAST:	return "AM_MANYCAST";
610 	    case AM_NEWPASS:	return "AM_NEWPASS";
611 	    case AM_NEWBCL:	return "AM_NEWBCL";
612 	    case AM_POSSBCL:	return "AM_POSSBCL";
613 	    default:
614 		LIB_GETBUF(bp);
615 		snprintf(bp, LIB_BUFLENGTH, "AM_#%d", am);
616 		return bp;
617 	}
618 }
619 #endif	/* DEBUG */
620 
621 
622 /*
623  * receive - receive procedure called for each packet received
624  */
625 void
626 receive(
627 	struct recvbuf *rbufp
628 	)
629 {
630 	register struct peer *peer;	/* peer structure pointer */
631 	register struct pkt *pkt;	/* receive packet pointer */
632 	u_char	hisversion;		/* packet version */
633 	u_char	hisleap;		/* packet leap indicator */
634 	u_char	hismode;		/* packet mode */
635 	u_char	hisstratum;		/* packet stratum */
636 	r4addr	r4a;			/* address restrictions */
637 	u_short	restrict_mask;		/* restrict bits */
638 	const char *hm_str;		/* hismode string */
639 	int	kissCode = NOKISS;	/* Kiss Code */
640 	int	has_mac;		/* length of MAC field */
641 	int	authlen;		/* offset of MAC field */
642 	auth_code is_authentic = AUTH_UNKNOWN;	/* Was AUTH_NONE */
643 	nak_code crypto_nak_test;	/* result of crypto-NAK check */
644 	int	retcode = AM_NOMATCH;	/* match code */
645 	keyid_t	skeyid = 0;		/* key IDs */
646 	u_int32	opcode = 0;		/* extension field opcode */
647 	sockaddr_u *dstadr_sin;		/* active runway */
648 	u_char	cast_flags;		/* MDF_* flags for newpeer() */
649 	struct peer *peer2;		/* aux peer structure pointer */
650 	endpt	*match_ep;		/* newpeer() local address */
651 	l_fp	p_org;			/* origin timestamp */
652 	l_fp	p_rec;			/* receive timestamp */
653 	l_fp	p_xmt;			/* transmit timestamp */
654 #ifdef DEBUG
655 	const char *am_str;		/* association match string */
656 #endif
657 #ifdef AUTOKEY
658 	char	hostname[NTP_MAXSTRLEN + 1];
659 	char	*groupname = NULL;
660 	struct autokey *ap;		/* autokey structure pointer */
661 	int	rval;			/* cookie snatcher */
662 	keyid_t	pkeyid = 0, tkeyid = 0;	/* key IDs */
663 #endif	/* AUTOKEY */
664 #ifdef HAVE_NTP_SIGND
665 	static unsigned char zero_key[16];
666 #endif /* HAVE_NTP_SIGND */
667 
668 	/*
669 	 * Note that there are many places we do not call record_raw_stats().
670 	 *
671 	 * We only want to call it *after* we've sent a response, or perhaps
672 	 * when we've decided to drop a packet.
673 	 */
674 
675 	/*
676 	 * Monitor the packet and get restrictions. Note that the packet
677 	 * length for control and private mode packets must be checked
678 	 * by the service routines. Some restrictions have to be handled
679 	 * later in order to generate a kiss-o'-death packet.
680 	 */
681 	/*
682 	 * Bogus port check is before anything, since it probably
683 	 * reveals a clogging attack. Likewise the mimimum packet size
684 	 * of 2 bytes (for mode 6/7) must be checked first.
685 	 */
686 	sys_received++;
687 	if (0 == SRCPORT(&rbufp->recv_srcadr) || rbufp->recv_length < 2) {
688 		sys_badlength++;
689 		return;				/* bogus port / length */
690 	}
691 	restrictions(&rbufp->recv_srcadr, &r4a);
692 	restrict_mask = r4a.rflags;
693 
694 	pkt = &rbufp->recv_pkt;
695 	hisversion = PKT_VERSION(pkt->li_vn_mode);
696 	hismode = (int)PKT_MODE(pkt->li_vn_mode);
697 
698 	if (restrict_mask & RES_IGNORE) {
699 		DPRINTF(2, ("receive: drop: RES_IGNORE\n"));
700 		sys_restricted++;
701 		return;				/* ignore everything */
702 	}
703 	if (hismode == MODE_PRIVATE) {
704 		if (!ntp_mode7 || (restrict_mask & RES_NOQUERY)) {
705 			DPRINTF(2, ("receive: drop: !mode7 or RES_NOQUERY\n"));
706 			sys_restricted++;
707 			return;			/* no query private */
708 		}
709 		process_private(rbufp, !(RES_NOMODIFY & restrict_mask));
710 		return;
711 	}
712 	if (hismode == MODE_CONTROL) {
713 		if (restrict_mask & RES_NOQUERY) {
714 			DPRINTF(2, ("receive: drop: RES_NOQUERY\n"));
715 			sys_restricted++;
716 			return;			/* no query control */
717 		}
718 		process_control(rbufp, restrict_mask);
719 		return;
720 	}
721 	if (restrict_mask & RES_DONTSERVE) {
722 		DPRINTF(2, ("receive: drop: RES_DONTSERVE\n"));
723 		sys_restricted++;
724 		return;				/* no time serve */
725 	}
726 
727 
728 	/* If we arrive here, we should have a standard NTP packet. We
729 	 * check that the minimum size is available and fetch some more
730 	 * items from the packet once we can be sure they are indeed
731 	 * there.
732 	 */
733 	if (rbufp->recv_length < LEN_PKT_NOMAC) {
734 		sys_badlength++;
735 		return;				/* bogus length */
736 	}
737 
738 	hisleap = PKT_LEAP(pkt->li_vn_mode);
739 	hisstratum = PKT_TO_STRATUM(pkt->stratum);
740 	DEBUG_INSIST(0 != hisstratum);	/* paranoia check PKT_TO_STRATUM result */
741 					/* TODO: this should be in a unit test */
742 	DPRINTF(1, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s "
743 		    "restrict %s org 0x%x.%08x xmt 0x%x.%08x\n",
744 		    current_time, stoa(&rbufp->dstadr->sin),
745 		    stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode,
746 		    iflags_str(rbufp->dstadr->flags),
747 		    rflags_str(restrict_mask),
748 		    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
749 		    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
750 
751 	/*
752 	 * This is for testing. If restricted drop ten percent of
753 	 * surviving packets.
754 	 */
755 	if (restrict_mask & RES_FLAKE) {
756 		if (ntp_uurandom() < .1) {
757 			DPRINTF(2, ("receive: drop: RES_FLAKE\n"));
758 			sys_restricted++;
759 			return;			/* no flakeway */
760 		}
761 	}
762 
763 	/*
764 	** Format Layer Checks
765 	**
766 	** Validate the packet format.  The packet size, packet header,
767 	** and any extension field lengths are checked.  We identify
768 	** the beginning of the MAC, to identify the upper limit of
769 	** of the hash computation.
770 	**
771 	** In case of a format layer check violation, the packet is
772 	** discarded with no further processing.
773 	*/
774 
775 	/*
776 	 * Version check must be after the query packets, since they
777 	 * intentionally use an early version.
778 	 */
779 	if (hisversion == NTP_VERSION) {
780 		sys_newversion++;		/* new version */
781 	} else if (   !(restrict_mask & RES_VERSION)
782 		   && hisversion >= NTP_OLDVERSION) {
783 		sys_oldversion++;		/* previous version */
784 	} else {
785 		DPRINTF(2, ("receive: drop: RES_VERSION\n"));
786 		sys_badlength++;
787 		return;				/* old version */
788 	}
789 
790 	/*
791 	 * Figure out his mode and validate the packet. This has some
792 	 * legacy raunch that probably should be removed. In very early
793 	 * NTP versions mode 0 was equivalent to what later versions
794 	 * would interpret as client mode.
795 	 */
796 	if (hismode == MODE_UNSPEC) {
797 		if (hisversion == NTP_OLDVERSION) {
798 			hismode = MODE_CLIENT;
799 		} else {
800 			DPRINTF(2, ("receive: drop: MODE_UNSPEC\n"));
801 			sys_badlength++;
802 			return;			/* invalid mode */
803 		}
804 	}
805 
806 	/*
807 	 * Validate the poll interval in the packet.
808 	 * 0 probably indicates a data-minimized packet.
809 	 * A valid poll interval is required for RATEKISS, where
810 	 * a value of 0 is not allowed.  We check for this below.
811 	 *
812 	 * There might be arguments against this check.  If you have
813 	 * any of these arguments, please let us know.
814 	 *
815 	 * At this point, the packet cannot be a mode[67] packet.
816 	 */
817 	if (   pkt->ppoll
818 	    && (   (NTP_MINPOLL > pkt->ppoll)
819 	        || (NTP_MAXPOLL < pkt->ppoll)
820 	       )
821 	   ) {
822 #ifdef BUG3870
823 		DPRINTF(2, ("receive: drop: Invalid ppoll (%d) from %s\n",
824 				pkt->ppoll, stoa(&rbufp->recv_srcadr)));
825 		sys_badlength++;
826 		return;			/* invalid packet poll */
827 #else
828 		DPRINTF(2, ("receive: info: Invalid ppoll (%d) from %s\n",
829 				pkt->ppoll, stoa(&rbufp->recv_srcadr)));
830 #endif
831 	}
832 
833 	/*
834 	 * Parse the extension field if present. We figure out whether
835 	 * an extension field is present by measuring the MAC size. If
836 	 * the number of words following the packet header is 0, no MAC
837 	 * is present and the packet is not authenticated. If 1, the
838 	 * packet is a crypto-NAK; if 3, the packet is authenticated
839 	 * with DES; if 5, the packet is authenticated with MD5; if 6,
840 	 * the packet is authenticated with SHA. If 2 or * 4, the packet
841 	 * is a runt and discarded forthwith. If greater than 6, an
842 	 * extension field is present, so we subtract the length of the
843 	 * field and go around again.
844 	 *
845 	 * Note the above description is lame.  We should/could also check
846 	 * the two bytes that make up the EF type and subtype, and then
847 	 * check the two bytes that tell us the EF length.  A legacy MAC
848 	 * has a 4 byte keyID, and for conforming symmetric keys its value
849 	 * must be <= 64k, meaning the top two bytes will always be zero.
850 	 * Since the EF Type of 0 is reserved/unused, there's no way a
851 	 * conforming legacy MAC could ever be misinterpreted as an EF.
852 	 *
853 	 * There is more, but this isn't the place to document it.
854 	 */
855 
856 	authlen = LEN_PKT_NOMAC;
857 	has_mac = rbufp->recv_length - authlen;
858 	while (has_mac > 0) {
859 		u_int32	len;
860 #ifdef AUTOKEY
861 		u_int32	hostlen;
862 		struct exten *ep;
863 #endif /*AUTOKEY */
864 
865 		if (has_mac % 4 != 0 || has_mac < (int)MIN_MAC_LEN) {
866 			DPRINTF(2, ("receive: drop: bad post-packet length\n"));
867 			sys_badlength++;
868 			return;			/* bad length */
869 		}
870 		/*
871 		 * This next test is clearly wrong - it needlessly
872 		 * prohibits short EFs (which don't yet exist)
873 		 */
874 		if (has_mac <= (int)MAX_MAC_LEN) {
875 			skeyid = ntohl(((u_int32 *)pkt)[authlen / 4]);
876 			break;
877 
878 		} else {
879 			opcode = ntohl(((u_int32 *)pkt)[authlen / 4]);
880 			len = opcode & 0xffff;
881 			if (   len % 4 != 0
882 			    || len < 4
883 			    || (int)len + authlen > rbufp->recv_length) {
884 				DPRINTF(2, ("receive: drop: bad EF length\n"));
885 				sys_badlength++;
886 				return;		/* bad length */
887 			}
888 #ifdef AUTOKEY
889 			/*
890 			 * Extract calling group name for later.  If
891 			 * sys_groupname is non-NULL, there must be
892 			 * a group name provided to elicit a response.
893 			 */
894 			if (   (opcode & 0x3fff0000) == CRYPTO_ASSOC
895 			    && sys_groupname != NULL) {
896 				ep = (struct exten *)&((u_int32 *)pkt)[authlen / 4];
897 				hostlen = ntohl(ep->vallen);
898 				if (   hostlen >= sizeof(hostname)
899 				    || hostlen > len -
900 						offsetof(struct exten, pkt)) {
901 					DPRINTF(2, ("receive: drop: bad autokey hostname length\n"));
902 					sys_badlength++;
903 					return;		/* bad length */
904 				}
905 				memcpy(hostname, &ep->pkt, hostlen);
906 				hostname[hostlen] = '\0';
907 				groupname = strchr(hostname, '@');
908 				if (groupname == NULL) {
909 					DPRINTF(2, ("receive: drop: empty autokey groupname\n"));
910 					sys_declined++;
911 					return;
912 				}
913 				groupname++;
914 			}
915 #endif /* AUTOKEY */
916 			authlen += len;
917 			has_mac -= len;
918 		}
919 	}
920 
921 	/*
922 	 * If has_mac is < 0 we had a malformed packet.
923 	 */
924 	if (has_mac < 0) {
925 		DPRINTF(2, ("receive: drop: post-packet under-read\n"));
926 		sys_badlength++;
927 		return;		/* bad length */
928 	}
929 
930 	/*
931 	** Packet Data Verification Layer
932 	**
933 	** This layer verifies the packet data content.  If
934 	** authentication is required, a MAC must be present.
935 	** If a MAC is present, it must validate.
936 	** Crypto-NAK?  Look - a shiny thing!
937 	**
938 	** If authentication fails, we're done.
939 	*/
940 
941 	/*
942 	 * If authentication is explicitly required, a MAC must be present.
943 	 */
944 	if (restrict_mask & RES_DONTTRUST && has_mac == 0) {
945 		DPRINTF(2, ("receive: drop: RES_DONTTRUST\n"));
946 		sys_restricted++;
947 		return;				/* access denied */
948 	}
949 
950 	/*
951 	 * Update the MRU list and finger the cloggers. It can be a
952 	 * little expensive, so turn it off for production use.
953 	 * RES_LIMITED and RES_KOD will be cleared in the returned
954 	 * restrict_mask unless one or both actions are warranted.
955 	 */
956 	restrict_mask = ntp_monitor(rbufp, restrict_mask);
957 	if (restrict_mask & RES_LIMITED) {
958 		sys_limitrejected++;
959 		if (   !(restrict_mask & RES_KOD)
960 		    || MODE_BROADCAST == hismode
961 		    || MODE_SERVER == hismode) {
962 			if (MODE_SERVER == hismode) {
963 				DPRINTF(1, ("Possibly self-induced rate limiting of MODE_SERVER from %s\n",
964 					stoa(&rbufp->recv_srcadr)));
965 			} else {
966 				DPRINTF(2, ("receive: drop: RES_KOD\n"));
967 			}
968 			return;			/* rate exceeded */
969 		}
970 		if (hismode == MODE_CLIENT) {
971 			fast_xmit(rbufp, MODE_SERVER, skeyid,
972 			    restrict_mask);
973 		} else {
974 			fast_xmit(rbufp, MODE_ACTIVE, skeyid,
975 			    restrict_mask);
976 		}
977 		return;				/* rate exceeded */
978 	}
979 	restrict_mask &= ~RES_KOD;
980 
981 	/*
982 	 * We have tossed out as many buggy packets as possible early in
983 	 * the game to reduce the exposure to a clogging attack. Now we
984 	 * have to burn some cycles to find the association and
985 	 * authenticate the packet if required. Note that we burn only
986 	 * digest cycles, again to reduce exposure. There may be no
987 	 * matching association and that's okay.
988 	 *
989 	 * More on the autokey mambo. Normally the local interface is
990 	 * found when the association was mobilized with respect to a
991 	 * designated remote address. We assume packets arriving from
992 	 * the remote address arrive via this interface and the local
993 	 * address used to construct the autokey is the unicast address
994 	 * of the interface. However, if the sender is a broadcaster,
995 	 * the interface broadcast address is used instead.
996 	 * Notwithstanding this technobabble, if the sender is a
997 	 * multicaster, the broadcast address is null, so we use the
998 	 * unicast address anyway. Don't ask.
999 	 */
1000 
1001 	peer = findpeer(rbufp,  hismode, &retcode);
1002 	dstadr_sin = &rbufp->dstadr->sin;
1003 	NTOHL_FP(&pkt->org, &p_org);
1004 	NTOHL_FP(&pkt->rec, &p_rec);
1005 	NTOHL_FP(&pkt->xmt, &p_xmt);
1006 	hm_str = modetoa(hismode);
1007 #ifdef DEBUG
1008 	am_str = amtoa(retcode);
1009 #endif
1010 
1011 	/*
1012 	 * Authentication is conditioned by three switches:
1013 	 *
1014 	 * NOPEER  (RES_NOPEER) do not mobilize an association unless
1015 	 *         authenticated
1016 	 * NOTRUST (RES_DONTTRUST) do not allow access unless
1017 	 *         authenticated (implies NOPEER)
1018 	 * enable  (sys_authenticate) master NOPEER switch, by default
1019 	 *         on
1020 	 *
1021 	 * The NOPEER and NOTRUST can be specified on a per-client basis
1022 	 * using the restrict command. The enable switch if on implies
1023 	 * NOPEER for all clients. There are four outcomes:
1024 	 *
1025 	 * NONE    The packet has no MAC.
1026 	 * OK      the packet has a MAC and authentication succeeds
1027 	 * ERROR   the packet has a MAC and authentication fails
1028 	 * CRYPTO  crypto-NAK. The MAC has four octets only.
1029 	 *
1030 	 * Note: The AUTH(x, y) macro is used to filter outcomes. If x
1031 	 * is zero, acceptable outcomes of y are NONE and OK. If x is
1032 	 * one, the only acceptable outcome of y is OK.
1033 	 */
1034 	crypto_nak_test = valid_NAK(peer, rbufp, hismode);
1035 
1036 	/*
1037 	 * Drop any invalid crypto-NAKs
1038 	 */
1039 	if (crypto_nak_test == INVALIDNAK) {
1040 		report_event(PEVNT_AUTH, peer, "Invalid_NAK");
1041 		if (0 != peer) {
1042 			peer->badNAK++;
1043 		}
1044 		msyslog(LOG_ERR, "Invalid-NAK error at %ld %s<-%s",
1045 			current_time, stoa(dstadr_sin), stoa(&rbufp->recv_srcadr));
1046 		return;
1047 	}
1048 
1049 	if (has_mac == 0) {
1050 		restrict_mask &= ~RES_MSSNTP;
1051 		is_authentic = AUTH_NONE; /* not required */
1052 		DPRINTF(1, ("receive: at %ld %s<-%s mode %d/%s:%s len %d org 0x%x.%08x xmt 0x%x.%08x NOMAC\n",
1053 			    current_time, stoa(dstadr_sin),
1054 			    stoa(&rbufp->recv_srcadr), hismode, hm_str, am_str,
1055 			    authlen,
1056 			    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
1057 			    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
1058 	} else if (crypto_nak_test == VALIDNAK) {
1059 		restrict_mask &= ~RES_MSSNTP;
1060 		is_authentic = AUTH_CRYPTO; /* crypto-NAK */
1061 		DPRINTF(1, ("receive: at %ld %s<-%s mode %d/%s:%s keyid %08x len %d auth %d org 0x%x.%08x xmt 0x%x.%08x CRYPTONAK\n",
1062 			    current_time, stoa(dstadr_sin),
1063 			    stoa(&rbufp->recv_srcadr), hismode, hm_str, am_str,
1064 			    skeyid, authlen + has_mac, is_authentic,
1065 			    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
1066 			    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
1067 
1068 #ifdef HAVE_NTP_SIGND
1069 		/*
1070 		 * If the signature is 20 bytes long, the last 16 of
1071 		 * which are zero, then this is a Microsoft client
1072 		 * wanting AD-style authentication of the server's
1073 		 * reply.
1074 		 *
1075 		 * This is described in Microsoft's WSPP docs, in MS-SNTP:
1076 		 * http://msdn.microsoft.com/en-us/library/cc212930.aspx
1077 		 */
1078 	} else if (   has_mac == MAX_MD5_LEN
1079 		   && (restrict_mask & RES_MSSNTP)
1080 		   && (retcode == AM_FXMIT || retcode == AM_NEWPASS)
1081 		   && (memcmp(zero_key, (char *)pkt + authlen + 4,
1082 			      MAX_MD5_LEN - 4) == 0)) {
1083 		is_authentic = AUTH_NONE;
1084 		DPRINTF(1, ("receive: at %ld %s<-%s mode %d/%s:%s len %d org %x.%08x xmt %x.%08x SIGND\n",
1085 			    current_time, stoa(dstadr_sin),
1086 			    stoa(&rbufp->recv_srcadr), hismode, hm_str, am_str,
1087 			    authlen,
1088 			    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
1089 			    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
1090 #endif /* HAVE_NTP_SIGND */
1091 
1092 	} else {
1093 		/*
1094 		 * has_mac is not 0
1095 		 * Not a VALID_NAK
1096 		 * Not an MS-SNTP SIGND packet
1097 		 *
1098 		 * So there is a MAC here.
1099 		 */
1100 
1101 		restrict_mask &= ~RES_MSSNTP;
1102 #ifdef AUTOKEY
1103 		/*
1104 		 * For autokey modes, generate the session key
1105 		 * and install in the key cache. Use the socket
1106 		 * broadcast or unicast address as appropriate.
1107 		 */
1108 		if (crypto_flags && skeyid > NTP_MAXKEY) {
1109 
1110 			/*
1111 			 * More on the autokey dance (AKD). A cookie is
1112 			 * constructed from public and private values.
1113 			 * For broadcast packets, the cookie is public
1114 			 * (zero). For packets that match no
1115 			 * association, the cookie is hashed from the
1116 			 * addresses and private value. For server
1117 			 * packets, the cookie was previously obtained
1118 			 * from the server. For symmetric modes, the
1119 			 * cookie was previously constructed using an
1120 			 * agreement protocol; however, should PKI be
1121 			 * unavailable, we construct a fake agreement as
1122 			 * the EXOR of the peer and host cookies.
1123 			 *
1124 			 * hismode	ephemeral	persistent
1125 			 * =======================================
1126 			 * active	0		cookie#
1127 			 * passive	0%		cookie#
1128 			 * client	sys cookie	0%
1129 			 * server	0%		sys cookie
1130 			 * broadcast	0		0
1131 			 *
1132 			 * # if unsync, 0
1133 			 * % can't happen
1134 			 */
1135 			if (has_mac < (int)MAX_MD5_LEN) {
1136 				DPRINTF(2, ("receive: drop: MD5 digest too short\n"));
1137 				sys_badauth++;
1138 				return;
1139 			}
1140 			if (hismode == MODE_BROADCAST) {
1141 
1142 				/*
1143 				 * For broadcaster, use the interface
1144 				 * broadcast address when available;
1145 				 * otherwise, use the unicast address
1146 				 * found when the association was
1147 				 * mobilized. However, if this is from
1148 				 * the wildcard interface, game over.
1149 				 */
1150 				if (   crypto_flags
1151 				    && rbufp->dstadr ==
1152 				       ANY_INTERFACE_CHOOSE(&rbufp->recv_srcadr)) {
1153 					DPRINTF(2, ("receive: drop: BCAST from wildcard\n"));
1154 					sys_restricted++;
1155 					return;		/* no wildcard */
1156 				}
1157 				pkeyid = 0;
1158 				if (!SOCK_UNSPEC(&rbufp->dstadr->bcast))
1159 					dstadr_sin =
1160 					    &rbufp->dstadr->bcast;
1161 			} else if (peer == NULL) {
1162 				pkeyid = session_key(
1163 				    &rbufp->recv_srcadr, dstadr_sin, 0,
1164 				    sys_private, 0);
1165 			} else {
1166 				pkeyid = peer->pcookie;
1167 			}
1168 
1169 			/*
1170 			 * The session key includes both the public
1171 			 * values and cookie. In case of an extension
1172 			 * field, the cookie used for authentication
1173 			 * purposes is zero. Note the hash is saved for
1174 			 * use later in the autokey mambo.
1175 			 */
1176 			if (authlen > (int)LEN_PKT_NOMAC && pkeyid != 0) {
1177 				session_key(&rbufp->recv_srcadr,
1178 				    dstadr_sin, skeyid, 0, 2);
1179 				tkeyid = session_key(
1180 				    &rbufp->recv_srcadr, dstadr_sin,
1181 				    skeyid, pkeyid, 0);
1182 			} else {
1183 				tkeyid = session_key(
1184 				    &rbufp->recv_srcadr, dstadr_sin,
1185 				    skeyid, pkeyid, 2);
1186 			}
1187 
1188 		}
1189 #endif	/* AUTOKEY */
1190 
1191 		/*
1192 		 * Compute the cryptosum. Note a clogging attack may
1193 		 * succeed in bloating the key cache. If an autokey,
1194 		 * purge it immediately, since we won't be needing it
1195 		 * again. If the packet is authentic, it can mobilize an
1196 		 * association. Note that there is no key zero.
1197 		 */
1198 		if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen,
1199 		    has_mac))
1200 			is_authentic = AUTH_ERROR;
1201 		else
1202 			is_authentic = AUTH_OK;
1203 #ifdef AUTOKEY
1204 		if (crypto_flags && skeyid > NTP_MAXKEY)
1205 			authtrust(skeyid, 0);
1206 #endif	/* AUTOKEY */
1207 		DPRINTF(1, ("receive: at %ld %s<-%s mode %d/%s:%s keyid %08x len %d auth %d org 0x%x.%08x xmt 0x%x.%08x MAC\n",
1208 			    current_time, stoa(dstadr_sin),
1209 			    stoa(&rbufp->recv_srcadr), hismode, hm_str, am_str,
1210 			    skeyid, authlen + has_mac, is_authentic,
1211 			    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
1212 			    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
1213 	}
1214 
1215 
1216 	/*
1217 	 * Bug 3454:
1218 	 *
1219 	 * Now come at this from a different perspective:
1220 	 * - If we expect a MAC and it's not there, we drop it.
1221 	 * - If we expect one keyID and get another, we drop it.
1222 	 * - If we have a MAC ahd it hasn't been validated yet, try.
1223 	 * - if the provided MAC doesn't validate, we drop it.
1224 	 *
1225 	 * There might be more to this.
1226 	 */
1227 	if (0 != peer && 0 != peer->keyid) {
1228 		/* Should we msyslog() any of these? */
1229 
1230 		/*
1231 		 * This should catch:
1232 		 * - no keyID where one is expected,
1233 		 * - different keyID than what we expect.
1234 		 */
1235 		if (peer->keyid != skeyid) {
1236 			DPRINTF(2, ("receive: drop: Wanted keyID %d, got %d from %s\n",
1237 				    peer->keyid, skeyid,
1238 				    stoa(&rbufp->recv_srcadr)));
1239 			sys_restricted++;
1240 			return;			/* drop: access denied */
1241 		}
1242 
1243 		/*
1244 		 * if has_mac != 0 ...
1245 		 * - If it has not yet been validated, do so.
1246 		 *   (under what circumstances might that happen?)
1247 		 * - if missing or bad MAC, log and drop.
1248 		 */
1249 		if (0 != has_mac) {
1250 			if (is_authentic == AUTH_UNKNOWN) {
1251 				/* How can this happen? */
1252 				DPRINTF(2, ("receive: 3454 check: AUTH_UNKNOWN from %s\n",
1253 				    stoa(&rbufp->recv_srcadr)));
1254 				if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen,
1255 				    has_mac)) {
1256 					/* MAC invalid or not found */
1257 					is_authentic = AUTH_ERROR;
1258 				} else {
1259 					is_authentic = AUTH_OK;
1260 				}
1261 			}
1262 			if (is_authentic != AUTH_OK) {
1263 				DPRINTF(2, ("receive: drop: missing or bad MAC from %s\n",
1264 					    stoa(&rbufp->recv_srcadr)));
1265 				sys_restricted++;
1266 				return;		/* drop: access denied */
1267 			}
1268 		}
1269 	}
1270 	/**/
1271 
1272 	/*
1273 	** On-Wire Protocol Layer
1274 	**
1275 	** Verify protocol operations consistent with the on-wire protocol.
1276 	** The protocol discards bogus and duplicate packets as well as
1277 	** minimizes disruptions doe to protocol restarts and dropped
1278 	** packets.  The operations are controlled by two timestamps:
1279 	** the transmit timestamp saved in the client state variables,
1280 	** and the origin timestamp in the server packet header.  The
1281 	** comparison of these two timestamps is called the loopback test.
1282 	** The transmit timestamp functions as a nonce to verify that the
1283 	** response corresponds to the original request.  The transmit
1284 	** timestamp also serves to discard replays of the most recent
1285 	** packet.  Upon failure of either test, the packet is discarded
1286 	** with no further action.
1287 	*/
1288 
1289 	/*
1290 	 * The association matching rules are implemented by a set of
1291 	 * routines and an association table. A packet matching an
1292 	 * association is processed by the peer process for that
1293 	 * association. If there are no errors, an ephemeral association
1294 	 * is mobilized: a broadcast packet mobilizes a broadcast client
1295 	 * aassociation; a manycast server packet mobilizes a manycast
1296 	 * client association; a symmetric active packet mobilizes a
1297 	 * symmetric passive association.
1298 	 */
1299 	DPRINTF(1, ("receive: MATCH_ASSOC dispatch: mode %d/%s:%s \n",
1300 		hismode, hm_str, am_str));
1301 	switch (retcode) {
1302 
1303 	/*
1304 	 * This is a client mode packet not matching any association. If
1305 	 * an ordinary client, simply toss a server mode packet back
1306 	 * over the fence. If a manycast client, we have to work a
1307 	 * little harder.
1308 	 *
1309 	 * There are cases here where we do not call record_raw_stats().
1310 	 */
1311 	case AM_FXMIT:
1312 
1313 		/*
1314 		 * If authentication OK, send a server reply; otherwise,
1315 		 * send a crypto-NAK.
1316 		 */
1317 		if (!(rbufp->dstadr->flags & INT_MCASTOPEN)) {
1318 			/* HMS: would be nice to log FAST_XMIT|BADAUTH|RESTRICTED */
1319 			record_raw_stats(&rbufp->recv_srcadr,
1320 			    &rbufp->dstadr->sin,
1321 			    &p_org, &p_rec, &p_xmt, &rbufp->recv_time,
1322 			    PKT_LEAP(pkt->li_vn_mode),
1323 			    PKT_VERSION(pkt->li_vn_mode),
1324 			    PKT_MODE(pkt->li_vn_mode),
1325 			    PKT_TO_STRATUM(pkt->stratum),
1326 			    pkt->ppoll,
1327 			    pkt->precision,
1328 			    FPTOD(NTOHS_FP(pkt->rootdelay)),
1329 			    FPTOD(NTOHS_FP(pkt->rootdisp)),
1330 			    pkt->refid,
1331 			    rbufp->recv_length - MIN_V4_PKT_LEN, (u_char *)&pkt->exten);
1332 
1333 			if (AUTH(restrict_mask & RES_DONTTRUST,
1334 			   is_authentic)) {
1335 				/* Bug 3596: Do we want to fuzz the reftime? */
1336 				fast_xmit(rbufp, MODE_SERVER, skeyid,
1337 				    restrict_mask);
1338 			} else if (is_authentic == AUTH_ERROR) {
1339 				/* Bug 3596: Do we want to fuzz the reftime? */
1340 				fast_xmit(rbufp, MODE_SERVER, 0,
1341 				    restrict_mask);
1342 				sys_badauth++;
1343 			} else {
1344 				DPRINTF(2, ("receive: AM_FXMIT drop: !mcast restricted\n"));
1345 				sys_restricted++;
1346 			}
1347 
1348 			return;			/* hooray */
1349 		}
1350 
1351 		/*
1352 		 * This must be manycast. Do not respond if not
1353 		 * configured as a manycast server.
1354 		 */
1355 		if (!sys_manycastserver) {
1356 			DPRINTF(2, ("receive: AM_FXMIT drop: Not manycastserver\n"));
1357 			sys_restricted++;
1358 			return;			/* not enabled */
1359 		}
1360 
1361 #ifdef AUTOKEY
1362 		/*
1363 		 * Do not respond if not the same group.
1364 		 */
1365 		if (group_test(groupname, NULL)) {
1366 			DPRINTF(2, ("receive: AM_FXMIT drop: empty groupname\n"));
1367 			sys_declined++;
1368 			return;
1369 		}
1370 #endif /* AUTOKEY */
1371 
1372 		/*
1373 		 * Do not respond if we are not synchronized or our
1374 		 * stratum is greater than the manycaster or the
1375 		 * manycaster has already synchronized to us.
1376 		 */
1377 		if (   sys_leap == LEAP_NOTINSYNC
1378 		    || sys_stratum >= hisstratum
1379 		    || (!sys_cohort && sys_stratum == hisstratum + 1)
1380 		    || rbufp->dstadr->addr_refid == pkt->refid
1381 #	    ifdef WORDS_BIGENDIAN	/* see local_refid() comment */
1382 		    || (   IS_IPV6(&rbufp->dstadr->sin)
1383 			&&rbufp->dstadr->old_refid ==  pkt->refid)
1384 #	    endif
1385 								  ) {
1386 			DPRINTF(2, ("receive: sys leap: %0x, sys_stratum %d > hisstratum+1 %d, !sys_cohort %d && sys_stratum == hisstratum+1, loop refid %#x == pkt refid %#x\n", sys_leap, sys_stratum, hisstratum + 1, !sys_cohort, rbufp->dstadr->addr_refid, pkt->refid));
1387 			DPRINTF(2, ("receive: AM_FXMIT drop: LEAP_NOTINSYNC || stratum || loop\n"));
1388 			sys_declined++;
1389 			return;			/* no help */
1390 		}
1391 
1392 		/*
1393 		 * Do not respond if the packet came into an IPv6 link-local
1394 		 * address on an interface where we also have a usable
1395 		 * global address, to avoid duplicate associations.
1396 		 */
1397 		if (INT_LL_OF_GLOB & rbufp->dstadr->flags) {
1398 			DPRINTF(2, ("receive: declining manycast solicitation on link-local IPv6\n"));
1399 			sys_declined++;
1400 			return;
1401 		}
1402 
1403 		/*
1404 		 * Respond only if authentication succeeds. Don't do a
1405 		 * crypto-NAK, as that would not be useful.
1406 		 */
1407 		if (AUTH(restrict_mask & RES_DONTTRUST, is_authentic)) {
1408 			record_raw_stats(&rbufp->recv_srcadr,
1409 			    &rbufp->dstadr->sin,
1410 			    &p_org, &p_rec, &p_xmt, &rbufp->recv_time,
1411 			    PKT_LEAP(pkt->li_vn_mode),
1412 			    PKT_VERSION(pkt->li_vn_mode),
1413 			    PKT_MODE(pkt->li_vn_mode),
1414 			    PKT_TO_STRATUM(pkt->stratum),
1415 			    pkt->ppoll,
1416 			    pkt->precision,
1417 			    FPTOD(NTOHS_FP(pkt->rootdelay)),
1418 			    FPTOD(NTOHS_FP(pkt->rootdisp)),
1419 			    pkt->refid,
1420 			    rbufp->recv_length - MIN_V4_PKT_LEN, (u_char *)&pkt->exten);
1421 
1422 			/* Bug 3596: Do we want to fuzz the reftime? */
1423 			fast_xmit(rbufp, MODE_SERVER, skeyid,
1424 			    restrict_mask);
1425 		}
1426 		return;				/* hooray */
1427 
1428 	/*
1429 	 * This is a server mode packet returned in response to a client
1430 	 * mode packet sent to a multicast group address (for
1431 	 * manycastclient) or to a unicast address (for pool). The
1432 	 * origin timestamp is a good nonce to reliably associate the
1433 	 * reply with what was sent. If there is no match, that's
1434 	 * curious and could be an intruder attempting to clog, so we
1435 	 * just ignore it.
1436 	 *
1437 	 * If the packet is authentic and the manycastclient or pool
1438 	 * association is found, we mobilize a client association and
1439 	 * copy pertinent variables from the manycastclient or pool
1440 	 * association to the new client association. If not, just
1441 	 * ignore the packet.
1442 	 *
1443 	 * There is an implosion hazard at the manycast client, since
1444 	 * the manycast servers send the server packet immediately. If
1445 	 * the guy is already here, don't fire up a duplicate.
1446 	 *
1447 	 * There are cases here where we do not call record_raw_stats().
1448 	 */
1449 	case AM_MANYCAST:
1450 
1451 #ifdef AUTOKEY
1452 		/*
1453 		 * Do not respond if not the same group.
1454 		 */
1455 		if (group_test(groupname, NULL)) {
1456 			DPRINTF(2, ("receive: AM_MANYCAST drop: empty groupname\n"));
1457 			sys_declined++;
1458 			return;
1459 		}
1460 #endif /* AUTOKEY */
1461 		/* Do not spin up duplicate manycast associations */
1462 		if (INT_LL_OF_GLOB & rbufp->dstadr->flags) {
1463 			DPRINTF(2, ("receive: AM_MANYCAST drop: link-local server\n"));
1464 			sys_declined++;
1465 			return;
1466 		}
1467 		if ((peer2 = findmanycastpeer(rbufp)) == NULL) {
1468 			DPRINTF(2, ("receive: AM_MANYCAST drop: No manycast peer\n"));
1469 			sys_restricted++;
1470 			return;			/* not enabled */
1471 		}
1472 		if (!AUTH(  (!(peer2->cast_flags & MDF_POOL)
1473 			     && sys_authenticate)
1474 			  || (restrict_mask & (RES_NOPEER |
1475 			      RES_DONTTRUST)), is_authentic)
1476 		    /* MC: RES_NOEPEER? */
1477 		   ) {
1478 			DPRINTF(2, ("receive: AM_MANYCAST drop: bad auth || (NOPEER|DONTTRUST)\n"));
1479 			sys_restricted++;
1480 			return;			/* access denied */
1481 		}
1482 
1483 		/*
1484 		 * Do not respond if unsynchronized or stratum is below
1485 		 * the floor or at or above the ceiling.
1486 		 */
1487 		if (   hisleap == LEAP_NOTINSYNC
1488 		    || hisstratum < sys_floor
1489 		    || hisstratum >= sys_ceiling) {
1490 			DPRINTF(2, ("receive: AM_MANYCAST drop: unsync/stratum\n"));
1491 			sys_declined++;
1492 			return;			/* no help */
1493 		}
1494 		cast_flags = MDF_UCAST;
1495 		if (MDF_POOL & peer2->cast_flags) {
1496 			cast_flags |= MDF_PCLNT;
1497 		}
1498 		peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr,
1499 			       r4a.ippeerlimit, MODE_CLIENT, hisversion,
1500 			       peer2->minpoll, peer2->maxpoll,
1501 			       (FLAG_PREEMPT | (POOL_FLAG_PMASK & peer2->flags)),
1502 			       cast_flags, 0, skeyid, sys_ident);
1503 		if (NULL == peer) {
1504 			DPRINTF(2, ("receive: AM_MANYCAST drop: duplicate\n"));
1505 			sys_declined++;
1506 			return;			/* ignore duplicate */
1507 		}
1508 
1509 		/*
1510 		 * After each ephemeral pool association is spun,
1511 		 * accelerate the next poll for the pool solicitor so
1512 		 * the pool will fill promptly.
1513 		 */
1514 		if (peer2->cast_flags & MDF_POOL)
1515 			peer2->nextdate = current_time + 1;
1516 
1517 		/*
1518 		 * Further processing of the solicitation response would
1519 		 * simply detect its origin timestamp as bogus for the
1520 		 * brand-new association (it matches the prototype
1521 		 * association) and tinker with peer->nextdate delaying
1522 		 * first sync.
1523 		 */
1524 		return;		/* solicitation response handled */
1525 
1526 	/*
1527 	 * This is the first packet received from a broadcast server. If
1528 	 * the packet is authentic and we are enabled as broadcast
1529 	 * client, mobilize a broadcast client association. We don't
1530 	 * kiss any frogs here.
1531 	 *
1532 	 * There are cases here where we do not call record_raw_stats().
1533 	 */
1534 	case AM_NEWBCL:
1535 
1536 #ifdef AUTOKEY
1537 		/*
1538 		 * Do not respond if not the same group.
1539 		 */
1540 		if (group_test(groupname, sys_ident)) {
1541 			DPRINTF(2, ("receive: AM_NEWBCL drop: groupname mismatch\n"));
1542 			sys_declined++;
1543 			return;
1544 		}
1545 #endif /* AUTOKEY */
1546 		if (!sys_bclient && !sys_mclient) {
1547 			DPRINTF(2, ("receive: AM_NEWBCL drop: not a bclient/mclient\n"));
1548 			sys_restricted++;
1549 			return;			/* not enabled */
1550 		}
1551 		if (!AUTH(sys_authenticate | (restrict_mask &
1552 			  (RES_NOPEER | RES_DONTTRUST)), is_authentic)
1553 		    /* NEWBCL: RES_NOEPEER? */
1554 		   ) {
1555 			DPRINTF(2, ("receive: AM_NEWBCL drop: AUTH failed\n"));
1556 			sys_restricted++;
1557 			return;			/* access denied */
1558 		}
1559 
1560 		/*
1561 		 * Do not respond if unsynchronized or stratum is below
1562 		 * the floor or at or above the ceiling.
1563 		 */
1564 		if (   hisleap == LEAP_NOTINSYNC
1565 		    || hisstratum < sys_floor
1566 		    || hisstratum >= sys_ceiling) {
1567 			DPRINTF(2, ("receive: AM_NEWBCL drop: Unsync or bad stratum\n"));
1568 			sys_declined++;
1569 			return;			/* no help */
1570 		}
1571 
1572 #ifdef AUTOKEY
1573 		/*
1574 		 * Do not respond if Autokey and the opcode is not a
1575 		 * CRYPTO_ASSOC response with association ID.
1576 		 */
1577 		if (   crypto_flags && skeyid > NTP_MAXKEY
1578 		    && (opcode & 0xffff0000) != (CRYPTO_ASSOC | CRYPTO_RESP)) {
1579 			DPRINTF(2, ("receive: AM_NEWBCL drop: Autokey but not CRYPTO_ASSOC\n"));
1580 			sys_declined++;
1581 			return;			/* protocol error */
1582 		}
1583 #endif	/* AUTOKEY */
1584 
1585 		/*
1586 		 * Broadcasts received via a multicast address may
1587 		 * arrive after a unicast volley has begun
1588 		 * with the same remote address.  newpeer() will not
1589 		 * find duplicate associations on other local endpoints
1590 		 * if a non-NULL endpoint is supplied.  multicastclient
1591 		 * ephemeral associations are unique across all local
1592 		 * endpoints.
1593 		 */
1594 		if (!(INT_MCASTOPEN & rbufp->dstadr->flags))
1595 			match_ep = rbufp->dstadr;
1596 		else
1597 			match_ep = NULL;
1598 
1599 		/*
1600 		 * Determine whether to execute the initial volley.
1601 		 */
1602 		if (sys_bdelay > 0.0) {
1603 #ifdef AUTOKEY
1604 			/*
1605 			 * If a two-way exchange is not possible,
1606 			 * neither is Autokey.
1607 			 */
1608 			if (crypto_flags && skeyid > NTP_MAXKEY) {
1609 				sys_restricted++;
1610 				DPRINTF(2, ("receive: AM_NEWBCL drop: Autokey but not 2-way\n"));
1611 				return;		/* no autokey */
1612 			}
1613 #endif	/* AUTOKEY */
1614 
1615 			/*
1616 			 * Do not execute the volley. Start out in
1617 			 * broadcast client mode.
1618 			 */
1619 			peer = newpeer(&rbufp->recv_srcadr, NULL, match_ep,
1620 			    r4a.ippeerlimit, MODE_BCLIENT, hisversion,
1621 			    pkt->ppoll, pkt->ppoll,
1622 			    FLAG_PREEMPT, MDF_BCLNT, 0, skeyid, sys_ident);
1623 			if (NULL == peer) {
1624 				DPRINTF(2, ("receive: AM_NEWBCL drop: duplicate\n"));
1625 				sys_restricted++;
1626 				return;		/* ignore duplicate */
1627 
1628 			} else {
1629 				peer->delay = sys_bdelay;
1630 				peer->bxmt = p_xmt;
1631 			}
1632 			break;
1633 		}
1634 
1635 		/*
1636 		 * Execute the initial volley in order to calibrate the
1637 		 * propagation delay and run the Autokey protocol.
1638 		 *
1639 		 * Note that the minpoll is taken from the broadcast
1640 		 * packet, normally 6 (64 s) and that the poll interval
1641 		 * is fixed at this value.
1642 		 */
1643 		peer = newpeer(&rbufp->recv_srcadr, NULL, match_ep,
1644 			       r4a.ippeerlimit, MODE_CLIENT, hisversion,
1645 			       pkt->ppoll, pkt->ppoll,
1646 			       FLAG_BC_VOL | FLAG_IBURST | FLAG_PREEMPT, MDF_BCLNT,
1647 			       0, skeyid, sys_ident);
1648 		if (NULL == peer) {
1649 			DPRINTF(2, ("receive: AM_NEWBCL drop: empty newpeer() failed\n"));
1650 			sys_restricted++;
1651 			return;			/* ignore duplicate */
1652 		}
1653 		peer->bxmt = p_xmt;
1654 #ifdef AUTOKEY
1655 		if (skeyid > NTP_MAXKEY)
1656 			crypto_recv(peer, rbufp);
1657 #endif	/* AUTOKEY */
1658 
1659 		return;				/* hooray */
1660 
1661 	/*
1662 	 * This is the first packet received from a potential ephemeral
1663 	 * symmetric active peer.  First, deal with broken Windows clients.
1664 	 * Then, if NOEPEER is enabled, drop it.  If the packet meets our
1665 	 * authenticty requirements and is the first he sent, mobilize
1666 	 * a passive association.
1667 	 * Otherwise, kiss the frog.
1668 	 *
1669 	 * There are cases here where we do not call record_raw_stats().
1670 	 */
1671 	case AM_NEWPASS:
1672 
1673 		DEBUG_REQUIRE(MODE_ACTIVE == hismode);
1674 
1675 #ifdef AUTOKEY
1676 		/*
1677 		 * Do not respond if not the same group.
1678 		 */
1679 		if (group_test(groupname, sys_ident)) {
1680 			DPRINTF(2, ("receive: AM_NEWPASS drop: Autokey group mismatch\n"));
1681 			sys_declined++;
1682 			return;
1683 		}
1684 #endif /* AUTOKEY */
1685 		if (!AUTH(sys_authenticate | (restrict_mask &
1686 			  (RES_NOPEER | RES_DONTTRUST)), is_authentic)
1687 		   ) {
1688 			/*
1689 			 * If authenticated but cannot mobilize an
1690 			 * association, send a symmetric passive
1691 			 * response without mobilizing an association.
1692 			 * This is for drat broken Windows clients. See
1693 			 * Microsoft KB 875424 for preferred workaround.
1694 			 */
1695 			if (AUTH(restrict_mask & RES_DONTTRUST,
1696 				 is_authentic)) {
1697 				fast_xmit(rbufp, MODE_PASSIVE, skeyid,
1698 				    restrict_mask);
1699 				return;			/* hooray */
1700 			}
1701 			/* HMS: Why is this next set of lines a feature? */
1702 			if (is_authentic == AUTH_ERROR) {
1703 				fast_xmit(rbufp, MODE_PASSIVE, 0,
1704 				    restrict_mask);
1705 				sys_restricted++;
1706 				return;
1707 			}
1708 
1709 			if (restrict_mask & RES_NOEPEER) {
1710 				DPRINTF(2, ("receive: AM_NEWPASS drop: NOEPEER\n"));
1711 				sys_declined++;
1712 				return;
1713 			}
1714 
1715 			/* [Bug 2941]
1716 			 * If we got here, the packet isn't part of an
1717 			 * existing association, either isn't correctly
1718 			 * authenticated or it is but we are refusing
1719 			 * ephemeral peer requests, and it didn't meet
1720 			 * either of the previous two special cases so we
1721 			 * should just drop it on the floor.  For example,
1722 			 * crypto-NAKs (is_authentic == AUTH_CRYPTO)
1723 			 * will make it this far.  This is just
1724 			 * debug-printed and not logged to avoid log
1725 			 * flooding.
1726 			 */
1727 			DPRINTF(2, ("receive: at %ld refusing to mobilize passive association"
1728 				    " with unknown peer %s mode %d/%s:%s keyid %08x len %d auth %d\n",
1729 				    current_time, stoa(&rbufp->recv_srcadr),
1730 				    hismode, hm_str, am_str, skeyid,
1731 				    (authlen + has_mac), is_authentic));
1732 			sys_declined++;
1733 			return;
1734 		}
1735 
1736 		if (restrict_mask & RES_NOEPEER) {
1737 			DPRINTF(2, ("receive: AM_NEWPASS drop: NOEPEER\n"));
1738 			sys_declined++;
1739 			return;
1740 		}
1741 
1742 		/*
1743 		 * Do not respond if synchronized and if stratum is
1744 		 * below the floor or at or above the ceiling. Note,
1745 		 * this allows an unsynchronized peer to synchronize to
1746 		 * us. It would be very strange if he did and then was
1747 		 * nipped, but that could only happen if we were
1748 		 * operating at the top end of the range.  It also means
1749 		 * we will spin an ephemeral association in response to
1750 		 * MODE_ACTIVE KoDs, which will time out eventually.
1751 		 */
1752 		if (   hisleap != LEAP_NOTINSYNC
1753 		       && (hisstratum < sys_floor || hisstratum >= sys_ceiling)) {
1754 			DPRINTF(2, ("receive: AM_NEWPASS drop: Remote stratum (%d) out of range\n",
1755 					hisstratum));
1756 			sys_declined++;
1757 			return;			/* no help */
1758 		}
1759 
1760 		/*
1761 		 * The message is correctly authenticated and allowed.
1762 		 * Mobilize a symmetric passive association, if we won't
1763 		 * exceed the ippeerlimit.
1764 		 */
1765 		if ((peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr,
1766 				    r4a.ippeerlimit, MODE_PASSIVE, hisversion,
1767 				    pkt->ppoll, NTP_MAXDPOLL, 0, MDF_UCAST, 0,
1768 				    skeyid, sys_ident)) == NULL) {
1769 			DPRINTF(2, ("receive: AM_NEWPASS drop: newpeer() failed\n"));
1770 			sys_declined++;
1771 			return;			/* ignore duplicate */
1772 		}
1773 		break;
1774 
1775 
1776 	/*
1777 	 * Process regular packet. Nothing special.
1778 	 *
1779 	 * There are cases here where we do not call record_raw_stats().
1780 	 */
1781 	case AM_PROCPKT:
1782 
1783 #ifdef AUTOKEY
1784 		/*
1785 		 * Do not respond if not the same group.
1786 		 */
1787 		if (group_test(groupname, peer->ident)) {
1788 			DPRINTF(2, ("receive: AM_PROCPKT drop: Autokey group mismatch\n"));
1789 			sys_declined++;
1790 			return;
1791 		}
1792 #endif /* AUTOKEY */
1793 
1794 		if (MODE_BROADCAST == hismode) {
1795 			int	bail = 0;
1796 			l_fp	tdiff;
1797 			u_long	deadband;
1798 
1799 			DPRINTF(2, ("receive: PROCPKT/BROADCAST: prev pkt %ld seconds ago, ppoll: %d, %d secs\n",
1800 				    (current_time - peer->timelastrec),
1801 				    peer->ppoll, (1 << peer->ppoll)
1802 				    ));
1803 			/* Things we can check:
1804 			 *
1805 			 * Did the poll interval change?
1806 			 * Is the poll interval in the packet in-range?
1807 			 * Did this packet arrive too soon?
1808 			 * Is the timestamp in this packet monotonic
1809 			 *  with respect to the previous packet?
1810 			 */
1811 
1812 			/* This is noteworthy, not error-worthy */
1813 			if (pkt->ppoll != peer->ppoll) {
1814 				msyslog(LOG_INFO, "receive: broadcast poll from %s changed from %u to %u",
1815 					stoa(&rbufp->recv_srcadr),
1816 					peer->ppoll, pkt->ppoll);
1817 			}
1818 
1819 			/* This is error-worthy */
1820 			if (   pkt->ppoll < peer->minpoll
1821 			    || pkt->ppoll > peer->maxpoll) {
1822 				msyslog(LOG_INFO, "receive: broadcast poll of %u from %s is out-of-range (%d to %d)!",
1823 					pkt->ppoll, stoa(&rbufp->recv_srcadr),
1824 					peer->minpoll, peer->maxpoll);
1825 				++bail;
1826 			}
1827 
1828 			/* too early? worth an error, too!
1829 			 *
1830 			 * [Bug 3113] Ensure that at least one poll
1831 			 * interval has elapsed since the last **clean**
1832 			 * packet was received.  We limit the check to
1833 			 * **clean** packets to prevent replayed packets
1834 			 * and incorrectly authenticated packets, which
1835 			 * we'll discard, from being used to create a
1836 			 * denial of service condition.
1837 			 */
1838 			deadband = (1u << pkt->ppoll);
1839 			if (FLAG_BC_VOL & peer->flags)
1840 				deadband -= 3;	/* allow greater fuzz after volley */
1841 			if ((current_time - peer->timereceived) < deadband) {
1842 				msyslog(LOG_INFO, "receive: broadcast packet from %s arrived after %lu, not %lu seconds!",
1843 					stoa(&rbufp->recv_srcadr),
1844 					(current_time - peer->timereceived),
1845 					deadband);
1846 				++bail;
1847 			}
1848 
1849 			/* Alert if time from the server is non-monotonic.
1850 			 *
1851 			 * [Bug 3114] is about Broadcast mode replay DoS.
1852 			 *
1853 			 * Broadcast mode *assumes* a trusted network.
1854 			 * Even so, it's nice to be robust in the face
1855 			 * of attacks.
1856 			 *
1857 			 * If we get an authenticated broadcast packet
1858 			 * with an "earlier" timestamp, it means one of
1859 			 * two things:
1860 			 *
1861 			 * - the broadcast server had a backward step.
1862 			 *
1863 			 * - somebody is trying a replay attack.
1864 			 *
1865 			 * deadband: By default, we assume the broadcast
1866 			 * network is trustable, so we take our accepted
1867 			 * broadcast packets as we receive them.  But
1868 			 * some folks might want to take additional poll
1869 			 * delays before believing a backward step.
1870 			 */
1871 			if (sys_bcpollbstep) {
1872 				/* pkt->ppoll or peer->ppoll ? */
1873 				deadband = (1u << pkt->ppoll)
1874 					   * sys_bcpollbstep + 2;
1875 			} else {
1876 				deadband = 0;
1877 			}
1878 
1879 			if (L_ISZERO(&peer->bxmt)) {
1880 				tdiff.l_ui = tdiff.l_uf = 0;
1881 			} else {
1882 				tdiff = p_xmt;
1883 				L_SUB(&tdiff, &peer->bxmt);
1884 			}
1885 			if (   tdiff.l_i < 0
1886 			    && (current_time - peer->timereceived) < deadband)
1887 			{
1888 				msyslog(LOG_INFO, "receive: broadcast packet from %s contains non-monotonic timestamp: 0x%x.%08x -> 0x%x.%08x",
1889 					stoa(&rbufp->recv_srcadr),
1890 					peer->bxmt.l_ui, peer->bxmt.l_uf,
1891 					p_xmt.l_ui, p_xmt.l_uf
1892 					);
1893 				++bail;
1894 			}
1895 
1896 			if (bail) {
1897 				DPRINTF(2, ("receive: AM_PROCPKT drop: bail\n"));
1898 				peer->timelastrec = current_time;
1899 				sys_declined++;
1900 				return;
1901 			}
1902 		}
1903 
1904 		break;
1905 
1906 	/*
1907 	 * A passive packet matches a passive association. This is
1908 	 * usually the result of reconfiguring a client on the fly. As
1909 	 * this association might be legitimate and this packet an
1910 	 * attempt to deny service, just ignore it.
1911 	 */
1912 	case AM_ERR:
1913 		DPRINTF(2, ("receive: AM_ERR drop.\n"));
1914 		sys_declined++;
1915 		return;
1916 
1917 	/*
1918 	 * For everything else there is the bit bucket.
1919 	 */
1920 	default:
1921 		DPRINTF(2, ("receive: default drop.\n"));
1922 		sys_declined++;
1923 		return;
1924 	}
1925 
1926 #ifdef AUTOKEY
1927 	/*
1928 	 * If the association is configured for Autokey, the packet must
1929 	 * have a public key ID; if not, the packet must have a
1930 	 * symmetric key ID.
1931 	 */
1932 	if (   is_authentic != AUTH_CRYPTO
1933 	    && (   ((peer->flags & FLAG_SKEY) && skeyid <= NTP_MAXKEY)
1934 	        || (!(peer->flags & FLAG_SKEY) && skeyid > NTP_MAXKEY))) {
1935 		DPRINTF(2, ("receive: drop: Autokey but wrong/bad auth\n"));
1936 		sys_badauth++;
1937 		return;
1938 	}
1939 #endif	/* AUTOKEY */
1940 
1941 	peer->received++;
1942 	peer->flash &= ~PKT_TEST_MASK;
1943 	if (peer->flags & FLAG_XBOGUS) {
1944 		peer->flags &= ~FLAG_XBOGUS;
1945 		peer->flash |= TEST3;
1946 	}
1947 
1948 	/*
1949 	 * Next comes a rigorous schedule of timestamp checking. If the
1950 	 * transmit timestamp is zero, the server has not initialized in
1951 	 * interleaved modes or is horribly broken.
1952 	 *
1953 	 * A KoD packet we pay attention to cannot have a 0 transmit
1954 	 * timestamp.
1955 	 */
1956 
1957 	kissCode = kiss_code_check(hisleap, hisstratum, hismode, pkt->refid);
1958 
1959 	if (L_ISZERO(&p_xmt)) {
1960 		peer->flash |= TEST3;			/* unsynch */
1961 		if (kissCode != NOKISS) {		/* KoD packet */
1962 			peer->bogusorg++;		/* for TEST2 or TEST3 */
1963 			msyslog(LOG_INFO,
1964 				"receive: Unexpected zero transmit timestamp in KoD from %s",
1965 				ntoa(&peer->srcadr));
1966 			return;
1967 		}
1968 
1969 	/*
1970 	 * If the transmit timestamp duplicates our previous one, the
1971 	 * packet is a replay. This prevents the bad guys from replaying
1972 	 * the most recent packet, authenticated or not.
1973 	 */
1974 	} else if (   ((FLAG_LOOPNONCE & peer->flags) && L_ISEQU(&peer->nonce, &p_xmt))
1975 		   || (!(FLAG_LOOPNONCE & peer->flags) && L_ISEQU(&peer->xmt, &p_xmt))
1976 	) {
1977 		DPRINTF(2, ("receive: drop: Duplicate xmit\n"));
1978 		peer->flash |= TEST1;			/* duplicate */
1979 		peer->oldpkt++;
1980 		return;
1981 
1982 	/*
1983 	 * If this is a broadcast mode packet, make sure hisstratum
1984 	 * is appropriate.  Don't do anything else here - we wait to
1985 	 * see if this is an interleave broadcast packet until after
1986 	 * we've validated the MAC that SHOULD be provided.
1987 	 *
1988 	 * hisstratum cannot be 0 - see assertion above.
1989 	 * If hisstratum is 15, then we'll advertise as UNSPEC but
1990 	 * at least we'll be able to sync with the broadcast server.
1991 	 */
1992 	} else if (hismode == MODE_BROADCAST) {
1993 		/* 0 is unexpected too, and impossible */
1994 		if (STRATUM_UNSPEC <= hisstratum) {
1995 			/* Is this a ++sys_declined or ??? */
1996 			msyslog(LOG_INFO,
1997 				"receive: Unexpected stratum (%d) in broadcast from %s",
1998 				hisstratum, ntoa(&peer->srcadr));
1999 			return;
2000 		}
2001 
2002 	/*
2003 	 * Basic KoD validation checking:
2004 	 *
2005 	 * KoD packets are a mixed-blessing.  Forged KoD packets
2006 	 * are DoS attacks.  There are rare situations where we might
2007 	 * get a valid KoD response, though.  Since KoD packets are
2008 	 * a special case that complicate the checks we do next, we
2009 	 * handle the basic KoD checks here.
2010 	 *
2011 	 * Note that we expect the incoming KoD packet to have its
2012 	 * (nonzero) org, rec, and xmt timestamps set to the xmt timestamp
2013 	 * that we have previously sent out.  Watch interleave mode.
2014 	 */
2015 	} else if (kissCode != NOKISS) {
2016 		DEBUG_INSIST(!L_ISZERO(&p_xmt));
2017 		if (   L_ISZERO(&p_org)		/* We checked p_xmt above */
2018 		    || L_ISZERO(&p_rec)) {
2019 			peer->bogusorg++;
2020 			msyslog(LOG_INFO,
2021 				"receive: KoD packet from %s has a zero org or rec timestamp.  Ignoring.",
2022 				ntoa(&peer->srcadr));
2023 			return;
2024 		}
2025 
2026 		if (   !L_ISEQU(&p_xmt, &p_org)
2027 		    || !L_ISEQU(&p_xmt, &p_rec)) {
2028 			peer->bogusorg++;
2029 			msyslog(LOG_INFO,
2030 				"receive: KoD packet from %s has inconsistent xmt/org/rec timestamps.  Ignoring.",
2031 				ntoa(&peer->srcadr));
2032 			return;
2033 		}
2034 
2035 		/* Be conservative */
2036 		if (peer->flip == 0 && !L_ISEQU(&p_org, &peer->aorg)) {
2037 			peer->bogusorg++;
2038 			msyslog(LOG_INFO,
2039 				"receive: flip 0 KoD origin timestamp 0x%x.%08x from %s does not match 0x%x.%08x - ignoring.",
2040 				p_org.l_ui, p_org.l_uf,
2041 				ntoa(&peer->srcadr),
2042 				peer->aorg.l_ui, peer->aorg.l_uf);
2043 			return;
2044 		} else if (peer->flip == 1 && !L_ISEQU(&p_org, &peer->borg)) {
2045 			peer->bogusorg++;
2046 			msyslog(LOG_INFO,
2047 				"receive: flip 1 KoD origin timestamp 0x%x.%08x from %s does not match interleave 0x%x.%08x - ignoring.",
2048 				p_org.l_ui, p_org.l_uf,
2049 				ntoa(&peer->srcadr),
2050 				peer->borg.l_ui, peer->borg.l_uf);
2051 			return;
2052 		}
2053 
2054 		/*
2055 		 * Basic mode checks:
2056 		 *
2057 		 * If there is no origin timestamp, it's either an initial
2058 		 * packet or we've already received a response to our query.
2059 		 * Of course, should 'aorg' be all-zero because this really
2060 		 * was the original transmit timestamp, we'll ignore this
2061 		 * reply.  There is a window of one nanosecond once every
2062 		 * 136 years' time where this is possible.  We currently
2063 		 * ignore this situation, as a completely zero timestamp
2064 		 * is (quietly?) disallowed.
2065 		 *
2066 		 * Otherwise, check for bogus packet in basic mode.
2067 		 * If it is bogus, switch to interleaved mode and
2068 		 * resynchronize, but only after confirming the packet is
2069 		 * not bogus in symmetric interleaved mode.
2070 		 *
2071 		 * This could also mean somebody is forging packets claiming
2072 		 * to be from us, attempting to cause our server to KoD us.
2073 		 *
2074 		 * We have earlier asserted that hisstratum cannot be 0.
2075 		 * If hisstratum is STRATUM_UNSPEC, it means he's not sync'd.
2076 		 */
2077 
2078 		/* XXX: FLAG_LOOPNONCE */
2079 		DEBUG_INSIST(0 == (FLAG_LOOPNONCE & peer->flags));
2080 
2081 		if (RATEKISS == kissCode) {
2082 			msyslog(LOG_INFO, "RATE KoD from %s poll %u",
2083 				ntoa(&peer->srcadr), 1u << pkt->ppoll);
2084 		} else {
2085 			msyslog(LOG_INFO, "KoD %s from %s",
2086 				refid_str(pkt->refid, -1),
2087 				ntoa(&peer->srcadr));
2088 		}
2089 	} else if (peer->flip == 0) {
2090 		if (0) {
2091 		} else if (L_ISZERO(&p_org)) {
2092 			const char *action;
2093 
2094 #ifdef BUG3361
2095 			msyslog(LOG_INFO,
2096 				"receive: BUG 3361: Clearing peer->aorg ");
2097 			L_CLR(&peer->aorg);
2098 			/* Clear peer->nonce, too? */
2099 #endif
2100 			/**/
2101 			switch (hismode) {
2102 				/* We allow 0org for: */
2103 			    case UCHAR_MAX:
2104 				action = "Allow";
2105 				break;
2106 				/* We disallow 0org for: */
2107 			    case MODE_UNSPEC:
2108 			    case MODE_ACTIVE:
2109 			    case MODE_PASSIVE:
2110 			    case MODE_CLIENT:
2111 			    case MODE_SERVER:
2112 			    case MODE_BROADCAST:
2113 				action = "Drop";
2114 				peer->bogusorg++;
2115 				peer->flash |= TEST2;	/* bogus */
2116 				break;
2117 			    default:
2118 				action = "";	/* for cranky compilers / MSVC */
2119 				INSIST(!"receive(): impossible hismode");
2120 				break;
2121 			}
2122 			/**/
2123 			msyslog(LOG_INFO,
2124 				"receive: %s 0 origin timestamp from %s@%s xmt 0x%x.%08x",
2125 				action, hm_str, ntoa(&peer->srcadr),
2126 				ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf));
2127 		} else if (   L_ISZERO(&peer->aorg) && MODE_CLIENT != hismode
2128 			   && !memcmp("STEP", &peer->refid, 4)) {
2129 			/* response came in just after we stepped clock, normal */
2130 		} else if (!L_ISEQU(&p_org, &peer->aorg)) {
2131 			/* are there cases here where we should bail? */
2132 			/* Should we set TEST2 if we decide to try xleave? */
2133 			peer->bogusorg++;
2134 			peer->flash |= TEST2;	/* bogus */
2135 			msyslog(LOG_INFO,
2136 				"duplicate or replay: org 0x%x.%08x does not match 0x%x.%08x from %s@%s",
2137 				ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
2138 				peer->aorg.l_ui, peer->aorg.l_uf,
2139 				hm_str, ntoa(&peer->srcadr));
2140 			if (  !L_ISZERO(&peer->dst)
2141 			    && L_ISEQU(&p_org, &peer->dst)) {
2142 				/* Might be the start of an interleave */
2143 				if (dynamic_interleave) {
2144 					peer->flip = 1;
2145 					report_event(PEVNT_XLEAVE, peer, NULL);
2146 				} else {
2147 					msyslog(LOG_INFO,
2148 						"receive: Dynamic interleave from %s@%s denied",
2149 						hm_str, ntoa(&peer->srcadr));
2150 				}
2151 			}
2152 		} else {
2153 			L_CLR(&peer->aorg);
2154 			/* XXX: FLAG_LOOPNONCE */
2155 		}
2156 
2157 	/*
2158 	 * Check for valid nonzero timestamp fields.
2159 	 */
2160 	} else if (   L_ISZERO(&p_org)
2161 		   || L_ISZERO(&p_rec)
2162 		   || L_ISZERO(&peer->dst)) {
2163 		peer->flash |= TEST3;		/* unsynch */
2164 
2165 	/*
2166 	 * Check for bogus packet in interleaved symmetric mode. This
2167 	 * can happen if a packet is lost, duplicated or crossed. If
2168 	 * found, flip and resynchronize.
2169 	 */
2170 	} else if (   !L_ISZERO(&peer->dst)
2171 		   && !L_ISEQU(&p_org, &peer->dst)) {
2172 		DPRINTF(2, ("receive: drop: Bogus packet in interleaved symmetric mode\n"));
2173 		peer->bogusorg++;
2174 		peer->flags |= FLAG_XBOGUS;
2175 		peer->flash |= TEST2;		/* bogus */
2176 #ifdef BUG3453
2177 		return; /* Bogus packet, we are done */
2178 #endif
2179 	}
2180 
2181 	/**/
2182 
2183 	/*
2184 	 * If this is a crypto_NAK, the server cannot authenticate a
2185 	 * client packet. The server might have just changed keys. Clear
2186 	 * the association and restart the protocol.
2187 	 */
2188 	if (crypto_nak_test == VALIDNAK) {
2189 		report_event(PEVNT_AUTH, peer, "crypto_NAK");
2190 		peer->flash |= TEST5;		/* bad auth */
2191 		peer->badauth++;
2192 		if (peer->flags & FLAG_PREEMPT) {
2193 			if (unpeer_crypto_nak_early) {
2194 				unpeer(peer);
2195 			}
2196 			DPRINTF(2, ("receive: drop: PREEMPT crypto_NAK\n"));
2197 			return;
2198 		}
2199 #ifdef AUTOKEY
2200 		if (peer->crypto) {
2201 			peer_clear(peer, "AUTH");
2202 		}
2203 #endif	/* AUTOKEY */
2204 		DPRINTF(2, ("receive: drop: crypto_NAK\n"));
2205 		return;
2206 
2207 	/*
2208 	 * If the digest fails or it's missing for authenticated
2209 	 * associations, the client cannot authenticate a server
2210 	 * reply to a client packet previously sent. The loopback check
2211 	 * is designed to avoid a bait-and-switch attack, which was
2212 	 * possible in past versions. If symmetric modes, return a
2213 	 * crypto-NAK. The peer should restart the protocol.
2214 	 */
2215 	} else if (!AUTH(peer->keyid || has_mac ||
2216 			 (restrict_mask & RES_DONTTRUST), is_authentic)) {
2217 
2218 		if (peer->flash & PKT_TEST_MASK) {
2219 			msyslog(LOG_INFO,
2220 				"receive: Bad auth in packet with bad timestamps from %s denied - spoof?",
2221 				ntoa(&peer->srcadr));
2222 			return;
2223 		}
2224 
2225 		report_event(PEVNT_AUTH, peer, "digest");
2226 		peer->flash |= TEST5;		/* bad auth */
2227 		peer->badauth++;
2228 		if (   has_mac
2229 		    && (   hismode == MODE_ACTIVE
2230 			|| hismode == MODE_PASSIVE))
2231 			fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
2232 		if (peer->flags & FLAG_PREEMPT) {
2233 			if (unpeer_digest_early) {
2234 				unpeer(peer);
2235 			}
2236 		}
2237 #ifdef AUTOKEY
2238 		else if (peer_clear_digest_early && peer->crypto) {
2239 			peer_clear(peer, "AUTH");
2240 		}
2241 #endif	/* AUTOKEY */
2242 		DPRINTF(2, ("receive: drop: Bad or missing AUTH\n"));
2243 		return;
2244 	}
2245 
2246 	/*
2247 	 * For broadcast packets:
2248 	 *
2249 	 * HMS: This next line never made much sense to me, even
2250 	 * when it was up higher:
2251 	 *   If an initial volley, bail out now and let the
2252 	 *   client do its stuff.
2253 	 *
2254 	 * If the packet has not failed authentication, then
2255 	 * - if the origin timestamp is nonzero this is an
2256 	 *   interleaved broadcast, so restart the protocol.
2257 	 * - else, this is not an interleaved broadcast packet.
2258 	 */
2259 	if (hismode == MODE_BROADCAST) {
2260 		if (   is_authentic == AUTH_OK
2261 		    || is_authentic == AUTH_NONE) {
2262 			if (!L_ISZERO(&p_org)) {
2263 				if (!(peer->flags & FLAG_XB)) {
2264 					msyslog(LOG_INFO,
2265 						"receive: Broadcast server at %s is in interleave mode",
2266 						ntoa(&peer->srcadr));
2267 					peer->flags |= FLAG_XB;
2268 					peer->aorg = p_xmt;
2269 					peer->borg = rbufp->recv_time;
2270 					report_event(PEVNT_XLEAVE, peer, NULL);
2271 					return;
2272 				}
2273 			} else if (peer->flags & FLAG_XB) {
2274 				msyslog(LOG_INFO,
2275 					"receive: Broadcast server at %s is no longer in interleave mode",
2276 					ntoa(&peer->srcadr));
2277 				peer->flags &= ~FLAG_XB;
2278 			}
2279 		} else {
2280 			msyslog(LOG_INFO,
2281 				"receive: Bad broadcast auth (%d) from %s",
2282 				is_authentic, ntoa(&peer->srcadr));
2283 		}
2284 
2285 		/*
2286 		 * Now that we know the packet is correctly authenticated,
2287 		 * update peer->bxmt.
2288 		 */
2289 		peer->bxmt = p_xmt;
2290 	}
2291 
2292 
2293 	/*
2294 	** Update the state variables.
2295 	*/
2296 	if (peer->flip == 0) {
2297 		if (hismode != MODE_BROADCAST)
2298 			peer->rec = p_xmt;
2299 		peer->dst = rbufp->recv_time;
2300 	}
2301 	peer->xmt = p_xmt;
2302 
2303 	/*
2304 	 * Set the peer ppoll to the maximum of the packet ppoll and the
2305 	 * peer minpoll. If a kiss-o'-death, set the peer minpoll to
2306 	 * this maximum and advance the headway to give the sender some
2307 	 * headroom. Very intricate.
2308 	 */
2309 
2310 	/*
2311 	 * Check for any kiss codes. Note this is only used when a server
2312 	 * responds to a packet request.
2313 	 */
2314 
2315 	/*
2316 	 * Check to see if this is a RATE Kiss Code
2317 	 * Currently this kiss code will accept whatever valid poll
2318 	 * rate that the server sends
2319 	 */
2320 	if (   (NTP_MINPOLL > pkt->ppoll)
2321 	    || (NTP_MAXPOLL < pkt->ppoll)
2322 	   ) {
2323 		DPRINTF(2, ("RATEKISS: Invalid ppoll (%d) from %s\n",
2324 				pkt->ppoll, stoa(&rbufp->recv_srcadr)));
2325 		sys_badlength++;
2326 		return;			/* invalid packet poll */
2327 	}
2328 	peer->ppoll = max(peer->minpoll, pkt->ppoll);
2329 	if (kissCode == RATEKISS) {
2330 		peer->selbroken++;	/* Increment the KoD count */
2331 		report_event(PEVNT_RATE, peer, NULL);
2332 		if (pkt->ppoll > peer->minpoll)
2333 			peer->minpoll = peer->ppoll;
2334 		peer->burst = peer->retry = 0;
2335 		peer->throttle = (NTP_SHIFT + 1) * (1 << peer->minpoll);
2336 		poll_update(peer, pkt->ppoll, 0);
2337 		return;				/* kiss-o'-death */
2338 	}
2339 	if (kissCode != NOKISS) {
2340 		peer->selbroken++;	/* Increment the KoD count */
2341 		return;		/* Drop any other kiss code packets */
2342 	}
2343 
2344 
2345 	/*
2346 	 * XXX
2347 	 */
2348 
2349 
2350 	/*
2351 	 * If:
2352 	 *	- this is a *cast (uni-, broad-, or m-) server packet
2353 	 *	- and it's symmetric-key authenticated
2354 	 * then see if the sender's IP is trusted for this keyid.
2355 	 * If it is, great - nothing special to do here.
2356 	 * Otherwise, we should report and bail.
2357 	 *
2358 	 * Autokey-authenticated packets are accepted.
2359 	 */
2360 
2361 	switch (hismode) {
2362 	    case MODE_SERVER:		/* server mode */
2363 	    case MODE_BROADCAST:	/* broadcast mode */
2364 	    case MODE_ACTIVE:		/* symmetric active mode */
2365 	    case MODE_PASSIVE:		/* symmetric passive mode */
2366 		if (   is_authentic == AUTH_OK
2367 		    && skeyid
2368 		    && skeyid <= NTP_MAXKEY
2369 		    && !authistrustedip(skeyid, &peer->srcadr)) {
2370 			report_event(PEVNT_AUTH, peer, "authIP");
2371 			peer->badauth++;
2372 			return;
2373 		}
2374 		break;
2375 
2376 	    case MODE_CLIENT:		/* client mode */
2377 #if 0		/* At this point, MODE_CONTROL is overloaded by MODE_BCLIENT */
2378 	    case MODE_CONTROL:		/* control mode */
2379 #endif
2380 	    case MODE_PRIVATE:		/* private mode */
2381 	    case MODE_BCLIENT:		/* broadcast client mode */
2382 		break;
2383 
2384 	    case MODE_UNSPEC:		/* unspecified (old version) */
2385 	    default:
2386 		msyslog(LOG_INFO,
2387 			"receive: Unexpected mode (%d) in packet from %s",
2388 			hismode, ntoa(&peer->srcadr));
2389 		break;
2390 	}
2391 
2392 
2393 	/*
2394 	 * That was hard and I am sweaty, but the packet is squeaky
2395 	 * clean. Get on with real work.
2396 	 */
2397 	peer->timereceived = current_time;
2398 	peer->timelastrec = current_time;
2399 	if (is_authentic == AUTH_OK)
2400 		peer->flags |= FLAG_AUTHENTIC;
2401 	else
2402 		peer->flags &= ~FLAG_AUTHENTIC;
2403 
2404 #ifdef AUTOKEY
2405 	/*
2406 	 * More autokey dance. The rules of the cha-cha are as follows:
2407 	 *
2408 	 * 1. If there is no key or the key is not auto, do nothing.
2409 	 *
2410 	 * 2. If this packet is in response to the one just previously
2411 	 *    sent or from a broadcast server, do the extension fields.
2412 	 *    Otherwise, assume bogosity and bail out.
2413 	 *
2414 	 * 3. If an extension field contains a verified signature, it is
2415 	 *    self-authenticated and we sit the dance.
2416 	 *
2417 	 * 4. If this is a server reply, check only to see that the
2418 	 *    transmitted key ID matches the received key ID.
2419 	 *
2420 	 * 5. Check to see that one or more hashes of the current key ID
2421 	 *    matches the previous key ID or ultimate original key ID
2422 	 *    obtained from the broadcaster or symmetric peer. If no
2423 	 *    match, sit the dance and call for new autokey values.
2424 	 *
2425 	 * In case of crypto error, fire the orchestra, stop dancing and
2426 	 * restart the protocol.
2427 	 */
2428 	if (peer->flags & FLAG_SKEY) {
2429 		/*
2430 		 * Decrement remaining autokey hashes. This isn't
2431 		 * perfect if a packet is lost, but results in no harm.
2432 		 */
2433 		ap = (struct autokey *)peer->recval.ptr;
2434 		if (ap != NULL) {
2435 			if (ap->seq > 0)
2436 				ap->seq--;
2437 		}
2438 		peer->flash |= TEST8;
2439 		rval = crypto_recv(peer, rbufp);
2440 		if (rval == XEVNT_OK) {
2441 			peer->unreach = 0;
2442 		} else {
2443 			if (rval == XEVNT_ERR) {
2444 				report_event(PEVNT_RESTART, peer,
2445 				    "crypto error");
2446 				peer_clear(peer, "CRYP");
2447 				peer->flash |= TEST9;	/* bad crypt */
2448 				if (peer->flags & FLAG_PREEMPT) {
2449 					if (unpeer_crypto_early) {
2450 						unpeer(peer);
2451 					}
2452 				}
2453 			}
2454 			return;
2455 		}
2456 
2457 		/*
2458 		 * If server mode, verify the receive key ID matches
2459 		 * the transmit key ID.
2460 		 */
2461 		if (hismode == MODE_SERVER) {
2462 			if (skeyid == peer->keyid)
2463 				peer->flash &= ~TEST8;
2464 
2465 		/*
2466 		 * If an extension field is present, verify only that it
2467 		 * has been correctly signed. We don't need a sequence
2468 		 * check here, but the sequence continues.
2469 		 */
2470 		} else if (!(peer->flash & TEST8)) {
2471 			peer->pkeyid = skeyid;
2472 
2473 		/*
2474 		 * Now the fun part. Here, skeyid is the current ID in
2475 		 * the packet, pkeyid is the ID in the last packet and
2476 		 * tkeyid is the hash of skeyid. If the autokey values
2477 		 * have not been received, this is an automatic error.
2478 		 * If so, check that the tkeyid matches pkeyid. If not,
2479 		 * hash tkeyid and try again. If the number of hashes
2480 		 * exceeds the number remaining in the sequence, declare
2481 		 * a successful failure and refresh the autokey values.
2482 		 */
2483 		} else if (ap != NULL) {
2484 			int i;
2485 
2486 			for (i = 0; ; i++) {
2487 				if (   tkeyid == peer->pkeyid
2488 				    || tkeyid == ap->key) {
2489 					peer->flash &= ~TEST8;
2490 					peer->pkeyid = skeyid;
2491 					ap->seq -= i;
2492 					break;
2493 				}
2494 				if (i > ap->seq) {
2495 					peer->crypto &=
2496 					    ~CRYPTO_FLAG_AUTO;
2497 					break;
2498 				}
2499 				tkeyid = session_key(
2500 				    &rbufp->recv_srcadr, dstadr_sin,
2501 				    tkeyid, pkeyid, 0);
2502 			}
2503 			if (peer->flash & TEST8)
2504 				report_event(PEVNT_AUTH, peer, "keylist");
2505 		}
2506 		if (!(peer->crypto & CRYPTO_FLAG_PROV)) /* test 9 */
2507 			peer->flash |= TEST8;	/* bad autokey */
2508 
2509 		/*
2510 		 * The maximum lifetime of the protocol is about one
2511 		 * week before restarting the Autokey protocol to
2512 		 * refresh certificates and leapseconds values.
2513 		 */
2514 		if (current_time > peer->refresh) {
2515 			report_event(PEVNT_RESTART, peer,
2516 			    "crypto refresh");
2517 			peer_clear(peer, "TIME");
2518 			return;
2519 		}
2520 	}
2521 #endif	/* AUTOKEY */
2522 
2523 	/*
2524 	 * The dance is complete and the flash bits have been lit. Toss
2525 	 * the packet over the fence for processing, which may light up
2526 	 * more flashers. Leave if the packet is not good.
2527 	 */
2528 	process_packet(peer, pkt, rbufp->recv_length);
2529 	/* Bug 2734: TEST3 prevents initial interleave sync */
2530 	if ((~TEST3 & peer->flash) & PKT_TEST_MASK) {
2531 		return;
2532 	}
2533 
2534 	/* [bug 3592] Update poll. Ideally this should not happen in a
2535 	 * receive branch, but too much is going on here... at least we
2536 	 * do it only if the packet was good!
2537 	 */
2538 	poll_update(peer, peer->hpoll, (peer->hmode == MODE_CLIENT));
2539 
2540 	/*
2541 	 * In interleaved mode update the state variables. Also adjust the
2542 	 * transmit phase to avoid crossover.
2543 	 */
2544 	if (peer->flip != 0) {
2545 		peer->rec = p_rec;
2546 		peer->dst = rbufp->recv_time;
2547 		if (peer->nextdate - current_time < (1U << min(peer->ppoll,
2548 		    peer->hpoll)) / 2)
2549 			peer->nextdate++;
2550 		else
2551 			peer->nextdate--;
2552 	}
2553 }
2554 
2555 
2556 /*
2557  * process_packet - Packet Procedure, a la Section 3.4.4 of RFC-1305
2558  *	Or almost, at least.  If we're in here we have a reasonable
2559  *	expectation that we will be having a long term
2560  *	relationship with this host.
2561  */
2562 void
2563 process_packet(
2564 	register struct peer *peer,
2565 	register struct pkt *pkt,
2566 	u_int	len
2567 	)
2568 {
2569 	double	t34, t21;
2570 	double	p_offset, p_del, p_disp;
2571 	l_fp	p_rec, p_xmt, p_org, p_reftime, ci;
2572 	u_char	pmode, pleap, pversion, pstratum;
2573 #ifdef ASSYM
2574 	int	itemp;
2575 	double	etemp, ftemp, td;
2576 #endif /* ASSYM */
2577 
2578 	p_del = FPTOD(NTOHS_FP(pkt->rootdelay));
2579 	p_offset = 0;
2580 	p_disp = FPTOD(NTOHS_FP(pkt->rootdisp));
2581 	NTOHL_FP(&pkt->reftime, &p_reftime);
2582 	NTOHL_FP(&pkt->org, &p_org);
2583 	NTOHL_FP(&pkt->rec, &p_rec);
2584 	NTOHL_FP(&pkt->xmt, &p_xmt);
2585 	pmode = PKT_MODE(pkt->li_vn_mode);
2586 	pleap = PKT_LEAP(pkt->li_vn_mode);
2587 	pversion = PKT_VERSION(pkt->li_vn_mode);
2588 	pstratum = PKT_TO_STRATUM(pkt->stratum);
2589 
2590 	/*
2591 	 * Verify the server is synchronized; that is, the leap bits,
2592 	 * stratum and root distance are valid.
2593 	 */
2594 	if (   pleap == LEAP_NOTINSYNC		/* test 6 */
2595 	    || pstratum < sys_floor || pstratum >= sys_ceiling)
2596 		peer->flash |= TEST6;		/* bad synch or strat */
2597 	if (p_del / 2 + p_disp >= MAXDISPERSE)	/* test 7 */
2598 		peer->flash |= TEST7;		/* bad header */
2599 
2600 	/*
2601 	 * If any tests fail at this point, the packet is discarded.
2602 	 * Note that some flashers may have already been set in the
2603 	 * receive() routine.
2604 	 */
2605 	if (peer->flash & PKT_TEST_MASK) {
2606 		peer->seldisptoolarge++;
2607 		DPRINTF(1, ("packet: flash header %04x\n",
2608 			    peer->flash));
2609 		/* [Bug 3592] do *not* update poll on bad packets! */
2610 		return;
2611 	}
2612 
2613 	/*
2614 	 * update stats, now that we really handle this packet:
2615 	 */
2616 	sys_processed++;
2617 	peer->processed++;
2618 
2619 	/*
2620 	 * Capture the header values in the client/peer association..
2621 	 */
2622 	record_raw_stats(&peer->srcadr,
2623 	    peer->dstadr ? &peer->dstadr->sin : NULL,
2624 	    &p_org, &p_rec, &p_xmt, &peer->dst,
2625 	    pleap, pversion, pmode, pstratum, pkt->ppoll, pkt->precision,
2626 	    p_del, p_disp, pkt->refid,
2627 	    len - MIN_V4_PKT_LEN, (u_char *)&pkt->exten);
2628 	peer->leap = pleap;
2629 	peer->stratum = min(pstratum, STRATUM_UNSPEC);
2630 	peer->pmode = pmode;
2631 	peer->precision = pkt->precision;
2632 	peer->rootdelay = p_del;
2633 	peer->rootdisp = p_disp;
2634 	peer->refid = pkt->refid;		/* network byte order */
2635 	peer->reftime = p_reftime;
2636 
2637 	/*
2638 	 * First, if either burst mode is armed, enable the burst.
2639 	 * Compute the headway for the next packet and delay if
2640 	 * necessary to avoid exceeding the threshold.
2641 	 */
2642 	if (peer->retry > 0) {
2643 		peer->retry = 0;
2644 		if (peer->reach)
2645 			peer->burst = min(1 << (peer->hpoll -
2646 			    peer->minpoll), NTP_SHIFT) - 1;
2647 		else
2648 			peer->burst = NTP_IBURST - 1;
2649 		if (peer->burst > 0)
2650 			peer->nextdate = current_time;
2651 	}
2652 
2653 	/*
2654 	 * If the peer was previously unreachable, raise a trap. In any
2655 	 * case, mark it reachable.
2656 	 */
2657 	if (!peer->reach) {
2658 		report_event(PEVNT_REACH, peer, NULL);
2659 		peer->timereachable = current_time;
2660 	}
2661 	peer->reach |= 1;
2662 
2663 	/*
2664 	 * For a client/server association, calculate the clock offset,
2665 	 * roundtrip delay and dispersion. The equations are reordered
2666 	 * from the spec for more efficient use of temporaries. For a
2667 	 * broadcast association, offset the last measurement by the
2668 	 * computed delay during the client/server volley. Note the
2669 	 * computation of dispersion includes the system precision plus
2670 	 * that due to the frequency error since the origin time.
2671 	 *
2672 	 * It is very important to respect the hazards of overflow. The
2673 	 * only permitted operation on raw timestamps is subtraction,
2674 	 * where the result is a signed quantity spanning from 68 years
2675 	 * in the past to 68 years in the future. To avoid loss of
2676 	 * precision, these calculations are done using 64-bit integer
2677 	 * arithmetic. However, the offset and delay calculations are
2678 	 * sums and differences of these first-order differences, which
2679 	 * if done using 64-bit integer arithmetic, would be valid over
2680 	 * only half that span. Since the typical first-order
2681 	 * differences are usually very small, they are converted to 64-
2682 	 * bit doubles and all remaining calculations done in floating-
2683 	 * double arithmetic. This preserves the accuracy while
2684 	 * retaining the 68-year span.
2685 	 *
2686 	 * There are three interleaving schemes, basic, interleaved
2687 	 * symmetric and interleaved broadcast. The timestamps are
2688 	 * idioscyncratically different. See the onwire briefing/white
2689 	 * paper at www.eecis.udel.edu/~mills for details.
2690 	 *
2691 	 * Interleaved symmetric mode
2692 	 * t1 = peer->aorg/borg, t2 = peer->rec, t3 = p_xmt,
2693 	 * t4 = peer->dst
2694 	 */
2695 	if (peer->flip != 0) {
2696 		ci = p_xmt;				/* t3 - t4 */
2697 		L_SUB(&ci, &peer->dst);
2698 		LFPTOD(&ci, t34);
2699 		ci = p_rec;				/* t2 - t1 */
2700 		if (peer->flip > 0)
2701 			L_SUB(&ci, &peer->borg);
2702 		else
2703 			L_SUB(&ci, &peer->aorg);
2704 		LFPTOD(&ci, t21);
2705 		p_del = t21 - t34;
2706 		p_offset = (t21 + t34) / 2.;
2707 		if (p_del < 0 || p_del > 1.) {
2708 			mprintf_event(PEVNT_XERR, peer,
2709 				      "t21 %.9f t34 %.9f", t21, t34);
2710 			return;
2711 		}
2712 
2713 	/*
2714 	 * Broadcast modes
2715 	 */
2716 	} else if (peer->pmode == MODE_BROADCAST) {
2717 
2718 		/*
2719 		 * Interleaved broadcast mode. Use interleaved timestamps.
2720 		 * t1 = peer->borg, t2 = p_org, t3 = p_org, t4 = aorg
2721 		 */
2722 		if (peer->flags & FLAG_XB) {
2723 			ci = p_org;			/* delay */
2724 			L_SUB(&ci, &peer->aorg);
2725 			LFPTOD(&ci, t34);
2726 			ci = p_org;			/* t2 - t1 */
2727 			L_SUB(&ci, &peer->borg);
2728 			LFPTOD(&ci, t21);
2729 			peer->aorg = p_xmt;
2730 			peer->borg = peer->dst;
2731 			if (t34 < 0 || t34 > 1.) {
2732 				/* drop all if in the initial volley */
2733 				if (FLAG_BC_VOL & peer->flags)
2734 					goto bcc_init_volley_fail;
2735 				mprintf_event(PEVNT_XERR, peer,
2736 					      "offset %.9f delay %.9f",
2737 					      t21, t34);
2738 				return;
2739 			}
2740 			p_offset = t21;
2741 			peer->xleave = t34;
2742 
2743 		/*
2744 		 * Basic broadcast - use direct timestamps.
2745 		 * t3 = p_xmt, t4 = peer->dst
2746 		 */
2747 		} else {
2748 			ci = p_xmt;		/* t3 - t4 */
2749 			L_SUB(&ci, &peer->dst);
2750 			LFPTOD(&ci, t34);
2751 			p_offset = t34;
2752 		}
2753 
2754 		/*
2755 		 * When calibration is complete and the clock is
2756 		 * synchronized, the bias is calculated as the difference
2757 		 * between the unicast timestamp and the broadcast
2758 		 * timestamp. This works for both basic and interleaved
2759 		 * modes.
2760 		 * [Bug 3031] Don't keep this peer when the delay
2761 		 * calculation gives reason to suspect clock steps.
2762 		 * This is assumed for delays > 50ms.
2763 		 */
2764 		if (FLAG_BC_VOL & peer->flags) {
2765 			peer->flags &= ~FLAG_BC_VOL;
2766 			peer->delay = fabs(peer->offset - p_offset) * 2;
2767 			DPRINTF(2, ("broadcast volley: initial delay=%.6f\n",
2768 				peer->delay));
2769 			if (peer->delay > fabs(sys_bdelay)) {
2770 		bcc_init_volley_fail:
2771 				DPRINTF(2, ("%s", "broadcast volley: initial delay exceeds limit\n"));
2772 				unpeer(peer);
2773 				return;
2774 			}
2775 		}
2776 		peer->nextdate = current_time + (1u << peer->ppoll) - 2u;
2777 		p_del = peer->delay;
2778 		p_offset += p_del / 2;
2779 
2780 
2781 	/*
2782 	 * Basic mode, otherwise known as the old fashioned way.
2783 	 *
2784 	 * t1 = p_org, t2 = p_rec, t3 = p_xmt, t4 = peer->dst
2785 	 */
2786 	} else {
2787 		ci = p_xmt;				/* t3 - t4 */
2788 		L_SUB(&ci, &peer->dst);
2789 		LFPTOD(&ci, t34);
2790 		ci = p_rec;				/* t2 - t1 */
2791 		L_SUB(&ci, &p_org);
2792 		LFPTOD(&ci, t21);
2793 		p_del = fabs(t21 - t34);
2794 		p_offset = (t21 + t34) / 2.;
2795 	}
2796 	p_del = max(p_del, LOGTOD(sys_precision));
2797 	p_disp = LOGTOD(sys_precision) + LOGTOD(peer->precision) +
2798 	    clock_phi * p_del;
2799 
2800 #if ASSYM
2801 	/*
2802 	 * This code calculates the outbound and inbound data rates by
2803 	 * measuring the differences between timestamps at different
2804 	 * packet lengths. This is helpful in cases of large asymmetric
2805 	 * delays commonly experienced on deep space communication
2806 	 * links.
2807 	 */
2808 	if (peer->t21_last > 0 && peer->t34_bytes > 0) {
2809 		itemp = peer->t21_bytes - peer->t21_last;
2810 		if (itemp > 25) {
2811 			etemp = t21 - peer->t21;
2812 			if (fabs(etemp) > 1e-6) {
2813 				ftemp = itemp / etemp;
2814 				if (ftemp > 1000.)
2815 					peer->r21 = ftemp;
2816 			}
2817 		}
2818 		itemp = len - peer->t34_bytes;
2819 		if (itemp > 25) {
2820 			etemp = -t34 - peer->t34;
2821 			if (fabs(etemp) > 1e-6) {
2822 				ftemp = itemp / etemp;
2823 				if (ftemp > 1000.)
2824 					peer->r34 = ftemp;
2825 			}
2826 		}
2827 	}
2828 
2829 	/*
2830 	 * The following section compensates for different data rates on
2831 	 * the outbound (d21) and inbound (t34) directions. To do this,
2832 	 * it finds t such that r21 * t - r34 * (d - t) = 0, where d is
2833 	 * the roundtrip delay. Then it calculates the correction as a
2834 	 * fraction of d.
2835 	 */
2836 	peer->t21 = t21;
2837 	peer->t21_last = peer->t21_bytes;
2838 	peer->t34 = -t34;
2839 	peer->t34_bytes = len;
2840 	DPRINTF(2, ("packet: t21 %.9lf %d t34 %.9lf %d\n", peer->t21,
2841 		    peer->t21_bytes, peer->t34, peer->t34_bytes));
2842 	if (peer->r21 > 0 && peer->r34 > 0 && p_del > 0) {
2843 		if (peer->pmode != MODE_BROADCAST)
2844 			td = (peer->r34 / (peer->r21 + peer->r34) -
2845 			    .5) * p_del;
2846 		else
2847 			td = 0;
2848 
2849 		/*
2850 		 * Unfortunately, in many cases the errors are
2851 		 * unacceptable, so for the present the rates are not
2852 		 * used. In future, we might find conditions where the
2853 		 * calculations are useful, so this should be considered
2854 		 * a work in progress.
2855 		 */
2856 		t21 -= td;
2857 		t34 -= td;
2858 		DPRINTF(2, ("packet: del %.6lf r21 %.1lf r34 %.1lf %.6lf\n",
2859 			    p_del, peer->r21 / 1e3, peer->r34 / 1e3,
2860 			    td));
2861 	}
2862 #endif /* ASSYM */
2863 
2864 	/*
2865 	 * That was awesome. Now hand off to the clock filter.
2866 	 */
2867 	clock_filter(peer, p_offset + peer->bias, p_del, p_disp);
2868 
2869 	/*
2870 	 * If we are in broadcast calibrate mode, return to broadcast
2871 	 * client mode when the client is fit and the autokey dance is
2872 	 * complete.
2873 	 */
2874 	if (   (FLAG_BC_VOL & peer->flags)
2875 	    && MODE_CLIENT == peer->hmode
2876 	    && !(TEST11 & peer_unfit(peer))) {	/* distance exceeded */
2877 #ifdef AUTOKEY
2878 		if (peer->flags & FLAG_SKEY) {
2879 			if (!(~peer->crypto & CRYPTO_FLAG_ALL))
2880 				peer->hmode = MODE_BCLIENT;
2881 		} else {
2882 			peer->hmode = MODE_BCLIENT;
2883 		}
2884 #else	/* !AUTOKEY follows */
2885 		peer->hmode = MODE_BCLIENT;
2886 #endif	/* !AUTOKEY */
2887 	}
2888 }
2889 
2890 
2891 /*
2892  * clock_update - Called at system process update intervals.
2893  */
2894 static void
2895 clock_update(
2896 	struct peer *peer	/* peer structure pointer */
2897 	)
2898 {
2899 	double	dtemp;
2900 	l_fp	now;
2901 #ifdef HAVE_LIBSCF_H
2902 	char	*fmri;
2903 #endif /* HAVE_LIBSCF_H */
2904 
2905 	/*
2906 	 * Update the system state variables. We do this very carefully,
2907 	 * as the poll interval might need to be clamped differently.
2908 	 */
2909 	sys_peer = peer;
2910 	sys_epoch = peer->epoch;
2911 	if (sys_poll < peer->minpoll)
2912 		sys_poll = peer->minpoll;
2913 	if (sys_poll > peer->maxpoll)
2914 		sys_poll = peer->maxpoll;
2915 	poll_update(peer, sys_poll, 0);
2916 	sys_stratum = min(peer->stratum + 1, STRATUM_UNSPEC);
2917 	if (   peer->stratum == STRATUM_REFCLOCK
2918 	    || peer->stratum == STRATUM_UNSPEC)
2919 		sys_refid = peer->refid;
2920 	else
2921 		sys_refid = addr2refid(&peer->srcadr);
2922 	/*
2923 	 * Root Dispersion (E) is defined (in RFC 5905) as:
2924 	 *
2925 	 * E = p.epsilon_r + p.epsilon + p.psi + PHI*(s.t - p.t) + |THETA|
2926 	 *
2927 	 * where:
2928 	 *  p.epsilon_r is the PollProc's root dispersion
2929 	 *  p.epsilon   is the PollProc's dispersion
2930 	 *  p.psi       is the PollProc's jitter
2931 	 *  THETA       is the combined offset
2932 	 *
2933 	 * NB: Think Hard about where these numbers come from and
2934 	 * what they mean.  When did peer->update happen?  Has anything
2935 	 * interesting happened since then?  What values are the most
2936 	 * defensible?  Why?
2937 	 *
2938 	 * DLM thinks this equation is probably the best of all worse choices.
2939 	 */
2940 	dtemp	= peer->rootdisp
2941 		+ peer->disp
2942 		+ sys_jitter
2943 		+ clock_phi * (current_time - peer->update)
2944 		+ fabs(sys_offset);
2945 
2946 	p2_rootdisp = prev_rootdisp;
2947 	prev_rootdisp = sys_rootdisp;
2948 	if (dtemp > sys_mindisp)
2949 		sys_rootdisp = dtemp;
2950 	else
2951 		sys_rootdisp = sys_mindisp;
2952 
2953 	sys_rootdelay = peer->delay + peer->rootdelay;
2954 
2955 	p2_reftime = prev_reftime;
2956 	p2_time = prev_time;
2957 
2958 	prev_reftime = sys_reftime;
2959 	prev_time = current_time + 64 + (rand() & 0x3f);	/* 64-127 s */
2960 
2961 	sys_reftime = peer->dst;
2962 
2963 	DPRINTF(1, ("clock_update: at %lu sample %lu associd %d\n",
2964 		    current_time, peer->epoch, peer->associd));
2965 
2966 	/*
2967 	 * Comes now the moment of truth. Crank the clock discipline and
2968 	 * see what comes out.
2969 	 */
2970 	switch (local_clock(peer, sys_offset)) {
2971 
2972 	/*
2973 	 * Clock exceeds panic threshold. Life as we know it ends.
2974 	 */
2975 	case -1:
2976 		msyslog(LOG_ERR, "Clock offset exceeds panic threshold.");
2977 #ifdef HAVE_LIBSCF_H
2978 		/*
2979 		 * For Solaris enter the maintenance mode.
2980 		 */
2981 		if ((fmri = getenv("SMF_FMRI")) != NULL) {
2982 			if (smf_maintain_instance(fmri, 0) < 0) {
2983 				msyslog(LOG_ERR, "smf_maintain_instance: %s",
2984 						 scf_strerror(scf_error()));
2985 				exit(1);
2986 			}
2987 			/*
2988 			 * Sleep until SMF kills us.
2989 			 */
2990 			msyslog(LOG_ERR, "%s placed into maintenance. "
2991 				"Set system clock by hand before clearing.",
2992 				fmri);
2993 			for (;;)
2994 				pause();
2995 		}
2996 #endif /* HAVE_LIBSCF_H */
2997 		msyslog(LOG_ERR, "Set system clock by hand.");
2998 		exit (-1);
2999 		/* not reached */
3000 
3001 	/*
3002 	 * Clock was stepped. Flush all time values of all peers.
3003 	 */
3004 	case 2:
3005 		clear_all();
3006 		set_sys_leap(LEAP_NOTINSYNC);
3007 		sys_stratum = STRATUM_UNSPEC;
3008 		memcpy(&sys_refid, "STEP", 4);
3009 		sys_rootdelay = 0;
3010 		p2_rootdisp = 0;
3011 		prev_rootdisp = 0;
3012 		sys_rootdisp = 0;
3013 		L_CLR(&p2_reftime);	/* Should we clear p2_reftime? */
3014 		L_CLR(&prev_reftime);	/* Should we clear prev_reftime? */
3015 		L_CLR(&sys_reftime);
3016 		sys_jitter = LOGTOD(sys_precision);
3017 		leapsec_reset_frame();
3018 		break;
3019 
3020 	/*
3021 	 * Clock was slewed. Handle the leapsecond stuff.
3022 	 */
3023 	case 1:
3024 
3025 		/*
3026 		 * If this is the first time the clock is set, reset the
3027 		 * leap bits. If crypto, the timer will goose the setup
3028 		 * process.
3029 		 */
3030 		if (sys_leap == LEAP_NOTINSYNC) {
3031 			set_sys_leap(LEAP_NOWARNING);
3032 #ifdef AUTOKEY
3033 			if (crypto_flags)
3034 				crypto_update();
3035 #endif	/* AUTOKEY */
3036 
3037 		}
3038 
3039 		/*
3040 		 * If there is no leap second pending and the number of
3041 		 * survivor leap bits is greater than half the number of
3042 		 * survivors, try to schedule a leap for the end of the
3043 		 * current month. (This only works if no leap second for
3044 		 * that range is in the table, so doing this more than
3045 		 * once is mostly harmless.)
3046 		 */
3047 		if (leapsec == LSPROX_NOWARN) {
3048 			if (   leap_vote_ins > leap_vote_del
3049 			    && leap_vote_ins > sys_survivors / 2) {
3050 				get_systime(&now);
3051 				leapsec_add_dyn(TRUE, now.l_ui, NULL);
3052 			}
3053 			if (   leap_vote_del > leap_vote_ins
3054 			    && leap_vote_del > sys_survivors / 2) {
3055 				get_systime(&now);
3056 				leapsec_add_dyn(FALSE, now.l_ui, NULL);
3057 			}
3058 		}
3059 		break;
3060 
3061 	/*
3062 	 * Popcorn spike or step threshold exceeded. Pretend it never
3063 	 * happened.
3064 	 */
3065 	default:
3066 		break;
3067 	}
3068 }
3069 
3070 
3071 /*
3072  * poll_update - update peer poll interval
3073  */
3074 void
3075 poll_update(
3076 	struct peer *peer,	/* peer structure pointer */
3077 	u_char	mpoll,
3078 	u_char  skewpoll
3079 	)
3080 {
3081 	u_long	next, utemp, limit;
3082 	u_char	hpoll;
3083 
3084 	/*
3085 	 * This routine figures out when the next poll should be sent.
3086 	 * That turns out to be wickedly complicated. One problem is
3087 	 * that sometimes the time for the next poll is in the past when
3088 	 * the poll interval is reduced. We watch out for races here
3089 	 * between the receive process and the poll process.
3090 	 *
3091 	 * Clamp the poll interval between minpoll and maxpoll.
3092 	 */
3093 	hpoll = max(min(peer->maxpoll, mpoll), peer->minpoll);
3094 
3095 #ifdef AUTOKEY
3096 	/*
3097 	 * If during the crypto protocol the poll interval has changed,
3098 	 * the lifetimes in the key list are probably bogus. Purge the
3099 	 * the key list and regenerate it later.
3100 	 */
3101 	if ((peer->flags & FLAG_SKEY) && hpoll != peer->hpoll)
3102 		key_expire(peer);
3103 #endif	/* AUTOKEY */
3104 	peer->hpoll = hpoll;
3105 
3106 	/*
3107 	 * There are three variables important for poll scheduling, the
3108 	 * current time (current_time), next scheduled time (nextdate)
3109 	 * and the earliest time (utemp). The earliest time is 2 s
3110 	 * seconds, but could be more due to rate management. When
3111 	 * sending in a burst, use the earliest time. When not in a
3112 	 * burst but with a reply pending, send at the earliest time
3113 	 * unless the next scheduled time has not advanced. This can
3114 	 * only happen if multiple replies are pending in the same
3115 	 * response interval. Otherwise, send at the later of the next
3116 	 * scheduled time and the earliest time.
3117 	 *
3118 	 * Now we figure out if there is an override. If a burst is in
3119 	 * progress and we get called from the receive process, just
3120 	 * slink away. If called from the poll process, delay 1 s for a
3121 	 * reference clock, otherwise 2 s.
3122 	 */
3123 	utemp = current_time + max(peer->throttle - (NTP_SHIFT - 1) *
3124 	    (1 << peer->minpoll), ntp_minpkt);
3125 
3126  	/*[Bug 3592] avoid unlimited postpone of next poll */
3127 	limit = (2u << hpoll);
3128 	if (limit > 64)
3129 		limit -= (limit >> 2);
3130 	limit += peer->outdate;
3131 	if (limit < current_time)
3132 		limit = current_time;
3133 
3134 	if (peer->burst > 0) {
3135 		if (peer->nextdate > current_time)
3136 			return;
3137 #ifdef REFCLOCK
3138 		else if (peer->flags & FLAG_REFCLOCK)
3139 			peer->nextdate = current_time + RESP_DELAY;
3140 #endif /* REFCLOCK */
3141 		else
3142 			peer->nextdate = utemp;
3143 
3144 #ifdef AUTOKEY
3145 	/*
3146 	 * If a burst is not in progress and a crypto response message
3147 	 * is pending, delay 2 s, but only if this is a new interval.
3148 	 */
3149 	} else if (peer->cmmd != NULL) {
3150 		if (peer->nextdate > current_time) {
3151 			if (peer->nextdate + ntp_minpkt != utemp)
3152 				peer->nextdate = utemp;
3153 		} else {
3154 			peer->nextdate = utemp;
3155 		}
3156 #endif	/* AUTOKEY */
3157 
3158 	/*
3159 	 * The ordinary case. If a retry, use minpoll; if unreachable,
3160 	 * use host poll; otherwise, use the minimum of host and peer
3161 	 * polls; In other words, oversampling is okay but
3162 	 * understampling is evil. Use the maximum of this value and the
3163 	 * headway. If the average headway is greater than the headway
3164 	 * threshold, increase the headway by the minimum interval.
3165 	 */
3166 	} else {
3167 		if (peer->retry > 0)
3168 			hpoll = peer->minpoll;
3169 		else
3170 			hpoll = min(peer->ppoll, peer->hpoll);
3171 #ifdef REFCLOCK
3172 		if (peer->flags & FLAG_REFCLOCK)
3173 			next = 1 << hpoll;
3174 		else
3175 #endif /* REFCLOCK */
3176 			next = ((0x1000UL | (ntp_random() & 0x0ff)) <<
3177 			    hpoll) >> 12;
3178 		next += peer->outdate;
3179 		/* XXX: bug3596: Deal with poll skew list? */
3180 		if (skewpoll) {
3181 			psl_item psi;
3182 
3183 			if (0 == get_pollskew(hpoll, &psi)) {
3184 				int sub = psi.sub;
3185 				int qty = psi.qty;
3186 				int msk = psi.msk;
3187 				int val;
3188 
3189 				if (   0 != sub
3190 				    || 0 != qty) {
3191 					do {
3192 						val = ntp_random() & msk;
3193 					} while (val > qty);
3194 
3195 					next -= sub;
3196 					next += val;
3197 				}
3198 			} else {
3199 				/* get_pollskew() already logged this */
3200 			}
3201 		}
3202 		if (next > utemp)
3203 			peer->nextdate = next;
3204 		else
3205 			peer->nextdate = utemp;
3206 		if (peer->throttle > (1 << peer->minpoll))
3207 			peer->nextdate += ntp_minpkt;
3208 	}
3209 
3210  	/*[Bug 3592] avoid unlimited postpone of next poll */
3211 	if (peer->nextdate > limit) {
3212 		DPRINTF(1, ("poll_update: clamp reached; limit %lu next %lu\n",
3213 			    limit, peer->nextdate));
3214 		peer->nextdate = limit;
3215 	}
3216 	DPRINTF(2, ("poll_update: at %lu %s poll %d burst %d retry %d head %d early %lu next %lu\n",
3217 		    current_time, ntoa(&peer->srcadr), peer->hpoll,
3218 		    peer->burst, peer->retry, peer->throttle,
3219 		    utemp - current_time, peer->nextdate -
3220 		    current_time));
3221 }
3222 
3223 
3224 /*
3225  * peer_clear - clear peer filter registers.  See Section 3.4.8 of the
3226  * spec.
3227  */
3228 void
3229 peer_clear(
3230 	struct peer *peer,		/* peer structure */
3231 	const char *ident		/* tally lights */
3232 	)
3233 {
3234 	static u_long	earliest;
3235 	u_char		u;
3236 	l_fp		bxmt = peer->bxmt;	/* bcast clients retain this! */
3237 
3238 #ifdef AUTOKEY
3239 	/*
3240 	 * If cryptographic credentials have been acquired, toss them to
3241 	 * Valhalla. Note that autokeys are ephemeral, in that they are
3242 	 * tossed immediately upon use. Therefore, the keylist can be
3243 	 * purged anytime without needing to preserve random keys. Note
3244 	 * that, if the peer is purged, the cryptographic variables are
3245 	 * purged, too. This makes it much harder to sneak in some
3246 	 * unauthenticated data in the clock filter.
3247 	 */
3248 	key_expire(peer);
3249 	if (peer->iffval != NULL)
3250 		BN_free(peer->iffval);
3251 	value_free(&peer->cookval);
3252 	value_free(&peer->recval);
3253 	value_free(&peer->encrypt);
3254 	value_free(&peer->sndval);
3255 	if (peer->cmmd != NULL)
3256 		free(peer->cmmd);
3257 	if (peer->subject != NULL)
3258 		free(peer->subject);
3259 	if (peer->issuer != NULL)
3260 		free(peer->issuer);
3261 #endif /* AUTOKEY */
3262 
3263 	/*
3264 	 * Clear all values, including the optional crypto values above.
3265 	 */
3266 	memset(CLEAR_TO_ZERO(peer), 0, LEN_CLEAR_TO_ZERO(peer));
3267 	peer->ppoll = peer->maxpoll;
3268 	peer->hpoll = peer->minpoll;
3269 	peer->disp = MAXDISPERSE;
3270 	peer->flash = peer_unfit(peer);
3271 	peer->jitter = LOGTOD(sys_precision);
3272 
3273 	/* Don't throw away our broadcast replay protection */
3274 	if (peer->hmode == MODE_BCLIENT)
3275 		peer->bxmt = bxmt;
3276 
3277 	/*
3278 	 * If interleave mode, initialize the alternate origin switch.
3279 	 */
3280 	if (peer->flags & FLAG_XLEAVE)
3281 		peer->flip = 1;
3282 	for (u = 0; u < NTP_SHIFT; u++) {
3283 		peer->filter_order[u] = u;
3284 		peer->filter_disp[u] = MAXDISPERSE;
3285 	}
3286 #ifdef REFCLOCK
3287 	if (!(peer->flags & FLAG_REFCLOCK)) {
3288 #endif
3289 		peer->leap = LEAP_NOTINSYNC;
3290 		peer->stratum = STRATUM_UNSPEC;
3291 		memcpy(&peer->refid, ident, 4);
3292 #ifdef REFCLOCK
3293 	} else {
3294 		/* Clear refclock sample filter */
3295 		peer->procptr->codeproc = 0;
3296 		peer->procptr->coderecv = 0;
3297 	}
3298 #endif
3299 
3300 	/*
3301 	 * During initialization use the association count to spread out
3302 	 * the polls at one-second intervals. Unconfigured associations'
3303 	 * first poll is delayed by the "discard minimum" plus 1 to avoid
3304 	 * rate limiting. Other post-startup new or cleared associations
3305 	 * randomize the first poll over the minimum poll interval to
3306 	 * avoid implosion.
3307 	 */
3308 	peer->nextdate = peer->update = peer->outdate = current_time;
3309 	if (initializing) {
3310 		peer->nextdate += peer_associations;
3311 	} else if (!(FLAG_CONFIG & peer->flags)) {
3312 		peer->nextdate += ntp_minpkt + 1;
3313 		/* space out manycastclient first polls */
3314 		if (peer->nextdate < earliest) {
3315 			peer->nextdate = earliest;
3316 		}
3317 		earliest = peer->nextdate + 1;
3318 	} else {
3319 		peer->nextdate += ntp_random() % (1 << peer->minpoll);
3320 	}
3321 #ifdef AUTOKEY
3322 	peer->refresh = current_time + (1 << NTP_REFRESH);
3323 #endif	/* AUTOKEY */
3324 	DPRINTF(1, ("peer_clear: at %ld next %ld associd %d refid %s\n",
3325 		    current_time, peer->nextdate, peer->associd,
3326 		    ident));
3327 }
3328 
3329 
3330 /*
3331  * clock_filter - add incoming clock sample to filter register and run
3332  *		  the filter procedure to find the best sample.
3333  */
3334 void
3335 clock_filter(
3336 	struct peer *peer,		/* peer structure pointer */
3337 	double	sample_offset,		/* clock offset */
3338 	double	sample_delay,		/* roundtrip delay */
3339 	double	sample_disp		/* dispersion */
3340 	)
3341 {
3342 	double	dst[NTP_SHIFT];		/* distance vector */
3343 	u_char	ord[NTP_SHIFT];		/* index vector */
3344 	short	i, j;
3345 	u_char	k, m;
3346 	double	dtemp, etemp;
3347 
3348 	/*
3349 	 * A sample consists of the offset, delay, dispersion and epoch
3350 	 * of arrival. The offset and delay are determined by the on-
3351 	 * wire protocol. The dispersion grows from the last outbound
3352 	 * packet to the arrival of this one increased by the sum of the
3353 	 * peer precision and the system precision as required by the
3354 	 * error budget. First, shift the new arrival into the shift
3355 	 * register discarding the oldest one.
3356 	 */
3357 	j = peer->filter_nextpt;
3358 	peer->filter_offset[j] = sample_offset;
3359 	peer->filter_delay[j] = sample_delay;
3360 	peer->filter_disp[j] = sample_disp;
3361 	peer->filter_epoch[j] = current_time;
3362 	j = (j + 1) % NTP_SHIFT;
3363 	peer->filter_nextpt = (u_char)j;
3364 
3365 	/*
3366 	 * Update dispersions since the last update and at the same
3367 	 * time initialize the distance and index lists. Since samples
3368 	 * become increasingly uncorrelated beyond the Allan intercept,
3369 	 * only under exceptional cases will an older sample be used.
3370 	 * Therefore, the distance list uses a compound metric. If the
3371 	 * dispersion is greater than the maximum dispersion, clamp the
3372 	 * distance at that value. If the time since the last update is
3373 	 * less than the Allan intercept use the delay; otherwise, use
3374 	 * the sum of the delay and dispersion.
3375 	 */
3376 	dtemp = clock_phi * (current_time - peer->update);
3377 	peer->update = current_time;
3378 	for (i = NTP_SHIFT - 1; i >= 0; i--) {
3379 		if (i != 0)
3380 			peer->filter_disp[j] += dtemp;
3381 		if (peer->filter_disp[j] >= MAXDISPERSE) {
3382 			peer->filter_disp[j] = MAXDISPERSE;
3383 			dst[i] = MAXDISPERSE;
3384 		} else if (peer->update - peer->filter_epoch[j] >
3385 		    (u_long)ULOGTOD(allan_xpt)) {
3386 			dst[i] = peer->filter_delay[j] +
3387 			    peer->filter_disp[j];
3388 		} else {
3389 			dst[i] = peer->filter_delay[j];
3390 		}
3391 		ord[i] = (u_char)j;
3392 		j = (j + 1) % NTP_SHIFT;
3393 	}
3394 
3395 	/*
3396 	 * If the clock has stabilized, sort the samples by distance.
3397 	 */
3398 	if (freq_cnt == 0) {
3399 		for (i = 1; i < NTP_SHIFT; i++) {
3400 			for (j = 0; j < i; j++) {
3401 				if (dst[j] > dst[i]) {
3402 					k = ord[j];
3403 					ord[j] = ord[i];
3404 					ord[i] = k;
3405 					etemp = dst[j];
3406 					dst[j] = dst[i];
3407 					dst[i] = etemp;
3408 				}
3409 			}
3410 		}
3411 	}
3412 
3413 	/*
3414 	 * Copy the index list to the association structure so ntpq
3415 	 * can see it later. Prune the distance list to leave only
3416 	 * samples less than the maximum dispersion, which disfavors
3417 	 * uncorrelated samples older than the Allan intercept. To
3418 	 * further improve the jitter estimate, of the remainder leave
3419 	 * only samples less than the maximum distance, but keep at
3420 	 * least two samples for jitter calculation.
3421 	 */
3422 	m = 0;
3423 	for (i = 0; i < NTP_SHIFT; i++) {
3424 		peer->filter_order[i] = ord[i];
3425 		if (   dst[i] >= MAXDISPERSE
3426 		    || (m >= 2 && dst[i] >= sys_maxdist))
3427 			continue;
3428 		m++;
3429 	}
3430 
3431 	/*
3432 	 * Compute the dispersion and jitter. The dispersion is weighted
3433 	 * exponentially by NTP_FWEIGHT (0.5) so it is normalized close
3434 	 * to 1.0. The jitter is the RMS differences relative to the
3435 	 * lowest delay sample.
3436 	 */
3437 	peer->disp = peer->jitter = 0;
3438 	k = ord[0];
3439 	for (i = NTP_SHIFT - 1; i >= 0; i--) {
3440 		j = ord[i];
3441 		peer->disp = NTP_FWEIGHT * (  peer->disp
3442 					    + peer->filter_disp[j]);
3443 		if (i < m) {
3444 			peer->jitter += DIFF(peer->filter_offset[j],
3445 					     peer->filter_offset[k]);
3446 		}
3447 	}
3448 
3449 	/*
3450 	 * If no acceptable samples remain in the shift register,
3451 	 * quietly tiptoe home leaving only the dispersion. Otherwise,
3452 	 * save the offset, delay and jitter. Note the jitter must not
3453 	 * be less than the precision.
3454 	 */
3455 	if (0 == m) {
3456 		clock_select();
3457 		return;
3458 	}
3459 	etemp = fabs(peer->offset - peer->filter_offset[k]);
3460 	peer->offset = peer->filter_offset[k];
3461 	peer->delay = peer->filter_delay[k];
3462 	if (m > 1) {
3463 		peer->jitter /= m - 1;
3464 	}
3465 	peer->jitter = max(SQRT(peer->jitter), LOGTOD(sys_precision));
3466 
3467 	/*
3468 	 * If the the new sample and the current sample are both valid
3469 	 * and the difference between their offsets exceeds CLOCK_SGATE
3470 	 * (3) times the jitter and the interval between them is less
3471 	 * than twice the host poll interval, consider the new sample
3472 	 * a popcorn spike and ignore it.
3473 	 */
3474 	if (   peer->disp < sys_maxdist
3475 	    && peer->filter_disp[k] < sys_maxdist
3476 	    && etemp > CLOCK_SGATE * peer->jitter
3477 	    &&   peer->filter_epoch[k] - peer->epoch
3478 	       < 2. * ULOGTOD(peer->hpoll)) {
3479 		mprintf_event(PEVNT_POPCORN, peer, "%.9f s", etemp);
3480 		return;
3481 	}
3482 
3483 	/*
3484 	 * A new minimum sample is useful only if it is later than the
3485 	 * last one used. In this design the maximum lifetime of any
3486 	 * sample is not greater than NTP_SHIFT (8) times the poll
3487 	 * interval, so the maximum interval between minimum samples is
3488 	 * NTP_SHIFT packets.
3489 	 */
3490 	if (peer->filter_epoch[k] <= peer->epoch) {
3491 		DPRINTF(2, ("clock_filter: old sample %lu s\n",
3492 			    current_time - peer->filter_epoch[k]));
3493 		return;
3494 	}
3495 	peer->epoch = peer->filter_epoch[k];
3496 
3497 	/*
3498 	 * The mitigated sample statistics are saved for later
3499 	 * processing. If not synchronized or not in a burst, tickle the
3500 	 * clock select algorithm.
3501 	 */
3502 	record_peer_stats(&peer->srcadr, ctlpeerstatus(peer), peer->offset,
3503 			  peer->delay, peer->disp, peer->jitter);
3504 	DPRINTF(1, ("clock_filter: n %hu off %.9f del %.9f dsp %.9f jit %.9f\n",
3505 		    (u_short)m, peer->offset, peer->delay, peer->disp,
3506 		    peer->jitter));
3507 	if (0 == peer->burst || LEAP_NOTINSYNC == sys_leap) {
3508 		clock_select();
3509 	}
3510 }
3511 
3512 
3513 /*
3514  * clock_select - find the pick-of-the-litter clock
3515  *
3516  * LOCKCLOCK: (1) If the local clock is the prefer peer, it will always
3517  * be enabled, even if declared falseticker, (2) only the prefer peer
3518  * can be selected as the system peer, (3) if the external source is
3519  * down, the system leap bits are set to 11 and the stratum set to
3520  * infinity.
3521  */
3522 void
3523 clock_select(void)
3524 {
3525 	struct peer *peer;
3526 	int	i, j, k, n;
3527 	int	nlist, nl2;
3528 	int	allow;
3529 	int	speer;
3530 	double	d, e, f, g;
3531 	double	high, low;
3532 	double	speermet;
3533 	double	lastresort_dist = MAXDISPERSE;
3534 	double	orphmet = 2.0 * U_INT32_MAX; /* 2x is greater than */
3535 	struct endpoint endp;
3536 	struct peer *osys_peer;
3537 	struct peer *sys_prefer = NULL;	/* prefer peer */
3538 	struct peer *typesystem = NULL;
3539 	struct peer *typelastresort = NULL;
3540 	struct peer *typeorphan = NULL;
3541 #ifdef REFCLOCK
3542 	struct peer *typeacts = NULL;
3543 	struct peer *typelocal = NULL;
3544 	struct peer *typepps = NULL;
3545 #endif /* REFCLOCK */
3546 	static struct endpoint *endpoint = NULL;
3547 	static int *indx = NULL;
3548 	static peer_select *peers = NULL;
3549 	static u_int endpoint_size = 0;
3550 	static u_int peers_size = 0;
3551 	static u_int indx_size = 0;
3552 	size_t octets;
3553 
3554 	/*
3555 	 * Initialize and create endpoint, index and peer lists big
3556 	 * enough to handle all associations.
3557 	 */
3558 	osys_peer = sys_peer;
3559 	sys_survivors = 0;
3560 #ifdef LOCKCLOCK
3561 	set_sys_leap(LEAP_NOTINSYNC);
3562 	sys_stratum = STRATUM_UNSPEC;
3563 	memcpy(&sys_refid, "DOWN", 4);
3564 #endif /* LOCKCLOCK */
3565 
3566 	/*
3567 	 * Allocate dynamic space depending on the number of
3568 	 * associations.
3569 	 */
3570 	nlist = 1;
3571 	for (peer = peer_list; peer != NULL; peer = peer->p_link)
3572 		nlist++;
3573 	endpoint_size = ALIGNED_SIZE(nlist * 2 * sizeof(*endpoint));
3574 	peers_size = ALIGNED_SIZE(nlist * sizeof(*peers));
3575 	indx_size = ALIGNED_SIZE(nlist * 2 * sizeof(*indx));
3576 	octets = endpoint_size + peers_size + indx_size;
3577 	endpoint = erealloc(endpoint, octets);
3578 	peers = INC_ALIGNED_PTR(endpoint, endpoint_size);
3579 	indx = INC_ALIGNED_PTR(peers, peers_size);
3580 
3581 	/*
3582 	 * Initially, we populate the island with all the rifraff peers
3583 	 * that happen to be lying around. Those with seriously
3584 	 * defective clocks are immediately booted off the island. Then,
3585 	 * the falsetickers are culled and put to sea. The truechimers
3586 	 * remaining are subject to repeated rounds where the most
3587 	 * unpopular at each round is kicked off. When the population
3588 	 * has dwindled to sys_minclock, the survivors split a million
3589 	 * bucks and collectively crank the chimes.
3590 	 */
3591 	nlist = nl2 = 0;	/* none yet */
3592 	for (peer = peer_list; peer != NULL; peer = peer->p_link) {
3593 		peer->new_status = CTL_PST_SEL_REJECT;
3594 
3595 		/*
3596 		 * Leave the island immediately if the peer is
3597 		 * unfit to synchronize.
3598 		 */
3599 		if (peer_unfit(peer)) {
3600 			continue;
3601 		}
3602 
3603 		/*
3604 		 * If we have never been synchronised, look for any peer
3605 		 * which has ever been synchronised and pick the one which
3606 		 * has the lowest root distance. This can be used as a last
3607 		 * resort if all else fails. Once we get an initial sync
3608 		 * with this peer, sys_reftime gets set and so this
3609 		 * function becomes disabled.
3610 		 */
3611 		if (L_ISZERO(&sys_reftime)) {
3612 			d = root_distance(peer);
3613 			if (!L_ISZERO(&peer->reftime) && d < lastresort_dist) {
3614 				typelastresort = peer;
3615 				lastresort_dist = d;
3616 			}
3617 		}
3618 
3619 		/*
3620 		 * If this peer is an orphan parent, elect the
3621 		 * one with the lowest metric defined as the
3622 		 * IPv4 address or the first 64 bits of the
3623 		 * hashed IPv6 address.  To ensure convergence
3624 		 * on the same selected orphan, consider as
3625 		 * well that this system may have the lowest
3626 		 * metric and be the orphan parent.  If this
3627 		 * system wins, sys_peer will be NULL to trigger
3628 		 * orphan mode in timer().
3629 		 */
3630 		if (peer->stratum == sys_orphan) {
3631 			u_int32	localmet;
3632 			u_int32 peermet;
3633 
3634 			if (peer->dstadr != NULL)
3635 				localmet = ntohl(peer->dstadr->addr_refid);
3636 			else
3637 				localmet = U_INT32_MAX;
3638 			peermet = ntohl(addr2refid(&peer->srcadr));
3639 			if (peermet < localmet && peermet < orphmet) {
3640 				typeorphan = peer;
3641 				orphmet = peermet;
3642 			}
3643 			continue;
3644 		}
3645 
3646 		/*
3647 		 * If this peer could have the orphan parent
3648 		 * as a synchronization ancestor, exclude it
3649 		 * from selection to avoid forming a
3650 		 * synchronization loop within the orphan mesh,
3651 		 * triggering stratum climb to infinity
3652 		 * instability.  Peers at stratum higher than
3653 		 * the orphan stratum could have the orphan
3654 		 * parent in ancestry so are excluded.
3655 		 * See http://bugs.ntp.org/2050
3656 		 */
3657 		if (peer->stratum > sys_orphan) {
3658 			continue;
3659 		}
3660 #ifdef REFCLOCK
3661 		/*
3662 		 * The following are special cases. We deal
3663 		 * with them later.
3664 		 */
3665 		if (!(peer->flags & FLAG_PREFER)) {
3666 			switch (peer->refclktype) {
3667 			case REFCLK_LOCALCLOCK:
3668 				if (   current_time > orphwait
3669 				    && typelocal == NULL)
3670 					typelocal = peer;
3671 				continue;
3672 
3673 			case REFCLK_ACTS:
3674 				if (   current_time > orphwait
3675 				    && typeacts == NULL)
3676 					typeacts = peer;
3677 				continue;
3678 			}
3679 		}
3680 #endif /* REFCLOCK */
3681 
3682 		/*
3683 		 * If we get this far, the peer can stay on the
3684 		 * island, but does not yet have the immunity
3685 		 * idol.
3686 		 */
3687 		peer->new_status = CTL_PST_SEL_SANE;
3688 		f = root_distance(peer);
3689 		peers[nlist].peer = peer;
3690 		peers[nlist].error = peer->jitter;
3691 		peers[nlist].synch = f;
3692 		nlist++;
3693 
3694 		/*
3695 		 * Insert each interval endpoint on the unsorted
3696 		 * endpoint[] list.
3697 		 */
3698 		e = peer->offset;
3699 		endpoint[nl2].type = -1;	/* lower end */
3700 		endpoint[nl2].val = e - f;
3701 		nl2++;
3702 		endpoint[nl2].type = 1;		/* upper end */
3703 		endpoint[nl2].val = e + f;
3704 		nl2++;
3705 	}
3706 	/*
3707 	 * Construct sorted indx[] of endpoint[] indexes ordered by
3708 	 * offset.
3709 	 */
3710 	for (i = 0; i < nl2; i++)
3711 		indx[i] = i;
3712 	for (i = 0; i < nl2; i++) {
3713 		endp = endpoint[indx[i]];
3714 		e = endp.val;
3715 		k = i;
3716 		for (j = i + 1; j < nl2; j++) {
3717 			endp = endpoint[indx[j]];
3718 			if (endp.val < e) {
3719 				e = endp.val;
3720 				k = j;
3721 			}
3722 		}
3723 		if (k != i) {
3724 			j = indx[k];
3725 			indx[k] = indx[i];
3726 			indx[i] = j;
3727 		}
3728 	}
3729 	for (i = 0; i < nl2; i++)
3730 		DPRINTF(3, ("select: endpoint %2d %.6f\n",
3731 			endpoint[indx[i]].type, endpoint[indx[i]].val));
3732 
3733 	/*
3734 	 * This is the actual algorithm that cleaves the truechimers
3735 	 * from the falsetickers. The original algorithm was described
3736 	 * in Keith Marzullo's dissertation, but has been modified for
3737 	 * better accuracy.
3738 	 *
3739 	 * Briefly put, we first assume there are no falsetickers, then
3740 	 * scan the candidate list first from the low end upwards and
3741 	 * then from the high end downwards. The scans stop when the
3742 	 * number of intersections equals the number of candidates less
3743 	 * the number of falsetickers. If this doesn't happen for a
3744 	 * given number of falsetickers, we bump the number of
3745 	 * falsetickers and try again. If the number of falsetickers
3746 	 * becomes equal to or greater than half the number of
3747 	 * candidates, the Albanians have won the Byzantine wars and
3748 	 * correct synchronization is not possible.
3749 	 *
3750 	 * Here, nlist is the number of candidates and allow is the
3751 	 * number of falsetickers. Upon exit, the truechimers are the
3752 	 * survivors with offsets not less than low and not greater than
3753 	 * high. There may be none of them.
3754 	 */
3755 	low = 1e9;
3756 	high = -1e9;
3757 	for (allow = 0; 2 * allow < nlist; allow++) {
3758 
3759 		/*
3760 		 * Bound the interval (low, high) as the smallest
3761 		 * interval containing points from the most sources.
3762 		 */
3763 		n = 0;
3764 		for (i = 0; i < nl2; i++) {
3765 			low = endpoint[indx[i]].val;
3766 			n -= endpoint[indx[i]].type;
3767 			if (n >= nlist - allow)
3768 				break;
3769 		}
3770 		n = 0;
3771 		for (j = nl2 - 1; j >= 0; j--) {
3772 			high = endpoint[indx[j]].val;
3773 			n += endpoint[indx[j]].type;
3774 			if (n >= nlist - allow)
3775 				break;
3776 		}
3777 
3778 		/*
3779 		 * If an interval containing truechimers is found, stop.
3780 		 * If not, increase the number of falsetickers and go
3781 		 * around again.
3782 		 */
3783 		if (high > low)
3784 			break;
3785 	}
3786 
3787 	/*
3788 	 * Clustering algorithm. Whittle candidate list of falsetickers,
3789 	 * who leave the island immediately. The TRUE peer is always a
3790 	 * truechimer. We must leave at least one peer to collect the
3791 	 * million bucks.
3792 	 *
3793 	 * We assert the correct time is contained in the interval, but
3794 	 * the best offset estimate for the interval might not be
3795 	 * contained in the interval. For this purpose, a truechimer is
3796 	 * defined as the midpoint of an interval that overlaps the
3797 	 * intersection interval.
3798 	 */
3799 	j = 0;
3800 	for (i = 0; i < nlist; i++) {
3801 		double	h;
3802 
3803 		peer = peers[i].peer;
3804 		h = peers[i].synch;
3805 		if ((   high <= low
3806 		     || peer->offset + h < low
3807 		     || peer->offset - h > high
3808 		    ) && !(peer->flags & FLAG_TRUE))
3809 			continue;
3810 
3811 #ifdef REFCLOCK
3812 		/*
3813 		 * Eligible PPS peers must survive the intersection
3814 		 * algorithm. Use the first one found, but don't
3815 		 * include any of them in the cluster population.
3816 		 */
3817 		if (peer->flags & FLAG_PPS) {
3818 			if (typepps == NULL)
3819 				typepps = peer;
3820 			if (!(peer->flags & FLAG_TSTAMP_PPS))
3821 				continue;
3822 		}
3823 #endif /* REFCLOCK */
3824 
3825 		if (j != i)
3826 			peers[j] = peers[i];
3827 		j++;
3828 	}
3829 	nlist = j;
3830 
3831 	/*
3832 	 * If no survivors remain at this point, check if the modem
3833 	 * driver, local driver or orphan parent in that order. If so,
3834 	 * nominate the first one found as the only survivor.
3835 	 * Otherwise, give up and leave the island to the rats.
3836 	 */
3837 	if (nlist == 0) {
3838 		peers[0].error = 0;
3839 		peers[0].synch = sys_mindisp;
3840 #ifdef REFCLOCK
3841 		if (typeacts != NULL) {
3842 			peers[0].peer = typeacts;
3843 			nlist = 1;
3844 		} else if (typelocal != NULL) {
3845 			peers[0].peer = typelocal;
3846 			nlist = 1;
3847 		} else
3848 #endif /* REFCLOCK */
3849 		if (typeorphan != NULL) {
3850 			peers[0].peer = typeorphan;
3851 			nlist = 1;
3852 		} else if (typelastresort != NULL) {
3853 			peers[0].peer = typelastresort;
3854 			nlist = 1;
3855 		}
3856 	}
3857 
3858 	/*
3859 	 * Mark the candidates at this point as truechimers.
3860 	 */
3861 	for (i = 0; i < nlist; i++) {
3862 		peers[i].peer->new_status = CTL_PST_SEL_SELCAND;
3863 		DPRINTF(2, ("select: survivor %s %f\n",
3864 			stoa(&peers[i].peer->srcadr), peers[i].synch));
3865 	}
3866 
3867 	/*
3868 	 * Now, vote outliers off the island by select jitter weighted
3869 	 * by root distance. Continue voting as long as there are more
3870 	 * than sys_minclock survivors and the select jitter of the peer
3871 	 * with the worst metric is greater than the minimum peer
3872 	 * jitter. Stop if we are about to discard a TRUE or PREFER
3873 	 * peer, who of course have the immunity idol.
3874 	 */
3875 	while (1) {
3876 		d = 1e9;
3877 		e = -1e9;
3878 		g = 0;
3879 		k = 0;
3880 		for (i = 0; i < nlist; i++) {
3881 			if (peers[i].error < d)
3882 				d = peers[i].error;
3883 			peers[i].seljit = 0;
3884 			if (nlist > 1) {
3885 				f = 0;
3886 				for (j = 0; j < nlist; j++)
3887 					f += DIFF(peers[j].peer->offset,
3888 					    peers[i].peer->offset);
3889 				peers[i].seljit = SQRT(f / (nlist - 1));
3890 			}
3891 			if (peers[i].seljit * peers[i].synch > e) {
3892 				g = peers[i].seljit;
3893 				e = peers[i].seljit * peers[i].synch;
3894 				k = i;
3895 			}
3896 		}
3897 		g = max(g, LOGTOD(sys_precision));
3898 		if (   nlist <= max(1, sys_minclock)
3899 		    || g <= d
3900 		    || ((FLAG_TRUE | FLAG_PREFER) & peers[k].peer->flags))
3901 			break;
3902 
3903 		DPRINTF(3, ("select: drop %s seljit %.9f jit %.9f\n",
3904 			ntoa(&peers[k].peer->srcadr), g, d));
3905 		if (nlist > sys_maxclock)
3906 			peers[k].peer->new_status = CTL_PST_SEL_EXCESS;
3907 		for (j = k + 1; j < nlist; j++)
3908 			peers[j - 1] = peers[j];
3909 		nlist--;
3910 	}
3911 
3912 	/*
3913 	 * What remains is a list usually not greater than sys_minclock
3914 	 * peers. Note that unsynchronized peers cannot survive this
3915 	 * far.  Count and mark these survivors.
3916 	 *
3917 	 * While at it, count the number of leap warning bits found.
3918 	 * This will be used later to vote the system leap warning bit.
3919 	 * If a leap warning bit is found on a reference clock, the vote
3920 	 * is always won.
3921 	 *
3922 	 * Choose the system peer using a hybrid metric composed of the
3923 	 * selection jitter scaled by the root distance augmented by
3924 	 * stratum scaled by sys_mindisp (.001 by default). The goal of
3925 	 * the small stratum factor is to avoid clockhop between a
3926 	 * reference clock and a network peer which has a refclock and
3927 	 * is using an older ntpd, which does not floor sys_rootdisp at
3928 	 * sys_mindisp.
3929 	 *
3930 	 * In contrast, ntpd 4.2.6 and earlier used stratum primarily
3931 	 * in selecting the system peer, using a weight of 1 second of
3932 	 * additional root distance per stratum.  This heavy bias is no
3933 	 * longer appropriate, as the scaled root distance provides a
3934 	 * more rational metric carrying the cumulative error budget.
3935 	 */
3936 	e = 1e9;
3937 	speer = 0;
3938 	leap_vote_ins = 0;
3939 	leap_vote_del = 0;
3940 	for (i = 0; i < nlist; i++) {
3941 		peer = peers[i].peer;
3942 		peer->unreach = 0;
3943 		peer->new_status = CTL_PST_SEL_SYNCCAND;
3944 		sys_survivors++;
3945 		if (peer->leap == LEAP_ADDSECOND) {
3946 			if (peer->flags & FLAG_REFCLOCK)
3947 				leap_vote_ins = nlist;
3948 			else if (leap_vote_ins < nlist)
3949 				leap_vote_ins++;
3950 		}
3951 		if (peer->leap == LEAP_DELSECOND) {
3952 			if (peer->flags & FLAG_REFCLOCK)
3953 				leap_vote_del = nlist;
3954 			else if (leap_vote_del < nlist)
3955 				leap_vote_del++;
3956 		}
3957 		if (peer->flags & FLAG_PREFER)
3958 			sys_prefer = peer;
3959 		speermet = peers[i].seljit * peers[i].synch +
3960 		    peer->stratum * sys_mindisp;
3961 		if (speermet < e) {
3962 			e = speermet;
3963 			speer = i;
3964 		}
3965 	}
3966 
3967 	/*
3968 	 * Unless there are at least sys_misane survivors, leave the
3969 	 * building dark. Otherwise, do a clockhop dance. Ordinarily,
3970 	 * use the selected survivor speer. However, if the current
3971 	 * system peer is not speer, stay with the current system peer
3972 	 * as long as it doesn't get too old or too ugly.
3973 	 */
3974 	if (nlist > 0 && nlist >= sys_minsane) {
3975 		double	x;
3976 
3977 		typesystem = peers[speer].peer;
3978 		if (osys_peer == NULL || osys_peer == typesystem) {
3979 			sys_clockhop = 0;
3980 		} else if ((x = fabs(typesystem->offset -
3981 		    osys_peer->offset)) < sys_mindisp) {
3982 			if (0 == sys_clockhop)
3983 				sys_clockhop = sys_mindisp;
3984 			else
3985 				sys_clockhop *= .5;
3986 			DPRINTF(1, ("select: clockhop %d %.9f %.9f\n",
3987 				j, x, sys_clockhop));
3988 			if (x < sys_clockhop)
3989 				typesystem = osys_peer;
3990 			else
3991 				sys_clockhop = 0;
3992 		} else {
3993 			sys_clockhop = 0;
3994 		}
3995 	}
3996 
3997 	/*
3998 	 * Mitigation rules of the game. We have the pick of the
3999 	 * litter in typesystem if any survivors are left. If
4000 	 * there is a prefer peer, use its offset and jitter.
4001 	 * Otherwise, use the combined offset and jitter of all kitters.
4002 	 */
4003 	if (typesystem != NULL) {
4004 		if (sys_prefer == NULL) {
4005 			typesystem->new_status = CTL_PST_SEL_SYSPEER;
4006 			clock_combine(peers, sys_survivors, speer);
4007 		} else {
4008 			typesystem = sys_prefer;
4009 			sys_clockhop = 0;
4010 			typesystem->new_status = CTL_PST_SEL_SYSPEER;
4011 			sys_offset = typesystem->offset;
4012 			sys_jitter = typesystem->jitter;
4013 		}
4014 		DPRINTF(1, ("select: combine offset %.9f jitter %.9f\n",
4015 			sys_offset, sys_jitter));
4016 	}
4017 #ifdef REFCLOCK
4018 	/*
4019 	 * If a PPS driver is lit and the combined offset is less than
4020 	 * 0.4 s, select the driver as the PPS peer and use its offset
4021 	 * and jitter. However, if this is the atom driver, use it only
4022 	 * if there is a prefer peer or there are no survivors and none
4023 	 * are required.
4024 	 */
4025 	if (   typepps != NULL
4026 	    && fabs(sys_offset) < 0.4
4027 	    && (   typepps->refclktype != REFCLK_ATOM_PPS
4028 		|| (   typepps->refclktype == REFCLK_ATOM_PPS
4029 		    && (   sys_prefer != NULL
4030 			|| (typesystem == NULL && sys_minsane == 0))))) {
4031 		typesystem = typepps;
4032 		sys_clockhop = 0;
4033 		typesystem->new_status = CTL_PST_SEL_PPS;
4034 		sys_offset = typesystem->offset;
4035 		sys_jitter = typesystem->jitter;
4036 		DPRINTF(1, ("select: pps offset %.9f jitter %.9f\n",
4037 			sys_offset, sys_jitter));
4038 	}
4039 #endif /* REFCLOCK */
4040 
4041 	/*
4042 	 * If there are no survivors at this point, there is no
4043 	 * system peer. If so and this is an old update, keep the
4044 	 * current statistics, but do not update the clock.
4045 	 */
4046 	if (typesystem == NULL) {
4047 		if (osys_peer != NULL) {
4048 			orphwait = current_time + sys_orphwait;
4049 			report_event(EVNT_NOPEER, NULL, NULL);
4050 		}
4051 		sys_peer = NULL;
4052 		for (peer = peer_list; peer != NULL; peer = peer->p_link)
4053 			peer->status = peer->new_status;
4054 		return;
4055 	}
4056 
4057 	/*
4058 	 * Do not use old data, as this may mess up the clock discipline
4059 	 * stability.
4060 	 */
4061 	if (typesystem->epoch <= sys_epoch)
4062 		return;
4063 
4064 	/*
4065 	 * We have found the alpha male. Wind the clock.
4066 	 */
4067 	if (osys_peer != typesystem)
4068 		report_event(PEVNT_NEWPEER, typesystem, NULL);
4069 	for (peer = peer_list; peer != NULL; peer = peer->p_link)
4070 		peer->status = peer->new_status;
4071 	clock_update(typesystem);
4072 }
4073 
4074 
4075 static void
4076 clock_combine(
4077 	peer_select *	peers,	/* survivor list */
4078 	int		npeers,	/* number of survivors */
4079 	int		syspeer	/* index of sys.peer */
4080 	)
4081 {
4082 	int	i;
4083 	double	x, y, z, w;
4084 
4085 	y = z = w = 0;
4086 	for (i = 0; i < npeers; i++) {
4087 		x = 1. / peers[i].synch;
4088 		y += x;
4089 		z += x * peers[i].peer->offset;
4090 		w += x * DIFF(peers[i].peer->offset,
4091 		    peers[syspeer].peer->offset);
4092 	}
4093 	sys_offset = z / y;
4094 	sys_jitter = SQRT(w / y + SQUARE(peers[syspeer].seljit));
4095 }
4096 
4097 
4098 /*
4099  * root_distance - compute synchronization distance from peer to root
4100  */
4101 static double
4102 root_distance(
4103 	struct peer *peer	/* peer structure pointer */
4104 	)
4105 {
4106 	double	dtemp;
4107 
4108 	/*
4109 	 * Root Distance (LAMBDA) is defined as:
4110 	 * (delta + DELTA)/2 + epsilon + EPSILON + D
4111 	 *
4112 	 * where:
4113 	 *  delta   is the round-trip delay
4114 	 *  DELTA   is the root delay
4115 	 *  epsilon is the peer dispersion
4116 	 *	    + (15 usec each second)
4117 	 *  EPSILON is the root dispersion
4118 	 *  D       is sys_jitter
4119 	 *
4120 	 * NB: Think hard about why we are using these values, and what
4121 	 * the alternatives are, and the various pros/cons.
4122 	 *
4123 	 * DLM thinks these are probably the best choices from any of the
4124 	 * other worse choices.
4125 	 */
4126 	dtemp = (peer->delay + peer->rootdelay) / 2
4127 		+ peer->disp
4128 		  + clock_phi * (current_time - peer->update)
4129 		+ peer->rootdisp
4130 		+ peer->jitter;
4131 	/*
4132 	 * Careful squeak here. The value returned must be greater than
4133 	 * the minimum root dispersion in order to avoid clockhop with
4134 	 * highly precise reference clocks. Note that the root distance
4135 	 * cannot exceed the sys_maxdist, as this is the cutoff by the
4136 	 * selection algorithm.
4137 	 */
4138 	if (dtemp < sys_mindisp)
4139 		dtemp = sys_mindisp;
4140 	return (dtemp);
4141 }
4142 
4143 
4144 /*
4145  * peer_xmit - send packet for persistent association.
4146  */
4147 static void
4148 peer_xmit(
4149 	struct peer *peer	/* peer structure pointer */
4150 	)
4151 {
4152 	struct pkt xpkt;	/* transmit packet */
4153 	size_t	sendlen, authlen;
4154 	keyid_t	xkeyid = 0;	/* transmit key ID */
4155 	l_fp	xmt_tx, xmt_ty;
4156 
4157 	if (!peer->dstadr) {	/* can't send */
4158 		return;
4159 	}
4160 	xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_leap, peer->version,
4161 	    peer->hmode);
4162 	xpkt.stratum = STRATUM_TO_PKT(sys_stratum);
4163 	xpkt.ppoll = peer->hpoll;
4164 	xpkt.precision = sys_precision;
4165 	xpkt.refid = sys_refid;
4166 	xpkt.rootdelay = HTONS_FP(DTOFP(sys_rootdelay));
4167 	xpkt.rootdisp =  HTONS_FP(DTOUFP(sys_rootdisp));
4168 	/* Use sys_reftime for peer exchanges */
4169 	HTONL_FP(&sys_reftime, &xpkt.reftime);
4170 	HTONL_FP(&peer->rec, &xpkt.org);
4171 	HTONL_FP(&peer->dst, &xpkt.rec);
4172 
4173 	/*
4174 	 * If the received packet contains a MAC, the transmitted packet
4175 	 * is authenticated and contains a MAC. If not, the transmitted
4176 	 * packet is not authenticated.
4177 	 *
4178 	 * It is most important when autokey is in use that the local
4179 	 * interface IP address be known before the first packet is
4180 	 * sent. Otherwise, it is not possible to compute a correct MAC
4181 	 * the recipient will accept. Thus, the I/O semantics have to do
4182 	 * a little more work. In particular, the wildcard interface
4183 	 * might not be usable.
4184 	 */
4185 	sendlen = LEN_PKT_NOMAC;
4186 	if (
4187 #ifdef AUTOKEY
4188 	    !(peer->flags & FLAG_SKEY) &&
4189 #endif	/* !AUTOKEY */
4190 	    peer->keyid == 0) {
4191 
4192 		/*
4193 		 * Transmit a-priori timestamps
4194 		 */
4195 		get_systime(&xmt_tx);
4196 		if (peer->flip == 0) {	/* basic mode */
4197 			peer->aorg = xmt_tx;
4198 			HTONL_FP(&xmt_tx, &xpkt.xmt);
4199 		} else {		/* interleaved modes */
4200 			if (peer->hmode == MODE_BROADCAST) { /* bcst */
4201 				HTONL_FP(&xmt_tx, &xpkt.xmt);
4202 				if (peer->flip > 0)
4203 					HTONL_FP(&peer->borg,
4204 					    &xpkt.org);
4205 				else
4206 					HTONL_FP(&peer->aorg,
4207 					    &xpkt.org);
4208 			} else {	/* symmetric */
4209 				if (peer->flip > 0)
4210 					HTONL_FP(&peer->borg,
4211 					    &xpkt.xmt);
4212 				else
4213 					HTONL_FP(&peer->aorg,
4214 					    &xpkt.xmt);
4215 			}
4216 		}
4217 		peer->t21_bytes = sendlen;
4218 		sendpkt(&peer->srcadr, peer->dstadr,
4219 			sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
4220 			&xpkt, sendlen);
4221 		peer->sent++;
4222 		peer->throttle += (1 << peer->minpoll) - 2;
4223 
4224 		/*
4225 		 * Capture a-posteriori timestamps
4226 		 */
4227 		get_systime(&xmt_ty);
4228 		if (peer->flip != 0) {		/* interleaved modes */
4229 			if (peer->flip > 0)
4230 				peer->aorg = xmt_ty;
4231 			else
4232 				peer->borg = xmt_ty;
4233 			peer->flip = -peer->flip;
4234 		}
4235 		L_SUB(&xmt_ty, &xmt_tx);
4236 		LFPTOD(&xmt_ty, peer->xleave);
4237 		DPRINTF(1, ("peer_xmit: at %ld %s->%s mode %d len %zu xmt 0x%x.%08x\n",
4238 			    current_time, latoa(peer->dstadr),
4239 			    stoa(&peer->srcadr), peer->hmode, sendlen,
4240 			    xmt_tx.l_ui, xmt_tx.l_uf));
4241 		return;
4242 	}
4243 
4244 	/*
4245 	 * Authentication is enabled, so the transmitted packet must be
4246 	 * authenticated. If autokey is enabled, fuss with the various
4247 	 * modes; otherwise, symmetric key cryptography is used.
4248 	 */
4249 #ifdef AUTOKEY
4250 	if (peer->flags & FLAG_SKEY) {
4251 		struct exten *exten;	/* extension field */
4252 
4253 		/*
4254 		 * The Public Key Dance (PKD): Cryptographic credentials
4255 		 * are contained in extension fields, each including a
4256 		 * 4-octet length/code word followed by a 4-octet
4257 		 * association ID and optional additional data. Optional
4258 		 * data includes a 4-octet data length field followed by
4259 		 * the data itself. Request messages are sent from a
4260 		 * configured association; response messages can be sent
4261 		 * from a configured association or can take the fast
4262 		 * path without ever matching an association. Response
4263 		 * messages have the same code as the request, but have
4264 		 * a response bit and possibly an error bit set. In this
4265 		 * implementation, a message may contain no more than
4266 		 * one command and one or more responses.
4267 		 *
4268 		 * Cryptographic session keys include both a public and
4269 		 * a private componet. Request and response messages
4270 		 * using extension fields are always sent with the
4271 		 * private component set to zero. Packets without
4272 		 * extension fields indlude the private component when
4273 		 * the session key is generated.
4274 		 */
4275 		while (1) {
4276 
4277 			/*
4278 			 * Allocate and initialize a keylist if not
4279 			 * already done. Then, use the list in inverse
4280 			 * order, discarding keys once used. Keep the
4281 			 * latest key around until the next one, so
4282 			 * clients can use client/server packets to
4283 			 * compute propagation delay.
4284 			 *
4285 			 * Note that once a key is used from the list,
4286 			 * it is retained in the key cache until the
4287 			 * next key is used. This is to allow a client
4288 			 * to retrieve the encrypted session key
4289 			 * identifier to verify authenticity.
4290 			 *
4291 			 * If for some reason a key is no longer in the
4292 			 * key cache, a birthday has happened or the key
4293 			 * has expired, so the pseudo-random sequence is
4294 			 * broken. In that case, purge the keylist and
4295 			 * regenerate it.
4296 			 */
4297 			if (peer->keynumber == 0)
4298 				make_keylist(peer, peer->dstadr);
4299 			else
4300 				peer->keynumber--;
4301 			xkeyid = peer->keylist[peer->keynumber];
4302 			if (authistrusted(xkeyid))
4303 				break;
4304 			else
4305 				key_expire(peer);
4306 		}
4307 		peer->keyid = xkeyid;
4308 		exten = NULL;
4309 		switch (peer->hmode) {
4310 
4311 		/*
4312 		 * In broadcast server mode the autokey values are
4313 		 * required by the broadcast clients. Push them when a
4314 		 * new keylist is generated; otherwise, push the
4315 		 * association message so the client can request them at
4316 		 * other times.
4317 		 */
4318 		case MODE_BROADCAST:
4319 			if (peer->flags & FLAG_ASSOC)
4320 				exten = crypto_args(peer, CRYPTO_AUTO |
4321 				    CRYPTO_RESP, peer->associd, NULL);
4322 			else
4323 				exten = crypto_args(peer, CRYPTO_ASSOC |
4324 				    CRYPTO_RESP, peer->associd, NULL);
4325 			break;
4326 
4327 		/*
4328 		 * In symmetric modes the parameter, certificate,
4329 		 * identity, cookie and autokey exchanges are
4330 		 * required. The leapsecond exchange is optional. But, a
4331 		 * peer will not believe the other peer until the other
4332 		 * peer has synchronized, so the certificate exchange
4333 		 * might loop until then. If a peer finds a broken
4334 		 * autokey sequence, it uses the autokey exchange to
4335 		 * retrieve the autokey values. In any case, if a new
4336 		 * keylist is generated, the autokey values are pushed.
4337 		 */
4338 		case MODE_ACTIVE:
4339 		case MODE_PASSIVE:
4340 
4341 			/*
4342 			 * Parameter, certificate and identity.
4343 			 */
4344 			if (!peer->crypto)
4345 				exten = crypto_args(peer, CRYPTO_ASSOC,
4346 				    peer->associd, hostval.ptr);
4347 			else if (!(peer->crypto & CRYPTO_FLAG_CERT))
4348 				exten = crypto_args(peer, CRYPTO_CERT,
4349 				    peer->associd, peer->issuer);
4350 			else if (!(peer->crypto & CRYPTO_FLAG_VRFY))
4351 				exten = crypto_args(peer,
4352 				    crypto_ident(peer), peer->associd,
4353 				    NULL);
4354 
4355 			/*
4356 			 * Cookie and autokey. We request the cookie
4357 			 * only when the this peer and the other peer
4358 			 * are synchronized. But, this peer needs the
4359 			 * autokey values when the cookie is zero. Any
4360 			 * time we regenerate the key list, we offer the
4361 			 * autokey values without being asked. If for
4362 			 * some reason either peer finds a broken
4363 			 * autokey sequence, the autokey exchange is
4364 			 * used to retrieve the autokey values.
4365 			 */
4366 			else if (   sys_leap != LEAP_NOTINSYNC
4367 				 && peer->leap != LEAP_NOTINSYNC
4368 				 && !(peer->crypto & CRYPTO_FLAG_COOK))
4369 				exten = crypto_args(peer, CRYPTO_COOK,
4370 				    peer->associd, NULL);
4371 			else if (!(peer->crypto & CRYPTO_FLAG_AUTO))
4372 				exten = crypto_args(peer, CRYPTO_AUTO,
4373 				    peer->associd, NULL);
4374 			else if (   peer->flags & FLAG_ASSOC
4375 				 && peer->crypto & CRYPTO_FLAG_SIGN)
4376 				exten = crypto_args(peer, CRYPTO_AUTO |
4377 				    CRYPTO_RESP, peer->assoc, NULL);
4378 
4379 			/*
4380 			 * Wait for clock sync, then sign the
4381 			 * certificate and retrieve the leapsecond
4382 			 * values.
4383 			 */
4384 			else if (sys_leap == LEAP_NOTINSYNC)
4385 				break;
4386 
4387 			else if (!(peer->crypto & CRYPTO_FLAG_SIGN))
4388 				exten = crypto_args(peer, CRYPTO_SIGN,
4389 				    peer->associd, hostval.ptr);
4390 			else if (!(peer->crypto & CRYPTO_FLAG_LEAP))
4391 				exten = crypto_args(peer, CRYPTO_LEAP,
4392 				    peer->associd, NULL);
4393 			break;
4394 
4395 		/*
4396 		 * In client mode the parameter, certificate, identity,
4397 		 * cookie and sign exchanges are required. The
4398 		 * leapsecond exchange is optional. If broadcast client
4399 		 * mode the same exchanges are required, except that the
4400 		 * autokey exchange is substitutes for the cookie
4401 		 * exchange, since the cookie is always zero. If the
4402 		 * broadcast client finds a broken autokey sequence, it
4403 		 * uses the autokey exchange to retrieve the autokey
4404 		 * values.
4405 		 */
4406 		case MODE_CLIENT:
4407 
4408 			/*
4409 			 * Parameter, certificate and identity.
4410 			 */
4411 			if (!peer->crypto)
4412 				exten = crypto_args(peer, CRYPTO_ASSOC,
4413 				    peer->associd, hostval.ptr);
4414 			else if (!(peer->crypto & CRYPTO_FLAG_CERT))
4415 				exten = crypto_args(peer, CRYPTO_CERT,
4416 				    peer->associd, peer->issuer);
4417 			else if (!(peer->crypto & CRYPTO_FLAG_VRFY))
4418 				exten = crypto_args(peer,
4419 				    crypto_ident(peer), peer->associd,
4420 				    NULL);
4421 
4422 			/*
4423 			 * Cookie and autokey. These are requests, but
4424 			 * we use the peer association ID with autokey
4425 			 * rather than our own.
4426 			 */
4427 			else if (!(peer->crypto & CRYPTO_FLAG_COOK))
4428 				exten = crypto_args(peer, CRYPTO_COOK,
4429 				    peer->associd, NULL);
4430 			else if (!(peer->crypto & CRYPTO_FLAG_AUTO))
4431 				exten = crypto_args(peer, CRYPTO_AUTO,
4432 				    peer->assoc, NULL);
4433 
4434 			/*
4435 			 * Wait for clock sync, then sign the
4436 			 * certificate and retrieve the leapsecond
4437 			 * values.
4438 			 */
4439 			else if (sys_leap == LEAP_NOTINSYNC)
4440 				break;
4441 
4442 			else if (!(peer->crypto & CRYPTO_FLAG_SIGN))
4443 				exten = crypto_args(peer, CRYPTO_SIGN,
4444 				    peer->associd, hostval.ptr);
4445 			else if (!(peer->crypto & CRYPTO_FLAG_LEAP))
4446 				exten = crypto_args(peer, CRYPTO_LEAP,
4447 				    peer->associd, NULL);
4448 			break;
4449 		}
4450 
4451 		/*
4452 		 * Add a queued extension field if present. This is
4453 		 * always a request message, so the reply ID is already
4454 		 * in the message. If an error occurs, the error bit is
4455 		 * lit in the response.
4456 		 */
4457 		if (peer->cmmd != NULL) {
4458 			u_int32 temp32;
4459 
4460 			temp32 = CRYPTO_RESP;
4461 			peer->cmmd->opcode |= htonl(temp32);
4462 			sendlen += crypto_xmit(peer, &xpkt, NULL,
4463 			    sendlen, peer->cmmd, 0);
4464 			free(peer->cmmd);
4465 			peer->cmmd = NULL;
4466 		}
4467 
4468 		/*
4469 		 * Add an extension field created above. All but the
4470 		 * autokey response message are request messages.
4471 		 */
4472 		if (exten != NULL) {
4473 			if (exten->opcode != 0)
4474 				sendlen += crypto_xmit(peer, &xpkt,
4475 				    NULL, sendlen, exten, 0);
4476 			free(exten);
4477 		}
4478 
4479 		/*
4480 		 * Calculate the next session key. Since extension
4481 		 * fields are present, the cookie value is zero.
4482 		 */
4483 		if (sendlen > (int)LEN_PKT_NOMAC) {
4484 			session_key(&peer->dstadr->sin, &peer->srcadr,
4485 			    xkeyid, 0, 2);
4486 		}
4487 	}
4488 #endif	/* AUTOKEY */
4489 
4490 	/*
4491 	 * Transmit a-priori timestamps
4492 	 */
4493 	get_systime(&xmt_tx);
4494 	if (peer->flip == 0) {		/* basic mode */
4495 		peer->aorg = xmt_tx;
4496 		HTONL_FP(&xmt_tx, &xpkt.xmt);
4497 	} else {			/* interleaved modes */
4498 		if (peer->hmode == MODE_BROADCAST) { /* bcst */
4499 			HTONL_FP(&xmt_tx, &xpkt.xmt);
4500 			if (peer->flip > 0)
4501 				HTONL_FP(&peer->borg, &xpkt.org);
4502 			else
4503 				HTONL_FP(&peer->aorg, &xpkt.org);
4504 		} else {		/* symmetric */
4505 			if (peer->flip > 0)
4506 				HTONL_FP(&peer->borg, &xpkt.xmt);
4507 			else
4508 				HTONL_FP(&peer->aorg, &xpkt.xmt);
4509 		}
4510 	}
4511 	xkeyid = peer->keyid;
4512 	authlen = authencrypt(xkeyid, (u_int32 *)&xpkt, sendlen);
4513 	if (authlen == 0) {
4514 		report_event(PEVNT_AUTH, peer, "no key");
4515 		peer->flash |= TEST5;		/* auth error */
4516 		peer->badauth++;
4517 		return;
4518 	}
4519 	sendlen += authlen;
4520 #ifdef AUTOKEY
4521 	if (xkeyid > NTP_MAXKEY)
4522 		authtrust(xkeyid, 0);
4523 #endif	/* AUTOKEY */
4524 	if (sendlen > sizeof(xpkt)) {
4525 		msyslog(LOG_ERR, "peer_xmit: buffer overflow %u", (u_int)sendlen);
4526 		exit(EX_SOFTWARE);
4527 	}
4528 	peer->t21_bytes = sendlen;
4529 	sendpkt(&peer->srcadr, peer->dstadr,
4530 		sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
4531 		&xpkt, sendlen);
4532 	peer->sent++;
4533 	peer->throttle += (1 << peer->minpoll) - 2;
4534 
4535 	/*
4536 	 * Capture a-posteriori timestamps
4537 	 */
4538 	get_systime(&xmt_ty);
4539 	if (peer->flip != 0) {			/* interleaved modes */
4540 		if (peer->flip > 0)
4541 			peer->aorg = xmt_ty;
4542 		else
4543 			peer->borg = xmt_ty;
4544 		peer->flip = -peer->flip;
4545 	}
4546 	L_SUB(&xmt_ty, &xmt_tx);
4547 	LFPTOD(&xmt_ty, peer->xleave);
4548 #ifdef AUTOKEY
4549 	DPRINTF(1, ("peer_xmit: at %ld %s->%s mode %d keyid %08x len %zu index %d\n",
4550 		    current_time, latoa(peer->dstadr), stoa(&peer->srcadr),
4551 		    peer->hmode, xkeyid, sendlen, peer->keynumber));
4552 #else	/* !AUTOKEY follows */
4553 	DPRINTF(1, ("peer_xmit: at %ld %s->%s mode %d keyid %08x len %zu\n",
4554 		    current_time, peer->dstadr ?
4555 		    ntoa(&peer->dstadr->sin) : "-",
4556 		    ntoa(&peer->srcadr), peer->hmode, xkeyid, sendlen));
4557 #endif	/* !AUTOKEY */
4558 
4559 	return;
4560 }
4561 
4562 
4563 #ifdef LEAP_SMEAR
4564 
4565 static void
4566 leap_smear_add_offs(
4567 	l_fp *t,
4568 	l_fp *t_recv
4569 	)
4570 {
4571 
4572 	L_ADD(t, &leap_smear.offset);
4573 
4574 	/*
4575 	** XXX: Should the smear be added to the root dispersion?
4576 	*/
4577 
4578 	return;
4579 }
4580 
4581 #endif /* LEAP_SMEAR */
4582 
4583 
4584 /*
4585  * fast_xmit - Send packet for nonpersistent association. Note that
4586  * neither the source or destination can be a broadcast address.
4587  */
4588 static void
4589 fast_xmit(
4590 	struct recvbuf* rbufp,	/* receive packet pointer */
4591 	int	xmode,		/* receive mode */  /* XXX: HMS: really? */
4592 	keyid_t	xkeyid,		/* transmit key ID */
4593 	int	flags		/* restrict mask */
4594 )
4595 {
4596 	struct pkt xpkt;	/* transmit packet structure */
4597 	struct pkt* rpkt;	/* receive packet structure */
4598 	l_fp	xmt_tx, xmt_ty;
4599 	size_t	sendlen;
4600 #ifdef AUTOKEY
4601 	u_int32	temp32;
4602 #endif
4603 
4604 	/*
4605 	 * Initialize transmit packet header fields from the receive
4606 	 * buffer provided. We leave the fields intact as received, but
4607 	 * set the peer poll at the maximum of the receive peer poll and
4608 	 * the system minimum poll (ntp_minpoll). This is for KoD rate
4609 	 * control and not strictly specification compliant, but doesn't
4610 	 * break anything.
4611 	 */
4612 	rpkt = &rbufp->recv_pkt;
4613 	/*
4614 	 * If the packet was received on an endpoint open only on
4615 	 * a multicast address, the response needs to go out from
4616 	 * a unicast endpoint.
4617 	 */
4618 #ifndef MULTICAST_NONEWSOCKET
4619 	if (rbufp->dstadr->flags & INT_MCASTOPEN) {
4620 		rbufp->dstadr = findinterface(&rbufp->recv_srcadr);
4621 		if (NULL == rbufp->dstadr ||
4622 		    ANY_INTERFACE_CHOOSE(&rbufp->recv_srcadr) /* wildcard */
4623 		      == rbufp->dstadr) {
4624 			DPRINTF(2, ("No unicast local address found for"
4625 				    " reply to %s mcast.",
4626 				    stoa(&rbufp->recv_srcadr)));
4627 			return;
4628 		}
4629 	}
4630 #endif
4631 
4632 	/*
4633 	 * If this is a kiss-o'-death (KoD) packet, show leap
4634 	 * unsynchronized, stratum zero, reference ID the four-character
4635 	 * kiss code and (???) system root delay. Note we don't reveal
4636 	 * the local time, so these packets can't be used for
4637 	 * synchronization.
4638 	 */
4639 	if (flags & RES_KOD) {
4640 		sys_kodsent++;
4641 		xpkt.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOTINSYNC,
4642 		    PKT_VERSION(rpkt->li_vn_mode), xmode);
4643 		xpkt.stratum = STRATUM_PKT_UNSPEC;
4644 		xpkt.ppoll = max(rpkt->ppoll, ntp_minpoll);
4645 		xpkt.precision = rpkt->precision;
4646 		memcpy(&xpkt.refid, "RATE", 4);
4647 		xpkt.rootdelay = rpkt->rootdelay;
4648 		xpkt.rootdisp = rpkt->rootdisp;
4649 		xpkt.reftime = rpkt->reftime;
4650 		xpkt.org = rpkt->xmt;
4651 		xpkt.rec = rpkt->xmt;
4652 		xpkt.xmt = rpkt->xmt;
4653 
4654 	/*
4655 	 * This is a normal packet. Use the system variables.
4656 	 */
4657 	} else {
4658 		double this_rootdisp;
4659 		l_fp this_ref_time;
4660 
4661 #ifdef LEAP_SMEAR
4662 		/*
4663 		 * Make copies of the variables which can be affected by smearing.
4664 		 */
4665 		l_fp this_recv_time;
4666 #endif
4667 
4668 		/*
4669 		 * If we are inside the leap smear interval we add
4670 		 * the current smear offset to:
4671 		 * - the packet receive time,
4672 		 * - the packet transmit time,
4673 		 * - and eventually to the reftime to make sure the
4674 		 *   reftime isn't later than the transmit/receive times.
4675 		 */
4676 		xpkt.li_vn_mode = PKT_LI_VN_MODE(xmt_leap,
4677 		    PKT_VERSION(rpkt->li_vn_mode), xmode);
4678 
4679 		xpkt.stratum = STRATUM_TO_PKT(sys_stratum);
4680 		xpkt.ppoll = max(rpkt->ppoll, ntp_minpoll);
4681 		xpkt.precision = sys_precision;
4682 		xpkt.refid = sys_refid;
4683 		xpkt.rootdelay = HTONS_FP(DTOFP(sys_rootdelay));
4684 
4685 		/*
4686 		** Server Response Fuzzing
4687 		**
4688 		** Which values do we want to use for reftime and rootdisp?
4689 		*/
4690 
4691 		if (   MODE_SERVER == xmode
4692 		    && RES_SRVRSPFUZ & flags) {
4693 			if (current_time < p2_time) {
4694 				this_ref_time = p2_reftime;
4695 				this_rootdisp = p2_rootdisp;
4696 			} else if (current_time < prev_time) {
4697 				this_ref_time = prev_reftime;
4698 				this_rootdisp = prev_rootdisp;
4699 			} else {
4700 				this_ref_time = sys_reftime;
4701 				this_rootdisp = sys_rootdisp;
4702 			}
4703 
4704 			SRVRSP_FUZZ(this_ref_time);
4705 		} else {
4706 			this_ref_time = sys_reftime;
4707 			this_rootdisp = sys_rootdisp;
4708 		}
4709 
4710 		/*
4711 		** ROOT DISPERSION
4712 		*/
4713 
4714 		xpkt.rootdisp = HTONS_FP(DTOUFP(this_rootdisp));
4715 
4716 		/*
4717 		** REFTIME
4718 		*/
4719 
4720 #ifdef LEAP_SMEAR
4721 		if (leap_smear.in_progress) {
4722 			/* adjust the reftime by the same amount as the
4723 			 * leap smear, as we don't want to risk the
4724 			 * reftime being later than the transmit time.
4725 			 */
4726 			leap_smear_add_offs(&this_ref_time, NULL);
4727 		}
4728 #endif
4729 
4730 		HTONL_FP(&this_ref_time, &xpkt.reftime);
4731 
4732 		/*
4733 		** REFID
4734 		*/
4735 
4736 #ifdef LEAP_SMEAR
4737 		if (leap_smear.in_progress) {
4738 			xpkt.refid = convertLFPToRefID(leap_smear.offset);
4739 			DPRINTF(2, ("fast_xmit: leap_smear.in_progress: refid %8x, smear %s\n",
4740 				ntohl(xpkt.refid),
4741 				lfptoa(&leap_smear.offset, 8)
4742 				));
4743 		}
4744 #endif
4745 
4746 		/*
4747 		** ORIGIN
4748 		*/
4749 
4750 		xpkt.org = rpkt->xmt;
4751 
4752 		/*
4753 		** RECEIVE
4754 		*/
4755 #ifdef LEAP_SMEAR
4756 		this_recv_time = rbufp->recv_time;
4757 		if (leap_smear.in_progress)
4758 			leap_smear_add_offs(&this_recv_time, NULL);
4759 		HTONL_FP(&this_recv_time, &xpkt.rec);
4760 #else
4761 		HTONL_FP(&rbufp->recv_time, &xpkt.rec);
4762 #endif
4763 
4764 		/*
4765 		** TRANSMIT
4766 		*/
4767 
4768 		get_systime(&xmt_tx);
4769 #ifdef LEAP_SMEAR
4770 		if (leap_smear.in_progress)
4771 			leap_smear_add_offs(&xmt_tx, &this_recv_time);
4772 #endif
4773 		HTONL_FP(&xmt_tx, &xpkt.xmt);
4774 	}
4775 
4776 #ifdef HAVE_NTP_SIGND
4777 	if (flags & RES_MSSNTP) {
4778 		send_via_ntp_signd(rbufp, xmode, xkeyid, flags, &xpkt);
4779 		return;
4780 	}
4781 #endif /* HAVE_NTP_SIGND */
4782 
4783 	/*
4784 	 * If the received packet contains a MAC, the transmitted packet
4785 	 * is authenticated and contains a MAC. If not, the transmitted
4786 	 * packet is not authenticated.
4787 	 */
4788 	sendlen = LEN_PKT_NOMAC;
4789 	if (rbufp->recv_length == sendlen) {
4790 		sendpkt(&rbufp->recv_srcadr, rbufp->dstadr, 0, &xpkt,
4791 		    sendlen);
4792 		DPRINTF(1, ("fast_xmit: at %ld %s->%s mode %d len %lu\n",
4793 			    current_time, stoa(&rbufp->dstadr->sin),
4794 			    stoa(&rbufp->recv_srcadr), xmode,
4795 			    (u_long)sendlen));
4796 		return;
4797 	}
4798 
4799 	/*
4800 	 * The received packet contains a MAC, so the transmitted packet
4801 	 * must be authenticated. For symmetric key cryptography, use
4802 	 * the predefined and trusted symmetric keys to generate the
4803 	 * cryptosum. For autokey cryptography, use the server private
4804 	 * value to generate the cookie, which is unique for every
4805 	 * source-destination-key ID combination.
4806 	 */
4807 #ifdef AUTOKEY
4808 	if (xkeyid > NTP_MAXKEY) {
4809 		keyid_t cookie;
4810 
4811 		/*
4812 		 * The only way to get here is a reply to a legitimate
4813 		 * client request message, so the mode must be
4814 		 * MODE_SERVER. If an extension field is present, there
4815 		 * can be only one and that must be a command. Do what
4816 		 * needs, but with private value of zero so the poor
4817 		 * jerk can decode it. If no extension field is present,
4818 		 * use the cookie to generate the session key.
4819 		 */
4820 		cookie = session_key(&rbufp->recv_srcadr,
4821 		    &rbufp->dstadr->sin, 0, sys_private, 0);
4822 		if ((size_t)rbufp->recv_length > sendlen + MAX_MAC_LEN) {
4823 			session_key(&rbufp->dstadr->sin,
4824 			    &rbufp->recv_srcadr, xkeyid, 0, 2);
4825 			temp32 = CRYPTO_RESP;
4826 			rpkt->exten[0] |= htonl(temp32);
4827 			sendlen += crypto_xmit(NULL, &xpkt, rbufp,
4828 			    sendlen, (struct exten *)rpkt->exten,
4829 			    cookie);
4830 		} else {
4831 			session_key(&rbufp->dstadr->sin,
4832 			    &rbufp->recv_srcadr, xkeyid, cookie, 2);
4833 		}
4834 	}
4835 #endif	/* AUTOKEY */
4836 	get_systime(&xmt_tx);
4837 	sendlen += authencrypt(xkeyid, (u_int32 *)&xpkt, sendlen);
4838 #ifdef AUTOKEY
4839 	if (xkeyid > NTP_MAXKEY)
4840 		authtrust(xkeyid, 0);
4841 #endif	/* AUTOKEY */
4842 	sendpkt(&rbufp->recv_srcadr, rbufp->dstadr, 0, &xpkt, sendlen);
4843 	get_systime(&xmt_ty);
4844 	L_SUB(&xmt_ty, &xmt_tx);
4845 	sys_authdelay = xmt_ty;
4846 	DPRINTF(1, ("fast_xmit: at %ld %s->%s mode %d keyid %08x len %lu\n",
4847 		    current_time, ntoa(&rbufp->dstadr->sin),
4848 		    ntoa(&rbufp->recv_srcadr), xmode, xkeyid,
4849 		    (u_long)sendlen));
4850 }
4851 
4852 
4853 /*
4854  * pool_xmit - resolve hostname or send unicast solicitation for pool.
4855  */
4856 static void
4857 pool_xmit(
4858 	struct peer *pool	/* pool solicitor association */
4859 	)
4860 {
4861 #ifdef WORKER
4862 	struct pkt	xpkt;	/* transmit packet structure */
4863 	struct addrinfo	hints;
4864 	int		rc;
4865 	endpt *		lcladr;
4866 	sockaddr_u *	rmtadr;
4867 	u_short		af;
4868 	struct peer *	p;
4869 	l_fp		xmt_tx;
4870 
4871 	DEBUG_REQUIRE(pool);
4872 	if (NULL == pool->ai) {
4873 		if (pool->addrs != NULL) {
4874 			/* free() is used with copy_addrinfo_list() */
4875 			free(pool->addrs);
4876 			pool->addrs = NULL;
4877 		}
4878 		af = AF(&pool->srcadr);
4879 		if (   (AF_INET == af && !nonlocal_v4_addr_up)
4880 		    || (AF_INET6 == af && !nonlocal_v6_addr_up)
4881 		    || (   AF_UNSPEC == af
4882 			&& !nonlocal_v4_addr_up
4883 			&& !nonlocal_v6_addr_up)) {
4884 
4885 			/* POOL DNS query would be useless [Bug 3845] */
4886 			return;
4887 		}
4888 		ZERO(hints);
4889 		hints.ai_family = AF(&pool->srcadr);
4890 		hints.ai_socktype = SOCK_DGRAM;
4891 		hints.ai_protocol = IPPROTO_UDP;
4892 		/* ignore getaddrinfo_sometime() errors, we will retry */
4893 		rc = getaddrinfo_sometime(
4894 			pool->hostname,
4895 			"ntp",
4896 			&hints,
4897 			0,			/* no retry */
4898 			&pool_name_resolved,
4899 			(void *)(intptr_t)pool->associd);
4900 		if (!rc)
4901 			DPRINTF(1, ("pool DNS lookup %s started\n",
4902 				pool->hostname));
4903 		else
4904 			msyslog(LOG_ERR,
4905 				"unable to start pool DNS %s: %m",
4906 				pool->hostname);
4907 		return;
4908 	}
4909 
4910 	do {
4911 		/* copy_addrinfo_list ai_addr points to a sockaddr_u */
4912 		rmtadr = (sockaddr_u *)(void *)pool->ai->ai_addr;
4913 		pool->ai = pool->ai->ai_next;
4914 		/* do not solicit when hopeless [Bug 3845] */
4915 		if (   (IS_IPV4(rmtadr) && !nonlocal_v4_addr_up)
4916 		    || (IS_IPV6(rmtadr) && !nonlocal_v6_addr_up)) {
4917 			continue;
4918 		}
4919 		p = findexistingpeer(rmtadr, NULL, NULL, MODE_CLIENT, 0, NULL);
4920 	} while (p != NULL && pool->ai != NULL);
4921 	if (p != NULL) {
4922 		return;	/* out of addresses, re-query DNS next poll */
4923 	}
4924 	restrict_source(rmtadr, FALSE, 1 + POOL_SOLICIT_WINDOW);
4925 	lcladr = findinterface(rmtadr);
4926 	memset(&xpkt, 0, sizeof(xpkt));
4927 	xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_leap, pool->version,
4928 					 MODE_CLIENT);
4929 	xpkt.stratum = STRATUM_TO_PKT(sys_stratum);
4930 	xpkt.ppoll = pool->hpoll;
4931 	xpkt.precision = sys_precision;
4932 	xpkt.refid = sys_refid;
4933 	xpkt.rootdelay = HTONS_FP(DTOFP(sys_rootdelay));
4934 	xpkt.rootdisp = HTONS_FP(DTOUFP(sys_rootdisp));
4935 	/* Bug 3596: What are the pros/cons of using sys_reftime here? */
4936 	HTONL_FP(&sys_reftime, &xpkt.reftime);
4937 
4938 	get_systime(&xmt_tx);
4939 	pool->aorg = xmt_tx;
4940 
4941 	if (FLAG_LOOPNONCE & pool->flags) {
4942 		l_fp nonce;
4943 
4944 		do {
4945 			nonce.l_ui = ntp_random();
4946 		} while (0 == nonce.l_ui);
4947 		do {
4948 			nonce.l_uf = ntp_random();
4949 		} while (0 == nonce.l_uf);
4950 		pool->nonce = nonce;
4951 		HTONL_FP(&nonce, &xpkt.xmt);
4952 	} else {
4953 		L_CLR(&pool->nonce);
4954 		HTONL_FP(&xmt_tx, &xpkt.xmt);
4955 	}
4956 	pool->sent++;
4957 	pool->throttle += (1 << pool->minpoll) - 2;
4958 	DPRINTF(1, ("pool_xmit: at %ld %s->%s pool\n",
4959 		    current_time, latoa(lcladr), stoa(rmtadr)));
4960 	msyslog(LOG_INFO, "Soliciting pool server %s", stoa(rmtadr));
4961 	sendpkt(rmtadr, lcladr,
4962 		sys_ttl[(pool->ttl >= sys_ttlmax) ? sys_ttlmax : pool->ttl],
4963 		&xpkt, LEN_PKT_NOMAC);
4964 #endif	/* WORKER */
4965 }
4966 
4967 
4968 #ifdef AUTOKEY
4969 	/*
4970 	 * group_test - test if this is the same group
4971 	 *
4972 	 * host		assoc		return		action
4973 	 * none		none		0		mobilize *
4974 	 * none		group		0		mobilize *
4975 	 * group	none		0		mobilize *
4976 	 * group	group		1		mobilize
4977 	 * group	different	1		ignore
4978 	 * * ignore if notrust
4979 	 */
4980 int
4981 group_test(
4982 	char	*grp,
4983 	char	*ident
4984 	)
4985 {
4986 	if (grp == NULL)
4987 		return (0);
4988 
4989 	if (strcmp(grp, sys_groupname) == 0)
4990 		return (0);
4991 
4992 	if (ident == NULL)
4993 		return (1);
4994 
4995 	if (strcmp(grp, ident) == 0)
4996 		return (0);
4997 
4998 	return (1);
4999 }
5000 #endif /* AUTOKEY */
5001 
5002 
5003 #ifdef WORKER
5004 void
5005 pool_name_resolved(
5006 	int			rescode,
5007 	int			gai_errno,
5008 	void *			context,
5009 	const char *		name,
5010 	const char *		service,
5011 	const struct addrinfo *	hints,
5012 	const struct addrinfo *	res
5013 	)
5014 {
5015 	struct peer *	pool;	/* pool solicitor association */
5016 	associd_t	assoc;
5017 
5018 	if (rescode) {
5019 		msyslog(LOG_ERR,
5020 			"error resolving pool %s: %s (%d)",
5021 			name, gai_strerror(rescode), rescode);
5022 		return;
5023 	}
5024 
5025 	assoc = (associd_t)(intptr_t)context;
5026 	pool = findpeerbyassoc(assoc);
5027 	if (NULL == pool) {
5028 		msyslog(LOG_ERR,
5029 			"Could not find assoc %u for pool DNS %s",
5030 			assoc, name);
5031 		return;
5032 	}
5033 	DPRINTF(1, ("pool DNS %s completed\n", name));
5034 	pool->addrs = copy_addrinfo_list(res);
5035 	pool->ai = pool->addrs;
5036 	pool_xmit(pool);
5037 
5038 }
5039 #endif	/* WORKER */
5040 
5041 
5042 #ifdef AUTOKEY
5043 /*
5044  * key_expire - purge the key list
5045  */
5046 void
5047 key_expire(
5048 	struct peer *peer	/* peer structure pointer */
5049 	)
5050 {
5051 	int i;
5052 
5053 	if (peer->keylist != NULL) {
5054 		for (i = 0; i <= peer->keynumber; i++)
5055 			authtrust(peer->keylist[i], 0);
5056 		free(peer->keylist);
5057 		peer->keylist = NULL;
5058 	}
5059 	value_free(&peer->sndval);
5060 	peer->keynumber = 0;
5061 	peer->flags &= ~FLAG_ASSOC;
5062 	DPRINTF(1, ("key_expire: at %lu associd %d\n", current_time,
5063 		    peer->associd));
5064 }
5065 #endif	/* AUTOKEY */
5066 
5067 
5068 /*
5069  * local_refid(peer) - Check peer refid to avoid selecting peers
5070  *		       currently synced to this ntpd.
5071  * Note that until 4.2.8p18 and 4.3.1XX ntpd calculated the IPv6
5072  * refid differently on different-endian systems.  It now calculates
5073  * the refid the same on both, the same way it did on little-endian
5074  * in the past.  On big-endian systems, ntpd also calculates a
5075  * byte-swapped version of each of its IPv6 local addresses' refids,
5076  * as endpt.old_refid and also detects a loop when seeing it.  This
5077  * ensures new BE ntpd will detect loops interoperating with older
5078  * BE ntpd, and keeps the more-common LE old ntpd code detecting
5079  * loops with IPv6 refids correctly.  Thanks to Hal Murray for
5080  * the byte-swapping idea.
5081  */
5082 static int
5083 local_refid(
5084 	struct peer *	p
5085 	)
5086 {
5087 	endpt *	unicast_ep;
5088 
5089 	if (p->dstadr != NULL && !(INT_MCASTIF & p->dstadr->flags))
5090 		unicast_ep = p->dstadr;
5091 	else
5092 		unicast_ep = findinterface(&p->srcadr);
5093 
5094 	if (unicast_ep != NULL
5095 	    && (   p->refid == unicast_ep->addr_refid
5096 #ifdef WORDS_BIGENDIAN
5097 		|| (   IS_IPV6(&unicast_ep->sin)
5098 		    && p->refid == unicast_ep->old_refid)
5099 #endif
5100 							 )) {
5101 		return TRUE;
5102 	} else {
5103 		return FALSE;
5104 	}
5105 }
5106 
5107 
5108 /*
5109  * Determine if the peer is unfit for synchronization
5110  *
5111  * A peer is unfit for synchronization if
5112  * > TEST10 bad leap or stratum below floor or at or above ceiling
5113  * > TEST11 root distance exceeded for remote peer
5114  * > TEST12 a direct or indirect synchronization loop would form
5115  * > TEST13 unreachable or noselect
5116  */
5117 int				/* FALSE if fit, TRUE if unfit */
5118 peer_unfit(
5119 	struct peer *peer	/* peer structure pointer */
5120 	)
5121 {
5122 	int	rval = 0;
5123 
5124 	/*
5125 	 * A stratum error occurs if (1) the server has never been
5126 	 * synchronized, (2) the server stratum is below the floor or
5127 	 * greater than or equal to the ceiling.
5128 	 */
5129 	if (   peer->leap == LEAP_NOTINSYNC
5130 	    || peer->stratum < sys_floor
5131 	    || peer->stratum >= sys_ceiling) {
5132 		rval |= TEST10;		/* bad synch or stratum */
5133 	}
5134 
5135 	/*
5136 	 * A distance error for a remote peer occurs if the root
5137 	 * distance is greater than or equal to the distance threshold
5138 	 * plus the increment due to one host poll interval.
5139 	 */
5140 	if (   !(peer->flags & FLAG_REFCLOCK)
5141 	    && root_distance(peer) >= sys_maxdist
5142 				      + clock_phi * ULOGTOD(peer->hpoll)) {
5143 		rval |= TEST11;		/* distance exceeded */
5144 	}
5145 
5146 	/*
5147 	 * A loop error occurs if the remote peer is synchronized to the
5148 	 * local peer or if the remote peer is synchronized to the same
5149 	 * server as the local peer but only if the remote peer is
5150 	 * neither a reference clock nor an orphan.
5151 	 */
5152 	if (peer->stratum > 1 && local_refid(peer)) {
5153 		rval |= TEST12;		/* synchronization loop */
5154 	}
5155 
5156 	/*
5157 	 * An unreachable error occurs if the server is unreachable or
5158 	 * the noselect bit is set.
5159 	 */
5160 	if (!peer->reach || (peer->flags & FLAG_NOSELECT)) {
5161 		rval |= TEST13;		/* unreachable */
5162 	}
5163 
5164 	peer->flash &= ~PEER_TEST_MASK;
5165 	peer->flash |= rval;
5166 	return (rval);
5167 }
5168 
5169 
5170 /*
5171  * Find the precision of this particular machine
5172  */
5173 #define MINSTEP		20e-9	/* minimum clock increment (s) */
5174 #define MAXSTEP		1	/* maximum clock increment (s) */
5175 #define MINCHANGES	12	/* minimum number of step samples */
5176 #define MAXLOOPS	((int)(1. / MINSTEP))	/* avoid infinite loop */
5177 
5178 /*
5179  * This routine measures the system precision defined as the minimum of
5180  * a sequence of differences between successive readings of the system
5181  * clock. However, if a difference is less than MINSTEP, the clock has
5182  * been read more than once during a clock tick and the difference is
5183  * ignored. We set MINSTEP greater than zero in case something happens
5184  * like a cache miss, and to tolerate underlying system clocks which
5185  * ensure each reading is strictly greater than prior readings while
5186  * using an underlying stepping (not interpolated) clock.
5187  *
5188  * sys_tick and sys_precision represent the time to read the clock for
5189  * systems with high-precision clocks, and the tick interval or step
5190  * size for lower-precision stepping clocks.
5191  *
5192  * This routine also measures the time to read the clock on stepping
5193  * system clocks by counting the number of readings between changes of
5194  * the underlying clock.  With either type of clock, the minimum time
5195  * to read the clock is saved as sys_fuzz, and used to ensure the
5196  * get_systime() readings always increase and are fuzzed below sys_fuzz.
5197  */
5198 void
5199 measure_precision(void)
5200 {
5201 	/*
5202 	 * With sys_fuzz set to zero, get_systime() fuzzing of low bits
5203 	 * is effectively disabled.  trunc_os_clock is FALSE to disable
5204 	 * get_ostime() simulation of a low-precision system clock.
5205 	 */
5206 	set_sys_fuzz(0.);
5207 	trunc_os_clock = FALSE;
5208 	measured_tick = measure_tick_fuzz();
5209 	set_sys_tick_precision(measured_tick);
5210 	msyslog(LOG_INFO, "proto: precision = %.3f usec (%d)",
5211 		sys_tick * 1e6, sys_precision);
5212 	if (sys_fuzz < sys_tick) {
5213 		msyslog(LOG_NOTICE, "proto: fuzz beneath %.3f usec",
5214 			sys_fuzz * 1e6);
5215 	}
5216 }
5217 
5218 
5219 /*
5220  * measure_tick_fuzz()
5221  *
5222  * measures the minimum time to read the clock (stored in sys_fuzz)
5223  * and returns the tick, the larger of the minimum increment observed
5224  * between successive clock readings and the time to read the clock.
5225  */
5226 double
5227 measure_tick_fuzz(void)
5228 {
5229 	l_fp	minstep;	/* MINSTEP as l_fp */
5230 	l_fp	val;		/* current seconds fraction */
5231 	l_fp	last;		/* last seconds fraction */
5232 	l_fp	ldiff;		/* val - last */
5233 	double	tick;		/* computed tick value */
5234 	double	diff;
5235 	long	repeats;
5236 	long	max_repeats;
5237 	int	changes;
5238 	int	i;		/* log2 precision */
5239 
5240 	tick = MAXSTEP;
5241 	max_repeats = 0;
5242 	repeats = 0;
5243 	changes = 0;
5244 	DTOLFP(MINSTEP, &minstep);
5245 	get_systime(&last);
5246 	for (i = 0; i < MAXLOOPS && changes < MINCHANGES; i++) {
5247 		get_systime(&val);
5248 		ldiff = val;
5249 		L_SUB(&ldiff, &last);
5250 		last = val;
5251 		if (L_ISGT(&ldiff, &minstep)) {
5252 			max_repeats = max(repeats, max_repeats);
5253 			repeats = 0;
5254 			changes++;
5255 			LFPTOD(&ldiff, diff);
5256 			tick = min(diff, tick);
5257 		} else {
5258 			repeats++;
5259 		}
5260 	}
5261 	if (changes < MINCHANGES) {
5262 		msyslog(LOG_ERR, "Fatal error: precision could not be measured (MINSTEP too large?)");
5263 		exit(1);
5264 	}
5265 
5266 	if (0 == max_repeats) {
5267 		set_sys_fuzz(tick);
5268 	} else {
5269 		set_sys_fuzz(tick / max_repeats);
5270 	}
5271 
5272 	return tick;
5273 }
5274 
5275 
5276 void
5277 set_sys_tick_precision(
5278 	double tick
5279 	)
5280 {
5281 	int i;
5282 
5283 	if (tick > 1.) {
5284 		msyslog(LOG_ERR,
5285 			"unsupported tick %.3f > 1s ignored", tick);
5286 		return;
5287 	}
5288 	if (tick < measured_tick) {
5289 		msyslog(LOG_ERR,
5290 			"proto: tick %.3f less than measured tick %.3f, ignored",
5291 			tick, measured_tick);
5292 		return;
5293 	} else if (tick > measured_tick) {
5294 		trunc_os_clock = TRUE;
5295 		msyslog(LOG_NOTICE,
5296 			"proto: truncating system clock to multiples of %.9f",
5297 			tick);
5298 	}
5299 	sys_tick = tick;
5300 
5301 	/*
5302 	 * Find the nearest power of two.
5303 	 */
5304 	for (i = 0; tick <= 1; i--)
5305 		tick *= 2;
5306 	if (tick - 1 > 1 - tick / 2)
5307 		i++;
5308 
5309 	sys_precision = (s_char)i;
5310 }
5311 
5312 
5313 /*
5314  * init_proto - initialize the protocol module's data
5315  */
5316 void
5317 init_proto(void)
5318 {
5319 	l_fp	dummy;
5320 	int	i;
5321 
5322 	/*
5323 	 * Fill in the sys_* stuff.  Default is don't listen to
5324 	 * broadcasting, require authentication.
5325 	 */
5326 	set_sys_leap(LEAP_NOTINSYNC);
5327 	sys_stratum = STRATUM_UNSPEC;
5328 	memcpy(&sys_refid, "INIT", 4);
5329 	sys_peer = NULL;
5330 	sys_rootdelay = 0;
5331 	sys_rootdisp = 0;
5332 	L_CLR(&sys_reftime);
5333 	sys_jitter = 0;
5334 	measure_precision();
5335 	get_systime(&dummy);
5336 	sys_survivors = 0;
5337 	sys_manycastserver = 0;
5338 	sys_bclient = 0;
5339 	sys_mclient = 0;
5340 	sys_bdelay = BDELAY_DEFAULT;	/*[Bug 3031] delay cutoff */
5341 	sys_authenticate = 1;
5342 	sys_stattime = current_time;
5343 	orphwait = current_time + sys_orphwait;
5344 	proto_clr_stats();
5345 	for (i = 0; i < MAX_TTL; ++i)
5346 		sys_ttl[i] = (u_char)((i * 256) / MAX_TTL);
5347 	sys_ttlmax = (MAX_TTL - 1);
5348 	hardpps_enable = 0;
5349 	stats_control = 1;
5350 }
5351 
5352 
5353 /*
5354  * proto_config - configure the protocol module
5355  */
5356 void
5357 proto_config(
5358 	int	item,
5359 	u_long	value,
5360 	double	dvalue,
5361 	sockaddr_u *svalue
5362 	)
5363 {
5364 	/*
5365 	 * Figure out what he wants to change, then do it
5366 	 */
5367 	DPRINTF(2, ("proto_config: code %d value %lu dvalue %lf\n",
5368 		    item, value, dvalue));
5369 
5370 	switch (item) {
5371 
5372 	/*
5373 	 * enable and disable commands - arguments are Boolean.
5374 	 */
5375 	case PROTO_AUTHENTICATE: /* authentication (auth) */
5376 		sys_authenticate = value;
5377 		break;
5378 
5379 	case PROTO_BROADCLIENT: /* broadcast client (bclient) */
5380 		sys_bclient = (int)value;
5381 		if (!sys_bclient)
5382 			io_unsetbclient();
5383 		else
5384 			io_setbclient();
5385 		break;
5386 
5387 #ifdef REFCLOCK
5388 	case PROTO_CAL:		/* refclock calibrate (calibrate) */
5389 		cal_enable = value;
5390 		break;
5391 #endif /* REFCLOCK */
5392 
5393 	case PROTO_KERNEL:	/* kernel discipline (kernel) */
5394 		select_loop(value);
5395 		break;
5396 
5397 	case PROTO_MONITOR:	/* monitoring (monitor) */
5398 		if (value)
5399 			mon_start(MON_ON);
5400 		else {
5401 			mon_stop(MON_ON);
5402 			if (mon_enabled)
5403 				msyslog(LOG_WARNING,
5404 					"restrict: 'monitor' cannot be disabled while 'limited' is enabled");
5405 		}
5406 		break;
5407 
5408 	case PROTO_NTP:		/* NTP discipline (ntp) */
5409 		ntp_enable = value;
5410 		break;
5411 
5412 	case PROTO_MODE7:	/* mode7 management (ntpdc) */
5413 		ntp_mode7 = value;
5414 		break;
5415 
5416 	case PROTO_PPS:		/* PPS discipline (pps) */
5417 		hardpps_enable = value;
5418 		break;
5419 
5420 	case PROTO_FILEGEN:	/* statistics (stats) */
5421 		stats_control = value;
5422 		break;
5423 
5424 	/*
5425 	 * tos command - arguments are double, sometimes cast to int
5426 	 */
5427 
5428 	case PROTO_BCPOLLBSTEP:	/* Broadcast Poll Backstep gate (bcpollbstep) */
5429 		sys_bcpollbstep = (u_char)dvalue;
5430 		break;
5431 
5432 	case PROTO_BEACON:	/* manycast beacon (beacon) */
5433 		sys_beacon = (int)dvalue;
5434 		break;
5435 
5436 	case PROTO_BROADDELAY:	/* default broadcast delay (bdelay) */
5437 		sys_bdelay = (dvalue ? dvalue : BDELAY_DEFAULT);
5438 		break;
5439 
5440 	case PROTO_CEILING:	/* stratum ceiling (ceiling) */
5441 		sys_ceiling = (int)dvalue;
5442 		break;
5443 
5444 	case PROTO_COHORT:	/* cohort switch (cohort) */
5445 		sys_cohort = (int)dvalue;
5446 		break;
5447 
5448 	case PROTO_FLOOR:	/* stratum floor (floor) */
5449 		sys_floor = (int)dvalue;
5450 		break;
5451 
5452 	case PROTO_MAXCLOCK:	/* maximum candidates (maxclock) */
5453 		sys_maxclock = (int)dvalue;
5454 		break;
5455 
5456 	case PROTO_MAXDIST:	/* select threshold (maxdist) */
5457 		sys_maxdist = dvalue;
5458 		break;
5459 
5460 	case PROTO_CALLDELAY:	/* modem call delay (mdelay) */
5461 		break;		/* NOT USED */
5462 
5463 	case PROTO_MINCLOCK:	/* minimum candidates (minclock) */
5464 		sys_minclock = (int)dvalue;
5465 		break;
5466 
5467 	case PROTO_MINDISP:	/* minimum distance (mindist) */
5468 		sys_mindisp = dvalue;
5469 		break;
5470 
5471 	case PROTO_MINSANE:	/* minimum survivors (minsane) */
5472 		sys_minsane = (int)dvalue;
5473 		break;
5474 
5475 	case PROTO_ORPHAN:	/* orphan stratum (orphan) */
5476 		sys_orphan = (int)dvalue;
5477 		break;
5478 
5479 	case PROTO_ORPHWAIT:	/* orphan wait (orphwait) */
5480 		orphwait -= sys_orphwait;
5481 		sys_orphwait = (dvalue >= 1) ? (int)dvalue : NTP_ORPHWAIT;
5482 		orphwait += sys_orphwait;
5483 		break;
5484 
5485 	/*
5486 	 * Miscellaneous commands
5487 	 */
5488 	case PROTO_MULTICAST_ADD: /* add group address */
5489 		if (svalue != NULL)
5490 			io_multicast_add(svalue);
5491 		sys_mclient = 1;
5492 		break;
5493 
5494 	case PROTO_MULTICAST_DEL: /* delete group address */
5495 		if (svalue != NULL)
5496 			io_multicast_del(svalue);
5497 		break;
5498 
5499 	/*
5500 	 * Peer_clear Early policy choices
5501 	 */
5502 
5503 	case PROTO_PCEDIGEST:	/* Digest */
5504 		peer_clear_digest_early = value;
5505 		break;
5506 
5507 	/*
5508 	 * Unpeer Early policy choices
5509 	 */
5510 
5511 	case PROTO_UECRYPTO:	/* Crypto */
5512 		unpeer_crypto_early = value;
5513 		break;
5514 
5515 	case PROTO_UECRYPTONAK:	/* Crypto_NAK */
5516 		unpeer_crypto_nak_early = value;
5517 		break;
5518 
5519 	case PROTO_UEDIGEST:	/* Digest */
5520 		unpeer_digest_early = value;
5521 		break;
5522 
5523 	default:
5524 		msyslog(LOG_NOTICE,
5525 		    "proto: unsupported option %d", item);
5526 	}
5527 }
5528 
5529 
5530 /*
5531  * proto_clr_stats - clear protocol stat counters
5532  */
5533 void
5534 proto_clr_stats(void)
5535 {
5536 	sys_stattime = current_time;
5537 	sys_received = 0;
5538 	sys_processed = 0;
5539 	sys_newversion = 0;
5540 	sys_oldversion = 0;
5541 	sys_declined = 0;
5542 	sys_restricted = 0;
5543 	sys_badlength = 0;
5544 	sys_badauth = 0;
5545 	sys_limitrejected = 0;
5546 	sys_kodsent = 0;
5547 	sys_lamport = 0;
5548 	sys_tsrounding = 0;
5549 }
5550