ntp_crypto.h revision 285612
1101353Smike/* 2101353Smike * ntp_crypto.h - definitions for cryptographic operations 3101353Smike */ 4101353Smike#ifndef NTP_CRYPTO_H 5101353Smike#define NTP_CRYPTO_H 6101353Smike 7101353Smike/* 8101353Smike * Configuration codes (also needed for parser without AUTOKEY) 9101353Smike */ 10101353Smike#define CRYPTO_CONF_NONE 0 /* nothing doing */ 11101353Smike#define CRYPTO_CONF_PRIV 1 /* host name */ 12101353Smike#define CRYPTO_CONF_IDENT 2 /* group name */ 13101353Smike#define CRYPTO_CONF_CERT 3 /* certificate file name */ 14101353Smike#define CRYPTO_CONF_RAND 4 /* random seed file name */ 15101353Smike#define CRYPTO_CONF_IFFPAR 5 /* IFF parameters file name */ 16101353Smike#define CRYPTO_CONF_GQPAR 6 /* GQ parameters file name */ 17101353Smike#define CRYPTO_CONF_MVPAR 7 /* MV parameters file name */ 18101353Smike#define CRYPTO_CONF_PW 8 /* private key password */ 19101353Smike#define CRYPTO_CONF_NID 9 /* specify digest name */ 20101353Smike 21101353Smike#ifdef AUTOKEY 22101353Smike#ifndef OPENSSL 23101353Smike#error AUTOKEY should be defined only if OPENSSL is. 24101353Smikeinvalidsyntax: AUTOKEY should be defined only if OPENSSL is. 25101353Smike#endif 26101353Smike 27101353Smike#include "openssl/evp.h" 28101353Smike#include "ntp_calendar.h" /* for fields in the cert_info structure */ 29101353Smike 30101353Smike 31101353Smike/* 32101353Smike * The following bits are set by the CRYPTO_ASSOC message from 33101353Smike * the server and are not modified by the client. 34101353Smike */ 35101353Smike#define CRYPTO_FLAG_ENAB 0x0001 /* crypto enable */ 36101353Smike#define CRYPTO_FLAG_TAI 0x0002 /* leapseconds table */ 37101353Smike 38101353Smike#define CRYPTO_FLAG_PRIV 0x0010 /* PC identity scheme */ 39107592Sru#define CRYPTO_FLAG_IFF 0x0020 /* IFF identity scheme */ 40107592Sru#define CRYPTO_FLAG_GQ 0x0040 /* GQ identity scheme */ 41107592Sru#define CRYPTO_FLAG_MV 0x0080 /* MV identity scheme */ 42107592Sru#define CRYPTO_FLAG_MASK 0x00f0 /* identity scheme mask */ 43101353Smike 44101353Smike/* 45101353Smike * The following bits are used by the client during the protocol 46101353Smike * exchange. 47107592Sru */ 48107619Sru#define CRYPTO_FLAG_CERT 0x0100 /* public key verified */ 49101353Smike#define CRYPTO_FLAG_VRFY 0x0200 /* identity verified */ 50101353Smike#define CRYPTO_FLAG_PROV 0x0400 /* signature verified */ 51101353Smike#define CRYPTO_FLAG_COOK 0x0800 /* cookie verifed */ 52101353Smike#define CRYPTO_FLAG_AUTO 0x1000 /* autokey verified */ 53101353Smike#define CRYPTO_FLAG_SIGN 0x2000 /* certificate signed */ 54101353Smike#define CRYPTO_FLAG_LEAP 0x4000 /* leapsecond values verified */ 55101353Smike#define CRYPTO_FLAG_ALL 0x7f00 /* all mask */ 56101353Smike 57101353Smike/* 58101353Smike * Flags used for certificate management 59101353Smike */ 60101353Smike#define CERT_TRUST 0x01 /* certificate is trusted */ 61101353Smike#define CERT_SIGN 0x02 /* certificate is signed */ 62107592Sru#define CERT_VALID 0x04 /* certificate is valid */ 63107592Sru#define CERT_PRIV 0x08 /* certificate is private */ 64107592Sru#define CERT_ERROR 0x80 /* certificate has errors */ 65101353Smike 66101353Smike/* 67107619Sru * Extension field definitions 68101353Smike */ 69101353Smike#define CRYPTO_MAXLEN 1024 /* max extension field length */ 70101353Smike#define CRYPTO_VN 2 /* current protocol version number */ 71107592Sru#define CRYPTO_CMD(x) (((CRYPTO_VN << 8) | (x)) << 16) 72107592Sru#define CRYPTO_NULL CRYPTO_CMD(0) /* no operation */ 73101353Smike#define CRYPTO_ASSOC CRYPTO_CMD(1) /* association */ 74101353Smike#define CRYPTO_CERT CRYPTO_CMD(2) /* certificate */ 75101353Smike#define CRYPTO_COOK CRYPTO_CMD(3) /* cookie value */ 76101353Smike#define CRYPTO_AUTO CRYPTO_CMD(4) /* autokey values */ 77101353Smike#define CRYPTO_LEAP CRYPTO_CMD(5) /* leapsecond values */ 78101353Smike#define CRYPTO_SIGN CRYPTO_CMD(6) /* certificate sign */ 79101353Smike#define CRYPTO_IFF CRYPTO_CMD(7) /* IFF identity scheme */ 80107592Sru#define CRYPTO_GQ CRYPTO_CMD(8) /* GQ identity scheme */ 81107592Sru#define CRYPTO_MV CRYPTO_CMD(9) /* MV identity scheme */ 82101353Smike#define CRYPTO_RESP 0x80000000 /* response */ 83101353Smike#define CRYPTO_ERROR 0x40000000 /* error */ 84101353Smike 85101353Smike/* 86101353Smike * Autokey event codes 87101353Smike */ 88101353Smike#define XEVNT_CMD(x) (CRPT_EVENT | (x)) 89107592Sru#define XEVNT_OK XEVNT_CMD(0) /* success */ 90107592Sru#define XEVNT_LEN XEVNT_CMD(1) /* bad field format or length */ 91101353Smike#define XEVNT_TSP XEVNT_CMD(2) /* bad timestamp */ 92101353Smike#define XEVNT_FSP XEVNT_CMD(3) /* bad filestamp */ 93101353Smike#define XEVNT_PUB XEVNT_CMD(4) /* bad or missing public key */ 94101353Smike#define XEVNT_MD XEVNT_CMD(5) /* unsupported digest type */ 95101353Smike#define XEVNT_KEY XEVNT_CMD(6) /* unsupported identity type */ 96107592Sru#define XEVNT_SGL XEVNT_CMD(7) /* bad signature length */ 97101353Smike#define XEVNT_SIG XEVNT_CMD(8) /* signature not verified */ 98101353Smike#define XEVNT_VFY XEVNT_CMD(9) /* certificate not verified */ 99101353Smike#define XEVNT_PER XEVNT_CMD(10) /* host certificate expired */ 100101353Smike#define XEVNT_CKY XEVNT_CMD(11) /* bad or missing cookie */ 101101353Smike#define XEVNT_DAT XEVNT_CMD(12) /* bad or missing leapseconds */ 102101353Smike#define XEVNT_CRT XEVNT_CMD(13) /* bad or missing certificate */ 103101353Smike#define XEVNT_ID XEVNT_CMD(14) /* bad or missing group key */ 104101353Smike#define XEVNT_ERR XEVNT_CMD(15) /* protocol error */ 105101677Sschweikh 106107592Sru/* 107101353Smike * Miscellaneous crypto stuff 108101353Smike */ 109101353Smike#define NTP_MAXSESSION 100 /* maximum session key list entries */ 110101353Smike#define NTP_MAXEXTEN 2048 /* maximum extension field size */ 111101353Smike#define NTP_AUTOMAX 12 /* default key list timeout (log2 s) */ 112101353Smike#define KEY_REVOKE 17 /* default key revoke timeout (log2 s) */ 113101353Smike#define NTP_REFRESH 19 /* default restart timeout (log2 s) */ 114101353Smike#define NTP_MAXKEY 65535 /* maximum symmetric key ID */ 115101353Smike 116101353Smike/* 117107592Sru * The autokey structure holds the values used to authenticate key IDs. 118101353Smike */ 119101353Smikestruct autokey { /* network byte order */ 120101353Smike keyid_t key; /* key ID */ 121101353Smike int32 seq; /* key number */ 122101353Smike}; 123101353Smike 124101353Smike/* 125101353Smike * The value structure holds variable length data such as public 126101353Smike * key, agreement parameters, public valule and leapsecond table. 127101353Smike * They are in network byte order. 128101353Smike */ 129101353Smikestruct value { /* network byte order */ 130101353Smike tstamp_t tstamp; /* timestamp */ 131101353Smike tstamp_t fstamp; /* filestamp */ 132101353Smike u_int32 vallen; /* value length */ 133101353Smike void *ptr; /* data pointer (various) */ 134101353Smike u_int32 siglen; /* signature length */ 135101353Smike u_char *sig; /* signature */ 136101353Smike}; 137101353Smike 138101353Smike/* 139101353Smike * The packet extension field structures are used to hold values 140101353Smike * and signatures in network byte order. 141101353Smike */ 142101353Smikestruct exten { 143101353Smike u_int32 opcode; /* opcode */ 144101353Smike u_int32 associd; /* association ID */ 145107592Sru u_int32 tstamp; /* timestamp */ 146107592Sru u_int32 fstamp; /* filestamp */ 147101353Smike u_int32 vallen; /* value length */ 148101353Smike u_int32 pkt[1]; /* start of value field */ 149101353Smike}; 150101353Smike 151101353Smike 152101353Smike/* 153101353Smike * The certificate info/value structure 154101353Smike */ 155101353Smikestruct cert_info { 156101353Smike struct cert_info *link; /* forward link */ 157101353Smike u_int flags; /* flags that wave */ 158101353Smike EVP_PKEY *pkey; /* generic key */ 159101353Smike long version; /* X509 version */ 160107592Sru int nid; /* signature/digest ID */ 161101353Smike const EVP_MD *digest; /* message digest algorithm */ 162101353Smike u_long serial; /* serial number */ 163101353Smike struct calendar first; /* not valid before */ 164101353Smike struct calendar last; /* not valid after */ 165101353Smike char *subject; /* subject common name */ 166101353Smike char *issuer; /* issuer common name */ 167101353Smike BIGNUM *grpkey; /* GQ group key */ 168101353Smike struct value cert; /* certificate/value */ 169101353Smike}; 170101353Smike 171101353Smike/* 172107619Sru * The keys info/value structure 173101353Smike */ 174101353Smikestruct pkey_info { 175101353Smike struct pkey_info *link; /* forward link */ 176101353Smike EVP_PKEY *pkey; /* generic key */ 177101353Smike char *name; /* file name */ 178107619Sru tstamp_t fstamp; /* filestamp */ 179101353Smike}; 180101353Smike 181101353Smike/* 182107592Sru * Cryptographic values 183107592Sru */ 184101353Smikeextern u_int crypto_flags; /* status word */ 185101353Smikeextern int crypto_nid; /* digest nid */ 186101677Sschweikhextern struct value hostval; /* host name/value */ 187107619Sruextern struct cert_info *cinfo; /* host certificate information */ 188101353Smikeextern struct value tai_leap; /* leapseconds table */ 189107592Sru#endif /* AUTOKEY */ 190101353Smike#endif /* NTP_CRYPTO_H */ 191107592Sru