ntp_crypto.h revision 285612 
1101353Smike/*
2101353Smike * ntp_crypto.h - definitions for cryptographic operations
3101353Smike */
4101353Smike#ifndef NTP_CRYPTO_H
5101353Smike#define NTP_CRYPTO_H
6101353Smike
7101353Smike/*
8101353Smike * Configuration codes (also needed for parser without AUTOKEY)
9101353Smike */
10101353Smike#define CRYPTO_CONF_NONE  0	/* nothing doing */
11101353Smike#define CRYPTO_CONF_PRIV  1	/* host name */
12101353Smike#define CRYPTO_CONF_IDENT 2	/* group name */
13101353Smike#define CRYPTO_CONF_CERT  3	/* certificate file name */
14101353Smike#define CRYPTO_CONF_RAND  4	/* random seed file name */
15101353Smike#define CRYPTO_CONF_IFFPAR 5	/* IFF parameters file name */
16101353Smike#define CRYPTO_CONF_GQPAR 6	/* GQ parameters file name */
17101353Smike#define	CRYPTO_CONF_MVPAR 7	/* MV parameters file name */
18101353Smike#define CRYPTO_CONF_PW	  8	/* private key password */
19101353Smike#define	CRYPTO_CONF_NID   9	/* specify digest name */
20101353Smike
21101353Smike#ifdef AUTOKEY
22101353Smike#ifndef OPENSSL
23101353Smike#error AUTOKEY should be defined only if OPENSSL is.
24101353Smikeinvalidsyntax: AUTOKEY should be defined only if OPENSSL is.
25101353Smike#endif
26101353Smike
27101353Smike#include "openssl/evp.h"
28101353Smike#include "ntp_calendar.h"	/* for fields in the cert_info structure */
29101353Smike
30101353Smike
31101353Smike/*
32101353Smike * The following bits are set by the CRYPTO_ASSOC message from
33101353Smike * the server and are not modified by the client.
34101353Smike */
35101353Smike#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
36101353Smike#define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
37101353Smike
38101353Smike#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
39107592Sru#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
40107592Sru#define CRYPTO_FLAG_GQ	  0x0040 /* GQ identity scheme */
41107592Sru#define	CRYPTO_FLAG_MV	  0x0080 /* MV identity scheme */
42107592Sru#define CRYPTO_FLAG_MASK  0x00f0 /* identity scheme mask */
43101353Smike
44101353Smike/*
45101353Smike * The following bits are used by the client during the protocol
46101353Smike * exchange.
47107592Sru */
48107619Sru#define CRYPTO_FLAG_CERT  0x0100 /* public key verified */
49101353Smike#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
50101353Smike#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
51101353Smike#define CRYPTO_FLAG_COOK  0x0800 /* cookie verifed */
52101353Smike#define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
53101353Smike#define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
54101353Smike#define CRYPTO_FLAG_LEAP  0x4000 /* leapsecond values verified */
55101353Smike#define	CRYPTO_FLAG_ALL   0x7f00 /* all mask */
56101353Smike
57101353Smike/*
58101353Smike * Flags used for certificate management
59101353Smike */
60101353Smike#define	CERT_TRUST	0x01	/* certificate is trusted */
61101353Smike#define CERT_SIGN	0x02	/* certificate is signed */
62107592Sru#define CERT_VALID	0x04	/* certificate is valid */
63107592Sru#define CERT_PRIV	0x08	/* certificate is private */
64107592Sru#define CERT_ERROR	0x80	/* certificate has errors */
65101353Smike
66101353Smike/*
67107619Sru * Extension field definitions
68101353Smike */
69101353Smike#define	CRYPTO_MAXLEN	1024	/* max extension field length */
70101353Smike#define CRYPTO_VN	2	/* current protocol version number */
71107592Sru#define CRYPTO_CMD(x)	(((CRYPTO_VN << 8) | (x)) << 16)
72107592Sru#define CRYPTO_NULL	CRYPTO_CMD(0) /* no operation */
73101353Smike#define CRYPTO_ASSOC	CRYPTO_CMD(1) /* association */
74101353Smike#define CRYPTO_CERT	CRYPTO_CMD(2) /* certificate */
75101353Smike#define CRYPTO_COOK	CRYPTO_CMD(3) /* cookie value */
76101353Smike#define CRYPTO_AUTO	CRYPTO_CMD(4) /* autokey values */
77101353Smike#define CRYPTO_LEAP	CRYPTO_CMD(5) /* leapsecond values */
78101353Smike#define	CRYPTO_SIGN	CRYPTO_CMD(6) /* certificate sign */
79101353Smike#define CRYPTO_IFF	CRYPTO_CMD(7) /* IFF identity scheme */
80107592Sru#define CRYPTO_GQ	CRYPTO_CMD(8) /* GQ identity scheme */
81107592Sru#define	CRYPTO_MV	CRYPTO_CMD(9) /* MV identity scheme */
82101353Smike#define CRYPTO_RESP	0x80000000 /* response */
83101353Smike#define CRYPTO_ERROR	0x40000000 /* error */
84101353Smike
85101353Smike/*
86101353Smike * Autokey event codes
87101353Smike */
88101353Smike#define XEVNT_CMD(x)	(CRPT_EVENT | (x))
89107592Sru#define XEVNT_OK	XEVNT_CMD(0) /* success */
90107592Sru#define XEVNT_LEN	XEVNT_CMD(1) /* bad field format or length */
91101353Smike#define XEVNT_TSP	XEVNT_CMD(2) /* bad timestamp */
92101353Smike#define XEVNT_FSP	XEVNT_CMD(3) /* bad filestamp */
93101353Smike#define XEVNT_PUB	XEVNT_CMD(4) /* bad or missing public key */
94101353Smike#define XEVNT_MD	XEVNT_CMD(5) /* unsupported digest type */
95101353Smike#define XEVNT_KEY	XEVNT_CMD(6) /* unsupported identity type */
96107592Sru#define XEVNT_SGL	XEVNT_CMD(7) /* bad signature length */
97101353Smike#define XEVNT_SIG	XEVNT_CMD(8) /* signature not verified */
98101353Smike#define XEVNT_VFY	XEVNT_CMD(9) /* certificate not verified */
99101353Smike#define XEVNT_PER	XEVNT_CMD(10) /* host certificate expired */
100101353Smike#define XEVNT_CKY	XEVNT_CMD(11) /* bad or missing cookie */
101101353Smike#define XEVNT_DAT	XEVNT_CMD(12) /* bad or missing leapseconds */
102101353Smike#define XEVNT_CRT	XEVNT_CMD(13) /* bad or missing certificate */
103101353Smike#define XEVNT_ID	XEVNT_CMD(14) /* bad or missing group key */
104101353Smike#define	XEVNT_ERR	XEVNT_CMD(15) /* protocol error */
105101677Sschweikh
106107592Sru/*
107101353Smike * Miscellaneous crypto stuff
108101353Smike */
109101353Smike#define NTP_MAXSESSION	100	/* maximum session key list entries */
110101353Smike#define	NTP_MAXEXTEN	2048	/* maximum extension field size */
111101353Smike#define	NTP_AUTOMAX	12	/* default key list timeout (log2 s) */
112101353Smike#define	KEY_REVOKE	17	/* default key revoke timeout (log2 s) */
113101353Smike#define	NTP_REFRESH	19	/* default restart timeout (log2 s) */
114101353Smike#define	NTP_MAXKEY	65535	/* maximum symmetric key ID */
115101353Smike
116101353Smike/*
117107592Sru * The autokey structure holds the values used to authenticate key IDs.
118101353Smike */
119101353Smikestruct autokey {		/* network byte order */
120101353Smike	keyid_t	key;		/* key ID */
121101353Smike	int32	seq;		/* key number */
122101353Smike};
123101353Smike
124101353Smike/*
125101353Smike * The value structure holds variable length data such as public
126101353Smike * key, agreement parameters, public valule and leapsecond table.
127101353Smike * They are in network byte order.
128101353Smike */
129101353Smikestruct value {			/* network byte order */
130101353Smike	tstamp_t tstamp;	/* timestamp */
131101353Smike	tstamp_t fstamp;	/* filestamp */
132101353Smike	u_int32	vallen;		/* value length */
133101353Smike	void	*ptr;		/* data pointer (various) */
134101353Smike	u_int32	siglen;		/* signature length */
135101353Smike	u_char	*sig;		/* signature */
136101353Smike};
137101353Smike
138101353Smike/*
139101353Smike * The packet extension field structures are used to hold values
140101353Smike * and signatures in network byte order.
141101353Smike */
142101353Smikestruct exten {
143101353Smike	u_int32	opcode;		/* opcode */
144101353Smike	u_int32	associd;	/* association ID */
145107592Sru	u_int32	tstamp;		/* timestamp */
146107592Sru	u_int32	fstamp;		/* filestamp */
147101353Smike	u_int32	vallen;		/* value length */
148101353Smike	u_int32	pkt[1];		/* start of value field */
149101353Smike};
150101353Smike
151101353Smike
152101353Smike/*
153101353Smike * The certificate info/value structure
154101353Smike */
155101353Smikestruct cert_info {
156101353Smike	struct cert_info *link;	/* forward link */
157101353Smike	u_int	flags;		/* flags that wave */
158101353Smike	EVP_PKEY *pkey;		/* generic key */
159101353Smike	long	version;	/* X509 version */
160107592Sru	int	nid;		/* signature/digest ID */
161101353Smike	const EVP_MD *digest;	/* message digest algorithm */
162101353Smike	u_long	serial;		/* serial number */
163101353Smike	struct calendar first;	/* not valid before */
164101353Smike	struct calendar last;	/* not valid after */
165101353Smike	char	*subject;	/* subject common name */
166101353Smike	char	*issuer;	/* issuer common name */
167101353Smike	BIGNUM	*grpkey;	/* GQ group key */
168101353Smike	struct value cert;	/* certificate/value */
169101353Smike};
170101353Smike
171101353Smike/*
172107619Sru * The keys info/value structure
173101353Smike */
174101353Smikestruct pkey_info {
175101353Smike	struct pkey_info *link; /* forward link */
176101353Smike	EVP_PKEY *pkey;		/* generic key */
177101353Smike	char	*name;		/* file name */
178107619Sru	tstamp_t fstamp;	/* filestamp */
179101353Smike};
180101353Smike
181101353Smike/*
182107592Sru * Cryptographic values
183107592Sru */
184101353Smikeextern	u_int	crypto_flags;	/* status word */
185101353Smikeextern	int	crypto_nid;	/* digest nid */
186101677Sschweikhextern	struct value hostval;	/* host name/value */
187107619Sruextern	struct cert_info *cinfo; /* host certificate information */
188101353Smikeextern	struct value tai_leap;	/* leapseconds table */
189107592Sru#endif /* AUTOKEY */
190101353Smike#endif /* NTP_CRYPTO_H */
191107592Sru