1/* 2 * ntp_crypto.h - definitions for cryptographic operations 3 */ 4#ifndef NTP_CRYPTO_H 5#define NTP_CRYPTO_H 6 7/* 8 * Configuration codes (also needed for parser without AUTOKEY) 9 */ 10#define CRYPTO_CONF_NONE 0 /* nothing doing */ 11#define CRYPTO_CONF_PRIV 1 /* host name */ 12#define CRYPTO_CONF_IDENT 2 /* group name */ 13#define CRYPTO_CONF_CERT 3 /* certificate file name */ 14#define CRYPTO_CONF_RAND 4 /* random seed file name */ 15#define CRYPTO_CONF_IFFPAR 5 /* IFF parameters file name */ 16#define CRYPTO_CONF_GQPAR 6 /* GQ parameters file name */ 17#define CRYPTO_CONF_MVPAR 7 /* MV parameters file name */ 18#define CRYPTO_CONF_PW 8 /* private key password */ 19#define CRYPTO_CONF_NID 9 /* specify digest name */ 20 21#ifdef AUTOKEY 22#ifndef OPENSSL 23#error AUTOKEY should be defined only if OPENSSL is. 24invalidsyntax: AUTOKEY should be defined only if OPENSSL is. 25#endif 26 27#include "openssl/bn.h" 28#include "openssl/evp.h" 29#include "ntp_calendar.h" /* for fields in the cert_info structure */ 30 31 32/* 33 * The following bits are set by the CRYPTO_ASSOC message from 34 * the server and are not modified by the client. 35 */ 36#define CRYPTO_FLAG_ENAB 0x0001 /* crypto enable */ 37#define CRYPTO_FLAG_TAI 0x0002 /* leapseconds table */ 38 39#define CRYPTO_FLAG_PRIV 0x0010 /* PC identity scheme */ 40#define CRYPTO_FLAG_IFF 0x0020 /* IFF identity scheme */ 41#define CRYPTO_FLAG_GQ 0x0040 /* GQ identity scheme */ 42#define CRYPTO_FLAG_MV 0x0080 /* MV identity scheme */ 43#define CRYPTO_FLAG_MASK 0x00f0 /* identity scheme mask */ 44 45/* 46 * The following bits are used by the client during the protocol 47 * exchange. 48 */ 49#define CRYPTO_FLAG_CERT 0x0100 /* public key verified */ 50#define CRYPTO_FLAG_VRFY 0x0200 /* identity verified */ 51#define CRYPTO_FLAG_PROV 0x0400 /* signature verified */ 52#define CRYPTO_FLAG_COOK 0x0800 /* cookie verifed */ 53#define CRYPTO_FLAG_AUTO 0x1000 /* autokey verified */ 54#define CRYPTO_FLAG_SIGN 0x2000 /* certificate signed */ 55#define CRYPTO_FLAG_LEAP 0x4000 /* leapsecond values verified */ 56#define CRYPTO_FLAG_ALL 0x7f00 /* all mask */ 57 58/* 59 * Flags used for certificate management 60 */ 61#define CERT_TRUST 0x01 /* certificate is trusted */ 62#define CERT_SIGN 0x02 /* certificate is signed */ 63#define CERT_VALID 0x04 /* certificate is valid */ 64#define CERT_PRIV 0x08 /* certificate is private */ 65#define CERT_ERROR 0x80 /* certificate has errors */ 66 67/* 68 * Extension field definitions 69 */ 70#define CRYPTO_MAXLEN 1024 /* max extension field length */ 71#define CRYPTO_VN 2 /* current protocol version number */ 72#define CRYPTO_CMD(x) (((CRYPTO_VN << 8) | (x)) << 16) 73#define CRYPTO_NULL CRYPTO_CMD(0) /* no operation */ 74#define CRYPTO_ASSOC CRYPTO_CMD(1) /* association */ 75#define CRYPTO_CERT CRYPTO_CMD(2) /* certificate */ 76#define CRYPTO_COOK CRYPTO_CMD(3) /* cookie value */ 77#define CRYPTO_AUTO CRYPTO_CMD(4) /* autokey values */ 78#define CRYPTO_LEAP CRYPTO_CMD(5) /* leapsecond values */ 79#define CRYPTO_SIGN CRYPTO_CMD(6) /* certificate sign */ 80#define CRYPTO_IFF CRYPTO_CMD(7) /* IFF identity scheme */ 81#define CRYPTO_GQ CRYPTO_CMD(8) /* GQ identity scheme */ 82#define CRYPTO_MV CRYPTO_CMD(9) /* MV identity scheme */ 83#define CRYPTO_RESP 0x80000000 /* response */ 84#define CRYPTO_ERROR 0x40000000 /* error */ 85 86/* 87 * Autokey event codes 88 */ 89#define XEVNT_CMD(x) (CRPT_EVENT | (x)) 90#define XEVNT_OK XEVNT_CMD(0) /* success */ 91#define XEVNT_LEN XEVNT_CMD(1) /* bad field format or length */ 92#define XEVNT_TSP XEVNT_CMD(2) /* bad timestamp */ 93#define XEVNT_FSP XEVNT_CMD(3) /* bad filestamp */ 94#define XEVNT_PUB XEVNT_CMD(4) /* bad or missing public key */ 95#define XEVNT_MD XEVNT_CMD(5) /* unsupported digest type */ 96#define XEVNT_KEY XEVNT_CMD(6) /* unsupported identity type */ 97#define XEVNT_SGL XEVNT_CMD(7) /* bad signature length */ 98#define XEVNT_SIG XEVNT_CMD(8) /* signature not verified */ 99#define XEVNT_VFY XEVNT_CMD(9) /* certificate not verified */ 100#define XEVNT_PER XEVNT_CMD(10) /* host certificate expired */ 101#define XEVNT_CKY XEVNT_CMD(11) /* bad or missing cookie */ 102#define XEVNT_DAT XEVNT_CMD(12) /* bad or missing leapseconds */ 103#define XEVNT_CRT XEVNT_CMD(13) /* bad or missing certificate */ 104#define XEVNT_ID XEVNT_CMD(14) /* bad or missing group key */ 105#define XEVNT_ERR XEVNT_CMD(15) /* protocol error */ 106 107/* 108 * Miscellaneous crypto stuff 109 */ 110#define NTP_MAXSESSION 100 /* maximum session key list entries */ 111#define NTP_MAXEXTEN 2048 /* maximum extension field size */ 112#define NTP_AUTOMAX 12 /* default key list timeout (log2 s) */ 113#define KEY_REVOKE 17 /* default key revoke timeout (log2 s) */ 114#define NTP_REFRESH 19 /* default restart timeout (log2 s) */ 115#define NTP_MAXKEY 65535 /* maximum symmetric key ID */ 116 117/* 118 * The autokey structure holds the values used to authenticate key IDs. 119 */ 120struct autokey { /* network byte order */ 121 keyid_t key; /* key ID */ 122 int32 seq; /* key number */ 123}; 124 125/* 126 * The value structure holds variable length data such as public 127 * key, agreement parameters, public valule and leapsecond table. 128 * They are in network byte order. 129 */ 130struct value { /* network byte order */ 131 tstamp_t tstamp; /* timestamp */ 132 tstamp_t fstamp; /* filestamp */ 133 u_int32 vallen; /* value length */ 134 void *ptr; /* data pointer (various) */ 135 u_int32 siglen; /* signature length */ 136 u_char *sig; /* signature */ 137}; 138 139/* 140 * The packet extension field structures are used to hold values 141 * and signatures in network byte order. 142 */ 143struct exten { 144 u_int32 opcode; /* opcode */ 145 u_int32 associd; /* association ID */ 146 u_int32 tstamp; /* timestamp */ 147 u_int32 fstamp; /* filestamp */ 148 u_int32 vallen; /* value length */ 149 u_int32 pkt[1]; /* start of value field */ 150}; 151 152 153/* 154 * The certificate info/value structure 155 */ 156struct cert_info { 157 struct cert_info *link; /* forward link */ 158 u_int flags; /* flags that wave */ 159 EVP_PKEY *pkey; /* generic key */ 160 long version; /* X509 version */ 161 int nid; /* signature/digest ID */ 162 const EVP_MD *digest; /* message digest algorithm */ 163 u_long serial; /* serial number */ 164 struct calendar first; /* not valid before */ 165 struct calendar last; /* not valid after */ 166 char *subject; /* subject common name */ 167 char *issuer; /* issuer common name */ 168 BIGNUM *grpkey; /* GQ group key */ 169 struct value cert; /* certificate/value */ 170}; 171 172/* 173 * The keys info/value structure 174 */ 175struct pkey_info { 176 struct pkey_info *link; /* forward link */ 177 EVP_PKEY *pkey; /* generic key */ 178 char *name; /* file name */ 179 tstamp_t fstamp; /* filestamp */ 180}; 181 182/* 183 * Cryptographic values 184 */ 185extern u_int crypto_flags; /* status word */ 186extern int crypto_nid; /* digest nid */ 187extern struct value hostval; /* host name/value */ 188extern struct cert_info *cinfo; /* host certificate information */ 189extern struct value tai_leap; /* leapseconds table */ 190#endif /* AUTOKEY */ 191#endif /* NTP_CRYPTO_H */ 192