182498Sroberto/* 282498Sroberto * ntp_crypto.c - NTP version 4 public key routines 382498Sroberto */ 482498Sroberto#ifdef HAVE_CONFIG_H 582498Sroberto#include <config.h> 682498Sroberto#endif 782498Sroberto 8290001Sglebius#ifdef AUTOKEY 982498Sroberto#include <stdio.h> 10290001Sglebius#include <stdlib.h> /* strtoul */ 1182498Sroberto#include <sys/types.h> 12132451Sroberto#include <sys/param.h> 1382498Sroberto#include <unistd.h> 1482498Sroberto#include <fcntl.h> 1582498Sroberto 1682498Sroberto#include "ntpd.h" 1782498Sroberto#include "ntp_stdlib.h" 18132451Sroberto#include "ntp_unixtime.h" 1982498Sroberto#include "ntp_string.h" 20290001Sglebius#include "ntp_random.h" 21290001Sglebius#include "ntp_assert.h" 22290001Sglebius#include "ntp_calendar.h" 23290001Sglebius#include "ntp_leapsec.h" 2482498Sroberto 25132451Sroberto#include "openssl/bn.h" 26132451Sroberto#include "openssl/err.h" 27132451Sroberto#include "openssl/evp.h" 28132451Sroberto#include "openssl/pem.h" 29132451Sroberto#include "openssl/rand.h" 30132451Sroberto#include "openssl/x509v3.h" 31310419Sdelphij#include "libssl_compat.h" 32132451Sroberto 3382498Sroberto#ifdef KERNEL_PLL 3482498Sroberto#include "ntp_syscall.h" 3582498Sroberto#endif /* KERNEL_PLL */ 3682498Sroberto 3782498Sroberto/* 38290001Sglebius * calcomp - compare two calendar structures, ignoring yearday and weekday; like strcmp 39290001Sglebius * No, it's not a plotter. If you don't understand that, you're too young. 40290001Sglebius */ 41290001Sglebiusstatic int calcomp(struct calendar *pjd1, struct calendar *pjd2) 42290001Sglebius{ 43290001Sglebius int32_t diff; /* large enough to hold the signed difference between two uint16_t values */ 44290001Sglebius 45290001Sglebius diff = pjd1->year - pjd2->year; 46290001Sglebius if (diff < 0) return -1; else if (diff > 0) return 1; 47290001Sglebius /* same year; compare months */ 48290001Sglebius diff = pjd1->month - pjd2->month; 49290001Sglebius if (diff < 0) return -1; else if (diff > 0) return 1; 50290001Sglebius /* same year and month; compare monthday */ 51290001Sglebius diff = pjd1->monthday - pjd2->monthday; 52290001Sglebius if (diff < 0) return -1; else if (diff > 0) return 1; 53290001Sglebius /* same year and month and monthday; compare time */ 54290001Sglebius diff = pjd1->hour - pjd2->hour; 55290001Sglebius if (diff < 0) return -1; else if (diff > 0) return 1; 56290001Sglebius diff = pjd1->minute - pjd2->minute; 57290001Sglebius if (diff < 0) return -1; else if (diff > 0) return 1; 58290001Sglebius diff = pjd1->second - pjd2->second; 59290001Sglebius if (diff < 0) return -1; else if (diff > 0) return 1; 60290001Sglebius /* identical */ 61290001Sglebius return 0; 62290001Sglebius} 63290001Sglebius 64290001Sglebius/* 65132451Sroberto * Extension field message format 6682498Sroberto * 67132451Sroberto * These are always signed and saved before sending in network byte 68132451Sroberto * order. They must be converted to and from host byte order for 69132451Sroberto * processing. 7082498Sroberto * 71132451Sroberto * +-------+-------+ 72132451Sroberto * | op | len | <- extension pointer 73132451Sroberto * +-------+-------+ 74290001Sglebius * | associd | 75132451Sroberto * +---------------+ 76132451Sroberto * | timestamp | <- value pointer 77132451Sroberto * +---------------+ 78132451Sroberto * | filestamp | 79132451Sroberto * +---------------+ 80132451Sroberto * | value len | 81132451Sroberto * +---------------+ 82132451Sroberto * | | 83132451Sroberto * = value = 84132451Sroberto * | | 85132451Sroberto * +---------------+ 86132451Sroberto * | signature len | 87132451Sroberto * +---------------+ 88132451Sroberto * | | 89132451Sroberto * = signature = 90132451Sroberto * | | 91132451Sroberto * +---------------+ 9282498Sroberto * 93132451Sroberto * The CRYPTO_RESP bit is set to 0 for requests, 1 for responses. 94132451Sroberto * Requests carry the association ID of the receiver; responses carry 95132451Sroberto * the association ID of the sender. Some messages include only the 96132451Sroberto * operation/length and association ID words and so have length 8 97132451Sroberto * octets. Ohers include the value structure and associated value and 98132451Sroberto * signature fields. These messages include the timestamp, filestamp, 99132451Sroberto * value and signature words and so have length at least 24 octets. The 100132451Sroberto * signature and/or value fields can be empty, in which case the 101132451Sroberto * respective length words are zero. An empty value with nonempty 102132451Sroberto * signature is syntactically valid, but semantically questionable. 103132451Sroberto * 104132451Sroberto * The filestamp represents the time when a cryptographic data file such 105132451Sroberto * as a public/private key pair is created. It follows every reference 106132451Sroberto * depending on that file and serves as a means to obsolete earlier data 107132451Sroberto * of the same type. The timestamp represents the time when the 108132451Sroberto * cryptographic data of the message were last signed. Creation of a 109132451Sroberto * cryptographic data file or signing a message can occur only when the 110132451Sroberto * creator or signor is synchronized to an authoritative source and 111132451Sroberto * proventicated to a trusted authority. 112132451Sroberto * 113290001Sglebius * Note there are several conditions required for server trust. First, 114290001Sglebius * the public key on the server certificate must be verified, which can 115290001Sglebius * involve a hike along the certificate trail to a trusted host. Next, 116290001Sglebius * the server trust must be confirmed by one of several identity 117290001Sglebius * schemes. Valid cryptographic values are signed with attached 118290001Sglebius * timestamp and filestamp. Individual packet trust is confirmed 119290001Sglebius * relative to these values by a message digest with keys generated by a 120290001Sglebius * reverse-order pseudorandom hash. 121290001Sglebius * 122290001Sglebius * State decomposition. These flags are lit in the order given. They are 123290001Sglebius * dim only when the association is demobilized. 124290001Sglebius * 125290001Sglebius * CRYPTO_FLAG_ENAB Lit upon acceptance of a CRYPTO_ASSOC message 126290001Sglebius * CRYPTO_FLAG_CERT Lit when a self-digned trusted certificate is 127290001Sglebius * accepted. 128290001Sglebius * CRYPTO_FLAG_VRFY Lit when identity is confirmed. 129290001Sglebius * CRYPTO_FLAG_PROV Lit when the first signature is verified. 130290001Sglebius * CRYPTO_FLAG_COOK Lit when a valid cookie is accepted. 131290001Sglebius * CRYPTO_FLAG_AUTO Lit when valid autokey values are accepted. 132290001Sglebius * CRYPTO_FLAG_SIGN Lit when the server signed certificate is 133290001Sglebius * accepted. 134290001Sglebius * CRYPTO_FLAG_LEAP Lit when the leapsecond values are accepted. 13582498Sroberto */ 13682498Sroberto/* 137132451Sroberto * Cryptodefines 13882498Sroberto */ 139132451Sroberto#define TAI_1972 10 /* initial TAI offset (s) */ 140132451Sroberto#define MAX_LEAP 100 /* max UTC leapseconds (s) */ 141132451Sroberto#define VALUE_LEN (6 * 4) /* min response field length */ 142281233Sdelphij#define MAX_VALLEN (65535 - VALUE_LEN) 143132451Sroberto#define YEAR (60 * 60 * 24 * 365) /* seconds in year */ 14482498Sroberto 14582498Sroberto/* 146132451Sroberto * Global cryptodata in host byte order 14782498Sroberto */ 148132451Srobertou_int32 crypto_flags = 0x0; /* status word */ 149290001Sglebiusint crypto_nid = KEY_TYPE_MD5; /* digest nid */ 150290001Sglebiuschar *sys_hostname = NULL; 151290001Sglebiuschar *sys_groupname = NULL; 152290001Sglebiusstatic char *host_filename = NULL; /* host file name */ 153290001Sglebiusstatic char *ident_filename = NULL; /* group file name */ 15482498Sroberto 15582498Sroberto/* 156132451Sroberto * Global cryptodata in network byte order 15782498Sroberto */ 158290001Sglebiusstruct cert_info *cinfo = NULL; /* certificate info/value cache */ 159290001Sglebiusstruct cert_info *cert_host = NULL; /* host certificate */ 160290001Sglebiusstruct pkey_info *pkinfo = NULL; /* key info/value cache */ 161132451Srobertostruct value hostval; /* host value */ 162132451Srobertostruct value pubkey; /* public key */ 163290001Sglebiusstruct value tai_leap; /* leapseconds values */ 164290001Sglebiusstruct pkey_info *iffkey_info = NULL; /* IFF keys */ 165290001Sglebiusstruct pkey_info *gqkey_info = NULL; /* GQ keys */ 166290001Sglebiusstruct pkey_info *mvkey_info = NULL; /* MV keys */ 16782498Sroberto 16882498Sroberto/* 169132451Sroberto * Private cryptodata in host byte order 17082498Sroberto */ 171132451Srobertostatic char *passwd = NULL; /* private key password */ 172132451Srobertostatic EVP_PKEY *host_pkey = NULL; /* host key */ 173132451Srobertostatic EVP_PKEY *sign_pkey = NULL; /* sign key */ 174132451Srobertostatic const EVP_MD *sign_digest = NULL; /* sign digest */ 175132451Srobertostatic u_int sign_siglen; /* sign key length */ 176132451Srobertostatic char *rand_file = NULL; /* random seed file */ 17782498Sroberto 17882498Sroberto/* 17982498Sroberto * Cryptotypes 18082498Sroberto */ 181290001Sglebiusstatic int crypto_verify (struct exten *, struct value *, 182290001Sglebius struct peer *); 183290001Sglebiusstatic int crypto_encrypt (const u_char *, u_int, keyid_t *, 184290001Sglebius struct value *); 185290001Sglebiusstatic int crypto_alice (struct peer *, struct value *); 186290001Sglebiusstatic int crypto_alice2 (struct peer *, struct value *); 187290001Sglebiusstatic int crypto_alice3 (struct peer *, struct value *); 188290001Sglebiusstatic int crypto_bob (struct exten *, struct value *); 189290001Sglebiusstatic int crypto_bob2 (struct exten *, struct value *); 190290001Sglebiusstatic int crypto_bob3 (struct exten *, struct value *); 191290001Sglebiusstatic int crypto_iff (struct exten *, struct peer *); 192290001Sglebiusstatic int crypto_gq (struct exten *, struct peer *); 193290001Sglebiusstatic int crypto_mv (struct exten *, struct peer *); 194290001Sglebiusstatic int crypto_send (struct exten *, struct value *, int); 195290001Sglebiusstatic tstamp_t crypto_time (void); 196290001Sglebiusstatic void asn_to_calendar (ASN1_TIME *, struct calendar*); 197290001Sglebiusstatic struct cert_info *cert_parse (const u_char *, long, tstamp_t); 198290001Sglebiusstatic int cert_sign (struct exten *, struct value *); 199290001Sglebiusstatic struct cert_info *cert_install (struct exten *, struct peer *); 200290001Sglebiusstatic int cert_hike (struct peer *, struct cert_info *); 201290001Sglebiusstatic void cert_free (struct cert_info *); 202290001Sglebiusstatic struct pkey_info *crypto_key (char *, char *, sockaddr_u *); 203290001Sglebiusstatic void bighash (BIGNUM *, BIGNUM *); 204290001Sglebiusstatic struct cert_info *crypto_cert (char *); 205290001Sglebiusstatic u_int exten_payload_size(const struct exten *); 20682498Sroberto 207132451Sroberto#ifdef SYS_WINNT 208132451Srobertoint 209132451Srobertoreadlink(char * link, char * file, int len) { 210132451Sroberto return (-1); 211132451Sroberto} 212132451Sroberto#endif 21382498Sroberto 21482498Sroberto/* 21582498Sroberto * session_key - generate session key 21682498Sroberto * 21782498Sroberto * This routine generates a session key from the source address, 21882498Sroberto * destination address, key ID and private value. The value of the 21982498Sroberto * session key is the MD5 hash of these values, while the next key ID is 22082498Sroberto * the first four octets of the hash. 221132451Sroberto * 222290001Sglebius * Returns the next key ID or 0 if there is no destination address. 22382498Sroberto */ 224132451Srobertokeyid_t 22582498Srobertosession_key( 226290001Sglebius sockaddr_u *srcadr, /* source address */ 227290001Sglebius sockaddr_u *dstadr, /* destination address */ 228132451Sroberto keyid_t keyno, /* key ID */ 229132451Sroberto keyid_t private, /* private value */ 230132451Sroberto u_long lifetime /* key lifetime */ 23182498Sroberto ) 23282498Sroberto{ 233310419Sdelphij EVP_MD_CTX *ctx; /* message digest context */ 234132451Sroberto u_char dgst[EVP_MAX_MD_SIZE]; /* message digest */ 235132451Sroberto keyid_t keyid; /* key identifer */ 236132451Sroberto u_int32 header[10]; /* data in network byte order */ 237132451Sroberto u_int hdlen, len; 23882498Sroberto 239182007Sroberto if (!dstadr) 240182007Sroberto return 0; 241182007Sroberto 24282498Sroberto /* 24382498Sroberto * Generate the session key and key ID. If the lifetime is 24482498Sroberto * greater than zero, install the key and call it trusted. 24582498Sroberto */ 246132451Sroberto hdlen = 0; 247290001Sglebius switch(AF(srcadr)) { 248132451Sroberto case AF_INET: 249290001Sglebius header[0] = NSRCADR(srcadr); 250290001Sglebius header[1] = NSRCADR(dstadr); 251132451Sroberto header[2] = htonl(keyno); 252132451Sroberto header[3] = htonl(private); 253132451Sroberto hdlen = 4 * sizeof(u_int32); 254132451Sroberto break; 255182007Sroberto 256132451Sroberto case AF_INET6: 257290001Sglebius memcpy(&header[0], PSOCK_ADDR6(srcadr), 258132451Sroberto sizeof(struct in6_addr)); 259290001Sglebius memcpy(&header[4], PSOCK_ADDR6(dstadr), 260132451Sroberto sizeof(struct in6_addr)); 261132451Sroberto header[8] = htonl(keyno); 262132451Sroberto header[9] = htonl(private); 263132451Sroberto hdlen = 10 * sizeof(u_int32); 264132451Sroberto break; 265132451Sroberto } 266310419Sdelphij ctx = EVP_MD_CTX_new(); 267310419Sdelphij EVP_DigestInit(ctx, EVP_get_digestbynid(crypto_nid)); 268310419Sdelphij EVP_DigestUpdate(ctx, (u_char *)header, hdlen); 269310419Sdelphij EVP_DigestFinal(ctx, dgst, &len); 270310419Sdelphij EVP_MD_CTX_free(ctx); 271132451Sroberto memcpy(&keyid, dgst, 4); 27282498Sroberto keyid = ntohl(keyid); 27382498Sroberto if (lifetime != 0) { 274294905Sdelphij MD5auth_setkey(keyno, crypto_nid, dgst, len, NULL); 27582498Sroberto authtrust(keyno, lifetime); 27682498Sroberto } 277290001Sglebius DPRINTF(2, ("session_key: %s > %s %08x %08x hash %08x life %lu\n", 278132451Sroberto stoa(srcadr), stoa(dstadr), keyno, 279290001Sglebius private, keyid, lifetime)); 280290001Sglebius 28182498Sroberto return (keyid); 28282498Sroberto} 28382498Sroberto 28482498Sroberto 28582498Sroberto/* 28682498Sroberto * make_keylist - generate key list 28782498Sroberto * 288182007Sroberto * Returns 289182007Sroberto * XEVNT_OK success 290290001Sglebius * XEVNT_ERR protocol error 291182007Sroberto * 29282498Sroberto * This routine constructs a pseudo-random sequence by repeatedly 29382498Sroberto * hashing the session key starting from a given source address, 29482498Sroberto * destination address, private value and the next key ID of the 29582498Sroberto * preceeding session key. The last entry on the list is saved along 29682498Sroberto * with its sequence number and public signature. 29782498Sroberto */ 298182007Srobertoint 29982498Srobertomake_keylist( 30082498Sroberto struct peer *peer, /* peer structure pointer */ 30182498Sroberto struct interface *dstadr /* interface */ 30282498Sroberto ) 30382498Sroberto{ 304310419Sdelphij EVP_MD_CTX *ctx; /* signature context */ 305132451Sroberto tstamp_t tstamp; /* NTP timestamp */ 30682498Sroberto struct autokey *ap; /* autokey pointer */ 307132451Sroberto struct value *vp; /* value pointer */ 308132451Sroberto keyid_t keyid = 0; /* next key ID */ 309132451Sroberto keyid_t cookie; /* private value */ 310290001Sglebius long lifetime; 311182007Sroberto u_int len, mpoll; 312132451Sroberto int i; 31382498Sroberto 314182007Sroberto if (!dstadr) 315290001Sglebius return XEVNT_ERR; 316182007Sroberto 31782498Sroberto /* 31882498Sroberto * Allocate the key list if necessary. 31982498Sroberto */ 320132451Sroberto tstamp = crypto_time(); 32182498Sroberto if (peer->keylist == NULL) 322290001Sglebius peer->keylist = eallocarray(NTP_MAXSESSION, 323290001Sglebius sizeof(keyid_t)); 32482498Sroberto 32582498Sroberto /* 32682498Sroberto * Generate an initial key ID which is unique and greater than 32782498Sroberto * NTP_MAXKEY. 32882498Sroberto */ 32982498Sroberto while (1) { 330290001Sglebius keyid = ntp_random() & 0xffffffff; 331290001Sglebius if (keyid <= NTP_MAXKEY) 332290001Sglebius continue; 333290001Sglebius 33482498Sroberto if (authhavekey(keyid)) 33582498Sroberto continue; 33682498Sroberto break; 33782498Sroberto } 33882498Sroberto 33982498Sroberto /* 34082498Sroberto * Generate up to NTP_MAXSESSION session keys. Stop if the 34182498Sroberto * next one would not be unique or not a session key ID or if 34282498Sroberto * it would expire before the next poll. The private value 34382498Sroberto * included in the hash is zero if broadcast mode, the peer 34482498Sroberto * cookie if client mode or the host cookie if symmetric modes. 34582498Sroberto */ 346182007Sroberto mpoll = 1 << min(peer->ppoll, peer->hpoll); 347290001Sglebius lifetime = min(1U << sys_automax, NTP_MAXSESSION * mpoll); 34882498Sroberto if (peer->hmode == MODE_BROADCAST) 34982498Sroberto cookie = 0; 35082498Sroberto else 351132451Sroberto cookie = peer->pcookie; 35282498Sroberto for (i = 0; i < NTP_MAXSESSION; i++) { 35382498Sroberto peer->keylist[i] = keyid; 35482498Sroberto peer->keynumber = i; 35582498Sroberto keyid = session_key(&dstadr->sin, &peer->srcadr, keyid, 356290001Sglebius cookie, lifetime + mpoll); 357182007Sroberto lifetime -= mpoll; 35882498Sroberto if (auth_havekey(keyid) || keyid <= NTP_MAXKEY || 359290001Sglebius lifetime < 0 || tstamp == 0) 36082498Sroberto break; 36182498Sroberto } 36282498Sroberto 36382498Sroberto /* 36482498Sroberto * Save the last session key ID, sequence number and timestamp, 36582498Sroberto * then sign these values for later retrieval by the clients. Be 366132451Sroberto * careful not to use invalid key media. Use the public values 367132451Sroberto * timestamp as filestamp. 36882498Sroberto */ 369132451Sroberto vp = &peer->sndval; 370132451Sroberto if (vp->ptr == NULL) 371132451Sroberto vp->ptr = emalloc(sizeof(struct autokey)); 372132451Sroberto ap = (struct autokey *)vp->ptr; 37382498Sroberto ap->seq = htonl(peer->keynumber); 37482498Sroberto ap->key = htonl(keyid); 375132451Sroberto vp->tstamp = htonl(tstamp); 376132451Sroberto vp->fstamp = hostval.tstamp; 377132451Sroberto vp->vallen = htonl(sizeof(struct autokey)); 378132451Sroberto vp->siglen = 0; 379182007Sroberto if (tstamp != 0) { 380132451Sroberto if (vp->sig == NULL) 381132451Sroberto vp->sig = emalloc(sign_siglen); 382310419Sdelphij ctx = EVP_MD_CTX_new(); 383310419Sdelphij EVP_SignInit(ctx, sign_digest); 384310419Sdelphij EVP_SignUpdate(ctx, (u_char *)vp, 12); 385310419Sdelphij EVP_SignUpdate(ctx, vp->ptr, sizeof(struct autokey)); 386310419Sdelphij if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) { 387290001Sglebius INSIST(len <= sign_siglen); 388132451Sroberto vp->siglen = htonl(len); 389290001Sglebius peer->flags |= FLAG_ASSOC; 390290001Sglebius } 391310419Sdelphij EVP_MD_CTX_free(ctx); 392132451Sroberto } 393290001Sglebius DPRINTF(1, ("make_keys: %d %08x %08x ts %u fs %u poll %d\n", 394290001Sglebius peer->keynumber, keyid, cookie, ntohl(vp->tstamp), 395290001Sglebius ntohl(vp->fstamp), peer->hpoll)); 396182007Sroberto return (XEVNT_OK); 39782498Sroberto} 39882498Sroberto 39982498Sroberto 40082498Sroberto/* 40182498Sroberto * crypto_recv - parse extension fields 40282498Sroberto * 40382498Sroberto * This routine is called when the packet has been matched to an 40482498Sroberto * association and passed sanity, format and MAC checks. We believe the 40582498Sroberto * extension field values only if the field has proper format and 40682498Sroberto * length, the timestamp and filestamp are valid and the signature has 40782498Sroberto * valid length and is verified. There are a few cases where some values 408132451Sroberto * are believed even if the signature fails, but only if the proventic 40982498Sroberto * bit is not set. 410290001Sglebius * 411290001Sglebius * Returns 412290001Sglebius * XEVNT_OK success 413290001Sglebius * XEVNT_ERR protocol error 414290001Sglebius * XEVNT_LEN bad field format or length 41582498Sroberto */ 416132451Srobertoint 41782498Srobertocrypto_recv( 41882498Sroberto struct peer *peer, /* peer structure pointer */ 41982498Sroberto struct recvbuf *rbufp /* packet buffer pointer */ 42082498Sroberto ) 42182498Sroberto{ 422132451Sroberto const EVP_MD *dp; /* message digest algorithm */ 423132451Sroberto u_int32 *pkt; /* receive packet pointer */ 424132451Sroberto struct autokey *ap, *bp; /* autokey pointer */ 425132451Sroberto struct exten *ep, *fp; /* extension pointers */ 426290001Sglebius struct cert_info *xinfo; /* certificate info pointer */ 427290001Sglebius int macbytes; /* length of MAC field, signed by intention */ 428132451Sroberto int authlen; /* offset of MAC field */ 429132451Sroberto associd_t associd; /* association ID */ 430132451Sroberto tstamp_t fstamp = 0; /* filestamp */ 431132451Sroberto u_int len; /* extension field length */ 432132451Sroberto u_int code; /* extension field opcode */ 433132451Sroberto u_int vallen = 0; /* value length */ 434132451Sroberto X509 *cert; /* X509 certificate */ 435132451Sroberto char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ 436132451Sroberto keyid_t cookie; /* crumbles */ 437182007Sroberto int hismode; /* packet mode */ 438132451Sroberto int rval = XEVNT_OK; 439290001Sglebius const u_char *puch; 440132451Sroberto u_int32 temp32; 44182498Sroberto 44282498Sroberto /* 44382498Sroberto * Initialize. Note that the packet has already been checked for 444132451Sroberto * valid format and extension field lengths. First extract the 445132451Sroberto * field length, command code and association ID in host byte 446132451Sroberto * order. These are used with all commands and modes. Then check 447132451Sroberto * the version number, which must be 2, and length, which must 448132451Sroberto * be at least 8 for requests and VALUE_LEN (24) for responses. 449132451Sroberto * Packets that fail either test sink without a trace. The 450132451Sroberto * association ID is saved only if nonzero. 45182498Sroberto */ 45282498Sroberto authlen = LEN_PKT_NOMAC; 453182007Sroberto hismode = (int)PKT_MODE((&rbufp->recv_pkt)->li_vn_mode); 454290001Sglebius while ((macbytes = rbufp->recv_length - authlen) > (int)MAX_MAC_LEN) { 455290001Sglebius /* We can be reasonably sure that we can read at least 456290001Sglebius * the opcode and the size field here. More stringent 457290001Sglebius * checks follow up shortly. 458290001Sglebius */ 459132451Sroberto pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4; 460132451Sroberto ep = (struct exten *)pkt; 461132451Sroberto code = ntohl(ep->opcode) & 0xffff0000; 462132451Sroberto len = ntohl(ep->opcode) & 0x0000ffff; 463290001Sglebius // HMS: Why pkt[1] instead of ep->associd ? 464290001Sglebius associd = (associd_t)ntohl(pkt[1]); 465132451Sroberto rval = XEVNT_OK; 466290001Sglebius DPRINTF(1, ("crypto_recv: flags 0x%x ext offset %d len %u code 0x%x associd %d\n", 467132451Sroberto peer->crypto, authlen, len, code >> 16, 468290001Sglebius associd)); 469132451Sroberto 470132451Sroberto /* 471132451Sroberto * Check version number and field length. If bad, 472132451Sroberto * quietly ignore the packet. 473132451Sroberto */ 474182007Sroberto if (((code >> 24) & 0x3f) != CRYPTO_VN || len < 8) { 475290001Sglebius sys_badlength++; 476132451Sroberto code |= CRYPTO_ERROR; 477132451Sroberto } 478132451Sroberto 479290001Sglebius /* Check if the declared size fits into the remaining 480293896Sglebius * buffer. We *know* 'macbytes' > 0 here! 481132451Sroberto */ 482293896Sglebius if (len > (u_int)macbytes) { 483290001Sglebius DPRINTF(1, ("crypto_recv: possible attack detected, associd %d\n", 484290001Sglebius associd)); 485290001Sglebius return XEVNT_LEN; 486132451Sroberto } 487290001Sglebius 488290001Sglebius /* Check if the paylod of the extension fits into the 489290001Sglebius * declared frame. 490290001Sglebius */ 491132451Sroberto if (len >= VALUE_LEN) { 492132451Sroberto fstamp = ntohl(ep->fstamp); 493132451Sroberto vallen = ntohl(ep->vallen); 494281233Sdelphij /* 495281233Sdelphij * Bug 2761: I hope this isn't too early... 496281233Sdelphij */ 497281233Sdelphij if ( vallen == 0 498281233Sdelphij || len - VALUE_LEN < vallen) 499281233Sdelphij return XEVNT_LEN; 500132451Sroberto } 50182498Sroberto switch (code) { 50282498Sroberto 50382498Sroberto /* 504132451Sroberto * Install status word, host name, signature scheme and 505132451Sroberto * association ID. In OpenSSL the signature algorithm is 506132451Sroberto * bound to the digest algorithm, so the NID completely 507132451Sroberto * defines the signature scheme. Note the request and 508132451Sroberto * response are identical, but neither is validated by 509132451Sroberto * signature. The request is processed here only in 510182007Sroberto * symmetric modes. The server name field might be 511132451Sroberto * useful to implement access controls in future. 51282498Sroberto */ 513132451Sroberto case CRYPTO_ASSOC: 514132451Sroberto 515132451Sroberto /* 516290001Sglebius * If our state machine is running when this 517290001Sglebius * message arrives, the other fellow might have 518290001Sglebius * restarted. However, this could be an 519290001Sglebius * intruder, so just clamp the poll interval and 520290001Sglebius * find out for ourselves. Otherwise, pass the 521290001Sglebius * extension field to the transmit side. 522132451Sroberto */ 523290001Sglebius if (peer->crypto & CRYPTO_FLAG_CERT) { 524182007Sroberto rval = XEVNT_ERR; 525182007Sroberto break; 526182007Sroberto } 527290001Sglebius if (peer->cmmd) { 528290001Sglebius if (peer->assoc != associd) { 529290001Sglebius rval = XEVNT_ERR; 530290001Sglebius break; 531290001Sglebius } 532290001Sglebius free(peer->cmmd); /* will be set again! */ 533290001Sglebius } 534132451Sroberto fp = emalloc(len); 535132451Sroberto memcpy(fp, ep, len); 536290001Sglebius fp->associd = htonl(peer->associd); 537132451Sroberto peer->cmmd = fp; 538132451Sroberto /* fall through */ 539132451Sroberto 54082498Sroberto case CRYPTO_ASSOC | CRYPTO_RESP: 541132451Sroberto 542132451Sroberto /* 543132451Sroberto * Discard the message if it has already been 544182007Sroberto * stored or the message has been amputated. 545132451Sroberto */ 546290001Sglebius if (peer->crypto) { 547290001Sglebius if (peer->assoc != associd) 548290001Sglebius rval = XEVNT_ERR; 549132451Sroberto break; 550290001Sglebius } 551290001Sglebius INSIST(len >= VALUE_LEN); 552182007Sroberto if (vallen == 0 || vallen > MAXHOSTNAME || 553281233Sdelphij len - VALUE_LEN < vallen) { 554132451Sroberto rval = XEVNT_LEN; 555132451Sroberto break; 55682498Sroberto } 557290001Sglebius DPRINTF(1, ("crypto_recv: ident host 0x%x %d server 0x%x %d\n", 558290001Sglebius crypto_flags, peer->associd, fstamp, 559290001Sglebius peer->assoc)); 560290001Sglebius temp32 = crypto_flags & CRYPTO_FLAG_MASK; 561132451Sroberto 562132451Sroberto /* 563290001Sglebius * If the client scheme is PC, the server scheme 564290001Sglebius * must be PC. The public key and identity are 565290001Sglebius * presumed valid, so we skip the certificate 566290001Sglebius * and identity exchanges and move immediately 567290001Sglebius * to the cookie exchange which confirms the 568290001Sglebius * server signature. 569132451Sroberto */ 570132451Sroberto if (crypto_flags & CRYPTO_FLAG_PRIV) { 571182007Sroberto if (!(fstamp & CRYPTO_FLAG_PRIV)) { 572132451Sroberto rval = XEVNT_KEY; 573182007Sroberto break; 574290001Sglebius } 575290001Sglebius fstamp |= CRYPTO_FLAG_CERT | 576290001Sglebius CRYPTO_FLAG_VRFY | CRYPTO_FLAG_SIGN; 577182007Sroberto 578182007Sroberto /* 579290001Sglebius * It is an error if either peer supports 580290001Sglebius * identity, but the other does not. 581182007Sroberto */ 582290001Sglebius } else if (hismode == MODE_ACTIVE || hismode == 583290001Sglebius MODE_PASSIVE) { 584290001Sglebius if ((temp32 && !(fstamp & 585290001Sglebius CRYPTO_FLAG_MASK)) || 586290001Sglebius (!temp32 && (fstamp & 587290001Sglebius CRYPTO_FLAG_MASK))) { 588290001Sglebius rval = XEVNT_KEY; 589290001Sglebius break; 590290001Sglebius } 591132451Sroberto } 592132451Sroberto 593132451Sroberto /* 594182007Sroberto * Discard the message if the signature digest 595182007Sroberto * NID is not supported. 596132451Sroberto */ 597132451Sroberto temp32 = (fstamp >> 16) & 0xffff; 598132451Sroberto dp = 599132451Sroberto (const EVP_MD *)EVP_get_digestbynid(temp32); 600182007Sroberto if (dp == NULL) { 601132451Sroberto rval = XEVNT_MD; 602132451Sroberto break; 603182007Sroberto } 604132451Sroberto 605132451Sroberto /* 606132451Sroberto * Save status word, host name and message 607290001Sglebius * digest/signature type. If this is from a 608290001Sglebius * broadcast and the association ID has changed, 609290001Sglebius * request the autokey values. 610132451Sroberto */ 611290001Sglebius peer->assoc = associd; 612290001Sglebius if (hismode == MODE_SERVER) 613290001Sglebius fstamp |= CRYPTO_FLAG_AUTO; 614290001Sglebius if (!(fstamp & CRYPTO_FLAG_TAI)) 615290001Sglebius fstamp |= CRYPTO_FLAG_LEAP; 616290001Sglebius RAND_bytes((u_char *)&peer->hcookie, 4); 617132451Sroberto peer->crypto = fstamp; 618132451Sroberto peer->digest = dp; 619290001Sglebius if (peer->subject != NULL) 620290001Sglebius free(peer->subject); 621132451Sroberto peer->subject = emalloc(vallen + 1); 622132451Sroberto memcpy(peer->subject, ep->pkt, vallen); 623132451Sroberto peer->subject[vallen] = '\0'; 624290001Sglebius if (peer->issuer != NULL) 625290001Sglebius free(peer->issuer); 626290001Sglebius peer->issuer = estrdup(peer->subject); 627290001Sglebius snprintf(statstr, sizeof(statstr), 628290001Sglebius "assoc %d %d host %s %s", peer->associd, 629290001Sglebius peer->assoc, peer->subject, 630290001Sglebius OBJ_nid2ln(temp32)); 631132451Sroberto record_crypto_stats(&peer->srcadr, statstr); 632290001Sglebius DPRINTF(1, ("crypto_recv: %s\n", statstr)); 63382498Sroberto break; 63482498Sroberto 63582498Sroberto /* 636132451Sroberto * Decode X509 certificate in ASN.1 format and extract 637132451Sroberto * the data containing, among other things, subject 638132451Sroberto * name and public key. In the default identification 639132451Sroberto * scheme, the certificate trail is followed to a self 640132451Sroberto * signed trusted certificate. 64182498Sroberto */ 642132451Sroberto case CRYPTO_CERT | CRYPTO_RESP: 643132451Sroberto 644132451Sroberto /* 645290001Sglebius * Discard the message if empty or invalid. 646132451Sroberto */ 647290001Sglebius if (len < VALUE_LEN) 648290001Sglebius break; 649290001Sglebius 650132451Sroberto if ((rval = crypto_verify(ep, NULL, peer)) != 651132451Sroberto XEVNT_OK) 652132451Sroberto break; 653132451Sroberto 654132451Sroberto /* 655132451Sroberto * Scan the certificate list to delete old 656132451Sroberto * versions and link the newest version first on 657290001Sglebius * the list. Then, verify the signature. If the 658290001Sglebius * certificate is bad or missing, just ignore 659290001Sglebius * it. 660132451Sroberto */ 661290001Sglebius if ((xinfo = cert_install(ep, peer)) == NULL) { 662290001Sglebius rval = XEVNT_CRT; 663132451Sroberto break; 664290001Sglebius } 665290001Sglebius if ((rval = cert_hike(peer, xinfo)) != XEVNT_OK) 666290001Sglebius break; 667132451Sroberto 668132451Sroberto /* 669182007Sroberto * We plug in the public key and lifetime from 670132451Sroberto * the first certificate received. However, note 671132451Sroberto * that this certificate might not be signed by 672132451Sroberto * the server, so we can't check the 673132451Sroberto * signature/digest NID. 674132451Sroberto */ 675132451Sroberto if (peer->pkey == NULL) { 676290001Sglebius puch = xinfo->cert.ptr; 677290001Sglebius cert = d2i_X509(NULL, &puch, 678290001Sglebius ntohl(xinfo->cert.vallen)); 679132451Sroberto peer->pkey = X509_get_pubkey(cert); 680132451Sroberto X509_free(cert); 68182498Sroberto } 682182007Sroberto peer->flash &= ~TEST8; 683290001Sglebius temp32 = xinfo->nid; 684290001Sglebius snprintf(statstr, sizeof(statstr), 685290001Sglebius "cert %s %s 0x%x %s (%u) fs %u", 686290001Sglebius xinfo->subject, xinfo->issuer, xinfo->flags, 687132451Sroberto OBJ_nid2ln(temp32), temp32, 688132451Sroberto ntohl(ep->fstamp)); 689132451Sroberto record_crypto_stats(&peer->srcadr, statstr); 690290001Sglebius DPRINTF(1, ("crypto_recv: %s\n", statstr)); 69182498Sroberto break; 69282498Sroberto 69382498Sroberto /* 694290001Sglebius * Schnorr (IFF) identity scheme. This scheme is 695290001Sglebius * designed for use with shared secret server group keys 696290001Sglebius * and where the certificate may be generated by a third 697290001Sglebius * party. The client sends a challenge to the server, 698290001Sglebius * which performs a calculation and returns the result. 699290001Sglebius * A positive result is possible only if both client and 700132451Sroberto * server contain the same secret group key. 70182498Sroberto */ 702132451Sroberto case CRYPTO_IFF | CRYPTO_RESP: 70382498Sroberto 704132451Sroberto /* 705290001Sglebius * Discard the message if invalid. 706132451Sroberto */ 707132451Sroberto if ((rval = crypto_verify(ep, NULL, peer)) != 708132451Sroberto XEVNT_OK) 709132451Sroberto break; 710132451Sroberto 71182498Sroberto /* 712290001Sglebius * If the challenge matches the response, the 713290001Sglebius * server public key, signature and identity are 714132451Sroberto * all verified at the same time. The server is 715132451Sroberto * declared trusted, so we skip further 716290001Sglebius * certificate exchanges and move immediately to 717290001Sglebius * the cookie exchange. 71882498Sroberto */ 719132451Sroberto if ((rval = crypto_iff(ep, peer)) != XEVNT_OK) 720132451Sroberto break; 721132451Sroberto 722290001Sglebius peer->crypto |= CRYPTO_FLAG_VRFY; 723182007Sroberto peer->flash &= ~TEST8; 724290001Sglebius snprintf(statstr, sizeof(statstr), "iff %s fs %u", 725290001Sglebius peer->issuer, ntohl(ep->fstamp)); 726132451Sroberto record_crypto_stats(&peer->srcadr, statstr); 727290001Sglebius DPRINTF(1, ("crypto_recv: %s\n", statstr)); 72882498Sroberto break; 72982498Sroberto 73082498Sroberto /* 731132451Sroberto * Guillou-Quisquater (GQ) identity scheme. This scheme 732132451Sroberto * is designed for use with public certificates carrying 733132451Sroberto * the GQ public key in an extension field. The client 734132451Sroberto * sends a challenge to the server, which performs a 735132451Sroberto * calculation and returns the result. A positive result 736132451Sroberto * is possible only if both client and server contain 737132451Sroberto * the same group key and the server has the matching GQ 738132451Sroberto * private key. 73982498Sroberto */ 740132451Sroberto case CRYPTO_GQ | CRYPTO_RESP: 741132451Sroberto 742132451Sroberto /* 743290001Sglebius * Discard the message if invalid 744132451Sroberto */ 745132451Sroberto if ((rval = crypto_verify(ep, NULL, peer)) != 746132451Sroberto XEVNT_OK) 747132451Sroberto break; 748132451Sroberto 749132451Sroberto /* 750290001Sglebius * If the challenge matches the response, the 751290001Sglebius * server public key, signature and identity are 752132451Sroberto * all verified at the same time. The server is 753132451Sroberto * declared trusted, so we skip further 754290001Sglebius * certificate exchanges and move immediately to 755290001Sglebius * the cookie exchange. 756132451Sroberto */ 757132451Sroberto if ((rval = crypto_gq(ep, peer)) != XEVNT_OK) 758132451Sroberto break; 759132451Sroberto 760290001Sglebius peer->crypto |= CRYPTO_FLAG_VRFY; 761182007Sroberto peer->flash &= ~TEST8; 762290001Sglebius snprintf(statstr, sizeof(statstr), "gq %s fs %u", 763290001Sglebius peer->issuer, ntohl(ep->fstamp)); 764132451Sroberto record_crypto_stats(&peer->srcadr, statstr); 765290001Sglebius DPRINTF(1, ("crypto_recv: %s\n", statstr)); 76682498Sroberto break; 76782498Sroberto 76882498Sroberto /* 769290001Sglebius * Mu-Varadharajan (MV) identity scheme. This scheme is 770290001Sglebius * designed for use with three levels of trust, trusted 771290001Sglebius * host, server and client. The trusted host key is 772290001Sglebius * opaque to servers and clients; the server keys are 773290001Sglebius * opaque to clients and each client key is different. 774290001Sglebius * Client keys can be revoked without requiring new key 775290001Sglebius * generations. 77682498Sroberto */ 777132451Sroberto case CRYPTO_MV | CRYPTO_RESP: 778132451Sroberto 779132451Sroberto /* 780290001Sglebius * Discard the message if invalid. 781132451Sroberto */ 782132451Sroberto if ((rval = crypto_verify(ep, NULL, peer)) != 783132451Sroberto XEVNT_OK) 784132451Sroberto break; 785132451Sroberto 786132451Sroberto /* 787290001Sglebius * If the challenge matches the response, the 788290001Sglebius * server public key, signature and identity are 789132451Sroberto * all verified at the same time. The server is 790132451Sroberto * declared trusted, so we skip further 791290001Sglebius * certificate exchanges and move immediately to 792290001Sglebius * the cookie exchange. 793132451Sroberto */ 794132451Sroberto if ((rval = crypto_mv(ep, peer)) != XEVNT_OK) 795132451Sroberto break; 796132451Sroberto 797290001Sglebius peer->crypto |= CRYPTO_FLAG_VRFY; 798182007Sroberto peer->flash &= ~TEST8; 799290001Sglebius snprintf(statstr, sizeof(statstr), "mv %s fs %u", 800290001Sglebius peer->issuer, ntohl(ep->fstamp)); 801132451Sroberto record_crypto_stats(&peer->srcadr, statstr); 802290001Sglebius DPRINTF(1, ("crypto_recv: %s\n", statstr)); 803132451Sroberto break; 80482498Sroberto 805132451Sroberto 806132451Sroberto /* 807132451Sroberto * Cookie response in client and symmetric modes. If the 808132451Sroberto * cookie bit is set, the working cookie is the EXOR of 809132451Sroberto * the current and new values. 810132451Sroberto */ 811132451Sroberto case CRYPTO_COOK | CRYPTO_RESP: 812132451Sroberto 81382498Sroberto /* 814290001Sglebius * Discard the message if invalid or signature 815290001Sglebius * not verified with respect to the cookie 816290001Sglebius * values. 81782498Sroberto */ 818132451Sroberto if ((rval = crypto_verify(ep, &peer->cookval, 819132451Sroberto peer)) != XEVNT_OK) 820132451Sroberto break; 821132451Sroberto 82282498Sroberto /* 823132451Sroberto * Decrypt the cookie, hunting all the time for 824132451Sroberto * errors. 82582498Sroberto */ 826290001Sglebius if (vallen == (u_int)EVP_PKEY_size(host_pkey)) { 827310419Sdelphij RSA *rsa = EVP_PKEY_get0_RSA(host_pkey); 828310419Sdelphij u_int32 *cookiebuf = malloc(RSA_size(rsa)); 829290001Sglebius if (!cookiebuf) { 830276157Sdes rval = XEVNT_CKY; 831276157Sdes break; 832276157Sdes } 833290001Sglebius 834276157Sdes if (RSA_private_decrypt(vallen, 835132451Sroberto (u_char *)ep->pkt, 836276157Sdes (u_char *)cookiebuf, 837310419Sdelphij rsa, 838276157Sdes RSA_PKCS1_OAEP_PADDING) != 4) { 839276157Sdes rval = XEVNT_CKY; 840276157Sdes free(cookiebuf); 841276157Sdes break; 842276157Sdes } else { 843276157Sdes cookie = ntohl(*cookiebuf); 844276157Sdes free(cookiebuf); 845276157Sdes } 846132451Sroberto } else { 847132451Sroberto rval = XEVNT_CKY; 848132451Sroberto break; 849132451Sroberto } 85082498Sroberto 85182498Sroberto /* 852132451Sroberto * Install cookie values and light the cookie 853132451Sroberto * bit. If this is not broadcast client mode, we 854132451Sroberto * are done here. 85582498Sroberto */ 856132451Sroberto key_expire(peer); 857290001Sglebius if (hismode == MODE_ACTIVE || hismode == 858290001Sglebius MODE_PASSIVE) 859290001Sglebius peer->pcookie = peer->hcookie ^ cookie; 860132451Sroberto else 861132451Sroberto peer->pcookie = cookie; 862290001Sglebius peer->crypto |= CRYPTO_FLAG_COOK; 863182007Sroberto peer->flash &= ~TEST8; 864290001Sglebius snprintf(statstr, sizeof(statstr), 865290001Sglebius "cook %x ts %u fs %u", peer->pcookie, 866290001Sglebius ntohl(ep->tstamp), ntohl(ep->fstamp)); 867132451Sroberto record_crypto_stats(&peer->srcadr, statstr); 868290001Sglebius DPRINTF(1, ("crypto_recv: %s\n", statstr)); 86982498Sroberto break; 87082498Sroberto 87182498Sroberto /* 872132451Sroberto * Install autokey values in broadcast client and 873132451Sroberto * symmetric modes. We have to do this every time the 874132451Sroberto * sever/peer cookie changes or a new keylist is 875132451Sroberto * rolled. Ordinarily, this is automatic as this message 876132451Sroberto * is piggybacked on the first NTP packet sent upon 877132451Sroberto * either of these events. Note that a broadcast client 878132451Sroberto * or symmetric peer can receive this response without a 879132451Sroberto * matching request. 88082498Sroberto */ 881132451Sroberto case CRYPTO_AUTO | CRYPTO_RESP: 88282498Sroberto 883132451Sroberto /* 884290001Sglebius * Discard the message if invalid or signature 885290001Sglebius * not verified with respect to the receive 886290001Sglebius * autokey values. 887132451Sroberto */ 888132451Sroberto if ((rval = crypto_verify(ep, &peer->recval, 889290001Sglebius peer)) != XEVNT_OK) 890132451Sroberto break; 891132451Sroberto 89282498Sroberto /* 893290001Sglebius * Discard the message if a broadcast client and 894290001Sglebius * the association ID does not match. This might 895290001Sglebius * happen if a broacast server restarts the 896290001Sglebius * protocol. A protocol restart will occur at 897290001Sglebius * the next ASSOC message. 898290001Sglebius */ 899290001Sglebius if ((peer->cast_flags & MDF_BCLNT) && 900290001Sglebius peer->assoc != associd) 901290001Sglebius break; 902290001Sglebius 903290001Sglebius /* 904132451Sroberto * Install autokey values and light the 905132451Sroberto * autokey bit. This is not hard. 90682498Sroberto */ 907290001Sglebius if (ep->tstamp == 0) 908290001Sglebius break; 909290001Sglebius 910132451Sroberto if (peer->recval.ptr == NULL) 911132451Sroberto peer->recval.ptr = 912132451Sroberto emalloc(sizeof(struct autokey)); 913132451Sroberto bp = (struct autokey *)peer->recval.ptr; 914132451Sroberto peer->recval.tstamp = ep->tstamp; 915132451Sroberto peer->recval.fstamp = ep->fstamp; 916132451Sroberto ap = (struct autokey *)ep->pkt; 917132451Sroberto bp->seq = ntohl(ap->seq); 918132451Sroberto bp->key = ntohl(ap->key); 919132451Sroberto peer->pkeyid = bp->key; 920132451Sroberto peer->crypto |= CRYPTO_FLAG_AUTO; 921182007Sroberto peer->flash &= ~TEST8; 922290001Sglebius snprintf(statstr, sizeof(statstr), 923132451Sroberto "auto seq %d key %x ts %u fs %u", bp->seq, 924132451Sroberto bp->key, ntohl(ep->tstamp), 925132451Sroberto ntohl(ep->fstamp)); 926132451Sroberto record_crypto_stats(&peer->srcadr, statstr); 927290001Sglebius DPRINTF(1, ("crypto_recv: %s\n", statstr)); 92882498Sroberto break; 929182007Sroberto 930182007Sroberto /* 931182007Sroberto * X509 certificate sign response. Validate the 932182007Sroberto * certificate signed by the server and install. Later 933182007Sroberto * this can be provided to clients of this server in 934182007Sroberto * lieu of the self signed certificate in order to 935182007Sroberto * validate the public key. 936182007Sroberto */ 937182007Sroberto case CRYPTO_SIGN | CRYPTO_RESP: 93882498Sroberto 939182007Sroberto /* 940290001Sglebius * Discard the message if invalid. 941182007Sroberto */ 942182007Sroberto if ((rval = crypto_verify(ep, NULL, peer)) != 943182007Sroberto XEVNT_OK) 944182007Sroberto break; 945182007Sroberto 946182007Sroberto /* 947182007Sroberto * Scan the certificate list to delete old 948182007Sroberto * versions and link the newest version first on 949182007Sroberto * the list. 950182007Sroberto */ 951290001Sglebius if ((xinfo = cert_install(ep, peer)) == NULL) { 952290001Sglebius rval = XEVNT_CRT; 953182007Sroberto break; 954290001Sglebius } 955182007Sroberto peer->crypto |= CRYPTO_FLAG_SIGN; 956182007Sroberto peer->flash &= ~TEST8; 957290001Sglebius temp32 = xinfo->nid; 958290001Sglebius snprintf(statstr, sizeof(statstr), 959290001Sglebius "sign %s %s 0x%x %s (%u) fs %u", 960290001Sglebius xinfo->subject, xinfo->issuer, xinfo->flags, 961182007Sroberto OBJ_nid2ln(temp32), temp32, 962182007Sroberto ntohl(ep->fstamp)); 963182007Sroberto record_crypto_stats(&peer->srcadr, statstr); 964290001Sglebius DPRINTF(1, ("crypto_recv: %s\n", statstr)); 965182007Sroberto break; 966182007Sroberto 96782498Sroberto /* 968290001Sglebius * Install leapseconds values. While the leapsecond 969290001Sglebius * values epoch, TAI offset and values expiration epoch 970290001Sglebius * are retained, only the current TAI offset is provided 971290001Sglebius * via the kernel to other applications. 97282498Sroberto */ 973290001Sglebius case CRYPTO_LEAP | CRYPTO_RESP: 974132451Sroberto /* 975290001Sglebius * Discard the message if invalid. We can't 976290001Sglebius * compare the value timestamps here, as they 977290001Sglebius * can be updated by different servers. 978132451Sroberto */ 979290001Sglebius rval = crypto_verify(ep, NULL, peer); 980290001Sglebius if ((rval != XEVNT_OK ) || 981290001Sglebius (vallen != 3*sizeof(uint32_t)) ) 982132451Sroberto break; 983132451Sroberto 984290001Sglebius /* Check if we can update the basic TAI offset 985290001Sglebius * for our current leap frame. This is a hack 986290001Sglebius * and ignores the time stamps in the autokey 987290001Sglebius * message. 988132451Sroberto */ 989290001Sglebius if (sys_leap != LEAP_NOTINSYNC) 990290001Sglebius leapsec_autokey_tai(ntohl(ep->pkt[0]), 991290001Sglebius rbufp->recv_time.l_ui, NULL); 992290001Sglebius tai_leap.tstamp = ep->tstamp; 993290001Sglebius tai_leap.fstamp = ep->fstamp; 994290001Sglebius crypto_update(); 995290001Sglebius mprintf_event(EVNT_TAI, peer, 996290001Sglebius "%d seconds", ntohl(ep->pkt[0])); 997132451Sroberto peer->crypto |= CRYPTO_FLAG_LEAP; 998182007Sroberto peer->flash &= ~TEST8; 999290001Sglebius snprintf(statstr, sizeof(statstr), 1000290001Sglebius "leap TAI offset %d at %u expire %u fs %u", 1001290001Sglebius ntohl(ep->pkt[0]), ntohl(ep->pkt[1]), 1002290001Sglebius ntohl(ep->pkt[2]), ntohl(ep->fstamp)); 1003132451Sroberto record_crypto_stats(&peer->srcadr, statstr); 1004290001Sglebius DPRINTF(1, ("crypto_recv: %s\n", statstr)); 100582498Sroberto break; 100682498Sroberto 100782498Sroberto /* 1008132451Sroberto * We come here in symmetric modes for miscellaneous 1009132451Sroberto * commands that have value fields but are processed on 1010132451Sroberto * the transmit side. All we need do here is check for 1011290001Sglebius * valid field length. Note that ASSOC is handled 1012290001Sglebius * separately. 101382498Sroberto */ 1014182007Sroberto case CRYPTO_CERT: 1015132451Sroberto case CRYPTO_IFF: 1016132451Sroberto case CRYPTO_GQ: 1017132451Sroberto case CRYPTO_MV: 1018290001Sglebius case CRYPTO_COOK: 1019132451Sroberto case CRYPTO_SIGN: 1020132451Sroberto if (len < VALUE_LEN) { 1021132451Sroberto rval = XEVNT_LEN; 102282498Sroberto break; 1023132451Sroberto } 1024132451Sroberto /* fall through */ 1025132451Sroberto 1026132451Sroberto /* 1027290001Sglebius * We come here in symmetric modes for requests 1028290001Sglebius * requiring a response (above plus AUTO and LEAP) and 1029290001Sglebius * for responses. If a request, save the extension field 1030290001Sglebius * for later; invalid requests will be caught on the 1031290001Sglebius * transmit side. If an error or invalid response, 1032290001Sglebius * declare a protocol error. 1033132451Sroberto */ 1034132451Sroberto default: 1035132451Sroberto if (code & (CRYPTO_RESP | CRYPTO_ERROR)) { 1036182007Sroberto rval = XEVNT_ERR; 1037290001Sglebius } else if (peer->cmmd == NULL) { 1038132451Sroberto fp = emalloc(len); 1039132451Sroberto memcpy(fp, ep, len); 1040132451Sroberto peer->cmmd = fp; 1041132451Sroberto } 104282498Sroberto } 1043132451Sroberto 1044132451Sroberto /* 1045132451Sroberto * The first error found terminates the extension field 1046290001Sglebius * scan and we return the laundry to the caller. 1047132451Sroberto */ 1048290001Sglebius if (rval != XEVNT_OK) { 1049290001Sglebius snprintf(statstr, sizeof(statstr), 1050290001Sglebius "%04x %d %02x %s", htonl(ep->opcode), 1051290001Sglebius associd, rval, eventstr(rval)); 1052182007Sroberto record_crypto_stats(&peer->srcadr, statstr); 1053290001Sglebius DPRINTF(1, ("crypto_recv: %s\n", statstr)); 1054290001Sglebius return (rval); 1055132451Sroberto } 1056290001Sglebius authlen += (len + 3) / 4 * 4; 105782498Sroberto } 1058132451Sroberto return (rval); 105982498Sroberto} 106082498Sroberto 106182498Sroberto 106282498Sroberto/* 106382498Sroberto * crypto_xmit - construct extension fields 106482498Sroberto * 106582498Sroberto * This routine is called both when an association is configured and 1066132451Sroberto * when one is not. The only case where this matters is to retrieve the 1067132451Sroberto * autokey information, in which case the caller has to provide the 106882498Sroberto * association ID to match the association. 1069132451Sroberto * 1070290001Sglebius * Side effect: update the packet offset. 1071290001Sglebius * 1072290001Sglebius * Errors 1073290001Sglebius * XEVNT_OK success 1074290001Sglebius * XEVNT_CRT bad or missing certificate 1075290001Sglebius * XEVNT_ERR protocol error 1076290001Sglebius * XEVNT_LEN bad field format or length 1077290001Sglebius * XEVNT_PER host certificate expired 107882498Sroberto */ 1079132451Srobertoint 108082498Srobertocrypto_xmit( 1081290001Sglebius struct peer *peer, /* peer structure pointer */ 1082132451Sroberto struct pkt *xpkt, /* transmit packet pointer */ 1083290001Sglebius struct recvbuf *rbufp, /* receive buffer pointer */ 1084132451Sroberto int start, /* offset to extension field */ 1085132451Sroberto struct exten *ep, /* extension pointer */ 1086132451Sroberto keyid_t cookie /* session cookie */ 108782498Sroberto ) 108882498Sroberto{ 1089290001Sglebius struct exten *fp; /* extension pointers */ 1090290001Sglebius struct cert_info *cp, *xp, *yp; /* cert info/value pointer */ 1091290001Sglebius sockaddr_u *srcadr_sin; /* source address */ 1092132451Sroberto u_int32 *pkt; /* packet pointer */ 1093132451Sroberto u_int opcode; /* extension field opcode */ 1094132451Sroberto char certname[MAXHOSTNAME + 1]; /* subject name buffer */ 1095132451Sroberto char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ 1096182007Sroberto tstamp_t tstamp; 1097290001Sglebius struct calendar tscal; 1098132451Sroberto u_int vallen; 1099132451Sroberto struct value vtemp; 1100132451Sroberto associd_t associd; 1101132451Sroberto int rval; 1102290001Sglebius int len; 1103132451Sroberto keyid_t tcookie; 110482498Sroberto 110582498Sroberto /* 110682498Sroberto * Generate the requested extension field request code, length 1107132451Sroberto * and association ID. If this is a response and the host is not 1108132451Sroberto * synchronized, light the error bit and go home. 110982498Sroberto */ 1110132451Sroberto pkt = (u_int32 *)xpkt + start / 4; 1111132451Sroberto fp = (struct exten *)pkt; 1112132451Sroberto opcode = ntohl(ep->opcode); 1113290001Sglebius if (peer != NULL) { 1114290001Sglebius srcadr_sin = &peer->srcadr; 1115290001Sglebius if (!(opcode & CRYPTO_RESP)) 1116290001Sglebius peer->opcode = ep->opcode; 1117290001Sglebius } else { 1118290001Sglebius srcadr_sin = &rbufp->recv_srcadr; 1119290001Sglebius } 1120132451Sroberto associd = (associd_t) ntohl(ep->associd); 112182498Sroberto len = 8; 1122290001Sglebius fp->opcode = htonl((opcode & 0xffff0000) | len); 1123290001Sglebius fp->associd = ep->associd; 1124132451Sroberto rval = XEVNT_OK; 1125182007Sroberto tstamp = crypto_time(); 1126132451Sroberto switch (opcode & 0xffff0000) { 112782498Sroberto 112882498Sroberto /* 1129132451Sroberto * Send association request and response with status word and 1130132451Sroberto * host name. Note, this message is not signed and the filestamp 1131182007Sroberto * contains only the status word. 113282498Sroberto */ 1133290001Sglebius case CRYPTO_ASSOC: 113482498Sroberto case CRYPTO_ASSOC | CRYPTO_RESP: 1135290001Sglebius len = crypto_send(fp, &hostval, start); 1136182007Sroberto fp->fstamp = htonl(crypto_flags); 1137182007Sroberto break; 1138182007Sroberto 113982498Sroberto /* 1140132451Sroberto * Send certificate request. Use the values from the extension 1141132451Sroberto * field. 114282498Sroberto */ 1143132451Sroberto case CRYPTO_CERT: 1144132451Sroberto memset(&vtemp, 0, sizeof(vtemp)); 1145132451Sroberto vtemp.tstamp = ep->tstamp; 1146132451Sroberto vtemp.fstamp = ep->fstamp; 1147132451Sroberto vtemp.vallen = ep->vallen; 1148182007Sroberto vtemp.ptr = (u_char *)ep->pkt; 1149290001Sglebius len = crypto_send(fp, &vtemp, start); 1150132451Sroberto break; 1151132451Sroberto 1152132451Sroberto /* 1153290001Sglebius * Send sign request. Use the host certificate, which is self- 1154290001Sglebius * signed and may or may not be trusted. 1155132451Sroberto */ 1156132451Sroberto case CRYPTO_SIGN: 1157290001Sglebius (void)ntpcal_ntp_to_date(&tscal, tstamp, NULL); 1158290001Sglebius if ((calcomp(&tscal, &(cert_host->first)) < 0) 1159290001Sglebius || (calcomp(&tscal, &(cert_host->last)) > 0)) 1160290001Sglebius rval = XEVNT_PER; 1161290001Sglebius else 1162290001Sglebius len = crypto_send(fp, &cert_host->cert, start); 1163290001Sglebius break; 1164290001Sglebius 1165290001Sglebius /* 1166290001Sglebius * Send certificate response. Use the name in the extension 1167290001Sglebius * field to find the certificate in the cache. If the request 1168290001Sglebius * contains no subject name, assume the name of this host. This 1169290001Sglebius * is for backwards compatibility. Private certificates are 1170290001Sglebius * never sent. 1171290001Sglebius * 1172290001Sglebius * There may be several certificates matching the request. First 1173290001Sglebius * choice is a self-signed trusted certificate; second choice is 1174290001Sglebius * any certificate signed by another host. There is no third 1175290001Sglebius * choice. 1176290001Sglebius */ 1177132451Sroberto case CRYPTO_CERT | CRYPTO_RESP: 1178290001Sglebius vallen = exten_payload_size(ep); /* Must be <64k */ 1179290001Sglebius if (vallen == 0 || vallen >= sizeof(certname) ) { 1180182007Sroberto rval = XEVNT_LEN; 118182498Sroberto break; 118282498Sroberto } 1183182007Sroberto 1184182007Sroberto /* 1185290001Sglebius * Find all public valid certificates with matching 1186290001Sglebius * subject. If a self-signed, trusted certificate is 1187290001Sglebius * found, use that certificate. If not, use the last non 1188290001Sglebius * self-signed certificate. 1189182007Sroberto */ 1190290001Sglebius memcpy(certname, ep->pkt, vallen); 1191290001Sglebius certname[vallen] = '\0'; 1192290001Sglebius xp = yp = NULL; 1193132451Sroberto for (cp = cinfo; cp != NULL; cp = cp->link) { 1194290001Sglebius if (cp->flags & (CERT_PRIV | CERT_ERROR)) 1195132451Sroberto continue; 1196182007Sroberto 1197290001Sglebius if (strcmp(certname, cp->subject) != 0) 1198290001Sglebius continue; 1199290001Sglebius 1200290001Sglebius if (strcmp(certname, cp->issuer) != 0) 1201290001Sglebius yp = cp; 1202290001Sglebius else if (cp ->flags & CERT_TRUST) 1203290001Sglebius xp = cp; 1204290001Sglebius continue; 1205132451Sroberto } 1206182007Sroberto 1207182007Sroberto /* 1208290001Sglebius * Be careful who you trust. If the certificate is not 1209290001Sglebius * found, return an empty response. Note that we dont 1210290001Sglebius * enforce lifetimes here. 1211182007Sroberto * 1212290001Sglebius * The timestamp and filestamp are taken from the 1213182007Sroberto * certificate value structure. For all certificates the 1214182007Sroberto * timestamp is the latest signature update time. For 1215182007Sroberto * host and imported certificates the filestamp is the 1216182007Sroberto * creation epoch. For signed certificates the filestamp 1217182007Sroberto * is the creation epoch of the trusted certificate at 1218290001Sglebius * the root of the certificate trail. In principle, this 1219182007Sroberto * allows strong checking for signature masquerade. 1220182007Sroberto */ 1221290001Sglebius if (xp == NULL) 1222290001Sglebius xp = yp; 1223290001Sglebius if (xp == NULL) 1224290001Sglebius break; 1225290001Sglebius 1226182007Sroberto if (tstamp == 0) 1227182007Sroberto break; 1228182007Sroberto 1229290001Sglebius len = crypto_send(fp, &xp->cert, start); 123082498Sroberto break; 123182498Sroberto 123282498Sroberto /* 1233132451Sroberto * Send challenge in Schnorr (IFF) identity scheme. 123482498Sroberto */ 1235132451Sroberto case CRYPTO_IFF: 1236290001Sglebius if (peer == NULL) 1237290001Sglebius break; /* hack attack */ 1238290001Sglebius 1239182007Sroberto if ((rval = crypto_alice(peer, &vtemp)) == XEVNT_OK) { 1240290001Sglebius len = crypto_send(fp, &vtemp, start); 1241182007Sroberto value_free(&vtemp); 1242182007Sroberto } 124382498Sroberto break; 124482498Sroberto 124582498Sroberto /* 1246132451Sroberto * Send response in Schnorr (IFF) identity scheme. 124782498Sroberto */ 1248132451Sroberto case CRYPTO_IFF | CRYPTO_RESP: 1249182007Sroberto if ((rval = crypto_bob(ep, &vtemp)) == XEVNT_OK) { 1250290001Sglebius len = crypto_send(fp, &vtemp, start); 1251182007Sroberto value_free(&vtemp); 1252182007Sroberto } 1253132451Sroberto break; 1254132451Sroberto 125582498Sroberto /* 1256132451Sroberto * Send challenge in Guillou-Quisquater (GQ) identity scheme. 125782498Sroberto */ 1258132451Sroberto case CRYPTO_GQ: 1259290001Sglebius if (peer == NULL) 1260290001Sglebius break; /* hack attack */ 1261290001Sglebius 1262182007Sroberto if ((rval = crypto_alice2(peer, &vtemp)) == XEVNT_OK) { 1263290001Sglebius len = crypto_send(fp, &vtemp, start); 1264182007Sroberto value_free(&vtemp); 1265182007Sroberto } 126682498Sroberto break; 126782498Sroberto 126882498Sroberto /* 1269132451Sroberto * Send response in Guillou-Quisquater (GQ) identity scheme. 127082498Sroberto */ 1271132451Sroberto case CRYPTO_GQ | CRYPTO_RESP: 1272182007Sroberto if ((rval = crypto_bob2(ep, &vtemp)) == XEVNT_OK) { 1273290001Sglebius len = crypto_send(fp, &vtemp, start); 1274182007Sroberto value_free(&vtemp); 1275182007Sroberto } 1276132451Sroberto break; 1277132451Sroberto 1278132451Sroberto /* 1279132451Sroberto * Send challenge in MV identity scheme. 1280132451Sroberto */ 1281132451Sroberto case CRYPTO_MV: 1282290001Sglebius if (peer == NULL) 1283290001Sglebius break; /* hack attack */ 1284290001Sglebius 1285182007Sroberto if ((rval = crypto_alice3(peer, &vtemp)) == XEVNT_OK) { 1286290001Sglebius len = crypto_send(fp, &vtemp, start); 1287182007Sroberto value_free(&vtemp); 1288182007Sroberto } 128982498Sroberto break; 129082498Sroberto 129182498Sroberto /* 1292132451Sroberto * Send response in MV identity scheme. 129382498Sroberto */ 1294132451Sroberto case CRYPTO_MV | CRYPTO_RESP: 1295182007Sroberto if ((rval = crypto_bob3(ep, &vtemp)) == XEVNT_OK) { 1296290001Sglebius len = crypto_send(fp, &vtemp, start); 1297182007Sroberto value_free(&vtemp); 1298182007Sroberto } 1299132451Sroberto break; 1300132451Sroberto 1301132451Sroberto /* 1302132451Sroberto * Send certificate sign response. The integrity of the request 1303132451Sroberto * certificate has already been verified on the receive side. 1304132451Sroberto * Sign the response using the local server key. Use the 1305132451Sroberto * filestamp from the request and use the timestamp as the 1306132451Sroberto * current time. Light the error bit if the certificate is 1307132451Sroberto * invalid or contains an unverified signature. 1308132451Sroberto */ 1309132451Sroberto case CRYPTO_SIGN | CRYPTO_RESP: 1310290001Sglebius if ((rval = cert_sign(ep, &vtemp)) == XEVNT_OK) { 1311290001Sglebius len = crypto_send(fp, &vtemp, start); 1312290001Sglebius value_free(&vtemp); 1313290001Sglebius } 1314132451Sroberto break; 1315132451Sroberto 1316132451Sroberto /* 1317132451Sroberto * Send public key and signature. Use the values from the public 1318132451Sroberto * key. 1319132451Sroberto */ 1320132451Sroberto case CRYPTO_COOK: 1321290001Sglebius len = crypto_send(fp, &pubkey, start); 1322132451Sroberto break; 1323132451Sroberto 1324132451Sroberto /* 1325132451Sroberto * Encrypt and send cookie and signature. Light the error bit if 1326132451Sroberto * anything goes wrong. 1327132451Sroberto */ 1328132451Sroberto case CRYPTO_COOK | CRYPTO_RESP: 1329281233Sdelphij vallen = ntohl(ep->vallen); /* Must be <64k */ 1330281233Sdelphij if ( vallen == 0 1331281233Sdelphij || (vallen >= MAX_VALLEN) 1332281233Sdelphij || (opcode & 0x0000ffff) < VALUE_LEN + vallen) { 1333182007Sroberto rval = XEVNT_LEN; 133482498Sroberto break; 133582498Sroberto } 1336290001Sglebius if (peer == NULL) 1337132451Sroberto tcookie = cookie; 1338290001Sglebius else 1339290001Sglebius tcookie = peer->hcookie; 1340281233Sdelphij if ((rval = crypto_encrypt((const u_char *)ep->pkt, vallen, &tcookie, &vtemp)) 1341281233Sdelphij == XEVNT_OK) { 1342290001Sglebius len = crypto_send(fp, &vtemp, start); 1343281233Sdelphij value_free(&vtemp); 1344281233Sdelphij } 134582498Sroberto break; 134682498Sroberto 134782498Sroberto /* 1348132451Sroberto * Find peer and send autokey data and signature in broadcast 1349132451Sroberto * server and symmetric modes. Use the values in the autokey 1350132451Sroberto * structure. If no association is found, either the server has 1351132451Sroberto * restarted with new associations or some perp has replayed an 1352132451Sroberto * old message, in which case light the error bit. 135382498Sroberto */ 1354132451Sroberto case CRYPTO_AUTO | CRYPTO_RESP: 1355290001Sglebius if (peer == NULL) { 1356290001Sglebius if ((peer = findpeerbyassoc(associd)) == NULL) { 1357290001Sglebius rval = XEVNT_ERR; 1358290001Sglebius break; 1359290001Sglebius } 136082498Sroberto } 1361132451Sroberto peer->flags &= ~FLAG_ASSOC; 1362290001Sglebius len = crypto_send(fp, &peer->sndval, start); 136382498Sroberto break; 136482498Sroberto 136582498Sroberto /* 1366290001Sglebius * Send leapseconds values and signature. Use the values from 1367290001Sglebius * the tai structure. If no table has been loaded, just send an 1368182007Sroberto * empty request. 136982498Sroberto */ 1370290001Sglebius case CRYPTO_LEAP | CRYPTO_RESP: 1371290001Sglebius len = crypto_send(fp, &tai_leap, start); 137282498Sroberto break; 137382498Sroberto 137482498Sroberto /* 1375290001Sglebius * Default - Send a valid command for unknown requests; send 1376290001Sglebius * an error response for unknown resonses. 137782498Sroberto */ 137882498Sroberto default: 137982498Sroberto if (opcode & CRYPTO_RESP) 1380182007Sroberto rval = XEVNT_ERR; 138182498Sroberto } 138282498Sroberto 138382498Sroberto /* 1384182007Sroberto * In case of error, flame the log. If a request, toss the 1385182007Sroberto * puppy; if a response, return so the sender can flame, too. 1386132451Sroberto */ 1387182007Sroberto if (rval != XEVNT_OK) { 1388290001Sglebius u_int32 uint32; 1389290001Sglebius 1390290001Sglebius uint32 = CRYPTO_ERROR; 1391290001Sglebius opcode |= uint32; 1392290001Sglebius fp->opcode |= htonl(uint32); 1393290001Sglebius snprintf(statstr, sizeof(statstr), 1394290001Sglebius "%04x %d %02x %s", opcode, associd, rval, 1395290001Sglebius eventstr(rval)); 1396132451Sroberto record_crypto_stats(srcadr_sin, statstr); 1397290001Sglebius DPRINTF(1, ("crypto_xmit: %s\n", statstr)); 1398182007Sroberto if (!(opcode & CRYPTO_RESP)) 1399182007Sroberto return (0); 1400132451Sroberto } 1401290001Sglebius DPRINTF(1, ("crypto_xmit: flags 0x%x offset %d len %d code 0x%x associd %d\n", 1402290001Sglebius crypto_flags, start, len, opcode >> 16, associd)); 140382498Sroberto return (len); 140482498Sroberto} 140582498Sroberto 1406132451Sroberto 140782498Sroberto/* 1408290001Sglebius * crypto_verify - verify the extension field value and signature 1409132451Sroberto * 1410132451Sroberto * Returns 1411132451Sroberto * XEVNT_OK success 1412290001Sglebius * XEVNT_ERR protocol error 1413290001Sglebius * XEVNT_FSP bad filestamp 1414132451Sroberto * XEVNT_LEN bad field format or length 1415132451Sroberto * XEVNT_PUB bad or missing public key 1416132451Sroberto * XEVNT_SGL bad signature length 1417132451Sroberto * XEVNT_SIG signature not verified 1418290001Sglebius * XEVNT_TSP bad timestamp 141982498Sroberto */ 1420132451Srobertostatic int 1421132451Srobertocrypto_verify( 1422132451Sroberto struct exten *ep, /* extension pointer */ 1423132451Sroberto struct value *vp, /* value pointer */ 1424132451Sroberto struct peer *peer /* peer structure pointer */ 1425132451Sroberto ) 142682498Sroberto{ 1427132451Sroberto EVP_PKEY *pkey; /* server public key */ 1428310419Sdelphij EVP_MD_CTX *ctx; /* signature context */ 1429182007Sroberto tstamp_t tstamp, tstamp1 = 0; /* timestamp */ 1430182007Sroberto tstamp_t fstamp, fstamp1 = 0; /* filestamp */ 1431132451Sroberto u_int vallen; /* value length */ 1432132451Sroberto u_int siglen; /* signature length */ 1433132451Sroberto u_int opcode, len; 1434132451Sroberto int i; 143582498Sroberto 143682498Sroberto /* 1437290001Sglebius * We are extremely parannoyed. We require valid opcode, length, 1438290001Sglebius * association ID, timestamp, filestamp, public key, digest, 1439290001Sglebius * signature length and signature, where relevant. Note that 1440290001Sglebius * preliminary length checks are done in the main loop. 144182498Sroberto */ 1442132451Sroberto len = ntohl(ep->opcode) & 0x0000ffff; 1443132451Sroberto opcode = ntohl(ep->opcode) & 0xffff0000; 144482498Sroberto 144582498Sroberto /* 1446290001Sglebius * Check for valid value header, association ID and extension 1447290001Sglebius * field length. Remember, it is not an error to receive an 1448290001Sglebius * unsolicited response; however, the response ID must match 1449290001Sglebius * the association ID. 145082498Sroberto */ 1451132451Sroberto if (opcode & CRYPTO_ERROR) 1452182007Sroberto return (XEVNT_ERR); 1453182007Sroberto 1454290001Sglebius if (len < VALUE_LEN) 1455290001Sglebius return (XEVNT_LEN); 1456290001Sglebius 1457290001Sglebius if (opcode == (CRYPTO_AUTO | CRYPTO_RESP) && (peer->pmode == 1458290001Sglebius MODE_BROADCAST || (peer->cast_flags & MDF_BCLNT))) { 1459290001Sglebius if (ntohl(ep->associd) != peer->assoc) 1460290001Sglebius return (XEVNT_ERR); 1461132451Sroberto } else { 1462290001Sglebius if (ntohl(ep->associd) != peer->associd) 1463290001Sglebius return (XEVNT_ERR); 1464132451Sroberto } 1465182007Sroberto 1466132451Sroberto /* 1467290001Sglebius * We have a valid value header. Check for valid value and 1468290001Sglebius * signature field lengths. The extension field length must be 1469290001Sglebius * long enough to contain the value header, value and signature. 1470290001Sglebius * Note both the value and signature field lengths are rounded 1471290001Sglebius * up to the next word (4 octets). 1472132451Sroberto */ 1473132451Sroberto vallen = ntohl(ep->vallen); 1474281233Sdelphij if ( vallen == 0 1475281233Sdelphij || vallen > MAX_VALLEN) 1476281233Sdelphij return (XEVNT_LEN); 1477290001Sglebius 1478132451Sroberto i = (vallen + 3) / 4; 1479132451Sroberto siglen = ntohl(ep->pkt[i++]); 1480281233Sdelphij if ( siglen > MAX_VALLEN 1481281233Sdelphij || len - VALUE_LEN < ((vallen + 3) / 4) * 4 1482281233Sdelphij || len - VALUE_LEN - ((vallen + 3) / 4) * 4 1483281233Sdelphij < ((siglen + 3) / 4) * 4) 1484132451Sroberto return (XEVNT_LEN); 1485132451Sroberto 1486182007Sroberto /* 1487182007Sroberto * Check for valid timestamp and filestamp. If the timestamp is 1488182007Sroberto * zero, the sender is not synchronized and signatures are 1489290001Sglebius * not possible. If nonzero the timestamp must not precede the 1490182007Sroberto * filestamp. The timestamp and filestamp must not precede the 1491290001Sglebius * corresponding values in the value structure, if present. 1492290001Sglebius */ 1493182007Sroberto tstamp = ntohl(ep->tstamp); 1494182007Sroberto fstamp = ntohl(ep->fstamp); 1495182007Sroberto if (tstamp == 0) 1496290001Sglebius return (XEVNT_TSP); 1497182007Sroberto 1498182007Sroberto if (tstamp < fstamp) 1499182007Sroberto return (XEVNT_TSP); 1500182007Sroberto 1501182007Sroberto if (vp != NULL) { 1502182007Sroberto tstamp1 = ntohl(vp->tstamp); 1503182007Sroberto fstamp1 = ntohl(vp->fstamp); 1504290001Sglebius if (tstamp1 != 0 && fstamp1 != 0) { 1505290001Sglebius if (tstamp < tstamp1) 1506290001Sglebius return (XEVNT_TSP); 1507182007Sroberto 1508290001Sglebius if ((tstamp < fstamp1 || fstamp < fstamp1)) 1509290001Sglebius return (XEVNT_FSP); 1510290001Sglebius } 1511182007Sroberto } 1512182007Sroberto 1513182007Sroberto /* 1514290001Sglebius * At the time the certificate message is validated, the public 1515290001Sglebius * key in the message is not available. Thus, don't try to 1516290001Sglebius * verify the signature. 1517290001Sglebius */ 1518290001Sglebius if (opcode == (CRYPTO_CERT | CRYPTO_RESP)) 1519290001Sglebius return (XEVNT_OK); 1520290001Sglebius 1521290001Sglebius /* 1522182007Sroberto * Check for valid signature length, public key and digest 1523182007Sroberto * algorithm. 1524182007Sroberto */ 1525132451Sroberto if (crypto_flags & peer->crypto & CRYPTO_FLAG_PRIV) 1526132451Sroberto pkey = sign_pkey; 1527132451Sroberto else 1528132451Sroberto pkey = peer->pkey; 1529182007Sroberto if (siglen == 0 || pkey == NULL || peer->digest == NULL) 1530290001Sglebius return (XEVNT_ERR); 1531132451Sroberto 1532182007Sroberto if (siglen != (u_int)EVP_PKEY_size(pkey)) 1533182007Sroberto return (XEVNT_SGL); 1534182007Sroberto 1535132451Sroberto /* 1536182007Sroberto * Darn, I thought we would never get here. Verify the 1537182007Sroberto * signature. If the identity exchange is verified, light the 1538290001Sglebius * proventic bit. What a relief. 1539132451Sroberto */ 1540310419Sdelphij ctx = EVP_MD_CTX_new(); 1541310419Sdelphij EVP_VerifyInit(ctx, peer->digest); 1542281233Sdelphij /* XXX: the "+ 12" needs to be at least documented... */ 1543310419Sdelphij EVP_VerifyUpdate(ctx, (u_char *)&ep->tstamp, vallen + 12); 1544310419Sdelphij if (EVP_VerifyFinal(ctx, (u_char *)&ep->pkt[i], siglen, 1545310419Sdelphij pkey) <= 0) { 1546310419Sdelphij EVP_MD_CTX_free(ctx); 1547182007Sroberto return (XEVNT_SIG); 1548310419Sdelphij } 1549310419Sdelphij EVP_MD_CTX_free(ctx); 1550182007Sroberto 1551290001Sglebius if (peer->crypto & CRYPTO_FLAG_VRFY) 1552182007Sroberto peer->crypto |= CRYPTO_FLAG_PROV; 1553182007Sroberto return (XEVNT_OK); 1554132451Sroberto} 1555132451Sroberto 1556132451Sroberto 1557132451Sroberto/* 1558281233Sdelphij * crypto_encrypt - construct vp (encrypted cookie and signature) from 1559281233Sdelphij * the public key and cookie. 1560132451Sroberto * 1561281233Sdelphij * Returns: 1562132451Sroberto * XEVNT_OK success 1563290001Sglebius * XEVNT_CKY bad or missing cookie 1564132451Sroberto * XEVNT_PUB bad or missing public key 1565132451Sroberto */ 1566132451Srobertostatic int 1567132451Srobertocrypto_encrypt( 1568281233Sdelphij const u_char *ptr, /* Public Key */ 1569281233Sdelphij u_int vallen, /* Length of Public Key */ 1570281233Sdelphij keyid_t *cookie, /* server cookie */ 1571281233Sdelphij struct value *vp /* value pointer */ 1572132451Sroberto ) 1573132451Sroberto{ 1574132451Sroberto EVP_PKEY *pkey; /* public key */ 1575310419Sdelphij EVP_MD_CTX *ctx; /* signature context */ 1576132451Sroberto tstamp_t tstamp; /* NTP timestamp */ 1577132451Sroberto u_int32 temp32; 1578290001Sglebius u_char *puch; 1579132451Sroberto 1580132451Sroberto /* 1581132451Sroberto * Extract the public key from the request. 1582132451Sroberto */ 1583281233Sdelphij pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, vallen); 1584132451Sroberto if (pkey == NULL) { 1585290001Sglebius msyslog(LOG_ERR, "crypto_encrypt: %s", 1586132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 1587132451Sroberto return (XEVNT_PUB); 158882498Sroberto } 158982498Sroberto 159082498Sroberto /* 1591132451Sroberto * Encrypt the cookie, encode in ASN.1 and sign. 159282498Sroberto */ 1593290001Sglebius memset(vp, 0, sizeof(struct value)); 1594132451Sroberto tstamp = crypto_time(); 1595132451Sroberto vp->tstamp = htonl(tstamp); 1596132451Sroberto vp->fstamp = hostval.tstamp; 1597281233Sdelphij vallen = EVP_PKEY_size(pkey); 1598281233Sdelphij vp->vallen = htonl(vallen); 1599281233Sdelphij vp->ptr = emalloc(vallen); 1600290001Sglebius puch = vp->ptr; 1601132451Sroberto temp32 = htonl(*cookie); 1602290001Sglebius if (RSA_public_encrypt(4, (u_char *)&temp32, puch, 1603310419Sdelphij EVP_PKEY_get0_RSA(pkey), RSA_PKCS1_OAEP_PADDING) <= 0) { 1604290001Sglebius msyslog(LOG_ERR, "crypto_encrypt: %s", 1605132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 1606290001Sglebius free(vp->ptr); 1607132451Sroberto EVP_PKEY_free(pkey); 1608132451Sroberto return (XEVNT_CKY); 1609132451Sroberto } 1610132451Sroberto EVP_PKEY_free(pkey); 1611132451Sroberto if (tstamp == 0) 1612132451Sroberto return (XEVNT_OK); 1613182007Sroberto 1614132451Sroberto vp->sig = emalloc(sign_siglen); 1615310419Sdelphij ctx = EVP_MD_CTX_new(); 1616310419Sdelphij EVP_SignInit(ctx, sign_digest); 1617310419Sdelphij EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12); 1618310419Sdelphij EVP_SignUpdate(ctx, vp->ptr, vallen); 1619310419Sdelphij if (EVP_SignFinal(ctx, vp->sig, &vallen, sign_pkey)) { 1620290001Sglebius INSIST(vallen <= sign_siglen); 1621290001Sglebius vp->siglen = htonl(vallen); 1622290001Sglebius } 1623310419Sdelphij EVP_MD_CTX_free(ctx); 1624132451Sroberto return (XEVNT_OK); 1625132451Sroberto} 162682498Sroberto 1627132451Sroberto 1628132451Sroberto/* 1629132451Sroberto * crypto_ident - construct extension field for identity scheme 1630132451Sroberto * 1631132451Sroberto * This routine determines which identity scheme is in use and 1632132451Sroberto * constructs an extension field for that scheme. 1633290001Sglebius * 1634290001Sglebius * Returns 1635290001Sglebius * CRYTPO_IFF IFF scheme 1636290001Sglebius * CRYPTO_GQ GQ scheme 1637290001Sglebius * CRYPTO_MV MV scheme 1638290001Sglebius * CRYPTO_NULL no available scheme 1639132451Sroberto */ 1640132451Srobertou_int 1641132451Srobertocrypto_ident( 1642132451Sroberto struct peer *peer /* peer structure pointer */ 1643132451Sroberto ) 1644132451Sroberto{ 1645290001Sglebius char filename[MAXFILENAME]; 1646290001Sglebius const char * scheme_name; 1647290001Sglebius u_int scheme_id; 1648132451Sroberto 164982498Sroberto /* 1650290001Sglebius * We come here after the group trusted host has been found; its 1651290001Sglebius * name defines the group name. Search the key cache for all 1652290001Sglebius * keys matching the same group name in order IFF, GQ and MV. 1653290001Sglebius * Use the first one available. 165482498Sroberto */ 1655290001Sglebius scheme_name = NULL; 1656132451Sroberto if (peer->crypto & CRYPTO_FLAG_IFF) { 1657290001Sglebius scheme_name = "iff"; 1658290001Sglebius scheme_id = CRYPTO_IFF; 1659290001Sglebius } else if (peer->crypto & CRYPTO_FLAG_GQ) { 1660290001Sglebius scheme_name = "gq"; 1661290001Sglebius scheme_id = CRYPTO_GQ; 1662290001Sglebius } else if (peer->crypto & CRYPTO_FLAG_MV) { 1663290001Sglebius scheme_name = "mv"; 1664290001Sglebius scheme_id = CRYPTO_MV; 1665132451Sroberto } 1666132451Sroberto 1667290001Sglebius if (scheme_name != NULL) { 1668290001Sglebius snprintf(filename, sizeof(filename), "ntpkey_%spar_%s", 1669290001Sglebius scheme_name, peer->ident); 1670290001Sglebius peer->ident_pkey = crypto_key(filename, NULL, 1671290001Sglebius &peer->srcadr); 1672132451Sroberto if (peer->ident_pkey != NULL) 1673290001Sglebius return scheme_id; 1674132451Sroberto } 1675132451Sroberto 1676290001Sglebius msyslog(LOG_NOTICE, 1677290001Sglebius "crypto_ident: no identity parameters found for group %s", 1678290001Sglebius peer->ident); 1679290001Sglebius 1680290001Sglebius return CRYPTO_NULL; 1681132451Sroberto} 168282498Sroberto 1683132451Sroberto 1684132451Sroberto/* 1685132451Sroberto * crypto_args - construct extension field from arguments 1686132451Sroberto * 1687132451Sroberto * This routine creates an extension field with current timestamps and 1688132451Sroberto * specified opcode, association ID and optional string. Note that the 1689132451Sroberto * extension field is created here, but freed after the crypto_xmit() 1690132451Sroberto * call in the protocol module. 1691132451Sroberto * 1692290001Sglebius * Returns extension field pointer (no errors) 1693281233Sdelphij * 1694281233Sdelphij * XXX: opcode and len should really be 32-bit quantities and 1695281233Sdelphij * we should make sure that str is not too big. 1696132451Sroberto */ 1697132451Srobertostruct exten * 1698132451Srobertocrypto_args( 1699132451Sroberto struct peer *peer, /* peer structure pointer */ 1700132451Sroberto u_int opcode, /* operation code */ 1701290001Sglebius associd_t associd, /* association ID */ 1702132451Sroberto char *str /* argument string */ 1703132451Sroberto ) 1704132451Sroberto{ 1705132451Sroberto tstamp_t tstamp; /* NTP timestamp */ 1706132451Sroberto struct exten *ep; /* extension field pointer */ 1707132451Sroberto u_int len; /* extension field length */ 1708290001Sglebius size_t slen = 0; 1709132451Sroberto 1710132451Sroberto tstamp = crypto_time(); 1711132451Sroberto len = sizeof(struct exten); 1712281233Sdelphij if (str != NULL) { 1713281233Sdelphij slen = strlen(str); 1714290001Sglebius INSIST(slen < MAX_VALLEN); 1715281233Sdelphij len += slen; 1716281233Sdelphij } 1717290001Sglebius ep = emalloc_zero(len); 1718182007Sroberto if (opcode == 0) 1719182007Sroberto return (ep); 1720182007Sroberto 1721290001Sglebius REQUIRE(0 == (len & ~0x0000ffff)); 1722290001Sglebius REQUIRE(0 == (opcode & ~0xffff0000)); 1723290001Sglebius 1724132451Sroberto ep->opcode = htonl(opcode + len); 1725290001Sglebius ep->associd = htonl(associd); 1726132451Sroberto ep->tstamp = htonl(tstamp); 1727132451Sroberto ep->fstamp = hostval.tstamp; 1728132451Sroberto ep->vallen = 0; 1729132451Sroberto if (str != NULL) { 1730281233Sdelphij ep->vallen = htonl(slen); 1731281233Sdelphij memcpy((char *)ep->pkt, str, slen); 1732132451Sroberto } 1733132451Sroberto return (ep); 173482498Sroberto} 173582498Sroberto 173682498Sroberto 173782498Sroberto/* 1738132451Sroberto * crypto_send - construct extension field from value components 1739132451Sroberto * 1740290001Sglebius * The value and signature fields are zero-padded to a word boundary. 1741290001Sglebius * Note: it is not polite to send a nonempty signature with zero 1742290001Sglebius * timestamp or a nonzero timestamp with an empty signature, but those 1743290001Sglebius * rules are not enforced here. 1744281233Sdelphij * 1745281233Sdelphij * XXX This code won't work on a box with 16-bit ints. 174682498Sroberto */ 1747290001Sglebiusint 1748132451Srobertocrypto_send( 1749132451Sroberto struct exten *ep, /* extension field pointer */ 1750290001Sglebius struct value *vp, /* value pointer */ 1751290001Sglebius int start /* buffer offset */ 1752132451Sroberto ) 175382498Sroberto{ 1754290001Sglebius u_int len, vallen, siglen, opcode; 1755290001Sglebius u_int i, j; 175682498Sroberto 175782498Sroberto /* 1758290001Sglebius * Calculate extension field length and check for buffer 1759290001Sglebius * overflow. Leave room for the MAC. 176082498Sroberto */ 1761290001Sglebius len = 16; /* XXX Document! */ 1762290001Sglebius vallen = ntohl(vp->vallen); 1763290001Sglebius INSIST(vallen <= MAX_VALLEN); 1764290001Sglebius len += ((vallen + 3) / 4 + 1) * 4; 1765290001Sglebius siglen = ntohl(vp->siglen); 1766290001Sglebius len += ((siglen + 3) / 4 + 1) * 4; 1767290001Sglebius if (start + len > sizeof(struct pkt) - MAX_MAC_LEN) 1768290001Sglebius return (0); 1769290001Sglebius 1770290001Sglebius /* 1771290001Sglebius * Copy timestamps. 1772290001Sglebius */ 1773132451Sroberto ep->tstamp = vp->tstamp; 1774132451Sroberto ep->fstamp = vp->fstamp; 1775132451Sroberto ep->vallen = vp->vallen; 1776132451Sroberto 1777132451Sroberto /* 1778290001Sglebius * Copy value. If the data field is empty or zero length, 1779290001Sglebius * encode an empty value with length zero. 1780290001Sglebius */ 1781290001Sglebius i = 0; 1782290001Sglebius if (vallen > 0 && vp->ptr != NULL) { 1783290001Sglebius j = vallen / 4; 1784290001Sglebius if (j * 4 < vallen) 1785290001Sglebius ep->pkt[i + j++] = 0; 1786290001Sglebius memcpy(&ep->pkt[i], vp->ptr, vallen); 1787290001Sglebius i += j; 1788290001Sglebius } 1789290001Sglebius 1790290001Sglebius /* 1791132451Sroberto * Copy signature. If the signature field is empty or zero 1792132451Sroberto * length, encode an empty signature with length zero. 1793132451Sroberto */ 1794132451Sroberto ep->pkt[i++] = vp->siglen; 1795290001Sglebius if (siglen > 0 && vp->sig != NULL) { 1796290001Sglebius j = siglen / 4; 1797290001Sglebius if (j * 4 < siglen) 1798290001Sglebius ep->pkt[i + j++] = 0; 1799290001Sglebius memcpy(&ep->pkt[i], vp->sig, siglen); 1800290001Sglebius /* i += j; */ /* We don't use i after this */ 1801290001Sglebius } 1802290001Sglebius opcode = ntohl(ep->opcode); 1803290001Sglebius ep->opcode = htonl((opcode & 0xffff0000) | len); 1804290001Sglebius ENSURE(len <= MAX_VALLEN); 1805132451Sroberto return (len); 1806132451Sroberto} 1807132451Sroberto 1808132451Sroberto 1809132451Sroberto/* 1810132451Sroberto * crypto_update - compute new public value and sign extension fields 1811132451Sroberto * 1812132451Sroberto * This routine runs periodically, like once a day, and when something 1813132451Sroberto * changes. It updates the timestamps on three value structures and one 1814132451Sroberto * value structure list, then signs all the structures: 1815132451Sroberto * 1816132451Sroberto * hostval host name (not signed) 1817132451Sroberto * pubkey public key 1818132451Sroberto * cinfo certificate info/value list 1819290001Sglebius * tai_leap leap values 1820132451Sroberto * 1821290001Sglebius * Filestamps are proventic data, so this routine runs only when the 1822290001Sglebius * host is synchronized to a proventicated source. Thus, the timestamp 1823290001Sglebius * is proventic and can be used to deflect clogging attacks. 1824132451Sroberto * 1825132451Sroberto * Returns void (no errors) 1826132451Sroberto */ 1827132451Srobertovoid 1828132451Srobertocrypto_update(void) 1829132451Sroberto{ 1830310419Sdelphij EVP_MD_CTX *ctx; /* message digest context */ 1831290001Sglebius struct cert_info *cp; /* certificate info/value */ 1832132451Sroberto char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ 1833290001Sglebius u_int32 *ptr; 1834132451Sroberto u_int len; 1835290001Sglebius leap_result_t leap_data; 1836132451Sroberto 1837290001Sglebius hostval.tstamp = htonl(crypto_time()); 1838290001Sglebius if (hostval.tstamp == 0) 183982498Sroberto return; 1840182007Sroberto 1841310419Sdelphij ctx = EVP_MD_CTX_new(); 1842310419Sdelphij 184382498Sroberto /* 1844132451Sroberto * Sign public key and timestamps. The filestamp is derived from 1845132451Sroberto * the host key file extension from wherever the file was 1846132451Sroberto * generated. 184782498Sroberto */ 1848132451Sroberto if (pubkey.vallen != 0) { 1849132451Sroberto pubkey.tstamp = hostval.tstamp; 1850132451Sroberto pubkey.siglen = 0; 1851132451Sroberto if (pubkey.sig == NULL) 1852132451Sroberto pubkey.sig = emalloc(sign_siglen); 1853310419Sdelphij EVP_SignInit(ctx, sign_digest); 1854310419Sdelphij EVP_SignUpdate(ctx, (u_char *)&pubkey, 12); 1855310419Sdelphij EVP_SignUpdate(ctx, pubkey.ptr, ntohl(pubkey.vallen)); 1856310419Sdelphij if (EVP_SignFinal(ctx, pubkey.sig, &len, sign_pkey)) { 1857290001Sglebius INSIST(len <= sign_siglen); 1858132451Sroberto pubkey.siglen = htonl(len); 1859290001Sglebius } 186082498Sroberto } 186182498Sroberto 186282498Sroberto /* 1863132451Sroberto * Sign certificates and timestamps. The filestamp is derived 1864132451Sroberto * from the certificate file extension from wherever the file 1865182007Sroberto * was generated. Note we do not throw expired certificates 1866182007Sroberto * away; they may have signed younger ones. 186782498Sroberto */ 1868290001Sglebius for (cp = cinfo; cp != NULL; cp = cp->link) { 1869182007Sroberto cp->cert.tstamp = hostval.tstamp; 1870182007Sroberto cp->cert.siglen = 0; 1871182007Sroberto if (cp->cert.sig == NULL) 1872182007Sroberto cp->cert.sig = emalloc(sign_siglen); 1873310419Sdelphij EVP_SignInit(ctx, sign_digest); 1874310419Sdelphij EVP_SignUpdate(ctx, (u_char *)&cp->cert, 12); 1875310419Sdelphij EVP_SignUpdate(ctx, cp->cert.ptr, 1876182007Sroberto ntohl(cp->cert.vallen)); 1877310419Sdelphij if (EVP_SignFinal(ctx, cp->cert.sig, &len, sign_pkey)) { 1878290001Sglebius INSIST(len <= sign_siglen); 1879182007Sroberto cp->cert.siglen = htonl(len); 1880290001Sglebius } 188182498Sroberto } 188282498Sroberto 188382498Sroberto /* 1884290001Sglebius * Sign leapseconds values and timestamps. Note it is not an 1885290001Sglebius * error to return null values. 188682498Sroberto */ 1887290001Sglebius tai_leap.tstamp = hostval.tstamp; 1888290001Sglebius tai_leap.fstamp = hostval.fstamp; 1889290001Sglebius 1890290001Sglebius /* Get the leap second era. We might need a full lookup early 1891290001Sglebius * after start, when the cache is not yet loaded. 1892290001Sglebius */ 1893290001Sglebius leapsec_frame(&leap_data); 1894290001Sglebius if ( ! memcmp(&leap_data.ebase, &leap_data.ttime, sizeof(vint64))) { 1895290001Sglebius time_t now = time(NULL); 1896290001Sglebius uint32_t nowntp = (uint32_t)now + JAN_1970; 1897290001Sglebius leapsec_query(&leap_data, nowntp, &now); 189882498Sroberto } 1899290001Sglebius 1900290001Sglebius /* Create the data block. The protocol does not work without. */ 1901290001Sglebius len = 3 * sizeof(u_int32); 1902290001Sglebius if (tai_leap.ptr == NULL || ntohl(tai_leap.vallen) != len) { 1903290001Sglebius free(tai_leap.ptr); 1904290001Sglebius tai_leap.ptr = emalloc(len); 1905290001Sglebius tai_leap.vallen = htonl(len); 1906290001Sglebius } 1907290001Sglebius ptr = (u_int32 *)tai_leap.ptr; 1908290001Sglebius if (leap_data.tai_offs > 10) { 1909290001Sglebius /* create a TAI / leap era block. The end time is a 1910290001Sglebius * fake -- maybe we can do better. 1911290001Sglebius */ 1912290001Sglebius ptr[0] = htonl(leap_data.tai_offs); 1913290001Sglebius ptr[1] = htonl(leap_data.ebase.d_s.lo); 1914290001Sglebius if (leap_data.ttime.d_s.hi >= 0) 1915290001Sglebius ptr[2] = htonl(leap_data.ttime.D_s.lo + 7*86400); 1916290001Sglebius else 1917290001Sglebius ptr[2] = htonl(leap_data.ebase.D_s.lo + 25*86400); 1918290001Sglebius } else { 1919290001Sglebius /* no leap era available */ 1920290001Sglebius memset(ptr, 0, len); 1921290001Sglebius } 1922290001Sglebius if (tai_leap.sig == NULL) 1923290001Sglebius tai_leap.sig = emalloc(sign_siglen); 1924310419Sdelphij EVP_SignInit(ctx, sign_digest); 1925310419Sdelphij EVP_SignUpdate(ctx, (u_char *)&tai_leap, 12); 1926310419Sdelphij EVP_SignUpdate(ctx, tai_leap.ptr, len); 1927310419Sdelphij if (EVP_SignFinal(ctx, tai_leap.sig, &len, sign_pkey)) { 1928290001Sglebius INSIST(len <= sign_siglen); 1929290001Sglebius tai_leap.siglen = htonl(len); 1930290001Sglebius } 1931290001Sglebius crypto_flags |= CRYPTO_FLAG_TAI; 1932290001Sglebius 1933290001Sglebius snprintf(statstr, sizeof(statstr), "signature update ts %u", 1934290001Sglebius ntohl(hostval.tstamp)); 1935132451Sroberto record_crypto_stats(NULL, statstr); 1936290001Sglebius DPRINTF(1, ("crypto_update: %s\n", statstr)); 1937310419Sdelphij EVP_MD_CTX_free(ctx); 193882498Sroberto} 193982498Sroberto 1940290001Sglebius/* 1941290001Sglebius * crypto_update_taichange - eventually trigger crypto_update 1942290001Sglebius * 1943290001Sglebius * This is called when a change in 'sys_tai' is detected. This will 1944290001Sglebius * happen shortly after a leap second is detected, but unhappily also 1945290001Sglebius * early after system start; also, the crypto stuff might be unused and 1946290001Sglebius * an unguarded call to crypto_update() causes a crash. 1947290001Sglebius * 1948290001Sglebius * This function makes sure that there already *is* a valid crypto block 1949290001Sglebius * for the use with autokey, and only calls 'crypto_update()' if it can 1950290001Sglebius * succeed. 1951290001Sglebius * 1952290001Sglebius * Returns void (no errors) 1953290001Sglebius */ 1954290001Sglebiusvoid 1955290001Sglebiuscrypto_update_taichange(void) 1956290001Sglebius{ 1957290001Sglebius static const u_int len = 3 * sizeof(u_int32); 195882498Sroberto 1959290001Sglebius /* check if the signing digest algo is available */ 1960290001Sglebius if (sign_digest == NULL || sign_pkey == NULL) 1961290001Sglebius return; 1962290001Sglebius 1963290001Sglebius /* check size of TAI extension block */ 1964290001Sglebius if (tai_leap.ptr == NULL || ntohl(tai_leap.vallen) != len) 1965290001Sglebius return; 1966290001Sglebius 1967290001Sglebius /* crypto_update should at least not crash here! */ 1968290001Sglebius crypto_update(); 1969290001Sglebius} 1970290001Sglebius 197182498Sroberto/* 1972132451Sroberto * value_free - free value structure components. 1973132451Sroberto * 1974132451Sroberto * Returns void (no errors) 197582498Sroberto */ 1976132451Srobertovoid 1977132451Srobertovalue_free( 1978132451Sroberto struct value *vp /* value structure */ 197982498Sroberto ) 198082498Sroberto{ 1981132451Sroberto if (vp->ptr != NULL) 1982132451Sroberto free(vp->ptr); 1983132451Sroberto if (vp->sig != NULL) 1984132451Sroberto free(vp->sig); 1985132451Sroberto memset(vp, 0, sizeof(struct value)); 1986132451Sroberto} 198782498Sroberto 1988132451Sroberto 1989132451Sroberto/* 1990290001Sglebius * crypto_time - returns current NTP time. 1991290001Sglebius * 1992290001Sglebius * Returns NTP seconds if in synch, 0 otherwise 1993132451Sroberto */ 1994132451Srobertotstamp_t 1995132451Srobertocrypto_time() 1996132451Sroberto{ 1997290001Sglebius l_fp tstamp; /* NTP time */ 1998132451Sroberto 1999132451Sroberto L_CLR(&tstamp); 2000132451Sroberto if (sys_leap != LEAP_NOTINSYNC) 2001132451Sroberto get_systime(&tstamp); 2002132451Sroberto return (tstamp.l_ui); 2003132451Sroberto} 2004132451Sroberto 2005132451Sroberto 2006132451Sroberto/* 2007290001Sglebius * asn_to_calendar - convert ASN1_TIME time structure to struct calendar. 2008290001Sglebius * 2009132451Sroberto */ 2010290001Sglebiusstatic 2011290001Sglebiusvoid 2012290001Sglebiusasn_to_calendar ( 2013290001Sglebius ASN1_TIME *asn1time, /* pointer to ASN1_TIME structure */ 2014290001Sglebius struct calendar *pjd /* pointer to result */ 2015132451Sroberto ) 2016132451Sroberto{ 2017290001Sglebius size_t len; /* length of ASN1_TIME string */ 2018290001Sglebius char v[24]; /* writable copy of ASN1_TIME string */ 2019290001Sglebius unsigned long temp; /* result from strtoul */ 2020132451Sroberto 202182498Sroberto /* 2022132451Sroberto * Extract time string YYMMDDHHMMSSZ from ASN1 time structure. 2023290001Sglebius * Or YYYYMMDDHHMMSSZ. 2024132451Sroberto * Note that the YY, MM, DD fields start with one, the HH, MM, 2025290001Sglebius * SS fields start with zero and the Z character is ignored. 2026290001Sglebius * Also note that two-digit years less than 50 map to years greater than 2027290001Sglebius * 100. Dontcha love ASN.1? Better than MIL-188. 202882498Sroberto */ 2029290001Sglebius len = asn1time->length; 2030290001Sglebius REQUIRE(len < sizeof(v)); 2031290001Sglebius (void)strncpy(v, (char *)(asn1time->data), len); 2032290001Sglebius REQUIRE(len >= 13); 2033290001Sglebius temp = strtoul(v+len-3, NULL, 10); 2034290001Sglebius pjd->second = temp; 2035290001Sglebius v[len-3] = '\0'; 2036182007Sroberto 2037290001Sglebius temp = strtoul(v+len-5, NULL, 10); 2038290001Sglebius pjd->minute = temp; 2039290001Sglebius v[len-5] = '\0'; 2040290001Sglebius 2041290001Sglebius temp = strtoul(v+len-7, NULL, 10); 2042290001Sglebius pjd->hour = temp; 2043290001Sglebius v[len-7] = '\0'; 2044290001Sglebius 2045290001Sglebius temp = strtoul(v+len-9, NULL, 10); 2046290001Sglebius pjd->monthday = temp; 2047290001Sglebius v[len-9] = '\0'; 2048290001Sglebius 2049290001Sglebius temp = strtoul(v+len-11, NULL, 10); 2050290001Sglebius pjd->month = temp; 2051290001Sglebius v[len-11] = '\0'; 2052290001Sglebius 2053290001Sglebius temp = strtoul(v, NULL, 10); 2054290001Sglebius /* handle two-digit years */ 2055290001Sglebius if (temp < 50UL) 2056290001Sglebius temp += 100UL; 2057290001Sglebius if (temp < 150UL) 2058290001Sglebius temp += 1900UL; 2059290001Sglebius pjd->year = temp; 2060290001Sglebius 2061290001Sglebius pjd->yearday = pjd->weekday = 0; 2062290001Sglebius return; 2063132451Sroberto} 2064132451Sroberto 2065132451Sroberto 2066132451Sroberto/* 2067132451Sroberto * bigdig() - compute a BIGNUM MD5 hash of a BIGNUM number. 2068290001Sglebius * 2069290001Sglebius * Returns void (no errors) 2070132451Sroberto */ 2071290001Sglebiusstatic void 2072132451Srobertobighash( 2073132451Sroberto BIGNUM *bn, /* BIGNUM * from */ 2074132451Sroberto BIGNUM *bk /* BIGNUM * to */ 2075132451Sroberto ) 2076132451Sroberto{ 2077310419Sdelphij EVP_MD_CTX *ctx; /* message digest context */ 2078132451Sroberto u_char dgst[EVP_MAX_MD_SIZE]; /* message digest */ 2079132451Sroberto u_char *ptr; /* a BIGNUM as binary string */ 2080132451Sroberto u_int len; 2081132451Sroberto 2082132451Sroberto len = BN_num_bytes(bn); 2083132451Sroberto ptr = emalloc(len); 2084132451Sroberto BN_bn2bin(bn, ptr); 2085310419Sdelphij ctx = EVP_MD_CTX_new(); 2086310419Sdelphij EVP_DigestInit(ctx, EVP_md5()); 2087310419Sdelphij EVP_DigestUpdate(ctx, ptr, len); 2088310419Sdelphij EVP_DigestFinal(ctx, dgst, &len); 2089310419Sdelphij EVP_MD_CTX_free(ctx); 2090132451Sroberto BN_bin2bn(dgst, len, bk); 2091290001Sglebius free(ptr); 2092132451Sroberto} 2093132451Sroberto 2094132451Sroberto 2095132451Sroberto/* 2096132451Sroberto *********************************************************************** 2097132451Sroberto * * 2098132451Sroberto * The following routines implement the Schnorr (IFF) identity scheme * 2099132451Sroberto * * 2100132451Sroberto *********************************************************************** 2101132451Sroberto * 2102132451Sroberto * The Schnorr (IFF) identity scheme is intended for use when 2103290001Sglebius * certificates are generated by some other trusted certificate 2104290001Sglebius * authority and the certificate cannot be used to convey public 2105290001Sglebius * parameters. There are two kinds of files: encrypted server files that 2106290001Sglebius * contain private and public values and nonencrypted client files that 2107290001Sglebius * contain only public values. New generations of server files must be 2108290001Sglebius * securely transmitted to all servers of the group; client files can be 2109290001Sglebius * distributed by any means. The scheme is self contained and 2110290001Sglebius * independent of new generations of host keys, sign keys and 2111290001Sglebius * certificates. 2112132451Sroberto * 2113290001Sglebius * The IFF values hide in a DSA cuckoo structure which uses the same 2114290001Sglebius * parameters. The values are used by an identity scheme based on DSA 2115290001Sglebius * cryptography and described in Stimson p. 285. The p is a 512-bit 2116290001Sglebius * prime, g a generator of Zp* and q a 160-bit prime that divides p - 1 2117290001Sglebius * and is a qth root of 1 mod p; that is, g^q = 1 mod p. The TA rolls a 2118290001Sglebius * private random group key b (0 < b < q) and public key v = g^b, then 2119290001Sglebius * sends (p, q, g, b) to the servers and (p, q, g, v) to the clients. 2120290001Sglebius * Alice challenges Bob to confirm identity using the protocol described 2121290001Sglebius * below. 2122132451Sroberto * 2123132451Sroberto * How it works 2124132451Sroberto * 2125132451Sroberto * The scheme goes like this. Both Alice and Bob have the public primes 2126132451Sroberto * p, q and generator g. The TA gives private key b to Bob and public 2127290001Sglebius * key v to Alice. 2128132451Sroberto * 2129290001Sglebius * Alice rolls new random challenge r (o < r < q) and sends to Bob in 2130290001Sglebius * the IFF request message. Bob rolls new random k (0 < k < q), then 2131290001Sglebius * computes y = k + b r mod q and x = g^k mod p and sends (y, hash(x)) 2132290001Sglebius * to Alice in the response message. Besides making the response 2133290001Sglebius * shorter, the hash makes it effectivey impossible for an intruder to 2134290001Sglebius * solve for b by observing a number of these messages. 2135132451Sroberto * 2136132451Sroberto * Alice receives the response and computes g^y v^r mod p. After a bit 2137132451Sroberto * of algebra, this simplifies to g^k. If the hash of this result 2138132451Sroberto * matches hash(x), Alice knows that Bob has the group key b. The signed 2139132451Sroberto * response binds this knowledge to Bob's private key and the public key 2140132451Sroberto * previously received in his certificate. 2141132451Sroberto * 2142132451Sroberto * crypto_alice - construct Alice's challenge in IFF scheme 2143132451Sroberto * 2144132451Sroberto * Returns 2145132451Sroberto * XEVNT_OK success 2146290001Sglebius * XEVNT_ID bad or missing group key 2147132451Sroberto * XEVNT_PUB bad or missing public key 2148132451Sroberto */ 2149132451Srobertostatic int 2150132451Srobertocrypto_alice( 2151132451Sroberto struct peer *peer, /* peer pointer */ 2152132451Sroberto struct value *vp /* value pointer */ 2153132451Sroberto ) 2154132451Sroberto{ 2155132451Sroberto DSA *dsa; /* IFF parameters */ 2156132451Sroberto BN_CTX *bctx; /* BIGNUM context */ 2157310419Sdelphij EVP_MD_CTX *ctx; /* signature context */ 2158132451Sroberto tstamp_t tstamp; 2159132451Sroberto u_int len; 2160310419Sdelphij const BIGNUM *q; 2161132451Sroberto 2162132451Sroberto /* 2163132451Sroberto * The identity parameters must have correct format and content. 2164132451Sroberto */ 2165290001Sglebius if (peer->ident_pkey == NULL) { 2166290001Sglebius msyslog(LOG_NOTICE, "crypto_alice: scheme unavailable"); 2167132451Sroberto return (XEVNT_ID); 2168290001Sglebius } 2169182007Sroberto 2170310419Sdelphij if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) { 2171290001Sglebius msyslog(LOG_NOTICE, "crypto_alice: defective key"); 2172132451Sroberto return (XEVNT_PUB); 2173132451Sroberto } 2174132451Sroberto 2175132451Sroberto /* 2176290001Sglebius * Roll new random r (0 < r < q). 2177132451Sroberto */ 2178132451Sroberto if (peer->iffval != NULL) 2179132451Sroberto BN_free(peer->iffval); 2180132451Sroberto peer->iffval = BN_new(); 2181310419Sdelphij DSA_get0_pqg(dsa, NULL, &q, NULL); 2182310419Sdelphij len = BN_num_bytes(q); 2183290001Sglebius BN_rand(peer->iffval, len * 8, -1, 1); /* r mod q*/ 2184290001Sglebius bctx = BN_CTX_new(); 2185310419Sdelphij BN_mod(peer->iffval, peer->iffval, q, bctx); 2186132451Sroberto BN_CTX_free(bctx); 2187132451Sroberto 2188132451Sroberto /* 2189132451Sroberto * Sign and send to Bob. The filestamp is from the local file. 2190132451Sroberto */ 2191290001Sglebius memset(vp, 0, sizeof(struct value)); 2192132451Sroberto tstamp = crypto_time(); 2193132451Sroberto vp->tstamp = htonl(tstamp); 2194290001Sglebius vp->fstamp = htonl(peer->ident_pkey->fstamp); 2195132451Sroberto vp->vallen = htonl(len); 2196132451Sroberto vp->ptr = emalloc(len); 2197132451Sroberto BN_bn2bin(peer->iffval, vp->ptr); 2198132451Sroberto if (tstamp == 0) 2199132451Sroberto return (XEVNT_OK); 2200182007Sroberto 2201132451Sroberto vp->sig = emalloc(sign_siglen); 2202310419Sdelphij ctx = EVP_MD_CTX_new(); 2203310419Sdelphij EVP_SignInit(ctx, sign_digest); 2204310419Sdelphij EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12); 2205310419Sdelphij EVP_SignUpdate(ctx, vp->ptr, len); 2206310419Sdelphij if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) { 2207290001Sglebius INSIST(len <= sign_siglen); 2208132451Sroberto vp->siglen = htonl(len); 2209290001Sglebius } 2210310419Sdelphij EVP_MD_CTX_free(ctx); 2211132451Sroberto return (XEVNT_OK); 2212132451Sroberto} 2213132451Sroberto 2214132451Sroberto 2215132451Sroberto/* 2216132451Sroberto * crypto_bob - construct Bob's response to Alice's challenge 2217132451Sroberto * 2218132451Sroberto * Returns 2219132451Sroberto * XEVNT_OK success 2220290001Sglebius * XEVNT_ERR protocol error 2221182007Sroberto * XEVNT_ID bad or missing group key 2222132451Sroberto */ 2223132451Srobertostatic int 2224132451Srobertocrypto_bob( 2225132451Sroberto struct exten *ep, /* extension pointer */ 2226132451Sroberto struct value *vp /* value pointer */ 2227132451Sroberto ) 2228132451Sroberto{ 2229132451Sroberto DSA *dsa; /* IFF parameters */ 2230132451Sroberto DSA_SIG *sdsa; /* DSA signature context fake */ 2231132451Sroberto BN_CTX *bctx; /* BIGNUM context */ 2232310419Sdelphij EVP_MD_CTX *ctx; /* signature context */ 2233132451Sroberto tstamp_t tstamp; /* NTP timestamp */ 2234132451Sroberto BIGNUM *bn, *bk, *r; 2235132451Sroberto u_char *ptr; 2236290001Sglebius u_int len; /* extension field value length */ 2237310419Sdelphij const BIGNUM *p, *q, *g; 2238310419Sdelphij const BIGNUM *priv_key; 2239132451Sroberto 2240132451Sroberto /* 2241132451Sroberto * If the IFF parameters are not valid, something awful 2242132451Sroberto * happened or we are being tormented. 2243132451Sroberto */ 2244290001Sglebius if (iffkey_info == NULL) { 2245290001Sglebius msyslog(LOG_NOTICE, "crypto_bob: scheme unavailable"); 2246182007Sroberto return (XEVNT_ID); 2247132451Sroberto } 2248310419Sdelphij dsa = EVP_PKEY_get0_DSA(iffkey_info->pkey); 2249310419Sdelphij DSA_get0_pqg(dsa, &p, &q, &g); 2250310419Sdelphij DSA_get0_key(dsa, NULL, &priv_key); 2251132451Sroberto 2252132451Sroberto /* 2253132451Sroberto * Extract r from the challenge. 2254132451Sroberto */ 2255290001Sglebius len = exten_payload_size(ep); 2256290001Sglebius if (len == 0 || len > MAX_VALLEN) 2257290001Sglebius return (XEVNT_LEN); 2258290001Sglebius if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) { 2259290001Sglebius msyslog(LOG_ERR, "crypto_bob: %s", 2260132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 2261182007Sroberto return (XEVNT_ERR); 2262132451Sroberto } 2263132451Sroberto 2264132451Sroberto /* 2265132451Sroberto * Bob rolls random k (0 < k < q), computes y = k + b r mod q 2266132451Sroberto * and x = g^k mod p, then sends (y, hash(x)) to Alice. 2267132451Sroberto */ 2268132451Sroberto bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new(); 2269132451Sroberto sdsa = DSA_SIG_new(); 2270290001Sglebius BN_rand(bk, len * 8, -1, 1); /* k */ 2271310419Sdelphij BN_mod_mul(bn, priv_key, r, q, bctx); /* b r mod q */ 2272132451Sroberto BN_add(bn, bn, bk); 2273310419Sdelphij BN_mod(bn, bn, q, bctx); /* k + b r mod q */ 2274310419Sdelphij BN_mod_exp(bk, g, bk, p, bctx); /* g^k mod p */ 2275132451Sroberto bighash(bk, bk); 2276310419Sdelphij DSA_SIG_set0(sdsa, bn, bk); 2277132451Sroberto BN_CTX_free(bctx); 2278310419Sdelphij BN_free(r); 2279290001Sglebius#ifdef DEBUG 2280290001Sglebius if (debug > 1) 2281290001Sglebius DSA_print_fp(stdout, dsa, 0); 2282290001Sglebius#endif 2283132451Sroberto 2284132451Sroberto /* 2285290001Sglebius * Encode the values in ASN.1 and sign. The filestamp is from 2286290001Sglebius * the local file. 2287132451Sroberto */ 2288290001Sglebius len = i2d_DSA_SIG(sdsa, NULL); 2289290001Sglebius if (len == 0) { 2290290001Sglebius msyslog(LOG_ERR, "crypto_bob: %s", 2291132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 2292132451Sroberto DSA_SIG_free(sdsa); 2293182007Sroberto return (XEVNT_ERR); 2294132451Sroberto } 2295290001Sglebius if (len > MAX_VALLEN) { 2296290001Sglebius msyslog(LOG_ERR, "crypto_bob: signature is too big: %u", 2297290001Sglebius len); 2298281233Sdelphij DSA_SIG_free(sdsa); 2299281233Sdelphij return (XEVNT_LEN); 2300281233Sdelphij } 2301281233Sdelphij memset(vp, 0, sizeof(struct value)); 2302281233Sdelphij tstamp = crypto_time(); 2303281233Sdelphij vp->tstamp = htonl(tstamp); 2304290001Sglebius vp->fstamp = htonl(iffkey_info->fstamp); 2305290001Sglebius vp->vallen = htonl(len); 2306290001Sglebius ptr = emalloc(len); 2307132451Sroberto vp->ptr = ptr; 2308132451Sroberto i2d_DSA_SIG(sdsa, &ptr); 2309132451Sroberto DSA_SIG_free(sdsa); 2310132451Sroberto if (tstamp == 0) 2311132451Sroberto return (XEVNT_OK); 2312182007Sroberto 2313281233Sdelphij /* XXX: more validation to make sure the sign fits... */ 2314132451Sroberto vp->sig = emalloc(sign_siglen); 2315310419Sdelphij ctx = EVP_MD_CTX_new(); 2316310419Sdelphij EVP_SignInit(ctx, sign_digest); 2317310419Sdelphij EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12); 2318310419Sdelphij EVP_SignUpdate(ctx, vp->ptr, len); 2319310419Sdelphij if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) { 2320290001Sglebius INSIST(len <= sign_siglen); 2321132451Sroberto vp->siglen = htonl(len); 2322290001Sglebius } 2323310419Sdelphij EVP_MD_CTX_free(ctx); 2324132451Sroberto return (XEVNT_OK); 2325132451Sroberto} 2326132451Sroberto 2327132451Sroberto 2328132451Sroberto/* 2329132451Sroberto * crypto_iff - verify Bob's response to Alice's challenge 2330132451Sroberto * 2331132451Sroberto * Returns 2332132451Sroberto * XEVNT_OK success 2333290001Sglebius * XEVNT_FSP bad filestamp 2334290001Sglebius * XEVNT_ID bad or missing group key 2335132451Sroberto * XEVNT_PUB bad or missing public key 2336132451Sroberto */ 2337132451Srobertoint 2338132451Srobertocrypto_iff( 2339132451Sroberto struct exten *ep, /* extension pointer */ 2340132451Sroberto struct peer *peer /* peer structure pointer */ 2341132451Sroberto ) 2342132451Sroberto{ 2343132451Sroberto DSA *dsa; /* IFF parameters */ 2344132451Sroberto BN_CTX *bctx; /* BIGNUM context */ 2345132451Sroberto DSA_SIG *sdsa; /* DSA parameters */ 2346132451Sroberto BIGNUM *bn, *bk; 2347132451Sroberto u_int len; 2348290001Sglebius const u_char *ptr; 2349132451Sroberto int temp; 2350310419Sdelphij const BIGNUM *p, *g; 2351310419Sdelphij const BIGNUM *r, *s; 2352310419Sdelphij const BIGNUM *pub_key; 2353132451Sroberto 2354132451Sroberto /* 2355132451Sroberto * If the IFF parameters are not valid or no challenge was sent, 2356132451Sroberto * something awful happened or we are being tormented. 2357132451Sroberto */ 2358132451Sroberto if (peer->ident_pkey == NULL) { 2359290001Sglebius msyslog(LOG_NOTICE, "crypto_iff: scheme unavailable"); 2360182007Sroberto return (XEVNT_ID); 2361132451Sroberto } 2362290001Sglebius if (ntohl(ep->fstamp) != peer->ident_pkey->fstamp) { 2363290001Sglebius msyslog(LOG_NOTICE, "crypto_iff: invalid filestamp %u", 2364132451Sroberto ntohl(ep->fstamp)); 2365132451Sroberto return (XEVNT_FSP); 2366132451Sroberto } 2367310419Sdelphij if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) { 2368290001Sglebius msyslog(LOG_NOTICE, "crypto_iff: defective key"); 2369132451Sroberto return (XEVNT_PUB); 2370132451Sroberto } 2371132451Sroberto if (peer->iffval == NULL) { 2372290001Sglebius msyslog(LOG_NOTICE, "crypto_iff: missing challenge"); 2373182007Sroberto return (XEVNT_ID); 2374132451Sroberto } 2375132451Sroberto 2376132451Sroberto /* 2377132451Sroberto * Extract the k + b r and g^k values from the response. 2378132451Sroberto */ 2379132451Sroberto bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new(); 2380132451Sroberto len = ntohl(ep->vallen); 2381290001Sglebius ptr = (u_char *)ep->pkt; 2382132451Sroberto if ((sdsa = d2i_DSA_SIG(NULL, &ptr, len)) == NULL) { 2383290001Sglebius BN_free(bn); BN_free(bk); BN_CTX_free(bctx); 2384290001Sglebius msyslog(LOG_ERR, "crypto_iff: %s", 2385132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 2386182007Sroberto return (XEVNT_ERR); 2387132451Sroberto } 2388132451Sroberto 2389132451Sroberto /* 2390132451Sroberto * Compute g^(k + b r) g^(q - b)r mod p. 2391132451Sroberto */ 2392310419Sdelphij DSA_get0_key(dsa, &pub_key, NULL); 2393310419Sdelphij DSA_get0_pqg(dsa, &p, NULL, &g); 2394310419Sdelphij DSA_SIG_get0(sdsa, &r, &s); 2395310419Sdelphij BN_mod_exp(bn, pub_key, peer->iffval, p, bctx); 2396310419Sdelphij BN_mod_exp(bk, g, r, p, bctx); 2397310419Sdelphij BN_mod_mul(bn, bn, bk, p, bctx); 2398132451Sroberto 2399132451Sroberto /* 2400132451Sroberto * Verify the hash of the result matches hash(x). 2401132451Sroberto */ 2402132451Sroberto bighash(bn, bn); 2403310419Sdelphij temp = BN_cmp(bn, s); 2404132451Sroberto BN_free(bn); BN_free(bk); BN_CTX_free(bctx); 2405132451Sroberto BN_free(peer->iffval); 2406132451Sroberto peer->iffval = NULL; 2407132451Sroberto DSA_SIG_free(sdsa); 2408132451Sroberto if (temp == 0) 2409132451Sroberto return (XEVNT_OK); 2410182007Sroberto 2411290001Sglebius msyslog(LOG_NOTICE, "crypto_iff: identity not verified"); 2412290001Sglebius return (XEVNT_ID); 2413132451Sroberto} 2414132451Sroberto 2415132451Sroberto 2416132451Sroberto/* 2417132451Sroberto *********************************************************************** 2418132451Sroberto * * 2419132451Sroberto * The following routines implement the Guillou-Quisquater (GQ) * 2420132451Sroberto * identity scheme * 2421132451Sroberto * * 2422132451Sroberto *********************************************************************** 2423132451Sroberto * 2424132451Sroberto * The Guillou-Quisquater (GQ) identity scheme is intended for use when 2425290001Sglebius * the certificate can be used to convey public parameters. The scheme 2426290001Sglebius * uses a X509v3 certificate extension field do convey the public key of 2427290001Sglebius * a private key known only to servers. There are two kinds of files: 2428290001Sglebius * encrypted server files that contain private and public values and 2429290001Sglebius * nonencrypted client files that contain only public values. New 2430290001Sglebius * generations of server files must be securely transmitted to all 2431290001Sglebius * servers of the group; client files can be distributed by any means. 2432290001Sglebius * The scheme is self contained and independent of new generations of 2433290001Sglebius * host keys and sign keys. The scheme is self contained and independent 2434290001Sglebius * of new generations of host keys and sign keys. 2435132451Sroberto * 2436290001Sglebius * The GQ parameters hide in a RSA cuckoo structure which uses the same 2437290001Sglebius * parameters. The values are used by an identity scheme based on RSA 2438290001Sglebius * cryptography and described in Stimson p. 300 (with errors). The 512- 2439290001Sglebius * bit public modulus is n = p q, where p and q are secret large primes. 2440290001Sglebius * The TA rolls private random group key b as RSA exponent. These values 2441290001Sglebius * are known to all group members. 2442132451Sroberto * 2443290001Sglebius * When rolling new certificates, a server recomputes the private and 2444132451Sroberto * public keys. The private key u is a random roll, while the public key 2445132451Sroberto * is the inverse obscured by the group key v = (u^-1)^b. These values 2446132451Sroberto * replace the private and public keys normally generated by the RSA 2447132451Sroberto * scheme. Alice challenges Bob to confirm identity using the protocol 2448132451Sroberto * described below. 2449132451Sroberto * 2450132451Sroberto * How it works 2451132451Sroberto * 2452132451Sroberto * The scheme goes like this. Both Alice and Bob have the same modulus n 2453132451Sroberto * and some random b as the group key. These values are computed and 2454132451Sroberto * distributed in advance via secret means, although only the group key 2455132451Sroberto * b is truly secret. Each has a private random private key u and public 2456132451Sroberto * key (u^-1)^b, although not necessarily the same ones. Bob and Alice 2457132451Sroberto * can regenerate the key pair from time to time without affecting 2458132451Sroberto * operations. The public key is conveyed on the certificate in an 2459132451Sroberto * extension field; the private key is never revealed. 2460132451Sroberto * 2461132451Sroberto * Alice rolls new random challenge r and sends to Bob in the GQ 2462132451Sroberto * request message. Bob rolls new random k, then computes y = k u^r mod 2463132451Sroberto * n and x = k^b mod n and sends (y, hash(x)) to Alice in the response 2464132451Sroberto * message. Besides making the response shorter, the hash makes it 2465132451Sroberto * effectivey impossible for an intruder to solve for b by observing 2466132451Sroberto * a number of these messages. 2467132451Sroberto * 2468132451Sroberto * Alice receives the response and computes y^b v^r mod n. After a bit 2469132451Sroberto * of algebra, this simplifies to k^b. If the hash of this result 2470132451Sroberto * matches hash(x), Alice knows that Bob has the group key b. The signed 2471132451Sroberto * response binds this knowledge to Bob's private key and the public key 2472132451Sroberto * previously received in his certificate. 2473132451Sroberto * 2474132451Sroberto * crypto_alice2 - construct Alice's challenge in GQ scheme 2475132451Sroberto * 2476132451Sroberto * Returns 2477132451Sroberto * XEVNT_OK success 2478290001Sglebius * XEVNT_ID bad or missing group key 2479132451Sroberto * XEVNT_PUB bad or missing public key 2480132451Sroberto */ 2481132451Srobertostatic int 2482132451Srobertocrypto_alice2( 2483132451Sroberto struct peer *peer, /* peer pointer */ 2484132451Sroberto struct value *vp /* value pointer */ 2485132451Sroberto ) 2486132451Sroberto{ 2487132451Sroberto RSA *rsa; /* GQ parameters */ 2488132451Sroberto BN_CTX *bctx; /* BIGNUM context */ 2489310419Sdelphij EVP_MD_CTX *ctx; /* signature context */ 2490132451Sroberto tstamp_t tstamp; 2491132451Sroberto u_int len; 2492310419Sdelphij const BIGNUM *n; 2493132451Sroberto 2494132451Sroberto /* 2495132451Sroberto * The identity parameters must have correct format and content. 2496132451Sroberto */ 2497132451Sroberto if (peer->ident_pkey == NULL) 2498132451Sroberto return (XEVNT_ID); 2499182007Sroberto 2500310419Sdelphij if ((rsa = EVP_PKEY_get0_RSA(peer->ident_pkey->pkey)) == NULL) { 2501290001Sglebius msyslog(LOG_NOTICE, "crypto_alice2: defective key"); 2502132451Sroberto return (XEVNT_PUB); 250382498Sroberto } 250482498Sroberto 250582498Sroberto /* 2506290001Sglebius * Roll new random r (0 < r < n). 250782498Sroberto */ 2508132451Sroberto if (peer->iffval != NULL) 2509132451Sroberto BN_free(peer->iffval); 2510132451Sroberto peer->iffval = BN_new(); 2511310419Sdelphij RSA_get0_key(rsa, &n, NULL, NULL); 2512310419Sdelphij len = BN_num_bytes(n); 2513132451Sroberto BN_rand(peer->iffval, len * 8, -1, 1); /* r mod n */ 2514290001Sglebius bctx = BN_CTX_new(); 2515310419Sdelphij BN_mod(peer->iffval, peer->iffval, n, bctx); 2516132451Sroberto BN_CTX_free(bctx); 2517132451Sroberto 2518132451Sroberto /* 2519132451Sroberto * Sign and send to Bob. The filestamp is from the local file. 2520132451Sroberto */ 2521290001Sglebius memset(vp, 0, sizeof(struct value)); 2522132451Sroberto tstamp = crypto_time(); 2523132451Sroberto vp->tstamp = htonl(tstamp); 2524290001Sglebius vp->fstamp = htonl(peer->ident_pkey->fstamp); 2525132451Sroberto vp->vallen = htonl(len); 2526132451Sroberto vp->ptr = emalloc(len); 2527132451Sroberto BN_bn2bin(peer->iffval, vp->ptr); 2528132451Sroberto if (tstamp == 0) 2529132451Sroberto return (XEVNT_OK); 2530182007Sroberto 2531132451Sroberto vp->sig = emalloc(sign_siglen); 2532310419Sdelphij ctx = EVP_MD_CTX_new(); 2533310419Sdelphij EVP_SignInit(ctx, sign_digest); 2534310419Sdelphij EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12); 2535310419Sdelphij EVP_SignUpdate(ctx, vp->ptr, len); 2536310419Sdelphij if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) { 2537290001Sglebius INSIST(len <= sign_siglen); 2538132451Sroberto vp->siglen = htonl(len); 2539290001Sglebius } 2540310419Sdelphij EVP_MD_CTX_free(ctx); 2541132451Sroberto return (XEVNT_OK); 2542132451Sroberto} 2543132451Sroberto 2544132451Sroberto 2545132451Sroberto/* 2546132451Sroberto * crypto_bob2 - construct Bob's response to Alice's challenge 2547132451Sroberto * 2548132451Sroberto * Returns 2549132451Sroberto * XEVNT_OK success 2550290001Sglebius * XEVNT_ERR protocol error 2551182007Sroberto * XEVNT_ID bad or missing group key 2552132451Sroberto */ 2553132451Srobertostatic int 2554132451Srobertocrypto_bob2( 2555132451Sroberto struct exten *ep, /* extension pointer */ 2556132451Sroberto struct value *vp /* value pointer */ 2557132451Sroberto ) 2558132451Sroberto{ 2559132451Sroberto RSA *rsa; /* GQ parameters */ 2560132451Sroberto DSA_SIG *sdsa; /* DSA parameters */ 2561132451Sroberto BN_CTX *bctx; /* BIGNUM context */ 2562310419Sdelphij EVP_MD_CTX *ctx; /* signature context */ 2563132451Sroberto tstamp_t tstamp; /* NTP timestamp */ 2564132451Sroberto BIGNUM *r, *k, *g, *y; 2565132451Sroberto u_char *ptr; 2566132451Sroberto u_int len; 2567290001Sglebius int s_len; 2568310419Sdelphij const BIGNUM *n, *p, *e; 2569132451Sroberto 2570132451Sroberto /* 2571132451Sroberto * If the GQ parameters are not valid, something awful 2572132451Sroberto * happened or we are being tormented. 2573132451Sroberto */ 2574290001Sglebius if (gqkey_info == NULL) { 2575290001Sglebius msyslog(LOG_NOTICE, "crypto_bob2: scheme unavailable"); 2576182007Sroberto return (XEVNT_ID); 257782498Sroberto } 2578310419Sdelphij rsa = EVP_PKEY_get0_RSA(gqkey_info->pkey); 2579310419Sdelphij RSA_get0_key(rsa, &n, &p, &e); 258082498Sroberto 258182498Sroberto /* 2582132451Sroberto * Extract r from the challenge. 258382498Sroberto */ 2584290001Sglebius len = exten_payload_size(ep); 2585290001Sglebius if (len == 0 || len > MAX_VALLEN) 2586290001Sglebius return (XEVNT_LEN); 2587132451Sroberto if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) { 2588290001Sglebius msyslog(LOG_ERR, "crypto_bob2: %s", 2589132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 2590182007Sroberto return (XEVNT_ERR); 2591132451Sroberto } 2592132451Sroberto 2593132451Sroberto /* 2594132451Sroberto * Bob rolls random k (0 < k < n), computes y = k u^r mod n and 2595132451Sroberto * x = k^b mod n, then sends (y, hash(x)) to Alice. 2596132451Sroberto */ 2597132451Sroberto bctx = BN_CTX_new(); k = BN_new(); g = BN_new(); y = BN_new(); 2598132451Sroberto sdsa = DSA_SIG_new(); 2599132451Sroberto BN_rand(k, len * 8, -1, 1); /* k */ 2600310419Sdelphij BN_mod(k, k, n, bctx); 2601310419Sdelphij BN_mod_exp(y, p, r, n, bctx); /* u^r mod n */ 2602310419Sdelphij BN_mod_mul(y, k, y, n, bctx); /* k u^r mod n */ 2603310419Sdelphij BN_mod_exp(g, k, e, n, bctx); /* k^b mod n */ 2604132451Sroberto bighash(g, g); 2605310419Sdelphij DSA_SIG_set0(sdsa, y, g); 2606132451Sroberto BN_CTX_free(bctx); 2607310419Sdelphij BN_free(r); BN_free(k); 2608290001Sglebius#ifdef DEBUG 2609290001Sglebius if (debug > 1) 2610290001Sglebius RSA_print_fp(stdout, rsa, 0); 2611290001Sglebius#endif 2612132451Sroberto 2613132451Sroberto /* 2614290001Sglebius * Encode the values in ASN.1 and sign. The filestamp is from 2615290001Sglebius * the local file. 2616132451Sroberto */ 2617290001Sglebius len = s_len = i2d_DSA_SIG(sdsa, NULL); 2618290001Sglebius if (s_len <= 0) { 2619290001Sglebius msyslog(LOG_ERR, "crypto_bob2: %s", 2620132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 2621132451Sroberto DSA_SIG_free(sdsa); 2622182007Sroberto return (XEVNT_ERR); 2623132451Sroberto } 2624290001Sglebius memset(vp, 0, sizeof(struct value)); 2625290001Sglebius tstamp = crypto_time(); 2626290001Sglebius vp->tstamp = htonl(tstamp); 2627290001Sglebius vp->fstamp = htonl(gqkey_info->fstamp); 2628132451Sroberto vp->vallen = htonl(len); 2629132451Sroberto ptr = emalloc(len); 2630132451Sroberto vp->ptr = ptr; 2631132451Sroberto i2d_DSA_SIG(sdsa, &ptr); 2632132451Sroberto DSA_SIG_free(sdsa); 2633132451Sroberto if (tstamp == 0) 2634132451Sroberto return (XEVNT_OK); 2635182007Sroberto 2636132451Sroberto vp->sig = emalloc(sign_siglen); 2637310419Sdelphij ctx = EVP_MD_CTX_new(); 2638310419Sdelphij EVP_SignInit(ctx, sign_digest); 2639310419Sdelphij EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12); 2640310419Sdelphij EVP_SignUpdate(ctx, vp->ptr, len); 2641310419Sdelphij if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) { 2642290001Sglebius INSIST(len <= sign_siglen); 2643132451Sroberto vp->siglen = htonl(len); 2644290001Sglebius } 2645310419Sdelphij EVP_MD_CTX_free(ctx); 2646132451Sroberto return (XEVNT_OK); 2647132451Sroberto} 2648132451Sroberto 2649132451Sroberto 2650132451Sroberto/* 2651132451Sroberto * crypto_gq - verify Bob's response to Alice's challenge 2652132451Sroberto * 2653132451Sroberto * Returns 2654132451Sroberto * XEVNT_OK success 2655182007Sroberto * XEVNT_ERR protocol error 2656132451Sroberto * XEVNT_FSP bad filestamp 2657290001Sglebius * XEVNT_ID bad or missing group keys 2658290001Sglebius * XEVNT_PUB bad or missing public key 2659132451Sroberto */ 2660132451Srobertoint 2661132451Srobertocrypto_gq( 2662132451Sroberto struct exten *ep, /* extension pointer */ 2663132451Sroberto struct peer *peer /* peer structure pointer */ 2664132451Sroberto ) 2665132451Sroberto{ 2666132451Sroberto RSA *rsa; /* GQ parameters */ 2667132451Sroberto BN_CTX *bctx; /* BIGNUM context */ 2668132451Sroberto DSA_SIG *sdsa; /* RSA signature context fake */ 2669132451Sroberto BIGNUM *y, *v; 2670290001Sglebius const u_char *ptr; 2671290001Sglebius long len; 2672290001Sglebius u_int temp; 2673310419Sdelphij const BIGNUM *n, *e; 2674310419Sdelphij const BIGNUM *r, *s; 2675132451Sroberto 2676132451Sroberto /* 2677132451Sroberto * If the GQ parameters are not valid or no challenge was sent, 2678290001Sglebius * something awful happened or we are being tormented. Note that 2679290001Sglebius * the filestamp on the local key file can be greater than on 2680290001Sglebius * the remote parameter file if the keys have been refreshed. 2681132451Sroberto */ 2682132451Sroberto if (peer->ident_pkey == NULL) { 2683290001Sglebius msyslog(LOG_NOTICE, "crypto_gq: scheme unavailable"); 2684182007Sroberto return (XEVNT_ID); 2685132451Sroberto } 2686290001Sglebius if (ntohl(ep->fstamp) < peer->ident_pkey->fstamp) { 2687290001Sglebius msyslog(LOG_NOTICE, "crypto_gq: invalid filestamp %u", 2688132451Sroberto ntohl(ep->fstamp)); 2689132451Sroberto return (XEVNT_FSP); 2690132451Sroberto } 2691310419Sdelphij if ((rsa = EVP_PKEY_get0_RSA(peer->ident_pkey->pkey)) == NULL) { 2692290001Sglebius msyslog(LOG_NOTICE, "crypto_gq: defective key"); 2693132451Sroberto return (XEVNT_PUB); 2694132451Sroberto } 2695310419Sdelphij RSA_get0_key(rsa, &n, NULL, &e); 2696132451Sroberto if (peer->iffval == NULL) { 2697290001Sglebius msyslog(LOG_NOTICE, "crypto_gq: missing challenge"); 2698182007Sroberto return (XEVNT_ID); 2699132451Sroberto } 2700132451Sroberto 2701132451Sroberto /* 2702132451Sroberto * Extract the y = k u^r and hash(x = k^b) values from the 2703132451Sroberto * response. 2704132451Sroberto */ 2705132451Sroberto bctx = BN_CTX_new(); y = BN_new(); v = BN_new(); 2706132451Sroberto len = ntohl(ep->vallen); 2707290001Sglebius ptr = (u_char *)ep->pkt; 2708132451Sroberto if ((sdsa = d2i_DSA_SIG(NULL, &ptr, len)) == NULL) { 2709290001Sglebius BN_CTX_free(bctx); BN_free(y); BN_free(v); 2710290001Sglebius msyslog(LOG_ERR, "crypto_gq: %s", 2711132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 2712182007Sroberto return (XEVNT_ERR); 2713132451Sroberto } 2714310419Sdelphij DSA_SIG_get0(sdsa, &r, &s); 2715132451Sroberto 2716132451Sroberto /* 2717132451Sroberto * Compute v^r y^b mod n. 2718132451Sroberto */ 2719290001Sglebius if (peer->grpkey == NULL) { 2720290001Sglebius msyslog(LOG_NOTICE, "crypto_gq: missing group key"); 2721290001Sglebius return (XEVNT_ID); 2722290001Sglebius } 2723310419Sdelphij BN_mod_exp(v, peer->grpkey, peer->iffval, n, bctx); 2724132451Sroberto /* v^r mod n */ 2725310419Sdelphij BN_mod_exp(y, r, e, n, bctx); /* y^b mod n */ 2726310419Sdelphij BN_mod_mul(y, v, y, n, bctx); /* v^r y^b mod n */ 2727132451Sroberto 2728132451Sroberto /* 2729132451Sroberto * Verify the hash of the result matches hash(x). 2730132451Sroberto */ 2731132451Sroberto bighash(y, y); 2732310419Sdelphij temp = BN_cmp(y, s); 2733132451Sroberto BN_CTX_free(bctx); BN_free(y); BN_free(v); 2734132451Sroberto BN_free(peer->iffval); 2735132451Sroberto peer->iffval = NULL; 2736132451Sroberto DSA_SIG_free(sdsa); 2737132451Sroberto if (temp == 0) 2738132451Sroberto return (XEVNT_OK); 2739182007Sroberto 2740290001Sglebius msyslog(LOG_NOTICE, "crypto_gq: identity not verified"); 2741290001Sglebius return (XEVNT_ID); 2742132451Sroberto} 2743132451Sroberto 2744132451Sroberto 2745132451Sroberto/* 2746132451Sroberto *********************************************************************** 2747132451Sroberto * * 2748132451Sroberto * The following routines implement the Mu-Varadharajan (MV) identity * 2749132451Sroberto * scheme * 2750132451Sroberto * * 2751132451Sroberto *********************************************************************** 2752290001Sglebius * 2753132451Sroberto * The Mu-Varadharajan (MV) cryptosystem was originally intended when 2754132451Sroberto * servers broadcast messages to clients, but clients never send 2755132451Sroberto * messages to servers. There is one encryption key for the server and a 2756132451Sroberto * separate decryption key for each client. It operated something like a 2757132451Sroberto * pay-per-view satellite broadcasting system where the session key is 2758132451Sroberto * encrypted by the broadcaster and the decryption keys are held in a 2759132451Sroberto * tamperproof set-top box. 2760132451Sroberto * 2761132451Sroberto * The MV parameters and private encryption key hide in a DSA cuckoo 2762132451Sroberto * structure which uses the same parameters, but generated in a 2763132451Sroberto * different way. The values are used in an encryption scheme similar to 2764132451Sroberto * El Gamal cryptography and a polynomial formed from the expansion of 2765132451Sroberto * product terms (x - x[j]), as described in Mu, Y., and V. 2766132451Sroberto * Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001, 2767132451Sroberto * 223-231. The paper has significant errors and serious omissions. 2768132451Sroberto * 2769290001Sglebius * Let q be the product of n distinct primes s1[j] (j = 1...n), where 2770290001Sglebius * each s1[j] has m significant bits. Let p be a prime p = 2 * q + 1, so 2771290001Sglebius * that q and each s1[j] divide p - 1 and p has M = n * m + 1 2772290001Sglebius * significant bits. Let g be a generator of Zp; that is, gcd(g, p - 1) 2773290001Sglebius * = 1 and g^q = 1 mod p. We do modular arithmetic over Zq and then 2774290001Sglebius * project into Zp* as exponents of g. Sometimes we have to compute an 2775290001Sglebius * inverse b^-1 of random b in Zq, but for that purpose we require 2776290001Sglebius * gcd(b, q) = 1. We expect M to be in the 500-bit range and n 2777290001Sglebius * relatively small, like 30. These are the parameters of the scheme and 2778290001Sglebius * they are expensive to compute. 2779132451Sroberto * 2780132451Sroberto * We set up an instance of the scheme as follows. A set of random 2781132451Sroberto * values x[j] mod q (j = 1...n), are generated as the zeros of a 2782132451Sroberto * polynomial of order n. The product terms (x - x[j]) are expanded to 2783132451Sroberto * form coefficients a[i] mod q (i = 0...n) in powers of x. These are 2784132451Sroberto * used as exponents of the generator g mod p to generate the private 2785132451Sroberto * encryption key A. The pair (gbar, ghat) of public server keys and the 2786132451Sroberto * pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used 2787132451Sroberto * to construct the decryption keys. The devil is in the details. 2788132451Sroberto * 2789290001Sglebius * This routine generates a private server encryption file including the 2790290001Sglebius * private encryption key E and partial decryption keys gbar and ghat. 2791290001Sglebius * It then generates public client decryption files including the public 2792290001Sglebius * keys xbar[j] and xhat[j] for each client j. The partial decryption 2793290001Sglebius * files are used to compute the inverse of E. These values are suitably 2794290001Sglebius * blinded so secrets are not revealed. 2795290001Sglebius * 2796132451Sroberto * The distinguishing characteristic of this scheme is the capability to 2797132451Sroberto * revoke keys. Included in the calculation of E, gbar and ghat is the 2798290001Sglebius * product s = prod(s1[j]) (j = 1...n) above. If the factor s1[j] is 2799132451Sroberto * subsequently removed from the product and E, gbar and ghat 2800132451Sroberto * recomputed, the jth client will no longer be able to compute E^-1 and 2801290001Sglebius * thus unable to decrypt the messageblock. 2802132451Sroberto * 2803132451Sroberto * How it works 2804132451Sroberto * 2805290001Sglebius * The scheme goes like this. Bob has the server values (p, E, q, gbar, 2806290001Sglebius * ghat) and Alice has the client values (p, xbar, xhat). 2807132451Sroberto * 2808290001Sglebius * Alice rolls new random nonce r mod p and sends to Bob in the MV 2809290001Sglebius * request message. Bob rolls random nonce k mod q, encrypts y = r E^k 2810290001Sglebius * mod p and sends (y, gbar^k, ghat^k) to Alice. 2811132451Sroberto * 2812290001Sglebius * Alice receives the response and computes the inverse (E^k)^-1 from 2813290001Sglebius * the partial decryption keys gbar^k, ghat^k, xbar and xhat. She then 2814290001Sglebius * decrypts y and verifies it matches the original r. The signed 2815290001Sglebius * response binds this knowledge to Bob's private key and the public key 2816290001Sglebius * previously received in his certificate. 2817132451Sroberto * 2818132451Sroberto * crypto_alice3 - construct Alice's challenge in MV scheme 2819132451Sroberto * 2820132451Sroberto * Returns 2821132451Sroberto * XEVNT_OK success 2822290001Sglebius * XEVNT_ID bad or missing group key 2823132451Sroberto * XEVNT_PUB bad or missing public key 2824132451Sroberto */ 2825132451Srobertostatic int 2826132451Srobertocrypto_alice3( 2827132451Sroberto struct peer *peer, /* peer pointer */ 2828132451Sroberto struct value *vp /* value pointer */ 2829132451Sroberto ) 2830132451Sroberto{ 2831132451Sroberto DSA *dsa; /* MV parameters */ 2832132451Sroberto BN_CTX *bctx; /* BIGNUM context */ 2833310419Sdelphij EVP_MD_CTX *ctx; /* signature context */ 2834132451Sroberto tstamp_t tstamp; 2835132451Sroberto u_int len; 2836310419Sdelphij const BIGNUM *p; 2837132451Sroberto 2838132451Sroberto /* 2839132451Sroberto * The identity parameters must have correct format and content. 2840132451Sroberto */ 2841132451Sroberto if (peer->ident_pkey == NULL) 2842132451Sroberto return (XEVNT_ID); 2843182007Sroberto 2844310419Sdelphij if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) { 2845290001Sglebius msyslog(LOG_NOTICE, "crypto_alice3: defective key"); 2846132451Sroberto return (XEVNT_PUB); 284782498Sroberto } 2848310419Sdelphij DSA_get0_pqg(dsa, &p, NULL, NULL); 284982498Sroberto 285082498Sroberto /* 2851290001Sglebius * Roll new random r (0 < r < q). 285282498Sroberto */ 2853132451Sroberto if (peer->iffval != NULL) 2854132451Sroberto BN_free(peer->iffval); 2855132451Sroberto peer->iffval = BN_new(); 2856310419Sdelphij len = BN_num_bytes(p); 2857290001Sglebius BN_rand(peer->iffval, len * 8, -1, 1); /* r mod p */ 2858290001Sglebius bctx = BN_CTX_new(); 2859310419Sdelphij BN_mod(peer->iffval, peer->iffval, p, bctx); 2860132451Sroberto BN_CTX_free(bctx); 2861132451Sroberto 2862132451Sroberto /* 2863132451Sroberto * Sign and send to Bob. The filestamp is from the local file. 2864132451Sroberto */ 2865290001Sglebius memset(vp, 0, sizeof(struct value)); 2866132451Sroberto tstamp = crypto_time(); 2867132451Sroberto vp->tstamp = htonl(tstamp); 2868290001Sglebius vp->fstamp = htonl(peer->ident_pkey->fstamp); 2869132451Sroberto vp->vallen = htonl(len); 2870132451Sroberto vp->ptr = emalloc(len); 2871132451Sroberto BN_bn2bin(peer->iffval, vp->ptr); 2872132451Sroberto if (tstamp == 0) 2873132451Sroberto return (XEVNT_OK); 2874182007Sroberto 2875132451Sroberto vp->sig = emalloc(sign_siglen); 2876310419Sdelphij ctx = EVP_MD_CTX_new(); 2877310419Sdelphij EVP_SignInit(ctx, sign_digest); 2878310419Sdelphij EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12); 2879310419Sdelphij EVP_SignUpdate(ctx, vp->ptr, len); 2880310419Sdelphij if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) { 2881290001Sglebius INSIST(len <= sign_siglen); 2882132451Sroberto vp->siglen = htonl(len); 2883290001Sglebius } 2884310419Sdelphij EVP_MD_CTX_free(ctx); 2885132451Sroberto return (XEVNT_OK); 2886132451Sroberto} 2887132451Sroberto 2888132451Sroberto 2889132451Sroberto/* 2890132451Sroberto * crypto_bob3 - construct Bob's response to Alice's challenge 2891132451Sroberto * 2892132451Sroberto * Returns 2893132451Sroberto * XEVNT_OK success 2894182007Sroberto * XEVNT_ERR protocol error 2895132451Sroberto */ 2896132451Srobertostatic int 2897132451Srobertocrypto_bob3( 2898132451Sroberto struct exten *ep, /* extension pointer */ 2899132451Sroberto struct value *vp /* value pointer */ 2900132451Sroberto ) 2901132451Sroberto{ 2902132451Sroberto DSA *dsa; /* MV parameters */ 2903132451Sroberto DSA *sdsa; /* DSA signature context fake */ 2904132451Sroberto BN_CTX *bctx; /* BIGNUM context */ 2905310419Sdelphij EVP_MD_CTX *ctx; /* signature context */ 2906132451Sroberto tstamp_t tstamp; /* NTP timestamp */ 2907132451Sroberto BIGNUM *r, *k, *u; 2908132451Sroberto u_char *ptr; 2909132451Sroberto u_int len; 2910310419Sdelphij const BIGNUM *p, *q, *g; 2911310419Sdelphij const BIGNUM *pub_key, *priv_key; 2912310419Sdelphij BIGNUM *sp, *sq, *sg; 2913132451Sroberto 2914132451Sroberto /* 2915132451Sroberto * If the MV parameters are not valid, something awful 2916132451Sroberto * happened or we are being tormented. 2917132451Sroberto */ 2918290001Sglebius if (mvkey_info == NULL) { 2919290001Sglebius msyslog(LOG_NOTICE, "crypto_bob3: scheme unavailable"); 2920182007Sroberto return (XEVNT_ID); 292182498Sroberto } 2922310419Sdelphij dsa = EVP_PKEY_get0_DSA(mvkey_info->pkey); 2923310419Sdelphij DSA_get0_pqg(dsa, &p, &q, &g); 2924310419Sdelphij DSA_get0_key(dsa, &pub_key, &priv_key); 2925132451Sroberto 2926132451Sroberto /* 2927132451Sroberto * Extract r from the challenge. 2928132451Sroberto */ 2929290001Sglebius len = exten_payload_size(ep); 2930290001Sglebius if (len == 0 || len > MAX_VALLEN) 2931290001Sglebius return (XEVNT_LEN); 2932132451Sroberto if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) { 2933290001Sglebius msyslog(LOG_ERR, "crypto_bob3: %s", 2934132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 2935182007Sroberto return (XEVNT_ERR); 2936132451Sroberto } 2937132451Sroberto 2938132451Sroberto /* 2939132451Sroberto * Bob rolls random k (0 < k < q), making sure it is not a 2940290001Sglebius * factor of q. He then computes y = r A^k and sends (y, gbar^k, 2941290001Sglebius * and ghat^k) to Alice. 2942132451Sroberto */ 2943132451Sroberto bctx = BN_CTX_new(); k = BN_new(); u = BN_new(); 2944132451Sroberto sdsa = DSA_new(); 2945310419Sdelphij sp = BN_new(); sq = BN_new(); sg = BN_new(); 2946132451Sroberto while (1) { 2947310419Sdelphij BN_rand(k, BN_num_bits(q), 0, 0); 2948310419Sdelphij BN_mod(k, k, q, bctx); 2949310419Sdelphij BN_gcd(u, k, q, bctx); 2950132451Sroberto if (BN_is_one(u)) 2951132451Sroberto break; 2952132451Sroberto } 2953310419Sdelphij BN_mod_exp(u, g, k, p, bctx); /* A^k r */ 2954310419Sdelphij BN_mod_mul(sp, u, r, p, bctx); 2955310419Sdelphij BN_mod_exp(sq, priv_key, k, p, bctx); /* gbar */ 2956310419Sdelphij BN_mod_exp(sg, pub_key, k, p, bctx); /* ghat */ 2957310419Sdelphij DSA_set0_key(sdsa, BN_dup(pub_key), NULL); 2958310419Sdelphij DSA_set0_pqg(sdsa, sp, sq, sg); 2959132451Sroberto BN_CTX_free(bctx); BN_free(k); BN_free(r); BN_free(u); 2960290001Sglebius#ifdef DEBUG 2961290001Sglebius if (debug > 1) 2962290001Sglebius DSA_print_fp(stdout, sdsa, 0); 2963290001Sglebius#endif 2964132451Sroberto 2965132451Sroberto /* 2966290001Sglebius * Encode the values in ASN.1 and sign. The filestamp is from 2967290001Sglebius * the local file. 2968132451Sroberto */ 2969290001Sglebius memset(vp, 0, sizeof(struct value)); 2970132451Sroberto tstamp = crypto_time(); 2971132451Sroberto vp->tstamp = htonl(tstamp); 2972290001Sglebius vp->fstamp = htonl(mvkey_info->fstamp); 2973132451Sroberto len = i2d_DSAparams(sdsa, NULL); 2974290001Sglebius if (len == 0) { 2975290001Sglebius msyslog(LOG_ERR, "crypto_bob3: %s", 2976132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 2977132451Sroberto DSA_free(sdsa); 2978182007Sroberto return (XEVNT_ERR); 2979132451Sroberto } 2980132451Sroberto vp->vallen = htonl(len); 2981132451Sroberto ptr = emalloc(len); 2982132451Sroberto vp->ptr = ptr; 2983132451Sroberto i2d_DSAparams(sdsa, &ptr); 2984132451Sroberto DSA_free(sdsa); 2985132451Sroberto if (tstamp == 0) 2986132451Sroberto return (XEVNT_OK); 2987182007Sroberto 2988132451Sroberto vp->sig = emalloc(sign_siglen); 2989310419Sdelphij ctx = EVP_MD_CTX_new(); 2990310419Sdelphij EVP_SignInit(ctx, sign_digest); 2991310419Sdelphij EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12); 2992310419Sdelphij EVP_SignUpdate(ctx, vp->ptr, len); 2993310419Sdelphij if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) { 2994290001Sglebius INSIST(len <= sign_siglen); 2995132451Sroberto vp->siglen = htonl(len); 2996290001Sglebius } 2997310419Sdelphij EVP_MD_CTX_free(ctx); 2998132451Sroberto return (XEVNT_OK); 2999132451Sroberto} 3000132451Sroberto 3001132451Sroberto 3002132451Sroberto/* 3003132451Sroberto * crypto_mv - verify Bob's response to Alice's challenge 3004132451Sroberto * 3005132451Sroberto * Returns 3006132451Sroberto * XEVNT_OK success 3007182007Sroberto * XEVNT_ERR protocol error 3008132451Sroberto * XEVNT_FSP bad filestamp 3009290001Sglebius * XEVNT_ID bad or missing group key 3010290001Sglebius * XEVNT_PUB bad or missing public key 3011132451Sroberto */ 3012132451Srobertoint 3013132451Srobertocrypto_mv( 3014132451Sroberto struct exten *ep, /* extension pointer */ 3015132451Sroberto struct peer *peer /* peer structure pointer */ 3016132451Sroberto ) 3017132451Sroberto{ 3018132451Sroberto DSA *dsa; /* MV parameters */ 3019132451Sroberto DSA *sdsa; /* DSA parameters */ 3020132451Sroberto BN_CTX *bctx; /* BIGNUM context */ 3021132451Sroberto BIGNUM *k, *u, *v; 3022132451Sroberto u_int len; 3023290001Sglebius const u_char *ptr; 3024132451Sroberto int temp; 3025310419Sdelphij const BIGNUM *p; 3026310419Sdelphij const BIGNUM *pub_key, *priv_key; 3027310419Sdelphij const BIGNUM *sp, *sq, *sg; 3028132451Sroberto 3029132451Sroberto /* 3030132451Sroberto * If the MV parameters are not valid or no challenge was sent, 3031132451Sroberto * something awful happened or we are being tormented. 3032132451Sroberto */ 3033132451Sroberto if (peer->ident_pkey == NULL) { 3034290001Sglebius msyslog(LOG_NOTICE, "crypto_mv: scheme unavailable"); 3035182007Sroberto return (XEVNT_ID); 3036132451Sroberto } 3037290001Sglebius if (ntohl(ep->fstamp) != peer->ident_pkey->fstamp) { 3038290001Sglebius msyslog(LOG_NOTICE, "crypto_mv: invalid filestamp %u", 3039132451Sroberto ntohl(ep->fstamp)); 3040132451Sroberto return (XEVNT_FSP); 3041132451Sroberto } 3042310419Sdelphij if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) { 3043290001Sglebius msyslog(LOG_NOTICE, "crypto_mv: defective key"); 3044132451Sroberto return (XEVNT_PUB); 3045132451Sroberto } 3046310419Sdelphij DSA_get0_pqg(dsa, &p, NULL, NULL); 3047310419Sdelphij DSA_get0_key(dsa, &pub_key, &priv_key); 3048132451Sroberto if (peer->iffval == NULL) { 3049290001Sglebius msyslog(LOG_NOTICE, "crypto_mv: missing challenge"); 3050182007Sroberto return (XEVNT_ID); 3051132451Sroberto } 3052132451Sroberto 3053132451Sroberto /* 3054290001Sglebius * Extract the y, gbar and ghat values from the response. 3055132451Sroberto */ 3056132451Sroberto bctx = BN_CTX_new(); k = BN_new(); u = BN_new(); v = BN_new(); 3057132451Sroberto len = ntohl(ep->vallen); 3058290001Sglebius ptr = (u_char *)ep->pkt; 3059132451Sroberto if ((sdsa = d2i_DSAparams(NULL, &ptr, len)) == NULL) { 3060290001Sglebius msyslog(LOG_ERR, "crypto_mv: %s", 3061132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 3062182007Sroberto return (XEVNT_ERR); 3063132451Sroberto } 3064310419Sdelphij DSA_get0_pqg(sdsa, &sp, &sq, &sg); 3065132451Sroberto 3066132451Sroberto /* 3067290001Sglebius * Compute (gbar^xhat ghat^xbar) mod p. 3068132451Sroberto */ 3069310419Sdelphij BN_mod_exp(u, sq, pub_key, p, bctx); 3070310419Sdelphij BN_mod_exp(v, sg, priv_key, p, bctx); 3071310419Sdelphij BN_mod_mul(u, u, v, p, bctx); 3072310419Sdelphij BN_mod_mul(u, u, sp, p, bctx); 3073132451Sroberto 3074132451Sroberto /* 3075290001Sglebius * The result should match r. 3076132451Sroberto */ 3077290001Sglebius temp = BN_cmp(u, peer->iffval); 3078132451Sroberto BN_CTX_free(bctx); BN_free(k); BN_free(u); BN_free(v); 3079132451Sroberto BN_free(peer->iffval); 3080132451Sroberto peer->iffval = NULL; 3081132451Sroberto DSA_free(sdsa); 3082132451Sroberto if (temp == 0) 3083132451Sroberto return (XEVNT_OK); 3084182007Sroberto 3085290001Sglebius msyslog(LOG_NOTICE, "crypto_mv: identity not verified"); 3086290001Sglebius return (XEVNT_ID); 3087132451Sroberto} 3088132451Sroberto 3089132451Sroberto 3090132451Sroberto/* 3091132451Sroberto *********************************************************************** 3092132451Sroberto * * 3093132451Sroberto * The following routines are used to manipulate certificates * 3094132451Sroberto * * 3095132451Sroberto *********************************************************************** 3096132451Sroberto */ 3097132451Sroberto/* 3098182007Sroberto * cert_sign - sign x509 certificate equest and update value structure. 3099132451Sroberto * 3100182007Sroberto * The certificate request includes a copy of the host certificate, 3101182007Sroberto * which includes the version number, subject name and public key of the 3102182007Sroberto * host. The resulting certificate includes these values plus the 3103182007Sroberto * serial number, issuer name and valid interval of the server. The 3104182007Sroberto * valid interval extends from the current time to the same time one 3105182007Sroberto * year hence. This may extend the life of the signed certificate beyond 3106182007Sroberto * that of the signer certificate. 3107132451Sroberto * 3108182007Sroberto * It is convenient to use the NTP seconds of the current time as the 3109182007Sroberto * serial number. In the value structure the timestamp is the current 3110182007Sroberto * time and the filestamp is taken from the extension field. Note this 3111182007Sroberto * routine is called only when the client clock is synchronized to a 3112182007Sroberto * proventic source, so timestamp comparisons are valid. 3113182007Sroberto * 3114182007Sroberto * The host certificate is valid from the time it was generated for a 3115182007Sroberto * period of one year. A signed certificate is valid from the time of 3116182007Sroberto * signature for a period of one year, but only the host certificate (or 3117182007Sroberto * sign certificate if used) is actually used to encrypt and decrypt 3118182007Sroberto * signatures. The signature trail is built from the client via the 3119182007Sroberto * intermediate servers to the trusted server. Each signature on the 3120182007Sroberto * trail must be valid at the time of signature, but it could happen 3121182007Sroberto * that a signer certificate expire before the signed certificate, which 3122182007Sroberto * remains valid until its expiration. 3123182007Sroberto * 3124132451Sroberto * Returns 3125132451Sroberto * XEVNT_OK success 3126290001Sglebius * XEVNT_CRT bad or missing certificate 3127290001Sglebius * XEVNT_PER host certificate expired 3128132451Sroberto * XEVNT_PUB bad or missing public key 3129132451Sroberto * XEVNT_VFY certificate not verified 313082498Sroberto */ 3131132451Srobertostatic int 3132132451Srobertocert_sign( 3133132451Sroberto struct exten *ep, /* extension field pointer */ 3134132451Sroberto struct value *vp /* value pointer */ 313582498Sroberto ) 313682498Sroberto{ 3137132451Sroberto X509 *req; /* X509 certificate request */ 3138132451Sroberto X509 *cert; /* X509 certificate */ 3139132451Sroberto X509_EXTENSION *ext; /* certificate extension */ 3140132451Sroberto ASN1_INTEGER *serial; /* serial number */ 3141132451Sroberto X509_NAME *subj; /* distinguished (common) name */ 3142132451Sroberto EVP_PKEY *pkey; /* public key */ 3143310419Sdelphij EVP_MD_CTX *ctx; /* message digest context */ 3144132451Sroberto tstamp_t tstamp; /* NTP timestamp */ 3145290001Sglebius struct calendar tscal; 3146132451Sroberto u_int len; 3147290001Sglebius const u_char *cptr; 3148290001Sglebius u_char *ptr; 3149132451Sroberto int i, temp; 315082498Sroberto 315182498Sroberto /* 3152132451Sroberto * Decode ASN.1 objects and construct certificate structure. 3153182007Sroberto * Make sure the system clock is synchronized to a proventic 3154182007Sroberto * source. 315582498Sroberto */ 3156132451Sroberto tstamp = crypto_time(); 3157132451Sroberto if (tstamp == 0) 3158132451Sroberto return (XEVNT_TSP); 3159132451Sroberto 3160290001Sglebius len = exten_payload_size(ep); 3161290001Sglebius if (len == 0 || len > MAX_VALLEN) 3162290001Sglebius return (XEVNT_LEN); 3163290001Sglebius cptr = (void *)ep->pkt; 3164290001Sglebius if ((req = d2i_X509(NULL, &cptr, len)) == NULL) { 3165290001Sglebius msyslog(LOG_ERR, "cert_sign: %s", 3166132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 3167132451Sroberto return (XEVNT_CRT); 316882498Sroberto } 3169132451Sroberto /* 3170132451Sroberto * Extract public key and check for errors. 3171132451Sroberto */ 3172132451Sroberto if ((pkey = X509_get_pubkey(req)) == NULL) { 3173290001Sglebius msyslog(LOG_ERR, "cert_sign: %s", 3174132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 3175132451Sroberto X509_free(req); 3176132451Sroberto return (XEVNT_PUB); 3177132451Sroberto } 317882498Sroberto 317982498Sroberto /* 3180290001Sglebius * Generate X509 certificate signed by this server. If this is a 3181290001Sglebius * trusted host, the issuer name is the group name; otherwise, 3182290001Sglebius * it is the host name. Also copy any extensions that might be 3183290001Sglebius * present. 318482498Sroberto */ 3185132451Sroberto cert = X509_new(); 3186132451Sroberto X509_set_version(cert, X509_get_version(req)); 3187132451Sroberto serial = ASN1_INTEGER_new(); 3188132451Sroberto ASN1_INTEGER_set(serial, tstamp); 3189132451Sroberto X509_set_serialNumber(cert, serial); 3190132451Sroberto X509_gmtime_adj(X509_get_notBefore(cert), 0L); 3191132451Sroberto X509_gmtime_adj(X509_get_notAfter(cert), YEAR); 3192132451Sroberto subj = X509_get_issuer_name(cert); 3193132451Sroberto X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC, 3194290001Sglebius hostval.ptr, strlen((const char *)hostval.ptr), -1, 0); 3195132451Sroberto subj = X509_get_subject_name(req); 3196132451Sroberto X509_set_subject_name(cert, subj); 3197132451Sroberto X509_set_pubkey(cert, pkey); 3198132451Sroberto temp = X509_get_ext_count(req); 3199132451Sroberto for (i = 0; i < temp; i++) { 3200132451Sroberto ext = X509_get_ext(req, i); 3201290001Sglebius INSIST(X509_add_ext(cert, ext, -1)); 320282498Sroberto } 3203132451Sroberto X509_free(req); 320482498Sroberto 320582498Sroberto /* 3206290001Sglebius * Sign and verify the client certificate, but only if the host 3207290001Sglebius * certificate has not expired. 320882498Sroberto */ 3209290001Sglebius (void)ntpcal_ntp_to_date(&tscal, tstamp, NULL); 3210290001Sglebius if ((calcomp(&tscal, &(cert_host->first)) < 0) 3211290001Sglebius || (calcomp(&tscal, &(cert_host->last)) > 0)) { 3212290001Sglebius X509_free(cert); 3213290001Sglebius return (XEVNT_PER); 3214290001Sglebius } 3215132451Sroberto X509_sign(cert, sign_pkey, sign_digest); 3216290001Sglebius if (X509_verify(cert, sign_pkey) <= 0) { 3217290001Sglebius msyslog(LOG_ERR, "cert_sign: %s", 3218132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 3219132451Sroberto X509_free(cert); 3220132451Sroberto return (XEVNT_VFY); 3221132451Sroberto } 3222132451Sroberto len = i2d_X509(cert, NULL); 322382498Sroberto 322482498Sroberto /* 3225132451Sroberto * Build and sign the value structure. We have to sign it here, 3226132451Sroberto * since the response has to be returned right away. This is a 3227132451Sroberto * clogging hazard. 322882498Sroberto */ 3229132451Sroberto memset(vp, 0, sizeof(struct value)); 3230132451Sroberto vp->tstamp = htonl(tstamp); 3231132451Sroberto vp->fstamp = ep->fstamp; 3232132451Sroberto vp->vallen = htonl(len); 3233132451Sroberto vp->ptr = emalloc(len); 3234132451Sroberto ptr = vp->ptr; 3235290001Sglebius i2d_X509(cert, (unsigned char **)(intptr_t)&ptr); 3236132451Sroberto vp->siglen = 0; 3237290001Sglebius if (tstamp != 0) { 3238290001Sglebius vp->sig = emalloc(sign_siglen); 3239310419Sdelphij ctx = EVP_MD_CTX_new(); 3240310419Sdelphij EVP_SignInit(ctx, sign_digest); 3241310419Sdelphij EVP_SignUpdate(ctx, (u_char *)vp, 12); 3242310419Sdelphij EVP_SignUpdate(ctx, vp->ptr, len); 3243310419Sdelphij if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) { 3244290001Sglebius INSIST(len <= sign_siglen); 3245290001Sglebius vp->siglen = htonl(len); 3246290001Sglebius } 3247310419Sdelphij EVP_MD_CTX_free(ctx); 3248290001Sglebius } 324982498Sroberto#ifdef DEBUG 3250132451Sroberto if (debug > 1) 3251132451Sroberto X509_print_fp(stdout, cert); 325282498Sroberto#endif 3253132451Sroberto X509_free(cert); 3254132451Sroberto return (XEVNT_OK); 325582498Sroberto} 325682498Sroberto 325782498Sroberto 325882498Sroberto/* 3259290001Sglebius * cert_install - install certificate in certificate cache 3260132451Sroberto * 3261132451Sroberto * This routine encodes an extension field into a certificate info/value 3262132451Sroberto * structure. It searches the certificate list for duplicates and 3263290001Sglebius * expunges whichever is older. Finally, it inserts this certificate 3264290001Sglebius * first on the list. 3265132451Sroberto * 3266290001Sglebius * Returns certificate info pointer if valid, NULL if not. 3267132451Sroberto */ 3268290001Sglebiusstruct cert_info * 3269132451Srobertocert_install( 3270132451Sroberto struct exten *ep, /* cert info/value */ 3271132451Sroberto struct peer *peer /* peer structure */ 3272132451Sroberto ) 3273132451Sroberto{ 3274290001Sglebius struct cert_info *cp, *xp, **zp; 3275132451Sroberto 327682498Sroberto /* 3277132451Sroberto * Parse and validate the signed certificate. If valid, 3278290001Sglebius * construct the info/value structure; otherwise, scamper home 3279290001Sglebius * empty handed. 328082498Sroberto */ 3281290001Sglebius if ((cp = cert_parse((u_char *)ep->pkt, (long)ntohl(ep->vallen), 3282290001Sglebius (tstamp_t)ntohl(ep->fstamp))) == NULL) 3283290001Sglebius return (NULL); 3284132451Sroberto 3285132451Sroberto /* 3286132451Sroberto * Scan certificate list looking for another certificate with 3287132451Sroberto * the same subject and issuer. If another is found with the 3288132451Sroberto * same or older filestamp, unlink it and return the goodies to 3289182007Sroberto * the heap. If another is found with a later filestamp, discard 3290290001Sglebius * the new one and leave the building with the old one. 3291182007Sroberto * 3292182007Sroberto * Make a note to study this issue again. An earlier certificate 3293182007Sroberto * with a long lifetime might be overtaken by a later 3294182007Sroberto * certificate with a short lifetime, thus invalidating the 3295182007Sroberto * earlier signature. However, we gotta find a way to leak old 3296182007Sroberto * stuff from the cache, so we do it anyway. 3297132451Sroberto */ 3298132451Sroberto zp = &cinfo; 3299132451Sroberto for (xp = cinfo; xp != NULL; xp = xp->link) { 3300132451Sroberto if (strcmp(cp->subject, xp->subject) == 0 && 3301132451Sroberto strcmp(cp->issuer, xp->issuer) == 0) { 3302132451Sroberto if (ntohl(cp->cert.fstamp) <= 3303132451Sroberto ntohl(xp->cert.fstamp)) { 3304290001Sglebius cert_free(cp); 3305290001Sglebius cp = xp; 3306290001Sglebius } else { 3307290001Sglebius *zp = xp->link; 3308132451Sroberto cert_free(xp); 3309290001Sglebius xp = NULL; 3310132451Sroberto } 3311132451Sroberto break; 3312132451Sroberto } 3313132451Sroberto zp = &xp->link; 3314132451Sroberto } 3315290001Sglebius if (xp == NULL) { 3316290001Sglebius cp->link = cinfo; 3317290001Sglebius cinfo = cp; 3318290001Sglebius } 3319290001Sglebius cp->flags |= CERT_VALID; 3320290001Sglebius crypto_update(); 3321290001Sglebius return (cp); 3322290001Sglebius} 3323132451Sroberto 3324290001Sglebius 3325290001Sglebius/* 3326290001Sglebius * cert_hike - verify the signature using the issuer public key 3327290001Sglebius * 3328290001Sglebius * Returns 3329290001Sglebius * XEVNT_OK success 3330290001Sglebius * XEVNT_CRT bad or missing certificate 3331290001Sglebius * XEVNT_PER host certificate expired 3332290001Sglebius * XEVNT_VFY certificate not verified 3333290001Sglebius */ 3334290001Sglebiusint 3335290001Sglebiuscert_hike( 3336290001Sglebius struct peer *peer, /* peer structure pointer */ 3337290001Sglebius struct cert_info *yp /* issuer certificate */ 3338290001Sglebius ) 3339290001Sglebius{ 3340290001Sglebius struct cert_info *xp; /* subject certificate */ 3341290001Sglebius X509 *cert; /* X509 certificate */ 3342290001Sglebius const u_char *ptr; 3343290001Sglebius 3344132451Sroberto /* 3345290001Sglebius * Save the issuer on the new certificate, but remember the old 3346290001Sglebius * one. 3347132451Sroberto */ 3348290001Sglebius if (peer->issuer != NULL) 3349290001Sglebius free(peer->issuer); 3350290001Sglebius peer->issuer = estrdup(yp->issuer); 3351290001Sglebius xp = peer->xinfo; 3352290001Sglebius peer->xinfo = yp; 3353132451Sroberto 3354290001Sglebius /* 3355290001Sglebius * If subject Y matches issuer Y, then the certificate trail is 3356290001Sglebius * complete. If Y is not trusted, the server certificate has yet 3357290001Sglebius * been signed, so keep trying. Otherwise, save the group key 3358290001Sglebius * and light the valid bit. If the host certificate is trusted, 3359290001Sglebius * do not execute a sign exchange. If no identity scheme is in 3360290001Sglebius * use, light the identity and proventic bits. 3361290001Sglebius */ 3362290001Sglebius if (strcmp(yp->subject, yp->issuer) == 0) { 3363290001Sglebius if (!(yp->flags & CERT_TRUST)) 3364290001Sglebius return (XEVNT_OK); 3365132451Sroberto 3366290001Sglebius /* 3367290001Sglebius * If the server has an an identity scheme, fetch the 3368290001Sglebius * identity credentials. If not, the identity is 3369290001Sglebius * verified only by the trusted certificate. The next 3370290001Sglebius * signature will set the server proventic. 3371290001Sglebius */ 3372290001Sglebius peer->crypto |= CRYPTO_FLAG_CERT; 3373290001Sglebius peer->grpkey = yp->grpkey; 3374290001Sglebius if (peer->ident == NULL || !(peer->crypto & 3375290001Sglebius CRYPTO_FLAG_MASK)) 3376290001Sglebius peer->crypto |= CRYPTO_FLAG_VRFY; 3377290001Sglebius } 3378132451Sroberto 3379290001Sglebius /* 3380290001Sglebius * If X exists, verify signature X using public key Y. 3381290001Sglebius */ 3382290001Sglebius if (xp == NULL) 3383290001Sglebius return (XEVNT_OK); 3384182007Sroberto 3385290001Sglebius ptr = (u_char *)xp->cert.ptr; 3386290001Sglebius cert = d2i_X509(NULL, &ptr, ntohl(xp->cert.vallen)); 3387290001Sglebius if (cert == NULL) { 3388290001Sglebius xp->flags |= CERT_ERROR; 3389290001Sglebius return (XEVNT_CRT); 3390290001Sglebius } 3391290001Sglebius if (X509_verify(cert, yp->pkey) <= 0) { 3392290001Sglebius X509_free(cert); 3393290001Sglebius xp->flags |= CERT_ERROR; 3394290001Sglebius return (XEVNT_VFY); 3395290001Sglebius } 3396290001Sglebius X509_free(cert); 3397182007Sroberto 3398290001Sglebius /* 3399290001Sglebius * Signature X is valid only if it begins during the 3400290001Sglebius * lifetime of Y. 3401290001Sglebius */ 3402290001Sglebius if ((calcomp(&(xp->first), &(yp->first)) < 0) 3403290001Sglebius || (calcomp(&(xp->first), &(yp->last)) > 0)) { 3404290001Sglebius xp->flags |= CERT_ERROR; 3405290001Sglebius return (XEVNT_PER); 3406290001Sglebius } 3407290001Sglebius xp->flags |= CERT_SIGN; 3408290001Sglebius return (XEVNT_OK); 3409290001Sglebius} 3410132451Sroberto 3411132451Sroberto 3412290001Sglebius/* 3413290001Sglebius * cert_parse - parse x509 certificate and create info/value structures. 3414290001Sglebius * 3415290001Sglebius * The server certificate includes the version number, issuer name, 3416290001Sglebius * subject name, public key and valid date interval. If the issuer name 3417290001Sglebius * is the same as the subject name, the certificate is self signed and 3418290001Sglebius * valid only if the server is configured as trustable. If the names are 3419290001Sglebius * different, another issuer has signed the server certificate and 3420290001Sglebius * vouched for it. In this case the server certificate is valid if 3421290001Sglebius * verified by the issuer public key. 3422290001Sglebius * 3423290001Sglebius * Returns certificate info/value pointer if valid, NULL if not. 3424290001Sglebius */ 3425290001Sglebiusstruct cert_info * /* certificate information structure */ 3426290001Sglebiuscert_parse( 3427290001Sglebius const u_char *asn1cert, /* X509 certificate */ 3428290001Sglebius long len, /* certificate length */ 3429290001Sglebius tstamp_t fstamp /* filestamp */ 3430290001Sglebius ) 3431290001Sglebius{ 3432290001Sglebius X509 *cert; /* X509 certificate */ 3433290001Sglebius struct cert_info *ret; /* certificate info/value */ 3434290001Sglebius BIO *bp; 3435290001Sglebius char pathbuf[MAXFILENAME]; 3436290001Sglebius const u_char *ptr; 3437290001Sglebius char *pch; 3438310419Sdelphij int cnt, i; 3439290001Sglebius struct calendar fscal; 3440132451Sroberto 3441290001Sglebius /* 3442290001Sglebius * Decode ASN.1 objects and construct certificate structure. 3443290001Sglebius */ 3444290001Sglebius ptr = asn1cert; 3445290001Sglebius if ((cert = d2i_X509(NULL, &ptr, len)) == NULL) { 3446290001Sglebius msyslog(LOG_ERR, "cert_parse: %s", 3447290001Sglebius ERR_error_string(ERR_get_error(), NULL)); 3448290001Sglebius return (NULL); 3449290001Sglebius } 3450290001Sglebius#ifdef DEBUG 3451290001Sglebius if (debug > 1) 3452290001Sglebius X509_print_fp(stdout, cert); 3453290001Sglebius#endif 3454132451Sroberto 3455290001Sglebius /* 3456290001Sglebius * Extract version, subject name and public key. 3457290001Sglebius */ 3458290001Sglebius ret = emalloc_zero(sizeof(*ret)); 3459290001Sglebius if ((ret->pkey = X509_get_pubkey(cert)) == NULL) { 3460290001Sglebius msyslog(LOG_ERR, "cert_parse: %s", 3461290001Sglebius ERR_error_string(ERR_get_error(), NULL)); 3462290001Sglebius cert_free(ret); 3463290001Sglebius X509_free(cert); 3464290001Sglebius return (NULL); 3465290001Sglebius } 3466290001Sglebius ret->version = X509_get_version(cert); 3467290001Sglebius X509_NAME_oneline(X509_get_subject_name(cert), pathbuf, 3468290001Sglebius sizeof(pathbuf)); 3469290001Sglebius pch = strstr(pathbuf, "CN="); 3470290001Sglebius if (NULL == pch) { 3471290001Sglebius msyslog(LOG_NOTICE, "cert_parse: invalid subject %s", 3472290001Sglebius pathbuf); 3473290001Sglebius cert_free(ret); 3474290001Sglebius X509_free(cert); 3475290001Sglebius return (NULL); 3476290001Sglebius } 3477290001Sglebius ret->subject = estrdup(pch + 3); 3478132451Sroberto 3479290001Sglebius /* 3480290001Sglebius * Extract remaining objects. Note that the NTP serial number is 3481290001Sglebius * the NTP seconds at the time of signing, but this might not be 3482290001Sglebius * the case for other authority. We don't bother to check the 3483290001Sglebius * objects at this time, since the real crunch can happen only 3484290001Sglebius * when the time is valid but not yet certificated. 3485290001Sglebius */ 3486310419Sdelphij ret->nid = X509_get_signature_nid(cert); 3487290001Sglebius ret->digest = (const EVP_MD *)EVP_get_digestbynid(ret->nid); 3488290001Sglebius ret->serial = 3489290001Sglebius (u_long)ASN1_INTEGER_get(X509_get_serialNumber(cert)); 3490290001Sglebius X509_NAME_oneline(X509_get_issuer_name(cert), pathbuf, 3491290001Sglebius sizeof(pathbuf)); 3492290001Sglebius if ((pch = strstr(pathbuf, "CN=")) == NULL) { 3493290001Sglebius msyslog(LOG_NOTICE, "cert_parse: invalid issuer %s", 3494290001Sglebius pathbuf); 3495290001Sglebius cert_free(ret); 3496290001Sglebius X509_free(cert); 3497290001Sglebius return (NULL); 3498290001Sglebius } 3499290001Sglebius ret->issuer = estrdup(pch + 3); 3500290001Sglebius asn_to_calendar(X509_get_notBefore(cert), &(ret->first)); 3501290001Sglebius asn_to_calendar(X509_get_notAfter(cert), &(ret->last)); 3502290001Sglebius 3503290001Sglebius /* 3504290001Sglebius * Extract extension fields. These are ad hoc ripoffs of 3505290001Sglebius * currently assigned functions and will certainly be changed 3506290001Sglebius * before prime time. 3507290001Sglebius */ 3508290001Sglebius cnt = X509_get_ext_count(cert); 3509290001Sglebius for (i = 0; i < cnt; i++) { 3510310419Sdelphij X509_EXTENSION *ext; 3511310419Sdelphij ASN1_OBJECT *obj; 3512310419Sdelphij int nid; 3513310419Sdelphij ASN1_OCTET_STRING *data; 3514310419Sdelphij 3515290001Sglebius ext = X509_get_ext(cert, i); 3516310419Sdelphij obj = X509_EXTENSION_get_object(ext); 3517310419Sdelphij nid = OBJ_obj2nid(obj); 3518290001Sglebius 3519310419Sdelphij switch (nid) { 3520310419Sdelphij 3521290001Sglebius /* 3522290001Sglebius * If a key_usage field is present, we decode whether 3523290001Sglebius * this is a trusted or private certificate. This is 3524290001Sglebius * dorky; all we want is to compare NIDs, but OpenSSL 3525290001Sglebius * insists on BIO text strings. 3526290001Sglebius */ 3527290001Sglebius case NID_ext_key_usage: 3528290001Sglebius bp = BIO_new(BIO_s_mem()); 3529290001Sglebius X509V3_EXT_print(bp, ext, 0, 0); 3530290001Sglebius BIO_gets(bp, pathbuf, sizeof(pathbuf)); 3531290001Sglebius BIO_free(bp); 3532290001Sglebius if (strcmp(pathbuf, "Trust Root") == 0) 3533290001Sglebius ret->flags |= CERT_TRUST; 3534290001Sglebius else if (strcmp(pathbuf, "Private") == 0) 3535290001Sglebius ret->flags |= CERT_PRIV; 3536290001Sglebius DPRINTF(1, ("cert_parse: %s: %s\n", 3537310419Sdelphij OBJ_nid2ln(nid), pathbuf)); 3538290001Sglebius break; 3539290001Sglebius 3540290001Sglebius /* 3541290001Sglebius * If a NID_subject_key_identifier field is present, it 3542290001Sglebius * contains the GQ public key. 3543290001Sglebius */ 3544290001Sglebius case NID_subject_key_identifier: 3545310419Sdelphij data = X509_EXTENSION_get_data(ext); 3546310419Sdelphij ret->grpkey = BN_bin2bn(&data->data[2], 3547310419Sdelphij data->length - 2, NULL); 3548290001Sglebius /* fall through */ 3549290001Sglebius default: 3550290001Sglebius DPRINTF(1, ("cert_parse: %s\n", 3551310419Sdelphij OBJ_nid2ln(nid))); 3552290001Sglebius break; 3553132451Sroberto } 3554132451Sroberto } 3555290001Sglebius if (strcmp(ret->subject, ret->issuer) == 0) { 3556132451Sroberto 3557290001Sglebius /* 3558290001Sglebius * If certificate is self signed, verify signature. 3559290001Sglebius */ 3560290001Sglebius if (X509_verify(cert, ret->pkey) <= 0) { 3561290001Sglebius msyslog(LOG_NOTICE, 3562290001Sglebius "cert_parse: signature not verified %s", 3563290001Sglebius ret->subject); 3564290001Sglebius cert_free(ret); 3565290001Sglebius X509_free(cert); 3566290001Sglebius return (NULL); 3567290001Sglebius } 3568290001Sglebius } else { 3569290001Sglebius 3570290001Sglebius /* 3571290001Sglebius * Check for a certificate loop. 3572290001Sglebius */ 3573290001Sglebius if (strcmp((const char *)hostval.ptr, ret->issuer) == 0) { 3574290001Sglebius msyslog(LOG_NOTICE, 3575290001Sglebius "cert_parse: certificate trail loop %s", 3576290001Sglebius ret->subject); 3577290001Sglebius cert_free(ret); 3578290001Sglebius X509_free(cert); 3579290001Sglebius return (NULL); 3580290001Sglebius } 3581290001Sglebius } 3582290001Sglebius 3583132451Sroberto /* 3584290001Sglebius * Verify certificate valid times. Note that certificates cannot 3585290001Sglebius * be retroactive. 3586132451Sroberto */ 3587290001Sglebius (void)ntpcal_ntp_to_date(&fscal, fstamp, NULL); 3588290001Sglebius if ((calcomp(&(ret->first), &(ret->last)) > 0) 3589290001Sglebius || (calcomp(&(ret->first), &fscal) < 0)) { 3590290001Sglebius msyslog(LOG_NOTICE, 3591290001Sglebius "cert_parse: invalid times %s first %u-%02u-%02uT%02u:%02u:%02u last %u-%02u-%02uT%02u:%02u:%02u fstamp %u-%02u-%02uT%02u:%02u:%02u", 3592290001Sglebius ret->subject, 3593290001Sglebius ret->first.year, ret->first.month, ret->first.monthday, 3594290001Sglebius ret->first.hour, ret->first.minute, ret->first.second, 3595290001Sglebius ret->last.year, ret->last.month, ret->last.monthday, 3596290001Sglebius ret->last.hour, ret->last.minute, ret->last.second, 3597290001Sglebius fscal.year, fscal.month, fscal.monthday, 3598290001Sglebius fscal.hour, fscal.minute, fscal.second); 3599290001Sglebius cert_free(ret); 3600290001Sglebius X509_free(cert); 3601290001Sglebius return (NULL); 3602290001Sglebius } 3603290001Sglebius 3604290001Sglebius /* 3605290001Sglebius * Build the value structure to sign and send later. 3606290001Sglebius */ 3607290001Sglebius ret->cert.fstamp = htonl(fstamp); 3608290001Sglebius ret->cert.vallen = htonl(len); 3609290001Sglebius ret->cert.ptr = emalloc(len); 3610290001Sglebius memcpy(ret->cert.ptr, asn1cert, len); 3611290001Sglebius X509_free(cert); 3612290001Sglebius return (ret); 3613132451Sroberto} 3614132451Sroberto 3615132451Sroberto 3616132451Sroberto/* 3617132451Sroberto * cert_free - free certificate information structure 3618132451Sroberto */ 3619132451Srobertovoid 3620132451Srobertocert_free( 3621132451Sroberto struct cert_info *cinf /* certificate info/value structure */ 3622132451Sroberto ) 3623132451Sroberto{ 3624132451Sroberto if (cinf->pkey != NULL) 3625132451Sroberto EVP_PKEY_free(cinf->pkey); 3626132451Sroberto if (cinf->subject != NULL) 3627132451Sroberto free(cinf->subject); 3628132451Sroberto if (cinf->issuer != NULL) 3629132451Sroberto free(cinf->issuer); 3630132451Sroberto if (cinf->grpkey != NULL) 3631290001Sglebius BN_free(cinf->grpkey); 3632132451Sroberto value_free(&cinf->cert); 3633132451Sroberto free(cinf); 3634132451Sroberto} 3635132451Sroberto 3636132451Sroberto 3637132451Sroberto/* 3638290001Sglebius * crypto_key - load cryptographic parameters and keys 3639132451Sroberto * 3640290001Sglebius * This routine searches the key cache for matching name in the form 3641290001Sglebius * ntpkey_<key>_<name>, where <key> is one of host, sign, iff, gq, mv, 3642290001Sglebius * and <name> is the host/group name. If not found, it tries to load a 3643290001Sglebius * PEM-encoded file of the same name and extracts the filestamp from 3644290001Sglebius * the first line of the file name. It returns the key pointer if valid, 3645290001Sglebius * NULL if not. 3646132451Sroberto */ 3647290001Sglebiusstatic struct pkey_info * 3648132451Srobertocrypto_key( 3649132451Sroberto char *cp, /* file name */ 3650290001Sglebius char *passwd1, /* password */ 3651290001Sglebius sockaddr_u *addr /* IP address */ 3652132451Sroberto ) 3653132451Sroberto{ 3654132451Sroberto FILE *str; /* file handle */ 3655290001Sglebius struct pkey_info *pkp; /* generic key */ 3656132451Sroberto EVP_PKEY *pkey = NULL; /* public/private key */ 3657290001Sglebius tstamp_t fstamp; 3658132451Sroberto char filename[MAXFILENAME]; /* name of key file */ 3659132451Sroberto char linkname[MAXFILENAME]; /* filestamp buffer) */ 3660132451Sroberto char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ 3661132451Sroberto char *ptr; 3662132451Sroberto 3663132451Sroberto /* 3664290001Sglebius * Search the key cache for matching key and name. 3665290001Sglebius */ 3666290001Sglebius for (pkp = pkinfo; pkp != NULL; pkp = pkp->link) { 3667290001Sglebius if (strcmp(cp, pkp->name) == 0) 3668290001Sglebius return (pkp); 3669290001Sglebius } 3670290001Sglebius 3671290001Sglebius /* 3672132451Sroberto * Open the key file. If the first character of the file name is 3673132451Sroberto * not '/', prepend the keys directory string. If something goes 3674132451Sroberto * wrong, abandon ship. 3675132451Sroberto */ 367682498Sroberto if (*cp == '/') 3677290001Sglebius strlcpy(filename, cp, sizeof(filename)); 367882498Sroberto else 3679290001Sglebius snprintf(filename, sizeof(filename), "%s/%s", keysdir, 3680290001Sglebius cp); 368182498Sroberto str = fopen(filename, "r"); 3682132451Sroberto if (str == NULL) 3683132451Sroberto return (NULL); 3684132451Sroberto 3685132451Sroberto /* 3686132451Sroberto * Read the filestamp, which is contained in the first line. 3687132451Sroberto */ 3688290001Sglebius if ((ptr = fgets(linkname, sizeof(linkname), str)) == NULL) { 3689290001Sglebius msyslog(LOG_ERR, "crypto_key: empty file %s", 3690132451Sroberto filename); 3691290001Sglebius fclose(str); 3692132451Sroberto return (NULL); 369382498Sroberto } 3694132451Sroberto if ((ptr = strrchr(ptr, '.')) == NULL) { 3695290001Sglebius msyslog(LOG_ERR, "crypto_key: no filestamp %s", 3696132451Sroberto filename); 3697290001Sglebius fclose(str); 3698132451Sroberto return (NULL); 3699132451Sroberto } 3700290001Sglebius if (sscanf(++ptr, "%u", &fstamp) != 1) { 3701290001Sglebius msyslog(LOG_ERR, "crypto_key: invalid filestamp %s", 3702132451Sroberto filename); 3703290001Sglebius fclose(str); 3704132451Sroberto return (NULL); 3705132451Sroberto } 370682498Sroberto 370782498Sroberto /* 3708290001Sglebius * Read and decrypt PEM-encoded private key. If it fails to 3709290001Sglebius * decrypt, game over. 371082498Sroberto */ 3711290001Sglebius pkey = PEM_read_PrivateKey(str, NULL, NULL, passwd1); 3712132451Sroberto fclose(str); 3713132451Sroberto if (pkey == NULL) { 3714290001Sglebius msyslog(LOG_ERR, "crypto_key: %s", 3715132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 3716290001Sglebius exit (-1); 371782498Sroberto } 371882498Sroberto 371982498Sroberto /* 3720290001Sglebius * Make a new entry in the key cache. 3721290001Sglebius */ 3722290001Sglebius pkp = emalloc(sizeof(struct pkey_info)); 3723290001Sglebius pkp->link = pkinfo; 3724290001Sglebius pkinfo = pkp; 3725290001Sglebius pkp->pkey = pkey; 3726290001Sglebius pkp->name = estrdup(cp); 3727290001Sglebius pkp->fstamp = fstamp; 3728290001Sglebius 3729290001Sglebius /* 3730132451Sroberto * Leave tracks in the cryptostats. 373182498Sroberto */ 3732132451Sroberto if ((ptr = strrchr(linkname, '\n')) != NULL) 3733132451Sroberto *ptr = '\0'; 3734290001Sglebius snprintf(statstr, sizeof(statstr), "%s mod %d", &linkname[2], 3735132451Sroberto EVP_PKEY_size(pkey) * 8); 3736290001Sglebius record_crypto_stats(addr, statstr); 3737290001Sglebius 3738290001Sglebius DPRINTF(1, ("crypto_key: %s\n", statstr)); 3739132451Sroberto#ifdef DEBUG 3740132451Sroberto if (debug > 1) { 3741310419Sdelphij if (EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA) 3742310419Sdelphij DSA_print_fp(stdout, EVP_PKEY_get0_DSA(pkey), 0); 3743310419Sdelphij else if (EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) 3744310419Sdelphij RSA_print_fp(stdout, EVP_PKEY_get0_RSA(pkey), 0); 374582498Sroberto } 3746132451Sroberto#endif 3747290001Sglebius return (pkp); 3748132451Sroberto} 374982498Sroberto 3750132451Sroberto 3751132451Sroberto/* 3752290001Sglebius *********************************************************************** 3753290001Sglebius * * 3754290001Sglebius * The following routines are used only at initialization time * 3755290001Sglebius * * 3756290001Sglebius *********************************************************************** 3757290001Sglebius */ 3758290001Sglebius/* 3759132451Sroberto * crypto_cert - load certificate from file 3760132451Sroberto * 3761290001Sglebius * This routine loads an X.509 RSA or DSA certificate from a file and 3762132451Sroberto * constructs a info/cert value structure for this machine. The 3763132451Sroberto * structure includes a filestamp extracted from the file name. Later 3764290001Sglebius * the certificate can be sent to another machine on request. 3765132451Sroberto * 3766132451Sroberto * Returns certificate info/value pointer if valid, NULL if not. 3767132451Sroberto */ 3768132451Srobertostatic struct cert_info * /* certificate information */ 3769132451Srobertocrypto_cert( 3770132451Sroberto char *cp /* file name */ 3771132451Sroberto ) 3772132451Sroberto{ 3773132451Sroberto struct cert_info *ret; /* certificate information */ 3774132451Sroberto FILE *str; /* file handle */ 3775132451Sroberto char filename[MAXFILENAME]; /* name of certificate file */ 3776132451Sroberto char linkname[MAXFILENAME]; /* filestamp buffer */ 3777132451Sroberto char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ 3778132451Sroberto tstamp_t fstamp; /* filestamp */ 3779132451Sroberto long len; 3780132451Sroberto char *ptr; 3781132451Sroberto char *name, *header; 3782132451Sroberto u_char *data; 3783132451Sroberto 378482498Sroberto /* 3785132451Sroberto * Open the certificate file. If the first character of the file 3786132451Sroberto * name is not '/', prepend the keys directory string. If 3787132451Sroberto * something goes wrong, abandon ship. 378882498Sroberto */ 3789132451Sroberto if (*cp == '/') 3790290001Sglebius strlcpy(filename, cp, sizeof(filename)); 3791132451Sroberto else 3792290001Sglebius snprintf(filename, sizeof(filename), "%s/%s", keysdir, 3793290001Sglebius cp); 3794132451Sroberto str = fopen(filename, "r"); 3795132451Sroberto if (str == NULL) 3796132451Sroberto return (NULL); 379782498Sroberto 3798132451Sroberto /* 3799132451Sroberto * Read the filestamp, which is contained in the first line. 3800132451Sroberto */ 3801290001Sglebius if ((ptr = fgets(linkname, sizeof(linkname), str)) == NULL) { 3802290001Sglebius msyslog(LOG_ERR, "crypto_cert: empty file %s", 3803132451Sroberto filename); 3804290001Sglebius fclose(str); 3805132451Sroberto return (NULL); 3806132451Sroberto } 3807132451Sroberto if ((ptr = strrchr(ptr, '.')) == NULL) { 3808290001Sglebius msyslog(LOG_ERR, "crypto_cert: no filestamp %s", 3809132451Sroberto filename); 3810290001Sglebius fclose(str); 3811132451Sroberto return (NULL); 3812132451Sroberto } 3813132451Sroberto if (sscanf(++ptr, "%u", &fstamp) != 1) { 3814290001Sglebius msyslog(LOG_ERR, "crypto_cert: invalid filestamp %s", 3815132451Sroberto filename); 3816290001Sglebius fclose(str); 3817132451Sroberto return (NULL); 3818132451Sroberto } 381982498Sroberto 382082498Sroberto /* 3821132451Sroberto * Read PEM-encoded certificate and install. 382282498Sroberto */ 3823132451Sroberto if (!PEM_read(str, &name, &header, &data, &len)) { 3824290001Sglebius msyslog(LOG_ERR, "crypto_cert: %s", 3825132451Sroberto ERR_error_string(ERR_get_error(), NULL)); 3826290001Sglebius fclose(str); 3827132451Sroberto return (NULL); 3828132451Sroberto } 3829290001Sglebius fclose(str); 3830132451Sroberto free(header); 3831290001Sglebius if (strcmp(name, "CERTIFICATE") != 0) { 3832290001Sglebius msyslog(LOG_NOTICE, "crypto_cert: wrong PEM type %s", 3833132451Sroberto name); 3834132451Sroberto free(name); 3835132451Sroberto free(data); 3836132451Sroberto return (NULL); 3837132451Sroberto } 3838132451Sroberto free(name); 383982498Sroberto 384082498Sroberto /* 3841290001Sglebius * Parse certificate and generate info/value structure. The 3842290001Sglebius * pointer and copy nonsense is due something broken in Solaris. 384382498Sroberto */ 3844132451Sroberto ret = cert_parse(data, len, fstamp); 3845132451Sroberto free(data); 3846132451Sroberto if (ret == NULL) 3847132451Sroberto return (NULL); 3848182007Sroberto 3849132451Sroberto if ((ptr = strrchr(linkname, '\n')) != NULL) 3850132451Sroberto *ptr = '\0'; 3851290001Sglebius snprintf(statstr, sizeof(statstr), "%s 0x%x len %lu", 3852290001Sglebius &linkname[2], ret->flags, len); 3853132451Sroberto record_crypto_stats(NULL, statstr); 3854290001Sglebius DPRINTF(1, ("crypto_cert: %s\n", statstr)); 3855132451Sroberto return (ret); 385682498Sroberto} 385782498Sroberto 385882498Sroberto 385982498Sroberto/* 3860290001Sglebius * crypto_setup - load keys, certificate and identity parameters 3861132451Sroberto * 3862290001Sglebius * This routine loads the public/private host key and certificate. If 3863290001Sglebius * available, it loads the public/private sign key, which defaults to 3864290001Sglebius * the host key. The host key must be RSA, but the sign key can be 3865290001Sglebius * either RSA or DSA. If a trusted certificate, it loads the identity 3866290001Sglebius * parameters. In either case, the public key on the certificate must 3867290001Sglebius * agree with the sign key. 3868290001Sglebius * 3869290001Sglebius * Required but missing files and inconsistent data and errors are 3870290001Sglebius * fatal. Allowing configuration to continue would be hazardous and 3871290001Sglebius * require really messy error checks. 387282498Sroberto */ 3873290001Sglebiusvoid 3874290001Sglebiuscrypto_setup(void) 387582498Sroberto{ 3876290001Sglebius struct pkey_info *pinfo; /* private/public key */ 3877290001Sglebius char filename[MAXFILENAME]; /* file name buffer */ 3878290001Sglebius char hostname[MAXFILENAME]; /* host name buffer */ 3879290001Sglebius char *randfile; 3880132451Sroberto char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ 3881290001Sglebius l_fp seed; /* crypto PRNG seed as NTP timestamp */ 3882132451Sroberto u_int len; 3883290001Sglebius int bytes; 3884290001Sglebius u_char *ptr; 388582498Sroberto 388682498Sroberto /* 3887290001Sglebius * Check for correct OpenSSL version and avoid initialization in 3888290001Sglebius * the case of multiple crypto commands. 388982498Sroberto */ 3890290001Sglebius if (crypto_flags & CRYPTO_FLAG_ENAB) { 3891290001Sglebius msyslog(LOG_NOTICE, 3892290001Sglebius "crypto_setup: spurious crypto command"); 389382498Sroberto return; 389482498Sroberto } 3895290001Sglebius ssl_check_version(); 389682498Sroberto 389782498Sroberto /* 3898290001Sglebius * Load required random seed file and seed the random number 3899290001Sglebius * generator. Be default, it is found as .rnd in the user home 3900290001Sglebius * directory. The root home directory may be / or /root, 3901290001Sglebius * depending on the system. Wiggle the contents a bit and write 3902290001Sglebius * it back so the sequence does not repeat when we next restart. 390382498Sroberto */ 3904290001Sglebius if (!RAND_status()) { 3905290001Sglebius if (rand_file == NULL) { 3906290001Sglebius RAND_file_name(filename, sizeof(filename)); 3907290001Sglebius randfile = filename; 3908290001Sglebius } else if (*rand_file != '/') { 3909290001Sglebius snprintf(filename, sizeof(filename), "%s/%s", 3910290001Sglebius keysdir, rand_file); 3911290001Sglebius randfile = filename; 3912290001Sglebius } else 3913290001Sglebius randfile = rand_file; 3914182007Sroberto 3915290001Sglebius if ((bytes = RAND_load_file(randfile, -1)) == 0) { 3916290001Sglebius msyslog(LOG_ERR, 3917290001Sglebius "crypto_setup: random seed file %s missing", 3918290001Sglebius randfile); 3919290001Sglebius exit (-1); 3920290001Sglebius } 3921290001Sglebius arc4random_buf(&seed, sizeof(l_fp)); 3922290001Sglebius RAND_seed(&seed, sizeof(l_fp)); 3923290001Sglebius RAND_write_file(randfile); 3924290001Sglebius DPRINTF(1, ("crypto_setup: OpenSSL version %lx random seed file %s bytes read %d\n", 3925290001Sglebius SSLeay(), randfile, bytes)); 392682498Sroberto } 392782498Sroberto 392882498Sroberto /* 3929132451Sroberto * Initialize structures. 393082498Sroberto */ 3931290001Sglebius gethostname(hostname, sizeof(hostname)); 3932290001Sglebius if (host_filename != NULL) 3933290001Sglebius strlcpy(hostname, host_filename, sizeof(hostname)); 3934132451Sroberto if (passwd == NULL) 3935290001Sglebius passwd = estrdup(hostname); 3936132451Sroberto memset(&hostval, 0, sizeof(hostval)); 3937132451Sroberto memset(&pubkey, 0, sizeof(pubkey)); 3938132451Sroberto memset(&tai_leap, 0, sizeof(tai_leap)); 3939132451Sroberto 3940132451Sroberto /* 3941290001Sglebius * Load required host key from file "ntpkey_host_<hostname>". If 3942290001Sglebius * no host key file is not found or has invalid password, life 3943290001Sglebius * as we know it ends. The host key also becomes the default 3944290001Sglebius * sign key. 3945132451Sroberto */ 3946290001Sglebius snprintf(filename, sizeof(filename), "ntpkey_host_%s", hostname); 3947290001Sglebius pinfo = crypto_key(filename, passwd, NULL); 3948290001Sglebius if (pinfo == NULL) { 3949132451Sroberto msyslog(LOG_ERR, 3950132451Sroberto "crypto_setup: host key file %s not found or corrupt", 3951290001Sglebius filename); 3952132451Sroberto exit (-1); 3953132451Sroberto } 3954310419Sdelphij if (EVP_PKEY_base_id(pinfo->pkey) != EVP_PKEY_RSA) { 3955132451Sroberto msyslog(LOG_ERR, 3956132451Sroberto "crypto_setup: host key is not RSA key type"); 3957132451Sroberto exit (-1); 3958132451Sroberto } 3959290001Sglebius host_pkey = pinfo->pkey; 3960290001Sglebius sign_pkey = host_pkey; 3961290001Sglebius hostval.fstamp = htonl(pinfo->fstamp); 3962132451Sroberto 3963132451Sroberto /* 3964132451Sroberto * Construct public key extension field for agreement scheme. 3965132451Sroberto */ 3966132451Sroberto len = i2d_PublicKey(host_pkey, NULL); 3967132451Sroberto ptr = emalloc(len); 3968132451Sroberto pubkey.ptr = ptr; 3969132451Sroberto i2d_PublicKey(host_pkey, &ptr); 3970290001Sglebius pubkey.fstamp = hostval.fstamp; 3971132451Sroberto pubkey.vallen = htonl(len); 3972132451Sroberto 3973132451Sroberto /* 3974132451Sroberto * Load optional sign key from file "ntpkey_sign_<hostname>". If 3975290001Sglebius * available, it becomes the sign key. 3976132451Sroberto */ 3977290001Sglebius snprintf(filename, sizeof(filename), "ntpkey_sign_%s", hostname); 3978290001Sglebius pinfo = crypto_key(filename, passwd, NULL); 3979290001Sglebius if (pinfo != NULL) 3980290001Sglebius sign_pkey = pinfo->pkey; 3981132451Sroberto 3982132451Sroberto /* 3983290001Sglebius * Load required certificate from file "ntpkey_cert_<hostname>". 3984132451Sroberto */ 3985290001Sglebius snprintf(filename, sizeof(filename), "ntpkey_cert_%s", hostname); 3986290001Sglebius cinfo = crypto_cert(filename); 3987290001Sglebius if (cinfo == NULL) { 3988290001Sglebius msyslog(LOG_ERR, 3989290001Sglebius "crypto_setup: certificate file %s not found or corrupt", 3990290001Sglebius filename); 3991290001Sglebius exit (-1); 3992132451Sroberto } 3993290001Sglebius cert_host = cinfo; 3994290001Sglebius sign_digest = cinfo->digest; 3995290001Sglebius sign_siglen = EVP_PKEY_size(sign_pkey); 3996290001Sglebius if (cinfo->flags & CERT_PRIV) 3997290001Sglebius crypto_flags |= CRYPTO_FLAG_PRIV; 3998132451Sroberto 3999132451Sroberto /* 4000290001Sglebius * The certificate must be self-signed. 4001132451Sroberto */ 4002290001Sglebius if (strcmp(cinfo->subject, cinfo->issuer) != 0) { 4003290001Sglebius msyslog(LOG_ERR, 4004290001Sglebius "crypto_setup: certificate %s is not self-signed", 4005290001Sglebius filename); 4006290001Sglebius exit (-1); 4007132451Sroberto } 4008290001Sglebius hostval.ptr = estrdup(cinfo->subject); 4009290001Sglebius hostval.vallen = htonl(strlen(cinfo->subject)); 4010290001Sglebius sys_hostname = hostval.ptr; 4011290001Sglebius ptr = (u_char *)strchr(sys_hostname, '@'); 4012290001Sglebius if (ptr != NULL) 4013290001Sglebius sys_groupname = estrdup((char *)++ptr); 4014290001Sglebius if (ident_filename != NULL) 4015290001Sglebius strlcpy(hostname, ident_filename, sizeof(hostname)); 4016132451Sroberto 4017132451Sroberto /* 4018290001Sglebius * Load optional IFF parameters from file 4019290001Sglebius * "ntpkey_iffkey_<hostname>". 4020132451Sroberto */ 4021290001Sglebius snprintf(filename, sizeof(filename), "ntpkey_iffkey_%s", 4022290001Sglebius hostname); 4023290001Sglebius iffkey_info = crypto_key(filename, passwd, NULL); 4024290001Sglebius if (iffkey_info != NULL) 4025290001Sglebius crypto_flags |= CRYPTO_FLAG_IFF; 4026132451Sroberto 4027132451Sroberto /* 4028290001Sglebius * Load optional GQ parameters from file 4029290001Sglebius * "ntpkey_gqkey_<hostname>". 4030132451Sroberto */ 4031290001Sglebius snprintf(filename, sizeof(filename), "ntpkey_gqkey_%s", 4032290001Sglebius hostname); 4033290001Sglebius gqkey_info = crypto_key(filename, passwd, NULL); 4034290001Sglebius if (gqkey_info != NULL) 4035290001Sglebius crypto_flags |= CRYPTO_FLAG_GQ; 4036132451Sroberto 4037132451Sroberto /* 4038290001Sglebius * Load optional MV parameters from file 4039290001Sglebius * "ntpkey_mvkey_<hostname>". 4040132451Sroberto */ 4041290001Sglebius snprintf(filename, sizeof(filename), "ntpkey_mvkey_%s", 4042290001Sglebius hostname); 4043290001Sglebius mvkey_info = crypto_key(filename, passwd, NULL); 4044290001Sglebius if (mvkey_info != NULL) 4045290001Sglebius crypto_flags |= CRYPTO_FLAG_MV; 4046132451Sroberto 4047132451Sroberto /* 4048290001Sglebius * We met the enemy and he is us. Now strike up the dance. 4049132451Sroberto */ 4050290001Sglebius crypto_flags |= CRYPTO_FLAG_ENAB | (cinfo->nid << 16); 4051290001Sglebius snprintf(statstr, sizeof(statstr), "setup 0x%x host %s %s", 4052290001Sglebius crypto_flags, hostname, OBJ_nid2ln(cinfo->nid)); 4053290001Sglebius record_crypto_stats(NULL, statstr); 4054290001Sglebius DPRINTF(1, ("crypto_setup: %s\n", statstr)); 405582498Sroberto} 405682498Sroberto 405782498Sroberto 405882498Sroberto/* 4059290001Sglebius * crypto_config - configure data from the crypto command. 406082498Sroberto */ 406182498Srobertovoid 406282498Srobertocrypto_config( 4063132451Sroberto int item, /* configuration item */ 4064290001Sglebius char *cp /* item name */ 406582498Sroberto ) 406682498Sroberto{ 4067290001Sglebius int nid; 406882498Sroberto 4069290001Sglebius DPRINTF(1, ("crypto_config: item %d %s\n", item, cp)); 407082498Sroberto 4071290001Sglebius switch (item) { 4072132451Sroberto 4073132451Sroberto /* 4074290001Sglebius * Set host name (host). 4075132451Sroberto */ 407682498Sroberto case CRYPTO_CONF_PRIV: 4077290001Sglebius if (NULL != host_filename) 4078290001Sglebius free(host_filename); 4079290001Sglebius host_filename = estrdup(cp); 408082498Sroberto break; 408182498Sroberto 408282498Sroberto /* 4083290001Sglebius * Set group name (ident). 408482498Sroberto */ 4085290001Sglebius case CRYPTO_CONF_IDENT: 4086290001Sglebius if (NULL != ident_filename) 4087290001Sglebius free(ident_filename); 4088290001Sglebius ident_filename = estrdup(cp); 408982498Sroberto break; 409082498Sroberto 409182498Sroberto /* 4092290001Sglebius * Set private key password (pw). 409382498Sroberto */ 4094290001Sglebius case CRYPTO_CONF_PW: 4095290001Sglebius if (NULL != passwd) 4096290001Sglebius free(passwd); 4097290001Sglebius passwd = estrdup(cp); 409882498Sroberto break; 409982498Sroberto 410082498Sroberto /* 4101290001Sglebius * Set random seed file name (randfile). 410282498Sroberto */ 4103290001Sglebius case CRYPTO_CONF_RAND: 4104290001Sglebius if (NULL != rand_file) 4105290001Sglebius free(rand_file); 4106290001Sglebius rand_file = estrdup(cp); 410782498Sroberto break; 410882498Sroberto 410982498Sroberto /* 4110290001Sglebius * Set message digest NID. 411182498Sroberto */ 4112290001Sglebius case CRYPTO_CONF_NID: 4113290001Sglebius nid = OBJ_sn2nid(cp); 4114290001Sglebius if (nid == 0) 4115290001Sglebius msyslog(LOG_ERR, 4116290001Sglebius "crypto_config: invalid digest name %s", cp); 4117290001Sglebius else 4118290001Sglebius crypto_nid = nid; 411982498Sroberto break; 4120290001Sglebius } 4121290001Sglebius} 412282498Sroberto 4123290001Sglebius/* 4124290001Sglebius * Get the payload size (internal value length) of an extension packet. 4125290001Sglebius * If the inner value size does not match the outer packet size (that 4126290001Sglebius * is, the value would end behind the frame given by the opcode/size 4127290001Sglebius * field) the function will effectively return UINT_MAX. If the frame is 4128290001Sglebius * too short to hold a variable-sized value, the return value is zero. 4129290001Sglebius */ 4130290001Sglebiusstatic u_int 4131290001Sglebiusexten_payload_size( 4132290001Sglebius const struct exten * ep) 4133290001Sglebius{ 4134290001Sglebius typedef const u_char *BPTR; 4135290001Sglebius 4136290001Sglebius size_t extn_size; 4137290001Sglebius size_t data_size; 4138290001Sglebius size_t head_size; 4139182007Sroberto 4140290001Sglebius data_size = 0; 4141290001Sglebius if (NULL != ep) { 4142290001Sglebius head_size = (BPTR)(&ep->vallen + 1) - (BPTR)ep; 4143290001Sglebius extn_size = (uint16_t)(ntohl(ep->opcode) & 0x0000ffff); 4144290001Sglebius if (extn_size >= head_size) { 4145290001Sglebius data_size = (uint32_t)ntohl(ep->vallen); 4146290001Sglebius if (data_size > extn_size - head_size) 4147290001Sglebius data_size = ~(size_t)0u; 4148290001Sglebius } 414982498Sroberto } 4150290001Sglebius return (u_int)data_size; 415182498Sroberto} 4152290001Sglebius# else /* !AUTOKEY follows */ 415382498Srobertoint ntp_crypto_bs_pubkey; 4154290001Sglebius# endif /* !AUTOKEY */ 4155