Lines Matching +full:mu +full:- +full:side +full:- +full:b
2 * ntp_crypto.c - NTP version 4 public key routines
42 * calcomp - compare two calendar structures, ignoring yearday and weekday; like strcmp
49 diff = pjd1->year - pjd2->year;
50 if (diff < 0) return -1; else if (diff > 0) return 1;
52 diff = pjd1->month - pjd2->month;
53 if (diff < 0) return -1; else if (diff > 0) return 1;
55 diff = pjd1->monthday - pjd2->monthday;
56 if (diff < 0) return -1; else if (diff > 0) return 1;
58 diff = pjd1->hour - pjd2->hour;
59 if (diff < 0) return -1; else if (diff > 0) return 1;
60 diff = pjd1->minute - pjd2->minute;
61 if (diff < 0) return -1; else if (diff > 0) return 1;
62 diff = pjd1->second - pjd2->second;
63 if (diff < 0) return -1; else if (diff > 0) return 1;
75 * +-------+-------+
76 * | op | len | <- extension pointer
77 * +-------+-------+
79 * +---------------+
80 * | timestamp | <- value pointer
81 * +---------------+
83 * +---------------+
85 * +---------------+
89 * +---------------+
91 * +---------------+
95 * +---------------+
124 * reverse-order pseudorandom hash.
130 * CRYPTO_FLAG_CERT Lit when a self-digned trusted certificate is
146 #define MAX_VALLEN (65535 - VALUE_LEN)
214 return (-1);
219 * session_key - generate session key
289 * make_keylist - generate key list
295 * This routine constructs a pseudo-random sequence by repeatedly
324 if (peer->keylist == NULL)
325 peer->keylist = eallocarray(NTP_MAXSESSION,
349 mpoll = 1U << min(peer->ppoll, peer->hpoll);
351 if (peer->hmode == MODE_BROADCAST)
354 cookie = peer->pcookie;
356 peer->keylist[i] = keyid;
357 peer->keynumber = i;
358 keyid = session_key(&dstadr->sin, &peer->srcadr, keyid,
360 lifetime -= mpoll;
372 vp = &peer->sndval;
373 if (vp->ptr == NULL)
374 vp->ptr = emalloc(sizeof(struct autokey));
375 ap = (struct autokey *)vp->ptr;
376 ap->seq = htonl(peer->keynumber);
377 ap->key = htonl(keyid);
378 vp->tstamp = htonl(tstamp);
379 vp->fstamp = hostval.tstamp;
380 vp->vallen = htonl(sizeof(struct autokey));
381 vp->siglen = 0;
383 if (vp->sig == NULL)
384 vp->sig = emalloc(sign_siglen);
388 EVP_SignUpdate(ctx, vp->ptr, sizeof(struct autokey));
389 if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) {
391 vp->siglen = htonl(len);
392 peer->flags |= FLAG_ASSOC;
396 peer->keynumber, keyid, cookie, ntohl(vp->tstamp),
397 ntohl(vp->fstamp), peer->hpoll));
403 * crypto_recv - parse extension fields
455 hismode = (int)PKT_MODE((&rbufp->recv_pkt)->li_vn_mode);
456 while ((macbytes = rbufp->recv_length - authlen) > (int)MAX_MAC_LEN) {
461 pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4;
463 code = ntohl(ep->opcode) & 0xffff0000;
464 len = ntohl(ep->opcode) & 0x0000ffff;
465 // HMS: Why pkt[1] instead of ep->associd ?
469 peer->crypto, authlen, len, code >> 16,
494 fstamp = ntohl(ep->fstamp);
495 vallen = ntohl(ep->vallen);
500 || len - VALUE_LEN < vallen)
523 * extension field to the transmit side.
525 if (peer->crypto & CRYPTO_FLAG_CERT) {
529 if (peer->cmmd) {
530 if (peer->assoc != associd) {
534 free(peer->cmmd); /* will be set again! */
538 fp->associd = htonl(peer->associd);
539 peer->cmmd = fp;
548 if (peer->crypto) {
549 if (peer->assoc != associd)
555 len - VALUE_LEN < vallen) {
560 crypto_flags, peer->associd, fstamp,
561 peer->assoc));
613 peer->assoc = associd;
618 RAND_bytes((u_char *)&peer->hcookie, 4);
619 peer->crypto = fstamp;
620 peer->digest = dp;
621 if (peer->subject != NULL)
622 free(peer->subject);
623 peer->subject = emalloc(vallen + 1);
624 memcpy(peer->subject, ep->pkt, vallen);
625 peer->subject[vallen] = '\0';
626 if (peer->issuer != NULL)
627 free(peer->issuer);
628 peer->issuer = estrdup(peer->subject);
630 "assoc %d %d host %s %s", peer->associd,
631 peer->assoc, peer->subject,
633 record_crypto_stats(&peer->srcadr, statstr);
677 if (peer->pkey == NULL) {
678 puch = xinfo->cert.ptr;
680 ntohl(xinfo->cert.vallen));
681 peer->pkey = X509_get_pubkey(cert);
684 peer->flash &= ~TEST8;
685 temp32 = xinfo->nid;
688 xinfo->subject, xinfo->issuer, xinfo->flags,
690 ntohl(ep->fstamp));
691 record_crypto_stats(&peer->srcadr, statstr);
724 peer->crypto |= CRYPTO_FLAG_VRFY;
725 peer->flash &= ~TEST8;
727 peer->issuer, ntohl(ep->fstamp));
728 record_crypto_stats(&peer->srcadr, statstr);
733 * Guillou-Quisquater (GQ) identity scheme. This scheme
762 peer->crypto |= CRYPTO_FLAG_VRFY;
763 peer->flash &= ~TEST8;
765 peer->issuer, ntohl(ep->fstamp));
766 record_crypto_stats(&peer->srcadr, statstr);
771 * Mu-Varadharajan (MV) identity scheme. This scheme is
799 peer->crypto |= CRYPTO_FLAG_VRFY;
800 peer->flash &= ~TEST8;
802 peer->issuer, ntohl(ep->fstamp));
803 record_crypto_stats(&peer->srcadr, statstr);
820 if ((rval = crypto_verify(ep, &peer->cookval,
837 (u_char *)ep->pkt,
862 peer->pcookie = peer->hcookie ^ cookie;
864 peer->pcookie = cookie;
865 peer->crypto |= CRYPTO_FLAG_COOK;
866 peer->flash &= ~TEST8;
868 "cook %x ts %u fs %u", peer->pcookie,
869 ntohl(ep->tstamp), ntohl(ep->fstamp));
870 record_crypto_stats(&peer->srcadr, statstr);
891 if ((rval = crypto_verify(ep, &peer->recval,
902 if ((peer->cast_flags & MDF_BCLNT) &&
903 peer->assoc != associd)
910 if (ep->tstamp == 0)
913 if (peer->recval.ptr == NULL)
914 peer->recval.ptr =
916 bp = (struct autokey *)peer->recval.ptr;
917 peer->recval.tstamp = ep->tstamp;
918 peer->recval.fstamp = ep->fstamp;
919 ap = (struct autokey *)ep->pkt;
920 bp->seq = ntohl(ap->seq);
921 bp->key = ntohl(ap->key);
922 peer->pkeyid = bp->key;
923 peer->crypto |= CRYPTO_FLAG_AUTO;
924 peer->flash &= ~TEST8;
926 "auto seq %d key %x ts %u fs %u", bp->seq,
927 bp->key, ntohl(ep->tstamp),
928 ntohl(ep->fstamp));
929 record_crypto_stats(&peer->srcadr, statstr);
958 peer->crypto |= CRYPTO_FLAG_SIGN;
959 peer->flash &= ~TEST8;
960 temp32 = xinfo->nid;
963 xinfo->subject, xinfo->issuer, xinfo->flags,
965 ntohl(ep->fstamp));
966 record_crypto_stats(&peer->srcadr, statstr);
993 leapsec_autokey_tai(ntohl(ep->pkt[0]),
994 rbufp->recv_time.l_ui, NULL);
995 tai_leap.tstamp = ep->tstamp;
996 tai_leap.fstamp = ep->fstamp;
999 "%d seconds", ntohl(ep->pkt[0]));
1000 peer->crypto |= CRYPTO_FLAG_LEAP;
1001 peer->flash &= ~TEST8;
1004 ntohl(ep->pkt[0]), ntohl(ep->pkt[1]),
1005 ntohl(ep->pkt[2]), ntohl(ep->fstamp));
1006 record_crypto_stats(&peer->srcadr, statstr);
1013 * the transmit side. All we need do here is check for
1034 * transmit side. If an error or invalid response,
1040 } else if (peer->cmmd == NULL) {
1043 peer->cmmd = fp;
1053 "%04x %d %02x %s", htonl(ep->opcode),
1055 record_crypto_stats(&peer->srcadr, statstr);
1066 * crypto_xmit - construct extension fields
1073 * Side effect: update the packet offset.
1115 opcode = ntohl(ep->opcode);
1117 srcadr_sin = &peer->srcadr;
1119 peer->opcode = ep->opcode;
1121 srcadr_sin = &rbufp->recv_srcadr;
1123 associd = (associd_t) ntohl(ep->associd);
1125 fp->opcode = htonl((opcode & 0xffff0000) | len);
1126 fp->associd = ep->associd;
1139 fp->fstamp = htonl(crypto_flags);
1148 vtemp.tstamp = ep->tstamp;
1149 vtemp.fstamp = ep->fstamp;
1150 vtemp.vallen = ep->vallen;
1151 vtemp.ptr = (u_char *)ep->pkt;
1156 * Send sign request. Use the host certificate, which is self-
1161 if ((calcomp(&tscal, &(cert_host->first)) < 0)
1162 || (calcomp(&tscal, &(cert_host->last)) > 0))
1165 len = crypto_send(fp, &cert_host->cert, start);
1176 * choice is a self-signed trusted certificate; second choice is
1189 * subject. If a self-signed, trusted certificate is
1191 * self-signed certificate.
1193 memcpy(certname, ep->pkt, vallen);
1196 for (cp = cinfo; cp != NULL; cp = cp->link) {
1197 if (cp->flags & (CERT_PRIV | CERT_ERROR))
1200 if (strcmp(certname, cp->subject) != 0)
1203 if (strcmp(certname, cp->issuer) != 0)
1205 else if (cp ->flags & CERT_TRUST)
1232 len = crypto_send(fp, &xp->cert, start);
1259 * Send challenge in Guillou-Quisquater (GQ) identity scheme.
1272 * Send response in Guillou-Quisquater (GQ) identity scheme.
1306 * certificate has already been verified on the receive side.
1332 vallen = ntohl(ep->vallen); /* Must be <64k */
1342 tcookie = peer->hcookie;
1343 if ((rval = crypto_encrypt((const u_char *)ep->pkt, vallen, &tcookie, &vtemp))
1364 peer->flags &= ~FLAG_ASSOC;
1365 len = crypto_send(fp, &peer->sndval, start);
1378 * Default - Send a valid command for unknown requests; send
1395 fp->opcode |= htonl(opcode_bits);
1411 * crypto_verify - verify the extension field value and signature
1445 len = ntohl(ep->opcode) & 0x0000ffff;
1446 opcode = ntohl(ep->opcode) & 0xffff0000;
1460 if (opcode == (CRYPTO_AUTO | CRYPTO_RESP) && (peer->pmode ==
1461 MODE_BROADCAST || (peer->cast_flags & MDF_BCLNT))) {
1462 if (ntohl(ep->associd) != peer->assoc)
1465 if (ntohl(ep->associd) != peer->associd)
1476 vallen = ntohl(ep->vallen);
1482 siglen = ntohl(ep->pkt[i]);
1485 || len - VALUE_LEN < ((vallen + 3) / 4) * 4
1486 || len - VALUE_LEN - ((vallen + 3) / 4) * 4
1497 tstamp = ntohl(ep->tstamp);
1498 fstamp = ntohl(ep->fstamp);
1506 tstamp1 = ntohl(vp->tstamp);
1507 fstamp1 = ntohl(vp->fstamp);
1529 if (crypto_flags & peer->crypto & CRYPTO_FLAG_PRIV)
1532 pkey = peer->pkey;
1533 if (siglen == 0 || pkey == NULL || peer->digest == NULL)
1545 EVP_VerifyInit(ctx, peer->digest);
1546 EVP_VerifyUpdate(ctx, (u_char *)&ep->tstamp, vallen +
1547 sizeof(ep->tstamp) + sizeof(ep->fstamp) +
1548 sizeof(ep->vallen));
1549 if (EVP_VerifyFinal(ctx, (u_char *)&ep->pkt[i], siglen,
1554 if (peer->crypto & CRYPTO_FLAG_VRFY)
1555 peer->crypto |= CRYPTO_FLAG_PROV;
1561 * crypto_encrypt - construct vp (encrypted cookie and signature) from
1599 vp->tstamp = htonl(tstamp);
1600 vp->fstamp = hostval.tstamp;
1602 vp->vallen = htonl(vallen);
1603 vp->ptr = emalloc(vallen);
1604 puch = vp->ptr;
1611 free(vp->ptr);
1622 vp->sig = emalloc(sign_siglen);
1625 EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12);
1626 EVP_SignUpdate(ctx, vp->ptr, vallen);
1627 if (EVP_SignFinal(ctx, vp->sig, &vallen, sign_pkey)) {
1629 vp->siglen = htonl(vallen);
1636 * crypto_ident - construct extension field for identity scheme
1663 if (peer->crypto & CRYPTO_FLAG_IFF) {
1666 } else if (peer->crypto & CRYPTO_FLAG_GQ) {
1669 } else if (peer->crypto & CRYPTO_FLAG_MV) {
1676 scheme_name, peer->ident);
1677 peer->ident_pkey = crypto_key(filename, NULL,
1678 &peer->srcadr);
1679 if (peer->ident_pkey != NULL)
1685 peer->ident);
1692 * crypto_args - construct extension field from arguments
1701 * XXX: opcode and len should really be 32-bit quantities and
1731 ep->opcode = htonl(opcode + len);
1732 ep->associd = htonl(associd);
1733 ep->tstamp = htonl(tstamp);
1734 ep->fstamp = hostval.tstamp;
1735 ep->vallen = 0;
1737 ep->vallen = htonl(slen);
1738 memcpy((char *)ep->pkt, str, slen);
1745 * crypto_send - construct extension field from value components
1747 * The value and signature fields are zero-padded to a word boundary.
1752 * XXX This code won't work on a box with 16-bit ints.
1769 vallen = ntohl(vp->vallen);
1772 siglen = ntohl(vp->siglen);
1774 if (start + len > sizeof(struct pkt) - MAX_MAC_LEN)
1780 ep->tstamp = vp->tstamp;
1781 ep->fstamp = vp->fstamp;
1782 ep->vallen = vp->vallen;
1789 if (vallen > 0 && vp->ptr != NULL) {
1792 ep->pkt[i + j++] = 0;
1793 memcpy(&ep->pkt[i], vp->ptr, vallen);
1801 ep->pkt[i++] = vp->siglen;
1802 if (siglen > 0 && vp->sig != NULL) {
1805 ep->pkt[i + j++] = 0;
1806 memcpy(&ep->pkt[i], vp->sig, siglen);
1809 opcode = ntohl(ep->opcode);
1810 ep->opcode = htonl((opcode & 0xffff0000) | len);
1817 * crypto_update - compute new public value and sign extension fields
1875 for (cp = cinfo; cp != NULL; cp = cp->link) {
1876 cp->cert.tstamp = hostval.tstamp;
1877 cp->cert.siglen = 0;
1878 if (cp->cert.sig == NULL)
1879 cp->cert.sig = emalloc(sign_siglen);
1881 EVP_SignUpdate(ctx, (u_char *)&cp->cert, 12);
1882 EVP_SignUpdate(ctx, cp->cert.ptr,
1883 ntohl(cp->cert.vallen));
1884 if (EVP_SignFinal(ctx, cp->cert.sig, &len, sign_pkey)) {
1886 cp->cert.siglen = htonl(len);
1917 * fake -- maybe we can do better.
1947 * crypto_update_taichange - eventually trigger crypto_update
1978 * value_free - free value structure components.
1987 if (vp->ptr != NULL)
1988 free(vp->ptr);
1989 if (vp->sig != NULL)
1990 free(vp->sig);
1996 * crypto_time - returns current NTP time.
2013 * asn_to_calendar - convert ASN1_TIME time structure to struct calendar.
2032 * Also note that two-digit years less than 50 map to years greater than
2033 * 100. Dontcha love ASN.1? Better than MIL-188.
2035 len = asn1time->length;
2037 (void)strncpy(v, (char *)(asn1time->data), len);
2039 temp = strtoul(v+len-3, NULL, 10);
2040 pjd->second = temp;
2041 v[len-3] = '\0';
2043 temp = strtoul(v+len-5, NULL, 10);
2044 pjd->minute = temp;
2045 v[len-5] = '\0';
2047 temp = strtoul(v+len-7, NULL, 10);
2048 pjd->hour = temp;
2049 v[len-7] = '\0';
2051 temp = strtoul(v+len-9, NULL, 10);
2052 pjd->monthday = temp;
2053 v[len-9] = '\0';
2055 temp = strtoul(v+len-11, NULL, 10);
2056 pjd->month = temp;
2057 v[len-11] = '\0';
2060 /* handle two-digit years */
2065 pjd->year = temp;
2067 pjd->yearday = pjd->weekday = 0;
2073 * bighash() - compute a BIGNUM MD5 hash of a BIGNUM number.
2120 * cryptography and described in Stimson p. 285. The p is a 512-bit
2121 * prime, g a generator of Zp* and q a 160-bit prime that divides p - 1
2123 * private random group key b (0 < b < q) and public key v = g^b, then
2124 * sends (p, q, g, b) to the servers and (p, q, g, v) to the clients.
2131 * p, q and generator g. The TA gives private key b to Bob and public
2136 * computes y = k + b r mod q and x = g^k mod p and sends (y, hash(x))
2139 * solve for b by observing a number of these messages.
2143 * matches hash(x), Alice knows that Bob has the group key b. The signed
2147 * crypto_alice - construct Alice's challenge in IFF scheme
2170 if (peer->ident_pkey == NULL) {
2175 if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) {
2183 if (peer->iffval != NULL)
2184 BN_free(peer->iffval);
2185 peer->iffval = BN_new();
2188 BN_rand(peer->iffval, len * 8, -1, 1); /* r mod q*/
2190 BN_mod(peer->iffval, peer->iffval, q, bctx);
2198 vp->tstamp = htonl(tstamp);
2199 vp->fstamp = htonl(peer->ident_pkey->fstamp);
2200 vp->vallen = htonl(len);
2201 vp->ptr = emalloc(len);
2202 BN_bn2bin(peer->iffval, vp->ptr);
2206 vp->sig = emalloc(sign_siglen);
2209 EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12);
2210 EVP_SignUpdate(ctx, vp->ptr, len);
2211 if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) {
2213 vp->siglen = htonl(len);
2220 * crypto_bob - construct Bob's response to Alice's challenge
2257 dsa = EVP_PKEY_get0_DSA(iffkey_info->pkey);
2267 if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
2274 * Bob rolls random k (0 < k < q), computes y = k + b r mod q
2279 BN_rand(bk, len * 8, -1, 1); /* k */
2280 BN_mod_mul(bn, priv_key, r, q, bctx); /* b r mod q */
2282 BN_mod(bn, bn, q, bctx); /* k + b r mod q */
2312 vp->tstamp = htonl(tstamp);
2313 vp->fstamp = htonl(iffkey_info->fstamp);
2314 vp->vallen = htonl(len);
2316 vp->ptr = ptr;
2324 vp->sig = emalloc(sign_siglen);
2327 EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12);
2328 EVP_SignUpdate(ctx, vp->ptr, len);
2329 if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) {
2331 vp->siglen = htonl(len);
2342 * crypto_iff - verify Bob's response to Alice's challenge
2371 if (peer->ident_pkey == NULL) {
2375 if (ntohl(ep->fstamp) != peer->ident_pkey->fstamp) {
2377 ntohl(ep->fstamp));
2380 if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) {
2384 if (peer->iffval == NULL) {
2390 * Extract the k + b r and g^k values from the response.
2393 len = ntohl(ep->vallen);
2394 ptr = (u_char *)ep->pkt;
2403 * Compute g^(k + b r) g^(q - b)r mod p.
2408 BN_mod_exp(bn, pub_key, peer->iffval, p, bctx);
2418 BN_free(peer->iffval);
2419 peer->iffval = NULL;
2432 * The following routines implement the Guillou-Quisquater (GQ) *
2437 * The Guillou-Quisquater (GQ) identity scheme is intended for use when
2451 * cryptography and described in Stimson p. 300 (with errors). The 512-
2453 * The TA rolls private random group key b as RSA exponent. These values
2458 * is the inverse obscured by the group key v = (u^-1)^b. These values
2466 * and some random b as the group key. These values are computed and
2468 * b is truly secret. Each has a private random private key u and public
2469 * key (u^-1)^b, although not necessarily the same ones. Bob and Alice
2476 * n and x = k^b mod n and sends (y, hash(x)) to Alice in the response
2478 * effectivey impossible for an intruder to solve for b by observing
2481 * Alice receives the response and computes y^b v^r mod n. After a bit
2482 * of algebra, this simplifies to k^b. If the hash of this result
2483 * matches hash(x), Alice knows that Bob has the group key b. The signed
2487 * crypto_alice2 - construct Alice's challenge in GQ scheme
2510 if (peer->ident_pkey == NULL)
2513 if ((rsa = EVP_PKEY_get0_RSA(peer->ident_pkey->pkey)) == NULL) {
2521 if (peer->iffval != NULL)
2522 BN_free(peer->iffval);
2523 peer->iffval = BN_new();
2526 BN_rand(peer->iffval, len * 8, -1, 1); /* r mod n */
2528 BN_mod(peer->iffval, peer->iffval, n, bctx);
2536 vp->tstamp = htonl(tstamp);
2537 vp->fstamp = htonl(peer->ident_pkey->fstamp);
2538 vp->vallen = htonl(len);
2539 vp->ptr = emalloc(len);
2540 BN_bn2bin(peer->iffval, vp->ptr);
2544 vp->sig = emalloc(sign_siglen);
2547 EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12);
2548 EVP_SignUpdate(ctx, vp->ptr, len);
2549 if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) {
2551 vp->siglen = htonl(len);
2558 * crypto_bob2 - construct Bob's response to Alice's challenge
2590 rsa = EVP_PKEY_get0_RSA(gqkey_info->pkey);
2599 if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
2607 * x = k^b mod n, then sends (y, hash(x)) to Alice.
2611 BN_rand(k, len * 8, -1, 1); /* k */
2615 BN_mod_exp(g, k, e, n, bctx); /* k^b mod n */
2638 vp->tstamp = htonl(tstamp);
2639 vp->fstamp = htonl(gqkey_info->fstamp);
2640 vp->vallen = htonl(len);
2642 vp->ptr = ptr;
2648 vp->sig = emalloc(sign_siglen);
2651 EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12);
2652 EVP_SignUpdate(ctx, vp->ptr, len);
2653 if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) {
2655 vp->siglen = htonl(len);
2662 * crypto_gq - verify Bob's response to Alice's challenge
2693 if (peer->ident_pkey == NULL) {
2697 if (ntohl(ep->fstamp) < peer->ident_pkey->fstamp) {
2699 ntohl(ep->fstamp));
2702 if ((rsa = EVP_PKEY_get0_RSA(peer->ident_pkey->pkey)) == NULL) {
2707 if (peer->iffval == NULL) {
2713 * Extract the y = k u^r and hash(x = k^b) values from the
2717 len = ntohl(ep->vallen);
2718 ptr = (u_char *)ep->pkt;
2728 * Compute v^r y^b mod n.
2730 if (peer->grpkey == NULL) {
2734 BN_mod_exp(v, peer->grpkey, peer->iffval, n, bctx);
2736 BN_mod_exp(y, r, e, n, bctx); /* y^b mod n */
2737 BN_mod_mul(y, v, y, n, bctx); /* v^r y^b mod n */
2745 BN_free(peer->iffval);
2746 peer->iffval = NULL;
2759 * The following routines implement the Mu-Varadharajan (MV) identity *
2764 * The Mu-Varadharajan (MV) cryptosystem was originally intended when
2768 * pay-per-view satellite broadcasting system where the session key is
2770 * tamperproof set-top box.
2776 * product terms (x - x[j]), as described in Mu, Y., and V.
2778 * 223-231. The paper has significant errors and serious omissions.
2782 * that q and each s1[j] divide p - 1 and p has M = n * m + 1
2783 * significant bits. Let g be a generator of Zp; that is, gcd(g, p - 1)
2786 * inverse b^-1 of random b in Zq, but for that purpose we require
2787 * gcd(b, q) = 1. We expect M to be in the 500-bit range and n
2793 * polynomial of order n. The product terms (x - x[j]) are expanded to
2811 * recomputed, the jth client will no longer be able to compute E^-1 and
2823 * Alice receives the response and computes the inverse (E^k)^-1 from
2829 * crypto_alice3 - construct Alice's challenge in MV scheme
2852 if (peer->ident_pkey == NULL)
2855 if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) {
2864 if (peer->iffval != NULL)
2865 BN_free(peer->iffval);
2866 peer->iffval = BN_new();
2868 BN_rand(peer->iffval, len * 8, -1, 1); /* r mod p */
2870 BN_mod(peer->iffval, peer->iffval, p, bctx);
2878 vp->tstamp = htonl(tstamp);
2879 vp->fstamp = htonl(peer->ident_pkey->fstamp);
2880 vp->vallen = htonl(len);
2881 vp->ptr = emalloc(len);
2882 BN_bn2bin(peer->iffval, vp->ptr);
2886 vp->sig = emalloc(sign_siglen);
2889 EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12);
2890 EVP_SignUpdate(ctx, vp->ptr, len);
2891 if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) {
2893 vp->siglen = htonl(len);
2900 * crypto_bob3 - construct Bob's response to Alice's challenge
2932 dsa = EVP_PKEY_get0_DSA(mvkey_info->pkey);
2942 if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
2981 vp->tstamp = htonl(tstamp);
2982 vp->fstamp = htonl(mvkey_info->fstamp);
2990 vp->vallen = htonl(len);
2992 vp->ptr = ptr;
2998 vp->sig = emalloc(sign_siglen);
3001 EVP_SignUpdate(ctx, (u_char *)&vp->tstamp, 12);
3002 EVP_SignUpdate(ctx, vp->ptr, len);
3003 if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) {
3005 vp->siglen = htonl(len);
3012 * crypto_mv - verify Bob's response to Alice's challenge
3042 if (peer->ident_pkey == NULL) {
3046 if (ntohl(ep->fstamp) != peer->ident_pkey->fstamp) {
3048 ntohl(ep->fstamp));
3051 if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) {
3057 if (peer->iffval == NULL) {
3066 len = ntohl(ep->vallen);
3067 ptr = (u_char *)ep->pkt;
3086 temp = BN_cmp(u, peer->iffval);
3088 BN_free(peer->iffval);
3089 peer->iffval = NULL;
3107 * cert_sign - sign x509 certificate equest and update value structure.
3172 cptr = (void *)ep->pkt;
3203 hostval.ptr, strlen((const char *)hostval.ptr), -1, 0);
3210 INSIST(X509_add_ext(cert, ext, -1));
3219 if ((calcomp(&tscal, &(cert_host->first)) < 0)
3220 || (calcomp(&tscal, &(cert_host->last)) > 0)) {
3239 vp->tstamp = htonl(tstamp);
3240 vp->fstamp = ep->fstamp;
3241 vp->vallen = htonl(len);
3242 vp->ptr = emalloc(len);
3243 ptr = vp->ptr;
3245 vp->siglen = 0;
3247 vp->sig = emalloc(sign_siglen);
3251 EVP_SignUpdate(ctx, vp->ptr, len);
3252 if (EVP_SignFinal(ctx, vp->sig, &len, sign_pkey)) {
3254 vp->siglen = htonl(len);
3267 * cert_install - install certificate in certificate cache
3289 if ((cp = cert_parse((u_char *)ep->pkt, (long)ntohl(ep->vallen),
3290 (tstamp_t)ntohl(ep->fstamp))) == NULL)
3307 for (xp = cinfo; xp != NULL; xp = xp->link) {
3308 if (strcmp(cp->subject, xp->subject) == 0 &&
3309 strcmp(cp->issuer, xp->issuer) == 0) {
3310 if (ntohl(cp->cert.fstamp) <=
3311 ntohl(xp->cert.fstamp)) {
3315 *zp = xp->link;
3321 zp = &xp->link;
3324 cp->link = cinfo;
3327 cp->flags |= CERT_VALID;
3334 * cert_hike - verify the signature using the issuer public key
3356 if (peer->issuer != NULL)
3357 free(peer->issuer);
3358 peer->issuer = estrdup(yp->issuer);
3359 xp = peer->xinfo;
3360 peer->xinfo = yp;
3370 if (strcmp(yp->subject, yp->issuer) == 0) {
3371 if (!(yp->flags & CERT_TRUST))
3380 peer->crypto |= CRYPTO_FLAG_CERT;
3381 peer->grpkey = yp->grpkey;
3382 if (peer->ident == NULL || !(peer->crypto &
3384 peer->crypto |= CRYPTO_FLAG_VRFY;
3393 ptr = (u_char *)xp->cert.ptr;
3394 cert = d2i_X509(NULL, &ptr, ntohl(xp->cert.vallen));
3396 xp->flags |= CERT_ERROR;
3399 if (X509_verify(cert, yp->pkey) <= 0) {
3401 xp->flags |= CERT_ERROR;
3410 if ((calcomp(&(xp->first), &(yp->first)) < 0)
3411 || (calcomp(&(xp->first), &(yp->last)) > 0)) {
3412 xp->flags |= CERT_ERROR;
3415 xp->flags |= CERT_SIGN;
3421 * cert_parse - parse x509 certificate and create info/value structures.
3467 if ((ret->pkey = X509_get_pubkey(cert)) == NULL) {
3474 ret->version = X509_get_version(cert);
3485 ret->subject = estrdup(pch + 3);
3494 ret->nid = X509_get_signature_nid(cert);
3495 ret->digest = (const EVP_MD *)EVP_get_digestbynid(ret->nid);
3496 ret->serial =
3507 ret->issuer = estrdup(pch + 3);
3508 asn_to_calendar(X509_get0_notBefore(cert), &(ret->first));
3509 asn_to_calendar(X509_get0_notAfter(cert), &(ret->last));
3541 ret->flags |= CERT_TRUST;
3543 ret->flags |= CERT_PRIV;
3554 ret->grpkey = BN_bin2bn(&data->data[2],
3555 data->length - 2, NULL);
3563 if (strcmp(ret->subject, ret->issuer) == 0) {
3568 if (X509_verify(cert, ret->pkey) <= 0) {
3571 ret->subject);
3581 if (strcmp((const char *)hostval.ptr, ret->issuer) == 0) {
3584 ret->subject);
3596 if ((calcomp(&(ret->first), &(ret->last)) > 0)
3597 || (calcomp(&(ret->first), &fscal) < 0)) {
3599 "cert_parse: invalid times %s first %u-%02u-%02uT%02u:%02u:%02u last %u-%02u-%02uT%02u:%02u:%02u fstamp %u-%02u-%02uT%02u:%02u:%02u",
3600 ret->subject,
3601 ret->first.year, ret->first.month, ret->first.monthday,
3602 ret->first.hour, ret->first.minute, ret->first.second,
3603 ret->last.year, ret->last.month, ret->last.monthday,
3604 ret->last.hour, ret->last.minute, ret->last.second,
3615 ret->cert.fstamp = htonl(fstamp);
3616 ret->cert.vallen = htonl(len);
3617 ret->cert.ptr = emalloc(len);
3618 memcpy(ret->cert.ptr, asn1cert, len);
3625 * cert_free - free certificate information structure
3632 if (cinf->pkey != NULL)
3633 EVP_PKEY_free(cinf->pkey);
3634 if (cinf->subject != NULL)
3635 free(cinf->subject);
3636 if (cinf->issuer != NULL)
3637 free(cinf->issuer);
3638 if (cinf->grpkey != NULL)
3639 BN_free(cinf->grpkey);
3640 value_free(&cinf->cert);
3646 * crypto_key - load cryptographic parameters and keys
3651 * PEM-encoded file of the same name and extracts the filestamp from
3674 for (pkp = pkinfo; pkp != NULL; pkp = pkp->link) {
3675 if (strcmp(cp, pkp->name) == 0)
3716 * Read and decrypt PEM-encoded private key. If it fails to
3724 exit (-1);
3731 pkp->link = pkinfo;
3733 pkp->pkey = pkey;
3734 pkp->name = estrdup(cp);
3735 pkp->fstamp = fstamp;
3767 * crypto_cert - load certificate from file
3829 * Read PEM-encoded certificate and install.
3860 &linkname[2], ret->flags, len);
3868 * crypto_setup - load keys, certificate and identity parameters
3922 if ((bytes = RAND_load_file(randfile, -1)) == 0) {
3926 exit (-1);
3960 exit (-1);
3962 if (EVP_PKEY_base_id(pinfo->pkey) != EVP_PKEY_RSA) {
3965 exit (-1);
3967 host_pkey = pinfo->pkey;
3969 hostval.fstamp = htonl(pinfo->fstamp);
3988 sign_pkey = pinfo->pkey;
3999 exit (-1);
4002 sign_digest = cinfo->digest;
4004 if (cinfo->flags & CERT_PRIV)
4008 * The certificate must be self-signed.
4010 if (strcmp(cinfo->subject, cinfo->issuer) != 0) {
4012 "crypto_setup: certificate %s is not self-signed",
4014 exit (-1);
4016 hostval.ptr = estrdup(cinfo->subject);
4017 hostval.vallen = htonl(strlen(cinfo->subject));
4058 crypto_flags |= CRYPTO_FLAG_ENAB | (cinfo->nid << 16);
4060 crypto_flags, hostname, OBJ_nid2ln(cinfo->nid));
4067 * crypto_config - configure data from the crypto command.
4136 * too short to hold a variable-sized value, the return value is zero.
4150 head_size = (BPTR)(&ep->vallen + 1) - (BPTR)ep;
4151 extn_size = (uint16_t)(ntohl(ep->opcode) & 0x0000ffff);
4153 data_size = (uint32_t)ntohl(ep->vallen);
4154 if (data_size > extn_size - head_size)