1224ba2bdSOllivier Robert /* 2224ba2bdSOllivier Robert * ntp_crypto.h - definitions for cryptographic operations 3224ba2bdSOllivier Robert */ 42b15cb3dSCy Schubert #ifndef NTP_CRYPTO_H 52b15cb3dSCy Schubert #define NTP_CRYPTO_H 62b15cb3dSCy Schubert 72b15cb3dSCy Schubert /* 82b15cb3dSCy Schubert * Configuration codes (also needed for parser without AUTOKEY) 92b15cb3dSCy Schubert */ 102b15cb3dSCy Schubert #define CRYPTO_CONF_NONE 0 /* nothing doing */ 112b15cb3dSCy Schubert #define CRYPTO_CONF_PRIV 1 /* host name */ 122b15cb3dSCy Schubert #define CRYPTO_CONF_IDENT 2 /* group name */ 132b15cb3dSCy Schubert #define CRYPTO_CONF_CERT 3 /* certificate file name */ 142b15cb3dSCy Schubert #define CRYPTO_CONF_RAND 4 /* random seed file name */ 152b15cb3dSCy Schubert #define CRYPTO_CONF_IFFPAR 5 /* IFF parameters file name */ 162b15cb3dSCy Schubert #define CRYPTO_CONF_GQPAR 6 /* GQ parameters file name */ 172b15cb3dSCy Schubert #define CRYPTO_CONF_MVPAR 7 /* MV parameters file name */ 182b15cb3dSCy Schubert #define CRYPTO_CONF_PW 8 /* private key password */ 192b15cb3dSCy Schubert #define CRYPTO_CONF_NID 9 /* specify digest name */ 202b15cb3dSCy Schubert 212b15cb3dSCy Schubert #ifdef AUTOKEY 222b15cb3dSCy Schubert #ifndef OPENSSL 232b15cb3dSCy Schubert #error AUTOKEY should be defined only if OPENSSL is. 242b15cb3dSCy Schubert invalidsyntax: AUTOKEY should be defined only if OPENSSL is. 252b15cb3dSCy Schubert #endif 262b15cb3dSCy Schubert 27*f0574f5cSXin LI #include "openssl/bn.h" 289c2daa00SOllivier Robert #include "openssl/evp.h" 292b15cb3dSCy Schubert #include "ntp_calendar.h" /* for fields in the cert_info structure */ 302b15cb3dSCy Schubert 312b15cb3dSCy Schubert 329c2daa00SOllivier Robert /* 339c2daa00SOllivier Robert * The following bits are set by the CRYPTO_ASSOC message from 349c2daa00SOllivier Robert * the server and are not modified by the client. 359c2daa00SOllivier Robert */ 369c2daa00SOllivier Robert #define CRYPTO_FLAG_ENAB 0x0001 /* crypto enable */ 379c2daa00SOllivier Robert #define CRYPTO_FLAG_TAI 0x0002 /* leapseconds table */ 38224ba2bdSOllivier Robert 399c2daa00SOllivier Robert #define CRYPTO_FLAG_PRIV 0x0010 /* PC identity scheme */ 409c2daa00SOllivier Robert #define CRYPTO_FLAG_IFF 0x0020 /* IFF identity scheme */ 419c2daa00SOllivier Robert #define CRYPTO_FLAG_GQ 0x0040 /* GQ identity scheme */ 429c2daa00SOllivier Robert #define CRYPTO_FLAG_MV 0x0080 /* MV identity scheme */ 439c2daa00SOllivier Robert #define CRYPTO_FLAG_MASK 0x00f0 /* identity scheme mask */ 44224ba2bdSOllivier Robert 45224ba2bdSOllivier Robert /* 469c2daa00SOllivier Robert * The following bits are used by the client during the protocol 479c2daa00SOllivier Robert * exchange. 48224ba2bdSOllivier Robert */ 492b15cb3dSCy Schubert #define CRYPTO_FLAG_CERT 0x0100 /* public key verified */ 509c2daa00SOllivier Robert #define CRYPTO_FLAG_VRFY 0x0200 /* identity verified */ 519c2daa00SOllivier Robert #define CRYPTO_FLAG_PROV 0x0400 /* signature verified */ 522b15cb3dSCy Schubert #define CRYPTO_FLAG_COOK 0x0800 /* cookie verifed */ 539c2daa00SOllivier Robert #define CRYPTO_FLAG_AUTO 0x1000 /* autokey verified */ 549c2daa00SOllivier Robert #define CRYPTO_FLAG_SIGN 0x2000 /* certificate signed */ 552b15cb3dSCy Schubert #define CRYPTO_FLAG_LEAP 0x4000 /* leapsecond values verified */ 562b15cb3dSCy Schubert #define CRYPTO_FLAG_ALL 0x7f00 /* all mask */ 579c2daa00SOllivier Robert 589c2daa00SOllivier Robert /* 599c2daa00SOllivier Robert * Flags used for certificate management 609c2daa00SOllivier Robert */ 61ea906c41SOllivier Robert #define CERT_TRUST 0x01 /* certificate is trusted */ 62ea906c41SOllivier Robert #define CERT_SIGN 0x02 /* certificate is signed */ 63ea906c41SOllivier Robert #define CERT_VALID 0x04 /* certificate is valid */ 64ea906c41SOllivier Robert #define CERT_PRIV 0x08 /* certificate is private */ 659c2daa00SOllivier Robert #define CERT_ERROR 0x80 /* certificate has errors */ 66224ba2bdSOllivier Robert 67224ba2bdSOllivier Robert /* 68224ba2bdSOllivier Robert * Extension field definitions 69224ba2bdSOllivier Robert */ 709c2daa00SOllivier Robert #define CRYPTO_MAXLEN 1024 /* max extension field length */ 719c2daa00SOllivier Robert #define CRYPTO_VN 2 /* current protocol version number */ 729c2daa00SOllivier Robert #define CRYPTO_CMD(x) (((CRYPTO_VN << 8) | (x)) << 16) 739c2daa00SOllivier Robert #define CRYPTO_NULL CRYPTO_CMD(0) /* no operation */ 749c2daa00SOllivier Robert #define CRYPTO_ASSOC CRYPTO_CMD(1) /* association */ 759c2daa00SOllivier Robert #define CRYPTO_CERT CRYPTO_CMD(2) /* certificate */ 769c2daa00SOllivier Robert #define CRYPTO_COOK CRYPTO_CMD(3) /* cookie value */ 779c2daa00SOllivier Robert #define CRYPTO_AUTO CRYPTO_CMD(4) /* autokey values */ 782b15cb3dSCy Schubert #define CRYPTO_LEAP CRYPTO_CMD(5) /* leapsecond values */ 799c2daa00SOllivier Robert #define CRYPTO_SIGN CRYPTO_CMD(6) /* certificate sign */ 809c2daa00SOllivier Robert #define CRYPTO_IFF CRYPTO_CMD(7) /* IFF identity scheme */ 819c2daa00SOllivier Robert #define CRYPTO_GQ CRYPTO_CMD(8) /* GQ identity scheme */ 829c2daa00SOllivier Robert #define CRYPTO_MV CRYPTO_CMD(9) /* MV identity scheme */ 839c2daa00SOllivier Robert #define CRYPTO_RESP 0x80000000 /* response */ 849c2daa00SOllivier Robert #define CRYPTO_ERROR 0x40000000 /* error */ 85224ba2bdSOllivier Robert 869c2daa00SOllivier Robert /* 879c2daa00SOllivier Robert * Autokey event codes 889c2daa00SOllivier Robert */ 899c2daa00SOllivier Robert #define XEVNT_CMD(x) (CRPT_EVENT | (x)) 909c2daa00SOllivier Robert #define XEVNT_OK XEVNT_CMD(0) /* success */ 919c2daa00SOllivier Robert #define XEVNT_LEN XEVNT_CMD(1) /* bad field format or length */ 929c2daa00SOllivier Robert #define XEVNT_TSP XEVNT_CMD(2) /* bad timestamp */ 939c2daa00SOllivier Robert #define XEVNT_FSP XEVNT_CMD(3) /* bad filestamp */ 94ea906c41SOllivier Robert #define XEVNT_PUB XEVNT_CMD(4) /* bad or missing public key */ 959c2daa00SOllivier Robert #define XEVNT_MD XEVNT_CMD(5) /* unsupported digest type */ 969c2daa00SOllivier Robert #define XEVNT_KEY XEVNT_CMD(6) /* unsupported identity type */ 979c2daa00SOllivier Robert #define XEVNT_SGL XEVNT_CMD(7) /* bad signature length */ 989c2daa00SOllivier Robert #define XEVNT_SIG XEVNT_CMD(8) /* signature not verified */ 999c2daa00SOllivier Robert #define XEVNT_VFY XEVNT_CMD(9) /* certificate not verified */ 100ea906c41SOllivier Robert #define XEVNT_PER XEVNT_CMD(10) /* host certificate expired */ 1019c2daa00SOllivier Robert #define XEVNT_CKY XEVNT_CMD(11) /* bad or missing cookie */ 1022b15cb3dSCy Schubert #define XEVNT_DAT XEVNT_CMD(12) /* bad or missing leapseconds */ 1039c2daa00SOllivier Robert #define XEVNT_CRT XEVNT_CMD(13) /* bad or missing certificate */ 104ea906c41SOllivier Robert #define XEVNT_ID XEVNT_CMD(14) /* bad or missing group key */ 105ea906c41SOllivier Robert #define XEVNT_ERR XEVNT_CMD(15) /* protocol error */ 106224ba2bdSOllivier Robert 107224ba2bdSOllivier Robert /* 1089c2daa00SOllivier Robert * Miscellaneous crypto stuff 109224ba2bdSOllivier Robert */ 1109c2daa00SOllivier Robert #define NTP_MAXSESSION 100 /* maximum session key list entries */ 1112b15cb3dSCy Schubert #define NTP_MAXEXTEN 2048 /* maximum extension field size */ 1122b15cb3dSCy Schubert #define NTP_AUTOMAX 12 /* default key list timeout (log2 s) */ 1132b15cb3dSCy Schubert #define KEY_REVOKE 17 /* default key revoke timeout (log2 s) */ 1142b15cb3dSCy Schubert #define NTP_REFRESH 19 /* default restart timeout (log2 s) */ 1152b15cb3dSCy Schubert #define NTP_MAXKEY 65535 /* maximum symmetric key ID */ 1169c2daa00SOllivier Robert 1179c2daa00SOllivier Robert /* 1189c2daa00SOllivier Robert * The autokey structure holds the values used to authenticate key IDs. 1199c2daa00SOllivier Robert */ 1209c2daa00SOllivier Robert struct autokey { /* network byte order */ 1219c2daa00SOllivier Robert keyid_t key; /* key ID */ 1229c2daa00SOllivier Robert int32 seq; /* key number */ 1239c2daa00SOllivier Robert }; 1249c2daa00SOllivier Robert 1259c2daa00SOllivier Robert /* 1269c2daa00SOllivier Robert * The value structure holds variable length data such as public 1279c2daa00SOllivier Robert * key, agreement parameters, public valule and leapsecond table. 1289c2daa00SOllivier Robert * They are in network byte order. 1299c2daa00SOllivier Robert */ 1309c2daa00SOllivier Robert struct value { /* network byte order */ 1319c2daa00SOllivier Robert tstamp_t tstamp; /* timestamp */ 1329c2daa00SOllivier Robert tstamp_t fstamp; /* filestamp */ 1339c2daa00SOllivier Robert u_int32 vallen; /* value length */ 1342b15cb3dSCy Schubert void *ptr; /* data pointer (various) */ 1359c2daa00SOllivier Robert u_int32 siglen; /* signature length */ 1369c2daa00SOllivier Robert u_char *sig; /* signature */ 1379c2daa00SOllivier Robert }; 1389c2daa00SOllivier Robert 1399c2daa00SOllivier Robert /* 1409c2daa00SOllivier Robert * The packet extension field structures are used to hold values 1419c2daa00SOllivier Robert * and signatures in network byte order. 1429c2daa00SOllivier Robert */ 1439c2daa00SOllivier Robert struct exten { 1449c2daa00SOllivier Robert u_int32 opcode; /* opcode */ 1459c2daa00SOllivier Robert u_int32 associd; /* association ID */ 1469c2daa00SOllivier Robert u_int32 tstamp; /* timestamp */ 1479c2daa00SOllivier Robert u_int32 fstamp; /* filestamp */ 1489c2daa00SOllivier Robert u_int32 vallen; /* value length */ 1499c2daa00SOllivier Robert u_int32 pkt[1]; /* start of value field */ 1509c2daa00SOllivier Robert }; 1519c2daa00SOllivier Robert 1522b15cb3dSCy Schubert 1539c2daa00SOllivier Robert /* 1549c2daa00SOllivier Robert * The certificate info/value structure 1559c2daa00SOllivier Robert */ 1569c2daa00SOllivier Robert struct cert_info { 1579c2daa00SOllivier Robert struct cert_info *link; /* forward link */ 1589c2daa00SOllivier Robert u_int flags; /* flags that wave */ 1599c2daa00SOllivier Robert EVP_PKEY *pkey; /* generic key */ 1609c2daa00SOllivier Robert long version; /* X509 version */ 1619c2daa00SOllivier Robert int nid; /* signature/digest ID */ 1629c2daa00SOllivier Robert const EVP_MD *digest; /* message digest algorithm */ 1639c2daa00SOllivier Robert u_long serial; /* serial number */ 1642b15cb3dSCy Schubert struct calendar first; /* not valid before */ 1652b15cb3dSCy Schubert struct calendar last; /* not valid after */ 1669c2daa00SOllivier Robert char *subject; /* subject common name */ 1679c2daa00SOllivier Robert char *issuer; /* issuer common name */ 1682b15cb3dSCy Schubert BIGNUM *grpkey; /* GQ group key */ 1699c2daa00SOllivier Robert struct value cert; /* certificate/value */ 1709c2daa00SOllivier Robert }; 171224ba2bdSOllivier Robert 172224ba2bdSOllivier Robert /* 1732b15cb3dSCy Schubert * The keys info/value structure 1742b15cb3dSCy Schubert */ 1752b15cb3dSCy Schubert struct pkey_info { 1762b15cb3dSCy Schubert struct pkey_info *link; /* forward link */ 1772b15cb3dSCy Schubert EVP_PKEY *pkey; /* generic key */ 1782b15cb3dSCy Schubert char *name; /* file name */ 1792b15cb3dSCy Schubert tstamp_t fstamp; /* filestamp */ 1802b15cb3dSCy Schubert }; 1812b15cb3dSCy Schubert 1822b15cb3dSCy Schubert /* 183224ba2bdSOllivier Robert * Cryptographic values 184224ba2bdSOllivier Robert */ 185224ba2bdSOllivier Robert extern u_int crypto_flags; /* status word */ 1862b15cb3dSCy Schubert extern int crypto_nid; /* digest nid */ 1879c2daa00SOllivier Robert extern struct value hostval; /* host name/value */ 1889c2daa00SOllivier Robert extern struct cert_info *cinfo; /* host certificate information */ 189224ba2bdSOllivier Robert extern struct value tai_leap; /* leapseconds table */ 1902b15cb3dSCy Schubert #endif /* AUTOKEY */ 1912b15cb3dSCy Schubert #endif /* NTP_CRYPTO_H */ 192