1224ba2bdSOllivier Robert /* 2224ba2bdSOllivier Robert * ntp_crypto.h - definitions for cryptographic operations 3224ba2bdSOllivier Robert */ 4*2b15cb3dSCy Schubert #ifndef NTP_CRYPTO_H 5*2b15cb3dSCy Schubert #define NTP_CRYPTO_H 6*2b15cb3dSCy Schubert 7*2b15cb3dSCy Schubert /* 8*2b15cb3dSCy Schubert * Configuration codes (also needed for parser without AUTOKEY) 9*2b15cb3dSCy Schubert */ 10*2b15cb3dSCy Schubert #define CRYPTO_CONF_NONE 0 /* nothing doing */ 11*2b15cb3dSCy Schubert #define CRYPTO_CONF_PRIV 1 /* host name */ 12*2b15cb3dSCy Schubert #define CRYPTO_CONF_IDENT 2 /* group name */ 13*2b15cb3dSCy Schubert #define CRYPTO_CONF_CERT 3 /* certificate file name */ 14*2b15cb3dSCy Schubert #define CRYPTO_CONF_RAND 4 /* random seed file name */ 15*2b15cb3dSCy Schubert #define CRYPTO_CONF_IFFPAR 5 /* IFF parameters file name */ 16*2b15cb3dSCy Schubert #define CRYPTO_CONF_GQPAR 6 /* GQ parameters file name */ 17*2b15cb3dSCy Schubert #define CRYPTO_CONF_MVPAR 7 /* MV parameters file name */ 18*2b15cb3dSCy Schubert #define CRYPTO_CONF_PW 8 /* private key password */ 19*2b15cb3dSCy Schubert #define CRYPTO_CONF_NID 9 /* specify digest name */ 20*2b15cb3dSCy Schubert 21*2b15cb3dSCy Schubert #ifdef AUTOKEY 22*2b15cb3dSCy Schubert #ifndef OPENSSL 23*2b15cb3dSCy Schubert #error AUTOKEY should be defined only if OPENSSL is. 24*2b15cb3dSCy Schubert invalidsyntax: AUTOKEY should be defined only if OPENSSL is. 25*2b15cb3dSCy Schubert #endif 26*2b15cb3dSCy Schubert 279c2daa00SOllivier Robert #include "openssl/evp.h" 28*2b15cb3dSCy Schubert #include "ntp_calendar.h" /* for fields in the cert_info structure */ 29*2b15cb3dSCy Schubert 30*2b15cb3dSCy Schubert 319c2daa00SOllivier Robert /* 329c2daa00SOllivier Robert * The following bits are set by the CRYPTO_ASSOC message from 339c2daa00SOllivier Robert * the server and are not modified by the client. 349c2daa00SOllivier Robert */ 359c2daa00SOllivier Robert #define CRYPTO_FLAG_ENAB 0x0001 /* crypto enable */ 369c2daa00SOllivier Robert #define CRYPTO_FLAG_TAI 0x0002 /* leapseconds table */ 37224ba2bdSOllivier Robert 389c2daa00SOllivier Robert #define CRYPTO_FLAG_PRIV 0x0010 /* PC identity scheme */ 399c2daa00SOllivier Robert #define CRYPTO_FLAG_IFF 0x0020 /* IFF identity scheme */ 409c2daa00SOllivier Robert #define CRYPTO_FLAG_GQ 0x0040 /* GQ identity scheme */ 419c2daa00SOllivier Robert #define CRYPTO_FLAG_MV 0x0080 /* MV identity scheme */ 429c2daa00SOllivier Robert #define CRYPTO_FLAG_MASK 0x00f0 /* identity scheme mask */ 43224ba2bdSOllivier Robert 44224ba2bdSOllivier Robert /* 459c2daa00SOllivier Robert * The following bits are used by the client during the protocol 469c2daa00SOllivier Robert * exchange. 47224ba2bdSOllivier Robert */ 48*2b15cb3dSCy Schubert #define CRYPTO_FLAG_CERT 0x0100 /* public key verified */ 499c2daa00SOllivier Robert #define CRYPTO_FLAG_VRFY 0x0200 /* identity verified */ 509c2daa00SOllivier Robert #define CRYPTO_FLAG_PROV 0x0400 /* signature verified */ 51*2b15cb3dSCy Schubert #define CRYPTO_FLAG_COOK 0x0800 /* cookie verifed */ 529c2daa00SOllivier Robert #define CRYPTO_FLAG_AUTO 0x1000 /* autokey verified */ 539c2daa00SOllivier Robert #define CRYPTO_FLAG_SIGN 0x2000 /* certificate signed */ 54*2b15cb3dSCy Schubert #define CRYPTO_FLAG_LEAP 0x4000 /* leapsecond values verified */ 55*2b15cb3dSCy Schubert #define CRYPTO_FLAG_ALL 0x7f00 /* all mask */ 569c2daa00SOllivier Robert 579c2daa00SOllivier Robert /* 589c2daa00SOllivier Robert * Flags used for certificate management 599c2daa00SOllivier Robert */ 60ea906c41SOllivier Robert #define CERT_TRUST 0x01 /* certificate is trusted */ 61ea906c41SOllivier Robert #define CERT_SIGN 0x02 /* certificate is signed */ 62ea906c41SOllivier Robert #define CERT_VALID 0x04 /* certificate is valid */ 63ea906c41SOllivier Robert #define CERT_PRIV 0x08 /* certificate is private */ 649c2daa00SOllivier Robert #define CERT_ERROR 0x80 /* certificate has errors */ 65224ba2bdSOllivier Robert 66224ba2bdSOllivier Robert /* 67224ba2bdSOllivier Robert * Extension field definitions 68224ba2bdSOllivier Robert */ 699c2daa00SOllivier Robert #define CRYPTO_MAXLEN 1024 /* max extension field length */ 709c2daa00SOllivier Robert #define CRYPTO_VN 2 /* current protocol version number */ 719c2daa00SOllivier Robert #define CRYPTO_CMD(x) (((CRYPTO_VN << 8) | (x)) << 16) 729c2daa00SOllivier Robert #define CRYPTO_NULL CRYPTO_CMD(0) /* no operation */ 739c2daa00SOllivier Robert #define CRYPTO_ASSOC CRYPTO_CMD(1) /* association */ 749c2daa00SOllivier Robert #define CRYPTO_CERT CRYPTO_CMD(2) /* certificate */ 759c2daa00SOllivier Robert #define CRYPTO_COOK CRYPTO_CMD(3) /* cookie value */ 769c2daa00SOllivier Robert #define CRYPTO_AUTO CRYPTO_CMD(4) /* autokey values */ 77*2b15cb3dSCy Schubert #define CRYPTO_LEAP CRYPTO_CMD(5) /* leapsecond values */ 789c2daa00SOllivier Robert #define CRYPTO_SIGN CRYPTO_CMD(6) /* certificate sign */ 799c2daa00SOllivier Robert #define CRYPTO_IFF CRYPTO_CMD(7) /* IFF identity scheme */ 809c2daa00SOllivier Robert #define CRYPTO_GQ CRYPTO_CMD(8) /* GQ identity scheme */ 819c2daa00SOllivier Robert #define CRYPTO_MV CRYPTO_CMD(9) /* MV identity scheme */ 829c2daa00SOllivier Robert #define CRYPTO_RESP 0x80000000 /* response */ 839c2daa00SOllivier Robert #define CRYPTO_ERROR 0x40000000 /* error */ 84224ba2bdSOllivier Robert 859c2daa00SOllivier Robert /* 869c2daa00SOllivier Robert * Autokey event codes 879c2daa00SOllivier Robert */ 889c2daa00SOllivier Robert #define XEVNT_CMD(x) (CRPT_EVENT | (x)) 899c2daa00SOllivier Robert #define XEVNT_OK XEVNT_CMD(0) /* success */ 909c2daa00SOllivier Robert #define XEVNT_LEN XEVNT_CMD(1) /* bad field format or length */ 919c2daa00SOllivier Robert #define XEVNT_TSP XEVNT_CMD(2) /* bad timestamp */ 929c2daa00SOllivier Robert #define XEVNT_FSP XEVNT_CMD(3) /* bad filestamp */ 93ea906c41SOllivier Robert #define XEVNT_PUB XEVNT_CMD(4) /* bad or missing public key */ 949c2daa00SOllivier Robert #define XEVNT_MD XEVNT_CMD(5) /* unsupported digest type */ 959c2daa00SOllivier Robert #define XEVNT_KEY XEVNT_CMD(6) /* unsupported identity type */ 969c2daa00SOllivier Robert #define XEVNT_SGL XEVNT_CMD(7) /* bad signature length */ 979c2daa00SOllivier Robert #define XEVNT_SIG XEVNT_CMD(8) /* signature not verified */ 989c2daa00SOllivier Robert #define XEVNT_VFY XEVNT_CMD(9) /* certificate not verified */ 99ea906c41SOllivier Robert #define XEVNT_PER XEVNT_CMD(10) /* host certificate expired */ 1009c2daa00SOllivier Robert #define XEVNT_CKY XEVNT_CMD(11) /* bad or missing cookie */ 101*2b15cb3dSCy Schubert #define XEVNT_DAT XEVNT_CMD(12) /* bad or missing leapseconds */ 1029c2daa00SOllivier Robert #define XEVNT_CRT XEVNT_CMD(13) /* bad or missing certificate */ 103ea906c41SOllivier Robert #define XEVNT_ID XEVNT_CMD(14) /* bad or missing group key */ 104ea906c41SOllivier Robert #define XEVNT_ERR XEVNT_CMD(15) /* protocol error */ 105224ba2bdSOllivier Robert 106224ba2bdSOllivier Robert /* 1079c2daa00SOllivier Robert * Miscellaneous crypto stuff 108224ba2bdSOllivier Robert */ 1099c2daa00SOllivier Robert #define NTP_MAXSESSION 100 /* maximum session key list entries */ 110*2b15cb3dSCy Schubert #define NTP_MAXEXTEN 2048 /* maximum extension field size */ 111*2b15cb3dSCy Schubert #define NTP_AUTOMAX 12 /* default key list timeout (log2 s) */ 112*2b15cb3dSCy Schubert #define KEY_REVOKE 17 /* default key revoke timeout (log2 s) */ 113*2b15cb3dSCy Schubert #define NTP_REFRESH 19 /* default restart timeout (log2 s) */ 114*2b15cb3dSCy Schubert #define NTP_MAXKEY 65535 /* maximum symmetric key ID */ 1159c2daa00SOllivier Robert 1169c2daa00SOllivier Robert /* 1179c2daa00SOllivier Robert * The autokey structure holds the values used to authenticate key IDs. 1189c2daa00SOllivier Robert */ 1199c2daa00SOllivier Robert struct autokey { /* network byte order */ 1209c2daa00SOllivier Robert keyid_t key; /* key ID */ 1219c2daa00SOllivier Robert int32 seq; /* key number */ 1229c2daa00SOllivier Robert }; 1239c2daa00SOllivier Robert 1249c2daa00SOllivier Robert /* 1259c2daa00SOllivier Robert * The value structure holds variable length data such as public 1269c2daa00SOllivier Robert * key, agreement parameters, public valule and leapsecond table. 1279c2daa00SOllivier Robert * They are in network byte order. 1289c2daa00SOllivier Robert */ 1299c2daa00SOllivier Robert struct value { /* network byte order */ 1309c2daa00SOllivier Robert tstamp_t tstamp; /* timestamp */ 1319c2daa00SOllivier Robert tstamp_t fstamp; /* filestamp */ 1329c2daa00SOllivier Robert u_int32 vallen; /* value length */ 133*2b15cb3dSCy Schubert void *ptr; /* data pointer (various) */ 1349c2daa00SOllivier Robert u_int32 siglen; /* signature length */ 1359c2daa00SOllivier Robert u_char *sig; /* signature */ 1369c2daa00SOllivier Robert }; 1379c2daa00SOllivier Robert 1389c2daa00SOllivier Robert /* 1399c2daa00SOllivier Robert * The packet extension field structures are used to hold values 1409c2daa00SOllivier Robert * and signatures in network byte order. 1419c2daa00SOllivier Robert */ 1429c2daa00SOllivier Robert struct exten { 1439c2daa00SOllivier Robert u_int32 opcode; /* opcode */ 1449c2daa00SOllivier Robert u_int32 associd; /* association ID */ 1459c2daa00SOllivier Robert u_int32 tstamp; /* timestamp */ 1469c2daa00SOllivier Robert u_int32 fstamp; /* filestamp */ 1479c2daa00SOllivier Robert u_int32 vallen; /* value length */ 1489c2daa00SOllivier Robert u_int32 pkt[1]; /* start of value field */ 1499c2daa00SOllivier Robert }; 1509c2daa00SOllivier Robert 151*2b15cb3dSCy Schubert 1529c2daa00SOllivier Robert /* 1539c2daa00SOllivier Robert * The certificate info/value structure 1549c2daa00SOllivier Robert */ 1559c2daa00SOllivier Robert struct cert_info { 1569c2daa00SOllivier Robert struct cert_info *link; /* forward link */ 1579c2daa00SOllivier Robert u_int flags; /* flags that wave */ 1589c2daa00SOllivier Robert EVP_PKEY *pkey; /* generic key */ 1599c2daa00SOllivier Robert long version; /* X509 version */ 1609c2daa00SOllivier Robert int nid; /* signature/digest ID */ 1619c2daa00SOllivier Robert const EVP_MD *digest; /* message digest algorithm */ 1629c2daa00SOllivier Robert u_long serial; /* serial number */ 163*2b15cb3dSCy Schubert struct calendar first; /* not valid before */ 164*2b15cb3dSCy Schubert struct calendar last; /* not valid after */ 1659c2daa00SOllivier Robert char *subject; /* subject common name */ 1669c2daa00SOllivier Robert char *issuer; /* issuer common name */ 167*2b15cb3dSCy Schubert BIGNUM *grpkey; /* GQ group key */ 1689c2daa00SOllivier Robert struct value cert; /* certificate/value */ 1699c2daa00SOllivier Robert }; 170224ba2bdSOllivier Robert 171224ba2bdSOllivier Robert /* 172*2b15cb3dSCy Schubert * The keys info/value structure 173*2b15cb3dSCy Schubert */ 174*2b15cb3dSCy Schubert struct pkey_info { 175*2b15cb3dSCy Schubert struct pkey_info *link; /* forward link */ 176*2b15cb3dSCy Schubert EVP_PKEY *pkey; /* generic key */ 177*2b15cb3dSCy Schubert char *name; /* file name */ 178*2b15cb3dSCy Schubert tstamp_t fstamp; /* filestamp */ 179*2b15cb3dSCy Schubert }; 180*2b15cb3dSCy Schubert 181*2b15cb3dSCy Schubert /* 182224ba2bdSOllivier Robert * Cryptographic values 183224ba2bdSOllivier Robert */ 184224ba2bdSOllivier Robert extern u_int crypto_flags; /* status word */ 185*2b15cb3dSCy Schubert extern int crypto_nid; /* digest nid */ 1869c2daa00SOllivier Robert extern struct value hostval; /* host name/value */ 1879c2daa00SOllivier Robert extern struct cert_info *cinfo; /* host certificate information */ 188224ba2bdSOllivier Robert extern struct value tai_leap; /* leapseconds table */ 189*2b15cb3dSCy Schubert #endif /* AUTOKEY */ 190*2b15cb3dSCy Schubert #endif /* NTP_CRYPTO_H */ 191