xref: /freebsd/contrib/ntp/ntpd/ntp_crypto.c (revision c98323078dede7579020518ec84cdcb478e5c142)
1 /*
2  * ntp_crypto.c - NTP version 4 public key routines
3  */
4 #ifdef HAVE_CONFIG_H
5 #include <config.h>
6 #endif
7 
8 #ifdef OPENSSL
9 #include <stdio.h>
10 #include <sys/types.h>
11 #include <sys/param.h>
12 #include <unistd.h>
13 #include <fcntl.h>
14 
15 #include "ntpd.h"
16 #include "ntp_stdlib.h"
17 #include "ntp_unixtime.h"
18 #include "ntp_string.h"
19 
20 #include "openssl/asn1_mac.h"
21 #include "openssl/bn.h"
22 #include "openssl/err.h"
23 #include "openssl/evp.h"
24 #include "openssl/pem.h"
25 #include "openssl/rand.h"
26 #include "openssl/x509v3.h"
27 
28 #ifdef KERNEL_PLL
29 #include "ntp_syscall.h"
30 #endif /* KERNEL_PLL */
31 
32 /*
33  * Extension field message format
34  *
35  * These are always signed and saved before sending in network byte
36  * order. They must be converted to and from host byte order for
37  * processing.
38  *
39  * +-------+-------+
40  * |   op  |  len  | <- extension pointer
41  * +-------+-------+
42  * |    assocID    |
43  * +---------------+
44  * |   timestamp   | <- value pointer
45  * +---------------+
46  * |   filestamp   |
47  * +---------------+
48  * |   value len   |
49  * +---------------+
50  * |               |
51  * =     value     =
52  * |               |
53  * +---------------+
54  * | signature len |
55  * +---------------+
56  * |               |
57  * =   signature   =
58  * |               |
59  * +---------------+
60  *
61  * The CRYPTO_RESP bit is set to 0 for requests, 1 for responses.
62  * Requests carry the association ID of the receiver; responses carry
63  * the association ID of the sender. Some messages include only the
64  * operation/length and association ID words and so have length 8
65  * octets. Ohers include the value structure and associated value and
66  * signature fields. These messages include the timestamp, filestamp,
67  * value and signature words and so have length at least 24 octets. The
68  * signature and/or value fields can be empty, in which case the
69  * respective length words are zero. An empty value with nonempty
70  * signature is syntactically valid, but semantically questionable.
71  *
72  * The filestamp represents the time when a cryptographic data file such
73  * as a public/private key pair is created. It follows every reference
74  * depending on that file and serves as a means to obsolete earlier data
75  * of the same type. The timestamp represents the time when the
76  * cryptographic data of the message were last signed. Creation of a
77  * cryptographic data file or signing a message can occur only when the
78  * creator or signor is synchronized to an authoritative source and
79  * proventicated to a trusted authority.
80  *
81  * Note there are four conditions required for server trust. First, the
82  * public key on the certificate must be verified, which involves a
83  * number of format, content and consistency checks. Next, the server
84  * identity must be confirmed by one of four schemes: private
85  * certificate, IFF scheme, GQ scheme or certificate trail hike to a
86  * self signed trusted certificate. Finally, the server signature must
87  * be verified.
88  */
89 /*
90  * Cryptodefines
91  */
92 #define TAI_1972	10	/* initial TAI offset (s) */
93 #define MAX_LEAP	100	/* max UTC leapseconds (s) */
94 #define VALUE_LEN	(6 * 4) /* min response field length */
95 #define YEAR		(60 * 60 * 24 * 365) /* seconds in year */
96 
97 /*
98  * Global cryptodata in host byte order
99  */
100 u_int32	crypto_flags = 0x0;	/* status word */
101 u_int	sys_tai;		/* current UTC offset from TAI */
102 
103 /*
104  * Global cryptodata in network byte order
105  */
106 struct cert_info *cinfo = NULL;	/* certificate info/value */
107 struct value hostval;		/* host value */
108 struct value pubkey;		/* public key */
109 struct value tai_leap;		/* leapseconds table */
110 
111 /*
112  * Private cryptodata in host byte order
113  */
114 static char *passwd = NULL;	/* private key password */
115 static EVP_PKEY *host_pkey = NULL; /* host key */
116 static EVP_PKEY *sign_pkey = NULL; /* sign key */
117 static EVP_PKEY *iffpar_pkey = NULL; /* IFF parameters */
118 static EVP_PKEY	*gqpar_pkey = NULL; /* GQ parameters */
119 static EVP_PKEY	*mvpar_pkey = NULL; /* MV parameters */
120 static const EVP_MD *sign_digest = NULL; /* sign digest */
121 static u_int sign_siglen;	/* sign key length */
122 static char *rand_file = NULL;	/* random seed file */
123 static char *host_file = NULL;	/* host key file */
124 static char *sign_file = NULL;	/* sign key file */
125 static char *iffpar_file = NULL; /* IFF parameters file */
126 static char *gqpar_file = NULL;	/* GQ parameters file */
127 static char *mvpar_file = NULL;	/* MV parameters file */
128 static char *cert_file = NULL;	/* certificate file */
129 static char *leap_file = NULL;	/* leapseconds file */
130 static tstamp_t if_fstamp = 0;	/* IFF file stamp */
131 static tstamp_t gq_fstamp = 0;	/* GQ file stamp */
132 static tstamp_t mv_fstamp = 0;	/* MV file stamp */
133 
134 /*
135  * Cryptotypes
136  */
137 static	int	crypto_verify	P((struct exten *, struct value *,
138 				    struct peer *));
139 static	int	crypto_encrypt	P((struct exten *, struct value *,
140 				    keyid_t *));
141 static	int	crypto_alice	P((struct peer *, struct value *));
142 static	int	crypto_alice2	P((struct peer *, struct value *));
143 static	int	crypto_alice3	P((struct peer *, struct value *));
144 static	int	crypto_bob	P((struct exten *, struct value *));
145 static	int	crypto_bob2	P((struct exten *, struct value *));
146 static	int	crypto_bob3	P((struct exten *, struct value *));
147 static	int	crypto_iff	P((struct exten *, struct peer *));
148 static	int	crypto_gq	P((struct exten *, struct peer *));
149 static	int	crypto_mv	P((struct exten *, struct peer *));
150 static	u_int	crypto_send	P((struct exten *, struct value *));
151 static	tstamp_t crypto_time	P((void));
152 static	u_long	asn2ntp		P((ASN1_TIME *));
153 static	struct cert_info *cert_parse P((u_char *, u_int, tstamp_t));
154 static	int	cert_sign	P((struct exten *, struct value *));
155 static	int	cert_valid	P((struct cert_info *, EVP_PKEY *));
156 static	int	cert_install	P((struct exten *, struct peer *));
157 static	void	cert_free	P((struct cert_info *));
158 static	EVP_PKEY *crypto_key	P((char *, tstamp_t *));
159 static	int	bighash		P((BIGNUM *, BIGNUM *));
160 static	struct cert_info *crypto_cert P((char *));
161 static	void	crypto_tai	P((char *));
162 
163 #ifdef SYS_WINNT
164 int
165 readlink(char * link, char * file, int len) {
166 	return (-1);
167 }
168 #endif
169 
170 /*
171  * session_key - generate session key
172  *
173  * This routine generates a session key from the source address,
174  * destination address, key ID and private value. The value of the
175  * session key is the MD5 hash of these values, while the next key ID is
176  * the first four octets of the hash.
177  *
178  * Returns the next key ID
179  */
180 keyid_t
181 session_key(
182 	struct sockaddr_storage *srcadr, /* source address */
183 	struct sockaddr_storage *dstadr, /* destination address */
184 	keyid_t	keyno,		/* key ID */
185 	keyid_t	private,	/* private value */
186 	u_long	lifetime 	/* key lifetime */
187 	)
188 {
189 	EVP_MD_CTX ctx;		/* message digest context */
190 	u_char dgst[EVP_MAX_MD_SIZE]; /* message digest */
191 	keyid_t	keyid;		/* key identifer */
192 	u_int32	header[10];	/* data in network byte order */
193 	u_int	hdlen, len;
194 
195 	/*
196 	 * Generate the session key and key ID. If the lifetime is
197 	 * greater than zero, install the key and call it trusted.
198 	 */
199 	hdlen = 0;
200 	switch(srcadr->ss_family) {
201 	case AF_INET:
202 		header[0] = ((struct sockaddr_in *)srcadr)->sin_addr.s_addr;
203 		header[1] = ((struct sockaddr_in *)dstadr)->sin_addr.s_addr;
204 		header[2] = htonl(keyno);
205 		header[3] = htonl(private);
206 		hdlen = 4 * sizeof(u_int32);
207 		break;
208 	case AF_INET6:
209 		memcpy(&header[0], &GET_INADDR6(*srcadr),
210 		    sizeof(struct in6_addr));
211 		memcpy(&header[4], &GET_INADDR6(*dstadr),
212 		    sizeof(struct in6_addr));
213 		header[8] = htonl(keyno);
214 		header[9] = htonl(private);
215 		hdlen = 10 * sizeof(u_int32);
216 		break;
217 	}
218 	EVP_DigestInit(&ctx, EVP_md5());
219 	EVP_DigestUpdate(&ctx, (u_char *)header, hdlen);
220 	EVP_DigestFinal(&ctx, dgst, &len);
221 	memcpy(&keyid, dgst, 4);
222 	keyid = ntohl(keyid);
223 	if (lifetime != 0) {
224 		MD5auth_setkey(keyno, dgst, len);
225 		authtrust(keyno, lifetime);
226 	}
227 #ifdef DEBUG
228 	if (debug > 1)
229 		printf(
230 		    "session_key: %s > %s %08x %08x hash %08x life %lu\n",
231 		    stoa(srcadr), stoa(dstadr), keyno,
232 		    private, keyid, lifetime);
233 #endif
234 	return (keyid);
235 }
236 
237 
238 /*
239  * make_keylist - generate key list
240  *
241  * This routine constructs a pseudo-random sequence by repeatedly
242  * hashing the session key starting from a given source address,
243  * destination address, private value and the next key ID of the
244  * preceeding session key. The last entry on the list is saved along
245  * with its sequence number and public signature.
246  */
247 void
248 make_keylist(
249 	struct peer *peer,	/* peer structure pointer */
250 	struct interface *dstadr /* interface */
251 	)
252 {
253 	EVP_MD_CTX ctx;		/* signature context */
254 	tstamp_t tstamp;	/* NTP timestamp */
255 	struct autokey *ap;	/* autokey pointer */
256 	struct value *vp;	/* value pointer */
257 	keyid_t	keyid = 0;	/* next key ID */
258 	keyid_t	cookie;		/* private value */
259 	u_long	lifetime;
260 	u_int	len;
261 	int	i;
262 
263 	/*
264 	 * Allocate the key list if necessary.
265 	 */
266 	tstamp = crypto_time();
267 	if (peer->keylist == NULL)
268 		peer->keylist = emalloc(sizeof(keyid_t) *
269 		    NTP_MAXSESSION);
270 
271 	/*
272 	 * Generate an initial key ID which is unique and greater than
273 	 * NTP_MAXKEY.
274 	 */
275 	while (1) {
276 		keyid = (u_long)RANDOM & 0xffffffff;
277 		if (keyid <= NTP_MAXKEY)
278 			continue;
279 		if (authhavekey(keyid))
280 			continue;
281 		break;
282 	}
283 
284 	/*
285 	 * Generate up to NTP_MAXSESSION session keys. Stop if the
286 	 * next one would not be unique or not a session key ID or if
287 	 * it would expire before the next poll. The private value
288 	 * included in the hash is zero if broadcast mode, the peer
289 	 * cookie if client mode or the host cookie if symmetric modes.
290 	 */
291 	lifetime = min(sys_automax, (unsigned long) NTP_MAXSESSION * (1 <<(peer->kpoll)));
292 	if (peer->hmode == MODE_BROADCAST)
293 		cookie = 0;
294 	else
295 		cookie = peer->pcookie;
296 	for (i = 0; i < NTP_MAXSESSION; i++) {
297 		peer->keylist[i] = keyid;
298 		peer->keynumber = i;
299 		keyid = session_key(&dstadr->sin, &peer->srcadr, keyid,
300 		    cookie, lifetime);
301 		lifetime -= 1 << peer->kpoll;
302 		if (auth_havekey(keyid) || keyid <= NTP_MAXKEY ||
303 		    lifetime <= (unsigned long)(1 << (peer->kpoll)))
304 			break;
305 	}
306 
307 	/*
308 	 * Save the last session key ID, sequence number and timestamp,
309 	 * then sign these values for later retrieval by the clients. Be
310 	 * careful not to use invalid key media. Use the public values
311 	 * timestamp as filestamp.
312 	 */
313 	vp = &peer->sndval;
314 	if (vp->ptr == NULL)
315 		vp->ptr = emalloc(sizeof(struct autokey));
316 	ap = (struct autokey *)vp->ptr;
317 	ap->seq = htonl(peer->keynumber);
318 	ap->key = htonl(keyid);
319 	vp->tstamp = htonl(tstamp);
320 	vp->fstamp = hostval.tstamp;
321 	vp->vallen = htonl(sizeof(struct autokey));
322 	vp->siglen = 0;
323 	if (vp->tstamp != 0) {
324 		if (vp->sig == NULL)
325 			vp->sig = emalloc(sign_siglen);
326 		EVP_SignInit(&ctx, sign_digest);
327 		EVP_SignUpdate(&ctx, (u_char *)vp, 12);
328 		EVP_SignUpdate(&ctx, vp->ptr, sizeof(struct autokey));
329 		if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
330 			vp->siglen = htonl(len);
331 		else
332 			msyslog(LOG_ERR, "make_keys %s\n",
333 			    ERR_error_string(ERR_get_error(), NULL));
334 		peer->flags |= FLAG_ASSOC;
335 	}
336 #ifdef DEBUG
337 	if (debug)
338 		printf("make_keys: %d %08x %08x ts %u fs %u poll %d\n",
339 		    ntohl(ap->seq), ntohl(ap->key), cookie,
340 		    ntohl(vp->tstamp), ntohl(vp->fstamp), peer->kpoll);
341 #endif
342 }
343 
344 
345 /*
346  * crypto_recv - parse extension fields
347  *
348  * This routine is called when the packet has been matched to an
349  * association and passed sanity, format and MAC checks. We believe the
350  * extension field values only if the field has proper format and
351  * length, the timestamp and filestamp are valid and the signature has
352  * valid length and is verified. There are a few cases where some values
353  * are believed even if the signature fails, but only if the proventic
354  * bit is not set.
355  */
356 int
357 crypto_recv(
358 	struct peer *peer,	/* peer structure pointer */
359 	struct recvbuf *rbufp	/* packet buffer pointer */
360 	)
361 {
362 	const EVP_MD *dp;	/* message digest algorithm */
363 	u_int32	*pkt;		/* receive packet pointer */
364 	struct autokey *ap, *bp; /* autokey pointer */
365 	struct exten *ep, *fp;	/* extension pointers */
366 	int	has_mac;	/* length of MAC field */
367 	int	authlen;	/* offset of MAC field */
368 	associd_t associd;	/* association ID */
369 	tstamp_t tstamp = 0;	/* timestamp */
370 	tstamp_t fstamp = 0;	/* filestamp */
371 	u_int	len;		/* extension field length */
372 	u_int	code;		/* extension field opcode */
373 	u_int	vallen = 0;	/* value length */
374 	X509	*cert;		/* X509 certificate */
375 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
376 	keyid_t	cookie;		/* crumbles */
377 	int	rval = XEVNT_OK;
378 	u_char	*ptr;
379 	u_int32 temp32;
380 #ifdef KERNEL_PLL
381 #if NTP_API > 3
382 	struct timex ntv;	/* kernel interface structure */
383 #endif /* NTP_API */
384 #endif /* KERNEL_PLL */
385 
386 	/*
387 	 * Initialize. Note that the packet has already been checked for
388 	 * valid format and extension field lengths. First extract the
389 	 * field length, command code and association ID in host byte
390 	 * order. These are used with all commands and modes. Then check
391 	 * the version number, which must be 2, and length, which must
392 	 * be at least 8 for requests and VALUE_LEN (24) for responses.
393 	 * Packets that fail either test sink without a trace. The
394 	 * association ID is saved only if nonzero.
395 	 */
396 	authlen = LEN_PKT_NOMAC;
397 	while ((has_mac = rbufp->recv_length - authlen) > MAX_MAC_LEN) {
398 		pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4;
399 		ep = (struct exten *)pkt;
400 		code = ntohl(ep->opcode) & 0xffff0000;
401 		len = ntohl(ep->opcode) & 0x0000ffff;
402 		associd = (associd_t) ntohl(pkt[1]);
403 		rval = XEVNT_OK;
404 #ifdef DEBUG
405 		if (debug)
406 			printf(
407 			    "crypto_recv: flags 0x%x ext offset %d len %u code %x assocID %d\n",
408 			    peer->crypto, authlen, len, code >> 16,
409 			    associd);
410 #endif
411 
412 		/*
413 		 * Check version number and field length. If bad,
414 		 * quietly ignore the packet.
415 		 */
416 		if (((code >> 24) & 0x3f) != CRYPTO_VN || len < 8 ||
417 		    (len < VALUE_LEN && (code & CRYPTO_RESP))) {
418 			sys_unknownversion++;
419 			code |= CRYPTO_ERROR;
420 		}
421 
422 		/*
423 		 * Little vulnerability bandage here. If a perp tosses a
424 		 * fake association ID over the fence, we better toss it
425 		 * out. Only the first one counts.
426 		 */
427 		if (code & CRYPTO_RESP) {
428 			if (peer->assoc == 0)
429 				peer->assoc = associd;
430 			else if (peer->assoc != associd)
431 				code |= CRYPTO_ERROR;
432 		}
433 		if (len >= VALUE_LEN) {
434 			tstamp = ntohl(ep->tstamp);
435 			fstamp = ntohl(ep->fstamp);
436 			vallen = ntohl(ep->vallen);
437 		}
438 		switch (code) {
439 
440 		/*
441 		 * Install status word, host name, signature scheme and
442 		 * association ID. In OpenSSL the signature algorithm is
443 		 * bound to the digest algorithm, so the NID completely
444 		 * defines the signature scheme. Note the request and
445 		 * response are identical, but neither is validated by
446 		 * signature. The request is processed here only in
447 		 * symmetric modes. The server name field would be
448 		 * useful to implement access controls in future.
449 		 */
450 		case CRYPTO_ASSOC:
451 
452 			/*
453 			 * Pass the extension field to the transmit
454 			 * side.
455 			 */
456 			fp = emalloc(len);
457 			memcpy(fp, ep, len);
458 			temp32 = CRYPTO_RESP;
459 			fp->opcode |= htonl(temp32);
460 			peer->cmmd = fp;
461 			/* fall through */
462 
463 		case CRYPTO_ASSOC | CRYPTO_RESP:
464 
465 			/*
466 			 * Discard the message if it has already been
467 			 * stored or the server is not synchronized.
468 			 */
469 			if (peer->crypto || !fstamp)
470 				break;
471 
472 			if (len < VALUE_LEN + vallen) {
473 				rval = XEVNT_LEN;
474 				break;
475 			}
476 
477 			/*
478 			 * Check the identity schemes are compatible. If
479 			 * the client has PC, the server must have PC,
480 			 * in which case the server public key and
481 			 * identity are presumed valid, so we skip the
482 			 * certificate and identity exchanges and move
483 			 * immediately to the cookie exchange which
484 			 * confirms the server signature. If the client
485 			 * has IFF or GC or both, the server must have
486 			 * the same one or both. Otherwise, the default
487 			 * TC scheme is used.
488 			 */
489 			if (crypto_flags & CRYPTO_FLAG_PRIV) {
490 				if (!(fstamp & CRYPTO_FLAG_PRIV))
491 					rval = XEVNT_KEY;
492 				else
493 					fstamp |= CRYPTO_FLAG_VALID |
494 					    CRYPTO_FLAG_VRFY;
495 			} else if (crypto_flags & CRYPTO_FLAG_MASK &&
496 			    !(crypto_flags & fstamp &
497 			    CRYPTO_FLAG_MASK)) {
498 				rval = XEVNT_KEY;
499 			}
500 
501 			/*
502 			 * Discard the message if identity error.
503 			 */
504 			if (rval != XEVNT_OK)
505 				break;
506 
507 			/*
508 			 * Discard the message if the host name length
509 			 * is unreasonable or the signature digest NID
510 			 * is not supported.
511 			 */
512 			temp32 = (fstamp >> 16) & 0xffff;
513 			dp =
514 			    (const EVP_MD *)EVP_get_digestbynid(temp32);
515 			if (vallen == 0 || vallen > MAXHOSTNAME)
516 				rval = XEVNT_LEN;
517 			else if (dp == NULL)
518 				rval = XEVNT_MD;
519 			if (rval != XEVNT_OK)
520 				break;
521 
522 			/*
523 			 * Save status word, host name and message
524 			 * digest/signature type. If PC identity, be
525 			 * sure not to sign the certificate.
526 			 */
527 			if (crypto_flags & CRYPTO_FLAG_PRIV)
528 				fstamp |= CRYPTO_FLAG_SIGN;
529 			peer->crypto = fstamp;
530 			peer->digest = dp;
531 			peer->subject = emalloc(vallen + 1);
532 			memcpy(peer->subject, ep->pkt, vallen);
533 			peer->subject[vallen] = '\0';
534 			peer->issuer = emalloc(vallen + 1);
535 			strcpy(peer->issuer, peer->subject);
536 			temp32 = (fstamp >> 16) & 0xffff;
537 			sprintf(statstr,
538 			    "flags 0x%x host %s signature %s", fstamp,
539 			    peer->subject, OBJ_nid2ln(temp32));
540 			record_crypto_stats(&peer->srcadr, statstr);
541 #ifdef DEBUG
542 			if (debug)
543 				printf("crypto_recv: %s\n", statstr);
544 #endif
545 			break;
546 
547 		/*
548 		 * Decode X509 certificate in ASN.1 format and extract
549 		 * the data containing, among other things, subject
550 		 * name and public key. In the default identification
551 		 * scheme, the certificate trail is followed to a self
552 		 * signed trusted certificate.
553 		 */
554 		case CRYPTO_CERT | CRYPTO_RESP:
555 
556 			/*
557 			 * Discard the message if invalid or identity
558 			 * already confirmed.
559 			 */
560 			if (peer->crypto & CRYPTO_FLAG_VRFY)
561 				break;
562 
563 			if ((rval = crypto_verify(ep, NULL, peer)) !=
564 			    XEVNT_OK)
565 				break;
566 
567 			/*
568 			 * Scan the certificate list to delete old
569 			 * versions and link the newest version first on
570 			 * the list.
571 			 */
572 			if ((rval = cert_install(ep, peer)) != XEVNT_OK)
573 				break;
574 
575 			/*
576 			 * If we snatch the certificate before the
577 			 * server certificate has been signed by its
578 			 * server, it will be self signed. When it is,
579 			 * we chase the certificate issuer, which the
580 			 * server has, and keep going until a self
581 			 * signed trusted certificate is found. Be sure
582 			 * to update the issuer field, since it may
583 			 * change.
584 			 */
585 			if (peer->issuer != NULL)
586 				free(peer->issuer);
587 			peer->issuer = emalloc(strlen(cinfo->issuer) +
588 			    1);
589 			strcpy(peer->issuer, cinfo->issuer);
590 
591 			/*
592 			 * We plug in the public key and group key in
593 			 * the first certificate received. However, note
594 			 * that this certificate might not be signed by
595 			 * the server, so we can't check the
596 			 * signature/digest NID.
597 			 */
598 			if (peer->pkey == NULL) {
599 				ptr = (u_char *)cinfo->cert.ptr;
600 				cert = d2i_X509(NULL, &ptr,
601 				    ntohl(cinfo->cert.vallen));
602 				peer->pkey = X509_get_pubkey(cert);
603 				X509_free(cert);
604 			}
605 			peer->flash &= ~TEST10;
606 			temp32 = cinfo->nid;
607 			sprintf(statstr, "cert %s 0x%x %s (%u) fs %u",
608 			    cinfo->subject, cinfo->flags,
609 			    OBJ_nid2ln(temp32), temp32,
610 			    ntohl(ep->fstamp));
611 			record_crypto_stats(&peer->srcadr, statstr);
612 #ifdef DEBUG
613 			if (debug)
614 				printf("crypto_recv: %s\n", statstr);
615 #endif
616 			break;
617 
618 		/*
619 		 * Schnorr (IFF)identity scheme. This scheme is designed
620 		 * for use with shared secret group keys and where the
621 		 * certificate may be generated by a third party. The
622 		 * client sends a challenge to the server, which
623 		 * performs a calculation and returns the result. A
624 		 * positive result is possible only if both client and
625 		 * server contain the same secret group key.
626 		 */
627 		case CRYPTO_IFF | CRYPTO_RESP:
628 
629 			/*
630 			 * Discard the message if invalid or identity
631 			 * already confirmed.
632 			 */
633 			if (peer->crypto & CRYPTO_FLAG_VRFY)
634 				break;
635 
636 			if ((rval = crypto_verify(ep, NULL, peer)) !=
637 			    XEVNT_OK)
638 				break;
639 
640 			/*
641 			 * If the the challenge matches the response,
642 			 * the certificate public key, as well as the
643 			 * server public key, signatyre and identity are
644 			 * all verified at the same time. The server is
645 			 * declared trusted, so we skip further
646 			 * certificate stages and move immediately to
647 			 * the cookie stage.
648 			 */
649 			if ((rval = crypto_iff(ep, peer)) != XEVNT_OK)
650 				break;
651 
652 			peer->crypto |= CRYPTO_FLAG_VRFY |
653 			    CRYPTO_FLAG_PROV;
654 			peer->flash &= ~TEST10;
655 			sprintf(statstr, "iff fs %u",
656 			    ntohl(ep->fstamp));
657 			record_crypto_stats(&peer->srcadr, statstr);
658 #ifdef DEBUG
659 			if (debug)
660 				printf("crypto_recv: %s\n", statstr);
661 #endif
662 			break;
663 
664 		/*
665 		 * Guillou-Quisquater (GQ) identity scheme. This scheme
666 		 * is designed for use with public certificates carrying
667 		 * the GQ public key in an extension field. The client
668 		 * sends a challenge to the server, which performs a
669 		 * calculation and returns the result. A positive result
670 		 * is possible only if both client and server contain
671 		 * the same group key and the server has the matching GQ
672 		 * private key.
673 		 */
674 		case CRYPTO_GQ | CRYPTO_RESP:
675 
676 			/*
677 			 * Discard the message if invalid or identity
678 			 * already confirmed.
679 			 */
680 			if (peer->crypto & CRYPTO_FLAG_VRFY)
681 				break;
682 
683 			if ((rval = crypto_verify(ep, NULL, peer)) !=
684 			    XEVNT_OK)
685 				break;
686 
687 			/*
688 			 * If the the challenge matches the response,
689 			 * the certificate public key, as well as the
690 			 * server public key, signatyre and identity are
691 			 * all verified at the same time. The server is
692 			 * declared trusted, so we skip further
693 			 * certificate stages and move immediately to
694 			 * the cookie stage.
695 			 */
696 			if ((rval = crypto_gq(ep, peer)) != XEVNT_OK)
697 				break;
698 
699 			peer->crypto |= CRYPTO_FLAG_VRFY |
700 			    CRYPTO_FLAG_PROV;
701 			peer->flash &= ~TEST10;
702 			sprintf(statstr, "gq fs %u",
703 			    ntohl(ep->fstamp));
704 			record_crypto_stats(&peer->srcadr, statstr);
705 #ifdef DEBUG
706 			if (debug)
707 				printf("crypto_recv: %s\n", statstr);
708 #endif
709 			break;
710 
711 		/*
712 		 * MV
713 		 */
714 		case CRYPTO_MV | CRYPTO_RESP:
715 
716 			/*
717 			 * Discard the message if invalid or identity
718 			 * already confirmed.
719 			 */
720 			if (peer->crypto & CRYPTO_FLAG_VRFY)
721 				break;
722 
723 			if ((rval = crypto_verify(ep, NULL, peer)) !=
724 			    XEVNT_OK)
725 				break;
726 
727 			/*
728 			 * If the the challenge matches the response,
729 			 * the certificate public key, as well as the
730 			 * server public key, signatyre and identity are
731 			 * all verified at the same time. The server is
732 			 * declared trusted, so we skip further
733 			 * certificate stages and move immediately to
734 			 * the cookie stage.
735 			 */
736 			if ((rval = crypto_mv(ep, peer)) != XEVNT_OK)
737 				break;
738 
739 			peer->crypto |= CRYPTO_FLAG_VRFY |
740 			    CRYPTO_FLAG_PROV;
741 			peer->flash &= ~TEST10;
742 			sprintf(statstr, "mv fs %u",
743 			    ntohl(ep->fstamp));
744 			record_crypto_stats(&peer->srcadr, statstr);
745 #ifdef DEBUG
746 			if (debug)
747 				printf("crypto_recv: %s\n", statstr);
748 #endif
749 			break;
750 
751 		/*
752 		 * X509 certificate sign response. Validate the
753 		 * certificate signed by the server and install. Later
754 		 * this can be provided to clients of this server in
755 		 * lieu of the self signed certificate in order to
756 		 * validate the public key.
757 		 */
758 		case CRYPTO_SIGN | CRYPTO_RESP:
759 
760 			/*
761 			 * Discard the message if invalid or identity
762 			 * not confirmed.
763 			 */
764 			if (!(peer->crypto & CRYPTO_FLAG_VRFY))
765 				break;
766 
767 			if ((rval = crypto_verify(ep, NULL, peer)) !=
768 			    XEVNT_OK)
769 				break;
770 
771 			/*
772 			 * Scan the certificate list to delete old
773 			 * versions and link the newest version first on
774 			 * the list.
775 			 */
776 			if ((rval = cert_install(ep, peer)) != XEVNT_OK) 				break;
777 
778 			peer->crypto |= CRYPTO_FLAG_SIGN;
779 			peer->flash &= ~TEST10;
780 			temp32 = cinfo->nid;
781 			sprintf(statstr, "sign %s 0x%x %s (%u) fs %u",
782 			    cinfo->issuer, cinfo->flags,
783 			    OBJ_nid2ln(temp32), temp32,
784 			    ntohl(ep->fstamp));
785 			record_crypto_stats(&peer->srcadr, statstr);
786 #ifdef DEBUG
787 			if (debug)
788 				printf("crypto_recv: %s\n", statstr);
789 #endif
790 			break;
791 
792 		/*
793 		 * Cookie request in symmetric modes. Roll a random
794 		 * cookie and install in symmetric mode. Encrypt for the
795 		 * response, which is transmitted later.
796 		 */
797 		case CRYPTO_COOK:
798 
799 			/*
800 			 * Discard the message if invalid or identity
801 			 * not confirmed.
802 			 */
803 			if (!(peer->crypto & CRYPTO_FLAG_VRFY))
804 				break;
805 
806 			if ((rval = crypto_verify(ep, NULL, peer)) !=
807 			    XEVNT_OK)
808 				break;
809 
810 			/*
811 			 * Pass the extension field to the transmit
812 			 * side. If already agreed, walk away.
813 			 */
814 			fp = emalloc(len);
815 			memcpy(fp, ep, len);
816 			temp32 = CRYPTO_RESP;
817 			fp->opcode |= htonl(temp32);
818 			peer->cmmd = fp;
819 			if (peer->crypto & CRYPTO_FLAG_AGREE) {
820 				peer->flash &= ~TEST10;
821 				break;
822 			}
823 
824 			/*
825 			 * Install cookie values and light the cookie
826 			 * bit. The transmit side will pick up and
827 			 * encrypt it for the response.
828 			 */
829 			key_expire(peer);
830 			peer->cookval.tstamp = ep->tstamp;
831 			peer->cookval.fstamp = ep->fstamp;
832 			RAND_bytes((u_char *)&peer->pcookie, 4);
833 			peer->crypto &= ~CRYPTO_FLAG_AUTO;
834 			peer->crypto |= CRYPTO_FLAG_AGREE;
835 			peer->flash &= ~TEST10;
836 			sprintf(statstr, "cook %x ts %u fs %u",
837 			    peer->pcookie, ntohl(ep->tstamp),
838 			    ntohl(ep->fstamp));
839 			record_crypto_stats(&peer->srcadr, statstr);
840 #ifdef DEBUG
841 			if (debug)
842 				printf("crypto_recv: %s\n", statstr);
843 #endif
844 			break;
845 
846 		/*
847 		 * Cookie response in client and symmetric modes. If the
848 		 * cookie bit is set, the working cookie is the EXOR of
849 		 * the current and new values.
850 		 */
851 		case CRYPTO_COOK | CRYPTO_RESP:
852 
853 			/*
854 			 * Discard the message if invalid or identity
855 			 * not confirmed or signature not verified with
856 			 * respect to the cookie values.
857 			 */
858 			if (!(peer->crypto & CRYPTO_FLAG_VRFY))
859 				break;
860 
861 			if ((rval = crypto_verify(ep, &peer->cookval,
862 			    peer)) != XEVNT_OK)
863 				break;
864 
865 			/*
866 			 * Decrypt the cookie, hunting all the time for
867 			 * errors.
868 			 */
869 			if (vallen == (u_int) EVP_PKEY_size(host_pkey)) {
870 				RSA_private_decrypt(vallen,
871 				    (u_char *)ep->pkt,
872 				    (u_char *)&temp32,
873 				    host_pkey->pkey.rsa,
874 				    RSA_PKCS1_OAEP_PADDING);
875 				cookie = ntohl(temp32);
876 			} else {
877 				rval = XEVNT_CKY;
878 				break;
879 			}
880 
881 			/*
882 			 * Install cookie values and light the cookie
883 			 * bit. If this is not broadcast client mode, we
884 			 * are done here.
885 			 */
886 			key_expire(peer);
887 			peer->cookval.tstamp = ep->tstamp;
888 			peer->cookval.fstamp = ep->fstamp;
889 			if (peer->crypto & CRYPTO_FLAG_AGREE)
890 				peer->pcookie ^= cookie;
891 			else
892 				peer->pcookie = cookie;
893 			if (peer->hmode == MODE_CLIENT &&
894 			    !(peer->cast_flags & MDF_BCLNT))
895 				peer->crypto |= CRYPTO_FLAG_AUTO;
896 			else
897 				peer->crypto &= ~CRYPTO_FLAG_AUTO;
898 			peer->crypto |= CRYPTO_FLAG_AGREE;
899 			peer->flash &= ~TEST10;
900 			sprintf(statstr, "cook %x ts %u fs %u",
901 			    peer->pcookie, ntohl(ep->tstamp),
902 			    ntohl(ep->fstamp));
903 			record_crypto_stats(&peer->srcadr, statstr);
904 #ifdef DEBUG
905 			if (debug)
906 				printf("crypto_recv: %s\n", statstr);
907 #endif
908 			break;
909 
910 		/*
911 		 * Install autokey values in broadcast client and
912 		 * symmetric modes. We have to do this every time the
913 		 * sever/peer cookie changes or a new keylist is
914 		 * rolled. Ordinarily, this is automatic as this message
915 		 * is piggybacked on the first NTP packet sent upon
916 		 * either of these events. Note that a broadcast client
917 		 * or symmetric peer can receive this response without a
918 		 * matching request.
919 		 */
920 		case CRYPTO_AUTO | CRYPTO_RESP:
921 
922 			/*
923 			 * Discard the message if invalid or identity
924 			 * not confirmed or signature not verified with
925 			 * respect to the receive autokey values.
926 			 */
927 			if (!(peer->crypto & CRYPTO_FLAG_VRFY))
928 				break;
929 
930 			if ((rval = crypto_verify(ep, &peer->recval,
931 			    peer)) != XEVNT_OK)
932 				break;
933 
934 			/*
935 			 * Install autokey values and light the
936 			 * autokey bit. This is not hard.
937 			 */
938 			if (peer->recval.ptr == NULL)
939 				peer->recval.ptr =
940 				    emalloc(sizeof(struct autokey));
941 			bp = (struct autokey *)peer->recval.ptr;
942 			peer->recval.tstamp = ep->tstamp;
943 			peer->recval.fstamp = ep->fstamp;
944 			ap = (struct autokey *)ep->pkt;
945 			bp->seq = ntohl(ap->seq);
946 			bp->key = ntohl(ap->key);
947 			peer->pkeyid = bp->key;
948 			peer->crypto |= CRYPTO_FLAG_AUTO;
949 			peer->flash &= ~TEST10;
950 			sprintf(statstr,
951 			    "auto seq %d key %x ts %u fs %u", bp->seq,
952 			    bp->key, ntohl(ep->tstamp),
953 			    ntohl(ep->fstamp));
954 			record_crypto_stats(&peer->srcadr, statstr);
955 #ifdef DEBUG
956 			if (debug)
957 				printf("crypto_recv: %s\n", statstr);
958 #endif
959 			break;
960 
961 		/*
962 		 * Install leapseconds table in symmetric modes. This
963 		 * table is proventicated to the NIST primary servers,
964 		 * either by copying the file containing the table from
965 		 * a NIST server to a trusted server or directly using
966 		 * this protocol. While the entire table is installed at
967 		 * the server, presently only the current TAI offset is
968 		 * provided via the kernel to other applications.
969 		 */
970 		case CRYPTO_TAI:
971 
972 			/*
973 			 * Discard the message if invalid or identity
974 			 * not confirmed.
975 			 */
976 			if (!(peer->crypto & CRYPTO_FLAG_VRFY))
977 				break;
978 
979 			if ((rval = crypto_verify(ep, NULL, peer)) !=
980 			    XEVNT_OK)
981 				break;
982 
983 			/*
984 			 * Pass the extension field to the transmit
985 			 * side. Continue below if a leapseconds table
986 			 * accompanies the message.
987 			 */
988 			fp = emalloc(len);
989 			memcpy(fp, ep, len);
990 			temp32 = CRYPTO_RESP;
991 			fp->opcode |= htonl(temp32);
992 			peer->cmmd = fp;
993 			if (len <= VALUE_LEN) {
994 				peer->flash &= ~TEST10;
995 				break;
996 			}
997 			/* fall through */
998 
999 		case CRYPTO_TAI | CRYPTO_RESP:
1000 
1001 			/*
1002 			 * Discard the message if invalid or identity
1003 			 * not confirmed or signature not verified with
1004 			 * respect to the leapsecond table values.
1005 			 */
1006 			if (!(peer->crypto & CRYPTO_FLAG_VRFY))
1007 				break;
1008 
1009 			if ((rval = crypto_verify(ep, &peer->tai_leap,
1010 			    peer)) != XEVNT_OK)
1011 				break;
1012 
1013 			/*
1014 			 * Initialize peer variables, leapseconds
1015 			 * structure and extension field in network byte
1016 			 * order. Since a filestamp may have changed,
1017 			 * recompute the signatures.
1018 			 */
1019 			peer->tai_leap.tstamp = ep->tstamp;
1020 			peer->tai_leap.fstamp = ep->fstamp;
1021 			peer->tai_leap.vallen = ep->vallen;
1022 
1023 			/*
1024 			 * Install the new table if there is no stored
1025 			 * table or the new table is more recent than
1026 			 * the stored table. Since a filestamp may have
1027 			 * changed, recompute the signatures.
1028 			 */
1029 			if (ntohl(peer->tai_leap.fstamp) >
1030 			    ntohl(tai_leap.fstamp)) {
1031 				tai_leap.fstamp = ep->fstamp;
1032 				tai_leap.vallen = ep->vallen;
1033 				if (tai_leap.ptr != NULL)
1034 					free(tai_leap.ptr);
1035 				tai_leap.ptr = emalloc(vallen);
1036 				memcpy(tai_leap.ptr, ep->pkt, vallen);
1037 				crypto_update();
1038 				sys_tai = vallen / 4 + TAI_1972 - 1;
1039 			}
1040 			crypto_flags |= CRYPTO_FLAG_TAI;
1041 			peer->crypto |= CRYPTO_FLAG_LEAP;
1042 			peer->flash &= ~TEST10;
1043 #ifdef KERNEL_PLL
1044 #if NTP_API > 3
1045 			/*
1046 			 * If the kernel cooperates, initialize the
1047 			 * current TAI offset.
1048 			 */
1049 			ntv.modes = MOD_TAI;
1050 			ntv.constant = sys_tai;
1051 			(void)ntp_adjtime(&ntv);
1052 #endif /* NTP_API */
1053 #endif /* KERNEL_PLL */
1054 			sprintf(statstr, "leap %u ts %u fs %u",
1055 			    vallen, ntohl(ep->tstamp),
1056 			    ntohl(ep->fstamp));
1057 			record_crypto_stats(&peer->srcadr, statstr);
1058 #ifdef DEBUG
1059 			if (debug)
1060 				printf("crypto_recv: %s\n", statstr);
1061 #endif
1062 			break;
1063 
1064 		/*
1065 		 * We come here in symmetric modes for miscellaneous
1066 		 * commands that have value fields but are processed on
1067 		 * the transmit side. All we need do here is check for
1068 		 * valid field length. Remaining checks are below and on
1069 		 * the transmit side.
1070 		 */
1071 		case CRYPTO_IFF:
1072 		case CRYPTO_GQ:
1073 		case CRYPTO_MV:
1074 		case CRYPTO_SIGN:
1075 			if (len < VALUE_LEN) {
1076 				rval = XEVNT_LEN;
1077 				break;
1078 			}
1079 
1080 			/* fall through */
1081 
1082 		/*
1083 		 * We come here for miscellaneous requests and unknown
1084 		 * requests and responses. If an unknown response or
1085 		 * error, forget it. If a request, save the extension
1086 		 * field for later. Unknown requests will be caught on
1087 		 * the transmit side.
1088 		 */
1089 		default:
1090 			if (code & (CRYPTO_RESP | CRYPTO_ERROR)) {
1091 				rval = XEVNT_LEN;
1092 			} else if ((rval = crypto_verify(ep, NULL,
1093 			    peer)) == XEVNT_OK) {
1094 				fp = emalloc(len);
1095 				memcpy(fp, ep, len);
1096 				temp32 = CRYPTO_RESP;
1097 				fp->opcode |= htonl(temp32);
1098 				peer->cmmd = fp;
1099 			}
1100 		}
1101 
1102 		/*
1103 		 * We log everything except length/format errors and
1104 		 * duplicates, which are log clogging vulnerabilities.
1105 		 * The first error found terminates the extension field
1106 		 * scan and we return the laundry to the caller.
1107 		 */
1108 		if (rval != XEVNT_OK) {
1109 			sprintf(statstr,
1110 			    "error %x opcode %x ts %u fs %u", rval,
1111 			    code, tstamp, fstamp);
1112 			if (rval > XEVNT_TSP)
1113 				record_crypto_stats(&peer->srcadr,
1114 				    statstr);
1115 			report_event(rval, peer);
1116 #ifdef DEBUG
1117 			if (debug)
1118 				printf("crypto_recv: %s\n", statstr);
1119 #endif
1120 			break;
1121 		}
1122 		authlen += len;
1123 	}
1124 	return (rval);
1125 }
1126 
1127 
1128 /*
1129  * crypto_xmit - construct extension fields
1130  *
1131  * This routine is called both when an association is configured and
1132  * when one is not. The only case where this matters is to retrieve the
1133  * autokey information, in which case the caller has to provide the
1134  * association ID to match the association.
1135  *
1136  * Returns length of extension field.
1137  */
1138 int
1139 crypto_xmit(
1140 	struct pkt *xpkt,	/* transmit packet pointer */
1141 	struct sockaddr_storage *srcadr_sin,	/* active runway */
1142 	int	start,		/* offset to extension field */
1143 	struct exten *ep,	/* extension pointer */
1144 	keyid_t cookie		/* session cookie */
1145 	)
1146 {
1147 	u_int32	*pkt;		/* packet pointer */
1148 	struct peer *peer;	/* peer structure pointer */
1149 	u_int	opcode;		/* extension field opcode */
1150 	struct exten *fp;	/* extension pointers */
1151 	struct cert_info *cp;	/* certificate info/value pointer */
1152 	char	certname[MAXHOSTNAME + 1]; /* subject name buffer */
1153 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
1154 	u_int	vallen;
1155 	u_int	len;
1156 	struct value vtemp;
1157 	associd_t associd;
1158 	int	rval;
1159 	keyid_t tcookie;
1160 
1161 	/*
1162 	 * Generate the requested extension field request code, length
1163 	 * and association ID. If this is a response and the host is not
1164 	 * synchronized, light the error bit and go home.
1165 	 */
1166 	pkt = (u_int32 *)xpkt + start / 4;
1167 	fp = (struct exten *)pkt;
1168 	opcode = ntohl(ep->opcode);
1169 	associd = (associd_t) ntohl(ep->associd);
1170 	fp->associd = htonl(associd);
1171 	len = 8;
1172 	rval = XEVNT_OK;
1173 	switch (opcode & 0xffff0000) {
1174 
1175 	/*
1176 	 * Send association request and response with status word and
1177 	 * host name. Note, this message is not signed and the filestamp
1178 	 * contains only the status word. We check at this point whether
1179 	 * the identity schemes are compatible to save tears later on.
1180 	 */
1181 	case CRYPTO_ASSOC | CRYPTO_RESP:
1182 	case CRYPTO_ASSOC:
1183 		len += crypto_send(fp, &hostval);
1184 		if (crypto_time() == 0)
1185 			fp->fstamp = 0;
1186 		else
1187 			fp->fstamp = htonl(crypto_flags);
1188 		break;
1189 
1190 	/*
1191 	 * Send certificate request. Use the values from the extension
1192 	 * field.
1193 	 */
1194 	case CRYPTO_CERT:
1195 		memset(&vtemp, 0, sizeof(vtemp));
1196 		vtemp.tstamp = ep->tstamp;
1197 		vtemp.fstamp = ep->fstamp;
1198 		vtemp.vallen = ep->vallen;
1199 		vtemp.ptr = (unsigned char *)ep->pkt;
1200 		len += crypto_send(fp, &vtemp);
1201 		break;
1202 
1203 	/*
1204 	 * Send certificate response or sign request. Use the values
1205 	 * from the certificate. If the request contains no subject
1206 	 * name, assume the name of this host. This is for backwards
1207 	 * compatibility.  Light the error bit if no certificate with
1208 	 * the given subject name is found. Of course, private
1209 	 * certificates are never sent.
1210 	 */
1211 	case CRYPTO_SIGN:
1212 	case CRYPTO_CERT | CRYPTO_RESP:
1213 		vallen = ntohl(ep->vallen);
1214 		if (vallen == 8) {
1215 			strcpy(certname, sys_hostname);
1216 		} else if (vallen == 0 || vallen > MAXHOSTNAME) {
1217 			opcode |= CRYPTO_ERROR;
1218 			break;
1219 
1220 		} else {
1221 			memcpy(certname, ep->pkt, vallen);
1222 			certname[vallen] = '\0';
1223 		}
1224 		for (cp = cinfo; cp != NULL; cp = cp->link) {
1225 			if (cp->flags & CERT_PRIV)
1226 				continue;
1227 			if (strcmp(certname, cp->subject) == 0) {
1228 				len += crypto_send(fp, &cp->cert);
1229 				break;
1230 			}
1231 		}
1232 		if (cp == NULL)
1233 			opcode |= CRYPTO_ERROR;
1234 		break;
1235 
1236 	/*
1237 	 * Send challenge in Schnorr (IFF) identity scheme.
1238 	 */
1239 	case CRYPTO_IFF:
1240 		if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
1241 			opcode |= CRYPTO_ERROR;
1242 			break;
1243 		}
1244 		if ((rval = crypto_alice(peer, &vtemp)) == XEVNT_OK)
1245 			len += crypto_send(fp, &vtemp);
1246 		value_free(&vtemp);
1247 		break;
1248 
1249 	/*
1250 	 * Send response in Schnorr (IFF) identity scheme.
1251 	 */
1252 	case CRYPTO_IFF | CRYPTO_RESP:
1253 		if ((rval = crypto_bob(ep, &vtemp)) == XEVNT_OK)
1254 			len += crypto_send(fp, &vtemp);
1255 		value_free(&vtemp);
1256 		break;
1257 
1258 	/*
1259 	 * Send challenge in Guillou-Quisquater (GQ) identity scheme.
1260 	 */
1261 	case CRYPTO_GQ:
1262 		if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
1263 			opcode |= CRYPTO_ERROR;
1264 			break;
1265 		}
1266 		if ((rval = crypto_alice2(peer, &vtemp)) == XEVNT_OK)
1267 			len += crypto_send(fp, &vtemp);
1268 		value_free(&vtemp);
1269 		break;
1270 
1271 	/*
1272 	 * Send response in Guillou-Quisquater (GQ) identity scheme.
1273 	 */
1274 	case CRYPTO_GQ | CRYPTO_RESP:
1275 		if ((rval = crypto_bob2(ep, &vtemp)) == XEVNT_OK)
1276 			len += crypto_send(fp, &vtemp);
1277 		value_free(&vtemp);
1278 		break;
1279 
1280 	/*
1281 	 * Send challenge in MV identity scheme.
1282 	 */
1283 	case CRYPTO_MV:
1284 		if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
1285 			opcode |= CRYPTO_ERROR;
1286 			break;
1287 		}
1288 		if ((rval = crypto_alice3(peer, &vtemp)) == XEVNT_OK)
1289 			len += crypto_send(fp, &vtemp);
1290 		value_free(&vtemp);
1291 		break;
1292 
1293 	/*
1294 	 * Send response in MV identity scheme.
1295 	 */
1296 	case CRYPTO_MV | CRYPTO_RESP:
1297 		if ((rval = crypto_bob3(ep, &vtemp)) == XEVNT_OK)
1298 			len += crypto_send(fp, &vtemp);
1299 		value_free(&vtemp);
1300 		break;
1301 
1302 	/*
1303 	 * Send certificate sign response. The integrity of the request
1304 	 * certificate has already been verified on the receive side.
1305 	 * Sign the response using the local server key. Use the
1306 	 * filestamp from the request and use the timestamp as the
1307 	 * current time. Light the error bit if the certificate is
1308 	 * invalid or contains an unverified signature.
1309 	 */
1310 	case CRYPTO_SIGN | CRYPTO_RESP:
1311 		if ((rval = cert_sign(ep, &vtemp)) == XEVNT_OK)
1312 			len += crypto_send(fp, &vtemp);
1313 		value_free(&vtemp);
1314 		break;
1315 
1316 	/*
1317 	 * Send public key and signature. Use the values from the public
1318 	 * key.
1319 	 */
1320 	case CRYPTO_COOK:
1321 		len += crypto_send(fp, &pubkey);
1322 		break;
1323 
1324 	/*
1325 	 * Encrypt and send cookie and signature. Light the error bit if
1326 	 * anything goes wrong.
1327 	 */
1328 	case CRYPTO_COOK | CRYPTO_RESP:
1329 		if ((opcode & 0xffff) < VALUE_LEN) {
1330 			opcode |= CRYPTO_ERROR;
1331 			break;
1332 		}
1333 		if (PKT_MODE(xpkt->li_vn_mode) == MODE_SERVER) {
1334 			tcookie = cookie;
1335 		} else {
1336 			if ((peer = findpeerbyassoc(associd)) == NULL) {
1337 				opcode |= CRYPTO_ERROR;
1338 				break;
1339 			}
1340 			tcookie = peer->pcookie;
1341 		}
1342 		if ((rval = crypto_encrypt(ep, &vtemp, &tcookie)) ==
1343 		    XEVNT_OK)
1344 			len += crypto_send(fp, &vtemp);
1345 		value_free(&vtemp);
1346 		break;
1347 
1348 	/*
1349 	 * Find peer and send autokey data and signature in broadcast
1350 	 * server and symmetric modes. Use the values in the autokey
1351 	 * structure. If no association is found, either the server has
1352 	 * restarted with new associations or some perp has replayed an
1353 	 * old message, in which case light the error bit.
1354 	 */
1355 	case CRYPTO_AUTO | CRYPTO_RESP:
1356 		if ((peer = findpeerbyassoc(associd)) == NULL) {
1357 			opcode |= CRYPTO_ERROR;
1358 			break;
1359 		}
1360 		peer->flags &= ~FLAG_ASSOC;
1361 		len += crypto_send(fp, &peer->sndval);
1362 		break;
1363 
1364 	/*
1365 	 * Send leapseconds table and signature. Use the values from the
1366 	 * tai structure. If no table has been loaded, just send a
1367 	 * request.
1368 	 */
1369 	case CRYPTO_TAI:
1370 	case CRYPTO_TAI | CRYPTO_RESP:
1371 		if (crypto_flags & CRYPTO_FLAG_TAI)
1372 			len += crypto_send(fp, &tai_leap);
1373 		break;
1374 
1375 	/*
1376 	 * Default - Fall through for requests; for unknown responses,
1377 	 * flag as error.
1378 	 */
1379 	default:
1380 		if (opcode & CRYPTO_RESP)
1381 			opcode |= CRYPTO_ERROR;
1382 	}
1383 
1384 	/*
1385 	 * We ignore length/format errors and duplicates. Other errors
1386 	 * are reported to the log and deny further service. To really
1387 	 * persistent rascals we toss back a kiss-of-death grenade.
1388 	 */
1389 	if (rval > XEVNT_TSP) {
1390 		opcode |= CRYPTO_ERROR;
1391 		sprintf(statstr, "error %x opcode %x", rval, opcode);
1392 		record_crypto_stats(srcadr_sin, statstr);
1393 #ifdef DEBUG
1394 		if (debug)
1395 			printf("crypto_xmit: %s\n", statstr);
1396 #endif
1397 	}
1398 
1399 	/*
1400 	 * Round up the field length to a multiple of 8 bytes and save
1401 	 * the request code and length.
1402 	 */
1403 	len = ((len + 7) / 8) * 8;
1404 	fp->opcode = htonl((opcode & 0xffff0000) | len);
1405 #ifdef DEBUG
1406 	if (debug)
1407 		printf(
1408 		    "crypto_xmit: ext offset %d len %u code %x assocID %d\n",
1409 		    start, len, opcode>> 16, associd);
1410 #endif
1411 	return (len);
1412 }
1413 
1414 
1415 /*
1416  * crypto_verify - parse and verify the extension field and value
1417  *
1418  * Returns
1419  * XEVNT_OK	success
1420  * XEVNT_LEN	bad field format or length
1421  * XEVNT_TSP	bad timestamp
1422  * XEVNT_FSP	bad filestamp
1423  * XEVNT_PUB	bad or missing public key
1424  * XEVNT_SGL	bad signature length
1425  * XEVNT_SIG	signature not verified
1426  */
1427 static int
1428 crypto_verify(
1429 	struct exten *ep,	/* extension pointer */
1430 	struct value *vp,	/* value pointer */
1431 	struct peer *peer	/* peer structure pointer */
1432 	)
1433 {
1434 	EVP_PKEY *pkey;		/* server public key */
1435 	EVP_MD_CTX ctx;		/* signature context */
1436 	tstamp_t tstamp;	/* timestamp */
1437 	tstamp_t fstamp;	/* filestamp */
1438 	u_int	vallen;		/* value length */
1439 	u_int	siglen;		/* signature length */
1440 	u_int	opcode, len;
1441 	int	rval;
1442 	int	i;
1443 
1444 	/*
1445 	 * We require valid opcode and field length, timestamp,
1446 	 * filestamp, public key, digest, signature length and
1447 	 * signature, where relevant. Note that preliminary length
1448 	 * checks are done in the main loop.
1449 	 */
1450 	len = ntohl(ep->opcode) & 0x0000ffff;
1451 	opcode = ntohl(ep->opcode) & 0xffff0000;
1452 
1453 	/*
1454 	 * Check for valid operation code and protocol. The opcode must
1455 	 * not have the error bit set. If a response, it must have a
1456 	 * value header. If a request and does not contain a value
1457 	 * header, no need for further checking.
1458 	 */
1459 	if (opcode & CRYPTO_ERROR)
1460 		return (XEVNT_LEN);
1461  	if (opcode & CRYPTO_RESP) {
1462  		if (len < VALUE_LEN)
1463 			return (XEVNT_LEN);
1464 	} else {
1465  		if (len < VALUE_LEN)
1466 			return (XEVNT_OK);
1467 	}
1468 	/*
1469 	 * We have a value header. Check for valid field lengths. The
1470 	 * field length must be long enough to contain the value header,
1471 	 * value and signature. If a request and a previous request of
1472 	 * the same type is pending, discard the previous request. If a
1473 	 * request but no signature, there is no need for further
1474 	 * checking.
1475 	 */
1476 	vallen = ntohl(ep->vallen);
1477 	if (len < ((VALUE_LEN + vallen + 3) / 4) * 4)
1478 		return (XEVNT_LEN);
1479 
1480 	i = (vallen + 3) / 4;
1481 	siglen = ntohl(ep->pkt[i++]);
1482 	if (len < VALUE_LEN + vallen + siglen)
1483 		return (XEVNT_LEN);
1484 
1485 	if (!(opcode & CRYPTO_RESP)) {
1486 		if (peer->cmmd != NULL) {
1487 			if ((opcode | CRYPTO_RESP) ==
1488 			    (ntohl(peer->cmmd->opcode) & 0xffff0000)) {
1489 				free(peer->cmmd);
1490 				peer->cmmd = NULL;
1491 			} else {
1492 				return (XEVNT_LEN);
1493 			}
1494 		}
1495 		if (siglen == 0)
1496 			return (XEVNT_OK);
1497 	}
1498 
1499 	/*
1500 	 * We have a signature. Check for valid timestamp and filestamp.
1501 	 * The timestamp must not precede the filestamp. The timestamp
1502 	 * and filestamp must not precede the corresponding values in
1503 	 * the value structure. Once the autokey values have been
1504 	 * installed, the timestamp must always be later than the
1505 	 * corresponding value in the value structure. Duplicate
1506 	 * timestamps are illegal once the cookie has been validated.
1507 	 */
1508 	rval = XEVNT_OK;
1509 	if (crypto_flags & peer->crypto & CRYPTO_FLAG_PRIV)
1510 		pkey = sign_pkey;
1511 	else
1512 		pkey = peer->pkey;
1513 	tstamp = ntohl(ep->tstamp);
1514 	fstamp = ntohl(ep->fstamp);
1515 	if (tstamp == 0 || tstamp < fstamp) {
1516 		rval = XEVNT_TSP;
1517 	} else if (vp != NULL && (tstamp < ntohl(vp->tstamp) ||
1518 	    (tstamp == ntohl(vp->tstamp) && (peer->crypto &
1519 	    CRYPTO_FLAG_AUTO)))) {
1520 		rval = XEVNT_TSP;
1521 	} else if (vp != NULL && (tstamp < ntohl(vp->fstamp) || fstamp <
1522 	    ntohl(vp->fstamp))) {
1523 		rval = XEVNT_FSP;
1524 
1525 	/*
1526 	 * If a public key and digest is present, and if valid key
1527 	 * length, check for valid signature. Note that the first valid
1528 	 * signature lights the proventic bit.
1529 	 */
1530 	} else if (pkey == NULL || peer->digest == NULL) {
1531 		/* fall through */
1532 	} else if (siglen != (u_int) EVP_PKEY_size(pkey)) {
1533 		rval = XEVNT_SGL;
1534 	} else {
1535 		EVP_VerifyInit(&ctx, peer->digest);
1536 		EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen +
1537 		    12);
1538 		if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen,
1539 		    pkey)) {
1540 			if (peer->crypto & CRYPTO_FLAG_VRFY)
1541 				peer->crypto |= CRYPTO_FLAG_PROV;
1542 		} else {
1543 			rval = XEVNT_SIG;
1544 		}
1545 	}
1546 #ifdef DEBUG
1547 	if (debug > 1)
1548 		printf(
1549 		    "crypto_recv: verify %x vallen %u siglen %u ts %u fs %u\n",
1550 		    rval, vallen, siglen, tstamp, fstamp);
1551 #endif
1552 	return (rval);
1553 }
1554 
1555 
1556 /*
1557  * crypto_encrypt - construct encrypted cookie and signature from
1558  * extension field and cookie
1559  *
1560  * Returns
1561  * XEVNT_OK	success
1562  * XEVNT_PUB	bad or missing public key
1563  * XEVNT_CKY	bad or missing cookie
1564  */
1565 static int
1566 crypto_encrypt(
1567 	struct exten *ep,	/* extension pointer */
1568 	struct value *vp,	/* value pointer */
1569 	keyid_t	*cookie		/* server cookie */
1570 	)
1571 {
1572 	EVP_PKEY *pkey;		/* public key */
1573 	EVP_MD_CTX ctx;		/* signature context */
1574 	tstamp_t tstamp;	/* NTP timestamp */
1575 	u_int32	temp32;
1576 	u_int	len;
1577 	u_char	*ptr;
1578 
1579 	/*
1580 	 * Extract the public key from the request.
1581 	 */
1582 	len = ntohl(ep->vallen);
1583 	ptr = (u_char *)ep->pkt;
1584 	pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len);
1585 	if (pkey == NULL) {
1586 		msyslog(LOG_ERR, "crypto_encrypt %s\n",
1587 		    ERR_error_string(ERR_get_error(), NULL));
1588 		return (XEVNT_PUB);
1589 	}
1590 
1591 	/*
1592 	 * Encrypt the cookie, encode in ASN.1 and sign.
1593 	 */
1594 	tstamp = crypto_time();
1595 	memset(vp, 0, sizeof(struct value));
1596 	vp->tstamp = htonl(tstamp);
1597 	vp->fstamp = hostval.tstamp;
1598 	len = EVP_PKEY_size(pkey);
1599 	vp->vallen = htonl(len);
1600 	vp->ptr = emalloc(len);
1601 	temp32 = htonl(*cookie);
1602 	if (!RSA_public_encrypt(4, (u_char *)&temp32, vp->ptr,
1603 	    pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING)) {
1604 		msyslog(LOG_ERR, "crypto_encrypt %s\n",
1605 		    ERR_error_string(ERR_get_error(), NULL));
1606 		EVP_PKEY_free(pkey);
1607 		return (XEVNT_CKY);
1608 	}
1609 	EVP_PKEY_free(pkey);
1610 	vp->siglen = 0;
1611 	if (tstamp == 0)
1612 		return (XEVNT_OK);
1613 	vp->sig = emalloc(sign_siglen);
1614 	EVP_SignInit(&ctx, sign_digest);
1615 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
1616 	EVP_SignUpdate(&ctx, vp->ptr, len);
1617 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
1618 		vp->siglen = htonl(len);
1619 	return (XEVNT_OK);
1620 }
1621 
1622 
1623 /*
1624  * crypto_ident - construct extension field for identity scheme
1625  *
1626  * This routine determines which identity scheme is in use and
1627  * constructs an extension field for that scheme.
1628  */
1629 u_int
1630 crypto_ident(
1631 	struct peer *peer	/* peer structure pointer */
1632 	)
1633 {
1634 	char	filename[MAXFILENAME + 1];
1635 
1636 	/*
1637 	 * If the server identity has already been verified, no further
1638 	 * action is necessary. Otherwise, try to load the identity file
1639 	 * of the certificate issuer. If the issuer file is not found,
1640 	 * try the host file. If nothing found, declare a cryptobust.
1641 	 * Note we can't get here unless the trusted certificate has
1642 	 * been found and the CRYPTO_FLAG_VALID bit is set, so the
1643 	 * certificate issuer is valid.
1644 	 */
1645 	if (peer->crypto & CRYPTO_FLAG_VRFY)
1646 		return (0);
1647 
1648 	if (peer->ident_pkey != NULL)
1649 		EVP_PKEY_free(peer->ident_pkey);
1650 	if (peer->crypto & CRYPTO_FLAG_GQ) {
1651 		snprintf(filename, MAXFILENAME, "ntpkey_gq_%s",
1652 		    peer->issuer);
1653 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1654 		if (peer->ident_pkey != NULL)
1655 			return (CRYPTO_GQ);
1656 
1657 		snprintf(filename, MAXFILENAME, "ntpkey_gq_%s",
1658 		    sys_hostname);
1659 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1660 		if (peer->ident_pkey != NULL)
1661 			return (CRYPTO_GQ);
1662 	}
1663 	if (peer->crypto & CRYPTO_FLAG_IFF) {
1664 		snprintf(filename, MAXFILENAME, "ntpkey_iff_%s",
1665 		    peer->issuer);
1666 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1667 		if (peer->ident_pkey != NULL)
1668 			return (CRYPTO_IFF);
1669 
1670 		snprintf(filename, MAXFILENAME, "ntpkey_iff_%s",
1671 		    sys_hostname);
1672 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1673 		if (peer->ident_pkey != NULL)
1674 			return (CRYPTO_IFF);
1675 	}
1676 	if (peer->crypto & CRYPTO_FLAG_MV) {
1677 		snprintf(filename, MAXFILENAME, "ntpkey_mv_%s",
1678 		    peer->issuer);
1679 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1680 		if (peer->ident_pkey != NULL)
1681 			return (CRYPTO_MV);
1682 
1683 		snprintf(filename, MAXFILENAME, "ntpkey_mv_%s",
1684 		    sys_hostname);
1685 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1686 		if (peer->ident_pkey != NULL)
1687 			return (CRYPTO_MV);
1688 	}
1689 
1690 	/*
1691 	 * No compatible identity scheme is available. Use the default
1692 	 * TC scheme.
1693 	 */
1694 	msyslog(LOG_INFO,
1695 	    "crypto_ident: no compatible identity scheme found");
1696 	return (0);
1697 }
1698 
1699 
1700 /*
1701  * crypto_args - construct extension field from arguments
1702  *
1703  * This routine creates an extension field with current timestamps and
1704  * specified opcode, association ID and optional string. Note that the
1705  * extension field is created here, but freed after the crypto_xmit()
1706  * call in the protocol module.
1707  *
1708  * Returns extension field pointer (no errors).
1709  */
1710 struct exten *
1711 crypto_args(
1712 	struct peer *peer,	/* peer structure pointer */
1713 	u_int	opcode,		/* operation code */
1714 	char	*str		/* argument string */
1715 	)
1716 {
1717 	tstamp_t tstamp;	/* NTP timestamp */
1718 	struct exten *ep;	/* extension field pointer */
1719 	u_int	len;		/* extension field length */
1720 
1721 	tstamp = crypto_time();
1722 	len = sizeof(struct exten);
1723 	if (str != NULL)
1724 		len += strlen(str);
1725 	ep = emalloc(len);
1726 	memset(ep, 0, len);
1727 	ep->opcode = htonl(opcode + len);
1728 
1729 	/*
1730 	 * If a response, send our ID; if a request, send the
1731 	 * responder's ID.
1732 	 */
1733 	if (opcode & CRYPTO_RESP)
1734 		ep->associd = htonl(peer->associd);
1735 	else
1736 		ep->associd = htonl(peer->assoc);
1737 	ep->tstamp = htonl(tstamp);
1738 	ep->fstamp = hostval.tstamp;
1739 	ep->vallen = 0;
1740 	if (str != NULL) {
1741 		ep->vallen = htonl(strlen(str));
1742 		memcpy((char *)ep->pkt, str, strlen(str));
1743 	} else {
1744 		ep->pkt[0] = peer->associd;
1745 	}
1746 	return (ep);
1747 }
1748 
1749 
1750 /*
1751  * crypto_send - construct extension field from value components
1752  *
1753  * Returns extension field length. Note: it is not polite to send a
1754  * nonempty signature with zero timestamp or a nonzero timestamp with
1755  * empty signature, but these rules are not enforced here.
1756  */
1757 u_int
1758 crypto_send(
1759 	struct exten *ep,	/* extension field pointer */
1760 	struct value *vp	/* value pointer */
1761 	)
1762 {
1763 	u_int	len, temp32;
1764 	int	i;
1765 
1766 	/*
1767 	 * Copy data. If the data field is empty or zero length, encode
1768 	 * an empty value with length zero.
1769 	 */
1770 	ep->tstamp = vp->tstamp;
1771 	ep->fstamp = vp->fstamp;
1772 	ep->vallen = vp->vallen;
1773 	len = 12;
1774 	temp32 = ntohl(vp->vallen);
1775 	if (temp32 > 0 && vp->ptr != NULL)
1776 		memcpy(ep->pkt, vp->ptr, temp32);
1777 
1778 	/*
1779 	 * Copy signature. If the signature field is empty or zero
1780 	 * length, encode an empty signature with length zero.
1781 	 */
1782 	i = (temp32 + 3) / 4;
1783 	len += i * 4 + 4;
1784 	ep->pkt[i++] = vp->siglen;
1785 	temp32 = ntohl(vp->siglen);
1786 	if (temp32 > 0 && vp->sig != NULL)
1787 		memcpy(&ep->pkt[i], vp->sig, temp32);
1788 	len += temp32;
1789 	return (len);
1790 }
1791 
1792 
1793 /*
1794  * crypto_update - compute new public value and sign extension fields
1795  *
1796  * This routine runs periodically, like once a day, and when something
1797  * changes. It updates the timestamps on three value structures and one
1798  * value structure list, then signs all the structures:
1799  *
1800  * hostval	host name (not signed)
1801  * pubkey	public key
1802  * cinfo	certificate info/value list
1803  * tai_leap	leapseconds file
1804  *
1805  * Filestamps are proventicated data, so this routine is run only when
1806  * the host has been synchronized to a proventicated source. Thus, the
1807  * timestamp is proventicated, too, and can be used to deflect
1808  * clogging attacks and even cook breakfast.
1809  *
1810  * Returns void (no errors)
1811  */
1812 void
1813 crypto_update(void)
1814 {
1815 	EVP_MD_CTX ctx;		/* message digest context */
1816 	struct cert_info *cp, *cpn, **zp; /* certificate info/value */
1817 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
1818 	tstamp_t tstamp;	/* NTP timestamp */
1819 	u_int	len;
1820 
1821 	if ((tstamp = crypto_time()) == 0)
1822 		return;
1823 	hostval.tstamp = htonl(tstamp);
1824 
1825 	/*
1826 	 * Sign public key and timestamps. The filestamp is derived from
1827 	 * the host key file extension from wherever the file was
1828 	 * generated.
1829 	 */
1830 	if (pubkey.vallen != 0) {
1831 		pubkey.tstamp = hostval.tstamp;
1832 		pubkey.siglen = 0;
1833 		if (pubkey.sig == NULL)
1834 			pubkey.sig = emalloc(sign_siglen);
1835 		EVP_SignInit(&ctx, sign_digest);
1836 		EVP_SignUpdate(&ctx, (u_char *)&pubkey, 12);
1837 		EVP_SignUpdate(&ctx, pubkey.ptr, ntohl(pubkey.vallen));
1838 		if (EVP_SignFinal(&ctx, pubkey.sig, &len, sign_pkey))
1839 			pubkey.siglen = htonl(len);
1840 	}
1841 
1842 	/*
1843 	 * Sign certificates and timestamps. The filestamp is derived
1844 	 * from the certificate file extension from wherever the file
1845 	 * was generated. At the same time expired certificates are
1846 	 * expunged.
1847 	 */
1848 	zp = &cinfo;
1849 	for (cp = cinfo; cp != NULL; cp = cpn) {
1850 		cpn = cp->link;
1851 		if (tstamp > cp->last) {
1852 			*zp = cpn;
1853 			cert_free(cp);
1854 		} else {
1855 			cp->cert.tstamp = hostval.tstamp;
1856 			cp->cert.siglen = 0;
1857 			if (cp->cert.sig == NULL)
1858 				cp->cert.sig = emalloc(sign_siglen);
1859 			EVP_SignInit(&ctx, sign_digest);
1860 			EVP_SignUpdate(&ctx, (u_char *)&cp->cert, 12);
1861 			EVP_SignUpdate(&ctx, cp->cert.ptr,
1862 			    ntohl(cp->cert.vallen));
1863 			if (EVP_SignFinal(&ctx, cp->cert.sig, &len,
1864 			    sign_pkey))
1865 				cp->cert.siglen = htonl(len);
1866 			zp = &cp->link;
1867 		}
1868 	}
1869 
1870 	/*
1871 	 * Sign leapseconds table and timestamps. The filestamp is
1872 	 * derived from the leapsecond file extension from wherever the
1873 	 * file was generated.
1874 	 */
1875 	if (tai_leap.vallen != 0) {
1876 		tai_leap.tstamp = hostval.tstamp;
1877 		tai_leap.siglen = 0;
1878 		if (tai_leap.sig == NULL)
1879 			tai_leap.sig = emalloc(sign_siglen);
1880 		EVP_SignInit(&ctx, sign_digest);
1881 		EVP_SignUpdate(&ctx, (u_char *)&tai_leap, 12);
1882 		EVP_SignUpdate(&ctx, tai_leap.ptr,
1883 		    ntohl(tai_leap.vallen));
1884 		if (EVP_SignFinal(&ctx, tai_leap.sig, &len, sign_pkey))
1885 			tai_leap.siglen = htonl(len);
1886 	}
1887 	sprintf(statstr, "update ts %u", ntohl(hostval.tstamp));
1888 	record_crypto_stats(NULL, statstr);
1889 #ifdef DEBUG
1890 	if (debug)
1891 		printf("crypto_update: %s\n", statstr);
1892 #endif
1893 }
1894 
1895 
1896 /*
1897  * value_free - free value structure components.
1898  *
1899  * Returns void (no errors)
1900  */
1901 void
1902 value_free(
1903 	struct value *vp	/* value structure */
1904 	)
1905 {
1906 	if (vp->ptr != NULL)
1907 		free(vp->ptr);
1908 	if (vp->sig != NULL)
1909 		free(vp->sig);
1910 	memset(vp, 0, sizeof(struct value));
1911 }
1912 
1913 
1914 /*
1915  * crypto_time - returns current NTP time in seconds.
1916  */
1917 tstamp_t
1918 crypto_time()
1919 {
1920 	l_fp	tstamp;		/* NTP time */	L_CLR(&tstamp);
1921 
1922 	L_CLR(&tstamp);
1923 	if (sys_leap != LEAP_NOTINSYNC)
1924 		get_systime(&tstamp);
1925 	return (tstamp.l_ui);
1926 }
1927 
1928 
1929 /*
1930  * asn2ntp - convert ASN1_TIME time structure to NTP time in seconds.
1931  */
1932 u_long
1933 asn2ntp	(
1934 	ASN1_TIME *asn1time	/* pointer to ASN1_TIME structure */
1935 	)
1936 {
1937 	char	*v;		/* pointer to ASN1_TIME string */
1938 	struct	tm tm;		/* used to convert to NTP time */
1939 
1940 	/*
1941 	 * Extract time string YYMMDDHHMMSSZ from ASN1 time structure.
1942 	 * Note that the YY, MM, DD fields start with one, the HH, MM,
1943 	 * SS fiels start with zero and the Z character should be 'Z'
1944 	 * for UTC. Also note that years less than 50 map to years
1945 	 * greater than 100. Dontcha love ASN.1? Better than MIL-188.
1946 	 */
1947 	if (asn1time->length > 13)
1948 		return ((u_long)(~0));	/* We can't use -1 here. It's invalid */
1949 	v = (char *)asn1time->data;
1950 	tm.tm_year = (v[0] - '0') * 10 + v[1] - '0';
1951 	if (tm.tm_year < 50)
1952 		tm.tm_year += 100;
1953 	tm.tm_mon = (v[2] - '0') * 10 + v[3] - '0' - 1;
1954 	tm.tm_mday = (v[4] - '0') * 10 + v[5] - '0';
1955 	tm.tm_hour = (v[6] - '0') * 10 + v[7] - '0';
1956 	tm.tm_min = (v[8] - '0') * 10 + v[9] - '0';
1957 	tm.tm_sec = (v[10] - '0') * 10 + v[11] - '0';
1958 	tm.tm_wday = 0;
1959 	tm.tm_yday = 0;
1960 	tm.tm_isdst = 0;
1961 	return (timegm(&tm) + JAN_1970);
1962 }
1963 
1964 
1965 /*
1966  * bigdig() - compute a BIGNUM MD5 hash of a BIGNUM number.
1967  */
1968 static int
1969 bighash(
1970 	BIGNUM	*bn,		/* BIGNUM * from */
1971 	BIGNUM	*bk		/* BIGNUM * to */
1972 	)
1973 {
1974 	EVP_MD_CTX ctx;		/* message digest context */
1975 	u_char dgst[EVP_MAX_MD_SIZE]; /* message digest */
1976 	u_char	*ptr;		/* a BIGNUM as binary string */
1977 	u_int	len;
1978 
1979 	len = BN_num_bytes(bn);
1980 	ptr = emalloc(len);
1981 	BN_bn2bin(bn, ptr);
1982 	EVP_DigestInit(&ctx, EVP_md5());
1983 	EVP_DigestUpdate(&ctx, ptr, len);
1984 	EVP_DigestFinal(&ctx, dgst, &len);
1985 	BN_bin2bn(dgst, len, bk);
1986 	return (1);
1987 }
1988 
1989 
1990 /*
1991  ***********************************************************************
1992  *								       *
1993  * The following routines implement the Schnorr (IFF) identity scheme  *
1994  *								       *
1995  ***********************************************************************
1996  *
1997  * The Schnorr (IFF) identity scheme is intended for use when
1998  * the ntp-genkeys program does not generate the certificates used in
1999  * the protocol and the group key cannot be conveyed in the certificate
2000  * itself. For this purpose, new generations of IFF values must be
2001  * securely transmitted to all members of the group before use. The
2002  * scheme is self contained and independent of new generations of host
2003  * keys, sign keys and certificates.
2004  *
2005  * The IFF identity scheme is based on DSA cryptography and algorithms
2006  * described in Stinson p. 285. The IFF values hide in a DSA cuckoo
2007  * structure, but only the primes and generator are used. The p is a
2008  * 512-bit prime, q a 160-bit prime that divides p - 1 and is a qth root
2009  * of 1 mod p; that is, g^q = 1 mod p. The TA rolls primvate random
2010  * group key b disguised as a DSA structure member, then computes public
2011  * key g^(q - b). These values are shared only among group members and
2012  * never revealed in messages. Alice challenges Bob to confirm identity
2013  * using the protocol described below.
2014  *
2015  * How it works
2016  *
2017  * The scheme goes like this. Both Alice and Bob have the public primes
2018  * p, q and generator g. The TA gives private key b to Bob and public
2019  * key v = g^(q - a) mod p to Alice.
2020  *
2021  * Alice rolls new random challenge r and sends to Bob in the IFF
2022  * request message. Bob rolls new random k, then computes y = k + b r
2023  * mod q and x = g^k mod p and sends (y, hash(x)) to Alice in the
2024  * response message. Besides making the response shorter, the hash makes
2025  * it effectivey impossible for an intruder to solve for b by observing
2026  * a number of these messages.
2027  *
2028  * Alice receives the response and computes g^y v^r mod p. After a bit
2029  * of algebra, this simplifies to g^k. If the hash of this result
2030  * matches hash(x), Alice knows that Bob has the group key b. The signed
2031  * response binds this knowledge to Bob's private key and the public key
2032  * previously received in his certificate.
2033  *
2034  * crypto_alice - construct Alice's challenge in IFF scheme
2035  *
2036  * Returns
2037  * XEVNT_OK	success
2038  * XEVNT_PUB	bad or missing public key
2039  * XEVNT_ID	bad or missing identity parameters
2040  */
2041 static int
2042 crypto_alice(
2043 	struct peer *peer,	/* peer pointer */
2044 	struct value *vp	/* value pointer */
2045 	)
2046 {
2047 	DSA	*dsa;		/* IFF parameters */
2048 	BN_CTX	*bctx;		/* BIGNUM context */
2049 	EVP_MD_CTX ctx;		/* signature context */
2050 	tstamp_t tstamp;
2051 	u_int	len;
2052 
2053 	/*
2054 	 * The identity parameters must have correct format and content.
2055 	 */
2056 	if (peer->ident_pkey == NULL)
2057 		return (XEVNT_ID);
2058 	if ((dsa = peer->ident_pkey->pkey.dsa) == NULL) {
2059 		msyslog(LOG_INFO, "crypto_alice: defective key");
2060 		return (XEVNT_PUB);
2061 	}
2062 
2063 	/*
2064 	 * Roll new random r (0 < r < q). The OpenSSL library has a bug
2065 	 * omitting BN_rand_range, so we have to do it the hard way.
2066 	 */
2067 	bctx = BN_CTX_new();
2068 	len = BN_num_bytes(dsa->q);
2069 	if (peer->iffval != NULL)
2070 		BN_free(peer->iffval);
2071 	peer->iffval = BN_new();
2072 	BN_rand(peer->iffval, len * 8, -1, 1);	/* r */
2073 	BN_mod(peer->iffval, peer->iffval, dsa->q, bctx);
2074 	BN_CTX_free(bctx);
2075 
2076 	/*
2077 	 * Sign and send to Bob. The filestamp is from the local file.
2078 	 */
2079 	tstamp = crypto_time();
2080 	memset(vp, 0, sizeof(struct value));
2081 	vp->tstamp = htonl(tstamp);
2082 	vp->fstamp = htonl(peer->fstamp);
2083 	vp->vallen = htonl(len);
2084 	vp->ptr = emalloc(len);
2085 	BN_bn2bin(peer->iffval, vp->ptr);
2086 	vp->siglen = 0;
2087 	if (tstamp == 0)
2088 		return (XEVNT_OK);
2089 	vp->sig = emalloc(sign_siglen);
2090 	EVP_SignInit(&ctx, sign_digest);
2091 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2092 	EVP_SignUpdate(&ctx, vp->ptr, len);
2093 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
2094 		vp->siglen = htonl(len);
2095 	return (XEVNT_OK);
2096 }
2097 
2098 
2099 /*
2100  * crypto_bob - construct Bob's response to Alice's challenge
2101  *
2102  * Returns
2103  * XEVNT_OK	success
2104  * XEVNT_PUB	bad or missing public key
2105  */
2106 static int
2107 crypto_bob(
2108 	struct exten *ep,	/* extension pointer */
2109 	struct value *vp	/* value pointer */
2110 	)
2111 {
2112 	DSA	*dsa;		/* IFF parameters */
2113 	DSA_SIG	*sdsa;		/* DSA signature context fake */
2114 	BN_CTX	*bctx;		/* BIGNUM context */
2115 	EVP_MD_CTX ctx;		/* signature context */
2116 	tstamp_t tstamp;	/* NTP timestamp */
2117 	BIGNUM	*bn, *bk, *r;
2118 	u_char	*ptr;
2119 	u_int	len;
2120 
2121 	/*
2122 	 * If the IFF parameters are not valid, something awful
2123 	 * happened or we are being tormented.
2124 	 */
2125 	if (!(crypto_flags & CRYPTO_FLAG_IFF)) {
2126 		msyslog(LOG_INFO, "crypto_bob: scheme unavailable");
2127 		return (XEVNT_PUB);
2128 	}
2129 	dsa = iffpar_pkey->pkey.dsa;
2130 
2131 	/*
2132 	 * Extract r from the challenge.
2133 	 */
2134 	len = ntohl(ep->vallen);
2135 	if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
2136 		msyslog(LOG_ERR, "crypto_bob %s\n",
2137 		    ERR_error_string(ERR_get_error(), NULL));
2138 		return (XEVNT_PUB);
2139 	}
2140 
2141 	/*
2142 	 * Bob rolls random k (0 < k < q), computes y = k + b r mod q
2143 	 * and x = g^k mod p, then sends (y, hash(x)) to Alice.
2144 	 */
2145 	bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
2146 	sdsa = DSA_SIG_new();
2147 	BN_rand(bk, len * 8, -1, 1);		/* k */
2148 	BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */
2149 	BN_add(bn, bn, bk);
2150 	BN_mod(bn, bn, dsa->q, bctx);		/* k + b r mod q */
2151 	sdsa->r = BN_dup(bn);
2152 	BN_mod_exp(bk, dsa->g, bk, dsa->p, bctx); /* g^k mod p */
2153 	bighash(bk, bk);
2154 	sdsa->s = BN_dup(bk);
2155 	BN_CTX_free(bctx);
2156 	BN_free(r); BN_free(bn); BN_free(bk);
2157 
2158 	/*
2159 	 * Encode the values in ASN.1 and sign.
2160 	 */
2161 	tstamp = crypto_time();
2162 	memset(vp, 0, sizeof(struct value));
2163 	vp->tstamp = htonl(tstamp);
2164 	vp->fstamp = htonl(if_fstamp);
2165 	len = i2d_DSA_SIG(sdsa, NULL);
2166 	if (len <= 0) {
2167 		msyslog(LOG_ERR, "crypto_bob %s\n",
2168 		    ERR_error_string(ERR_get_error(), NULL));
2169 		DSA_SIG_free(sdsa);
2170 		return (XEVNT_PUB);
2171 	}
2172 	vp->vallen = htonl(len);
2173 	ptr = emalloc(len);
2174 	vp->ptr = ptr;
2175 	i2d_DSA_SIG(sdsa, &ptr);
2176 	DSA_SIG_free(sdsa);
2177 	vp->siglen = 0;
2178 	if (tstamp == 0)
2179 		return (XEVNT_OK);
2180 	vp->sig = emalloc(sign_siglen);
2181 	EVP_SignInit(&ctx, sign_digest);
2182 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2183 	EVP_SignUpdate(&ctx, vp->ptr, len);
2184 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
2185 		vp->siglen = htonl(len);
2186 	return (XEVNT_OK);
2187 }
2188 
2189 
2190 /*
2191  * crypto_iff - verify Bob's response to Alice's challenge
2192  *
2193  * Returns
2194  * XEVNT_OK	success
2195  * XEVNT_PUB	bad or missing public key
2196  * XEVNT_FSP	bad filestamp
2197  * XEVNT_ID	bad or missing identity parameters
2198  */
2199 int
2200 crypto_iff(
2201 	struct exten *ep,	/* extension pointer */
2202 	struct peer *peer	/* peer structure pointer */
2203 	)
2204 {
2205 	DSA	*dsa;		/* IFF parameters */
2206 	BN_CTX	*bctx;		/* BIGNUM context */
2207 	DSA_SIG	*sdsa;		/* DSA parameters */
2208 	BIGNUM	*bn, *bk;
2209 	u_int	len;
2210 	const u_char	*ptr;
2211 	int	temp;
2212 
2213 	/*
2214 	 * If the IFF parameters are not valid or no challenge was sent,
2215 	 * something awful happened or we are being tormented.
2216 	 */
2217 	if (peer->ident_pkey == NULL) {
2218 		msyslog(LOG_INFO, "crypto_iff: scheme unavailable");
2219 		return (XEVNT_PUB);
2220 	}
2221 	if (ntohl(ep->fstamp) != peer->fstamp) {
2222 		msyslog(LOG_INFO, "crypto_iff: invalid filestamp %u",
2223 		    ntohl(ep->fstamp));
2224 		return (XEVNT_FSP);
2225 	}
2226 	if ((dsa = peer->ident_pkey->pkey.dsa) == NULL) {
2227 		msyslog(LOG_INFO, "crypto_iff: defective key");
2228 		return (XEVNT_PUB);
2229 	}
2230 	if (peer->iffval == NULL) {
2231 		msyslog(LOG_INFO, "crypto_iff: missing challenge");
2232 		return (XEVNT_PUB);
2233 	}
2234 
2235 	/*
2236 	 * Extract the k + b r and g^k values from the response.
2237 	 */
2238 	bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
2239 	len = ntohl(ep->vallen);
2240 	ptr = (const u_char *)ep->pkt;
2241 	if ((sdsa = d2i_DSA_SIG(NULL, &ptr, len)) == NULL) {
2242 		msyslog(LOG_ERR, "crypto_iff %s\n",
2243 		    ERR_error_string(ERR_get_error(), NULL));
2244 		return (XEVNT_PUB);
2245 	}
2246 
2247 	/*
2248 	 * Compute g^(k + b r) g^(q - b)r mod p.
2249 	 */
2250 	BN_mod_exp(bn, dsa->pub_key, peer->iffval, dsa->p, bctx);
2251 	BN_mod_exp(bk, dsa->g, sdsa->r, dsa->p, bctx);
2252 	BN_mod_mul(bn, bn, bk, dsa->p, bctx);
2253 
2254 	/*
2255 	 * Verify the hash of the result matches hash(x).
2256 	 */
2257 	bighash(bn, bn);
2258 	temp = BN_cmp(bn, sdsa->s);
2259 	BN_free(bn); BN_free(bk); BN_CTX_free(bctx);
2260 	BN_free(peer->iffval);
2261 	peer->iffval = NULL;
2262 	DSA_SIG_free(sdsa);
2263 	if (temp == 0)
2264 		return (XEVNT_OK);
2265 	else
2266 		return (XEVNT_ID);
2267 }
2268 
2269 
2270 /*
2271  ***********************************************************************
2272  *								       *
2273  * The following routines implement the Guillou-Quisquater (GQ)        *
2274  * identity scheme                                                     *
2275  *								       *
2276  ***********************************************************************
2277  *
2278  * The Guillou-Quisquater (GQ) identity scheme is intended for use when
2279  * the ntp-genkeys program generates the certificates used in the
2280  * protocol and the group key can be conveyed in a certificate extension
2281  * field. The scheme is self contained and independent of new
2282  * generations of host keys, sign keys and certificates.
2283  *
2284  * The GQ identity scheme is based on RSA cryptography and algorithms
2285  * described in Stinson p. 300 (with errors). The GQ values hide in a
2286  * RSA cuckoo structure, but only the modulus is used. The 512-bit
2287  * public modulus is n = p q, where p and q are secret large primes. The
2288  * TA rolls random group key b disguised as a RSA structure member.
2289  * Except for the public key, these values are shared only among group
2290  * members and never revealed in messages.
2291  *
2292  * When rolling new certificates, Bob recomputes the private and
2293  * public keys. The private key u is a random roll, while the public key
2294  * is the inverse obscured by the group key v = (u^-1)^b. These values
2295  * replace the private and public keys normally generated by the RSA
2296  * scheme. Alice challenges Bob to confirm identity using the protocol
2297  * described below.
2298  *
2299  * How it works
2300  *
2301  * The scheme goes like this. Both Alice and Bob have the same modulus n
2302  * and some random b as the group key. These values are computed and
2303  * distributed in advance via secret means, although only the group key
2304  * b is truly secret. Each has a private random private key u and public
2305  * key (u^-1)^b, although not necessarily the same ones. Bob and Alice
2306  * can regenerate the key pair from time to time without affecting
2307  * operations. The public key is conveyed on the certificate in an
2308  * extension field; the private key is never revealed.
2309  *
2310  * Alice rolls new random challenge r and sends to Bob in the GQ
2311  * request message. Bob rolls new random k, then computes y = k u^r mod
2312  * n and x = k^b mod n and sends (y, hash(x)) to Alice in the response
2313  * message. Besides making the response shorter, the hash makes it
2314  * effectivey impossible for an intruder to solve for b by observing
2315  * a number of these messages.
2316  *
2317  * Alice receives the response and computes y^b v^r mod n. After a bit
2318  * of algebra, this simplifies to k^b. If the hash of this result
2319  * matches hash(x), Alice knows that Bob has the group key b. The signed
2320  * response binds this knowledge to Bob's private key and the public key
2321  * previously received in his certificate.
2322  *
2323  * crypto_alice2 - construct Alice's challenge in GQ scheme
2324  *
2325  * Returns
2326  * XEVNT_OK	success
2327  * XEVNT_PUB	bad or missing public key
2328  * XEVNT_ID	bad or missing identity parameters
2329  */
2330 static int
2331 crypto_alice2(
2332 	struct peer *peer,	/* peer pointer */
2333 	struct value *vp	/* value pointer */
2334 	)
2335 {
2336 	RSA	*rsa;		/* GQ parameters */
2337 	BN_CTX	*bctx;		/* BIGNUM context */
2338 	EVP_MD_CTX ctx;		/* signature context */
2339 	tstamp_t tstamp;
2340 	u_int	len;
2341 
2342 	/*
2343 	 * The identity parameters must have correct format and content.
2344 	 */
2345 	if (peer->ident_pkey == NULL)
2346 		return (XEVNT_ID);
2347 	if ((rsa = peer->ident_pkey->pkey.rsa) == NULL) {
2348 		msyslog(LOG_INFO, "crypto_alice2: defective key");
2349 		return (XEVNT_PUB);
2350 	}
2351 
2352 	/*
2353 	 * Roll new random r (0 < r < n). The OpenSSL library has a bug
2354 	 * omitting BN_rand_range, so we have to do it the hard way.
2355 	 */
2356 	bctx = BN_CTX_new();
2357 	len = BN_num_bytes(rsa->n);
2358 	if (peer->iffval != NULL)
2359 		BN_free(peer->iffval);
2360 	peer->iffval = BN_new();
2361 	BN_rand(peer->iffval, len * 8, -1, 1);	/* r mod n */
2362 	BN_mod(peer->iffval, peer->iffval, rsa->n, bctx);
2363 	BN_CTX_free(bctx);
2364 
2365 	/*
2366 	 * Sign and send to Bob. The filestamp is from the local file.
2367 	 */
2368 	tstamp = crypto_time();
2369 	memset(vp, 0, sizeof(struct value));
2370 	vp->tstamp = htonl(tstamp);
2371 	vp->fstamp = htonl(peer->fstamp);
2372 	vp->vallen = htonl(len);
2373 	vp->ptr = emalloc(len);
2374 	BN_bn2bin(peer->iffval, vp->ptr);
2375 	vp->siglen = 0;
2376 	if (tstamp == 0)
2377 		return (XEVNT_OK);
2378 	vp->sig = emalloc(sign_siglen);
2379 	EVP_SignInit(&ctx, sign_digest);
2380 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2381 	EVP_SignUpdate(&ctx, vp->ptr, len);
2382 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
2383 		vp->siglen = htonl(len);
2384 	return (XEVNT_OK);
2385 }
2386 
2387 
2388 /*
2389  * crypto_bob2 - construct Bob's response to Alice's challenge
2390  *
2391  * Returns
2392  * XEVNT_OK	success
2393  * XEVNT_PUB	bad or missing public key
2394  */
2395 static int
2396 crypto_bob2(
2397 	struct exten *ep,	/* extension pointer */
2398 	struct value *vp	/* value pointer */
2399 	)
2400 {
2401 	RSA	*rsa;		/* GQ parameters */
2402 	DSA_SIG	*sdsa;		/* DSA parameters */
2403 	BN_CTX	*bctx;		/* BIGNUM context */
2404 	EVP_MD_CTX ctx;		/* signature context */
2405 	tstamp_t tstamp;	/* NTP timestamp */
2406 	BIGNUM	*r, *k, *g, *y;
2407 	u_char	*ptr;
2408 	u_int	len;
2409 
2410 	/*
2411 	 * If the GQ parameters are not valid, something awful
2412 	 * happened or we are being tormented.
2413 	 */
2414 	if (!(crypto_flags & CRYPTO_FLAG_GQ)) {
2415 		msyslog(LOG_INFO, "crypto_bob2: scheme unavailable");
2416 		return (XEVNT_PUB);
2417 	}
2418 	rsa = gqpar_pkey->pkey.rsa;
2419 
2420 	/*
2421 	 * Extract r from the challenge.
2422 	 */
2423 	len = ntohl(ep->vallen);
2424 	if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
2425 		msyslog(LOG_ERR, "crypto_bob2 %s\n",
2426 		    ERR_error_string(ERR_get_error(), NULL));
2427 		return (XEVNT_PUB);
2428 	}
2429 
2430 	/*
2431 	 * Bob rolls random k (0 < k < n), computes y = k u^r mod n and
2432 	 * x = k^b mod n, then sends (y, hash(x)) to Alice.
2433 	 */
2434 	bctx = BN_CTX_new(); k = BN_new(); g = BN_new(); y = BN_new();
2435 	sdsa = DSA_SIG_new();
2436 	BN_rand(k, len * 8, -1, 1);		/* k */
2437 	BN_mod(k, k, rsa->n, bctx);
2438 	BN_mod_exp(y, rsa->p, r, rsa->n, bctx); /* u^r mod n */
2439 	BN_mod_mul(y, k, y, rsa->n, bctx);	/* k u^r mod n */
2440 	sdsa->r = BN_dup(y);
2441 	BN_mod_exp(g, k, rsa->e, rsa->n, bctx); /* k^b mod n */
2442 	bighash(g, g);
2443 	sdsa->s = BN_dup(g);
2444 	BN_CTX_free(bctx);
2445 	BN_free(r); BN_free(k); BN_free(g); BN_free(y);
2446 
2447 	/*
2448 	 * Encode the values in ASN.1 and sign.
2449 	 */
2450 	tstamp = crypto_time();
2451 	memset(vp, 0, sizeof(struct value));
2452 	vp->tstamp = htonl(tstamp);
2453 	vp->fstamp = htonl(gq_fstamp);
2454 	len = i2d_DSA_SIG(sdsa, NULL);
2455 	if (len <= 0) {
2456 		msyslog(LOG_ERR, "crypto_bob2 %s\n",
2457 		    ERR_error_string(ERR_get_error(), NULL));
2458 		DSA_SIG_free(sdsa);
2459 		return (XEVNT_PUB);
2460 	}
2461 	vp->vallen = htonl(len);
2462 	ptr = emalloc(len);
2463 	vp->ptr = ptr;
2464 	i2d_DSA_SIG(sdsa, &ptr);
2465 	DSA_SIG_free(sdsa);
2466 	vp->siglen = 0;
2467 	if (tstamp == 0)
2468 		return (XEVNT_OK);
2469 	vp->sig = emalloc(sign_siglen);
2470 	EVP_SignInit(&ctx, sign_digest);
2471 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2472 	EVP_SignUpdate(&ctx, vp->ptr, len);
2473 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
2474 		vp->siglen = htonl(len);
2475 	return (XEVNT_OK);
2476 }
2477 
2478 
2479 /*
2480  * crypto_gq - verify Bob's response to Alice's challenge
2481  *
2482  * Returns
2483  * XEVNT_OK	success
2484  * XEVNT_PUB	bad or missing public key
2485  * XEVNT_FSP	bad filestamp
2486  * XEVNT_ID	bad or missing identity parameters
2487  */
2488 int
2489 crypto_gq(
2490 	struct exten *ep,	/* extension pointer */
2491 	struct peer *peer	/* peer structure pointer */
2492 	)
2493 {
2494 	RSA	*rsa;		/* GQ parameters */
2495 	BN_CTX	*bctx;		/* BIGNUM context */
2496 	DSA_SIG	*sdsa;		/* RSA signature context fake */
2497 	BIGNUM	*y, *v;
2498 	const u_char	*ptr;
2499 	u_int	len;
2500 	int	temp;
2501 
2502 	/*
2503 	 * If the GQ parameters are not valid or no challenge was sent,
2504 	 * something awful happened or we are being tormented.
2505 	 */
2506 	if (peer->ident_pkey == NULL) {
2507 		msyslog(LOG_INFO, "crypto_gq: scheme unavailable");
2508 		return (XEVNT_PUB);
2509 	}
2510 	if (ntohl(ep->fstamp) != peer->fstamp) {
2511 		msyslog(LOG_INFO, "crypto_gq: invalid filestamp %u",
2512 		    ntohl(ep->fstamp));
2513 		return (XEVNT_FSP);
2514 	}
2515 	if ((rsa = peer->ident_pkey->pkey.rsa) == NULL) {
2516 		msyslog(LOG_INFO, "crypto_gq: defective key");
2517 		return (XEVNT_PUB);
2518 	}
2519 	if (peer->iffval == NULL) {
2520 		msyslog(LOG_INFO, "crypto_gq: missing challenge");
2521 		return (XEVNT_PUB);
2522 	}
2523 
2524 	/*
2525 	 * Extract the y = k u^r and hash(x = k^b) values from the
2526 	 * response.
2527 	 */
2528 	bctx = BN_CTX_new(); y = BN_new(); v = BN_new();
2529 	len = ntohl(ep->vallen);
2530 	ptr = (const u_char *)ep->pkt;
2531 	if ((sdsa = d2i_DSA_SIG(NULL, &ptr, len)) == NULL) {
2532 		msyslog(LOG_ERR, "crypto_gq %s\n",
2533 		    ERR_error_string(ERR_get_error(), NULL));
2534 		return (XEVNT_PUB);
2535 	}
2536 
2537 	/*
2538 	 * Compute v^r y^b mod n.
2539 	 */
2540 	BN_mod_exp(v, peer->grpkey, peer->iffval, rsa->n, bctx);
2541 						/* v^r mod n */
2542 	BN_mod_exp(y, sdsa->r, rsa->e, rsa->n, bctx); /* y^b mod n */
2543 	BN_mod_mul(y, v, y, rsa->n, bctx);	/* v^r y^b mod n */
2544 
2545 	/*
2546 	 * Verify the hash of the result matches hash(x).
2547 	 */
2548 	bighash(y, y);
2549 	temp = BN_cmp(y, sdsa->s);
2550 	BN_CTX_free(bctx); BN_free(y); BN_free(v);
2551 	BN_free(peer->iffval);
2552 	peer->iffval = NULL;
2553 	DSA_SIG_free(sdsa);
2554 	if (temp == 0)
2555 		return (XEVNT_OK);
2556 	else
2557 		return (XEVNT_ID);
2558 }
2559 
2560 
2561 /*
2562  ***********************************************************************
2563  *								       *
2564  * The following routines implement the Mu-Varadharajan (MV) identity  *
2565  * scheme                                                              *
2566  *								       *
2567  ***********************************************************************
2568  */
2569 /*
2570  * The Mu-Varadharajan (MV) cryptosystem was originally intended when
2571  * servers broadcast messages to clients, but clients never send
2572  * messages to servers. There is one encryption key for the server and a
2573  * separate decryption key for each client. It operated something like a
2574  * pay-per-view satellite broadcasting system where the session key is
2575  * encrypted by the broadcaster and the decryption keys are held in a
2576  * tamperproof set-top box.
2577  *
2578  * The MV parameters and private encryption key hide in a DSA cuckoo
2579  * structure which uses the same parameters, but generated in a
2580  * different way. The values are used in an encryption scheme similar to
2581  * El Gamal cryptography and a polynomial formed from the expansion of
2582  * product terms (x - x[j]), as described in Mu, Y., and V.
2583  * Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001,
2584  * 223-231. The paper has significant errors and serious omissions.
2585  *
2586  * Let q be the product of n distinct primes s'[j] (j = 1...n), where
2587  * each s'[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
2588  * that q and each s'[j] divide p - 1 and p has M = n * m + 1
2589  * significant bits. The elements x mod q of Zq with the elements 2 and
2590  * the primes removed form a field Zq* valid for polynomial arithetic.
2591  * Let g be a generator of Zp; that is, gcd(g, p - 1) = 1 and g^q = 1
2592  * mod p. We expect M to be in the 500-bit range and n relatively small,
2593  * like 25, so the likelihood of a randomly generated element of x mod q
2594  * of Zq colliding with a factor of p - 1 is very small and can be
2595  * avoided. Associated with each s'[j] is an element s[j] such that s[j]
2596  * s'[j] = s'[j] mod q. We find s[j] as the quotient (q + s'[j]) /
2597  * s'[j]. These are the parameters of the scheme and they are expensive
2598  * to compute.
2599  *
2600  * We set up an instance of the scheme as follows. A set of random
2601  * values x[j] mod q (j = 1...n), are generated as the zeros of a
2602  * polynomial of order n. The product terms (x - x[j]) are expanded to
2603  * form coefficients a[i] mod q (i = 0...n) in powers of x. These are
2604  * used as exponents of the generator g mod p to generate the private
2605  * encryption key A. The pair (gbar, ghat) of public server keys and the
2606  * pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used
2607  * to construct the decryption keys. The devil is in the details.
2608  *
2609  * The distinguishing characteristic of this scheme is the capability to
2610  * revoke keys. Included in the calculation of E, gbar and ghat is the
2611  * product s = prod(s'[j]) (j = 1...n) above. If the factor s'[j] is
2612  * subsequently removed from the product and E, gbar and ghat
2613  * recomputed, the jth client will no longer be able to compute E^-1 and
2614  * thus unable to decrypt the block.
2615  *
2616  * How it works
2617  *
2618  * The scheme goes like this. Bob has the server values (p, A, q, gbar,
2619  * ghat) and Alice the client values (p, xbar, xhat).
2620  *
2621  * Alice rolls new random challenge r (0 < r < p) and sends to Bob in
2622  * the MV request message. Bob rolls new random k (0 < k < q), encrypts
2623  * y = A^k mod p (a permutation) and sends (hash(y), gbar^k, ghat^k) to
2624  * Alice.
2625  *
2626  * Alice receives the response and computes the decryption key (the
2627  * inverse permutation) from previously obtained (xbar, xhat) and
2628  * (gbar^k, ghat^k) in the message. She computes the inverse, which is
2629  * unique by reasons explained in the ntp-keygen.c program sources. If
2630  * the hash of this result matches hash(y), Alice knows that Bob has the
2631  * group key b. The signed response binds this knowledge to Bob's
2632  * private key and the public key previously received in his
2633  * certificate.
2634  *
2635  * crypto_alice3 - construct Alice's challenge in MV scheme
2636  *
2637  * Returns
2638  * XEVNT_OK	success
2639  * XEVNT_PUB	bad or missing public key
2640  * XEVNT_ID	bad or missing identity parameters
2641  */
2642 static int
2643 crypto_alice3(
2644 	struct peer *peer,	/* peer pointer */
2645 	struct value *vp	/* value pointer */
2646 	)
2647 {
2648 	DSA	*dsa;		/* MV parameters */
2649 	BN_CTX	*bctx;		/* BIGNUM context */
2650 	EVP_MD_CTX ctx;		/* signature context */
2651 	tstamp_t tstamp;
2652 	u_int	len;
2653 
2654 	/*
2655 	 * The identity parameters must have correct format and content.
2656 	 */
2657 	if (peer->ident_pkey == NULL)
2658 		return (XEVNT_ID);
2659 	if ((dsa = peer->ident_pkey->pkey.dsa) == NULL) {
2660 		msyslog(LOG_INFO, "crypto_alice3: defective key");
2661 		return (XEVNT_PUB);
2662 	}
2663 
2664 	/*
2665 	 * Roll new random r (0 < r < q). The OpenSSL library has a bug
2666 	 * omitting BN_rand_range, so we have to do it the hard way.
2667 	 */
2668 	bctx = BN_CTX_new();
2669 	len = BN_num_bytes(dsa->p);
2670 	if (peer->iffval != NULL)
2671 		BN_free(peer->iffval);
2672 	peer->iffval = BN_new();
2673 	BN_rand(peer->iffval, len * 8, -1, 1);	/* r */
2674 	BN_mod(peer->iffval, peer->iffval, dsa->p, bctx);
2675 	BN_CTX_free(bctx);
2676 
2677 	/*
2678 	 * Sign and send to Bob. The filestamp is from the local file.
2679 	 */
2680 	tstamp = crypto_time();
2681 	memset(vp, 0, sizeof(struct value));
2682 	vp->tstamp = htonl(tstamp);
2683 	vp->fstamp = htonl(peer->fstamp);
2684 	vp->vallen = htonl(len);
2685 	vp->ptr = emalloc(len);
2686 	BN_bn2bin(peer->iffval, vp->ptr);
2687 	vp->siglen = 0;
2688 	if (tstamp == 0)
2689 		return (XEVNT_OK);
2690 	vp->sig = emalloc(sign_siglen);
2691 	EVP_SignInit(&ctx, sign_digest);
2692 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2693 	EVP_SignUpdate(&ctx, vp->ptr, len);
2694 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
2695 		vp->siglen = htonl(len);
2696 	return (XEVNT_OK);
2697 }
2698 
2699 
2700 /*
2701  * crypto_bob3 - construct Bob's response to Alice's challenge
2702  *
2703  * Returns
2704  * XEVNT_OK	success
2705  * XEVNT_PUB	bad or missing public key
2706  */
2707 static int
2708 crypto_bob3(
2709 	struct exten *ep,	/* extension pointer */
2710 	struct value *vp	/* value pointer */
2711 	)
2712 {
2713 	DSA	*dsa;		/* MV parameters */
2714 	DSA	*sdsa;		/* DSA signature context fake */
2715 	BN_CTX	*bctx;		/* BIGNUM context */
2716 	EVP_MD_CTX ctx;		/* signature context */
2717 	tstamp_t tstamp;	/* NTP timestamp */
2718 	BIGNUM	*r, *k, *u;
2719 	u_char	*ptr;
2720 	u_int	len;
2721 
2722 	/*
2723 	 * If the MV parameters are not valid, something awful
2724 	 * happened or we are being tormented.
2725 	 */
2726 	if (!(crypto_flags & CRYPTO_FLAG_MV)) {
2727 		msyslog(LOG_INFO, "crypto_bob3: scheme unavailable");
2728 		return (XEVNT_PUB);
2729 	}
2730 	dsa = mvpar_pkey->pkey.dsa;
2731 
2732 	/*
2733 	 * Extract r from the challenge.
2734 	 */
2735 	len = ntohl(ep->vallen);
2736 	if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
2737 		msyslog(LOG_ERR, "crypto_bob3 %s\n",
2738 		    ERR_error_string(ERR_get_error(), NULL));
2739 		return (XEVNT_PUB);
2740 	}
2741 
2742 	/*
2743 	 * Bob rolls random k (0 < k < q), making sure it is not a
2744 	 * factor of q. He then computes y = A^k r and sends (hash(y),
2745 	 * gbar^k, ghat^k) to Alice.
2746 	 */
2747 	bctx = BN_CTX_new(); k = BN_new(); u = BN_new();
2748 	sdsa = DSA_new();
2749 	sdsa->p = BN_new(); sdsa->q = BN_new(); sdsa->g = BN_new();
2750 	while (1) {
2751 		BN_rand(k, BN_num_bits(dsa->q), 0, 0);
2752 		BN_mod(k, k, dsa->q, bctx);
2753 		BN_gcd(u, k, dsa->q, bctx);
2754 		if (BN_is_one(u))
2755 			break;
2756 	}
2757 	BN_mod_exp(u, dsa->g, k, dsa->p, bctx); /* A r */
2758 	BN_mod_mul(u, u, r, dsa->p, bctx);
2759 	bighash(u, sdsa->p);
2760 	BN_mod_exp(sdsa->q, dsa->priv_key, k, dsa->p, bctx); /* gbar */
2761 	BN_mod_exp(sdsa->g, dsa->pub_key, k, dsa->p, bctx); /* ghat */
2762 	BN_CTX_free(bctx); BN_free(k); BN_free(r); BN_free(u);
2763 
2764 	/*
2765 	 * Encode the values in ASN.1 and sign.
2766 	 */
2767 	tstamp = crypto_time();
2768 	memset(vp, 0, sizeof(struct value));
2769 	vp->tstamp = htonl(tstamp);
2770 	vp->fstamp = htonl(mv_fstamp);
2771 	len = i2d_DSAparams(sdsa, NULL);
2772 	if (len <= 0) {
2773 		msyslog(LOG_ERR, "crypto_bob3 %s\n",
2774 		    ERR_error_string(ERR_get_error(), NULL));
2775 		DSA_free(sdsa);
2776 		return (XEVNT_PUB);
2777 	}
2778 	vp->vallen = htonl(len);
2779 	ptr = emalloc(len);
2780 	vp->ptr = ptr;
2781 	i2d_DSAparams(sdsa, &ptr);
2782 	DSA_free(sdsa);
2783 	vp->siglen = 0;
2784 	if (tstamp == 0)
2785 		return (XEVNT_OK);
2786 	vp->sig = emalloc(sign_siglen);
2787 	EVP_SignInit(&ctx, sign_digest);
2788 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2789 	EVP_SignUpdate(&ctx, vp->ptr, len);
2790 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
2791 		vp->siglen = htonl(len);
2792 	return (XEVNT_OK);
2793 }
2794 
2795 
2796 /*
2797  * crypto_mv - verify Bob's response to Alice's challenge
2798  *
2799  * Returns
2800  * XEVNT_OK	success
2801  * XEVNT_PUB	bad or missing public key
2802  * XEVNT_FSP	bad filestamp
2803  * XEVNT_ID	bad or missing identity parameters
2804  */
2805 int
2806 crypto_mv(
2807 	struct exten *ep,	/* extension pointer */
2808 	struct peer *peer	/* peer structure pointer */
2809 	)
2810 {
2811 	DSA	*dsa;		/* MV parameters */
2812 	DSA	*sdsa;		/* DSA parameters */
2813 	BN_CTX	*bctx;		/* BIGNUM context */
2814 	BIGNUM	*k, *u, *v;
2815 	u_int	len;
2816 	const u_char	*ptr;
2817 	int	temp;
2818 
2819 	/*
2820 	 * If the MV parameters are not valid or no challenge was sent,
2821 	 * something awful happened or we are being tormented.
2822 	 */
2823 	if (peer->ident_pkey == NULL) {
2824 		msyslog(LOG_INFO, "crypto_mv: scheme unavailable");
2825 		return (XEVNT_PUB);
2826 	}
2827 	if (ntohl(ep->fstamp) != peer->fstamp) {
2828 		msyslog(LOG_INFO, "crypto_mv: invalid filestamp %u",
2829 		    ntohl(ep->fstamp));
2830 		return (XEVNT_FSP);
2831 	}
2832 	if ((dsa = peer->ident_pkey->pkey.dsa) == NULL) {
2833 		msyslog(LOG_INFO, "crypto_mv: defective key");
2834 		return (XEVNT_PUB);
2835 	}
2836 	if (peer->iffval == NULL) {
2837 		msyslog(LOG_INFO, "crypto_mv: missing challenge");
2838 		return (XEVNT_PUB);
2839 	}
2840 
2841 	/*
2842 	 * Extract the (hash(y), gbar, ghat) values from the response.
2843 	 */
2844 	bctx = BN_CTX_new(); k = BN_new(); u = BN_new(); v = BN_new();
2845 	len = ntohl(ep->vallen);
2846 	ptr = (const u_char *)ep->pkt;
2847 	if ((sdsa = d2i_DSAparams(NULL, &ptr, len)) == NULL) {
2848 		msyslog(LOG_ERR, "crypto_mv %s\n",
2849 		    ERR_error_string(ERR_get_error(), NULL));
2850 		return (XEVNT_PUB);
2851 	}
2852 
2853 	/*
2854 	 * Compute (gbar^xhat ghat^xbar)^-1 mod p.
2855 	 */
2856 	BN_mod_exp(u, sdsa->q, dsa->pub_key, dsa->p, bctx);
2857 	BN_mod_exp(v, sdsa->g, dsa->priv_key, dsa->p, bctx);
2858 	BN_mod_mul(u, u, v, dsa->p, bctx);
2859 	BN_mod_inverse(u, u, dsa->p, bctx);
2860 	BN_mod_mul(v, u, peer->iffval, dsa->p, bctx);
2861 
2862 	/*
2863 	 * The result should match the hash of r mod p.
2864 	 */
2865 	bighash(v, v);
2866 	temp = BN_cmp(v, sdsa->p);
2867 	BN_CTX_free(bctx); BN_free(k); BN_free(u); BN_free(v);
2868 	BN_free(peer->iffval);
2869 	peer->iffval = NULL;
2870 	DSA_free(sdsa);
2871 	if (temp == 0)
2872 		return (XEVNT_OK);
2873 	else
2874 		return (XEVNT_ID);
2875 }
2876 
2877 
2878 /*
2879  ***********************************************************************
2880  *								       *
2881  * The following routines are used to manipulate certificates          *
2882  *								       *
2883  ***********************************************************************
2884  */
2885 /*
2886  * cert_parse - parse x509 certificate and create info/value structures.
2887  *
2888  * The server certificate includes the version number, issuer name,
2889  * subject name, public key and valid date interval. If the issuer name
2890  * is the same as the subject name, the certificate is self signed and
2891  * valid only if the server is configured as trustable. If the names are
2892  * different, another issuer has signed the server certificate and
2893  * vouched for it. In this case the server certificate is valid if
2894  * verified by the issuer public key.
2895  *
2896  * Returns certificate info/value pointer if valid, NULL if not.
2897  */
2898 struct cert_info *		/* certificate information structure */
2899 cert_parse(
2900 	u_char	*asn1cert,	/* X509 certificate */
2901 	u_int	len,		/* certificate length */
2902 	tstamp_t fstamp		/* filestamp */
2903 	)
2904 {
2905 	X509	*cert;		/* X509 certificate */
2906 	X509_EXTENSION *ext;	/* X509v3 extension */
2907 	struct cert_info *ret;	/* certificate info/value */
2908 	BIO	*bp;
2909 	X509V3_EXT_METHOD *method;
2910 	char	pathbuf[MAXFILENAME];
2911 	u_char	*uptr;
2912 	char	*ptr;
2913 	int	temp, cnt, i;
2914 
2915 	/*
2916 	 * Decode ASN.1 objects and construct certificate structure.
2917 	 */
2918 	uptr = asn1cert;
2919 	if ((cert = d2i_X509(NULL, &uptr, len)) == NULL) {
2920 		msyslog(LOG_ERR, "cert_parse %s\n",
2921 		    ERR_error_string(ERR_get_error(), NULL));
2922 		return (NULL);
2923 	}
2924 
2925 	/*
2926 	 * Extract version, subject name and public key.
2927 	 */
2928 	ret = emalloc(sizeof(struct cert_info));
2929 	memset(ret, 0, sizeof(struct cert_info));
2930 	if ((ret->pkey = X509_get_pubkey(cert)) == NULL) {
2931 		msyslog(LOG_ERR, "cert_parse %s\n",
2932 		    ERR_error_string(ERR_get_error(), NULL));
2933 		cert_free(ret);
2934 		X509_free(cert);
2935 		return (NULL);
2936 	}
2937 	ret->version = X509_get_version(cert);
2938 	X509_NAME_oneline(X509_get_subject_name(cert), pathbuf,
2939 	    MAXFILENAME - 1);
2940 	ptr = strstr(pathbuf, "CN=");
2941 	if (ptr == NULL) {
2942 		msyslog(LOG_INFO, "cert_parse: invalid subject %s",
2943 		    pathbuf);
2944 		cert_free(ret);
2945 		X509_free(cert);
2946 		return (NULL);
2947 	}
2948 	ret->subject = emalloc(strlen(ptr) + 1);
2949 	strcpy(ret->subject, ptr + 3);
2950 
2951 	/*
2952 	 * Extract remaining objects. Note that the NTP serial number is
2953 	 * the NTP seconds at the time of signing, but this might not be
2954 	 * the case for other authority. We don't bother to check the
2955 	 * objects at this time, since the real crunch can happen only
2956 	 * when the time is valid but not yet certificated.
2957 	 */
2958 	ret->nid = OBJ_obj2nid(cert->cert_info->signature->algorithm);
2959 	ret->digest = (const EVP_MD *)EVP_get_digestbynid(ret->nid);
2960 	ret->serial =
2961 	    (u_long)ASN1_INTEGER_get(X509_get_serialNumber(cert));
2962 	X509_NAME_oneline(X509_get_issuer_name(cert), pathbuf,
2963 	    MAXFILENAME);
2964 	if ((ptr = strstr(pathbuf, "CN=")) == NULL) {
2965 		msyslog(LOG_INFO, "cert_parse: invalid issuer %s",
2966 		    pathbuf);
2967 		cert_free(ret);
2968 		X509_free(cert);
2969 		return (NULL);
2970 	}
2971 	ret->issuer = emalloc(strlen(ptr) + 1);
2972 	strcpy(ret->issuer, ptr + 3);
2973 	ret->first = asn2ntp(X509_get_notBefore(cert));
2974 	ret->last = asn2ntp(X509_get_notAfter(cert));
2975 
2976 	/*
2977 	 * Extract extension fields. These are ad hoc ripoffs of
2978 	 * currently assigned functions and will certainly be changed
2979 	 * before prime time.
2980 	 */
2981 	cnt = X509_get_ext_count(cert);
2982 	for (i = 0; i < cnt; i++) {
2983 		ext = X509_get_ext(cert, i);
2984 		method = X509V3_EXT_get(ext);
2985 		temp = OBJ_obj2nid(ext->object);
2986 		switch (temp) {
2987 
2988 		/*
2989 		 * If a key_usage field is present, we decode whether
2990 		 * this is a trusted or private certificate. This is
2991 		 * dorky; all we want is to compare NIDs, but OpenSSL
2992 		 * insists on BIO text strings.
2993 		 */
2994 		case NID_ext_key_usage:
2995 			bp = BIO_new(BIO_s_mem());
2996 			X509V3_EXT_print(bp, ext, 0, 0);
2997 			BIO_gets(bp, pathbuf, MAXFILENAME);
2998 			BIO_free(bp);
2999 #if DEBUG
3000 			if (debug)
3001 				printf("cert_parse: %s: %s\n",
3002 				    OBJ_nid2ln(temp), pathbuf);
3003 #endif
3004 			if (strcmp(pathbuf, "Trust Root") == 0)
3005 				ret->flags |= CERT_TRUST;
3006 			else if (strcmp(pathbuf, "Private") == 0)
3007 				ret->flags |= CERT_PRIV;
3008 			break;
3009 
3010 		/*
3011 		 * If a NID_subject_key_identifier field is present, it
3012 		 * contains the GQ public key.
3013 		 */
3014 		case NID_subject_key_identifier:
3015 			ret->grplen = ext->value->length - 2;
3016 			ret->grpkey = emalloc(ret->grplen);
3017 			memcpy(ret->grpkey, &ext->value->data[2],
3018 			    ret->grplen);
3019 			break;
3020 		}
3021 	}
3022 
3023 	/*
3024 	 * If certificate is self signed, verify signature.
3025 	 */
3026 	if (strcmp(ret->subject, ret->issuer) == 0) {
3027 		if (!X509_verify(cert, ret->pkey)) {
3028 			msyslog(LOG_INFO,
3029 			    "cert_parse: invalid signature not verified %s",
3030 			    pathbuf);
3031 			cert_free(ret);
3032 			X509_free(cert);
3033 			return (NULL);
3034 		}
3035 	}
3036 
3037 	/*
3038 	 * Verify certificate valid times. Note that certificates cannot
3039 	 * be retroactive.
3040 	 */
3041 	if (ret->first > ret->last || ret->first < fstamp) {
3042 		msyslog(LOG_INFO,
3043 		    "cert_parse: expired %s",
3044 		    ret->subject);
3045 		cert_free(ret);
3046 		X509_free(cert);
3047 		return (NULL);
3048 	}
3049 
3050 	/*
3051 	 * Build the value structure to sign and send later.
3052 	 */
3053 	ret->cert.fstamp = htonl(fstamp);
3054 	ret->cert.vallen = htonl(len);
3055 	ret->cert.ptr = emalloc(len);
3056 	memcpy(ret->cert.ptr, asn1cert, len);
3057 #ifdef DEBUG
3058 	if (debug > 1)
3059 		X509_print_fp(stdout, cert);
3060 #endif
3061 	X509_free(cert);
3062 	return (ret);
3063 }
3064 
3065 
3066 /*
3067  * cert_sign - sign x509 certificate and update value structure.
3068  *
3069  * The certificate request is a copy of the client certificate, which
3070  * includes the version number, subject name and public key of the
3071  * client. The resulting certificate includes these values plus the
3072  * serial number, issuer name and validity interval of the server. The
3073  * validity interval extends from the current time to the same time one
3074  * year hence. For NTP purposes, it is convenient to use the NTP seconds
3075  * of the current time as the serial number.
3076  *
3077  * Returns
3078  * XEVNT_OK	success
3079  * XEVNT_PUB	bad or missing public key
3080  * XEVNT_CRT	bad or missing certificate
3081  * XEVNT_VFY	certificate not verified
3082  */
3083 static int
3084 cert_sign(
3085 	struct exten *ep,	/* extension field pointer */
3086 	struct value *vp	/* value pointer */
3087 	)
3088 {
3089 	X509	*req;		/* X509 certificate request */
3090 	X509	*cert;		/* X509 certificate */
3091 	X509_EXTENSION *ext;	/* certificate extension */
3092 	ASN1_INTEGER *serial;	/* serial number */
3093 	X509_NAME *subj;	/* distinguished (common) name */
3094 	EVP_PKEY *pkey;		/* public key */
3095 	EVP_MD_CTX ctx;		/* message digest context */
3096 	tstamp_t tstamp;	/* NTP timestamp */
3097 	u_int	len;
3098 	u_char	*ptr;
3099 	int	i, temp;
3100 
3101 	/*
3102 	 * Decode ASN.1 objects and construct certificate structure.
3103 	 */
3104 	tstamp = crypto_time();
3105 	if (tstamp == 0)
3106 		return (XEVNT_TSP);
3107 
3108 	ptr = (u_char *)ep->pkt;
3109 	if ((req = d2i_X509(NULL, &ptr, ntohl(ep->vallen))) == NULL) {
3110 		msyslog(LOG_ERR, "cert_sign %s\n",
3111 		    ERR_error_string(ERR_get_error(), NULL));
3112 		return (XEVNT_CRT);
3113 	}
3114 	/*
3115 	 * Extract public key and check for errors.
3116 	 */
3117 	if ((pkey = X509_get_pubkey(req)) == NULL) {
3118 		msyslog(LOG_ERR, "cert_sign %s\n",
3119 		    ERR_error_string(ERR_get_error(), NULL));
3120 		X509_free(req);
3121 		return (XEVNT_PUB);
3122 	}
3123 
3124 	/*
3125 	 * Generate X509 certificate signed by this server. For this
3126 	 * prupose the issuer name is the server name. Also copy any
3127 	 * extensions that might be present.
3128 	 */
3129 	cert = X509_new();
3130 	X509_set_version(cert, X509_get_version(req));
3131 	serial = ASN1_INTEGER_new();
3132 	ASN1_INTEGER_set(serial, tstamp);
3133 	X509_set_serialNumber(cert, serial);
3134 	X509_gmtime_adj(X509_get_notBefore(cert), 0L);
3135 	X509_gmtime_adj(X509_get_notAfter(cert), YEAR);
3136 	subj = X509_get_issuer_name(cert);
3137 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
3138 	    (unsigned char *) sys_hostname, strlen(sys_hostname), -1, 0);
3139 	subj = X509_get_subject_name(req);
3140 	X509_set_subject_name(cert, subj);
3141 	X509_set_pubkey(cert, pkey);
3142 	ext = X509_get_ext(req, 0);
3143 	temp = X509_get_ext_count(req);
3144 	for (i = 0; i < temp; i++) {
3145 		ext = X509_get_ext(req, i);
3146 		X509_add_ext(cert, ext, -1);
3147 	}
3148 	X509_free(req);
3149 
3150 	/*
3151 	 * Sign and verify the certificate.
3152 	 */
3153 	X509_sign(cert, sign_pkey, sign_digest);
3154 	if (!X509_verify(cert, sign_pkey)) {
3155 		printf("cert_sign\n%s\n",
3156 		    ERR_error_string(ERR_get_error(), NULL));
3157 		X509_free(cert);
3158 		return (XEVNT_VFY);
3159 	}
3160 	len = i2d_X509(cert, NULL);
3161 
3162 	/*
3163 	 * Build and sign the value structure. We have to sign it here,
3164 	 * since the response has to be returned right away. This is a
3165 	 * clogging hazard.
3166 	 */
3167 	memset(vp, 0, sizeof(struct value));
3168 	vp->tstamp = htonl(tstamp);
3169 	vp->fstamp = ep->fstamp;
3170 	vp->vallen = htonl(len);
3171 	vp->ptr = emalloc(len);
3172 	ptr = vp->ptr;
3173 	i2d_X509(cert, &ptr);
3174 	vp->siglen = 0;
3175 	vp->sig = emalloc(sign_siglen);
3176 	EVP_SignInit(&ctx, sign_digest);
3177 	EVP_SignUpdate(&ctx, (u_char *)vp, 12);
3178 	EVP_SignUpdate(&ctx, vp->ptr, len);
3179 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
3180 		vp->siglen = htonl(len);
3181 #ifdef DEBUG
3182 	if (debug > 1)
3183 		X509_print_fp(stdout, cert);
3184 #endif
3185 	X509_free(cert);
3186 	return (XEVNT_OK);
3187 }
3188 
3189 
3190 /*
3191  * cert_valid - verify certificate with given public key
3192  *
3193  * This is pretty ugly, as the certificate has to be verified in the
3194  * OpenSSL X509 structure, not in the DER format in the info/value
3195  * structure.
3196  *
3197  * Returns
3198  * XEVNT_OK	success
3199  * XEVNT_VFY	certificate not verified
3200  */
3201 int
3202 cert_valid(
3203 	struct cert_info *cinf,	/* certificate information structure */
3204 	EVP_PKEY *pkey		/* public key */
3205 	)
3206 {
3207 	X509	*cert;		/* X509 certificate */
3208 	u_char	*ptr;
3209 
3210 	if (cinf->flags & CERT_SIGN)
3211 		return (XEVNT_OK);
3212 	ptr = (u_char *)cinf->cert.ptr;
3213 	cert = d2i_X509(NULL, &ptr, ntohl(cinf->cert.vallen));
3214 	if (!X509_verify(cert, pkey))
3215 		return (XEVNT_VFY);
3216 	cinf->flags |= CERT_SIGN;
3217 	X509_free(cert);
3218 	return (XEVNT_OK);
3219 }
3220 
3221 
3222 /*
3223  * cert - install certificate in certificate list
3224  *
3225  * This routine encodes an extension field into a certificate info/value
3226  * structure. It searches the certificate list for duplicates and
3227  * expunges whichever is older. It then searches the list for other
3228  * certificates that might be verified by this latest one. Finally, it
3229  * inserts this certificate first on the list.
3230  *
3231  * Returns
3232  * XEVNT_OK	success
3233  * XEVNT_PER	certificate expired
3234  * XEVNT_CRT	bad or missing certificate
3235  */
3236 int
3237 cert_install(
3238 	struct exten *ep,	/* cert info/value */
3239 	struct peer *peer	/* peer structure */
3240 	)
3241 {
3242 	struct cert_info *cp, *xp, *yp, **zp;
3243 	int	rval;
3244 	tstamp_t tstamp;
3245 
3246 	/*
3247 	 * Parse and validate the signed certificate. If valid,
3248 	 * construct the info/value structure; otherwise, scamper home.
3249 	 * Note this allows a certificate not-before time to be in the
3250 	 * future, but not a not-after time to be in the past.
3251 	 */
3252 	if ((cp = cert_parse((u_char *)ep->pkt, ntohl(ep->vallen),
3253 	    ntohl(ep->fstamp))) == NULL)
3254 		return (XEVNT_CRT);
3255 
3256 	tstamp = crypto_time();
3257 	if (tstamp > cp->last) {
3258 		cert_free(cp);
3259 		return (XEVNT_PER);
3260 	}
3261 
3262 	/*
3263 	 * Scan certificate list looking for another certificate with
3264 	 * the same subject and issuer. If another is found with the
3265 	 * same or older filestamp, unlink it and return the goodies to
3266 	 * the heap. If another is found with a later filetsamp, discard
3267 	 * the new one and leave the building.
3268 	 */
3269 	rval = XEVNT_OK;
3270 	yp = cp;
3271 	zp = &cinfo;
3272 	for (xp = cinfo; xp != NULL; xp = xp->link) {
3273 		if (strcmp(cp->subject, xp->subject) == 0 &&
3274 		    strcmp(cp->issuer, xp->issuer) == 0) {
3275 			if (ntohl(cp->cert.fstamp) <=
3276 			    ntohl(xp->cert.fstamp)) {
3277 				*zp = xp->link;;
3278 				cert_free(xp);
3279 			} else {
3280 				cert_free(cp);
3281 				return (XEVNT_TSP);
3282 			}
3283 			break;
3284 		}
3285 		zp = &xp->link;
3286 	}
3287 	yp->link = cinfo;
3288 	cinfo = yp;
3289 
3290 	/*
3291 	 * Scan the certificate list to see if Y is signed by X.
3292 	 */
3293 	for (yp = cinfo; yp != NULL; yp = yp->link) {
3294 		for (xp = cinfo; xp != NULL; xp = xp->link) {
3295 			if (yp->flags & CERT_ERROR)
3296 				continue;
3297 
3298 			/*
3299 			 * If issuer Y matches subject X and signature Y
3300 			 * is valid using public key X, then Y is valid.
3301 			 */
3302 			if (strcmp(yp->issuer, xp->subject) != 0)
3303 				continue;
3304 
3305 			if (cert_valid(yp, xp->pkey) != XEVNT_OK) {
3306 				yp->flags |= CERT_ERROR;
3307 				continue;
3308 			}
3309 			xp->flags |= CERT_SIGN;
3310 
3311 			/*
3312 			 * If X is trusted, then Y is trusted. Note that
3313 			 * we might stumble over a self signed
3314 			 * certificate that is not trusted, at least
3315 			 * temporarily. This can happen when a dude
3316 			 * first comes up, but has not synchronized the
3317 			 * clock and had its certificate signed by its
3318 			 * server. In case of broken certificate trail,
3319 			 * this might result in a loop that could
3320 			 * persist until timeout.
3321 			 */
3322 			if (!(xp->flags & CERT_TRUST))
3323 				continue;
3324 
3325 			yp->flags |= CERT_TRUST;
3326 
3327 			/*
3328 			 * If subject Y matches the server subject name,
3329 			 * then Y has completed the certificate trail.
3330 			 * Save the group key and light the valid bit.
3331 			 */
3332 			if (strcmp(yp->subject, peer->subject) != 0)
3333 				continue;
3334 
3335 			if (yp->grpkey != NULL) {
3336 				if (peer->grpkey != NULL)
3337 					BN_free(peer->grpkey);
3338 				peer->grpkey = BN_bin2bn(yp->grpkey,
3339 				     yp->grplen, NULL);
3340 			}
3341 			peer->crypto |= CRYPTO_FLAG_VALID;
3342 
3343 			/*
3344 			 * If the server has an an identity scheme,
3345 			 * fetch the identity credentials. If not, the
3346 			 * identity is verified only by the trusted
3347 			 * certificate. The next signature will set the
3348 			 * server proventic.
3349 			 */
3350 			if (peer->crypto & (CRYPTO_FLAG_GQ |
3351 			    CRYPTO_FLAG_IFF | CRYPTO_FLAG_MV))
3352 				continue;
3353 
3354 			peer->crypto |= CRYPTO_FLAG_VRFY;
3355 		}
3356 	}
3357 
3358 	/*
3359 	 * That was awesome. Now update the timestamps and signatures.
3360 	 */
3361 	crypto_update();
3362 	return (rval);
3363 }
3364 
3365 
3366 /*
3367  * cert_free - free certificate information structure
3368  */
3369 void
3370 cert_free(
3371 	struct cert_info *cinf	/* certificate info/value structure */
3372 	)
3373 {
3374 	if (cinf->pkey != NULL)
3375 		EVP_PKEY_free(cinf->pkey);
3376 	if (cinf->subject != NULL)
3377 		free(cinf->subject);
3378 	if (cinf->issuer != NULL)
3379 		free(cinf->issuer);
3380 	if (cinf->grpkey != NULL)
3381 		free(cinf->grpkey);
3382 	value_free(&cinf->cert);
3383 	free(cinf);
3384 }
3385 
3386 
3387 /*
3388  ***********************************************************************
3389  *								       *
3390  * The following routines are used only at initialization time         *
3391  *								       *
3392  ***********************************************************************
3393  */
3394 /*
3395  * crypto_key - load cryptographic parameters and keys from files
3396  *
3397  * This routine loads a PEM-encoded public/private key pair and extracts
3398  * the filestamp from the file name.
3399  *
3400  * Returns public key pointer if valid, NULL if not. Side effect updates
3401  * the filestamp if valid.
3402  */
3403 static EVP_PKEY *
3404 crypto_key(
3405 	char	*cp,		/* file name */
3406 	tstamp_t *fstamp	/* filestamp */
3407 	)
3408 {
3409 	FILE	*str;		/* file handle */
3410 	EVP_PKEY *pkey = NULL;	/* public/private key */
3411 	char	filename[MAXFILENAME]; /* name of key file */
3412 	char	linkname[MAXFILENAME]; /* filestamp buffer) */
3413 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
3414 	char	*ptr;
3415 
3416 	/*
3417 	 * Open the key file. If the first character of the file name is
3418 	 * not '/', prepend the keys directory string. If something goes
3419 	 * wrong, abandon ship.
3420 	 */
3421 	if (*cp == '/')
3422 		strcpy(filename, cp);
3423 	else
3424 		snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
3425 	str = fopen(filename, "r");
3426 	if (str == NULL)
3427 		return (NULL);
3428 
3429 	/*
3430 	 * Read the filestamp, which is contained in the first line.
3431 	 */
3432 	if ((ptr = fgets(linkname, MAXFILENAME, str)) == NULL) {
3433 		msyslog(LOG_ERR, "crypto_key: no data %s\n",
3434 		    filename);
3435 		return (NULL);
3436 	}
3437 	if ((ptr = strrchr(ptr, '.')) == NULL) {
3438 		msyslog(LOG_ERR, "crypto_key: no filestamp %s\n",
3439 		    filename);
3440 		return (NULL);
3441 	}
3442 	if (sscanf(++ptr, "%u", fstamp) != 1) {
3443 		msyslog(LOG_ERR, "crypto_key: invalid timestamp %s\n",
3444 		    filename);
3445 		return (NULL);
3446 	}
3447 
3448 	/*
3449 	 * Read and decrypt PEM-encoded private key.
3450 	 */
3451 	pkey = PEM_read_PrivateKey(str, NULL, NULL, passwd);
3452 	fclose(str);
3453 	if (pkey == NULL) {
3454 		msyslog(LOG_ERR, "crypto_key %s\n",
3455 		    ERR_error_string(ERR_get_error(), NULL));
3456 		return (NULL);
3457 	}
3458 
3459 	/*
3460 	 * Leave tracks in the cryptostats.
3461 	 */
3462 	if ((ptr = strrchr(linkname, '\n')) != NULL)
3463 		*ptr = '\0';
3464 	sprintf(statstr, "%s mod %d", &linkname[2],
3465 	    EVP_PKEY_size(pkey) * 8);
3466 	record_crypto_stats(NULL, statstr);
3467 #ifdef DEBUG
3468 	if (debug)
3469 		printf("crypto_key: %s\n", statstr);
3470 	if (debug > 1) {
3471 		if (EVP_MD_type(pkey) == EVP_PKEY_DSA)
3472 			DSA_print_fp(stdout, pkey->pkey.dsa, 0);
3473 		else
3474 			RSA_print_fp(stdout, pkey->pkey.rsa, 0);
3475 	}
3476 #endif
3477 	return (pkey);
3478 }
3479 
3480 
3481 /*
3482  * crypto_cert - load certificate from file
3483  *
3484  * This routine loads a X.509 RSA or DSA certificate from a file and
3485  * constructs a info/cert value structure for this machine. The
3486  * structure includes a filestamp extracted from the file name. Later
3487  * the certificate can be sent to another machine by request.
3488  *
3489  * Returns certificate info/value pointer if valid, NULL if not.
3490  */
3491 static struct cert_info *	/* certificate information */
3492 crypto_cert(
3493 	char	*cp		/* file name */
3494 	)
3495 {
3496 	struct cert_info *ret; /* certificate information */
3497 	FILE	*str;		/* file handle */
3498 	char	filename[MAXFILENAME]; /* name of certificate file */
3499 	char	linkname[MAXFILENAME]; /* filestamp buffer */
3500 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
3501 	tstamp_t fstamp;	/* filestamp */
3502 	long	len;
3503 	char	*ptr;
3504 	char	*name, *header;
3505 	u_char	*data;
3506 
3507 	/*
3508 	 * Open the certificate file. If the first character of the file
3509 	 * name is not '/', prepend the keys directory string. If
3510 	 * something goes wrong, abandon ship.
3511 	 */
3512 	if (*cp == '/')
3513 		strcpy(filename, cp);
3514 	else
3515 		snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
3516 	str = fopen(filename, "r");
3517 	if (str == NULL)
3518 		return (NULL);
3519 
3520 	/*
3521 	 * Read the filestamp, which is contained in the first line.
3522 	 */
3523 	if ((ptr = fgets(linkname, MAXFILENAME, str)) == NULL) {
3524 		msyslog(LOG_ERR, "crypto_cert: no data %s\n",
3525 		    filename);
3526 		return (NULL);
3527 	}
3528 	if ((ptr = strrchr(ptr, '.')) == NULL) {
3529 		msyslog(LOG_ERR, "crypto_cert: no filestamp %s\n",
3530 		    filename);
3531 		return (NULL);
3532 	}
3533 	if (sscanf(++ptr, "%u", &fstamp) != 1) {
3534 		msyslog(LOG_ERR, "crypto_cert: invalid filestamp %s\n",
3535 		    filename);
3536 		return (NULL);
3537 	}
3538 
3539 	/*
3540 	 * Read PEM-encoded certificate and install.
3541 	 */
3542 	if (!PEM_read(str, &name, &header, &data, &len)) {
3543 		msyslog(LOG_ERR, "crypto_cert %s\n",
3544 		    ERR_error_string(ERR_get_error(), NULL));
3545 		return (NULL);
3546 	}
3547 	free(header);
3548 	if (strcmp(name, "CERTIFICATE") !=0) {
3549 		msyslog(LOG_INFO, "crypto_cert: wrong PEM type %s",
3550 		    name);
3551 		free(name);
3552 		free(data);
3553 		return (NULL);
3554 	}
3555 	free(name);
3556 
3557 	/*
3558 	 * Parse certificate and generate info/value structure.
3559 	 */
3560 	ret = cert_parse(data, len, fstamp);
3561 	free(data);
3562 	if (ret == NULL)
3563 		return (NULL);
3564 	if ((ptr = strrchr(linkname, '\n')) != NULL)
3565 		*ptr = '\0';
3566 	sprintf(statstr, "%s 0x%x len %lu", &linkname[2], ret->flags,
3567 	    len);
3568 	record_crypto_stats(NULL, statstr);
3569 #ifdef DEBUG
3570 	if (debug)
3571 		printf("crypto_cert: %s\n", statstr);
3572 #endif
3573 	return (ret);
3574 }
3575 
3576 
3577 /*
3578  * crypto_tai - load leapseconds table from file
3579  *
3580  * This routine loads the ERTS leapsecond file in NIST text format,
3581  * converts to a value structure and extracts a filestamp from the file
3582  * name. The data are used to establish the TAI offset from UTC, which
3583  * is provided to the kernel if supported. Later the data can be sent to
3584  * another machine on request.
3585  */
3586 static void
3587 crypto_tai(
3588 	char	*cp		/* file name */
3589 	)
3590 {
3591 	FILE	*str;		/* file handle */
3592 	char	buf[NTP_MAXSTRLEN];	/* file line buffer */
3593 	u_int	leapsec[MAX_LEAP]; /* NTP time at leaps */
3594 	u_int	offset;		/* offset at leap (s) */
3595 	char	filename[MAXFILENAME]; /* name of leapseconds file */
3596 	char	linkname[MAXFILENAME]; /* file link (for filestamp) */
3597 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
3598 	tstamp_t fstamp;	/* filestamp */
3599 	u_int	len;
3600 	char	*ptr;
3601 	int	rval, i;
3602 #ifdef KERNEL_PLL
3603 #if NTP_API > 3
3604 	struct timex ntv;	/* kernel interface structure */
3605 #endif /* NTP_API */
3606 #endif /* KERNEL_PLL */
3607 
3608 	/*
3609 	 * Open the file and discard comment lines. If the first
3610 	 * character of the file name is not '/', prepend the keys
3611 	 * directory string. If the file is not found, not to worry; it
3612 	 * can be retrieved over the net. But, if it is found with
3613 	 * errors, we crash and burn.
3614 	 */
3615 	if (*cp == '/')
3616 		strcpy(filename, cp);
3617 	else
3618 		snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
3619 	if ((str = fopen(filename, "r")) == NULL)
3620 		return;
3621 
3622 	/*
3623 	 * Extract filestamp if present.
3624 	 */
3625 	rval = readlink(filename, linkname, MAXFILENAME - 1);
3626 	if (rval > 0) {
3627 		linkname[rval] = '\0';
3628 		ptr = strrchr(linkname, '.');
3629 	} else {
3630 		ptr = strrchr(filename, '.');
3631 	}
3632 	if (ptr != NULL)
3633 		sscanf(++ptr, "%u", &fstamp);
3634 	else
3635 		fstamp = 0;
3636 	tai_leap.fstamp = htonl(fstamp);
3637 
3638 	/*
3639 	 * We are rather paranoid here, since an intruder might cause a
3640 	 * coredump by infiltrating naughty values. Empty lines and
3641 	 * comments are ignored. Other lines must begin with two
3642 	 * integers followed by junk or comments. The first integer is
3643 	 * the NTP seconds of leap insertion, the second is the offset
3644 	 * of TAI relative to UTC after that insertion. The second word
3645 	 * must equal the initial insertion of ten seconds on 1 January
3646 	 * 1972 plus one second for each succeeding insertion.
3647 	 */
3648 	i = 0;
3649 	while (i < MAX_LEAP) {
3650 		ptr = fgets(buf, NTP_MAXSTRLEN - 1, str);
3651 		if (ptr == NULL)
3652 			break;
3653 		if (strlen(buf) < 1)
3654 			continue;
3655 		if (*buf == '#')
3656 			continue;
3657 		if (sscanf(buf, "%u %u", &leapsec[i], &offset) != 2)
3658 			continue;
3659 		if (i != (int)(offset - TAI_1972)) {
3660 			break;
3661 		}
3662 		i++;
3663 	}
3664 	fclose(str);
3665 	if (ptr != NULL) {
3666 		msyslog(LOG_INFO,
3667 		    "crypto_tai: leapseconds file %s error %d", cp,
3668 		    rval);
3669 		exit (-1);
3670 	}
3671 
3672 	/*
3673 	 * The extension field table entries consists of the NTP seconds
3674 	 * of leap insertion in reverse order, so that the most recent
3675 	 * insertion is the first entry in the table.
3676 	 */
3677 	len = i * 4;
3678 	tai_leap.vallen = htonl(len);
3679 	ptr = emalloc(len);
3680 	tai_leap.ptr = (unsigned char *) ptr;
3681 	for (; i >= 0; i--) {
3682 		*ptr++ = (char) htonl(leapsec[i]);
3683 	}
3684 	crypto_flags |= CRYPTO_FLAG_TAI;
3685 	sys_tai = len / 4 + TAI_1972 - 1;
3686 #ifdef KERNEL_PLL
3687 #if NTP_API > 3
3688 	ntv.modes = MOD_TAI;
3689 	ntv.constant = sys_tai;
3690 	if (ntp_adjtime(&ntv) == TIME_ERROR)
3691 		msyslog(LOG_INFO,
3692 		    "crypto_tai: kernel TAI update failed");
3693 #endif /* NTP_API */
3694 #endif /* KERNEL_PLL */
3695 	sprintf(statstr, "%s link %d fs %u offset %u", cp, rval, fstamp,
3696 	    ntohl(tai_leap.vallen) / 4 + TAI_1972 - 1);
3697 	record_crypto_stats(NULL, statstr);
3698 #ifdef DEBUG
3699 	if (debug)
3700 		printf("crypto_tai: %s\n", statstr);
3701 #endif
3702 }
3703 
3704 
3705 /*
3706  * crypto_setup - load keys, certificate and leapseconds table
3707  *
3708  * This routine loads the public/private host key and certificate. If
3709  * available, it loads the public/private sign key, which defaults to
3710  * the host key, and leapseconds table. The host key must be RSA, but
3711  * the sign key can be either RSA or DSA. In either case, the public key
3712  * on the certificate must agree with the sign key.
3713  */
3714 void
3715 crypto_setup(void)
3716 {
3717 	EVP_PKEY *pkey;		/* private/public key pair */
3718 	char	filename[MAXFILENAME]; /* file name buffer */
3719 	l_fp	seed;		/* crypto PRNG seed as NTP timestamp */
3720 	tstamp_t fstamp;	/* filestamp */
3721 	tstamp_t sstamp;	/* sign filestamp */
3722 	u_int	len, bytes;
3723 	u_char	*ptr;
3724 
3725 	/*
3726 	 * Initialize structures.
3727 	 */
3728 	if (!crypto_flags)
3729 		return;
3730 	gethostname(filename, MAXFILENAME);
3731 	bytes = strlen(filename) + 1;
3732 	sys_hostname = emalloc(bytes);
3733 	memcpy(sys_hostname, filename, bytes);
3734 	if (passwd == NULL)
3735 		passwd = sys_hostname;
3736 	memset(&hostval, 0, sizeof(hostval));
3737 	memset(&pubkey, 0, sizeof(pubkey));
3738 	memset(&tai_leap, 0, sizeof(tai_leap));
3739 
3740 	/*
3741 	 * Load required random seed file and seed the random number
3742 	 * generator. Be default, it is found in the user home
3743 	 * directory. The root home directory may be / or /root,
3744 	 * depending on the system. Wiggle the contents a bit and write
3745 	 * it back so the sequence does not repeat when we next restart.
3746 	 */
3747 	ERR_load_crypto_strings();
3748 	if (rand_file == NULL) {
3749 		if ((RAND_file_name(filename, MAXFILENAME)) != NULL) {
3750 			rand_file = emalloc(strlen(filename) + 1);
3751 			strcpy(rand_file, filename);
3752 		}
3753 	} else if (*rand_file != '/') {
3754 		snprintf(filename, MAXFILENAME, "%s/%s", keysdir,
3755 		    rand_file);
3756 		free(rand_file);
3757 		rand_file = emalloc(strlen(filename) + 1);
3758 		strcpy(rand_file, filename);
3759 	}
3760 	if (rand_file == NULL) {
3761 		msyslog(LOG_ERR,
3762 		    "crypto_setup: random seed file not specified");
3763 		exit (-1);
3764 	}
3765 	if ((bytes = RAND_load_file(rand_file, -1)) == 0) {
3766 		msyslog(LOG_ERR,
3767 		    "crypto_setup: random seed file %s not found\n",
3768 		    rand_file);
3769 		exit (-1);
3770 	}
3771 	get_systime(&seed);
3772 	RAND_seed(&seed, sizeof(l_fp));
3773 	RAND_write_file(rand_file);
3774 	OpenSSL_add_all_algorithms();
3775 #ifdef DEBUG
3776 	if (debug)
3777 		printf(
3778 		    "crypto_setup: OpenSSL version %lx random seed file %s bytes read %d\n",
3779 		    SSLeay(), rand_file, bytes);
3780 #endif
3781 
3782 	/*
3783 	 * Load required host key from file "ntpkey_host_<hostname>". It
3784 	 * also becomes the default sign key.
3785 	 */
3786 	if (host_file == NULL) {
3787 		snprintf(filename, MAXFILENAME, "ntpkey_host_%s",
3788 		    sys_hostname);
3789 		host_file = emalloc(strlen(filename) + 1);
3790 		strcpy(host_file, filename);
3791 	}
3792 	pkey = crypto_key(host_file, &fstamp);
3793 	if (pkey == NULL) {
3794 		msyslog(LOG_ERR,
3795 		    "crypto_setup: host key file %s not found or corrupt",
3796 		    host_file);
3797 		exit (-1);
3798 	}
3799 	host_pkey = pkey;
3800 	sign_pkey = pkey;
3801 	sstamp = fstamp;
3802 	hostval.fstamp = htonl(fstamp);
3803 	if (EVP_MD_type(host_pkey) != EVP_PKEY_RSA) {
3804 		msyslog(LOG_ERR,
3805 		    "crypto_setup: host key is not RSA key type");
3806 		exit (-1);
3807 	}
3808 	hostval.vallen = htonl(strlen(sys_hostname));
3809 	hostval.ptr = (unsigned char *) sys_hostname;
3810 
3811 	/*
3812 	 * Construct public key extension field for agreement scheme.
3813 	 */
3814 	len = i2d_PublicKey(host_pkey, NULL);
3815 	ptr = emalloc(len);
3816 	pubkey.ptr = ptr;
3817 	i2d_PublicKey(host_pkey, &ptr);
3818 	pubkey.vallen = htonl(len);
3819 	pubkey.fstamp = hostval.fstamp;
3820 
3821 	/*
3822 	 * Load optional sign key from file "ntpkey_sign_<hostname>". If
3823 	 * loaded, it becomes the sign key.
3824 	 */
3825 	if (sign_file == NULL) {
3826 		snprintf(filename, MAXFILENAME, "ntpkey_sign_%s",
3827 		    sys_hostname);
3828 		sign_file = emalloc(strlen(filename) + 1);
3829 		strcpy(sign_file, filename);
3830 	}
3831 	pkey = crypto_key(sign_file, &fstamp);
3832 	if (pkey != NULL) {
3833 		sign_pkey = pkey;
3834 		sstamp = fstamp;
3835 	}
3836 	sign_siglen = EVP_PKEY_size(sign_pkey);
3837 
3838 	/*
3839 	 * Load optional IFF parameters from file
3840 	 * "ntpkey_iff_<hostname>".
3841 	 */
3842 	if (iffpar_file == NULL) {
3843 		snprintf(filename, MAXFILENAME, "ntpkey_iff_%s",
3844 		    sys_hostname);
3845 		iffpar_file = emalloc(strlen(filename) + 1);
3846 		strcpy(iffpar_file, filename);
3847 	}
3848 	iffpar_pkey = crypto_key(iffpar_file, &if_fstamp);
3849 	if (iffpar_pkey != NULL)
3850 		crypto_flags |= CRYPTO_FLAG_IFF;
3851 
3852 	/*
3853 	 * Load optional GQ parameters from file "ntpkey_gq_<hostname>".
3854 	 */
3855 	if (gqpar_file == NULL) {
3856 		snprintf(filename, MAXFILENAME, "ntpkey_gq_%s",
3857 		    sys_hostname);
3858 		gqpar_file = emalloc(strlen(filename) + 1);
3859 		strcpy(gqpar_file, filename);
3860 	}
3861 	gqpar_pkey = crypto_key(gqpar_file, &gq_fstamp);
3862 	if (gqpar_pkey != NULL)
3863 		crypto_flags |= CRYPTO_FLAG_GQ;
3864 
3865 	/*
3866 	 * Load optional MV parameters from file "ntpkey_mv_<hostname>".
3867 	 */
3868 	if (mvpar_file == NULL) {
3869 		snprintf(filename, MAXFILENAME, "ntpkey_mv_%s",
3870 		    sys_hostname);
3871 		mvpar_file = emalloc(strlen(filename) + 1);
3872 		strcpy(mvpar_file, filename);
3873 	}
3874 	mvpar_pkey = crypto_key(mvpar_file, &mv_fstamp);
3875 	if (mvpar_pkey != NULL)
3876 		crypto_flags |= CRYPTO_FLAG_MV;
3877 
3878 	/*
3879 	 * Load required certificate from file "ntpkey_cert_<hostname>".
3880 	 */
3881 	if (cert_file == NULL) {
3882 		snprintf(filename, MAXFILENAME, "ntpkey_cert_%s",
3883 		    sys_hostname);
3884 		cert_file = emalloc(strlen(filename) + 1);
3885 		strcpy(cert_file, filename);
3886 	}
3887 	if ((cinfo = crypto_cert(cert_file)) == NULL) {
3888 		msyslog(LOG_ERR,
3889 		    "certificate file %s not found or corrupt",
3890 		    cert_file);
3891 		exit (-1);
3892 	}
3893 
3894 	/*
3895 	 * The subject name must be the same as the host name, unless
3896 	 * the certificate is private, in which case it may have come
3897 	 * from another host.
3898 	 */
3899 	if (!(cinfo->flags & CERT_PRIV) && strcmp(cinfo->subject,
3900 	    sys_hostname) != 0) {
3901 		msyslog(LOG_ERR,
3902 		    "crypto_setup: certificate %s not for this host",
3903 		    cert_file);
3904 		cert_free(cinfo);
3905 		exit (-1);
3906 	}
3907 
3908 	/*
3909 	 * It the certificate is trusted, the subject must be the same
3910 	 * as the issuer, in other words it must be self signed.
3911 	 */
3912 	if (cinfo->flags & CERT_PRIV && strcmp(cinfo->subject,
3913 	    cinfo->issuer) != 0) {
3914 		if (cert_valid(cinfo, sign_pkey) != XEVNT_OK) {
3915 			msyslog(LOG_ERR,
3916 			    "crypto_setup: certificate %s is trusted, but not self signed.",
3917 			    cert_file);
3918 			cert_free(cinfo);
3919 			exit (-1);
3920 		}
3921 	}
3922 	sign_digest = cinfo->digest;
3923 	if (cinfo->flags & CERT_PRIV)
3924 		crypto_flags |= CRYPTO_FLAG_PRIV;
3925 	crypto_flags |= cinfo->nid << 16;
3926 
3927 	/*
3928 	 * Load optional leapseconds table from file "ntpkey_leap". If
3929 	 * the file is missing or defective, the values can later be
3930 	 * retrieved from a server.
3931 	 */
3932 	if (leap_file == NULL)
3933 		leap_file = "ntpkey_leap";
3934 	crypto_tai(leap_file);
3935 #ifdef DEBUG
3936 	if (debug)
3937 		printf(
3938 		    "crypto_setup: flags 0x%x host %s signature %s\n",
3939 		    crypto_flags, sys_hostname, OBJ_nid2ln(cinfo->nid));
3940 #endif
3941 }
3942 
3943 
3944 /*
3945  * crypto_config - configure data from crypto configuration command.
3946  */
3947 void
3948 crypto_config(
3949 	int	item,		/* configuration item */
3950 	char	*cp		/* file name */
3951 	)
3952 {
3953 	switch (item) {
3954 
3955 	/*
3956 	 * Set random seed file name.
3957 	 */
3958 	case CRYPTO_CONF_RAND:
3959 		rand_file = emalloc(strlen(cp) + 1);
3960 		strcpy(rand_file, cp);
3961 		break;
3962 
3963 	/*
3964 	 * Set private key password.
3965 	 */
3966 	case CRYPTO_CONF_PW:
3967 		passwd = emalloc(strlen(cp) + 1);
3968 		strcpy(passwd, cp);
3969 		break;
3970 
3971 	/*
3972 	 * Set host file name.
3973 	 */
3974 	case CRYPTO_CONF_PRIV:
3975 		host_file = emalloc(strlen(cp) + 1);
3976 		strcpy(host_file, cp);
3977 		break;
3978 
3979 	/*
3980 	 * Set sign key file name.
3981 	 */
3982 	case CRYPTO_CONF_SIGN:
3983 		sign_file = emalloc(strlen(cp) + 1);
3984 		strcpy(sign_file, cp);
3985 		break;
3986 
3987 	/*
3988 	 * Set iff parameters file name.
3989 	 */
3990 	case CRYPTO_CONF_IFFPAR:
3991 		iffpar_file = emalloc(strlen(cp) + 1);
3992 		strcpy(iffpar_file, cp);
3993 		break;
3994 
3995 	/*
3996 	 * Set gq parameters file name.
3997 	 */
3998 	case CRYPTO_CONF_GQPAR:
3999 		gqpar_file = emalloc(strlen(cp) + 1);
4000 		strcpy(gqpar_file, cp);
4001 		break;
4002 
4003 	/*
4004 	 * Set mv parameters file name.
4005 	 */
4006 	case CRYPTO_CONF_MVPAR:
4007 		mvpar_file = emalloc(strlen(cp) + 1);
4008 		strcpy(mvpar_file, cp);
4009 		break;
4010 
4011 	/*
4012 	 * Set certificate file name.
4013 	 */
4014 	case CRYPTO_CONF_CERT:
4015 		cert_file = emalloc(strlen(cp) + 1);
4016 		strcpy(cert_file, cp);
4017 		break;
4018 
4019 	/*
4020 	 * Set leapseconds file name.
4021 	 */
4022 	case CRYPTO_CONF_LEAP:
4023 		leap_file = emalloc(strlen(cp) + 1);
4024 		strcpy(leap_file, cp);
4025 		break;
4026 	}
4027 	crypto_flags |= CRYPTO_FLAG_ENAB;
4028 }
4029 # else
4030 int ntp_crypto_bs_pubkey;
4031 # endif /* OPENSSL */
4032