xref: /freebsd/contrib/ntp/util/ntp-keygen.c (revision 1f4bcc459a76b7aa664f3fd557684cd0ba6da352)
1 /*
2  * Program to generate cryptographic keys for ntp clients and servers
3  *
4  * This program generates password encrypted data files for use with the
5  * Autokey security protocol and Network Time Protocol Version 4. Files
6  * are prefixed with a header giving the name and date of creation
7  * followed by a type-specific descriptive label and PEM-encoded data
8  * structure compatible with programs of the OpenSSL library.
9  *
10  * All file names are like "ntpkey_<type>_<hostname>.<filestamp>", where
11  * <type> is the file type, <hostname> the generating host name and
12  * <filestamp> the generation time in NTP seconds. The NTP programs
13  * expect generic names such as "ntpkey_<type>_whimsy.udel.edu" with the
14  * association maintained by soft links. Following is a list of file
15  * types; the first line is the file name and the second link name.
16  *
17  * ntpkey_MD5key_<hostname>.<filestamp>
18  * 	MD5 (128-bit) keys used to compute message digests in symmetric
19  *	key cryptography
20  *
21  * ntpkey_RSAhost_<hostname>.<filestamp>
22  * ntpkey_host_<hostname>
23  *	RSA private/public host key pair used for public key signatures
24  *
25  * ntpkey_RSAsign_<hostname>.<filestamp>
26  * ntpkey_sign_<hostname>
27  *	RSA private/public sign key pair used for public key signatures
28  *
29  * ntpkey_DSAsign_<hostname>.<filestamp>
30  * ntpkey_sign_<hostname>
31  *	DSA Private/public sign key pair used for public key signatures
32  *
33  * Available digest/signature schemes
34  *
35  * RSA:	RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, EVP-RIPEMD160
36  * DSA:	DSA-SHA, DSA-SHA1
37  *
38  * ntpkey_XXXcert_<hostname>.<filestamp>
39  * ntpkey_cert_<hostname>
40  *	X509v3 certificate using RSA or DSA public keys and signatures.
41  *	XXX is a code identifying the message digest and signature
42  *	encryption algorithm
43  *
44  * Identity schemes. The key type par is used for the challenge; the key
45  * type key is used for the response.
46  *
47  * ntpkey_IFFkey_<groupname>.<filestamp>
48  * ntpkey_iffkey_<groupname>
49  *	Schnorr (IFF) identity parameters and keys
50  *
51  * ntpkey_GQkey_<groupname>.<filestamp>,
52  * ntpkey_gqkey_<groupname>
53  *	Guillou-Quisquater (GQ) identity parameters and keys
54  *
55  * ntpkey_MVkeyX_<groupname>.<filestamp>,
56  * ntpkey_mvkey_<groupname>
57  *	Mu-Varadharajan (MV) identity parameters and keys
58  *
59  * Note: Once in a while because of some statistical fluke this program
60  * fails to generate and verify some cryptographic data, as indicated by
61  * exit status -1. In this case simply run the program again. If the
62  * program does complete with exit code 0, the data are correct as
63  * verified.
64  *
65  * These cryptographic routines are characterized by the prime modulus
66  * size in bits. The default value of 512 bits is a compromise between
67  * cryptographic strength and computing time and is ordinarily
68  * considered adequate for this application. The routines have been
69  * tested with sizes of 256, 512, 1024 and 2048 bits. Not all message
70  * digest and signature encryption schemes work with sizes less than 512
71  * bits. The computing time for sizes greater than 2048 bits is
72  * prohibitive on all but the fastest processors. An UltraSPARC Blade
73  * 1000 took something over nine minutes to generate and verify the
74  * values with size 2048. An old SPARC IPC would take a week.
75  *
76  * The OpenSSL library used by this program expects a random seed file.
77  * As described in the OpenSSL documentation, the file name defaults to
78  * first the RANDFILE environment variable in the user's home directory
79  * and then .rnd in the user's home directory.
80  */
81 #ifdef HAVE_CONFIG_H
82 # include <config.h>
83 #endif
84 #include <string.h>
85 #include <stdio.h>
86 #include <stdlib.h>
87 #include <unistd.h>
88 #include <sys/stat.h>
89 #include <sys/time.h>
90 #include <sys/types.h>
91 
92 #include "ntp.h"
93 #include "ntp_random.h"
94 #include "ntp_stdlib.h"
95 #include "ntp_assert.h"
96 #include "ntp_libopts.h"
97 #include "ntp_unixtime.h"
98 #include "ntp-keygen-opts.h"
99 
100 #ifdef OPENSSL
101 #include "openssl/bn.h"
102 #include "openssl/evp.h"
103 #include "openssl/err.h"
104 #include "openssl/rand.h"
105 #include "openssl/pem.h"
106 #include "openssl/x509v3.h"
107 #include <openssl/objects.h>
108 #endif	/* OPENSSL */
109 #include <ssl_applink.c>
110 
111 #define _UC(str)	((char *)(intptr_t)(str))
112 /*
113  * Cryptodefines
114  */
115 #define	MD5KEYS		10	/* number of keys generated of each type */
116 #define	MD5SIZE		20	/* maximum key size */
117 #ifdef AUTOKEY
118 #define	PLEN		512	/* default prime modulus size (bits) */
119 #define	ILEN		256	/* default identity modulus size (bits) */
120 #define	MVMAX		100	/* max MV parameters */
121 
122 /*
123  * Strings used in X509v3 extension fields
124  */
125 #define KEY_USAGE		"digitalSignature,keyCertSign"
126 #define BASIC_CONSTRAINTS	"critical,CA:TRUE"
127 #define EXT_KEY_PRIVATE		"private"
128 #define EXT_KEY_TRUST		"trustRoot"
129 #endif	/* AUTOKEY */
130 
131 /*
132  * Prototypes
133  */
134 FILE	*fheader	(const char *, const char *, const char *);
135 int	gen_md5		(const char *);
136 void	followlink	(char *, size_t);
137 #ifdef AUTOKEY
138 EVP_PKEY *gen_rsa	(const char *);
139 EVP_PKEY *gen_dsa	(const char *);
140 EVP_PKEY *gen_iffkey	(const char *);
141 EVP_PKEY *gen_gqkey	(const char *);
142 EVP_PKEY *gen_mvkey	(const char *, EVP_PKEY **);
143 void	gen_mvserv	(char *, EVP_PKEY **);
144 int	x509		(EVP_PKEY *, const EVP_MD *, char *, const char *,
145 			    char *);
146 void	cb		(int, int, void *);
147 EVP_PKEY *genkey	(const char *, const char *);
148 EVP_PKEY *readkey	(char *, char *, u_int *, EVP_PKEY **);
149 void	writekey	(char *, char *, u_int *, EVP_PKEY **);
150 u_long	asn2ntp		(ASN1_TIME *);
151 #endif	/* AUTOKEY */
152 
153 /*
154  * Program variables
155  */
156 extern char *optarg;		/* command line argument */
157 char	const *progname;
158 u_int	lifetime = DAYSPERYEAR;	/* certificate lifetime (days) */
159 int	nkeys;			/* MV keys */
160 time_t	epoch;			/* Unix epoch (seconds) since 1970 */
161 u_int	fstamp;			/* NTP filestamp */
162 char	hostbuf[MAXHOSTNAME + 1];
163 char	*hostname = NULL;	/* host, used in cert filenames */
164 char	*groupname = NULL;	/* group name */
165 char	certnamebuf[2 * sizeof(hostbuf)];
166 char	*certname = NULL;	/* certificate subject/issuer name */
167 char	*passwd1 = NULL;	/* input private key password */
168 char	*passwd2 = NULL;	/* output private key password */
169 char	filename[MAXFILENAME + 1]; /* file name */
170 #ifdef AUTOKEY
171 u_int	modulus = PLEN;		/* prime modulus size (bits) */
172 u_int	modulus2 = ILEN;	/* identity modulus size (bits) */
173 long	d0, d1, d2, d3;		/* callback counters */
174 const EVP_CIPHER * cipher = NULL;
175 #endif	/* AUTOKEY */
176 
177 #ifdef SYS_WINNT
178 BOOL init_randfile();
179 
180 /*
181  * Don't try to follow symbolic links on Windows.  Assume link == file.
182  */
183 int
184 readlink(
185 	char *	link,
186 	char *	file,
187 	int	len
188 	)
189 {
190 	return (int)strlen(file); /* assume no overflow possible */
191 }
192 
193 /*
194  * Don't try to create symbolic links on Windows, that is supported on
195  * Vista and later only.  Instead, if CreateHardLink is available (XP
196  * and later), hardlink the linkname to the original filename.  On
197  * earlier systems, user must rename file to match expected link for
198  * ntpd to find it.  To allow building a ntp-keygen.exe which loads on
199  * Windows pre-XP, runtime link to CreateHardLinkA().
200  */
201 int
202 symlink(
203 	char *	filename,
204 	char*	linkname
205 	)
206 {
207 	typedef BOOL (WINAPI *PCREATEHARDLINKA)(
208 		__in LPCSTR	lpFileName,
209 		__in LPCSTR	lpExistingFileName,
210 		__reserved LPSECURITY_ATTRIBUTES lpSA
211 		);
212 	static PCREATEHARDLINKA pCreateHardLinkA;
213 	static int		tried;
214 	HMODULE			hDll;
215 	FARPROC			pfn;
216 	int			link_created;
217 	int			saved_errno;
218 
219 	if (!tried) {
220 		tried = TRUE;
221 		hDll = LoadLibrary("kernel32");
222 		pfn = GetProcAddress(hDll, "CreateHardLinkA");
223 		pCreateHardLinkA = (PCREATEHARDLINKA)pfn;
224 	}
225 
226 	if (NULL == pCreateHardLinkA) {
227 		errno = ENOSYS;
228 		return -1;
229 	}
230 
231 	link_created = (*pCreateHardLinkA)(linkname, filename, NULL);
232 
233 	if (link_created)
234 		return 0;
235 
236 	saved_errno = GetLastError();	/* yes we play loose */
237 	mfprintf(stderr, "Create hard link %s to %s failed: %m\n",
238 		 linkname, filename);
239 	errno = saved_errno;
240 	return -1;
241 }
242 
243 void
244 InitWin32Sockets() {
245 	WORD wVersionRequested;
246 	WSADATA wsaData;
247 	wVersionRequested = MAKEWORD(2,0);
248 	if (WSAStartup(wVersionRequested, &wsaData))
249 	{
250 		fprintf(stderr, "No useable winsock.dll\n");
251 		exit(1);
252 	}
253 }
254 #endif /* SYS_WINNT */
255 
256 
257 /*
258  * followlink() - replace filename with its target if symlink.
259  *
260  * Some readlink() implementations do not null-terminate the result.
261  */
262 void
263 followlink(
264 	char *	fname,
265 	size_t	bufsiz
266 	)
267 {
268 	int len;
269 
270 	REQUIRE(bufsiz > 0);
271 
272 	len = readlink(fname, fname, (int)bufsiz);
273 	if (len < 0 ) {
274 		fname[0] = '\0';
275 		return;
276 	}
277 	if (len > (int)bufsiz - 1)
278 		len = (int)bufsiz - 1;
279 	fname[len] = '\0';
280 }
281 
282 
283 /*
284  * Main program
285  */
286 int
287 main(
288 	int	argc,		/* command line options */
289 	char	**argv
290 	)
291 {
292 	struct timeval tv;	/* initialization vector */
293 	int	md5key = 0;	/* generate MD5 keys */
294 	int	optct;		/* option count */
295 #ifdef AUTOKEY
296 	X509	*cert = NULL;	/* X509 certificate */
297 	X509_EXTENSION *ext;	/* X509v3 extension */
298 	EVP_PKEY *pkey_host = NULL; /* host key */
299 	EVP_PKEY *pkey_sign = NULL; /* sign key */
300 	EVP_PKEY *pkey_iffkey = NULL; /* IFF sever keys */
301 	EVP_PKEY *pkey_gqkey = NULL; /* GQ server keys */
302 	EVP_PKEY *pkey_mvkey = NULL; /* MV trusted agen keys */
303 	EVP_PKEY *pkey_mvpar[MVMAX]; /* MV cleient keys */
304 	int	hostkey = 0;	/* generate RSA keys */
305 	int	iffkey = 0;	/* generate IFF keys */
306 	int	gqkey = 0;	/* generate GQ keys */
307 	int	mvkey = 0;	/* update MV keys */
308 	int	mvpar = 0;	/* generate MV parameters */
309 	char	*sign = NULL;	/* sign key */
310 	EVP_PKEY *pkey = NULL;	/* temp key */
311 	const EVP_MD *ectx;	/* EVP digest */
312 	char	pathbuf[MAXFILENAME + 1];
313 	const char *scheme = NULL; /* digest/signature scheme */
314 	const char *ciphername = NULL; /* to encrypt priv. key */
315 	const char *exten = NULL;	/* private extension */
316 	char	*grpkey = NULL;	/* identity extension */
317 	int	nid;		/* X509 digest/signature scheme */
318 	FILE	*fstr = NULL;	/* file handle */
319 	char	groupbuf[MAXHOSTNAME + 1];
320 	u_int	temp;
321 	BIO *	bp;
322 	int	i, cnt;
323 	char *	ptr;
324 #endif	/* AUTOKEY */
325 
326 	progname = argv[0];
327 
328 #ifdef SYS_WINNT
329 	/* Initialize before OpenSSL checks */
330 	InitWin32Sockets();
331 	if (!init_randfile())
332 		fprintf(stderr, "Unable to initialize .rnd file\n");
333 	ssl_applink();
334 #endif
335 
336 #ifdef OPENSSL
337 	ssl_check_version();
338 #endif	/* OPENSSL */
339 
340 	ntp_crypto_srandom();
341 
342 	/*
343 	 * Process options, initialize host name and timestamp.
344 	 * gethostname() won't null-terminate if hostname is exactly the
345 	 * length provided for the buffer.
346 	 */
347 	gethostname(hostbuf, sizeof(hostbuf) - 1);
348 	hostbuf[COUNTOF(hostbuf) - 1] = '\0';
349 	hostname = hostbuf;
350 	groupname = hostbuf;
351 	passwd1 = hostbuf;
352 	passwd2 = NULL;
353 	GETTIMEOFDAY(&tv, NULL);
354 	epoch = tv.tv_sec;
355 	fstamp = (u_int)(epoch + JAN_1970);
356 
357 	optct = ntpOptionProcess(&ntp_keygenOptions, argc, argv);
358 	argc -= optct;	// Just in case we care later.
359 	argv += optct;	// Just in case we care later.
360 
361 #ifdef OPENSSL
362 	if (SSLeay() == SSLEAY_VERSION_NUMBER)
363 		fprintf(stderr, "Using OpenSSL version %s\n",
364 			SSLeay_version(SSLEAY_VERSION));
365 	else
366 		fprintf(stderr, "Built against OpenSSL %s, using version %s\n",
367 			OPENSSL_VERSION_TEXT, SSLeay_version(SSLEAY_VERSION));
368 #endif /* OPENSSL */
369 
370 	debug = OPT_VALUE_SET_DEBUG_LEVEL;
371 
372 	if (HAVE_OPT( MD5KEY ))
373 		md5key++;
374 #ifdef AUTOKEY
375 	if (HAVE_OPT( PASSWORD ))
376 		passwd1 = estrdup(OPT_ARG( PASSWORD ));
377 
378 	if (HAVE_OPT( EXPORT_PASSWD ))
379 		passwd2 = estrdup(OPT_ARG( EXPORT_PASSWD ));
380 
381 	if (HAVE_OPT( HOST_KEY ))
382 		hostkey++;
383 
384 	if (HAVE_OPT( SIGN_KEY ))
385 		sign = estrdup(OPT_ARG( SIGN_KEY ));
386 
387 	if (HAVE_OPT( GQ_PARAMS ))
388 		gqkey++;
389 
390 	if (HAVE_OPT( IFFKEY ))
391 		iffkey++;
392 
393 	if (HAVE_OPT( MV_PARAMS )) {
394 		mvkey++;
395 		nkeys = OPT_VALUE_MV_PARAMS;
396 	}
397 	if (HAVE_OPT( MV_KEYS )) {
398 		mvpar++;
399 		nkeys = OPT_VALUE_MV_KEYS;
400 	}
401 
402 	if (HAVE_OPT( IMBITS ))
403 		modulus2 = OPT_VALUE_IMBITS;
404 
405 	if (HAVE_OPT( MODULUS ))
406 		modulus = OPT_VALUE_MODULUS;
407 
408 	if (HAVE_OPT( CERTIFICATE ))
409 		scheme = OPT_ARG( CERTIFICATE );
410 
411 	if (HAVE_OPT( CIPHER ))
412 		ciphername = OPT_ARG( CIPHER );
413 
414 	if (HAVE_OPT( SUBJECT_NAME ))
415 		hostname = estrdup(OPT_ARG( SUBJECT_NAME ));
416 
417 	if (HAVE_OPT( IDENT ))
418 		groupname = estrdup(OPT_ARG( IDENT ));
419 
420 	if (HAVE_OPT( LIFETIME ))
421 		lifetime = OPT_VALUE_LIFETIME;
422 
423 	if (HAVE_OPT( PVT_CERT ))
424 		exten = EXT_KEY_PRIVATE;
425 
426 	if (HAVE_OPT( TRUSTED_CERT ))
427 		exten = EXT_KEY_TRUST;
428 
429 	/*
430 	 * Remove the group name from the hostname variable used
431 	 * in host and sign certificate file names.
432 	 */
433 	if (hostname != hostbuf)
434 		ptr = strchr(hostname, '@');
435 	else
436 		ptr = NULL;
437 	if (ptr != NULL) {
438 		*ptr = '\0';
439 		groupname = estrdup(ptr + 1);
440 		/* -s @group is equivalent to -i group, host unch. */
441 		if (ptr == hostname)
442 			hostname = hostbuf;
443 	}
444 
445 	/*
446 	 * Derive host certificate issuer/subject names from host name
447 	 * and optional group.  If no groupname is provided, the issuer
448 	 * and subject is the hostname with no '@group', and the
449 	 * groupname variable is pointed to hostname for use in IFF, GQ,
450 	 * and MV parameters file names.
451 	 */
452 	if (groupname == hostbuf) {
453 		certname = hostname;
454 	} else {
455 		snprintf(certnamebuf, sizeof(certnamebuf), "%s@%s",
456 			 hostname, groupname);
457 		certname = certnamebuf;
458 	}
459 
460 	/*
461 	 * Seed random number generator and grow weeds.
462 	 */
463 	ERR_load_crypto_strings();
464 	OpenSSL_add_all_algorithms();
465 	if (!RAND_status()) {
466 		if (RAND_file_name(pathbuf, sizeof(pathbuf)) == NULL) {
467 			fprintf(stderr, "RAND_file_name %s\n",
468 			    ERR_error_string(ERR_get_error(), NULL));
469 			exit (-1);
470 		}
471 		temp = RAND_load_file(pathbuf, -1);
472 		if (temp == 0) {
473 			fprintf(stderr,
474 			    "RAND_load_file %s not found or empty\n",
475 			    pathbuf);
476 			exit (-1);
477 		}
478 		fprintf(stderr,
479 		    "Random seed file %s %u bytes\n", pathbuf, temp);
480 		RAND_add(&epoch, sizeof(epoch), 4.0);
481 	}
482 #endif	/* AUTOKEY */
483 
484 	/*
485 	 * Create new unencrypted MD5 keys file if requested. If this
486 	 * option is selected, ignore all other options.
487 	 */
488 	if (md5key) {
489 		gen_md5("md5");
490 		exit (0);
491 	}
492 
493 #ifdef AUTOKEY
494 	/*
495 	 * Load previous certificate if available.
496 	 */
497 	snprintf(filename, sizeof(filename), "ntpkey_cert_%s", hostname);
498 	if ((fstr = fopen(filename, "r")) != NULL) {
499 		cert = PEM_read_X509(fstr, NULL, NULL, NULL);
500 		fclose(fstr);
501 	}
502 	if (cert != NULL) {
503 
504 		/*
505 		 * Extract subject name.
506 		 */
507 		X509_NAME_oneline(X509_get_subject_name(cert), groupbuf,
508 		    MAXFILENAME);
509 
510 		/*
511 		 * Extract digest/signature scheme.
512 		 */
513 		if (scheme == NULL) {
514 			nid = OBJ_obj2nid(cert->cert_info->
515 			    signature->algorithm);
516 			scheme = OBJ_nid2sn(nid);
517 		}
518 
519 		/*
520 		 * If a key_usage extension field is present, determine
521 		 * whether this is a trusted or private certificate.
522 		 */
523 		if (exten == NULL) {
524 			ptr = strstr(groupbuf, "CN=");
525 			cnt = X509_get_ext_count(cert);
526 			for (i = 0; i < cnt; i++) {
527 				ext = X509_get_ext(cert, i);
528 				if (OBJ_obj2nid(ext->object) ==
529 				    NID_ext_key_usage) {
530 					bp = BIO_new(BIO_s_mem());
531 					X509V3_EXT_print(bp, ext, 0, 0);
532 					BIO_gets(bp, pathbuf,
533 					    MAXFILENAME);
534 					BIO_free(bp);
535 					if (strcmp(pathbuf,
536 					    "Trust Root") == 0)
537 						exten = EXT_KEY_TRUST;
538 					else if (strcmp(pathbuf,
539 					    "Private") == 0)
540 						exten = EXT_KEY_PRIVATE;
541 					certname = estrdup(ptr + 3);
542 				}
543 			}
544 		}
545 	}
546 	if (scheme == NULL)
547 		scheme = "RSA-MD5";
548 	if (ciphername == NULL)
549 		ciphername = "des-ede3-cbc";
550 	cipher = EVP_get_cipherbyname(ciphername);
551 	if (cipher == NULL) {
552 		fprintf(stderr, "Unknown cipher %s\n", ciphername);
553 		exit(-1);
554 	}
555 	fprintf(stderr, "Using host %s group %s\n", hostname,
556 	    groupname);
557 
558 	/*
559 	 * Create a new encrypted RSA host key file if requested;
560 	 * otherwise, look for an existing host key file. If not found,
561 	 * create a new encrypted RSA host key file. If that fails, go
562 	 * no further.
563 	 */
564 	if (hostkey)
565 		pkey_host = genkey("RSA", "host");
566 	if (pkey_host == NULL) {
567 		snprintf(filename, sizeof(filename), "ntpkey_host_%s", hostname);
568 		pkey_host = readkey(filename, passwd1, &fstamp, NULL);
569 		if (pkey_host != NULL) {
570 			followlink(filename, sizeof(filename));
571 			fprintf(stderr, "Using host key %s\n",
572 			    filename);
573 		} else {
574 			pkey_host = genkey("RSA", "host");
575 		}
576 	}
577 	if (pkey_host == NULL) {
578 		fprintf(stderr, "Generating host key fails\n");
579 		exit(-1);
580 	}
581 
582 	/*
583 	 * Create new encrypted RSA or DSA sign keys file if requested;
584 	 * otherwise, look for an existing sign key file. If not found,
585 	 * use the host key instead.
586 	 */
587 	if (sign != NULL)
588 		pkey_sign = genkey(sign, "sign");
589 	if (pkey_sign == NULL) {
590 		snprintf(filename, sizeof(filename), "ntpkey_sign_%s",
591 			 hostname);
592 		pkey_sign = readkey(filename, passwd1, &fstamp, NULL);
593 		if (pkey_sign != NULL) {
594 			followlink(filename, sizeof(filename));
595 			fprintf(stderr, "Using sign key %s\n",
596 			    filename);
597 		} else {
598 			pkey_sign = pkey_host;
599 			fprintf(stderr, "Using host key as sign key\n");
600 		}
601 	}
602 
603 	/*
604 	 * Create new encrypted GQ server keys file if requested;
605 	 * otherwise, look for an exisiting file. If found, fetch the
606 	 * public key for the certificate.
607 	 */
608 	if (gqkey)
609 		pkey_gqkey = gen_gqkey("gqkey");
610 	if (pkey_gqkey == NULL) {
611 		snprintf(filename, sizeof(filename), "ntpkey_gqkey_%s",
612 		    groupname);
613 		pkey_gqkey = readkey(filename, passwd1, &fstamp, NULL);
614 		if (pkey_gqkey != NULL) {
615 			followlink(filename, sizeof(filename));
616 			fprintf(stderr, "Using GQ parameters %s\n",
617 			    filename);
618 		}
619 	}
620 	if (pkey_gqkey != NULL)
621 		grpkey = BN_bn2hex(pkey_gqkey->pkey.rsa->q);
622 
623 	/*
624 	 * Write the nonencrypted GQ client parameters to the stdout
625 	 * stream. The parameter file is the server key file with the
626 	 * private key obscured.
627 	 */
628 	if (pkey_gqkey != NULL && HAVE_OPT(ID_KEY)) {
629 		RSA	*rsa;
630 
631 		snprintf(filename, sizeof(filename),
632 		    "ntpkey_gqpar_%s.%u", groupname, fstamp);
633 		fprintf(stderr, "Writing GQ parameters %s to stdout\n",
634 		    filename);
635 		fprintf(stdout, "# %s\n# %s\n", filename,
636 		    ctime(&epoch));
637 		rsa = pkey_gqkey->pkey.rsa;
638 		BN_copy(rsa->p, BN_value_one());
639 		BN_copy(rsa->q, BN_value_one());
640 		pkey = EVP_PKEY_new();
641 		EVP_PKEY_assign_RSA(pkey, rsa);
642 		PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
643 		    NULL, NULL);
644 		fflush(stdout);
645 		if (debug)
646 			RSA_print_fp(stderr, rsa, 0);
647 	}
648 
649 	/*
650 	 * Write the encrypted GQ server keys to the stdout stream.
651 	 */
652 	if (pkey_gqkey != NULL && passwd2 != NULL) {
653 		RSA	*rsa;
654 
655 		snprintf(filename, sizeof(filename),
656 		    "ntpkey_gqkey_%s.%u", groupname, fstamp);
657 		fprintf(stderr, "Writing GQ keys %s to stdout\n",
658 		    filename);
659 		fprintf(stdout, "# %s\n# %s\n", filename,
660 		    ctime(&epoch));
661 		rsa = pkey_gqkey->pkey.rsa;
662 		pkey = EVP_PKEY_new();
663 		EVP_PKEY_assign_RSA(pkey, rsa);
664 		PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
665 		    NULL, passwd2);
666 		fflush(stdout);
667 		if (debug)
668 			RSA_print_fp(stderr, rsa, 0);
669 	}
670 
671 	/*
672 	 * Create new encrypted IFF server keys file if requested;
673 	 * otherwise, look for existing file.
674 	 */
675 	if (iffkey)
676 		pkey_iffkey = gen_iffkey("iffkey");
677 	if (pkey_iffkey == NULL) {
678 		snprintf(filename, sizeof(filename), "ntpkey_iffkey_%s",
679 		    groupname);
680 		pkey_iffkey = readkey(filename, passwd1, &fstamp, NULL);
681 		if (pkey_iffkey != NULL) {
682 			followlink(filename, sizeof(filename));
683 			fprintf(stderr, "Using IFF keys %s\n",
684 			    filename);
685 		}
686 	}
687 
688 	/*
689 	 * Write the nonencrypted IFF client parameters to the stdout
690 	 * stream. The parameter file is the server key file with the
691 	 * private key obscured.
692 	 */
693 	if (pkey_iffkey != NULL && HAVE_OPT(ID_KEY)) {
694 		DSA	*dsa;
695 
696 		snprintf(filename, sizeof(filename),
697 		    "ntpkey_iffpar_%s.%u", groupname, fstamp);
698 		fprintf(stderr, "Writing IFF parameters %s to stdout\n",
699 		    filename);
700 		fprintf(stdout, "# %s\n# %s\n", filename,
701 		    ctime(&epoch));
702 		dsa = pkey_iffkey->pkey.dsa;
703 		BN_copy(dsa->priv_key, BN_value_one());
704 		pkey = EVP_PKEY_new();
705 		EVP_PKEY_assign_DSA(pkey, dsa);
706 		PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
707 		    NULL, NULL);
708 		fflush(stdout);
709 		if (debug)
710 			DSA_print_fp(stderr, dsa, 0);
711 	}
712 
713 	/*
714 	 * Write the encrypted IFF server keys to the stdout stream.
715 	 */
716 	if (pkey_iffkey != NULL && passwd2 != NULL) {
717 		DSA	*dsa;
718 
719 		snprintf(filename, sizeof(filename),
720 		    "ntpkey_iffkey_%s.%u", groupname, fstamp);
721 		fprintf(stderr, "Writing IFF keys %s to stdout\n",
722 		    filename);
723 		fprintf(stdout, "# %s\n# %s\n", filename,
724 		    ctime(&epoch));
725 		dsa = pkey_iffkey->pkey.dsa;
726 		pkey = EVP_PKEY_new();
727 		EVP_PKEY_assign_DSA(pkey, dsa);
728 		PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
729 		    NULL, passwd2);
730 		fflush(stdout);
731 		if (debug)
732 			DSA_print_fp(stderr, dsa, 0);
733 	}
734 
735 	/*
736 	 * Create new encrypted MV trusted-authority keys file if
737 	 * requested; otherwise, look for existing keys file.
738 	 */
739 	if (mvkey)
740 		pkey_mvkey = gen_mvkey("mv", pkey_mvpar);
741 	if (pkey_mvkey == NULL) {
742 		snprintf(filename, sizeof(filename), "ntpkey_mvta_%s",
743 		    groupname);
744 		pkey_mvkey = readkey(filename, passwd1, &fstamp,
745 		    pkey_mvpar);
746 		if (pkey_mvkey != NULL) {
747 			followlink(filename, sizeof(filename));
748 			fprintf(stderr, "Using MV keys %s\n",
749 			    filename);
750 		}
751 	}
752 
753 	/*
754 	 * Write the nonencrypted MV client parameters to the stdout
755 	 * stream. For the moment, we always use the client parameters
756 	 * associated with client key 1.
757 	 */
758 	if (pkey_mvkey != NULL && HAVE_OPT(ID_KEY)) {
759 		snprintf(filename, sizeof(filename),
760 		    "ntpkey_mvpar_%s.%u", groupname, fstamp);
761 		fprintf(stderr, "Writing MV parameters %s to stdout\n",
762 		    filename);
763 		fprintf(stdout, "# %s\n# %s\n", filename,
764 		    ctime(&epoch));
765 		pkey = pkey_mvpar[2];
766 		PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
767 		    NULL, NULL);
768 		fflush(stdout);
769 		if (debug)
770 			DSA_print_fp(stderr, pkey->pkey.dsa, 0);
771 	}
772 
773 	/*
774 	 * Write the encrypted MV server keys to the stdout stream.
775 	 */
776 	if (pkey_mvkey != NULL && passwd2 != NULL) {
777 		snprintf(filename, sizeof(filename),
778 		    "ntpkey_mvkey_%s.%u", groupname, fstamp);
779 		fprintf(stderr, "Writing MV keys %s to stdout\n",
780 		    filename);
781 		fprintf(stdout, "# %s\n# %s\n", filename,
782 		    ctime(&epoch));
783 		pkey = pkey_mvpar[1];
784 		PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
785 		    NULL, passwd2);
786 		fflush(stdout);
787 		if (debug)
788 			DSA_print_fp(stderr, pkey->pkey.dsa, 0);
789 	}
790 
791 	/*
792 	 * Decode the digest/signature scheme and create the
793 	 * certificate. Do this every time we run the program.
794 	 */
795 	ectx = EVP_get_digestbyname(scheme);
796 	if (ectx == NULL) {
797 		fprintf(stderr,
798 		    "Invalid digest/signature combination %s\n",
799 		    scheme);
800 			exit (-1);
801 	}
802 	x509(pkey_sign, ectx, grpkey, exten, certname);
803 #endif	/* AUTOKEY */
804 	exit(0);
805 }
806 
807 
808 /*
809  * Generate semi-random MD5 keys compatible with NTPv3 and NTPv4. Also,
810  * if OpenSSL is around, generate random SHA1 keys compatible with
811  * symmetric key cryptography.
812  */
813 int
814 gen_md5(
815 	const char *id		/* file name id */
816 	)
817 {
818 	u_char	md5key[MD5SIZE + 1];	/* MD5 key */
819 	FILE	*str;
820 	int	i, j;
821 #ifdef OPENSSL
822 	u_char	keystr[MD5SIZE];
823 	u_char	hexstr[2 * MD5SIZE + 1];
824 	u_char	hex[] = "0123456789abcdef";
825 #endif	/* OPENSSL */
826 
827 	str = fheader("MD5key", id, groupname);
828 	for (i = 1; i <= MD5KEYS; i++) {
829 		for (j = 0; j < MD5SIZE; j++) {
830 			u_char temp;
831 
832 			while (1) {
833 				int rc;
834 
835 				rc = ntp_crypto_random_buf(
836 				    &temp, sizeof(temp));
837 				if (-1 == rc) {
838 					fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
839 					exit (-1);
840 				}
841 				if (temp == '#')
842 					continue;
843 
844 				if (temp > 0x20 && temp < 0x7f)
845 					break;
846 			}
847 			md5key[j] = temp;
848 		}
849 		md5key[j] = '\0';
850 		fprintf(str, "%2d MD5 %s  # MD5 key\n", i,
851 		    md5key);
852 	}
853 #ifdef OPENSSL
854 	for (i = 1; i <= MD5KEYS; i++) {
855 		RAND_bytes(keystr, 20);
856 		for (j = 0; j < MD5SIZE; j++) {
857 			hexstr[2 * j] = hex[keystr[j] >> 4];
858 			hexstr[2 * j + 1] = hex[keystr[j] & 0xf];
859 		}
860 		hexstr[2 * MD5SIZE] = '\0';
861 		fprintf(str, "%2d SHA1 %s  # SHA1 key\n", i + MD5KEYS,
862 		    hexstr);
863 	}
864 #endif	/* OPENSSL */
865 	fclose(str);
866 	return (1);
867 }
868 
869 
870 #ifdef AUTOKEY
871 /*
872  * readkey - load cryptographic parameters and keys
873  *
874  * This routine loads a PEM-encoded file of given name and password and
875  * extracts the filestamp from the file name. It returns a pointer to
876  * the first key if valid, NULL if not.
877  */
878 EVP_PKEY *			/* public/private key pair */
879 readkey(
880 	char	*cp,		/* file name */
881 	char	*passwd,	/* password */
882 	u_int	*estamp,	/* file stamp */
883 	EVP_PKEY **evpars	/* parameter list pointer */
884 	)
885 {
886 	FILE	*str;		/* file handle */
887 	EVP_PKEY *pkey = NULL;	/* public/private key */
888 	u_int	gstamp;		/* filestamp */
889 	char	linkname[MAXFILENAME]; /* filestamp buffer) */
890 	EVP_PKEY *parkey;
891 	char	*ptr;
892 	int	i;
893 
894 	/*
895 	 * Open the key file.
896 	 */
897 	str = fopen(cp, "r");
898 	if (str == NULL)
899 		return (NULL);
900 
901 	/*
902 	 * Read the filestamp, which is contained in the first line.
903 	 */
904 	if ((ptr = fgets(linkname, MAXFILENAME, str)) == NULL) {
905 		fprintf(stderr, "Empty key file %s\n", cp);
906 		fclose(str);
907 		return (NULL);
908 	}
909 	if ((ptr = strrchr(ptr, '.')) == NULL) {
910 		fprintf(stderr, "No filestamp found in %s\n", cp);
911 		fclose(str);
912 		return (NULL);
913 	}
914 	if (sscanf(++ptr, "%u", &gstamp) != 1) {
915 		fprintf(stderr, "Invalid filestamp found in %s\n", cp);
916 		fclose(str);
917 		return (NULL);
918 	}
919 
920 	/*
921 	 * Read and decrypt PEM-encoded private keys. The first one
922 	 * found is returned. If others are expected, add them to the
923 	 * parameter list.
924 	 */
925 	for (i = 0; i <= MVMAX - 1;) {
926 		parkey = PEM_read_PrivateKey(str, NULL, NULL, passwd);
927 		if (evpars != NULL) {
928 			evpars[i++] = parkey;
929 			evpars[i] = NULL;
930 		}
931 		if (parkey == NULL)
932 			break;
933 
934 		if (pkey == NULL)
935 			pkey = parkey;
936 		if (debug) {
937 			if (parkey->type == EVP_PKEY_DSA)
938 				DSA_print_fp(stderr, parkey->pkey.dsa,
939 				    0);
940 			else if (parkey->type == EVP_PKEY_RSA)
941 				RSA_print_fp(stderr, parkey->pkey.rsa,
942 				    0);
943 		}
944 	}
945 	fclose(str);
946 	if (pkey == NULL) {
947 		fprintf(stderr, "Corrupt file %s or wrong key %s\n%s\n",
948 		    cp, passwd, ERR_error_string(ERR_get_error(),
949 		    NULL));
950 		exit (-1);
951 	}
952 	*estamp = gstamp;
953 	return (pkey);
954 }
955 
956 
957 /*
958  * Generate RSA public/private key pair
959  */
960 EVP_PKEY *			/* public/private key pair */
961 gen_rsa(
962 	const char *id		/* file name id */
963 	)
964 {
965 	EVP_PKEY *pkey;		/* private key */
966 	RSA	*rsa;		/* RSA parameters and key pair */
967 	FILE	*str;
968 
969 	fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus);
970 	rsa = RSA_generate_key(modulus, 65537, cb, _UC("RSA"));
971 	fprintf(stderr, "\n");
972 	if (rsa == NULL) {
973 		fprintf(stderr, "RSA generate keys fails\n%s\n",
974 		    ERR_error_string(ERR_get_error(), NULL));
975 		return (NULL);
976 	}
977 
978 	/*
979 	 * For signature encryption it is not necessary that the RSA
980 	 * parameters be strictly groomed and once in a while the
981 	 * modulus turns out to be non-prime. Just for grins, we check
982 	 * the primality.
983 	 */
984 	if (!RSA_check_key(rsa)) {
985 		fprintf(stderr, "Invalid RSA key\n%s\n",
986 		    ERR_error_string(ERR_get_error(), NULL));
987 		RSA_free(rsa);
988 		return (NULL);
989 	}
990 
991 	/*
992 	 * Write the RSA parameters and keys as a RSA private key
993 	 * encoded in PEM.
994 	 */
995 	if (strcmp(id, "sign") == 0)
996 		str = fheader("RSAsign", id, hostname);
997 	else
998 		str = fheader("RSAhost", id, hostname);
999 	pkey = EVP_PKEY_new();
1000 	EVP_PKEY_assign_RSA(pkey, rsa);
1001 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1002 	    passwd1);
1003 	fclose(str);
1004 	if (debug)
1005 		RSA_print_fp(stderr, rsa, 0);
1006 	return (pkey);
1007 }
1008 
1009 
1010 /*
1011  * Generate DSA public/private key pair
1012  */
1013 EVP_PKEY *			/* public/private key pair */
1014 gen_dsa(
1015 	const char *id		/* file name id */
1016 	)
1017 {
1018 	EVP_PKEY *pkey;		/* private key */
1019 	DSA	*dsa;		/* DSA parameters */
1020 	u_char	seed[20];	/* seed for parameters */
1021 	FILE	*str;
1022 
1023 	/*
1024 	 * Generate DSA parameters.
1025 	 */
1026 	fprintf(stderr,
1027 	    "Generating DSA parameters (%d bits)...\n", modulus);
1028 	RAND_bytes(seed, sizeof(seed));
1029 	dsa = DSA_generate_parameters(modulus, seed, sizeof(seed), NULL,
1030 	    NULL, cb, _UC("DSA"));
1031 	fprintf(stderr, "\n");
1032 	if (dsa == NULL) {
1033 		fprintf(stderr, "DSA generate parameters fails\n%s\n",
1034 		    ERR_error_string(ERR_get_error(), NULL));
1035 		return (NULL);
1036 	}
1037 
1038 	/*
1039 	 * Generate DSA keys.
1040 	 */
1041 	fprintf(stderr, "Generating DSA keys (%d bits)...\n", modulus);
1042 	if (!DSA_generate_key(dsa)) {
1043 		fprintf(stderr, "DSA generate keys fails\n%s\n",
1044 		    ERR_error_string(ERR_get_error(), NULL));
1045 		DSA_free(dsa);
1046 		return (NULL);
1047 	}
1048 
1049 	/*
1050 	 * Write the DSA parameters and keys as a DSA private key
1051 	 * encoded in PEM.
1052 	 */
1053 	str = fheader("DSAsign", id, hostname);
1054 	pkey = EVP_PKEY_new();
1055 	EVP_PKEY_assign_DSA(pkey, dsa);
1056 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1057 	    passwd1);
1058 	fclose(str);
1059 	if (debug)
1060 		DSA_print_fp(stderr, dsa, 0);
1061 	return (pkey);
1062 }
1063 
1064 
1065 /*
1066  ***********************************************************************
1067  *								       *
1068  * The following routines implement the Schnorr (IFF) identity scheme  *
1069  *								       *
1070  ***********************************************************************
1071  *
1072  * The Schnorr (IFF) identity scheme is intended for use when
1073  * certificates are generated by some other trusted certificate
1074  * authority and the certificate cannot be used to convey public
1075  * parameters. There are two kinds of files: encrypted server files that
1076  * contain private and public values and nonencrypted client files that
1077  * contain only public values. New generations of server files must be
1078  * securely transmitted to all servers of the group; client files can be
1079  * distributed by any means. The scheme is self contained and
1080  * independent of new generations of host keys, sign keys and
1081  * certificates.
1082  *
1083  * The IFF values hide in a DSA cuckoo structure which uses the same
1084  * parameters. The values are used by an identity scheme based on DSA
1085  * cryptography and described in Stimson p. 285. The p is a 512-bit
1086  * prime, g a generator of Zp* and q a 160-bit prime that divides p - 1
1087  * and is a qth root of 1 mod p; that is, g^q = 1 mod p. The TA rolls a
1088  * private random group key b (0 < b < q) and public key v = g^b, then
1089  * sends (p, q, g, b) to the servers and (p, q, g, v) to the clients.
1090  * Alice challenges Bob to confirm identity using the protocol described
1091  * below.
1092  *
1093  * How it works
1094  *
1095  * The scheme goes like this. Both Alice and Bob have the public primes
1096  * p, q and generator g. The TA gives private key b to Bob and public
1097  * key v to Alice.
1098  *
1099  * Alice rolls new random challenge r (o < r < q) and sends to Bob in
1100  * the IFF request message. Bob rolls new random k (0 < k < q), then
1101  * computes y = k + b r mod q and x = g^k mod p and sends (y, hash(x))
1102  * to Alice in the response message. Besides making the response
1103  * shorter, the hash makes it effectivey impossible for an intruder to
1104  * solve for b by observing a number of these messages.
1105  *
1106  * Alice receives the response and computes g^y v^r mod p. After a bit
1107  * of algebra, this simplifies to g^k. If the hash of this result
1108  * matches hash(x), Alice knows that Bob has the group key b. The signed
1109  * response binds this knowledge to Bob's private key and the public key
1110  * previously received in his certificate.
1111  */
1112 /*
1113  * Generate Schnorr (IFF) keys.
1114  */
1115 EVP_PKEY *			/* DSA cuckoo nest */
1116 gen_iffkey(
1117 	const char *id		/* file name id */
1118 	)
1119 {
1120 	EVP_PKEY *pkey;		/* private key */
1121 	DSA	*dsa;		/* DSA parameters */
1122 	u_char	seed[20];	/* seed for parameters */
1123 	BN_CTX	*ctx;		/* BN working space */
1124 	BIGNUM	*b, *r, *k, *u, *v, *w; /* BN temp */
1125 	FILE	*str;
1126 	u_int	temp;
1127 
1128 	/*
1129 	 * Generate DSA parameters for use as IFF parameters.
1130 	 */
1131 	fprintf(stderr, "Generating IFF keys (%d bits)...\n",
1132 	    modulus2);
1133 	RAND_bytes(seed, sizeof(seed));
1134 	dsa = DSA_generate_parameters(modulus2, seed, sizeof(seed), NULL,
1135 	    NULL, cb, _UC("IFF"));
1136 	fprintf(stderr, "\n");
1137 	if (dsa == NULL) {
1138 		fprintf(stderr, "DSA generate parameters fails\n%s\n",
1139 		    ERR_error_string(ERR_get_error(), NULL));
1140 		return (NULL);;
1141 	}
1142 
1143 	/*
1144 	 * Generate the private and public keys. The DSA parameters and
1145 	 * private key are distributed to the servers, while all except
1146 	 * the private key are distributed to the clients.
1147 	 */
1148 	b = BN_new(); r = BN_new(); k = BN_new();
1149 	u = BN_new(); v = BN_new(); w = BN_new(); ctx = BN_CTX_new();
1150 	BN_rand(b, BN_num_bits(dsa->q), -1, 0);	/* a */
1151 	BN_mod(b, b, dsa->q, ctx);
1152 	BN_sub(v, dsa->q, b);
1153 	BN_mod_exp(v, dsa->g, v, dsa->p, ctx); /* g^(q - b) mod p */
1154 	BN_mod_exp(u, dsa->g, b, dsa->p, ctx);	/* g^b mod p */
1155 	BN_mod_mul(u, u, v, dsa->p, ctx);
1156 	temp = BN_is_one(u);
1157 	fprintf(stderr,
1158 	    "Confirm g^(q - b) g^b = 1 mod p: %s\n", temp == 1 ?
1159 	    "yes" : "no");
1160 	if (!temp) {
1161 		BN_free(b); BN_free(r); BN_free(k);
1162 		BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
1163 		return (NULL);
1164 	}
1165 	dsa->priv_key = BN_dup(b);		/* private key */
1166 	dsa->pub_key = BN_dup(v);		/* public key */
1167 
1168 	/*
1169 	 * Here is a trial round of the protocol. First, Alice rolls
1170 	 * random nonce r mod q and sends it to Bob. She needs only
1171 	 * q from parameters.
1172 	 */
1173 	BN_rand(r, BN_num_bits(dsa->q), -1, 0);	/* r */
1174 	BN_mod(r, r, dsa->q, ctx);
1175 
1176 	/*
1177 	 * Bob rolls random nonce k mod q, computes y = k + b r mod q
1178 	 * and x = g^k mod p, then sends (y, x) to Alice. He needs
1179 	 * p, q and b from parameters and r from Alice.
1180 	 */
1181 	BN_rand(k, BN_num_bits(dsa->q), -1, 0);	/* k, 0 < k < q  */
1182 	BN_mod(k, k, dsa->q, ctx);
1183 	BN_mod_mul(v, dsa->priv_key, r, dsa->q, ctx); /* b r mod q */
1184 	BN_add(v, v, k);
1185 	BN_mod(v, v, dsa->q, ctx);		/* y = k + b r mod q */
1186 	BN_mod_exp(u, dsa->g, k, dsa->p, ctx);	/* x = g^k mod p */
1187 
1188 	/*
1189 	 * Alice verifies x = g^y v^r to confirm that Bob has group key
1190 	 * b. She needs p, q, g from parameters, (y, x) from Bob and the
1191 	 * original r. We omit the detail here thatt only the hash of y
1192 	 * is sent.
1193 	 */
1194 	BN_mod_exp(v, dsa->g, v, dsa->p, ctx); /* g^y mod p */
1195 	BN_mod_exp(w, dsa->pub_key, r, dsa->p, ctx); /* v^r */
1196 	BN_mod_mul(v, w, v, dsa->p, ctx);	/* product mod p */
1197 	temp = BN_cmp(u, v);
1198 	fprintf(stderr,
1199 	    "Confirm g^k = g^(k + b r) g^(q - b) r: %s\n", temp ==
1200 	    0 ? "yes" : "no");
1201 	BN_free(b); BN_free(r);	BN_free(k);
1202 	BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
1203 	if (temp != 0) {
1204 		DSA_free(dsa);
1205 		return (NULL);
1206 	}
1207 
1208 	/*
1209 	 * Write the IFF keys as an encrypted DSA private key encoded in
1210 	 * PEM.
1211 	 *
1212 	 * p	modulus p
1213 	 * q	modulus q
1214 	 * g	generator g
1215 	 * priv_key b
1216 	 * public_key v
1217 	 * kinv	not used
1218 	 * r	not used
1219 	 */
1220 	str = fheader("IFFkey", id, groupname);
1221 	pkey = EVP_PKEY_new();
1222 	EVP_PKEY_assign_DSA(pkey, dsa);
1223 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1224 	    passwd1);
1225 	fclose(str);
1226 	if (debug)
1227 		DSA_print_fp(stderr, dsa, 0);
1228 	return (pkey);
1229 }
1230 
1231 
1232 /*
1233  ***********************************************************************
1234  *								       *
1235  * The following routines implement the Guillou-Quisquater (GQ)        *
1236  * identity scheme                                                     *
1237  *								       *
1238  ***********************************************************************
1239  *
1240  * The Guillou-Quisquater (GQ) identity scheme is intended for use when
1241  * the certificate can be used to convey public parameters. The scheme
1242  * uses a X509v3 certificate extension field do convey the public key of
1243  * a private key known only to servers. There are two kinds of files:
1244  * encrypted server files that contain private and public values and
1245  * nonencrypted client files that contain only public values. New
1246  * generations of server files must be securely transmitted to all
1247  * servers of the group; client files can be distributed by any means.
1248  * The scheme is self contained and independent of new generations of
1249  * host keys and sign keys. The scheme is self contained and independent
1250  * of new generations of host keys and sign keys.
1251  *
1252  * The GQ parameters hide in a RSA cuckoo structure which uses the same
1253  * parameters. The values are used by an identity scheme based on RSA
1254  * cryptography and described in Stimson p. 300 (with errors). The 512-
1255  * bit public modulus is n = p q, where p and q are secret large primes.
1256  * The TA rolls private random group key b as RSA exponent. These values
1257  * are known to all group members.
1258  *
1259  * When rolling new certificates, a server recomputes the private and
1260  * public keys. The private key u is a random roll, while the public key
1261  * is the inverse obscured by the group key v = (u^-1)^b. These values
1262  * replace the private and public keys normally generated by the RSA
1263  * scheme. Alice challenges Bob to confirm identity using the protocol
1264  * described below.
1265  *
1266  * How it works
1267  *
1268  * The scheme goes like this. Both Alice and Bob have the same modulus n
1269  * and some random b as the group key. These values are computed and
1270  * distributed in advance via secret means, although only the group key
1271  * b is truly secret. Each has a private random private key u and public
1272  * key (u^-1)^b, although not necessarily the same ones. Bob and Alice
1273  * can regenerate the key pair from time to time without affecting
1274  * operations. The public key is conveyed on the certificate in an
1275  * extension field; the private key is never revealed.
1276  *
1277  * Alice rolls new random challenge r and sends to Bob in the GQ
1278  * request message. Bob rolls new random k, then computes y = k u^r mod
1279  * n and x = k^b mod n and sends (y, hash(x)) to Alice in the response
1280  * message. Besides making the response shorter, the hash makes it
1281  * effectivey impossible for an intruder to solve for b by observing
1282  * a number of these messages.
1283  *
1284  * Alice receives the response and computes y^b v^r mod n. After a bit
1285  * of algebra, this simplifies to k^b. If the hash of this result
1286  * matches hash(x), Alice knows that Bob has the group key b. The signed
1287  * response binds this knowledge to Bob's private key and the public key
1288  * previously received in his certificate.
1289  */
1290 /*
1291  * Generate Guillou-Quisquater (GQ) parameters file.
1292  */
1293 EVP_PKEY *			/* RSA cuckoo nest */
1294 gen_gqkey(
1295 	const char *id		/* file name id */
1296 	)
1297 {
1298 	EVP_PKEY *pkey;		/* private key */
1299 	RSA	*rsa;		/* RSA parameters */
1300 	BN_CTX	*ctx;		/* BN working space */
1301 	BIGNUM	*u, *v, *g, *k, *r, *y; /* BN temps */
1302 	FILE	*str;
1303 	u_int	temp;
1304 
1305 	/*
1306 	 * Generate RSA parameters for use as GQ parameters.
1307 	 */
1308 	fprintf(stderr,
1309 	    "Generating GQ parameters (%d bits)...\n",
1310 	     modulus2);
1311 	rsa = RSA_generate_key(modulus2, 65537, cb, _UC("GQ"));
1312 	fprintf(stderr, "\n");
1313 	if (rsa == NULL) {
1314 		fprintf(stderr, "RSA generate keys fails\n%s\n",
1315 		    ERR_error_string(ERR_get_error(), NULL));
1316 		return (NULL);
1317 	}
1318 	u = BN_new(); v = BN_new(); g = BN_new();
1319 	k = BN_new(); r = BN_new(); y = BN_new();
1320 
1321 	/*
1322 	 * Generate the group key b, which is saved in the e member of
1323 	 * the RSA structure. The group key is transmitted to each group
1324 	 * member encrypted by the member private key.
1325 	 */
1326 	ctx = BN_CTX_new();
1327 	BN_rand(rsa->e, BN_num_bits(rsa->n), -1, 0); /* b */
1328 	BN_mod(rsa->e, rsa->e, rsa->n, ctx);
1329 
1330 	/*
1331 	 * When generating his certificate, Bob rolls random private key
1332 	 * u, then computes inverse v = u^-1.
1333 	 */
1334 	BN_rand(u, BN_num_bits(rsa->n), -1, 0); /* u */
1335 	BN_mod(u, u, rsa->n, ctx);
1336 	BN_mod_inverse(v, u, rsa->n, ctx);	/* u^-1 mod n */
1337 	BN_mod_mul(k, v, u, rsa->n, ctx);
1338 
1339 	/*
1340 	 * Bob computes public key v = (u^-1)^b, which is saved in an
1341 	 * extension field on his certificate. We check that u^b v =
1342 	 * 1 mod n.
1343 	 */
1344 	BN_mod_exp(v, v, rsa->e, rsa->n, ctx);
1345 	BN_mod_exp(g, u, rsa->e, rsa->n, ctx); /* u^b */
1346 	BN_mod_mul(g, g, v, rsa->n, ctx); /* u^b (u^-1)^b */
1347 	temp = BN_is_one(g);
1348 	fprintf(stderr,
1349 	    "Confirm u^b (u^-1)^b = 1 mod n: %s\n", temp ? "yes" :
1350 	    "no");
1351 	if (!temp) {
1352 		BN_free(u); BN_free(v);
1353 		BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1354 		BN_CTX_free(ctx);
1355 		RSA_free(rsa);
1356 		return (NULL);
1357 	}
1358 	BN_copy(rsa->p, u);			/* private key */
1359 	BN_copy(rsa->q, v);			/* public key */
1360 
1361 	/*
1362 	 * Here is a trial run of the protocol. First, Alice rolls
1363 	 * random nonce r mod n and sends it to Bob. She needs only n
1364 	 * from parameters.
1365 	 */
1366 	BN_rand(r, BN_num_bits(rsa->n), -1, 0);	/* r */
1367 	BN_mod(r, r, rsa->n, ctx);
1368 
1369 	/*
1370 	 * Bob rolls random nonce k mod n, computes y = k u^r mod n and
1371 	 * g = k^b mod n, then sends (y, g) to Alice. He needs n, u, b
1372 	 * from parameters and r from Alice.
1373 	 */
1374 	BN_rand(k, BN_num_bits(rsa->n), -1, 0);	/* k */
1375 	BN_mod(k, k, rsa->n, ctx);
1376 	BN_mod_exp(y, rsa->p, r, rsa->n, ctx);	/* u^r mod n */
1377 	BN_mod_mul(y, k, y, rsa->n, ctx);	/* y = k u^r mod n */
1378 	BN_mod_exp(g, k, rsa->e, rsa->n, ctx);	/* g = k^b mod n */
1379 
1380 	/*
1381 	 * Alice verifies g = v^r y^b mod n to confirm that Bob has
1382 	 * private key u. She needs n, g from parameters, public key v =
1383 	 * (u^-1)^b from the certificate, (y, g) from Bob and the
1384 	 * original r. We omit the detaul here that only the hash of g
1385 	 * is sent.
1386 	 */
1387 	BN_mod_exp(v, rsa->q, r, rsa->n, ctx);	/* v^r mod n */
1388 	BN_mod_exp(y, y, rsa->e, rsa->n, ctx); /* y^b mod n */
1389 	BN_mod_mul(y, v, y, rsa->n, ctx);	/* v^r y^b mod n */
1390 	temp = BN_cmp(y, g);
1391 	fprintf(stderr, "Confirm g^k = v^r y^b mod n: %s\n", temp == 0 ?
1392 	    "yes" : "no");
1393 	BN_CTX_free(ctx); BN_free(u); BN_free(v);
1394 	BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1395 	if (temp != 0) {
1396 		RSA_free(rsa);
1397 		return (NULL);
1398 	}
1399 
1400 	/*
1401 	 * Write the GQ parameter file as an encrypted RSA private key
1402 	 * encoded in PEM.
1403 	 *
1404 	 * n	modulus n
1405 	 * e	group key b
1406 	 * d	not used
1407 	 * p	private key u
1408 	 * q	public key (u^-1)^b
1409 	 * dmp1	not used
1410 	 * dmq1	not used
1411 	 * iqmp	not used
1412 	 */
1413 	BN_copy(rsa->d, BN_value_one());
1414 	BN_copy(rsa->dmp1, BN_value_one());
1415 	BN_copy(rsa->dmq1, BN_value_one());
1416 	BN_copy(rsa->iqmp, BN_value_one());
1417 	str = fheader("GQkey", id, groupname);
1418 	pkey = EVP_PKEY_new();
1419 	EVP_PKEY_assign_RSA(pkey, rsa);
1420 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1421 	    passwd1);
1422 	fclose(str);
1423 	if (debug)
1424 		RSA_print_fp(stderr, rsa, 0);
1425 	return (pkey);
1426 }
1427 
1428 
1429 /*
1430  ***********************************************************************
1431  *								       *
1432  * The following routines implement the Mu-Varadharajan (MV) identity  *
1433  * scheme                                                              *
1434  *								       *
1435  ***********************************************************************
1436  *
1437  * The Mu-Varadharajan (MV) cryptosystem was originally intended when
1438  * servers broadcast messages to clients, but clients never send
1439  * messages to servers. There is one encryption key for the server and a
1440  * separate decryption key for each client. It operated something like a
1441  * pay-per-view satellite broadcasting system where the session key is
1442  * encrypted by the broadcaster and the decryption keys are held in a
1443  * tamperproof set-top box.
1444  *
1445  * The MV parameters and private encryption key hide in a DSA cuckoo
1446  * structure which uses the same parameters, but generated in a
1447  * different way. The values are used in an encryption scheme similar to
1448  * El Gamal cryptography and a polynomial formed from the expansion of
1449  * product terms (x - x[j]), as described in Mu, Y., and V.
1450  * Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001,
1451  * 223-231. The paper has significant errors and serious omissions.
1452  *
1453  * Let q be the product of n distinct primes s1[j] (j = 1...n), where
1454  * each s1[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
1455  * that q and each s1[j] divide p - 1 and p has M = n * m + 1
1456  * significant bits. Let g be a generator of Zp; that is, gcd(g, p - 1)
1457  * = 1 and g^q = 1 mod p. We do modular arithmetic over Zq and then
1458  * project into Zp* as exponents of g. Sometimes we have to compute an
1459  * inverse b^-1 of random b in Zq, but for that purpose we require
1460  * gcd(b, q) = 1. We expect M to be in the 500-bit range and n
1461  * relatively small, like 30. These are the parameters of the scheme and
1462  * they are expensive to compute.
1463  *
1464  * We set up an instance of the scheme as follows. A set of random
1465  * values x[j] mod q (j = 1...n), are generated as the zeros of a
1466  * polynomial of order n. The product terms (x - x[j]) are expanded to
1467  * form coefficients a[i] mod q (i = 0...n) in powers of x. These are
1468  * used as exponents of the generator g mod p to generate the private
1469  * encryption key A. The pair (gbar, ghat) of public server keys and the
1470  * pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used
1471  * to construct the decryption keys. The devil is in the details.
1472  *
1473  * This routine generates a private server encryption file including the
1474  * private encryption key E and partial decryption keys gbar and ghat.
1475  * It then generates public client decryption files including the public
1476  * keys xbar[j] and xhat[j] for each client j. The partial decryption
1477  * files are used to compute the inverse of E. These values are suitably
1478  * blinded so secrets are not revealed.
1479  *
1480  * The distinguishing characteristic of this scheme is the capability to
1481  * revoke keys. Included in the calculation of E, gbar and ghat is the
1482  * product s = prod(s1[j]) (j = 1...n) above. If the factor s1[j] is
1483  * subsequently removed from the product and E, gbar and ghat
1484  * recomputed, the jth client will no longer be able to compute E^-1 and
1485  * thus unable to decrypt the messageblock.
1486  *
1487  * How it works
1488  *
1489  * The scheme goes like this. Bob has the server values (p, E, q,
1490  * gbar, ghat) and Alice has the client values (p, xbar, xhat).
1491  *
1492  * Alice rolls new random nonce r mod p and sends to Bob in the MV
1493  * request message. Bob rolls random nonce k mod q, encrypts y = r E^k
1494  * mod p and sends (y, gbar^k, ghat^k) to Alice.
1495  *
1496  * Alice receives the response and computes the inverse (E^k)^-1 from
1497  * the partial decryption keys gbar^k, ghat^k, xbar and xhat. She then
1498  * decrypts y and verifies it matches the original r. The signed
1499  * response binds this knowledge to Bob's private key and the public key
1500  * previously received in his certificate.
1501  */
1502 EVP_PKEY *			/* DSA cuckoo nest */
1503 gen_mvkey(
1504 	const char *id,		/* file name id */
1505 	EVP_PKEY **evpars	/* parameter list pointer */
1506 	)
1507 {
1508 	EVP_PKEY *pkey, *pkey1;	/* private keys */
1509 	DSA	*dsa, *dsa2, *sdsa; /* DSA parameters */
1510 	BN_CTX	*ctx;		/* BN working space */
1511 	BIGNUM	*a[MVMAX];	/* polynomial coefficient vector */
1512 	BIGNUM	*g[MVMAX];	/* public key vector */
1513 	BIGNUM	*s1[MVMAX];	/* private enabling keys */
1514 	BIGNUM	*x[MVMAX];	/* polynomial zeros vector */
1515 	BIGNUM	*xbar[MVMAX], *xhat[MVMAX]; /* private keys vector */
1516 	BIGNUM	*b;		/* group key */
1517 	BIGNUM	*b1;		/* inverse group key */
1518 	BIGNUM	*s;		/* enabling key */
1519 	BIGNUM	*biga;		/* master encryption key */
1520 	BIGNUM	*bige;		/* session encryption key */
1521 	BIGNUM	*gbar, *ghat;	/* public key */
1522 	BIGNUM	*u, *v, *w;	/* BN scratch */
1523 	int	i, j, n;
1524 	FILE	*str;
1525 	u_int	temp;
1526 
1527 	/*
1528 	 * Generate MV parameters.
1529 	 *
1530 	 * The object is to generate a multiplicative group Zp* modulo a
1531 	 * prime p and a subset Zq mod q, where q is the product of n
1532 	 * distinct primes s1[j] (j = 1...n) and q divides p - 1. We
1533 	 * first generate n m-bit primes, where the product n m is in
1534 	 * the order of 512 bits. One or more of these may have to be
1535 	 * replaced later. As a practical matter, it is tough to find
1536 	 * more than 31 distinct primes for 512 bits or 61 primes for
1537 	 * 1024 bits. The latter can take several hundred iterations
1538 	 * and several minutes on a Sun Blade 1000.
1539 	 */
1540 	n = nkeys;
1541 	fprintf(stderr,
1542 	    "Generating MV parameters for %d keys (%d bits)...\n", n,
1543 	    modulus2 / n);
1544 	ctx = BN_CTX_new(); u = BN_new(); v = BN_new(); w = BN_new();
1545 	b = BN_new(); b1 = BN_new();
1546 	dsa = DSA_new();
1547 	dsa->p = BN_new(); dsa->q = BN_new(); dsa->g = BN_new();
1548 	dsa->priv_key = BN_new(); dsa->pub_key = BN_new();
1549 	temp = 0;
1550 	for (j = 1; j <= n; j++) {
1551 		s1[j] = BN_new();
1552 		while (1) {
1553 			BN_generate_prime(s1[j], modulus2 / n, 0, NULL,
1554 			    NULL, NULL, NULL);
1555 			for (i = 1; i < j; i++) {
1556 				if (BN_cmp(s1[i], s1[j]) == 0)
1557 					break;
1558 			}
1559 			if (i == j)
1560 				break;
1561 			temp++;
1562 		}
1563 	}
1564 	fprintf(stderr, "Birthday keys regenerated %d\n", temp);
1565 
1566 	/*
1567 	 * Compute the modulus q as the product of the primes. Compute
1568 	 * the modulus p as 2 * q + 1 and test p for primality. If p
1569 	 * is composite, replace one of the primes with a new distinct
1570 	 * one and try again. Note that q will hardly be a secret since
1571 	 * we have to reveal p to servers, but not clients. However,
1572 	 * factoring q to find the primes should be adequately hard, as
1573 	 * this is the same problem considered hard in RSA. Question: is
1574 	 * it as hard to find n small prime factors totalling n bits as
1575 	 * it is to find two large prime factors totalling n bits?
1576 	 * Remember, the bad guy doesn't know n.
1577 	 */
1578 	temp = 0;
1579 	while (1) {
1580 		BN_one(dsa->q);
1581 		for (j = 1; j <= n; j++)
1582 			BN_mul(dsa->q, dsa->q, s1[j], ctx);
1583 		BN_copy(dsa->p, dsa->q);
1584 		BN_add(dsa->p, dsa->p, dsa->p);
1585 		BN_add_word(dsa->p, 1);
1586 		if (BN_is_prime(dsa->p, BN_prime_checks, NULL, ctx,
1587 		    NULL))
1588 			break;
1589 
1590 		temp++;
1591 		j = temp % n + 1;
1592 		while (1) {
1593 			BN_generate_prime(u, modulus2 / n, 0, 0, NULL,
1594 			    NULL, NULL);
1595 			for (i = 1; i <= n; i++) {
1596 				if (BN_cmp(u, s1[i]) == 0)
1597 					break;
1598 			}
1599 			if (i > n)
1600 				break;
1601 		}
1602 		BN_copy(s1[j], u);
1603 	}
1604 	fprintf(stderr, "Defective keys regenerated %d\n", temp);
1605 
1606 	/*
1607 	 * Compute the generator g using a random roll such that
1608 	 * gcd(g, p - 1) = 1 and g^q = 1. This is a generator of p, not
1609 	 * q. This may take several iterations.
1610 	 */
1611 	BN_copy(v, dsa->p);
1612 	BN_sub_word(v, 1);
1613 	while (1) {
1614 		BN_rand(dsa->g, BN_num_bits(dsa->p) - 1, 0, 0);
1615 		BN_mod(dsa->g, dsa->g, dsa->p, ctx);
1616 		BN_gcd(u, dsa->g, v, ctx);
1617 		if (!BN_is_one(u))
1618 			continue;
1619 
1620 		BN_mod_exp(u, dsa->g, dsa->q, dsa->p, ctx);
1621 		if (BN_is_one(u))
1622 			break;
1623 	}
1624 
1625 	/*
1626 	 * Setup is now complete. Roll random polynomial roots x[j]
1627 	 * (j = 1...n) for all j. While it may not be strictly
1628 	 * necessary, Make sure each root has no factors in common with
1629 	 * q.
1630 	 */
1631 	fprintf(stderr,
1632 	    "Generating polynomial coefficients for %d roots (%d bits)\n",
1633 	    n, BN_num_bits(dsa->q));
1634 	for (j = 1; j <= n; j++) {
1635 		x[j] = BN_new();
1636 
1637 		while (1) {
1638 			BN_rand(x[j], BN_num_bits(dsa->q), 0, 0);
1639 			BN_mod(x[j], x[j], dsa->q, ctx);
1640 			BN_gcd(u, x[j], dsa->q, ctx);
1641 			if (BN_is_one(u))
1642 				break;
1643 		}
1644 	}
1645 
1646 	/*
1647 	 * Generate polynomial coefficients a[i] (i = 0...n) from the
1648 	 * expansion of root products (x - x[j]) mod q for all j. The
1649 	 * method is a present from Charlie Boncelet.
1650 	 */
1651 	for (i = 0; i <= n; i++) {
1652 		a[i] = BN_new();
1653 		BN_one(a[i]);
1654 	}
1655 	for (j = 1; j <= n; j++) {
1656 		BN_zero(w);
1657 		for (i = 0; i < j; i++) {
1658 			BN_copy(u, dsa->q);
1659 			BN_mod_mul(v, a[i], x[j], dsa->q, ctx);
1660 			BN_sub(u, u, v);
1661 			BN_add(u, u, w);
1662 			BN_copy(w, a[i]);
1663 			BN_mod(a[i], u, dsa->q, ctx);
1664 		}
1665 	}
1666 
1667 	/*
1668 	 * Generate g[i] = g^a[i] mod p for all i and the generator g.
1669 	 */
1670 	for (i = 0; i <= n; i++) {
1671 		g[i] = BN_new();
1672 		BN_mod_exp(g[i], dsa->g, a[i], dsa->p, ctx);
1673 	}
1674 
1675 	/*
1676 	 * Verify prod(g[i]^(a[i] x[j]^i)) = 1 for all i, j. Note the
1677 	 * a[i] x[j]^i exponent is computed mod q, but the g[i] is
1678 	 * computed mod p. also note the expression given in the paper
1679 	 * is incorrect.
1680 	 */
1681 	temp = 1;
1682 	for (j = 1; j <= n; j++) {
1683 		BN_one(u);
1684 		for (i = 0; i <= n; i++) {
1685 			BN_set_word(v, i);
1686 			BN_mod_exp(v, x[j], v, dsa->q, ctx);
1687 			BN_mod_mul(v, v, a[i], dsa->q, ctx);
1688 			BN_mod_exp(v, dsa->g, v, dsa->p, ctx);
1689 			BN_mod_mul(u, u, v, dsa->p, ctx);
1690 		}
1691 		if (!BN_is_one(u))
1692 			temp = 0;
1693 	}
1694 	fprintf(stderr,
1695 	    "Confirm prod(g[i]^(x[j]^i)) = 1 for all i, j: %s\n", temp ?
1696 	    "yes" : "no");
1697 	if (!temp) {
1698 		return (NULL);
1699 	}
1700 
1701 	/*
1702 	 * Make private encryption key A. Keep it around for awhile,
1703 	 * since it is expensive to compute.
1704 	 */
1705 	biga = BN_new();
1706 
1707 	BN_one(biga);
1708 	for (j = 1; j <= n; j++) {
1709 		for (i = 0; i < n; i++) {
1710 			BN_set_word(v, i);
1711 			BN_mod_exp(v, x[j], v, dsa->q, ctx);
1712 			BN_mod_exp(v, g[i], v, dsa->p, ctx);
1713 			BN_mod_mul(biga, biga, v, dsa->p, ctx);
1714 		}
1715 	}
1716 
1717 	/*
1718 	 * Roll private random group key b mod q (0 < b < q), where
1719 	 * gcd(b, q) = 1 to guarantee b^-1 exists, then compute b^-1
1720 	 * mod q. If b is changed, the client keys must be recomputed.
1721 	 */
1722 	while (1) {
1723 		BN_rand(b, BN_num_bits(dsa->q), 0, 0);
1724 		BN_mod(b, b, dsa->q, ctx);
1725 		BN_gcd(u, b, dsa->q, ctx);
1726 		if (BN_is_one(u))
1727 			break;
1728 	}
1729 	BN_mod_inverse(b1, b, dsa->q, ctx);
1730 
1731 	/*
1732 	 * Make private client keys (xbar[j], xhat[j]) for all j. Note
1733 	 * that the keys for the jth client do not s1[j] or the product
1734 	 * s1[j]) (j = 1...n) which is q by construction.
1735 	 *
1736 	 * Compute the factor w such that w s1[j] = s1[j] for all j. The
1737 	 * easy way to do this is to compute (q + s1[j]) / s1[j].
1738 	 * Exercise for the student: prove the remainder is always zero.
1739 	 */
1740 	for (j = 1; j <= n; j++) {
1741 		xbar[j] = BN_new(); xhat[j] = BN_new();
1742 
1743 		BN_add(w, dsa->q, s1[j]);
1744 		BN_div(w, u, w, s1[j], ctx);
1745 		BN_zero(xbar[j]);
1746 		BN_set_word(v, n);
1747 		for (i = 1; i <= n; i++) {
1748 			if (i == j)
1749 				continue;
1750 
1751 			BN_mod_exp(u, x[i], v, dsa->q, ctx);
1752 			BN_add(xbar[j], xbar[j], u);
1753 		}
1754 		BN_mod_mul(xbar[j], xbar[j], b1, dsa->q, ctx);
1755 		BN_mod_exp(xhat[j], x[j], v, dsa->q, ctx);
1756 		BN_mod_mul(xhat[j], xhat[j], w, dsa->q, ctx);
1757 	}
1758 
1759 	/*
1760 	 * We revoke client j by dividing q by s1[j]. The quotient
1761 	 * becomes the enabling key s. Note we always have to revoke
1762 	 * one key; otherwise, the plaintext and cryptotext would be
1763 	 * identical. For the present there are no provisions to revoke
1764 	 * additional keys, so we sail on with only token revocations.
1765 	 */
1766 	s = BN_new();
1767 	BN_copy(s, dsa->q);
1768 	BN_div(s, u, s, s1[n], ctx);
1769 
1770 	/*
1771 	 * For each combination of clients to be revoked, make private
1772 	 * encryption key E = A^s and partial decryption keys gbar = g^s
1773 	 * and ghat = g^(s b), all mod p. The servers use these keys to
1774 	 * compute the session encryption key and partial decryption
1775 	 * keys. These values must be regenerated if the enabling key is
1776 	 * changed.
1777 	 */
1778 	bige = BN_new(); gbar = BN_new(); ghat = BN_new();
1779 	BN_mod_exp(bige, biga, s, dsa->p, ctx);
1780 	BN_mod_exp(gbar, dsa->g, s, dsa->p, ctx);
1781 	BN_mod_mul(v, s, b, dsa->q, ctx);
1782 	BN_mod_exp(ghat, dsa->g, v, dsa->p, ctx);
1783 
1784 	/*
1785 	 * Notes: We produce the key media in three steps. The first
1786 	 * step is to generate the system parameters p, q, g, b, A and
1787 	 * the enabling keys s1[j]. Associated with each s1[j] are
1788 	 * parameters xbar[j] and xhat[j]. All of these parameters are
1789 	 * retained in a data structure protecteted by the trusted-agent
1790 	 * password. The p, xbar[j] and xhat[j] paremeters are
1791 	 * distributed to the j clients. When the client keys are to be
1792 	 * activated, the enabled keys are multipied together to form
1793 	 * the master enabling key s. This and the other parameters are
1794 	 * used to compute the server encryption key E and the partial
1795 	 * decryption keys gbar and ghat.
1796 	 *
1797 	 * In the identity exchange the client rolls random r and sends
1798 	 * it to the server. The server rolls random k, which is used
1799 	 * only once, then computes the session key E^k and partial
1800 	 * decryption keys gbar^k and ghat^k. The server sends the
1801 	 * encrypted r along with gbar^k and ghat^k to the client. The
1802 	 * client completes the decryption and verifies it matches r.
1803 	 */
1804 	/*
1805 	 * Write the MV trusted-agent parameters and keys as a DSA
1806 	 * private key encoded in PEM.
1807 	 *
1808 	 * p	modulus p
1809 	 * q	modulus q
1810 	 * g	generator g
1811 	 * priv_key A mod p
1812 	 * pub_key b mod q
1813 	 * (remaining values are not used)
1814 	 */
1815 	i = 0;
1816 	str = fheader("MVta", "mvta", groupname);
1817 	fprintf(stderr, "Generating MV trusted-authority keys\n");
1818 	BN_copy(dsa->priv_key, biga);
1819 	BN_copy(dsa->pub_key, b);
1820 	pkey = EVP_PKEY_new();
1821 	EVP_PKEY_assign_DSA(pkey, dsa);
1822 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1823 	    passwd1);
1824 	evpars[i++] = pkey;
1825 	if (debug)
1826 		DSA_print_fp(stderr, dsa, 0);
1827 
1828 	/*
1829 	 * Append the MV server parameters and keys as a DSA key encoded
1830 	 * in PEM.
1831 	 *
1832 	 * p	modulus p
1833 	 * q	modulus q (used only when generating k)
1834 	 * g	bige
1835 	 * priv_key gbar
1836 	 * pub_key ghat
1837 	 * (remaining values are not used)
1838 	 */
1839 	fprintf(stderr, "Generating MV server keys\n");
1840 	dsa2 = DSA_new();
1841 	dsa2->p = BN_dup(dsa->p);
1842 	dsa2->q = BN_dup(dsa->q);
1843 	dsa2->g = BN_dup(bige);
1844 	dsa2->priv_key = BN_dup(gbar);
1845 	dsa2->pub_key = BN_dup(ghat);
1846 	pkey1 = EVP_PKEY_new();
1847 	EVP_PKEY_assign_DSA(pkey1, dsa2);
1848 	PEM_write_PKCS8PrivateKey(str, pkey1, cipher, NULL, 0, NULL,
1849 	    passwd1);
1850 	evpars[i++] = pkey1;
1851 	if (debug)
1852 		DSA_print_fp(stderr, dsa2, 0);
1853 
1854 	/*
1855 	 * Append the MV client parameters for each client j as DSA keys
1856 	 * encoded in PEM.
1857 	 *
1858 	 * p	modulus p
1859 	 * priv_key xbar[j] mod q
1860 	 * pub_key xhat[j] mod q
1861 	 * (remaining values are not used)
1862 	 */
1863 	fprintf(stderr, "Generating %d MV client keys\n", n);
1864 	for (j = 1; j <= n; j++) {
1865 		sdsa = DSA_new();
1866 		sdsa->p = BN_dup(dsa->p);
1867 		sdsa->q = BN_dup(BN_value_one());
1868 		sdsa->g = BN_dup(BN_value_one());
1869 		sdsa->priv_key = BN_dup(xbar[j]);
1870 		sdsa->pub_key = BN_dup(xhat[j]);
1871 		pkey1 = EVP_PKEY_new();
1872 		EVP_PKEY_set1_DSA(pkey1, sdsa);
1873 		PEM_write_PKCS8PrivateKey(str, pkey1, cipher, NULL, 0,
1874 		    NULL, passwd1);
1875 		evpars[i++] = pkey1;
1876 		if (debug)
1877 			DSA_print_fp(stderr, sdsa, 0);
1878 
1879 		/*
1880 		 * The product gbar^k)^xbar[j] (ghat^k)^xhat[j] and E
1881 		 * are inverses of each other. We check that the product
1882 		 * is one for each client except the ones that have been
1883 		 * revoked.
1884 		 */
1885 		BN_mod_exp(v, dsa2->priv_key, sdsa->pub_key, dsa->p,
1886 		    ctx);
1887 		BN_mod_exp(u, dsa2->pub_key, sdsa->priv_key, dsa->p,
1888 		    ctx);
1889 		BN_mod_mul(u, u, v, dsa->p, ctx);
1890 		BN_mod_mul(u, u, bige, dsa->p, ctx);
1891 		if (!BN_is_one(u)) {
1892 			fprintf(stderr, "Revoke key %d\n", j);
1893 			continue;
1894 		}
1895 	}
1896 	evpars[i++] = NULL;
1897 	fclose(str);
1898 
1899 	/*
1900 	 * Free the countries.
1901 	 */
1902 	for (i = 0; i <= n; i++) {
1903 		BN_free(a[i]); BN_free(g[i]);
1904 	}
1905 	for (j = 1; j <= n; j++) {
1906 		BN_free(x[j]); BN_free(xbar[j]); BN_free(xhat[j]);
1907 		BN_free(s1[j]);
1908 	}
1909 	return (pkey);
1910 }
1911 
1912 
1913 /*
1914  * Generate X509v3 certificate.
1915  *
1916  * The certificate consists of the version number, serial number,
1917  * validity interval, issuer name, subject name and public key. For a
1918  * self-signed certificate, the issuer name is the same as the subject
1919  * name and these items are signed using the subject private key. The
1920  * validity interval extends from the current time to the same time one
1921  * year hence. For NTP purposes, it is convenient to use the NTP seconds
1922  * of the current time as the serial number.
1923  */
1924 int
1925 x509	(
1926 	EVP_PKEY *pkey,		/* signing key */
1927 	const EVP_MD *md,	/* signature/digest scheme */
1928 	char	*gqpub,		/* identity extension (hex string) */
1929 	const char *exten,	/* private cert extension */
1930 	char	*name		/* subject/issuer name */
1931 	)
1932 {
1933 	X509	*cert;		/* X509 certificate */
1934 	X509_NAME *subj;	/* distinguished (common) name */
1935 	X509_EXTENSION *ex;	/* X509v3 extension */
1936 	FILE	*str;		/* file handle */
1937 	ASN1_INTEGER *serial;	/* serial number */
1938 	const char *id;		/* digest/signature scheme name */
1939 	char	pathbuf[MAXFILENAME + 1];
1940 
1941 	/*
1942 	 * Generate X509 self-signed certificate.
1943 	 *
1944 	 * Set the certificate serial to the NTP seconds for grins. Set
1945 	 * the version to 3. Set the initial validity to the current
1946 	 * time and the finalvalidity one year hence.
1947 	 */
1948  	id = OBJ_nid2sn(md->pkey_type);
1949 	fprintf(stderr, "Generating new certificate %s %s\n", name, id);
1950 	cert = X509_new();
1951 	X509_set_version(cert, 2L);
1952 	serial = ASN1_INTEGER_new();
1953 	ASN1_INTEGER_set(serial, (long)epoch + JAN_1970);
1954 	X509_set_serialNumber(cert, serial);
1955 	ASN1_INTEGER_free(serial);
1956 	X509_time_adj(X509_get_notBefore(cert), 0L, &epoch);
1957 	X509_time_adj(X509_get_notAfter(cert), lifetime * SECSPERDAY, &epoch);
1958 	subj = X509_get_subject_name(cert);
1959 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
1960 	    (u_char *)name, -1, -1, 0);
1961 	subj = X509_get_issuer_name(cert);
1962 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
1963 	    (u_char *)name, -1, -1, 0);
1964 	if (!X509_set_pubkey(cert, pkey)) {
1965 		fprintf(stderr, "Assign certificate signing key fails\n%s\n",
1966 		    ERR_error_string(ERR_get_error(), NULL));
1967 		X509_free(cert);
1968 		return (0);
1969 	}
1970 
1971 	/*
1972 	 * Add X509v3 extensions if present. These represent the minimum
1973 	 * set defined in RFC3280 less the certificate_policy extension,
1974 	 * which is seriously obfuscated in OpenSSL.
1975 	 */
1976 	/*
1977 	 * The basic_constraints extension CA:TRUE allows servers to
1978 	 * sign client certficitates.
1979 	 */
1980 	fprintf(stderr, "%s: %s\n", LN_basic_constraints,
1981 	    BASIC_CONSTRAINTS);
1982 	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
1983 	    _UC(BASIC_CONSTRAINTS));
1984 	if (!X509_add_ext(cert, ex, -1)) {
1985 		fprintf(stderr, "Add extension field fails\n%s\n",
1986 		    ERR_error_string(ERR_get_error(), NULL));
1987 		return (0);
1988 	}
1989 	X509_EXTENSION_free(ex);
1990 
1991 	/*
1992 	 * The key_usage extension designates the purposes the key can
1993 	 * be used for.
1994 	 */
1995 	fprintf(stderr, "%s: %s\n", LN_key_usage, KEY_USAGE);
1996 	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, _UC(KEY_USAGE));
1997 	if (!X509_add_ext(cert, ex, -1)) {
1998 		fprintf(stderr, "Add extension field fails\n%s\n",
1999 		    ERR_error_string(ERR_get_error(), NULL));
2000 		return (0);
2001 	}
2002 	X509_EXTENSION_free(ex);
2003 	/*
2004 	 * The subject_key_identifier is used for the GQ public key.
2005 	 * This should not be controversial.
2006 	 */
2007 	if (gqpub != NULL) {
2008 		fprintf(stderr, "%s\n", LN_subject_key_identifier);
2009 		ex = X509V3_EXT_conf_nid(NULL, NULL,
2010 		    NID_subject_key_identifier, gqpub);
2011 		if (!X509_add_ext(cert, ex, -1)) {
2012 			fprintf(stderr,
2013 			    "Add extension field fails\n%s\n",
2014 			    ERR_error_string(ERR_get_error(), NULL));
2015 			return (0);
2016 		}
2017 		X509_EXTENSION_free(ex);
2018 	}
2019 
2020 	/*
2021 	 * The extended key usage extension is used for special purpose
2022 	 * here. The semantics probably do not conform to the designer's
2023 	 * intent and will likely change in future.
2024 	 *
2025 	 * "trustRoot" designates a root authority
2026 	 * "private" designates a private certificate
2027 	 */
2028 	if (exten != NULL) {
2029 		fprintf(stderr, "%s: %s\n", LN_ext_key_usage, exten);
2030 		ex = X509V3_EXT_conf_nid(NULL, NULL,
2031 		    NID_ext_key_usage, _UC(exten));
2032 		if (!X509_add_ext(cert, ex, -1)) {
2033 			fprintf(stderr,
2034 			    "Add extension field fails\n%s\n",
2035 			    ERR_error_string(ERR_get_error(), NULL));
2036 			return (0);
2037 		}
2038 		X509_EXTENSION_free(ex);
2039 	}
2040 
2041 	/*
2042 	 * Sign and verify.
2043 	 */
2044 	X509_sign(cert, pkey, md);
2045 	if (X509_verify(cert, pkey) <= 0) {
2046 		fprintf(stderr, "Verify %s certificate fails\n%s\n", id,
2047 		    ERR_error_string(ERR_get_error(), NULL));
2048 		X509_free(cert);
2049 		return (0);
2050 	}
2051 
2052 	/*
2053 	 * Write the certificate encoded in PEM.
2054 	 */
2055 	snprintf(pathbuf, sizeof(pathbuf), "%scert", id);
2056 	str = fheader(pathbuf, "cert", hostname);
2057 	PEM_write_X509(str, cert);
2058 	fclose(str);
2059 	if (debug)
2060 		X509_print_fp(stderr, cert);
2061 	X509_free(cert);
2062 	return (1);
2063 }
2064 
2065 #if 0	/* asn2ntp is used only with commercial certificates */
2066 /*
2067  * asn2ntp - convert ASN1_TIME time structure to NTP time
2068  */
2069 u_long
2070 asn2ntp	(
2071 	ASN1_TIME *asn1time	/* pointer to ASN1_TIME structure */
2072 	)
2073 {
2074 	char	*v;		/* pointer to ASN1_TIME string */
2075 	struct	tm tm;		/* time decode structure time */
2076 
2077 	/*
2078 	 * Extract time string YYMMDDHHMMSSZ from ASN.1 time structure.
2079 	 * Note that the YY, MM, DD fields start with one, the HH, MM,
2080 	 * SS fiels start with zero and the Z character should be 'Z'
2081 	 * for UTC. Also note that years less than 50 map to years
2082 	 * greater than 100. Dontcha love ASN.1?
2083 	 */
2084 	if (asn1time->length > 13)
2085 		return (-1);
2086 	v = (char *)asn1time->data;
2087 	tm.tm_year = (v[0] - '0') * 10 + v[1] - '0';
2088 	if (tm.tm_year < 50)
2089 		tm.tm_year += 100;
2090 	tm.tm_mon = (v[2] - '0') * 10 + v[3] - '0' - 1;
2091 	tm.tm_mday = (v[4] - '0') * 10 + v[5] - '0';
2092 	tm.tm_hour = (v[6] - '0') * 10 + v[7] - '0';
2093 	tm.tm_min = (v[8] - '0') * 10 + v[9] - '0';
2094 	tm.tm_sec = (v[10] - '0') * 10 + v[11] - '0';
2095 	tm.tm_wday = 0;
2096 	tm.tm_yday = 0;
2097 	tm.tm_isdst = 0;
2098 	return (mktime(&tm) + JAN_1970);
2099 }
2100 #endif
2101 
2102 /*
2103  * Callback routine
2104  */
2105 void
2106 cb	(
2107 	int	n1,		/* arg 1 */
2108 	int	n2,		/* arg 2 */
2109 	void	*chr		/* arg 3 */
2110 	)
2111 {
2112 	switch (n1) {
2113 	case 0:
2114 		d0++;
2115 		fprintf(stderr, "%s %d %d %lu\r", (char *)chr, n1, n2,
2116 		    d0);
2117 		break;
2118 	case 1:
2119 		d1++;
2120 		fprintf(stderr, "%s\t\t%d %d %lu\r", (char *)chr, n1,
2121 		    n2, d1);
2122 		break;
2123 	case 2:
2124 		d2++;
2125 		fprintf(stderr, "%s\t\t\t\t%d %d %lu\r", (char *)chr,
2126 		    n1, n2, d2);
2127 		break;
2128 	case 3:
2129 		d3++;
2130 		fprintf(stderr, "%s\t\t\t\t\t\t%d %d %lu\r",
2131 		    (char *)chr, n1, n2, d3);
2132 		break;
2133 	}
2134 }
2135 
2136 
2137 /*
2138  * Generate key
2139  */
2140 EVP_PKEY *			/* public/private key pair */
2141 genkey(
2142 	const char *type,	/* key type (RSA or DSA) */
2143 	const char *id		/* file name id */
2144 	)
2145 {
2146 	if (type == NULL)
2147 		return (NULL);
2148 	if (strcmp(type, "RSA") == 0)
2149 		return (gen_rsa(id));
2150 
2151 	else if (strcmp(type, "DSA") == 0)
2152 		return (gen_dsa(id));
2153 
2154 	fprintf(stderr, "Invalid %s key type %s\n", id, type);
2155 	return (NULL);
2156 }
2157 #endif	/* AUTOKEY */
2158 
2159 
2160 /*
2161  * Generate file header and link
2162  */
2163 FILE *
2164 fheader	(
2165 	const char *file,	/* file name id */
2166 	const char *ulink,	/* linkname */
2167 	const char *owner	/* owner name */
2168 	)
2169 {
2170 	FILE	*str;		/* file handle */
2171 	char	linkname[MAXFILENAME]; /* link name */
2172 	int	temp;
2173 #ifdef HAVE_UMASK
2174         mode_t  orig_umask;
2175 #endif
2176 
2177 	snprintf(filename, sizeof(filename), "ntpkey_%s_%s.%u", file,
2178 	    owner, fstamp);
2179 #ifdef HAVE_UMASK
2180         orig_umask = umask( S_IWGRP | S_IRWXO );
2181         str = fopen(filename, "w");
2182         (void) umask(orig_umask);
2183 #else
2184         str = fopen(filename, "w");
2185 #endif
2186 	if (str == NULL) {
2187 		perror("Write");
2188 		exit (-1);
2189 	}
2190         if (strcmp(ulink, "md5") == 0) {
2191           strcpy(linkname,"ntp.keys");
2192         } else {
2193           snprintf(linkname, sizeof(linkname), "ntpkey_%s_%s", ulink,
2194                    hostname);
2195         }
2196 	(void)remove(linkname);		/* The symlink() line below matters */
2197 	temp = symlink(filename, linkname);
2198 	if (temp < 0)
2199 		perror(file);
2200 	fprintf(stderr, "Generating new %s file and link\n", ulink);
2201 	fprintf(stderr, "%s->%s\n", linkname, filename);
2202 	fprintf(str, "# %s\n# %s\n", filename, ctime(&epoch));
2203 	return (str);
2204 }
2205