xref: /freebsd/contrib/ntp/util/ntp-keygen.c (revision 8d20be1e22095c27faf8fe8b2f0d089739cc742e)
1 /*
2  * Program to generate cryptographic keys for NTP clients and servers
3  *
4  * This program generates files "ntpkey_<type>_<hostname>.<filestamp>",
5  * where <type> is the file type, <hostname> is the generating host and
6  * <filestamp> is the NTP seconds in decimal format. The NTP programs
7  * expect generic names such as "ntpkey_<type>_whimsy.udel.edu" with the
8  * association maintained by soft links.
9  *
10  * Files are prefixed with a header giving the name and date of creation
11  * followed by a type-specific descriptive label and PEM-encoded data
12  * string compatible with programs of the OpenSSL library.
13  *
14  * Note that private keys can be password encrypted as per OpenSSL
15  * conventions.
16  *
17  * The file types include
18  *
19  * ntpkey_MD5key_<hostname>.<filestamp>
20  * 	MD5 (128-bit) keys used to compute message digests in symmetric
21  *	key cryptography
22  *
23  * ntpkey_RSAkey_<hostname>.<filestamp>
24  * ntpkey_host_<hostname> (RSA) link
25  *	RSA private/public host key pair used for public key signatures
26  *	and data encryption
27  *
28  * ntpkey_DSAkey_<hostname>.<filestamp>
29  * ntpkey_sign_<hostname> (RSA or DSA) link
30  *	DSA private/public sign key pair used for public key signatures,
31  *	but not data encryption
32  *
33  * ntpkey_IFFpar_<hostname>.<filestamp>
34  * ntpkey_iff_<hostname> (IFF server/client) link
35  * ntpkey_iffkey_<hostname> (IFF client) link
36  *	Schnorr (IFF) server/client identity parameters
37  *
38  * ntpkey_IFFkey_<hostname>.<filestamp>
39  *	Schnorr (IFF) client identity parameters
40  *
41  * ntpkey_GQpar_<hostname>.<filestamp>,
42  * ntpkey_gq_<hostname> (GQ) link
43  *	Guillou-Quisquater (GQ) identity parameters
44  *
45  * ntpkey_MVpar_<hostname>.<filestamp>,
46  *	Mu-Varadharajan (MV) server identity parameters
47  *
48  * ntpkey_MVkeyX_<hostname>.<filestamp>,
49  * ntpkey_mv_<hostname> (MV server) link
50  * ntpkey_mvkey_<hostname> (MV client) link
51  *	Mu-Varadharajan (MV) client identity parameters
52  *
53  * ntpkey_XXXcert_<hostname>.<filestamp>
54  * ntpkey_cert_<hostname> (RSA or DSA) link
55  *	X509v3 certificate using RSA or DSA public keys and signatures.
56  *	XXX is a code identifying the message digest and signature
57  *	encryption algorithm
58  *
59  * Available digest/signature schemes
60  *
61  * RSA:	RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, EVP-RIPEMD160
62  * DSA:	DSA-SHA, DSA-SHA1
63  *
64  * Note: Once in a while because of some statistical fluke this program
65  * fails to generate and verify some cryptographic data, as indicated by
66  * exit status -1. In this case simply run the program again. If the
67  * program does complete with return code 0, the data are correct as
68  * verified.
69  *
70  * These cryptographic routines are characterized by the prime modulus
71  * size in bits. The default value of 512 bits is a compromise between
72  * cryptographic strength and computing time and is ordinarily
73  * considered adequate for this application. The routines have been
74  * tested with sizes of 256, 512, 1024 and 2048 bits. Not all message
75  * digest and signature encryption schemes work with sizes less than 512
76  * bits. The computing time for sizes greater than 2048 bits is
77  * prohibitive on all but the fastest processors. An UltraSPARC Blade
78  * 1000 took something over nine minutes to generate and verify the
79  * values with size 2048. An old SPARC IPC would take a week.
80  *
81  * The OpenSSL library used by this program expects a random seed file.
82  * As described in the OpenSSL documentation, the file name defaults to
83  * first the RANDFILE environment variable in the user's home directory
84  * and then .rnd in the user's home directory.
85  */
86 #ifdef HAVE_CONFIG_H
87 # include <config.h>
88 #endif
89 #include <string.h>
90 #include <stdio.h>
91 #include <stdlib.h>
92 #include <unistd.h>
93 #include <sys/stat.h>
94 #include <sys/time.h>
95 #if HAVE_SYS_TYPES_H
96 # include <sys/types.h>
97 #endif
98 #include "ntp_types.h"
99 #include "ntp_random.h"
100 #include "l_stdlib.h"
101 
102 #include "ntp-keygen-opts.h"
103 
104 #ifdef SYS_WINNT
105 extern	int	ntp_getopt	P((int, char **, const char *));
106 #define getopt ntp_getopt
107 #define optarg ntp_optarg
108 #endif
109 
110 #ifdef OPENSSL
111 #include "openssl/bn.h"
112 #include "openssl/evp.h"
113 #include "openssl/err.h"
114 #include "openssl/rand.h"
115 #include "openssl/pem.h"
116 #include "openssl/x509v3.h"
117 #include <openssl/objects.h>
118 #endif /* OPENSSL */
119 
120 /*
121  * Cryptodefines
122  */
123 #define	MD5KEYS		16	/* number of MD5 keys generated */
124 #define	JAN_1970	ULONG_CONST(2208988800) /* NTP seconds */
125 #define YEAR		((long)60*60*24*365) /* one year in seconds */
126 #define MAXFILENAME	256	/* max file name length */
127 #define MAXHOSTNAME	256	/* max host name length */
128 #ifdef OPENSSL
129 #define	PLEN		512	/* default prime modulus size (bits) */
130 
131 /*
132  * Strings used in X509v3 extension fields
133  */
134 #define KEY_USAGE		"digitalSignature,keyCertSign"
135 #define BASIC_CONSTRAINTS	"critical,CA:TRUE"
136 #define EXT_KEY_PRIVATE		"private"
137 #define EXT_KEY_TRUST		"trustRoot"
138 #endif /* OPENSSL */
139 
140 /*
141  * Prototypes
142  */
143 FILE	*fheader	P((const char *, const char *));
144 void	fslink		P((const char *, const char *));
145 int	gen_md5		P((char *));
146 #ifdef OPENSSL
147 EVP_PKEY *gen_rsa	P((char *));
148 EVP_PKEY *gen_dsa	P((char *));
149 EVP_PKEY *gen_iff	P((char *));
150 EVP_PKEY *gen_gqpar	P((char *));
151 EVP_PKEY *gen_gqkey	P((char *, EVP_PKEY *));
152 EVP_PKEY *gen_mv	P((char *));
153 int	x509		P((EVP_PKEY *, const EVP_MD *, char *, char *));
154 void	cb		P((int, int, void *));
155 EVP_PKEY *genkey	P((char *, char *));
156 u_long	asn2ntp		P((ASN1_TIME *));
157 #endif /* OPENSSL */
158 
159 /*
160  * Program variables
161  */
162 extern char *optarg;		/* command line argument */
163 int	debug = 0;		/* debug, not de bug */
164 int	rval;			/* return status */
165 #ifdef OPENSSL
166 u_int	modulus = PLEN;		/* prime modulus size (bits) */
167 #endif
168 int	nkeys = 0;		/* MV keys */
169 time_t	epoch;			/* Unix epoch (seconds) since 1970 */
170 char	*hostname;		/* host name (subject name) */
171 char	*trustname;		/* trusted host name (issuer name) */
172 char	filename[MAXFILENAME + 1]; /* file name */
173 char	*passwd1 = NULL;	/* input private key password */
174 char	*passwd2 = NULL;	/* output private key password */
175 #ifdef OPENSSL
176 long	d0, d1, d2, d3;		/* callback counters */
177 #endif /* OPENSSL */
178 
179 #ifdef SYS_WINNT
180 BOOL init_randfile();
181 
182 /*
183  * Don't try to follow symbolic links
184  */
185 int
186 readlink(char * link, char * file, int len) {
187 	return (-1);
188 }
189 /*
190  * Don't try to create a symbolic link for now.
191  * Just move the file to the name you need.
192  */
193 int
194 symlink(char *filename, char *linkname) {
195 	DeleteFile(linkname);
196 	MoveFile(filename, linkname);
197 	return 0;
198 }
199 void
200 InitWin32Sockets() {
201 	WORD wVersionRequested;
202 	WSADATA wsaData;
203 	wVersionRequested = MAKEWORD(2,0);
204 	if (WSAStartup(wVersionRequested, &wsaData))
205 	{
206 		fprintf(stderr, "No useable winsock.dll");
207 		exit(1);
208 	}
209 }
210 #endif /* SYS_WINNT */
211 
212 /*
213  * Main program
214  */
215 int
216 main(
217 	int	argc,		/* command line options */
218 	char	**argv
219 	)
220 {
221 	struct timeval tv;	/* initialization vector */
222 	int	md5key = 0;	/* generate MD5 keys */
223 #ifdef OPENSSL
224 	X509	*cert = NULL;	/* X509 certificate */
225 	EVP_PKEY *pkey_host = NULL; /* host key */
226 	EVP_PKEY *pkey_sign = NULL; /* sign key */
227 	EVP_PKEY *pkey_iff = NULL; /* IFF parameters */
228 	EVP_PKEY *pkey_gq = NULL; /* GQ parameters */
229 	EVP_PKEY *pkey_mv = NULL; /* MV parameters */
230 	int	hostkey = 0;	/* generate RSA keys */
231 	int	iffkey = 0;	/* generate IFF parameters */
232 	int	gqpar = 0;	/* generate GQ parameters */
233 	int	gqkey = 0;	/* update GQ keys */
234 	int	mvpar = 0;	/* generate MV parameters */
235 	int	mvkey = 0;	/* update MV keys */
236 	char	*sign = NULL;	/* sign key */
237 	EVP_PKEY *pkey = NULL;	/* temp key */
238 	const EVP_MD *ectx;	/* EVP digest */
239 	char	pathbuf[MAXFILENAME + 1];
240 	const char *scheme = NULL; /* digest/signature scheme */
241 	char	*exten = NULL;	/* private extension */
242 	char	*grpkey = NULL;	/* identity extension */
243 	int	nid;		/* X509 digest/signature scheme */
244 	FILE	*fstr = NULL;	/* file handle */
245 	u_int	temp;
246 #define iffsw   HAVE_OPT(ID_KEY)
247 #endif /* OPENSSL */
248 	char	hostbuf[MAXHOSTNAME + 1];
249 
250 #ifdef SYS_WINNT
251 	/* Initialize before OpenSSL checks */
252 	InitWin32Sockets();
253 	if(!init_randfile())
254 		fprintf(stderr, "Unable to initialize .rnd file\n");
255 #endif
256 
257 #ifdef OPENSSL
258 	/*
259 	 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
260 	 * We match major, minor, fix and status (not patch)
261 	 */
262 	if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) {
263 		fprintf(stderr,
264 		    "OpenSSL version mismatch. Built against %lx, you have %lx\n",
265 		    OPENSSL_VERSION_NUMBER, SSLeay());
266 		return (-1);
267 
268 	} else {
269 		fprintf(stderr,
270 		    "Using OpenSSL version %lx\n", SSLeay());
271 	}
272 #endif /* OPENSSL */
273 
274 	/*
275 	 * Process options, initialize host name and timestamp.
276 	 */
277 	gethostname(hostbuf, MAXHOSTNAME);
278 	hostname = hostbuf;
279 #ifdef OPENSSL
280 	trustname = hostbuf;
281 	passwd1 = hostbuf;
282 #endif
283 #ifndef SYS_WINNT
284 	gettimeofday(&tv, 0);
285 #else
286 	gettimeofday(&tv);
287 #endif
288 	epoch = tv.tv_sec;
289 	rval = 0;
290 
291 	{
292 		int optct = optionProcess(&ntp_keygenOptions, argc, argv);
293 		argc -= optct;
294 		argv += optct;
295 	}
296 
297 #ifdef OPENSSL
298 	if (HAVE_OPT( CERTIFICATE ))
299 	    scheme = OPT_ARG( CERTIFICATE );
300 #endif
301 
302 	debug = DESC(DEBUG_LEVEL).optOccCt;
303 
304 #ifdef OPENSSL
305 	if (HAVE_OPT( GQ_PARAMS ))
306 	    gqpar++;
307 
308 	if (HAVE_OPT( GQ_KEYS ))
309 	    gqkey++;
310 
311 	if (HAVE_OPT( HOST_KEY ))
312 	    hostkey++;
313 
314 	if (HAVE_OPT( IFFKEY ))
315 	    iffkey++;
316 
317 	if (HAVE_OPT( ISSUER_NAME ))
318 	    trustname = OPT_ARG( ISSUER_NAME );
319 #endif
320 
321 	if (HAVE_OPT( MD5KEY ))
322 	    md5key++;
323 
324 #ifdef OPENSSL
325 	if (HAVE_OPT( MODULUS ))
326 	    modulus = OPT_VALUE_MODULUS;
327 
328 	if (HAVE_OPT( PVT_CERT ))
329 	    exten = EXT_KEY_PRIVATE;
330 
331 	if (HAVE_OPT( PVT_PASSWD ))
332 	    passwd2 = OPT_ARG( PVT_PASSWD );
333 
334 	if (HAVE_OPT( GET_PVT_PASSWD ))
335 	    passwd1 = OPT_ARG( GET_PVT_PASSWD );
336 
337 	if (HAVE_OPT( SIGN_KEY ))
338 	    sign = OPT_ARG( SIGN_KEY );
339 
340 	if (HAVE_OPT( SUBJECT_NAME ))
341 	    hostname = OPT_ARG( SUBJECT_NAME );
342 
343 	if (HAVE_OPT( TRUSTED_CERT ))
344 	    exten = EXT_KEY_TRUST;
345 
346 	if (HAVE_OPT( MV_PARAMS )) {
347 		mvpar++;
348 		nkeys = OPT_VALUE_MV_PARAMS;
349 	}
350 
351 	if (HAVE_OPT( MV_KEYS )) {
352 		mvkey++;
353 		nkeys = OPT_VALUE_MV_KEYS;
354 	}
355 #endif
356 
357 	if (passwd1 != NULL && passwd2 == NULL)
358 		passwd2 = passwd1;
359 #ifdef OPENSSL
360 	/*
361 	 * Seed random number generator and grow weeds.
362 	 */
363 	ERR_load_crypto_strings();
364 	OpenSSL_add_all_algorithms();
365 	if (RAND_file_name(pathbuf, MAXFILENAME) == NULL) {
366 		fprintf(stderr, "RAND_file_name %s\n",
367 		    ERR_error_string(ERR_get_error(), NULL));
368 		return (-1);
369 	}
370 	temp = RAND_load_file(pathbuf, -1);
371 	if (temp == 0) {
372 		fprintf(stderr,
373 		    "RAND_load_file %s not found or empty\n", pathbuf);
374 		return (-1);
375 	}
376 	fprintf(stderr,
377 	    "Random seed file %s %u bytes\n", pathbuf, temp);
378 	RAND_add(&epoch, sizeof(epoch), 4.0);
379 #endif
380 
381 	/*
382 	 * Generate new parameters and keys as requested. These replace
383 	 * any values already generated.
384 	 */
385 	if (md5key)
386 		gen_md5("MD5");
387 #ifdef OPENSSL
388 	if (hostkey)
389 		pkey_host = genkey("RSA", "host");
390 	if (sign != NULL)
391 		pkey_sign = genkey(sign, "sign");
392 	if (iffkey)
393 		pkey_iff = gen_iff("iff");
394 	if (gqpar)
395 		pkey_gq = gen_gqpar("gq");
396 	if (mvpar)
397 		pkey_mv = gen_mv("mv");
398 
399 	/*
400 	 * If there is no new host key, look for an existing one. If not
401 	 * found, create it.
402 	 */
403 	while (pkey_host == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
404 		sprintf(filename, "ntpkey_host_%s", hostname);
405 		if ((fstr = fopen(filename, "r")) != NULL) {
406 			pkey_host = PEM_read_PrivateKey(fstr, NULL,
407 			    NULL, passwd1);
408 			fclose(fstr);
409 			readlink(filename, filename,  sizeof(filename));
410 			if (pkey_host == NULL) {
411 				fprintf(stderr, "Host key\n%s\n",
412 				    ERR_error_string(ERR_get_error(),
413 				    NULL));
414 				rval = -1;
415 			} else {
416 				fprintf(stderr,
417 				    "Using host key %s\n", filename);
418 			}
419 			break;
420 
421 		} else if ((pkey_host = genkey("RSA", "host")) ==
422 		    NULL) {
423 			rval = -1;
424 			break;
425 		}
426 	}
427 
428 	/*
429 	 * If there is no new sign key, look for an existing one. If not
430 	 * found, use the host key instead.
431 	 */
432 	pkey = pkey_sign;
433 	while (pkey_sign == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
434 		sprintf(filename, "ntpkey_sign_%s", hostname);
435 		if ((fstr = fopen(filename, "r")) != NULL) {
436 			pkey_sign = PEM_read_PrivateKey(fstr, NULL,
437 			    NULL, passwd1);
438 			fclose(fstr);
439 			readlink(filename, filename, sizeof(filename));
440 			if (pkey_sign == NULL) {
441 				fprintf(stderr, "Sign key\n%s\n",
442 				    ERR_error_string(ERR_get_error(),
443 				    NULL));
444 				rval = -1;
445 			} else {
446 				fprintf(stderr, "Using sign key %s\n",
447 				    filename);
448 			}
449 			break;
450 		} else {
451 			pkey = pkey_host;
452 			fprintf(stderr, "Using host key as sign key\n");
453 			break;
454 		}
455 	}
456 
457 	/*
458 	 * If there is no new IFF file, look for an existing one.
459 	 */
460 	if (pkey_iff == NULL && rval == 0) {
461 		sprintf(filename, "ntpkey_iff_%s", hostname);
462 		if ((fstr = fopen(filename, "r")) != NULL) {
463 			pkey_iff = PEM_read_PrivateKey(fstr, NULL,
464 			    NULL, passwd1);
465 			fclose(fstr);
466 			readlink(filename, filename, sizeof(filename));
467 			if (pkey_iff == NULL) {
468 				fprintf(stderr, "IFF parameters\n%s\n",
469 				    ERR_error_string(ERR_get_error(),
470 				    NULL));
471 				rval = -1;
472 			} else {
473 				fprintf(stderr,
474 				    "Using IFF parameters %s\n",
475 				    filename);
476 			}
477 		}
478 	}
479 
480 	/*
481 	 * If there is no new GQ file, look for an existing one.
482 	 */
483 	if (pkey_gq == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
484 		sprintf(filename, "ntpkey_gq_%s", hostname);
485 		if ((fstr = fopen(filename, "r")) != NULL) {
486 			pkey_gq = PEM_read_PrivateKey(fstr, NULL, NULL,
487 			    passwd1);
488 			fclose(fstr);
489 			readlink(filename, filename, sizeof(filename));
490 			if (pkey_gq == NULL) {
491 				fprintf(stderr, "GQ parameters\n%s\n",
492 				    ERR_error_string(ERR_get_error(),
493 				    NULL));
494 				rval = -1;
495 			} else {
496 				fprintf(stderr,
497 				    "Using GQ parameters %s\n",
498 				    filename);
499 			}
500 		}
501 	}
502 
503 	/*
504 	 * If there is a GQ parameter file, create GQ private/public
505 	 * keys and extract the public key for the certificate.
506 	 */
507 	if (pkey_gq != NULL && rval == 0) {
508 		gen_gqkey("gq", pkey_gq);
509 		grpkey = BN_bn2hex(pkey_gq->pkey.rsa->q);
510 	}
511 
512 	/*
513 	 * Generate a X509v3 certificate.
514 	 */
515 	while (scheme == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
516 		sprintf(filename, "ntpkey_cert_%s", hostname);
517 		if ((fstr = fopen(filename, "r")) != NULL) {
518 			cert = PEM_read_X509(fstr, NULL, NULL, NULL);
519 			fclose(fstr);
520 			readlink(filename, filename, sizeof(filename));
521 			if (cert == NULL) {
522 				fprintf(stderr, "Cert \n%s\n",
523 				    ERR_error_string(ERR_get_error(),
524 				    NULL));
525 				rval = -1;
526 			} else {
527 				nid = OBJ_obj2nid(
528 				 cert->cert_info->signature->algorithm);
529 				scheme = OBJ_nid2sn(nid);
530 				fprintf(stderr,
531 				    "Using scheme %s from %s\n", scheme,
532 				     filename);
533 				break;
534 			}
535 		}
536 		scheme = "RSA-MD5";
537 	}
538 	if (pkey != NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
539 		ectx = EVP_get_digestbyname(scheme);
540 		if (ectx == NULL) {
541 			fprintf(stderr,
542 			    "Invalid digest/signature combination %s\n",
543 			    scheme);
544 			rval = -1;
545 		} else {
546 			x509(pkey, ectx, grpkey, exten);
547 		}
548 	}
549 
550 	/*
551 	 * Write the IFF client parameters and keys as a DSA private key
552 	 * encoded in PEM. Note the private key is obscured.
553 	 */
554 	if (pkey_iff != NULL && rval == 0 && HAVE_OPT(ID_KEY)) {
555 		DSA	*dsa;
556 		char	*sptr;
557 		char	*tld;
558 
559 		sptr = strrchr(filename, '.');
560 		tld = malloc(strlen(sptr));	/* we have an extra byte ... */
561 		strcpy(tld, 1+sptr);		/* ... see? */
562 		sprintf(filename, "ntpkey_IFFkey_%s.%s", trustname,
563 		    tld);
564 		free(tld);
565 		fprintf(stderr, "Writing new IFF key %s\n", filename);
566 		fprintf(stdout, "# %s\n# %s", filename, ctime(&epoch));
567 		dsa = pkey_iff->pkey.dsa;
568 		BN_copy(dsa->priv_key, BN_value_one());
569 		pkey = EVP_PKEY_new();
570 		EVP_PKEY_assign_DSA(pkey, dsa);
571 		PEM_write_PrivateKey(stdout, pkey, passwd2 ?
572 		    EVP_des_cbc() : NULL, NULL, 0, NULL, passwd2);
573 		fclose(stdout);
574 		if (debug)
575 			DSA_print_fp(stdout, dsa, 0);
576 	}
577 
578 	/*
579 	 * Return the marbles.
580 	 */
581 	if (grpkey != NULL)
582 		OPENSSL_free(grpkey);
583 	if (pkey_host != NULL)
584 		EVP_PKEY_free(pkey_host);
585 	if (pkey_sign != NULL)
586 		EVP_PKEY_free(pkey_sign);
587 	if (pkey_iff != NULL)
588 		EVP_PKEY_free(pkey_iff);
589 	if (pkey_gq != NULL)
590 		EVP_PKEY_free(pkey_gq);
591 	if (pkey_mv != NULL)
592 		EVP_PKEY_free(pkey_mv);
593 #endif /* OPENSSL */
594 	return (rval);
595 }
596 
597 
598 #if 0
599 /*
600  * Generate random MD5 key with password.
601  */
602 int
603 gen_md5(
604 	char	*id		/* file name id */
605 	)
606 {
607 	BIGNUM	*key;
608 	BIGNUM	*keyid;
609 	FILE	*str;
610 	u_char	bin[16];
611 
612 	fprintf(stderr, "Generating MD5 keys...\n");
613 	str = fheader("MD5key", hostname);
614 	keyid = BN_new(); key = BN_new();
615 	BN_rand(keyid, 16, -1, 0);
616 	BN_rand(key, 128, -1, 0);
617 	BN_bn2bin(key, bin);
618 	PEM_write_fp(str, MD5, NULL, bin);
619 	fclose(str);
620 	fslink(id, hostname);
621 	return (1);
622 }
623 
624 
625 #else
626 /*
627  * Generate semi-random MD5 keys compatible with NTPv3 and NTPv4
628  */
629 int
630 gen_md5(
631 	char	*id		/* file name id */
632 	)
633 {
634 	u_char	md5key[16];	/* MD5 key */
635 	FILE	*str;
636 	u_int	temp = 0;	/* Initialize to prevent warnings during compile */
637 	int	i, j;
638 
639 	fprintf(stderr, "Generating MD5 keys...\n");
640 	str = fheader("MD5key", hostname);
641 	ntp_srandom(epoch);
642 	for (i = 1; i <= MD5KEYS; i++) {
643 		for (j = 0; j < 16; j++) {
644 			while (1) {
645 				temp = ntp_random() & 0xff;
646 				if (temp == '#')
647 					continue;
648 				if (temp > 0x20 && temp < 0x7f)
649 					break;
650 			}
651 			md5key[j] = (u_char)temp;
652 		}
653 		md5key[15] = '\0';
654 		fprintf(str, "%2d MD5 %16s	# MD5 key\n", i,
655 		    md5key);
656 	}
657 	fclose(str);
658 	fslink(id, hostname);
659 	return (1);
660 }
661 #endif /* OPENSSL */
662 
663 
664 #ifdef OPENSSL
665 /*
666  * Generate RSA public/private key pair
667  */
668 EVP_PKEY *			/* public/private key pair */
669 gen_rsa(
670 	char	*id		/* file name id */
671 	)
672 {
673 	EVP_PKEY *pkey;		/* private key */
674 	RSA	*rsa;		/* RSA parameters and key pair */
675 	FILE	*str;
676 
677 	fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus);
678 	rsa = RSA_generate_key(modulus, 3, cb, "RSA");
679 	fprintf(stderr, "\n");
680 	if (rsa == NULL) {
681 		fprintf(stderr, "RSA generate keys fails\n%s\n",
682 		    ERR_error_string(ERR_get_error(), NULL));
683 		rval = -1;
684 		return (NULL);
685 	}
686 
687 	/*
688 	 * For signature encryption it is not necessary that the RSA
689 	 * parameters be strictly groomed and once in a while the
690 	 * modulus turns out to be non-prime. Just for grins, we check
691 	 * the primality.
692 	 */
693 	if (!RSA_check_key(rsa)) {
694 		fprintf(stderr, "Invalid RSA key\n%s\n",
695 		    ERR_error_string(ERR_get_error(), NULL));
696 		RSA_free(rsa);
697 		rval = -1;
698 		return (NULL);
699 	}
700 
701 	/*
702 	 * Write the RSA parameters and keys as a RSA private key
703 	 * encoded in PEM.
704 	 */
705 	str = fheader("RSAkey", hostname);
706 	pkey = EVP_PKEY_new();
707 	EVP_PKEY_assign_RSA(pkey, rsa);
708 	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
709 	    NULL, 0, NULL, passwd2);
710 	fclose(str);
711 	if (debug)
712 		RSA_print_fp(stdout, rsa, 0);
713 	fslink(id, hostname);
714 	return (pkey);
715 }
716 
717 
718 /*
719  * Generate DSA public/private key pair
720  */
721 EVP_PKEY *			/* public/private key pair */
722 gen_dsa(
723 	char	*id		/* file name id */
724 	)
725 {
726 	EVP_PKEY *pkey;		/* private key */
727 	DSA	*dsa;		/* DSA parameters */
728 	u_char	seed[20];	/* seed for parameters */
729 	FILE	*str;
730 
731 	/*
732 	 * Generate DSA parameters.
733 	 */
734 	fprintf(stderr,
735 	    "Generating DSA parameters (%d bits)...\n", modulus);
736 	RAND_bytes(seed, sizeof(seed));
737 	dsa = DSA_generate_parameters(modulus, seed, sizeof(seed), NULL,
738 	    NULL, cb, "DSA");
739 	fprintf(stderr, "\n");
740 	if (dsa == NULL) {
741 		fprintf(stderr, "DSA generate parameters fails\n%s\n",
742 		    ERR_error_string(ERR_get_error(), NULL));
743 		rval = -1;
744 		return (NULL);
745 	}
746 
747 	/*
748 	 * Generate DSA keys.
749 	 */
750 	fprintf(stderr, "Generating DSA keys (%d bits)...\n", modulus);
751 	if (!DSA_generate_key(dsa)) {
752 		fprintf(stderr, "DSA generate keys fails\n%s\n",
753 		    ERR_error_string(ERR_get_error(), NULL));
754 		DSA_free(dsa);
755 		rval = -1;
756 		return (NULL);
757 	}
758 
759 	/*
760 	 * Write the DSA parameters and keys as a DSA private key
761 	 * encoded in PEM.
762 	 */
763 	str = fheader("DSAkey", hostname);
764 	pkey = EVP_PKEY_new();
765 	EVP_PKEY_assign_DSA(pkey, dsa);
766 	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
767 	    NULL, 0, NULL, passwd2);
768 	fclose(str);
769 	if (debug)
770 		DSA_print_fp(stdout, dsa, 0);
771 	fslink(id, hostname);
772 	return (pkey);
773 }
774 
775 
776 /*
777  * Generate Schnorr (IFF) parameters and keys
778  *
779  * The Schnorr (IFF)identity scheme is intended for use when
780  * certificates are generated by some other trusted certificate
781  * authority and the parameters cannot be conveyed in the certificate
782  * itself. For this purpose, new generations of IFF values must be
783  * securely transmitted to all members of the group before use. There
784  * are two kinds of files: server/client files that include private and
785  * public parameters and client files that include only public
786  * parameters. The scheme is self contained and independent of new
787  * generations of host keys, sign keys and certificates.
788  *
789  * The IFF values hide in a DSA cuckoo structure which uses the same
790  * parameters. The values are used by an identity scheme based on DSA
791  * cryptography and described in Stimson p. 285. The p is a 512-bit
792  * prime, g a generator of Zp* and q a 160-bit prime that divides p - 1
793  * and is a qth root of 1 mod p; that is, g^q = 1 mod p. The TA rolls a
794  * private random group key b (0 < b < q), then computes public
795  * v = g^(q - a). All values except the group key are known to all group
796  * members; the group key is known to the group servers, but not the
797  * group clients. Alice challenges Bob to confirm identity using the
798  * protocol described below.
799  */
800 EVP_PKEY *			/* DSA cuckoo nest */
801 gen_iff(
802 	char	*id		/* file name id */
803 	)
804 {
805 	EVP_PKEY *pkey;		/* private key */
806 	DSA	*dsa;		/* DSA parameters */
807 	u_char	seed[20];	/* seed for parameters */
808 	BN_CTX	*ctx;		/* BN working space */
809 	BIGNUM	*b, *r, *k, *u, *v, *w; /* BN temp */
810 	FILE	*str;
811 	u_int	temp;
812 
813 	/*
814 	 * Generate DSA parameters for use as IFF parameters.
815 	 */
816 	fprintf(stderr, "Generating IFF parameters (%d bits)...\n",
817 	    modulus);
818 	RAND_bytes(seed, sizeof(seed));
819 	dsa = DSA_generate_parameters(modulus, seed, sizeof(seed), NULL,
820 	    NULL, cb, "IFF");
821 	fprintf(stderr, "\n");
822 	if (dsa == NULL) {
823 		fprintf(stderr, "DSA generate parameters fails\n%s\n",
824 		    ERR_error_string(ERR_get_error(), NULL));
825 		rval = -1;
826 		return (NULL);;
827 	}
828 
829 	/*
830 	 * Generate the private and public keys. The DSA parameters and
831 	 * these keys are distributed to all members of the group.
832 	 */
833 	fprintf(stderr, "Generating IFF keys (%d bits)...\n", modulus);
834 	b = BN_new(); r = BN_new(); k = BN_new();
835 	u = BN_new(); v = BN_new(); w = BN_new(); ctx = BN_CTX_new();
836 	BN_rand(b, BN_num_bits(dsa->q), -1, 0);	/* a */
837 	BN_mod(b, b, dsa->q, ctx);
838 	BN_sub(v, dsa->q, b);
839 	BN_mod_exp(v, dsa->g, v, dsa->p, ctx); /* g^(q - b) mod p */
840 	BN_mod_exp(u, dsa->g, b, dsa->p, ctx);	/* g^b mod p */
841 	BN_mod_mul(u, u, v, dsa->p, ctx);
842 	temp = BN_is_one(u);
843 	fprintf(stderr,
844 	    "Confirm g^(q - b) g^b = 1 mod p: %s\n", temp == 1 ?
845 	    "yes" : "no");
846 	if (!temp) {
847 		BN_free(b); BN_free(r); BN_free(k);
848 		BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
849 		rval = -1;
850 		return (NULL);
851 	}
852 	dsa->priv_key = BN_dup(b);		/* private key */
853 	dsa->pub_key = BN_dup(v);		/* public key */
854 
855 	/*
856 	 * Here is a trial round of the protocol. First, Alice rolls
857 	 * random r (0 < r < q) and sends it to Bob. She needs only
858 	 * modulus q.
859 	 */
860 	BN_rand(r, BN_num_bits(dsa->q), -1, 0);	/* r */
861 	BN_mod(r, r, dsa->q, ctx);
862 
863 	/*
864 	 * Bob rolls random k (0 < k < q), computes y = k + b r mod q
865 	 * and x = g^k mod p, then sends (y, x) to Alice. He needs
866 	 * moduli p, q and the group key b.
867 	 */
868 	BN_rand(k, BN_num_bits(dsa->q), -1, 0);	/* k, 0 < k < q  */
869 	BN_mod(k, k, dsa->q, ctx);
870 	BN_mod_mul(v, dsa->priv_key, r, dsa->q, ctx); /* b r mod q */
871 	BN_add(v, v, k);
872 	BN_mod(v, v, dsa->q, ctx);		/* y = k + b r mod q */
873 	BN_mod_exp(u, dsa->g, k, dsa->p, ctx);	/* x = g^k mod p */
874 
875 	/*
876 	 * Alice computes g^y v^r and verifies the result is equal to x.
877 	 * She needs modulus p, generator g, and the public key v, as
878 	 * well as her original r.
879 	 */
880 	BN_mod_exp(v, dsa->g, v, dsa->p, ctx); /* g^y mod p */
881 	BN_mod_exp(w, dsa->pub_key, r, dsa->p, ctx); /* v^r */
882 	BN_mod_mul(v, w, v, dsa->p, ctx);	/* product mod p */
883 	temp = BN_cmp(u, v);
884 	fprintf(stderr,
885 	    "Confirm g^k = g^(k + b r) g^(q - b) r: %s\n", temp ==
886 	    0 ? "yes" : "no");
887 	BN_free(b); BN_free(r);	BN_free(k);
888 	BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
889 	if (temp != 0) {
890 		DSA_free(dsa);
891 		rval = -1;
892 		return (NULL);
893 	}
894 
895 	/*
896 	 * Write the IFF server parameters and keys as a DSA private key
897 	 * encoded in PEM.
898 	 *
899 	 * p	modulus p
900 	 * q	modulus q
901 	 * g	generator g
902 	 * priv_key b
903 	 * public_key v
904 	 */
905 	str = fheader("IFFpar", trustname);
906 	pkey = EVP_PKEY_new();
907 	EVP_PKEY_assign_DSA(pkey, dsa);
908 	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
909 	    NULL, 0, NULL, passwd2);
910 	fclose(str);
911 	if (debug)
912 		DSA_print_fp(stdout, dsa, 0);
913 	fslink(id, trustname);
914 	return (pkey);
915 }
916 
917 
918 /*
919  * Generate Guillou-Quisquater (GQ) parameters and keys
920  *
921  * The Guillou-Quisquater (GQ) identity scheme is intended for use when
922  * the parameters, keys and certificates are generated by this program.
923  * The scheme uses a certificate extension field do convey the public
924  * key of a particular group identified by a group key known only to
925  * members of the group. The scheme is self contained and independent of
926  * new generations of host keys and sign keys.
927  *
928  * The GQ parameters hide in a RSA cuckoo structure which uses the same
929  * parameters. The values are used by an identity scheme based on RSA
930  * cryptography and described in Stimson p. 300 (with errors). The 512-
931  * bit public modulus is n = p q, where p and q are secret large primes.
932  * The TA rolls private random group key b as RSA exponent. These values
933  * are known to all group members.
934  *
935  * When rolling new certificates, a member recomputes the private and
936  * public keys. The private key u is a random roll, while the public key
937  * is the inverse obscured by the group key v = (u^-1)^b. These values
938  * replace the private and public keys normally generated by the RSA
939  * scheme. Alice challenges Bob to confirm identity using the protocol
940  * described below.
941  */
942 EVP_PKEY *			/* RSA cuckoo nest */
943 gen_gqpar(
944 	char	*id		/* file name id */
945 	)
946 {
947 	EVP_PKEY *pkey;		/* private key */
948 	RSA	*rsa;		/* GQ parameters */
949 	BN_CTX	*ctx;		/* BN working space */
950 	FILE	*str;
951 
952 	/*
953 	 * Generate RSA parameters for use as GQ parameters.
954 	 */
955 	fprintf(stderr,
956 	    "Generating GQ parameters (%d bits)...\n", modulus);
957 	rsa = RSA_generate_key(modulus, 3, cb, "GQ");
958 	fprintf(stderr, "\n");
959 	if (rsa == NULL) {
960 		fprintf(stderr, "RSA generate keys fails\n%s\n",
961 		    ERR_error_string(ERR_get_error(), NULL));
962 		rval = -1;
963 		return (NULL);
964 	}
965 
966 	/*
967 	 * Generate the group key b, which is saved in the e member of
968 	 * the RSA structure. These values are distributed to all
969 	 * members of the group, but shielded from all other groups. We
970 	 * don't use all the parameters, but set the unused ones to a
971 	 * small number to minimize the file size.
972 	 */
973 	ctx = BN_CTX_new();
974 	BN_rand(rsa->e, BN_num_bits(rsa->n), -1, 0); /* b */
975 	BN_mod(rsa->e, rsa->e, rsa->n, ctx);
976 	BN_copy(rsa->d, BN_value_one());
977 	BN_copy(rsa->p, BN_value_one());
978 	BN_copy(rsa->q, BN_value_one());
979 	BN_copy(rsa->dmp1, BN_value_one());
980 	BN_copy(rsa->dmq1, BN_value_one());
981 	BN_copy(rsa->iqmp, BN_value_one());
982 
983 	/*
984 	 * Write the GQ parameters as a RSA private key encoded in PEM.
985 	 * The public and private keys are filled in later.
986 	 *
987 	 * n	modulus n
988 	 * e	group key b
989 	 * (remaining values are not used)
990 	 */
991 	str = fheader("GQpar", trustname);
992 	pkey = EVP_PKEY_new();
993 	EVP_PKEY_assign_RSA(pkey, rsa);
994 	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
995 	    NULL, 0, NULL, passwd2);
996 	fclose(str);
997 	if (debug)
998 		RSA_print_fp(stdout, rsa, 0);
999 	fslink(id, trustname);
1000 	return (pkey);
1001 }
1002 
1003 
1004 /*
1005  * Update Guillou-Quisquater (GQ) parameters
1006  */
1007 EVP_PKEY *			/* RSA cuckoo nest */
1008 gen_gqkey(
1009 	char	*id,		/* file name id */
1010 	EVP_PKEY *gqpar		/* GQ parameters */
1011 	)
1012 {
1013 	EVP_PKEY *pkey;		/* private key */
1014 	RSA	*rsa;		/* RSA parameters */
1015 	BN_CTX	*ctx;		/* BN working space */
1016 	BIGNUM	*u, *v, *g, *k, *r, *y; /* BN temps */
1017 	FILE	*str;
1018 	u_int	temp;
1019 
1020 	/*
1021 	 * Generate GQ keys. Note that the group key b is the e member
1022 	 * of
1023 	 * the GQ parameters.
1024 	 */
1025 	fprintf(stderr, "Updating GQ keys (%d bits)...\n", modulus);
1026 	ctx = BN_CTX_new(); u = BN_new(); v = BN_new();
1027 	g = BN_new(); k = BN_new(); r = BN_new(); y = BN_new();
1028 
1029 	/*
1030 	 * When generating his certificate, Bob rolls random private key
1031 	 * u.
1032 	 */
1033 	rsa = gqpar->pkey.rsa;
1034 	BN_rand(u, BN_num_bits(rsa->n), -1, 0); /* u */
1035 	BN_mod(u, u, rsa->n, ctx);
1036 	BN_mod_inverse(v, u, rsa->n, ctx);	/* u^-1 mod n */
1037 	BN_mod_mul(k, v, u, rsa->n, ctx);
1038 
1039 	/*
1040 	 * Bob computes public key v = (u^-1)^b, which is saved in an
1041 	 * extension field on his certificate. We check that u^b v =
1042 	 * 1 mod n.
1043 	 */
1044 	BN_mod_exp(v, v, rsa->e, rsa->n, ctx);
1045 	BN_mod_exp(g, u, rsa->e, rsa->n, ctx); /* u^b */
1046 	BN_mod_mul(g, g, v, rsa->n, ctx); /* u^b (u^-1)^b */
1047 	temp = BN_is_one(g);
1048 	fprintf(stderr,
1049 	    "Confirm u^b (u^-1)^b = 1 mod n: %s\n", temp ? "yes" :
1050 	    "no");
1051 	if (!temp) {
1052 		BN_free(u); BN_free(v);
1053 		BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1054 		BN_CTX_free(ctx);
1055 		RSA_free(rsa);
1056 		rval = -1;
1057 		return (NULL);
1058 	}
1059 	BN_copy(rsa->p, u);			/* private key */
1060 	BN_copy(rsa->q, v);			/* public key */
1061 
1062 	/*
1063 	 * Here is a trial run of the protocol. First, Alice rolls
1064 	 * random r (0 < r < n) and sends it to Bob. She needs only
1065 	 * modulus n from the parameters.
1066 	 */
1067 	BN_rand(r, BN_num_bits(rsa->n), -1, 0);	/* r */
1068 	BN_mod(r, r, rsa->n, ctx);
1069 
1070 	/*
1071 	 * Bob rolls random k (0 < k < n), computes y = k u^r mod n and
1072 	 * g = k^b mod n, then sends (y, g) to Alice. He needs modulus n
1073 	 * from the parameters and his private key u.
1074 	 */
1075 	BN_rand(k, BN_num_bits(rsa->n), -1, 0);	/* k */
1076 	BN_mod(k, k, rsa->n, ctx);
1077 	BN_mod_exp(y, rsa->p, r, rsa->n, ctx);	/* u^r mod n */
1078 	BN_mod_mul(y, k, y, rsa->n, ctx);	/* y = k u^r mod n */
1079 	BN_mod_exp(g, k, rsa->e, rsa->n, ctx); /* g = k^b mod n */
1080 
1081 	/*
1082 	 * Alice computes v^r y^b mod n and verifies the result is equal
1083 	 * to g. She needs modulus n, generator g and group key b from
1084 	 * the parameters and Bob's public key v = (u^-1)^b from his
1085 	 * certificate.
1086 	 */
1087 	BN_mod_exp(v, rsa->q, r, rsa->n, ctx);	/* v^r mod n */
1088 	BN_mod_exp(y, y, rsa->e, rsa->n, ctx); /* y^b mod n */
1089 	BN_mod_mul(y, v, y, rsa->n, ctx);	/* v^r y^b mod n */
1090 	temp = BN_cmp(y, g);
1091 	fprintf(stderr, "Confirm g^k = v^r y^b mod n: %s\n", temp == 0 ?
1092 	    "yes" : "no");
1093 	BN_CTX_free(ctx); BN_free(u); BN_free(v);
1094 	BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1095 	if (temp != 0) {
1096 		RSA_free(rsa);
1097 		rval = -1;
1098 		return (NULL);
1099 	}
1100 
1101 	/*
1102 	 * Write the GQ parameters and keys as a RSA private key encoded
1103 	 * in PEM.
1104 	 *
1105 	 * n	modulus n
1106 	 * e	group key b
1107 	 * p	private key u
1108 	 * q	public key (u^-1)^b
1109 	 * (remaining values are not used)
1110 	 */
1111 	str = fheader("GQpar", trustname);
1112 	pkey = EVP_PKEY_new();
1113 	EVP_PKEY_assign_RSA(pkey, rsa);
1114 	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
1115 	    NULL, 0, NULL, passwd2);
1116 	fclose(str);
1117 	if (debug)
1118 		RSA_print_fp(stdout, rsa, 0);
1119 	fslink(id, trustname);
1120 	return (pkey);
1121 }
1122 
1123 
1124 /*
1125  * Generate Mu-Varadharajan (MV) parameters and keys
1126  *
1127  * The Mu-Varadharajan (MV) cryptosystem is useful when servers
1128  * broadcast messages to clients, but clients never send messages to
1129  * servers. There is one encryption key for the server and a separate
1130  * decryption key for each client. It operates something like a
1131  * pay-per-view satellite broadcasting system where the session key is
1132  * encrypted by the broadcaster and the decryption keys are held in a
1133  * tamperproof set-top box. We don't use it this way, but read on.
1134  *
1135  * The MV parameters and private encryption key hide in a DSA cuckoo
1136  * structure which uses the same parameters, but generated in a
1137  * different way. The values are used in an encryption scheme similar to
1138  * El Gamal cryptography and a polynomial formed from the expansion of
1139  * product terms (x - x[j]), as described in Mu, Y., and V.
1140  * Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001,
1141  * 223-231. The paper has significant errors and serious omissions.
1142  *
1143  * Let q be the product of n distinct primes s'[j] (j = 1...n), where
1144  * each s'[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
1145  * that q and each s'[j] divide p - 1 and p has M = n * m + 1
1146  * significant bits. Let g be a generator of Zp; that is, gcd(g, p - 1)
1147  * = 1 and g^q = 1 mod p. We do modular arithmetic over Zq and then
1148  * project into Zp* as exponents of g. Sometimes we have to compute an
1149  * inverse b^-1 of random b in Zq, but for that purpose we require
1150  * gcd(b, q) = 1. We expect M to be in the 500-bit range and n
1151  * relatively small, like 30. Associated with each s'[j] is an element
1152  * s[j] such that s[j] s'[j] = s'[j] mod q. We find s[j] as the quotient
1153  * (q + s'[j]) / s'[j]. These are the parameters of the scheme and they
1154  * are expensive to compute.
1155  *
1156  * We set up an instance of the scheme as follows. A set of random
1157  * values x[j] mod q (j = 1...n), are generated as the zeros of a
1158  * polynomial of order n. The product terms (x - x[j]) are expanded to
1159  * form coefficients a[i] mod q (i = 0...n) in powers of x. These are
1160  * used as exponents of the generator g mod p to generate the private
1161  * encryption key A. The pair (gbar, ghat) of public server keys and the
1162  * pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used
1163  * to construct the decryption keys. The devil is in the details.
1164  *
1165  * This routine generates a private encryption file including the
1166  * private encryption key E and public key (gbar, ghat). It then
1167  * generates decryption files including the private key (xbar[j],
1168  * xhat[j]) for each client. E is a permutation that encrypts a block
1169  * y = E x. The jth client computes the inverse permutation E^-1 =
1170  * gbar^xhat[j] ghat^xbar[j] and decrypts the block x = E^-1 y.
1171  *
1172  * The distinguishing characteristic of this scheme is the capability to
1173  * revoke keys. Included in the calculation of E, gbar and ghat is the
1174  * product s = prod(s'[j]) (j = 1...n) above. If the factor s'[j] is
1175  * subsequently removed from the product and E, gbar and ghat
1176  * recomputed, the jth client will no longer be able to compute E^-1 and
1177  * thus unable to decrypt the block.
1178  */
1179 EVP_PKEY *			/* DSA cuckoo nest */
1180 gen_mv(
1181 	char	*id		/* file name id */
1182 	)
1183 {
1184 	EVP_PKEY *pkey, *pkey1;	/* private key */
1185 	DSA	*dsa;		/* DSA parameters */
1186 	DSA	*sdsa;		/* DSA parameters */
1187 	BN_CTX	*ctx;		/* BN working space */
1188 	BIGNUM	**x;		/* polynomial zeros vector */
1189 	BIGNUM	**a;		/* polynomial coefficient vector */
1190 	BIGNUM	**g;		/* public key vector */
1191 	BIGNUM	**s, **s1;	/* private enabling keys */
1192 	BIGNUM	**xbar, **xhat;	/* private keys vector */
1193 	BIGNUM	*b;		/* group key */
1194 	BIGNUM	*b1;		/* inverse group key */
1195 	BIGNUM	*ss;		/* enabling key */
1196 	BIGNUM	*biga;		/* master encryption key */
1197 	BIGNUM	*bige;		/* session encryption key */
1198 	BIGNUM	*gbar, *ghat;	/* public key */
1199 	BIGNUM	*u, *v, *w;	/* BN scratch */
1200 	int	i, j, n;
1201 	FILE	*str;
1202 	u_int	temp;
1203 	char	ident[20];
1204 
1205 	/*
1206 	 * Generate MV parameters.
1207 	 *
1208 	 * The object is to generate a multiplicative group Zp* modulo a
1209 	 * prime p and a subset Zq mod q, where q is the product of n
1210 	 * distinct primes s'[j] (j = 1...n) and q divides p - 1. We
1211 	 * first generate n distinct primes, which may have to be
1212 	 * regenerated later. As a practical matter, it is tough to find
1213 	 * more than 31 distinct primes for modulus 512 or 61 primes for
1214 	 * modulus 1024. The latter can take several hundred iterations
1215 	 * and several minutes on a Sun Blade 1000.
1216 	 */
1217 	n = nkeys;
1218 	fprintf(stderr,
1219 	    "Generating MV parameters for %d keys (%d bits)...\n", n,
1220 	    modulus / n);
1221 	ctx = BN_CTX_new(); u = BN_new(); v = BN_new(); w = BN_new();
1222 	b = BN_new(); b1 = BN_new();
1223 	dsa = DSA_new();
1224 	dsa->p = BN_new();
1225 	dsa->q = BN_new();
1226 	dsa->g = BN_new();
1227 	s = malloc((n + 1) * sizeof(BIGNUM));
1228 	s1 = malloc((n + 1) * sizeof(BIGNUM));
1229 	for (j = 1; j <= n; j++)
1230 		s1[j] = BN_new();
1231 	temp = 0;
1232 	for (j = 1; j <= n; j++) {
1233 		while (1) {
1234 			fprintf(stderr, "Birthdays %d\r", temp);
1235 			BN_generate_prime(s1[j], modulus / n, 0, NULL,
1236 			    NULL, NULL, NULL);
1237 			for (i = 1; i < j; i++) {
1238 				if (BN_cmp(s1[i], s1[j]) == 0)
1239 					break;
1240 			}
1241 			if (i == j)
1242 				break;
1243 			temp++;
1244 		}
1245 	}
1246 	fprintf(stderr, "Birthday keys rejected %d\n", temp);
1247 
1248 	/*
1249 	 * Compute the modulus q as the product of the primes. Compute
1250 	 * the modulus p as 2 * q + 1 and test p for primality. If p
1251 	 * is composite, replace one of the primes with a new distinct
1252 	 * one and try again. Note that q will hardly be a secret since
1253 	 * we have to reveal p to servers and clients. However,
1254 	 * factoring q to find the primes should be adequately hard, as
1255 	 * this is the same problem considered hard in RSA. Question: is
1256 	 * it as hard to find n small prime factors totalling n bits as
1257 	 * it is to find two large prime factors totalling n bits?
1258 	 * Remember, the bad guy doesn't know n.
1259 	 */
1260 	temp = 0;
1261 	while (1) {
1262 		fprintf(stderr, "Duplicate keys rejected %d\r", ++temp);
1263 		BN_one(dsa->q);
1264 		for (j = 1; j <= n; j++)
1265 			BN_mul(dsa->q, dsa->q, s1[j], ctx);
1266 		BN_copy(dsa->p, dsa->q);
1267 		BN_add(dsa->p, dsa->p, dsa->p);
1268 		BN_add_word(dsa->p, 1);
1269 		if (BN_is_prime(dsa->p, BN_prime_checks, NULL, ctx,
1270 		    NULL))
1271 			break;
1272 
1273 		j = temp % n + 1;
1274 		while (1) {
1275 			BN_generate_prime(u, modulus / n, 0, 0, NULL,
1276 			    NULL, NULL);
1277 			for (i = 1; i <= n; i++) {
1278 				if (BN_cmp(u, s1[i]) == 0)
1279 					break;
1280 			}
1281 			if (i > n)
1282 				break;
1283 		}
1284 		BN_copy(s1[j], u);
1285 	}
1286 	fprintf(stderr, "Duplicate keys rejected %d\n", temp);
1287 
1288 	/*
1289 	 * Compute the generator g using a random roll such that
1290 	 * gcd(g, p - 1) = 1 and g^q = 1. This is a generator of p, not
1291 	 * q.
1292 	 */
1293 	BN_copy(v, dsa->p);
1294 	BN_sub_word(v, 1);
1295 	while (1) {
1296 		BN_rand(dsa->g, BN_num_bits(dsa->p) - 1, 0, 0);
1297 		BN_mod(dsa->g, dsa->g, dsa->p, ctx);
1298 		BN_gcd(u, dsa->g, v, ctx);
1299 		if (!BN_is_one(u))
1300 			continue;
1301 
1302 		BN_mod_exp(u, dsa->g, dsa->q, dsa->p, ctx);
1303 		if (BN_is_one(u))
1304 			break;
1305 	}
1306 
1307 	/*
1308 	 * Compute s[j] such that s[j] * s'[j] = s'[j] for all j. The
1309 	 * easy way to do this is to compute q + s'[j] and divide the
1310 	 * result by s'[j]. Exercise for the student: prove the
1311 	 * remainder is always zero.
1312 	 */
1313 	for (j = 1; j <= n; j++) {
1314 		s[j] = BN_new();
1315 		BN_add(s[j], dsa->q, s1[j]);
1316 		BN_div(s[j], u, s[j], s1[j], ctx);
1317 	}
1318 
1319 	/*
1320 	 * Setup is now complete. Roll random polynomial roots x[j]
1321 	 * (0 < x[j] < q) for all j. While it may not be strictly
1322 	 * necessary, Make sure each root has no factors in common with
1323 	 * q.
1324 	 */
1325 	fprintf(stderr,
1326 	    "Generating polynomial coefficients for %d roots (%d bits)\n",
1327 	    n, BN_num_bits(dsa->q));
1328 	x = malloc((n + 1) * sizeof(BIGNUM));
1329 	for (j = 1; j <= n; j++) {
1330 		x[j] = BN_new();
1331 		while (1) {
1332 			BN_rand(x[j], BN_num_bits(dsa->q), 0, 0);
1333 			BN_mod(x[j], x[j], dsa->q, ctx);
1334 			BN_gcd(u, x[j], dsa->q, ctx);
1335 			if (BN_is_one(u))
1336 				break;
1337 		}
1338 	}
1339 
1340 	/*
1341 	 * Generate polynomial coefficients a[i] (i = 0...n) from the
1342 	 * expansion of root products (x - x[j]) mod q for all j. The
1343 	 * method is a present from Charlie Boncelet.
1344 	 */
1345 	a = malloc((n + 1) * sizeof(BIGNUM));
1346 	for (i = 0; i <= n; i++) {
1347 		a[i] = BN_new();
1348 		BN_one(a[i]);
1349 	}
1350 	for (j = 1; j <= n; j++) {
1351 		BN_zero(w);
1352 		for (i = 0; i < j; i++) {
1353 			BN_copy(u, dsa->q);
1354 			BN_mod_mul(v, a[i], x[j], dsa->q, ctx);
1355 			BN_sub(u, u, v);
1356 			BN_add(u, u, w);
1357 			BN_copy(w, a[i]);
1358 			BN_mod(a[i], u, dsa->q, ctx);
1359 		}
1360 	}
1361 
1362 	/*
1363 	 * Generate g[i] = g^a[i] mod p for all i and the generator g.
1364 	 */
1365 	fprintf(stderr, "Generating g[i] parameters\n");
1366 	g = malloc((n + 1) * sizeof(BIGNUM));
1367 	for (i = 0; i <= n; i++) {
1368 		g[i] = BN_new();
1369 		BN_mod_exp(g[i], dsa->g, a[i], dsa->p, ctx);
1370 	}
1371 
1372 	/*
1373 	 * Verify prod(g[i]^(a[i] x[j]^i)) = 1 for all i, j; otherwise,
1374 	 * exit. Note the a[i] x[j]^i exponent is computed mod q, but
1375 	 * the g[i] is computed mod p. also note the expression given in
1376 	 * the paper is incorrect.
1377 	 */
1378 	temp = 1;
1379 	for (j = 1; j <= n; j++) {
1380 		BN_one(u);
1381 		for (i = 0; i <= n; i++) {
1382 			BN_set_word(v, i);
1383 			BN_mod_exp(v, x[j], v, dsa->q, ctx);
1384 			BN_mod_mul(v, v, a[i], dsa->q, ctx);
1385 			BN_mod_exp(v, dsa->g, v, dsa->p, ctx);
1386 			BN_mod_mul(u, u, v, dsa->p, ctx);
1387 		}
1388 		if (!BN_is_one(u))
1389 			temp = 0;
1390 	}
1391 	fprintf(stderr,
1392 	    "Confirm prod(g[i]^(x[j]^i)) = 1 for all i, j: %s\n", temp ?
1393 	    "yes" : "no");
1394 	if (!temp) {
1395 		rval = -1;
1396 		return (NULL);
1397 	}
1398 
1399 	/*
1400 	 * Make private encryption key A. Keep it around for awhile,
1401 	 * since it is expensive to compute.
1402 	 */
1403 	biga = BN_new();
1404 	BN_one(biga);
1405 	for (j = 1; j <= n; j++) {
1406 		for (i = 0; i < n; i++) {
1407 			BN_set_word(v, i);
1408 			BN_mod_exp(v, x[j], v, dsa->q, ctx);
1409 			BN_mod_exp(v, g[i], v, dsa->p, ctx);
1410 			BN_mod_mul(biga, biga, v, dsa->p, ctx);
1411 		}
1412 	}
1413 
1414 	/*
1415 	 * Roll private random group key b mod q (0 < b < q), where
1416 	 * gcd(b, q) = 1 to guarantee b^1 exists, then compute b^-1
1417 	 * mod q. If b is changed, the client keys must be recomputed.
1418 	 */
1419 	while (1) {
1420 		BN_rand(b, BN_num_bits(dsa->q), 0, 0);
1421 		BN_mod(b, b, dsa->q, ctx);
1422 		BN_gcd(u, b, dsa->q, ctx);
1423 		if (BN_is_one(u))
1424 			break;
1425 	}
1426 	BN_mod_inverse(b1, b, dsa->q, ctx);
1427 
1428 	/*
1429 	 * Make private client keys (xbar[j], xhat[j]) for all j. Note
1430 	 * that the keys for the jth client involve s[j], but not s'[j]
1431 	 * or the product s = prod(s'[j]) mod q, which is the enabling
1432 	 * key.
1433 	 */
1434 	xbar = malloc((n + 1) * sizeof(BIGNUM));
1435 	xhat = malloc((n + 1) * sizeof(BIGNUM));
1436 	for (j = 1; j <= n; j++) {
1437 		xbar[j] = BN_new(); xhat[j] = BN_new();
1438 		BN_zero(xbar[j]);
1439 		BN_set_word(v, n);
1440 		for (i = 1; i <= n; i++) {
1441 			if (i == j)
1442 				continue;
1443 			BN_mod_exp(u, x[i], v, dsa->q, ctx);
1444 			BN_add(xbar[j], xbar[j], u);
1445 		}
1446 		BN_mod_mul(xbar[j], xbar[j], b1, dsa->q, ctx);
1447 		BN_mod_exp(xhat[j], x[j], v, dsa->q, ctx);
1448 		BN_mod_mul(xhat[j], xhat[j], s[j], dsa->q, ctx);
1449 	}
1450 
1451 	/*
1452 	 * The enabling key is initially q by construction. We can
1453 	 * revoke client j by dividing q by s'[j]. The quotient becomes
1454 	 * the enabling key s. Note we always have to revoke one key;
1455 	 * otherwise, the plaintext and cryptotext would be identical.
1456 	 */
1457 	ss = BN_new();
1458 	BN_copy(ss, dsa->q);
1459 	BN_div(ss, u, dsa->q, s1[n], ctx);
1460 
1461 	/*
1462 	 * Make private server encryption key E = A^s and public server
1463 	 * keys gbar = g^s mod p and ghat = g^(s b) mod p. The (gbar,
1464 	 * ghat) is the public key provided to the server, which uses it
1465 	 * to compute the session encryption key and public key included
1466 	 * in its messages. These values must be regenerated if the
1467 	 * enabling key is changed.
1468 	 */
1469 	bige = BN_new(); gbar = BN_new(); ghat = BN_new();
1470 	BN_mod_exp(bige, biga, ss, dsa->p, ctx);
1471 	BN_mod_exp(gbar, dsa->g, ss, dsa->p, ctx);
1472 	BN_mod_mul(v, ss, b, dsa->q, ctx);
1473 	BN_mod_exp(ghat, dsa->g, v, dsa->p, ctx);
1474 
1475 	/*
1476 	 * We produce the key media in three steps. The first step is to
1477 	 * generate the private values that do not depend on the
1478 	 * enabling key. These include the server values p, q, g, b, A
1479 	 * and the client values s'[j], xbar[j] and xhat[j] for each j.
1480 	 * The p, xbar[j] and xhat[j] values are encoded in private
1481 	 * files which are distributed to respective clients. The p, q,
1482 	 * g, A and s'[j] values (will be) written to a secret file to
1483 	 * be read back later.
1484 	 *
1485 	 * The secret file (will be) read back at some later time to
1486 	 * enable/disable individual keys and generate/regenerate the
1487 	 * enabling key s. The p, q, E, gbar and ghat values are written
1488 	 * to a secret file to be read back later by the server.
1489 	 *
1490 	 * The server reads the secret file and rolls the session key
1491 	 * k, which is used only once, then computes E^k, gbar^k and
1492 	 * ghat^k. The E^k is the session encryption key. The encrypted
1493 	 * data, gbar^k and ghat^k are transmtted to clients in an
1494 	 * extension field. The client receives the message and computes
1495 	 * x = (gbar^k)^xbar[j] (ghat^k)^xhat[j], finds the session
1496 	 * encryption key E^k as the inverse x^-1 and decrypts the data.
1497 	 */
1498 	BN_copy(dsa->g, bige);
1499 	dsa->priv_key = BN_dup(gbar);
1500 	dsa->pub_key = BN_dup(ghat);
1501 
1502 	/*
1503 	 * Write the MV server parameters and keys as a DSA private key
1504 	 * encoded in PEM.
1505 	 *
1506 	 * p	modulus p
1507 	 * q	modulus q (used only to generate k)
1508 	 * g	E mod p
1509 	 * priv_key gbar mod p
1510 	 * pub_key ghat mod p
1511 	 */
1512 	str = fheader("MVpar", trustname);
1513 	pkey = EVP_PKEY_new();
1514 	EVP_PKEY_assign_DSA(pkey, dsa);
1515 	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
1516 	    NULL, 0, NULL, passwd2);
1517 	fclose(str);
1518 	if (debug)
1519 		DSA_print_fp(stdout, dsa, 0);
1520 	fslink(id, trustname);
1521 
1522 	/*
1523 	 * Write the parameters and private key (xbar[j], xhat[j]) for
1524 	 * all j as a DSA private key encoded in PEM. It is used only by
1525 	 * the designated recipient(s) who pay a suitably outrageous fee
1526 	 * for its use.
1527 	 */
1528 	sdsa = DSA_new();
1529 	sdsa->p = BN_dup(dsa->p);
1530 	sdsa->q = BN_dup(BN_value_one());
1531 	sdsa->g = BN_dup(BN_value_one());
1532 	sdsa->priv_key = BN_new();
1533 	sdsa->pub_key = BN_new();
1534 	for (j = 1; j <= n; j++) {
1535 		BN_copy(sdsa->priv_key, xbar[j]);
1536 		BN_copy(sdsa->pub_key, xhat[j]);
1537 		BN_mod_exp(v, dsa->priv_key, sdsa->pub_key, dsa->p,
1538 		    ctx);
1539 		BN_mod_exp(u, dsa->pub_key, sdsa->priv_key, dsa->p,
1540 		    ctx);
1541 		BN_mod_mul(u, u, v, dsa->p, ctx);
1542 		BN_mod_mul(u, u, dsa->g, dsa->p, ctx);
1543 		BN_free(xbar[j]); BN_free(xhat[j]);
1544 		BN_free(x[j]); BN_free(s[j]); BN_free(s1[j]);
1545 		if (!BN_is_one(u)) {
1546 			fprintf(stderr, "Revoke key %d\n", j);
1547 			continue;
1548 		}
1549 
1550 		/*
1551 		 * Write the client parameters as a DSA private key
1552 		 * encoded in PEM. We don't make links for these.
1553 		 *
1554 		 * p	modulus p
1555 		 * priv_key xbar[j] mod q
1556 		 * pub_key xhat[j] mod q
1557 		 * (remaining values are not used)
1558 		 */
1559 		sprintf(ident, "MVkey%d", j);
1560 		str = fheader(ident, trustname);
1561 		pkey1 = EVP_PKEY_new();
1562 		EVP_PKEY_set1_DSA(pkey1, sdsa);
1563 		PEM_write_PrivateKey(str, pkey1, passwd2 ?
1564 		    EVP_des_cbc() : NULL, NULL, 0, NULL, passwd2);
1565 		fclose(str);
1566 		fprintf(stderr, "ntpkey_%s_%s.%lu\n", ident, trustname,
1567 		    epoch + JAN_1970);
1568 		if (debug)
1569 			DSA_print_fp(stdout, sdsa, 0);
1570 		EVP_PKEY_free(pkey1);
1571 	}
1572 
1573 	/*
1574 	 * Free the countries.
1575 	 */
1576 	for (i = 0; i <= n; i++) {
1577 		BN_free(a[i]);
1578 		BN_free(g[i]);
1579 	}
1580 	BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
1581 	BN_free(b); BN_free(b1); BN_free(biga); BN_free(bige);
1582 	BN_free(ss); BN_free(gbar); BN_free(ghat);
1583 	DSA_free(sdsa);
1584 
1585 	/*
1586 	 * Free the world.
1587 	 */
1588 	free(x); free(a); free(g); free(s); free(s1);
1589 	free(xbar); free(xhat);
1590 	return (pkey);
1591 }
1592 
1593 
1594 /*
1595  * Generate X509v3 scertificate.
1596  *
1597  * The certificate consists of the version number, serial number,
1598  * validity interval, issuer name, subject name and public key. For a
1599  * self-signed certificate, the issuer name is the same as the subject
1600  * name and these items are signed using the subject private key. The
1601  * validity interval extends from the current time to the same time one
1602  * year hence. For NTP purposes, it is convenient to use the NTP seconds
1603  * of the current time as the serial number.
1604  */
1605 int
1606 x509	(
1607 	EVP_PKEY *pkey,		/* generic signature algorithm */
1608 	const EVP_MD *md,	/* generic digest algorithm */
1609 	char	*gqpub,		/* identity extension (hex string) */
1610 	char	*exten		/* private cert extension */
1611 	)
1612 {
1613 	X509	*cert;		/* X509 certificate */
1614 	X509_NAME *subj;	/* distinguished (common) name */
1615 	X509_EXTENSION *ex;	/* X509v3 extension */
1616 	FILE	*str;		/* file handle */
1617 	ASN1_INTEGER *serial;	/* serial number */
1618 	const char *id;		/* digest/signature scheme name */
1619 	char	pathbuf[MAXFILENAME + 1];
1620 
1621 	/*
1622 	 * Generate X509 self-signed certificate.
1623 	 *
1624 	 * Set the certificate serial to the NTP seconds for grins. Set
1625 	 * the version to 3. Set the subject name and issuer name to the
1626 	 * subject name in the request. Set the initial validity to the
1627 	 * current time and the final validity one year hence.
1628 	 */
1629 	id = OBJ_nid2sn(md->pkey_type);
1630 	fprintf(stderr, "Generating certificate %s\n", id);
1631 	cert = X509_new();
1632 	X509_set_version(cert, 2L);
1633 	serial = ASN1_INTEGER_new();
1634 	ASN1_INTEGER_set(serial, epoch + JAN_1970);
1635 	X509_set_serialNumber(cert, serial);
1636 	ASN1_INTEGER_free(serial);
1637 	X509_time_adj(X509_get_notBefore(cert), 0L, &epoch);
1638 	X509_time_adj(X509_get_notAfter(cert), YEAR, &epoch);
1639 	subj = X509_get_subject_name(cert);
1640 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
1641 	    (unsigned char *) hostname, strlen(hostname), -1, 0);
1642 	subj = X509_get_issuer_name(cert);
1643 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
1644 	    (unsigned char *) trustname, strlen(trustname), -1, 0);
1645 	if (!X509_set_pubkey(cert, pkey)) {
1646 		fprintf(stderr, "Assign key fails\n%s\n",
1647 		    ERR_error_string(ERR_get_error(), NULL));
1648 		X509_free(cert);
1649 		rval = -1;
1650 		return (0);
1651 	}
1652 
1653 	/*
1654 	 * Add X509v3 extensions if present. These represent the minimum
1655 	 * set defined in RFC3280 less the certificate_policy extension,
1656 	 * which is seriously obfuscated in OpenSSL.
1657 	 */
1658 	/*
1659 	 * The basic_constraints extension CA:TRUE allows servers to
1660 	 * sign client certficitates.
1661 	 */
1662 	fprintf(stderr, "%s: %s\n", LN_basic_constraints,
1663 	    BASIC_CONSTRAINTS);
1664 	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
1665 	    BASIC_CONSTRAINTS);
1666 	if (!X509_add_ext(cert, ex, -1)) {
1667 		fprintf(stderr, "Add extension field fails\n%s\n",
1668 		    ERR_error_string(ERR_get_error(), NULL));
1669 		rval = -1;
1670 		return (0);
1671 	}
1672 	X509_EXTENSION_free(ex);
1673 
1674 	/*
1675 	 * The key_usage extension designates the purposes the key can
1676 	 * be used for.
1677 	 */
1678 	fprintf(stderr, "%s: %s\n", LN_key_usage, KEY_USAGE);
1679 	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, KEY_USAGE);
1680 	if (!X509_add_ext(cert, ex, -1)) {
1681 		fprintf(stderr, "Add extension field fails\n%s\n",
1682 		    ERR_error_string(ERR_get_error(), NULL));
1683 		rval = -1;
1684 		return (0);
1685 	}
1686 	X509_EXTENSION_free(ex);
1687 	/*
1688 	 * The subject_key_identifier is used for the GQ public key.
1689 	 * This should not be controversial.
1690 	 */
1691 	if (gqpub != NULL) {
1692 		fprintf(stderr, "%s\n", LN_subject_key_identifier);
1693 		ex = X509V3_EXT_conf_nid(NULL, NULL,
1694 		    NID_subject_key_identifier, gqpub);
1695 		if (!X509_add_ext(cert, ex, -1)) {
1696 			fprintf(stderr,
1697 			    "Add extension field fails\n%s\n",
1698 			    ERR_error_string(ERR_get_error(), NULL));
1699 			rval = -1;
1700 			return (0);
1701 		}
1702 		X509_EXTENSION_free(ex);
1703 	}
1704 
1705 	/*
1706 	 * The extended key usage extension is used for special purpose
1707 	 * here. The semantics probably do not conform to the designer's
1708 	 * intent and will likely change in future.
1709 	 *
1710 	 * "trustRoot" designates a root authority
1711 	 * "private" designates a private certificate
1712 	 */
1713 	if (exten != NULL) {
1714 		fprintf(stderr, "%s: %s\n", LN_ext_key_usage, exten);
1715 		ex = X509V3_EXT_conf_nid(NULL, NULL,
1716 		    NID_ext_key_usage, exten);
1717 		if (!X509_add_ext(cert, ex, -1)) {
1718 			fprintf(stderr,
1719 			    "Add extension field fails\n%s\n",
1720 			    ERR_error_string(ERR_get_error(), NULL));
1721 			rval = -1;
1722 			return (0);
1723 		}
1724 		X509_EXTENSION_free(ex);
1725 	}
1726 
1727 	/*
1728 	 * Sign and verify.
1729 	 */
1730 	X509_sign(cert, pkey, md);
1731 	if (!X509_verify(cert, pkey)) {
1732 		fprintf(stderr, "Verify %s certificate fails\n%s\n", id,
1733 		    ERR_error_string(ERR_get_error(), NULL));
1734 		X509_free(cert);
1735 		rval = -1;
1736 		return (0);
1737 	}
1738 
1739 	/*
1740 	 * Write the certificate encoded in PEM.
1741 	 */
1742 	sprintf(pathbuf, "%scert", id);
1743 	str = fheader(pathbuf, hostname);
1744 	PEM_write_X509(str, cert);
1745 	fclose(str);
1746 	if (debug)
1747 		X509_print_fp(stdout, cert);
1748 	X509_free(cert);
1749 	fslink("cert", hostname);
1750 	return (1);
1751 }
1752 
1753 #if 0	/* asn2ntp is not used */
1754 /*
1755  * asn2ntp - convert ASN1_TIME time structure to NTP time
1756  */
1757 u_long
1758 asn2ntp	(
1759 	ASN1_TIME *asn1time	/* pointer to ASN1_TIME structure */
1760 	)
1761 {
1762 	char	*v;		/* pointer to ASN1_TIME string */
1763 	struct	tm tm;		/* time decode structure time */
1764 
1765 	/*
1766 	 * Extract time string YYMMDDHHMMSSZ from ASN.1 time structure.
1767 	 * Note that the YY, MM, DD fields start with one, the HH, MM,
1768 	 * SS fiels start with zero and the Z character should be 'Z'
1769 	 * for UTC. Also note that years less than 50 map to years
1770 	 * greater than 100. Dontcha love ASN.1?
1771 	 */
1772 	if (asn1time->length > 13)
1773 		return (-1);
1774 	v = (char *)asn1time->data;
1775 	tm.tm_year = (v[0] - '0') * 10 + v[1] - '0';
1776 	if (tm.tm_year < 50)
1777 		tm.tm_year += 100;
1778 	tm.tm_mon = (v[2] - '0') * 10 + v[3] - '0' - 1;
1779 	tm.tm_mday = (v[4] - '0') * 10 + v[5] - '0';
1780 	tm.tm_hour = (v[6] - '0') * 10 + v[7] - '0';
1781 	tm.tm_min = (v[8] - '0') * 10 + v[9] - '0';
1782 	tm.tm_sec = (v[10] - '0') * 10 + v[11] - '0';
1783 	tm.tm_wday = 0;
1784 	tm.tm_yday = 0;
1785 	tm.tm_isdst = 0;
1786 	return (mktime(&tm) + JAN_1970);
1787 }
1788 #endif
1789 
1790 /*
1791  * Callback routine
1792  */
1793 void
1794 cb	(
1795 	int	n1,		/* arg 1 */
1796 	int	n2,		/* arg 2 */
1797 	void	*chr		/* arg 3 */
1798 	)
1799 {
1800 	switch (n1) {
1801 	case 0:
1802 		d0++;
1803 		fprintf(stderr, "%s %d %d %lu\r", (char *)chr, n1, n2,
1804 		    d0);
1805 		break;
1806 	case 1:
1807 		d1++;
1808 		fprintf(stderr, "%s\t\t%d %d %lu\r", (char *)chr, n1,
1809 		    n2, d1);
1810 		break;
1811 	case 2:
1812 		d2++;
1813 		fprintf(stderr, "%s\t\t\t\t%d %d %lu\r", (char *)chr,
1814 		    n1, n2, d2);
1815 		break;
1816 	case 3:
1817 		d3++;
1818 		fprintf(stderr, "%s\t\t\t\t\t\t%d %d %lu\r",
1819 		    (char *)chr, n1, n2, d3);
1820 		break;
1821 	}
1822 }
1823 
1824 
1825 /*
1826  * Generate key
1827  */
1828 EVP_PKEY *			/* public/private key pair */
1829 genkey(
1830 	char	*type,		/* key type (RSA or DSA) */
1831 	char	*id		/* file name id */
1832 	)
1833 {
1834 	if (type == NULL)
1835 		return (NULL);
1836 	if (strcmp(type, "RSA") == 0)
1837 		return (gen_rsa(id));
1838 
1839 	else if (strcmp(type, "DSA") == 0)
1840 		return (gen_dsa(id));
1841 
1842 	fprintf(stderr, "Invalid %s key type %s\n", id, type);
1843 	rval = -1;
1844 	return (NULL);
1845 }
1846 #endif /* OPENSSL */
1847 
1848 
1849 /*
1850  * Generate file header
1851  */
1852 FILE *
1853 fheader	(
1854 	const char *id,		/* file name id */
1855 	const char *name	/* owner name */
1856 	)
1857 {
1858 	FILE	*str;		/* file handle */
1859 
1860 	sprintf(filename, "ntpkey_%s_%s.%lu", id, name, epoch +
1861 	    JAN_1970);
1862 	if ((str = fopen(filename, "w")) == NULL) {
1863 		perror("Write");
1864 		exit (-1);
1865 	}
1866 	fprintf(str, "# %s\n# %s", filename, ctime(&epoch));
1867 	return (str);
1868 }
1869 
1870 
1871 /*
1872  * Generate symbolic links
1873  */
1874 void
1875 fslink(
1876 	const char *id,		/* file name id */
1877 	const char *name	/* owner name */
1878 	)
1879 {
1880 	char	linkname[MAXFILENAME]; /* link name */
1881 	int	temp;
1882 
1883 	sprintf(linkname, "ntpkey_%s_%s", id, name);
1884 	remove(linkname);
1885 	temp = symlink(filename, linkname);
1886 	if (temp < 0)
1887 		perror(id);
1888 	fprintf(stderr, "Generating new %s file and link\n", id);
1889 	fprintf(stderr, "%s->%s\n", linkname, filename);
1890 }
1891