xref: /freebsd/contrib/ntp/util/ntp-keygen.c (revision 9f23cbd6cae82fd77edfad7173432fa8dccd0a95)
1 /*
2  * Program to generate cryptographic keys for ntp clients and servers
3  *
4  * This program generates password encrypted data files for use with the
5  * Autokey security protocol and Network Time Protocol Version 4. Files
6  * are prefixed with a header giving the name and date of creation
7  * followed by a type-specific descriptive label and PEM-encoded data
8  * structure compatible with programs of the OpenSSL library.
9  *
10  * All file names are like "ntpkey_<type>_<hostname>.<filestamp>", where
11  * <type> is the file type, <hostname> the generating host name and
12  * <filestamp> the generation time in NTP seconds. The NTP programs
13  * expect generic names such as "ntpkey_<type>_whimsy.udel.edu" with the
14  * association maintained by soft links. Following is a list of file
15  * types; the first line is the file name and the second link name.
16  *
17  * ntpkey_MD5key_<hostname>.<filestamp>
18  * 	MD5 (128-bit) keys used to compute message digests in symmetric
19  *	key cryptography
20  *
21  * ntpkey_RSAhost_<hostname>.<filestamp>
22  * ntpkey_host_<hostname>
23  *	RSA private/public host key pair used for public key signatures
24  *
25  * ntpkey_RSAsign_<hostname>.<filestamp>
26  * ntpkey_sign_<hostname>
27  *	RSA private/public sign key pair used for public key signatures
28  *
29  * ntpkey_DSAsign_<hostname>.<filestamp>
30  * ntpkey_sign_<hostname>
31  *	DSA Private/public sign key pair used for public key signatures
32  *
33  * Available digest/signature schemes
34  *
35  * RSA:	RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, EVP-RIPEMD160
36  * DSA:	DSA-SHA, DSA-SHA1
37  *
38  * ntpkey_XXXcert_<hostname>.<filestamp>
39  * ntpkey_cert_<hostname>
40  *	X509v3 certificate using RSA or DSA public keys and signatures.
41  *	XXX is a code identifying the message digest and signature
42  *	encryption algorithm
43  *
44  * Identity schemes. The key type par is used for the challenge; the key
45  * type key is used for the response.
46  *
47  * ntpkey_IFFkey_<groupname>.<filestamp>
48  * ntpkey_iffkey_<groupname>
49  *	Schnorr (IFF) identity parameters and keys
50  *
51  * ntpkey_GQkey_<groupname>.<filestamp>,
52  * ntpkey_gqkey_<groupname>
53  *	Guillou-Quisquater (GQ) identity parameters and keys
54  *
55  * ntpkey_MVkeyX_<groupname>.<filestamp>,
56  * ntpkey_mvkey_<groupname>
57  *	Mu-Varadharajan (MV) identity parameters and keys
58  *
59  * Note: Once in a while because of some statistical fluke this program
60  * fails to generate and verify some cryptographic data, as indicated by
61  * exit status -1. In this case simply run the program again. If the
62  * program does complete with exit code 0, the data are correct as
63  * verified.
64  *
65  * These cryptographic routines are characterized by the prime modulus
66  * size in bits. The default value of 512 bits is a compromise between
67  * cryptographic strength and computing time and is ordinarily
68  * considered adequate for this application. The routines have been
69  * tested with sizes of 256, 512, 1024 and 2048 bits. Not all message
70  * digest and signature encryption schemes work with sizes less than 512
71  * bits. The computing time for sizes greater than 2048 bits is
72  * prohibitive on all but the fastest processors. An UltraSPARC Blade
73  * 1000 took something over nine minutes to generate and verify the
74  * values with size 2048. An old SPARC IPC would take a week.
75  *
76  * The OpenSSL library used by this program expects a random seed file.
77  * As described in the OpenSSL documentation, the file name defaults to
78  * first the RANDFILE environment variable in the user's home directory
79  * and then .rnd in the user's home directory.
80  */
81 #ifdef HAVE_CONFIG_H
82 # include <config.h>
83 #endif
84 #include <string.h>
85 #include <stdio.h>
86 #include <stdlib.h>
87 #include <unistd.h>
88 #include <sys/stat.h>
89 #include <sys/time.h>
90 #include <sys/types.h>
91 
92 #include "ntp.h"
93 #include "ntp_random.h"
94 #include "ntp_stdlib.h"
95 #include "ntp_assert.h"
96 #include "ntp_libopts.h"
97 #include "ntp_unixtime.h"
98 #include "ntp-keygen-opts.h"
99 
100 #ifdef OPENSSL
101 #include "openssl/asn1.h"
102 #include "openssl/bn.h"
103 #include "openssl/crypto.h"
104 #include "openssl/evp.h"
105 #include "openssl/err.h"
106 #include "openssl/rand.h"
107 #include "openssl/opensslv.h"
108 #include "openssl/pem.h"
109 #include "openssl/x509.h"
110 #include "openssl/x509v3.h"
111 #include <openssl/objects.h>
112 #include "libssl_compat.h"
113 #endif	/* OPENSSL */
114 #include <ssl_applink.c>
115 
116 #define _UC(str)	((char *)(intptr_t)(str))
117 /*
118  * Cryptodefines
119  */
120 #define	MD5KEYS		10	/* number of keys generated of each type */
121 #define	MD5SIZE		20	/* maximum key size */
122 #ifdef AUTOKEY
123 #define	PLEN		512	/* default prime modulus size (bits) */
124 #define	ILEN		512	/* default identity modulus size (bits) */
125 #define	MVMAX		100	/* max MV parameters */
126 
127 /*
128  * Strings used in X509v3 extension fields
129  */
130 #define KEY_USAGE		"digitalSignature,keyCertSign"
131 #define BASIC_CONSTRAINTS	"critical,CA:TRUE"
132 #define EXT_KEY_PRIVATE		"private"
133 #define EXT_KEY_TRUST		"trustRoot"
134 #endif	/* AUTOKEY */
135 
136 /*
137  * Prototypes
138  */
139 FILE	*fheader	(const char *, const char *, const char *);
140 int	gen_md5		(const char *);
141 void	followlink	(char *, size_t);
142 #ifdef AUTOKEY
143 EVP_PKEY *gen_rsa	(const char *);
144 EVP_PKEY *gen_dsa	(const char *);
145 EVP_PKEY *gen_iffkey	(const char *);
146 EVP_PKEY *gen_gqkey	(const char *);
147 EVP_PKEY *gen_mvkey	(const char *, EVP_PKEY **);
148 void	gen_mvserv	(char *, EVP_PKEY **);
149 int	x509		(EVP_PKEY *, const EVP_MD *, char *, const char *,
150 			    char *);
151 void	cb		(int, int, void *);
152 EVP_PKEY *genkey	(const char *, const char *);
153 EVP_PKEY *readkey	(char *, char *, u_int *, EVP_PKEY **);
154 void	writekey	(char *, char *, u_int *, EVP_PKEY **);
155 u_long	asn2ntp		(ASN1_TIME *);
156 
157 static DSA* genDsaParams(int, char*);
158 static RSA* genRsaKeyPair(int, char*);
159 
160 #endif	/* AUTOKEY */
161 
162 /*
163  * Program variables
164  */
165 extern char *optarg;		/* command line argument */
166 char	const *progname;
167 u_int	lifetime = DAYSPERYEAR;	/* certificate lifetime (days) */
168 int	nkeys;			/* MV keys */
169 time_t	epoch;			/* Unix epoch (seconds) since 1970 */
170 u_int	fstamp;			/* NTP filestamp */
171 char	hostbuf[MAXHOSTNAME + 1];
172 char	*hostname = NULL;	/* host, used in cert filenames */
173 char	*groupname = NULL;	/* group name */
174 char	certnamebuf[2 * sizeof(hostbuf)];
175 char	*certname = NULL;	/* certificate subject/issuer name */
176 char	*passwd1 = NULL;	/* input private key password */
177 char	*passwd2 = NULL;	/* output private key password */
178 char	filename[MAXFILENAME + 1]; /* file name */
179 #ifdef AUTOKEY
180 u_int	modulus = PLEN;		/* prime modulus size (bits) */
181 u_int	modulus2 = ILEN;	/* identity modulus size (bits) */
182 long	d0, d1, d2, d3;		/* callback counters */
183 const EVP_CIPHER * cipher = NULL;
184 #endif	/* AUTOKEY */
185 
186 #ifdef SYS_WINNT
187 BOOL init_randfile();
188 
189 /*
190  * Don't try to follow symbolic links on Windows.  Assume link == file.
191  */
192 int
193 readlink(
194 	char *	link,
195 	char *	file,
196 	int	len
197 	)
198 {
199 	return (int)strlen(file); /* assume no overflow possible */
200 }
201 
202 /*
203  * Don't try to create symbolic links on Windows, that is supported on
204  * Vista and later only.  Instead, if CreateHardLink is available (XP
205  * and later), hardlink the linkname to the original filename.  On
206  * earlier systems, user must rename file to match expected link for
207  * ntpd to find it.  To allow building a ntp-keygen.exe which loads on
208  * Windows pre-XP, runtime link to CreateHardLinkA().
209  */
210 int
211 symlink(
212 	char *	filename,
213 	char*	linkname
214 	)
215 {
216 	typedef BOOL (WINAPI *PCREATEHARDLINKA)(
217 		__in LPCSTR	lpFileName,
218 		__in LPCSTR	lpExistingFileName,
219 		__reserved LPSECURITY_ATTRIBUTES lpSA
220 		);
221 	static PCREATEHARDLINKA pCreateHardLinkA;
222 	static int		tried;
223 	HMODULE			hDll;
224 	FARPROC			pfn;
225 	int			link_created;
226 	int			saved_errno;
227 
228 	if (!tried) {
229 		tried = TRUE;
230 		hDll = LoadLibrary("kernel32");
231 		pfn = GetProcAddress(hDll, "CreateHardLinkA");
232 		pCreateHardLinkA = (PCREATEHARDLINKA)pfn;
233 	}
234 
235 	if (NULL == pCreateHardLinkA) {
236 		errno = ENOSYS;
237 		return -1;
238 	}
239 
240 	link_created = (*pCreateHardLinkA)(linkname, filename, NULL);
241 
242 	if (link_created)
243 		return 0;
244 
245 	saved_errno = GetLastError();	/* yes we play loose */
246 	mfprintf(stderr, "Create hard link %s to %s failed: %m\n",
247 		 linkname, filename);
248 	errno = saved_errno;
249 	return -1;
250 }
251 
252 void
253 InitWin32Sockets() {
254 	WORD wVersionRequested;
255 	WSADATA wsaData;
256 	wVersionRequested = MAKEWORD(2,0);
257 	if (WSAStartup(wVersionRequested, &wsaData))
258 	{
259 		fprintf(stderr, "No useable winsock.dll\n");
260 		exit(1);
261 	}
262 }
263 #endif /* SYS_WINNT */
264 
265 
266 /*
267  * followlink() - replace filename with its target if symlink.
268  *
269  * readlink() does not null-terminate the result.
270  */
271 void
272 followlink(
273 	char *	fname,
274 	size_t	bufsiz
275 	)
276 {
277 	ssize_t	len;
278 	char *	target;
279 
280 	REQUIRE(bufsiz > 0 && bufsiz <= SSIZE_MAX);
281 
282 	target = emalloc(bufsiz);
283 	len = readlink(fname, target, bufsiz);
284 	if (len < 0) {
285 		fname[0] = '\0';
286 		return;
287 	}
288 	if ((size_t)len > bufsiz - 1)
289 		len = bufsiz - 1;
290 	memcpy(fname, target, len);
291 	fname[len] = '\0';
292 	free(target);
293 }
294 
295 
296 /*
297  * Main program
298  */
299 int
300 main(
301 	int	argc,		/* command line options */
302 	char	**argv
303 	)
304 {
305 	struct timeval tv;	/* initialization vector */
306 	int	md5key = 0;	/* generate MD5 keys */
307 	int	optct;		/* option count */
308 #ifdef AUTOKEY
309 	X509	*cert = NULL;	/* X509 certificate */
310 	EVP_PKEY *pkey_host = NULL; /* host key */
311 	EVP_PKEY *pkey_sign = NULL; /* sign key */
312 	EVP_PKEY *pkey_iffkey = NULL; /* IFF sever keys */
313 	EVP_PKEY *pkey_gqkey = NULL; /* GQ server keys */
314 	EVP_PKEY *pkey_mvkey = NULL; /* MV trusted agen keys */
315 	EVP_PKEY *pkey_mvpar[MVMAX]; /* MV cleient keys */
316 	int	hostkey = 0;	/* generate RSA keys */
317 	int	iffkey = 0;	/* generate IFF keys */
318 	int	gqkey = 0;	/* generate GQ keys */
319 	int	mvkey = 0;	/* update MV keys */
320 	int	mvpar = 0;	/* generate MV parameters */
321 	char	*sign = NULL;	/* sign key */
322 	EVP_PKEY *pkey = NULL;	/* temp key */
323 	const EVP_MD *ectx;	/* EVP digest */
324 	char	pathbuf[MAXFILENAME + 1];
325 	const char *scheme = NULL; /* digest/signature scheme */
326 	const char *ciphername = NULL; /* to encrypt priv. key */
327 	const char *exten = NULL;	/* private extension */
328 	char	*grpkey = NULL;	/* identity extension */
329 	int	nid;		/* X509 digest/signature scheme */
330 	FILE	*fstr = NULL;	/* file handle */
331 	char	groupbuf[MAXHOSTNAME + 1];
332 	u_int	temp;
333 	BIO *	bp;
334 	int	i, cnt;
335 	char *	ptr;
336 #endif	/* AUTOKEY */
337 #ifdef OPENSSL
338 	const char *sslvtext;
339 	int sslvmatch;
340 #endif /* OPENSSL */
341 
342 	progname = argv[0];
343 
344 #ifdef SYS_WINNT
345 	/* Initialize before OpenSSL checks */
346 	InitWin32Sockets();
347 	if (!init_randfile())
348 		fprintf(stderr, "Unable to initialize .rnd file\n");
349 	ssl_applink();
350 #endif
351 
352 #ifdef OPENSSL
353 	ssl_check_version();
354 #endif	/* OPENSSL */
355 
356 	ntp_crypto_srandom();
357 
358 	/*
359 	 * Process options, initialize host name and timestamp.
360 	 * gethostname() won't null-terminate if hostname is exactly the
361 	 * length provided for the buffer.
362 	 */
363 	gethostname(hostbuf, sizeof(hostbuf) - 1);
364 	hostbuf[COUNTOF(hostbuf) - 1] = '\0';
365 	hostname = hostbuf;
366 	groupname = hostbuf;
367 	passwd1 = hostbuf;
368 	passwd2 = NULL;
369 	GETTIMEOFDAY(&tv, NULL);
370 	epoch = tv.tv_sec;
371 	fstamp = (u_int)(epoch + JAN_1970);
372 
373 	optct = ntpOptionProcess(&ntp_keygenOptions, argc, argv);
374 	argc -= optct;	// Just in case we care later.
375 	argv += optct;	// Just in case we care later.
376 
377 #ifdef OPENSSL
378 	sslvtext = OpenSSL_version(OPENSSL_VERSION);
379 	sslvmatch = OpenSSL_version_num() == OPENSSL_VERSION_NUMBER;
380 	if (sslvmatch)
381 		fprintf(stderr, "Using OpenSSL version %s\n",
382 			sslvtext);
383 	else
384 		fprintf(stderr, "Built against OpenSSL %s, using version %s\n",
385 			OPENSSL_VERSION_TEXT, sslvtext);
386 #endif /* OPENSSL */
387 
388 	debug = OPT_VALUE_SET_DEBUG_LEVEL;
389 
390 	if (HAVE_OPT( MD5KEY ))
391 		md5key++;
392 #ifdef AUTOKEY
393 	if (HAVE_OPT( PASSWORD ))
394 		passwd1 = estrdup(OPT_ARG( PASSWORD ));
395 
396 	if (HAVE_OPT( EXPORT_PASSWD ))
397 		passwd2 = estrdup(OPT_ARG( EXPORT_PASSWD ));
398 
399 	if (HAVE_OPT( HOST_KEY ))
400 		hostkey++;
401 
402 	if (HAVE_OPT( SIGN_KEY ))
403 		sign = estrdup(OPT_ARG( SIGN_KEY ));
404 
405 	if (HAVE_OPT( GQ_PARAMS ))
406 		gqkey++;
407 
408 	if (HAVE_OPT( IFFKEY ))
409 		iffkey++;
410 
411 	if (HAVE_OPT( MV_PARAMS )) {
412 		mvkey++;
413 		nkeys = OPT_VALUE_MV_PARAMS;
414 	}
415 	if (HAVE_OPT( MV_KEYS )) {
416 		mvpar++;
417 		nkeys = OPT_VALUE_MV_KEYS;
418 	}
419 
420 	if (HAVE_OPT( IMBITS ))
421 		modulus2 = OPT_VALUE_IMBITS;
422 
423 	if (HAVE_OPT( MODULUS ))
424 		modulus = OPT_VALUE_MODULUS;
425 
426 	if (HAVE_OPT( CERTIFICATE ))
427 		scheme = OPT_ARG( CERTIFICATE );
428 
429 	if (HAVE_OPT( CIPHER ))
430 		ciphername = OPT_ARG( CIPHER );
431 
432 	if (HAVE_OPT( SUBJECT_NAME ))
433 		hostname = estrdup(OPT_ARG( SUBJECT_NAME ));
434 
435 	if (HAVE_OPT( IDENT ))
436 		groupname = estrdup(OPT_ARG( IDENT ));
437 
438 	if (HAVE_OPT( LIFETIME ))
439 		lifetime = OPT_VALUE_LIFETIME;
440 
441 	if (HAVE_OPT( PVT_CERT ))
442 		exten = EXT_KEY_PRIVATE;
443 
444 	if (HAVE_OPT( TRUSTED_CERT ))
445 		exten = EXT_KEY_TRUST;
446 
447 	/*
448 	 * Remove the group name from the hostname variable used
449 	 * in host and sign certificate file names.
450 	 */
451 	if (hostname != hostbuf)
452 		ptr = strchr(hostname, '@');
453 	else
454 		ptr = NULL;
455 	if (ptr != NULL) {
456 		*ptr = '\0';
457 		groupname = estrdup(ptr + 1);
458 		/* -s @group is equivalent to -i group, host unch. */
459 		if (ptr == hostname)
460 			hostname = hostbuf;
461 	}
462 
463 	/*
464 	 * Derive host certificate issuer/subject names from host name
465 	 * and optional group.  If no groupname is provided, the issuer
466 	 * and subject is the hostname with no '@group', and the
467 	 * groupname variable is pointed to hostname for use in IFF, GQ,
468 	 * and MV parameters file names.
469 	 */
470 	if (groupname == hostbuf) {
471 		certname = hostname;
472 	} else {
473 		snprintf(certnamebuf, sizeof(certnamebuf), "%s@%s",
474 			 hostname, groupname);
475 		certname = certnamebuf;
476 	}
477 
478 	/*
479 	 * Seed random number generator and grow weeds.
480 	 */
481 #if OPENSSL_VERSION_NUMBER < 0x10100000L
482 	ERR_load_crypto_strings();
483 	OpenSSL_add_all_algorithms();
484 #endif /* OPENSSL_VERSION_NUMBER */
485 	if (!RAND_status()) {
486 		if (RAND_file_name(pathbuf, sizeof(pathbuf)) == NULL) {
487 			fprintf(stderr, "RAND_file_name %s\n",
488 			    ERR_error_string(ERR_get_error(), NULL));
489 			exit (-1);
490 		}
491 		temp = RAND_load_file(pathbuf, -1);
492 		if (temp == 0) {
493 			fprintf(stderr,
494 			    "RAND_load_file %s not found or empty\n",
495 			    pathbuf);
496 			exit (-1);
497 		}
498 		fprintf(stderr,
499 		    "Random seed file %s %u bytes\n", pathbuf, temp);
500 		RAND_add(&epoch, sizeof(epoch), 4.0);
501 	}
502 #endif	/* AUTOKEY */
503 
504 	/*
505 	 * Create new unencrypted MD5 keys file if requested. If this
506 	 * option is selected, ignore all other options.
507 	 */
508 	if (md5key) {
509 		gen_md5("md5");
510 		exit (0);
511 	}
512 
513 #ifdef AUTOKEY
514 	/*
515 	 * Load previous certificate if available.
516 	 */
517 	snprintf(filename, sizeof(filename), "ntpkey_cert_%s", hostname);
518 	if ((fstr = fopen(filename, "r")) != NULL) {
519 		cert = PEM_read_X509(fstr, NULL, NULL, NULL);
520 		fclose(fstr);
521 	}
522 	if (cert != NULL) {
523 
524 		/*
525 		 * Extract subject name.
526 		 */
527 		X509_NAME_oneline(X509_get_subject_name(cert), groupbuf,
528 		    MAXFILENAME);
529 
530 		/*
531 		 * Extract digest/signature scheme.
532 		 */
533 		if (scheme == NULL) {
534 			nid = X509_get_signature_nid(cert);
535 			scheme = OBJ_nid2sn(nid);
536 		}
537 
538 		/*
539 		 * If a key_usage extension field is present, determine
540 		 * whether this is a trusted or private certificate.
541 		 */
542 		if (exten == NULL) {
543 			ptr = strstr(groupbuf, "CN=");
544 			cnt = X509_get_ext_count(cert);
545 			for (i = 0; i < cnt; i++) {
546 				X509_EXTENSION *ext;
547 				ASN1_OBJECT *obj;
548 
549 				ext = X509_get_ext(cert, i);
550 				obj = X509_EXTENSION_get_object(ext);
551 
552 				if (OBJ_obj2nid(obj) ==
553 				    NID_ext_key_usage) {
554 					bp = BIO_new(BIO_s_mem());
555 					X509V3_EXT_print(bp, ext, 0, 0);
556 					BIO_gets(bp, pathbuf,
557 					    MAXFILENAME);
558 					BIO_free(bp);
559 					if (strcmp(pathbuf,
560 					    "Trust Root") == 0)
561 						exten = EXT_KEY_TRUST;
562 					else if (strcmp(pathbuf,
563 					    "Private") == 0)
564 						exten = EXT_KEY_PRIVATE;
565 					certname = estrdup(ptr + 3);
566 				}
567 			}
568 		}
569 	}
570 	if (scheme == NULL)
571 		scheme = "RSA-MD5";
572 	if (ciphername == NULL)
573 		ciphername = "des-ede3-cbc";
574 	cipher = EVP_get_cipherbyname(ciphername);
575 	if (cipher == NULL) {
576 		fprintf(stderr, "Unknown cipher %s\n", ciphername);
577 		exit(-1);
578 	}
579 	fprintf(stderr, "Using host %s group %s\n", hostname,
580 	    groupname);
581 
582 	/*
583 	 * Create a new encrypted RSA host key file if requested;
584 	 * otherwise, look for an existing host key file. If not found,
585 	 * create a new encrypted RSA host key file. If that fails, go
586 	 * no further.
587 	 */
588 	if (hostkey)
589 		pkey_host = genkey("RSA", "host");
590 	if (pkey_host == NULL) {
591 		snprintf(filename, sizeof(filename), "ntpkey_host_%s", hostname);
592 		pkey_host = readkey(filename, passwd1, &fstamp, NULL);
593 		if (pkey_host != NULL) {
594 			followlink(filename, sizeof(filename));
595 			fprintf(stderr, "Using host key %s\n",
596 			    filename);
597 		} else {
598 			pkey_host = genkey("RSA", "host");
599 		}
600 	}
601 	if (pkey_host == NULL) {
602 		fprintf(stderr, "Generating host key fails\n");
603 		exit(-1);
604 	}
605 
606 	/*
607 	 * Create new encrypted RSA or DSA sign keys file if requested;
608 	 * otherwise, look for an existing sign key file. If not found,
609 	 * use the host key instead.
610 	 */
611 	if (sign != NULL)
612 		pkey_sign = genkey(sign, "sign");
613 	if (pkey_sign == NULL) {
614 		snprintf(filename, sizeof(filename), "ntpkey_sign_%s",
615 			 hostname);
616 		pkey_sign = readkey(filename, passwd1, &fstamp, NULL);
617 		if (pkey_sign != NULL) {
618 			followlink(filename, sizeof(filename));
619 			fprintf(stderr, "Using sign key %s\n",
620 			    filename);
621 		} else {
622 			pkey_sign = pkey_host;
623 			fprintf(stderr, "Using host key as sign key\n");
624 		}
625 	}
626 
627 	/*
628 	 * Create new encrypted GQ server keys file if requested;
629 	 * otherwise, look for an exisiting file. If found, fetch the
630 	 * public key for the certificate.
631 	 */
632 	if (gqkey)
633 		pkey_gqkey = gen_gqkey("gqkey");
634 	if (pkey_gqkey == NULL) {
635 		snprintf(filename, sizeof(filename), "ntpkey_gqkey_%s",
636 		    groupname);
637 		pkey_gqkey = readkey(filename, passwd1, &fstamp, NULL);
638 		if (pkey_gqkey != NULL) {
639 			followlink(filename, sizeof(filename));
640 			fprintf(stderr, "Using GQ parameters %s\n",
641 			    filename);
642 		}
643 	}
644 	if (pkey_gqkey != NULL) {
645 		RSA	*rsa;
646 		const BIGNUM *q;
647 
648 		rsa = EVP_PKEY_get0_RSA(pkey_gqkey);
649 		RSA_get0_factors(rsa, NULL, &q);
650 		grpkey = BN_bn2hex(q);
651 	}
652 
653 	/*
654 	 * Write the nonencrypted GQ client parameters to the stdout
655 	 * stream. The parameter file is the server key file with the
656 	 * private key obscured.
657 	 */
658 	if (pkey_gqkey != NULL && HAVE_OPT(ID_KEY)) {
659 		RSA	*rsa;
660 
661 		snprintf(filename, sizeof(filename),
662 		    "ntpkey_gqpar_%s.%u", groupname, fstamp);
663 		fprintf(stderr, "Writing GQ parameters %s to stdout\n",
664 		    filename);
665 		fprintf(stdout, "# %s\n# %s\n", filename,
666 		    ctime(&epoch));
667 		/* XXX: This modifies the private key and should probably use a
668 		 * copy of it instead. */
669 		rsa = EVP_PKEY_get0_RSA(pkey_gqkey);
670 		RSA_set0_factors(rsa, BN_dup(BN_value_one()), BN_dup(BN_value_one()));
671 		pkey = EVP_PKEY_new();
672 		EVP_PKEY_assign_RSA(pkey, rsa);
673 		PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
674 		    NULL, NULL);
675 		fflush(stdout);
676 		if (debug)
677 			RSA_print_fp(stderr, rsa, 0);
678 	}
679 
680 	/*
681 	 * Write the encrypted GQ server keys to the stdout stream.
682 	 */
683 	if (pkey_gqkey != NULL && passwd2 != NULL) {
684 		RSA	*rsa;
685 
686 		snprintf(filename, sizeof(filename),
687 		    "ntpkey_gqkey_%s.%u", groupname, fstamp);
688 		fprintf(stderr, "Writing GQ keys %s to stdout\n",
689 		    filename);
690 		fprintf(stdout, "# %s\n# %s\n", filename,
691 		    ctime(&epoch));
692 		rsa = EVP_PKEY_get0_RSA(pkey_gqkey);
693 		pkey = EVP_PKEY_new();
694 		EVP_PKEY_assign_RSA(pkey, rsa);
695 		PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
696 		    NULL, passwd2);
697 		fflush(stdout);
698 		if (debug)
699 			RSA_print_fp(stderr, rsa, 0);
700 	}
701 
702 	/*
703 	 * Create new encrypted IFF server keys file if requested;
704 	 * otherwise, look for existing file.
705 	 */
706 	if (iffkey)
707 		pkey_iffkey = gen_iffkey("iffkey");
708 	if (pkey_iffkey == NULL) {
709 		snprintf(filename, sizeof(filename), "ntpkey_iffkey_%s",
710 		    groupname);
711 		pkey_iffkey = readkey(filename, passwd1, &fstamp, NULL);
712 		if (pkey_iffkey != NULL) {
713 			followlink(filename, sizeof(filename));
714 			fprintf(stderr, "Using IFF keys %s\n",
715 			    filename);
716 		}
717 	}
718 
719 	/*
720 	 * Write the nonencrypted IFF client parameters to the stdout
721 	 * stream. The parameter file is the server key file with the
722 	 * private key obscured.
723 	 */
724 	if (pkey_iffkey != NULL && HAVE_OPT(ID_KEY)) {
725 		DSA	*dsa;
726 
727 		snprintf(filename, sizeof(filename),
728 		    "ntpkey_iffpar_%s.%u", groupname, fstamp);
729 		fprintf(stderr, "Writing IFF parameters %s to stdout\n",
730 		    filename);
731 		fprintf(stdout, "# %s\n# %s\n", filename,
732 		    ctime(&epoch));
733 		/* XXX: This modifies the private key and should probably use a
734 		 * copy of it instead. */
735 		dsa = EVP_PKEY_get0_DSA(pkey_iffkey);
736 		DSA_set0_key(dsa, NULL, BN_dup(BN_value_one()));
737 		pkey = EVP_PKEY_new();
738 		EVP_PKEY_assign_DSA(pkey, dsa);
739 		PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
740 		    NULL, NULL);
741 		fflush(stdout);
742 		if (debug)
743 			DSA_print_fp(stderr, dsa, 0);
744 	}
745 
746 	/*
747 	 * Write the encrypted IFF server keys to the stdout stream.
748 	 */
749 	if (pkey_iffkey != NULL && passwd2 != NULL) {
750 		DSA	*dsa;
751 
752 		snprintf(filename, sizeof(filename),
753 		    "ntpkey_iffkey_%s.%u", groupname, fstamp);
754 		fprintf(stderr, "Writing IFF keys %s to stdout\n",
755 		    filename);
756 		fprintf(stdout, "# %s\n# %s\n", filename,
757 		    ctime(&epoch));
758 		dsa = EVP_PKEY_get0_DSA(pkey_iffkey);
759 		pkey = EVP_PKEY_new();
760 		EVP_PKEY_assign_DSA(pkey, dsa);
761 		PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
762 		    NULL, passwd2);
763 		fflush(stdout);
764 		if (debug)
765 			DSA_print_fp(stderr, dsa, 0);
766 	}
767 
768 	/*
769 	 * Create new encrypted MV trusted-authority keys file if
770 	 * requested; otherwise, look for existing keys file.
771 	 */
772 	if (mvkey)
773 		pkey_mvkey = gen_mvkey("mv", pkey_mvpar);
774 	if (pkey_mvkey == NULL) {
775 		snprintf(filename, sizeof(filename), "ntpkey_mvta_%s",
776 		    groupname);
777 		pkey_mvkey = readkey(filename, passwd1, &fstamp,
778 		    pkey_mvpar);
779 		if (pkey_mvkey != NULL) {
780 			followlink(filename, sizeof(filename));
781 			fprintf(stderr, "Using MV keys %s\n",
782 			    filename);
783 		}
784 	}
785 
786 	/*
787 	 * Write the nonencrypted MV client parameters to the stdout
788 	 * stream. For the moment, we always use the client parameters
789 	 * associated with client key 1.
790 	 */
791 	if (pkey_mvkey != NULL && HAVE_OPT(ID_KEY)) {
792 		snprintf(filename, sizeof(filename),
793 		    "ntpkey_mvpar_%s.%u", groupname, fstamp);
794 		fprintf(stderr, "Writing MV parameters %s to stdout\n",
795 		    filename);
796 		fprintf(stdout, "# %s\n# %s\n", filename,
797 		    ctime(&epoch));
798 		pkey = pkey_mvpar[2];
799 		PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
800 		    NULL, NULL);
801 		fflush(stdout);
802 		if (debug)
803 			DSA_print_fp(stderr, EVP_PKEY_get0_DSA(pkey), 0);
804 	}
805 
806 	/*
807 	 * Write the encrypted MV server keys to the stdout stream.
808 	 */
809 	if (pkey_mvkey != NULL && passwd2 != NULL) {
810 		snprintf(filename, sizeof(filename),
811 		    "ntpkey_mvkey_%s.%u", groupname, fstamp);
812 		fprintf(stderr, "Writing MV keys %s to stdout\n",
813 		    filename);
814 		fprintf(stdout, "# %s\n# %s\n", filename,
815 		    ctime(&epoch));
816 		pkey = pkey_mvpar[1];
817 		PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
818 		    NULL, passwd2);
819 		fflush(stdout);
820 		if (debug)
821 			DSA_print_fp(stderr, EVP_PKEY_get0_DSA(pkey), 0);
822 	}
823 
824 	/*
825 	 * Decode the digest/signature scheme and create the
826 	 * certificate. Do this every time we run the program.
827 	 */
828 	ectx = EVP_get_digestbyname(scheme);
829 	if (ectx == NULL) {
830 		fprintf(stderr,
831 		    "Invalid digest/signature combination %s\n",
832 		    scheme);
833 			exit (-1);
834 	}
835 	x509(pkey_sign, ectx, grpkey, exten, certname);
836 #endif	/* AUTOKEY */
837 	exit(0);
838 }
839 
840 
841 /*
842  * Generate semi-random MD5 keys compatible with NTPv3 and NTPv4. Also,
843  * if OpenSSL is around, generate random SHA1 keys compatible with
844  * symmetric key cryptography.
845  */
846 int
847 gen_md5(
848 	const char *id		/* file name id */
849 	)
850 {
851 	u_char	md5key[MD5SIZE + 1];	/* MD5 key */
852 	FILE	*str;
853 	int	i, j;
854 #ifdef OPENSSL
855 	u_char	keystr[MD5SIZE];
856 	u_char	hexstr[2 * MD5SIZE + 1];
857 	u_char	hex[] = "0123456789abcdef";
858 #endif	/* OPENSSL */
859 
860 	str = fheader("MD5key", id, groupname);
861 	for (i = 1; i <= MD5KEYS; i++) {
862 		for (j = 0; j < MD5SIZE; j++) {
863 			u_char temp;
864 
865 			while (1) {
866 				int rc;
867 
868 				rc = ntp_crypto_random_buf(
869 				    &temp, sizeof(temp));
870 				if (-1 == rc) {
871 					fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
872 					exit (-1);
873 				}
874 				if (temp == '#')
875 					continue;
876 
877 				if (temp > 0x20 && temp < 0x7f)
878 					break;
879 			}
880 			md5key[j] = temp;
881 		}
882 		md5key[j] = '\0';
883 		fprintf(str, "%2d MD5 %s  # MD5 key\n", i,
884 		    md5key);
885 	}
886 #ifdef OPENSSL
887 	for (i = 1; i <= MD5KEYS; i++) {
888 		RAND_bytes(keystr, 20);
889 		for (j = 0; j < MD5SIZE; j++) {
890 			hexstr[2 * j] = hex[keystr[j] >> 4];
891 			hexstr[2 * j + 1] = hex[keystr[j] & 0xf];
892 		}
893 		hexstr[2 * MD5SIZE] = '\0';
894 		fprintf(str, "%2d SHA1 %s  # SHA1 key\n", i + MD5KEYS,
895 		    hexstr);
896 	}
897 #endif	/* OPENSSL */
898 	fclose(str);
899 	return (1);
900 }
901 
902 
903 #ifdef AUTOKEY
904 /*
905  * readkey - load cryptographic parameters and keys
906  *
907  * This routine loads a PEM-encoded file of given name and password and
908  * extracts the filestamp from the file name. It returns a pointer to
909  * the first key if valid, NULL if not.
910  */
911 EVP_PKEY *			/* public/private key pair */
912 readkey(
913 	char	*cp,		/* file name */
914 	char	*passwd,	/* password */
915 	u_int	*estamp,	/* file stamp */
916 	EVP_PKEY **evpars	/* parameter list pointer */
917 	)
918 {
919 	FILE	*str;		/* file handle */
920 	EVP_PKEY *pkey = NULL;	/* public/private key */
921 	u_int	gstamp;		/* filestamp */
922 	char	linkname[MAXFILENAME]; /* filestamp buffer) */
923 	EVP_PKEY *parkey;
924 	char	*ptr;
925 	int	i;
926 
927 	/*
928 	 * Open the key file.
929 	 */
930 	str = fopen(cp, "r");
931 	if (str == NULL)
932 		return (NULL);
933 
934 	/*
935 	 * Read the filestamp, which is contained in the first line.
936 	 */
937 	if ((ptr = fgets(linkname, MAXFILENAME, str)) == NULL) {
938 		fprintf(stderr, "Empty key file %s\n", cp);
939 		fclose(str);
940 		return (NULL);
941 	}
942 	if ((ptr = strrchr(ptr, '.')) == NULL) {
943 		fprintf(stderr, "No filestamp found in %s\n", cp);
944 		fclose(str);
945 		return (NULL);
946 	}
947 	if (sscanf(++ptr, "%u", &gstamp) != 1) {
948 		fprintf(stderr, "Invalid filestamp found in %s\n", cp);
949 		fclose(str);
950 		return (NULL);
951 	}
952 
953 	/*
954 	 * Read and decrypt PEM-encoded private keys. The first one
955 	 * found is returned. If others are expected, add them to the
956 	 * parameter list.
957 	 */
958 	for (i = 0; i <= MVMAX - 1;) {
959 		parkey = PEM_read_PrivateKey(str, NULL, NULL, passwd);
960 		if (evpars != NULL) {
961 			evpars[i++] = parkey;
962 			evpars[i] = NULL;
963 		}
964 		if (parkey == NULL)
965 			break;
966 
967 		if (pkey == NULL)
968 			pkey = parkey;
969 		if (debug) {
970 			if (EVP_PKEY_base_id(parkey) == EVP_PKEY_DSA)
971 				DSA_print_fp(stderr, EVP_PKEY_get0_DSA(parkey),
972 				    0);
973 			else if (EVP_PKEY_base_id(parkey) == EVP_PKEY_RSA)
974 				RSA_print_fp(stderr, EVP_PKEY_get0_RSA(parkey),
975 				    0);
976 		}
977 	}
978 	fclose(str);
979 	if (pkey == NULL) {
980 		fprintf(stderr, "Corrupt file %s or wrong key %s\n%s\n",
981 		    cp, passwd, ERR_error_string(ERR_get_error(),
982 		    NULL));
983 		exit (-1);
984 	}
985 	*estamp = gstamp;
986 	return (pkey);
987 }
988 
989 
990 /*
991  * Generate RSA public/private key pair
992  */
993 EVP_PKEY *			/* public/private key pair */
994 gen_rsa(
995 	const char *id		/* file name id */
996 	)
997 {
998 	EVP_PKEY *pkey;		/* private key */
999 	RSA	*rsa;		/* RSA parameters and key pair */
1000 	FILE	*str;
1001 
1002 	fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus);
1003 	rsa = genRsaKeyPair(modulus, _UC("RSA"));
1004 	fprintf(stderr, "\n");
1005 	if (rsa == NULL) {
1006 		fprintf(stderr, "RSA generate keys fails\n%s\n",
1007 		    ERR_error_string(ERR_get_error(), NULL));
1008 		return (NULL);
1009 	}
1010 
1011 	/*
1012 	 * For signature encryption it is not necessary that the RSA
1013 	 * parameters be strictly groomed and once in a while the
1014 	 * modulus turns out to be non-prime. Just for grins, we check
1015 	 * the primality.
1016 	 */
1017 	if (!RSA_check_key(rsa)) {
1018 		fprintf(stderr, "Invalid RSA key\n%s\n",
1019 		    ERR_error_string(ERR_get_error(), NULL));
1020 		RSA_free(rsa);
1021 		return (NULL);
1022 	}
1023 
1024 	/*
1025 	 * Write the RSA parameters and keys as a RSA private key
1026 	 * encoded in PEM.
1027 	 */
1028 	if (strcmp(id, "sign") == 0)
1029 		str = fheader("RSAsign", id, hostname);
1030 	else
1031 		str = fheader("RSAhost", id, hostname);
1032 	pkey = EVP_PKEY_new();
1033 	EVP_PKEY_assign_RSA(pkey, rsa);
1034 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1035 	    passwd1);
1036 	fclose(str);
1037 	if (debug)
1038 		RSA_print_fp(stderr, rsa, 0);
1039 	return (pkey);
1040 }
1041 
1042 
1043 /*
1044  * Generate DSA public/private key pair
1045  */
1046 EVP_PKEY *			/* public/private key pair */
1047 gen_dsa(
1048 	const char *id		/* file name id */
1049 	)
1050 {
1051 	EVP_PKEY *pkey;		/* private key */
1052 	DSA	*dsa;		/* DSA parameters */
1053 	FILE	*str;
1054 
1055 	/*
1056 	 * Generate DSA parameters.
1057 	 */
1058 	fprintf(stderr,
1059 	    "Generating DSA parameters (%d bits)...\n", modulus);
1060 	dsa = genDsaParams(modulus, _UC("DSA"));
1061 	fprintf(stderr, "\n");
1062 	if (dsa == NULL) {
1063 		fprintf(stderr, "DSA generate parameters fails\n%s\n",
1064 		    ERR_error_string(ERR_get_error(), NULL));
1065 		return (NULL);
1066 	}
1067 
1068 	/*
1069 	 * Generate DSA keys.
1070 	 */
1071 	fprintf(stderr, "Generating DSA keys (%d bits)...\n", modulus);
1072 	if (!DSA_generate_key(dsa)) {
1073 		fprintf(stderr, "DSA generate keys fails\n%s\n",
1074 		    ERR_error_string(ERR_get_error(), NULL));
1075 		DSA_free(dsa);
1076 		return (NULL);
1077 	}
1078 
1079 	/*
1080 	 * Write the DSA parameters and keys as a DSA private key
1081 	 * encoded in PEM.
1082 	 */
1083 	str = fheader("DSAsign", id, hostname);
1084 	pkey = EVP_PKEY_new();
1085 	EVP_PKEY_assign_DSA(pkey, dsa);
1086 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1087 	    passwd1);
1088 	fclose(str);
1089 	if (debug)
1090 		DSA_print_fp(stderr, dsa, 0);
1091 	return (pkey);
1092 }
1093 
1094 
1095 /*
1096  ***********************************************************************
1097  *								       *
1098  * The following routines implement the Schnorr (IFF) identity scheme  *
1099  *								       *
1100  ***********************************************************************
1101  *
1102  * The Schnorr (IFF) identity scheme is intended for use when
1103  * certificates are generated by some other trusted certificate
1104  * authority and the certificate cannot be used to convey public
1105  * parameters. There are two kinds of files: encrypted server files that
1106  * contain private and public values and nonencrypted client files that
1107  * contain only public values. New generations of server files must be
1108  * securely transmitted to all servers of the group; client files can be
1109  * distributed by any means. The scheme is self contained and
1110  * independent of new generations of host keys, sign keys and
1111  * certificates.
1112  *
1113  * The IFF values hide in a DSA cuckoo structure which uses the same
1114  * parameters. The values are used by an identity scheme based on DSA
1115  * cryptography and described in Stimson p. 285. The p is a 512-bit
1116  * prime, g a generator of Zp* and q a 160-bit prime that divides p - 1
1117  * and is a qth root of 1 mod p; that is, g^q = 1 mod p. The TA rolls a
1118  * private random group key b (0 < b < q) and public key v = g^b, then
1119  * sends (p, q, g, b) to the servers and (p, q, g, v) to the clients.
1120  * Alice challenges Bob to confirm identity using the protocol described
1121  * below.
1122  *
1123  * How it works
1124  *
1125  * The scheme goes like this. Both Alice and Bob have the public primes
1126  * p, q and generator g. The TA gives private key b to Bob and public
1127  * key v to Alice.
1128  *
1129  * Alice rolls new random challenge r (o < r < q) and sends to Bob in
1130  * the IFF request message. Bob rolls new random k (0 < k < q), then
1131  * computes y = k + b r mod q and x = g^k mod p and sends (y, hash(x))
1132  * to Alice in the response message. Besides making the response
1133  * shorter, the hash makes it effectivey impossible for an intruder to
1134  * solve for b by observing a number of these messages.
1135  *
1136  * Alice receives the response and computes g^y v^r mod p. After a bit
1137  * of algebra, this simplifies to g^k. If the hash of this result
1138  * matches hash(x), Alice knows that Bob has the group key b. The signed
1139  * response binds this knowledge to Bob's private key and the public key
1140  * previously received in his certificate.
1141  */
1142 /*
1143  * Generate Schnorr (IFF) keys.
1144  */
1145 EVP_PKEY *			/* DSA cuckoo nest */
1146 gen_iffkey(
1147 	const char *id		/* file name id */
1148 	)
1149 {
1150 	EVP_PKEY *pkey;		/* private key */
1151 	DSA	*dsa;		/* DSA parameters */
1152 	BN_CTX	*ctx;		/* BN working space */
1153 	BIGNUM	*b, *r, *k, *u, *v, *w; /* BN temp */
1154 	FILE	*str;
1155 	u_int	temp;
1156 	const BIGNUM *p, *q, *g;
1157 	BIGNUM *pub_key, *priv_key;
1158 
1159 	/*
1160 	 * Generate DSA parameters for use as IFF parameters.
1161 	 */
1162 	fprintf(stderr, "Generating IFF keys (%d bits)...\n",
1163 	    modulus2);
1164 	dsa = genDsaParams(modulus2, _UC("IFF"));
1165 	fprintf(stderr, "\n");
1166 	if (dsa == NULL) {
1167 		fprintf(stderr, "DSA generate parameters fails\n%s\n",
1168 		    ERR_error_string(ERR_get_error(), NULL));
1169 		return (NULL);
1170 	}
1171 	DSA_get0_pqg(dsa, &p, &q, &g);
1172 
1173 	/*
1174 	 * Generate the private and public keys. The DSA parameters and
1175 	 * private key are distributed to the servers, while all except
1176 	 * the private key are distributed to the clients.
1177 	 */
1178 	b = BN_new(); r = BN_new(); k = BN_new();
1179 	u = BN_new(); v = BN_new(); w = BN_new(); ctx = BN_CTX_new();
1180 	BN_rand(b, BN_num_bits(q), -1, 0);	/* a */
1181 	BN_mod(b, b, q, ctx);
1182 	BN_sub(v, q, b);
1183 	BN_mod_exp(v, g, v, p, ctx); /* g^(q - b) mod p */
1184 	BN_mod_exp(u, g, b, p, ctx);	/* g^b mod p */
1185 	BN_mod_mul(u, u, v, p, ctx);
1186 	temp = BN_is_one(u);
1187 	fprintf(stderr,
1188 	    "Confirm g^(q - b) g^b = 1 mod p: %s\n", temp == 1 ?
1189 	    "yes" : "no");
1190 	if (!temp) {
1191 		BN_free(b); BN_free(r); BN_free(k);
1192 		BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
1193 		return (NULL);
1194 	}
1195 	pub_key = BN_dup(v);
1196 	priv_key = BN_dup(b);
1197 	DSA_set0_key(dsa, pub_key, priv_key);
1198 
1199 	/*
1200 	 * Here is a trial round of the protocol. First, Alice rolls
1201 	 * random nonce r mod q and sends it to Bob. She needs only
1202 	 * q from parameters.
1203 	 */
1204 	BN_rand(r, BN_num_bits(q), -1, 0);	/* r */
1205 	BN_mod(r, r, q, ctx);
1206 
1207 	/*
1208 	 * Bob rolls random nonce k mod q, computes y = k + b r mod q
1209 	 * and x = g^k mod p, then sends (y, x) to Alice. He needs
1210 	 * p, q and b from parameters and r from Alice.
1211 	 */
1212 	BN_rand(k, BN_num_bits(q), -1, 0);	/* k, 0 < k < q  */
1213 	BN_mod(k, k, q, ctx);
1214 	BN_mod_mul(v, priv_key, r, q, ctx); /* b r mod q */
1215 	BN_add(v, v, k);
1216 	BN_mod(v, v, q, ctx);		/* y = k + b r mod q */
1217 	BN_mod_exp(u, g, k, p, ctx);	/* x = g^k mod p */
1218 
1219 	/*
1220 	 * Alice verifies x = g^y v^r to confirm that Bob has group key
1221 	 * b. She needs p, q, g from parameters, (y, x) from Bob and the
1222 	 * original r. We omit the detail here thatt only the hash of y
1223 	 * is sent.
1224 	 */
1225 	BN_mod_exp(v, g, v, p, ctx); /* g^y mod p */
1226 	BN_mod_exp(w, pub_key, r, p, ctx); /* v^r */
1227 	BN_mod_mul(v, w, v, p, ctx);	/* product mod p */
1228 	temp = BN_cmp(u, v);
1229 	fprintf(stderr,
1230 	    "Confirm g^k = g^(k + b r) g^(q - b) r: %s\n", temp ==
1231 	    0 ? "yes" : "no");
1232 	BN_free(b); BN_free(r);	BN_free(k);
1233 	BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
1234 	if (temp != 0) {
1235 		DSA_free(dsa);
1236 		return (NULL);
1237 	}
1238 
1239 	/*
1240 	 * Write the IFF keys as an encrypted DSA private key encoded in
1241 	 * PEM.
1242 	 *
1243 	 * p	modulus p
1244 	 * q	modulus q
1245 	 * g	generator g
1246 	 * priv_key b
1247 	 * public_key v
1248 	 * kinv	not used
1249 	 * r	not used
1250 	 */
1251 	str = fheader("IFFkey", id, groupname);
1252 	pkey = EVP_PKEY_new();
1253 	EVP_PKEY_assign_DSA(pkey, dsa);
1254 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1255 	    passwd1);
1256 	fclose(str);
1257 	if (debug)
1258 		DSA_print_fp(stderr, dsa, 0);
1259 	return (pkey);
1260 }
1261 
1262 
1263 /*
1264  ***********************************************************************
1265  *								       *
1266  * The following routines implement the Guillou-Quisquater (GQ)        *
1267  * identity scheme                                                     *
1268  *								       *
1269  ***********************************************************************
1270  *
1271  * The Guillou-Quisquater (GQ) identity scheme is intended for use when
1272  * the certificate can be used to convey public parameters. The scheme
1273  * uses a X509v3 certificate extension field do convey the public key of
1274  * a private key known only to servers. There are two kinds of files:
1275  * encrypted server files that contain private and public values and
1276  * nonencrypted client files that contain only public values. New
1277  * generations of server files must be securely transmitted to all
1278  * servers of the group; client files can be distributed by any means.
1279  * The scheme is self contained and independent of new generations of
1280  * host keys and sign keys. The scheme is self contained and independent
1281  * of new generations of host keys and sign keys.
1282  *
1283  * The GQ parameters hide in a RSA cuckoo structure which uses the same
1284  * parameters. The values are used by an identity scheme based on RSA
1285  * cryptography and described in Stimson p. 300 (with errors). The 512-
1286  * bit public modulus is n = p q, where p and q are secret large primes.
1287  * The TA rolls private random group key b as RSA exponent. These values
1288  * are known to all group members.
1289  *
1290  * When rolling new certificates, a server recomputes the private and
1291  * public keys. The private key u is a random roll, while the public key
1292  * is the inverse obscured by the group key v = (u^-1)^b. These values
1293  * replace the private and public keys normally generated by the RSA
1294  * scheme. Alice challenges Bob to confirm identity using the protocol
1295  * described below.
1296  *
1297  * How it works
1298  *
1299  * The scheme goes like this. Both Alice and Bob have the same modulus n
1300  * and some random b as the group key. These values are computed and
1301  * distributed in advance via secret means, although only the group key
1302  * b is truly secret. Each has a private random private key u and public
1303  * key (u^-1)^b, although not necessarily the same ones. Bob and Alice
1304  * can regenerate the key pair from time to time without affecting
1305  * operations. The public key is conveyed on the certificate in an
1306  * extension field; the private key is never revealed.
1307  *
1308  * Alice rolls new random challenge r and sends to Bob in the GQ
1309  * request message. Bob rolls new random k, then computes y = k u^r mod
1310  * n and x = k^b mod n and sends (y, hash(x)) to Alice in the response
1311  * message. Besides making the response shorter, the hash makes it
1312  * effectivey impossible for an intruder to solve for b by observing
1313  * a number of these messages.
1314  *
1315  * Alice receives the response and computes y^b v^r mod n. After a bit
1316  * of algebra, this simplifies to k^b. If the hash of this result
1317  * matches hash(x), Alice knows that Bob has the group key b. The signed
1318  * response binds this knowledge to Bob's private key and the public key
1319  * previously received in his certificate.
1320  */
1321 /*
1322  * Generate Guillou-Quisquater (GQ) parameters file.
1323  */
1324 EVP_PKEY *			/* RSA cuckoo nest */
1325 gen_gqkey(
1326 	const char *id		/* file name id */
1327 	)
1328 {
1329 	EVP_PKEY *pkey;		/* private key */
1330 	RSA	*rsa;		/* RSA parameters */
1331 	BN_CTX	*ctx;		/* BN working space */
1332 	BIGNUM	*u, *v, *g, *k, *r, *y; /* BN temps */
1333 	FILE	*str;
1334 	u_int	temp;
1335 	BIGNUM	*b;
1336 	const BIGNUM	*n;
1337 
1338 	/*
1339 	 * Generate RSA parameters for use as GQ parameters.
1340 	 */
1341 	fprintf(stderr,
1342 	    "Generating GQ parameters (%d bits)...\n",
1343 	     modulus2);
1344 	rsa = genRsaKeyPair(modulus2, _UC("GQ"));
1345 	fprintf(stderr, "\n");
1346 	if (rsa == NULL) {
1347 		fprintf(stderr, "RSA generate keys fails\n%s\n",
1348 		    ERR_error_string(ERR_get_error(), NULL));
1349 		return (NULL);
1350 	}
1351 	RSA_get0_key(rsa, &n, NULL, NULL);
1352 	u = BN_new(); v = BN_new(); g = BN_new();
1353 	k = BN_new(); r = BN_new(); y = BN_new();
1354 	b = BN_new();
1355 
1356 	/*
1357 	 * Generate the group key b, which is saved in the e member of
1358 	 * the RSA structure. The group key is transmitted to each group
1359 	 * member encrypted by the member private key.
1360 	 */
1361 	ctx = BN_CTX_new();
1362 	BN_rand(b, BN_num_bits(n), -1, 0); /* b */
1363 	BN_mod(b, b, n, ctx);
1364 
1365 	/*
1366 	 * When generating his certificate, Bob rolls random private key
1367 	 * u, then computes inverse v = u^-1.
1368 	 */
1369 	BN_rand(u, BN_num_bits(n), -1, 0); /* u */
1370 	BN_mod(u, u, n, ctx);
1371 	BN_mod_inverse(v, u, n, ctx);	/* u^-1 mod n */
1372 	BN_mod_mul(k, v, u, n, ctx);
1373 
1374 	/*
1375 	 * Bob computes public key v = (u^-1)^b, which is saved in an
1376 	 * extension field on his certificate. We check that u^b v =
1377 	 * 1 mod n.
1378 	 */
1379 	BN_mod_exp(v, v, b, n, ctx);
1380 	BN_mod_exp(g, u, b, n, ctx); /* u^b */
1381 	BN_mod_mul(g, g, v, n, ctx); /* u^b (u^-1)^b */
1382 	temp = BN_is_one(g);
1383 	fprintf(stderr,
1384 	    "Confirm u^b (u^-1)^b = 1 mod n: %s\n", temp ? "yes" :
1385 	    "no");
1386 	if (!temp) {
1387 		BN_free(u); BN_free(v);
1388 		BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1389 		BN_CTX_free(ctx);
1390 		RSA_free(rsa);
1391 		return (NULL);
1392 	}
1393 	/* setting 'u' and 'v' into a RSA object takes over ownership.
1394 	 * Since we use these values again, we have to pass in dupes,
1395 	 * or we'll corrupt the program!
1396 	 */
1397 	RSA_set0_factors(rsa, BN_dup(u), BN_dup(v));
1398 
1399 	/*
1400 	 * Here is a trial run of the protocol. First, Alice rolls
1401 	 * random nonce r mod n and sends it to Bob. She needs only n
1402 	 * from parameters.
1403 	 */
1404 	BN_rand(r, BN_num_bits(n), -1, 0);	/* r */
1405 	BN_mod(r, r, n, ctx);
1406 
1407 	/*
1408 	 * Bob rolls random nonce k mod n, computes y = k u^r mod n and
1409 	 * g = k^b mod n, then sends (y, g) to Alice. He needs n, u, b
1410 	 * from parameters and r from Alice.
1411 	 */
1412 	BN_rand(k, BN_num_bits(n), -1, 0);	/* k */
1413 	BN_mod(k, k, n, ctx);
1414 	BN_mod_exp(y, u, r, n, ctx);	/* u^r mod n */
1415 	BN_mod_mul(y, k, y, n, ctx);	/* y = k u^r mod n */
1416 	BN_mod_exp(g, k, b, n, ctx);	/* g = k^b mod n */
1417 
1418 	/*
1419 	 * Alice verifies g = v^r y^b mod n to confirm that Bob has
1420 	 * private key u. She needs n, g from parameters, public key v =
1421 	 * (u^-1)^b from the certificate, (y, g) from Bob and the
1422 	 * original r. We omit the detaul here that only the hash of g
1423 	 * is sent.
1424 	 */
1425 	BN_mod_exp(v, v, r, n, ctx);	/* v^r mod n */
1426 	BN_mod_exp(y, y, b, n, ctx);	/* y^b mod n */
1427 	BN_mod_mul(y, v, y, n, ctx);	/* v^r y^b mod n */
1428 	temp = BN_cmp(y, g);
1429 	fprintf(stderr, "Confirm g^k = v^r y^b mod n: %s\n", temp == 0 ?
1430 	    "yes" : "no");
1431 	BN_CTX_free(ctx); BN_free(u); BN_free(v);
1432 	BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1433 	if (temp != 0) {
1434 		RSA_free(rsa);
1435 		return (NULL);
1436 	}
1437 
1438 	/*
1439 	 * Write the GQ parameter file as an encrypted RSA private key
1440 	 * encoded in PEM.
1441 	 *
1442 	 * n	modulus n
1443 	 * e	group key b
1444 	 * d	not used
1445 	 * p	private key u
1446 	 * q	public key (u^-1)^b
1447 	 * dmp1	not used
1448 	 * dmq1	not used
1449 	 * iqmp	not used
1450 	 */
1451 	RSA_set0_key(rsa, NULL, b, BN_dup(BN_value_one()));
1452 	RSA_set0_crt_params(rsa, BN_dup(BN_value_one()), BN_dup(BN_value_one()),
1453 		BN_dup(BN_value_one()));
1454 	str = fheader("GQkey", id, groupname);
1455 	pkey = EVP_PKEY_new();
1456 	EVP_PKEY_assign_RSA(pkey, rsa);
1457 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1458 	    passwd1);
1459 	fclose(str);
1460 	if (debug)
1461 		RSA_print_fp(stderr, rsa, 0);
1462 	return (pkey);
1463 }
1464 
1465 
1466 /*
1467  ***********************************************************************
1468  *								       *
1469  * The following routines implement the Mu-Varadharajan (MV) identity  *
1470  * scheme                                                              *
1471  *								       *
1472  ***********************************************************************
1473  *
1474  * The Mu-Varadharajan (MV) cryptosystem was originally intended when
1475  * servers broadcast messages to clients, but clients never send
1476  * messages to servers. There is one encryption key for the server and a
1477  * separate decryption key for each client. It operated something like a
1478  * pay-per-view satellite broadcasting system where the session key is
1479  * encrypted by the broadcaster and the decryption keys are held in a
1480  * tamperproof set-top box.
1481  *
1482  * The MV parameters and private encryption key hide in a DSA cuckoo
1483  * structure which uses the same parameters, but generated in a
1484  * different way. The values are used in an encryption scheme similar to
1485  * El Gamal cryptography and a polynomial formed from the expansion of
1486  * product terms (x - x[j]), as described in Mu, Y., and V.
1487  * Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001,
1488  * 223-231. The paper has significant errors and serious omissions.
1489  *
1490  * Let q be the product of n distinct primes s1[j] (j = 1...n), where
1491  * each s1[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
1492  * that q and each s1[j] divide p - 1 and p has M = n * m + 1
1493  * significant bits. Let g be a generator of Zp; that is, gcd(g, p - 1)
1494  * = 1 and g^q = 1 mod p. We do modular arithmetic over Zq and then
1495  * project into Zp* as exponents of g. Sometimes we have to compute an
1496  * inverse b^-1 of random b in Zq, but for that purpose we require
1497  * gcd(b, q) = 1. We expect M to be in the 500-bit range and n
1498  * relatively small, like 30. These are the parameters of the scheme and
1499  * they are expensive to compute.
1500  *
1501  * We set up an instance of the scheme as follows. A set of random
1502  * values x[j] mod q (j = 1...n), are generated as the zeros of a
1503  * polynomial of order n. The product terms (x - x[j]) are expanded to
1504  * form coefficients a[i] mod q (i = 0...n) in powers of x. These are
1505  * used as exponents of the generator g mod p to generate the private
1506  * encryption key A. The pair (gbar, ghat) of public server keys and the
1507  * pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used
1508  * to construct the decryption keys. The devil is in the details.
1509  *
1510  * This routine generates a private server encryption file including the
1511  * private encryption key E and partial decryption keys gbar and ghat.
1512  * It then generates public client decryption files including the public
1513  * keys xbar[j] and xhat[j] for each client j. The partial decryption
1514  * files are used to compute the inverse of E. These values are suitably
1515  * blinded so secrets are not revealed.
1516  *
1517  * The distinguishing characteristic of this scheme is the capability to
1518  * revoke keys. Included in the calculation of E, gbar and ghat is the
1519  * product s = prod(s1[j]) (j = 1...n) above. If the factor s1[j] is
1520  * subsequently removed from the product and E, gbar and ghat
1521  * recomputed, the jth client will no longer be able to compute E^-1 and
1522  * thus unable to decrypt the messageblock.
1523  *
1524  * How it works
1525  *
1526  * The scheme goes like this. Bob has the server values (p, E, q,
1527  * gbar, ghat) and Alice has the client values (p, xbar, xhat).
1528  *
1529  * Alice rolls new random nonce r mod p and sends to Bob in the MV
1530  * request message. Bob rolls random nonce k mod q, encrypts y = r E^k
1531  * mod p and sends (y, gbar^k, ghat^k) to Alice.
1532  *
1533  * Alice receives the response and computes the inverse (E^k)^-1 from
1534  * the partial decryption keys gbar^k, ghat^k, xbar and xhat. She then
1535  * decrypts y and verifies it matches the original r. The signed
1536  * response binds this knowledge to Bob's private key and the public key
1537  * previously received in his certificate.
1538  */
1539 EVP_PKEY *			/* DSA cuckoo nest */
1540 gen_mvkey(
1541 	const char *id,		/* file name id */
1542 	EVP_PKEY **evpars	/* parameter list pointer */
1543 	)
1544 {
1545 	EVP_PKEY *pkey, *pkey1;	/* private keys */
1546 	DSA	*dsa, *dsa2, *sdsa; /* DSA parameters */
1547 	BN_CTX	*ctx;		/* BN working space */
1548 	BIGNUM	*a[MVMAX];	/* polynomial coefficient vector */
1549 	BIGNUM	*gs[MVMAX];	/* public key vector */
1550 	BIGNUM	*s1[MVMAX];	/* private enabling keys */
1551 	BIGNUM	*x[MVMAX];	/* polynomial zeros vector */
1552 	BIGNUM	*xbar[MVMAX], *xhat[MVMAX]; /* private keys vector */
1553 	BIGNUM	*b;		/* group key */
1554 	BIGNUM	*b1;		/* inverse group key */
1555 	BIGNUM	*s;		/* enabling key */
1556 	BIGNUM	*biga;		/* master encryption key */
1557 	BIGNUM	*bige;		/* session encryption key */
1558 	BIGNUM	*gbar, *ghat;	/* public key */
1559 	BIGNUM	*u, *v, *w;	/* BN scratch */
1560 	BIGNUM	*p, *q, *g, *priv_key, *pub_key;
1561 	int	i, j, n;
1562 	FILE	*str;
1563 	u_int	temp;
1564 
1565 	/*
1566 	 * Generate MV parameters.
1567 	 *
1568 	 * The object is to generate a multiplicative group Zp* modulo a
1569 	 * prime p and a subset Zq mod q, where q is the product of n
1570 	 * distinct primes s1[j] (j = 1...n) and q divides p - 1. We
1571 	 * first generate n m-bit primes, where the product n m is in
1572 	 * the order of 512 bits. One or more of these may have to be
1573 	 * replaced later. As a practical matter, it is tough to find
1574 	 * more than 31 distinct primes for 512 bits or 61 primes for
1575 	 * 1024 bits. The latter can take several hundred iterations
1576 	 * and several minutes on a Sun Blade 1000.
1577 	 */
1578 	n = nkeys;
1579 	fprintf(stderr,
1580 	    "Generating MV parameters for %d keys (%d bits)...\n", n,
1581 	    modulus2 / n);
1582 	ctx = BN_CTX_new(); u = BN_new(); v = BN_new(); w = BN_new();
1583 	b = BN_new(); b1 = BN_new();
1584 	dsa = DSA_new();
1585 	p = BN_new(); q = BN_new(); g = BN_new();
1586 	priv_key = BN_new(); pub_key = BN_new();
1587 	temp = 0;
1588 	for (j = 1; j <= n; j++) {
1589 		s1[j] = BN_new();
1590 		while (1) {
1591 			BN_generate_prime_ex(s1[j], modulus2 / n, 0,
1592 					     NULL, NULL, NULL);
1593 			for (i = 1; i < j; i++) {
1594 				if (BN_cmp(s1[i], s1[j]) == 0)
1595 					break;
1596 			}
1597 			if (i == j)
1598 				break;
1599 			temp++;
1600 		}
1601 	}
1602 	fprintf(stderr, "Birthday keys regenerated %d\n", temp);
1603 
1604 	/*
1605 	 * Compute the modulus q as the product of the primes. Compute
1606 	 * the modulus p as 2 * q + 1 and test p for primality. If p
1607 	 * is composite, replace one of the primes with a new distinct
1608 	 * one and try again. Note that q will hardly be a secret since
1609 	 * we have to reveal p to servers, but not clients. However,
1610 	 * factoring q to find the primes should be adequately hard, as
1611 	 * this is the same problem considered hard in RSA. Question: is
1612 	 * it as hard to find n small prime factors totalling n bits as
1613 	 * it is to find two large prime factors totalling n bits?
1614 	 * Remember, the bad guy doesn't know n.
1615 	 */
1616 	temp = 0;
1617 	while (1) {
1618 		BN_one(q);
1619 		for (j = 1; j <= n; j++)
1620 			BN_mul(q, q, s1[j], ctx);
1621 		BN_copy(p, q);
1622 		BN_add(p, p, p);
1623 		BN_add_word(p, 1);
1624 		if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
1625 			break;
1626 
1627 		temp++;
1628 		j = temp % n + 1;
1629 		while (1) {
1630 			BN_generate_prime_ex(u, modulus2 / n, 0,
1631 					     NULL, NULL, NULL);
1632 			for (i = 1; i <= n; i++) {
1633 				if (BN_cmp(u, s1[i]) == 0)
1634 					break;
1635 			}
1636 			if (i > n)
1637 				break;
1638 		}
1639 		BN_copy(s1[j], u);
1640 	}
1641 	fprintf(stderr, "Defective keys regenerated %d\n", temp);
1642 
1643 	/*
1644 	 * Compute the generator g using a random roll such that
1645 	 * gcd(g, p - 1) = 1 and g^q = 1. This is a generator of p, not
1646 	 * q. This may take several iterations.
1647 	 */
1648 	BN_copy(v, p);
1649 	BN_sub_word(v, 1);
1650 	while (1) {
1651 		BN_rand(g, BN_num_bits(p) - 1, 0, 0);
1652 		BN_mod(g, g, p, ctx);
1653 		BN_gcd(u, g, v, ctx);
1654 		if (!BN_is_one(u))
1655 			continue;
1656 
1657 		BN_mod_exp(u, g, q, p, ctx);
1658 		if (BN_is_one(u))
1659 			break;
1660 	}
1661 
1662 	DSA_set0_pqg(dsa, p, q, g);
1663 
1664 	/*
1665 	 * Setup is now complete. Roll random polynomial roots x[j]
1666 	 * (j = 1...n) for all j. While it may not be strictly
1667 	 * necessary, Make sure each root has no factors in common with
1668 	 * q.
1669 	 */
1670 	fprintf(stderr,
1671 	    "Generating polynomial coefficients for %d roots (%d bits)\n",
1672 	    n, BN_num_bits(q));
1673 	for (j = 1; j <= n; j++) {
1674 		x[j] = BN_new();
1675 
1676 		while (1) {
1677 			BN_rand(x[j], BN_num_bits(q), 0, 0);
1678 			BN_mod(x[j], x[j], q, ctx);
1679 			BN_gcd(u, x[j], q, ctx);
1680 			if (BN_is_one(u))
1681 				break;
1682 		}
1683 	}
1684 
1685 	/*
1686 	 * Generate polynomial coefficients a[i] (i = 0...n) from the
1687 	 * expansion of root products (x - x[j]) mod q for all j. The
1688 	 * method is a present from Charlie Boncelet.
1689 	 */
1690 	for (i = 0; i <= n; i++) {
1691 		a[i] = BN_new();
1692 		BN_one(a[i]);
1693 	}
1694 	for (j = 1; j <= n; j++) {
1695 		BN_zero(w);
1696 		for (i = 0; i < j; i++) {
1697 			BN_copy(u, q);
1698 			BN_mod_mul(v, a[i], x[j], q, ctx);
1699 			BN_sub(u, u, v);
1700 			BN_add(u, u, w);
1701 			BN_copy(w, a[i]);
1702 			BN_mod(a[i], u, q, ctx);
1703 		}
1704 	}
1705 
1706 	/*
1707 	 * Generate gs[i] = g^a[i] mod p for all i and the generator g.
1708 	 */
1709 	for (i = 0; i <= n; i++) {
1710 		gs[i] = BN_new();
1711 		BN_mod_exp(gs[i], g, a[i], p, ctx);
1712 	}
1713 
1714 	/*
1715 	 * Verify prod(gs[i]^(a[i] x[j]^i)) = 1 for all i, j. Note the
1716 	 * a[i] x[j]^i exponent is computed mod q, but the gs[i] is
1717 	 * computed mod p. also note the expression given in the paper
1718 	 * is incorrect.
1719 	 */
1720 	temp = 1;
1721 	for (j = 1; j <= n; j++) {
1722 		BN_one(u);
1723 		for (i = 0; i <= n; i++) {
1724 			BN_set_word(v, i);
1725 			BN_mod_exp(v, x[j], v, q, ctx);
1726 			BN_mod_mul(v, v, a[i], q, ctx);
1727 			BN_mod_exp(v, g, v, p, ctx);
1728 			BN_mod_mul(u, u, v, p, ctx);
1729 		}
1730 		if (!BN_is_one(u))
1731 			temp = 0;
1732 	}
1733 	fprintf(stderr,
1734 	    "Confirm prod(gs[i]^(x[j]^i)) = 1 for all i, j: %s\n", temp ?
1735 	    "yes" : "no");
1736 	if (!temp) {
1737 		return (NULL);
1738 	}
1739 
1740 	/*
1741 	 * Make private encryption key A. Keep it around for awhile,
1742 	 * since it is expensive to compute.
1743 	 */
1744 	biga = BN_new();
1745 
1746 	BN_one(biga);
1747 	for (j = 1; j <= n; j++) {
1748 		for (i = 0; i < n; i++) {
1749 			BN_set_word(v, i);
1750 			BN_mod_exp(v, x[j], v, q, ctx);
1751 			BN_mod_exp(v, gs[i], v, p, ctx);
1752 			BN_mod_mul(biga, biga, v, p, ctx);
1753 		}
1754 	}
1755 
1756 	/*
1757 	 * Roll private random group key b mod q (0 < b < q), where
1758 	 * gcd(b, q) = 1 to guarantee b^-1 exists, then compute b^-1
1759 	 * mod q. If b is changed, the client keys must be recomputed.
1760 	 */
1761 	while (1) {
1762 		BN_rand(b, BN_num_bits(q), 0, 0);
1763 		BN_mod(b, b, q, ctx);
1764 		BN_gcd(u, b, q, ctx);
1765 		if (BN_is_one(u))
1766 			break;
1767 	}
1768 	BN_mod_inverse(b1, b, q, ctx);
1769 
1770 	/*
1771 	 * Make private client keys (xbar[j], xhat[j]) for all j. Note
1772 	 * that the keys for the jth client do not s1[j] or the product
1773 	 * s1[j]) (j = 1...n) which is q by construction.
1774 	 *
1775 	 * Compute the factor w such that w s1[j] = s1[j] for all j. The
1776 	 * easy way to do this is to compute (q + s1[j]) / s1[j].
1777 	 * Exercise for the student: prove the remainder is always zero.
1778 	 */
1779 	for (j = 1; j <= n; j++) {
1780 		xbar[j] = BN_new(); xhat[j] = BN_new();
1781 
1782 		BN_add(w, q, s1[j]);
1783 		BN_div(w, u, w, s1[j], ctx);
1784 		BN_zero(xbar[j]);
1785 		BN_set_word(v, n);
1786 		for (i = 1; i <= n; i++) {
1787 			if (i == j)
1788 				continue;
1789 
1790 			BN_mod_exp(u, x[i], v, q, ctx);
1791 			BN_add(xbar[j], xbar[j], u);
1792 		}
1793 		BN_mod_mul(xbar[j], xbar[j], b1, q, ctx);
1794 		BN_mod_exp(xhat[j], x[j], v, q, ctx);
1795 		BN_mod_mul(xhat[j], xhat[j], w, q, ctx);
1796 	}
1797 
1798 	/*
1799 	 * We revoke client j by dividing q by s1[j]. The quotient
1800 	 * becomes the enabling key s. Note we always have to revoke
1801 	 * one key; otherwise, the plaintext and cryptotext would be
1802 	 * identical. For the present there are no provisions to revoke
1803 	 * additional keys, so we sail on with only token revocations.
1804 	 */
1805 	s = BN_new();
1806 	BN_copy(s, q);
1807 	BN_div(s, u, s, s1[n], ctx);
1808 
1809 	/*
1810 	 * For each combination of clients to be revoked, make private
1811 	 * encryption key E = A^s and partial decryption keys gbar = g^s
1812 	 * and ghat = g^(s b), all mod p. The servers use these keys to
1813 	 * compute the session encryption key and partial decryption
1814 	 * keys. These values must be regenerated if the enabling key is
1815 	 * changed.
1816 	 */
1817 	bige = BN_new(); gbar = BN_new(); ghat = BN_new();
1818 	BN_mod_exp(bige, biga, s, p, ctx);
1819 	BN_mod_exp(gbar, g, s, p, ctx);
1820 	BN_mod_mul(v, s, b, q, ctx);
1821 	BN_mod_exp(ghat, g, v, p, ctx);
1822 
1823 	/*
1824 	 * Notes: We produce the key media in three steps. The first
1825 	 * step is to generate the system parameters p, q, g, b, A and
1826 	 * the enabling keys s1[j]. Associated with each s1[j] are
1827 	 * parameters xbar[j] and xhat[j]. All of these parameters are
1828 	 * retained in a data structure protecteted by the trusted-agent
1829 	 * password. The p, xbar[j] and xhat[j] paremeters are
1830 	 * distributed to the j clients. When the client keys are to be
1831 	 * activated, the enabled keys are multipied together to form
1832 	 * the master enabling key s. This and the other parameters are
1833 	 * used to compute the server encryption key E and the partial
1834 	 * decryption keys gbar and ghat.
1835 	 *
1836 	 * In the identity exchange the client rolls random r and sends
1837 	 * it to the server. The server rolls random k, which is used
1838 	 * only once, then computes the session key E^k and partial
1839 	 * decryption keys gbar^k and ghat^k. The server sends the
1840 	 * encrypted r along with gbar^k and ghat^k to the client. The
1841 	 * client completes the decryption and verifies it matches r.
1842 	 */
1843 	/*
1844 	 * Write the MV trusted-agent parameters and keys as a DSA
1845 	 * private key encoded in PEM.
1846 	 *
1847 	 * p	modulus p
1848 	 * q	modulus q
1849 	 * g	generator g
1850 	 * priv_key A mod p
1851 	 * pub_key b mod q
1852 	 * (remaining values are not used)
1853 	 */
1854 	i = 0;
1855 	str = fheader("MVta", "mvta", groupname);
1856 	fprintf(stderr, "Generating MV trusted-authority keys\n");
1857 	BN_copy(priv_key, biga);
1858 	BN_copy(pub_key, b);
1859 	DSA_set0_key(dsa, pub_key, priv_key);
1860 	pkey = EVP_PKEY_new();
1861 	EVP_PKEY_assign_DSA(pkey, dsa);
1862 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
1863 	    passwd1);
1864 	evpars[i++] = pkey;
1865 	if (debug)
1866 		DSA_print_fp(stderr, dsa, 0);
1867 
1868 	/*
1869 	 * Append the MV server parameters and keys as a DSA key encoded
1870 	 * in PEM.
1871 	 *
1872 	 * p	modulus p
1873 	 * q	modulus q (used only when generating k)
1874 	 * g	bige
1875 	 * priv_key gbar
1876 	 * pub_key ghat
1877 	 * (remaining values are not used)
1878 	 */
1879 	fprintf(stderr, "Generating MV server keys\n");
1880 	dsa2 = DSA_new();
1881 	DSA_set0_pqg(dsa2, BN_dup(p), BN_dup(q), BN_dup(bige));
1882 	DSA_set0_key(dsa2, BN_dup(ghat), BN_dup(gbar));
1883 	pkey1 = EVP_PKEY_new();
1884 	EVP_PKEY_assign_DSA(pkey1, dsa2);
1885 	PEM_write_PKCS8PrivateKey(str, pkey1, cipher, NULL, 0, NULL,
1886 	    passwd1);
1887 	evpars[i++] = pkey1;
1888 	if (debug)
1889 		DSA_print_fp(stderr, dsa2, 0);
1890 
1891 	/*
1892 	 * Append the MV client parameters for each client j as DSA keys
1893 	 * encoded in PEM.
1894 	 *
1895 	 * p	modulus p
1896 	 * priv_key xbar[j] mod q
1897 	 * pub_key xhat[j] mod q
1898 	 * (remaining values are not used)
1899 	 */
1900 	fprintf(stderr, "Generating %d MV client keys\n", n);
1901 	for (j = 1; j <= n; j++) {
1902 		sdsa = DSA_new();
1903 		DSA_set0_pqg(sdsa, BN_dup(p), BN_dup(BN_value_one()),
1904 			BN_dup(BN_value_one()));
1905 		DSA_set0_key(sdsa, BN_dup(xhat[j]), BN_dup(xbar[j]));
1906 		pkey1 = EVP_PKEY_new();
1907 		EVP_PKEY_set1_DSA(pkey1, sdsa);
1908 		PEM_write_PKCS8PrivateKey(str, pkey1, cipher, NULL, 0,
1909 		    NULL, passwd1);
1910 		evpars[i++] = pkey1;
1911 		if (debug)
1912 			DSA_print_fp(stderr, sdsa, 0);
1913 
1914 		/*
1915 		 * The product (gbar^k)^xbar[j] (ghat^k)^xhat[j] and E
1916 		 * are inverses of each other. We check that the product
1917 		 * is one for each client except the ones that have been
1918 		 * revoked.
1919 		 */
1920 		BN_mod_exp(v, gbar, xhat[j], p, ctx);
1921 		BN_mod_exp(u, ghat, xbar[j], p, ctx);
1922 		BN_mod_mul(u, u, v, p, ctx);
1923 		BN_mod_mul(u, u, bige, p, ctx);
1924 		if (!BN_is_one(u)) {
1925 			fprintf(stderr, "Revoke key %d\n", j);
1926 			continue;
1927 		}
1928 	}
1929 	evpars[i++] = NULL;
1930 	fclose(str);
1931 
1932 	/*
1933 	 * Free the countries.
1934 	 */
1935 	for (i = 0; i <= n; i++) {
1936 		BN_free(a[i]); BN_free(gs[i]);
1937 	}
1938 	for (j = 1; j <= n; j++) {
1939 		BN_free(x[j]); BN_free(xbar[j]); BN_free(xhat[j]);
1940 		BN_free(s1[j]);
1941 	}
1942 	return (pkey);
1943 }
1944 
1945 
1946 /*
1947  * Generate X509v3 certificate.
1948  *
1949  * The certificate consists of the version number, serial number,
1950  * validity interval, issuer name, subject name and public key. For a
1951  * self-signed certificate, the issuer name is the same as the subject
1952  * name and these items are signed using the subject private key. The
1953  * validity interval extends from the current time to the same time one
1954  * year hence. For NTP purposes, it is convenient to use the NTP seconds
1955  * of the current time as the serial number.
1956  */
1957 int
1958 x509	(
1959 	EVP_PKEY *pkey,		/* signing key */
1960 	const EVP_MD *md,	/* signature/digest scheme */
1961 	char	*gqpub,		/* identity extension (hex string) */
1962 	const char *exten,	/* private cert extension */
1963 	char	*name		/* subject/issuer name */
1964 	)
1965 {
1966 	X509	*cert;		/* X509 certificate */
1967 	X509_NAME *subj;	/* distinguished (common) name */
1968 	X509_EXTENSION *ex;	/* X509v3 extension */
1969 	FILE	*str;		/* file handle */
1970 	ASN1_INTEGER *serial;	/* serial number */
1971 	const char *id;		/* digest/signature scheme name */
1972 	char	pathbuf[MAXFILENAME + 1];
1973 
1974 	/*
1975 	 * Generate X509 self-signed certificate.
1976 	 *
1977 	 * Set the certificate serial to the NTP seconds for grins. Set
1978 	 * the version to 3. Set the initial validity to the current
1979 	 * time and the finalvalidity one year hence.
1980 	 */
1981  	id = OBJ_nid2sn(EVP_MD_pkey_type(md));
1982 	fprintf(stderr, "Generating new certificate %s %s\n", name, id);
1983 	cert = X509_new();
1984 	X509_set_version(cert, 2L);
1985 	serial = ASN1_INTEGER_new();
1986 	ASN1_INTEGER_set(serial, (long)epoch + JAN_1970);
1987 	X509_set_serialNumber(cert, serial);
1988 	ASN1_INTEGER_free(serial);
1989 	X509_time_adj(X509_getm_notBefore(cert), 0L, &epoch);
1990 	X509_time_adj(X509_getm_notAfter(cert), lifetime * SECSPERDAY, &epoch);
1991 	subj = X509_get_subject_name(cert);
1992 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
1993 	    (u_char *)name, -1, -1, 0);
1994 	subj = X509_get_issuer_name(cert);
1995 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
1996 	    (u_char *)name, -1, -1, 0);
1997 	if (!X509_set_pubkey(cert, pkey)) {
1998 		fprintf(stderr, "Assign certificate signing key fails\n%s\n",
1999 		    ERR_error_string(ERR_get_error(), NULL));
2000 		X509_free(cert);
2001 		return (0);
2002 	}
2003 
2004 	/*
2005 	 * Add X509v3 extensions if present. These represent the minimum
2006 	 * set defined in RFC3280 less the certificate_policy extension,
2007 	 * which is seriously obfuscated in OpenSSL.
2008 	 */
2009 	/*
2010 	 * The basic_constraints extension CA:TRUE allows servers to
2011 	 * sign client certficitates.
2012 	 */
2013 	fprintf(stderr, "%s: %s\n", LN_basic_constraints,
2014 	    BASIC_CONSTRAINTS);
2015 	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
2016 	    _UC(BASIC_CONSTRAINTS));
2017 	if (!X509_add_ext(cert, ex, -1)) {
2018 		fprintf(stderr, "Add extension field fails\n%s\n",
2019 		    ERR_error_string(ERR_get_error(), NULL));
2020 		return (0);
2021 	}
2022 	X509_EXTENSION_free(ex);
2023 
2024 	/*
2025 	 * The key_usage extension designates the purposes the key can
2026 	 * be used for.
2027 	 */
2028 	fprintf(stderr, "%s: %s\n", LN_key_usage, KEY_USAGE);
2029 	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, _UC(KEY_USAGE));
2030 	if (!X509_add_ext(cert, ex, -1)) {
2031 		fprintf(stderr, "Add extension field fails\n%s\n",
2032 		    ERR_error_string(ERR_get_error(), NULL));
2033 		return (0);
2034 	}
2035 	X509_EXTENSION_free(ex);
2036 	/*
2037 	 * The subject_key_identifier is used for the GQ public key.
2038 	 * This should not be controversial.
2039 	 */
2040 	if (gqpub != NULL) {
2041 		fprintf(stderr, "%s\n", LN_subject_key_identifier);
2042 		ex = X509V3_EXT_conf_nid(NULL, NULL,
2043 		    NID_subject_key_identifier, gqpub);
2044 		if (!X509_add_ext(cert, ex, -1)) {
2045 			fprintf(stderr,
2046 			    "Add extension field fails\n%s\n",
2047 			    ERR_error_string(ERR_get_error(), NULL));
2048 			return (0);
2049 		}
2050 		X509_EXTENSION_free(ex);
2051 	}
2052 
2053 	/*
2054 	 * The extended key usage extension is used for special purpose
2055 	 * here. The semantics probably do not conform to the designer's
2056 	 * intent and will likely change in future.
2057 	 *
2058 	 * "trustRoot" designates a root authority
2059 	 * "private" designates a private certificate
2060 	 */
2061 	if (exten != NULL) {
2062 		fprintf(stderr, "%s: %s\n", LN_ext_key_usage, exten);
2063 		ex = X509V3_EXT_conf_nid(NULL, NULL,
2064 		    NID_ext_key_usage, _UC(exten));
2065 		if (!X509_add_ext(cert, ex, -1)) {
2066 			fprintf(stderr,
2067 			    "Add extension field fails\n%s\n",
2068 			    ERR_error_string(ERR_get_error(), NULL));
2069 			return (0);
2070 		}
2071 		X509_EXTENSION_free(ex);
2072 	}
2073 
2074 	/*
2075 	 * Sign and verify.
2076 	 */
2077 	X509_sign(cert, pkey, md);
2078 	if (X509_verify(cert, pkey) <= 0) {
2079 		fprintf(stderr, "Verify %s certificate fails\n%s\n", id,
2080 		    ERR_error_string(ERR_get_error(), NULL));
2081 		X509_free(cert);
2082 		return (0);
2083 	}
2084 
2085 	/*
2086 	 * Write the certificate encoded in PEM.
2087 	 */
2088 	snprintf(pathbuf, sizeof(pathbuf), "%scert", id);
2089 	str = fheader(pathbuf, "cert", hostname);
2090 	PEM_write_X509(str, cert);
2091 	fclose(str);
2092 	if (debug)
2093 		X509_print_fp(stderr, cert);
2094 	X509_free(cert);
2095 	return (1);
2096 }
2097 
2098 #if 0	/* asn2ntp is used only with commercial certificates */
2099 /*
2100  * asn2ntp - convert ASN1_TIME time structure to NTP time
2101  */
2102 u_long
2103 asn2ntp	(
2104 	ASN1_TIME *asn1time	/* pointer to ASN1_TIME structure */
2105 	)
2106 {
2107 	char	*v;		/* pointer to ASN1_TIME string */
2108 	struct	tm tm;		/* time decode structure time */
2109 
2110 	/*
2111 	 * Extract time string YYMMDDHHMMSSZ from ASN.1 time structure.
2112 	 * Note that the YY, MM, DD fields start with one, the HH, MM,
2113 	 * SS fiels start with zero and the Z character should be 'Z'
2114 	 * for UTC. Also note that years less than 50 map to years
2115 	 * greater than 100. Dontcha love ASN.1?
2116 	 */
2117 	if (asn1time->length > 13)
2118 		return (-1);
2119 	v = (char *)asn1time->data;
2120 	tm.tm_year = (v[0] - '0') * 10 + v[1] - '0';
2121 	if (tm.tm_year < 50)
2122 		tm.tm_year += 100;
2123 	tm.tm_mon = (v[2] - '0') * 10 + v[3] - '0' - 1;
2124 	tm.tm_mday = (v[4] - '0') * 10 + v[5] - '0';
2125 	tm.tm_hour = (v[6] - '0') * 10 + v[7] - '0';
2126 	tm.tm_min = (v[8] - '0') * 10 + v[9] - '0';
2127 	tm.tm_sec = (v[10] - '0') * 10 + v[11] - '0';
2128 	tm.tm_wday = 0;
2129 	tm.tm_yday = 0;
2130 	tm.tm_isdst = 0;
2131 	return (mktime(&tm) + JAN_1970);
2132 }
2133 #endif
2134 
2135 /*
2136  * Callback routine
2137  */
2138 void
2139 cb	(
2140 	int	n1,		/* arg 1 */
2141 	int	n2,		/* arg 2 */
2142 	void	*chr		/* arg 3 */
2143 	)
2144 {
2145 	switch (n1) {
2146 	case 0:
2147 		d0++;
2148 		fprintf(stderr, "%s %d %d %lu\r", (char *)chr, n1, n2,
2149 		    d0);
2150 		break;
2151 	case 1:
2152 		d1++;
2153 		fprintf(stderr, "%s\t\t%d %d %lu\r", (char *)chr, n1,
2154 		    n2, d1);
2155 		break;
2156 	case 2:
2157 		d2++;
2158 		fprintf(stderr, "%s\t\t\t\t%d %d %lu\r", (char *)chr,
2159 		    n1, n2, d2);
2160 		break;
2161 	case 3:
2162 		d3++;
2163 		fprintf(stderr, "%s\t\t\t\t\t\t%d %d %lu\r",
2164 		    (char *)chr, n1, n2, d3);
2165 		break;
2166 	}
2167 }
2168 
2169 
2170 /*
2171  * Generate key
2172  */
2173 EVP_PKEY *			/* public/private key pair */
2174 genkey(
2175 	const char *type,	/* key type (RSA or DSA) */
2176 	const char *id		/* file name id */
2177 	)
2178 {
2179 	if (type == NULL)
2180 		return (NULL);
2181 	if (strcmp(type, "RSA") == 0)
2182 		return (gen_rsa(id));
2183 
2184 	else if (strcmp(type, "DSA") == 0)
2185 		return (gen_dsa(id));
2186 
2187 	fprintf(stderr, "Invalid %s key type %s\n", id, type);
2188 	return (NULL);
2189 }
2190 
2191 static RSA*
2192 genRsaKeyPair(
2193 	int	bits,
2194 	char *	what
2195 	)
2196 {
2197 	RSA *		rsa = RSA_new();
2198 	BN_GENCB *	gcb = BN_GENCB_new();
2199 	BIGNUM *	bne = BN_new();
2200 
2201 	if (gcb)
2202 		BN_GENCB_set_old(gcb, cb, what);
2203 	if (bne)
2204 		BN_set_word(bne, 65537);
2205 	if (!(rsa && gcb && bne && RSA_generate_key_ex(
2206 		      rsa, bits, bne, gcb)))
2207 	{
2208 		RSA_free(rsa);
2209 		rsa = NULL;
2210 	}
2211 	BN_GENCB_free(gcb);
2212 	BN_free(bne);
2213 	return rsa;
2214 }
2215 
2216 static DSA*
2217 genDsaParams(
2218 	int	bits,
2219 	char *	what
2220 	)
2221 {
2222 
2223 	DSA *		dsa = DSA_new();
2224 	BN_GENCB *	gcb = BN_GENCB_new();
2225 	u_char		seed[20];
2226 
2227 	if (gcb)
2228 		BN_GENCB_set_old(gcb, cb, what);
2229 	RAND_bytes(seed, sizeof(seed));
2230 	if (!(dsa && gcb && DSA_generate_parameters_ex(
2231 		      dsa, bits, seed, sizeof(seed), NULL, NULL, gcb)))
2232 	{
2233 		DSA_free(dsa);
2234 		dsa = NULL;
2235 	}
2236 	BN_GENCB_free(gcb);
2237 	return dsa;
2238 }
2239 
2240 #endif	/* AUTOKEY */
2241 
2242 
2243 /*
2244  * Generate file header and link
2245  */
2246 FILE *
2247 fheader	(
2248 	const char *file,	/* file name id */
2249 	const char *ulink,	/* linkname */
2250 	const char *owner	/* owner name */
2251 	)
2252 {
2253 	FILE	*str;		/* file handle */
2254 	char	linkname[MAXFILENAME]; /* link name */
2255 	int	temp;
2256 #ifdef HAVE_UMASK
2257         mode_t  orig_umask;
2258 #endif
2259 
2260 	snprintf(filename, sizeof(filename), "ntpkey_%s_%s.%u", file,
2261 	    owner, fstamp);
2262 #ifdef HAVE_UMASK
2263         orig_umask = umask( S_IWGRP | S_IRWXO );
2264         str = fopen(filename, "w");
2265         (void) umask(orig_umask);
2266 #else
2267         str = fopen(filename, "w");
2268 #endif
2269 	if (str == NULL) {
2270 		perror("Write");
2271 		exit (-1);
2272 	}
2273         if (strcmp(ulink, "md5") == 0) {
2274           strcpy(linkname,"ntp.keys");
2275         } else {
2276           snprintf(linkname, sizeof(linkname), "ntpkey_%s_%s", ulink,
2277                    hostname);
2278         }
2279 	(void)remove(linkname);		/* The symlink() line below matters */
2280 	temp = symlink(filename, linkname);
2281 	if (temp < 0)
2282 		perror(file);
2283 	fprintf(stderr, "Generating new %s file and link\n", ulink);
2284 	fprintf(stderr, "%s->%s\n", linkname, filename);
2285 	fprintf(str, "# %s\n# %s\n", filename, ctime(&epoch));
2286 	return (str);
2287 }
2288