freebsd-skq/contrib/ntp/ntpd/ntp_crypto.c
2002-10-29 19:58:12 +00:00

2059 lines
53 KiB
C

/*
* ntp_crypto.c - NTP version 4 public key routines
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifdef AUTOKEY
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
#include "ntpd.h"
#include "ntp_stdlib.h"
#include "ntp_string.h"
#include "ntp_crypto.h"
#ifdef KERNEL_PLL
#include "ntp_syscall.h"
#endif /* KERNEL_PLL */
/*
* Extension field message formats
*
* +-------+-------+ +-------+-------+ +-------+-------+
* 0 | 3 | len | | 2,4 | len | | 5-9 | len |
* +-------+-------+ +-------+-------+ +-------+-------+
* 1 | assocID | | assocID | | assocID |
* +---------------+ +---------------+ +---------------+
* 2 | timestamp | | timestamp | | timestamp |
* +---------------+ +---------------+ +---------------+
* 3 | final seq | | cookie/flags | | filestamp |
* +---------------+ +---------------+ +---------------+
* 4 | final key | | signature len | | value len |
* +---------------+ +---------------+ +---------------+
* 5 | signature len | | | | |
* +---------------+ = signature = = value =
* 6 | | | | | |
* = signature = +---------------+ +---------------+
* 7 | | CRYPTO_ASSOC rsp | signature len |
* +---------------+ CRYPTO_PRIV rsp +---------------+
* CRYPTO_AUTO rsp | |
* = signature =
* | |
* +---------------+
* CRYPTO_DHPAR rsp
* CRYPTO_DH rsp
* CRYPTO_NAME rsp
* CRYPTO_CERT rsp
* CRYPTO_TAI rsp
*
* CRYPTO_STAT 1 - offer/select
* CRYPTO_ASSOC 2 20 association ID
* CRYPTO_AUTO 3 88 autokey values
* CRYPTO_PRIV 4 84 cookie value
* CRYPTO_DHPAR 5 220 agreement parameters
* CRYPTO_DH 6 152 public value
* CRYPTO_NAME 7 460 host name/public key
* CRYPTO_CERT 8 ? certificate
* CRYPTO_TAI 9 144 leapseconds table
*
* Note: requests carry the association ID of the receiver; responses
* carry the association ID of the sender.
*/
/*
* Minimum sizes of fields
*/
#define COOKIE_LEN (5 * 4)
#define AUTOKEY_LEN (6 * 4)
#define VALUE_LEN (6 * 4)
/*
* Global cryptodata in host byte order.
*/
u_int crypto_flags; /* status word */
u_int sys_tai; /* current UTC offset from TAI */
#ifdef PUBKEY
/*
* Cryptodefines
*/
#define TAI_1972 10 /* initial TAI offset */
#define MAX_LEAP 100 /* max UTC leapseconds */
#define MAX_LINLEN 1024 /* max line */
#define MAX_KEYLEN 1024 /* max key */
#define MAX_ENCLEN (ENCODED_CONTENT_LEN(1024)) /* max enc key */
/*
* Private cryptodata in network byte order.
*/
static R_RSA_PRIVATE_KEY private_key; /* private key */
static R_RSA_PUBLIC_KEY public_key; /* public key */
static R_DH_PARAMS dh_params; /* agreement parameters */
static u_char *dh_private; /* private value */
static u_int dh_keyLen; /* private value length */
static char *keysdir = NTP_KEYSDIR; /* crypto keys directory */
static char *private_key_file = NULL; /* private key file */
static char *public_key_file = NULL; /* public key file */
static char *certif_file = NULL; /* certificate file */
static char *dh_params_file = NULL; /* agreement parameters file */
static char *tai_leap_file = NULL; /* leapseconds file */
/*
* Global cryptodata in network byte order
*/
struct value host; /* host name/public key */
struct value certif; /* certificate */
struct value dhparam; /* agreement parameters */
struct value dhpub; /* public value */
struct value tai_leap; /* leapseconds table */
/*
* Cryptotypes
*/
static u_int crypto_rsa P((char *, u_char *, u_int));
static void crypto_cert P((char *));
static void crypto_dh P((char *));
static void crypto_tai P((char *));
#endif /* PUBKEY */
/*
* Autokey protocol status codes
*/
#define RV_OK 0 /* success */
#define RV_LEN 1 /* invalid field length */
#define RV_TSP 2 /* invalid timestamp */
#define RV_FSP 3 /* invalid filestamp */
#define RV_PUB 4 /* missing public key */
#define RV_KEY 5 /* invalid RSA modulus */
#define RV_SIG 6 /* invalid signature length */
#define RV_DH 7 /* invalid agreement parameters */
#define RV_FIL 8 /* missing or corrupted key file */
#define RV_DAT 9 /* missing or corrupted data */
#define RV_DEC 10 /* PEM decoding error */
#define RV_DUP 11 /* duplicate flags */
#define RV_VN 12 /* incorrect version */
/*
* session_key - generate session key
*
* This routine generates a session key from the source address,
* destination address, key ID and private value. The value of the
* session key is the MD5 hash of these values, while the next key ID is
* the first four octets of the hash.
*/
keyid_t /* returns next key ID */
session_key(
struct sockaddr_in *srcadr, /* source address */
struct sockaddr_in *dstadr, /* destination address */
keyid_t keyno, /* key ID */
keyid_t private, /* private value */
u_long lifetime /* key lifetime */
)
{
MD5_CTX ctx; /* MD5 context */
keyid_t keyid; /* key identifer */
u_int32 header[4]; /* data in network byte order */
u_char digest[16]; /* message digest */
/*
* Generate the session key and key ID. If the lifetime is
* greater than zero, install the key and call it trusted.
*/
header[0] = srcadr->sin_addr.s_addr;
header[1] = dstadr->sin_addr.s_addr;
header[2] = htonl(keyno);
header[3] = htonl(private);
MD5Init(&ctx);
MD5Update(&ctx, (u_char *)header, sizeof(header));
MD5Final(digest, &ctx);
memcpy(&keyid, digest, 4);
keyid = ntohl(keyid);
if (lifetime != 0) {
MD5auth_setkey(keyno, digest, 16);
authtrust(keyno, lifetime);
}
#ifdef DEBUG
if (debug > 1)
printf(
"session_key: %s > %s %08x %08x hash %08x life %lu\n",
numtoa(header[0]), numtoa(header[1]), keyno,
private, keyid, lifetime);
#endif
return (keyid);
}
/*
* make_keylist - generate key list
*
* This routine constructs a pseudo-random sequence by repeatedly
* hashing the session key starting from a given source address,
* destination address, private value and the next key ID of the
* preceeding session key. The last entry on the list is saved along
* with its sequence number and public signature.
*/
void
make_keylist(
struct peer *peer, /* peer structure pointer */
struct interface *dstadr /* interface */
)
{
struct autokey *ap; /* autokey pointer */
keyid_t keyid; /* next key ID */
keyid_t cookie; /* private value */
l_fp tstamp; /* NTP timestamp */
u_long ltemp;
int i;
#ifdef PUBKEY
R_SIGNATURE_CTX ctx; /* signature context */
int rval; /* return value */
u_int len;
#endif /* PUBKEY */
/*
* Allocate the key list if necessary.
*/
L_CLR(&tstamp);
if (sys_leap != LEAP_NOTINSYNC)
get_systime(&tstamp);
if (peer->keylist == NULL)
peer->keylist = (keyid_t *)emalloc(sizeof(keyid_t) *
NTP_MAXSESSION);
/*
* Generate an initial key ID which is unique and greater than
* NTP_MAXKEY.
*/
while (1) {
keyid = (u_long)RANDOM & 0xffffffff;
if (keyid <= NTP_MAXKEY)
continue;
if (authhavekey(keyid))
continue;
break;
}
/*
* Generate up to NTP_MAXSESSION session keys. Stop if the
* next one would not be unique or not a session key ID or if
* it would expire before the next poll. The private value
* included in the hash is zero if broadcast mode, the peer
* cookie if client mode or the host cookie if symmetric modes.
*/
ltemp = min(sys_automax, NTP_MAXSESSION * (1 << (peer->kpoll)));
peer->hcookie = session_key(&dstadr->sin, &peer->srcadr, 0,
sys_private, 0);
if (peer->hmode == MODE_BROADCAST)
cookie = 0;
else
cookie = peer->pcookie.key;
for (i = 0; i < NTP_MAXSESSION; i++) {
peer->keylist[i] = keyid;
peer->keynumber = i;
keyid = session_key(&dstadr->sin, &peer->srcadr, keyid,
cookie, ltemp);
ltemp -= 1 << peer->kpoll;
if (auth_havekey(keyid) || keyid <= NTP_MAXKEY ||
ltemp <= (1 << (peer->kpoll)))
break;
}
/*
* Save the last session key ID, sequence number and timestamp,
* then sign these values for later retrieval by the clients. Be
* careful not to use invalid key media.
*/
ap = &peer->sndauto;
ap->tstamp = htonl(tstamp.l_ui);
ap->seq = htonl(peer->keynumber);
ap->key = htonl(keyid);
ap->siglen = 0;
#if DEBUG
if (debug)
printf("make_keys: %d %08x %08x ts %u poll %d\n",
ntohl(ap->seq), ntohl(ap->key), cookie,
ntohl(ap->tstamp), peer->kpoll);
#endif
#ifdef PUBKEY
if(!crypto_flags)
return;
if (ap->sig == NULL)
ap->sig = emalloc(private_key.bits / 8);
EVP_SignInit(&ctx, DA_MD5);
EVP_SignUpdate(&ctx, (u_char *)ap, 12);
rval = EVP_SignFinal(&ctx, ap->sig, &len, &private_key);
if (rval != RV_OK)
msyslog(LOG_ERR, "crypto: keylist signature fails %x",
rval);
else
ap->siglen = htonl(len);
peer->flags |= FLAG_ASSOC;
#endif /* PUBKEY */
}
/*
* crypto_recv - parse extension fields
*
* This routine is called when the packet has been matched to an
* association and passed sanity, format and MAC checks. We believe the
* extension field values only if the field has proper format and
* length, the timestamp and filestamp are valid and the signature has
* valid length and is verified. There are a few cases where some values
* are believed even if the signature fails, but only if the authentic
* bit is not set.
*/
void
crypto_recv(
struct peer *peer, /* peer structure pointer */
struct recvbuf *rbufp /* packet buffer pointer */
)
{
u_int32 *pkt; /* packet pointer */
struct autokey *ap; /* autokey pointer */
struct cookie *cp; /* cookie pointer */
int has_mac; /* length of MAC field */
int authlen; /* offset of MAC field */
int len; /* extension field length */
u_int code; /* extension field opcode */
tstamp_t tstamp; /* timestamp */
int i, rval;
u_int temp;
#ifdef PUBKEY
R_SIGNATURE_CTX ctx; /* signature context */
struct value *vp; /* value pointer */
u_char dh_key[MAX_KEYLEN]; /* agreed key */
R_RSA_PUBLIC_KEY *kp; /* temporary public key pointer */
tstamp_t fstamp; /* filestamp */
u_int32 *pp; /* packet pointer */
u_int rsalen = sizeof(R_RSA_PUBLIC_KEY) - sizeof(u_int) + 4;
u_int bits;
int j;
#ifdef KERNEL_PLL
#if NTP_API > 3
struct timex ntv; /* kernel interface structure */
#endif /* NTP_API */
#endif /* KERNEL_PLL */
#endif /* PUBKEY */
/*
* Initialize. Note that the packet has already been checked for
* valid format and extension field lengths. We first extract
* the field length, command code and timestamp in host byte
* order. These are used with all commands and modes. We discard
* old timestamps and filestamps; but, for duplicate timestamps
* we discard only if the authentic bit is set. Cute.
*/
pkt = (u_int32 *)&rbufp->recv_pkt;
authlen = LEN_PKT_NOMAC;
while ((has_mac = rbufp->recv_length - authlen) > MAX_MAC_LEN) {
i = authlen / 4;
len = ntohl(pkt[i]) & 0xffff;
code = (ntohl(pkt[i]) >> 16) & 0xffff;
temp = (code >> 8) & 0x3f;
if (temp != CRYPTO_VN) {
sys_unknownversion++;
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: incorrect version %d should be %d\n",
temp, CRYPTO_VN);
#endif
return;
}
tstamp = ntohl(pkt[i + 2]);
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: ext offset %d len %d code %x assocID %d\n",
authlen, len, code, (u_int32)ntohl(pkt[i +
1]));
#endif
switch (code) {
/*
* Install association ID and status word.
*/
case CRYPTO_ASSOC | CRYPTO_RESP:
cp = (struct cookie *)&pkt[i + 2];
temp = ntohl(cp->key);
if (len < COOKIE_LEN) {
rval = RV_LEN;
} else if (tstamp == 0) {
rval = RV_TSP;
} else {
if (!peer->crypto)
peer->crypto = temp;
if (ntohl(pkt[i + 1]) != 0)
peer->assoc = ntohl(pkt[i + 1]);
rval = RV_OK;
}
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %d flags 0x%x ts %u\n",
rval, temp, tstamp);
#endif
break;
/*
* Install autokey values in broadcast client and
* symmetric modes.
*/
case CRYPTO_AUTO | CRYPTO_RESP:
if (!(peer->flags & FLAG_AUTOKEY) &&
ntohl(pkt[i + 1]) != 0)
peer->assoc = ntohl(pkt[i + 1]);
ap = (struct autokey *)&pkt[i + 2];
#ifdef PUBKEY
temp = ntohl(ap->siglen);
kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
if (len < AUTOKEY_LEN) {
rval = RV_LEN;
} else if (tstamp == 0 || tstamp <
peer->recauto.tstamp || (tstamp ==
peer->recauto.tstamp && (peer->flags &
FLAG_AUTOKEY))) {
rval = RV_TSP;
} else if (!crypto_flags) {
rval = RV_OK;
} else if (kp == NULL) {
rval = RV_PUB;
} else if (temp != kp->bits / 8) {
rval = RV_SIG;
} else {
EVP_VerifyInit(&ctx, DA_MD5);
EVP_VerifyUpdate(&ctx, (u_char *)ap,
12);
rval = EVP_VerifyFinal(&ctx,
(u_char *)ap->pkt, temp, kp);
}
#else /* PUBKEY */
if (tstamp < peer->recauto.tstamp || (tstamp ==
peer->recauto.tstamp && (peer->flags &
FLAG_AUTOKEY)))
rval = RV_TSP;
else
rval = RV_OK;
#endif /* PUBKEY */
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %x autokey %d %08x ts %u (%u)\n",
rval, ntohl(ap->seq),
ntohl(ap->key), tstamp,
peer->recauto.tstamp);
#endif
if (rval != RV_OK) {
if (rval != RV_TSP)
msyslog(LOG_ERR,
"crypto: %x autokey %d %08x ts %u (%u)\n",
rval, ntohl(ap->seq),
ntohl(ap->key), tstamp,
peer->recauto.tstamp);
break;
}
peer->flags |= FLAG_AUTOKEY;
peer->flash &= ~TEST10;
peer->assoc = ntohl(pkt[i + 1]);
peer->recauto.tstamp = tstamp;
peer->recauto.seq = ntohl(ap->seq);
peer->recauto.key = ntohl(ap->key);
peer->pkeyid = peer->recauto.key;
break;
/*
* Install session cookie in client mode. Use this also
* in symmetric modes for test when rsaref20 has not
* been installed.
*/
case CRYPTO_PRIV:
peer->cmmd = ntohl(pkt[i]);
/* fall through */
case CRYPTO_PRIV | CRYPTO_RESP:
cp = (struct cookie *)&pkt[i + 2];
#ifdef PUBKEY
temp = ntohl(cp->siglen);
kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
if (len < COOKIE_LEN) {
rval = RV_LEN;
} else if (tstamp == 0 || tstamp <
peer->pcookie.tstamp || (tstamp ==
peer->pcookie.tstamp && (peer->flags &
FLAG_AUTOKEY))) {
rval = RV_TSP;
} else if (!crypto_flags) {
rval = RV_OK;
} else if (kp == NULL) {
rval = RV_PUB;
} else if (temp != kp->bits / 8) {
rval = RV_SIG;
} else {
EVP_VerifyInit(&ctx, DA_MD5);
EVP_VerifyUpdate(&ctx, (u_char *)cp, 8);
rval = EVP_VerifyFinal(&ctx,
(u_char *)cp->pkt, temp, kp);
}
#else /* PUBKEY */
if (tstamp <= peer->pcookie.tstamp || (tstamp ==
peer->pcookie.tstamp && (peer->flags &
FLAG_AUTOKEY)))
rval = RV_TSP;
else
rval = RV_OK;
#endif /* PUBKEY */
/*
* Tricky here. If in client mode, use the
* server cookie; otherwise, use EXOR of both
* peer cookies. We call this Daffy-Hooligan
* agreement.
*/
if (peer->hmode == MODE_CLIENT)
temp = ntohl(cp->key);
else
temp = ntohl(cp->key) ^ peer->hcookie;
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %x cookie %08x ts %u (%u)\n",
rval, temp, tstamp,
peer->pcookie.tstamp);
#endif
if (rval != RV_OK) {
if (rval != RV_TSP)
msyslog(LOG_ERR,
"crypto: %x cookie %08x ts %u (%u)\n",
rval, temp, tstamp,
peer->pcookie.tstamp);
peer->cmmd |= CRYPTO_ERROR;
break;
}
if (!(peer->cast_flags & MDF_BCLNT))
peer->flags |= FLAG_AUTOKEY;
peer->flash &= ~TEST10;
peer->assoc = ntohl(pkt[i + 1]);
peer->pcookie.tstamp = tstamp;
if (temp != peer->pcookie.key) {
peer->pcookie.key = temp;
key_expire(peer);
}
break;
/*
* The following commands and responses work only when
* public-key cryptography has been configured. If
* configured, but disabled due to no crypto command in
* the configuration file, they are ignored.
*/
#ifdef PUBKEY
/*
* Install public key and host name.
*/
case CRYPTO_NAME | CRYPTO_RESP:
if (!crypto_flags)
break;
vp = (struct value *)&pkt[i + 2];
fstamp = ntohl(vp->fstamp);
temp = ntohl(vp->vallen);
j = i + 5 + ntohl(vp->vallen) / 4;
bits = ntohl(pkt[i + 5]);
if (len < VALUE_LEN) {
rval = RV_LEN;
} else if (temp < rsalen || bits <
MIN_RSA_MODULUS_BITS || bits >
MAX_RSA_MODULUS_BITS) {
rval = RV_KEY;
} else if (ntohl(pkt[j]) != bits / 8) {
rval = RV_SIG;
} else if (tstamp == 0 || tstamp <
peer->pubkey.tstamp || (tstamp ==
peer->pubkey.tstamp && (peer->flags &
FLAG_AUTOKEY))) {
rval = RV_TSP;
} else if (tstamp < peer->pubkey.fstamp ||
fstamp < peer->pubkey.fstamp) {
rval = RV_FSP;
} else if (fstamp == peer->pubkey.fstamp &&
(peer->flags & FLAG_AUTOKEY)) {
rval = RV_FSP;
} else {
EVP_VerifyInit(&ctx, DA_MD5);
EVP_VerifyUpdate(&ctx, (u_char *)vp,
temp + 12);
kp = emalloc(sizeof(R_RSA_PUBLIC_KEY));
kp->bits = bits;
memcpy(kp->modulus, &pkt[i + 6],
rsalen - 4);
rval = EVP_VerifyFinal(&ctx,
(u_char *)&pkt[j + 1],
ntohl(pkt[j]), kp);
if (rval != 0) {
free(kp);
} else {
j = i + 5 + rsalen / 4;
peer->pubkey.ptr = (u_char *)kp;
temp = strlen((char *)&pkt[j]);
peer->keystr = emalloc(temp +
1);
strcpy(peer->keystr,
(char *)&pkt[j]);
peer->pubkey.tstamp = tstamp;
peer->pubkey.fstamp = fstamp;
peer->flash &= ~TEST10;
if (!(peer->crypto &
CRYPTO_FLAG_CERT))
peer->flags |=
FLAG_PROVEN;
}
}
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %x host %s ts %u fs %u\n",
rval, (char *)&pkt[i + 5 + rsalen /
4], tstamp, fstamp);
#endif
if (rval != RV_OK) {
if (rval != RV_TSP)
msyslog(LOG_ERR,
"crypto: %x host %s ts %u fs %u\n",
rval, (char *)&pkt[i + 5 +
rsalen / 4], tstamp,
fstamp);
}
break;
/*
* Install certificate.
*/
case CRYPTO_CERT | CRYPTO_RESP:
if (!crypto_flags)
break;
vp = (struct value *)&pkt[i + 2];
fstamp = ntohl(vp->fstamp);
temp = ntohl(vp->vallen);
kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
j = i + 5 + temp / 4;
if (len < VALUE_LEN) {
rval = RV_LEN;
} else if (kp == NULL) {
rval = RV_PUB;
} else if (ntohl(pkt[j]) != kp->bits / 8) {
rval = RV_SIG;
} else if (tstamp == 0) {
rval = RV_TSP;
} else if (tstamp <
ntohl(peer->certif.fstamp) || fstamp <
ntohl(peer->certif.fstamp)) {
rval = RV_FSP;
} else if (fstamp ==
ntohl(peer->certif.fstamp) && (peer->flags &
FLAG_AUTOKEY)) {
peer->crypto &= ~CRYPTO_FLAG_CERT;
rval = RV_FSP;
} else {
EVP_VerifyInit(&ctx, DA_MD5);
EVP_VerifyUpdate(&ctx, (u_char *)vp,
temp + 12);
rval = EVP_VerifyFinal(&ctx,
(u_char *)&pkt[j + 1],
ntohl(pkt[j]), kp);
}
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %x certificate %u ts %u fs %u\n",
rval, temp, tstamp, fstamp);
#endif
/*
* If the peer data are newer than the host
* data, replace the host data. Otherwise,
* wait for the peer to fetch the host data.
*/
if (rval != RV_OK || temp == 0) {
if (rval != RV_TSP)
msyslog(LOG_ERR,
"crypto: %x certificate %u ts %u fs %u\n",
rval, temp, tstamp, fstamp);
break;
}
peer->flash &= ~TEST10;
peer->flags |= FLAG_PROVEN;
peer->crypto &= ~CRYPTO_FLAG_CERT;
/*
* Initialize agreement parameters and extension
* field in network byte order. Note the private
* key length is set arbitrarily at half the
* prime length.
*/
peer->certif.tstamp = vp->tstamp;
peer->certif.fstamp = vp->fstamp;
peer->certif.vallen = vp->vallen;
if (peer->certif.ptr == NULL)
free(peer->certif.ptr);
peer->certif.ptr = emalloc(temp);
memcpy(peer->certif.ptr, vp->pkt, temp);
crypto_agree();
break;
/*
* Install agreement parameters in symmetric modes.
*/
case CRYPTO_DHPAR | CRYPTO_RESP:
if (!crypto_flags)
break;
vp = (struct value *)&pkt[i + 2];
fstamp = ntohl(vp->fstamp);
temp = ntohl(vp->vallen);
kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
j = i + 5 + temp / 4;
if (len < VALUE_LEN) {
rval = RV_LEN;
} else if (kp == NULL) {
rval = RV_PUB;
} else if (ntohl(pkt[j]) != kp->bits / 8) {
rval = RV_SIG;
} else if (tstamp == 0) {
rval = RV_TSP;
} else if (tstamp < ntohl(dhparam.fstamp) ||
fstamp < ntohl(dhparam.fstamp)) {
rval = RV_FSP;
} else if (fstamp == ntohl(dhparam.fstamp) &&
(peer->flags & FLAG_AUTOKEY)) {
peer->crypto &= ~CRYPTO_FLAG_DH;
rval = RV_FSP;
} else {
EVP_VerifyInit(&ctx, DA_MD5);
EVP_VerifyUpdate(&ctx, (u_char *)vp,
temp + 12);
rval = EVP_VerifyFinal(&ctx,
(u_char *)&pkt[j + 1],
ntohl(pkt[j]), kp);
}
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %x parameters %u ts %u fs %u\n",
rval, temp, tstamp, fstamp);
#endif
/*
* If the peer data are newer than the host
* data, replace the host data. Otherwise,
* wait for the peer to fetch the host data.
*/
if (rval != RV_OK || temp == 0) {
if (rval != RV_TSP)
msyslog(LOG_ERR,
"crypto: %x parameters %u ts %u fs %u\n",
rval, temp, tstamp, fstamp);
break;
}
peer->flash &= ~TEST10;
crypto_flags |= CRYPTO_FLAG_DH;
peer->crypto &= ~CRYPTO_FLAG_DH;
/*
* Initialize agreement parameters and extension
* field in network byte order. Note the private
* key length is set arbitrarily at half the
* prime length.
*/
dhparam.tstamp = vp->tstamp;
dhparam.fstamp = vp->fstamp;
dhparam.vallen = vp->vallen;
if (dhparam.ptr != NULL)
free(dhparam.ptr);
pp = emalloc(temp);
dhparam.ptr = (u_char *)pp;
memcpy(pp, vp->pkt, temp);
dh_params.primeLen = ntohl(*pp++);
dh_params.prime = (u_char *)pp;
pp += dh_params.primeLen / 4;
dh_params.generatorLen = ntohl(*pp++);
dh_params.generator = (u_char *)pp;
dh_keyLen = dh_params.primeLen / 2;
if (dh_private != NULL)
free(dh_private);
dh_private = emalloc(dh_keyLen);
if (dhparam.sig == NULL)
dhparam.sig = emalloc(private_key.bits /
8);
/*
* Initialize public value extension field.
*/
dhpub.tstamp = vp->tstamp;
dhpub.fstamp = vp->fstamp;
dhpub.vallen = htonl(dh_params.primeLen);
if (dhpub.ptr != NULL)
free(dhpub.ptr);
dhpub.ptr = emalloc(dh_params.primeLen);
if (dhpub.sig == NULL)
dhpub.sig = emalloc(private_key.bits /
8);
crypto_agree();
break;
/*
* Verify public value and compute agreed key in
* symmetric modes.
*/
case CRYPTO_DH:
peer->cmmd = ntohl(pkt[i]);
if (!crypto_flags)
peer->cmmd |= CRYPTO_ERROR;
/* fall through */
case CRYPTO_DH | CRYPTO_RESP:
if (!crypto_flags)
break;
vp = (struct value *)&pkt[i + 2];
fstamp = ntohl(vp->fstamp);
temp = ntohl(vp->vallen);
kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
j = i + 5 + temp / 4;
if (len < VALUE_LEN) {
rval = RV_LEN;
} else if (temp != dh_params.primeLen) {
rval = RV_DH;
} else if (kp == NULL) {
rval = RV_PUB;
} else if (ntohl(pkt[j]) != kp->bits / 8) {
rval = RV_SIG;
} else if (tstamp == 0 || tstamp <
peer->pcookie.tstamp || (tstamp ==
peer->pcookie.tstamp && (peer->flags &
FLAG_AUTOKEY))) {
rval = RV_TSP;
} else {
EVP_VerifyInit(&ctx, DA_MD5);
EVP_VerifyUpdate(&ctx, (u_char *)vp,
temp + 12);
rval = EVP_VerifyFinal(&ctx,
(u_char *)&pkt[j + 1],
ntohl(pkt[j]), kp);
}
/*
* Run the agreement algorithm and stash the key
* value. We use only the first u_int32 for the
* host cookie. Wasteful. If the association ID
* is zero, the other guy hasn't seen us as
* synchronized, in which case both of us should
* be using a zero cookie.
*/
if (rval != RV_OK) {
temp = 0;
} else if (fstamp > dhparam.fstamp) {
crypto_flags &= ~CRYPTO_FLAG_DH;
rval = RV_FSP;
} else {
rval = R_ComputeDHAgreedKey(dh_key,
(u_char *)&pkt[i + 5], dh_private,
dh_keyLen, &dh_params);
temp = ntohl(*(u_int32 *)dh_key);
}
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %x agreement %08x ts %u (%u) fs %u\n",
rval, temp, tstamp,
peer->pcookie.tstamp, fstamp);
#endif
if (rval != RV_OK) {
if (rval != RV_TSP)
msyslog(LOG_ERR,
"crypto: %x agreement %08x ts %u (%u) fs %u\n",
rval, temp, tstamp,
peer->pcookie.tstamp,
fstamp);
peer->cmmd |= CRYPTO_ERROR;
break;
}
peer->flash &= ~TEST10;
peer->flags &= ~FLAG_AUTOKEY;
peer->assoc = ntohl(pkt[i + 1]);
peer->pcookie.tstamp = tstamp;
if (temp != peer->pcookie.key) {
peer->pcookie.key = temp;
key_expire(peer);
}
break;
/*
* Install leapseconds table.
*/
case CRYPTO_TAI | CRYPTO_RESP:
if (!crypto_flags)
break;
vp = (struct value *)&pkt[i + 2];
fstamp = ntohl(vp->fstamp);
temp = ntohl(vp->vallen);
kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
j = i + 5 + temp / 4;
if (len < VALUE_LEN) {
rval = RV_LEN;
} if (kp == NULL) {
rval = RV_PUB;
} else if (ntohl(pkt[j]) != kp->bits / 8) {
rval = RV_SIG;
} else if (tstamp == 0) {
rval = RV_TSP;
} else if (tstamp < ntohl(tai_leap.fstamp) ||
fstamp < ntohl(tai_leap.fstamp)) {
rval = RV_FSP;
} else if (fstamp == ntohl(tai_leap.fstamp) &&
(peer->flags & FLAG_AUTOKEY)) {
peer->crypto &= ~CRYPTO_FLAG_TAI;
rval = RV_FSP;
} else {
EVP_VerifyInit(&ctx, DA_MD5);
EVP_VerifyUpdate(&ctx, (u_char *)vp,
temp + 12);
rval = EVP_VerifyFinal(&ctx,
(u_char *)&pkt[j + 1],
ntohl(pkt[j]), kp);
}
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %x leapseconds %u ts %u fs %u\n",
rval, temp, tstamp, fstamp);
#endif
/*
* If the peer data are newer than the host
* data, replace the host data. Otherwise,
* wait for the peer to fetch the host data.
*/
if (rval != RV_OK || temp == 0) {
if (rval != RV_TSP)
msyslog(LOG_ERR,
"crypto: %x leapseconds %u ts %u fs %u\n",
rval, temp, tstamp, fstamp);
break;
}
peer->flash &= ~TEST10;
crypto_flags |= CRYPTO_FLAG_TAI;
peer->crypto &= ~CRYPTO_FLAG_TAI;
sys_tai = temp / 4 + TAI_1972 - 1;
#ifdef KERNEL_PLL
#if NTP_API > 3
ntv.modes = MOD_TAI;
ntv.constant = sys_tai;
(void)ntp_adjtime(&ntv);
#endif /* NTP_API */
#endif /* KERNEL_PLL */
/*
* Initialize leapseconds table and extension
* field in network byte order.
*/
tai_leap.tstamp = vp->tstamp;
tai_leap.fstamp = vp->fstamp;
tai_leap.vallen = vp->vallen;
if (tai_leap.ptr == NULL)
free(tai_leap.ptr);
tai_leap.ptr = emalloc(temp);
memcpy(tai_leap.ptr, vp->pkt, temp);
if (tai_leap.sig == NULL)
tai_leap.sig =
emalloc(private_key.bits / 8);
crypto_agree();
break;
#endif /* PUBKEY */
/*
* For other requests, save the request code for later;
* for unknown responses or errors, just ignore for now.
*/
default:
if (code & (CRYPTO_RESP | CRYPTO_ERROR))
break;
peer->cmmd = ntohl(pkt[i]);
break;
}
authlen += len;
}
}
/*
* crypto_xmit - construct extension fields
*
* This routine is called both when an association is configured and
* when one is not. The only case where this matters now is to retrieve
* the autokey information, in which case the caller has to provide the
* association ID to match the association.
*/
int /* return length of extension field */
crypto_xmit(
u_int32 *xpkt, /* packet pointer */
int start, /* offset to extension field */
u_int code, /* extension field code */
keyid_t cookie, /* session cookie */
u_int associd /* association ID */
)
{
struct peer *peer; /* peer structure pointer */
struct autokey *ap; /* autokey pointer */
struct cookie *cp; /* cookie pointer */
int len; /* extension field length */
u_int opcode; /* extension field opcode */
int i;
#ifdef PUBKEY
R_SIGNATURE_CTX ctx; /* signature context */
struct value *vp; /* value pointer */
int rval; /* return value */
u_int temp;
int j;
#endif /* PUBKEY */
/*
* Generate the requested extension field request code, length
* and association ID. Note that several extension fields are
* used with and without public-key cryptography. If public-key
* cryptography has not been configured, we do the same thing,
* but leave off the signature.
*/
i = start / 4;
opcode = code;
xpkt[i + 1] = htonl(associd);
len = 8;
switch (opcode) {
/*
* Send association ID, timestamp and status word.
*/
case CRYPTO_ASSOC | CRYPTO_RESP:
cp = (struct cookie *)&xpkt[i + 2];
#ifdef PUBKEY
cp->tstamp = host.tstamp;
#else
cp->tstamp = 0;
#endif /* PUBKEY */
cp->key = htonl(crypto_flags);
cp->siglen = 0;
len += 12;
break;
/*
* Find peer and send autokey data and signature in broadcast
* server and symmetric modes. If no association is found,
* either the server has restarted with new associations or some
* perp has replayed an old message.
*/
case CRYPTO_AUTO | CRYPTO_RESP:
peer = findpeerbyassoc(associd);
if (peer == NULL) {
opcode |= CRYPTO_ERROR;
break;
}
peer->flags &= ~FLAG_ASSOC;
ap = (struct autokey *)&xpkt[i + 2];
ap->tstamp = peer->sndauto.tstamp;
ap->seq = peer->sndauto.seq;
ap->key = peer->sndauto.key;
ap->siglen = peer->sndauto.siglen;
len += 16;
#ifdef PUBKEY
if (!crypto_flags)
break;
temp = ntohl(ap->siglen);
if (temp != 0)
memcpy(ap->pkt, peer->sndauto.sig, temp);
len += temp;
#endif /* PUBKEY */
break;
/*
* Send peer cookie and signature in server mode.
*/
case CRYPTO_PRIV:
case CRYPTO_PRIV | CRYPTO_RESP:
cp = (struct cookie *)&xpkt[i + 2];
cp->key = htonl(cookie);
cp->siglen = 0;
len += 12;
#ifdef PUBKEY
cp->tstamp = host.tstamp;
if (!crypto_flags)
break;
EVP_SignInit(&ctx, DA_MD5);
EVP_SignUpdate(&ctx, (u_char *)cp, 8);
rval = EVP_SignFinal(&ctx, (u_char *)cp->pkt, &temp,
&private_key);
if (rval != RV_OK) {
msyslog(LOG_ERR,
"crypto: cookie signature fails %x", rval);
break;
}
cp->siglen = htonl(temp);
len += temp;
#endif /* PUBKEY */
break;
#ifdef PUBKEY
/*
* The following commands and responses work only when public-
* key cryptography has been configured. If configured, but
* disabled due to no crypto command in the configuration file,
* they are ignored and an error response is returned.
*/
/*
* Send certificate, timestamp and signature.
*/
case CRYPTO_CERT | CRYPTO_RESP:
if (!crypto_flags) {
opcode |= CRYPTO_ERROR;
break;
}
vp = (struct value *)&xpkt[i + 2];
vp->tstamp = certif.tstamp;
vp->fstamp = certif.fstamp;
vp->vallen = 0;
len += 12;
temp = ntohl(certif.vallen);
if (temp == 0)
break;
vp->vallen = htonl(temp);
memcpy(vp->pkt, certif.ptr, temp);
len += temp;
j = i + 5 + temp / 4;
temp = public_key.bits / 8;
xpkt[j++] = htonl(temp);
memcpy(&xpkt[j], certif.sig, temp);
len += temp + 4;
break;
/*
* Send agreement parameters, timestamp and signature.
*/
case CRYPTO_DHPAR | CRYPTO_RESP:
if (!crypto_flags) {
opcode |= CRYPTO_ERROR;
break;
}
vp = (struct value *)&xpkt[i + 2];
vp->tstamp = dhparam.tstamp;
vp->fstamp = dhparam.fstamp;
vp->vallen = 0;
len += 12;
temp = ntohl(dhparam.vallen);
if (temp == 0)
break;
vp->vallen = htonl(temp);
memcpy(vp->pkt, dhparam.ptr, temp);
len += temp;
j = i + 5 + temp / 4;
temp = public_key.bits / 8;
xpkt[j++] = htonl(temp);
memcpy(&xpkt[j], dhparam.sig, temp);
len += temp + 4;
break;
/*
* Send public value, timestamp and signature.
*/
case CRYPTO_DH:
case CRYPTO_DH | CRYPTO_RESP:
if (!crypto_flags) {
opcode |= CRYPTO_ERROR;
break;
}
vp = (struct value *)&xpkt[i + 2];
vp->tstamp = dhpub.tstamp;
vp->fstamp = dhpub.fstamp;
vp->vallen = 0;
len += 12;
temp = ntohl(dhpub.vallen);
if (temp == 0)
break;
vp->vallen = htonl(temp);
memcpy(vp->pkt, dhpub.ptr, temp);
len += temp;
j = i + 5 + temp / 4;
temp = public_key.bits / 8;
xpkt[j++] = htonl(temp);
memcpy(&xpkt[j], dhpub.sig, temp);
len += temp + 4;
break;
/*
* Send public key, host name, timestamp and signature.
*/
case CRYPTO_NAME | CRYPTO_RESP:
if (!crypto_flags) {
opcode |= CRYPTO_ERROR;
break;
}
vp = (struct value *)&xpkt[i + 2];
vp->tstamp = host.tstamp;
vp->fstamp = host.fstamp;
vp->vallen = 0;
len += 12;
temp = ntohl(host.vallen);
if (temp == 0)
break;
vp->vallen = htonl(temp);
memcpy(vp->pkt, host.ptr, temp);
len += temp;
j = i + 5 + temp / 4;
temp = public_key.bits / 8;
xpkt[j++] = htonl(temp);
memcpy(&xpkt[j], host.sig, temp);
len += temp + 4;
break;
/*
* Send leapseconds table, timestamp and signature.
*/
case CRYPTO_TAI | CRYPTO_RESP:
if (!crypto_flags) {
opcode |= CRYPTO_ERROR;
break;
}
vp = (struct value *)&xpkt[i + 2];
vp->tstamp = tai_leap.tstamp;
vp->fstamp = tai_leap.fstamp;
vp->vallen = 0;
len += 12;
temp = ntohl(tai_leap.vallen);
if (temp == 0)
break;
vp->vallen = htonl(temp);
memcpy(vp->pkt, tai_leap.ptr, temp);
len += temp;
j = i + 5 + temp / 4;
temp = public_key.bits / 8;
xpkt[j++] = htonl(temp);
memcpy(&xpkt[j], tai_leap.sig, temp);
len += temp + 4;
break;
#endif /* PUBKEY */
/*
* Default - Fall through for requests; for unknown responses,
* flag as error.
*/
default:
if (opcode & CRYPTO_RESP)
opcode |= CRYPTO_ERROR;
break;
}
/*
* Round up the field length to a multiple of 8 octets and save
* the request code and length.
*/
len = ((len + 7) / 8) * 8;
if (len >= 4) {
xpkt[i] = htonl((u_int32)((opcode << 16) | len));
#ifdef DEBUG
if (debug)
printf(
"crypto_xmit: ext offset %d len %d code %x assocID %d\n",
start, len, code, associd);
#endif
}
return (len);
}
#ifdef PUBKEY
/*
* crypto_setup - load private key, public key, optional agreement
* parameters and optional leapseconds table, then initialize extension
* fields for later signatures.
*/
void
crypto_setup(void)
{
char filename[MAXFILENAME];
u_int fstamp; /* filestamp */
u_int len, temp;
u_int32 *pp;
/*
* Initialize structures.
*/
memset(&private_key, 0, sizeof(private_key));
memset(&public_key, 0, sizeof(public_key));
memset(&certif, 0, sizeof(certif));
memset(&dh_params, 0, sizeof(dh_params));
memset(&host, 0, sizeof(host));
memset(&dhparam, 0, sizeof(dhparam));
memset(&dhpub, 0, sizeof(dhpub));
memset(&tai_leap, 0, sizeof(tai_leap));
if (!crypto_flags)
return;
/*
* Load required private key from file, default "ntpkey".
*/
if (private_key_file == NULL)
private_key_file = "ntpkey";
host.fstamp = htonl(crypto_rsa(private_key_file,
(u_char *)&private_key, sizeof(R_RSA_PRIVATE_KEY)));
/*
* Load required public key from file, default
* "ntpkey_host", where "host" is the canonical name of this
* machine.
*/
if (public_key_file == NULL) {
snprintf(filename, MAXFILENAME, "ntpkey_%s",
sys_hostname);
public_key_file = emalloc(strlen(filename) + 1);
strcpy(public_key_file, filename);
}
fstamp = htonl(crypto_rsa(public_key_file,
(u_char *)&public_key, sizeof(R_RSA_PUBLIC_KEY)));
if (fstamp != host.fstamp || strstr(public_key_file,
sys_hostname) == NULL) {
msyslog(LOG_ERR,
"crypto: public/private key files mismatch");
exit (-1);
}
crypto_flags |= CRYPTO_FLAG_RSA;
/*
* Assemble public key and host name in network byte order.
* These data will later be signed and sent in response to
* a client request. Note that the modulus must be a u_int32 in
* network byte order independent of the host order or u_int
* size.
*/
strcpy(filename, sys_hostname);
for (len = strlen(filename) + 1; len % 4 != 0; len++)
filename[len - 1] = 0;
temp = sizeof(R_RSA_PUBLIC_KEY) - sizeof(u_int) + 4;
host.vallen = htonl(temp + len);
pp = emalloc(temp + len);
host.ptr = (u_char *)pp;
*pp++ = htonl(public_key.bits);
memcpy(pp--, public_key.modulus, temp - 4);
pp += temp / 4;
memcpy(pp, filename, len);
host.sig = emalloc(private_key.bits / 8);
/*
* Load optional certificate from file, default "ntpkey_certif".
* If the file is missing or defective, the values can later be
* retrieved from a server.
*/
if (certif_file == NULL)
snprintf(filename, MAXFILENAME, "ntpkey_certif_%s",
sys_hostname);
certif_file = emalloc(strlen(filename) + 1);
strcpy(certif_file, filename);
crypto_cert(certif_file);
/*
* Load optional agreement parameters from file, default
* "ntpkey_dh". If the file is missing or defective, the values
* can later be retrieved from a server.
*/
if (dh_params_file == NULL)
dh_params_file = "ntpkey_dh";
crypto_dh(dh_params_file);
/*
* Load optional leapseconds from file, default "ntpkey_leap".
* If the file is missing or defective, the values can later be
* retrieved from a server.
*/
if (tai_leap_file == NULL)
tai_leap_file = "ntpkey_leap";
crypto_tai(tai_leap_file);
}
/*
* crypto_agree - compute new public value and sign extension fields.
*/
void
crypto_agree(void)
{
R_RANDOM_STRUCT randomstr; /* wiggle bits */
R_SIGNATURE_CTX ctx; /* signature context */
l_fp lstamp; /* NTP time */
tstamp_t tstamp; /* seconds timestamp */
u_int len, temp;
int rval, i;
/*
* Sign host name and timestamps, but only if the clock is
* synchronized.
*/
if (sys_leap == LEAP_NOTINSYNC)
return;
get_systime(&lstamp);
tstamp = lstamp.l_ui;
host.tstamp = htonl(tstamp);
if (!crypto_flags)
return;
EVP_SignInit(&ctx, DA_MD5);
EVP_SignUpdate(&ctx, (u_char *)&host, 12);
EVP_SignUpdate(&ctx, host.ptr, ntohl(host.vallen));
rval = EVP_SignFinal(&ctx, host.sig, &len, &private_key);
if (rval != RV_OK || len != private_key.bits / 8) {
msyslog(LOG_ERR, "crypto: host signature fails %x",
rval);
exit (-1);
}
host.siglen = ntohl(len);
/*
* Sign certificate and timestamps.
*/
if (certif.vallen != 0) {
certif.tstamp = htonl(tstamp);
EVP_SignInit(&ctx, DA_MD5);
EVP_SignUpdate(&ctx, (u_char *)&certif, 12);
EVP_SignUpdate(&ctx, certif.ptr,
ntohl(certif.vallen));
rval = EVP_SignFinal(&ctx, certif.sig, &len,
&private_key);
if (rval != RV_OK || len != private_key.bits / 8) {
msyslog(LOG_ERR,
"crypto: certificate signature fails %x",
rval);
exit (-1);
}
certif.siglen = ntohl(len);
}
/*
* Sign agreement parameters and timestamps.
*/
if (dhparam.vallen != 0) {
dhparam.tstamp = htonl(tstamp);
EVP_SignInit(&ctx, DA_MD5);
EVP_SignUpdate(&ctx, (u_char *)&dhparam, 12);
EVP_SignUpdate(&ctx, dhparam.ptr,
ntohl(dhparam.vallen));
rval = EVP_SignFinal(&ctx, dhparam.sig, &len,
&private_key);
if (rval != RV_OK || len != private_key.bits / 8) {
msyslog(LOG_ERR,
"crypto: parameters signature fails %x",
rval);
exit (-11);
}
dhparam.siglen = ntohl(len);
/*
* Compute public value.
*/
R_RandomInit(&randomstr);
R_GetRandomBytesNeeded(&len, &randomstr);
for (i = 0; i < len; i++) {
temp = RANDOM;
R_RandomUpdate(&randomstr, (u_char *)&temp, 1);
}
rval = R_SetupDHAgreement(dhpub.ptr, dh_private,
dh_keyLen, &dh_params, &randomstr);
if (rval != RV_OK) {
msyslog(LOG_ERR,
"crypto: invalid public value");
exit (-1);
}
/*
* Sign public value and timestamps.
*/
dhpub.tstamp = htonl(tstamp);
EVP_SignInit(&ctx, DA_MD5);
EVP_SignUpdate(&ctx, (u_char *)&dhpub, 12);
EVP_SignUpdate(&ctx, dhpub.ptr, ntohl(dhpub.vallen));
rval = EVP_SignFinal(&ctx, dhpub.sig, &len,
&private_key);
if (rval != RV_OK || len != private_key.bits / 8) {
msyslog(LOG_ERR,
"crypto: public value signature fails %x",
rval);
exit (-1);
}
dhpub.siglen = ntohl(len);
}
/*
* Sign leapseconds table and timestamps.
*/
if (tai_leap.vallen != 0) {
tai_leap.tstamp = htonl(tstamp);
EVP_SignInit(&ctx, DA_MD5);
EVP_SignUpdate(&ctx, (u_char *)&tai_leap, 12);
EVP_SignUpdate(&ctx, tai_leap.ptr,
ntohl(tai_leap.vallen));
rval = EVP_SignFinal(&ctx, tai_leap.sig, &len,
&private_key);
if (rval != RV_OK || len != private_key.bits / 8) {
msyslog(LOG_ERR,
"crypto: leapseconds signature fails %x",
rval);
exit (-1);
}
tai_leap.siglen = ntohl(len);
}
#ifdef DEBUG
if (debug)
printf(
"cypto_agree: ts %u host %u par %u pub %u leap %u\n",
tstamp, ntohl(host.fstamp), ntohl(dhparam.fstamp),
ntohl(dhpub.fstamp), ntohl(tai_leap.fstamp));
#endif
}
/*
* crypto_rsa - read RSA key, decode and check for errors.
*/
static u_int
crypto_rsa(
char *cp, /* file name */
u_char *key, /* key pointer */
u_int keylen /* key length */
)
{
FILE *str; /* file handle */
u_char buf[MAX_LINLEN]; /* file line buffer */
u_char encoded_key[MAX_ENCLEN]; /* encoded key buffer */
char filename[MAXFILENAME]; /* name of parameter file */
char linkname[MAXFILENAME]; /* file link (for filestamp) */
u_int fstamp; /* filestamp */
u_int bits, len;
char *rptr;
int rval;
/*
* Open the file and discard comment lines. If the first
* character of the file name is not '/', prepend the keys
* directory string.
*/
if (*cp == '/')
strcpy(filename, cp);
else
snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
str = fopen(filename, "r");
if (str == NULL) {
msyslog(LOG_ERR, "crypto: RSA file %s not found",
filename);
exit (-1);
}
/*
* Ignore initial comments and empty lines.
*/
while ((rptr = fgets(buf, MAX_LINLEN - 1, str)) != NULL) {
len = strlen(buf);
if (len < 1)
continue;
if (*buf == '#' || *buf == '\r' || *buf == '\0')
continue;
break;
}
/*
* We are rather paranoid here, since an intruder might cause a
* coredump by infiltrating a naughty key. The line must contain
* a single integer followed by a PEM encoded, null-terminated
* string.
*/
if (rptr == NULL)
rval = RV_DAT;
else if (sscanf(buf, "%d %s", &bits, encoded_key) != 2)
rval = RV_DAT;
else if (R_DecodePEMBlock(&buf[sizeof(u_int)], &len,
encoded_key, strlen(encoded_key)))
rval = RV_DEC;
else if ((len += sizeof(u_int)) != keylen)
rval = RV_KEY;
else if (bits < MIN_RSA_MODULUS_BITS || bits >
MAX_RSA_MODULUS_BITS)
rval = RV_KEY;
else
rval = RV_OK;
if (rval != RV_OK) {
fclose(str);
msyslog(LOG_ERR, "crypto: RSA file %s error %x", cp,
rval);
exit (-1);
}
fclose(str);
*(u_int *)buf = bits;
memcpy(key, buf, keylen);
/*
* Extract filestamp if present.
*/
rval = readlink(filename, linkname, MAXFILENAME - 1);
if (rval > 0) {
linkname[rval] = '\0';
rptr = strrchr(linkname, '.');
} else {
rptr = strrchr(filename, '.');
}
if (rptr != NULL)
sscanf(++rptr, "%u", &fstamp);
else
fstamp = 0;
#ifdef DEBUG
if (debug)
printf(
"crypto_rsa: key file %s link %d fs %u modulus %d\n",
cp, rval, fstamp, bits);
#endif
return (fstamp);
}
/*
* crypto_cert - read certificate
*/
static void
crypto_cert(
char *cp /* file name */
)
{
u_char buf[5000]; /* file line buffer */
char filename[MAXFILENAME]; /* name of certificate file */
char linkname[MAXFILENAME]; /* file link (for filestamp) */
u_int fstamp; /* filestamp */
u_int32 *pp;
u_int len;
char *rptr;
int rval, fd;
/*
* Open the file and discard comment lines. If the first
* character of the file name is not '/', prepend the keys
* directory string. If the file is not found, not to worry; it
* can be retrieved over the net. But, if it is found with
* errors, we crash and burn.
*/
if (*cp == '/')
strcpy(filename, cp);
else
snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
fd = open(filename, O_RDONLY, 0777);
if (fd <= 0) {
msyslog(LOG_INFO,
"crypto: certificate file %s not found",
filename);
return;
}
/*
* We are rather paranoid here, since an intruder might cause a
* coredump by infiltrating naughty values.
*/
rval = RV_OK;
len = read(fd, buf, 5000);
close(fd);
if (rval != RV_OK) {
msyslog(LOG_ERR,
"crypto: certificate file %s error %d", cp,
rval);
exit (-1);
}
/*
* The extension field entry consists of the raw certificate.
*/
certif.vallen = htonl(200); /* xxxxxxxxxxxxxxxxxx */
pp = emalloc(len);
certif.ptr = (u_char *)pp;
memcpy(pp, buf, len);
certif.sig = emalloc(private_key.bits / 8);
crypto_flags |= CRYPTO_FLAG_CERT;
/*
* Extract filestamp if present.
*/
rval = readlink(filename, linkname, MAXFILENAME - 1);
if (rval > 0) {
linkname[rval] = '\0';
rptr = strrchr(linkname, '.');
} else {
rptr = strrchr(filename, '.');
}
if (rptr != NULL)
sscanf(++rptr, "%u", &fstamp);
else
fstamp = 0;
certif.fstamp = htonl(fstamp);
#ifdef DEBUG
if (debug)
printf(
"crypto_cert: certif file %s link %d fs %u len %d\n",
cp, rval, fstamp, len);
#endif
}
/*
* crypto_dh - read agreement parameters, decode and check for errors.
*/
static void
crypto_dh(
char *cp /* file name */
)
{
FILE *str; /* file handle */
u_char buf[MAX_LINLEN]; /* file line buffer */
u_char encoded_key[MAX_ENCLEN]; /* encoded key buffer */
u_char prime[MAX_KEYLEN]; /* decoded prime */
u_char generator[MAX_KEYLEN]; /* decode generator */
u_int primelen; /* prime length (octets) */
u_int generatorlen; /* generator length (octets) */
char filename[MAXFILENAME]; /* name of parameter file */
char linkname[MAXFILENAME]; /* file link (for filestamp) */
u_int fstamp; /* filestamp */
u_int32 *pp;
u_int len;
char *rptr;
int rval;
/*
* Open the file and discard comment lines. If the first
* character of the file name is not '/', prepend the keys
* directory string. If the file is not found, not to worry; it
* can be retrieved over the net. But, if it is found with
* errors, we crash and burn.
*/
if (*cp == '/')
strcpy(filename, cp);
else
snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
str = fopen(filename, "r");
if (str == NULL) {
msyslog(LOG_INFO,
"crypto: parameters file %s not found", filename);
return;
}
/*
* Ignore initial comments and empty lines.
*/
while ((rptr = fgets(buf, MAX_LINLEN - 1, str)) != NULL) {
if (strlen(buf) < 1)
continue;
if (*buf == '#' || *buf == '\r' || *buf == '\0')
continue;
break;
}
/*
* We are rather paranoid here, since an intruder might cause a
* coredump by infiltrating a naughty key. There must be two
* lines; the first contains the prime, the second the
* generator. Each line must contain a single integer followed
* by a PEM encoded, null-terminated string.
*/
if (rptr == NULL)
rval = RV_DAT;
else if (sscanf(buf, "%u %s", &primelen, encoded_key) != 2)
rval = RV_DAT;
else if (primelen > MAX_KEYLEN)
rval = RV_KEY;
else if (R_DecodePEMBlock(prime, &len, encoded_key,
strlen(encoded_key)))
rval = RV_DEC;
else if (primelen != len || primelen >
DECODED_CONTENT_LEN(strlen(encoded_key)))
rval = RV_DAT;
else if (fscanf(str, "%u %s", &generatorlen, encoded_key) != 2)
rval = RV_DAT;
else if (generatorlen > MAX_KEYLEN)
rval = RV_KEY;
else if (R_DecodePEMBlock(generator, &len, encoded_key,
strlen(encoded_key)))
rval = RV_DEC;
else if (generatorlen != len || generatorlen >
DECODED_CONTENT_LEN(strlen(encoded_key)))
rval = RV_DAT;
else
rval = RV_OK;
if (rval != RV_OK) {
msyslog(LOG_ERR,
"crypto: parameters file %s error %x", cp,
rval);
exit (-1);
}
fclose(str);
/*
* Initialize agreement parameters and extension field in
* network byte order. Note the private key length is set
* arbitrarily at half the prime length.
*/
len = 4 + primelen + 4 + generatorlen;
dhparam.vallen = htonl(len);
pp = emalloc(len);
dhparam.ptr = (u_char *)pp;
*pp++ = htonl(primelen);
memcpy(pp, prime, primelen);
dh_params.prime = (u_char *)pp;
pp += primelen / 4;
*pp++ = htonl(generatorlen);
memcpy(pp, &generator, generatorlen);
dh_params.generator = (u_char *)pp;
dh_params.primeLen = primelen;
dh_params.generatorLen = generatorlen;
dh_keyLen = primelen / 2;
dh_private = emalloc(dh_keyLen);
dhparam.sig = emalloc(private_key.bits / 8);
crypto_flags |= CRYPTO_FLAG_DH;
/*
* Initialize public value extension field.
*/
dhpub.vallen = htonl(dh_params.primeLen);
dhpub.ptr = emalloc(dh_params.primeLen);
dhpub.sig = emalloc(private_key.bits / 8);
/*
* Extract filestamp if present.
*/
rval = readlink(filename, linkname, MAXFILENAME - 1);
if (rval > 0) {
linkname[rval] = '\0';
rptr = strrchr(linkname, '.');
} else {
rptr = strrchr(filename, '.');
}
if (rptr != NULL)
sscanf(++rptr, "%u", &fstamp);
else
fstamp = 0;
dhparam.fstamp = htonl(fstamp);
dhpub.fstamp = htonl(fstamp);
#ifdef DEBUG
if (debug)
printf(
"crypto_dh: pars file %s link %d fs %u prime %u gen %u\n",
cp, rval, fstamp, dh_params.primeLen,
dh_params.generatorLen);
#endif
}
/*
* crypto_tai - read leapseconds table and check for errors.
*/
static void
crypto_tai(
char *cp /* file name */
)
{
FILE *str; /* file handle */
u_char buf[MAX_LINLEN]; /* file line buffer */
u_int leapsec[MAX_LEAP]; /* NTP time at leaps */
u_int offset; /* offset at leap (s) */
char filename[MAXFILENAME]; /* name of leapseconds file */
char linkname[MAXFILENAME]; /* file link (for filestamp) */
u_int fstamp; /* filestamp */
u_int32 *pp;
u_int len;
char *rptr;
int rval, i;
#ifdef KERNEL_PLL
#if NTP_API > 3
struct timex ntv; /* kernel interface structure */
#endif /* NTP_API */
#endif /* KERNEL_PLL */
/*
* Open the file and discard comment lines. If the first
* character of the file name is not '/', prepend the keys
* directory string. If the file is not found, not to worry; it
* can be retrieved over the net. But, if it is found with
* errors, we crash and burn.
*/
if (*cp == '/')
strcpy(filename, cp);
else
snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
str = fopen(filename, "r");
if (str == NULL) {
msyslog(LOG_INFO,
"crypto: leapseconds file %s not found",
filename);
return;
}
/*
* We are rather paranoid here, since an intruder might cause a
* coredump by infiltrating naughty values. Empty lines and
* comments are ignored. Other lines must begin with two
* integers followed by junk or comments. The first integer is
* the NTP seconds of leap insertion, the second is the offset
* of TAI relative to UTC after that insertion. The second word
* must equal the initial insertion of ten seconds on 1 January
* 1972 plus one second for each succeeding insertion.
*/
i = 0;
rval = RV_OK;
while (i < MAX_LEAP) {
rptr = fgets(buf, MAX_LINLEN - 1, str);
if (rptr == NULL)
break;
if (strlen(buf) < 1)
continue;
if (*buf == '#')
continue;
if (sscanf(buf, "%u %u", &leapsec[i], &offset) != 2)
continue;
if (i != offset - TAI_1972) {
rval = RV_DAT;
break;
}
i++;
}
fclose(str);
if (rval != RV_OK || i == 0) {
msyslog(LOG_ERR,
"crypto: leapseconds file %s error %d", cp,
rval);
exit (-1);
}
/*
* The extension field table entries consists of the NTP seconds
* of leap insertion in reverse order, so that the most recent
* insertion is the first entry in the table.
*/
len = i * 4;
tai_leap.vallen = htonl(len);
pp = emalloc(len);
tai_leap.ptr = (u_char *)pp;
for (; i >= 0; i--) {
*pp++ = htonl(leapsec[i]);
}
tai_leap.sig = emalloc(private_key.bits / 8);
crypto_flags |= CRYPTO_FLAG_TAI;
sys_tai = len / 4 + TAI_1972 - 1;
#ifdef KERNEL_PLL
#if NTP_API > 3
ntv.modes = MOD_TAI;
ntv.constant = sys_tai;
if (ntp_adjtime(&ntv) == TIME_ERROR)
msyslog(LOG_ERR,
"crypto: kernel TAI update failed");
#endif /* NTP_API */
#endif /* KERNEL_PLL */
/*
* Extract filestamp if present.
*/
rval = readlink(filename, linkname, MAXFILENAME - 1);
if (rval > 0) {
linkname[rval] = '\0';
rptr = strrchr(linkname, '.');
} else {
rptr = strrchr(filename, '.');
}
if (rptr != NULL)
sscanf(++rptr, "%u", &fstamp);
else
fstamp = 0;
tai_leap.fstamp = htonl(fstamp);
#ifdef DEBUG
if (debug)
printf(
"crypto_tai: leapseconds file %s link %d fs %u offset %u\n",
cp, rval, fstamp, ntohl(tai_leap.vallen) / 4 +
TAI_1972);
#endif
}
/*
* crypto_config - configure crypto data from crypto configuration
* command.
*/
void
crypto_config(
int item, /* configuration item */
char *cp /* file name */
)
{
switch (item) {
/*
* Initialize flags
*/
case CRYPTO_CONF_FLAGS:
sscanf(cp, "%x", &crypto_flags);
break;
/*
* Set private key file name.
*/
case CRYPTO_CONF_PRIV:
private_key_file = emalloc(strlen(cp) + 1);
strcpy(private_key_file, cp);
break;
/*
* Set public key file name.
*/
case CRYPTO_CONF_PUBL:
public_key_file = emalloc(strlen(cp) + 1);
strcpy(public_key_file, cp);
break;
/*
* Set certificate file name.
*/
case CRYPTO_CONF_CERT:
certif_file = emalloc(strlen(cp) + 1);
strcpy(certif_file, cp);
break;
/*
* Set agreement parameter file name.
*/
case CRYPTO_CONF_DH:
dh_params_file = emalloc(strlen(cp) + 1);
strcpy(dh_params_file, cp);
break;
/*
* Set leapseconds table file name.
*/
case CRYPTO_CONF_LEAP:
tai_leap_file = emalloc(strlen(cp) + 1);
strcpy(tai_leap_file, cp);
break;
/*
* Set crypto keys directory.
*/
case CRYPTO_CONF_KEYS:
keysdir = emalloc(strlen(cp) + 1);
strcpy(keysdir, cp);
break;
}
crypto_flags |= CRYPTO_FLAG_ENAB;
}
# else
int ntp_crypto_bs_pubkey;
# endif /* PUBKEY */
#else
int ntp_crypto_bs_autokey;
#endif /* AUTOKEY */