xref: /trueos/contrib/ntp/ntpd/ntp_crypto.c (revision 8cee81c05db1904906f988fe4ecb93dd8565cf85)
1 /*
2  * ntp_crypto.c - NTP version 4 public key routines
3  */
4 #ifdef HAVE_CONFIG_H
5 #include <config.h>
6 #endif
7 
8 #ifdef OPENSSL
9 #include <stdio.h>
10 #include <sys/types.h>
11 #include <sys/param.h>
12 #include <unistd.h>
13 #include <fcntl.h>
14 
15 #include "ntpd.h"
16 #include "ntp_stdlib.h"
17 #include "ntp_unixtime.h"
18 #include "ntp_string.h"
19 #include <ntp_random.h>
20 
21 #include "openssl/asn1_mac.h"
22 #include "openssl/bn.h"
23 #include "openssl/err.h"
24 #include "openssl/evp.h"
25 #include "openssl/pem.h"
26 #include "openssl/rand.h"
27 #include "openssl/x509v3.h"
28 
29 #ifdef KERNEL_PLL
30 #include "ntp_syscall.h"
31 #endif /* KERNEL_PLL */
32 
33 /*
34  * Extension field message format
35  *
36  * These are always signed and saved before sending in network byte
37  * order. They must be converted to and from host byte order for
38  * processing.
39  *
40  * +-------+-------+
41  * |   op  |  len  | <- extension pointer
42  * +-------+-------+
43  * |    assocID    |
44  * +---------------+
45  * |   timestamp   | <- value pointer
46  * +---------------+
47  * |   filestamp   |
48  * +---------------+
49  * |   value len   |
50  * +---------------+
51  * |               |
52  * =     value     =
53  * |               |
54  * +---------------+
55  * | signature len |
56  * +---------------+
57  * |               |
58  * =   signature   =
59  * |               |
60  * +---------------+
61  *
62  * The CRYPTO_RESP bit is set to 0 for requests, 1 for responses.
63  * Requests carry the association ID of the receiver; responses carry
64  * the association ID of the sender. Some messages include only the
65  * operation/length and association ID words and so have length 8
66  * octets. Ohers include the value structure and associated value and
67  * signature fields. These messages include the timestamp, filestamp,
68  * value and signature words and so have length at least 24 octets. The
69  * signature and/or value fields can be empty, in which case the
70  * respective length words are zero. An empty value with nonempty
71  * signature is syntactically valid, but semantically questionable.
72  *
73  * The filestamp represents the time when a cryptographic data file such
74  * as a public/private key pair is created. It follows every reference
75  * depending on that file and serves as a means to obsolete earlier data
76  * of the same type. The timestamp represents the time when the
77  * cryptographic data of the message were last signed. Creation of a
78  * cryptographic data file or signing a message can occur only when the
79  * creator or signor is synchronized to an authoritative source and
80  * proventicated to a trusted authority.
81  *
82  * Note there are four conditions required for server trust. First, the
83  * public key on the certificate must be verified, which involves a
84  * number of format, content and consistency checks. Next, the server
85  * identity must be confirmed by one of four schemes: private
86  * certificate, IFF scheme, GQ scheme or certificate trail hike to a
87  * self signed trusted certificate. Finally, the server signature must
88  * be verified.
89  */
90 /*
91  * Cryptodefines
92  */
93 #define TAI_1972	10	/* initial TAI offset (s) */
94 #define MAX_LEAP	100	/* max UTC leapseconds (s) */
95 #define VALUE_LEN	(6 * 4) /* min response field length */
96 #define MAX_VALLEN	(65535 - VALUE_LEN)
97 #define YEAR		(60 * 60 * 24 * 365) /* seconds in year */
98 
99 /*
100  * Global cryptodata in host byte order
101  */
102 u_int32	crypto_flags = 0x0;	/* status word */
103 
104 /*
105  * Global cryptodata in network byte order
106  */
107 struct cert_info *cinfo = NULL;	/* certificate info/value */
108 struct value hostval;		/* host value */
109 struct value pubkey;		/* public key */
110 struct value tai_leap;		/* leapseconds table */
111 EVP_PKEY *iffpar_pkey = NULL;	/* IFF parameters */
112 EVP_PKEY *gqpar_pkey = NULL;	/* GQ parameters */
113 EVP_PKEY *mvpar_pkey = NULL;	/* MV parameters */
114 char	*iffpar_file = NULL; /* IFF parameters file */
115 char	*gqpar_file = NULL;	/* GQ parameters file */
116 char	*mvpar_file = NULL;	/* MV parameters file */
117 
118 /*
119  * Private cryptodata in host byte order
120  */
121 static char *passwd = NULL;	/* private key password */
122 static EVP_PKEY *host_pkey = NULL; /* host key */
123 static EVP_PKEY *sign_pkey = NULL; /* sign key */
124 static const EVP_MD *sign_digest = NULL; /* sign digest */
125 static u_int sign_siglen;	/* sign key length */
126 static char *rand_file = NULL;	/* random seed file */
127 static char *host_file = NULL;	/* host key file */
128 static char *sign_file = NULL;	/* sign key file */
129 static char *cert_file = NULL;	/* certificate file */
130 static char *leap_file = NULL;	/* leapseconds file */
131 static tstamp_t if_fstamp = 0;	/* IFF filestamp */
132 static tstamp_t gq_fstamp = 0;	/* GQ file stamp */
133 static tstamp_t mv_fstamp = 0;	/* MV filestamp */
134 static u_int ident_scheme = 0;	/* server identity scheme */
135 
136 /*
137  * Cryptotypes
138  */
139 static	int	crypto_verify	P((struct exten *, struct value *,
140 				    struct peer *));
141 static	int	crypto_encrypt	P((const u_char *, u_int, keyid_t *,
142 				    struct value *));
143 static	int	crypto_alice	P((struct peer *, struct value *));
144 static	int	crypto_alice2	P((struct peer *, struct value *));
145 static	int	crypto_alice3	P((struct peer *, struct value *));
146 static	int	crypto_bob	P((struct exten *, struct value *));
147 static	int	crypto_bob2	P((struct exten *, struct value *));
148 static	int	crypto_bob3	P((struct exten *, struct value *));
149 static	int	crypto_iff	P((struct exten *, struct peer *));
150 static	int	crypto_gq	P((struct exten *, struct peer *));
151 static	int	crypto_mv	P((struct exten *, struct peer *));
152 static	u_int	crypto_send	P((struct exten *, struct value *));
153 static	tstamp_t crypto_time	P((void));
154 static	u_long	asn2ntp		P((ASN1_TIME *));
155 static	struct cert_info *cert_parse P((u_char *, u_int, tstamp_t));
156 static	int	cert_sign	P((struct exten *, struct value *));
157 static	int	cert_valid	P((struct cert_info *, EVP_PKEY *));
158 static	int	cert_install	P((struct exten *, struct peer *));
159 static	void	cert_free	P((struct cert_info *));
160 static	EVP_PKEY *crypto_key	P((char *, tstamp_t *));
161 static	int	bighash		P((BIGNUM *, BIGNUM *));
162 static	struct cert_info *crypto_cert P((char *));
163 static	void	crypto_tai	P((char *));
164 
165 #ifdef SYS_WINNT
166 int
readlink(char * link,char * file,int len)167 readlink(char * link, char * file, int len) {
168 	return (-1);
169 }
170 #endif
171 
172 /*
173  * session_key - generate session key
174  *
175  * This routine generates a session key from the source address,
176  * destination address, key ID and private value. The value of the
177  * session key is the MD5 hash of these values, while the next key ID is
178  * the first four octets of the hash.
179  *
180  * Returns the next key ID
181  */
182 keyid_t
session_key(struct sockaddr_storage * srcadr,struct sockaddr_storage * dstadr,keyid_t keyno,keyid_t private,u_long lifetime)183 session_key(
184 	struct sockaddr_storage *srcadr, /* source address */
185 	struct sockaddr_storage *dstadr, /* destination address */
186 	keyid_t	keyno,		/* key ID */
187 	keyid_t	private,	/* private value */
188 	u_long	lifetime 	/* key lifetime */
189 	)
190 {
191 	EVP_MD_CTX ctx;		/* message digest context */
192 	u_char dgst[EVP_MAX_MD_SIZE]; /* message digest */
193 	keyid_t	keyid;		/* key identifer */
194 	u_int32	header[10];	/* data in network byte order */
195 	u_int	hdlen, len;
196 
197 	if (!dstadr)
198 		return 0;
199 
200 	/*
201 	 * Generate the session key and key ID. If the lifetime is
202 	 * greater than zero, install the key and call it trusted.
203 	 */
204 	hdlen = 0;
205 	switch(srcadr->ss_family) {
206 	case AF_INET:
207 		header[0] = ((struct sockaddr_in *)srcadr)->sin_addr.s_addr;
208 		header[1] = ((struct sockaddr_in *)dstadr)->sin_addr.s_addr;
209 		header[2] = htonl(keyno);
210 		header[3] = htonl(private);
211 		hdlen = 4 * sizeof(u_int32);
212 		break;
213 
214 	case AF_INET6:
215 		memcpy(&header[0], &GET_INADDR6(*srcadr),
216 		    sizeof(struct in6_addr));
217 		memcpy(&header[4], &GET_INADDR6(*dstadr),
218 		    sizeof(struct in6_addr));
219 		header[8] = htonl(keyno);
220 		header[9] = htonl(private);
221 		hdlen = 10 * sizeof(u_int32);
222 		break;
223 	}
224 	EVP_DigestInit(&ctx, EVP_md5());
225 	EVP_DigestUpdate(&ctx, (u_char *)header, hdlen);
226 	EVP_DigestFinal(&ctx, dgst, &len);
227 	memcpy(&keyid, dgst, 4);
228 	keyid = ntohl(keyid);
229 	if (lifetime != 0) {
230 		MD5auth_setkey(keyno, dgst, len);
231 		authtrust(keyno, lifetime);
232 	}
233 #ifdef DEBUG
234 	if (debug > 1)
235 		printf(
236 		    "session_key: %s > %s %08x %08x hash %08x life %lu\n",
237 		    stoa(srcadr), stoa(dstadr), keyno,
238 		    private, keyid, lifetime);
239 #endif
240 	return (keyid);
241 }
242 
243 
244 /*
245  * make_keylist - generate key list
246  *
247  * Returns
248  * XEVNT_OK	success
249  * XEVNT_PER	host certificate expired
250  *
251  * This routine constructs a pseudo-random sequence by repeatedly
252  * hashing the session key starting from a given source address,
253  * destination address, private value and the next key ID of the
254  * preceeding session key. The last entry on the list is saved along
255  * with its sequence number and public signature.
256  */
257 int
make_keylist(struct peer * peer,struct interface * dstadr)258 make_keylist(
259 	struct peer *peer,	/* peer structure pointer */
260 	struct interface *dstadr /* interface */
261 	)
262 {
263 	EVP_MD_CTX ctx;		/* signature context */
264 	tstamp_t tstamp;	/* NTP timestamp */
265 	struct autokey *ap;	/* autokey pointer */
266 	struct value *vp;	/* value pointer */
267 	keyid_t	keyid = 0;	/* next key ID */
268 	keyid_t	cookie;		/* private value */
269 	u_long	lifetime;
270 	u_int	len, mpoll;
271 	int	i;
272 
273 	if (!dstadr)
274 		return XEVNT_OK;
275 
276 	/*
277 	 * Allocate the key list if necessary.
278 	 */
279 	tstamp = crypto_time();
280 	if (peer->keylist == NULL)
281 		peer->keylist = emalloc(sizeof(keyid_t) *
282 		    NTP_MAXSESSION);
283 
284 	/*
285 	 * Generate an initial key ID which is unique and greater than
286 	 * NTP_MAXKEY.
287 	 */
288 	while (1) {
289 		keyid = (ntp_random() + NTP_MAXKEY + 1) & ((1 <<
290 		    sizeof(keyid_t)) - 1);
291 		if (authhavekey(keyid))
292 			continue;
293 		break;
294 	}
295 
296 	/*
297 	 * Generate up to NTP_MAXSESSION session keys. Stop if the
298 	 * next one would not be unique or not a session key ID or if
299 	 * it would expire before the next poll. The private value
300 	 * included in the hash is zero if broadcast mode, the peer
301 	 * cookie if client mode or the host cookie if symmetric modes.
302 	 */
303 	mpoll = 1 << min(peer->ppoll, peer->hpoll);
304 	lifetime = min(sys_automax, NTP_MAXSESSION * mpoll);
305 	if (peer->hmode == MODE_BROADCAST)
306 		cookie = 0;
307 	else
308 		cookie = peer->pcookie;
309 	for (i = 0; i < NTP_MAXSESSION; i++) {
310 		peer->keylist[i] = keyid;
311 		peer->keynumber = i;
312 		keyid = session_key(&dstadr->sin, &peer->srcadr, keyid,
313 		    cookie, lifetime);
314 		lifetime -= mpoll;
315 		if (auth_havekey(keyid) || keyid <= NTP_MAXKEY ||
316 		    lifetime <= mpoll)
317 			break;
318 	}
319 
320 	/*
321 	 * Save the last session key ID, sequence number and timestamp,
322 	 * then sign these values for later retrieval by the clients. Be
323 	 * careful not to use invalid key media. Use the public values
324 	 * timestamp as filestamp.
325 	 */
326 	vp = &peer->sndval;
327 	if (vp->ptr == NULL)
328 		vp->ptr = emalloc(sizeof(struct autokey));
329 	ap = (struct autokey *)vp->ptr;
330 	ap->seq = htonl(peer->keynumber);
331 	ap->key = htonl(keyid);
332 	vp->tstamp = htonl(tstamp);
333 	vp->fstamp = hostval.tstamp;
334 	vp->vallen = htonl(sizeof(struct autokey));
335 	vp->siglen = 0;
336 	if (tstamp != 0) {
337 		if (tstamp < cinfo->first || tstamp > cinfo->last)
338 			return (XEVNT_PER);
339 
340 		if (vp->sig == NULL)
341 			vp->sig = emalloc(sign_siglen);
342 		EVP_SignInit(&ctx, sign_digest);
343 		EVP_SignUpdate(&ctx, (u_char *)vp, 12);
344 		EVP_SignUpdate(&ctx, vp->ptr, sizeof(struct autokey));
345 		if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
346 			vp->siglen = htonl(len);
347 		else
348 			msyslog(LOG_ERR, "make_keys %s\n",
349 			    ERR_error_string(ERR_get_error(), NULL));
350 		peer->flags |= FLAG_ASSOC;
351 	}
352 #ifdef DEBUG
353 	if (debug)
354 		printf("make_keys: %d %08x %08x ts %u fs %u poll %d\n",
355 		    ntohl(ap->seq), ntohl(ap->key), cookie,
356 		    ntohl(vp->tstamp), ntohl(vp->fstamp), peer->hpoll);
357 #endif
358 	return (XEVNT_OK);
359 }
360 
361 
362 /*
363  * crypto_recv - parse extension fields
364  *
365  * This routine is called when the packet has been matched to an
366  * association and passed sanity, format and MAC checks. We believe the
367  * extension field values only if the field has proper format and
368  * length, the timestamp and filestamp are valid and the signature has
369  * valid length and is verified. There are a few cases where some values
370  * are believed even if the signature fails, but only if the proventic
371  * bit is not set.
372  */
373 int
crypto_recv(struct peer * peer,struct recvbuf * rbufp)374 crypto_recv(
375 	struct peer *peer,	/* peer structure pointer */
376 	struct recvbuf *rbufp	/* packet buffer pointer */
377 	)
378 {
379 	const EVP_MD *dp;	/* message digest algorithm */
380 	u_int32	*pkt;		/* receive packet pointer */
381 	struct autokey *ap, *bp; /* autokey pointer */
382 	struct exten *ep, *fp;	/* extension pointers */
383 	int	has_mac;	/* length of MAC field */
384 	int	authlen;	/* offset of MAC field */
385 	associd_t associd;	/* association ID */
386 	tstamp_t tstamp = 0;	/* timestamp */
387 	tstamp_t fstamp = 0;	/* filestamp */
388 	u_int	len;		/* extension field length */
389 	u_int	code;		/* extension field opcode */
390 	u_int	vallen = 0;	/* value length */
391 	X509	*cert;		/* X509 certificate */
392 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
393 	keyid_t	cookie;		/* crumbles */
394 	int	hismode;	/* packet mode */
395 	int	rval = XEVNT_OK;
396 	u_char	*ptr;
397 	u_int32 temp32;
398 
399 	/*
400 	 * Initialize. Note that the packet has already been checked for
401 	 * valid format and extension field lengths. First extract the
402 	 * field length, command code and association ID in host byte
403 	 * order. These are used with all commands and modes. Then check
404 	 * the version number, which must be 2, and length, which must
405 	 * be at least 8 for requests and VALUE_LEN (24) for responses.
406 	 * Packets that fail either test sink without a trace. The
407 	 * association ID is saved only if nonzero.
408 	 */
409 	authlen = LEN_PKT_NOMAC;
410 	hismode = (int)PKT_MODE((&rbufp->recv_pkt)->li_vn_mode);
411 	while ((has_mac = rbufp->recv_length - authlen) > MAX_MAC_LEN) {
412 		pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4;
413 		ep = (struct exten *)pkt;
414 		code = ntohl(ep->opcode) & 0xffff0000;
415 		len = ntohl(ep->opcode) & 0x0000ffff;
416 		associd = (associd_t) ntohl(pkt[1]);
417 		rval = XEVNT_OK;
418 #ifdef DEBUG
419 		if (debug)
420 			printf(
421 			    "crypto_recv: flags 0x%x ext offset %d len %u code 0x%x assocID %d\n",
422 			    peer->crypto, authlen, len, code >> 16,
423 			    associd);
424 #endif
425 
426 		/*
427 		 * Check version number and field length. If bad,
428 		 * quietly ignore the packet.
429 		 */
430 		if (((code >> 24) & 0x3f) != CRYPTO_VN || len < 8) {
431 			sys_unknownversion++;
432 			code |= CRYPTO_ERROR;
433 		}
434 
435 		/*
436 		 * Little vulnerability bandage here. If a perp tosses a
437 		 * fake association ID over the fence, we better toss it
438 		 * out. Only the first one counts.
439 		 */
440 		if (code & CRYPTO_RESP) {
441 			if (peer->assoc == 0)
442 				peer->assoc = associd;
443 			else if (peer->assoc != associd)
444 				code |= CRYPTO_ERROR;
445 		}
446 		if (len >= VALUE_LEN) {
447 			tstamp = ntohl(ep->tstamp);
448 			fstamp = ntohl(ep->fstamp);
449 			vallen = ntohl(ep->vallen);
450 			/*
451 			 * Bug 2761: I hope this isn't too early...
452 			 */
453 			if (   vallen == 0
454 			    || len - VALUE_LEN < vallen)
455 				return XEVNT_LEN;
456 		}
457 		switch (code) {
458 
459 		/*
460 		 * Install status word, host name, signature scheme and
461 		 * association ID. In OpenSSL the signature algorithm is
462 		 * bound to the digest algorithm, so the NID completely
463 		 * defines the signature scheme. Note the request and
464 		 * response are identical, but neither is validated by
465 		 * signature. The request is processed here only in
466 		 * symmetric modes. The server name field might be
467 		 * useful to implement access controls in future.
468 		 */
469 		case CRYPTO_ASSOC:
470 
471 			/*
472 			 * If the machine is running when this message
473 			 * arrives, the other fellow has reset and so
474 			 * must we. Otherwise, pass the extension field
475 			 * to the transmit side.
476 			 */
477 			if (peer->crypto) {
478 				rval = XEVNT_ERR;
479 				break;
480 			}
481 			fp = emalloc(len);
482 			memcpy(fp, ep, len);
483 			temp32 = CRYPTO_RESP;
484 			fp->opcode |= htonl(temp32);
485 			peer->cmmd = fp;
486 			/* fall through */
487 
488 		case CRYPTO_ASSOC | CRYPTO_RESP:
489 
490 			/*
491 			 * Discard the message if it has already been
492 			 * stored or the message has been amputated.
493 			 */
494 			if (peer->crypto)
495 				break;
496 
497 			if (vallen == 0 || vallen > MAXHOSTNAME ||
498 			    len - VALUE_LEN < vallen) {
499 				rval = XEVNT_LEN;
500 				break;
501 			}
502 
503 			/*
504 			 * Check the identity schemes are compatible. If
505 			 * the client has PC, the server must have PC,
506 			 * in which case the server public key and
507 			 * identity are presumed valid, so we skip the
508 			 * certificate and identity exchanges and move
509 			 * immediately to the cookie exchange which
510 			 * confirms the server signature.
511 			 */
512 #ifdef DEBUG
513 			if (debug)
514 				printf(
515 				    "crypto_recv: ident host 0x%x server 0x%x\n",
516 				    crypto_flags, fstamp);
517 #endif
518 			temp32 = (crypto_flags | ident_scheme) &
519 			    fstamp & CRYPTO_FLAG_MASK;
520 			if (crypto_flags & CRYPTO_FLAG_PRIV) {
521 				if (!(fstamp & CRYPTO_FLAG_PRIV)) {
522 					rval = XEVNT_KEY;
523 					break;
524 
525 				} else {
526 					fstamp |= CRYPTO_FLAG_VALID |
527 					    CRYPTO_FLAG_VRFY |
528 					    CRYPTO_FLAG_SIGN;
529 				}
530 			/*
531 			 * In symmetric modes it is an error if either
532 			 * peer requests identity and the other peer
533 			 * does not support it.
534 			 */
535 			} else if ((hismode == MODE_ACTIVE || hismode ==
536 			    MODE_PASSIVE) && ((crypto_flags | fstamp) &
537 			    CRYPTO_FLAG_MASK) && !temp32) {
538 				rval = XEVNT_KEY;
539 				break;
540 			/*
541 			 * It is an error if the client requests
542 			 * identity and the server does not support it.
543 			 */
544 			} else if (hismode == MODE_CLIENT && (fstamp &
545 			    CRYPTO_FLAG_MASK) && !temp32) {
546 				rval = XEVNT_KEY;
547 				break;
548 			}
549 
550 			/*
551 			 * Otherwise, the identity scheme(s) are those
552 			 * that both client and server support.
553 			 */
554 			fstamp = temp32 | (fstamp & ~CRYPTO_FLAG_MASK);
555 
556 			/*
557 			 * Discard the message if the signature digest
558 			 * NID is not supported.
559 			 */
560 			temp32 = (fstamp >> 16) & 0xffff;
561 			dp =
562 			    (const EVP_MD *)EVP_get_digestbynid(temp32);
563 			if (dp == NULL) {
564 				rval = XEVNT_MD;
565 				break;
566 			}
567 
568 			/*
569 			 * Save status word, host name and message
570 			 * digest/signature type.
571 			 */
572 			peer->crypto = fstamp;
573 			peer->digest = dp;
574 			peer->subject = emalloc(vallen + 1);
575 			memcpy(peer->subject, ep->pkt, vallen);
576 			peer->subject[vallen] = '\0';
577 			peer->issuer = emalloc(vallen + 1);
578 			strcpy(peer->issuer, peer->subject);
579 			temp32 = (fstamp >> 16) & 0xffff;
580 			snprintf(statstr, NTP_MAXSTRLEN,
581 			    "flags 0x%x host %s signature %s", fstamp,
582 			    peer->subject, OBJ_nid2ln(temp32));
583 			record_crypto_stats(&peer->srcadr, statstr);
584 #ifdef DEBUG
585 			if (debug)
586 				printf("crypto_recv: %s\n", statstr);
587 #endif
588 			break;
589 
590 		/*
591 		 * Decode X509 certificate in ASN.1 format and extract
592 		 * the data containing, among other things, subject
593 		 * name and public key. In the default identification
594 		 * scheme, the certificate trail is followed to a self
595 		 * signed trusted certificate.
596 		 */
597 		case CRYPTO_CERT | CRYPTO_RESP:
598 
599 			/*
600 			 * Discard the message if invalid.
601 			 */
602 			if ((rval = crypto_verify(ep, NULL, peer)) !=
603 			    XEVNT_OK)
604 				break;
605 
606 			/*
607 			 * Scan the certificate list to delete old
608 			 * versions and link the newest version first on
609 			 * the list.
610 			 */
611 			if ((rval = cert_install(ep, peer)) != XEVNT_OK)
612 				break;
613 
614 			/*
615 			 * If we snatch the certificate before the
616 			 * server certificate has been signed by its
617 			 * server, it will be self signed. When it is,
618 			 * we chase the certificate issuer, which the
619 			 * server has, and keep going until a self
620 			 * signed trusted certificate is found. Be sure
621 			 * to update the issuer field, since it may
622 			 * change.
623 			 */
624 			if (peer->issuer != NULL)
625 				free(peer->issuer);
626 			peer->issuer = emalloc(strlen(cinfo->issuer) +
627 			    1);
628 			strcpy(peer->issuer, cinfo->issuer);
629 
630 			/*
631 			 * We plug in the public key and lifetime from
632 			 * the first certificate received. However, note
633 			 * that this certificate might not be signed by
634 			 * the server, so we can't check the
635 			 * signature/digest NID.
636 			 */
637 			if (peer->pkey == NULL) {
638 				ptr = (u_char *)cinfo->cert.ptr;
639 				cert = d2i_X509(NULL, &ptr,
640 				    ntohl(cinfo->cert.vallen));
641 				peer->pkey = X509_get_pubkey(cert);
642 				X509_free(cert);
643 			}
644 			peer->flash &= ~TEST8;
645 			temp32 = cinfo->nid;
646 			snprintf(statstr, NTP_MAXSTRLEN,
647 			    "cert %s 0x%x %s (%u) fs %u",
648 			    cinfo->subject, cinfo->flags,
649 			    OBJ_nid2ln(temp32), temp32,
650 			    ntohl(ep->fstamp));
651 			record_crypto_stats(&peer->srcadr, statstr);
652 #ifdef DEBUG
653 			if (debug)
654 				printf("crypto_recv: %s\n", statstr);
655 #endif
656 			break;
657 
658 		/*
659 		 * Schnorr (IFF)identity scheme. This scheme is designed
660 		 * for use with shared secret group keys and where the
661 		 * certificate may be generated by a third party. The
662 		 * client sends a challenge to the server, which
663 		 * performs a calculation and returns the result. A
664 		 * positive result is possible only if both client and
665 		 * server contain the same secret group key.
666 		 */
667 		case CRYPTO_IFF | CRYPTO_RESP:
668 
669 			/*
670 			 * Discard the message if invalid or certificate
671 			 * trail not trusted.
672 			 */
673 			if (!(peer->crypto & CRYPTO_FLAG_VALID)) {
674 				rval = XEVNT_ERR;
675 				break;
676 			}
677 			if ((rval = crypto_verify(ep, NULL, peer)) !=
678 			    XEVNT_OK)
679 				break;
680 
681 			/*
682 			 * If the the challenge matches the response,
683 			 * the certificate public key, as well as the
684 			 * server public key, signatyre and identity are
685 			 * all verified at the same time. The server is
686 			 * declared trusted, so we skip further
687 			 * certificate stages and move immediately to
688 			 * the cookie stage.
689 			 */
690 			if ((rval = crypto_iff(ep, peer)) != XEVNT_OK)
691 				break;
692 
693 			peer->crypto |= CRYPTO_FLAG_VRFY |
694 			    CRYPTO_FLAG_PROV;
695 			peer->flash &= ~TEST8;
696 			snprintf(statstr, NTP_MAXSTRLEN, "iff fs %u",
697 			    ntohl(ep->fstamp));
698 			record_crypto_stats(&peer->srcadr, statstr);
699 #ifdef DEBUG
700 			if (debug)
701 				printf("crypto_recv: %s\n", statstr);
702 #endif
703 			break;
704 
705 		/*
706 		 * Guillou-Quisquater (GQ) identity scheme. This scheme
707 		 * is designed for use with public certificates carrying
708 		 * the GQ public key in an extension field. The client
709 		 * sends a challenge to the server, which performs a
710 		 * calculation and returns the result. A positive result
711 		 * is possible only if both client and server contain
712 		 * the same group key and the server has the matching GQ
713 		 * private key.
714 		 */
715 		case CRYPTO_GQ | CRYPTO_RESP:
716 
717 			/*
718 			 * Discard the message if invalid or certificate
719 			 * trail not trusted.
720 			 */
721 			if (!(peer->crypto & CRYPTO_FLAG_VALID)) {
722 				rval = XEVNT_ERR;
723 				break;
724 			}
725 			if ((rval = crypto_verify(ep, NULL, peer)) !=
726 			    XEVNT_OK)
727 				break;
728 
729 			/*
730 			 * If the the challenge matches the response,
731 			 * the certificate public key, as well as the
732 			 * server public key, signatyre and identity are
733 			 * all verified at the same time. The server is
734 			 * declared trusted, so we skip further
735 			 * certificate stages and move immediately to
736 			 * the cookie stage.
737 			 */
738 			if ((rval = crypto_gq(ep, peer)) != XEVNT_OK)
739 				break;
740 
741 			peer->crypto |= CRYPTO_FLAG_VRFY |
742 			    CRYPTO_FLAG_PROV;
743 			peer->flash &= ~TEST8;
744 			snprintf(statstr, NTP_MAXSTRLEN, "gq fs %u",
745 			    ntohl(ep->fstamp));
746 			record_crypto_stats(&peer->srcadr, statstr);
747 #ifdef DEBUG
748 			if (debug)
749 				printf("crypto_recv: %s\n", statstr);
750 #endif
751 			break;
752 
753 		/*
754 		 * MV
755 		 */
756 		case CRYPTO_MV | CRYPTO_RESP:
757 
758 			/*
759 			 * Discard the message if invalid or certificate
760 			 * trail not trusted.
761 			 */
762 			if (!(peer->crypto & CRYPTO_FLAG_VALID)) {
763 				rval = XEVNT_ERR;
764 				break;
765 			}
766 			if ((rval = crypto_verify(ep, NULL, peer)) !=
767 			    XEVNT_OK)
768 				break;
769 
770 			/*
771 			 * If the the challenge matches the response,
772 			 * the certificate public key, as well as the
773 			 * server public key, signatyre and identity are
774 			 * all verified at the same time. The server is
775 			 * declared trusted, so we skip further
776 			 * certificate stages and move immediately to
777 			 * the cookie stage.
778 			 */
779 			if ((rval = crypto_mv(ep, peer)) != XEVNT_OK)
780 				break;
781 
782 			peer->crypto |= CRYPTO_FLAG_VRFY |
783 			    CRYPTO_FLAG_PROV;
784 			peer->flash &= ~TEST8;
785 			snprintf(statstr, NTP_MAXSTRLEN, "mv fs %u",
786 			    ntohl(ep->fstamp));
787 			record_crypto_stats(&peer->srcadr, statstr);
788 #ifdef DEBUG
789 			if (debug)
790 				printf("crypto_recv: %s\n", statstr);
791 #endif
792 			break;
793 
794 		/*
795 		 * Cookie request in symmetric modes. Roll a random
796 		 * cookie and install in symmetric mode. Encrypt for the
797 		 * response, which is transmitted later.
798 		 */
799 		case CRYPTO_COOK:
800 
801 			/*
802 			 * Discard the message if invalid or certificate
803 			 * trail not trusted.
804 			 */
805 			if (!(peer->crypto & CRYPTO_FLAG_VALID)) {
806 				rval = XEVNT_ERR;
807 				break;
808 			}
809 			if ((rval = crypto_verify(ep, NULL, peer)) !=
810 			    XEVNT_OK)
811 				break;
812 
813 			/*
814 			 * Pass the extension field to the transmit
815 			 * side. If already agreed, walk away.
816 			 */
817 			fp = emalloc(len);
818 			memcpy(fp, ep, len);
819 			temp32 = CRYPTO_RESP;
820 			fp->opcode |= htonl(temp32);
821 			peer->cmmd = fp;
822 			if (peer->crypto & CRYPTO_FLAG_AGREE) {
823 				peer->flash &= ~TEST8;
824 				break;
825 			}
826 
827 			/*
828 			 * Install cookie values and light the cookie
829 			 * bit. The transmit side will pick up and
830 			 * encrypt it for the response.
831 			 */
832 			key_expire(peer);
833 			peer->cookval.tstamp = ep->tstamp;
834 			peer->cookval.fstamp = ep->fstamp;
835 			RAND_bytes((u_char *)&peer->pcookie, 4);
836 			peer->crypto &= ~CRYPTO_FLAG_AUTO;
837 			peer->crypto |= CRYPTO_FLAG_AGREE;
838 			peer->flash &= ~TEST8;
839 			snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
840 			    peer->pcookie, ntohl(ep->tstamp),
841 			    ntohl(ep->fstamp));
842 			record_crypto_stats(&peer->srcadr, statstr);
843 #ifdef DEBUG
844 			if (debug)
845 				printf("crypto_recv: %s\n", statstr);
846 #endif
847 			break;
848 
849 		/*
850 		 * Cookie response in client and symmetric modes. If the
851 		 * cookie bit is set, the working cookie is the EXOR of
852 		 * the current and new values.
853 		 */
854 		case CRYPTO_COOK | CRYPTO_RESP:
855 
856 			/*
857 			 * Discard the message if invalid or identity
858 			 * not confirmed or signature not verified with
859 			 * respect to the cookie values.
860 			 */
861 			if (!(peer->crypto & CRYPTO_FLAG_VRFY)) {
862 				rval = XEVNT_ERR;
863 				break;
864 			}
865 			if ((rval = crypto_verify(ep, &peer->cookval,
866 			    peer)) != XEVNT_OK)
867 				break;
868 
869 			/*
870 			 * Decrypt the cookie, hunting all the time for
871 			 * errors.
872 			 */
873 			if (vallen == (u_int) EVP_PKEY_size(host_pkey)) {
874 				u_int32 *cookiebuf = malloc(
875 					RSA_size(host_pkey->pkey.rsa));
876 				if (cookiebuf == NULL) {
877 					rval = XEVNT_CKY;
878 					break;
879 				}
880 				if (RSA_private_decrypt(vallen,
881 				    (u_char *)ep->pkt,
882 				    (u_char *)cookiebuf,
883 				    host_pkey->pkey.rsa,
884 				    RSA_PKCS1_OAEP_PADDING) != 4) {
885 					rval = XEVNT_CKY;
886 					free(cookiebuf);
887 					break;
888 				} else {
889 					cookie = ntohl(*cookiebuf);
890 					free(cookiebuf);
891 				}
892 			} else {
893 				rval = XEVNT_CKY;
894 				break;
895 			}
896 
897 			/*
898 			 * Install cookie values and light the cookie
899 			 * bit. If this is not broadcast client mode, we
900 			 * are done here.
901 			 */
902 			key_expire(peer);
903 			peer->cookval.tstamp = ep->tstamp;
904 			peer->cookval.fstamp = ep->fstamp;
905 			if (peer->crypto & CRYPTO_FLAG_AGREE)
906 				peer->pcookie ^= cookie;
907 			else
908 				peer->pcookie = cookie;
909 			if (peer->hmode == MODE_CLIENT &&
910 			    !(peer->cast_flags & MDF_BCLNT))
911 				peer->crypto |= CRYPTO_FLAG_AUTO;
912 			else
913 				peer->crypto &= ~CRYPTO_FLAG_AUTO;
914 			peer->crypto |= CRYPTO_FLAG_AGREE;
915 			peer->flash &= ~TEST8;
916 			snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
917 			    peer->pcookie, ntohl(ep->tstamp),
918 			    ntohl(ep->fstamp));
919 			record_crypto_stats(&peer->srcadr, statstr);
920 #ifdef DEBUG
921 			if (debug)
922 				printf("crypto_recv: %s\n", statstr);
923 #endif
924 			break;
925 
926 		/*
927 		 * Install autokey values in broadcast client and
928 		 * symmetric modes. We have to do this every time the
929 		 * sever/peer cookie changes or a new keylist is
930 		 * rolled. Ordinarily, this is automatic as this message
931 		 * is piggybacked on the first NTP packet sent upon
932 		 * either of these events. Note that a broadcast client
933 		 * or symmetric peer can receive this response without a
934 		 * matching request.
935 		 */
936 		case CRYPTO_AUTO | CRYPTO_RESP:
937 
938 			/*
939 			 * Discard the message if invalid or identity
940 			 * not confirmed or signature not verified with
941 			 * respect to the receive autokey values.
942 			 */
943 			if (!(peer->crypto & CRYPTO_FLAG_VRFY)) {
944 				rval = XEVNT_ERR;
945 				break;
946 			}
947 			if ((rval = crypto_verify(ep, &peer->recval,
948 			    peer)) != XEVNT_OK)
949 				break;
950 
951 			/*
952 			 * Install autokey values and light the
953 			 * autokey bit. This is not hard.
954 			 */
955 			if (peer->recval.ptr == NULL)
956 				peer->recval.ptr =
957 				    emalloc(sizeof(struct autokey));
958 			bp = (struct autokey *)peer->recval.ptr;
959 			peer->recval.tstamp = ep->tstamp;
960 			peer->recval.fstamp = ep->fstamp;
961 			ap = (struct autokey *)ep->pkt;
962 			bp->seq = ntohl(ap->seq);
963 			bp->key = ntohl(ap->key);
964 			peer->pkeyid = bp->key;
965 			peer->crypto |= CRYPTO_FLAG_AUTO;
966 			peer->flash &= ~TEST8;
967 			snprintf(statstr, NTP_MAXSTRLEN,
968 			    "auto seq %d key %x ts %u fs %u", bp->seq,
969 			    bp->key, ntohl(ep->tstamp),
970 			    ntohl(ep->fstamp));
971 			record_crypto_stats(&peer->srcadr, statstr);
972 #ifdef DEBUG
973 			if (debug)
974 				printf("crypto_recv: %s\n", statstr);
975 #endif
976 			break;
977 
978 		/*
979 		 * X509 certificate sign response. Validate the
980 		 * certificate signed by the server and install. Later
981 		 * this can be provided to clients of this server in
982 		 * lieu of the self signed certificate in order to
983 		 * validate the public key.
984 		 */
985 		case CRYPTO_SIGN | CRYPTO_RESP:
986 
987 			/*
988 			 * Discard the message if invalid or not
989 			 * proventic.
990 			 */
991 			if (!(peer->crypto & CRYPTO_FLAG_PROV)) {
992 				rval = XEVNT_ERR;
993 				break;
994 			}
995 			if ((rval = crypto_verify(ep, NULL, peer)) !=
996 			    XEVNT_OK)
997 				break;
998 
999 			/*
1000 			 * Scan the certificate list to delete old
1001 			 * versions and link the newest version first on
1002 			 * the list.
1003 			 */
1004 			if ((rval = cert_install(ep, peer)) != XEVNT_OK)
1005 				break;
1006 
1007 			peer->crypto |= CRYPTO_FLAG_SIGN;
1008 			peer->flash &= ~TEST8;
1009 			temp32 = cinfo->nid;
1010 			snprintf(statstr, NTP_MAXSTRLEN,
1011 			    "sign %s 0x%x %s (%u) fs %u",
1012 			    cinfo->issuer, cinfo->flags,
1013 			    OBJ_nid2ln(temp32), temp32,
1014 			    ntohl(ep->fstamp));
1015 			record_crypto_stats(&peer->srcadr, statstr);
1016 #ifdef DEBUG
1017 			if (debug)
1018 				printf("crypto_recv: %s\n", statstr);
1019 #endif
1020 			break;
1021 
1022 		/*
1023 		 * Install leapseconds table in symmetric modes. This
1024 		 * table is proventicated to the NIST primary servers,
1025 		 * either by copying the file containing the table from
1026 		 * a NIST server to a trusted server or directly using
1027 		 * this protocol. While the entire table is installed at
1028 		 * the server, presently only the current TAI offset is
1029 		 * provided via the kernel to other applications.
1030 		 */
1031 		case CRYPTO_TAI:
1032 
1033 			/*
1034 			 * Discard the message if invalid.
1035 			 */
1036 			if ((rval = crypto_verify(ep, NULL, peer)) !=
1037 			    XEVNT_OK)
1038 				break;
1039 
1040 			/*
1041 			 * Pass the extension field to the transmit
1042 			 * side. Continue below if a leapseconds table
1043 			 * accompanies the message.
1044 			 */
1045 			fp = emalloc(len);
1046 			memcpy(fp, ep, len);
1047 			temp32 = CRYPTO_RESP;
1048 			fp->opcode |= htonl(temp32);
1049 			peer->cmmd = fp;
1050 			if (len <= VALUE_LEN) {
1051 				peer->flash &= ~TEST8;
1052 				break;
1053 			}
1054 			/* fall through */
1055 
1056 		case CRYPTO_TAI | CRYPTO_RESP:
1057 
1058 			/*
1059 			 * If this is a response, discard the message if
1060 			 * signature not verified with respect to the
1061 			 * leapsecond table values.
1062 			 */
1063 			if (peer->cmmd == NULL) {
1064 				if ((rval = crypto_verify(ep,
1065 				    &peer->tai_leap, peer)) != XEVNT_OK)
1066 					break;
1067 			}
1068 
1069 			/*
1070 			 * Initialize peer variables with latest update.
1071 			 */
1072 			peer->tai_leap.tstamp = ep->tstamp;
1073 			peer->tai_leap.fstamp = ep->fstamp;
1074 			peer->tai_leap.vallen = ep->vallen;
1075 
1076 			/*
1077 			 * Install the new table if there is no stored
1078 			 * table or the new table is more recent than
1079 			 * the stored table. Since a filestamp may have
1080 			 * changed, recompute the signatures.
1081 			 */
1082 			if (ntohl(peer->tai_leap.fstamp) >
1083 			    ntohl(tai_leap.fstamp)) {
1084 				tai_leap.fstamp = ep->fstamp;
1085 				tai_leap.vallen = ep->vallen;
1086 				if (tai_leap.ptr != NULL)
1087 					free(tai_leap.ptr);
1088 				tai_leap.ptr = emalloc(vallen);
1089 				memcpy(tai_leap.ptr, ep->pkt, vallen);
1090 				crypto_update();
1091 			}
1092 			crypto_flags |= CRYPTO_FLAG_TAI;
1093 			peer->crypto |= CRYPTO_FLAG_LEAP;
1094 			peer->flash &= ~TEST8;
1095 			snprintf(statstr, NTP_MAXSTRLEN,
1096 			    "leap %u ts %u fs %u", vallen,
1097 			    ntohl(ep->tstamp), ntohl(ep->fstamp));
1098 			record_crypto_stats(&peer->srcadr, statstr);
1099 #ifdef DEBUG
1100 			if (debug)
1101 				printf("crypto_recv: %s\n", statstr);
1102 #endif
1103 			break;
1104 
1105 		/*
1106 		 * We come here in symmetric modes for miscellaneous
1107 		 * commands that have value fields but are processed on
1108 		 * the transmit side. All we need do here is check for
1109 		 * valid field length. Remaining checks are below and on
1110 		 * the transmit side.
1111 		 */
1112 		case CRYPTO_CERT:
1113 		case CRYPTO_IFF:
1114 		case CRYPTO_GQ:
1115 		case CRYPTO_MV:
1116 		case CRYPTO_SIGN:
1117 			if (len < VALUE_LEN) {
1118 				rval = XEVNT_LEN;
1119 				break;
1120 			}
1121 			/* fall through */
1122 
1123 		/*
1124 		 * We come here for miscellaneous requests and unknown
1125 		 * requests and responses. If an unknown response or
1126 		 * error, forget it. If a request, save the extension
1127 		 * field for later. Unknown requests will be caught on
1128 		 * the transmit side.
1129 		 */
1130 		default:
1131 			if (code & (CRYPTO_RESP | CRYPTO_ERROR)) {
1132 				rval = XEVNT_ERR;
1133 			} else if ((rval = crypto_verify(ep, NULL,
1134 			    peer)) == XEVNT_OK) {
1135 				fp = emalloc(len);
1136 				memcpy(fp, ep, len);
1137 				temp32 = CRYPTO_RESP;
1138 				fp->opcode |= htonl(temp32);
1139 				peer->cmmd = fp;
1140 			}
1141 		}
1142 
1143 		/*
1144 		 * We don't log length/format/timestamp errors and
1145 		 * duplicates, which are log clogging vulnerabilities.
1146 		 * The first error found terminates the extension field
1147 		 * scan and we return the laundry to the caller. A
1148 		 * length/format/timestamp error on transmit is
1149 		 * cheerfully ignored, as the message is not sent.
1150 		 */
1151 		if (rval > XEVNT_TSP) {
1152 			snprintf(statstr, NTP_MAXSTRLEN,
1153 			    "error %x opcode %x ts %u fs %u", rval,
1154 			    code, tstamp, fstamp);
1155 			record_crypto_stats(&peer->srcadr, statstr);
1156 			report_event(rval, peer);
1157 #ifdef DEBUG
1158 			if (debug)
1159 				printf("crypto_recv: %s\n", statstr);
1160 #endif
1161 			break;
1162 
1163 		} else if (rval > XEVNT_OK && (code & CRYPTO_RESP)) {
1164 			rval = XEVNT_OK;
1165 		}
1166 		authlen += len;
1167 	}
1168 	return (rval);
1169 }
1170 
1171 
1172 /*
1173  * crypto_xmit - construct extension fields
1174  *
1175  * This routine is called both when an association is configured and
1176  * when one is not. The only case where this matters is to retrieve the
1177  * autokey information, in which case the caller has to provide the
1178  * association ID to match the association.
1179  *
1180  * Returns length of extension field.
1181  */
1182 int
crypto_xmit(struct pkt * xpkt,struct sockaddr_storage * srcadr_sin,int start,struct exten * ep,keyid_t cookie)1183 crypto_xmit(
1184 	struct pkt *xpkt,	/* transmit packet pointer */
1185 	struct sockaddr_storage *srcadr_sin,	/* active runway */
1186 	int	start,		/* offset to extension field */
1187 	struct exten *ep,	/* extension pointer */
1188 	keyid_t cookie		/* session cookie */
1189 	)
1190 {
1191 	u_int32	*pkt;		/* packet pointer */
1192 	struct peer *peer;	/* peer structure pointer */
1193 	u_int	opcode;		/* extension field opcode */
1194 	struct exten *fp;	/* extension pointers */
1195 	struct cert_info *cp, *xp; /* certificate info/value pointer */
1196 	char	certname[MAXHOSTNAME + 1]; /* subject name buffer */
1197 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
1198 	tstamp_t tstamp;
1199 	u_int	vallen;
1200 	u_int	len;
1201 	struct value vtemp;
1202 	associd_t associd;
1203 	int	rval;
1204 	keyid_t tcookie;
1205 
1206 	/*
1207 	 * Generate the requested extension field request code, length
1208 	 * and association ID. If this is a response and the host is not
1209 	 * synchronized, light the error bit and go home.
1210 	 */
1211 	pkt = (u_int32 *)xpkt + start / 4;
1212 	fp = (struct exten *)pkt;
1213 	opcode = ntohl(ep->opcode);
1214 	associd = (associd_t) ntohl(ep->associd);
1215 	fp->associd = htonl(associd);
1216 	len = 8;
1217 	rval = XEVNT_OK;
1218 	tstamp = crypto_time();
1219 	switch (opcode & 0xffff0000) {
1220 
1221 	/*
1222 	 * Send association request and response with status word and
1223 	 * host name. Note, this message is not signed and the filestamp
1224 	 * contains only the status word.
1225 	 */
1226 	case CRYPTO_ASSOC | CRYPTO_RESP:
1227 		len += crypto_send(fp, &hostval);
1228 		fp->fstamp = htonl(crypto_flags);
1229 		break;
1230 
1231 	case CRYPTO_ASSOC:
1232 		len += crypto_send(fp, &hostval);
1233 		fp->fstamp = htonl(crypto_flags | ident_scheme);
1234 		break;
1235 
1236 	/*
1237 	 * Send certificate request. Use the values from the extension
1238 	 * field.
1239 	 */
1240 	case CRYPTO_CERT:
1241 		memset(&vtemp, 0, sizeof(vtemp));
1242 		vtemp.tstamp = ep->tstamp;
1243 		vtemp.fstamp = ep->fstamp;
1244 		vtemp.vallen = ep->vallen;
1245 		vtemp.ptr = (u_char *)ep->pkt;
1246 		len += crypto_send(fp, &vtemp);
1247 		break;
1248 
1249 	/*
1250 	 * Send certificate response or sign request. Use the values
1251 	 * from the certificate cache. If the request contains no
1252 	 * subject name, assume the name of this host. This is for
1253 	 * backwards compatibility. Private certificates are never sent.
1254 	 */
1255 	case CRYPTO_SIGN:
1256 	case CRYPTO_CERT | CRYPTO_RESP:
1257 		vallen = ntohl(ep->vallen);
1258 		if (vallen == 8) {
1259 			strcpy(certname, sys_hostname);
1260 		} else if (vallen == 0 || vallen > MAXHOSTNAME ||
1261 		    len - VALUE_LEN < vallen) {
1262 			rval = XEVNT_LEN;
1263 			break;
1264 
1265 		} else {
1266 			memcpy(certname, ep->pkt, vallen);
1267 			certname[vallen] = '\0';
1268 		}
1269 
1270 		/*
1271 		 * Find all certificates with matching subject. If a
1272 		 * self-signed, trusted certificate is found, use that.
1273 		 * If not, use the first one with matching subject. A
1274 		 * private certificate is never divulged or signed.
1275 		 */
1276 		xp = NULL;
1277 		for (cp = cinfo; cp != NULL; cp = cp->link) {
1278 			if (cp->flags & CERT_PRIV)
1279 				continue;
1280 
1281 			if (strcmp(certname, cp->subject) == 0) {
1282 				if (xp == NULL)
1283 					xp = cp;
1284 				if (strcmp(certname, cp->issuer) ==
1285 				    0 && cp->flags & CERT_TRUST) {
1286 					xp = cp;
1287 					break;
1288 				}
1289 			}
1290 		}
1291 
1292 		/*
1293 		 * Be careful who you trust. If not yet synchronized,
1294 		 * give back an empty response. If certificate not found
1295 		 * or beyond the lifetime, return an error. This is to
1296 		 * avoid a bad dude trying to get an expired certificate
1297 		 * re-signed. Otherwise, send it.
1298 		 *
1299 		 * Note the timestamp and filestamp are taken from the
1300 		 * certificate value structure. For all certificates the
1301 		 * timestamp is the latest signature update time. For
1302 		 * host and imported certificates the filestamp is the
1303 		 * creation epoch. For signed certificates the filestamp
1304 		 * is the creation epoch of the trusted certificate at
1305 		 * the base of the certificate trail. In principle, this
1306 		 * allows strong checking for signature masquerade.
1307 		 */
1308 		if (tstamp == 0)
1309 			break;
1310 
1311 		if (xp == NULL)
1312 			rval = XEVNT_CRT;
1313 		else if (tstamp < xp->first || tstamp > xp->last)
1314 			rval = XEVNT_SRV;
1315 		else
1316 			len += crypto_send(fp, &xp->cert);
1317 		break;
1318 
1319 	/*
1320 	 * Send challenge in Schnorr (IFF) identity scheme.
1321 	 */
1322 	case CRYPTO_IFF:
1323 		if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
1324 			rval = XEVNT_ERR;
1325 			break;
1326 		}
1327 		if ((rval = crypto_alice(peer, &vtemp)) == XEVNT_OK) {
1328 			len += crypto_send(fp, &vtemp);
1329 			value_free(&vtemp);
1330 		}
1331 		break;
1332 
1333 	/*
1334 	 * Send response in Schnorr (IFF) identity scheme.
1335 	 */
1336 	case CRYPTO_IFF | CRYPTO_RESP:
1337 		if ((rval = crypto_bob(ep, &vtemp)) == XEVNT_OK) {
1338 			len += crypto_send(fp, &vtemp);
1339 			value_free(&vtemp);
1340 		}
1341 		break;
1342 
1343 	/*
1344 	 * Send challenge in Guillou-Quisquater (GQ) identity scheme.
1345 	 */
1346 	case CRYPTO_GQ:
1347 		if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
1348 			rval = XEVNT_ERR;
1349 			break;
1350 		}
1351 		if ((rval = crypto_alice2(peer, &vtemp)) == XEVNT_OK) {
1352 			len += crypto_send(fp, &vtemp);
1353 			value_free(&vtemp);
1354 		}
1355 		break;
1356 
1357 	/*
1358 	 * Send response in Guillou-Quisquater (GQ) identity scheme.
1359 	 */
1360 	case CRYPTO_GQ | CRYPTO_RESP:
1361 		if ((rval = crypto_bob2(ep, &vtemp)) == XEVNT_OK) {
1362 			len += crypto_send(fp, &vtemp);
1363 			value_free(&vtemp);
1364 		}
1365 		break;
1366 
1367 	/*
1368 	 * Send challenge in MV identity scheme.
1369 	 */
1370 	case CRYPTO_MV:
1371 		if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
1372 			rval = XEVNT_ERR;
1373 			break;
1374 		}
1375 		if ((rval = crypto_alice3(peer, &vtemp)) == XEVNT_OK) {
1376 			len += crypto_send(fp, &vtemp);
1377 			value_free(&vtemp);
1378 		}
1379 		break;
1380 
1381 	/*
1382 	 * Send response in MV identity scheme.
1383 	 */
1384 	case CRYPTO_MV | CRYPTO_RESP:
1385 		if ((rval = crypto_bob3(ep, &vtemp)) == XEVNT_OK) {
1386 			len += crypto_send(fp, &vtemp);
1387 			value_free(&vtemp);
1388 		}
1389 		break;
1390 
1391 	/*
1392 	 * Send certificate sign response. The integrity of the request
1393 	 * certificate has already been verified on the receive side.
1394 	 * Sign the response using the local server key. Use the
1395 	 * filestamp from the request and use the timestamp as the
1396 	 * current time. Light the error bit if the certificate is
1397 	 * invalid or contains an unverified signature.
1398 	 */
1399 	case CRYPTO_SIGN | CRYPTO_RESP:
1400 		if ((rval = cert_sign(ep, &vtemp)) == XEVNT_OK)
1401 			len += crypto_send(fp, &vtemp);
1402 		value_free(&vtemp);
1403 		break;
1404 
1405 	/*
1406 	 * Send public key and signature. Use the values from the public
1407 	 * key.
1408 	 */
1409 	case CRYPTO_COOK:
1410 		len += crypto_send(fp, &pubkey);
1411 		break;
1412 
1413 	/*
1414 	 * Encrypt and send cookie and signature. Light the error bit if
1415 	 * anything goes wrong.
1416 	 */
1417 	case CRYPTO_COOK | CRYPTO_RESP:
1418 		vallen = ntohl(ep->vallen);	/* Must be <64k */
1419 		if (   vallen == 0
1420 		    || (vallen >= MAX_VALLEN)
1421 		    || (opcode & 0x0000ffff)  < VALUE_LEN + vallen) {
1422 			rval = XEVNT_LEN;
1423 			break;
1424 		}
1425 		if (PKT_MODE(xpkt->li_vn_mode) == MODE_SERVER) {
1426 			tcookie = cookie;
1427 		} else {
1428 			if ((peer = findpeerbyassoc(associd)) == NULL) {
1429 				rval = XEVNT_ERR;
1430 				break;
1431 			}
1432 			tcookie = peer->pcookie;
1433 		}
1434 		if ((rval = crypto_encrypt((const u_char *)ep->pkt, vallen, &tcookie, &vtemp))
1435 		    == XEVNT_OK) {
1436 			len += crypto_send(fp, &vtemp);
1437 			value_free(&vtemp);
1438 		}
1439 		break;
1440 
1441 	/*
1442 	 * Find peer and send autokey data and signature in broadcast
1443 	 * server and symmetric modes. Use the values in the autokey
1444 	 * structure. If no association is found, either the server has
1445 	 * restarted with new associations or some perp has replayed an
1446 	 * old message, in which case light the error bit.
1447 	 */
1448 	case CRYPTO_AUTO | CRYPTO_RESP:
1449 		if ((peer = findpeerbyassoc(associd)) == NULL) {
1450 			rval = XEVNT_ERR;
1451 			break;
1452 		}
1453 		peer->flags &= ~FLAG_ASSOC;
1454 		len += crypto_send(fp, &peer->sndval);
1455 		break;
1456 
1457 	/*
1458 	 * Send leapseconds table and signature. Use the values from the
1459 	 * tai structure. If no table has been loaded, just send an
1460 	 * empty request.
1461 	 */
1462 	case CRYPTO_TAI:
1463 	case CRYPTO_TAI | CRYPTO_RESP:
1464 		if (crypto_flags & CRYPTO_FLAG_TAI)
1465 			len += crypto_send(fp, &tai_leap);
1466 		break;
1467 
1468 	/*
1469 	 * Default - Fall through for requests; for unknown responses,
1470 	 * flag as error.
1471 	 */
1472 	default:
1473 		if (opcode & CRYPTO_RESP)
1474 			rval = XEVNT_ERR;
1475 	}
1476 
1477 	/*
1478 	 * In case of error, flame the log. If a request, toss the
1479 	 * puppy; if a response, return so the sender can flame, too.
1480 	 */
1481 	if (rval != XEVNT_OK) {
1482 		opcode |= CRYPTO_ERROR;
1483 		snprintf(statstr, NTP_MAXSTRLEN,
1484 		    "error %x opcode %x", rval, opcode);
1485 		record_crypto_stats(srcadr_sin, statstr);
1486 		report_event(rval, NULL);
1487 #ifdef DEBUG
1488 		if (debug)
1489 			printf("crypto_xmit: %s\n", statstr);
1490 #endif
1491 		if (!(opcode & CRYPTO_RESP))
1492 			return (0);
1493 	}
1494 
1495 	/*
1496 	 * Round up the field length to a multiple of 8 bytes and save
1497 	 * the request code and length.
1498 	 */
1499 	len = ((len + 7) / 8) * 8;
1500 	fp->opcode = htonl((opcode & 0xffff0000) | len);
1501 #ifdef DEBUG
1502 	if (debug)
1503 		printf(
1504 		    "crypto_xmit: flags 0x%x ext offset %d len %u code 0x%x assocID %d\n",
1505 		    crypto_flags, start, len, opcode >> 16, associd);
1506 #endif
1507 	return (len);
1508 }
1509 
1510 
1511 /*
1512  * crypto_verify - parse and verify the extension field and value
1513  *
1514  * Returns
1515  * XEVNT_OK	success
1516  * XEVNT_LEN	bad field format or length
1517  * XEVNT_TSP	bad timestamp
1518  * XEVNT_FSP	bad filestamp
1519  * XEVNT_PUB	bad or missing public key
1520  * XEVNT_SGL	bad signature length
1521  * XEVNT_SIG	signature not verified
1522  * XEVNT_ERR	protocol error
1523  */
1524 static int
crypto_verify(struct exten * ep,struct value * vp,struct peer * peer)1525 crypto_verify(
1526 	struct exten *ep,	/* extension pointer */
1527 	struct value *vp,	/* value pointer */
1528 	struct peer *peer	/* peer structure pointer */
1529 	)
1530 {
1531 	EVP_PKEY *pkey;		/* server public key */
1532 	EVP_MD_CTX ctx;		/* signature context */
1533 	tstamp_t tstamp, tstamp1 = 0; /* timestamp */
1534 	tstamp_t fstamp, fstamp1 = 0; /* filestamp */
1535 	u_int	vallen;		/* value length */
1536 	u_int	siglen;		/* signature length */
1537 	u_int	opcode, len;
1538 	int	i;
1539 
1540 	/*
1541 	 * We require valid opcode and field lengths, timestamp,
1542 	 * filestamp, public key, digest, signature length and
1543 	 * signature, where relevant. Note that preliminary length
1544 	 * checks are done in the main loop.
1545 	 */
1546 	len = ntohl(ep->opcode) & 0x0000ffff;
1547 	opcode = ntohl(ep->opcode) & 0xffff0000;
1548 
1549 	/*
1550 	 * Check for valid operation code and protocol. The opcode must
1551 	 * not have the error bit set. If a response, it must have a
1552 	 * value header. If a request and does not contain a value
1553 	 * header, no need for further checking.
1554 	 */
1555 	if (opcode & CRYPTO_ERROR)
1556 		return (XEVNT_ERR);
1557 
1558  	if (opcode & CRYPTO_RESP) {
1559  		if (len < VALUE_LEN)
1560 			return (XEVNT_LEN);
1561 	} else {
1562  		if (len < VALUE_LEN)
1563 			return (XEVNT_OK);
1564 	}
1565 
1566 	/*
1567 	 * We have a value header. Check for valid field lengths. The
1568 	 * field length must be long enough to contain the value header,
1569 	 * value and signature. Note both the value and signature fields
1570 	 * are rounded up to the next word.
1571 	 */
1572 	vallen = ntohl(ep->vallen);
1573 	if (   vallen == 0
1574 	    || vallen > MAX_VALLEN)
1575 		return (XEVNT_LEN);
1576 	i = (vallen + 3) / 4;
1577 	siglen = ntohl(ep->pkt[i++]);
1578 	if (   siglen > MAX_VALLEN
1579 	    || len - VALUE_LEN < ((vallen + 3) / 4) * 4
1580 	    || len - VALUE_LEN - ((vallen + 3) / 4) * 4
1581 	      < ((siglen + 3) / 4) * 4)
1582 		return (XEVNT_LEN);
1583 
1584 	/*
1585 	 * Punt if this is a response with no data. Punt if this is a
1586 	 * request and a previous response is pending.
1587 	 */
1588 	if (opcode & CRYPTO_RESP) {
1589 		if (vallen == 0)
1590 			return (XEVNT_LEN);
1591 	} else {
1592 		if (peer->cmmd != NULL)
1593 			return (XEVNT_LEN);
1594 	}
1595 
1596 	/*
1597 	 * Check for valid timestamp and filestamp. If the timestamp is
1598 	 * zero, the sender is not synchronized and signatures are
1599 	 * disregarded. If not, the timestamp must not precede the
1600 	 * filestamp. The timestamp and filestamp must not precede the
1601 	 * corresponding values in the value structure, if present. Once
1602 	 * the autokey values have been installed, the timestamp must
1603 	 * always be later than the corresponding value in the value
1604 	 * structure. Duplicate timestamps are illegal once the cookie
1605 	 * has been validated.
1606 	 */
1607 	tstamp = ntohl(ep->tstamp);
1608 	fstamp = ntohl(ep->fstamp);
1609 	if (tstamp == 0)
1610 		return (XEVNT_OK);
1611 
1612 	if (tstamp < fstamp)
1613 		return (XEVNT_TSP);
1614 
1615 	if (vp != NULL) {
1616 		tstamp1 = ntohl(vp->tstamp);
1617 		fstamp1 = ntohl(vp->fstamp);
1618 		if ((tstamp < tstamp1 || (tstamp == tstamp1 &&
1619 		    (peer->crypto & CRYPTO_FLAG_AUTO))))
1620 			return (XEVNT_TSP);
1621 
1622 		if ((tstamp < fstamp1 || fstamp < fstamp1))
1623 			return (XEVNT_FSP);
1624 	}
1625 
1626 	/*
1627 	 * Check for valid signature length, public key and digest
1628 	 * algorithm.
1629 	 */
1630 	if (crypto_flags & peer->crypto & CRYPTO_FLAG_PRIV)
1631 		pkey = sign_pkey;
1632 	else
1633 		pkey = peer->pkey;
1634 	if (siglen == 0 || pkey == NULL || peer->digest == NULL)
1635 		return (XEVNT_OK);
1636 
1637 	if (siglen != (u_int)EVP_PKEY_size(pkey))
1638 		return (XEVNT_SGL);
1639 
1640 	/*
1641 	 * Darn, I thought we would never get here. Verify the
1642 	 * signature. If the identity exchange is verified, light the
1643 	 * proventic bit. If no client identity scheme is specified,
1644 	 * avoid doing the sign exchange.
1645 	 */
1646 	EVP_VerifyInit(&ctx, peer->digest);
1647 	/* XXX: the "+ 12" needs to be at least documented... */
1648 	EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
1649 	if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0)
1650 		return (XEVNT_SIG);
1651 
1652 	if (peer->crypto & CRYPTO_FLAG_VRFY) {
1653 		peer->crypto |= CRYPTO_FLAG_PROV;
1654 		if (!(crypto_flags & CRYPTO_FLAG_MASK))
1655 			peer->crypto |= CRYPTO_FLAG_SIGN;
1656 	}
1657 	return (XEVNT_OK);
1658 }
1659 
1660 
1661 /*
1662  * crypto_encrypt - construct vp (encrypted cookie and signature) from
1663  * the public key and cookie.
1664  *
1665  * Returns:
1666  * XEVNT_OK	success
1667  * XEVNT_PUB	bad or missing public key
1668  * XEVNT_CKY	bad or missing cookie
1669  * XEVNT_PER	host certificate expired
1670  */
1671 static int
crypto_encrypt(const u_char * ptr,u_int vallen,keyid_t * cookie,struct value * vp)1672 crypto_encrypt(
1673 	const u_char *ptr,	/* Public Key */
1674 	u_int	vallen,		/* Length of Public Key */
1675 	keyid_t	*cookie,	/* server cookie */
1676 	struct value *vp	/* value pointer */
1677 	)
1678 {
1679 	EVP_PKEY *pkey;		/* public key */
1680 	EVP_MD_CTX ctx;		/* signature context */
1681 	tstamp_t tstamp;	/* NTP timestamp */
1682 	u_int32	temp32;
1683 
1684 	/*
1685 	 * Extract the public key from the request.
1686 	 */
1687 	pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, vallen);
1688 	if (pkey == NULL) {
1689 		msyslog(LOG_ERR, "crypto_encrypt %s\n",
1690 		    ERR_error_string(ERR_get_error(), NULL));
1691 		return (XEVNT_PUB);
1692 	}
1693 
1694 	/*
1695 	 * Encrypt the cookie, encode in ASN.1 and sign.
1696 	 */
1697 	tstamp = crypto_time();
1698 	memset(vp, 0, sizeof(struct value));
1699 	vp->tstamp = htonl(tstamp);
1700 	vp->fstamp = hostval.tstamp;
1701 	vallen = EVP_PKEY_size(pkey);
1702 	vp->vallen = htonl(vallen);
1703 	vp->ptr = emalloc(vallen);
1704 	temp32 = htonl(*cookie);
1705 	if (!RSA_public_encrypt(4, (u_char *)&temp32, vp->ptr,
1706 	    pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING)) {
1707 		msyslog(LOG_ERR, "crypto_encrypt %s\n",
1708 		    ERR_error_string(ERR_get_error(), NULL));
1709 		EVP_PKEY_free(pkey);
1710 		return (XEVNT_CKY);
1711 	}
1712 	EVP_PKEY_free(pkey);
1713 	vp->siglen = 0;
1714 	if (tstamp == 0)
1715 		return (XEVNT_OK);
1716 
1717 	if (tstamp < cinfo->first || tstamp > cinfo->last)
1718 		return (XEVNT_PER);
1719 
1720 	vp->sig = emalloc(sign_siglen);
1721 	EVP_SignInit(&ctx, sign_digest);
1722 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
1723 	EVP_SignUpdate(&ctx, vp->ptr, vallen);
1724 	if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
1725 		vp->siglen = htonl(sign_siglen);
1726 	return (XEVNT_OK);
1727 }
1728 
1729 
1730 /*
1731  * crypto_ident - construct extension field for identity scheme
1732  *
1733  * This routine determines which identity scheme is in use and
1734  * constructs an extension field for that scheme.
1735  */
1736 u_int
crypto_ident(struct peer * peer)1737 crypto_ident(
1738 	struct peer *peer	/* peer structure pointer */
1739 	)
1740 {
1741 	char	filename[MAXFILENAME + 1];
1742 
1743 	/*
1744 	 * If the server identity has already been verified, no further
1745 	 * action is necessary. Otherwise, try to load the identity file
1746 	 * of the certificate issuer. If the issuer file is not found,
1747 	 * try the host file. If nothing found, declare a cryptobust.
1748 	 * Note we can't get here unless the trusted certificate has
1749 	 * been found and the CRYPTO_FLAG_VALID bit is set, so the
1750 	 * certificate issuer is valid.
1751 	 */
1752 	if (peer->ident_pkey != NULL)
1753 		EVP_PKEY_free(peer->ident_pkey);
1754 	if (peer->crypto & CRYPTO_FLAG_GQ) {
1755 		snprintf(filename, MAXFILENAME, "ntpkey_gq_%s",
1756 		    peer->issuer);
1757 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1758 		if (peer->ident_pkey != NULL)
1759 			return (CRYPTO_GQ);
1760 
1761 		snprintf(filename, MAXFILENAME, "ntpkey_gq_%s",
1762 		    sys_hostname);
1763 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1764 		if (peer->ident_pkey != NULL)
1765 			return (CRYPTO_GQ);
1766 	}
1767 	if (peer->crypto & CRYPTO_FLAG_IFF) {
1768 		snprintf(filename, MAXFILENAME, "ntpkey_iff_%s",
1769 		    peer->issuer);
1770 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1771 		if (peer->ident_pkey != NULL)
1772 			return (CRYPTO_IFF);
1773 
1774 		snprintf(filename, MAXFILENAME, "ntpkey_iff_%s",
1775 		    sys_hostname);
1776 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1777 		if (peer->ident_pkey != NULL)
1778 			return (CRYPTO_IFF);
1779 	}
1780 	if (peer->crypto & CRYPTO_FLAG_MV) {
1781 		snprintf(filename, MAXFILENAME, "ntpkey_mv_%s",
1782 		    peer->issuer);
1783 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1784 		if (peer->ident_pkey != NULL)
1785 			return (CRYPTO_MV);
1786 
1787 		snprintf(filename, MAXFILENAME, "ntpkey_mv_%s",
1788 		    sys_hostname);
1789 		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1790 		if (peer->ident_pkey != NULL)
1791 			return (CRYPTO_MV);
1792 	}
1793 
1794 	/*
1795 	 * No compatible identity scheme is available. Life is hard.
1796 	 */
1797 	msyslog(LOG_INFO,
1798 	    "crypto_ident: no compatible identity scheme found");
1799 	return (0);
1800 }
1801 
1802 
1803 /*
1804  * crypto_args - construct extension field from arguments
1805  *
1806  * This routine creates an extension field with current timestamps and
1807  * specified opcode, association ID and optional string. Note that the
1808  * extension field is created here, but freed after the crypto_xmit()
1809  * call in the protocol module.
1810  *
1811  * Returns extension field pointer (no errors).
1812  *
1813  * XXX: opcode and len should really be 32-bit quantities and
1814  * we should make sure that str is not too big.
1815  */
1816 struct exten *
crypto_args(struct peer * peer,u_int opcode,char * str)1817 crypto_args(
1818 	struct peer *peer,	/* peer structure pointer */
1819 	u_int	opcode,		/* operation code */
1820 	char	*str		/* argument string */
1821 	)
1822 {
1823 	tstamp_t tstamp;	/* NTP timestamp */
1824 	struct exten *ep;	/* extension field pointer */
1825 	u_int	len;		/* extension field length */
1826 	size_t	slen;
1827 
1828 	tstamp = crypto_time();
1829 	len = sizeof(struct exten);
1830 	if (str != NULL) {
1831 		slen = strlen(str);
1832 		len += slen;
1833 	}
1834 	ep = emalloc(len);
1835 	memset(ep, 0, len);
1836 	if (opcode == 0)
1837 		return (ep);
1838 
1839 	ep->opcode = htonl(opcode + len);
1840 
1841 	/*
1842 	 * If a response, send our ID; if a request, send the
1843 	 * responder's ID.
1844 	 */
1845 	if (opcode & CRYPTO_RESP)
1846 		ep->associd = htonl(peer->associd);
1847 	else
1848 		ep->associd = htonl(peer->assoc);
1849 	ep->tstamp = htonl(tstamp);
1850 	ep->fstamp = hostval.tstamp;
1851 	ep->vallen = 0;
1852 	if (str != NULL) {
1853 		ep->vallen = htonl(slen);
1854 		memcpy((char *)ep->pkt, str, slen);
1855 	} else {
1856 		ep->pkt[0] = peer->associd;
1857 	}
1858 	return (ep);
1859 }
1860 
1861 
1862 /*
1863  * crypto_send - construct extension field from value components
1864  *
1865  * Returns extension field length. Note: it is not polite to send a
1866  * nonempty signature with zero timestamp or a nonzero timestamp with
1867  * empty signature, but these rules are not enforced here.
1868  *
1869  * XXX This code won't work on a box with 16-bit ints.
1870  */
1871 u_int
crypto_send(struct exten * ep,struct value * vp)1872 crypto_send(
1873 	struct exten *ep,	/* extension field pointer */
1874 	struct value *vp	/* value pointer */
1875 	)
1876 {
1877 	u_int	len, temp32;
1878 	int	i;
1879 
1880 	/*
1881 	 * Copy data. If the data field is empty or zero length, encode
1882 	 * an empty value with length zero.
1883 	 */
1884 	ep->tstamp = vp->tstamp;
1885 	ep->fstamp = vp->fstamp;
1886 	ep->vallen = vp->vallen;
1887 	len = 12;
1888 	temp32 = ntohl(vp->vallen);
1889 	if (temp32 > 0 && vp->ptr != NULL)
1890 		memcpy(ep->pkt, vp->ptr, temp32);
1891 
1892 	/*
1893 	 * Copy signature. If the signature field is empty or zero
1894 	 * length, encode an empty signature with length zero.
1895 	 */
1896 	i = (temp32 + 3) / 4;
1897 	len += i * 4 + 4;
1898 	ep->pkt[i++] = vp->siglen;
1899 	temp32 = ntohl(vp->siglen);
1900 	if (temp32 > 0 && vp->sig != NULL)
1901 		memcpy(&ep->pkt[i], vp->sig, temp32);
1902 	len += temp32;
1903 	return (len);
1904 }
1905 
1906 
1907 /*
1908  * crypto_update - compute new public value and sign extension fields
1909  *
1910  * This routine runs periodically, like once a day, and when something
1911  * changes. It updates the timestamps on three value structures and one
1912  * value structure list, then signs all the structures:
1913  *
1914  * hostval	host name (not signed)
1915  * pubkey	public key
1916  * cinfo	certificate info/value list
1917  * tai_leap	leapseconds file
1918  *
1919  * Filestamps are proventicated data, so this routine is run only when
1920  * the host has been synchronized to a proventicated source. Thus, the
1921  * timestamp is proventicated, too, and can be used to deflect
1922  * clogging attacks and even cook breakfast.
1923  *
1924  * Returns void (no errors)
1925  */
1926 void
crypto_update(void)1927 crypto_update(void)
1928 {
1929 	EVP_MD_CTX ctx;		/* message digest context */
1930 	struct cert_info *cp, *cpn; /* certificate info/value */
1931 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
1932 	tstamp_t tstamp;	/* NTP timestamp */
1933 	u_int	len;
1934 
1935 	if ((tstamp = crypto_time()) == 0)
1936 		return;
1937 
1938 	hostval.tstamp = htonl(tstamp);
1939 
1940 	/*
1941 	 * Sign public key and timestamps. The filestamp is derived from
1942 	 * the host key file extension from wherever the file was
1943 	 * generated.
1944 	 */
1945 	if (pubkey.vallen != 0) {
1946 		pubkey.tstamp = hostval.tstamp;
1947 		pubkey.siglen = 0;
1948 		if (pubkey.sig == NULL)
1949 			pubkey.sig = emalloc(sign_siglen);
1950 		EVP_SignInit(&ctx, sign_digest);
1951 		EVP_SignUpdate(&ctx, (u_char *)&pubkey, 12);
1952 		EVP_SignUpdate(&ctx, pubkey.ptr, ntohl(pubkey.vallen));
1953 		if (EVP_SignFinal(&ctx, pubkey.sig, &len, sign_pkey))
1954 			pubkey.siglen = htonl(len);
1955 	}
1956 
1957 	/*
1958 	 * Sign certificates and timestamps. The filestamp is derived
1959 	 * from the certificate file extension from wherever the file
1960 	 * was generated. Note we do not throw expired certificates
1961 	 * away; they may have signed younger ones.
1962 	 */
1963 	for (cp = cinfo; cp != NULL; cp = cpn) {
1964 		cpn = cp->link;
1965 		cp->cert.tstamp = hostval.tstamp;
1966 		cp->cert.siglen = 0;
1967 		if (cp->cert.sig == NULL)
1968 			cp->cert.sig = emalloc(sign_siglen);
1969 		EVP_SignInit(&ctx, sign_digest);
1970 		EVP_SignUpdate(&ctx, (u_char *)&cp->cert, 12);
1971 		EVP_SignUpdate(&ctx, cp->cert.ptr,
1972 		    ntohl(cp->cert.vallen));
1973 		if (EVP_SignFinal(&ctx, cp->cert.sig, &len, sign_pkey))
1974 			cp->cert.siglen = htonl(len);
1975 	}
1976 
1977 	/*
1978 	 * Sign leapseconds table and timestamps. The filestamp is
1979 	 * derived from the leapsecond file extension from wherever the
1980 	 * file was generated.
1981 	 */
1982 	if (tai_leap.vallen != 0) {
1983 		tai_leap.tstamp = hostval.tstamp;
1984 		tai_leap.siglen = 0;
1985 		if (tai_leap.sig == NULL)
1986 			tai_leap.sig = emalloc(sign_siglen);
1987 		EVP_SignInit(&ctx, sign_digest);
1988 		EVP_SignUpdate(&ctx, (u_char *)&tai_leap, 12);
1989 		EVP_SignUpdate(&ctx, tai_leap.ptr,
1990 		    ntohl(tai_leap.vallen));
1991 		if (EVP_SignFinal(&ctx, tai_leap.sig, &len, sign_pkey))
1992 			tai_leap.siglen = htonl(len);
1993 	}
1994 	snprintf(statstr, NTP_MAXSTRLEN,
1995 	    "update ts %u", ntohl(hostval.tstamp));
1996 	record_crypto_stats(NULL, statstr);
1997 #ifdef DEBUG
1998 	if (debug)
1999 		printf("crypto_update: %s\n", statstr);
2000 #endif
2001 }
2002 
2003 
2004 /*
2005  * value_free - free value structure components.
2006  *
2007  * Returns void (no errors)
2008  */
2009 void
value_free(struct value * vp)2010 value_free(
2011 	struct value *vp	/* value structure */
2012 	)
2013 {
2014 	if (vp->ptr != NULL)
2015 		free(vp->ptr);
2016 	if (vp->sig != NULL)
2017 		free(vp->sig);
2018 	memset(vp, 0, sizeof(struct value));
2019 }
2020 
2021 
2022 /*
2023  * crypto_time - returns current NTP time in seconds.
2024  */
2025 tstamp_t
crypto_time()2026 crypto_time()
2027 {
2028 	l_fp	tstamp;		/* NTP time */	L_CLR(&tstamp);
2029 
2030 	L_CLR(&tstamp);
2031 	if (sys_leap != LEAP_NOTINSYNC)
2032 		get_systime(&tstamp);
2033 	return (tstamp.l_ui);
2034 }
2035 
2036 
2037 /*
2038  * asn2ntp - convert ASN1_TIME time structure to NTP time in seconds.
2039  */
2040 u_long
asn2ntp(ASN1_TIME * asn1time)2041 asn2ntp	(
2042 	ASN1_TIME *asn1time	/* pointer to ASN1_TIME structure */
2043 	)
2044 {
2045 	char	*v;		/* pointer to ASN1_TIME string */
2046 	struct	tm tm;		/* used to convert to NTP time */
2047 
2048 	/*
2049 	 * Extract time string YYMMDDHHMMSSZ from ASN1 time structure.
2050 	 * Note that the YY, MM, DD fields start with one, the HH, MM,
2051 	 * SS fiels start with zero and the Z character should be 'Z'
2052 	 * for UTC. Also note that years less than 50 map to years
2053 	 * greater than 100. Dontcha love ASN.1? Better than MIL-188.
2054 	 */
2055 	if (asn1time->length > 13)
2056 		return ((u_long)(~0));	/* We can't use -1 here. It's invalid */
2057 
2058 	v = (char *)asn1time->data;
2059 	tm.tm_year = (v[0] - '0') * 10 + v[1] - '0';
2060 	if (tm.tm_year < 50)
2061 		tm.tm_year += 100;
2062 	tm.tm_mon = (v[2] - '0') * 10 + v[3] - '0' - 1;
2063 	tm.tm_mday = (v[4] - '0') * 10 + v[5] - '0';
2064 	tm.tm_hour = (v[6] - '0') * 10 + v[7] - '0';
2065 	tm.tm_min = (v[8] - '0') * 10 + v[9] - '0';
2066 	tm.tm_sec = (v[10] - '0') * 10 + v[11] - '0';
2067 	tm.tm_wday = 0;
2068 	tm.tm_yday = 0;
2069 	tm.tm_isdst = 0;
2070 	return (timegm(&tm) + JAN_1970);
2071 }
2072 
2073 
2074 /*
2075  * bigdig() - compute a BIGNUM MD5 hash of a BIGNUM number.
2076  */
2077 static int
bighash(BIGNUM * bn,BIGNUM * bk)2078 bighash(
2079 	BIGNUM	*bn,		/* BIGNUM * from */
2080 	BIGNUM	*bk		/* BIGNUM * to */
2081 	)
2082 {
2083 	EVP_MD_CTX ctx;		/* message digest context */
2084 	u_char dgst[EVP_MAX_MD_SIZE]; /* message digest */
2085 	u_char	*ptr;		/* a BIGNUM as binary string */
2086 	u_int	len;
2087 
2088 	len = BN_num_bytes(bn);
2089 	ptr = emalloc(len);
2090 	BN_bn2bin(bn, ptr);
2091 	EVP_DigestInit(&ctx, EVP_md5());
2092 	EVP_DigestUpdate(&ctx, ptr, len);
2093 	EVP_DigestFinal(&ctx, dgst, &len);
2094 	BN_bin2bn(dgst, len, bk);
2095 
2096 	/* XXX MEMLEAK? free ptr? */
2097 
2098 	return (1);
2099 }
2100 
2101 
2102 /*
2103  ***********************************************************************
2104  *								       *
2105  * The following routines implement the Schnorr (IFF) identity scheme  *
2106  *								       *
2107  ***********************************************************************
2108  *
2109  * The Schnorr (IFF) identity scheme is intended for use when
2110  * the ntp-genkeys program does not generate the certificates used in
2111  * the protocol and the group key cannot be conveyed in the certificate
2112  * itself. For this purpose, new generations of IFF values must be
2113  * securely transmitted to all members of the group before use. The
2114  * scheme is self contained and independent of new generations of host
2115  * keys, sign keys and certificates.
2116  *
2117  * The IFF identity scheme is based on DSA cryptography and algorithms
2118  * described in Stinson p. 285. The IFF values hide in a DSA cuckoo
2119  * structure, but only the primes and generator are used. The p is a
2120  * 512-bit prime, q a 160-bit prime that divides p - 1 and is a qth root
2121  * of 1 mod p; that is, g^q = 1 mod p. The TA rolls primvate random
2122  * group key b disguised as a DSA structure member, then computes public
2123  * key g^(q - b). These values are shared only among group members and
2124  * never revealed in messages. Alice challenges Bob to confirm identity
2125  * using the protocol described below.
2126  *
2127  * How it works
2128  *
2129  * The scheme goes like this. Both Alice and Bob have the public primes
2130  * p, q and generator g. The TA gives private key b to Bob and public
2131  * key v = g^(q - a) mod p to Alice.
2132  *
2133  * Alice rolls new random challenge r and sends to Bob in the IFF
2134  * request message. Bob rolls new random k, then computes y = k + b r
2135  * mod q and x = g^k mod p and sends (y, hash(x)) to Alice in the
2136  * response message. Besides making the response shorter, the hash makes
2137  * it effectivey impossible for an intruder to solve for b by observing
2138  * a number of these messages.
2139  *
2140  * Alice receives the response and computes g^y v^r mod p. After a bit
2141  * of algebra, this simplifies to g^k. If the hash of this result
2142  * matches hash(x), Alice knows that Bob has the group key b. The signed
2143  * response binds this knowledge to Bob's private key and the public key
2144  * previously received in his certificate.
2145  *
2146  * crypto_alice - construct Alice's challenge in IFF scheme
2147  *
2148  * Returns
2149  * XEVNT_OK	success
2150  * XEVNT_PUB	bad or missing public key
2151  * XEVNT_ID	bad or missing group key
2152  */
2153 static int
crypto_alice(struct peer * peer,struct value * vp)2154 crypto_alice(
2155 	struct peer *peer,	/* peer pointer */
2156 	struct value *vp	/* value pointer */
2157 	)
2158 {
2159 	DSA	*dsa;		/* IFF parameters */
2160 	BN_CTX	*bctx;		/* BIGNUM context */
2161 	EVP_MD_CTX ctx;		/* signature context */
2162 	tstamp_t tstamp;
2163 	u_int	len;
2164 
2165 	/*
2166 	 * The identity parameters must have correct format and content.
2167 	 */
2168 	if (peer->ident_pkey == NULL)
2169 		return (XEVNT_ID);
2170 
2171 	if ((dsa = peer->ident_pkey->pkey.dsa) == NULL) {
2172 		msyslog(LOG_INFO, "crypto_alice: defective key");
2173 		return (XEVNT_PUB);
2174 	}
2175 
2176 	/*
2177 	 * Roll new random r (0 < r < q). The OpenSSL library has a bug
2178 	 * omitting BN_rand_range, so we have to do it the hard way.
2179 	 */
2180 	bctx = BN_CTX_new();
2181 	len = BN_num_bytes(dsa->q);
2182 	if (peer->iffval != NULL)
2183 		BN_free(peer->iffval);
2184 	peer->iffval = BN_new();
2185 	BN_rand(peer->iffval, len * 8, -1, 1);	/* r */
2186 	BN_mod(peer->iffval, peer->iffval, dsa->q, bctx);
2187 	BN_CTX_free(bctx);
2188 
2189 	/*
2190 	 * Sign and send to Bob. The filestamp is from the local file.
2191 	 */
2192 	tstamp = crypto_time();
2193 	memset(vp, 0, sizeof(struct value));
2194 	vp->tstamp = htonl(tstamp);
2195 	vp->fstamp = htonl(peer->fstamp);
2196 	vp->vallen = htonl(len);
2197 	vp->ptr = emalloc(len);
2198 	BN_bn2bin(peer->iffval, vp->ptr);
2199 	vp->siglen = 0;
2200 	if (tstamp == 0)
2201 		return (XEVNT_OK);
2202 
2203 	if (tstamp < cinfo->first || tstamp > cinfo->last)
2204 		return (XEVNT_PER);
2205 
2206 	vp->sig = emalloc(sign_siglen);
2207 	EVP_SignInit(&ctx, sign_digest);
2208 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2209 	EVP_SignUpdate(&ctx, vp->ptr, len);
2210 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
2211 		vp->siglen = htonl(len);
2212 	return (XEVNT_OK);
2213 }
2214 
2215 
2216 /*
2217  * crypto_bob - construct Bob's response to Alice's challenge
2218  *
2219  * Returns
2220  * XEVNT_OK	success
2221  * XEVNT_ID	bad or missing group key
2222  * XEVNT_ERR	protocol error
2223  * XEVNT_PER	host expired certificate
2224  */
2225 static int
crypto_bob(struct exten * ep,struct value * vp)2226 crypto_bob(
2227 	struct exten *ep,	/* extension pointer */
2228 	struct value *vp	/* value pointer */
2229 	)
2230 {
2231 	DSA	*dsa;		/* IFF parameters */
2232 	DSA_SIG	*sdsa;		/* DSA signature context fake */
2233 	BN_CTX	*bctx;		/* BIGNUM context */
2234 	EVP_MD_CTX ctx;		/* signature context */
2235 	tstamp_t tstamp;	/* NTP timestamp */
2236 	BIGNUM	*bn, *bk, *r;
2237 	u_char	*ptr;
2238 	u_int	len;		/* extension field length */
2239 	u_int	vallen = 0;	/* value length */
2240 
2241 	/*
2242 	 * If the IFF parameters are not valid, something awful
2243 	 * happened or we are being tormented.
2244 	 */
2245 	if (iffpar_pkey == NULL) {
2246 		msyslog(LOG_INFO, "crypto_bob: scheme unavailable");
2247 		return (XEVNT_ID);
2248 	}
2249 	dsa = iffpar_pkey->pkey.dsa;
2250 
2251 	/*
2252 	 * Extract r from the challenge.
2253 	 */
2254 	vallen = ntohl(ep->vallen);
2255 	len = ntohl(ep->opcode) & 0x0000ffff;
2256 	if (vallen == 0 || len < VALUE_LEN || len - VALUE_LEN < vallen)
2257 		return XEVNT_LEN;
2258 	if ((r = BN_bin2bn((u_char *)ep->pkt, vallen, NULL)) == NULL) {
2259 		msyslog(LOG_ERR, "crypto_bob %s\n",
2260 		    ERR_error_string(ERR_get_error(), NULL));
2261 		return (XEVNT_ERR);
2262 	}
2263 
2264 	/*
2265 	 * Bob rolls random k (0 < k < q), computes y = k + b r mod q
2266 	 * and x = g^k mod p, then sends (y, hash(x)) to Alice.
2267 	 */
2268 	bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
2269 	sdsa = DSA_SIG_new();
2270 	BN_rand(bk, vallen * 8, -1, 1);		/* k */
2271 	BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */
2272 	BN_add(bn, bn, bk);
2273 	BN_mod(bn, bn, dsa->q, bctx);		/* k + b r mod q */
2274 	sdsa->r = BN_dup(bn);
2275 	BN_mod_exp(bk, dsa->g, bk, dsa->p, bctx); /* g^k mod p */
2276 	bighash(bk, bk);
2277 	sdsa->s = BN_dup(bk);
2278 	BN_CTX_free(bctx);
2279 	BN_free(r); BN_free(bn); BN_free(bk);
2280 
2281 	/*
2282 	 * Encode the values in ASN.1 and sign.
2283 	 */
2284 	vallen = i2d_DSA_SIG(sdsa, NULL);
2285 	if (vallen == 0) {
2286 		msyslog(LOG_ERR, "crypto_bob %s\n",
2287 		    ERR_error_string(ERR_get_error(), NULL));
2288 		DSA_SIG_free(sdsa);
2289 		return (XEVNT_ERR);
2290 	}
2291 	if (vallen > MAX_VALLEN) {
2292 		msyslog(LOG_ERR, "crypto_bob: signature is too big: %d",
2293 		    vallen);
2294 		DSA_SIG_free(sdsa);
2295 		return (XEVNT_LEN);
2296 	}
2297 	memset(vp, 0, sizeof(struct value));
2298 	tstamp = crypto_time();
2299 	vp->tstamp = htonl(tstamp);
2300 	vp->fstamp = htonl(if_fstamp);
2301 	vp->vallen = htonl(vallen);
2302 	ptr = emalloc(vallen);
2303 	vp->ptr = ptr;
2304 	i2d_DSA_SIG(sdsa, &ptr);
2305 	DSA_SIG_free(sdsa);
2306 	vp->siglen = 0;
2307 	if (tstamp == 0)
2308 		return (XEVNT_OK);
2309 
2310 	if (tstamp < cinfo->first || tstamp > cinfo->last)
2311 		return (XEVNT_PER);
2312 
2313 	/* XXX: more validation to make sure the sign fits... */
2314 	vp->sig = emalloc(sign_siglen);
2315 	EVP_SignInit(&ctx, sign_digest);
2316 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2317 	EVP_SignUpdate(&ctx, vp->ptr, vallen);
2318 	if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
2319 		vp->siglen = htonl(len);
2320 	return (XEVNT_OK);
2321 }
2322 
2323 
2324 /*
2325  * crypto_iff - verify Bob's response to Alice's challenge
2326  *
2327  * Returns
2328  * XEVNT_OK	success
2329  * XEVNT_PUB	bad or missing public key
2330  * XEVNT_ID	bad or missing group key
2331  * XEVNT_FSP	bad filestamp
2332  */
2333 int
crypto_iff(struct exten * ep,struct peer * peer)2334 crypto_iff(
2335 	struct exten *ep,	/* extension pointer */
2336 	struct peer *peer	/* peer structure pointer */
2337 	)
2338 {
2339 	DSA	*dsa;		/* IFF parameters */
2340 	BN_CTX	*bctx;		/* BIGNUM context */
2341 	DSA_SIG	*sdsa;		/* DSA parameters */
2342 	BIGNUM	*bn, *bk;
2343 	u_int	len;
2344 	const u_char	*ptr;
2345 	int	temp;
2346 
2347 	/*
2348 	 * If the IFF parameters are not valid or no challenge was sent,
2349 	 * something awful happened or we are being tormented.
2350 	 */
2351 	if (peer->ident_pkey == NULL) {
2352 		msyslog(LOG_INFO, "crypto_iff: scheme unavailable");
2353 		return (XEVNT_ID);
2354 	}
2355 	if (ntohl(ep->fstamp) != peer->fstamp) {
2356 		msyslog(LOG_INFO, "crypto_iff: invalid filestamp %u",
2357 		    ntohl(ep->fstamp));
2358 		return (XEVNT_FSP);
2359 	}
2360 	if ((dsa = peer->ident_pkey->pkey.dsa) == NULL) {
2361 		msyslog(LOG_INFO, "crypto_iff: defective key");
2362 		return (XEVNT_PUB);
2363 	}
2364 	if (peer->iffval == NULL) {
2365 		msyslog(LOG_INFO, "crypto_iff: missing challenge");
2366 		return (XEVNT_ID);
2367 	}
2368 
2369 	/*
2370 	 * Extract the k + b r and g^k values from the response.
2371 	 */
2372 	bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
2373 	len = ntohl(ep->vallen);
2374 	ptr = (const u_char *)ep->pkt;
2375 	if ((sdsa = d2i_DSA_SIG(NULL, &ptr, len)) == NULL) {
2376 		msyslog(LOG_ERR, "crypto_iff %s\n",
2377 		    ERR_error_string(ERR_get_error(), NULL));
2378 		return (XEVNT_ERR);
2379 	}
2380 
2381 	/*
2382 	 * Compute g^(k + b r) g^(q - b)r mod p.
2383 	 */
2384 	BN_mod_exp(bn, dsa->pub_key, peer->iffval, dsa->p, bctx);
2385 	BN_mod_exp(bk, dsa->g, sdsa->r, dsa->p, bctx);
2386 	BN_mod_mul(bn, bn, bk, dsa->p, bctx);
2387 
2388 	/*
2389 	 * Verify the hash of the result matches hash(x).
2390 	 */
2391 	bighash(bn, bn);
2392 	temp = BN_cmp(bn, sdsa->s);
2393 	BN_free(bn); BN_free(bk); BN_CTX_free(bctx);
2394 	BN_free(peer->iffval);
2395 	peer->iffval = NULL;
2396 	DSA_SIG_free(sdsa);
2397 	if (temp == 0)
2398 		return (XEVNT_OK);
2399 
2400 	else
2401 		return (XEVNT_ID);
2402 }
2403 
2404 
2405 /*
2406  ***********************************************************************
2407  *								       *
2408  * The following routines implement the Guillou-Quisquater (GQ)        *
2409  * identity scheme                                                     *
2410  *								       *
2411  ***********************************************************************
2412  *
2413  * The Guillou-Quisquater (GQ) identity scheme is intended for use when
2414  * the ntp-genkeys program generates the certificates used in the
2415  * protocol and the group key can be conveyed in a certificate extension
2416  * field. The scheme is self contained and independent of new
2417  * generations of host keys, sign keys and certificates.
2418  *
2419  * The GQ identity scheme is based on RSA cryptography and algorithms
2420  * described in Stinson p. 300 (with errors). The GQ values hide in a
2421  * RSA cuckoo structure, but only the modulus is used. The 512-bit
2422  * public modulus is n = p q, where p and q are secret large primes. The
2423  * TA rolls random group key b disguised as a RSA structure member.
2424  * Except for the public key, these values are shared only among group
2425  * members and never revealed in messages.
2426  *
2427  * When rolling new certificates, Bob recomputes the private and
2428  * public keys. The private key u is a random roll, while the public key
2429  * is the inverse obscured by the group key v = (u^-1)^b. These values
2430  * replace the private and public keys normally generated by the RSA
2431  * scheme. Alice challenges Bob to confirm identity using the protocol
2432  * described below.
2433  *
2434  * How it works
2435  *
2436  * The scheme goes like this. Both Alice and Bob have the same modulus n
2437  * and some random b as the group key. These values are computed and
2438  * distributed in advance via secret means, although only the group key
2439  * b is truly secret. Each has a private random private key u and public
2440  * key (u^-1)^b, although not necessarily the same ones. Bob and Alice
2441  * can regenerate the key pair from time to time without affecting
2442  * operations. The public key is conveyed on the certificate in an
2443  * extension field; the private key is never revealed.
2444  *
2445  * Alice rolls new random challenge r and sends to Bob in the GQ
2446  * request message. Bob rolls new random k, then computes y = k u^r mod
2447  * n and x = k^b mod n and sends (y, hash(x)) to Alice in the response
2448  * message. Besides making the response shorter, the hash makes it
2449  * effectivey impossible for an intruder to solve for b by observing
2450  * a number of these messages.
2451  *
2452  * Alice receives the response and computes y^b v^r mod n. After a bit
2453  * of algebra, this simplifies to k^b. If the hash of this result
2454  * matches hash(x), Alice knows that Bob has the group key b. The signed
2455  * response binds this knowledge to Bob's private key and the public key
2456  * previously received in his certificate.
2457  *
2458  * crypto_alice2 - construct Alice's challenge in GQ scheme
2459  *
2460  * Returns
2461  * XEVNT_OK	success
2462  * XEVNT_PUB	bad or missing public key
2463  * XEVNT_ID	bad or missing group key
2464  * XEVNT_PER	host certificate expired
2465  */
2466 static int
crypto_alice2(struct peer * peer,struct value * vp)2467 crypto_alice2(
2468 	struct peer *peer,	/* peer pointer */
2469 	struct value *vp	/* value pointer */
2470 	)
2471 {
2472 	RSA	*rsa;		/* GQ parameters */
2473 	BN_CTX	*bctx;		/* BIGNUM context */
2474 	EVP_MD_CTX ctx;		/* signature context */
2475 	tstamp_t tstamp;
2476 	u_int	len;
2477 
2478 	/*
2479 	 * The identity parameters must have correct format and content.
2480 	 */
2481 	if (peer->ident_pkey == NULL)
2482 		return (XEVNT_ID);
2483 
2484 	if ((rsa = peer->ident_pkey->pkey.rsa) == NULL) {
2485 		msyslog(LOG_INFO, "crypto_alice2: defective key");
2486 		return (XEVNT_PUB);
2487 	}
2488 
2489 	/*
2490 	 * Roll new random r (0 < r < n). The OpenSSL library has a bug
2491 	 * omitting BN_rand_range, so we have to do it the hard way.
2492 	 */
2493 	bctx = BN_CTX_new();
2494 	len = BN_num_bytes(rsa->n);
2495 	if (peer->iffval != NULL)
2496 		BN_free(peer->iffval);
2497 	peer->iffval = BN_new();
2498 	BN_rand(peer->iffval, len * 8, -1, 1);	/* r mod n */
2499 	BN_mod(peer->iffval, peer->iffval, rsa->n, bctx);
2500 	BN_CTX_free(bctx);
2501 
2502 	/*
2503 	 * Sign and send to Bob. The filestamp is from the local file.
2504 	 */
2505 	tstamp = crypto_time();
2506 	memset(vp, 0, sizeof(struct value));
2507 	vp->tstamp = htonl(tstamp);
2508 	vp->fstamp = htonl(peer->fstamp);
2509 	vp->vallen = htonl(len);
2510 	vp->ptr = emalloc(len);
2511 	BN_bn2bin(peer->iffval, vp->ptr);
2512 	vp->siglen = 0;
2513 	if (tstamp == 0)
2514 		return (XEVNT_OK);
2515 
2516 	if (tstamp < cinfo->first || tstamp > cinfo->last)
2517 		return (XEVNT_PER);
2518 
2519 	vp->sig = emalloc(sign_siglen);
2520 	EVP_SignInit(&ctx, sign_digest);
2521 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2522 	EVP_SignUpdate(&ctx, vp->ptr, len);
2523 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
2524 		vp->siglen = htonl(len);
2525 	return (XEVNT_OK);
2526 }
2527 
2528 
2529 /*
2530  * crypto_bob2 - construct Bob's response to Alice's challenge
2531  *
2532  * Returns
2533  * XEVNT_OK	success
2534  * XEVNT_ID	bad or missing group key
2535  * XEVNT_ERR	protocol error
2536  * XEVNT_PER	host certificate expired
2537  */
2538 static int
crypto_bob2(struct exten * ep,struct value * vp)2539 crypto_bob2(
2540 	struct exten *ep,	/* extension pointer */
2541 	struct value *vp	/* value pointer */
2542 	)
2543 {
2544 	RSA	*rsa;		/* GQ parameters */
2545 	DSA_SIG	*sdsa;		/* DSA parameters */
2546 	BN_CTX	*bctx;		/* BIGNUM context */
2547 	EVP_MD_CTX ctx;		/* signature context */
2548 	tstamp_t tstamp;	/* NTP timestamp */
2549 	BIGNUM	*r, *k, *g, *y;
2550 	u_char	*ptr;
2551 	u_int	len;
2552 
2553 	/*
2554 	 * If the GQ parameters are not valid, something awful
2555 	 * happened or we are being tormented.
2556 	 */
2557 	if (gqpar_pkey == NULL) {
2558 		msyslog(LOG_INFO, "crypto_bob2: scheme unavailable");
2559 		return (XEVNT_ID);
2560 	}
2561 	rsa = gqpar_pkey->pkey.rsa;
2562 
2563 	/*
2564 	 * Extract r from the challenge.
2565 	 */
2566 	len = ntohl(ep->vallen);
2567 	if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
2568 		msyslog(LOG_ERR, "crypto_bob2 %s\n",
2569 		    ERR_error_string(ERR_get_error(), NULL));
2570 		return (XEVNT_ERR);
2571 	}
2572 
2573 	/*
2574 	 * Bob rolls random k (0 < k < n), computes y = k u^r mod n and
2575 	 * x = k^b mod n, then sends (y, hash(x)) to Alice.
2576 	 */
2577 	bctx = BN_CTX_new(); k = BN_new(); g = BN_new(); y = BN_new();
2578 	sdsa = DSA_SIG_new();
2579 	BN_rand(k, len * 8, -1, 1);		/* k */
2580 	BN_mod(k, k, rsa->n, bctx);
2581 	BN_mod_exp(y, rsa->p, r, rsa->n, bctx); /* u^r mod n */
2582 	BN_mod_mul(y, k, y, rsa->n, bctx);	/* k u^r mod n */
2583 	sdsa->r = BN_dup(y);
2584 	BN_mod_exp(g, k, rsa->e, rsa->n, bctx); /* k^b mod n */
2585 	bighash(g, g);
2586 	sdsa->s = BN_dup(g);
2587 	BN_CTX_free(bctx);
2588 	BN_free(r); BN_free(k); BN_free(g); BN_free(y);
2589 
2590 	/*
2591 	 * Encode the values in ASN.1 and sign.
2592 	 */
2593 	tstamp = crypto_time();
2594 	memset(vp, 0, sizeof(struct value));
2595 	vp->tstamp = htonl(tstamp);
2596 	vp->fstamp = htonl(gq_fstamp);
2597 	len = i2d_DSA_SIG(sdsa, NULL);
2598 	if (len <= 0) {
2599 		msyslog(LOG_ERR, "crypto_bob2 %s\n",
2600 		    ERR_error_string(ERR_get_error(), NULL));
2601 		DSA_SIG_free(sdsa);
2602 		return (XEVNT_ERR);
2603 	}
2604 	vp->vallen = htonl(len);
2605 	ptr = emalloc(len);
2606 	vp->ptr = ptr;
2607 	i2d_DSA_SIG(sdsa, &ptr);
2608 	DSA_SIG_free(sdsa);
2609 	vp->siglen = 0;
2610 	if (tstamp == 0)
2611 		return (XEVNT_OK);
2612 
2613 	if (tstamp < cinfo->first || tstamp > cinfo->last)
2614 		return (XEVNT_PER);
2615 
2616 	vp->sig = emalloc(sign_siglen);
2617 	EVP_SignInit(&ctx, sign_digest);
2618 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2619 	EVP_SignUpdate(&ctx, vp->ptr, len);
2620 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
2621 		vp->siglen = htonl(len);
2622 	return (XEVNT_OK);
2623 }
2624 
2625 
2626 /*
2627  * crypto_gq - verify Bob's response to Alice's challenge
2628  *
2629  * Returns
2630  * XEVNT_OK	success
2631  * XEVNT_PUB	bad or missing public key
2632  * XEVNT_ID	bad or missing group keys
2633  * XEVNT_ERR	protocol error
2634  * XEVNT_FSP	bad filestamp
2635  */
2636 int
crypto_gq(struct exten * ep,struct peer * peer)2637 crypto_gq(
2638 	struct exten *ep,	/* extension pointer */
2639 	struct peer *peer	/* peer structure pointer */
2640 	)
2641 {
2642 	RSA	*rsa;		/* GQ parameters */
2643 	BN_CTX	*bctx;		/* BIGNUM context */
2644 	DSA_SIG	*sdsa;		/* RSA signature context fake */
2645 	BIGNUM	*y, *v;
2646 	const u_char	*ptr;
2647 	u_int	len;
2648 	int	temp;
2649 
2650 	/*
2651 	 * If the GQ parameters are not valid or no challenge was sent,
2652 	 * something awful happened or we are being tormented.
2653 	 */
2654 	if (peer->ident_pkey == NULL) {
2655 		msyslog(LOG_INFO, "crypto_gq: scheme unavailable");
2656 		return (XEVNT_ID);
2657 	}
2658 	if (ntohl(ep->fstamp) != peer->fstamp) {
2659 		msyslog(LOG_INFO, "crypto_gq: invalid filestamp %u",
2660 		    ntohl(ep->fstamp));
2661 		return (XEVNT_FSP);
2662 	}
2663 	if ((rsa = peer->ident_pkey->pkey.rsa) == NULL) {
2664 		msyslog(LOG_INFO, "crypto_gq: defective key");
2665 		return (XEVNT_PUB);
2666 	}
2667 	if (peer->iffval == NULL) {
2668 		msyslog(LOG_INFO, "crypto_gq: missing challenge");
2669 		return (XEVNT_ID);
2670 	}
2671 
2672 	/*
2673 	 * Extract the y = k u^r and hash(x = k^b) values from the
2674 	 * response.
2675 	 */
2676 	bctx = BN_CTX_new(); y = BN_new(); v = BN_new();
2677 	len = ntohl(ep->vallen);
2678 	ptr = (const u_char *)ep->pkt;
2679 	if ((sdsa = d2i_DSA_SIG(NULL, &ptr, len)) == NULL) {
2680 		msyslog(LOG_ERR, "crypto_gq %s\n",
2681 		    ERR_error_string(ERR_get_error(), NULL));
2682 		return (XEVNT_ERR);
2683 	}
2684 
2685 	/*
2686 	 * Compute v^r y^b mod n.
2687 	 */
2688 	BN_mod_exp(v, peer->grpkey, peer->iffval, rsa->n, bctx);
2689 						/* v^r mod n */
2690 	BN_mod_exp(y, sdsa->r, rsa->e, rsa->n, bctx); /* y^b mod n */
2691 	BN_mod_mul(y, v, y, rsa->n, bctx);	/* v^r y^b mod n */
2692 
2693 	/*
2694 	 * Verify the hash of the result matches hash(x).
2695 	 */
2696 	bighash(y, y);
2697 	temp = BN_cmp(y, sdsa->s);
2698 	BN_CTX_free(bctx); BN_free(y); BN_free(v);
2699 	BN_free(peer->iffval);
2700 	peer->iffval = NULL;
2701 	DSA_SIG_free(sdsa);
2702 	if (temp == 0)
2703 		return (XEVNT_OK);
2704 
2705 	else
2706 		return (XEVNT_ID);
2707 }
2708 
2709 
2710 /*
2711  ***********************************************************************
2712  *								       *
2713  * The following routines implement the Mu-Varadharajan (MV) identity  *
2714  * scheme                                                              *
2715  *								       *
2716  ***********************************************************************
2717  */
2718 /*
2719  * The Mu-Varadharajan (MV) cryptosystem was originally intended when
2720  * servers broadcast messages to clients, but clients never send
2721  * messages to servers. There is one encryption key for the server and a
2722  * separate decryption key for each client. It operated something like a
2723  * pay-per-view satellite broadcasting system where the session key is
2724  * encrypted by the broadcaster and the decryption keys are held in a
2725  * tamperproof set-top box.
2726  *
2727  * The MV parameters and private encryption key hide in a DSA cuckoo
2728  * structure which uses the same parameters, but generated in a
2729  * different way. The values are used in an encryption scheme similar to
2730  * El Gamal cryptography and a polynomial formed from the expansion of
2731  * product terms (x - x[j]), as described in Mu, Y., and V.
2732  * Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001,
2733  * 223-231. The paper has significant errors and serious omissions.
2734  *
2735  * Let q be the product of n distinct primes s'[j] (j = 1...n), where
2736  * each s'[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
2737  * that q and each s'[j] divide p - 1 and p has M = n * m + 1
2738  * significant bits. The elements x mod q of Zq with the elements 2 and
2739  * the primes removed form a field Zq* valid for polynomial arithetic.
2740  * Let g be a generator of Zp; that is, gcd(g, p - 1) = 1 and g^q = 1
2741  * mod p. We expect M to be in the 500-bit range and n relatively small,
2742  * like 25, so the likelihood of a randomly generated element of x mod q
2743  * of Zq colliding with a factor of p - 1 is very small and can be
2744  * avoided. Associated with each s'[j] is an element s[j] such that s[j]
2745  * s'[j] = s'[j] mod q. We find s[j] as the quotient (q + s'[j]) /
2746  * s'[j]. These are the parameters of the scheme and they are expensive
2747  * to compute.
2748  *
2749  * We set up an instance of the scheme as follows. A set of random
2750  * values x[j] mod q (j = 1...n), are generated as the zeros of a
2751  * polynomial of order n. The product terms (x - x[j]) are expanded to
2752  * form coefficients a[i] mod q (i = 0...n) in powers of x. These are
2753  * used as exponents of the generator g mod p to generate the private
2754  * encryption key A. The pair (gbar, ghat) of public server keys and the
2755  * pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used
2756  * to construct the decryption keys. The devil is in the details.
2757  *
2758  * The distinguishing characteristic of this scheme is the capability to
2759  * revoke keys. Included in the calculation of E, gbar and ghat is the
2760  * product s = prod(s'[j]) (j = 1...n) above. If the factor s'[j] is
2761  * subsequently removed from the product and E, gbar and ghat
2762  * recomputed, the jth client will no longer be able to compute E^-1 and
2763  * thus unable to decrypt the block.
2764  *
2765  * How it works
2766  *
2767  * The scheme goes like this. Bob has the server values (p, A, q, gbar,
2768  * ghat) and Alice the client values (p, xbar, xhat).
2769  *
2770  * Alice rolls new random challenge r (0 < r < p) and sends to Bob in
2771  * the MV request message. Bob rolls new random k (0 < k < q), encrypts
2772  * y = A^k mod p (a permutation) and sends (hash(y), gbar^k, ghat^k) to
2773  * Alice.
2774  *
2775  * Alice receives the response and computes the decryption key (the
2776  * inverse permutation) from previously obtained (xbar, xhat) and
2777  * (gbar^k, ghat^k) in the message. She computes the inverse, which is
2778  * unique by reasons explained in the ntp-keygen.c program sources. If
2779  * the hash of this result matches hash(y), Alice knows that Bob has the
2780  * group key b. The signed response binds this knowledge to Bob's
2781  * private key and the public key previously received in his
2782  * certificate.
2783  *
2784  * crypto_alice3 - construct Alice's challenge in MV scheme
2785  *
2786  * Returns
2787  * XEVNT_OK	success
2788  * XEVNT_PUB	bad or missing public key
2789  * XEVNT_ID	bad or missing group key
2790  * XEVNT_PER	host certificate expired
2791  */
2792 static int
crypto_alice3(struct peer * peer,struct value * vp)2793 crypto_alice3(
2794 	struct peer *peer,	/* peer pointer */
2795 	struct value *vp	/* value pointer */
2796 	)
2797 {
2798 	DSA	*dsa;		/* MV parameters */
2799 	BN_CTX	*bctx;		/* BIGNUM context */
2800 	EVP_MD_CTX ctx;		/* signature context */
2801 	tstamp_t tstamp;
2802 	u_int	len;
2803 
2804 	/*
2805 	 * The identity parameters must have correct format and content.
2806 	 */
2807 	if (peer->ident_pkey == NULL)
2808 		return (XEVNT_ID);
2809 
2810 	if ((dsa = peer->ident_pkey->pkey.dsa) == NULL) {
2811 		msyslog(LOG_INFO, "crypto_alice3: defective key");
2812 		return (XEVNT_PUB);
2813 	}
2814 
2815 	/*
2816 	 * Roll new random r (0 < r < q). The OpenSSL library has a bug
2817 	 * omitting BN_rand_range, so we have to do it the hard way.
2818 	 */
2819 	bctx = BN_CTX_new();
2820 	len = BN_num_bytes(dsa->p);
2821 	if (peer->iffval != NULL)
2822 		BN_free(peer->iffval);
2823 	peer->iffval = BN_new();
2824 	BN_rand(peer->iffval, len * 8, -1, 1);	/* r */
2825 	BN_mod(peer->iffval, peer->iffval, dsa->p, bctx);
2826 	BN_CTX_free(bctx);
2827 
2828 	/*
2829 	 * Sign and send to Bob. The filestamp is from the local file.
2830 	 */
2831 	tstamp = crypto_time();
2832 	memset(vp, 0, sizeof(struct value));
2833 	vp->tstamp = htonl(tstamp);
2834 	vp->fstamp = htonl(peer->fstamp);
2835 	vp->vallen = htonl(len);
2836 	vp->ptr = emalloc(len);
2837 	BN_bn2bin(peer->iffval, vp->ptr);
2838 	vp->siglen = 0;
2839 	if (tstamp == 0)
2840 		return (XEVNT_OK);
2841 
2842 	if (tstamp < cinfo->first || tstamp > cinfo->last)
2843 		return (XEVNT_PER);
2844 
2845 	vp->sig = emalloc(sign_siglen);
2846 	EVP_SignInit(&ctx, sign_digest);
2847 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2848 	EVP_SignUpdate(&ctx, vp->ptr, len);
2849 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
2850 		vp->siglen = htonl(len);
2851 	return (XEVNT_OK);
2852 }
2853 
2854 
2855 /*
2856  * crypto_bob3 - construct Bob's response to Alice's challenge
2857  *
2858  * Returns
2859  * XEVNT_OK	success
2860  * XEVNT_ERR	protocol error
2861  * XEVNT_PER	host certificate expired
2862  */
2863 static int
crypto_bob3(struct exten * ep,struct value * vp)2864 crypto_bob3(
2865 	struct exten *ep,	/* extension pointer */
2866 	struct value *vp	/* value pointer */
2867 	)
2868 {
2869 	DSA	*dsa;		/* MV parameters */
2870 	DSA	*sdsa;		/* DSA signature context fake */
2871 	BN_CTX	*bctx;		/* BIGNUM context */
2872 	EVP_MD_CTX ctx;		/* signature context */
2873 	tstamp_t tstamp;	/* NTP timestamp */
2874 	BIGNUM	*r, *k, *u;
2875 	u_char	*ptr;
2876 	u_int	len;
2877 
2878 	/*
2879 	 * If the MV parameters are not valid, something awful
2880 	 * happened or we are being tormented.
2881 	 */
2882 	if (mvpar_pkey == NULL) {
2883 		msyslog(LOG_INFO, "crypto_bob3: scheme unavailable");
2884 		return (XEVNT_ID);
2885 	}
2886 	dsa = mvpar_pkey->pkey.dsa;
2887 
2888 	/*
2889 	 * Extract r from the challenge.
2890 	 */
2891 	len = ntohl(ep->vallen);
2892 	if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
2893 		msyslog(LOG_ERR, "crypto_bob3 %s\n",
2894 		    ERR_error_string(ERR_get_error(), NULL));
2895 		return (XEVNT_ERR);
2896 	}
2897 
2898 	/*
2899 	 * Bob rolls random k (0 < k < q), making sure it is not a
2900 	 * factor of q. He then computes y = A^k r and sends (hash(y),
2901 	 * gbar^k, ghat^k) to Alice.
2902 	 */
2903 	bctx = BN_CTX_new(); k = BN_new(); u = BN_new();
2904 	sdsa = DSA_new();
2905 	sdsa->p = BN_new(); sdsa->q = BN_new(); sdsa->g = BN_new();
2906 	while (1) {
2907 		BN_rand(k, BN_num_bits(dsa->q), 0, 0);
2908 		BN_mod(k, k, dsa->q, bctx);
2909 		BN_gcd(u, k, dsa->q, bctx);
2910 		if (BN_is_one(u))
2911 			break;
2912 	}
2913 	BN_mod_exp(u, dsa->g, k, dsa->p, bctx); /* A r */
2914 	BN_mod_mul(u, u, r, dsa->p, bctx);
2915 	bighash(u, sdsa->p);
2916 	BN_mod_exp(sdsa->q, dsa->priv_key, k, dsa->p, bctx); /* gbar */
2917 	BN_mod_exp(sdsa->g, dsa->pub_key, k, dsa->p, bctx); /* ghat */
2918 	BN_CTX_free(bctx); BN_free(k); BN_free(r); BN_free(u);
2919 
2920 	/*
2921 	 * Encode the values in ASN.1 and sign.
2922 	 */
2923 	tstamp = crypto_time();
2924 	memset(vp, 0, sizeof(struct value));
2925 	vp->tstamp = htonl(tstamp);
2926 	vp->fstamp = htonl(mv_fstamp);
2927 	len = i2d_DSAparams(sdsa, NULL);
2928 	if (len <= 0) {
2929 		msyslog(LOG_ERR, "crypto_bob3 %s\n",
2930 		    ERR_error_string(ERR_get_error(), NULL));
2931 		DSA_free(sdsa);
2932 		return (XEVNT_ERR);
2933 	}
2934 	vp->vallen = htonl(len);
2935 	ptr = emalloc(len);
2936 	vp->ptr = ptr;
2937 	i2d_DSAparams(sdsa, &ptr);
2938 	DSA_free(sdsa);
2939 	vp->siglen = 0;
2940 	if (tstamp == 0)
2941 		return (XEVNT_OK);
2942 
2943 	if (tstamp < cinfo->first || tstamp > cinfo->last)
2944 		return (XEVNT_PER);
2945 
2946 	vp->sig = emalloc(sign_siglen);
2947 	EVP_SignInit(&ctx, sign_digest);
2948 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
2949 	EVP_SignUpdate(&ctx, vp->ptr, len);
2950 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
2951 		vp->siglen = htonl(len);
2952 	return (XEVNT_OK);
2953 }
2954 
2955 
2956 /*
2957  * crypto_mv - verify Bob's response to Alice's challenge
2958  *
2959  * Returns
2960  * XEVNT_OK	success
2961  * XEVNT_PUB	bad or missing public key
2962  * XEVNT_ID	bad or missing group key
2963  * XEVNT_ERR	protocol error
2964  * XEVNT_FSP	bad filestamp
2965  */
2966 int
crypto_mv(struct exten * ep,struct peer * peer)2967 crypto_mv(
2968 	struct exten *ep,	/* extension pointer */
2969 	struct peer *peer	/* peer structure pointer */
2970 	)
2971 {
2972 	DSA	*dsa;		/* MV parameters */
2973 	DSA	*sdsa;		/* DSA parameters */
2974 	BN_CTX	*bctx;		/* BIGNUM context */
2975 	BIGNUM	*k, *u, *v;
2976 	u_int	len;
2977 	const u_char	*ptr;
2978 	int	temp;
2979 
2980 	/*
2981 	 * If the MV parameters are not valid or no challenge was sent,
2982 	 * something awful happened or we are being tormented.
2983 	 */
2984 	if (peer->ident_pkey == NULL) {
2985 		msyslog(LOG_INFO, "crypto_mv: scheme unavailable");
2986 		return (XEVNT_ID);
2987 	}
2988 	if (ntohl(ep->fstamp) != peer->fstamp) {
2989 		msyslog(LOG_INFO, "crypto_mv: invalid filestamp %u",
2990 		    ntohl(ep->fstamp));
2991 		return (XEVNT_FSP);
2992 	}
2993 	if ((dsa = peer->ident_pkey->pkey.dsa) == NULL) {
2994 		msyslog(LOG_INFO, "crypto_mv: defective key");
2995 		return (XEVNT_PUB);
2996 	}
2997 	if (peer->iffval == NULL) {
2998 		msyslog(LOG_INFO, "crypto_mv: missing challenge");
2999 		return (XEVNT_ID);
3000 	}
3001 
3002 	/*
3003 	 * Extract the (hash(y), gbar, ghat) values from the response.
3004 	 */
3005 	bctx = BN_CTX_new(); k = BN_new(); u = BN_new(); v = BN_new();
3006 	len = ntohl(ep->vallen);
3007 	ptr = (const u_char *)ep->pkt;
3008 	if ((sdsa = d2i_DSAparams(NULL, &ptr, len)) == NULL) {
3009 		msyslog(LOG_ERR, "crypto_mv %s\n",
3010 		    ERR_error_string(ERR_get_error(), NULL));
3011 		return (XEVNT_ERR);
3012 	}
3013 
3014 	/*
3015 	 * Compute (gbar^xhat ghat^xbar)^-1 mod p.
3016 	 */
3017 	BN_mod_exp(u, sdsa->q, dsa->pub_key, dsa->p, bctx);
3018 	BN_mod_exp(v, sdsa->g, dsa->priv_key, dsa->p, bctx);
3019 	BN_mod_mul(u, u, v, dsa->p, bctx);
3020 	BN_mod_inverse(u, u, dsa->p, bctx);
3021 	BN_mod_mul(v, u, peer->iffval, dsa->p, bctx);
3022 
3023 	/*
3024 	 * The result should match the hash of r mod p.
3025 	 */
3026 	bighash(v, v);
3027 	temp = BN_cmp(v, sdsa->p);
3028 	BN_CTX_free(bctx); BN_free(k); BN_free(u); BN_free(v);
3029 	BN_free(peer->iffval);
3030 	peer->iffval = NULL;
3031 	DSA_free(sdsa);
3032 	if (temp == 0)
3033 		return (XEVNT_OK);
3034 
3035 	else
3036 		return (XEVNT_ID);
3037 }
3038 
3039 
3040 /*
3041  ***********************************************************************
3042  *								       *
3043  * The following routines are used to manipulate certificates          *
3044  *								       *
3045  ***********************************************************************
3046  */
3047 /*
3048  * cert_parse - parse x509 certificate and create info/value structures.
3049  *
3050  * The server certificate includes the version number, issuer name,
3051  * subject name, public key and valid date interval. If the issuer name
3052  * is the same as the subject name, the certificate is self signed and
3053  * valid only if the server is configured as trustable. If the names are
3054  * different, another issuer has signed the server certificate and
3055  * vouched for it. In this case the server certificate is valid if
3056  * verified by the issuer public key.
3057  *
3058  * Returns certificate info/value pointer if valid, NULL if not.
3059  */
3060 struct cert_info *		/* certificate information structure */
cert_parse(u_char * asn1cert,u_int len,tstamp_t fstamp)3061 cert_parse(
3062 	u_char	*asn1cert,	/* X509 certificate */
3063 	u_int	len,		/* certificate length */
3064 	tstamp_t fstamp		/* filestamp */
3065 	)
3066 {
3067 	X509	*cert;		/* X509 certificate */
3068 	X509_EXTENSION *ext;	/* X509v3 extension */
3069 	struct cert_info *ret;	/* certificate info/value */
3070 	BIO	*bp;
3071 	X509V3_EXT_METHOD *method;
3072 	char	pathbuf[MAXFILENAME];
3073 	u_char	*uptr;
3074 	char	*ptr;
3075 	int	temp, cnt, i;
3076 
3077 	/*
3078 	 * Decode ASN.1 objects and construct certificate structure.
3079 	 */
3080 	uptr = asn1cert;
3081 	if ((cert = d2i_X509(NULL, &uptr, len)) == NULL) {
3082 		msyslog(LOG_ERR, "cert_parse %s\n",
3083 		    ERR_error_string(ERR_get_error(), NULL));
3084 		return (NULL);
3085 	}
3086 
3087 	/*
3088 	 * Extract version, subject name and public key.
3089 	 */
3090 	ret = emalloc(sizeof(struct cert_info));
3091 	memset(ret, 0, sizeof(struct cert_info));
3092 	if ((ret->pkey = X509_get_pubkey(cert)) == NULL) {
3093 		msyslog(LOG_ERR, "cert_parse %s\n",
3094 		    ERR_error_string(ERR_get_error(), NULL));
3095 		cert_free(ret);
3096 		X509_free(cert);
3097 		return (NULL);
3098 	}
3099 	ret->version = X509_get_version(cert);
3100 	X509_NAME_oneline(X509_get_subject_name(cert), pathbuf,
3101 	    MAXFILENAME - 1);
3102 	ptr = strstr(pathbuf, "CN=");
3103 	if (ptr == NULL) {
3104 		msyslog(LOG_INFO, "cert_parse: invalid subject %s",
3105 		    pathbuf);
3106 		cert_free(ret);
3107 		X509_free(cert);
3108 		return (NULL);
3109 	}
3110 	ret->subject = emalloc(strlen(ptr) + 1);
3111 	strcpy(ret->subject, ptr + 3);
3112 
3113 	/*
3114 	 * Extract remaining objects. Note that the NTP serial number is
3115 	 * the NTP seconds at the time of signing, but this might not be
3116 	 * the case for other authority. We don't bother to check the
3117 	 * objects at this time, since the real crunch can happen only
3118 	 * when the time is valid but not yet certificated.
3119 	 */
3120 	ret->nid = OBJ_obj2nid(cert->cert_info->signature->algorithm);
3121 	ret->digest = (const EVP_MD *)EVP_get_digestbynid(ret->nid);
3122 	ret->serial =
3123 	    (u_long)ASN1_INTEGER_get(X509_get_serialNumber(cert));
3124 	X509_NAME_oneline(X509_get_issuer_name(cert), pathbuf,
3125 	    MAXFILENAME);
3126 	if ((ptr = strstr(pathbuf, "CN=")) == NULL) {
3127 		msyslog(LOG_INFO, "cert_parse: invalid issuer %s",
3128 		    pathbuf);
3129 		cert_free(ret);
3130 		X509_free(cert);
3131 		return (NULL);
3132 	}
3133 	ret->issuer = emalloc(strlen(ptr) + 1);
3134 	strcpy(ret->issuer, ptr + 3);
3135 	ret->first = asn2ntp(X509_get_notBefore(cert));
3136 	ret->last = asn2ntp(X509_get_notAfter(cert));
3137 
3138 	/*
3139 	 * Extract extension fields. These are ad hoc ripoffs of
3140 	 * currently assigned functions and will certainly be changed
3141 	 * before prime time.
3142 	 */
3143 	cnt = X509_get_ext_count(cert);
3144 	for (i = 0; i < cnt; i++) {
3145 		ext = X509_get_ext(cert, i);
3146 		method = X509V3_EXT_get(ext);
3147 		temp = OBJ_obj2nid(ext->object);
3148 		switch (temp) {
3149 
3150 		/*
3151 		 * If a key_usage field is present, we decode whether
3152 		 * this is a trusted or private certificate. This is
3153 		 * dorky; all we want is to compare NIDs, but OpenSSL
3154 		 * insists on BIO text strings.
3155 		 */
3156 		case NID_ext_key_usage:
3157 			bp = BIO_new(BIO_s_mem());
3158 			X509V3_EXT_print(bp, ext, 0, 0);
3159 			BIO_gets(bp, pathbuf, MAXFILENAME);
3160 			BIO_free(bp);
3161 #if DEBUG
3162 			if (debug)
3163 				printf("cert_parse: %s: %s\n",
3164 				    OBJ_nid2ln(temp), pathbuf);
3165 #endif
3166 			if (strcmp(pathbuf, "Trust Root") == 0)
3167 				ret->flags |= CERT_TRUST;
3168 			else if (strcmp(pathbuf, "Private") == 0)
3169 				ret->flags |= CERT_PRIV;
3170 			break;
3171 
3172 		/*
3173 		 * If a NID_subject_key_identifier field is present, it
3174 		 * contains the GQ public key.
3175 		 */
3176 		case NID_subject_key_identifier:
3177 			ret->grplen = ext->value->length - 2;
3178 			ret->grpkey = emalloc(ret->grplen);
3179 			memcpy(ret->grpkey, &ext->value->data[2],
3180 			    ret->grplen);
3181 			break;
3182 		}
3183 	}
3184 
3185 	/*
3186 	 * If certificate is self signed, verify signature.
3187 	 */
3188 	if (strcmp(ret->subject, ret->issuer) == 0) {
3189 		if (!X509_verify(cert, ret->pkey)) {
3190 			msyslog(LOG_INFO,
3191 			    "cert_parse: signature not verified %s",
3192 			    pathbuf);
3193 			cert_free(ret);
3194 			X509_free(cert);
3195 			return (NULL);
3196 		}
3197 	}
3198 
3199 	/*
3200 	 * Verify certificate valid times. Note that certificates cannot
3201 	 * be retroactive.
3202 	 */
3203 	if (ret->first > ret->last || ret->first < fstamp) {
3204 		msyslog(LOG_INFO,
3205 		    "cert_parse: invalid certificate %s first %u last %u fstamp %u",
3206 		    ret->subject, ret->first, ret->last, fstamp);
3207 		cert_free(ret);
3208 		X509_free(cert);
3209 		return (NULL);
3210 	}
3211 
3212 	/*
3213 	 * Build the value structure to sign and send later.
3214 	 */
3215 	ret->cert.fstamp = htonl(fstamp);
3216 	ret->cert.vallen = htonl(len);
3217 	ret->cert.ptr = emalloc(len);
3218 	memcpy(ret->cert.ptr, asn1cert, len);
3219 #ifdef DEBUG
3220 	if (debug > 1)
3221 		X509_print_fp(stdout, cert);
3222 #endif
3223 	X509_free(cert);
3224 	return (ret);
3225 }
3226 
3227 
3228 /*
3229  * cert_sign - sign x509 certificate equest and update value structure.
3230  *
3231  * The certificate request includes a copy of the host certificate,
3232  * which includes the version number, subject name and public key of the
3233  * host. The resulting certificate includes these values plus the
3234  * serial number, issuer name and valid interval of the server. The
3235  * valid interval extends from the current time to the same time one
3236  * year hence. This may extend the life of the signed certificate beyond
3237  * that of the signer certificate.
3238  *
3239  * It is convenient to use the NTP seconds of the current time as the
3240  * serial number. In the value structure the timestamp is the current
3241  * time and the filestamp is taken from the extension field. Note this
3242  * routine is called only when the client clock is synchronized to a
3243  * proventic source, so timestamp comparisons are valid.
3244  *
3245  * The host certificate is valid from the time it was generated for a
3246  * period of one year. A signed certificate is valid from the time of
3247  * signature for a period of one year, but only the host certificate (or
3248  * sign certificate if used) is actually used to encrypt and decrypt
3249  * signatures. The signature trail is built from the client via the
3250  * intermediate servers to the trusted server. Each signature on the
3251  * trail must be valid at the time of signature, but it could happen
3252  * that a signer certificate expire before the signed certificate, which
3253  * remains valid until its expiration.
3254  *
3255  * Returns
3256  * XEVNT_OK	success
3257  * XEVNT_PUB	bad or missing public key
3258  * XEVNT_CRT	bad or missing certificate
3259  * XEVNT_VFY	certificate not verified
3260  * XEVNT_PER	host certificate expired
3261  */
3262 static int
cert_sign(struct exten * ep,struct value * vp)3263 cert_sign(
3264 	struct exten *ep,	/* extension field pointer */
3265 	struct value *vp	/* value pointer */
3266 	)
3267 {
3268 	X509	*req;		/* X509 certificate request */
3269 	X509	*cert;		/* X509 certificate */
3270 	X509_EXTENSION *ext;	/* certificate extension */
3271 	ASN1_INTEGER *serial;	/* serial number */
3272 	X509_NAME *subj;	/* distinguished (common) name */
3273 	EVP_PKEY *pkey;		/* public key */
3274 	EVP_MD_CTX ctx;		/* message digest context */
3275 	tstamp_t tstamp;	/* NTP timestamp */
3276 	u_int	len;
3277 	u_char	*ptr;
3278 	int	i, temp;
3279 
3280 	/*
3281 	 * Decode ASN.1 objects and construct certificate structure.
3282 	 * Make sure the system clock is synchronized to a proventic
3283 	 * source.
3284 	 */
3285 	tstamp = crypto_time();
3286 	if (tstamp == 0)
3287 		return (XEVNT_TSP);
3288 
3289 	if (tstamp < cinfo->first || tstamp > cinfo->last)
3290 		return (XEVNT_PER);
3291 
3292 	ptr = (u_char *)ep->pkt;
3293 	if ((req = d2i_X509(NULL, &ptr, ntohl(ep->vallen))) == NULL) {
3294 		msyslog(LOG_ERR, "cert_sign %s\n",
3295 		    ERR_error_string(ERR_get_error(), NULL));
3296 		return (XEVNT_CRT);
3297 	}
3298 	/*
3299 	 * Extract public key and check for errors.
3300 	 */
3301 	if ((pkey = X509_get_pubkey(req)) == NULL) {
3302 		msyslog(LOG_ERR, "cert_sign %s\n",
3303 		    ERR_error_string(ERR_get_error(), NULL));
3304 		X509_free(req);
3305 		return (XEVNT_PUB);
3306 	}
3307 
3308 	/*
3309 	 * Generate X509 certificate signed by this server. For this
3310 	 * purpose the issuer name is the server name. Also copy any
3311 	 * extensions that might be present.
3312 	 */
3313 	cert = X509_new();
3314 	X509_set_version(cert, X509_get_version(req));
3315 	serial = ASN1_INTEGER_new();
3316 	ASN1_INTEGER_set(serial, tstamp);
3317 	X509_set_serialNumber(cert, serial);
3318 	X509_gmtime_adj(X509_get_notBefore(cert), 0L);
3319 	X509_gmtime_adj(X509_get_notAfter(cert), YEAR);
3320 	subj = X509_get_issuer_name(cert);
3321 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
3322 	    (u_char *)sys_hostname, strlen(sys_hostname), -1, 0);
3323 	subj = X509_get_subject_name(req);
3324 	X509_set_subject_name(cert, subj);
3325 	X509_set_pubkey(cert, pkey);
3326 	ext = X509_get_ext(req, 0);
3327 	temp = X509_get_ext_count(req);
3328 	for (i = 0; i < temp; i++) {
3329 		ext = X509_get_ext(req, i);
3330 		X509_add_ext(cert, ext, -1);
3331 	}
3332 	X509_free(req);
3333 
3334 	/*
3335 	 * Sign and verify the certificate.
3336 	 */
3337 	X509_sign(cert, sign_pkey, sign_digest);
3338 	if (!X509_verify(cert, sign_pkey)) {
3339 		printf("cert_sign\n%s\n",
3340 		    ERR_error_string(ERR_get_error(), NULL));
3341 		X509_free(cert);
3342 		return (XEVNT_VFY);
3343 	}
3344 	len = i2d_X509(cert, NULL);
3345 
3346 	/*
3347 	 * Build and sign the value structure. We have to sign it here,
3348 	 * since the response has to be returned right away. This is a
3349 	 * clogging hazard.
3350 	 */
3351 	memset(vp, 0, sizeof(struct value));
3352 	vp->tstamp = htonl(tstamp);
3353 	vp->fstamp = ep->fstamp;
3354 	vp->vallen = htonl(len);
3355 	vp->ptr = emalloc(len);
3356 	ptr = vp->ptr;
3357 	i2d_X509(cert, &ptr);
3358 	vp->siglen = 0;
3359 	vp->sig = emalloc(sign_siglen);
3360 	EVP_SignInit(&ctx, sign_digest);
3361 	EVP_SignUpdate(&ctx, (u_char *)vp, 12);
3362 	EVP_SignUpdate(&ctx, vp->ptr, len);
3363 	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
3364 		vp->siglen = htonl(len);
3365 #ifdef DEBUG
3366 	if (debug > 1)
3367 		X509_print_fp(stdout, cert);
3368 #endif
3369 	X509_free(cert);
3370 	return (XEVNT_OK);
3371 }
3372 
3373 
3374 /*
3375  * cert_valid - verify certificate with given public key
3376  *
3377  * This is pretty ugly, as the certificate has to be verified in the
3378  * OpenSSL X509 structure, not in the DER format in the info/value
3379  * structure.
3380  *
3381  * Returns
3382  * XEVNT_OK	success
3383  * XEVNT_VFY	certificate not verified
3384  */
3385 int
cert_valid(struct cert_info * cinf,EVP_PKEY * pkey)3386 cert_valid(
3387 	struct cert_info *cinf,	/* certificate information structure */
3388 	EVP_PKEY *pkey		/* public key */
3389 	)
3390 {
3391 	X509	*cert;		/* X509 certificate */
3392 	u_char	*ptr;
3393 
3394 	if (cinf->flags & CERT_SIGN)
3395 		return (XEVNT_OK);
3396 
3397 	ptr = (u_char *)cinf->cert.ptr;
3398 	cert = d2i_X509(NULL, &ptr, ntohl(cinf->cert.vallen));
3399 	if (cert == NULL || !X509_verify(cert, pkey))
3400 		return (XEVNT_VFY);
3401 
3402 	X509_free(cert);
3403 	return (XEVNT_OK);
3404 }
3405 
3406 
3407 /*
3408  * cert - install certificate in certificate list
3409  *
3410  * This routine encodes an extension field into a certificate info/value
3411  * structure. It searches the certificate list for duplicates and
3412  * expunges whichever is older. It then searches the list for other
3413  * certificates that might be verified by this latest one. Finally, it
3414  * inserts this certificate first on the list.
3415  *
3416  * Returns
3417  * XEVNT_OK	success
3418  * XEVNT_FSP	bad or missing filestamp
3419  * XEVNT_CRT	bad or missing certificate
3420  */
3421 int
cert_install(struct exten * ep,struct peer * peer)3422 cert_install(
3423 	struct exten *ep,	/* cert info/value */
3424 	struct peer *peer	/* peer structure */
3425 	)
3426 {
3427 	struct cert_info *cp, *xp, *yp, **zp;
3428 
3429 	/*
3430 	 * Parse and validate the signed certificate. If valid,
3431 	 * construct the info/value structure; otherwise, scamper home.
3432 	 */
3433 	if ((cp = cert_parse((u_char *)ep->pkt, ntohl(ep->vallen),
3434 	    ntohl(ep->fstamp))) == NULL)
3435 		return (XEVNT_CRT);
3436 
3437 	/*
3438 	 * Scan certificate list looking for another certificate with
3439 	 * the same subject and issuer. If another is found with the
3440 	 * same or older filestamp, unlink it and return the goodies to
3441 	 * the heap. If another is found with a later filestamp, discard
3442 	 * the new one and leave the building.
3443 	 *
3444 	 * Make a note to study this issue again. An earlier certificate
3445 	 * with a long lifetime might be overtaken by a later
3446 	 * certificate with a short lifetime, thus invalidating the
3447 	 * earlier signature. However, we gotta find a way to leak old
3448 	 * stuff from the cache, so we do it anyway.
3449 	 */
3450 	yp = cp;
3451 	zp = &cinfo;
3452 	for (xp = cinfo; xp != NULL; xp = xp->link) {
3453 		if (strcmp(cp->subject, xp->subject) == 0 &&
3454 		    strcmp(cp->issuer, xp->issuer) == 0) {
3455 			if (ntohl(cp->cert.fstamp) <=
3456 			    ntohl(xp->cert.fstamp)) {
3457 				*zp = xp->link;;
3458 				cert_free(xp);
3459 			} else {
3460 				cert_free(cp);
3461 				return (XEVNT_FSP);
3462 			}
3463 			break;
3464 		}
3465 		zp = &xp->link;
3466 	}
3467 	yp->link = cinfo;
3468 	cinfo = yp;
3469 
3470 	/*
3471 	 * Scan the certificate list to see if Y is signed by X. This is
3472 	 * independent of order.
3473 	 */
3474 	for (yp = cinfo; yp != NULL; yp = yp->link) {
3475 		for (xp = cinfo; xp != NULL; xp = xp->link) {
3476 
3477 			/*
3478 			 * If the issuer of certificate Y matches the
3479 			 * subject of certificate X, verify the
3480 			 * signature of Y using the public key of X. If
3481 			 * so, X signs Y.
3482 			 */
3483 			if (strcmp(yp->issuer, xp->subject) != 0 ||
3484 				xp->flags & CERT_ERROR)
3485 				continue;
3486 
3487 			if (cert_valid(yp, xp->pkey) != XEVNT_OK) {
3488 				yp->flags |= CERT_ERROR;
3489 				continue;
3490 			}
3491 
3492 			/*
3493 			 * The signature Y is valid only if it begins
3494 			 * during the lifetime of X; however, it is not
3495 			 * necessarily an error, since some other
3496 			 * certificate might sign Y.
3497 			 */
3498 			if (yp->first < xp->first || yp->first >
3499 			    xp->last)
3500 				continue;
3501 
3502 			yp->flags |= CERT_SIGN;
3503 
3504 			/*
3505 			 * If X is trusted, then Y is trusted. Note that
3506 			 * we might stumble over a self-signed
3507 			 * certificate that is not trusted, at least
3508 			 * temporarily. This can happen when a dude
3509 			 * first comes up, but has not synchronized the
3510 			 * clock and had its certificate signed by its
3511 			 * server. In case of broken certificate trail,
3512 			 * this might result in a loop that could
3513 			 * persist until timeout.
3514 			 */
3515 			if (!(xp->flags & (CERT_TRUST | CERT_VALID)))
3516 				continue;
3517 
3518 			yp->flags |= CERT_VALID;
3519 
3520 			/*
3521 			 * If subject Y matches the server subject name,
3522 			 * then Y has completed the certificate trail.
3523 			 * Save the group key and light the valid bit.
3524 			 */
3525 			if (strcmp(yp->subject, peer->subject) != 0)
3526 				continue;
3527 
3528 			if (yp->grpkey != NULL) {
3529 				if (peer->grpkey != NULL)
3530 					BN_free(peer->grpkey);
3531 				peer->grpkey = BN_bin2bn(yp->grpkey,
3532 				     yp->grplen, NULL);
3533 			}
3534 			peer->crypto |= CRYPTO_FLAG_VALID;
3535 
3536 			/*
3537 			 * If the server has an an identity scheme,
3538 			 * fetch the identity credentials. If not, the
3539 			 * identity is verified only by the trusted
3540 			 * certificate. The next signature will set the
3541 			 * server proventic.
3542 			 */
3543 			if (peer->crypto & (CRYPTO_FLAG_GQ |
3544 			    CRYPTO_FLAG_IFF | CRYPTO_FLAG_MV))
3545 				continue;
3546 
3547 			peer->crypto |= CRYPTO_FLAG_VRFY;
3548 		}
3549 	}
3550 
3551 	/*
3552 	 * That was awesome. Now update the timestamps and signatures.
3553 	 */
3554 	crypto_update();
3555 	return (XEVNT_OK);
3556 }
3557 
3558 
3559 /*
3560  * cert_free - free certificate information structure
3561  */
3562 void
cert_free(struct cert_info * cinf)3563 cert_free(
3564 	struct cert_info *cinf	/* certificate info/value structure */
3565 	)
3566 {
3567 	if (cinf->pkey != NULL)
3568 		EVP_PKEY_free(cinf->pkey);
3569 	if (cinf->subject != NULL)
3570 		free(cinf->subject);
3571 	if (cinf->issuer != NULL)
3572 		free(cinf->issuer);
3573 	if (cinf->grpkey != NULL)
3574 		free(cinf->grpkey);
3575 	value_free(&cinf->cert);
3576 	free(cinf);
3577 }
3578 
3579 
3580 /*
3581  ***********************************************************************
3582  *								       *
3583  * The following routines are used only at initialization time         *
3584  *								       *
3585  ***********************************************************************
3586  */
3587 /*
3588  * crypto_key - load cryptographic parameters and keys from files
3589  *
3590  * This routine loads a PEM-encoded public/private key pair and extracts
3591  * the filestamp from the file name.
3592  *
3593  * Returns public key pointer if valid, NULL if not. Side effect updates
3594  * the filestamp if valid.
3595  */
3596 static EVP_PKEY *
crypto_key(char * cp,tstamp_t * fstamp)3597 crypto_key(
3598 	char	*cp,		/* file name */
3599 	tstamp_t *fstamp	/* filestamp */
3600 	)
3601 {
3602 	FILE	*str;		/* file handle */
3603 	EVP_PKEY *pkey = NULL;	/* public/private key */
3604 	char	filename[MAXFILENAME]; /* name of key file */
3605 	char	linkname[MAXFILENAME]; /* filestamp buffer) */
3606 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
3607 	char	*ptr;
3608 
3609 	/*
3610 	 * Open the key file. If the first character of the file name is
3611 	 * not '/', prepend the keys directory string. If something goes
3612 	 * wrong, abandon ship.
3613 	 */
3614 	if (*cp == '/')
3615 		strcpy(filename, cp);
3616 	else
3617 		snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
3618 	str = fopen(filename, "r");
3619 	if (str == NULL)
3620 		return (NULL);
3621 
3622 	/*
3623 	 * Read the filestamp, which is contained in the first line.
3624 	 */
3625 	if ((ptr = fgets(linkname, MAXFILENAME, str)) == NULL) {
3626 		msyslog(LOG_ERR, "crypto_key: no data %s\n",
3627 		    filename);
3628 		(void)fclose(str);
3629 		return (NULL);
3630 	}
3631 	if ((ptr = strrchr(ptr, '.')) == NULL) {
3632 		msyslog(LOG_ERR, "crypto_key: no filestamp %s\n",
3633 		    filename);
3634 		(void)fclose(str);
3635 		return (NULL);
3636 	}
3637 	if (sscanf(++ptr, "%u", fstamp) != 1) {
3638 		msyslog(LOG_ERR, "crypto_key: invalid timestamp %s\n",
3639 		    filename);
3640 		(void)fclose(str);
3641 		return (NULL);
3642 	}
3643 
3644 	/*
3645 	 * Read and decrypt PEM-encoded private key.
3646 	 */
3647 	pkey = PEM_read_PrivateKey(str, NULL, NULL, passwd);
3648 	fclose(str);
3649 	if (pkey == NULL) {
3650 		msyslog(LOG_ERR, "crypto_key %s\n",
3651 		    ERR_error_string(ERR_get_error(), NULL));
3652 		return (NULL);
3653 	}
3654 
3655 	/*
3656 	 * Leave tracks in the cryptostats.
3657 	 */
3658 	if ((ptr = strrchr(linkname, '\n')) != NULL)
3659 		*ptr = '\0';
3660 	snprintf(statstr, NTP_MAXSTRLEN, "%s mod %d", &linkname[2],
3661 	    EVP_PKEY_size(pkey) * 8);
3662 	record_crypto_stats(NULL, statstr);
3663 #ifdef DEBUG
3664 	if (debug)
3665 		printf("crypto_key: %s\n", statstr);
3666 	if (debug > 1) {
3667 		if (pkey->type == EVP_PKEY_DSA)
3668 			DSA_print_fp(stdout, pkey->pkey.dsa, 0);
3669 		else
3670 			RSA_print_fp(stdout, pkey->pkey.rsa, 0);
3671 	}
3672 #endif
3673 	return (pkey);
3674 }
3675 
3676 
3677 /*
3678  * crypto_cert - load certificate from file
3679  *
3680  * This routine loads a X.509 RSA or DSA certificate from a file and
3681  * constructs a info/cert value structure for this machine. The
3682  * structure includes a filestamp extracted from the file name. Later
3683  * the certificate can be sent to another machine by request.
3684  *
3685  * Returns certificate info/value pointer if valid, NULL if not.
3686  */
3687 static struct cert_info *	/* certificate information */
crypto_cert(char * cp)3688 crypto_cert(
3689 	char	*cp		/* file name */
3690 	)
3691 {
3692 	struct cert_info *ret; /* certificate information */
3693 	FILE	*str;		/* file handle */
3694 	char	filename[MAXFILENAME]; /* name of certificate file */
3695 	char	linkname[MAXFILENAME]; /* filestamp buffer */
3696 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
3697 	tstamp_t fstamp;	/* filestamp */
3698 	long	len;
3699 	char	*ptr;
3700 	char	*name, *header;
3701 	u_char	*data;
3702 
3703 	/*
3704 	 * Open the certificate file. If the first character of the file
3705 	 * name is not '/', prepend the keys directory string. If
3706 	 * something goes wrong, abandon ship.
3707 	 */
3708 	if (*cp == '/')
3709 		strcpy(filename, cp);
3710 	else
3711 		snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
3712 	str = fopen(filename, "r");
3713 	if (str == NULL)
3714 		return (NULL);
3715 
3716 	/*
3717 	 * Read the filestamp, which is contained in the first line.
3718 	 */
3719 	if ((ptr = fgets(linkname, MAXFILENAME, str)) == NULL) {
3720 		msyslog(LOG_ERR, "crypto_cert: no data %s\n",
3721 		    filename);
3722 		(void)fclose(str);
3723 		return (NULL);
3724 	}
3725 	if ((ptr = strrchr(ptr, '.')) == NULL) {
3726 		msyslog(LOG_ERR, "crypto_cert: no filestamp %s\n",
3727 		    filename);
3728 		(void)fclose(str);
3729 		return (NULL);
3730 	}
3731 	if (sscanf(++ptr, "%u", &fstamp) != 1) {
3732 		msyslog(LOG_ERR, "crypto_cert: invalid filestamp %s\n",
3733 		    filename);
3734 		(void)fclose(str);
3735 		return (NULL);
3736 	}
3737 
3738 	/*
3739 	 * Read PEM-encoded certificate and install.
3740 	 */
3741 	if (!PEM_read(str, &name, &header, &data, &len)) {
3742 		msyslog(LOG_ERR, "crypto_cert %s\n",
3743 		    ERR_error_string(ERR_get_error(), NULL));
3744 		(void)fclose(str);
3745 		return (NULL);
3746 	}
3747 	free(header);
3748 	if (strcmp(name, "CERTIFICATE") !=0) {
3749 		msyslog(LOG_INFO, "crypto_cert: wrong PEM type %s",
3750 		    name);
3751 		free(name);
3752 		free(data);
3753 		(void)fclose(str);
3754 		return (NULL);
3755 	}
3756 	free(name);
3757 
3758 	/*
3759 	 * Parse certificate and generate info/value structure.
3760 	 */
3761 	ret = cert_parse(data, len, fstamp);
3762 	free(data);
3763 	(void)fclose(str);
3764 	if (ret == NULL)
3765 		return (NULL);
3766 
3767 	if ((ptr = strrchr(linkname, '\n')) != NULL)
3768 		*ptr = '\0';
3769 	snprintf(statstr, NTP_MAXSTRLEN,
3770 	    "%s 0x%x len %lu", &linkname[2], ret->flags, len);
3771 	record_crypto_stats(NULL, statstr);
3772 #ifdef DEBUG
3773 	if (debug)
3774 		printf("crypto_cert: %s\n", statstr);
3775 #endif
3776 	return (ret);
3777 }
3778 
3779 
3780 /*
3781  * crypto_tai - load leapseconds table from file
3782  *
3783  * This routine loads the ERTS leapsecond file in NIST text format,
3784  * converts to a value structure and extracts a filestamp from the file
3785  * name. The data are used to establish the TAI offset from UTC, which
3786  * is provided to the kernel if supported. Later the data can be sent to
3787  * another machine on request.
3788  */
3789 static void
crypto_tai(char * cp)3790 crypto_tai(
3791 	char	*cp		/* file name */
3792 	)
3793 {
3794 	FILE	*str;		/* file handle */
3795 	char	buf[NTP_MAXSTRLEN];	/* file line buffer */
3796 	u_int32	leapsec[MAX_LEAP]; /* NTP time at leaps */
3797 	int	offset;		/* offset at leap (s) */
3798 	char	filename[MAXFILENAME]; /* name of leapseconds file */
3799 	char	linkname[MAXFILENAME]; /* file link (for filestamp) */
3800 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
3801 	tstamp_t fstamp;	/* filestamp */
3802 	u_int	len;
3803 	u_int32	*ptr;
3804 	char	*dp;
3805 	int	rval, i, j;
3806 
3807 	/*
3808 	 * Open the file and discard comment lines. If the first
3809 	 * character of the file name is not '/', prepend the keys
3810 	 * directory string. If the file is not found, not to worry; it
3811 	 * can be retrieved over the net. But, if it is found with
3812 	 * errors, we crash and burn.
3813 	 */
3814 	if (*cp == '/')
3815 		strcpy(filename, cp);
3816 	else
3817 		snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
3818 	if ((str = fopen(filename, "r")) == NULL)
3819 		return;
3820 
3821 	/*
3822 	 * Extract filestamp if present.
3823 	 */
3824 	rval = readlink(filename, linkname, MAXFILENAME - 1);
3825 	if (rval > 0) {
3826 		linkname[rval] = '\0';
3827 		dp = strrchr(linkname, '.');
3828 	} else {
3829 		dp = strrchr(filename, '.');
3830 	}
3831 	if (dp != NULL)
3832 		sscanf(++dp, "%u", &fstamp);
3833 	else
3834 		fstamp = 0;
3835 	tai_leap.fstamp = htonl(fstamp);
3836 
3837 	/*
3838 	 * We are rather paranoid here, since an intruder might cause a
3839 	 * coredump by infiltrating naughty values. Empty lines and
3840 	 * comments are ignored. Other lines must begin with two
3841 	 * integers followed by junk or comments. The first integer is
3842 	 * the NTP seconds of leap insertion, the second is the offset
3843 	 * of TAI relative to UTC after that insertion. The second word
3844 	 * must equal the initial insertion of ten seconds on 1 January
3845 	 * 1972 plus one second for each succeeding insertion.
3846 	 */
3847 	i = 0;
3848 	while (i < MAX_LEAP) {
3849 		dp = fgets(buf, NTP_MAXSTRLEN - 1, str);
3850 		if (dp == NULL)
3851 			break;
3852 
3853 		if (strlen(buf) < 1)
3854 			continue;
3855 
3856 		if (*buf == '#')
3857 			continue;
3858 
3859 		if (sscanf(buf, "%u %d", &leapsec[i], &offset) != 2)
3860 			continue;
3861 
3862 		if (i != offset - TAI_1972)
3863 			break;
3864 
3865 		i++;
3866 	}
3867 	fclose(str);
3868 	if (dp != NULL) {
3869 		msyslog(LOG_INFO,
3870 		    "crypto_tai: leapseconds file %s error %d", cp,
3871 		    rval);
3872 		exit (-1);
3873 	}
3874 
3875 	/*
3876 	 * The extension field table entries consists of the NTP seconds
3877 	 * of leap insertion in network byte order.
3878 	 */
3879 	len = i * sizeof(u_int32);
3880 	tai_leap.vallen = htonl(len);
3881 	ptr = emalloc(len);
3882 	tai_leap.ptr = (u_char *)ptr;
3883 	for (j = 0; j < i; j++)
3884 		*ptr++ = htonl(leapsec[j]);
3885 	crypto_flags |= CRYPTO_FLAG_TAI;
3886 	snprintf(statstr, NTP_MAXSTRLEN, "%s fs %u leap %u len %u", cp, fstamp,
3887 	   leapsec[--j], len);
3888 	record_crypto_stats(NULL, statstr);
3889 #ifdef DEBUG
3890 	if (debug)
3891 		printf("crypto_tai: %s\n", statstr);
3892 #endif
3893 }
3894 
3895 
3896 /*
3897  * crypto_setup - load keys, certificate and leapseconds table
3898  *
3899  * This routine loads the public/private host key and certificate. If
3900  * available, it loads the public/private sign key, which defaults to
3901  * the host key, and leapseconds table. The host key must be RSA, but
3902  * the sign key can be either RSA or DSA. In either case, the public key
3903  * on the certificate must agree with the sign key.
3904  */
3905 void
crypto_setup(void)3906 crypto_setup(void)
3907 {
3908 	EVP_PKEY *pkey;		/* private/public key pair */
3909 	char	filename[MAXFILENAME]; /* file name buffer */
3910 	l_fp	seed;		/* crypto PRNG seed as NTP timestamp */
3911 	tstamp_t fstamp;	/* filestamp */
3912 	tstamp_t sstamp;	/* sign filestamp */
3913 	u_int	len, bytes;
3914 	u_char	*ptr;
3915 
3916 	/*
3917 	 * Initialize structures.
3918 	 */
3919 	if (!crypto_flags)
3920 		return;
3921 
3922 	gethostname(filename, MAXFILENAME);
3923 	bytes = strlen(filename) + 1;
3924 	sys_hostname = emalloc(bytes);
3925 	memcpy(sys_hostname, filename, bytes);
3926 	if (passwd == NULL)
3927 		passwd = sys_hostname;
3928 	memset(&hostval, 0, sizeof(hostval));
3929 	memset(&pubkey, 0, sizeof(pubkey));
3930 	memset(&tai_leap, 0, sizeof(tai_leap));
3931 
3932 	/*
3933 	 * Load required random seed file and seed the random number
3934 	 * generator. Be default, it is found in the user home
3935 	 * directory. The root home directory may be / or /root,
3936 	 * depending on the system. Wiggle the contents a bit and write
3937 	 * it back so the sequence does not repeat when we next restart.
3938 	 */
3939 	ERR_load_crypto_strings();
3940 	if (rand_file == NULL) {
3941 		if ((RAND_file_name(filename, MAXFILENAME)) != NULL) {
3942 			rand_file = emalloc(strlen(filename) + 1);
3943 			strcpy(rand_file, filename);
3944 		}
3945 	} else if (*rand_file != '/') {
3946 		snprintf(filename, MAXFILENAME, "%s/%s", keysdir,
3947 		    rand_file);
3948 		free(rand_file);
3949 		rand_file = emalloc(strlen(filename) + 1);
3950 		strcpy(rand_file, filename);
3951 	}
3952 	if (rand_file == NULL) {
3953 		msyslog(LOG_ERR,
3954 		    "crypto_setup: random seed file not specified");
3955 		exit (-1);
3956 	}
3957 	if ((bytes = RAND_load_file(rand_file, -1)) == 0) {
3958 		msyslog(LOG_ERR,
3959 		    "crypto_setup: random seed file %s not found\n",
3960 		    rand_file);
3961 		exit (-1);
3962 	}
3963 	arc4random_buf(&seed, sizeof(l_fp));
3964 	RAND_seed(&seed, sizeof(l_fp));
3965 	RAND_write_file(rand_file);
3966 	OpenSSL_add_all_algorithms();
3967 #ifdef DEBUG
3968 	if (debug)
3969 		printf(
3970 		    "crypto_setup: OpenSSL version %lx random seed file %s bytes read %d\n",
3971 		    SSLeay(), rand_file, bytes);
3972 #endif
3973 
3974 	/*
3975 	 * Load required host key from file "ntpkey_host_<hostname>". It
3976 	 * also becomes the default sign key.
3977 	 */
3978 	if (host_file == NULL) {
3979 		snprintf(filename, MAXFILENAME, "ntpkey_host_%s",
3980 		    sys_hostname);
3981 		host_file = emalloc(strlen(filename) + 1);
3982 		strcpy(host_file, filename);
3983 	}
3984 	pkey = crypto_key(host_file, &fstamp);
3985 	if (pkey == NULL) {
3986 		msyslog(LOG_ERR,
3987 		    "crypto_setup: host key file %s not found or corrupt",
3988 		    host_file);
3989 		exit (-1);
3990 	}
3991 	host_pkey = pkey;
3992 	sign_pkey = pkey;
3993 	sstamp = fstamp;
3994 	hostval.fstamp = htonl(fstamp);
3995 	if (host_pkey->type != EVP_PKEY_RSA) {
3996 		msyslog(LOG_ERR,
3997 		    "crypto_setup: host key is not RSA key type");
3998 		exit (-1);
3999 	}
4000 	hostval.vallen = htonl(strlen(sys_hostname));
4001 	hostval.ptr = (u_char *)sys_hostname;
4002 
4003 	/*
4004 	 * Construct public key extension field for agreement scheme.
4005 	 */
4006 	len = i2d_PublicKey(host_pkey, NULL);
4007 	ptr = emalloc(len);
4008 	pubkey.ptr = ptr;
4009 	i2d_PublicKey(host_pkey, &ptr);
4010 	pubkey.vallen = htonl(len);
4011 	pubkey.fstamp = hostval.fstamp;
4012 
4013 	/*
4014 	 * Load optional sign key from file "ntpkey_sign_<hostname>". If
4015 	 * loaded, it becomes the sign key.
4016 	 */
4017 	if (sign_file == NULL) {
4018 		snprintf(filename, MAXFILENAME, "ntpkey_sign_%s",
4019 		    sys_hostname);
4020 		sign_file = emalloc(strlen(filename) + 1);
4021 		strcpy(sign_file, filename);
4022 	}
4023 	pkey = crypto_key(sign_file, &fstamp);
4024 	if (pkey != NULL) {
4025 		sign_pkey = pkey;
4026 		sstamp = fstamp;
4027 	}
4028 	sign_siglen = EVP_PKEY_size(sign_pkey);
4029 
4030 	/*
4031 	 * Load optional IFF parameters from file
4032 	 * "ntpkey_iff_<hostname>".
4033 	 */
4034 	if (iffpar_file == NULL) {
4035 		snprintf(filename, MAXFILENAME, "ntpkey_iff_%s",
4036 		    sys_hostname);
4037 		iffpar_file = emalloc(strlen(filename) + 1);
4038 		strcpy(iffpar_file, filename);
4039 	}
4040 	iffpar_pkey = crypto_key(iffpar_file, &if_fstamp);
4041 	if (iffpar_pkey != NULL)
4042 		crypto_flags |= CRYPTO_FLAG_IFF;
4043 
4044 	/*
4045 	 * Load optional GQ parameters from file "ntpkey_gq_<hostname>".
4046 	 */
4047 	if (gqpar_file == NULL) {
4048 		snprintf(filename, MAXFILENAME, "ntpkey_gq_%s",
4049 		    sys_hostname);
4050 		gqpar_file = emalloc(strlen(filename) + 1);
4051 		strcpy(gqpar_file, filename);
4052 	}
4053 	gqpar_pkey = crypto_key(gqpar_file, &gq_fstamp);
4054 	if (gqpar_pkey != NULL)
4055 		crypto_flags |= CRYPTO_FLAG_GQ;
4056 
4057 	/*
4058 	 * Load optional MV parameters from file "ntpkey_mv_<hostname>".
4059 	 */
4060 	if (mvpar_file == NULL) {
4061 		snprintf(filename, MAXFILENAME, "ntpkey_mv_%s",
4062 		    sys_hostname);
4063 		mvpar_file = emalloc(strlen(filename) + 1);
4064 		strcpy(mvpar_file, filename);
4065 	}
4066 	mvpar_pkey = crypto_key(mvpar_file, &mv_fstamp);
4067 	if (mvpar_pkey != NULL)
4068 		crypto_flags |= CRYPTO_FLAG_MV;
4069 
4070 	/*
4071 	 * Load required certificate from file "ntpkey_cert_<hostname>".
4072 	 */
4073 	if (cert_file == NULL) {
4074 		snprintf(filename, MAXFILENAME, "ntpkey_cert_%s",
4075 		    sys_hostname);
4076 		cert_file = emalloc(strlen(filename) + 1);
4077 		strcpy(cert_file, filename);
4078 	}
4079 	if ((cinfo = crypto_cert(cert_file)) == NULL) {
4080 		msyslog(LOG_ERR,
4081 		    "certificate file %s not found or corrupt",
4082 		    cert_file);
4083 		exit (-1);
4084 	}
4085 
4086 	/*
4087 	 * The subject name must be the same as the host name, unless
4088 	 * the certificate is private, in which case it may have come
4089 	 * from another host.
4090 	 */
4091 	if (!(cinfo->flags & CERT_PRIV) && strcmp(cinfo->subject,
4092 	    sys_hostname) != 0) {
4093 		msyslog(LOG_ERR,
4094 		    "crypto_setup: certificate %s not for this host",
4095 		    cert_file);
4096 		cert_free(cinfo);
4097 		exit (-1);
4098 	}
4099 
4100 	/*
4101 	 * It the certificate is trusted, the subject must be the same
4102 	 * as the issuer, in other words it must be self signed.
4103 	 */
4104 	if (cinfo->flags & CERT_TRUST && strcmp(cinfo->subject,
4105 	    cinfo->issuer) != 0) {
4106 		if (cert_valid(cinfo, sign_pkey) != XEVNT_OK) {
4107 			msyslog(LOG_ERR,
4108 			    "crypto_setup: certificate %s is trusted, but not self signed.",
4109 			    cert_file);
4110 			cert_free(cinfo);
4111 			exit (-1);
4112 		}
4113 	}
4114 	sign_digest = cinfo->digest;
4115 	if (cinfo->flags & CERT_PRIV)
4116 		crypto_flags |= CRYPTO_FLAG_PRIV;
4117 	crypto_flags |= cinfo->nid << 16;
4118 
4119 	/*
4120 	 * Load optional leapseconds table from file "ntpkey_leap". If
4121 	 * the file is missing or defective, the values can later be
4122 	 * retrieved from a server.
4123 	 */
4124 	if (leap_file == NULL)
4125 		leap_file = "ntpkey_leap";
4126 	crypto_tai(leap_file);
4127 #ifdef DEBUG
4128 	if (debug)
4129 		printf(
4130 		    "crypto_setup: flags 0x%x host %s signature %s\n",
4131 		    crypto_flags, sys_hostname, OBJ_nid2ln(cinfo->nid));
4132 #endif
4133 }
4134 
4135 
4136 /*
4137  * crypto_config - configure data from crypto configuration command.
4138  */
4139 void
crypto_config(int item,char * cp)4140 crypto_config(
4141 	int	item,		/* configuration item */
4142 	char	*cp		/* file name */
4143 	)
4144 {
4145 	switch (item) {
4146 
4147 	/*
4148 	 * Set random seed file name.
4149 	 */
4150 	case CRYPTO_CONF_RAND:
4151 		rand_file = emalloc(strlen(cp) + 1);
4152 		strcpy(rand_file, cp);
4153 		break;
4154 
4155 	/*
4156 	 * Set private key password.
4157 	 */
4158 	case CRYPTO_CONF_PW:
4159 		passwd = emalloc(strlen(cp) + 1);
4160 		strcpy(passwd, cp);
4161 		break;
4162 
4163 	/*
4164 	 * Set host file name.
4165 	 */
4166 	case CRYPTO_CONF_PRIV:
4167 		host_file = emalloc(strlen(cp) + 1);
4168 		strcpy(host_file, cp);
4169 		break;
4170 
4171 	/*
4172 	 * Set sign key file name.
4173 	 */
4174 	case CRYPTO_CONF_SIGN:
4175 		sign_file = emalloc(strlen(cp) + 1);
4176 		strcpy(sign_file, cp);
4177 		break;
4178 
4179 	/*
4180 	 * Set iff parameters file name.
4181 	 */
4182 	case CRYPTO_CONF_IFFPAR:
4183 		iffpar_file = emalloc(strlen(cp) + 1);
4184 		strcpy(iffpar_file, cp);
4185 		break;
4186 
4187 	/*
4188 	 * Set gq parameters file name.
4189 	 */
4190 	case CRYPTO_CONF_GQPAR:
4191 		gqpar_file = emalloc(strlen(cp) + 1);
4192 		strcpy(gqpar_file, cp);
4193 		break;
4194 
4195 	/*
4196 	 * Set mv parameters file name.
4197 	 */
4198 	case CRYPTO_CONF_MVPAR:
4199 		mvpar_file = emalloc(strlen(cp) + 1);
4200 		strcpy(mvpar_file, cp);
4201 		break;
4202 
4203 	/*
4204 	 * Set identity scheme.
4205 	 */
4206 	case CRYPTO_CONF_IDENT:
4207 		if (!strcasecmp(cp, "iff"))
4208 			ident_scheme |= CRYPTO_FLAG_IFF;
4209 		else if (!strcasecmp(cp, "gq"))
4210 			ident_scheme |= CRYPTO_FLAG_GQ;
4211 		else if (!strcasecmp(cp, "mv"))
4212 			ident_scheme |= CRYPTO_FLAG_MV;
4213 		break;
4214 
4215 	/*
4216 	 * Set certificate file name.
4217 	 */
4218 	case CRYPTO_CONF_CERT:
4219 		cert_file = emalloc(strlen(cp) + 1);
4220 		strcpy(cert_file, cp);
4221 		break;
4222 
4223 	/*
4224 	 * Set leapseconds file name.
4225 	 */
4226 	case CRYPTO_CONF_LEAP:
4227 		leap_file = emalloc(strlen(cp) + 1);
4228 		strcpy(leap_file, cp);
4229 		break;
4230 	}
4231 	crypto_flags |= CRYPTO_FLAG_ENAB;
4232 }
4233 # else
4234 int ntp_crypto_bs_pubkey;
4235 # endif /* OPENSSL */
4236