PageRenderTime 118ms CodeModel.GetById 42ms app.highlight 60ms RepoModel.GetById 1ms app.codeStats 1ms

/contrib/ntp/ntpd/ntp_crypto.c

https://bitbucket.org/freebsd/freebsd-head/
C | 4189 lines | 2414 code | 326 blank | 1449 comment | 577 complexity | 24628f797239e75d9f4988848ef9a38c MD5 | raw file

Large files files are truncated, but you can click here to view the full file

   1/*
   2 * ntp_crypto.c - NTP version 4 public key routines
   3 */
   4#ifdef HAVE_CONFIG_H
   5#include <config.h>
   6#endif
   7
   8#ifdef OPENSSL
   9#include <stdio.h>
  10#include <sys/types.h>
  11#include <sys/param.h>
  12#include <unistd.h>
  13#include <fcntl.h>
  14
  15#include "ntpd.h"
  16#include "ntp_stdlib.h"
  17#include "ntp_unixtime.h"
  18#include "ntp_string.h"
  19#include <ntp_random.h>
  20
  21#include "openssl/asn1_mac.h"
  22#include "openssl/bn.h"
  23#include "openssl/err.h"
  24#include "openssl/evp.h"
  25#include "openssl/pem.h"
  26#include "openssl/rand.h"
  27#include "openssl/x509v3.h"
  28
  29#ifdef KERNEL_PLL
  30#include "ntp_syscall.h"
  31#endif /* KERNEL_PLL */
  32
  33/*
  34 * Extension field message format
  35 *
  36 * These are always signed and saved before sending in network byte
  37 * order. They must be converted to and from host byte order for
  38 * processing.
  39 *
  40 * +-------+-------+
  41 * |   op  |  len  | <- extension pointer
  42 * +-------+-------+
  43 * |    assocID    |
  44 * +---------------+
  45 * |   timestamp   | <- value pointer
  46 * +---------------+
  47 * |   filestamp   |
  48 * +---------------+
  49 * |   value len   |
  50 * +---------------+
  51 * |               |
  52 * =     value     =
  53 * |               |
  54 * +---------------+
  55 * | signature len |
  56 * +---------------+
  57 * |               |
  58 * =   signature   =
  59 * |               |
  60 * +---------------+
  61 *
  62 * The CRYPTO_RESP bit is set to 0 for requests, 1 for responses.
  63 * Requests carry the association ID of the receiver; responses carry
  64 * the association ID of the sender. Some messages include only the
  65 * operation/length and association ID words and so have length 8
  66 * octets. Ohers include the value structure and associated value and
  67 * signature fields. These messages include the timestamp, filestamp,
  68 * value and signature words and so have length at least 24 octets. The
  69 * signature and/or value fields can be empty, in which case the
  70 * respective length words are zero. An empty value with nonempty
  71 * signature is syntactically valid, but semantically questionable.
  72 *
  73 * The filestamp represents the time when a cryptographic data file such
  74 * as a public/private key pair is created. It follows every reference
  75 * depending on that file and serves as a means to obsolete earlier data
  76 * of the same type. The timestamp represents the time when the
  77 * cryptographic data of the message were last signed. Creation of a
  78 * cryptographic data file or signing a message can occur only when the
  79 * creator or signor is synchronized to an authoritative source and
  80 * proventicated to a trusted authority.
  81 *
  82 * Note there are four conditions required for server trust. First, the
  83 * public key on the certificate must be verified, which involves a
  84 * number of format, content and consistency checks. Next, the server
  85 * identity must be confirmed by one of four schemes: private
  86 * certificate, IFF scheme, GQ scheme or certificate trail hike to a
  87 * self signed trusted certificate. Finally, the server signature must
  88 * be verified.
  89 */
  90/*
  91 * Cryptodefines
  92 */
  93#define TAI_1972	10	/* initial TAI offset (s) */
  94#define MAX_LEAP	100	/* max UTC leapseconds (s) */
  95#define VALUE_LEN	(6 * 4) /* min response field length */
  96#define YEAR		(60 * 60 * 24 * 365) /* seconds in year */
  97
  98/*
  99 * Global cryptodata in host byte order
 100 */
 101u_int32	crypto_flags = 0x0;	/* status word */
 102
 103/*
 104 * Global cryptodata in network byte order
 105 */
 106struct cert_info *cinfo = NULL;	/* certificate info/value */
 107struct value hostval;		/* host value */
 108struct value pubkey;		/* public key */
 109struct value tai_leap;		/* leapseconds table */
 110EVP_PKEY *iffpar_pkey = NULL;	/* IFF parameters */
 111EVP_PKEY *gqpar_pkey = NULL;	/* GQ parameters */
 112EVP_PKEY *mvpar_pkey = NULL;	/* MV parameters */
 113char	*iffpar_file = NULL; /* IFF parameters file */
 114char	*gqpar_file = NULL;	/* GQ parameters file */
 115char	*mvpar_file = NULL;	/* MV parameters file */
 116
 117/*
 118 * Private cryptodata in host byte order
 119 */
 120static char *passwd = NULL;	/* private key password */
 121static EVP_PKEY *host_pkey = NULL; /* host key */
 122static EVP_PKEY *sign_pkey = NULL; /* sign key */
 123static const EVP_MD *sign_digest = NULL; /* sign digest */
 124static u_int sign_siglen;	/* sign key length */
 125static char *rand_file = NULL;	/* random seed file */
 126static char *host_file = NULL;	/* host key file */
 127static char *sign_file = NULL;	/* sign key file */
 128static char *cert_file = NULL;	/* certificate file */
 129static char *leap_file = NULL;	/* leapseconds file */
 130static tstamp_t if_fstamp = 0;	/* IFF filestamp */
 131static tstamp_t gq_fstamp = 0;	/* GQ file stamp */
 132static tstamp_t mv_fstamp = 0;	/* MV filestamp */
 133static u_int ident_scheme = 0;	/* server identity scheme */
 134
 135/*
 136 * Cryptotypes
 137 */
 138static	int	crypto_verify	P((struct exten *, struct value *,
 139				    struct peer *));
 140static	int	crypto_encrypt	P((struct exten *, struct value *,
 141				    keyid_t *));
 142static	int	crypto_alice	P((struct peer *, struct value *));
 143static	int	crypto_alice2	P((struct peer *, struct value *));
 144static	int	crypto_alice3	P((struct peer *, struct value *));
 145static	int	crypto_bob	P((struct exten *, struct value *));
 146static	int	crypto_bob2	P((struct exten *, struct value *));
 147static	int	crypto_bob3	P((struct exten *, struct value *));
 148static	int	crypto_iff	P((struct exten *, struct peer *));
 149static	int	crypto_gq	P((struct exten *, struct peer *));
 150static	int	crypto_mv	P((struct exten *, struct peer *));
 151static	u_int	crypto_send	P((struct exten *, struct value *));
 152static	tstamp_t crypto_time	P((void));
 153static	u_long	asn2ntp		P((ASN1_TIME *));
 154static	struct cert_info *cert_parse P((u_char *, u_int, tstamp_t));
 155static	int	cert_sign	P((struct exten *, struct value *));
 156static	int	cert_valid	P((struct cert_info *, EVP_PKEY *));
 157static	int	cert_install	P((struct exten *, struct peer *));
 158static	void	cert_free	P((struct cert_info *));
 159static	EVP_PKEY *crypto_key	P((char *, tstamp_t *));
 160static	int	bighash		P((BIGNUM *, BIGNUM *));
 161static	struct cert_info *crypto_cert P((char *));
 162static	void	crypto_tai	P((char *));
 163
 164#ifdef SYS_WINNT
 165int
 166readlink(char * link, char * file, int len) {
 167	return (-1);
 168}
 169#endif
 170
 171/*
 172 * session_key - generate session key
 173 *
 174 * This routine generates a session key from the source address,
 175 * destination address, key ID and private value. The value of the
 176 * session key is the MD5 hash of these values, while the next key ID is
 177 * the first four octets of the hash.
 178 *
 179 * Returns the next key ID
 180 */
 181keyid_t
 182session_key(
 183	struct sockaddr_storage *srcadr, /* source address */
 184	struct sockaddr_storage *dstadr, /* destination address */
 185	keyid_t	keyno,		/* key ID */
 186	keyid_t	private,	/* private value */
 187	u_long	lifetime 	/* key lifetime */
 188	)
 189{
 190	EVP_MD_CTX ctx;		/* message digest context */
 191	u_char dgst[EVP_MAX_MD_SIZE]; /* message digest */
 192	keyid_t	keyid;		/* key identifer */
 193	u_int32	header[10];	/* data in network byte order */
 194	u_int	hdlen, len;
 195
 196	if (!dstadr)
 197		return 0;
 198	
 199	/*
 200	 * Generate the session key and key ID. If the lifetime is
 201	 * greater than zero, install the key and call it trusted.
 202	 */
 203	hdlen = 0;
 204	switch(srcadr->ss_family) {
 205	case AF_INET:
 206		header[0] = ((struct sockaddr_in *)srcadr)->sin_addr.s_addr;
 207		header[1] = ((struct sockaddr_in *)dstadr)->sin_addr.s_addr;
 208		header[2] = htonl(keyno);
 209		header[3] = htonl(private);
 210		hdlen = 4 * sizeof(u_int32);
 211		break;
 212
 213	case AF_INET6:
 214		memcpy(&header[0], &GET_INADDR6(*srcadr),
 215		    sizeof(struct in6_addr));
 216		memcpy(&header[4], &GET_INADDR6(*dstadr),
 217		    sizeof(struct in6_addr));
 218		header[8] = htonl(keyno);
 219		header[9] = htonl(private);
 220		hdlen = 10 * sizeof(u_int32);
 221		break;
 222	}
 223	EVP_DigestInit(&ctx, EVP_md5());
 224	EVP_DigestUpdate(&ctx, (u_char *)header, hdlen);
 225	EVP_DigestFinal(&ctx, dgst, &len);
 226	memcpy(&keyid, dgst, 4);
 227	keyid = ntohl(keyid);
 228	if (lifetime != 0) {
 229		MD5auth_setkey(keyno, dgst, len);
 230		authtrust(keyno, lifetime);
 231	}
 232#ifdef DEBUG
 233	if (debug > 1)
 234		printf(
 235		    "session_key: %s > %s %08x %08x hash %08x life %lu\n",
 236		    stoa(srcadr), stoa(dstadr), keyno,
 237		    private, keyid, lifetime);
 238#endif
 239	return (keyid);
 240}
 241
 242
 243/*
 244 * make_keylist - generate key list
 245 *
 246 * Returns
 247 * XEVNT_OK	success
 248 * XEVNT_PER	host certificate expired
 249 *
 250 * This routine constructs a pseudo-random sequence by repeatedly
 251 * hashing the session key starting from a given source address,
 252 * destination address, private value and the next key ID of the
 253 * preceeding session key. The last entry on the list is saved along
 254 * with its sequence number and public signature.
 255 */
 256int
 257make_keylist(
 258	struct peer *peer,	/* peer structure pointer */
 259	struct interface *dstadr /* interface */
 260	)
 261{
 262	EVP_MD_CTX ctx;		/* signature context */
 263	tstamp_t tstamp;	/* NTP timestamp */
 264	struct autokey *ap;	/* autokey pointer */
 265	struct value *vp;	/* value pointer */
 266	keyid_t	keyid = 0;	/* next key ID */
 267	keyid_t	cookie;		/* private value */
 268	u_long	lifetime;
 269	u_int	len, mpoll;
 270	int	i;
 271
 272	if (!dstadr)
 273		return XEVNT_OK;
 274	
 275	/*
 276	 * Allocate the key list if necessary.
 277	 */
 278	tstamp = crypto_time();
 279	if (peer->keylist == NULL)
 280		peer->keylist = emalloc(sizeof(keyid_t) *
 281		    NTP_MAXSESSION);
 282
 283	/*
 284	 * Generate an initial key ID which is unique and greater than
 285	 * NTP_MAXKEY.
 286	 */
 287	while (1) {
 288		keyid = (ntp_random() + NTP_MAXKEY + 1) & ((1 <<
 289		    sizeof(keyid_t)) - 1);
 290		if (authhavekey(keyid))
 291			continue;
 292		break;
 293	}
 294
 295	/*
 296	 * Generate up to NTP_MAXSESSION session keys. Stop if the
 297	 * next one would not be unique or not a session key ID or if
 298	 * it would expire before the next poll. The private value
 299	 * included in the hash is zero if broadcast mode, the peer
 300	 * cookie if client mode or the host cookie if symmetric modes.
 301	 */
 302	mpoll = 1 << min(peer->ppoll, peer->hpoll);
 303	lifetime = min(sys_automax, NTP_MAXSESSION * mpoll);
 304	if (peer->hmode == MODE_BROADCAST)
 305		cookie = 0;
 306	else
 307		cookie = peer->pcookie;
 308	for (i = 0; i < NTP_MAXSESSION; i++) {
 309		peer->keylist[i] = keyid;
 310		peer->keynumber = i;
 311		keyid = session_key(&dstadr->sin, &peer->srcadr, keyid,
 312		    cookie, lifetime);
 313		lifetime -= mpoll;
 314		if (auth_havekey(keyid) || keyid <= NTP_MAXKEY ||
 315		    lifetime <= mpoll)
 316			break;
 317	}
 318
 319	/*
 320	 * Save the last session key ID, sequence number and timestamp,
 321	 * then sign these values for later retrieval by the clients. Be
 322	 * careful not to use invalid key media. Use the public values
 323	 * timestamp as filestamp. 
 324	 */
 325	vp = &peer->sndval;
 326	if (vp->ptr == NULL)
 327		vp->ptr = emalloc(sizeof(struct autokey));
 328	ap = (struct autokey *)vp->ptr;
 329	ap->seq = htonl(peer->keynumber);
 330	ap->key = htonl(keyid);
 331	vp->tstamp = htonl(tstamp);
 332	vp->fstamp = hostval.tstamp;
 333	vp->vallen = htonl(sizeof(struct autokey));
 334	vp->siglen = 0;
 335	if (tstamp != 0) {
 336		if (tstamp < cinfo->first || tstamp > cinfo->last)
 337			return (XEVNT_PER);
 338
 339		if (vp->sig == NULL)
 340			vp->sig = emalloc(sign_siglen);
 341		EVP_SignInit(&ctx, sign_digest);
 342		EVP_SignUpdate(&ctx, (u_char *)vp, 12);
 343		EVP_SignUpdate(&ctx, vp->ptr, sizeof(struct autokey));
 344		if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
 345			vp->siglen = htonl(len);
 346		else
 347			msyslog(LOG_ERR, "make_keys %s\n",
 348			    ERR_error_string(ERR_get_error(), NULL));
 349		peer->flags |= FLAG_ASSOC;
 350	}
 351#ifdef DEBUG
 352	if (debug)
 353		printf("make_keys: %d %08x %08x ts %u fs %u poll %d\n",
 354		    ntohl(ap->seq), ntohl(ap->key), cookie,
 355		    ntohl(vp->tstamp), ntohl(vp->fstamp), peer->hpoll);
 356#endif
 357	return (XEVNT_OK);
 358}
 359
 360
 361/*
 362 * crypto_recv - parse extension fields
 363 *
 364 * This routine is called when the packet has been matched to an
 365 * association and passed sanity, format and MAC checks. We believe the
 366 * extension field values only if the field has proper format and
 367 * length, the timestamp and filestamp are valid and the signature has
 368 * valid length and is verified. There are a few cases where some values
 369 * are believed even if the signature fails, but only if the proventic
 370 * bit is not set.
 371 */
 372int
 373crypto_recv(
 374	struct peer *peer,	/* peer structure pointer */
 375	struct recvbuf *rbufp	/* packet buffer pointer */
 376	)
 377{
 378	const EVP_MD *dp;	/* message digest algorithm */
 379	u_int32	*pkt;		/* receive packet pointer */
 380	struct autokey *ap, *bp; /* autokey pointer */
 381	struct exten *ep, *fp;	/* extension pointers */
 382	int	has_mac;	/* length of MAC field */
 383	int	authlen;	/* offset of MAC field */
 384	associd_t associd;	/* association ID */
 385	tstamp_t tstamp = 0;	/* timestamp */
 386	tstamp_t fstamp = 0;	/* filestamp */
 387	u_int	len;		/* extension field length */
 388	u_int	code;		/* extension field opcode */
 389	u_int	vallen = 0;	/* value length */
 390	X509	*cert;		/* X509 certificate */
 391	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
 392	keyid_t	cookie;		/* crumbles */
 393	int	hismode;	/* packet mode */
 394	int	rval = XEVNT_OK;
 395	u_char	*ptr;
 396	u_int32 temp32;
 397
 398	/*
 399	 * Initialize. Note that the packet has already been checked for
 400	 * valid format and extension field lengths. First extract the
 401	 * field length, command code and association ID in host byte
 402	 * order. These are used with all commands and modes. Then check
 403	 * the version number, which must be 2, and length, which must
 404	 * be at least 8 for requests and VALUE_LEN (24) for responses.
 405	 * Packets that fail either test sink without a trace. The
 406	 * association ID is saved only if nonzero.
 407	 */
 408	authlen = LEN_PKT_NOMAC;
 409	hismode = (int)PKT_MODE((&rbufp->recv_pkt)->li_vn_mode);
 410	while ((has_mac = rbufp->recv_length - authlen) > MAX_MAC_LEN) {
 411		pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4;
 412		ep = (struct exten *)pkt;
 413		code = ntohl(ep->opcode) & 0xffff0000;
 414		len = ntohl(ep->opcode) & 0x0000ffff;
 415		associd = (associd_t) ntohl(pkt[1]);
 416		rval = XEVNT_OK;
 417#ifdef DEBUG
 418		if (debug)
 419			printf(
 420			    "crypto_recv: flags 0x%x ext offset %d len %u code 0x%x assocID %d\n",
 421			    peer->crypto, authlen, len, code >> 16,
 422			    associd);
 423#endif
 424
 425		/*
 426		 * Check version number and field length. If bad,
 427		 * quietly ignore the packet.
 428		 */
 429		if (((code >> 24) & 0x3f) != CRYPTO_VN || len < 8) {
 430			sys_unknownversion++;
 431			code |= CRYPTO_ERROR;
 432		}
 433
 434		/*
 435		 * Little vulnerability bandage here. If a perp tosses a
 436		 * fake association ID over the fence, we better toss it
 437		 * out. Only the first one counts.
 438		 */
 439		if (code & CRYPTO_RESP) {
 440			if (peer->assoc == 0)
 441				peer->assoc = associd;
 442			else if (peer->assoc != associd)
 443				code |= CRYPTO_ERROR;
 444		}
 445		if (len >= VALUE_LEN) {
 446			tstamp = ntohl(ep->tstamp);
 447			fstamp = ntohl(ep->fstamp);
 448			vallen = ntohl(ep->vallen);
 449		}
 450		switch (code) {
 451
 452		/*
 453		 * Install status word, host name, signature scheme and
 454		 * association ID. In OpenSSL the signature algorithm is
 455		 * bound to the digest algorithm, so the NID completely
 456		 * defines the signature scheme. Note the request and
 457		 * response are identical, but neither is validated by
 458		 * signature. The request is processed here only in
 459		 * symmetric modes. The server name field might be
 460		 * useful to implement access controls in future.
 461		 */
 462		case CRYPTO_ASSOC:
 463
 464			/*
 465			 * If the machine is running when this message
 466			 * arrives, the other fellow has reset and so
 467			 * must we. Otherwise, pass the extension field
 468			 * to the transmit side.
 469			 */
 470			if (peer->crypto) {
 471				rval = XEVNT_ERR;
 472				break;
 473			}
 474			fp = emalloc(len);
 475			memcpy(fp, ep, len);
 476			temp32 = CRYPTO_RESP;
 477			fp->opcode |= htonl(temp32);
 478			peer->cmmd = fp;
 479			/* fall through */
 480
 481		case CRYPTO_ASSOC | CRYPTO_RESP:
 482
 483			/*
 484			 * Discard the message if it has already been
 485			 * stored or the message has been amputated.
 486			 */
 487			if (peer->crypto)
 488				break;
 489
 490			if (vallen == 0 || vallen > MAXHOSTNAME ||
 491			    len < VALUE_LEN + vallen) {
 492				rval = XEVNT_LEN;
 493				break;
 494			}
 495
 496			/*
 497			 * Check the identity schemes are compatible. If
 498			 * the client has PC, the server must have PC,
 499			 * in which case the server public key and
 500			 * identity are presumed valid, so we skip the
 501			 * certificate and identity exchanges and move
 502			 * immediately to the cookie exchange which
 503			 * confirms the server signature.
 504			 */
 505#ifdef DEBUG
 506			if (debug)
 507				printf(
 508				    "crypto_recv: ident host 0x%x server 0x%x\n",
 509				    crypto_flags, fstamp);
 510#endif
 511			temp32 = (crypto_flags | ident_scheme) &
 512			    fstamp & CRYPTO_FLAG_MASK;
 513			if (crypto_flags & CRYPTO_FLAG_PRIV) {
 514				if (!(fstamp & CRYPTO_FLAG_PRIV)) {
 515					rval = XEVNT_KEY;
 516					break;
 517
 518				} else {
 519					fstamp |= CRYPTO_FLAG_VALID |
 520					    CRYPTO_FLAG_VRFY |
 521					    CRYPTO_FLAG_SIGN;
 522				}
 523			/*
 524			 * In symmetric modes it is an error if either
 525			 * peer requests identity and the other peer
 526			 * does not support it.
 527			 */
 528			} else if ((hismode == MODE_ACTIVE || hismode ==
 529			    MODE_PASSIVE) && ((crypto_flags | fstamp) &
 530			    CRYPTO_FLAG_MASK) && !temp32) {
 531				rval = XEVNT_KEY;
 532				break;
 533			/*
 534			 * It is an error if the client requests
 535			 * identity and the server does not support it.
 536			 */
 537			} else if (hismode == MODE_CLIENT && (fstamp &
 538			    CRYPTO_FLAG_MASK) && !temp32) {
 539				rval = XEVNT_KEY;
 540				break;
 541			}
 542
 543			/*
 544			 * Otherwise, the identity scheme(s) are those
 545			 * that both client and server support.
 546			 */
 547			fstamp = temp32 | (fstamp & ~CRYPTO_FLAG_MASK);
 548
 549			/*
 550			 * Discard the message if the signature digest
 551			 * NID is not supported.
 552			 */
 553			temp32 = (fstamp >> 16) & 0xffff;
 554			dp =
 555			    (const EVP_MD *)EVP_get_digestbynid(temp32);
 556			if (dp == NULL) {
 557				rval = XEVNT_MD;
 558				break;
 559			}
 560
 561			/*
 562			 * Save status word, host name and message
 563			 * digest/signature type.
 564			 */
 565			peer->crypto = fstamp;
 566			peer->digest = dp;
 567			peer->subject = emalloc(vallen + 1);
 568			memcpy(peer->subject, ep->pkt, vallen);
 569			peer->subject[vallen] = '\0';
 570			peer->issuer = emalloc(vallen + 1);
 571			strcpy(peer->issuer, peer->subject);
 572			temp32 = (fstamp >> 16) & 0xffff;
 573			snprintf(statstr, NTP_MAXSTRLEN,
 574			    "flags 0x%x host %s signature %s", fstamp,
 575			    peer->subject, OBJ_nid2ln(temp32));
 576			record_crypto_stats(&peer->srcadr, statstr);
 577#ifdef DEBUG
 578			if (debug)
 579				printf("crypto_recv: %s\n", statstr);
 580#endif
 581			break;
 582
 583		/*
 584		 * Decode X509 certificate in ASN.1 format and extract
 585		 * the data containing, among other things, subject
 586		 * name and public key. In the default identification
 587		 * scheme, the certificate trail is followed to a self
 588		 * signed trusted certificate.
 589		 */
 590		case CRYPTO_CERT | CRYPTO_RESP:
 591
 592			/*
 593			 * Discard the message if invalid.
 594			 */
 595			if ((rval = crypto_verify(ep, NULL, peer)) !=
 596			    XEVNT_OK)
 597				break;
 598
 599			/*
 600			 * Scan the certificate list to delete old
 601			 * versions and link the newest version first on
 602			 * the list.
 603			 */
 604			if ((rval = cert_install(ep, peer)) != XEVNT_OK)
 605				break;
 606
 607			/*
 608			 * If we snatch the certificate before the
 609			 * server certificate has been signed by its
 610			 * server, it will be self signed. When it is,
 611			 * we chase the certificate issuer, which the
 612			 * server has, and keep going until a self
 613			 * signed trusted certificate is found. Be sure
 614			 * to update the issuer field, since it may
 615			 * change.
 616			 */
 617			if (peer->issuer != NULL)
 618				free(peer->issuer);
 619			peer->issuer = emalloc(strlen(cinfo->issuer) +
 620			    1);
 621			strcpy(peer->issuer, cinfo->issuer);
 622
 623			/*
 624			 * We plug in the public key and lifetime from
 625			 * the first certificate received. However, note
 626			 * that this certificate might not be signed by
 627			 * the server, so we can't check the
 628			 * signature/digest NID.
 629			 */
 630			if (peer->pkey == NULL) {
 631				ptr = (u_char *)cinfo->cert.ptr;
 632				cert = d2i_X509(NULL, &ptr,
 633				    ntohl(cinfo->cert.vallen));
 634				peer->pkey = X509_get_pubkey(cert);
 635				X509_free(cert);
 636			}
 637			peer->flash &= ~TEST8;
 638			temp32 = cinfo->nid;
 639			snprintf(statstr, NTP_MAXSTRLEN,
 640			    "cert %s 0x%x %s (%u) fs %u",
 641			    cinfo->subject, cinfo->flags,
 642			    OBJ_nid2ln(temp32), temp32,
 643			    ntohl(ep->fstamp));
 644			record_crypto_stats(&peer->srcadr, statstr);
 645#ifdef DEBUG
 646			if (debug)
 647				printf("crypto_recv: %s\n", statstr);
 648#endif
 649			break;
 650
 651		/*
 652		 * Schnorr (IFF)identity scheme. This scheme is designed
 653		 * for use with shared secret group keys and where the
 654		 * certificate may be generated by a third party. The
 655		 * client sends a challenge to the server, which
 656		 * performs a calculation and returns the result. A
 657		 * positive result is possible only if both client and
 658		 * server contain the same secret group key.
 659		 */
 660		case CRYPTO_IFF | CRYPTO_RESP:
 661
 662			/*
 663			 * Discard the message if invalid or certificate
 664			 * trail not trusted.
 665			 */
 666			if (!(peer->crypto & CRYPTO_FLAG_VALID)) {
 667				rval = XEVNT_ERR;
 668				break;
 669			}
 670			if ((rval = crypto_verify(ep, NULL, peer)) !=
 671			    XEVNT_OK)
 672				break;
 673
 674			/*
 675			 * If the the challenge matches the response,
 676			 * the certificate public key, as well as the
 677			 * server public key, signatyre and identity are
 678			 * all verified at the same time. The server is
 679			 * declared trusted, so we skip further
 680			 * certificate stages and move immediately to
 681			 * the cookie stage.
 682			 */
 683			if ((rval = crypto_iff(ep, peer)) != XEVNT_OK)
 684				break;
 685
 686			peer->crypto |= CRYPTO_FLAG_VRFY |
 687			    CRYPTO_FLAG_PROV;
 688			peer->flash &= ~TEST8;
 689			snprintf(statstr, NTP_MAXSTRLEN, "iff fs %u",
 690			    ntohl(ep->fstamp));
 691			record_crypto_stats(&peer->srcadr, statstr);
 692#ifdef DEBUG
 693			if (debug)
 694				printf("crypto_recv: %s\n", statstr);
 695#endif
 696			break;
 697
 698		/*
 699		 * Guillou-Quisquater (GQ) identity scheme. This scheme
 700		 * is designed for use with public certificates carrying
 701		 * the GQ public key in an extension field. The client
 702		 * sends a challenge to the server, which performs a
 703		 * calculation and returns the result. A positive result
 704		 * is possible only if both client and server contain
 705		 * the same group key and the server has the matching GQ
 706		 * private key.
 707		 */
 708		case CRYPTO_GQ | CRYPTO_RESP:
 709
 710			/*
 711			 * Discard the message if invalid or certificate
 712			 * trail not trusted.
 713			 */
 714			if (!(peer->crypto & CRYPTO_FLAG_VALID)) {
 715				rval = XEVNT_ERR;
 716				break;
 717			}
 718			if ((rval = crypto_verify(ep, NULL, peer)) !=
 719			    XEVNT_OK)
 720				break;
 721
 722			/*
 723			 * If the the challenge matches the response,
 724			 * the certificate public key, as well as the
 725			 * server public key, signatyre and identity are
 726			 * all verified at the same time. The server is
 727			 * declared trusted, so we skip further
 728			 * certificate stages and move immediately to
 729			 * the cookie stage.
 730			 */
 731			if ((rval = crypto_gq(ep, peer)) != XEVNT_OK)
 732				break;
 733
 734			peer->crypto |= CRYPTO_FLAG_VRFY |
 735			    CRYPTO_FLAG_PROV;
 736			peer->flash &= ~TEST8;
 737			snprintf(statstr, NTP_MAXSTRLEN, "gq fs %u",
 738			    ntohl(ep->fstamp));
 739			record_crypto_stats(&peer->srcadr, statstr);
 740#ifdef DEBUG
 741			if (debug)
 742				printf("crypto_recv: %s\n", statstr);
 743#endif
 744			break;
 745
 746		/*
 747		 * MV
 748		 */
 749		case CRYPTO_MV | CRYPTO_RESP:
 750
 751			/*
 752			 * Discard the message if invalid or certificate
 753			 * trail not trusted.
 754			 */
 755			if (!(peer->crypto & CRYPTO_FLAG_VALID)) {
 756				rval = XEVNT_ERR;
 757				break;
 758			}
 759			if ((rval = crypto_verify(ep, NULL, peer)) !=
 760			    XEVNT_OK)
 761				break;
 762
 763			/*
 764			 * If the the challenge matches the response,
 765			 * the certificate public key, as well as the
 766			 * server public key, signatyre and identity are
 767			 * all verified at the same time. The server is
 768			 * declared trusted, so we skip further
 769			 * certificate stages and move immediately to
 770			 * the cookie stage.
 771			 */
 772			if ((rval = crypto_mv(ep, peer)) != XEVNT_OK)
 773				break;
 774
 775			peer->crypto |= CRYPTO_FLAG_VRFY |
 776			    CRYPTO_FLAG_PROV;
 777			peer->flash &= ~TEST8;
 778			snprintf(statstr, NTP_MAXSTRLEN, "mv fs %u",
 779			    ntohl(ep->fstamp));
 780			record_crypto_stats(&peer->srcadr, statstr);
 781#ifdef DEBUG
 782			if (debug)
 783				printf("crypto_recv: %s\n", statstr);
 784#endif
 785			break;
 786
 787		/*
 788		 * Cookie request in symmetric modes. Roll a random
 789		 * cookie and install in symmetric mode. Encrypt for the
 790		 * response, which is transmitted later.
 791		 */
 792		case CRYPTO_COOK:
 793
 794			/*
 795			 * Discard the message if invalid or certificate
 796			 * trail not trusted.
 797			 */
 798			if (!(peer->crypto & CRYPTO_FLAG_VALID)) {
 799				rval = XEVNT_ERR;
 800				break;
 801			}
 802			if ((rval = crypto_verify(ep, NULL, peer)) !=
 803			    XEVNT_OK)
 804				break;
 805
 806			/*
 807			 * Pass the extension field to the transmit
 808			 * side. If already agreed, walk away.
 809			 */
 810			fp = emalloc(len);
 811			memcpy(fp, ep, len);
 812			temp32 = CRYPTO_RESP;
 813			fp->opcode |= htonl(temp32);
 814			peer->cmmd = fp;
 815			if (peer->crypto & CRYPTO_FLAG_AGREE) {
 816				peer->flash &= ~TEST8;
 817				break;
 818			}
 819
 820			/*
 821			 * Install cookie values and light the cookie
 822			 * bit. The transmit side will pick up and
 823			 * encrypt it for the response.
 824			 */
 825			key_expire(peer);
 826			peer->cookval.tstamp = ep->tstamp;
 827			peer->cookval.fstamp = ep->fstamp;
 828			RAND_bytes((u_char *)&peer->pcookie, 4);
 829			peer->crypto &= ~CRYPTO_FLAG_AUTO;
 830			peer->crypto |= CRYPTO_FLAG_AGREE;
 831			peer->flash &= ~TEST8;
 832			snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
 833			    peer->pcookie, ntohl(ep->tstamp),
 834			    ntohl(ep->fstamp));
 835			record_crypto_stats(&peer->srcadr, statstr);
 836#ifdef DEBUG
 837			if (debug)
 838				printf("crypto_recv: %s\n", statstr);
 839#endif
 840			break;
 841
 842		/*
 843		 * Cookie response in client and symmetric modes. If the
 844		 * cookie bit is set, the working cookie is the EXOR of
 845		 * the current and new values.
 846		 */
 847		case CRYPTO_COOK | CRYPTO_RESP:
 848
 849			/*
 850			 * Discard the message if invalid or identity
 851			 * not confirmed or signature not verified with
 852			 * respect to the cookie values.
 853			 */
 854			if (!(peer->crypto & CRYPTO_FLAG_VRFY)) {
 855				rval = XEVNT_ERR;
 856				break;
 857			}
 858			if ((rval = crypto_verify(ep, &peer->cookval,
 859			    peer)) != XEVNT_OK)
 860				break;
 861
 862			/*
 863			 * Decrypt the cookie, hunting all the time for
 864			 * errors.
 865			 */
 866			if (vallen == (u_int) EVP_PKEY_size(host_pkey)) {
 867				RSA_private_decrypt(vallen,
 868				    (u_char *)ep->pkt,
 869				    (u_char *)&temp32,
 870				    host_pkey->pkey.rsa,
 871				    RSA_PKCS1_OAEP_PADDING);
 872				cookie = ntohl(temp32);
 873			} else {
 874				rval = XEVNT_CKY;
 875				break;
 876			}
 877
 878			/*
 879			 * Install cookie values and light the cookie
 880			 * bit. If this is not broadcast client mode, we
 881			 * are done here.
 882			 */
 883			key_expire(peer);
 884			peer->cookval.tstamp = ep->tstamp;
 885			peer->cookval.fstamp = ep->fstamp;
 886			if (peer->crypto & CRYPTO_FLAG_AGREE)
 887				peer->pcookie ^= cookie;
 888			else
 889				peer->pcookie = cookie;
 890			if (peer->hmode == MODE_CLIENT &&
 891			    !(peer->cast_flags & MDF_BCLNT))
 892				peer->crypto |= CRYPTO_FLAG_AUTO;
 893			else
 894				peer->crypto &= ~CRYPTO_FLAG_AUTO;
 895			peer->crypto |= CRYPTO_FLAG_AGREE;
 896			peer->flash &= ~TEST8;
 897			snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u",
 898			    peer->pcookie, ntohl(ep->tstamp),
 899			    ntohl(ep->fstamp));
 900			record_crypto_stats(&peer->srcadr, statstr);
 901#ifdef DEBUG
 902			if (debug)
 903				printf("crypto_recv: %s\n", statstr);
 904#endif
 905			break;
 906
 907		/*
 908		 * Install autokey values in broadcast client and
 909		 * symmetric modes. We have to do this every time the
 910		 * sever/peer cookie changes or a new keylist is
 911		 * rolled. Ordinarily, this is automatic as this message
 912		 * is piggybacked on the first NTP packet sent upon
 913		 * either of these events. Note that a broadcast client
 914		 * or symmetric peer can receive this response without a
 915		 * matching request.
 916		 */
 917		case CRYPTO_AUTO | CRYPTO_RESP:
 918
 919			/*
 920			 * Discard the message if invalid or identity
 921			 * not confirmed or signature not verified with
 922			 * respect to the receive autokey values.
 923			 */
 924			if (!(peer->crypto & CRYPTO_FLAG_VRFY)) {
 925				rval = XEVNT_ERR;
 926				break;
 927			}
 928			if ((rval = crypto_verify(ep, &peer->recval,
 929			    peer)) != XEVNT_OK)
 930				break;
 931
 932			/*
 933			 * Install autokey values and light the
 934			 * autokey bit. This is not hard.
 935			 */
 936			if (peer->recval.ptr == NULL)
 937				peer->recval.ptr =
 938				    emalloc(sizeof(struct autokey));
 939			bp = (struct autokey *)peer->recval.ptr;
 940			peer->recval.tstamp = ep->tstamp;
 941			peer->recval.fstamp = ep->fstamp;
 942			ap = (struct autokey *)ep->pkt;
 943			bp->seq = ntohl(ap->seq);
 944			bp->key = ntohl(ap->key);
 945			peer->pkeyid = bp->key;
 946			peer->crypto |= CRYPTO_FLAG_AUTO;
 947			peer->flash &= ~TEST8;
 948			snprintf(statstr, NTP_MAXSTRLEN,
 949			    "auto seq %d key %x ts %u fs %u", bp->seq,
 950			    bp->key, ntohl(ep->tstamp),
 951			    ntohl(ep->fstamp));
 952			record_crypto_stats(&peer->srcadr, statstr);
 953#ifdef DEBUG
 954			if (debug)
 955				printf("crypto_recv: %s\n", statstr);
 956#endif
 957			break;
 958	
 959		/*
 960		 * X509 certificate sign response. Validate the
 961		 * certificate signed by the server and install. Later
 962		 * this can be provided to clients of this server in
 963		 * lieu of the self signed certificate in order to
 964		 * validate the public key.
 965		 */
 966		case CRYPTO_SIGN | CRYPTO_RESP:
 967
 968			/*
 969			 * Discard the message if invalid or not
 970			 * proventic.
 971			 */
 972			if (!(peer->crypto & CRYPTO_FLAG_PROV)) {
 973				rval = XEVNT_ERR;
 974				break;
 975			}
 976			if ((rval = crypto_verify(ep, NULL, peer)) !=
 977			    XEVNT_OK)
 978				break;
 979
 980			/*
 981			 * Scan the certificate list to delete old
 982			 * versions and link the newest version first on
 983			 * the list.
 984			 */
 985			if ((rval = cert_install(ep, peer)) != XEVNT_OK)
 986				break;
 987
 988			peer->crypto |= CRYPTO_FLAG_SIGN;
 989			peer->flash &= ~TEST8;
 990			temp32 = cinfo->nid;
 991			snprintf(statstr, NTP_MAXSTRLEN,
 992			    "sign %s 0x%x %s (%u) fs %u",
 993			    cinfo->issuer, cinfo->flags,
 994			    OBJ_nid2ln(temp32), temp32,
 995			    ntohl(ep->fstamp));
 996			record_crypto_stats(&peer->srcadr, statstr);
 997#ifdef DEBUG
 998			if (debug)
 999				printf("crypto_recv: %s\n", statstr);
1000#endif
1001			break;
1002
1003		/*
1004		 * Install leapseconds table in symmetric modes. This
1005		 * table is proventicated to the NIST primary servers,
1006		 * either by copying the file containing the table from
1007		 * a NIST server to a trusted server or directly using
1008		 * this protocol. While the entire table is installed at
1009		 * the server, presently only the current TAI offset is
1010		 * provided via the kernel to other applications.
1011		 */
1012		case CRYPTO_TAI:
1013
1014			/*
1015			 * Discard the message if invalid.
1016			 */
1017			if ((rval = crypto_verify(ep, NULL, peer)) !=
1018			    XEVNT_OK)
1019				break;
1020
1021			/*
1022			 * Pass the extension field to the transmit
1023			 * side. Continue below if a leapseconds table
1024			 * accompanies the message.
1025			 */
1026			fp = emalloc(len);
1027			memcpy(fp, ep, len);
1028			temp32 = CRYPTO_RESP;
1029			fp->opcode |= htonl(temp32);
1030			peer->cmmd = fp;
1031			if (len <= VALUE_LEN) {
1032				peer->flash &= ~TEST8;
1033				break;
1034			}
1035			/* fall through */
1036
1037		case CRYPTO_TAI | CRYPTO_RESP:
1038
1039			/*
1040			 * If this is a response, discard the message if
1041			 * signature not verified with respect to the
1042			 * leapsecond table values.
1043			 */
1044			if (peer->cmmd == NULL) {
1045				if ((rval = crypto_verify(ep,
1046				    &peer->tai_leap, peer)) != XEVNT_OK)
1047					break;
1048			}
1049
1050			/*
1051			 * Initialize peer variables with latest update.
1052			 */
1053			peer->tai_leap.tstamp = ep->tstamp;
1054			peer->tai_leap.fstamp = ep->fstamp;
1055			peer->tai_leap.vallen = ep->vallen;
1056
1057			/*
1058			 * Install the new table if there is no stored
1059			 * table or the new table is more recent than
1060			 * the stored table. Since a filestamp may have
1061			 * changed, recompute the signatures.
1062			 */
1063			if (ntohl(peer->tai_leap.fstamp) >
1064			    ntohl(tai_leap.fstamp)) {
1065				tai_leap.fstamp = ep->fstamp;
1066				tai_leap.vallen = ep->vallen;
1067				if (tai_leap.ptr != NULL)
1068					free(tai_leap.ptr);
1069				tai_leap.ptr = emalloc(vallen);
1070				memcpy(tai_leap.ptr, ep->pkt, vallen);
1071				crypto_update();
1072			}
1073			crypto_flags |= CRYPTO_FLAG_TAI;
1074			peer->crypto |= CRYPTO_FLAG_LEAP;
1075			peer->flash &= ~TEST8;
1076			snprintf(statstr, NTP_MAXSTRLEN,
1077			    "leap %u ts %u fs %u", vallen,
1078			    ntohl(ep->tstamp), ntohl(ep->fstamp));
1079			record_crypto_stats(&peer->srcadr, statstr);
1080#ifdef DEBUG
1081			if (debug)
1082				printf("crypto_recv: %s\n", statstr);
1083#endif
1084			break;
1085
1086		/*
1087		 * We come here in symmetric modes for miscellaneous
1088		 * commands that have value fields but are processed on
1089		 * the transmit side. All we need do here is check for
1090		 * valid field length. Remaining checks are below and on
1091		 * the transmit side.
1092		 */
1093		case CRYPTO_CERT:
1094		case CRYPTO_IFF:
1095		case CRYPTO_GQ:
1096		case CRYPTO_MV:
1097		case CRYPTO_SIGN:
1098			if (len < VALUE_LEN) {
1099				rval = XEVNT_LEN;
1100				break;
1101			}
1102			/* fall through */
1103
1104		/*
1105		 * We come here for miscellaneous requests and unknown
1106		 * requests and responses. If an unknown response or
1107		 * error, forget it. If a request, save the extension
1108		 * field for later. Unknown requests will be caught on
1109		 * the transmit side.
1110		 */
1111		default:
1112			if (code & (CRYPTO_RESP | CRYPTO_ERROR)) {
1113				rval = XEVNT_ERR;
1114			} else if ((rval = crypto_verify(ep, NULL,
1115			    peer)) == XEVNT_OK) {
1116				fp = emalloc(len);
1117				memcpy(fp, ep, len);
1118				temp32 = CRYPTO_RESP;
1119				fp->opcode |= htonl(temp32);
1120				peer->cmmd = fp;
1121			}
1122		}
1123
1124		/*
1125		 * We don't log length/format/timestamp errors and
1126		 * duplicates, which are log clogging vulnerabilities.
1127		 * The first error found terminates the extension field
1128		 * scan and we return the laundry to the caller. A
1129		 * length/format/timestamp error on transmit is
1130		 * cheerfully ignored, as the message is not sent.
1131		 */
1132		if (rval > XEVNT_TSP) {
1133			snprintf(statstr, NTP_MAXSTRLEN,
1134			    "error %x opcode %x ts %u fs %u", rval,
1135			    code, tstamp, fstamp);
1136			record_crypto_stats(&peer->srcadr, statstr);
1137			report_event(rval, peer);
1138#ifdef DEBUG
1139			if (debug)
1140				printf("crypto_recv: %s\n", statstr);
1141#endif
1142			break;
1143
1144		} else if (rval > XEVNT_OK && (code & CRYPTO_RESP)) {
1145			rval = XEVNT_OK;
1146		}
1147		authlen += len;
1148	}
1149	return (rval);
1150}
1151
1152
1153/*
1154 * crypto_xmit - construct extension fields
1155 *
1156 * This routine is called both when an association is configured and
1157 * when one is not. The only case where this matters is to retrieve the
1158 * autokey information, in which case the caller has to provide the
1159 * association ID to match the association.
1160 *
1161 * Returns length of extension field.
1162 */
1163int
1164crypto_xmit(
1165	struct pkt *xpkt,	/* transmit packet pointer */
1166	struct sockaddr_storage *srcadr_sin,	/* active runway */
1167	int	start,		/* offset to extension field */
1168	struct exten *ep,	/* extension pointer */
1169	keyid_t cookie		/* session cookie */
1170	)
1171{
1172	u_int32	*pkt;		/* packet pointer */
1173	struct peer *peer;	/* peer structure pointer */
1174	u_int	opcode;		/* extension field opcode */
1175	struct exten *fp;	/* extension pointers */
1176	struct cert_info *cp, *xp; /* certificate info/value pointer */
1177	char	certname[MAXHOSTNAME + 1]; /* subject name buffer */
1178	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
1179	tstamp_t tstamp;
1180	u_int	vallen;
1181	u_int	len;
1182	struct value vtemp;
1183	associd_t associd;
1184	int	rval;
1185	keyid_t tcookie;
1186
1187	/*
1188	 * Generate the requested extension field request code, length
1189	 * and association ID. If this is a response and the host is not
1190	 * synchronized, light the error bit and go home.
1191	 */
1192	pkt = (u_int32 *)xpkt + start / 4;
1193	fp = (struct exten *)pkt;
1194	opcode = ntohl(ep->opcode);
1195	associd = (associd_t) ntohl(ep->associd);
1196	fp->associd = htonl(associd);
1197	len = 8;
1198	rval = XEVNT_OK;
1199	tstamp = crypto_time();
1200	switch (opcode & 0xffff0000) {
1201
1202	/*
1203	 * Send association request and response with status word and
1204	 * host name. Note, this message is not signed and the filestamp
1205	 * contains only the status word.
1206	 */
1207	case CRYPTO_ASSOC | CRYPTO_RESP:
1208		len += crypto_send(fp, &hostval);
1209		fp->fstamp = htonl(crypto_flags);
1210		break;
1211
1212	case CRYPTO_ASSOC:
1213		len += crypto_send(fp, &hostval);
1214		fp->fstamp = htonl(crypto_flags | ident_scheme);
1215		break;
1216
1217	/*
1218	 * Send certificate request. Use the values from the extension
1219	 * field.
1220	 */
1221	case CRYPTO_CERT:
1222		memset(&vtemp, 0, sizeof(vtemp));
1223		vtemp.tstamp = ep->tstamp;
1224		vtemp.fstamp = ep->fstamp;
1225		vtemp.vallen = ep->vallen;
1226		vtemp.ptr = (u_char *)ep->pkt;
1227		len += crypto_send(fp, &vtemp);
1228		break;
1229
1230	/*
1231	 * Send certificate response or sign request. Use the values
1232	 * from the certificate cache. If the request contains no
1233	 * subject name, assume the name of this host. This is for
1234	 * backwards compatibility. Private certificates are never sent.
1235	 */
1236	case CRYPTO_SIGN:
1237	case CRYPTO_CERT | CRYPTO_RESP:
1238		vallen = ntohl(ep->vallen);
1239		if (vallen == 8) {
1240			strcpy(certname, sys_hostname);
1241		} else if (vallen == 0 || vallen > MAXHOSTNAME) {
1242			rval = XEVNT_LEN;
1243			break;
1244
1245		} else {
1246			memcpy(certname, ep->pkt, vallen);
1247			certname[vallen] = '\0';
1248		}
1249
1250		/*
1251		 * Find all certificates with matching subject. If a
1252		 * self-signed, trusted certificate is found, use that.
1253		 * If not, use the first one with matching subject. A
1254		 * private certificate is never divulged or signed.
1255		 */
1256		xp = NULL;
1257		for (cp = cinfo; cp != NULL; cp = cp->link) {
1258			if (cp->flags & CERT_PRIV)
1259				continue;
1260
1261			if (strcmp(certname, cp->subject) == 0) {
1262				if (xp == NULL)
1263					xp = cp;
1264				if (strcmp(certname, cp->issuer) ==
1265				    0 && cp->flags & CERT_TRUST) {
1266					xp = cp;
1267					break;
1268				}
1269			}
1270		}
1271
1272		/*
1273		 * Be careful who you trust. If not yet synchronized,
1274		 * give back an empty response. If certificate not found
1275		 * or beyond the lifetime, return an error. This is to
1276		 * avoid a bad dude trying to get an expired certificate
1277		 * re-signed. Otherwise, send it.
1278		 *
1279		 * Note the timestamp and filestamp are taken from the
1280		 * certificate value structure. For all certificates the
1281		 * timestamp is the latest signature update time. For
1282		 * host and imported certificates the filestamp is the
1283		 * creation epoch. For signed certificates the filestamp
1284		 * is the creation epoch of the trusted certificate at
1285		 * the base of the certificate trail. In principle, this
1286		 * allows strong checking for signature masquerade.
1287		 */
1288		if (tstamp == 0)
1289			break;
1290
1291		if (xp == NULL)
1292			rval = XEVNT_CRT;
1293		else if (tstamp < xp->first || tstamp > xp->last)
1294			rval = XEVNT_SRV;
1295		else
1296			len += crypto_send(fp, &xp->cert);
1297		break;
1298
1299	/*
1300	 * Send challenge in Schnorr (IFF) identity scheme.
1301	 */
1302	case CRYPTO_IFF:
1303		if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
1304			rval = XEVNT_ERR;
1305			break;
1306		}
1307		if ((rval = crypto_alice(peer, &vtemp)) == XEVNT_OK) {
1308			len += crypto_send(fp, &vtemp);
1309			value_free(&vtemp);
1310		}
1311		break;
1312
1313	/*
1314	 * Send response in Schnorr (IFF) identity scheme.
1315	 */
1316	case CRYPTO_IFF | CRYPTO_RESP:
1317		if ((rval = crypto_bob(ep, &vtemp)) == XEVNT_OK) {
1318			len += crypto_send(fp, &vtemp);
1319			value_free(&vtemp);
1320		}
1321		break;
1322
1323	/*
1324	 * Send challenge in Guillou-Quisquater (GQ) identity scheme.
1325	 */
1326	case CRYPTO_GQ:
1327		if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
1328			rval = XEVNT_ERR;
1329			break;
1330		}
1331		if ((rval = crypto_alice2(peer, &vtemp)) == XEVNT_OK) {
1332			len += crypto_send(fp, &vtemp);
1333			value_free(&vtemp);
1334		}
1335		break;
1336
1337	/*
1338	 * Send response in Guillou-Quisquater (GQ) identity scheme.
1339	 */
1340	case CRYPTO_GQ | CRYPTO_RESP:
1341		if ((rval = crypto_bob2(ep, &vtemp)) == XEVNT_OK) {
1342			len += crypto_send(fp, &vtemp);
1343			value_free(&vtemp);
1344		}
1345		break;
1346
1347	/*
1348	 * Send challenge in MV identity scheme.
1349	 */
1350	case CRYPTO_MV:
1351		if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) {
1352			rval = XEVNT_ERR;
1353			break;
1354		}
1355		if ((rval = crypto_alice3(peer, &vtemp)) == XEVNT_OK) {
1356			len += crypto_send(fp, &vtemp);
1357			value_free(&vtemp);
1358		}
1359		break;
1360
1361	/*
1362	 * Send response in MV identity scheme.
1363	 */
1364	case CRYPTO_MV | CRYPTO_RESP:
1365		if ((rval = crypto_bob3(ep, &vtemp)) == XEVNT_OK) {
1366			len += crypto_send(fp, &vtemp);
1367			value_free(&vtemp);
1368		}
1369		break;
1370
1371	/*
1372	 * Send certificate sign response. The integrity of the request
1373	 * certificate has already been verified on the receive side.
1374	 * Sign the response using the local server key. Use the
1375	 * filestamp from the request and use the timestamp as the
1376	 * current time. Light the error bit if the certificate is
1377	 * invalid or contains an unverified signature.
1378	 */
1379	case CRYPTO_SIGN | CRYPTO_RESP:
1380		if ((rval = cert_sign(ep, &vtemp)) == XEVNT_OK)
1381			len += crypto_send(fp, &vtemp);
1382		value_free(&vtemp);
1383		break;
1384
1385	/*
1386	 * Send public key and signature. Use the values from the public
1387	 * key.
1388	 */
1389	case CRYPTO_COOK:
1390		len += crypto_send(fp, &pubkey);
1391		break;
1392
1393	/*
1394	 * Encrypt and send cookie and signature. Light the error bit if
1395	 * anything goes wrong.
1396	 */
1397	case CRYPTO_COOK | CRYPTO_RESP:
1398		if ((opcode & 0xffff) < VALUE_LEN) {
1399			rval = XEVNT_LEN;
1400			break;
1401		}
1402		if (PKT_MODE(xpkt->li_vn_mode) == MODE_SERVER) {
1403			tcookie = cookie;
1404		} else {
1405			if ((peer = findpeerbyassoc(associd)) == NULL) {
1406				rval = XEVNT_ERR;
1407				break;
1408			}
1409			tcookie = peer->pcookie;
1410		}
1411		if ((rval = crypto_encrypt(ep, &vtemp, &tcookie)) ==
1412		    XEVNT_OK)
1413			len += crypto_send(fp, &vtemp);
1414		value_free(&vtemp);
1415		break;
1416
1417	/*
1418	 * Find peer and send autokey data and signature in broadcast
1419	 * server and symmetric modes. Use the values in the autokey
1420	 * structure. If no association is found, either the server has
1421	 * restarted with new associations or some perp has replayed an
1422	 * old message, in which case light the error bit.
1423	 */
1424	case CRYPTO_AUTO | CRYPTO_RESP:
1425		if ((peer = findpeerbyassoc(associd)) == NULL) {
1426			rval = XEVNT_ERR;
1427			break;
1428		}
1429		peer->flags &= ~FLAG_ASSOC;
1430		len += crypto_send(fp, &peer->sndval);
1431		break;
1432
1433	/*
1434	 * Send leapseconds table and signature. Use the values from the
1435	 * tai structure. If no table has been loaded, just send an
1436	 * empty request.
1437	 */
1438	case CRYPTO_TAI:
1439	case CRYPTO_TAI | CRYPTO_RESP:
1440		if (crypto_flags & CRYPTO_FLAG_TAI)
1441			len += crypto_send(fp, &tai_leap);
1442		break;
1443
1444	/*
1445	 * Default - Fall through for requests; for unknown responses,
1446	 * flag as error.
1447	 */
1448	default:
1449		if (opcode & CRYPTO_RESP)
1450			rval = XEVNT_ERR;
1451	}
1452
1453	/*
1454	 * In case of error, flame the log. If a request, toss the
1455	 * puppy; if a response, return so the sender can flame, too.
1456	 */
1457	if (rval != XEVNT_OK) {
1458		opcode |= CRYPTO_ERROR;
1459		snprintf(statstr, NTP_MAXSTRLEN,
1460		    "error %x opcode %x", rval, opcode);
1461		record_crypto_stats(srcadr_sin, statstr);
1462		report_event(rval, NULL);
1463#ifdef DEBUG
1464		if (debug)
1465			printf("crypto_xmit: %s\n", statstr);
1466#endif
1467		if (!(opcode & CRYPTO_RESP))
1468			return (0);
1469	}
1470
1471	/*
1472	 * Round up the field length to a multiple of 8 bytes and save
1473	 * the request code and length.
1474	 */
1475	len = ((len + 7) / 8) * 8;
1476	fp->opcode = htonl((opcode & 0xffff0000) | len);
1477#ifdef DEBUG
1478	if (debug)
1479		printf(
1480		    "crypto_xmit: flags 0x%x ext offset %d len %u code 0x%x assocID %d\n",
1481		    crypto_flags, start, len, opcode >> 16, associd);
1482#endif
1483	return (len);
1484}
1485
1486
1487/*
1488 * crypto_verify - parse and verify the extension field and value
1489 *
1490 * Returns
1491 * XEVNT_OK	success
1492 * XEVNT_LEN	bad field format or length
1493 * XEVNT_TSP	bad timestamp
1494 * XEVNT_FSP	bad filestamp
1495 * XEVNT_PUB	bad or missing public key
1496 * XEVNT_SGL	bad signature length
1497 * XEVNT_SIG	signature not verified
1498 * XEVNT_ERR	protocol error
1499 */
1500static int
1501crypto_verify(
1502	struct exten *ep,	/* extension pointer */
1503	struct value *vp,	/* value pointer */
1504	struct peer *peer	/* peer structure pointer */
1505	)
1506{
1507	EVP_PKEY *pkey;		/* server public key */
1508	EVP_MD_CTX ctx;		/* signature context */
1509	tstamp_t tstamp, tstamp1 = 0; /* timestamp */
1510	tstamp_t fstamp, fstamp1 = 0; /* filestamp */
1511	u_int	vallen;		/* value length */
1512	u_int	siglen;		/* signature length */
1513	u_int	opcode, len;
1514	int	i;
1515
1516	/*
1517	 * We require valid opcode and field lengths, timestamp,
1518	 * filestamp, public key, digest, signature length and
1519	 * signature, where relevant. Note that preliminary length
1520	 * checks are done in the main loop.
1521	 */
1522	len = ntohl(ep->opcode) & 0x0000ffff;
1523	opcode = ntohl(ep->opcode) & 0xffff0000;
1524
1525	/*
1526	 * Check for valid operation code and protocol. The opcode must
1527	 * not have the error bit set. If a response, it must have a
1528	 * value header. If a request and does not contain a value
1529	 * header, no need for further checking.
1530	 */
1531	if (opcode & CRYPTO_ERROR)
1532		return (XEVNT_ERR);
1533
1534 	if (opcode & CRYPTO_RESP) {
1535 		if (len < VALUE_LEN)
1536			return (XEVNT_LEN);
1537	} else {
1538 		if (len < VALUE_LEN)
1539			return (XEVNT_OK);
1540	}
1541
1542	/*
1543	 * We have a value header. Check for valid field lengths. The
1544	 * field length must be long enough to contain the value header,
1545	 * value and signature. Note both the value and signature fields
1546	 * are rounded up to the next word.
1547	 */
1548	vallen = ntohl(ep->vallen);
1549	i = (vallen + 3) / 4;
1550	siglen = ntohl(ep->pkt[i++]);
1551	if (len < VALUE_LEN + ((vallen + 3) / 4) * 4 + ((siglen + 3) /
1552	    4) * 4)
1553		return (XEVNT_LEN);
1554
1555	/*
1556	 * Punt if this is a response with no data. Punt if this is a
1557	 * request and a previous response is pending. 
1558	 */
1559	if (opcode & CRYPTO_RESP) {
1560		if (vallen == 0)
1561			return (XEVNT_LEN);
1562	} else {
1563		if (peer->cmmd != NULL)
1564			return (XEVNT_LEN);
1565	}
1566
1567	/*
1568	 * Check for valid timestamp and filestamp. If the timestamp is
1569	 * zero, the sender is not synchronized and signatures are
1570	 * disregarded. If not, the timestamp must not precede the
1571	 * filestamp. The timestamp and filestamp must not precede the
1572	 * corresponding values in the value structure, if present. Once
1573	 * the autokey values have been installed, the timestamp must
1574	 * always be later than the corresponding value in the value
1575	 * structure. Duplicate timestamps are illegal once the cookie
1576	 * has been validated.
1577	 */
1578	tstamp = ntohl(ep->tstamp);
1579	fstamp = ntohl(ep->fstamp);
1580	if (tstamp == 0)
1581		return (XEVNT_OK);
1582
1583	if (tstamp < fstamp)
1584		return (XEVNT_TSP);
1585
1586	if (vp != NULL) {
1587		tstamp1 = ntohl(vp->tstamp);
1588		fstamp1 = ntohl(vp->fstamp);
1589		if ((tstamp < tstamp1 || (tstamp == tstamp1 &&
1590		    (peer->crypto & CRYPTO_FLAG_AUTO))))
1591			return (XEVNT_TSP);
1592
1593		if ((tstamp < fstamp1 || fstamp < fstamp1))
1594			return (XEVNT_FSP);
1595	}
1596
1597	/*
1598	 * Check for valid signature length, public key and digest
1599	 * algorithm.
1600	 */
1601	if (crypto_flags & peer->crypto & CRYPTO_FLAG_PRIV)
1602		pkey = sign_pkey;
1603	else
1604		pkey = peer->pkey;
1605	if (siglen == 0 || pkey == NULL || peer->digest == NULL)
1606		return (XEVNT_OK);
1607
1608	if (siglen != (u_int)EVP_PKEY_size(pkey))
1609		return (XEVNT_SGL);
1610
1611	/*
1612	 * Darn, I thought we would never get here. Verify the
1613	 * signature. If the identity exchange is verified, light the
1614	 * proventic bit. If no client identity scheme is specified,
1615	 * avoid doing the sign exchange.
1616	 */
1617	EVP_VerifyInit(&ctx, peer->digest);
1618	EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
1619	if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0)
1620		return (XEVNT_SIG);
1621
1622	if (peer->crypto & CRYPTO_FLAG_VRFY) {
1623		peer->crypto |= CRYPTO_FLAG_PROV;
1624		if (!(crypto_flags & CRYPTO_FLAG_MASK))
1625			peer->crypto |= CRYPTO_FLAG_SIGN;
1626	}
1627	return (XEVNT_OK);
1628}
1629
1630
1631/*
1632 * crypto_encrypt - construct encrypted cookie and signature from
1633 * extension field and cookie
1634 *
1635 * Returns
1636 * XEVNT_OK	success
1637 * XEVNT_PUB	bad or missing public key
1638 * XEVNT_CKY	bad or missing cookie
1639 * XEVNT_PER	host certificate expired
1640 */
1641static int
1642crypto_encrypt(
1643	struct exten *ep,	/* extension pointer */
1644	struct value *vp,	/* value pointer */
1645	keyid_t	*cookie		/* server cookie */
1646	)
1647{
1648	EVP_PKEY *pkey;		/* public key */
1649	EVP_MD_CTX ctx;		/* signature context */
1650	tstamp_t tstamp;	/* NTP timestamp */
1651	u_int32	temp32;
1652	u_int	len;
1653	u_char	*ptr;
1654
1655	/*
1656	 * Extract the public key from the request.
1657	 */
1658	len = ntohl(ep->vallen);
1659	ptr = (u_char *)ep->pkt;
1660	pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len);
1661	if (pkey == NULL) {
1662		msyslog(LOG_ERR, "crypto_encrypt %s\n",
1663		    ERR_error_string(ERR_get_error(), NULL));
1664		return (XEVNT_PUB);
1665	}
1666
1667	/*
1668	 * Encrypt the cookie, encode in ASN.1 and sign.
1669	 */
1670	tstamp = crypto_time();
1671	memset(vp, 0, sizeof(struct value));
1672	vp->tstamp = htonl(tstamp);
1673	vp->fstamp = hostval.tstamp;
1674	len = EVP_PKEY_size(pkey);
1675	vp->vallen = htonl(len);
1676	vp->ptr = emalloc(len);
1677	temp32 = htonl(*cookie);
1678	if (!RSA_public_encrypt(4, (u_char *)&temp32, vp->ptr,
1679	    pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING)) {
1680		msyslog(LOG_ERR, "crypto_encrypt %s\n",
1681		    ERR_error_string(ERR_get_error(), NULL));
1682		EVP_PKEY_free(pkey);
1683		return (XEVNT_CKY);
1684	}
1685	EVP_PKEY_free(pkey);
1686	vp->siglen = 0;
1687	if (tstamp == 0)
1688		return (XEVNT_OK);
1689
1690	if (tstamp < cinfo->first || tstamp > cinfo->last)
1691		return (XEVNT_PER);
1692
1693	vp->sig = emalloc(sign_siglen);
1694	EVP_SignInit(&ctx, sign_digest);
1695	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
1696	EVP_SignUpdate(&ctx, vp->ptr, len);
1697	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
1698		vp->siglen = htonl(len);
1699	return (XEVNT_OK);
1700}
1701
1702
1703/*
1704 * crypto_ident - construct extension field for identity scheme
1705 *
1706 * This routine determines which identity scheme is in use and
1707 * constructs an extension field for that scheme.
1708 */
1709u_int
1710crypto_ident(
1711	struct peer *peer	/* peer structure pointer */
1712	)
1713{
1714	char	filename[MAXFILENAME + 1];
1715
1716	/*
1717	 * If the server identity has already been verified, no further
1718	 * action is necessary. Otherwise, try to load the identity file
1719	 * of the certificate issuer. If the issuer file is not found,
1720	 * try the host file. If nothing found, declare a cryptobust.
1721	 * Note we can't get here unless the trusted certificate has
1722	 * been found and the CRYPTO_FLAG_VALID bit is set, so the
1723	 * certificate issuer is valid.
1724	 */
1725	if (peer->ident_pkey != NULL)
1726		EVP_PKEY_free(peer->ident_pkey);
1727	if (peer->crypto & CRYPTO_FLAG_GQ) {
1728		snprintf(filename, MAXFILENAME, "ntpkey_gq_%s",
1729		    peer->issuer);
1730		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1731		if (peer->ident_pkey != NULL)
1732			return (CRYPTO_GQ);
1733
1734		snprintf(filename, MAXFILENAME, "ntpkey_gq_%s",
1735		    sys_hostname);
1736		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1737		if (peer->ident_pkey != NULL)
1738			return (CRYPTO_GQ);
1739	}
1740	if (peer->crypto & CRYPTO_FLAG_IFF) {
1741		snprintf(filename, MAXFILENAME, "ntpkey_iff_%s",
1742		    peer->issuer);
1743		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1744		if (peer->ident_pkey != NULL)
1745			return (CRYPTO_IFF);
1746
1747		snprintf(filename, MAXFILENAME, "ntpkey_iff_%s",
1748		    sys_hostname);
1749		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1750		if (peer->ident_pkey != NULL)
1751			return (CRYPTO_IFF);
1752	}
1753	if (peer->crypto & CRYPTO_FLAG_MV) {
1754		snprintf(filename, MAXFILENAME, "ntpkey_mv_%s",
1755		    peer->issuer);
1756		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1757		if (peer->ident_pkey != NULL)
1758			return (CRYPTO_MV);
1759
1760		snprintf(filename, MAXFILENAME, "ntpkey_mv_%s",
1761		    sys_hostname);
1762		peer->ident_pkey = crypto_key(filename, &peer->fstamp);
1763		if (p

Large files files are truncated, but you can click here to view the full file