/contrib/ntp/ntpd/ntp_crypto.c
C | 4189 lines | 2414 code | 326 blank | 1449 comment | 577 complexity | 24628f797239e75d9f4988848ef9a38c MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception, BSD-3-Clause, LGPL-2.0, LGPL-2.1, BSD-2-Clause, 0BSD, JSON, AGPL-1.0, GPL-2.0
Large files files are truncated, but you can click here to view the full file
1/* 2 * ntp_crypto.c - NTP version 4 public key routines 3 */ 4#ifdef HAVE_CONFIG_H 5#include <config.h> 6#endif 7 8#ifdef OPENSSL 9#include <stdio.h> 10#include <sys/types.h> 11#include <sys/param.h> 12#include <unistd.h> 13#include <fcntl.h> 14 15#include "ntpd.h" 16#include "ntp_stdlib.h" 17#include "ntp_unixtime.h" 18#include "ntp_string.h" 19#include <ntp_random.h> 20 21#include "openssl/asn1_mac.h" 22#include "openssl/bn.h" 23#include "openssl/err.h" 24#include "openssl/evp.h" 25#include "openssl/pem.h" 26#include "openssl/rand.h" 27#include "openssl/x509v3.h" 28 29#ifdef KERNEL_PLL 30#include "ntp_syscall.h" 31#endif /* KERNEL_PLL */ 32 33/* 34 * Extension field message format 35 * 36 * These are always signed and saved before sending in network byte 37 * order. They must be converted to and from host byte order for 38 * processing. 39 * 40 * +-------+-------+ 41 * | op | len | <- extension pointer 42 * +-------+-------+ 43 * | assocID | 44 * +---------------+ 45 * | timestamp | <- value pointer 46 * +---------------+ 47 * | filestamp | 48 * +---------------+ 49 * | value len | 50 * +---------------+ 51 * | | 52 * = value = 53 * | | 54 * +---------------+ 55 * | signature len | 56 * +---------------+ 57 * | | 58 * = signature = 59 * | | 60 * +---------------+ 61 * 62 * The CRYPTO_RESP bit is set to 0 for requests, 1 for responses. 63 * Requests carry the association ID of the receiver; responses carry 64 * the association ID of the sender. Some messages include only the 65 * operation/length and association ID words and so have length 8 66 * octets. Ohers include the value structure and associated value and 67 * signature fields. These messages include the timestamp, filestamp, 68 * value and signature words and so have length at least 24 octets. The 69 * signature and/or value fields can be empty, in which case the 70 * respective length words are zero. An empty value with nonempty 71 * signature is syntactically valid, but semantically questionable. 72 * 73 * The filestamp represents the time when a cryptographic data file such 74 * as a public/private key pair is created. It follows every reference 75 * depending on that file and serves as a means to obsolete earlier data 76 * of the same type. The timestamp represents the time when the 77 * cryptographic data of the message were last signed. Creation of a 78 * cryptographic data file or signing a message can occur only when the 79 * creator or signor is synchronized to an authoritative source and 80 * proventicated to a trusted authority. 81 * 82 * Note there are four conditions required for server trust. First, the 83 * public key on the certificate must be verified, which involves a 84 * number of format, content and consistency checks. Next, the server 85 * identity must be confirmed by one of four schemes: private 86 * certificate, IFF scheme, GQ scheme or certificate trail hike to a 87 * self signed trusted certificate. Finally, the server signature must 88 * be verified. 89 */ 90/* 91 * Cryptodefines 92 */ 93#define TAI_1972 10 /* initial TAI offset (s) */ 94#define MAX_LEAP 100 /* max UTC leapseconds (s) */ 95#define VALUE_LEN (6 * 4) /* min response field length */ 96#define YEAR (60 * 60 * 24 * 365) /* seconds in year */ 97 98/* 99 * Global cryptodata in host byte order 100 */ 101u_int32 crypto_flags = 0x0; /* status word */ 102 103/* 104 * Global cryptodata in network byte order 105 */ 106struct cert_info *cinfo = NULL; /* certificate info/value */ 107struct value hostval; /* host value */ 108struct value pubkey; /* public key */ 109struct value tai_leap; /* leapseconds table */ 110EVP_PKEY *iffpar_pkey = NULL; /* IFF parameters */ 111EVP_PKEY *gqpar_pkey = NULL; /* GQ parameters */ 112EVP_PKEY *mvpar_pkey = NULL; /* MV parameters */ 113char *iffpar_file = NULL; /* IFF parameters file */ 114char *gqpar_file = NULL; /* GQ parameters file */ 115char *mvpar_file = NULL; /* MV parameters file */ 116 117/* 118 * Private cryptodata in host byte order 119 */ 120static char *passwd = NULL; /* private key password */ 121static EVP_PKEY *host_pkey = NULL; /* host key */ 122static EVP_PKEY *sign_pkey = NULL; /* sign key */ 123static const EVP_MD *sign_digest = NULL; /* sign digest */ 124static u_int sign_siglen; /* sign key length */ 125static char *rand_file = NULL; /* random seed file */ 126static char *host_file = NULL; /* host key file */ 127static char *sign_file = NULL; /* sign key file */ 128static char *cert_file = NULL; /* certificate file */ 129static char *leap_file = NULL; /* leapseconds file */ 130static tstamp_t if_fstamp = 0; /* IFF filestamp */ 131static tstamp_t gq_fstamp = 0; /* GQ file stamp */ 132static tstamp_t mv_fstamp = 0; /* MV filestamp */ 133static u_int ident_scheme = 0; /* server identity scheme */ 134 135/* 136 * Cryptotypes 137 */ 138static int crypto_verify P((struct exten *, struct value *, 139 struct peer *)); 140static int crypto_encrypt P((struct exten *, struct value *, 141 keyid_t *)); 142static int crypto_alice P((struct peer *, struct value *)); 143static int crypto_alice2 P((struct peer *, struct value *)); 144static int crypto_alice3 P((struct peer *, struct value *)); 145static int crypto_bob P((struct exten *, struct value *)); 146static int crypto_bob2 P((struct exten *, struct value *)); 147static int crypto_bob3 P((struct exten *, struct value *)); 148static int crypto_iff P((struct exten *, struct peer *)); 149static int crypto_gq P((struct exten *, struct peer *)); 150static int crypto_mv P((struct exten *, struct peer *)); 151static u_int crypto_send P((struct exten *, struct value *)); 152static tstamp_t crypto_time P((void)); 153static u_long asn2ntp P((ASN1_TIME *)); 154static struct cert_info *cert_parse P((u_char *, u_int, tstamp_t)); 155static int cert_sign P((struct exten *, struct value *)); 156static int cert_valid P((struct cert_info *, EVP_PKEY *)); 157static int cert_install P((struct exten *, struct peer *)); 158static void cert_free P((struct cert_info *)); 159static EVP_PKEY *crypto_key P((char *, tstamp_t *)); 160static int bighash P((BIGNUM *, BIGNUM *)); 161static struct cert_info *crypto_cert P((char *)); 162static void crypto_tai P((char *)); 163 164#ifdef SYS_WINNT 165int 166readlink(char * link, char * file, int len) { 167 return (-1); 168} 169#endif 170 171/* 172 * session_key - generate session key 173 * 174 * This routine generates a session key from the source address, 175 * destination address, key ID and private value. The value of the 176 * session key is the MD5 hash of these values, while the next key ID is 177 * the first four octets of the hash. 178 * 179 * Returns the next key ID 180 */ 181keyid_t 182session_key( 183 struct sockaddr_storage *srcadr, /* source address */ 184 struct sockaddr_storage *dstadr, /* destination address */ 185 keyid_t keyno, /* key ID */ 186 keyid_t private, /* private value */ 187 u_long lifetime /* key lifetime */ 188 ) 189{ 190 EVP_MD_CTX ctx; /* message digest context */ 191 u_char dgst[EVP_MAX_MD_SIZE]; /* message digest */ 192 keyid_t keyid; /* key identifer */ 193 u_int32 header[10]; /* data in network byte order */ 194 u_int hdlen, len; 195 196 if (!dstadr) 197 return 0; 198 199 /* 200 * Generate the session key and key ID. If the lifetime is 201 * greater than zero, install the key and call it trusted. 202 */ 203 hdlen = 0; 204 switch(srcadr->ss_family) { 205 case AF_INET: 206 header[0] = ((struct sockaddr_in *)srcadr)->sin_addr.s_addr; 207 header[1] = ((struct sockaddr_in *)dstadr)->sin_addr.s_addr; 208 header[2] = htonl(keyno); 209 header[3] = htonl(private); 210 hdlen = 4 * sizeof(u_int32); 211 break; 212 213 case AF_INET6: 214 memcpy(&header[0], &GET_INADDR6(*srcadr), 215 sizeof(struct in6_addr)); 216 memcpy(&header[4], &GET_INADDR6(*dstadr), 217 sizeof(struct in6_addr)); 218 header[8] = htonl(keyno); 219 header[9] = htonl(private); 220 hdlen = 10 * sizeof(u_int32); 221 break; 222 } 223 EVP_DigestInit(&ctx, EVP_md5()); 224 EVP_DigestUpdate(&ctx, (u_char *)header, hdlen); 225 EVP_DigestFinal(&ctx, dgst, &len); 226 memcpy(&keyid, dgst, 4); 227 keyid = ntohl(keyid); 228 if (lifetime != 0) { 229 MD5auth_setkey(keyno, dgst, len); 230 authtrust(keyno, lifetime); 231 } 232#ifdef DEBUG 233 if (debug > 1) 234 printf( 235 "session_key: %s > %s %08x %08x hash %08x life %lu\n", 236 stoa(srcadr), stoa(dstadr), keyno, 237 private, keyid, lifetime); 238#endif 239 return (keyid); 240} 241 242 243/* 244 * make_keylist - generate key list 245 * 246 * Returns 247 * XEVNT_OK success 248 * XEVNT_PER host certificate expired 249 * 250 * This routine constructs a pseudo-random sequence by repeatedly 251 * hashing the session key starting from a given source address, 252 * destination address, private value and the next key ID of the 253 * preceeding session key. The last entry on the list is saved along 254 * with its sequence number and public signature. 255 */ 256int 257make_keylist( 258 struct peer *peer, /* peer structure pointer */ 259 struct interface *dstadr /* interface */ 260 ) 261{ 262 EVP_MD_CTX ctx; /* signature context */ 263 tstamp_t tstamp; /* NTP timestamp */ 264 struct autokey *ap; /* autokey pointer */ 265 struct value *vp; /* value pointer */ 266 keyid_t keyid = 0; /* next key ID */ 267 keyid_t cookie; /* private value */ 268 u_long lifetime; 269 u_int len, mpoll; 270 int i; 271 272 if (!dstadr) 273 return XEVNT_OK; 274 275 /* 276 * Allocate the key list if necessary. 277 */ 278 tstamp = crypto_time(); 279 if (peer->keylist == NULL) 280 peer->keylist = emalloc(sizeof(keyid_t) * 281 NTP_MAXSESSION); 282 283 /* 284 * Generate an initial key ID which is unique and greater than 285 * NTP_MAXKEY. 286 */ 287 while (1) { 288 keyid = (ntp_random() + NTP_MAXKEY + 1) & ((1 << 289 sizeof(keyid_t)) - 1); 290 if (authhavekey(keyid)) 291 continue; 292 break; 293 } 294 295 /* 296 * Generate up to NTP_MAXSESSION session keys. Stop if the 297 * next one would not be unique or not a session key ID or if 298 * it would expire before the next poll. The private value 299 * included in the hash is zero if broadcast mode, the peer 300 * cookie if client mode or the host cookie if symmetric modes. 301 */ 302 mpoll = 1 << min(peer->ppoll, peer->hpoll); 303 lifetime = min(sys_automax, NTP_MAXSESSION * mpoll); 304 if (peer->hmode == MODE_BROADCAST) 305 cookie = 0; 306 else 307 cookie = peer->pcookie; 308 for (i = 0; i < NTP_MAXSESSION; i++) { 309 peer->keylist[i] = keyid; 310 peer->keynumber = i; 311 keyid = session_key(&dstadr->sin, &peer->srcadr, keyid, 312 cookie, lifetime); 313 lifetime -= mpoll; 314 if (auth_havekey(keyid) || keyid <= NTP_MAXKEY || 315 lifetime <= mpoll) 316 break; 317 } 318 319 /* 320 * Save the last session key ID, sequence number and timestamp, 321 * then sign these values for later retrieval by the clients. Be 322 * careful not to use invalid key media. Use the public values 323 * timestamp as filestamp. 324 */ 325 vp = &peer->sndval; 326 if (vp->ptr == NULL) 327 vp->ptr = emalloc(sizeof(struct autokey)); 328 ap = (struct autokey *)vp->ptr; 329 ap->seq = htonl(peer->keynumber); 330 ap->key = htonl(keyid); 331 vp->tstamp = htonl(tstamp); 332 vp->fstamp = hostval.tstamp; 333 vp->vallen = htonl(sizeof(struct autokey)); 334 vp->siglen = 0; 335 if (tstamp != 0) { 336 if (tstamp < cinfo->first || tstamp > cinfo->last) 337 return (XEVNT_PER); 338 339 if (vp->sig == NULL) 340 vp->sig = emalloc(sign_siglen); 341 EVP_SignInit(&ctx, sign_digest); 342 EVP_SignUpdate(&ctx, (u_char *)vp, 12); 343 EVP_SignUpdate(&ctx, vp->ptr, sizeof(struct autokey)); 344 if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) 345 vp->siglen = htonl(len); 346 else 347 msyslog(LOG_ERR, "make_keys %s\n", 348 ERR_error_string(ERR_get_error(), NULL)); 349 peer->flags |= FLAG_ASSOC; 350 } 351#ifdef DEBUG 352 if (debug) 353 printf("make_keys: %d %08x %08x ts %u fs %u poll %d\n", 354 ntohl(ap->seq), ntohl(ap->key), cookie, 355 ntohl(vp->tstamp), ntohl(vp->fstamp), peer->hpoll); 356#endif 357 return (XEVNT_OK); 358} 359 360 361/* 362 * crypto_recv - parse extension fields 363 * 364 * This routine is called when the packet has been matched to an 365 * association and passed sanity, format and MAC checks. We believe the 366 * extension field values only if the field has proper format and 367 * length, the timestamp and filestamp are valid and the signature has 368 * valid length and is verified. There are a few cases where some values 369 * are believed even if the signature fails, but only if the proventic 370 * bit is not set. 371 */ 372int 373crypto_recv( 374 struct peer *peer, /* peer structure pointer */ 375 struct recvbuf *rbufp /* packet buffer pointer */ 376 ) 377{ 378 const EVP_MD *dp; /* message digest algorithm */ 379 u_int32 *pkt; /* receive packet pointer */ 380 struct autokey *ap, *bp; /* autokey pointer */ 381 struct exten *ep, *fp; /* extension pointers */ 382 int has_mac; /* length of MAC field */ 383 int authlen; /* offset of MAC field */ 384 associd_t associd; /* association ID */ 385 tstamp_t tstamp = 0; /* timestamp */ 386 tstamp_t fstamp = 0; /* filestamp */ 387 u_int len; /* extension field length */ 388 u_int code; /* extension field opcode */ 389 u_int vallen = 0; /* value length */ 390 X509 *cert; /* X509 certificate */ 391 char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ 392 keyid_t cookie; /* crumbles */ 393 int hismode; /* packet mode */ 394 int rval = XEVNT_OK; 395 u_char *ptr; 396 u_int32 temp32; 397 398 /* 399 * Initialize. Note that the packet has already been checked for 400 * valid format and extension field lengths. First extract the 401 * field length, command code and association ID in host byte 402 * order. These are used with all commands and modes. Then check 403 * the version number, which must be 2, and length, which must 404 * be at least 8 for requests and VALUE_LEN (24) for responses. 405 * Packets that fail either test sink without a trace. The 406 * association ID is saved only if nonzero. 407 */ 408 authlen = LEN_PKT_NOMAC; 409 hismode = (int)PKT_MODE((&rbufp->recv_pkt)->li_vn_mode); 410 while ((has_mac = rbufp->recv_length - authlen) > MAX_MAC_LEN) { 411 pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4; 412 ep = (struct exten *)pkt; 413 code = ntohl(ep->opcode) & 0xffff0000; 414 len = ntohl(ep->opcode) & 0x0000ffff; 415 associd = (associd_t) ntohl(pkt[1]); 416 rval = XEVNT_OK; 417#ifdef DEBUG 418 if (debug) 419 printf( 420 "crypto_recv: flags 0x%x ext offset %d len %u code 0x%x assocID %d\n", 421 peer->crypto, authlen, len, code >> 16, 422 associd); 423#endif 424 425 /* 426 * Check version number and field length. If bad, 427 * quietly ignore the packet. 428 */ 429 if (((code >> 24) & 0x3f) != CRYPTO_VN || len < 8) { 430 sys_unknownversion++; 431 code |= CRYPTO_ERROR; 432 } 433 434 /* 435 * Little vulnerability bandage here. If a perp tosses a 436 * fake association ID over the fence, we better toss it 437 * out. Only the first one counts. 438 */ 439 if (code & CRYPTO_RESP) { 440 if (peer->assoc == 0) 441 peer->assoc = associd; 442 else if (peer->assoc != associd) 443 code |= CRYPTO_ERROR; 444 } 445 if (len >= VALUE_LEN) { 446 tstamp = ntohl(ep->tstamp); 447 fstamp = ntohl(ep->fstamp); 448 vallen = ntohl(ep->vallen); 449 } 450 switch (code) { 451 452 /* 453 * Install status word, host name, signature scheme and 454 * association ID. In OpenSSL the signature algorithm is 455 * bound to the digest algorithm, so the NID completely 456 * defines the signature scheme. Note the request and 457 * response are identical, but neither is validated by 458 * signature. The request is processed here only in 459 * symmetric modes. The server name field might be 460 * useful to implement access controls in future. 461 */ 462 case CRYPTO_ASSOC: 463 464 /* 465 * If the machine is running when this message 466 * arrives, the other fellow has reset and so 467 * must we. Otherwise, pass the extension field 468 * to the transmit side. 469 */ 470 if (peer->crypto) { 471 rval = XEVNT_ERR; 472 break; 473 } 474 fp = emalloc(len); 475 memcpy(fp, ep, len); 476 temp32 = CRYPTO_RESP; 477 fp->opcode |= htonl(temp32); 478 peer->cmmd = fp; 479 /* fall through */ 480 481 case CRYPTO_ASSOC | CRYPTO_RESP: 482 483 /* 484 * Discard the message if it has already been 485 * stored or the message has been amputated. 486 */ 487 if (peer->crypto) 488 break; 489 490 if (vallen == 0 || vallen > MAXHOSTNAME || 491 len < VALUE_LEN + vallen) { 492 rval = XEVNT_LEN; 493 break; 494 } 495 496 /* 497 * Check the identity schemes are compatible. If 498 * the client has PC, the server must have PC, 499 * in which case the server public key and 500 * identity are presumed valid, so we skip the 501 * certificate and identity exchanges and move 502 * immediately to the cookie exchange which 503 * confirms the server signature. 504 */ 505#ifdef DEBUG 506 if (debug) 507 printf( 508 "crypto_recv: ident host 0x%x server 0x%x\n", 509 crypto_flags, fstamp); 510#endif 511 temp32 = (crypto_flags | ident_scheme) & 512 fstamp & CRYPTO_FLAG_MASK; 513 if (crypto_flags & CRYPTO_FLAG_PRIV) { 514 if (!(fstamp & CRYPTO_FLAG_PRIV)) { 515 rval = XEVNT_KEY; 516 break; 517 518 } else { 519 fstamp |= CRYPTO_FLAG_VALID | 520 CRYPTO_FLAG_VRFY | 521 CRYPTO_FLAG_SIGN; 522 } 523 /* 524 * In symmetric modes it is an error if either 525 * peer requests identity and the other peer 526 * does not support it. 527 */ 528 } else if ((hismode == MODE_ACTIVE || hismode == 529 MODE_PASSIVE) && ((crypto_flags | fstamp) & 530 CRYPTO_FLAG_MASK) && !temp32) { 531 rval = XEVNT_KEY; 532 break; 533 /* 534 * It is an error if the client requests 535 * identity and the server does not support it. 536 */ 537 } else if (hismode == MODE_CLIENT && (fstamp & 538 CRYPTO_FLAG_MASK) && !temp32) { 539 rval = XEVNT_KEY; 540 break; 541 } 542 543 /* 544 * Otherwise, the identity scheme(s) are those 545 * that both client and server support. 546 */ 547 fstamp = temp32 | (fstamp & ~CRYPTO_FLAG_MASK); 548 549 /* 550 * Discard the message if the signature digest 551 * NID is not supported. 552 */ 553 temp32 = (fstamp >> 16) & 0xffff; 554 dp = 555 (const EVP_MD *)EVP_get_digestbynid(temp32); 556 if (dp == NULL) { 557 rval = XEVNT_MD; 558 break; 559 } 560 561 /* 562 * Save status word, host name and message 563 * digest/signature type. 564 */ 565 peer->crypto = fstamp; 566 peer->digest = dp; 567 peer->subject = emalloc(vallen + 1); 568 memcpy(peer->subject, ep->pkt, vallen); 569 peer->subject[vallen] = '\0'; 570 peer->issuer = emalloc(vallen + 1); 571 strcpy(peer->issuer, peer->subject); 572 temp32 = (fstamp >> 16) & 0xffff; 573 snprintf(statstr, NTP_MAXSTRLEN, 574 "flags 0x%x host %s signature %s", fstamp, 575 peer->subject, OBJ_nid2ln(temp32)); 576 record_crypto_stats(&peer->srcadr, statstr); 577#ifdef DEBUG 578 if (debug) 579 printf("crypto_recv: %s\n", statstr); 580#endif 581 break; 582 583 /* 584 * Decode X509 certificate in ASN.1 format and extract 585 * the data containing, among other things, subject 586 * name and public key. In the default identification 587 * scheme, the certificate trail is followed to a self 588 * signed trusted certificate. 589 */ 590 case CRYPTO_CERT | CRYPTO_RESP: 591 592 /* 593 * Discard the message if invalid. 594 */ 595 if ((rval = crypto_verify(ep, NULL, peer)) != 596 XEVNT_OK) 597 break; 598 599 /* 600 * Scan the certificate list to delete old 601 * versions and link the newest version first on 602 * the list. 603 */ 604 if ((rval = cert_install(ep, peer)) != XEVNT_OK) 605 break; 606 607 /* 608 * If we snatch the certificate before the 609 * server certificate has been signed by its 610 * server, it will be self signed. When it is, 611 * we chase the certificate issuer, which the 612 * server has, and keep going until a self 613 * signed trusted certificate is found. Be sure 614 * to update the issuer field, since it may 615 * change. 616 */ 617 if (peer->issuer != NULL) 618 free(peer->issuer); 619 peer->issuer = emalloc(strlen(cinfo->issuer) + 620 1); 621 strcpy(peer->issuer, cinfo->issuer); 622 623 /* 624 * We plug in the public key and lifetime from 625 * the first certificate received. However, note 626 * that this certificate might not be signed by 627 * the server, so we can't check the 628 * signature/digest NID. 629 */ 630 if (peer->pkey == NULL) { 631 ptr = (u_char *)cinfo->cert.ptr; 632 cert = d2i_X509(NULL, &ptr, 633 ntohl(cinfo->cert.vallen)); 634 peer->pkey = X509_get_pubkey(cert); 635 X509_free(cert); 636 } 637 peer->flash &= ~TEST8; 638 temp32 = cinfo->nid; 639 snprintf(statstr, NTP_MAXSTRLEN, 640 "cert %s 0x%x %s (%u) fs %u", 641 cinfo->subject, cinfo->flags, 642 OBJ_nid2ln(temp32), temp32, 643 ntohl(ep->fstamp)); 644 record_crypto_stats(&peer->srcadr, statstr); 645#ifdef DEBUG 646 if (debug) 647 printf("crypto_recv: %s\n", statstr); 648#endif 649 break; 650 651 /* 652 * Schnorr (IFF)identity scheme. This scheme is designed 653 * for use with shared secret group keys and where the 654 * certificate may be generated by a third party. The 655 * client sends a challenge to the server, which 656 * performs a calculation and returns the result. A 657 * positive result is possible only if both client and 658 * server contain the same secret group key. 659 */ 660 case CRYPTO_IFF | CRYPTO_RESP: 661 662 /* 663 * Discard the message if invalid or certificate 664 * trail not trusted. 665 */ 666 if (!(peer->crypto & CRYPTO_FLAG_VALID)) { 667 rval = XEVNT_ERR; 668 break; 669 } 670 if ((rval = crypto_verify(ep, NULL, peer)) != 671 XEVNT_OK) 672 break; 673 674 /* 675 * If the the challenge matches the response, 676 * the certificate public key, as well as the 677 * server public key, signatyre and identity are 678 * all verified at the same time. The server is 679 * declared trusted, so we skip further 680 * certificate stages and move immediately to 681 * the cookie stage. 682 */ 683 if ((rval = crypto_iff(ep, peer)) != XEVNT_OK) 684 break; 685 686 peer->crypto |= CRYPTO_FLAG_VRFY | 687 CRYPTO_FLAG_PROV; 688 peer->flash &= ~TEST8; 689 snprintf(statstr, NTP_MAXSTRLEN, "iff fs %u", 690 ntohl(ep->fstamp)); 691 record_crypto_stats(&peer->srcadr, statstr); 692#ifdef DEBUG 693 if (debug) 694 printf("crypto_recv: %s\n", statstr); 695#endif 696 break; 697 698 /* 699 * Guillou-Quisquater (GQ) identity scheme. This scheme 700 * is designed for use with public certificates carrying 701 * the GQ public key in an extension field. The client 702 * sends a challenge to the server, which performs a 703 * calculation and returns the result. A positive result 704 * is possible only if both client and server contain 705 * the same group key and the server has the matching GQ 706 * private key. 707 */ 708 case CRYPTO_GQ | CRYPTO_RESP: 709 710 /* 711 * Discard the message if invalid or certificate 712 * trail not trusted. 713 */ 714 if (!(peer->crypto & CRYPTO_FLAG_VALID)) { 715 rval = XEVNT_ERR; 716 break; 717 } 718 if ((rval = crypto_verify(ep, NULL, peer)) != 719 XEVNT_OK) 720 break; 721 722 /* 723 * If the the challenge matches the response, 724 * the certificate public key, as well as the 725 * server public key, signatyre and identity are 726 * all verified at the same time. The server is 727 * declared trusted, so we skip further 728 * certificate stages and move immediately to 729 * the cookie stage. 730 */ 731 if ((rval = crypto_gq(ep, peer)) != XEVNT_OK) 732 break; 733 734 peer->crypto |= CRYPTO_FLAG_VRFY | 735 CRYPTO_FLAG_PROV; 736 peer->flash &= ~TEST8; 737 snprintf(statstr, NTP_MAXSTRLEN, "gq fs %u", 738 ntohl(ep->fstamp)); 739 record_crypto_stats(&peer->srcadr, statstr); 740#ifdef DEBUG 741 if (debug) 742 printf("crypto_recv: %s\n", statstr); 743#endif 744 break; 745 746 /* 747 * MV 748 */ 749 case CRYPTO_MV | CRYPTO_RESP: 750 751 /* 752 * Discard the message if invalid or certificate 753 * trail not trusted. 754 */ 755 if (!(peer->crypto & CRYPTO_FLAG_VALID)) { 756 rval = XEVNT_ERR; 757 break; 758 } 759 if ((rval = crypto_verify(ep, NULL, peer)) != 760 XEVNT_OK) 761 break; 762 763 /* 764 * If the the challenge matches the response, 765 * the certificate public key, as well as the 766 * server public key, signatyre and identity are 767 * all verified at the same time. The server is 768 * declared trusted, so we skip further 769 * certificate stages and move immediately to 770 * the cookie stage. 771 */ 772 if ((rval = crypto_mv(ep, peer)) != XEVNT_OK) 773 break; 774 775 peer->crypto |= CRYPTO_FLAG_VRFY | 776 CRYPTO_FLAG_PROV; 777 peer->flash &= ~TEST8; 778 snprintf(statstr, NTP_MAXSTRLEN, "mv fs %u", 779 ntohl(ep->fstamp)); 780 record_crypto_stats(&peer->srcadr, statstr); 781#ifdef DEBUG 782 if (debug) 783 printf("crypto_recv: %s\n", statstr); 784#endif 785 break; 786 787 /* 788 * Cookie request in symmetric modes. Roll a random 789 * cookie and install in symmetric mode. Encrypt for the 790 * response, which is transmitted later. 791 */ 792 case CRYPTO_COOK: 793 794 /* 795 * Discard the message if invalid or certificate 796 * trail not trusted. 797 */ 798 if (!(peer->crypto & CRYPTO_FLAG_VALID)) { 799 rval = XEVNT_ERR; 800 break; 801 } 802 if ((rval = crypto_verify(ep, NULL, peer)) != 803 XEVNT_OK) 804 break; 805 806 /* 807 * Pass the extension field to the transmit 808 * side. If already agreed, walk away. 809 */ 810 fp = emalloc(len); 811 memcpy(fp, ep, len); 812 temp32 = CRYPTO_RESP; 813 fp->opcode |= htonl(temp32); 814 peer->cmmd = fp; 815 if (peer->crypto & CRYPTO_FLAG_AGREE) { 816 peer->flash &= ~TEST8; 817 break; 818 } 819 820 /* 821 * Install cookie values and light the cookie 822 * bit. The transmit side will pick up and 823 * encrypt it for the response. 824 */ 825 key_expire(peer); 826 peer->cookval.tstamp = ep->tstamp; 827 peer->cookval.fstamp = ep->fstamp; 828 RAND_bytes((u_char *)&peer->pcookie, 4); 829 peer->crypto &= ~CRYPTO_FLAG_AUTO; 830 peer->crypto |= CRYPTO_FLAG_AGREE; 831 peer->flash &= ~TEST8; 832 snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u", 833 peer->pcookie, ntohl(ep->tstamp), 834 ntohl(ep->fstamp)); 835 record_crypto_stats(&peer->srcadr, statstr); 836#ifdef DEBUG 837 if (debug) 838 printf("crypto_recv: %s\n", statstr); 839#endif 840 break; 841 842 /* 843 * Cookie response in client and symmetric modes. If the 844 * cookie bit is set, the working cookie is the EXOR of 845 * the current and new values. 846 */ 847 case CRYPTO_COOK | CRYPTO_RESP: 848 849 /* 850 * Discard the message if invalid or identity 851 * not confirmed or signature not verified with 852 * respect to the cookie values. 853 */ 854 if (!(peer->crypto & CRYPTO_FLAG_VRFY)) { 855 rval = XEVNT_ERR; 856 break; 857 } 858 if ((rval = crypto_verify(ep, &peer->cookval, 859 peer)) != XEVNT_OK) 860 break; 861 862 /* 863 * Decrypt the cookie, hunting all the time for 864 * errors. 865 */ 866 if (vallen == (u_int) EVP_PKEY_size(host_pkey)) { 867 RSA_private_decrypt(vallen, 868 (u_char *)ep->pkt, 869 (u_char *)&temp32, 870 host_pkey->pkey.rsa, 871 RSA_PKCS1_OAEP_PADDING); 872 cookie = ntohl(temp32); 873 } else { 874 rval = XEVNT_CKY; 875 break; 876 } 877 878 /* 879 * Install cookie values and light the cookie 880 * bit. If this is not broadcast client mode, we 881 * are done here. 882 */ 883 key_expire(peer); 884 peer->cookval.tstamp = ep->tstamp; 885 peer->cookval.fstamp = ep->fstamp; 886 if (peer->crypto & CRYPTO_FLAG_AGREE) 887 peer->pcookie ^= cookie; 888 else 889 peer->pcookie = cookie; 890 if (peer->hmode == MODE_CLIENT && 891 !(peer->cast_flags & MDF_BCLNT)) 892 peer->crypto |= CRYPTO_FLAG_AUTO; 893 else 894 peer->crypto &= ~CRYPTO_FLAG_AUTO; 895 peer->crypto |= CRYPTO_FLAG_AGREE; 896 peer->flash &= ~TEST8; 897 snprintf(statstr, NTP_MAXSTRLEN, "cook %x ts %u fs %u", 898 peer->pcookie, ntohl(ep->tstamp), 899 ntohl(ep->fstamp)); 900 record_crypto_stats(&peer->srcadr, statstr); 901#ifdef DEBUG 902 if (debug) 903 printf("crypto_recv: %s\n", statstr); 904#endif 905 break; 906 907 /* 908 * Install autokey values in broadcast client and 909 * symmetric modes. We have to do this every time the 910 * sever/peer cookie changes or a new keylist is 911 * rolled. Ordinarily, this is automatic as this message 912 * is piggybacked on the first NTP packet sent upon 913 * either of these events. Note that a broadcast client 914 * or symmetric peer can receive this response without a 915 * matching request. 916 */ 917 case CRYPTO_AUTO | CRYPTO_RESP: 918 919 /* 920 * Discard the message if invalid or identity 921 * not confirmed or signature not verified with 922 * respect to the receive autokey values. 923 */ 924 if (!(peer->crypto & CRYPTO_FLAG_VRFY)) { 925 rval = XEVNT_ERR; 926 break; 927 } 928 if ((rval = crypto_verify(ep, &peer->recval, 929 peer)) != XEVNT_OK) 930 break; 931 932 /* 933 * Install autokey values and light the 934 * autokey bit. This is not hard. 935 */ 936 if (peer->recval.ptr == NULL) 937 peer->recval.ptr = 938 emalloc(sizeof(struct autokey)); 939 bp = (struct autokey *)peer->recval.ptr; 940 peer->recval.tstamp = ep->tstamp; 941 peer->recval.fstamp = ep->fstamp; 942 ap = (struct autokey *)ep->pkt; 943 bp->seq = ntohl(ap->seq); 944 bp->key = ntohl(ap->key); 945 peer->pkeyid = bp->key; 946 peer->crypto |= CRYPTO_FLAG_AUTO; 947 peer->flash &= ~TEST8; 948 snprintf(statstr, NTP_MAXSTRLEN, 949 "auto seq %d key %x ts %u fs %u", bp->seq, 950 bp->key, ntohl(ep->tstamp), 951 ntohl(ep->fstamp)); 952 record_crypto_stats(&peer->srcadr, statstr); 953#ifdef DEBUG 954 if (debug) 955 printf("crypto_recv: %s\n", statstr); 956#endif 957 break; 958 959 /* 960 * X509 certificate sign response. Validate the 961 * certificate signed by the server and install. Later 962 * this can be provided to clients of this server in 963 * lieu of the self signed certificate in order to 964 * validate the public key. 965 */ 966 case CRYPTO_SIGN | CRYPTO_RESP: 967 968 /* 969 * Discard the message if invalid or not 970 * proventic. 971 */ 972 if (!(peer->crypto & CRYPTO_FLAG_PROV)) { 973 rval = XEVNT_ERR; 974 break; 975 } 976 if ((rval = crypto_verify(ep, NULL, peer)) != 977 XEVNT_OK) 978 break; 979 980 /* 981 * Scan the certificate list to delete old 982 * versions and link the newest version first on 983 * the list. 984 */ 985 if ((rval = cert_install(ep, peer)) != XEVNT_OK) 986 break; 987 988 peer->crypto |= CRYPTO_FLAG_SIGN; 989 peer->flash &= ~TEST8; 990 temp32 = cinfo->nid; 991 snprintf(statstr, NTP_MAXSTRLEN, 992 "sign %s 0x%x %s (%u) fs %u", 993 cinfo->issuer, cinfo->flags, 994 OBJ_nid2ln(temp32), temp32, 995 ntohl(ep->fstamp)); 996 record_crypto_stats(&peer->srcadr, statstr); 997#ifdef DEBUG 998 if (debug) 999 printf("crypto_recv: %s\n", statstr); 1000#endif 1001 break; 1002 1003 /* 1004 * Install leapseconds table in symmetric modes. This 1005 * table is proventicated to the NIST primary servers, 1006 * either by copying the file containing the table from 1007 * a NIST server to a trusted server or directly using 1008 * this protocol. While the entire table is installed at 1009 * the server, presently only the current TAI offset is 1010 * provided via the kernel to other applications. 1011 */ 1012 case CRYPTO_TAI: 1013 1014 /* 1015 * Discard the message if invalid. 1016 */ 1017 if ((rval = crypto_verify(ep, NULL, peer)) != 1018 XEVNT_OK) 1019 break; 1020 1021 /* 1022 * Pass the extension field to the transmit 1023 * side. Continue below if a leapseconds table 1024 * accompanies the message. 1025 */ 1026 fp = emalloc(len); 1027 memcpy(fp, ep, len); 1028 temp32 = CRYPTO_RESP; 1029 fp->opcode |= htonl(temp32); 1030 peer->cmmd = fp; 1031 if (len <= VALUE_LEN) { 1032 peer->flash &= ~TEST8; 1033 break; 1034 } 1035 /* fall through */ 1036 1037 case CRYPTO_TAI | CRYPTO_RESP: 1038 1039 /* 1040 * If this is a response, discard the message if 1041 * signature not verified with respect to the 1042 * leapsecond table values. 1043 */ 1044 if (peer->cmmd == NULL) { 1045 if ((rval = crypto_verify(ep, 1046 &peer->tai_leap, peer)) != XEVNT_OK) 1047 break; 1048 } 1049 1050 /* 1051 * Initialize peer variables with latest update. 1052 */ 1053 peer->tai_leap.tstamp = ep->tstamp; 1054 peer->tai_leap.fstamp = ep->fstamp; 1055 peer->tai_leap.vallen = ep->vallen; 1056 1057 /* 1058 * Install the new table if there is no stored 1059 * table or the new table is more recent than 1060 * the stored table. Since a filestamp may have 1061 * changed, recompute the signatures. 1062 */ 1063 if (ntohl(peer->tai_leap.fstamp) > 1064 ntohl(tai_leap.fstamp)) { 1065 tai_leap.fstamp = ep->fstamp; 1066 tai_leap.vallen = ep->vallen; 1067 if (tai_leap.ptr != NULL) 1068 free(tai_leap.ptr); 1069 tai_leap.ptr = emalloc(vallen); 1070 memcpy(tai_leap.ptr, ep->pkt, vallen); 1071 crypto_update(); 1072 } 1073 crypto_flags |= CRYPTO_FLAG_TAI; 1074 peer->crypto |= CRYPTO_FLAG_LEAP; 1075 peer->flash &= ~TEST8; 1076 snprintf(statstr, NTP_MAXSTRLEN, 1077 "leap %u ts %u fs %u", vallen, 1078 ntohl(ep->tstamp), ntohl(ep->fstamp)); 1079 record_crypto_stats(&peer->srcadr, statstr); 1080#ifdef DEBUG 1081 if (debug) 1082 printf("crypto_recv: %s\n", statstr); 1083#endif 1084 break; 1085 1086 /* 1087 * We come here in symmetric modes for miscellaneous 1088 * commands that have value fields but are processed on 1089 * the transmit side. All we need do here is check for 1090 * valid field length. Remaining checks are below and on 1091 * the transmit side. 1092 */ 1093 case CRYPTO_CERT: 1094 case CRYPTO_IFF: 1095 case CRYPTO_GQ: 1096 case CRYPTO_MV: 1097 case CRYPTO_SIGN: 1098 if (len < VALUE_LEN) { 1099 rval = XEVNT_LEN; 1100 break; 1101 } 1102 /* fall through */ 1103 1104 /* 1105 * We come here for miscellaneous requests and unknown 1106 * requests and responses. If an unknown response or 1107 * error, forget it. If a request, save the extension 1108 * field for later. Unknown requests will be caught on 1109 * the transmit side. 1110 */ 1111 default: 1112 if (code & (CRYPTO_RESP | CRYPTO_ERROR)) { 1113 rval = XEVNT_ERR; 1114 } else if ((rval = crypto_verify(ep, NULL, 1115 peer)) == XEVNT_OK) { 1116 fp = emalloc(len); 1117 memcpy(fp, ep, len); 1118 temp32 = CRYPTO_RESP; 1119 fp->opcode |= htonl(temp32); 1120 peer->cmmd = fp; 1121 } 1122 } 1123 1124 /* 1125 * We don't log length/format/timestamp errors and 1126 * duplicates, which are log clogging vulnerabilities. 1127 * The first error found terminates the extension field 1128 * scan and we return the laundry to the caller. A 1129 * length/format/timestamp error on transmit is 1130 * cheerfully ignored, as the message is not sent. 1131 */ 1132 if (rval > XEVNT_TSP) { 1133 snprintf(statstr, NTP_MAXSTRLEN, 1134 "error %x opcode %x ts %u fs %u", rval, 1135 code, tstamp, fstamp); 1136 record_crypto_stats(&peer->srcadr, statstr); 1137 report_event(rval, peer); 1138#ifdef DEBUG 1139 if (debug) 1140 printf("crypto_recv: %s\n", statstr); 1141#endif 1142 break; 1143 1144 } else if (rval > XEVNT_OK && (code & CRYPTO_RESP)) { 1145 rval = XEVNT_OK; 1146 } 1147 authlen += len; 1148 } 1149 return (rval); 1150} 1151 1152 1153/* 1154 * crypto_xmit - construct extension fields 1155 * 1156 * This routine is called both when an association is configured and 1157 * when one is not. The only case where this matters is to retrieve the 1158 * autokey information, in which case the caller has to provide the 1159 * association ID to match the association. 1160 * 1161 * Returns length of extension field. 1162 */ 1163int 1164crypto_xmit( 1165 struct pkt *xpkt, /* transmit packet pointer */ 1166 struct sockaddr_storage *srcadr_sin, /* active runway */ 1167 int start, /* offset to extension field */ 1168 struct exten *ep, /* extension pointer */ 1169 keyid_t cookie /* session cookie */ 1170 ) 1171{ 1172 u_int32 *pkt; /* packet pointer */ 1173 struct peer *peer; /* peer structure pointer */ 1174 u_int opcode; /* extension field opcode */ 1175 struct exten *fp; /* extension pointers */ 1176 struct cert_info *cp, *xp; /* certificate info/value pointer */ 1177 char certname[MAXHOSTNAME + 1]; /* subject name buffer */ 1178 char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ 1179 tstamp_t tstamp; 1180 u_int vallen; 1181 u_int len; 1182 struct value vtemp; 1183 associd_t associd; 1184 int rval; 1185 keyid_t tcookie; 1186 1187 /* 1188 * Generate the requested extension field request code, length 1189 * and association ID. If this is a response and the host is not 1190 * synchronized, light the error bit and go home. 1191 */ 1192 pkt = (u_int32 *)xpkt + start / 4; 1193 fp = (struct exten *)pkt; 1194 opcode = ntohl(ep->opcode); 1195 associd = (associd_t) ntohl(ep->associd); 1196 fp->associd = htonl(associd); 1197 len = 8; 1198 rval = XEVNT_OK; 1199 tstamp = crypto_time(); 1200 switch (opcode & 0xffff0000) { 1201 1202 /* 1203 * Send association request and response with status word and 1204 * host name. Note, this message is not signed and the filestamp 1205 * contains only the status word. 1206 */ 1207 case CRYPTO_ASSOC | CRYPTO_RESP: 1208 len += crypto_send(fp, &hostval); 1209 fp->fstamp = htonl(crypto_flags); 1210 break; 1211 1212 case CRYPTO_ASSOC: 1213 len += crypto_send(fp, &hostval); 1214 fp->fstamp = htonl(crypto_flags | ident_scheme); 1215 break; 1216 1217 /* 1218 * Send certificate request. Use the values from the extension 1219 * field. 1220 */ 1221 case CRYPTO_CERT: 1222 memset(&vtemp, 0, sizeof(vtemp)); 1223 vtemp.tstamp = ep->tstamp; 1224 vtemp.fstamp = ep->fstamp; 1225 vtemp.vallen = ep->vallen; 1226 vtemp.ptr = (u_char *)ep->pkt; 1227 len += crypto_send(fp, &vtemp); 1228 break; 1229 1230 /* 1231 * Send certificate response or sign request. Use the values 1232 * from the certificate cache. If the request contains no 1233 * subject name, assume the name of this host. This is for 1234 * backwards compatibility. Private certificates are never sent. 1235 */ 1236 case CRYPTO_SIGN: 1237 case CRYPTO_CERT | CRYPTO_RESP: 1238 vallen = ntohl(ep->vallen); 1239 if (vallen == 8) { 1240 strcpy(certname, sys_hostname); 1241 } else if (vallen == 0 || vallen > MAXHOSTNAME) { 1242 rval = XEVNT_LEN; 1243 break; 1244 1245 } else { 1246 memcpy(certname, ep->pkt, vallen); 1247 certname[vallen] = '\0'; 1248 } 1249 1250 /* 1251 * Find all certificates with matching subject. If a 1252 * self-signed, trusted certificate is found, use that. 1253 * If not, use the first one with matching subject. A 1254 * private certificate is never divulged or signed. 1255 */ 1256 xp = NULL; 1257 for (cp = cinfo; cp != NULL; cp = cp->link) { 1258 if (cp->flags & CERT_PRIV) 1259 continue; 1260 1261 if (strcmp(certname, cp->subject) == 0) { 1262 if (xp == NULL) 1263 xp = cp; 1264 if (strcmp(certname, cp->issuer) == 1265 0 && cp->flags & CERT_TRUST) { 1266 xp = cp; 1267 break; 1268 } 1269 } 1270 } 1271 1272 /* 1273 * Be careful who you trust. If not yet synchronized, 1274 * give back an empty response. If certificate not found 1275 * or beyond the lifetime, return an error. This is to 1276 * avoid a bad dude trying to get an expired certificate 1277 * re-signed. Otherwise, send it. 1278 * 1279 * Note the timestamp and filestamp are taken from the 1280 * certificate value structure. For all certificates the 1281 * timestamp is the latest signature update time. For 1282 * host and imported certificates the filestamp is the 1283 * creation epoch. For signed certificates the filestamp 1284 * is the creation epoch of the trusted certificate at 1285 * the base of the certificate trail. In principle, this 1286 * allows strong checking for signature masquerade. 1287 */ 1288 if (tstamp == 0) 1289 break; 1290 1291 if (xp == NULL) 1292 rval = XEVNT_CRT; 1293 else if (tstamp < xp->first || tstamp > xp->last) 1294 rval = XEVNT_SRV; 1295 else 1296 len += crypto_send(fp, &xp->cert); 1297 break; 1298 1299 /* 1300 * Send challenge in Schnorr (IFF) identity scheme. 1301 */ 1302 case CRYPTO_IFF: 1303 if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) { 1304 rval = XEVNT_ERR; 1305 break; 1306 } 1307 if ((rval = crypto_alice(peer, &vtemp)) == XEVNT_OK) { 1308 len += crypto_send(fp, &vtemp); 1309 value_free(&vtemp); 1310 } 1311 break; 1312 1313 /* 1314 * Send response in Schnorr (IFF) identity scheme. 1315 */ 1316 case CRYPTO_IFF | CRYPTO_RESP: 1317 if ((rval = crypto_bob(ep, &vtemp)) == XEVNT_OK) { 1318 len += crypto_send(fp, &vtemp); 1319 value_free(&vtemp); 1320 } 1321 break; 1322 1323 /* 1324 * Send challenge in Guillou-Quisquater (GQ) identity scheme. 1325 */ 1326 case CRYPTO_GQ: 1327 if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) { 1328 rval = XEVNT_ERR; 1329 break; 1330 } 1331 if ((rval = crypto_alice2(peer, &vtemp)) == XEVNT_OK) { 1332 len += crypto_send(fp, &vtemp); 1333 value_free(&vtemp); 1334 } 1335 break; 1336 1337 /* 1338 * Send response in Guillou-Quisquater (GQ) identity scheme. 1339 */ 1340 case CRYPTO_GQ | CRYPTO_RESP: 1341 if ((rval = crypto_bob2(ep, &vtemp)) == XEVNT_OK) { 1342 len += crypto_send(fp, &vtemp); 1343 value_free(&vtemp); 1344 } 1345 break; 1346 1347 /* 1348 * Send challenge in MV identity scheme. 1349 */ 1350 case CRYPTO_MV: 1351 if ((peer = findpeerbyassoc(ep->pkt[0])) == NULL) { 1352 rval = XEVNT_ERR; 1353 break; 1354 } 1355 if ((rval = crypto_alice3(peer, &vtemp)) == XEVNT_OK) { 1356 len += crypto_send(fp, &vtemp); 1357 value_free(&vtemp); 1358 } 1359 break; 1360 1361 /* 1362 * Send response in MV identity scheme. 1363 */ 1364 case CRYPTO_MV | CRYPTO_RESP: 1365 if ((rval = crypto_bob3(ep, &vtemp)) == XEVNT_OK) { 1366 len += crypto_send(fp, &vtemp); 1367 value_free(&vtemp); 1368 } 1369 break; 1370 1371 /* 1372 * Send certificate sign response. The integrity of the request 1373 * certificate has already been verified on the receive side. 1374 * Sign the response using the local server key. Use the 1375 * filestamp from the request and use the timestamp as the 1376 * current time. Light the error bit if the certificate is 1377 * invalid or contains an unverified signature. 1378 */ 1379 case CRYPTO_SIGN | CRYPTO_RESP: 1380 if ((rval = cert_sign(ep, &vtemp)) == XEVNT_OK) 1381 len += crypto_send(fp, &vtemp); 1382 value_free(&vtemp); 1383 break; 1384 1385 /* 1386 * Send public key and signature. Use the values from the public 1387 * key. 1388 */ 1389 case CRYPTO_COOK: 1390 len += crypto_send(fp, &pubkey); 1391 break; 1392 1393 /* 1394 * Encrypt and send cookie and signature. Light the error bit if 1395 * anything goes wrong. 1396 */ 1397 case CRYPTO_COOK | CRYPTO_RESP: 1398 if ((opcode & 0xffff) < VALUE_LEN) { 1399 rval = XEVNT_LEN; 1400 break; 1401 } 1402 if (PKT_MODE(xpkt->li_vn_mode) == MODE_SERVER) { 1403 tcookie = cookie; 1404 } else { 1405 if ((peer = findpeerbyassoc(associd)) == NULL) { 1406 rval = XEVNT_ERR; 1407 break; 1408 } 1409 tcookie = peer->pcookie; 1410 } 1411 if ((rval = crypto_encrypt(ep, &vtemp, &tcookie)) == 1412 XEVNT_OK) 1413 len += crypto_send(fp, &vtemp); 1414 value_free(&vtemp); 1415 break; 1416 1417 /* 1418 * Find peer and send autokey data and signature in broadcast 1419 * server and symmetric modes. Use the values in the autokey 1420 * structure. If no association is found, either the server has 1421 * restarted with new associations or some perp has replayed an 1422 * old message, in which case light the error bit. 1423 */ 1424 case CRYPTO_AUTO | CRYPTO_RESP: 1425 if ((peer = findpeerbyassoc(associd)) == NULL) { 1426 rval = XEVNT_ERR; 1427 break; 1428 } 1429 peer->flags &= ~FLAG_ASSOC; 1430 len += crypto_send(fp, &peer->sndval); 1431 break; 1432 1433 /* 1434 * Send leapseconds table and signature. Use the values from the 1435 * tai structure. If no table has been loaded, just send an 1436 * empty request. 1437 */ 1438 case CRYPTO_TAI: 1439 case CRYPTO_TAI | CRYPTO_RESP: 1440 if (crypto_flags & CRYPTO_FLAG_TAI) 1441 len += crypto_send(fp, &tai_leap); 1442 break; 1443 1444 /* 1445 * Default - Fall through for requests; for unknown responses, 1446 * flag as error. 1447 */ 1448 default: 1449 if (opcode & CRYPTO_RESP) 1450 rval = XEVNT_ERR; 1451 } 1452 1453 /* 1454 * In case of error, flame the log. If a request, toss the 1455 * puppy; if a response, return so the sender can flame, too. 1456 */ 1457 if (rval != XEVNT_OK) { 1458 opcode |= CRYPTO_ERROR; 1459 snprintf(statstr, NTP_MAXSTRLEN, 1460 "error %x opcode %x", rval, opcode); 1461 record_crypto_stats(srcadr_sin, statstr); 1462 report_event(rval, NULL); 1463#ifdef DEBUG 1464 if (debug) 1465 printf("crypto_xmit: %s\n", statstr); 1466#endif 1467 if (!(opcode & CRYPTO_RESP)) 1468 return (0); 1469 } 1470 1471 /* 1472 * Round up the field length to a multiple of 8 bytes and save 1473 * the request code and length. 1474 */ 1475 len = ((len + 7) / 8) * 8; 1476 fp->opcode = htonl((opcode & 0xffff0000) | len); 1477#ifdef DEBUG 1478 if (debug) 1479 printf( 1480 "crypto_xmit: flags 0x%x ext offset %d len %u code 0x%x assocID %d\n", 1481 crypto_flags, start, len, opcode >> 16, associd); 1482#endif 1483 return (len); 1484} 1485 1486 1487/* 1488 * crypto_verify - parse and verify the extension field and value 1489 * 1490 * Returns 1491 * XEVNT_OK success 1492 * XEVNT_LEN bad field format or length 1493 * XEVNT_TSP bad timestamp 1494 * XEVNT_FSP bad filestamp 1495 * XEVNT_PUB bad or missing public key 1496 * XEVNT_SGL bad signature length 1497 * XEVNT_SIG signature not verified 1498 * XEVNT_ERR protocol error 1499 */ 1500static int 1501crypto_verify( 1502 struct exten *ep, /* extension pointer */ 1503 struct value *vp, /* value pointer */ 1504 struct peer *peer /* peer structure pointer */ 1505 ) 1506{ 1507 EVP_PKEY *pkey; /* server public key */ 1508 EVP_MD_CTX ctx; /* signature context */ 1509 tstamp_t tstamp, tstamp1 = 0; /* timestamp */ 1510 tstamp_t fstamp, fstamp1 = 0; /* filestamp */ 1511 u_int vallen; /* value length */ 1512 u_int siglen; /* signature length */ 1513 u_int opcode, len; 1514 int i; 1515 1516 /* 1517 * We require valid opcode and field lengths, timestamp, 1518 * filestamp, public key, digest, signature length and 1519 * signature, where relevant. Note that preliminary length 1520 * checks are done in the main loop. 1521 */ 1522 len = ntohl(ep->opcode) & 0x0000ffff; 1523 opcode = ntohl(ep->opcode) & 0xffff0000; 1524 1525 /* 1526 * Check for valid operation code and protocol. The opcode must 1527 * not have the error bit set. If a response, it must have a 1528 * value header. If a request and does not contain a value 1529 * header, no need for further checking. 1530 */ 1531 if (opcode & CRYPTO_ERROR) 1532 return (XEVNT_ERR); 1533 1534 if (opcode & CRYPTO_RESP) { 1535 if (len < VALUE_LEN) 1536 return (XEVNT_LEN); 1537 } else { 1538 if (len < VALUE_LEN) 1539 return (XEVNT_OK); 1540 } 1541 1542 /* 1543 * We have a value header. Check for valid field lengths. The 1544 * field length must be long enough to contain the value header, 1545 * value and signature. Note both the value and signature fields 1546 * are rounded up to the next word. 1547 */ 1548 vallen = ntohl(ep->vallen); 1549 i = (vallen + 3) / 4; 1550 siglen = ntohl(ep->pkt[i++]); 1551 if (len < VALUE_LEN + ((vallen + 3) / 4) * 4 + ((siglen + 3) / 1552 4) * 4) 1553 return (XEVNT_LEN); 1554 1555 /* 1556 * Punt if this is a response with no data. Punt if this is a 1557 * request and a previous response is pending. 1558 */ 1559 if (opcode & CRYPTO_RESP) { 1560 if (vallen == 0) 1561 return (XEVNT_LEN); 1562 } else { 1563 if (peer->cmmd != NULL) 1564 return (XEVNT_LEN); 1565 } 1566 1567 /* 1568 * Check for valid timestamp and filestamp. If the timestamp is 1569 * zero, the sender is not synchronized and signatures are 1570 * disregarded. If not, the timestamp must not precede the 1571 * filestamp. The timestamp and filestamp must not precede the 1572 * corresponding values in the value structure, if present. Once 1573 * the autokey values have been installed, the timestamp must 1574 * always be later than the corresponding value in the value 1575 * structure. Duplicate timestamps are illegal once the cookie 1576 * has been validated. 1577 */ 1578 tstamp = ntohl(ep->tstamp); 1579 fstamp = ntohl(ep->fstamp); 1580 if (tstamp == 0) 1581 return (XEVNT_OK); 1582 1583 if (tstamp < fstamp) 1584 return (XEVNT_TSP); 1585 1586 if (vp != NULL) { 1587 tstamp1 = ntohl(vp->tstamp); 1588 fstamp1 = ntohl(vp->fstamp); 1589 if ((tstamp < tstamp1 || (tstamp == tstamp1 && 1590 (peer->crypto & CRYPTO_FLAG_AUTO)))) 1591 return (XEVNT_TSP); 1592 1593 if ((tstamp < fstamp1 || fstamp < fstamp1)) 1594 return (XEVNT_FSP); 1595 } 1596 1597 /* 1598 * Check for valid signature length, public key and digest 1599 * algorithm. 1600 */ 1601 if (crypto_flags & peer->crypto & CRYPTO_FLAG_PRIV) 1602 pkey = sign_pkey; 1603 else 1604 pkey = peer->pkey; 1605 if (siglen == 0 || pkey == NULL || peer->digest == NULL) 1606 return (XEVNT_OK); 1607 1608 if (siglen != (u_int)EVP_PKEY_size(pkey)) 1609 return (XEVNT_SGL); 1610 1611 /* 1612 * Darn, I thought we would never get here. Verify the 1613 * signature. If the identity exchange is verified, light the 1614 * proventic bit. If no client identity scheme is specified, 1615 * avoid doing the sign exchange. 1616 */ 1617 EVP_VerifyInit(&ctx, peer->digest); 1618 EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12); 1619 if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0) 1620 return (XEVNT_SIG); 1621 1622 if (peer->crypto & CRYPTO_FLAG_VRFY) { 1623 peer->crypto |= CRYPTO_FLAG_PROV; 1624 if (!(crypto_flags & CRYPTO_FLAG_MASK)) 1625 peer->crypto |= CRYPTO_FLAG_SIGN; 1626 } 1627 return (XEVNT_OK); 1628} 1629 1630 1631/* 1632 * crypto_encrypt - construct encrypted cookie and signature from 1633 * extension field and cookie 1634 * 1635 * Returns 1636 * XEVNT_OK success 1637 * XEVNT_PUB bad or missing public key 1638 * XEVNT_CKY bad or missing cookie 1639 * XEVNT_PER host certificate expired 1640 */ 1641static int 1642crypto_encrypt( 1643 struct exten *ep, /* extension pointer */ 1644 struct value *vp, /* value pointer */ 1645 keyid_t *cookie /* server cookie */ 1646 ) 1647{ 1648 EVP_PKEY *pkey; /* public key */ 1649 EVP_MD_CTX ctx; /* signature context */ 1650 tstamp_t tstamp; /* NTP timestamp */ 1651 u_int32 temp32; 1652 u_int len; 1653 u_char *ptr; 1654 1655 /* 1656 * Extract the public key from the request. 1657 */ 1658 len = ntohl(ep->vallen); 1659 ptr = (u_char *)ep->pkt; 1660 pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len); 1661 if (pkey == NULL) { 1662 msyslog(LOG_ERR, "crypto_encrypt %s\n", 1663 ERR_error_string(ERR_get_error(), NULL)); 1664 return (XEVNT_PUB); 1665 } 1666 1667 /* 1668 * Encrypt the cookie, encode in ASN.1 and sign. 1669 */ 1670 tstamp = crypto_time(); 1671 memset(vp, 0, sizeof(struct value)); 1672 vp->tstamp = htonl(tstamp); 1673 vp->fstamp = hostval.tstamp; 1674 len = EVP_PKEY_size(pkey); 1675 vp->vallen = htonl(len); 1676 vp->ptr = emalloc(len); 1677 temp32 = htonl(*cookie); 1678 if (!RSA_public_encrypt(4, (u_char *)&temp32, vp->ptr, 1679 pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING)) { 1680 msyslog(LOG_ERR, "crypto_encrypt %s\n", 1681 ERR_error_string(ERR_get_error(), NULL)); 1682 EVP_PKEY_free(pkey); 1683 return (XEVNT_CKY); 1684 } 1685 EVP_PKEY_free(pkey); 1686 vp->siglen = 0; 1687 if (tstamp == 0) 1688 return (XEVNT_OK); 1689 1690 if (tstamp < cinfo->first || tstamp > cinfo->last) 1691 return (XEVNT_PER); 1692 1693 vp->sig = emalloc(sign_siglen); 1694 EVP_SignInit(&ctx, sign_digest); 1695 EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12); 1696 EVP_SignUpdate(&ctx, vp->ptr, len); 1697 if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) 1698 vp->siglen = htonl(len); 1699 return (XEVNT_OK); 1700} 1701 1702 1703/* 1704 * crypto_ident - construct extension field for identity scheme 1705 * 1706 * This routine determines which identity scheme is in use and 1707 * constructs an extension field for that scheme. 1708 */ 1709u_int 1710crypto_ident( 1711 struct peer *peer /* peer structure pointer */ 1712 ) 1713{ 1714 char filename[MAXFILENAME + 1]; 1715 1716 /* 1717 * If the server identity has already been verified, no further 1718 * action is necessary. Otherwise, try to load the identity file 1719 * of the certificate issuer. If the issuer file is not found, 1720 * try the host file. If nothing found, declare a cryptobust. 1721 * Note we can't get here unless the trusted certificate has 1722 * been found and the CRYPTO_FLAG_VALID bit is set, so the 1723 * certificate issuer is valid. 1724 */ 1725 if (peer->ident_pkey != NULL) 1726 EVP_PKEY_free(peer->ident_pkey); 1727 if (peer->crypto & CRYPTO_FLAG_GQ) { 1728 snprintf(filename, MAXFILENAME, "ntpkey_gq_%s", 1729 peer->issuer); 1730 peer->ident_pkey = crypto_key(filename, &peer->fstamp); 1731 if (peer->ident_pkey != NULL) 1732 return (CRYPTO_GQ); 1733 1734 snprintf(filename, MAXFILENAME, "ntpkey_gq_%s", 1735 sys_hostname); 1736 peer->ident_pkey = crypto_key(filename, &peer->fstamp); 1737 if (peer->ident_pkey != NULL) 1738 return (CRYPTO_GQ); 1739 } 1740 if (peer->crypto & CRYPTO_FLAG_IFF) { 1741 snprintf(filename, MAXFILENAME, "ntpkey_iff_%s", 1742 peer->issuer); 1743 peer->ident_pkey = crypto_key(filename, &peer->fstamp); 1744 if (peer->ident_pkey != NULL) 1745 return (CRYPTO_IFF); 1746 1747 snprintf(filename, MAXFILENAME, "ntpkey_iff_%s", 1748 sys_hostname); 1749 peer->ident_pkey = crypto_key(filename, &peer->fstamp); 1750 if (peer->ident_pkey != NULL) 1751 return (CRYPTO_IFF); 1752 } 1753 if (peer->crypto & CRYPTO_FLAG_MV) { 1754 snprintf(filename, MAXFILENAME, "ntpkey_mv_%s", 1755 peer->issuer); 1756 peer->ident_pkey = crypto_key(filename, &peer->fstamp); 1757 if (peer->ident_pkey != NULL) 1758 return (CRYPTO_MV); 1759 1760 snprintf(filename, MAXFILENAME, "ntpkey_mv_%s", 1761 sys_hostname); 1762 peer->ident_pkey = crypto_key(filename, &peer->fstamp); 1763 if (p…
Large files files are truncated, but you can click here to view the full file