PageRenderTime 92ms CodeModel.GetById 13ms app.highlight 67ms RepoModel.GetById 1ms app.codeStats 0ms

/contrib/ntp/util/ntp-keygen.c

https://bitbucket.org/freebsd/freebsd-head/
C | 1890 lines | 1176 code | 126 blank | 588 comment | 215 complexity | 7a218ffa5338ddea4df3371c6fe5f07b MD5 | raw file

Large files files are truncated, but you can click here to view the full file

   1/*
   2 * Program to generate cryptographic keys for NTP clients and servers
   3 *
   4 * This program generates files "ntpkey_<type>_<hostname>.<filestamp>",
   5 * where <type> is the file type, <hostname> is the generating host and
   6 * <filestamp> is the NTP seconds in decimal format. The NTP programs
   7 * expect generic names such as "ntpkey_<type>_whimsy.udel.edu" with the
   8 * association maintained by soft links.
   9 *
  10 * Files are prefixed with a header giving the name and date of creation
  11 * followed by a type-specific descriptive label and PEM-encoded data
  12 * string compatible with programs of the OpenSSL library.
  13 *
  14 * Note that private keys can be password encrypted as per OpenSSL
  15 * conventions.
  16 *
  17 * The file types include
  18 *
  19 * ntpkey_MD5key_<hostname>.<filestamp>
  20 * 	MD5 (128-bit) keys used to compute message digests in symmetric
  21 *	key cryptography
  22 *
  23 * ntpkey_RSAkey_<hostname>.<filestamp>
  24 * ntpkey_host_<hostname> (RSA) link
  25 *	RSA private/public host key pair used for public key signatures
  26 *	and data encryption
  27 *
  28 * ntpkey_DSAkey_<hostname>.<filestamp>
  29 * ntpkey_sign_<hostname> (RSA or DSA) link
  30 *	DSA private/public sign key pair used for public key signatures,
  31 *	but not data encryption
  32 *
  33 * ntpkey_IFFpar_<hostname>.<filestamp>
  34 * ntpkey_iff_<hostname> (IFF server/client) link
  35 * ntpkey_iffkey_<hostname> (IFF client) link
  36 *	Schnorr (IFF) server/client identity parameters
  37 *
  38 * ntpkey_IFFkey_<hostname>.<filestamp>
  39 *	Schnorr (IFF) client identity parameters
  40 *
  41 * ntpkey_GQpar_<hostname>.<filestamp>,
  42 * ntpkey_gq_<hostname> (GQ) link
  43 *	Guillou-Quisquater (GQ) identity parameters
  44 *
  45 * ntpkey_MVpar_<hostname>.<filestamp>,
  46 *	Mu-Varadharajan (MV) server identity parameters 
  47 *
  48 * ntpkey_MVkeyX_<hostname>.<filestamp>,
  49 * ntpkey_mv_<hostname> (MV server) link
  50 * ntpkey_mvkey_<hostname> (MV client) link
  51 *	Mu-Varadharajan (MV) client identity parameters
  52 *
  53 * ntpkey_XXXcert_<hostname>.<filestamp>
  54 * ntpkey_cert_<hostname> (RSA or DSA) link
  55 *	X509v3 certificate using RSA or DSA public keys and signatures.
  56 *	XXX is a code identifying the message digest and signature
  57 *	encryption algorithm
  58 *
  59 * Available digest/signature schemes
  60 *
  61 * RSA:	RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, EVP-RIPEMD160
  62 * DSA:	DSA-SHA, DSA-SHA1
  63 *
  64 * Note: Once in a while because of some statistical fluke this program
  65 * fails to generate and verify some cryptographic data, as indicated by
  66 * exit status -1. In this case simply run the program again. If the
  67 * program does complete with return code 0, the data are correct as
  68 * verified.
  69 *
  70 * These cryptographic routines are characterized by the prime modulus
  71 * size in bits. The default value of 512 bits is a compromise between
  72 * cryptographic strength and computing time and is ordinarily
  73 * considered adequate for this application. The routines have been
  74 * tested with sizes of 256, 512, 1024 and 2048 bits. Not all message
  75 * digest and signature encryption schemes work with sizes less than 512
  76 * bits. The computing time for sizes greater than 2048 bits is
  77 * prohibitive on all but the fastest processors. An UltraSPARC Blade
  78 * 1000 took something over nine minutes to generate and verify the
  79 * values with size 2048. An old SPARC IPC would take a week.
  80 *
  81 * The OpenSSL library used by this program expects a random seed file.
  82 * As described in the OpenSSL documentation, the file name defaults to
  83 * first the RANDFILE environment variable in the user's home directory
  84 * and then .rnd in the user's home directory.
  85 */
  86#ifdef HAVE_CONFIG_H
  87# include <config.h>
  88#endif
  89#include <string.h>
  90#include <stdio.h>
  91#include <stdlib.h>
  92#include <unistd.h>
  93#include <sys/stat.h>
  94#include <sys/time.h>
  95#if HAVE_SYS_TYPES_H
  96# include <sys/types.h>
  97#endif
  98#include "ntp_types.h"
  99#include "ntp_random.h"
 100#include "l_stdlib.h"
 101
 102#include "ntp-keygen-opts.h"
 103
 104#ifdef SYS_WINNT
 105extern	int	ntp_getopt	P((int, char **, const char *));
 106#define getopt ntp_getopt
 107#define optarg ntp_optarg
 108#endif
 109
 110#ifdef OPENSSL
 111#include "openssl/bn.h"
 112#include "openssl/evp.h"
 113#include "openssl/err.h"
 114#include "openssl/rand.h"
 115#include "openssl/pem.h"
 116#include "openssl/x509v3.h"
 117#include <openssl/objects.h>
 118#endif /* OPENSSL */
 119
 120/*
 121 * Cryptodefines
 122 */
 123#define	MD5KEYS		16	/* number of MD5 keys generated */
 124#define	JAN_1970	ULONG_CONST(2208988800) /* NTP seconds */
 125#define YEAR		((long)60*60*24*365) /* one year in seconds */
 126#define MAXFILENAME	256	/* max file name length */
 127#define MAXHOSTNAME	256	/* max host name length */
 128#ifdef OPENSSL
 129#define	PLEN		512	/* default prime modulus size (bits) */
 130
 131/*
 132 * Strings used in X509v3 extension fields
 133 */
 134#define KEY_USAGE		"digitalSignature,keyCertSign"
 135#define BASIC_CONSTRAINTS	"critical,CA:TRUE"
 136#define EXT_KEY_PRIVATE		"private"
 137#define EXT_KEY_TRUST		"trustRoot"
 138#endif /* OPENSSL */
 139
 140/*
 141 * Prototypes
 142 */
 143FILE	*fheader	P((const char *, const char *));
 144void	fslink		P((const char *, const char *));
 145int	gen_md5		P((char *));
 146#ifdef OPENSSL
 147EVP_PKEY *gen_rsa	P((char *));
 148EVP_PKEY *gen_dsa	P((char *));
 149EVP_PKEY *gen_iff	P((char *));
 150EVP_PKEY *gen_gqpar	P((char *));
 151EVP_PKEY *gen_gqkey	P((char *, EVP_PKEY *));
 152EVP_PKEY *gen_mv	P((char *));
 153int	x509		P((EVP_PKEY *, const EVP_MD *, char *, char *));
 154void	cb		P((int, int, void *));
 155EVP_PKEY *genkey	P((char *, char *));
 156u_long	asn2ntp		P((ASN1_TIME *));
 157#endif /* OPENSSL */
 158
 159/*
 160 * Program variables
 161 */
 162extern char *optarg;		/* command line argument */
 163int	debug = 0;		/* debug, not de bug */
 164int	rval;			/* return status */
 165#ifdef OPENSSL
 166u_int	modulus = PLEN;		/* prime modulus size (bits) */
 167#endif
 168int	nkeys = 0;		/* MV keys */
 169time_t	epoch;			/* Unix epoch (seconds) since 1970 */
 170char	*hostname;		/* host name (subject name) */
 171char	*trustname;		/* trusted host name (issuer name) */
 172char	filename[MAXFILENAME + 1]; /* file name */
 173char	*passwd1 = NULL;	/* input private key password */
 174char	*passwd2 = NULL;	/* output private key password */
 175#ifdef OPENSSL
 176long	d0, d1, d2, d3;		/* callback counters */
 177#endif /* OPENSSL */
 178
 179#ifdef SYS_WINNT
 180BOOL init_randfile();
 181
 182/*
 183 * Don't try to follow symbolic links
 184 */
 185int
 186readlink(char * link, char * file, int len) {
 187	return (-1);
 188}
 189/*
 190 * Don't try to create a symbolic link for now.
 191 * Just move the file to the name you need.
 192 */
 193int
 194symlink(char *filename, char *linkname) {
 195	DeleteFile(linkname);
 196	MoveFile(filename, linkname);
 197	return 0;
 198}
 199void
 200InitWin32Sockets() {
 201	WORD wVersionRequested;
 202	WSADATA wsaData;
 203	wVersionRequested = MAKEWORD(2,0);
 204	if (WSAStartup(wVersionRequested, &wsaData))
 205	{
 206		fprintf(stderr, "No useable winsock.dll");
 207		exit(1);
 208	}
 209}
 210#endif /* SYS_WINNT */
 211
 212/*
 213 * Main program
 214 */
 215int
 216main(
 217	int	argc,		/* command line options */
 218	char	**argv
 219	)
 220{
 221	struct timeval tv;	/* initialization vector */
 222	int	md5key = 0;	/* generate MD5 keys */
 223#ifdef OPENSSL
 224	X509	*cert = NULL;	/* X509 certificate */
 225	EVP_PKEY *pkey_host = NULL; /* host key */
 226	EVP_PKEY *pkey_sign = NULL; /* sign key */
 227	EVP_PKEY *pkey_iff = NULL; /* IFF parameters */
 228	EVP_PKEY *pkey_gq = NULL; /* GQ parameters */
 229	EVP_PKEY *pkey_mv = NULL; /* MV parameters */
 230	int	hostkey = 0;	/* generate RSA keys */
 231	int	iffkey = 0;	/* generate IFF parameters */
 232	int	gqpar = 0;	/* generate GQ parameters */
 233	int	gqkey = 0;	/* update GQ keys */
 234	int	mvpar = 0;	/* generate MV parameters */
 235	int	mvkey = 0;	/* update MV keys */
 236	char	*sign = NULL;	/* sign key */
 237	EVP_PKEY *pkey = NULL;	/* temp key */
 238	const EVP_MD *ectx;	/* EVP digest */
 239	char	pathbuf[MAXFILENAME + 1];
 240	const char *scheme = NULL; /* digest/signature scheme */
 241	char	*exten = NULL;	/* private extension */
 242	char	*grpkey = NULL;	/* identity extension */
 243	int	nid;		/* X509 digest/signature scheme */
 244	FILE	*fstr = NULL;	/* file handle */
 245	u_int	temp;
 246#define iffsw   HAVE_OPT(ID_KEY)
 247#endif /* OPENSSL */
 248	char	hostbuf[MAXHOSTNAME + 1];
 249
 250#ifdef SYS_WINNT
 251	/* Initialize before OpenSSL checks */
 252	InitWin32Sockets();
 253	if(!init_randfile())
 254		fprintf(stderr, "Unable to initialize .rnd file\n");
 255#endif
 256
 257#ifdef OPENSSL
 258	/*
 259	 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
 260	 * We match major, minor, fix and status (not patch)
 261	 */
 262	if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) {
 263		fprintf(stderr,
 264		    "OpenSSL version mismatch. Built against %lx, you have %lx\n",
 265		    OPENSSL_VERSION_NUMBER, SSLeay());
 266		return (-1);
 267
 268	} else {
 269		fprintf(stderr,
 270		    "Using OpenSSL version %lx\n", SSLeay());
 271	}
 272#endif /* OPENSSL */
 273
 274	/*
 275	 * Process options, initialize host name and timestamp.
 276	 */
 277	gethostname(hostbuf, MAXHOSTNAME);
 278	hostname = hostbuf;
 279#ifdef OPENSSL
 280	trustname = hostbuf;
 281	passwd1 = hostbuf;
 282#endif
 283#ifndef SYS_WINNT
 284	gettimeofday(&tv, 0);
 285#else
 286	gettimeofday(&tv);
 287#endif
 288	epoch = tv.tv_sec;
 289	rval = 0;
 290
 291	{
 292		int optct = optionProcess(&ntp_keygenOptions, argc, argv);
 293		argc -= optct;
 294		argv += optct;
 295	}
 296
 297#ifdef OPENSSL
 298	if (HAVE_OPT( CERTIFICATE ))
 299	    scheme = OPT_ARG( CERTIFICATE );
 300#endif
 301
 302	debug = DESC(DEBUG_LEVEL).optOccCt;
 303
 304#ifdef OPENSSL
 305	if (HAVE_OPT( GQ_PARAMS ))
 306	    gqpar++;
 307
 308	if (HAVE_OPT( GQ_KEYS ))
 309	    gqkey++;
 310
 311	if (HAVE_OPT( HOST_KEY ))
 312	    hostkey++;
 313
 314	if (HAVE_OPT( IFFKEY ))
 315	    iffkey++;
 316
 317	if (HAVE_OPT( ISSUER_NAME ))
 318	    trustname = OPT_ARG( ISSUER_NAME );
 319#endif
 320
 321	if (HAVE_OPT( MD5KEY ))
 322	    md5key++;
 323
 324#ifdef OPENSSL
 325	if (HAVE_OPT( MODULUS ))
 326	    modulus = OPT_VALUE_MODULUS;
 327
 328	if (HAVE_OPT( PVT_CERT ))
 329	    exten = EXT_KEY_PRIVATE;
 330
 331	if (HAVE_OPT( PVT_PASSWD ))
 332	    passwd2 = OPT_ARG( PVT_PASSWD );
 333
 334	if (HAVE_OPT( GET_PVT_PASSWD ))
 335	    passwd1 = OPT_ARG( GET_PVT_PASSWD );
 336
 337	if (HAVE_OPT( SIGN_KEY ))
 338	    sign = OPT_ARG( SIGN_KEY );
 339
 340	if (HAVE_OPT( SUBJECT_NAME ))
 341	    hostname = OPT_ARG( SUBJECT_NAME );
 342
 343	if (HAVE_OPT( TRUSTED_CERT ))
 344	    exten = EXT_KEY_TRUST;
 345
 346	if (HAVE_OPT( MV_PARAMS )) {
 347		mvpar++;
 348		nkeys = OPT_VALUE_MV_PARAMS;
 349	}
 350
 351	if (HAVE_OPT( MV_KEYS )) {
 352		mvkey++;
 353		nkeys = OPT_VALUE_MV_KEYS;
 354	}
 355#endif
 356
 357	if (passwd1 != NULL && passwd2 == NULL)
 358		passwd2 = passwd1;
 359#ifdef OPENSSL
 360	/*
 361	 * Seed random number generator and grow weeds.
 362	 */
 363	ERR_load_crypto_strings();
 364	OpenSSL_add_all_algorithms();
 365	if (RAND_file_name(pathbuf, MAXFILENAME) == NULL) {
 366		fprintf(stderr, "RAND_file_name %s\n",
 367		    ERR_error_string(ERR_get_error(), NULL));
 368		return (-1);
 369	}
 370	temp = RAND_load_file(pathbuf, -1);
 371	if (temp == 0) {
 372		fprintf(stderr,
 373		    "RAND_load_file %s not found or empty\n", pathbuf);
 374		return (-1);
 375	}
 376	fprintf(stderr,
 377	    "Random seed file %s %u bytes\n", pathbuf, temp);
 378	RAND_add(&epoch, sizeof(epoch), 4.0);
 379#endif
 380
 381	/*
 382	 * Generate new parameters and keys as requested. These replace
 383	 * any values already generated.
 384	 */
 385	if (md5key)
 386		gen_md5("MD5");
 387#ifdef OPENSSL
 388	if (hostkey)
 389		pkey_host = genkey("RSA", "host");
 390	if (sign != NULL)
 391		pkey_sign = genkey(sign, "sign");
 392	if (iffkey)
 393		pkey_iff = gen_iff("iff");
 394	if (gqpar)
 395		pkey_gq = gen_gqpar("gq");
 396	if (mvpar)
 397		pkey_mv = gen_mv("mv");
 398
 399	/*
 400	 * If there is no new host key, look for an existing one. If not
 401	 * found, create it.
 402	 */
 403	while (pkey_host == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
 404		sprintf(filename, "ntpkey_host_%s", hostname);
 405		if ((fstr = fopen(filename, "r")) != NULL) {
 406			pkey_host = PEM_read_PrivateKey(fstr, NULL,
 407			    NULL, passwd1);
 408			fclose(fstr);
 409			readlink(filename, filename,  sizeof(filename));
 410			if (pkey_host == NULL) {
 411				fprintf(stderr, "Host key\n%s\n",
 412				    ERR_error_string(ERR_get_error(),
 413				    NULL));
 414				rval = -1;
 415			} else {
 416				fprintf(stderr,
 417				    "Using host key %s\n", filename);
 418			}
 419			break;
 420
 421		} else if ((pkey_host = genkey("RSA", "host")) ==
 422		    NULL) {
 423			rval = -1;
 424			break;
 425		}
 426	}
 427
 428	/*
 429	 * If there is no new sign key, look for an existing one. If not
 430	 * found, use the host key instead.
 431	 */
 432	pkey = pkey_sign;
 433	while (pkey_sign == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
 434		sprintf(filename, "ntpkey_sign_%s", hostname);
 435		if ((fstr = fopen(filename, "r")) != NULL) {
 436			pkey_sign = PEM_read_PrivateKey(fstr, NULL,
 437			    NULL, passwd1);
 438			fclose(fstr);
 439			readlink(filename, filename, sizeof(filename));
 440			if (pkey_sign == NULL) {
 441				fprintf(stderr, "Sign key\n%s\n",
 442				    ERR_error_string(ERR_get_error(),
 443				    NULL));
 444				rval = -1;
 445			} else {
 446				fprintf(stderr, "Using sign key %s\n",
 447				    filename);
 448			}
 449			break;
 450		} else {
 451			pkey = pkey_host;
 452			fprintf(stderr, "Using host key as sign key\n");
 453			break;
 454		}
 455	}
 456
 457	/*
 458	 * If there is no new IFF file, look for an existing one.
 459	 */
 460	if (pkey_iff == NULL && rval == 0) {
 461		sprintf(filename, "ntpkey_iff_%s", hostname);
 462		if ((fstr = fopen(filename, "r")) != NULL) {
 463			pkey_iff = PEM_read_PrivateKey(fstr, NULL,
 464			    NULL, passwd1);
 465			fclose(fstr);
 466			readlink(filename, filename, sizeof(filename));
 467			if (pkey_iff == NULL) {
 468				fprintf(stderr, "IFF parameters\n%s\n",
 469				    ERR_error_string(ERR_get_error(),
 470				    NULL));
 471				rval = -1;
 472			} else {
 473				fprintf(stderr,
 474				    "Using IFF parameters %s\n",
 475				    filename);
 476			}
 477		}
 478	}
 479
 480	/*
 481	 * If there is no new GQ file, look for an existing one.
 482	 */
 483	if (pkey_gq == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
 484		sprintf(filename, "ntpkey_gq_%s", hostname);
 485		if ((fstr = fopen(filename, "r")) != NULL) {
 486			pkey_gq = PEM_read_PrivateKey(fstr, NULL, NULL,
 487			    passwd1);
 488			fclose(fstr);
 489			readlink(filename, filename, sizeof(filename));
 490			if (pkey_gq == NULL) {
 491				fprintf(stderr, "GQ parameters\n%s\n",
 492				    ERR_error_string(ERR_get_error(),
 493				    NULL));
 494				rval = -1;
 495			} else {
 496				fprintf(stderr,
 497				    "Using GQ parameters %s\n",
 498				    filename);
 499			}
 500		}
 501	}
 502
 503	/*
 504	 * If there is a GQ parameter file, create GQ private/public
 505	 * keys and extract the public key for the certificate.
 506	 */
 507	if (pkey_gq != NULL && rval == 0) {
 508		gen_gqkey("gq", pkey_gq);
 509		grpkey = BN_bn2hex(pkey_gq->pkey.rsa->q);
 510	}
 511
 512	/*
 513	 * Generate a X509v3 certificate.
 514	 */
 515	while (scheme == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
 516		sprintf(filename, "ntpkey_cert_%s", hostname);
 517		if ((fstr = fopen(filename, "r")) != NULL) {
 518			cert = PEM_read_X509(fstr, NULL, NULL, NULL);
 519			fclose(fstr);
 520			readlink(filename, filename, sizeof(filename));
 521			if (cert == NULL) {
 522				fprintf(stderr, "Cert \n%s\n",
 523				    ERR_error_string(ERR_get_error(),
 524				    NULL));
 525				rval = -1;
 526			} else {
 527				nid = OBJ_obj2nid(
 528				 cert->cert_info->signature->algorithm);
 529				scheme = OBJ_nid2sn(nid);
 530				fprintf(stderr,
 531				    "Using scheme %s from %s\n", scheme,
 532				     filename);
 533				break;
 534			}
 535		}
 536		scheme = "RSA-MD5";
 537	}
 538	if (pkey != NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
 539		ectx = EVP_get_digestbyname(scheme);
 540		if (ectx == NULL) {
 541			fprintf(stderr,
 542			    "Invalid digest/signature combination %s\n",
 543			    scheme);
 544			rval = -1;
 545		} else {
 546			x509(pkey, ectx, grpkey, exten);
 547		}
 548	}
 549
 550	/*
 551	 * Write the IFF client parameters and keys as a DSA private key
 552	 * encoded in PEM. Note the private key is obscured.
 553	 */
 554	if (pkey_iff != NULL && rval == 0 && HAVE_OPT(ID_KEY)) {
 555		DSA	*dsa;
 556		char	*sptr;
 557		char	*tld;
 558
 559		sptr = strrchr(filename, '.');
 560		tld = malloc(strlen(sptr));	/* we have an extra byte ... */
 561		strcpy(tld, 1+sptr);		/* ... see? */
 562		sprintf(filename, "ntpkey_IFFkey_%s.%s", trustname,
 563		    tld);
 564		free(tld);
 565		fprintf(stderr, "Writing new IFF key %s\n", filename);
 566		fprintf(stdout, "# %s\n# %s", filename, ctime(&epoch));
 567		dsa = pkey_iff->pkey.dsa;
 568		BN_copy(dsa->priv_key, BN_value_one());
 569		pkey = EVP_PKEY_new();
 570		EVP_PKEY_assign_DSA(pkey, dsa);
 571		PEM_write_PrivateKey(stdout, pkey, passwd2 ?
 572		    EVP_des_cbc() : NULL, NULL, 0, NULL, passwd2);
 573		fclose(stdout);
 574		if (debug)
 575			DSA_print_fp(stdout, dsa, 0);
 576	}
 577
 578	/*
 579	 * Return the marbles.
 580	 */
 581	if (grpkey != NULL)
 582		OPENSSL_free(grpkey);
 583	if (pkey_host != NULL)
 584		EVP_PKEY_free(pkey_host);
 585	if (pkey_sign != NULL)
 586		EVP_PKEY_free(pkey_sign);
 587	if (pkey_iff != NULL)
 588		EVP_PKEY_free(pkey_iff);
 589	if (pkey_gq != NULL)
 590		EVP_PKEY_free(pkey_gq);
 591	if (pkey_mv != NULL)
 592		EVP_PKEY_free(pkey_mv);
 593#endif /* OPENSSL */
 594	return (rval);
 595}
 596
 597
 598#if 0
 599/*
 600 * Generate random MD5 key with password.
 601 */
 602int
 603gen_md5(
 604	char	*id		/* file name id */
 605	)
 606{
 607	BIGNUM	*key;
 608	BIGNUM	*keyid;
 609	FILE	*str;
 610	u_char	bin[16];
 611
 612	fprintf(stderr, "Generating MD5 keys...\n");
 613	str = fheader("MD5key", hostname);
 614	keyid = BN_new(); key = BN_new();
 615	BN_rand(keyid, 16, -1, 0);
 616	BN_rand(key, 128, -1, 0);
 617	BN_bn2bin(key, bin);
 618	PEM_write_fp(str, MD5, NULL, bin);
 619	fclose(str);
 620	fslink(id, hostname);
 621	return (1);
 622}
 623
 624
 625#else
 626/*
 627 * Generate semi-random MD5 keys compatible with NTPv3 and NTPv4
 628 */
 629int
 630gen_md5(
 631	char	*id		/* file name id */
 632	)
 633{
 634	u_char	md5key[16];	/* MD5 key */
 635	FILE	*str;
 636	u_int	temp = 0;	/* Initialize to prevent warnings during compile */
 637	int	i, j;
 638
 639	fprintf(stderr, "Generating MD5 keys...\n");
 640	str = fheader("MD5key", hostname);
 641	ntp_srandom(epoch);
 642	for (i = 1; i <= MD5KEYS; i++) {
 643		for (j = 0; j < 16; j++) {
 644			while (1) {
 645				temp = ntp_random() & 0xff;
 646				if (temp == '#')
 647					continue;
 648				if (temp > 0x20 && temp < 0x7f)
 649					break;
 650			}
 651			md5key[j] = (u_char)temp;
 652		}
 653		md5key[15] = '\0';
 654		fprintf(str, "%2d MD5 %16s	# MD5 key\n", i,
 655		    md5key);
 656	}
 657	fclose(str);
 658	fslink(id, hostname);
 659	return (1);
 660}
 661#endif /* OPENSSL */
 662
 663
 664#ifdef OPENSSL
 665/*
 666 * Generate RSA public/private key pair
 667 */
 668EVP_PKEY *			/* public/private key pair */
 669gen_rsa(
 670	char	*id		/* file name id */
 671	)
 672{
 673	EVP_PKEY *pkey;		/* private key */
 674	RSA	*rsa;		/* RSA parameters and key pair */
 675	FILE	*str;
 676
 677	fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus);
 678	rsa = RSA_generate_key(modulus, 3, cb, "RSA");
 679	fprintf(stderr, "\n");
 680	if (rsa == NULL) {
 681		fprintf(stderr, "RSA generate keys fails\n%s\n",
 682		    ERR_error_string(ERR_get_error(), NULL));
 683		rval = -1;
 684		return (NULL);
 685	}
 686
 687	/*
 688	 * For signature encryption it is not necessary that the RSA
 689	 * parameters be strictly groomed and once in a while the
 690	 * modulus turns out to be non-prime. Just for grins, we check
 691	 * the primality.
 692	 */
 693	if (!RSA_check_key(rsa)) {
 694		fprintf(stderr, "Invalid RSA key\n%s\n",
 695		    ERR_error_string(ERR_get_error(), NULL));
 696		RSA_free(rsa);
 697		rval = -1;
 698		return (NULL);
 699	}
 700
 701	/*
 702	 * Write the RSA parameters and keys as a RSA private key
 703	 * encoded in PEM.
 704	 */
 705	str = fheader("RSAkey", hostname);
 706	pkey = EVP_PKEY_new();
 707	EVP_PKEY_assign_RSA(pkey, rsa);
 708	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
 709	    NULL, 0, NULL, passwd2);
 710	fclose(str);
 711	if (debug)
 712		RSA_print_fp(stdout, rsa, 0);
 713	fslink(id, hostname);
 714	return (pkey);
 715}
 716
 717 
 718/*
 719 * Generate DSA public/private key pair
 720 */
 721EVP_PKEY *			/* public/private key pair */
 722gen_dsa(
 723	char	*id		/* file name id */
 724	)
 725{
 726	EVP_PKEY *pkey;		/* private key */
 727	DSA	*dsa;		/* DSA parameters */
 728	u_char	seed[20];	/* seed for parameters */
 729	FILE	*str;
 730
 731	/*
 732	 * Generate DSA parameters.
 733	 */
 734	fprintf(stderr,
 735	    "Generating DSA parameters (%d bits)...\n", modulus);
 736	RAND_bytes(seed, sizeof(seed));
 737	dsa = DSA_generate_parameters(modulus, seed, sizeof(seed), NULL,
 738	    NULL, cb, "DSA");
 739	fprintf(stderr, "\n");
 740	if (dsa == NULL) {
 741		fprintf(stderr, "DSA generate parameters fails\n%s\n",
 742		    ERR_error_string(ERR_get_error(), NULL));
 743		rval = -1;
 744		return (NULL);
 745	}
 746
 747	/*
 748	 * Generate DSA keys.
 749	 */
 750	fprintf(stderr, "Generating DSA keys (%d bits)...\n", modulus);
 751	if (!DSA_generate_key(dsa)) {
 752		fprintf(stderr, "DSA generate keys fails\n%s\n",
 753		    ERR_error_string(ERR_get_error(), NULL));
 754		DSA_free(dsa);
 755		rval = -1;
 756		return (NULL);
 757	}
 758
 759	/*
 760	 * Write the DSA parameters and keys as a DSA private key
 761	 * encoded in PEM.
 762	 */
 763	str = fheader("DSAkey", hostname);
 764	pkey = EVP_PKEY_new();
 765	EVP_PKEY_assign_DSA(pkey, dsa);
 766	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
 767	    NULL, 0, NULL, passwd2);
 768	fclose(str);
 769	if (debug)
 770		DSA_print_fp(stdout, dsa, 0);
 771	fslink(id, hostname);
 772	return (pkey);
 773}
 774
 775
 776/*
 777 * Generate Schnorr (IFF) parameters and keys
 778 *
 779 * The Schnorr (IFF)identity scheme is intended for use when
 780 * certificates are generated by some other trusted certificate
 781 * authority and the parameters cannot be conveyed in the certificate
 782 * itself. For this purpose, new generations of IFF values must be
 783 * securely transmitted to all members of the group before use. There
 784 * are two kinds of files: server/client files that include private and
 785 * public parameters and client files that include only public
 786 * parameters. The scheme is self contained and independent of new
 787 * generations of host keys, sign keys and certificates.
 788 *
 789 * The IFF values hide in a DSA cuckoo structure which uses the same
 790 * parameters. The values are used by an identity scheme based on DSA
 791 * cryptography and described in Stimson p. 285. The p is a 512-bit
 792 * prime, g a generator of Zp* and q a 160-bit prime that divides p - 1
 793 * and is a qth root of 1 mod p; that is, g^q = 1 mod p. The TA rolls a
 794 * private random group key b (0 < b < q), then computes public
 795 * v = g^(q - a). All values except the group key are known to all group
 796 * members; the group key is known to the group servers, but not the
 797 * group clients. Alice challenges Bob to confirm identity using the
 798 * protocol described below.
 799 */
 800EVP_PKEY *			/* DSA cuckoo nest */
 801gen_iff(
 802	char	*id		/* file name id */
 803	)
 804{
 805	EVP_PKEY *pkey;		/* private key */
 806	DSA	*dsa;		/* DSA parameters */
 807	u_char	seed[20];	/* seed for parameters */
 808	BN_CTX	*ctx;		/* BN working space */
 809	BIGNUM	*b, *r, *k, *u, *v, *w; /* BN temp */
 810	FILE	*str;
 811	u_int	temp;
 812
 813	/*
 814	 * Generate DSA parameters for use as IFF parameters.
 815	 */
 816	fprintf(stderr, "Generating IFF parameters (%d bits)...\n",
 817	    modulus);
 818	RAND_bytes(seed, sizeof(seed));
 819	dsa = DSA_generate_parameters(modulus, seed, sizeof(seed), NULL,
 820	    NULL, cb, "IFF");
 821	fprintf(stderr, "\n");
 822	if (dsa == NULL) {
 823		fprintf(stderr, "DSA generate parameters fails\n%s\n",
 824		    ERR_error_string(ERR_get_error(), NULL));
 825		rval = -1;
 826		return (NULL);;
 827	}
 828
 829	/*
 830	 * Generate the private and public keys. The DSA parameters and
 831	 * these keys are distributed to all members of the group.
 832	 */
 833	fprintf(stderr, "Generating IFF keys (%d bits)...\n", modulus);
 834	b = BN_new(); r = BN_new(); k = BN_new();
 835	u = BN_new(); v = BN_new(); w = BN_new(); ctx = BN_CTX_new();
 836	BN_rand(b, BN_num_bits(dsa->q), -1, 0);	/* a */
 837	BN_mod(b, b, dsa->q, ctx);
 838	BN_sub(v, dsa->q, b);
 839	BN_mod_exp(v, dsa->g, v, dsa->p, ctx); /* g^(q - b) mod p */
 840	BN_mod_exp(u, dsa->g, b, dsa->p, ctx);	/* g^b mod p */
 841	BN_mod_mul(u, u, v, dsa->p, ctx);
 842	temp = BN_is_one(u);
 843	fprintf(stderr,
 844	    "Confirm g^(q - b) g^b = 1 mod p: %s\n", temp == 1 ?
 845	    "yes" : "no");
 846	if (!temp) {
 847		BN_free(b); BN_free(r); BN_free(k);
 848		BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
 849		rval = -1;
 850		return (NULL);
 851	}
 852	dsa->priv_key = BN_dup(b);		/* private key */
 853	dsa->pub_key = BN_dup(v);		/* public key */
 854
 855	/*
 856	 * Here is a trial round of the protocol. First, Alice rolls
 857	 * random r (0 < r < q) and sends it to Bob. She needs only
 858	 * modulus q.
 859	 */
 860	BN_rand(r, BN_num_bits(dsa->q), -1, 0);	/* r */
 861	BN_mod(r, r, dsa->q, ctx);
 862
 863	/*
 864	 * Bob rolls random k (0 < k < q), computes y = k + b r mod q
 865	 * and x = g^k mod p, then sends (y, x) to Alice. He needs
 866	 * moduli p, q and the group key b.
 867	 */
 868	BN_rand(k, BN_num_bits(dsa->q), -1, 0);	/* k, 0 < k < q  */
 869	BN_mod(k, k, dsa->q, ctx);
 870	BN_mod_mul(v, dsa->priv_key, r, dsa->q, ctx); /* b r mod q */
 871	BN_add(v, v, k);
 872	BN_mod(v, v, dsa->q, ctx);		/* y = k + b r mod q */
 873	BN_mod_exp(u, dsa->g, k, dsa->p, ctx);	/* x = g^k mod p */
 874
 875	/*
 876	 * Alice computes g^y v^r and verifies the result is equal to x.
 877	 * She needs modulus p, generator g, and the public key v, as
 878	 * well as her original r.
 879	 */
 880	BN_mod_exp(v, dsa->g, v, dsa->p, ctx); /* g^y mod p */
 881	BN_mod_exp(w, dsa->pub_key, r, dsa->p, ctx); /* v^r */
 882	BN_mod_mul(v, w, v, dsa->p, ctx);	/* product mod p */
 883	temp = BN_cmp(u, v);
 884	fprintf(stderr,
 885	    "Confirm g^k = g^(k + b r) g^(q - b) r: %s\n", temp ==
 886	    0 ? "yes" : "no");
 887	BN_free(b); BN_free(r);	BN_free(k);
 888	BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
 889	if (temp != 0) {
 890		DSA_free(dsa);
 891		rval = -1;
 892		return (NULL);
 893	}
 894
 895	/*
 896	 * Write the IFF server parameters and keys as a DSA private key
 897	 * encoded in PEM.
 898	 *
 899	 * p	modulus p
 900	 * q	modulus q
 901	 * g	generator g
 902	 * priv_key b
 903	 * public_key v
 904	 */
 905	str = fheader("IFFpar", trustname);
 906	pkey = EVP_PKEY_new();
 907	EVP_PKEY_assign_DSA(pkey, dsa);
 908	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
 909	    NULL, 0, NULL, passwd2);
 910	fclose(str);
 911	if (debug)
 912		DSA_print_fp(stdout, dsa, 0);
 913	fslink(id, trustname);
 914	return (pkey);
 915}
 916
 917
 918/*
 919 * Generate Guillou-Quisquater (GQ) parameters and keys
 920 *
 921 * The Guillou-Quisquater (GQ) identity scheme is intended for use when
 922 * the parameters, keys and certificates are generated by this program.
 923 * The scheme uses a certificate extension field do convey the public
 924 * key of a particular group identified by a group key known only to
 925 * members of the group. The scheme is self contained and independent of
 926 * new generations of host keys and sign keys.
 927 *
 928 * The GQ parameters hide in a RSA cuckoo structure which uses the same
 929 * parameters. The values are used by an identity scheme based on RSA
 930 * cryptography and described in Stimson p. 300 (with errors). The 512-
 931 * bit public modulus is n = p q, where p and q are secret large primes.
 932 * The TA rolls private random group key b as RSA exponent. These values
 933 * are known to all group members.
 934 *
 935 * When rolling new certificates, a member recomputes the private and
 936 * public keys. The private key u is a random roll, while the public key
 937 * is the inverse obscured by the group key v = (u^-1)^b. These values
 938 * replace the private and public keys normally generated by the RSA
 939 * scheme. Alice challenges Bob to confirm identity using the protocol
 940 * described below.
 941 */
 942EVP_PKEY *			/* RSA cuckoo nest */
 943gen_gqpar(
 944	char	*id		/* file name id */
 945	)
 946{
 947	EVP_PKEY *pkey;		/* private key */
 948	RSA	*rsa;		/* GQ parameters */
 949	BN_CTX	*ctx;		/* BN working space */
 950	FILE	*str;
 951
 952	/*
 953	 * Generate RSA parameters for use as GQ parameters.
 954	 */
 955	fprintf(stderr,
 956	    "Generating GQ parameters (%d bits)...\n", modulus);
 957	rsa = RSA_generate_key(modulus, 3, cb, "GQ");
 958	fprintf(stderr, "\n");
 959	if (rsa == NULL) {
 960		fprintf(stderr, "RSA generate keys fails\n%s\n",
 961		    ERR_error_string(ERR_get_error(), NULL));
 962		rval = -1;
 963		return (NULL);
 964	}
 965
 966	/*
 967	 * Generate the group key b, which is saved in the e member of
 968	 * the RSA structure. These values are distributed to all
 969	 * members of the group, but shielded from all other groups. We
 970	 * don't use all the parameters, but set the unused ones to a
 971	 * small number to minimize the file size.
 972	 */
 973	ctx = BN_CTX_new();
 974	BN_rand(rsa->e, BN_num_bits(rsa->n), -1, 0); /* b */
 975	BN_mod(rsa->e, rsa->e, rsa->n, ctx);
 976	BN_copy(rsa->d, BN_value_one());
 977	BN_copy(rsa->p, BN_value_one());
 978	BN_copy(rsa->q, BN_value_one());
 979	BN_copy(rsa->dmp1, BN_value_one());
 980	BN_copy(rsa->dmq1, BN_value_one());
 981	BN_copy(rsa->iqmp, BN_value_one());
 982
 983	/*
 984	 * Write the GQ parameters as a RSA private key encoded in PEM.
 985	 * The public and private keys are filled in later.
 986	 *
 987	 * n	modulus n
 988	 * e	group key b
 989	 * (remaining values are not used)
 990	 */
 991	str = fheader("GQpar", trustname);
 992	pkey = EVP_PKEY_new();
 993	EVP_PKEY_assign_RSA(pkey, rsa);
 994	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
 995	    NULL, 0, NULL, passwd2);
 996	fclose(str);
 997	if (debug)
 998		RSA_print_fp(stdout, rsa, 0);
 999	fslink(id, trustname);
1000	return (pkey);
1001}
1002
1003
1004/*
1005 * Update Guillou-Quisquater (GQ) parameters
1006 */
1007EVP_PKEY *			/* RSA cuckoo nest */
1008gen_gqkey(
1009	char	*id,		/* file name id */
1010	EVP_PKEY *gqpar		/* GQ parameters */
1011	)
1012{
1013	EVP_PKEY *pkey;		/* private key */
1014	RSA	*rsa;		/* RSA parameters */
1015	BN_CTX	*ctx;		/* BN working space */
1016	BIGNUM	*u, *v, *g, *k, *r, *y; /* BN temps */
1017	FILE	*str;
1018	u_int	temp;
1019
1020	/*
1021	 * Generate GQ keys. Note that the group key b is the e member
1022	 * of
1023	 * the GQ parameters.
1024	 */
1025	fprintf(stderr, "Updating GQ keys (%d bits)...\n", modulus);
1026	ctx = BN_CTX_new(); u = BN_new(); v = BN_new();
1027	g = BN_new(); k = BN_new(); r = BN_new(); y = BN_new();
1028
1029	/*
1030	 * When generating his certificate, Bob rolls random private key
1031	 * u. 
1032	 */
1033	rsa = gqpar->pkey.rsa;
1034	BN_rand(u, BN_num_bits(rsa->n), -1, 0); /* u */
1035	BN_mod(u, u, rsa->n, ctx);
1036	BN_mod_inverse(v, u, rsa->n, ctx);	/* u^-1 mod n */
1037	BN_mod_mul(k, v, u, rsa->n, ctx);
1038
1039	/*
1040	 * Bob computes public key v = (u^-1)^b, which is saved in an
1041	 * extension field on his certificate. We check that u^b v =
1042	 * 1 mod n.
1043	 */
1044	BN_mod_exp(v, v, rsa->e, rsa->n, ctx);
1045	BN_mod_exp(g, u, rsa->e, rsa->n, ctx); /* u^b */
1046	BN_mod_mul(g, g, v, rsa->n, ctx); /* u^b (u^-1)^b */
1047	temp = BN_is_one(g);
1048	fprintf(stderr,
1049	    "Confirm u^b (u^-1)^b = 1 mod n: %s\n", temp ? "yes" :
1050	    "no");
1051	if (!temp) {
1052		BN_free(u); BN_free(v);
1053		BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1054		BN_CTX_free(ctx);
1055		RSA_free(rsa);
1056		rval = -1;
1057		return (NULL);
1058	}
1059	BN_copy(rsa->p, u);			/* private key */
1060	BN_copy(rsa->q, v);			/* public key */
1061
1062	/*
1063	 * Here is a trial run of the protocol. First, Alice rolls
1064	 * random r (0 < r < n) and sends it to Bob. She needs only
1065	 * modulus n from the parameters.
1066	 */
1067	BN_rand(r, BN_num_bits(rsa->n), -1, 0);	/* r */
1068	BN_mod(r, r, rsa->n, ctx);
1069
1070	/*
1071	 * Bob rolls random k (0 < k < n), computes y = k u^r mod n and
1072	 * g = k^b mod n, then sends (y, g) to Alice. He needs modulus n
1073	 * from the parameters and his private key u. 
1074	 */
1075	BN_rand(k, BN_num_bits(rsa->n), -1, 0);	/* k */
1076	BN_mod(k, k, rsa->n, ctx);
1077	BN_mod_exp(y, rsa->p, r, rsa->n, ctx);	/* u^r mod n */
1078	BN_mod_mul(y, k, y, rsa->n, ctx);	/* y = k u^r mod n */
1079	BN_mod_exp(g, k, rsa->e, rsa->n, ctx); /* g = k^b mod n */
1080
1081	/*
1082	 * Alice computes v^r y^b mod n and verifies the result is equal
1083	 * to g. She needs modulus n, generator g and group key b from
1084	 * the parameters and Bob's public key v = (u^-1)^b from his
1085	 * certificate.
1086	 */
1087	BN_mod_exp(v, rsa->q, r, rsa->n, ctx);	/* v^r mod n */
1088	BN_mod_exp(y, y, rsa->e, rsa->n, ctx); /* y^b mod n */
1089	BN_mod_mul(y, v, y, rsa->n, ctx);	/* v^r y^b mod n */
1090	temp = BN_cmp(y, g);
1091	fprintf(stderr, "Confirm g^k = v^r y^b mod n: %s\n", temp == 0 ?
1092	    "yes" : "no");
1093	BN_CTX_free(ctx); BN_free(u); BN_free(v);
1094	BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1095	if (temp != 0) {
1096		RSA_free(rsa);
1097		rval = -1;
1098		return (NULL);
1099	}
1100
1101	/*
1102	 * Write the GQ parameters and keys as a RSA private key encoded
1103	 * in PEM.
1104	 *
1105	 * n	modulus n
1106	 * e	group key b
1107	 * p	private key u
1108	 * q	public key (u^-1)^b
1109	 * (remaining values are not used)
1110	 */
1111	str = fheader("GQpar", trustname);
1112	pkey = EVP_PKEY_new();
1113	EVP_PKEY_assign_RSA(pkey, rsa);
1114	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
1115	    NULL, 0, NULL, passwd2);
1116	fclose(str);
1117	if (debug)
1118		RSA_print_fp(stdout, rsa, 0);
1119	fslink(id, trustname);
1120	return (pkey);
1121}
1122
1123
1124/*
1125 * Generate Mu-Varadharajan (MV) parameters and keys
1126 *
1127 * The Mu-Varadharajan (MV) cryptosystem is useful when servers
1128 * broadcast messages to clients, but clients never send messages to
1129 * servers. There is one encryption key for the server and a separate
1130 * decryption key for each client. It operates something like a
1131 * pay-per-view satellite broadcasting system where the session key is
1132 * encrypted by the broadcaster and the decryption keys are held in a
1133 * tamperproof set-top box. We don't use it this way, but read on.
1134 *
1135 * The MV parameters and private encryption key hide in a DSA cuckoo
1136 * structure which uses the same parameters, but generated in a
1137 * different way. The values are used in an encryption scheme similar to
1138 * El Gamal cryptography and a polynomial formed from the expansion of
1139 * product terms (x - x[j]), as described in Mu, Y., and V.
1140 * Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001,
1141 * 223-231. The paper has significant errors and serious omissions.
1142 *
1143 * Let q be the product of n distinct primes s'[j] (j = 1...n), where
1144 * each s'[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
1145 * that q and each s'[j] divide p - 1 and p has M = n * m + 1
1146 * significant bits. Let g be a generator of Zp; that is, gcd(g, p - 1)
1147 * = 1 and g^q = 1 mod p. We do modular arithmetic over Zq and then
1148 * project into Zp* as exponents of g. Sometimes we have to compute an
1149 * inverse b^-1 of random b in Zq, but for that purpose we require
1150 * gcd(b, q) = 1. We expect M to be in the 500-bit range and n
1151 * relatively small, like 30. Associated with each s'[j] is an element
1152 * s[j] such that s[j] s'[j] = s'[j] mod q. We find s[j] as the quotient
1153 * (q + s'[j]) / s'[j]. These are the parameters of the scheme and they
1154 * are expensive to compute.
1155 *
1156 * We set up an instance of the scheme as follows. A set of random
1157 * values x[j] mod q (j = 1...n), are generated as the zeros of a
1158 * polynomial of order n. The product terms (x - x[j]) are expanded to
1159 * form coefficients a[i] mod q (i = 0...n) in powers of x. These are
1160 * used as exponents of the generator g mod p to generate the private
1161 * encryption key A. The pair (gbar, ghat) of public server keys and the
1162 * pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used
1163 * to construct the decryption keys. The devil is in the details.
1164 *
1165 * This routine generates a private encryption file including the
1166 * private encryption key E and public key (gbar, ghat). It then
1167 * generates decryption files including the private key (xbar[j],
1168 * xhat[j]) for each client. E is a permutation that encrypts a block
1169 * y = E x. The jth client computes the inverse permutation E^-1 =
1170 * gbar^xhat[j] ghat^xbar[j] and decrypts the block x = E^-1 y.
1171 *
1172 * The distinguishing characteristic of this scheme is the capability to
1173 * revoke keys. Included in the calculation of E, gbar and ghat is the
1174 * product s = prod(s'[j]) (j = 1...n) above. If the factor s'[j] is
1175 * subsequently removed from the product and E, gbar and ghat
1176 * recomputed, the jth client will no longer be able to compute E^-1 and
1177 * thus unable to decrypt the block.
1178 */
1179EVP_PKEY *			/* DSA cuckoo nest */
1180gen_mv(
1181	char	*id		/* file name id */
1182	)
1183{
1184	EVP_PKEY *pkey, *pkey1;	/* private key */
1185	DSA	*dsa;		/* DSA parameters */
1186	DSA	*sdsa;		/* DSA parameters */
1187	BN_CTX	*ctx;		/* BN working space */
1188	BIGNUM	**x;		/* polynomial zeros vector */
1189	BIGNUM	**a;		/* polynomial coefficient vector */
1190	BIGNUM	**g;		/* public key vector */
1191	BIGNUM	**s, **s1;	/* private enabling keys */
1192	BIGNUM	**xbar, **xhat;	/* private keys vector */
1193	BIGNUM	*b;		/* group key */
1194	BIGNUM	*b1;		/* inverse group key */
1195	BIGNUM	*ss;		/* enabling key */
1196	BIGNUM	*biga;		/* master encryption key */
1197	BIGNUM	*bige;		/* session encryption key */
1198	BIGNUM	*gbar, *ghat;	/* public key */
1199	BIGNUM	*u, *v, *w;	/* BN scratch */
1200	int	i, j, n;
1201	FILE	*str;
1202	u_int	temp;
1203	char	ident[20];
1204
1205	/*
1206	 * Generate MV parameters.
1207	 *
1208	 * The object is to generate a multiplicative group Zp* modulo a
1209	 * prime p and a subset Zq mod q, where q is the product of n
1210	 * distinct primes s'[j] (j = 1...n) and q divides p - 1. We
1211	 * first generate n distinct primes, which may have to be
1212	 * regenerated later. As a practical matter, it is tough to find
1213	 * more than 31 distinct primes for modulus 512 or 61 primes for
1214	 * modulus 1024. The latter can take several hundred iterations
1215	 * and several minutes on a Sun Blade 1000.
1216	 */
1217	n = nkeys;
1218	fprintf(stderr,
1219	    "Generating MV parameters for %d keys (%d bits)...\n", n,
1220	    modulus / n);
1221	ctx = BN_CTX_new(); u = BN_new(); v = BN_new(); w = BN_new();
1222	b = BN_new(); b1 = BN_new();
1223	dsa = DSA_new();
1224	dsa->p = BN_new();
1225	dsa->q = BN_new();
1226	dsa->g = BN_new();
1227	s = malloc((n + 1) * sizeof(BIGNUM));
1228	s1 = malloc((n + 1) * sizeof(BIGNUM));
1229	for (j = 1; j <= n; j++)
1230		s1[j] = BN_new();
1231	temp = 0;
1232	for (j = 1; j <= n; j++) {
1233		while (1) {
1234			fprintf(stderr, "Birthdays %d\r", temp);
1235			BN_generate_prime(s1[j], modulus / n, 0, NULL,
1236			    NULL, NULL, NULL);
1237			for (i = 1; i < j; i++) {
1238				if (BN_cmp(s1[i], s1[j]) == 0)
1239					break;
1240			}
1241			if (i == j)
1242				break;
1243			temp++;
1244		}
1245	}
1246	fprintf(stderr, "Birthday keys rejected %d\n", temp);
1247
1248	/*
1249	 * Compute the modulus q as the product of the primes. Compute
1250	 * the modulus p as 2 * q + 1 and test p for primality. If p
1251	 * is composite, replace one of the primes with a new distinct
1252	 * one and try again. Note that q will hardly be a secret since
1253	 * we have to reveal p to servers and clients. However,
1254	 * factoring q to find the primes should be adequately hard, as
1255	 * this is the same problem considered hard in RSA. Question: is
1256	 * it as hard to find n small prime factors totalling n bits as
1257	 * it is to find two large prime factors totalling n bits?
1258	 * Remember, the bad guy doesn't know n.
1259	 */
1260	temp = 0;
1261	while (1) {
1262		fprintf(stderr, "Duplicate keys rejected %d\r", ++temp);
1263		BN_one(dsa->q);
1264		for (j = 1; j <= n; j++)
1265			BN_mul(dsa->q, dsa->q, s1[j], ctx);
1266		BN_copy(dsa->p, dsa->q);
1267		BN_add(dsa->p, dsa->p, dsa->p);
1268		BN_add_word(dsa->p, 1);
1269		if (BN_is_prime(dsa->p, BN_prime_checks, NULL, ctx,
1270		    NULL))
1271			break;
1272
1273		j = temp % n + 1;
1274		while (1) {
1275			BN_generate_prime(u, modulus / n, 0, 0, NULL,
1276			    NULL, NULL);
1277			for (i = 1; i <= n; i++) {
1278				if (BN_cmp(u, s1[i]) == 0)
1279					break;
1280			}
1281			if (i > n)
1282				break;
1283		}
1284		BN_copy(s1[j], u);
1285	}
1286	fprintf(stderr, "Duplicate keys rejected %d\n", temp);
1287
1288	/*
1289	 * Compute the generator g using a random roll such that
1290	 * gcd(g, p - 1) = 1 and g^q = 1. This is a generator of p, not
1291	 * q.
1292	 */
1293	BN_copy(v, dsa->p);
1294	BN_sub_word(v, 1);
1295	while (1) {
1296		BN_rand(dsa->g, BN_num_bits(dsa->p) - 1, 0, 0);
1297		BN_mod(dsa->g, dsa->g, dsa->p, ctx);
1298		BN_gcd(u, dsa->g, v, ctx);
1299		if (!BN_is_one(u))
1300			continue;
1301
1302		BN_mod_exp(u, dsa->g, dsa->q, dsa->p, ctx);
1303		if (BN_is_one(u))
1304			break;
1305	}
1306
1307	/*
1308	 * Compute s[j] such that s[j] * s'[j] = s'[j] for all j. The
1309	 * easy way to do this is to compute q + s'[j] and divide the
1310	 * result by s'[j]. Exercise for the student: prove the
1311	 * remainder is always zero.
1312	 */
1313	for (j = 1; j <= n; j++) {
1314		s[j] = BN_new();
1315		BN_add(s[j], dsa->q, s1[j]);
1316		BN_div(s[j], u, s[j], s1[j], ctx);
1317	}
1318
1319	/*
1320	 * Setup is now complete. Roll random polynomial roots x[j]
1321	 * (0 < x[j] < q) for all j. While it may not be strictly
1322	 * necessary, Make sure each root has no factors in common with
1323	 * q.
1324	 */
1325	fprintf(stderr,
1326	    "Generating polynomial coefficients for %d roots (%d bits)\n",
1327	    n, BN_num_bits(dsa->q)); 
1328	x = malloc((n + 1) * sizeof(BIGNUM));
1329	for (j = 1; j <= n; j++) {
1330		x[j] = BN_new();
1331		while (1) {
1332			BN_rand(x[j], BN_num_bits(dsa->q), 0, 0);
1333			BN_mod(x[j], x[j], dsa->q, ctx);
1334			BN_gcd(u, x[j], dsa->q, ctx);
1335			if (BN_is_one(u))
1336				break;
1337		}
1338	}
1339
1340	/*
1341	 * Generate polynomial coefficients a[i] (i = 0...n) from the
1342	 * expansion of root products (x - x[j]) mod q for all j. The
1343	 * method is a present from Charlie Boncelet.
1344	 */
1345	a = malloc((n + 1) * sizeof(BIGNUM));
1346	for (i = 0; i <= n; i++) {
1347		a[i] = BN_new();
1348		BN_one(a[i]);
1349	}
1350	for (j = 1; j <= n; j++) {
1351		BN_zero(w);
1352		for (i = 0; i < j; i++) {
1353			BN_copy(u, dsa->q);
1354			BN_mod_mul(v, a[i], x[j], dsa->q, ctx);
1355			BN_sub(u, u, v);
1356			BN_add(u, u, w);
1357			BN_copy(w, a[i]);
1358			BN_mod(a[i], u, dsa->q, ctx);
1359		}
1360	}
1361
1362	/*
1363	 * Generate g[i] = g^a[i] mod p for all i and the generator g.
1364	 */
1365	fprintf(stderr, "Generating g[i] parameters\n");
1366	g = malloc((n + 1) * sizeof(BIGNUM));
1367	for (i = 0; i <= n; i++) {
1368		g[i] = BN_new();
1369		BN_mod_exp(g[i], dsa->g, a[i], dsa->p, ctx);
1370	}
1371
1372	/*
1373	 * Verify prod(g[i]^(a[i] x[j]^i)) = 1 for all i, j; otherwise,
1374	 * exit. Note the a[i] x[j]^i exponent is computed mod q, but
1375	 * the g[i] is computed mod p. also note the expression given in
1376	 * the paper is incorrect.
1377	 */
1378	temp = 1;
1379	for (j = 1; j <= n; j++) {
1380		BN_one(u);
1381		for (i = 0; i <= n; i++) {
1382			BN_set_word(v, i);
1383			BN_mod_exp(v, x[j], v, dsa->q, ctx);
1384			BN_mod_mul(v, v, a[i], dsa->q, ctx);
1385			BN_mod_exp(v, dsa->g, v, dsa->p, ctx);
1386			BN_mod_mul(u, u, v, dsa->p, ctx);
1387		}
1388		if (!BN_is_one(u))
1389			temp = 0;
1390	}
1391	fprintf(stderr,
1392	    "Confirm prod(g[i]^(x[j]^i)) = 1 for all i, j: %s\n", temp ?
1393	    "yes" : "no");
1394	if (!temp) {
1395		rval = -1;
1396		return (NULL);
1397	}
1398
1399	/*
1400	 * Make private encryption key A. Keep it around for awhile,
1401	 * since it is expensive to compute.
1402	 */
1403	biga = BN_new();
1404	BN_one(biga);
1405	for (j = 1; j <= n; j++) {
1406		for (i = 0; i < n; i++) {
1407			BN_set_word(v, i);
1408			BN_mod_exp(v, x[j], v, dsa->q, ctx);
1409			BN_mod_exp(v, g[i], v, dsa->p, ctx);
1410			BN_mod_mul(biga, biga, v, dsa->p, ctx);
1411		}
1412	}
1413
1414	/*
1415	 * Roll private random group key b mod q (0 < b < q), where
1416	 * gcd(b, q) = 1 to guarantee b^1 exists, then compute b^-1
1417	 * mod q. If b is changed, the client keys must be recomputed.
1418	 */
1419	while (1) {
1420		BN_rand(b, BN_num_bits(dsa->q), 0, 0);
1421		BN_mod(b, b, dsa->q, ctx);
1422		BN_gcd(u, b, dsa->q, ctx);
1423		if (BN_is_one(u))
1424			break;
1425	}
1426	BN_mod_inverse(b1, b, dsa->q, ctx);
1427
1428	/*
1429	 * Make private client keys (xbar[j], xhat[j]) for all j. Note
1430	 * that the keys for the jth client involve s[j], but not s'[j]
1431	 * or the product s = prod(s'[j]) mod q, which is the enabling
1432	 * key.
1433	 */
1434	xbar = malloc((n + 1) * sizeof(BIGNUM));
1435	xhat = malloc((n + 1) * sizeof(BIGNUM));
1436	for (j = 1; j <= n; j++) {
1437		xbar[j] = BN_new(); xhat[j] = BN_new();
1438		BN_zero(xbar[j]);
1439		BN_set_word(v, n);
1440		for (i = 1; i <= n; i++) {
1441			if (i == j)
1442				continue;
1443			BN_mod_exp(u, x[i], v, dsa->q, ctx);
1444			BN_add(xbar[j], xbar[j], u);
1445		}
1446		BN_mod_mul(xbar[j], xbar[j], b1, dsa->q, ctx);
1447		BN_mod_exp(xhat[j], x[j], v, dsa->q, ctx);
1448		BN_mod_mul(xhat[j], xhat[j], s[j], dsa->q, ctx);
1449	}
1450
1451	/*
1452	 * The enabling key is initially q by construction. We can
1453	 * revoke client j by dividing q by s'[j]. The quotient becomes
1454	 * the enabling key s. Note we always have to revoke one key;
1455	 * otherwise, the plaintext and cryptotext would be identical.
1456	 */
1457	ss = BN_new();
1458	BN_copy(ss, dsa->q);
1459	BN_div(ss, u, dsa->q, s1[n], ctx);
1460
1461	/*
1462	 * Make private server encryption key E = A^s and public server
1463	 * keys gbar = g^s mod p and ghat = g^(s b) mod p. The (gbar,
1464	 * ghat) is the public key provided to the server, which uses it
1465	 * to compute the session encryption key and public key included
1466	 * in its messages. These values must be regenerated if the
1467	 * enabling key is changed.
1468	 */
1469	bige = BN_new(); gbar = BN_new(); ghat = BN_new();
1470	BN_mod_exp(bige, biga, ss, dsa->p, ctx);
1471	BN_mod_exp(gbar, dsa->g, ss, dsa->p, ctx);
1472	BN_mod_mul(v, ss, b, dsa->q, ctx);
1473	BN_mod_exp(ghat, dsa->g, v, dsa->p, ctx);
1474
1475	/*
1476	 * We produce the key media in three steps. The first step is to
1477	 * generate the private values that do not depend on the
1478	 * enabling key. These include the server values p, q, g, b, A
1479	 * and the client values s'[j], xbar[j] and xhat[j] for each j.
1480	 * The p, xbar[j] and xhat[j] values are encoded in private
1481	 * files which are distributed to respective clients. The p, q,
1482	 * g, A and s'[j] values (will be) written to a secret file to
1483	 * be read back later.
1484	 *
1485	 * The secret file (will be) read back at some later time to
1486	 * enable/disable individual keys and generate/regenerate the
1487	 * enabling key s. The p, q, E, gbar and ghat values are written
1488	 * to a secret file to be read back later by the server.
1489	 *
1490	 * The server reads the secret file and rolls the session key
1491	 * k, which is used only once, then computes E^k, gbar^k and
1492	 * ghat^k. The E^k is the session encryption key. The encrypted
1493	 * data, gbar^k and ghat^k are transmtted to clients in an
1494	 * extension field. The client receives the message and computes
1495	 * x = (gbar^k)^xbar[j] (ghat^k)^xhat[j], finds the session
1496	 * encryption key E^k as the inverse x^-1 and decrypts the data.
1497	 */
1498	BN_copy(dsa->g, bige);
1499	dsa->priv_key = BN_dup(gbar);
1500	dsa->pub_key = BN_dup(ghat);
1501
1502	/*
1503	 * Write the MV server parameters and keys as a DSA private key
1504	 * encoded in PEM.
1505	 *
1506	 * p	modulus p
1507	 * q	modulus q (used only to generate k)
1508	 * g	E mod p
1509	 * priv_key gbar mod p
1510	 * pub_key ghat mod p
1511	 */
1512	str = fheader("MVpar", trustname);
1513	pkey = EVP_PKEY_new();
1514	EVP_PKEY_assign_DSA(pkey, dsa);
1515	PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
1516	    NULL, 0, NULL, passwd2);
1517	fclose(str);
1518	if (debug)
1519		DSA_print_fp(stdout, dsa, 0);
1520	fslink(id, trustname);
1521
1522	/*
1523	 * Write the parameters and private key (xbar[j], xhat[j]) for
1524	 * all j as a DSA private key encoded in PEM. It is used only by
1525	 * the designated recipient(s) who pay a suitably outrageous fee
1526	 * for its use.
1527	 */
1528	sdsa = DSA_new();
1529	sdsa->p = BN_dup(dsa->p);
1530	sdsa->q = BN_dup(BN_value_one());
1531	sdsa->g = BN_dup(BN_value_one());
1532	sdsa->priv_key = BN_new();
1533	sdsa->pub_key = BN_new();
1534	for (j = 1; j <= n; j++) {
1535		BN_copy(sdsa->priv_key, xbar[j]);
1536		BN_copy(sdsa->pub_key, xhat[j]);
1537		BN_mod_exp(v, dsa->priv_key, sdsa->pub_key, dsa->p,
1538		    ctx);
1539		BN_mod_exp(u, dsa->pub_key, sdsa->priv_key, dsa->p,
1540		    ctx);
1541		BN_mod_mul(u, u, v, dsa->p, ctx);
1542		BN_mod_mul(u, u, dsa->g, dsa->p, ctx);
1543		BN_free(xbar[j]); BN_free(xhat[j]);
1544		BN_free(x[j]); BN_free(s[j]); BN_free(s1[j]);
1545		if (!BN_is_one(u)) {
1546			fprintf(stderr, "Revoke key %d\n", j);
1547			continue;
1548		}
1549
1550		/*
1551		 * Write the client parameters as a DSA private key
1552		 * encoded in PEM. We don't make links for these.
1553		 *
1554		 * p	modulus p
1555		 * priv_key xbar[j] mod q
1556		 * pub_key xhat[j] mod q
1557		 * (remaining values are not used)
1558		 */
1559		sprintf(ident, "MVkey%d", j);
1560		str = fheader(ident, trustname);
1561		pkey1 = EVP_PKEY_new();
1562		EVP_PKEY_set1_DSA(pkey1, sdsa);
1563		PEM_write_PrivateKey(str, pkey1, passwd2 ?
1564		    EVP_des_cbc() : NULL, NULL, 0, NULL, passwd2);
1565		fclose(str);
1566		fprintf(stderr, "ntpkey_%s_%s.%lu\n", ident, trustname,
1567		    epoch + JAN_1970);
1568		if (debug)
1569			DSA_print_fp(stdout, sdsa, 0);
1570		EVP_PKEY_free(pkey1);
1571	}
1572
1573	/*
1574	 * Free the countries.
1575	 */
1576	for (i = 0; i <= n; i++) {
1577		BN_free(a[i]);
1578		BN_free(g[i]);
1579	}
1580	BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
1581	BN_free(b); BN_free(b1); BN_free(biga); BN_free(bige);
1582	BN_free(ss); BN_free(gbar); BN_free(ghat);
1583	DSA_free(sdsa);
1584
1585	/*
1586	 * Free the world.
1587	 */
1588	free(x); free(a); free(g); free(s); free(s1);
1589	free(xbar); free(xhat);
1590	return (pkey);
1591}
1592
1593
1594/*
1595 * Generate X509v3 scertificate.
1596 *
1597 * The certificate consists of the version number, serial number,
1598 * validity interval, issuer name, subject name and public key. For a
1599 * self-signed certificate, the issuer name is the same as the subject
1600 * name and these items are signed using the subject private key. The
1601 * validity interval extends from the current time to the same time one
1602 * year hence. For NTP purposes, it is convenient to use the NTP seconds
1603 * of the current time as the serial number.
1604 */
1605int
1606x509	(
1607	EVP_PKEY *pkey,		/* generic signature algorithm */
1608	const EVP_MD *md,	/* generic digest algorithm */
1609	char	*gqpub,		/* identity extension (hex string) */
1610	char	*exten		/* private cert extension */
1611	)
1612{
1613	X509	*cert;		/* X509 certificate */
1614	X509_NAME *subj;	/* distinguished (common) name */
1615	X509_EXTENSION *ex;	/* X509v3 extension */
1616	FILE	*str;		/* file handle */
1617	ASN1_INTEGER *serial;	/* serial number */
1618	const char *id;		/* digest/signature scheme name */
1619	char	pathbuf[MAXFILENAME + 1];
1620
1621	/*
1622	 * Generate X509 self-signed certificate.
1623	 *
1624	 * Set the certificate serial to the NTP seconds for grins. Set
1625	 * the version to 3. Set the subject name and issuer name to the
1626	 * subject name in the request. Set the initial validity to the
1627	 * current time and the final validity one year hence. 
1628	 */
1629	id = OBJ_nid2sn(md->pkey_type);
1630	fprintf(stderr, "Generating certificate %s\n", id);
1631	cert = X509_new();
1632	X509_set_version(cert, 2L);
1633	serial = ASN1_INTEGER_new();
1634	ASN1_INTEGER_set(serial, epoch + JAN_1970);
1635	X509_set_serialNumber(cert, serial);
1636	ASN1_INTEGER_free(serial);
1637	X509_time_adj(X509_get_notBefore(cert), 0L, &epoch);
1638	X509_time_adj(X509_get_notAfter(cert), YEAR, &epoch);
1639	subj = X509_get_subject_name(cert);
1640	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
1641	    (unsigned char *) hostname, strlen(hostname), -1, 0);
1642	subj = X509_get_issuer_name(cert);
1643	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
1644	    (unsigned char *) trustname, strlen(trustname), -1, 0);
1645	if (!X509_set_pubkey(cert, pkey)) {
1646		fprintf(stderr, "Assign key fails\n%s\n",
1647		    ERR_error_string(ERR_get_error(), NULL));
1648		X509_free(cert);
1649		rval = -1;
1650		return (0);
1651	}
1652
1653	/*
1654	 * Add X509v3 extensions if present. These represent the minimum
1655	 * set defined in RFC3280 less the certificate_policy extension,
1656	 * which is seriously obfuscated in OpenSSL.
1657	 */
1658	/*
1659	 * The basic_constraints extension CA:TRUE allows servers to
1660	 * sign client certficitates.
1661	 */
1662	fprintf(stderr, "%s: %s\n", LN_basic_constraints,
1663	    BASIC_CONSTRAINTS);
1664	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
1665	    BASIC_CONSTRAINTS);
1666	if (!X509_add_ext(cert, ex, -1)) {
1667		fprintf(stderr, "Add extension field fails\n%s\n",
1668		    ERR_error_string(ERR_get_error(), NULL));
1669		rval = -1;
1670		return (0);
1671	}
1672	X509_EXTENSION_free(ex);
1673
1674	/*
1675	 * The key_usage extension designates the purposes the key can
1676	 * be used for.
1677	 */
1678	fprintf(stderr, "%s: %s\n", LN_key_usage, KEY_USAGE);
1679	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, KEY_USAGE);
1680	if (!X509_add_ext(cert, ex, -1)) {
1681		fprintf(stderr, "Add extension field fails\n%s\n",
1682		    ERR_error_string(ERR_get_error(), NULL));
1683		rval = -1;
1684		return (0);
1685	}
1686	X509_EXTENSION_free(ex);
1687	/*
1688	 * The subject_key_identifier is used for the GQ public key.
1689	 * This should not be controversial.
1690	 */
1691	if (gqpub != NULL) {
1692		fprintf(stderr, "%s\n", LN_subject_key_identifier);
1693		ex = X509V3_EXT_conf_nid(NULL, NULL,
1694		    NID_subject_key_identifier, gqpub);
1695		if (!X509_add_ext(cert, ex, -1)) {
1696			fprintf(stderr,
1697			    "Add extension field fails\n%s\n",
1698			    ERR_error_string(ERR_get_error(), NULL));
1699			rval = -1;
1700			return (0);
1701		}
1702		X509_EXTENSION_free(ex);
1703	}
1704
1705	/*
1706	 * The extended key usage extension is used for special purpose
1707	 * here. The semantics probably do not conform to the designer's
1708	 * intent and will likely change in future.
1709	 * 
1710	 * "trustRoot" designates …

Large files files are truncated, but you can click here to view the full file