NetBSD/dist/ntp/ntpd/ntp_crypto.c

1160 lines
30 KiB
C

/* $NetBSD: ntp_crypto.c,v 1.1.1.1 2000/04/22 14:53:16 simonb Exp $ */
/*
* ntp_crypto.c - NTP version 4 public key routines
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifdef AUTOKEY
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include "ntpd.h"
#include "ntp_stdlib.h"
#include "ntp_string.h"
#include "ntp_crypto.h"
/*
* Extension field message formats
*
* +-------+-------+ +-------+-------+ +-------+-------+
* 0 | 3 | len | | 4 | len | | 5 | len |
* +-------+-------+ +-------+-------+ +-------+-------+
* 1 | assoc ID | | assoc ID | | assoc ID |
* +---------------+ +---------------+ +---------------+
* 2 | timestamp | | timestamp | | timestamp |
* +---------------+ +---------------+ +---------------+
* 3 | final seq | | cookie | | value len |
* +---------------+ +---------------+ +---------------+
* 4 | final key | | signature len | | |
* +---------------+ +---------------+ = value =
* 5 | signature len | | | | |
* +---------------+ = signature = +---------------+
* 6 | | | | | signature len |
* = signature = +---------------+ +---------------+
* 7 | | CRYPTO_PRIV rsp | |
* +---------------+ = signature =
* CRYPTO_AUTO rsp | |
* +---------------+
* CRYPTO_DH rsp
* CRYPTO_NAME rsp
*
* CRYPTO_PUBL 1 request/respond for public key
* CRYPTO_ASSOC 2 request/respond association ID
* CRYPTO_AUTO 3 request/respond autokey values
* CRYPTO_PRIV 4 request/respond cookie
* CRYPTO_DH 5 request public value/respond signature
* CRYPTO_NAME 6 request/respond host name
*
* Note: requests carry the association ID of the receiver; responses
* carry the association ID of the sender.
*/
#ifdef PUBKEY
/*
* Cryptodefines
*/
#define MAX_KEYLEN 1024 /* maximum key length */
/*
* Cryptodata
*/
static R_DH_PARAMS dh_params; /* Diffie-Hellman parameters */
static u_int dh_keyLen; /* Diffie-Hellman key length */
static u_char *dh_public; /* Diffie-Hellman public value */
static u_char *dh_private; /* Diffie-Hellman private value */
static R_RSA_PRIVATE_KEY private_key; /* RSA private key */
static R_RSA_PUBLIC_KEY public_key; /* RSA public key */
static u_char *dh_sign = NULL; /* Diffie-Hellman public signature */
static struct value host; /* host name, timestamp and signature */
int crypto_enable; /* master switch */
int crypto_flags; /* flags that wave cryptically */
char *private_key_file = NULL; /* private key file */
char *public_key_file = NULL; /* public key file */
char *dh_params_file = NULL; /* D-H parameters file */
char *keysdir = "/usr/local/etc/"; /* crypto keys directory */
/*
* Cryptotypes
*/
static int crypto_read P((u_char *, u_char *, u_int));
static void crypto_line P((FILE *, u_char **, u_int *));
#endif /* PUBKEY */
/*
* session_key - generate session key
*
* This routine generates a session key from the source address,
* destination address, key ID and private value. The value of the
* session key is the MD5 hash of these values, while the next key ID is
* the first four octets of the hash.
*/
keyid_t /* returns next key ID */
session_key(
struct sockaddr_in *srcadr, /* source address */
struct sockaddr_in *dstadr, /* destination address */
keyid_t keyno, /* key ID */
keyid_t private, /* private value */
u_long lifetime /* key lifetime */
)
{
MD5_CTX ctx; /* MD5 context */
keyid_t keyid; /* key identifer */
u_int32 header[4]; /* data in network byte order */
u_char digest[16]; /* message digest */
/*
* Generate the session key and key ID. If the lifetime is
* greater than zero, install the key and call it trusted.
*/
header[0] = srcadr->sin_addr.s_addr;
header[1] = dstadr->sin_addr.s_addr;
header[2] = htonl(keyno);
header[3] = htonl(private);
MD5Init(&ctx);
MD5Update(&ctx, (u_char *)header, sizeof(header));
MD5Final(digest, &ctx);
memcpy(&keyid, digest, 4);
keyid = ntohl(keyid);
if (lifetime != 0) {
MD5auth_setkey(keyno, digest, 16);
authtrust(keyno, lifetime);
}
#ifdef DEBUG
if (debug > 1)
printf(
"session_key: %s > %s %08x %08x hash %08x life %lu\n",
numtoa(header[0]), numtoa(header[1]), keyno,
private, keyid, lifetime);
#endif
return (keyid);
}
/*
* make_keylist - generate key list
*
* This routine constructs a pseudo-random sequence by repeatedly
* hashing the session key starting from a given source address,
* destination address, private value and the next key ID of the
* preceeding session key. The last entry on the list is saved along
* with its sequence number and public signature.
*/
void
make_keylist(
struct peer *peer /* peer structure pointer */
)
{
struct autokey *ap; /* autokey pointer */
keyid_t keyid; /* next key ID */
keyid_t cookie; /* private value */
l_fp tstamp; /* NTP timestamp */
u_long ltemp;
int i;
#ifdef PUBKEY
R_SIGNATURE_CTX ctx; /* signature context */
int rval; /* return value */
u_int len;
#endif /* PUBKEY */
/*
* Allocate the key list if necessary.
*/
L_CLR(&tstamp);
if (sys_leap != LEAP_NOTINSYNC)
get_systime(&tstamp);
if (peer->keylist == NULL)
peer->keylist = (keyid_t *)emalloc(sizeof(keyid_t) *
NTP_MAXSESSION);
/*
* Generate an initial key ID which is unique and greater than
* NTP_MAXKEY.
*/
while (1) {
keyid = (u_long)RANDOM & 0xffffffff;
if (keyid <= NTP_MAXKEY)
continue;
if (authhavekey(keyid))
continue;
break;
}
/*
* Generate up to NTP_MAXSESSION session keys. Stop if the
* next one would not be unique or not a session key ID or if
* it would expire before the next poll. The private value
* included in the hash is zero if broadcast mode, the peer
* cookie if client mode or the host cookie if symmetric modes.
*/
ltemp = sys_automax;
peer->hcookie = session_key(&peer->dstadr->sin, &peer->srcadr,
0, sys_private, 0);
if (peer->hmode == MODE_BROADCAST) {
cookie = 0;
} else {
#ifdef PUBKEY
cookie = peer->pcookie.key;
#else
if (peer->hmode == MODE_CLIENT)
cookie = peer->pcookie.key;
else
cookie = peer->hcookie ^ peer->pcookie.key;
#endif /* PUBKEY */
}
for (i = 0; i < NTP_MAXSESSION; i++) {
peer->keylist[i] = keyid;
peer->keynumber = i;
keyid = session_key(&peer->dstadr->sin, (peer->hmode ==
MODE_BROADCAST) ? &peer->dstadr->bcast :
&peer->srcadr, keyid, cookie, ltemp);
ltemp -= 1 << peer->hpoll;
if (auth_havekey(keyid) || keyid <= NTP_MAXKEY ||
ltemp <= (1 << (peer->hpoll + 1)))
break;
}
/*
* Save the last session key ID, sequence number and timestamp,
* then sign these values for later retrieval by the clients. Be
* careful not to use invalid key media.
*/
ap = &peer->sndauto;
ap->tstamp = htonl(tstamp.l_ui);
ap->seq = htonl(peer->keynumber);
ap->key = htonl(keyid);
ap->siglen = 0;
#if DEBUG
if (debug)
printf("make_keys: %d %08x %08x ts %u\n", ntohl(ap->seq),
ntohl(ap->key), cookie, ntohl(ap->tstamp));
#endif
#ifdef PUBKEY
if(!crypto_enable)
return;
if (private_key.bits < MIN_RSA_MODULUS_BITS ||
private_key.bits > MAX_RSA_MODULUS_BITS) {
rval = -1;
} else {
if (ap->sig == NULL)
ap->sig = emalloc(MAX_SIGNATURE_LEN);
R_SignInit(&ctx, DA_MD5);
R_SignUpdate(&ctx, (u_char *)ap, 12);
rval = R_SignFinal(&ctx, ap->sig, &len, &private_key);
ap->siglen = htonl(len);
}
if (rval != 0)
msyslog(LOG_ERR, "make_keylist: signature fails %x",
rval);
#endif /* PUBKEY */
}
/*
* crypto_recv - parse extension fields
*
* This routine is called when the packet has been matched to an
* association and passed sanity, format and authentication checks. We
* believe the extension field values only if the public key is valid
* and the signature has valid length and is verified.
*/
void
crypto_recv(
struct peer *peer, /* peer structure pointer */
struct recvbuf *rbufp /* packet buffer pointer */
)
{
u_int32 *pkt; /* packet pointer */
struct autokey *ap; /* autokey pointer */
struct cookie *cp; /* cookie pointer */
int has_mac; /* length of MAC field */
int authlen; /* offset of MAC field */
int len; /* extension field length */
u_int code; /* extension field opcode */
u_int tstamp; /* extension field timestamp */
int i;
u_int temp;
#ifdef PUBKEY
R_SIGNATURE_CTX ctx; /* signature context */
u_char dh_key[MAX_DH_LEN]; /* Diffie-Hellman agreed key */
u_int modulus;
int rval;
int j;
#endif /* PUBKEY */
/*
* Initialize. Note that the packet has already been checked for
* valid format and extension field lengths.
*/
pkt = (u_int32 *)&rbufp->recv_pkt;
authlen = LEN_PKT_NOMAC;
while ((has_mac = rbufp->recv_length - authlen) > MAX_MAC_LEN) {
i = authlen / 4;
len = ntohl(pkt[i]) & 0xffff;
code = (ntohl(pkt[i]) >> 16) & 0xffff;
tstamp = ntohl(pkt[i + 2]);
if (code & CRYPTO_RESP)
peer->assoc = ntohl(pkt[i + 1]);
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: ext offset %d len %d code %x assoc ID %d\n",
authlen, len, code, (u_int32)ntohl(pkt[i +
1]));
#endif
switch (code) {
/*
* Exchange association IDs. This is used in multicast
* server mode and is a NOP here.
*/
case CRYPTO_ASSOC | CRYPTO_RESP:
break;
/*
* Install autokey values in broadcast client and
* symmetric modes. We believe the values only if the
* public key is valid and the signature has valid
* length and is verified. However, we mark as authentic
* only if the timestamp is nonzero.
*/
case CRYPTO_AUTO | CRYPTO_RESP:
ap = (struct autokey *)&pkt[i + 2];
#ifdef PUBKEY
temp = public_key.bits / 8;
if (!crypto_enable) {
rval = 0;
} else if (tstamp < peer->recauto.tstamp) {
break;
} else if (peer->pubkey == NULL || temp !=
ntohl(ap->siglen)) {
rval = -1;
} else {
R_VerifyInit(&ctx, DA_MD5);
R_VerifyUpdate(&ctx, (u_char *)ap, 12);
rval = R_VerifyFinal(&ctx,
(u_char *)&ap->sig, temp,
(R_RSA_PUBLIC_KEY *)peer->pubkey);
}
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %x autokey %d %08x ts %u (%u)\n",
rval, ntohl(ap->seq),
ntohl(ap->key), tstamp,
peer->recauto.tstamp);
#endif
if (rval != 0) {
peer->flags &= ~FLAG_AUTOKEY;
break;
}
if (tstamp != 0)
peer->flags |= FLAG_AUTOKEY;
#endif /* PUBKEY */
peer->flash &= ~TEST10;
peer->recauto.tstamp = ntohl(ap->tstamp);
peer->recauto.seq = ntohl(ap->seq);
peer->recauto.key = ntohl(ap->key);
peer->pkeyid = peer->recauto.key;
break;
/*
* Install session cookie in client mode. We believe the
* value only if the public key is valid and the
* signature has valid length and is verified. However,
* we mark as authentic only if the value is nonzero.
*/
case CRYPTO_PRIV | CRYPTO_RESP:
cp = (struct cookie *)&pkt[i + 2];
#ifdef PUBKEY
temp = public_key.bits / 8;
if (!crypto_enable) {
rval = 0;
} else if (tstamp < peer->pcookie.tstamp) {
break;
} else if (peer->pubkey == NULL || temp !=
ntohl(cp->siglen)) {
rval = -1;
} else {
R_VerifyInit(&ctx, DA_MD5);
R_VerifyUpdate(&ctx, (u_char *)cp, 8);
rval = R_VerifyFinal(&ctx,
(u_char *)&cp->sig, temp,
(R_RSA_PUBLIC_KEY *)peer->pubkey);
}
temp = cp->key;
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %x cookie %08x ts %u\n",
rval, temp, tstamp);
#endif
if (rval != 0) {
peer->flags &= ~FLAG_AUTOKEY;
break;
}
if (tstamp != 0)
peer->flags |= FLAG_AUTOKEY;
#else
temp = cp->key;
#endif /* PUBKEY */
peer->flash &= ~TEST10;
if (temp != peer->pcookie.key) {
key_expire(peer);
peer->pcookie.tstamp = tstamp;
peer->pcookie.key = temp;
}
break;
#ifdef PUBKEY
/*
* Verify Diffie-Hellman public value and compute key
* agreement in symmetric modes. We believe the
* value only if the public key is valid and the
* signature has valid length and is verified.
*/
case CRYPTO_DH:
peer->cmmd = ntohl(pkt[i]);
/* fall through */
case CRYPTO_DH | CRYPTO_RESP:
temp = ntohl(pkt[i + 3]);
j = i + 4 + temp / 4;
if (tstamp < peer->pcookie.tstamp) {
break;
} else if (peer->pubkey == NULL ||
ntohl(pkt[j]) != public_key.bits / 8) {
rval = -1;
} else if (temp != dh_params.primeLen ||
dh_public == NULL) {
rval = -2;
} else {
R_VerifyInit(&ctx, DA_MD5);
R_VerifyUpdate(&ctx, (u_char *)&pkt[i +
2], temp + 8);
rval = R_VerifyFinal(&ctx,
(u_char *)&pkt[j + 1],
public_key.bits / 8,
(R_RSA_PUBLIC_KEY *)peer->pubkey);
}
/*
* Run the agreement algorithm and stash the key
* value. We use only the first u_int32 for the
* host cookie. Wasteful.
*/
if (rval != 0) {
temp = 0;
} else {
rval = R_ComputeDHAgreedKey(dh_key,
(u_char *)&pkt[i + 4], dh_private,
dh_keyLen, &dh_params);
temp = ntohl(*(u_int32 *)dh_key);
}
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %x d-h %08x ts %u\n",
rval, temp, tstamp);
#endif
if (rval != 0) {
peer->flags &= ~FLAG_AUTOKEY;
peer->cmmd = 0;
break;
}
peer->flash &= ~TEST10;
if (temp != peer->pcookie.key) {
key_expire(peer);
peer->pcookie.tstamp = tstamp;
peer->pcookie.key = temp;
}
break;
/*
* Receive remote host name and install public key from
* file.
*/
case CRYPTO_NAME | CRYPTO_RESP:
temp = ntohl(pkt[i + 3]);
j = i + 4 + temp / 4;
if (tstamp < peer->pcookie.tstamp) {
break;
} else if (ntohl(pkt[j]) != public_key.bits / 8)
{
rval = -1;
} else if (crypto_public(peer, (char *)&pkt[i +
4])) {
R_VerifyInit(&ctx, DA_MD5);
R_VerifyUpdate(&ctx, (char *)&pkt[i +
2], 8 + temp);
rval = R_VerifyFinal(&ctx,
(u_char *)&pkt[j + 1],
public_key.bits / 8,
(R_RSA_PUBLIC_KEY *)peer->pubkey);
if (rval != 0) {
free(peer->pubkey);
peer->pubkey = NULL;
}
} else {
rval = -2;
}
#ifdef DEBUG
if (debug)
printf(
"crypto_recv: verify %x host %s ts %u\n",
rval, (char *)&pkt[i + 4], tstamp);
#endif
break;
/*
* Install peer public key. This is rather raucus, since
* the extension field is in network order and the first
* word is a u_int32; however, the corresponding word of
* the key is a u_int, which can be 32 or 64 bits
* depending on architecture. We don't do anything
* unless the length and modulus are valid. Picky,
* picky.
*/
case CRYPTO_PUBL | CRYPTO_RESP:
temp = sizeof(R_RSA_PUBLIC_KEY) - sizeof(u_int);
if (ntohl(pkt[i + 2]) != temp + 4)
break;
modulus = ntohl(pkt[i + 3]);
if ( modulus < MIN_RSA_MODULUS_BITS ||
modulus > MAX_RSA_MODULUS_BITS)
break;
if (peer->pubkey == NULL)
peer->pubkey =
emalloc(sizeof(R_RSA_PUBLIC_KEY));
((R_RSA_PUBLIC_KEY *)peer->pubkey)->bits =
modulus;
memcpy(
((R_RSA_PUBLIC_KEY *)peer->pubkey)->modulus,
(u_char *)&(pkt[i + 4]), temp);
break;
#endif /* PUBKEY */
/*
* For other requests, save the request code for later;
* for unknown responses or errors, just ignore for now.
*/
default:
if (code & (CRYPTO_RESP | CRYPTO_ERROR))
break;
peer->cmmd = ntohl(pkt[i]);
break;
}
authlen += len;
}
return;
}
/*
* crypto_xmit - construct extension fields
*
* This routine is called both when an association is configured and
* when one is not. The only case where this matters now is to retrieve
* the autokey information, in which case the caller has to provide the
* association ID to match the association.
*/
int /* return length of extension field */
crypto_xmit(
u_int32 *xpkt, /* packet pointer */
int start, /* offset to extension field */
u_int code, /* extension field code */
keyid_t cookie, /* session cookie */
int associd /* association ID */
)
{
struct peer *peer; /* peer structure pointer */
struct autokey *ap; /* autokey pointer */
struct cookie *cp; /* cookie pointer */
int len; /* extension field length */
u_int opcode; /* extension field opcode */
int i;
#ifdef PUBKEY
R_SIGNATURE_CTX ctx; /* signature context */
struct value *vp; /* value pointer */
int rval; /* return value */
u_int temp;
int j;
#endif /* PUBKEY */
/*
* Generate the requested extension field request code, length
* and association ID.
*/
i = start / 4;
opcode = code;
xpkt[i + 1] = htonl(associd);
len = 8;
switch (opcode) {
/*
* Exchange association IDs. This is used in multicast server
* mode and is a NOP here.
*/
case CRYPTO_ASSOC | CRYPTO_RESP:
break;
/*
* Find peer and send autokey data and signature in broadcast
* server and symmetric modes.
*/
case CRYPTO_AUTO | CRYPTO_RESP:
peer = findpeerbyassoc(associd);
if (peer == NULL) {
opcode |= CRYPTO_ERROR;
break;
}
ap = (struct autokey *)&xpkt[i + 2];
ap->tstamp = peer->sndauto.tstamp;
ap->seq = peer->sndauto.seq;
ap->key = peer->sndauto.key;
ap->siglen = 0;
len += 16;
#ifdef PUBKEY
if (!crypto_enable)
break;
ap->siglen = peer->sndauto.siglen;
temp = ntohl(peer->sndauto.siglen);
if (temp > 0)
memcpy(&ap->sig, peer->sndauto.sig, temp);
len += temp;
#endif /* PUBKEY */
break;
/*
* Send peer cookie and signature in server mode.
*/
case CRYPTO_PRIV | CRYPTO_RESP:
cp = (struct cookie *)&xpkt[i + 2];
cp->tstamp = htonl(sys_revoketime.l_ui);
cp->key = htonl(cookie);
cp->siglen = 0;
len += 12;
#ifdef PUBKEY
if (!crypto_enable)
break;
cp->siglen = htonl(public_key.bits / 8);
if (private_key.bits < MIN_RSA_MODULUS_BITS ||
private_key.bits > MAX_RSA_MODULUS_BITS) {
rval = -1;
} else {
R_SignInit(&ctx, DA_MD5);
R_SignUpdate(&ctx, (u_char *)cp, 8);
rval = R_SignFinal(&ctx, (u_char *)&cp->sig,
&temp, &private_key);
}
if (rval != 0) {
cp->siglen = 0;
msyslog(LOG_ERR,
"crypto_xmit: cookie signature fails %x",
rval);
break;
}
len += temp;
#endif /* PUBKEY */
break;
#ifdef PUBKEY
/*
* Send Diffie-Hellman public value, timestamp and signature.
*/
case CRYPTO_DH:
case CRYPTO_DH | CRYPTO_RESP:
vp = (struct value *)&xpkt[i + 2];
vp->tstamp = htonl(sys_revoketime.l_ui);
vp->vallen = 0;
len += 8;
temp = dh_params.primeLen;
if (dh_sign == NULL)
break;
vp->vallen = htonl(temp);
memcpy((u_char *)&vp->val, dh_public, temp);
len += temp;
j = i + 4 + temp / 4;
temp = public_key.bits / 8;
xpkt[j++] = htonl(temp);
memcpy((u_char *)&xpkt[j], dh_sign, temp);
len += temp + 4;
break;
/*
* Send host name, timestamp and signature.
*/
case CRYPTO_NAME | CRYPTO_RESP:
vp = (struct value *)&xpkt[i + 2];
vp->tstamp = htonl(sys_revoketime.l_ui);
vp->vallen = host.vallen;
len += 8;
temp = ntohl(host.vallen);
if (temp == 0)
break;
memcpy((u_char *)&vp->val, host.val, temp);
len += temp;
j = i + 4 + temp / 4;
temp = public_key.bits / 8;
xpkt[j++] = htonl(temp);
memcpy((u_char *)&xpkt[j], host.sig, temp);
len += temp + 4;
break;
/*
* Send public key. We send the public key only if it exists and
* is valid. This is used primarily for testing.
*/
case CRYPTO_PUBL | CRYPTO_RESP:
xpkt[i + 2] = 0;
len += 4;
if (public_key.bits < MIN_RSA_MODULUS_BITS ||
public_key.bits > MAX_RSA_MODULUS_BITS)
break;
temp = sizeof(R_RSA_PUBLIC_KEY) - sizeof(u_int);
xpkt[i + 2] = htonl(temp + 4);
xpkt[i + 3] = htonl(public_key.bits);
memcpy((u_char *)&xpkt[i + 4],
(u_char *)&public_key.modulus, temp);
len += temp + 4;
break;
#endif /* PUBKEY */
/*
* Default - Fall through for requests; for unknown responses,
* flag as error.
*/
default:
if (opcode & CRYPTO_RESP)
opcode |= CRYPTO_ERROR;
break;
}
/*
* Round up the field length to a multiple of 8 bytes and save
* the request code and length.
*/
len = ((len + 7) / 8) * 8;
if (len >= 4) {
xpkt[i] = htonl((u_int32)((opcode << 16) | len));
#ifdef DEBUG
if (debug)
printf(
"crypto_xmit: ext offset %d len %d code %x assoc ID %d\n",
start, len, code, associd);
#endif
}
return (len);
}
#ifdef PUBKEY
/*
* crypto_agree - compute public and private Diffie-Hellman values from
* given prime and generator, then sign with private key.
*/
void
crypto_agree(void)
{
u_int len, temp;
R_RANDOM_STRUCT randomstr;
R_SIGNATURE_CTX ctx; /* signature context */
int rval;
int i;
/*
* Sign host name and timestamp.
*/
host.tstamp = htonl(sys_revoketime.l_ui);
host.vallen = htonl(sys_hostnamelen);
host.val = sys_hostname;
host.siglen = dh_params.primeLen;
if (host.sig == NULL)
host.sig = emalloc(dh_params.primeLen);
R_SignInit(&ctx, DA_MD5);
R_SignUpdate(&ctx, (u_char *)&host, 8);
R_SignUpdate(&ctx, host.val, sys_hostnamelen);
rval = R_SignFinal(&ctx, host.sig, &temp, &private_key);
if (rval != 0) {
msyslog(LOG_ERR,
"crypto_agree: host signature fails %x", rval);
return;
}
/*
* Compute Diffie-Hellman public value. Note that the length of
* the private value is set arbitrarily to half the prime
* length.
*/
if (dh_params.primeLen == 0) {
msyslog(LOG_ERR,
"unavailable d-h parameters");
return;
}
R_RandomInit(&randomstr);
R_GetRandomBytesNeeded(&len, &randomstr);
for (i = 0; i < len; i++) {
temp = random();
R_RandomUpdate(&randomstr, (u_char *)&temp, 1);
}
if (dh_private == NULL)
dh_private = (u_char *)emalloc(dh_keyLen);
if (dh_public == NULL)
dh_public = (u_char *)emalloc(dh_params.primeLen);
rval = R_SetupDHAgreement(dh_public, dh_private, dh_keyLen,
&dh_params, &randomstr);
if (rval != 0) {
msyslog(LOG_ERR, "invalid d-h parameters");
return;
}
/*
* Sigfie-Hellman public value and save for later.
*/
if (dh_sign == NULL)
dh_sign = emalloc(dh_params.primeLen);
R_SignInit(&ctx, DA_MD5);
R_SignUpdate(&ctx, (char *)&host.tstamp, 4);
temp = htonl(dh_params.primeLen);
R_SignUpdate(&ctx, (char *)&temp, 4);
R_SignUpdate(&ctx, dh_public, dh_params.primeLen);
rval = R_SignFinal(&ctx, dh_sign, &temp, &private_key);
if (rval != 0) {
msyslog(LOG_ERR,
"crypto_agree: d-h signature fails %x", rval);
return;
}
#ifdef DEBUG
if (debug)
printf(
"cypto_agree: host %s d-h prime %d gen %d\n",
host.val, dh_params.primeLen,
dh_params.generatorLen);
#endif
}
/*
* crypto_read - read RSA key, decode and check for errors
*/
static int
crypto_read(
u_char *cp, /* file name */
u_char *key, /* key pointer */
u_int keylen /* key length */
)
{
FILE *str;
u_char buf[MAX_KEYLEN];
u_char encoded_key[MAX_KEYLEN];
char filename[MAXFILENAME];
u_int modulus;
u_int buflen;
char *rptr;
int rval;
/*
* Open the key file and discard comment lines.
*/
if (strlen(cp) == 0 || strlen(cp) >= MAXFILENAME - 1) {
msyslog(LOG_ERR, "invalid key file name length %d",
strlen(filename));
return (0);
} else if (*cp == '/') {
strcpy(filename, cp);
} else {
snprintf(filename, MAXFILENAME - 1, "%s%s", keysdir,
cp);
}
str = fopen(filename, "r");
if (str == NULL) {
msyslog(LOG_ERR, "key file %s not found", filename);
return (0);
}
while ((rptr = fgets(buf, MAX_KEYLEN - 1, str)) != NULL) {
buflen = strlen(buf);
if (buflen < 1)
continue;
if (*buf == '#' || *buf == '\r' || *buf == '\0')
continue;
break;
}
/*
* We are rather paranoid here, since an intruder can cause a
* coredump by infiltrating a naughty key. The line must contain
* a single integer followed by a PEM encoded, null-terminated
* string.
*/
if (rptr == NULL) {
msyslog(LOG_ERR, "invalid key file %s", filename);
return (0);
}
if (sscanf(buf, "%d %s", &modulus, encoded_key) != 2) {
msyslog(LOG_ERR, "invalid key format %s", filename);
return (0);
}
/*
* Initialize the key with the decoded PEM string, but leave
* room for the modulus length in the key structure.
*/
rval = R_DecodePEMBlock(&key[sizeof(u_int)], &buflen,
encoded_key, strlen(encoded_key));
if (rval != 0) {
msyslog(LOG_ERR, "invalid key %s %x", filename, rval);
return (0);
}
/*
* Make sure the structure has the required length.
*/
buflen += sizeof(u_int);
if (buflen != keylen) {
msyslog(LOG_ERR, "invalid key length %s %d", filename,
buflen);
return (0);
}
/*
* Make sure the modulus length is within limits.
*/
if (modulus < MIN_RSA_MODULUS_BITS || modulus >
MAX_RSA_MODULUS_BITS) {
msyslog(LOG_ERR, "invalid key modulus %s %d", filename,
modulus);
return (0);
}
((u_int *)key)[0] = modulus;
#ifdef DEBUG
if (debug)
printf(
"crypto_read: RSA key file %s length %d modulus %d\n",
cp, keylen, modulus);
#endif
return (1);
}
/*
* crypto_public - read and install the public key from the public key
* file. The name of the file is in the form "ntpkey_host", where host
* is the DNS canonical name of the host. If the file is not found or
* has errors, we just keep going and expect the host to fetch the
* public key from the peer via the extension field.
*/
int
crypto_public(
struct peer *peer, /* peer structure pointer */
u_char *cp /* canonical host name */
)
{
R_RSA_PUBLIC_KEY keybuf;
u_int keylen = sizeof(R_RSA_PUBLIC_KEY);
char filename[MAXFILENAME];
snprintf(filename, MAXFILENAME - 1, "ntpkey_%s", cp);
if (!crypto_read(filename, (u_char *)&keybuf, keylen))
return (0);
if (peer->keystr != NULL)
free(peer->keystr);
peer->keystr = emalloc(strlen(filename) + 1);
strcpy(peer->keystr, filename);
if (peer->pubkey == NULL)
peer->pubkey = emalloc(keylen);
memcpy(peer->pubkey, (char *)&keybuf, keylen);
return (1);
}
/*
* crypto_line - read, decode and install Diffie-Hellman prime and
* generator. Be very parannoyed here if every little thing is not
* exactly right.
*/
static void
crypto_line(
FILE *str, /* file handle */
u_char **key, /* decoded string pointer */
u_int *len /* length */
)
{
u_char buf[MAX_KEYLEN];
u_char encoded_key[MAX_KEYLEN];
u_int temp, temp1, temp2;
char *rptr;
/*
* Read key and length. Bail out if the length word doesn't
* match the decoded string length and in other cases.
*/
*key = NULL;
*len = 0;
while ((rptr = fgets(buf, MAX_KEYLEN - 1, str)) != NULL) {
if (strlen(buf) < 1)
continue;
if (*buf == '#' || *buf == '\r' || *buf == '\0')
continue;
break;
}
if (sscanf(buf, "%d %s", &temp, encoded_key) != 2)
return;
if (temp > MAX_DH_LEN)
return;
temp2 = DECODED_CONTENT_LEN(strlen(encoded_key));
if (R_DecodePEMBlock(buf, &temp1, encoded_key,
strlen(encoded_key)))
return;
if (temp != temp1 || temp > temp2)
return;
*key = (u_char *)emalloc(temp2);
memcpy(*key, buf, temp2);
*len = temp;
return;
}
/*
* crypto_setup - read RSA private key, RSA public key and Diffie-
* Hellman parameter files and initialize cryptographic data.
*/
void
crypto_setup(void)
{
FILE *str;
char hostname[MAXFILENAME];
char filename[MAXFILENAME];
/*
* Load RSA private key from file.
*/
if (private_key_file == NULL)
private_key_file = "ntpkey";
crypto_read(private_key_file, (u_char *)&private_key,
sizeof(R_RSA_PRIVATE_KEY));
/*
* Load RSA public key from file, default "ntpkey_host", where
* host is the DNS name of this machine.
*/
if (public_key_file == NULL) {
gethostname(hostname, MAXFILENAME);
snprintf(filename, MAXFILENAME - 1, "ntpkey_%s",
hostname);
public_key_file = emalloc(strlen(filename) + 1);
strcpy(public_key_file, filename);
}
crypto_read(public_key_file, (u_char *)&public_key,
sizeof(R_RSA_PUBLIC_KEY));
/*
* Load Diffie-Hellman key agreement parameters from file.
*/
if (dh_params_file == NULL)
dh_params_file = "ntpkey_dh";
if (*dh_params_file == '/')
strcpy(filename, dh_params_file);
else
snprintf(filename, MAXFILENAME - 1, "%s%s", keysdir,
dh_params_file);
str = fopen(filename, "r");
if (str == NULL) {
msyslog(LOG_ERR, "key file %s not found",
filename);
return;
}
/*
* Read prime and generator. Note that the private value length
* is set arbitrarily at half the prime length.
*/
crypto_line(str, &dh_params.prime, &dh_params.primeLen);
crypto_line(str, &dh_params.generator, &dh_params.generatorLen);
if (dh_params.primeLen == 0|| dh_params.generatorLen == 0) {
msyslog(LOG_ERR,
"invalid Diffie-Hellman file format or value");
return;
}
dh_keyLen = dh_params.primeLen / 2;
}
/*
* crypto_config - configure crypto data.
*/
void
crypto_config(
int item, /* configuration item */
char *cp /* file name */
)
{
switch (item) {
/*
* Initialize flags
*/
case CRYPTO_CONF_FLAGS:
crypto_flags = atoi(cp);
break;
/*
* Override the default Diffie-Hellman parameter file name.
*/
case CRYPTO_CONF_DH:
dh_params_file = emalloc(strlen(cp) + 1);
strcpy(dh_params_file, cp);
break;
/*
* Override the default RSA private key file name.
*/
case CRYPTO_CONF_PRIV:
private_key_file = emalloc(strlen(cp) + 1);
strcpy(private_key_file, cp);
break;
/*
* Override the default RSA public key file name.
*/
case CRYPTO_CONF_PUBL:
public_key_file = emalloc(strlen(cp) + 1);
strcpy(public_key_file, cp);
break;
/*
* Override the default crypto keys directory.
*/
case CRYPTO_CONF_KEYS:
keysdir = emalloc(strlen(cp) + 1);
strcpy(keysdir, cp);
break;
}
}
/*
* crypto_init () - initialize things.
*/
void
crypto_init(void)
{
/*
* Zeroize sensitive crypto data.
*/
memset((char *)&private_key, 0, sizeof(private_key));
memset((char *)&public_key, 0, sizeof(public_key));
memset((char *)&dh_params, 0, sizeof(dh_params));
memset((char *)&host, 0, sizeof(host));
}
#endif /* PUBKEY */
#endif /* AUTOKEY */