1 /* $NetBSD: ntp_crypto.h,v 1.6 2020/05/25 20:47:19 christos Exp $ */ 2 3 /* 4 * ntp_crypto.h - definitions for cryptographic operations 5 */ 6 #ifndef NTP_CRYPTO_H 7 #define NTP_CRYPTO_H 8 9 /* 10 * Configuration codes (also needed for parser without AUTOKEY) 11 */ 12 #define CRYPTO_CONF_NONE 0 /* nothing doing */ 13 #define CRYPTO_CONF_PRIV 1 /* host name */ 14 #define CRYPTO_CONF_IDENT 2 /* group name */ 15 #define CRYPTO_CONF_CERT 3 /* certificate file name */ 16 #define CRYPTO_CONF_RAND 4 /* random seed file name */ 17 #define CRYPTO_CONF_IFFPAR 5 /* IFF parameters file name */ 18 #define CRYPTO_CONF_GQPAR 6 /* GQ parameters file name */ 19 #define CRYPTO_CONF_MVPAR 7 /* MV parameters file name */ 20 #define CRYPTO_CONF_PW 8 /* private key password */ 21 #define CRYPTO_CONF_NID 9 /* specify digest name */ 22 23 #ifdef AUTOKEY 24 #ifndef OPENSSL 25 #error AUTOKEY should be defined only if OPENSSL is. 26 invalidsyntax: AUTOKEY should be defined only if OPENSSL is. 27 #endif 28 29 #include "openssl/bn.h" 30 #include "openssl/evp.h" 31 #include "ntp_calendar.h" /* for fields in the cert_info structure */ 32 33 34 /* 35 * The following bits are set by the CRYPTO_ASSOC message from 36 * the server and are not modified by the client. 37 */ 38 #define CRYPTO_FLAG_ENAB 0x0001 /* crypto enable */ 39 #define CRYPTO_FLAG_TAI 0x0002 /* leapseconds table */ 40 41 #define CRYPTO_FLAG_PRIV 0x0010 /* PC identity scheme */ 42 #define CRYPTO_FLAG_IFF 0x0020 /* IFF identity scheme */ 43 #define CRYPTO_FLAG_GQ 0x0040 /* GQ identity scheme */ 44 #define CRYPTO_FLAG_MV 0x0080 /* MV identity scheme */ 45 #define CRYPTO_FLAG_MASK 0x00f0 /* identity scheme mask */ 46 47 /* 48 * The following bits are used by the client during the protocol 49 * exchange. 50 */ 51 #define CRYPTO_FLAG_CERT 0x0100 /* public key verified */ 52 #define CRYPTO_FLAG_VRFY 0x0200 /* identity verified */ 53 #define CRYPTO_FLAG_PROV 0x0400 /* signature verified */ 54 #define CRYPTO_FLAG_COOK 0x0800 /* cookie verifed */ 55 #define CRYPTO_FLAG_AUTO 0x1000 /* autokey verified */ 56 #define CRYPTO_FLAG_SIGN 0x2000 /* certificate signed */ 57 #define CRYPTO_FLAG_LEAP 0x4000 /* leapsecond values verified */ 58 #define CRYPTO_FLAG_ALL 0x7f00 /* all mask */ 59 60 /* 61 * Flags used for certificate management 62 */ 63 #define CERT_TRUST 0x01 /* certificate is trusted */ 64 #define CERT_SIGN 0x02 /* certificate is signed */ 65 #define CERT_VALID 0x04 /* certificate is valid */ 66 #define CERT_PRIV 0x08 /* certificate is private */ 67 #define CERT_ERROR 0x80 /* certificate has errors */ 68 69 /* 70 * Extension field definitions 71 */ 72 #define CRYPTO_MAXLEN 1024 /* max extension field length */ 73 #define CRYPTO_VN 2 /* current protocol version number */ 74 #define CRYPTO_CMD(x) (((CRYPTO_VN << 8) | (x)) << 16) 75 #define CRYPTO_NULL CRYPTO_CMD(0) /* no operation */ 76 #define CRYPTO_ASSOC CRYPTO_CMD(1) /* association */ 77 #define CRYPTO_CERT CRYPTO_CMD(2) /* certificate */ 78 #define CRYPTO_COOK CRYPTO_CMD(3) /* cookie value */ 79 #define CRYPTO_AUTO CRYPTO_CMD(4) /* autokey values */ 80 #define CRYPTO_LEAP CRYPTO_CMD(5) /* leapsecond values */ 81 #define CRYPTO_SIGN CRYPTO_CMD(6) /* certificate sign */ 82 #define CRYPTO_IFF CRYPTO_CMD(7) /* IFF identity scheme */ 83 #define CRYPTO_GQ CRYPTO_CMD(8) /* GQ identity scheme */ 84 #define CRYPTO_MV CRYPTO_CMD(9) /* MV identity scheme */ 85 #define CRYPTO_RESP 0x80000000 /* response */ 86 #define CRYPTO_ERROR 0x40000000 /* error */ 87 88 /* 89 * Autokey event codes 90 */ 91 #define XEVNT_CMD(x) (CRPT_EVENT | (x)) 92 #define XEVNT_OK XEVNT_CMD(0) /* success */ 93 #define XEVNT_LEN XEVNT_CMD(1) /* bad field format or length */ 94 #define XEVNT_TSP XEVNT_CMD(2) /* bad timestamp */ 95 #define XEVNT_FSP XEVNT_CMD(3) /* bad filestamp */ 96 #define XEVNT_PUB XEVNT_CMD(4) /* bad or missing public key */ 97 #define XEVNT_MD XEVNT_CMD(5) /* unsupported digest type */ 98 #define XEVNT_KEY XEVNT_CMD(6) /* unsupported identity type */ 99 #define XEVNT_SGL XEVNT_CMD(7) /* bad signature length */ 100 #define XEVNT_SIG XEVNT_CMD(8) /* signature not verified */ 101 #define XEVNT_VFY XEVNT_CMD(9) /* certificate not verified */ 102 #define XEVNT_PER XEVNT_CMD(10) /* host certificate expired */ 103 #define XEVNT_CKY XEVNT_CMD(11) /* bad or missing cookie */ 104 #define XEVNT_DAT XEVNT_CMD(12) /* bad or missing leapseconds */ 105 #define XEVNT_CRT XEVNT_CMD(13) /* bad or missing certificate */ 106 #define XEVNT_ID XEVNT_CMD(14) /* bad or missing group key */ 107 #define XEVNT_ERR XEVNT_CMD(15) /* protocol error */ 108 109 /* 110 * Miscellaneous crypto stuff 111 */ 112 #define NTP_MAXSESSION 100 /* maximum session key list entries */ 113 #define NTP_MAXEXTEN 2048 /* maximum extension field size */ 114 #define NTP_AUTOMAX 12 /* default key list timeout (log2 s) */ 115 #define KEY_REVOKE 17 /* default key revoke timeout (log2 s) */ 116 #define NTP_REFRESH 19 /* default restart timeout (log2 s) */ 117 #define NTP_MAXKEY 65535 /* maximum symmetric key ID */ 118 119 /* 120 * The autokey structure holds the values used to authenticate key IDs. 121 */ 122 struct autokey { /* network byte order */ 123 keyid_t key; /* key ID */ 124 int32 seq; /* key number */ 125 }; 126 127 /* 128 * The value structure holds variable length data such as public 129 * key, agreement parameters, public valule and leapsecond table. 130 * They are in network byte order. 131 */ 132 struct value { /* network byte order */ 133 tstamp_t tstamp; /* timestamp */ 134 tstamp_t fstamp; /* filestamp */ 135 u_int32 vallen; /* value length */ 136 void *ptr; /* data pointer (various) */ 137 u_int32 siglen; /* signature length */ 138 u_char *sig; /* signature */ 139 }; 140 141 /* 142 * The packet extension field structures are used to hold values 143 * and signatures in network byte order. 144 */ 145 struct exten { 146 u_int32 opcode; /* opcode */ 147 u_int32 associd; /* association ID */ 148 u_int32 tstamp; /* timestamp */ 149 u_int32 fstamp; /* filestamp */ 150 u_int32 vallen; /* value length */ 151 u_int32 pkt[1]; /* start of value field */ 152 }; 153 154 155 /* 156 * The certificate info/value structure 157 */ 158 struct cert_info { 159 struct cert_info *link; /* forward link */ 160 u_int flags; /* flags that wave */ 161 EVP_PKEY *pkey; /* generic key */ 162 long version; /* X509 version */ 163 int nid; /* signature/digest ID */ 164 const EVP_MD *digest; /* message digest algorithm */ 165 u_long serial; /* serial number */ 166 struct calendar first; /* not valid before */ 167 struct calendar last; /* not valid after */ 168 char *subject; /* subject common name */ 169 char *issuer; /* issuer common name */ 170 BIGNUM *grpkey; /* GQ group key */ 171 struct value cert; /* certificate/value */ 172 }; 173 174 /* 175 * The keys info/value structure 176 */ 177 struct pkey_info { 178 struct pkey_info *link; /* forward link */ 179 EVP_PKEY *pkey; /* generic key */ 180 char *name; /* file name */ 181 tstamp_t fstamp; /* filestamp */ 182 }; 183 184 /* 185 * Cryptographic values 186 */ 187 extern u_int crypto_flags; /* status word */ 188 extern int crypto_nid; /* digest nid */ 189 extern struct value hostval; /* host name/value */ 190 extern struct cert_info *cinfo; /* host certificate information */ 191 extern struct value tai_leap; /* leapseconds table */ 192 #endif /* AUTOKEY */ 193 #endif /* NTP_CRYPTO_H */ 194