1 /*
2  * nts.h - NTS (Network Time Security) declarations
3  * Copyright the NTPsec project contributors
4  * SPDX-License-Identifier: BSD-2-Clause
5  */
6 
7 #ifndef GUARD_NTS_H
8 #define GUARD_NTS_H
9 
10 #include <stdbool.h>
11 #include <stdint.h>
12 
/* default file names
 * Presumably the fallbacks for ntsconfig.cert / .key / .KI when nothing
 * is configured - confirm in the config code.  The key file and the
 * cookie-key file hold secrets; they should be readable by ntpd only. */
#define NTS_CERT_FILE "/etc/ntp/cert-chain.pem"
#define NTS_KEY_FILE "/etc/ntp/key.pem"
#define NTS_COOKIE_KEY_FILE "/var/lib/ntp/nts-keys"

/* NTS-KE port (RFC 8915 section 8.3), numeric and as a string */
#define NTS_KE_PORT		4460
#define NTS_KE_PORTA		"4460"

/* units not stated here - presumably seconds; confirm at the use site */
#define NTS_KE_TIMEOUT		3
22 
/* One-time initialisation.  Each returns bool; true is presumably
 * success - confirm against the definitions before relying on it. */
bool nts_server_init(void);
bool nts_client_init(void);
bool nts_cookie_init(void);
/* Second phase, run after the process has entered its sandbox, so
 * anything that needs broader privileges belongs in the first phase. */
bool nts_server_init2(void);    /* after sandbox */
bool nts_cookie_init2(void);

/* Periodic hooks.  The names suggest certificate reload and cookie-key
 * rotation; what they actually do is only visible in the definitions. */
void nts_cert_timer(void);
void nts_cookie_timer(void);

/* Cookie-key persistence.  Presumably tied to NTS_COOKIE_KEY_FILE /
 * ntsconfig.KI - confirm in nts_cookie.c. */
bool nts_read_cookie_keys(void);
void nts_make_cookie_key(void);
bool nts_write_cookie_keys(void);

/* Build a cookie for (aead, c2s, s2c) into `cookie`.
 * c2s and s2c are `keylen` bytes each.  There is no size parameter for
 * `cookie`: the caller must supply a buffer large enough for whatever
 * nts_cookie.c writes (NTS_MAX_COOKIELEN below is the declared cap).
 * The int return is presumably the number of bytes written - confirm. */
int nts_make_cookie(uint8_t *cookie,
  uint16_t aead,
  uint8_t *c2s, uint8_t *s2c, int keylen);
/* Decode `cookielen` bytes of cookie, filling in aead, c2s, s2c and
 * keylen.  Cookies arrive from the network, so this is a trust boundary:
 * a false return presumably means the cookie did not decode or
 * authenticate, and callers should discard the packet without reading
 * the output buffers.  Because keylen is an output, c2s and s2c must
 * have room for NTS_MAX_KEYLEN bytes. */
bool nts_unpack_cookie(uint8_t *cookie, int cookielen,
  uint16_t *aead,
  uint8_t *c2s, uint8_t *s2c, int *keylen);
42 
/* Cursor into a wire-format buffer.  The append_* / next_* routines
 * below advance `next` and decrement `left` as they produce or consume
 * data, so `left` is the only bound those routines have. */
typedef struct BufCtl_t {
	uint8_t *next;	/* next byte to write (append) or read (unpack) */
	int left;	/* space remaining (append) or data remaining (unpack) */
} BufCtl;
49 
/* NTS-KE message handling over a BufCtl.
 * nts_ke_process_receive parses the received data and reports the
 * negotiated AEAD through *aead; nts_ke_setup_send builds the reply
 * carrying the keys.  Note `aead` is int here but uint16_t in the
 * cookie API above - callers convert.  A false return presumably means
 * the peer's data was rejected; confirm in the definitions. */
bool nts_ke_process_receive(struct BufCtl_t *buf, int *aead);
bool nts_ke_setup_send(struct BufCtl_t *buf, int aead,
       uint8_t *c2s, uint8_t *s2c, int keylen);
53 
54 /***********************************************************/
55 
/* buffer packing/unpacking routines.
 * NB: The length field in NTP extensions includes the header
 * while the length field in NTS-KE data streams does not.
 *
 * These routines do not handle padding.  NTS-KE has no padding.
 * NTP extensions are padded to word (4 byte) boundaries.
 *
 * Note that data on the wire is big endian.
 * buffer is wire format, not host format.
 *
 * Prefix convention: ke_ = NTS-KE stream records, ex_ = NTP extension
 * fields, no prefix = shared helpers.  All of them move the BufCtl
 * cursor (next/left).  Whether each one checks `left` before reading
 * or writing is not visible from this header - confirm in the
 * definitions before relying on them to bound access to untrusted
 * wire data.
 */


/* xxx_append_record_foo makes whole record with one foo */
/* append_foo appends foo to existing partial record */
void ke_append_record_null(BufCtl* buf, uint16_t type);
void ke_append_record_uint16(BufCtl* buf, uint16_t type, uint16_t data);
void ke_append_record_bytes(BufCtl* buf, uint16_t type, uint8_t *data, int length);

void ex_append_record_null(BufCtl* buf, uint16_t type);
void ex_append_record_uint16(BufCtl* buf, uint16_t type, uint16_t data);
void ex_append_record_bytes(BufCtl* buf, uint16_t type, uint8_t *data, int length);

/* header only; `length` follows the NB above for its format */
void ex_append_header(BufCtl* buf, uint16_t type, uint16_t length);
void append_header(BufCtl* buf, uint16_t type, uint16_t length);
void append_uint16(BufCtl* buf, uint16_t data);
void append_bytes(BufCtl* buf, uint8_t *data, int length);

/* Readers.  The *_next_record routines presumably return the record
 * type and store the length through *length; ex_next_record reports
 * the body length (header excluded). */
uint16_t ke_next_record(BufCtl* buf, int *length);
uint16_t ex_next_record(BufCtl* buf, int *length);  /* body length */
uint16_t next_uint16(BufCtl* buf);
/* copies `length` bytes into `data`; the meaning of the uint16_t
 * return is not stated here - check the definition */
uint16_t next_bytes(BufCtl* buf, uint8_t *data, int length);
87 
88 /***********************************************************/
89 
#define NTS_MAX_KEYLEN		64	/* used in cookies; equals AEAD_AES_SIV_CMAC_512_KEYLEN */
#define NTS_MAX_COOKIELEN	192	/* see nts_cookie.c */
#define NTS_MAX_COOKIES		8	/* RFC 8915 section 4.1.6 */
#define NTS_UID_LENGTH		32	/* RFC 8915 section 5.3 - minimum UID length; what the client sends */
#define NTS_UID_MAX_LENGTH	64	/* largest UID the server side stores, see struct ntspacket_t */
95 
96 
/* Client side configuration data for an NTS association
 * All are optional.
 * part of peer struct
 * These are non-const, unlike the same-named fields of ntsconfig_t
 * below - presumably heap strings owned by the peer; confirm. */
struct ntscfg_t {
	char *ca;		/* root/trusted certificates */
	char *aead;		/* AEAD algorithms on wire */
};
104 
/* Client-side state per connection to server */
struct ntsclient_t {
	/* wire connection */
	uint16_t aead;	/* AEAD algorithm used on wire, see enum aead_ciphers */
	int keylen;	/* bytes of c2s/s2c in use; must not exceed NTS_MAX_KEYLEN */
	uint8_t c2s[NTS_MAX_KEYLEN], s2c[NTS_MAX_KEYLEN];	/* client-to-server / server-to-client keys */
	/* UID of last request sent - RFC 8915 section 5.3 */
	uint8_t UID[NTS_UID_LENGTH];
	/* cookies - readIdx/writeIdx presumably form a ring over cookies[];
	 * confirm in the client code */
	int readIdx, writeIdx;
	int count;			/* -1 if not in NTS mode */
	int cookielen;			/* length of a stored cookie; must not exceed NTS_MAX_COOKIELEN */
	uint8_t cookies[NTS_MAX_COOKIES][NTS_MAX_COOKIELEN];
};
119 
/* Server-side state per packet */
struct ntspacket_t {
	bool valid;		/* whether NTS processing of this packet succeeded - presumably; confirm */
	int uidlen;		/* bytes of UID in use; must not exceed NTS_UID_MAX_LENGTH */
	uint8_t UID[NTS_UID_MAX_LENGTH];
	int needed;		/* meaning not stated in this header - see the server code */
	/* the following mirror the outputs of nts_unpack_cookie */
	uint16_t aead;
	int keylen;		/* must not exceed NTS_MAX_KEYLEN */
	uint8_t c2s[NTS_MAX_KEYLEN], s2c[NTS_MAX_KEYLEN];
};
130 
131 
/* Configuration data for an NTS server or client instance
 * (one global instance, `ntsconfig`, is declared below) */
struct ntsconfig_t {
	bool ntsenable; 	/* enable NTS KE server on this ntpd */
	const char * mintls;	/* minimum TLS version allowed */
	const char * maxtls;	/* maximum TLS version allowed */
	const char *tlsciphersuites;/* allowed TLS 1.3 ciphersuites */
	const char *cert;	/* file holding server certificate (chain); presumably defaults to NTS_CERT_FILE */
	const char *key;	/* file holding server private key; presumably defaults to NTS_KEY_FILE */
	const char *KI;		/* file holding K/I for making cookies; presumably defaults to NTS_COOKIE_KEY_FILE */
	const char *ca;		/* root cert dir/file */
	const char *aead;	/* AEAD algorithms on wire */
};
144 
145 
/* CMAC length (bytes) is wired into AEAD_AES_SIV_CMAC_nnn. */
#define CMAC_LENGTH 16
/* The NONCE length (bytes) comes from RFC 5116 and/or 5297. */
#define NONCE_LENGTH 16
150 
/* NTS protocol constants */

/* High bit of an NTS-KE record type.  It marks a record the receiver
 * must understand; an unrecognised record carrying this bit is a fatal
 * error answered with nts_unrecognized_critical_section (RFC 8915
 * section 4.1). */
#define NTS_CRITICAL 0x8000
/* NTS-KE record types; RFC 8915 sections 4.1.1 through 4.1.8, in order */
enum nts_record_type {
	nts_end_of_message = 0,		/* CRITICAL */
	nts_next_protocol_negotiation = 1,	/* CRITICAL */
	nts_error = 2,			/* CRITICAL */
	nts_warning = 3,
	nts_algorithm_negotiation = 4,
	nts_new_cookie = 5,
	nts_server_negotiation = 6,
	nts_port_negotiation = 7
};
164 
/* Next Protocol IDs (RFC 8915 section 7.5 registry); only NTPv4 is
 * defined here */
enum nts_protocol_type {
	nts_protocol_NTP = 0,
};
168 
169 
/* NTS-KE Error record codes (RFC 8915 section 4.1.3).  The RFC also
 * defines 2 = Internal Server Error, which is not declared here. */
enum nts_errors_type {
	nts_unrecognized_critical_section = 0,
	nts_bad_request = 1
};
174 
/* AEAD algorithm identifiers, numbered as in the IANA AEAD registry
 * set up by RFC 5116.  Only the three AES-SIV-CMAC variants are used
 * by this code. */

#define NO_AEAD 0xffff	/* sentinel: no algorithm */

/* key lengths (bytes) for the SIV-CMAC variants in use */
#define AEAD_AES_SIV_CMAC_256_KEYLEN 32
#define AEAD_AES_SIV_CMAC_384_KEYLEN 48
#define AEAD_AES_SIV_CMAC_512_KEYLEN 64

enum aead_ciphers {
	AEAD_AES_128_GCM = 1,
	AEAD_AES_256_GCM = 2,
	AEAD_AES_128_CCM = 3,
	AEAD_AES_256_CCM = 4,

	AEAD_AES_128_GCM_8 = 5,
	AEAD_AES_256_GCM_8 = 6,
	AEAD_AES_128_GCM_12 = 7,
	AEAD_AES_256_GCM_12 = 8,

	AEAD_AES_128_CCM_SHORT = 9,
	AEAD_AES_256_CCM_SHORT = 10,
	AEAD_AES_128_CCM_SHORT_8 = 11,
	AEAD_AES_256_CCM_SHORT_8 = 12,
	AEAD_AES_128_CCM_SHORT_12 = 13,
	AEAD_AES_256_CCM_SHORT_12 = 14,

	/* RFC 5297 - the three we actually use */
	AEAD_AES_SIV_CMAC_256 = 15,
	AEAD_AES_SIV_CMAC_384 = 16,
	AEAD_AES_SIV_CMAC_512 = 17,

	AEAD_AES_128_CCM_8 = 18,
	AEAD_AES_256_CCM_8 = 19,

	AEAD_AES_128_OCB_TAGLEN128 = 20,
	AEAD_AES_128_OCB_TAGLEN96 = 21,
	AEAD_AES_128_OCB_TAGLEN64 = 22,
	AEAD_AES_192_OCB_TAGLEN128 = 23,
	AEAD_AES_192_OCB_TAGLEN96 = 24,
	AEAD_AES_192_OCB_TAGLEN64 = 25,
	AEAD_AES_256_OCB_TAGLEN128 = 26,
	AEAD_AES_256_OCB_TAGLEN96 = 27,
	AEAD_AES_256_OCB_TAGLEN64 = 28,

	AEAD_CHACHA20_POLY1305 = 29
};
216 
217 
218 
/* the process-wide NTS configuration (struct ntsconfig_t above);
 * defined in exactly one .c file */
extern struct ntsconfig_t ntsconfig;
220 
221 
222 
/* NTS-related statistics visible via ntpq -c nts
 * All are monotonically increasing counters defined elsewhere;
 * the good/bad split is what to watch when diagnosing rejected
 * packets or KE sessions. */
/* NTS-protected NTP packets, client side */
extern uint64_t nts_client_send;
extern uint64_t nts_client_recv_good;
extern uint64_t nts_client_recv_bad;
/* NTS-protected NTP packets, server side */
extern uint64_t nts_server_send;
extern uint64_t nts_server_recv_good;
extern uint64_t nts_server_recv_bad;
/* cookie handling; "old"/"too_old" presumably refer to the cookie key
 * the cookie was made with - confirm in nts_cookie.c */
extern uint64_t nts_cookie_make;
extern uint64_t nts_cookie_decode;
extern uint64_t nts_cookie_decode_old;
extern uint64_t nts_cookie_decode_too_old;
extern uint64_t nts_cookie_decode_error;
/* NTS-KE sessions served (server) and probes made (client) */
extern uint64_t nts_ke_serves_good;
extern uint64_t nts_ke_serves_bad;
extern uint64_t nts_ke_probes_good;
extern uint64_t nts_ke_probes_bad;
239 
240 #endif /* GUARD_NTS_H */
241