xref: /freebsd/contrib/ntp/include/ntp_crypto.h (revision 7bd6fde3) 
1 /*
2  * ntp_crypto.h - definitions for cryptographic operations
3  */
4 #ifdef OPENSSL
5 #include "openssl/evp.h"
6 /*
7  * The following bits are set by the CRYPTO_ASSOC message from
8  * the server and are not modified by the client.
9  */
10 #define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
11 #define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
12 
13 #define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
14 #define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
15 #define CRYPTO_FLAG_GQ	  0x0040 /* GQ identity scheme */
16 #define	CRYPTO_FLAG_MV	  0x0080 /* MV identity scheme */
17 #define CRYPTO_FLAG_MASK  0x00f0 /* identity scheme mask */
18 
19 /*
20  * The following bits are used by the client during the protocol
21  * exchange.
22  */
23 #define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
24 #define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
25 #define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
26 #define CRYPTO_FLAG_AGREE 0x0800 /* cookie verifed */
27 #define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
28 #define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
29 #define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */
30 
31 /*
32  * Flags used for certificate management
33  */
34 #define CERT_SIGN       0x01	/* certificate is signed */
35 #define CERT_TRUST      0x02	/* certificate is trusted */
36 #define CERT_PRIV	0x04	/* certificate is private */
37 #define CERT_ERROR	0x80	/* certificate has errors */
38 
39 /*
40  * Extension field definitions
41  */
42 #define	CRYPTO_MAXLEN	1024	/* max extension field length */
43 #define CRYPTO_VN	2	/* current protocol version number */
44 #define CRYPTO_CMD(x)	(((CRYPTO_VN << 8) | (x)) << 16)
45 #define CRYPTO_NULL	CRYPTO_CMD(0) /* no operation */
46 #define CRYPTO_ASSOC	CRYPTO_CMD(1) /* association */
47 #define CRYPTO_CERT	CRYPTO_CMD(2) /* certificate */
48 #define CRYPTO_COOK	CRYPTO_CMD(3) /* cookie value */
49 #define CRYPTO_AUTO	CRYPTO_CMD(4) /* autokey values */
50 #define CRYPTO_TAI	CRYPTO_CMD(5) /* leapseconds table */
51 #define	CRYPTO_SIGN	CRYPTO_CMD(6) /* certificate sign */
52 #define CRYPTO_IFF	CRYPTO_CMD(7) /* IFF identity scheme */
53 #define CRYPTO_GQ	CRYPTO_CMD(8) /* GQ identity scheme */
54 #define	CRYPTO_MV	CRYPTO_CMD(9) /* MV identity scheme */
55 #define CRYPTO_RESP	0x80000000 /* response */
56 #define CRYPTO_ERROR	0x40000000 /* error */
57 
58 /*
59  * Autokey event codes
60  */
61 #define XEVNT_CMD(x)	(CRPT_EVENT | (x))
62 #define XEVNT_OK	XEVNT_CMD(0) /* success */
63 #define XEVNT_LEN	XEVNT_CMD(1) /* bad field format or length */
64 #define XEVNT_TSP	XEVNT_CMD(2) /* bad timestamp */
65 #define XEVNT_FSP	XEVNT_CMD(3) /* bad filestamp */
66 #define XEVNT_PUB	XEVNT_CMD(4) /* bad procedure or data */
67 #define XEVNT_MD	XEVNT_CMD(5) /* unsupported digest type */
68 #define XEVNT_KEY	XEVNT_CMD(6) /* unsupported identity type */
69 #define XEVNT_SGL	XEVNT_CMD(7) /* bad signature length */
70 #define XEVNT_SIG	XEVNT_CMD(8) /* signature not verified */
71 #define XEVNT_VFY	XEVNT_CMD(9) /* certificate not verified */
72 #define XEVNT_PER	XEVNT_CMD(10) /* certificate expired */
73 #define XEVNT_CKY	XEVNT_CMD(11) /* bad or missing cookie */
74 #define XEVNT_DAT	XEVNT_CMD(12) /* bad or missing leapseconds table */
75 #define XEVNT_CRT	XEVNT_CMD(13) /* bad or missing certificate */
76 #define XEVNT_ID	XEVNT_CMD(14) /* bad or missing identification */
77 
78 /*
79  * Configuration codes
80  */
81 #define CRYPTO_CONF_NONE  0	/* nothing doing */
82 #define CRYPTO_CONF_PRIV  1	/* host keys file name */
83 #define CRYPTO_CONF_SIGN  2	/* signature keys file name */
84 #define CRYPTO_CONF_LEAP  3	/* leapseconds table file name */
85 #define CRYPTO_CONF_KEYS  4	/* keys directory path */
86 #define CRYPTO_CONF_CERT  5	/* certificate file name */
87 #define CRYPTO_CONF_RAND  6	/* random seed file name */
88 #define	CRYPTO_CONF_TRST  7	/* specify trust */
89 #define CRYPTO_CONF_IFFPAR 8	/* IFF parameters file name */
90 #define CRYPTO_CONF_GQPAR 9	/* GQ parameters file name */
91 #define	CRYPTO_CONF_MVPAR 10	/* GQ parameters file name */
92 #define CRYPTO_CONF_PW	  11	/* private key password */
93 
94 /*
95  * Miscellaneous crypto stuff
96  */
97 #define NTP_MAXSESSION	100	/* maximum session key list entries */
98 #define NTP_AUTOMAX	13	/* log2 default max session key life */
99 #define KEY_REVOKE	16	/* log2 default key revoke timeout */
100 #define NTP_MAXEXTEN	1024	/* maximum extension field size */
101 
102 /*
103  * The autokey structure holds the values used to authenticate key IDs.
104  */
105 struct autokey {		/* network byte order */
106 	keyid_t	key;		/* key ID */
107 	int32	seq;		/* key number */
108 };
109 
110 /*
111  * The value structure holds variable length data such as public
112  * key, agreement parameters, public valule and leapsecond table.
113  * They are in network byte order.
114  */
115 struct value {			/* network byte order */
116 	tstamp_t tstamp;	/* timestamp */
117 	tstamp_t fstamp;	/* filestamp */
118 	u_int32	vallen;		/* value length */
119 	u_char	*ptr;		/* data pointer (various) */
120 	u_int32	siglen;		/* signature length */
121 	u_char	*sig;		/* signature */
122 };
123 
124 /*
125  * The packet extension field structures are used to hold values
126  * and signatures in network byte order.
127  */
128 struct exten {
129 	u_int32	opcode;		/* opcode */
130 	u_int32	associd;	/* association ID */
131 	u_int32	tstamp;		/* timestamp */
132 	u_int32	fstamp;		/* filestamp */
133 	u_int32	vallen;		/* value length */
134 	u_int32	pkt[1];		/* start of value field */
135 };
136 
137 /*
138  * The certificate info/value structure
139  */
140 struct cert_info {
141 	struct cert_info *link;	/* forward link */
142 	u_int	flags;		/* flags that wave */
143 	EVP_PKEY *pkey;		/* generic key */
144 	long	version;	/* X509 version */
145 	int	nid;		/* signature/digest ID */
146 	const EVP_MD *digest;	/* message digest algorithm */
147 	u_long	serial;		/* serial number */
148 	tstamp_t first;		/* valid not before */
149 	tstamp_t last;		/* valid not after */
150 	char	*subject;	/* subject common name */
151 	char	*issuer;	/* issuer common name */
152 	u_char	*grpkey;	/* GQ group key */
153 	u_int	grplen;		/* GQ group key length */
154 	struct value cert;	/* certificate/value */
155 };
156 
157 /*
158  * Cryptographic values
159  */
160 extern	char	*keysdir;	/* crypto keys directory */
161 extern	u_int	crypto_flags;	/* status word */
162 extern	struct value hostval;	/* host name/value */
163 extern	struct cert_info *cinfo; /* host certificate information */
164 extern	struct value tai_leap;	/* leapseconds table */
165 extern	u_int	sys_tai;	/* current UTC offset from TAI */
166 #endif /* OPENSSL */
167