1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 | /* $NetBSD: ntp_crypto.h,v 1.6 2020/05/25 20:47:19 christos Exp $ */ /* * ntp_crypto.h - definitions for cryptographic operations */ #ifndef NTP_CRYPTO_H #define NTP_CRYPTO_H /* * Configuration codes (also needed for parser without AUTOKEY) */ #define CRYPTO_CONF_NONE 0 /* nothing doing */ #define CRYPTO_CONF_PRIV 1 /* host name */ #define CRYPTO_CONF_IDENT 2 /* group name */ #define CRYPTO_CONF_CERT 3 /* certificate file name */ #define CRYPTO_CONF_RAND 4 /* random seed file name */ #define CRYPTO_CONF_IFFPAR 5 /* IFF parameters file name */ #define CRYPTO_CONF_GQPAR 6 /* GQ parameters file name */ #define CRYPTO_CONF_MVPAR 7 /* MV parameters file name */ #define CRYPTO_CONF_PW 8 /* private key password */ #define CRYPTO_CONF_NID 9 /* specify digest name */ #ifdef AUTOKEY #ifndef OPENSSL #error AUTOKEY should be defined only if OPENSSL is. invalidsyntax: AUTOKEY should be defined only if OPENSSL is. #endif #include "openssl/bn.h" #include "openssl/evp.h" #include "ntp_calendar.h" /* for fields in the cert_info structure */ /* * The following bits are set by the CRYPTO_ASSOC message from * the server and are not modified by the client. */ #define CRYPTO_FLAG_ENAB 0x0001 /* crypto enable */ #define CRYPTO_FLAG_TAI 0x0002 /* leapseconds table */ #define CRYPTO_FLAG_PRIV 0x0010 /* PC identity scheme */ #define CRYPTO_FLAG_IFF 0x0020 /* IFF identity scheme */ #define CRYPTO_FLAG_GQ 0x0040 /* GQ identity scheme */ #define CRYPTO_FLAG_MV 0x0080 /* MV identity scheme */ #define CRYPTO_FLAG_MASK 0x00f0 /* identity scheme mask */ /* * The following bits are used by the client during the protocol * exchange. */ #define CRYPTO_FLAG_CERT 0x0100 /* public key verified */ #define CRYPTO_FLAG_VRFY 0x0200 /* identity verified */ #define CRYPTO_FLAG_PROV 0x0400 /* signature verified */ #define CRYPTO_FLAG_COOK 0x0800 /* cookie verifed */ #define CRYPTO_FLAG_AUTO 0x1000 /* autokey verified */ #define CRYPTO_FLAG_SIGN 0x2000 /* certificate signed */ #define CRYPTO_FLAG_LEAP 0x4000 /* leapsecond values verified */ #define CRYPTO_FLAG_ALL 0x7f00 /* all mask */ /* * Flags used for certificate management */ #define CERT_TRUST 0x01 /* certificate is trusted */ #define CERT_SIGN 0x02 /* certificate is signed */ #define CERT_VALID 0x04 /* certificate is valid */ #define CERT_PRIV 0x08 /* certificate is private */ #define CERT_ERROR 0x80 /* certificate has errors */ /* * Extension field definitions */ #define CRYPTO_MAXLEN 1024 /* max extension field length */ #define CRYPTO_VN 2 /* current protocol version number */ #define CRYPTO_CMD(x) (((CRYPTO_VN << 8) | (x)) << 16) #define CRYPTO_NULL CRYPTO_CMD(0) /* no operation */ #define CRYPTO_ASSOC CRYPTO_CMD(1) /* association */ #define CRYPTO_CERT CRYPTO_CMD(2) /* certificate */ #define CRYPTO_COOK CRYPTO_CMD(3) /* cookie value */ #define CRYPTO_AUTO CRYPTO_CMD(4) /* autokey values */ #define CRYPTO_LEAP CRYPTO_CMD(5) /* leapsecond values */ #define CRYPTO_SIGN CRYPTO_CMD(6) /* certificate sign */ #define CRYPTO_IFF CRYPTO_CMD(7) /* IFF identity scheme */ #define CRYPTO_GQ CRYPTO_CMD(8) /* GQ identity scheme */ #define CRYPTO_MV CRYPTO_CMD(9) /* MV identity scheme */ #define CRYPTO_RESP 0x80000000 /* response */ #define CRYPTO_ERROR 0x40000000 /* error */ /* * Autokey event codes */ #define XEVNT_CMD(x) (CRPT_EVENT | (x)) #define XEVNT_OK XEVNT_CMD(0) /* success */ #define XEVNT_LEN XEVNT_CMD(1) /* bad field format or length */ #define XEVNT_TSP XEVNT_CMD(2) /* bad timestamp */ #define XEVNT_FSP XEVNT_CMD(3) /* bad filestamp */ #define XEVNT_PUB XEVNT_CMD(4) /* bad or missing public key */ #define XEVNT_MD XEVNT_CMD(5) /* unsupported digest type */ #define XEVNT_KEY XEVNT_CMD(6) /* unsupported identity type */ #define XEVNT_SGL XEVNT_CMD(7) /* bad signature length */ #define XEVNT_SIG XEVNT_CMD(8) /* signature not verified */ #define XEVNT_VFY XEVNT_CMD(9) /* certificate not verified */ #define XEVNT_PER XEVNT_CMD(10) /* host certificate expired */ #define XEVNT_CKY XEVNT_CMD(11) /* bad or missing cookie */ #define XEVNT_DAT XEVNT_CMD(12) /* bad or missing leapseconds */ #define XEVNT_CRT XEVNT_CMD(13) /* bad or missing certificate */ #define XEVNT_ID XEVNT_CMD(14) /* bad or missing group key */ #define XEVNT_ERR XEVNT_CMD(15) /* protocol error */ /* * Miscellaneous crypto stuff */ #define NTP_MAXSESSION 100 /* maximum session key list entries */ #define NTP_MAXEXTEN 2048 /* maximum extension field size */ #define NTP_AUTOMAX 12 /* default key list timeout (log2 s) */ #define KEY_REVOKE 17 /* default key revoke timeout (log2 s) */ #define NTP_REFRESH 19 /* default restart timeout (log2 s) */ #define NTP_MAXKEY 65535 /* maximum symmetric key ID */ /* * The autokey structure holds the values used to authenticate key IDs. */ struct autokey { /* network byte order */ keyid_t key; /* key ID */ int32 seq; /* key number */ }; /* * The value structure holds variable length data such as public * key, agreement parameters, public valule and leapsecond table. * They are in network byte order. */ struct value { /* network byte order */ tstamp_t tstamp; /* timestamp */ tstamp_t fstamp; /* filestamp */ u_int32 vallen; /* value length */ void *ptr; /* data pointer (various) */ u_int32 siglen; /* signature length */ u_char *sig; /* signature */ }; /* * The packet extension field structures are used to hold values * and signatures in network byte order. */ struct exten { u_int32 opcode; /* opcode */ u_int32 associd; /* association ID */ u_int32 tstamp; /* timestamp */ u_int32 fstamp; /* filestamp */ u_int32 vallen; /* value length */ u_int32 pkt[1]; /* start of value field */ }; /* * The certificate info/value structure */ struct cert_info { struct cert_info *link; /* forward link */ u_int flags; /* flags that wave */ EVP_PKEY *pkey; /* generic key */ long version; /* X509 version */ int nid; /* signature/digest ID */ const EVP_MD *digest; /* message digest algorithm */ u_long serial; /* serial number */ struct calendar first; /* not valid before */ struct calendar last; /* not valid after */ char *subject; /* subject common name */ char *issuer; /* issuer common name */ BIGNUM *grpkey; /* GQ group key */ struct value cert; /* certificate/value */ }; /* * The keys info/value structure */ struct pkey_info { struct pkey_info *link; /* forward link */ EVP_PKEY *pkey; /* generic key */ char *name; /* file name */ tstamp_t fstamp; /* filestamp */ }; /* * Cryptographic values */ extern u_int crypto_flags; /* status word */ extern int crypto_nid; /* digest nid */ extern struct value hostval; /* host name/value */ extern struct cert_info *cinfo; /* host certificate information */ extern struct value tai_leap; /* leapseconds table */ #endif /* AUTOKEY */ #endif /* NTP_CRYPTO_H */ |