1 files changed, 139 insertions, 66 deletions
diff --git a/contrib/ntp/include/ntp_crypto.h b/contrib/ntp/include/ntp_crypto.h
index a4e6d70d6577..fb1955ce4064 100644
--- a/contrib/ntp/include/ntp_crypto.h
+++ b/contrib/ntp/include/ntp_crypto.h
@@ -1,93 +1,166 @@
 /*
  * ntp_crypto.h - definitions for cryptographic operations
  */
-#ifdef AUTOKEY
-#include "global.h"
-#include "md5.h"
-#ifdef RSAREF
-#include "rsaref.h"
-#include "rsa.h"
-
-#define EVP_SignInit(a, b)	R_SignInit(a, b)
-#define EVP_SignUpdate(a, b, c)	R_SignUpdate(a, b, c);
-#define EVP_SignFinal(a, b, c, d) R_SignFinal(a, b, c, d);
-#define EVP_VerifyInit(a, b)	R_VerifyInit(a, b)
-#define EVP_VerifyUpdate(a, b, c) R_VerifyUpdate(a, b, c);
-#define EVP_VerifyFinal(a, b, c, d) R_VerifyFinal(a, b, c, d);
+#ifdef OPENSSL
+#include "openssl/evp.h"
+/*
+ * The following bits are set by the CRYPTO_ASSOC message from
+ * the server and are not modified by the client.
+ */
+#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
+#define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
 
-#endif /* RSAREF */
+#define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
+#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
+#define CRYPTO_FLAG_GQ	  0x0040 /* GQ identity scheme */
+#define	CRYPTO_FLAG_MV	  0x0080 /* MV identity scheme */
+#define CRYPTO_FLAG_MASK  0x00f0 /* identity scheme mask */
+	
+/*
+ * The following bits are used by the client during the protocol
+ * exchange.
+ */
+#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
+#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
+#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
+#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verifed */
+#define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
+#define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
+#define CRYPTO_FLAG_LEAP  0x4000 /* leapseconds table verified */
 
 /*
- * Cryptostatus word
+ * Flags used for certificate management
  */
-#define CRYPTO_FLAG_ENAB  0x01	/* crypto enable */
-#define CRYPTO_FLAG_RSA	  0x02	/* public/private keys */
-#define CRYPTO_FLAG_CERT  0x04	/* certificate */
-#define CRYPTO_FLAG_DH	  0x08	/* agreement parameters */
-#define CRYPTO_FLAG_TAI	  0x10	/* leapseconds table */
+#define CERT_SIGN       0x01	/* certificate is signed */
+#define CERT_TRUST      0x02	/* certificate is trusted */
+#define CERT_PRIV	0x04	/* certificate is private */
+#define CERT_ERROR	0x80	/* certificate has errors */
 
 /*
  * Extension field definitions
  */
-#define CRYPTO_VN	1	/* current protocol version number */
+#define	CRYPTO_MAXLEN	1024	/* max extension field length */
+#define CRYPTO_VN	2	/* current protocol version number */
+#define CRYPTO_CMD(x)	(((CRYPTO_VN << 8) | (x)) << 16)
+#define CRYPTO_NULL	CRYPTO_CMD(0) /* no operation */
+#define CRYPTO_ASSOC	CRYPTO_CMD(1) /* association */
+#define CRYPTO_CERT	CRYPTO_CMD(2) /* certificate */
+#define CRYPTO_COOK	CRYPTO_CMD(3) /* cookie value */
+#define CRYPTO_AUTO	CRYPTO_CMD(4) /* autokey values */
+#define CRYPTO_TAI	CRYPTO_CMD(5) /* leapseconds table */
+#define	CRYPTO_SIGN	CRYPTO_CMD(6) /* certificate sign */
+#define CRYPTO_IFF	CRYPTO_CMD(7) /* IFF identity scheme */
+#define CRYPTO_GQ	CRYPTO_CMD(8) /* GQ identity scheme */
+#define	CRYPTO_MV	CRYPTO_CMD(9) /* MV identity scheme */
+#define CRYPTO_RESP	0x80000000 /* response */
+#define CRYPTO_ERROR	0x40000000 /* error */
 
-#define CRYPTO_NULL	((CRYPTO_VN << 8) | 0) /* no operation */
-#define CRYPTO_STAT	((CRYPTO_VN << 8) | 1) /* status */
-#define CRYPTO_ASSOC	((CRYPTO_VN << 8) | 2) /* association ID */
-#define CRYPTO_AUTO	((CRYPTO_VN << 8) | 3) /* autokey values */
-#define CRYPTO_PRIV	((CRYPTO_VN << 8) | 4) /* cookie value */
-#define CRYPTO_DHPAR	((CRYPTO_VN << 8) | 5) /* agreement params */
-#define CRYPTO_DH	((CRYPTO_VN << 8) | 6) /* public value */
-#define CRYPTO_NAME	((CRYPTO_VN << 8) | 7) /* host name/pub key */
-#define CRYPTO_CERT	((CRYPTO_VN << 8) | 8) /* PKI certificate */
-#define CRYPTO_TAI	((CRYPTO_VN << 8) | 9) /* leapseconds table */
-#define CRYPTO_RESP	0x8000			/* response */
-#define CRYPTO_ERROR	0x4000			/* error */
+/*
+ * Autokey event codes
+ */
+#define XEVNT_CMD(x)	(CRPT_EVENT | (x))
+#define XEVNT_OK	XEVNT_CMD(0) /* success */
+#define XEVNT_LEN	XEVNT_CMD(1) /* bad field format or length */
+#define XEVNT_TSP	XEVNT_CMD(2) /* bad timestamp */
+#define XEVNT_FSP	XEVNT_CMD(3) /* bad filestamp */
+#define XEVNT_PUB	XEVNT_CMD(4) /* bad procedure or data */
+#define XEVNT_MD	XEVNT_CMD(5) /* unsupported digest type */
+#define XEVNT_KEY	XEVNT_CMD(6) /* unsupported identity type */
+#define XEVNT_SGL	XEVNT_CMD(7) /* bad signature length */
+#define XEVNT_SIG	XEVNT_CMD(8) /* signature not verified */
+#define XEVNT_VFY	XEVNT_CMD(9) /* certificate not verified */
+#define XEVNT_PER	XEVNT_CMD(10) /* certificate expired */
+#define XEVNT_CKY	XEVNT_CMD(11) /* bad or missing cookie */
+#define XEVNT_DAT	XEVNT_CMD(12) /* bad or missing leapseconds table */
+#define XEVNT_CRT	XEVNT_CMD(13) /* bad or missing certificate */
+#define XEVNT_ID	XEVNT_CMD(14) /* bad or missing identification */
 
-#ifdef PUBKEY
 /*
  * Configuration codes
  */
 #define CRYPTO_CONF_NONE  0	/* nothing doing */
-#define CRYPTO_CONF_FLAGS 1	/* initialize flags */
-#define CRYPTO_CONF_PRIV  2	/* load private key from file */
-#define CRYPTO_CONF_PUBL  3	/* load public key from file */
-#define CRYPTO_CONF_DH    4	/* load Diffie_Hellman pars from file */
-#define CRYPTO_CONF_LEAP  5	/* load leapsecond table */
-#define CRYPTO_CONF_KEYS  6	/* set keys directory path */
-#define CRYPTO_CONF_CERT  7	/* load PKI certificate from file */
-#endif /* PUBKEY */
+#define CRYPTO_CONF_PRIV  1	/* host keys file name */
+#define CRYPTO_CONF_SIGN  2	/* signature keys file name */
+#define CRYPTO_CONF_LEAP  3	/* leapseconds table file name */
+#define CRYPTO_CONF_KEYS  4	/* keys directory path */
+#define CRYPTO_CONF_CERT  5	/* certificate file name */
+#define CRYPTO_CONF_RAND  6	/* random seed file name */
+#define	CRYPTO_CONF_TRST  7	/* specify trust */
+#define CRYPTO_CONF_IFFPAR 8	/* IFF parameters file name */
+#define CRYPTO_CONF_GQPAR 9	/* GQ parameters file name */
+#define	CRYPTO_CONF_MVPAR 10	/* GQ parameters file name */
+#define CRYPTO_CONF_PW	  11	/* private key password */
+
+/*
+ * Miscellaneous crypto stuff
+ */
+#define NTP_MAXSESSION	100	/* maximum session key list entries */
+#define NTP_AUTOMAX	13	/* log2 default max session key life */
+#define KEY_REVOKE	16	/* log2 default key revoke timeout */
+#define NTP_MAXEXTEN	1024	/* maximum extension field size */
+
+/*
+ * The autokey structure holds the values used to authenticate key IDs.
+ */
+struct autokey {		/* network byte order */
+	keyid_t	key;		/* key ID */
+	int32	seq;		/* key number */
+};
+
+/*
+ * The value structure holds variable length data such as public
+ * key, agreement parameters, public valule and leapsecond table.
+ * They are in network byte order.
+ */
+struct value {			/* network byte order */
+	tstamp_t tstamp;	/* timestamp */
+	tstamp_t fstamp;	/* filestamp */
+	u_int32	vallen;		/* value length */
+	u_char	*ptr;		/* data pointer (various) */
+	u_int32	siglen;		/* signature length */
+	u_char	*sig;		/* signature */
+};
+
+/*
+ * The packet extension field structures are used to hold values
+ * and signatures in network byte order.
+ */
+struct exten {
+	u_int32	opcode;		/* opcode */
+	u_int32	associd;	/* association ID */
+	u_int32	tstamp;		/* timestamp */
+	u_int32	fstamp;		/* filestamp */
+	u_int32	vallen;		/* value length */
+	u_int32	pkt[1];		/* start of value field */
+};
 
 /*
- * Function prototypes
+ * The certificate info/value structure
  */
-extern	void	crypto_recv	P((struct peer *, struct recvbuf *));
-extern	int	crypto_xmit	P((u_int32 *, int, u_int, keyid_t,
-				    u_int));
-extern	keyid_t	session_key	P((struct sockaddr_in *, struct
-				    sockaddr_in *, keyid_t, keyid_t,
-				    u_long));
-extern	void	make_keylist	P((struct peer *, struct interface *));
-extern	void	key_expire	P((struct peer *));
-extern	void	crypto_agree	P((void));
-#ifdef PUBKEY
-extern	void	crypto_config	P((int, char *));
-extern	void	crypto_setup	P((void));
-extern	int	crypto_public	P((struct peer *, u_char *, u_int));
-#endif /* PUBKEY */
+struct cert_info {
+	struct cert_info *link;	/* forward link */
+	u_int	flags;		/* flags that wave */
+	EVP_PKEY *pkey;		/* generic key */
+	long	version;	/* X509 version */
+	int	nid;		/* signature/digest ID */
+	const EVP_MD *digest;	/* message digest algorithm */
+	u_long	serial;		/* serial number */
+	tstamp_t first;		/* valid not before */
+	tstamp_t last;		/* valid not after */
+	char	*subject;	/* subject common name */
+	char	*issuer;	/* issuer common name */
+	u_char	*grpkey;	/* GQ group key */
+	u_int	grplen;		/* GQ group key length */
+	struct value cert;	/* certificate/value */
+};
 
 /*
  * Cryptographic values
  */
+extern	char	*keysdir;	/* crypto keys directory */
 extern	u_int	crypto_flags;	/* status word */
-#ifdef PUBKEY
-extern	R_DH_PARAMS dh_params;
-extern	struct value host;	/* host name/public key */
-extern	struct value certif;	/* certificate */
-extern	struct value dhparam;	/* agreement parameters */
-extern	struct value dhpub;	/* public value */
+extern	struct value hostval;	/* host name/value */
+extern	struct cert_info *cinfo; /* host certificate information */
 extern	struct value tai_leap;	/* leapseconds table */
-extern	u_int	crypto_flags;	/* status word */	
 extern	u_int	sys_tai;	/* current UTC offset from TAI */
-#endif /* PUBKEY */
-#endif /* AUTOKEY */
+#endif /* OPENSSL */