| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | /* $NetBSD: ntp_crypto.c,v 1.1.1.1 2009/12/13 16:55:33 kardel Exp $ */ | | 1 | /* $NetBSD: ntp_crypto.c,v 1.2 2009/12/14 00:40:26 christos Exp $ */ |
2 | | | 2 | |
3 | /* | | 3 | /* |
4 | * ntp_crypto.c - NTP version 4 public key routines | | 4 | * ntp_crypto.c - NTP version 4 public key routines |
5 | */ | | 5 | */ |
6 | #ifdef HAVE_CONFIG_H | | 6 | #ifdef HAVE_CONFIG_H |
7 | #include <config.h> | | 7 | #include <config.h> |
8 | #endif | | 8 | #endif |
9 | | | 9 | |
10 | #ifdef OPENSSL | | 10 | #ifdef OPENSSL |
11 | #include <stdio.h> | | 11 | #include <stdio.h> |
12 | #include <sys/types.h> | | 12 | #include <sys/types.h> |
13 | #include <sys/param.h> | | 13 | #include <sys/param.h> |
14 | #include <unistd.h> | | 14 | #include <unistd.h> |
| @@ -393,27 +393,27 @@ crypto_recv( | | | @@ -393,27 +393,27 @@ crypto_recv( |
393 | int has_mac; /* length of MAC field */ | | 393 | int has_mac; /* length of MAC field */ |
394 | int authlen; /* offset of MAC field */ | | 394 | int authlen; /* offset of MAC field */ |
395 | associd_t associd; /* association ID */ | | 395 | associd_t associd; /* association ID */ |
396 | tstamp_t tstamp = 0; /* timestamp */ | | 396 | tstamp_t tstamp = 0; /* timestamp */ |
397 | tstamp_t fstamp = 0; /* filestamp */ | | 397 | tstamp_t fstamp = 0; /* filestamp */ |
398 | u_int len; /* extension field length */ | | 398 | u_int len; /* extension field length */ |
399 | u_int code; /* extension field opcode */ | | 399 | u_int code; /* extension field opcode */ |
400 | u_int vallen = 0; /* value length */ | | 400 | u_int vallen = 0; /* value length */ |
401 | X509 *cert; /* X509 certificate */ | | 401 | X509 *cert; /* X509 certificate */ |
402 | char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ | | 402 | char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ |
403 | keyid_t cookie; /* crumbles */ | | 403 | keyid_t cookie; /* crumbles */ |
404 | int hismode; /* packet mode */ | | 404 | int hismode; /* packet mode */ |
405 | int rval = XEVNT_OK; | | 405 | int rval = XEVNT_OK; |
406 | u_char *ptr; | | 406 | const u_char *ptr; |
407 | u_int32 temp32; | | 407 | u_int32 temp32; |
408 | | | 408 | |
409 | /* | | 409 | /* |
410 | * Initialize. Note that the packet has already been checked for | | 410 | * Initialize. Note that the packet has already been checked for |
411 | * valid format and extension field lengths. First extract the | | 411 | * valid format and extension field lengths. First extract the |
412 | * field length, command code and association ID in host byte | | 412 | * field length, command code and association ID in host byte |
413 | * order. These are used with all commands and modes. Then check | | 413 | * order. These are used with all commands and modes. Then check |
414 | * the version number, which must be 2, and length, which must | | 414 | * the version number, which must be 2, and length, which must |
415 | * be at least 8 for requests and VALUE_LEN (24) for responses. | | 415 | * be at least 8 for requests and VALUE_LEN (24) for responses. |
416 | * Packets that fail either test sink without a trace. The | | 416 | * Packets that fail either test sink without a trace. The |
417 | * association ID is saved only if nonzero. | | 417 | * association ID is saved only if nonzero. |
418 | */ | | 418 | */ |
419 | authlen = LEN_PKT_NOMAC; | | 419 | authlen = LEN_PKT_NOMAC; |
| @@ -1543,53 +1543,54 @@ crypto_verify( | | | @@ -1543,53 +1543,54 @@ crypto_verify( |
1543 | */ | | 1543 | */ |
1544 | static int | | 1544 | static int |
1545 | crypto_encrypt( | | 1545 | crypto_encrypt( |
1546 | struct exten *ep, /* extension pointer */ | | 1546 | struct exten *ep, /* extension pointer */ |
1547 | struct value *vp, /* value pointer */ | | 1547 | struct value *vp, /* value pointer */ |
1548 | keyid_t *cookie /* server cookie */ | | 1548 | keyid_t *cookie /* server cookie */ |
1549 | ) | | 1549 | ) |
1550 | { | | 1550 | { |
1551 | EVP_PKEY *pkey; /* public key */ | | 1551 | EVP_PKEY *pkey; /* public key */ |
1552 | EVP_MD_CTX ctx; /* signature context */ | | 1552 | EVP_MD_CTX ctx; /* signature context */ |
1553 | tstamp_t tstamp; /* NTP timestamp */ | | 1553 | tstamp_t tstamp; /* NTP timestamp */ |
1554 | u_int32 temp32; | | 1554 | u_int32 temp32; |
1555 | u_int len; | | 1555 | u_int len; |
1556 | u_char *ptr; | | 1556 | const u_char *ptr; |
| | | 1557 | u_char *sptr; |
1557 | | | 1558 | |
1558 | /* | | 1559 | /* |
1559 | * Extract the public key from the request. | | 1560 | * Extract the public key from the request. |
1560 | */ | | 1561 | */ |
1561 | len = ntohl(ep->vallen); | | 1562 | len = ntohl(ep->vallen); |
1562 | ptr = (u_char *)ep->pkt; | | 1563 | ptr = (u_char *)ep->pkt; |
1563 | pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len); | | 1564 | pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len); |
1564 | if (pkey == NULL) { | | 1565 | if (pkey == NULL) { |
1565 | msyslog(LOG_ERR, "crypto_encrypt: %s", | | 1566 | msyslog(LOG_ERR, "crypto_encrypt: %s", |
1566 | ERR_error_string(ERR_get_error(), NULL)); | | 1567 | ERR_error_string(ERR_get_error(), NULL)); |
1567 | return (XEVNT_PUB); | | 1568 | return (XEVNT_PUB); |
1568 | } | | 1569 | } |
1569 | | | 1570 | |
1570 | /* | | 1571 | /* |
1571 | * Encrypt the cookie, encode in ASN.1 and sign. | | 1572 | * Encrypt the cookie, encode in ASN.1 and sign. |
1572 | */ | | 1573 | */ |
1573 | memset(vp, 0, sizeof(struct value)); | | 1574 | memset(vp, 0, sizeof(struct value)); |
1574 | tstamp = crypto_time(); | | 1575 | tstamp = crypto_time(); |
1575 | vp->tstamp = htonl(tstamp); | | 1576 | vp->tstamp = htonl(tstamp); |
1576 | vp->fstamp = hostval.tstamp; | | 1577 | vp->fstamp = hostval.tstamp; |
1577 | len = EVP_PKEY_size(pkey); | | 1578 | len = EVP_PKEY_size(pkey); |
1578 | vp->vallen = htonl(len); | | 1579 | vp->vallen = htonl(len); |
1579 | vp->ptr = emalloc(len); | | 1580 | vp->ptr = emalloc(len); |
1580 | ptr = vp->ptr; | | 1581 | sptr = vp->ptr; |
1581 | temp32 = htonl(*cookie); | | 1582 | temp32 = htonl(*cookie); |
1582 | if (RSA_public_encrypt(4, (u_char *)&temp32, ptr, | | 1583 | if (RSA_public_encrypt(4, (const u_char *)&temp32, sptr, |
1583 | pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING) <= 0) { | | 1584 | pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING) <= 0) { |
1584 | msyslog(LOG_ERR, "crypto_encrypt: %s", | | 1585 | msyslog(LOG_ERR, "crypto_encrypt: %s", |
1585 | ERR_error_string(ERR_get_error(), NULL)); | | 1586 | ERR_error_string(ERR_get_error(), NULL)); |
1586 | free(vp->ptr); | | 1587 | free(vp->ptr); |
1587 | EVP_PKEY_free(pkey); | | 1588 | EVP_PKEY_free(pkey); |
1588 | return (XEVNT_CKY); | | 1589 | return (XEVNT_CKY); |
1589 | } | | 1590 | } |
1590 | EVP_PKEY_free(pkey); | | 1591 | EVP_PKEY_free(pkey); |
1591 | if (tstamp == 0) | | 1592 | if (tstamp == 0) |
1592 | return (XEVNT_OK); | | 1593 | return (XEVNT_OK); |
1593 | | | 1594 | |
1594 | vp->sig = emalloc(sign_siglen); | | 1595 | vp->sig = emalloc(sign_siglen); |
1595 | EVP_SignInit(&ctx, sign_digest); | | 1596 | EVP_SignInit(&ctx, sign_digest); |
| @@ -2936,27 +2937,27 @@ cert_sign( | | | @@ -2936,27 +2937,27 @@ cert_sign( |
2936 | struct exten *ep, /* extension field pointer */ | | 2937 | struct exten *ep, /* extension field pointer */ |
2937 | struct value *vp /* value pointer */ | | 2938 | struct value *vp /* value pointer */ |
2938 | ) | | 2939 | ) |
2939 | { | | 2940 | { |
2940 | X509 *req; /* X509 certificate request */ | | 2941 | X509 *req; /* X509 certificate request */ |
2941 | X509 *cert; /* X509 certificate */ | | 2942 | X509 *cert; /* X509 certificate */ |
2942 | X509_EXTENSION *ext; /* certificate extension */ | | 2943 | X509_EXTENSION *ext; /* certificate extension */ |
2943 | ASN1_INTEGER *serial; /* serial number */ | | 2944 | ASN1_INTEGER *serial; /* serial number */ |
2944 | X509_NAME *subj; /* distinguished (common) name */ | | 2945 | X509_NAME *subj; /* distinguished (common) name */ |
2945 | EVP_PKEY *pkey; /* public key */ | | 2946 | EVP_PKEY *pkey; /* public key */ |
2946 | EVP_MD_CTX ctx; /* message digest context */ | | 2947 | EVP_MD_CTX ctx; /* message digest context */ |
2947 | tstamp_t tstamp; /* NTP timestamp */ | | 2948 | tstamp_t tstamp; /* NTP timestamp */ |
2948 | u_int len; | | 2949 | u_int len; |
2949 | u_char *ptr; | | 2950 | const u_char *ptr; |
2950 | int i, temp; | | 2951 | int i, temp; |
2951 | | | 2952 | |
2952 | /* | | 2953 | /* |
2953 | * Decode ASN.1 objects and construct certificate structure. | | 2954 | * Decode ASN.1 objects and construct certificate structure. |
2954 | * Make sure the system clock is synchronized to a proventic | | 2955 | * Make sure the system clock is synchronized to a proventic |
2955 | * source. | | 2956 | * source. |
2956 | */ | | 2957 | */ |
2957 | tstamp = crypto_time(); | | 2958 | tstamp = crypto_time(); |
2958 | if (tstamp == 0) | | 2959 | if (tstamp == 0) |
2959 | return (XEVNT_TSP); | | 2960 | return (XEVNT_TSP); |
2960 | | | 2961 | |
2961 | ptr = (u_char *)ep->pkt; | | 2962 | ptr = (u_char *)ep->pkt; |
2962 | if ((req = d2i_X509(NULL, &ptr, ntohl(ep->vallen))) == NULL) { | | 2963 | if ((req = d2i_X509(NULL, &ptr, ntohl(ep->vallen))) == NULL) { |
| @@ -3019,27 +3020,27 @@ cert_sign( | | | @@ -3019,27 +3020,27 @@ cert_sign( |
3019 | len = i2d_X509(cert, NULL); | | 3020 | len = i2d_X509(cert, NULL); |
3020 | | | 3021 | |
3021 | /* | | 3022 | /* |
3022 | * Build and sign the value structure. We have to sign it here, | | 3023 | * Build and sign the value structure. We have to sign it here, |
3023 | * since the response has to be returned right away. This is a | | 3024 | * since the response has to be returned right away. This is a |
3024 | * clogging hazard. | | 3025 | * clogging hazard. |
3025 | */ | | 3026 | */ |
3026 | memset(vp, 0, sizeof(struct value)); | | 3027 | memset(vp, 0, sizeof(struct value)); |
3027 | vp->tstamp = htonl(tstamp); | | 3028 | vp->tstamp = htonl(tstamp); |
3028 | vp->fstamp = ep->fstamp; | | 3029 | vp->fstamp = ep->fstamp; |
3029 | vp->vallen = htonl(len); | | 3030 | vp->vallen = htonl(len); |
3030 | vp->ptr = emalloc(len); | | 3031 | vp->ptr = emalloc(len); |
3031 | ptr = vp->ptr; | | 3032 | ptr = vp->ptr; |
3032 | i2d_X509(cert, &ptr); | | 3033 | i2d_X509(cert, (unsigned char **)&ptr); |
3033 | vp->siglen = 0; | | 3034 | vp->siglen = 0; |
3034 | if (tstamp != 0) { | | 3035 | if (tstamp != 0) { |
3035 | vp->sig = emalloc(sign_siglen); | | 3036 | vp->sig = emalloc(sign_siglen); |
3036 | EVP_SignInit(&ctx, sign_digest); | | 3037 | EVP_SignInit(&ctx, sign_digest); |
3037 | EVP_SignUpdate(&ctx, (u_char *)vp, 12); | | 3038 | EVP_SignUpdate(&ctx, (u_char *)vp, 12); |
3038 | EVP_SignUpdate(&ctx, vp->ptr, len); | | 3039 | EVP_SignUpdate(&ctx, vp->ptr, len); |
3039 | if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) | | 3040 | if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey)) |
3040 | vp->siglen = htonl(sign_siglen); | | 3041 | vp->siglen = htonl(sign_siglen); |
3041 | } | | 3042 | } |
3042 | #ifdef DEBUG | | 3043 | #ifdef DEBUG |
3043 | if (debug > 1) | | 3044 | if (debug > 1) |
3044 | X509_print_fp(stdout, cert); | | 3045 | X509_print_fp(stdout, cert); |
3045 | #endif | | 3046 | #endif |
| @@ -3122,27 +3123,27 @@ cert_install( | | | @@ -3122,27 +3123,27 @@ cert_install( |
3122 | * XEVNT_OK success | | 3123 | * XEVNT_OK success |
3123 | * XEVNT_CRT bad or missing certificate | | 3124 | * XEVNT_CRT bad or missing certificate |
3124 | * XEVNT_PER host certificate expired | | 3125 | * XEVNT_PER host certificate expired |
3125 | * XEVNT_VFY certificate not verified | | 3126 | * XEVNT_VFY certificate not verified |
3126 | */ | | 3127 | */ |
3127 | int | | 3128 | int |
3128 | cert_hike( | | 3129 | cert_hike( |
3129 | struct peer *peer, /* peer structure pointer */ | | 3130 | struct peer *peer, /* peer structure pointer */ |
3130 | struct cert_info *yp /* issuer certificate */ | | 3131 | struct cert_info *yp /* issuer certificate */ |
3131 | ) | | 3132 | ) |
3132 | { | | 3133 | { |
3133 | struct cert_info *xp; /* subject certificate */ | | 3134 | struct cert_info *xp; /* subject certificate */ |
3134 | X509 *cert; /* X509 certificate */ | | 3135 | X509 *cert; /* X509 certificate */ |
3135 | u_char *ptr; | | 3136 | const u_char *ptr; |
3136 | | | 3137 | |
3137 | /* | | 3138 | /* |
3138 | * Save the issuer on the new certificate, but remember the old | | 3139 | * Save the issuer on the new certificate, but remember the old |
3139 | * one. | | 3140 | * one. |
3140 | */ | | 3141 | */ |
3141 | if (peer->issuer != NULL) | | 3142 | if (peer->issuer != NULL) |
3142 | free(peer->issuer); | | 3143 | free(peer->issuer); |
3143 | peer->issuer = emalloc(strlen(yp->issuer) + 1); | | 3144 | peer->issuer = emalloc(strlen(yp->issuer) + 1); |
3144 | strcpy(peer->issuer, yp->issuer); | | 3145 | strcpy(peer->issuer, yp->issuer); |
3145 | xp = peer->xinfo; | | 3146 | xp = peer->xinfo; |
3146 | peer->xinfo = yp; | | 3147 | peer->xinfo = yp; |
3147 | | | 3148 | |
3148 | /* | | 3149 | /* |
| @@ -3221,27 +3222,27 @@ cert_hike( | | | @@ -3221,27 +3222,27 @@ cert_hike( |
3221 | */ | | 3222 | */ |
3222 | struct cert_info * /* certificate information structure */ | | 3223 | struct cert_info * /* certificate information structure */ |
3223 | cert_parse( | | 3224 | cert_parse( |
3224 | u_char *asn1cert, /* X509 certificate */ | | 3225 | u_char *asn1cert, /* X509 certificate */ |
3225 | long len, /* certificate length */ | | 3226 | long len, /* certificate length */ |
3226 | tstamp_t fstamp /* filestamp */ | | 3227 | tstamp_t fstamp /* filestamp */ |
3227 | ) | | 3228 | ) |
3228 | { | | 3229 | { |
3229 | X509 *cert; /* X509 certificate */ | | 3230 | X509 *cert; /* X509 certificate */ |
3230 | X509_EXTENSION *ext; /* X509v3 extension */ | | 3231 | X509_EXTENSION *ext; /* X509v3 extension */ |
3231 | struct cert_info *ret; /* certificate info/value */ | | 3232 | struct cert_info *ret; /* certificate info/value */ |
3232 | BIO *bp; | | 3233 | BIO *bp; |
3233 | char pathbuf[MAXFILENAME]; | | 3234 | char pathbuf[MAXFILENAME]; |
3234 | u_char *ptr; | | 3235 | const u_char *ptr; |
3235 | int temp, cnt, i; | | 3236 | int temp, cnt, i; |
3236 | | | 3237 | |
3237 | /* | | 3238 | /* |
3238 | * Decode ASN.1 objects and construct certificate structure. | | 3239 | * Decode ASN.1 objects and construct certificate structure. |
3239 | */ | | 3240 | */ |
3240 | ptr = asn1cert; | | 3241 | ptr = asn1cert; |
3241 | if ((cert = d2i_X509(NULL, &ptr, len)) == NULL) { | | 3242 | if ((cert = d2i_X509(NULL, &ptr, len)) == NULL) { |
3242 | msyslog(LOG_ERR, "cert_parse: %s", | | 3243 | msyslog(LOG_ERR, "cert_parse: %s", |
3243 | ERR_error_string(ERR_get_error(), NULL)); | | 3244 | ERR_error_string(ERR_get_error(), NULL)); |
3244 | return (NULL); | | 3245 | return (NULL); |
3245 | } | | 3246 | } |
3246 | #ifdef DEBUG | | 3247 | #ifdef DEBUG |
3247 | if (debug > 1) | | 3248 | if (debug > 1) |