xref: /netbsd-src/external/bsd/ntp/dist/include/ntp_crypto.h (revision fdd524d4ccd2bb0c6f67401e938dabf773eb0372) 
1 /*	$NetBSD: ntp_crypto.h,v 1.4 2016/01/08 21:35:35 christos Exp $	*/
2 
3 /*
4  * ntp_crypto.h - definitions for cryptographic operations
5  */
6 #ifndef NTP_CRYPTO_H
7 #define NTP_CRYPTO_H
8 
9 /*
10  * Configuration codes (also needed for parser without AUTOKEY)
11  */
12 #define CRYPTO_CONF_NONE  0	/* nothing doing */
13 #define CRYPTO_CONF_PRIV  1	/* host name */
14 #define CRYPTO_CONF_IDENT 2	/* group name */
15 #define CRYPTO_CONF_CERT  3	/* certificate file name */
16 #define CRYPTO_CONF_RAND  4	/* random seed file name */
17 #define CRYPTO_CONF_IFFPAR 5	/* IFF parameters file name */
18 #define CRYPTO_CONF_GQPAR 6	/* GQ parameters file name */
19 #define	CRYPTO_CONF_MVPAR 7	/* MV parameters file name */
20 #define CRYPTO_CONF_PW	  8	/* private key password */
21 #define	CRYPTO_CONF_NID   9	/* specify digest name */
22 
23 #ifdef AUTOKEY
24 #ifndef OPENSSL
25 #error AUTOKEY should be defined only if OPENSSL is.
26 invalidsyntax: AUTOKEY should be defined only if OPENSSL is.
27 #endif
28 
29 #include "openssl/evp.h"
30 #include "ntp_calendar.h"	/* for fields in the cert_info structure */
31 
32 
33 /*
34  * The following bits are set by the CRYPTO_ASSOC message from
35  * the server and are not modified by the client.
36  */
37 #define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
38 #define CRYPTO_FLAG_TAI   0x0002 /* leapseconds table */
39 
40 #define CRYPTO_FLAG_PRIV  0x0010 /* PC identity scheme */
41 #define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
42 #define CRYPTO_FLAG_GQ	  0x0040 /* GQ identity scheme */
43 #define	CRYPTO_FLAG_MV	  0x0080 /* MV identity scheme */
44 #define CRYPTO_FLAG_MASK  0x00f0 /* identity scheme mask */
45 
46 /*
47  * The following bits are used by the client during the protocol
48  * exchange.
49  */
50 #define CRYPTO_FLAG_CERT  0x0100 /* public key verified */
51 #define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
52 #define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
53 #define CRYPTO_FLAG_COOK  0x0800 /* cookie verifed */
54 #define CRYPTO_FLAG_AUTO  0x1000 /* autokey verified */
55 #define CRYPTO_FLAG_SIGN  0x2000 /* certificate signed */
56 #define CRYPTO_FLAG_LEAP  0x4000 /* leapsecond values verified */
57 #define	CRYPTO_FLAG_ALL   0x7f00 /* all mask */
58 
59 /*
60  * Flags used for certificate management
61  */
62 #define	CERT_TRUST	0x01	/* certificate is trusted */
63 #define CERT_SIGN	0x02	/* certificate is signed */
64 #define CERT_VALID	0x04	/* certificate is valid */
65 #define CERT_PRIV	0x08	/* certificate is private */
66 #define CERT_ERROR	0x80	/* certificate has errors */
67 
68 /*
69  * Extension field definitions
70  */
71 #define	CRYPTO_MAXLEN	1024	/* max extension field length */
72 #define CRYPTO_VN	2	/* current protocol version number */
73 #define CRYPTO_CMD(x)	(((CRYPTO_VN << 8) | (x)) << 16)
74 #define CRYPTO_NULL	CRYPTO_CMD(0) /* no operation */
75 #define CRYPTO_ASSOC	CRYPTO_CMD(1) /* association */
76 #define CRYPTO_CERT	CRYPTO_CMD(2) /* certificate */
77 #define CRYPTO_COOK	CRYPTO_CMD(3) /* cookie value */
78 #define CRYPTO_AUTO	CRYPTO_CMD(4) /* autokey values */
79 #define CRYPTO_LEAP	CRYPTO_CMD(5) /* leapsecond values */
80 #define	CRYPTO_SIGN	CRYPTO_CMD(6) /* certificate sign */
81 #define CRYPTO_IFF	CRYPTO_CMD(7) /* IFF identity scheme */
82 #define CRYPTO_GQ	CRYPTO_CMD(8) /* GQ identity scheme */
83 #define	CRYPTO_MV	CRYPTO_CMD(9) /* MV identity scheme */
84 #define CRYPTO_RESP	0x80000000 /* response */
85 #define CRYPTO_ERROR	0x40000000 /* error */
86 
87 /*
88  * Autokey event codes
89  */
90 #define XEVNT_CMD(x)	(CRPT_EVENT | (x))
91 #define XEVNT_OK	XEVNT_CMD(0) /* success */
92 #define XEVNT_LEN	XEVNT_CMD(1) /* bad field format or length */
93 #define XEVNT_TSP	XEVNT_CMD(2) /* bad timestamp */
94 #define XEVNT_FSP	XEVNT_CMD(3) /* bad filestamp */
95 #define XEVNT_PUB	XEVNT_CMD(4) /* bad or missing public key */
96 #define XEVNT_MD	XEVNT_CMD(5) /* unsupported digest type */
97 #define XEVNT_KEY	XEVNT_CMD(6) /* unsupported identity type */
98 #define XEVNT_SGL	XEVNT_CMD(7) /* bad signature length */
99 #define XEVNT_SIG	XEVNT_CMD(8) /* signature not verified */
100 #define XEVNT_VFY	XEVNT_CMD(9) /* certificate not verified */
101 #define XEVNT_PER	XEVNT_CMD(10) /* host certificate expired */
102 #define XEVNT_CKY	XEVNT_CMD(11) /* bad or missing cookie */
103 #define XEVNT_DAT	XEVNT_CMD(12) /* bad or missing leapseconds */
104 #define XEVNT_CRT	XEVNT_CMD(13) /* bad or missing certificate */
105 #define XEVNT_ID	XEVNT_CMD(14) /* bad or missing group key */
106 #define	XEVNT_ERR	XEVNT_CMD(15) /* protocol error */
107 
108 /*
109  * Miscellaneous crypto stuff
110  */
111 #define NTP_MAXSESSION	100	/* maximum session key list entries */
112 #define	NTP_MAXEXTEN	2048	/* maximum extension field size */
113 #define	NTP_AUTOMAX	12	/* default key list timeout (log2 s) */
114 #define	KEY_REVOKE	17	/* default key revoke timeout (log2 s) */
115 #define	NTP_REFRESH	19	/* default restart timeout (log2 s) */
116 #define	NTP_MAXKEY	65535	/* maximum symmetric key ID */
117 
118 /*
119  * The autokey structure holds the values used to authenticate key IDs.
120  */
121 struct autokey {		/* network byte order */
122 	keyid_t	key;		/* key ID */
123 	int32	seq;		/* key number */
124 };
125 
126 /*
127  * The value structure holds variable length data such as public
128  * key, agreement parameters, public valule and leapsecond table.
129  * They are in network byte order.
130  */
131 struct value {			/* network byte order */
132 	tstamp_t tstamp;	/* timestamp */
133 	tstamp_t fstamp;	/* filestamp */
134 	u_int32	vallen;		/* value length */
135 	void	*ptr;		/* data pointer (various) */
136 	u_int32	siglen;		/* signature length */
137 	u_char	*sig;		/* signature */
138 };
139 
140 /*
141  * The packet extension field structures are used to hold values
142  * and signatures in network byte order.
143  */
144 struct exten {
145 	u_int32	opcode;		/* opcode */
146 	u_int32	associd;	/* association ID */
147 	u_int32	tstamp;		/* timestamp */
148 	u_int32	fstamp;		/* filestamp */
149 	u_int32	vallen;		/* value length */
150 	u_int32	pkt[1];		/* start of value field */
151 };
152 
153 
154 /*
155  * The certificate info/value structure
156  */
157 struct cert_info {
158 	struct cert_info *link;	/* forward link */
159 	u_int	flags;		/* flags that wave */
160 	EVP_PKEY *pkey;		/* generic key */
161 	long	version;	/* X509 version */
162 	int	nid;		/* signature/digest ID */
163 	const EVP_MD *digest;	/* message digest algorithm */
164 	u_long	serial;		/* serial number */
165 	struct calendar first;	/* not valid before */
166 	struct calendar last;	/* not valid after */
167 	char	*subject;	/* subject common name */
168 	char	*issuer;	/* issuer common name */
169 	BIGNUM	*grpkey;	/* GQ group key */
170 	struct value cert;	/* certificate/value */
171 };
172 
173 /*
174  * The keys info/value structure
175  */
176 struct pkey_info {
177 	struct pkey_info *link; /* forward link */
178 	EVP_PKEY *pkey;		/* generic key */
179 	char	*name;		/* file name */
180 	tstamp_t fstamp;	/* filestamp */
181 };
182 
183 /*
184  * Cryptographic values
185  */
186 extern	u_int	crypto_flags;	/* status word */
187 extern	int	crypto_nid;	/* digest nid */
188 extern	struct value hostval;	/* host name/value */
189 extern	struct cert_info *cinfo; /* host certificate information */
190 extern	struct value tai_leap;	/* leapseconds table */
191 #endif /* AUTOKEY */
192 #endif /* NTP_CRYPTO_H */
193