+* new crypto signature cleanup.
(4.2.5p242-RC) 2009/11/10 Released by Harlan Stenn <stenn@ntp.org>
* [Bug 1363] CID 92 clarify fallthrough case in clk_trimtsip.c
* [Bug 1366] ioctl(TIOCSCTTY, 0) fails on NetBSD *[0-2].* > 3.99.7.
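Review bot: the new entry "new crypto signature cleanup." does not describe the user-visible change. The rest of the patch changes the keys-file format (keys of up to 20 printable characters, or 40 hex digits for binary keys) and makes ntp-keygen emit SHA1 keys when OpenSSL is present; the ChangeLog line should state that, in the same "[Bug NNNN]" form the neighbouring entries use if a bug number exists, because operators reading the release notes need to know the key file syntax changed.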
<p>Our resident cryptographer; now you see him, now you don't.</p>
<p>Last update:
- <!-- #BeginDate format:En2m -->07-Nov-2009 20:25<!-- #EndDate -->
+ <!-- #BeginDate format:En2m -->11-Nov-2009 5:48<!-- #EndDate -->
UTC</p>
<br clear="left">
conformance to FIPS 140-2 is required, only a limited subset of these algorithms
is available.</p>
-<p>NTPv4 includes the NTPv3 scheme, properly called symmetric key cryptography,
- and in addition a new scheme based on public key cryptography and called
+<p>NTPv4 includes the NTPv3 scheme
+ and optionally a new scheme based on public key cryptography and called
Autokey. Public key cryptography is generally considered more secure than
symmetric key cryptography, since the security is based on private and public
values which are generated by each participant and where the private value
or the <a href="keygen.html"><tt>ntp-keygen</tt></a> utility
program in the NTP software distribution.</p>
-<p>While the algorithms for symmetric key cryptography are included in the NTPv4 software distribution, Autokey cryptography requires the OpenSSL software library to be installed before building the NTP distribution. This library is available from <a href="http://www.openssl.org">http://www.openssl.org</a> and can be installed using the procedures outlined in the <a href="build.html">Building and Installing the Distribution</a> page. Once installed, the configure and build process automatically detects the library and links the library routines required.</p>
+<p>While the algorithms for MD5 symmetric key cryptography are included in the
+ NTPv4 software distribution, modern algorithms for symmetric key and public
+ key cryptograpny requires the OpenSSL software library
+ to be installed before building the NTP distribution. This library is available
+ from <a href="http://www.openssl.org">http://www.openssl.org</a> and
+ can be installed using the procedures outlined in the <a href="build.html">Building
+ and Installing the Distribution</a> page. Once installed, the configure and
+ build process automatically detects the library and links the library routines
+ required.</p>
<p>Note that according to US law, NTP binaries including OpenSSL library components,
including the OpenSSL library itself, cannot be exported outside the
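Review bot: typo and agreement error in the added paragraph: "key cryptograpny requires" should read "key cryptography require" (the subject is "modern algorithms"). It would also help the reader to say which algorithms "modern algorithms for symmetric key" refers to, so that an operator knows which key types in the keys file depend on OpenSSL being linked in.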
program generates pseudo-random keys, one key for each line. Each line consists
of three fields, the key identifier as a decimal number from 1 to 65534 inclusive,
a key type chosen from the keywords of the <tt>digest</tt> option of the <tt>crypto</tt> command,
- and a 16-character printable ASCII string as the key itself.</p>
+ and a 20-character printable ASCII string or a 40-character hex string as
+ the key itself.</p>
<p>When <tt>ntpd</tt> is first started, it reads the key file specified by the <tt>keys</tt> command and installs the keys in the key cache. However, individual keys must be activated with the <tt>trustedkey</tt> configuration command before use. This allows, for instance, the installation of possibly several batches of keys and then activating a key remotely using <tt>ntpdc</tt>. The <tt>requestkey</tt> command selects the key ID used as the password for the <tt>ntpdc</tt> utility, while the <tt>controlkey</tt> command selects the key ID used as the password for the <tt>ntpq</tt> utility.</p>
<p>By default, the message digest algorithm is MD5 selected by the key type
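Review bot: the wording "a 20-character printable ASCII string or a 40-character hex string" reads as exact lengths, but the loader in this same patch treats any token of up to 20 characters as a printable key and anything longer as hex, so these are maxima and should be documented as "up to 20 characters" and "up to 40 hex digits". The paragraph should also say that hex digits are read case-insensitively and that the string must have an even number of digits, since an odd digit count is otherwise truncated by the loader's `len / 2` without any error.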
<p>Alice holds the key.</p>
<p>Last update:
- <!-- #BeginDate format:En2m -->04-Nov-2009 21:40<!-- #EndDate -->
+ <!-- #BeginDate format:En2m -->11-Nov-2009 6:01<!-- #EndDate -->
</p>
<br clear="left">
<h4 id="descrip">Description</h4>
-<p>This program generates cryptographic data files used by the NTPv4 authentication and identity schemes. It generates MD5 keys used in symmetric key cryptography and, if the OpenSSL software library has been installed, it generates host keys, sign keys, certificates and identity keys used in the Autokey public key cryptography. The symmetric keys file is generated in a format compatible with NTPv3. All other files are in PEM-encoded printable ASCII format so they can be embedded as MIME attachments in mail to other sites.</p>
+<p>This program generates cryptographic data files used by the NTPv4 authentication
+ and identity schemes. It generates MD5 message digest keys used in symmetric
+ key cryptography and, if the OpenSSL software library has been installed,
+ it generates message digest keys for other algorithms, as well as host keys,
+ sign keys, certificates and identity keys used in the Autokey public key
+ cryptography. The symmetric keys file is generated in a format compatible
+ with NTPv3. All other files are in PEM-encoded printable ASCII format so
+ they can be embedded as MIME attachments in mail to other sites.</p>
<p>When used to generate symmetric keys, the program produces a file containing
- 16 pseudo-random keys of 128 bits in length. If this is the only need, run <tt>ntp-keygen</tt> with
+ ten pseudo-random printable ASCII strings, as well as ten random hex strings,
+ both of `60 bits in length.
+ If this is the only need, run <tt>ntp-keygen</tt> with
the <tt>-M</tt> option
and disregard the remainder of this page. The file can be edited later with
purpose-chosen passwords for the <tt>ntpq</tt> and <tt>ntpdc</tt> programs.
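Review bot: "both of `60 bits in length" looks like a typo for "160 bits" (20 bytes). Even with that fixed, "both" overstates the ASCII keys: a 20-character printable ASCII string carries at most about 131 bits (20 times log2 of 95), and in gen_md5 those strings are drawn from `ntp_srandom((u_long)epoch)` rather than from RAND_bytes, so they are not 160-bit keys in any meaningful sense. Suggest "ten 20-character printable ASCII keys and, if OpenSSL is available, ten 160-bit keys as 40-digit hex strings".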
sk->next = key_hash[KEYHASH(keyno)];
key_hash[KEYHASH(keyno)] = sk;
#ifdef DEBUG
- if (debug)
- printf("auth_setkey: key %d type %d\n", sk->keyid, sk->type);
+ if (debug > 1) {
+ char hex[] = "0123456789abcdef";
+ int j;
+
+ printf("auth_setkey: key %d type %d len %d ", sk->keyid,
+ sk->type, sk->keylen);
+ for (j = 0; j < sk->keylen; j++)
+ printf("%c%c", hex[key[j] >> 4],
+ hex[key[j] & 0xf]);
+ printf("\n");
+ }
#endif
authnumkeys++;
}
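Review bot: the new `if (debug > 1)` block prints the complete key bytes in hex for every key installed. Key material written to stdout ends up in terminals, captured logs and pasted bug reports; suggest printing only keyid, type and keylen (as the replaced line did, plus the length), and if a raw dump is really needed for development, keep it under a separate compile-time option with a comment stating that it exposes secrets.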
*/
static char *
nexttok(
- char **str
+ char **str
)
{
register char *cp;
const char *file
)
{
- FILE *fp;
- char *line;
- char *token, *keystr;
- keyid_t keyno;
- int keytype;
- char buf[512]; /* lots of room for line */
+ FILE *fp;
+ char *line;
+ char *token;
+ keyid_t keyno;
+ int keytype;
+ char buf[512]; /* lots of room for line */
+ u_char keystr[20];
+ int len;
+ int j;
/*
* Open file. Complain and return if it can't be opened.
* by OpenSSL. The key type is the NID used by the message
* digest algorithm. Ther are a number of inconsistencies in
* the OpenSSL database. We attempt to discover them here
- * and prevent use of inconsistent data.
+ * and prevent use of inconsistent data later.
*/
if (strcmp(token, "M") == 0 || strcmp(token, "m") == 0)
token = "MD5";
}
keytype = KEY_TYPE_MD5;
#endif /* OPENSSL */
- keystr = token;
/*
- * Finally, get key and insert it
+ * Finally, get key and insert it. If it is longer than 20
+ * characters, it is a binary string encoded in hex;
+ * otherwise, it is a text string of printable ASCII
+ * characters.
*/
token = nexttok(&line);
if (token == NULL) {
"authreadkeys: no key for key %d", keyno);
continue;
}
- MD5auth_setkey(keyno, keytype, (u_char *)token,
- strlen(token));
+ len = strlen(token);
+ if (len <= 20) {
+ MD5auth_setkey(keyno, keytype, (u_char *)token, len);
+ } else {
+ char hex[] = "0123456789abcdef";
+ int temp;
+ char *ptr;
+
+ for (j = 0; j < len; j++) {
+ ptr = strchr(hex, tolower(token[j]));
+ if (ptr == NULL) {
+ msyslog(LOG_ERR,
+ "authreadkeys: invalid hex digit for key %d", keyno);
+ continue;
+ }
+ temp = ptr - hex;
+ if (j & 1)
+ keystr[j / 2] |= temp;
+ else
+ keystr[j / 2] = temp << 4;
+ }
+ MD5auth_setkey(keyno, keytype, keystr, len / 2);
+ }
}
fclose(fp);
return (1);
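Review bot: the hex branch has no upper bound on `len`. `keystr` is declared `u_char keystr[20]` earlier in this function, but `for (j = 0; j < len; j++)` stores into `keystr[j / 2]` for any token longer than 20 characters, so a keys-file entry of more than 40 hex digits overruns the stack buffer. Reject `len > 2 * sizeof(keystr)` before the loop, and reject odd `len` too, since `len / 2` silently drops the last digit. Two further points: the `continue` after the "invalid hex digit" message only skips that character, so the key is still installed with a missing or stale nibble (`|=` on a byte that was never written); it should abandon the whole entry, for example by setting a flag that is checked before `MD5auth_setkey`. And `tolower(token[j])` should be `tolower((unsigned char)token[j])` with <ctype.h> included, because passing a negative `char` to the ctype functions is undefined behaviour.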
/*
* Cryptodefines
*/
-#define MD5KEYS 16 /* number of MD5 keys generated */
+#define MD5KEYS 10 /* number of keys generated of each type */
+#define MD5SIZE 20 /* maximum key size */
#define JAN_1970 2208988800UL /* NTP seconds */
#define YEAR ((long)60*60*24*365) /* one year in seconds */
#define MAXFILENAME 256 /* max file name length */
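Review bot: `MD5SIZE 20` defined here duplicates the bare `20` literals in authreadkeys.c (`u_char keystr[20]` and `len <= 20`) that decide how a keys-file token is parsed. Since ntp-keygen and ntpd must agree on this limit, it belongs in a shared header rather than in two places that can drift apart; the comment "maximum key size" should also say it is in bytes, with the hex form being twice that.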
/*
- * Generate semi-random MD5 keys compatible with NTPv3 and NTPv4
+ * Generate semi-random MD5 keys compatible with NTPv3 and NTPv4. Also,
+ * if OpenSSL is around, generate random SHA1 keys compatible with
+ * symmetric key cryptography.
*/
int
gen_md5(
u_char md5key[16+1]; /* MD5 key */
FILE *str;
int i, j;
+#ifdef OPENSSL
+ u_char keystr[MD5SIZE];
+ u_char hexstr[2 * MD5SIZE + 1];
+ u_char hex[] = "0123456789abcdef";
+#endif /* OPENSSL */
str = fheader("MD5key", id, groupname);
ntp_srandom((u_long)epoch);
for (i = 1; i <= MD5KEYS; i++) {
- for (j = 0; j < 16; j++) {
+ for (j = 0; j < MD5SIZE; j++) {
int temp;
while (1) {
md5key[j] = (u_char)temp;
}
md5key[j] = '\0';
- fprintf(str, "%2d MD5 %16s # MD5 key\n", i,
+ fprintf(str, "%2d MD5 %s # MD5 key\n", i,
md5key);
}
+#ifdef OPENSSL
+ for (i = 1; i <= MD5KEYS; i++) {
+ RAND_bytes(keystr, 20);
+ for (j = 0; j < MD5SIZE; j++) {
+ hexstr[2 * j] = hex[keystr[j] >> 4];
+ hexstr[2 * j + 1] = hex[keystr[j] & 0xf];
+ }
+ hexstr[2 * MD5SIZE] = '\0';
+ fprintf(str, "%2d SHA1 %s # SHA1 key\n", i + MD5KEYS,
+ hexstr);
+ }
+#endif /* OPENSSL */
fclose(str);
return (1);
}
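Review bot: stack buffer overflow in the MD5 loop. `md5key` is still declared `u_char md5key[16+1]` (unchanged context at the top of this hunk), but the loop bound was changed from `16` to `MD5SIZE` (20), so `md5key[j]` for j = 16..19 and the terminator written at `md5key[j] = '\0'` (index 20) land past the end of the array; declare it `u_char md5key[MD5SIZE + 1]`. In the OpenSSL block, `RAND_bytes(keystr, 20)` hard-codes the size that `keystr` was declared with as `MD5SIZE`; use `sizeof(keystr)` and check the return value, since `RAND_bytes` returns 0 when the PRNG is not seeded and the key would then be written out uninitialised. Finally, the two key sets now differ in quality: the SHA1 keys come from `RAND_bytes` while the MD5 keys still come from `ntp_srandom((u_long)epoch)`, a generator seeded with the current time, as the "semi-random" wording in the header comment concedes; when OpenSSL is available the MD5 keys should be drawn from `RAND_bytes` as well.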