+2000-08-04 Harlan Stenn <stenn@whimsy.udel.edu>
+
+ * ntpd/ntp_proto.c (peer_xmit): Crypto cleanup
+ * ntpd/ntp_crypto.c: Cleanup
+ * ntpd/ntp_control.c: Join the club
+ * ntpd/ntp_config.c: Call crypto_config() instead; we got rid of
+ crypto_flags.
+ * include/ntp_crypto.h (CRYPTO_FLAG_ENAB): New crypto flags, rework
+ * include/ntp_control.h (CS_FLAGS): Wiggle in.
+ * include/ntp.h: Added crypto peer status to struct peer
+ From Dave Mills
+
2000-08-03 Harlan Stenn <stenn@whimsy.udel.edu>
* util/ntp-genkeys.c: Initialize path_keysdir to NTP_KEYSDIR.
* Variables used by authenticated client
*/
#ifdef AUTOKEY
- associd_t assoc; /* association ID of peer */
+ associd_t assoc; /* peer association ID */
+ u_int32 crypto; /* peer status word */
#ifdef PUBKEY
struct value pubkey; /* public key */
u_char *keystr; /* public key file name */
#define CS_STABIL 18
#define CS_VARLIST 19
#ifdef PUBKEY
-#define CS_HOST 20
-#define CS_PUBLIC 21
-#define CS_DHPARAMS 22
-#define CS_REVTIME 23
-#define CS_LEAPTAB 24
-#define CS_TAI 25
+#define CS_FLAGS 20
+#define CS_HOST 21
+#define CS_PUBLIC 22
+#define CS_DHPARAMS 23
+#define CS_REVTIME 24
+#define CS_LEAPTAB 25
+#define CS_TAI 26
#define CS_MAXCODE CS_TAI
#else
#define CS_MAXCODE CS_VARLIST
#define CP_DISP 36
#define CP_VARLIST 37
#ifdef PUBKEY
-#define CP_HOST 38
-#define CP_PUBLIC 39
-#define CP_SESKEY 40
-#define CP_SASKEY 41
-#define CP_INITSEQ 42
-#define CP_INITKEY 43
-#define CP_INITTSP 44
+#define CP_FLAGS 38
+#define CP_HOST 39
+#define CP_PUBLIC 40
+#define CP_SESKEY 41
+#define CP_SASKEY 42
+#define CP_INITSEQ 43
+#define CP_INITKEY 44
+#define CP_INITTSP 45
#define CP_MAXCODE CP_INITTSP
#else
#define CP_MAXCODE CP_VARLIST
#include "rsa.h"
#endif /* PUBKEY */
+/*
+ * Cryptostatus word
+ */
+#define CRYPTO_FLAG_ENAB 0x01 /* crypto enable */
+#define CRYPTO_FLAG_RSA 0x02 /* public/private keys */
+#define CRYPTO_FLAG_DH 0x04 /* agreement parameters */
+#define CRYPTO_FLAG_TAI 0x08 /* leapseconds table */
+
/*
* Extension field definitions
*/
#define CRYPTO_VN 1 /* current protocol version number */
#define CRYPTO_NULL ((CRYPTO_VN << 8) | 0) /* no operation */
-#define CRYPTO_STAT ((CRYPTO_VN << 8) | 1) /* reserved */
+#define CRYPTO_STAT ((CRYPTO_VN << 8) | 1) /* status */
#define CRYPTO_ASSOC ((CRYPTO_VN << 8) | 2) /* association ID */
#define CRYPTO_AUTO ((CRYPTO_VN << 8) | 3) /* autokey values */
#define CRYPTO_PRIV ((CRYPTO_VN << 8) | 4) /* cookie value */
-#define CRYPTO_DHPAR ((CRYPTO_VN << 8) | 5) /* DH parameters */
-#define CRYPTO_DH ((CRYPTO_VN << 8) | 6) /* DH public value */
-#define CRYPTO_NAME ((CRYPTO_VN << 8) | 7) /* RSA public key */
-#define CRYPTO_TAI ((CRYPTO_VN << 8) | 8) /* TAI offset */
+#define CRYPTO_DHPAR ((CRYPTO_VN << 8) | 5) /* agreement params */
+#define CRYPTO_DH ((CRYPTO_VN << 8) | 6) /* public value */
+#define CRYPTO_NAME ((CRYPTO_VN << 8) | 7) /* host name/pub key */
+#define CRYPTO_TAI ((CRYPTO_VN << 8) | 8) /* leapseconds table */
#define CRYPTO_RESP 0x8000 /* response */
#define CRYPTO_ERROR 0x4000 /* error */
-/*
- * Cryptoflags
- */
-#define CRYPTO_FLAG_ENAB 0x01 /* enable public key */
-#define CRYPTO_FLAG_TAI 0x02 /* request TAI leapseconds */
-
#ifdef PUBKEY
/*
* Configuration codes
/*
* Cryptographic values
*/
-extern int crypto_flags;
extern R_DH_PARAMS dh_params;
-extern struct value host; /* public key/host name */
-extern struct value dhparam; /* Diffie-Hellman parameters */
-extern struct value dhpub; /* Diffie-Hellman public value */
-extern struct value tai_leap; /* TAI leapseconds table */
+extern struct value host; /* host name/public key */
+extern struct value dhparam; /* agreement parameters */
+extern struct value dhpub; /* public value */
+extern struct value tai_leap; /* leapseconds table */
+extern u_int crypto_flags; /* status word */
extern u_int sys_tai; /* current UTC offset from TAI */
#endif /* PUBKEY */
#endif /* AUTOKEY */
break;
case CONFIG_CRYPTO:
- crypto_flags |= CRYPTO_FLAG_ENAB;
+ if (ntokens == 1) {
+ crypto_config(CRYPTO_CONF_FLAGS , "0");
+ break;
+ }
for (i = 1; i < ntokens; i++) {
int temp;
temp = matchkey(tokens[i++], crypto_keywords);
if (i > ntokens - 1) {
msyslog(LOG_ERR,
- "crypto: missing file name");
+ "crypto: missing argument");
errflg++;
break;
}
{ CS_STABIL, RO, "stability" }, /* 18 */
{ CS_VARLIST, RO, "sys_var_list" }, /* 19 */
#ifdef PUBKEY
- { CS_HOST, RO, "hostname" }, /* 20 */
- { CS_PUBLIC, RO, "publickey" }, /* 21 */
- { CS_DHPARAMS, RO, "params" }, /* 22 */
- { CS_REVTIME, RO, "refresh"}, /* 23 */
- { CS_LEAPTAB, RO, "leaptable" }, /* 24 */
- { CS_TAI, RO, "tai"}, /* 25 */
+ { CS_FLAGS, RO, "flags" }, /* 20 */
+ { CS_HOST, RO, "hostname" }, /* 21 */
+ { CS_PUBLIC, RO, "publickey" }, /* 22 */
+ { CS_DHPARAMS, RO, "params" }, /* 23 */
+ { CS_REVTIME, RO, "refresh"}, /* 24 */
+ { CS_LEAPTAB, RO, "leaptable" }, /* 25 */
+ { CS_TAI, RO, "tai"}, /* 26 */
#endif /* PUBKEY */
{ 0, EOV, "" }
};
CS_COMPLIANCE,
CS_STABIL,
#ifdef PUBKEY
+ CS_FLAGS,
CS_HOST,
CS_DHPARAMS,
CS_REVTIME,
{ CP_DISP, PADDING,"" }, /* 36 */
{ CP_VARLIST, RO, "peer_var_list" }, /* 37 */
#ifdef PUBKEY
- { CP_HOST, RO, "hostname" }, /* 38 */
- { CP_PUBLIC, RO, "publickey" }, /* 39 */
- { CP_SESKEY, RO, "pcookie" }, /* 40 */
- { CP_SASKEY, RO, "hcookie" }, /* 41 */
- { CP_INITSEQ, RO, "initsequence" }, /* 42 */
- { CP_INITKEY, RO, "initkey" }, /* 43 */
- { CP_INITTSP, RO, "timestamp" }, /* 44 */
+ { CP_FLAGS, RO, "flags" }, /* 38 */
+ { CP_HOST, RO, "hostname" }, /* 39 */
+ { CP_PUBLIC, RO, "publickey" }, /* 40 */
+ { CP_SESKEY, RO, "pcookie" }, /* 41 */
+ { CP_SASKEY, RO, "hcookie" }, /* 42 */
+ { CP_INITSEQ, RO, "initsequence" }, /* 43 */
+ { CP_INITKEY, RO, "initkey" }, /* 44 */
+ { CP_INITTSP, RO, "timestamp" }, /* 45 */
#endif /* PUBKEY */
{ 0, EOV, "" }
};
CP_FILTOFFSET,
CP_FILTERROR,
#ifdef PUBKEY
+ CP_FLAGS,
CP_HOST,
CP_SESKEY,
CP_INITSEQ,
{ CC_FUDGETIME2, RO, "fudgetime2" }, /* 8 */
{ CC_FUDGEVAL1, RO, "stratum" }, /* 9 */
{ CC_FUDGEVAL2, RO, "refid" }, /* 10 */
- { CC_FLAGS, RO, "flags" }, /* 11 */
+ { CC_FLAGS, RO, "flags" }, /* 11 */
{ CC_DEVICE, RO, "device" }, /* 12 */
{ CC_VARLIST, RO, "clock_var_list" },/* 13 */
{ 0, EOV, "" }
break;
#ifdef PUBKEY
+ case CS_FLAGS:
+ if (crypto_flags)
+ ctl_puthex(sys_var[CS_FLAGS].text,
+ crypto_flags);
+ break;
+
case CS_HOST:
ctl_putstr(sys_var[CS_HOST].text, sys_hostname,
strlen(sys_hostname));
}
break;
#ifdef PUBKEY
+ case CP_FLAGS:
+ if (peer->crypto)
+ ctl_puthex(peer_var[CP_FLAGS].text, peer->crypto);
+ break;
+
case CP_HOST:
if (peer->keystr != NULL)
ctl_putstr(peer_var[CP_HOST].text, peer->keystr,
* = signature =
* | |
* +---------------+
+ * CRYPTO_DHPAR rsp
* CRYPTO_DH rsp
* CRYPTO_NAME rsp
* CRYPTO_TAI rsp
*
- * CRYPTO_PUBL 1 - offer/select
+ * CRYPTO_STAT 1 - offer/select
* CRYPTO_ASSOC 2 8 association ID
* CRYPTO_AUTO 3 88 autokey values
- * CRYPTO_PRIV 4 84 cookie values
+ * CRYPTO_PRIV 4 84 cookie value
* CRYPTO_DHPAR 5 220 agreement parameters
* CRYPTO_DH 6 152 public value
* CRYPTO_NAME 7 460 host name/public key
* carry the association ID of the sender.
*/
+/*
+ * Global cryptodata in host byte order.
+ */
+u_int crypto_flags; /* status word */
+u_int sys_tai; /* current UTC offset from TAI */
+
#ifdef PUBKEY
/*
* Cryptodefines
struct value dhpub; /* public value */
struct value tai_leap; /* leapseconds table */
-/*
- * Global cryptodata in host byte order.
- */
-int crypto_flags; /* flags that wave cryptically */
-u_int sys_tai; /* current UTC offset from TAI */
-
/*
* Cryptotypes
*/
switch (code) {
/*
- * Install association ID. This is used in broadcast
- * client mode only.
+ * Install association ID and status word.
*/
case CRYPTO_ASSOC | CRYPTO_RESP:
- if (!(peer->flags & FLAG_AUTOKEY) &&
- ntohl(pkt[i + 1]) != 0)
+ if (peer->flags & FLAG_AUTOKEY)
+ break;
+ if (ntohl(pkt[i + 1]) != 0)
peer->assoc = ntohl(pkt[i + 1]);
+ peer->crypto = ntohl(pkt[i + 2]);
+#ifdef DEBUG
+ if (debug)
+ printf(
+ "crypto_recv: flags %x\n",
+ peer->crypto);
+#endif
break;
/*
break;
}
peer->flash &= ~TEST10;
+ crypto_flags |= CRYPTO_FLAG_DH;
/*
* Initialize agreement parameters and extension
dhparam.vallen = vp->vallen;
if (dhparam.ptr != NULL)
free(dhparam.ptr);
- if (dhparam.sig == NULL)
- dhparam.sig = emalloc(private_key.bits /
- 8);
pp = emalloc(temp);
dhparam.ptr = (u_char *)pp;
memcpy(pp, vp->pkt, temp);
if (dh_private != NULL)
free(dh_private);
dh_private = emalloc(dh_keyLen);
+ if (dhparam.sig == NULL)
+ dhparam.sig = emalloc(private_key.bits /
+ 8);
/*
* Initialize public value extension field.
/*
* Verify public value and compute agreed key in
- * symmetric modes.
+ * symmetric modes. If the filestamp is later than the
+ * current value, we abandon and refill the agreement
+ * parameters.
*/
case CRYPTO_DH:
peer->cmmd = ntohl(pkt[i]);
*/
if (rval != RV_OK) {
temp = 0;
+ } else if (ntohl(vp->fstamp) > dhparam.fstamp) {
+ rval = RV_FSP;
+ crypto_flags &= ~CRYPTO_FLAG_DH;
} else {
rval = R_ComputeDHAgreedKey(dh_key,
(u_char *)&pkt[i + 5], dh_private,
break;
}
peer->flash &= ~TEST10;
+ crypto_flags |= CRYPTO_FLAG_TAI;
+ sys_tai = temp / 4 + TAI_1972 - 1;
/*
* Initialize leapseconds table and extension
tai_leap.sig =
emalloc(private_key.bits / 8);
memcpy(tai_leap.ptr, vp->pkt, temp);
- sys_tai = temp / 4 + TAI_1972 - 1;
crypto_agree();
break;
#endif /* PUBKEY */
switch (opcode) {
/*
- * Exchange association IDs. This is used in broadcast server
- * mode and is a no-op here.
+ * Send association ID and status word.
*/
case CRYPTO_ASSOC | CRYPTO_RESP:
+ xpkt[i + 2] = htonl(crypto_flags);
+ len += 4;
break;
/*
break;
+#ifdef PUBKEY
/*
* The following commands and responses work only when public-
* key cryptography has been configured. If configured, but
* disabled due to no crypto command in the configuration file,
* they are ignored and an error response is returned.
*/
-#ifdef PUBKEY
/*
- * Send agreenebt parameters, timestamp and signature.
+ * Send agreement parameters, timestamp and signature.
*/
case CRYPTO_DHPAR | CRYPTO_RESP:
if (!crypto_flags) {
"crypto: public/private key files mismatch");
exit (-1);
}
+ crypto_flags |= CRYPTO_FLAG_RSA;
/*
* Assemble public key and host name in network byte order.
dh_keyLen = primelen / 2;
dh_private = emalloc(dh_keyLen);
dhparam.sig = emalloc(private_key.bits / 8);
+ crypto_flags |= CRYPTO_FLAG_DH;
/*
* Initialize public value extension field.
*pp++ = htonl(leapsec[i]);
}
tai_leap.sig = emalloc(private_key.bits / 8);
+ crypto_flags |= CRYPTO_FLAG_TAI;
sys_tai = len / 4 + TAI_1972 - 1;
strcpy(keysdir, cp);
break;
}
+ crypto_flags |= CRYPTO_FLAG_ENAB;
}
# else
int ntp_crypto_bs_pubkey;
sendlen, (peer->cmmd >> 16) |
CRYPTO_RESP, peer->hcookie,
peer->associd);
- if (!crypto_flags && peer->pcookie.tstamp ==
- 0 && sys_leap != LEAP_NOTINSYNC)
+ if (!peer->crypto)
+ sendlen += crypto_xmit((u_int32 *)&xpkt,
+ sendlen, CRYPTO_ASSOC,
+ peer->hcookie, peer->assoc);
+ else if (!crypto_flags &&
+ peer->pcookie.tstamp == 0 && sys_leap !=
+ LEAP_NOTINSYNC)
sendlen += crypto_xmit((u_int32 *)&xpkt,
sendlen, CRYPTO_PRIV, peer->hcookie,
peer->assoc);
sendlen += crypto_xmit((u_int32 *)&xpkt,
sendlen, CRYPTO_NAME, peer->hcookie,
peer->assoc);
- else if (crypto_flags && dhparam.vallen == 0)
+ else if (crypto_flags && !(crypto_flags &
+ CRYPTO_FLAG_DH))
sendlen += crypto_xmit((u_int32 *)&xpkt,
sendlen, CRYPTO_DHPAR,
peer->hcookie, peer->assoc);
peer->hcookie,
peer->associd);
#ifdef PUBKEY
- else if (crypto_flags & CRYPTO_FLAG_TAI &&
+ else if (peer->crypto & CRYPTO_FLAG_TAI &&
sys_tai == 0)
sendlen += crypto_xmit((u_int32 *)&xpkt,
sendlen, CRYPTO_TAI, peer->hcookie,
sendlen, (peer->cmmd >> 16) |
CRYPTO_RESP, peer->hcookie,
peer->associd);
+ if (!peer->crypto)
+ sendlen += crypto_xmit((u_int32 *)&xpkt,
+ sendlen, CRYPTO_ASSOC,
+ peer->hcookie, peer->assoc);
#ifdef PUBKEY
- if (crypto_flags && peer->pubkey.ptr == NULL)
+ else if (crypto_flags && peer->pubkey.ptr ==
+ NULL)
sendlen += crypto_xmit((u_int32 *)&xpkt,
sendlen, CRYPTO_NAME, peer->hcookie,
peer->assoc);
- else
#endif /* PUBKEY */
- if (peer->pcookie.tstamp == 0)
+ else if (peer->pcookie.tstamp == 0)
sendlen += crypto_xmit((u_int32 *)&xpkt,
sendlen, CRYPTO_PRIV, peer->hcookie,
peer->assoc);
sendlen, CRYPTO_AUTO, peer->hcookie,
peer->assoc);
#ifdef PUBKEY
- else if (crypto_flags & CRYPTO_FLAG_TAI &&
+ else if (peer->crypto & CRYPTO_FLAG_TAI &&
sys_tai == 0)
sendlen += crypto_xmit((u_int32 *)&xpkt,
sendlen, CRYPTO_TAI, peer->hcookie,