ntp_crypto.c   [plain text]

/*
 * ntp_crypto.c - NTP version 4 public key routines
 */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#ifdef AUTOKEY
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>

#include "ntpd.h"
#include "ntp_stdlib.h"
#include "ntp_string.h"
#include "ntp_crypto.h"

#ifdef KERNEL_PLL
#include "ntp_syscall.h"
#endif /* KERNEL_PLL */

/*
 * Extension field message formats
 *
 *   +-------+-------+   +-------+-------+   +-------+-------+
 * 0 |   3   |  len  |   |  2,4  |  len  |   |  5-9  |  len  |
 *   +-------+-------+   +-------+-------+   +-------+-------+
 * 1 |    assocID    |   |    assocID    |   |    assocID    |
 *   +---------------+   +---------------+   +---------------+
 * 2 |   timestamp   |   |   timestamp   |   |   timestamp   |
 *   +---------------+   +---------------+   +---------------+
 * 3 |   final seq   |   |  cookie/flags |   |   filestamp   |
 *   +---------------+   +---------------+   +---------------+
 * 4 |   final key   |   | signature len |   |   value len   |
 *   +---------------+   +---------------+   +---------------+
 * 5 | signature len |   |               |   |               |
 *   +---------------+   =   signature   =   =     value     =
 * 6 |               |   |               |   |               |
 *   =   signature   =   +---------------+   +---------------+
 * 7 |               |   CRYPTO_ASSOC rsp    | signature len |
 *   +---------------+   CRYPTO_PRIV rsp     +---------------+
 *   CRYPTO_AUTO rsp                         |               |
 *                                           =   signature   =
 *                                           |               |
 *                                           +---------------+
 *                                           CRYPTO_DHPAR rsp
 *                                           CRYPTO_DH rsp
 *                                           CRYPTO_NAME rsp
 *                                           CRYPTO_CERT rsp
 *                                           CRYPTO_TAI rsp
 *
 *   CRYPTO_STAT  1  -    offer/select
 *   CRYPTO_ASSOC 2  20   association ID
 *   CRYPTO_AUTO  3  88   autokey values
 *   CRYPTO_PRIV  4  84   cookie value
 *   CRYPTO_DHPAR 5  220  agreement parameters
 *   CRYPTO_DH    6  152  public value
 *   CRYPTO_NAME  7  460  host name/public key
 *   CRYPTO_CERT  8  ?    certificate
 *   CRYPTO_TAI   9  144  leapseconds table
 *
 *   Note: requests carry the association ID of the receiver; responses
 *   carry the association ID of the sender.
 */
/*
 * Minimum sizes of fields
 */
#define COOKIE_LEN	(5 * 4)
#define AUTOKEY_LEN	(6 * 4)
#define VALUE_LEN	(6 * 4)

/*
 * Global cryptodata in host byte order.
 */
u_int	crypto_flags;		/* status word */
u_int	sys_tai;		/* current UTC offset from TAI */

#ifdef PUBKEY
/*
 * Cryptodefines
 */
#define TAI_1972	10	/* initial TAI offset */
#define MAX_LEAP	100	/* max UTC leapseconds */
#define MAX_LINLEN	1024	/* max line */
#define MAX_KEYLEN	1024	/* max key */
#define MAX_ENCLEN	(ENCODED_CONTENT_LEN(1024)) /* max enc key */

/*
 * Private cryptodata in network byte order.
 */
static R_RSA_PRIVATE_KEY private_key; /* private key */
static R_RSA_PUBLIC_KEY public_key; /* public key */
static R_DH_PARAMS dh_params;	/* agreement parameters */
static u_char *dh_private;	/* private value */
static u_int dh_keyLen;		/* private value length */
static char *keysdir = NTP_KEYSDIR; /* crypto keys directory */
static char *private_key_file = NULL; /* private key file */
static char *public_key_file = NULL; /* public key file */
static char *certif_file = NULL; /* certificate file */
static char *dh_params_file = NULL; /* agreement parameters file */
static char *tai_leap_file = NULL; /* leapseconds file */

/*
 * Global cryptodata in network byte order
 */
struct value host;		/* host name/public key */
struct value certif;		/* certificate */
struct value dhparam;		/* agreement parameters */
struct value dhpub;		/* public value */
struct value tai_leap;		/* leapseconds table */

/*
 * Cryptotypes
 */
static	u_int	crypto_rsa	P((char *, u_char *, u_int));
static	void	crypto_cert	P((char *));
static	void	crypto_dh	P((char *));
static	void	crypto_tai	P((char *));
#endif /* PUBKEY */

/*
 * Autokey protocol status codes
 */
#define RV_OK		0	/* success */
#define RV_LEN		1	/* invalid field length */
#define RV_TSP		2	/* invalid timestamp */
#define RV_FSP		3	/* invalid filestamp */
#define RV_PUB		4	/* missing public key */
#define RV_KEY		5	/* invalid RSA modulus */
#define RV_SIG		6	/* invalid signature length */
#define RV_DH		7	/* invalid agreement parameters */
#define RV_FIL		8	/* missing or corrupted key file */
#define RV_DAT		9	/* missing or corrupted data */
#define RV_DEC		10	/* PEM decoding error */
#define RV_DUP		11	/* duplicate flags */
#define RV_VN		12	/* incorrect version */

/*
 * session_key - generate session key
 *
 * This routine generates a session key from the source address,
 * destination address, key ID and private value. The value of the
 * session key is the MD5 hash of these values, while the next key ID is
 * the first four octets of the hash.
 */
keyid_t				/* returns next key ID */
session_key(
	struct sockaddr_in *srcadr, /* source address */
	struct sockaddr_in *dstadr, /* destination address */
	keyid_t keyno,		/* key ID */
	keyid_t private,	/* private value */
	u_long lifetime 	/* key lifetime */
	)
{
	MD5_CTX ctx;		/* MD5 context */
	keyid_t keyid;		/* key identifer */
	u_int32 header[4];	/* data in network byte order */
	u_char digest[16];	/* message digest */

	/*
	 * Generate the session key and key ID. If the lifetime is
	 * greater than zero, install the key and call it trusted.
	 */
	header[0] = srcadr->sin_addr.s_addr;
	header[1] = dstadr->sin_addr.s_addr;
	header[2] = htonl(keyno);
	header[3] = htonl(private);
	MD5Init(&ctx);
	MD5Update(&ctx, (u_char *)header, sizeof(header));
	MD5Final(digest, &ctx);
	memcpy(&keyid, digest, 4);
	keyid = ntohl(keyid);
	if (lifetime != 0) {
		MD5auth_setkey(keyno, digest, 16);
		authtrust(keyno, lifetime);
	}
#ifdef DEBUG
	if (debug > 1)
		printf(
		    "session_key: %s > %s %08x %08x hash %08x life %lu\n",
		    numtoa(header[0]), numtoa(header[1]), keyno,
		    private, keyid, lifetime);
#endif
	return (keyid);
}


/*
 * make_keylist - generate key list
 *
 * This routine constructs a pseudo-random sequence by repeatedly
 * hashing the session key starting from a given source address,
 * destination address, private value and the next key ID of the
 * preceeding session key. The last entry on the list is saved along
 * with its sequence number and public signature.
 */
void
make_keylist(
	struct peer *peer,	/* peer structure pointer */
	struct interface *dstadr /* interface */
	)
{
	struct autokey *ap;	/* autokey pointer */
	keyid_t keyid;		/* next key ID */
	keyid_t cookie;		/* private value */
	l_fp tstamp;		/* NTP timestamp */
	u_long ltemp;
	int i;
#ifdef PUBKEY
	R_SIGNATURE_CTX ctx;	/* signature context */
	int rval;		/* return value */
	u_int len;
#endif /* PUBKEY */

	/*
	 * Allocate the key list if necessary.
	 */
	L_CLR(&tstamp);
	if (sys_leap != LEAP_NOTINSYNC)
		get_systime(&tstamp);
	if (peer->keylist == NULL)
		peer->keylist = (keyid_t *)emalloc(sizeof(keyid_t) *
		    NTP_MAXSESSION);

	/*
	 * Generate an initial key ID which is unique and greater than
	 * NTP_MAXKEY.
	 */
	while (1) {
		keyid = (u_long)RANDOM & 0xffffffff;
		if (keyid <= NTP_MAXKEY)
			continue;
		if (authhavekey(keyid))
			continue;
		break;
	}

	/*
	 * Generate up to NTP_MAXSESSION session keys. Stop if the
	 * next one would not be unique or not a session key ID or if
	 * it would expire before the next poll. The private value
	 * included in the hash is zero if broadcast mode, the peer
	 * cookie if client mode or the host cookie if symmetric modes.
	 */
	ltemp = min(sys_automax, NTP_MAXSESSION * (1 << (peer->kpoll)));
	peer->hcookie = session_key(&dstadr->sin, &peer->srcadr, 0,
	    sys_private, 0);
	if (peer->hmode == MODE_BROADCAST)
		cookie = 0;
	else
		cookie = peer->pcookie.key;
	for (i = 0; i < NTP_MAXSESSION; i++) {
		peer->keylist[i] = keyid;
		peer->keynumber = i;
		keyid = session_key(&dstadr->sin, &peer->srcadr, keyid,
		    cookie, ltemp);
		ltemp -= 1 << peer->kpoll;
		if (auth_havekey(keyid) || keyid <= NTP_MAXKEY ||
		    ltemp <= (1 << (peer->kpoll)))
			break;
	}

	/*
	 * Save the last session key ID, sequence number and timestamp,
	 * then sign these values for later retrieval by the clients. Be
	 * careful not to use invalid key media.
	 */
	ap = &peer->sndauto;
	ap->tstamp = htonl(tstamp.l_ui);
	ap->seq = htonl(peer->keynumber);
	ap->key = htonl(keyid);
	ap->siglen = 0;
#if DEBUG
	if (debug)
		printf("make_keys: %d %08x %08x ts %u poll %d\n",
		    ntohl(ap->seq), ntohl(ap->key), cookie,
		    ntohl(ap->tstamp), peer->kpoll);
#endif
#ifdef PUBKEY
	if(!crypto_flags)
		return;
	if (ap->sig == NULL)
		ap->sig = emalloc(private_key.bits / 8);
	EVP_SignInit(&ctx, DA_MD5);
	EVP_SignUpdate(&ctx, (u_char *)ap, 12);
	rval = EVP_SignFinal(&ctx, ap->sig, &len, &private_key);
	if (rval != RV_OK)
		msyslog(LOG_ERR, "crypto: keylist signature fails %x",
		    rval);
	else
		ap->siglen = htonl(len);
	peer->flags |= FLAG_ASSOC;
#endif /* PUBKEY */
}


/*
 * crypto_recv - parse extension fields
 *
 * This routine is called when the packet has been matched to an
 * association and passed sanity, format and MAC checks. We believe the
 * extension field values only if the field has proper format and
 * length, the timestamp and filestamp are valid and the signature has
 * valid length and is verified. There are a few cases where some values
 * are believed even if the signature fails, but only if the authentic
 * bit is not set.
 */
void
crypto_recv(
	struct peer *peer,	/* peer structure pointer */
	struct recvbuf *rbufp	/* packet buffer pointer */
	)
{
	u_int32 *pkt;		/* packet pointer */
	struct autokey *ap;	/* autokey pointer */
	struct cookie *cp;	/* cookie pointer */
	int has_mac;		/* length of MAC field */
	int authlen;		/* offset of MAC field */
	int len;		/* extension field length */
	u_int code;		/* extension field opcode */
	tstamp_t tstamp;	/* timestamp */
	int i, rval;
	u_int temp;
#ifdef PUBKEY
	R_SIGNATURE_CTX ctx;	/* signature context */
	struct value *vp;	/* value pointer */
	u_char dh_key[MAX_KEYLEN]; /* agreed key */
	R_RSA_PUBLIC_KEY *kp;	/* temporary public key pointer */
	tstamp_t fstamp;	/* filestamp */
	u_int32 *pp;		/* packet pointer */
	u_int rsalen = sizeof(R_RSA_PUBLIC_KEY) - sizeof(u_int) + 4;
	u_int bits;
	int j;
#ifdef KERNEL_PLL
#if NTP_API > 3
	struct timex ntv;	/* kernel interface structure */
#endif /* NTP_API */
#endif /* KERNEL_PLL */
#endif /* PUBKEY */

	/*
	 * Initialize. Note that the packet has already been checked for
	 * valid format and extension field lengths. We first extract
	 * the field length, command code and timestamp in host byte
	 * order. These are used with all commands and modes. We discard
	 * old timestamps and filestamps; but, for duplicate timestamps
	 * we discard only if the authentic bit is set. Cute.
	 */
	pkt = (u_int32 *)&rbufp->recv_pkt;
	authlen = LEN_PKT_NOMAC;
	while ((has_mac = rbufp->recv_length - authlen) > MAX_MAC_LEN) {
		i = authlen / 4;
		len = ntohl(pkt[i]) & 0xffff;
		code = (ntohl(pkt[i]) >> 16) & 0xffff;
		temp = (code >> 8) & 0x3f;
		if (temp != CRYPTO_VN) {
			sys_unknownversion++;
#ifdef DEBUG
			if (debug)
				printf(
				    "crypto_recv: incorrect version %d should be %d\n",
				    temp, CRYPTO_VN);
#endif
			return;
		}
		tstamp = ntohl(pkt[i + 2]);
#ifdef DEBUG
		if (debug)
			printf(
			    "crypto_recv: ext offset %d len %d code %x assocID %d\n",
			    authlen, len, code, (u_int32)ntohl(pkt[i +
			    1]));
#endif
		switch (code) {

		/*
		 * Install association ID and status word.
		 */
		case CRYPTO_ASSOC | CRYPTO_RESP:
			cp = (struct cookie *)&pkt[i + 2];
			temp = ntohl(cp->key);
			if (len < COOKIE_LEN) {
				rval = RV_LEN;
			} else if (tstamp == 0) {
				rval = RV_TSP;
			} else {
				if (!peer->crypto)
					peer->crypto = temp;
				if (ntohl(pkt[i + 1]) != 0)
					peer->assoc = ntohl(pkt[i + 1]);
				rval = RV_OK;
			}
#ifdef DEBUG
			if (debug)
				printf(
				    "crypto_recv: verify %d flags 0x%x ts %u\n",
				    rval, temp, tstamp);
#endif
			break;

		/*
		 * Install autokey values in broadcast client and
		 * symmetric modes. 
		 */
		case CRYPTO_AUTO | CRYPTO_RESP:
			if (!(peer->flags & FLAG_AUTOKEY) &&
			    ntohl(pkt[i + 1]) != 0)
				peer->assoc = ntohl(pkt[i + 1]);
			ap = (struct autokey *)&pkt[i + 2];
#ifdef PUBKEY
			temp = ntohl(ap->siglen);
			kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
			if (len < AUTOKEY_LEN) {
				rval = RV_LEN;
			} else if (tstamp == 0 || tstamp <
			    peer->recauto.tstamp || (tstamp ==
			    peer->recauto.tstamp && (peer->flags &
			    FLAG_AUTOKEY))) {
				rval = RV_TSP;
			} else if (!crypto_flags) {
				rval = RV_OK;
			} else if (kp == NULL) {
				rval = RV_PUB;
			} else if (temp != kp->bits / 8) {
				rval = RV_SIG;
			} else {
				EVP_VerifyInit(&ctx, DA_MD5);
				EVP_VerifyUpdate(&ctx, (u_char *)ap,
				    12);
				rval = EVP_VerifyFinal(&ctx,
				    (u_char *)ap->pkt, temp, kp);
			}
#else /* PUBKEY */
			if (tstamp < peer->recauto.tstamp || (tstamp ==
			    peer->recauto.tstamp && (peer->flags &
			    FLAG_AUTOKEY)))
				rval = RV_TSP;
			else
				rval = RV_OK;
#endif /* PUBKEY */
#ifdef DEBUG
			if (debug)
				printf(
				    "crypto_recv: verify %x autokey %d %08x ts %u (%u)\n",
				    rval, ntohl(ap->seq),
				    ntohl(ap->key), tstamp,
				    peer->recauto.tstamp);
#endif
			if (rval != RV_OK) {
				if (rval != RV_TSP)
					msyslog(LOG_ERR,
					    "crypto: %x autokey %d %08x ts %u (%u)\n",
					    rval, ntohl(ap->seq),
					    ntohl(ap->key), tstamp,
					    peer->recauto.tstamp);
				break;
			}
			peer->flags |= FLAG_AUTOKEY;
			peer->flash &= ~TEST10;
			peer->assoc = ntohl(pkt[i + 1]);
			peer->recauto.tstamp = tstamp;
			peer->recauto.seq = ntohl(ap->seq);
			peer->recauto.key = ntohl(ap->key);
			peer->pkeyid = peer->recauto.key;
			break;

		/*
		 * Install session cookie in client mode. Use this also
		 * in symmetric modes for test when rsaref20 has not
		 * been installed.
		 */
		case CRYPTO_PRIV:
			peer->cmmd = ntohl(pkt[i]);
			/* fall through */

		case CRYPTO_PRIV | CRYPTO_RESP:
			cp = (struct cookie *)&pkt[i + 2];
#ifdef PUBKEY
			temp = ntohl(cp->siglen);
			kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
			if (len < COOKIE_LEN) {
				rval = RV_LEN;
			} else if (tstamp == 0 || tstamp <
			    peer->pcookie.tstamp || (tstamp ==
			    peer->pcookie.tstamp && (peer->flags &
			    FLAG_AUTOKEY))) {
				rval = RV_TSP;
			} else if (!crypto_flags) {
				rval = RV_OK;
			} else if (kp == NULL) {
				rval = RV_PUB;
			} else if (temp != kp->bits / 8) {
				rval = RV_SIG;
			} else {
				EVP_VerifyInit(&ctx, DA_MD5);
				EVP_VerifyUpdate(&ctx, (u_char *)cp, 8);
				rval = EVP_VerifyFinal(&ctx,
				    (u_char *)cp->pkt, temp, kp);
			}
#else /* PUBKEY */
			if (tstamp <= peer->pcookie.tstamp || (tstamp ==
			    peer->pcookie.tstamp && (peer->flags &
			    FLAG_AUTOKEY)))
				rval = RV_TSP;
			else
				rval = RV_OK;
#endif /* PUBKEY */

			/*
			 * Tricky here. If in client mode, use the
			 * server cookie; otherwise, use EXOR of both
			 * peer cookies. We call this Daffy-Hooligan
			 * agreement.
			 */
			if (peer->hmode == MODE_CLIENT)
				temp = ntohl(cp->key);
			else
				temp = ntohl(cp->key) ^ peer->hcookie;
#ifdef DEBUG
			if (debug)
				printf(
				    "crypto_recv: verify %x cookie %08x ts %u (%u)\n",
				    rval, temp, tstamp,
				    peer->pcookie.tstamp);
#endif
			if (rval != RV_OK) {
				if (rval != RV_TSP)
					msyslog(LOG_ERR,
					    "crypto: %x cookie %08x ts %u (%u)\n",
					    rval, temp, tstamp,
					    peer->pcookie.tstamp);
					peer->cmmd |= CRYPTO_ERROR;
				break;
			}
			if (!(peer->cast_flags & MDF_BCLNT))
				peer->flags |= FLAG_AUTOKEY;
			peer->flash &= ~TEST10;
			peer->assoc = ntohl(pkt[i + 1]);
			peer->pcookie.tstamp = tstamp;
			if (temp != peer->pcookie.key) {
				peer->pcookie.key = temp;
				key_expire(peer);
			}
			break;

		/*
		 * The following commands and responses work only when
		 * public-key cryptography has been configured. If
		 * configured, but disabled due to no crypto command in
		 * the configuration file, they are ignored.
		 */
#ifdef PUBKEY
		/*
		 * Install public key and host name.
		 */
		case CRYPTO_NAME | CRYPTO_RESP:
			if (!crypto_flags)
				break;
			vp = (struct value *)&pkt[i + 2];
			fstamp = ntohl(vp->fstamp);
			temp = ntohl(vp->vallen);
			j = i + 5 + ntohl(vp->vallen) / 4;
			bits = ntohl(pkt[i + 5]);
			if (len < VALUE_LEN) {
				rval = RV_LEN;
			} else if (temp < rsalen || bits <
			    MIN_RSA_MODULUS_BITS || bits >
			    MAX_RSA_MODULUS_BITS) {
				rval = RV_KEY;
			} else if (ntohl(pkt[j]) != bits / 8) {
				rval = RV_SIG;
			} else if (tstamp == 0 || tstamp <
			    peer->pubkey.tstamp || (tstamp ==
			    peer->pubkey.tstamp && (peer->flags &
			    FLAG_AUTOKEY))) {
				rval = RV_TSP;
			} else if (tstamp < peer->pubkey.fstamp ||
			    fstamp < peer->pubkey.fstamp) {
				rval = RV_FSP;
			} else if (fstamp == peer->pubkey.fstamp &&
			    (peer->flags & FLAG_AUTOKEY)) {
				rval = RV_FSP;
			} else {
				EVP_VerifyInit(&ctx, DA_MD5);
				EVP_VerifyUpdate(&ctx, (u_char *)vp,
				    temp + 12);
				kp = emalloc(sizeof(R_RSA_PUBLIC_KEY));
				kp->bits = bits;
				memcpy(kp->modulus, &pkt[i + 6],
				    rsalen - 4);
				rval = EVP_VerifyFinal(&ctx,
				    (u_char *)&pkt[j + 1],
				    ntohl(pkt[j]), kp);
				if (rval != 0) {
					free(kp);
				} else {
					j = i + 5 + rsalen / 4;
					peer->pubkey.ptr = (u_char *)kp;
					temp = strlen((char *)&pkt[j]);
					peer->keystr = emalloc(temp +
					    1);
					strcpy(peer->keystr,
					    (char *)&pkt[j]);
					peer->pubkey.tstamp = tstamp;
					peer->pubkey.fstamp = fstamp;
					peer->flash &= ~TEST10;
					if (!(peer->crypto &
					    CRYPTO_FLAG_CERT))
						peer->flags |=
						    FLAG_PROVEN;
				}
			}
#ifdef DEBUG
			if (debug)

				printf(
				    "crypto_recv: verify %x host %s ts %u fs %u\n",
				    rval, (char *)&pkt[i + 5 + rsalen /
				    4], tstamp, fstamp);
#endif
			if (rval != RV_OK) {
				if (rval != RV_TSP)
					msyslog(LOG_ERR,
					    "crypto: %x host %s ts %u fs %u\n",
					    rval, (char *)&pkt[i + 5 +
					    rsalen / 4], tstamp,
					    fstamp);
			}
			break;

		/*
		 * Install certificate.
		 */
		case CRYPTO_CERT | CRYPTO_RESP:
			if (!crypto_flags)
				break;
			vp = (struct value *)&pkt[i + 2];
			fstamp = ntohl(vp->fstamp);
			temp = ntohl(vp->vallen);
			kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
			j = i + 5 + temp / 4;
			if (len < VALUE_LEN) {
				rval = RV_LEN;
			} else if (kp == NULL) {
				rval = RV_PUB;
			} else if (ntohl(pkt[j]) != kp->bits / 8) {
				rval = RV_SIG;
			} else if (tstamp == 0) {
				rval = RV_TSP;
			} else if (tstamp <
			    ntohl(peer->certif.fstamp) || fstamp <
			    ntohl(peer->certif.fstamp)) {
				rval = RV_FSP;
			} else if (fstamp ==
			    ntohl(peer->certif.fstamp) && (peer->flags &
			    FLAG_AUTOKEY)) {
				peer->crypto &= ~CRYPTO_FLAG_CERT;
				rval = RV_FSP;
			} else {
				EVP_VerifyInit(&ctx, DA_MD5);
				EVP_VerifyUpdate(&ctx, (u_char *)vp,
				    temp + 12);
				rval = EVP_VerifyFinal(&ctx,
				    (u_char *)&pkt[j + 1],
				    ntohl(pkt[j]), kp);
			}
#ifdef DEBUG
			if (debug)
				printf(
				    "crypto_recv: verify %x certificate %u ts %u fs %u\n",
				    rval, temp, tstamp, fstamp);
#endif

			/*
			 * If the peer data are newer than the host
			 * data, replace the host data. Otherwise,
			 * wait for the peer to fetch the host data.
			 */
			if (rval != RV_OK || temp == 0) {
				if (rval != RV_TSP)
					msyslog(LOG_ERR,
					    "crypto: %x certificate %u ts %u fs %u\n",
					    rval, temp, tstamp, fstamp);
				break;
			}
			peer->flash &= ~TEST10;
			peer->flags |= FLAG_PROVEN;
			peer->crypto &= ~CRYPTO_FLAG_CERT;

			/*
			 * Initialize agreement parameters and extension
			 * field in network byte order. Note the private
			 * key length is set arbitrarily at half the
			 * prime length.
			 */
			peer->certif.tstamp = vp->tstamp;
			peer->certif.fstamp = vp->fstamp;
			peer->certif.vallen = vp->vallen;
			if (peer->certif.ptr == NULL)
				free(peer->certif.ptr);
			peer->certif.ptr = emalloc(temp);
			memcpy(peer->certif.ptr, vp->pkt, temp);
			crypto_agree();
			break;

		/*
		 * Install agreement parameters in symmetric modes.
		 */
		case CRYPTO_DHPAR | CRYPTO_RESP:
			if (!crypto_flags)
				break;
			vp = (struct value *)&pkt[i + 2];
			fstamp = ntohl(vp->fstamp);
			temp = ntohl(vp->vallen);
			kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
			j = i + 5 + temp / 4;
			if (len < VALUE_LEN) {
				rval = RV_LEN;
			} else if (kp == NULL) {
				rval = RV_PUB;
			} else if (ntohl(pkt[j]) != kp->bits / 8) {
				rval = RV_SIG;
			} else if (tstamp == 0) {
				rval = RV_TSP;
			} else if (tstamp < ntohl(dhparam.fstamp) ||
			    fstamp < ntohl(dhparam.fstamp)) {
				rval = RV_FSP;
			} else if (fstamp == ntohl(dhparam.fstamp) &&
			    (peer->flags & FLAG_AUTOKEY)) {
				peer->crypto &= ~CRYPTO_FLAG_DH;
				rval = RV_FSP;
			} else {
				EVP_VerifyInit(&ctx, DA_MD5);
				EVP_VerifyUpdate(&ctx, (u_char *)vp,
				    temp + 12);
				rval = EVP_VerifyFinal(&ctx,
				    (u_char *)&pkt[j + 1],
				    ntohl(pkt[j]), kp);
			}
#ifdef DEBUG
			if (debug)
				printf(
				    "crypto_recv: verify %x parameters %u ts %u fs %u\n",
				    rval, temp, tstamp, fstamp);
#endif

			/*
			 * If the peer data are newer than the host
			 * data, replace the host data. Otherwise,
			 * wait for the peer to fetch the host data.
			 */
			if (rval != RV_OK || temp == 0) {
				if (rval != RV_TSP)
					msyslog(LOG_ERR,
					    "crypto: %x parameters %u ts %u fs %u\n",
					    rval, temp, tstamp, fstamp);
				break;
			}
			peer->flash &= ~TEST10;
			crypto_flags |= CRYPTO_FLAG_DH;
			peer->crypto &= ~CRYPTO_FLAG_DH;

			/*
			 * Initialize agreement parameters and extension
			 * field in network byte order. Note the private
			 * key length is set arbitrarily at half the
			 * prime length.
			 */
			dhparam.tstamp = vp->tstamp;
			dhparam.fstamp = vp->fstamp;
			dhparam.vallen = vp->vallen;
			if (dhparam.ptr != NULL)
				free(dhparam.ptr);
			pp = emalloc(temp);
			dhparam.ptr = (u_char *)pp;
			memcpy(pp, vp->pkt, temp);
			dh_params.primeLen = ntohl(*pp++);
			dh_params.prime = (u_char *)pp;
			pp += dh_params.primeLen / 4;
			dh_params.generatorLen = ntohl(*pp++);
			dh_params.generator = (u_char *)pp;
			dh_keyLen = dh_params.primeLen / 2;
			if (dh_private != NULL)
				free(dh_private);
			dh_private = emalloc(dh_keyLen);
			if (dhparam.sig == NULL)
				dhparam.sig = emalloc(private_key.bits /
				    8);

			/*
			 * Initialize public value extension field.
			 */
			dhpub.tstamp = vp->tstamp;
			dhpub.fstamp = vp->fstamp;
			dhpub.vallen = htonl(dh_params.primeLen);
			if (dhpub.ptr != NULL)
				free(dhpub.ptr);
			dhpub.ptr = emalloc(dh_params.primeLen);
			if (dhpub.sig == NULL)
				dhpub.sig = emalloc(private_key.bits /
				    8);
			crypto_agree();
			break;

		/*
		 * Verify public value and compute agreed key in
		 * symmetric modes.
		 */
		case CRYPTO_DH:
			peer->cmmd = ntohl(pkt[i]);
			if (!crypto_flags)
				peer->cmmd |= CRYPTO_ERROR;
			/* fall through */

		case CRYPTO_DH | CRYPTO_RESP:
			if (!crypto_flags)
				break;
			vp = (struct value *)&pkt[i + 2];
			fstamp = ntohl(vp->fstamp);
			temp = ntohl(vp->vallen);
			kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
			j = i + 5 + temp / 4;
			if (len < VALUE_LEN) {
				rval = RV_LEN;
			} else if (temp != dh_params.primeLen) {
				rval = RV_DH;
			} else if (kp == NULL) {
				rval = RV_PUB;
			} else if (ntohl(pkt[j]) != kp->bits / 8) {
				rval = RV_SIG;
			} else if (tstamp == 0 || tstamp <
			    peer->pcookie.tstamp || (tstamp ==
			    peer->pcookie.tstamp && (peer->flags &
			    FLAG_AUTOKEY))) {
				rval = RV_TSP;
			} else {
				EVP_VerifyInit(&ctx, DA_MD5);
				EVP_VerifyUpdate(&ctx, (u_char *)vp,
				    temp + 12);
				rval = EVP_VerifyFinal(&ctx,
				    (u_char *)&pkt[j + 1],
				    ntohl(pkt[j]), kp);
			}

			/*
			 * Run the agreement algorithm and stash the key
			 * value. We use only the first u_int32 for the
			 * host cookie. Wasteful. If the association ID
			 * is zero, the other guy hasn't seen us as
			 * synchronized, in which case both of us should
			 * be using a zero cookie.
			 */
			if (rval != RV_OK) {
				temp = 0;
			} else if (fstamp > dhparam.fstamp) {
				crypto_flags &= ~CRYPTO_FLAG_DH;
				rval = RV_FSP;
			} else {
				rval = R_ComputeDHAgreedKey(dh_key,
				    (u_char *)&pkt[i + 5], dh_private,
				    dh_keyLen, &dh_params);
				temp = ntohl(*(u_int32 *)dh_key);
			}
#ifdef DEBUG
			if (debug)
				printf(
				    "crypto_recv: verify %x agreement %08x ts %u (%u) fs %u\n",
				    rval, temp, tstamp,
				    peer->pcookie.tstamp, fstamp);
#endif
			if (rval != RV_OK) {
				if (rval != RV_TSP)
					msyslog(LOG_ERR,
					    "crypto: %x agreement %08x ts %u (%u) fs %u\n",
					    rval, temp, tstamp,
					    peer->pcookie.tstamp,
					    fstamp);
					peer->cmmd |= CRYPTO_ERROR;
				break;
			}
			peer->flash &= ~TEST10;
			peer->flags &= ~FLAG_AUTOKEY;
			peer->assoc = ntohl(pkt[i + 1]);
			peer->pcookie.tstamp = tstamp;
			if (temp != peer->pcookie.key) {
				peer->pcookie.key = temp;
				key_expire(peer);
			}
			break;

		/*
		 * Install leapseconds table.
		 */
		case CRYPTO_TAI | CRYPTO_RESP:
			if (!crypto_flags)
				break;
			vp = (struct value *)&pkt[i + 2];
			fstamp = ntohl(vp->fstamp);
			temp = ntohl(vp->vallen);
			kp = (R_RSA_PUBLIC_KEY *)peer->pubkey.ptr;
			j = i + 5 + temp / 4;
			if (len < VALUE_LEN) {
				rval = RV_LEN;
			} if (kp == NULL) {
				rval = RV_PUB;
			} else if (ntohl(pkt[j]) != kp->bits / 8) {
				rval = RV_SIG;
			} else if (tstamp == 0) {
				rval = RV_TSP;
			} else if (tstamp < ntohl(tai_leap.fstamp) ||
			    fstamp < ntohl(tai_leap.fstamp)) {
				rval = RV_FSP;
			} else if (fstamp == ntohl(tai_leap.fstamp) &&
			    (peer->flags & FLAG_AUTOKEY)) {
				peer->crypto &= ~CRYPTO_FLAG_TAI;
				rval = RV_FSP;
			} else {
				EVP_VerifyInit(&ctx, DA_MD5);
				EVP_VerifyUpdate(&ctx, (u_char *)vp,
				    temp + 12);
				rval = EVP_VerifyFinal(&ctx,
				    (u_char *)&pkt[j + 1],
				    ntohl(pkt[j]), kp);
			}
#ifdef DEBUG
			if (debug)
				printf(
				    "crypto_recv: verify %x leapseconds %u ts %u fs %u\n",
				    rval, temp, tstamp, fstamp);
#endif

			/*
			 * If the peer data are newer than the host
			 * data, replace the host data. Otherwise,
			 * wait for the peer to fetch the host data.
			 */
			if (rval != RV_OK || temp == 0) {
				if (rval != RV_TSP)
					msyslog(LOG_ERR,
					    "crypto: %x leapseconds %u ts %u fs %u\n",
					    rval, temp, tstamp, fstamp);
				break;
			}
			peer->flash &= ~TEST10;
			crypto_flags |= CRYPTO_FLAG_TAI;
			peer->crypto &= ~CRYPTO_FLAG_TAI;
			sys_tai = temp / 4 + TAI_1972 - 1;
#ifdef KERNEL_PLL
#if NTP_API > 3
			ntv.modes = MOD_TAI;
			ntv.constant = sys_tai;
			(void)ntp_adjtime(&ntv);
#endif /* NTP_API */
#endif /* KERNEL_PLL */

			/*
			 * Initialize leapseconds table and extension
			 * field in network byte order.
			 */
			tai_leap.tstamp = vp->tstamp;
			tai_leap.fstamp = vp->fstamp;
			tai_leap.vallen = vp->vallen;
			if (tai_leap.ptr == NULL)
				free(tai_leap.ptr);
			tai_leap.ptr = emalloc(temp);
			memcpy(tai_leap.ptr, vp->pkt, temp);
			if (tai_leap.sig == NULL)
				tai_leap.sig =
				    emalloc(private_key.bits / 8);
			crypto_agree();
			break;
#endif /* PUBKEY */

		/*
		 * For other requests, save the request code for later;
		 * for unknown responses or errors, just ignore for now.
		 */
		default:
			if (code & (CRYPTO_RESP | CRYPTO_ERROR))
				break;
			peer->cmmd = ntohl(pkt[i]);
			break;

		}
		authlen += len;
	}
}


/*
 * crypto_xmit - construct extension fields
 *
 * This routine is called both when an association is configured and
 * when one is not. The only case where this matters now is to retrieve
 * the autokey information, in which case the caller has to provide the
 * association ID to match the association.
 */
int				/* return length of extension field */
crypto_xmit(
	u_int32 *xpkt,		/* packet pointer */
	int start,		/* offset to extension field */
	u_int code,		/* extension field code */
	keyid_t cookie,		/* session cookie */
	u_int associd		/* association ID */
	)
{
	struct peer *peer;	/* peer structure pointer */
	struct autokey *ap;	/* autokey pointer */
	struct cookie *cp;	/* cookie pointer */
	int len;		/* extension field length */
	u_int opcode;		/* extension field opcode */
	int i;
#ifdef PUBKEY
	R_SIGNATURE_CTX ctx;	/* signature context */
	struct value *vp;	/* value pointer */
	int rval;		/* return value */
	u_int temp;
	int j;
#endif /* PUBKEY */

	/*
	 * Generate the requested extension field request code, length
	 * and association ID. Note that several extension fields are
	 * used with and without public-key cryptography. If public-key
	 * cryptography has not been configured, we do the same thing,
	 * but leave off the signature.
	 */
	i = start / 4;
	opcode = code;
	xpkt[i + 1] = htonl(associd);
	len = 8;
	switch (opcode) {

	/*
	 * Send association ID, timestamp and status word.
	 */
	case CRYPTO_ASSOC | CRYPTO_RESP:
		cp = (struct cookie *)&xpkt[i + 2];
#ifdef PUBKEY
		cp->tstamp = host.tstamp;
#else
		cp->tstamp = 0;
#endif /* PUBKEY */
		cp->key = htonl(crypto_flags);
		cp->siglen = 0;
		len += 12;
		break;

	/*
	 * Find peer and send autokey data and signature in broadcast
	 * server and symmetric modes. If no association is found,
	 * either the server has restarted with new associations or some
	 * perp has replayed an old message.
	 */
	case CRYPTO_AUTO | CRYPTO_RESP:
		peer = findpeerbyassoc(associd);
		if (peer == NULL) {
			opcode |= CRYPTO_ERROR;
			break;
		}
		peer->flags &= ~FLAG_ASSOC;
		ap = (struct autokey *)&xpkt[i + 2];
		ap->tstamp = peer->sndauto.tstamp;
		ap->seq = peer->sndauto.seq;
		ap->key = peer->sndauto.key;
		ap->siglen = peer->sndauto.siglen;
		len += 16;
#ifdef PUBKEY
		if (!crypto_flags)
			break;
		temp = ntohl(ap->siglen);
		if (temp != 0)
			memcpy(ap->pkt, peer->sndauto.sig, temp);
		len += temp;
#endif /* PUBKEY */
		break;

	/*
	 * Send peer cookie and signature in server mode.
	 */
	case CRYPTO_PRIV:
	case CRYPTO_PRIV | CRYPTO_RESP:
		cp = (struct cookie *)&xpkt[i + 2];
		cp->key = htonl(cookie);
		cp->siglen = 0;
		len += 12;
#ifdef PUBKEY
		cp->tstamp = host.tstamp;
		if (!crypto_flags)
			break;
		EVP_SignInit(&ctx, DA_MD5);
		EVP_SignUpdate(&ctx, (u_char *)cp, 8);
		rval = EVP_SignFinal(&ctx, (u_char *)cp->pkt, &temp,
		    &private_key);
		if (rval != RV_OK) {
			msyslog(LOG_ERR,
			    "crypto: cookie signature fails %x", rval);
			break;
		}
		cp->siglen = htonl(temp);
		len += temp;
#endif /* PUBKEY */
		break;

#ifdef PUBKEY
	/*
	 * The following commands and responses work only when public-
	 * key cryptography has been configured. If configured, but
	 * disabled due to no crypto command in the configuration file,
	 * they are ignored and an error response is returned.
	 */
	/*
	 * Send certificate, timestamp and signature.
	 */
	case CRYPTO_CERT | CRYPTO_RESP:
		if (!crypto_flags) {
			opcode |= CRYPTO_ERROR;
			break;
		}
		vp = (struct value *)&xpkt[i + 2];
		vp->tstamp = certif.tstamp;
		vp->fstamp = certif.fstamp;
		vp->vallen = 0;
		len += 12;
		temp = ntohl(certif.vallen);
		if (temp == 0)
			break;
		vp->vallen = htonl(temp);
		memcpy(vp->pkt, certif.ptr, temp);
		len += temp;
		j = i + 5 + temp / 4;
		temp = public_key.bits / 8;
		xpkt[j++] = htonl(temp);
		memcpy(&xpkt[j], certif.sig, temp);
		len += temp + 4;
		break;

	/*
	 * Send agreement parameters, timestamp and signature.
	 */
	case CRYPTO_DHPAR | CRYPTO_RESP:
		if (!crypto_flags) {
			opcode |= CRYPTO_ERROR;
			break;
		}
		vp = (struct value *)&xpkt[i + 2];
		vp->tstamp = dhparam.tstamp;
		vp->fstamp = dhparam.fstamp;
		vp->vallen = 0;
		len += 12;
		temp = ntohl(dhparam.vallen);
		if (temp == 0)
			break;
		vp->vallen = htonl(temp);
		memcpy(vp->pkt, dhparam.ptr, temp);
		len += temp;
		j = i + 5 + temp / 4;
		temp = public_key.bits / 8;
		xpkt[j++] = htonl(temp);
		memcpy(&xpkt[j], dhparam.sig, temp);
		len += temp + 4;
		break;

	/*
	 * Send public value, timestamp and signature.
	 */
	case CRYPTO_DH:
	case CRYPTO_DH | CRYPTO_RESP:
		if (!crypto_flags) {
			opcode |= CRYPTO_ERROR;
			break;
		}
		vp = (struct value *)&xpkt[i + 2];
		vp->tstamp = dhpub.tstamp;
		vp->fstamp = dhpub.fstamp;
		vp->vallen = 0;
		len += 12;
		temp = ntohl(dhpub.vallen);
		if (temp == 0)
			break;
		vp->vallen = htonl(temp);
		memcpy(vp->pkt, dhpub.ptr, temp);
		len += temp;
		j = i + 5 + temp / 4;
		temp = public_key.bits / 8;
		xpkt[j++] = htonl(temp);
		memcpy(&xpkt[j], dhpub.sig, temp);
		len += temp + 4;
		break;

	/*
	 * Send public key, host name, timestamp and signature.
	 */
	case CRYPTO_NAME | CRYPTO_RESP:
		if (!crypto_flags) {
			opcode |= CRYPTO_ERROR;
			break;
		}
		vp = (struct value *)&xpkt[i + 2];
		vp->tstamp = host.tstamp;
		vp->fstamp = host.fstamp;
		vp->vallen = 0;
		len += 12;
		temp = ntohl(host.vallen);
		if (temp == 0)
			break;
		vp->vallen = htonl(temp);
		memcpy(vp->pkt, host.ptr, temp);
		len += temp;
		j = i + 5 + temp / 4;
		temp = public_key.bits / 8;
		xpkt[j++] = htonl(temp);
		memcpy(&xpkt[j], host.sig, temp);
		len += temp + 4;
		break;

	/*
	 * Send leapseconds table, timestamp and signature.
	 */
	case CRYPTO_TAI | CRYPTO_RESP:
		if (!crypto_flags) {
			opcode |= CRYPTO_ERROR;
			break;
		}
		vp = (struct value *)&xpkt[i + 2];
		vp->tstamp = tai_leap.tstamp;
		vp->fstamp = tai_leap.fstamp;
		vp->vallen = 0;
		len += 12;
		temp = ntohl(tai_leap.vallen);
		if (temp == 0)
			break;
		vp->vallen = htonl(temp);
		memcpy(vp->pkt, tai_leap.ptr, temp);
		len += temp;
		j = i + 5 + temp / 4;
		temp = public_key.bits / 8;
		xpkt[j++] = htonl(temp);
		memcpy(&xpkt[j], tai_leap.sig, temp);
		len += temp + 4;
		break;
#endif /* PUBKEY */

	/*
	 * Default - Fall through for requests; for unknown responses,
	 * flag as error.
	 */
	default:
		if (opcode & CRYPTO_RESP)
			opcode |= CRYPTO_ERROR;
		break;
	}

	/*
	 * Round up the field length to a multiple of 8 octets and save
	 * the request code and length.
	 */
	len = ((len + 7) / 8) * 8;
	if (len >= 4) {
		xpkt[i] = htonl((u_int32)((opcode << 16) | len));
#ifdef DEBUG
		if (debug)
			printf(
			    "crypto_xmit: ext offset %d len %d code %x assocID %d\n",
			    start, len, code, associd);
#endif
	}
	return (len);
}

#ifdef PUBKEY
/*
 * crypto_setup - load private key, public key, optional agreement
 * parameters and optional leapseconds table, then initialize extension
 * fields for later signatures.
 */
void
crypto_setup(void)
{
	char filename[MAXFILENAME];
	u_int fstamp;			/* filestamp */
	u_int len, temp;
	u_int32 *pp;

	/*
	 * Initialize structures.
	 */
	memset(&private_key, 0, sizeof(private_key));
	memset(&public_key, 0, sizeof(public_key));
	memset(&certif, 0, sizeof(certif));
	memset(&dh_params, 0, sizeof(dh_params));
	memset(&host, 0, sizeof(host));
	memset(&dhparam, 0, sizeof(dhparam));
	memset(&dhpub, 0, sizeof(dhpub));
	memset(&tai_leap, 0, sizeof(tai_leap));
	if (!crypto_flags)
		return;

	/*
	 * Load required private key from file, default "ntpkey".
	 */
	if (private_key_file == NULL)
		private_key_file = "ntpkey";
	host.fstamp = htonl(crypto_rsa(private_key_file,
	    (u_char *)&private_key, sizeof(R_RSA_PRIVATE_KEY)));

	/*
	 * Load required public key from file, default
	 * "ntpkey_host", where "host" is the canonical name of this
	 * machine.
	 */
	if (public_key_file == NULL) {
		snprintf(filename, MAXFILENAME, "ntpkey_%s",
		    sys_hostname);
		public_key_file = emalloc(strlen(filename) + 1);
		strcpy(public_key_file, filename);
	}
	fstamp = htonl(crypto_rsa(public_key_file,
	    (u_char *)&public_key, sizeof(R_RSA_PUBLIC_KEY)));
	if (fstamp != host.fstamp || strstr(public_key_file,
	    sys_hostname) == NULL) {
		msyslog(LOG_ERR,
		    "crypto: public/private key files mismatch");
		exit (-1);
	}
	crypto_flags |= CRYPTO_FLAG_RSA;

	/*
	 * Assemble public key and host name in network byte order.
	 * These data will later be signed and sent in response to
	 * a client request. Note that the modulus must be a u_int32 in
	 * network byte order independent of the host order or u_int
	 * size.
	 */
	strcpy(filename, sys_hostname);
	for (len = strlen(filename) + 1; len % 4 != 0; len++)
		filename[len - 1] = 0;
	temp = sizeof(R_RSA_PUBLIC_KEY) - sizeof(u_int) + 4;
	host.vallen = htonl(temp + len);
	pp = emalloc(temp + len);
	host.ptr = (u_char *)pp;
	*pp++ = htonl(public_key.bits);
	memcpy(pp--, public_key.modulus, temp - 4);
	pp += temp / 4;
	memcpy(pp, filename, len);
	host.sig = emalloc(private_key.bits / 8);

	/*
	 * Load optional certificate from file, default "ntpkey_certif".
	 * If the file is missing or defective, the values can later be
	 * retrieved from a server.
	 */
	if (certif_file == NULL)
		snprintf(filename, MAXFILENAME, "ntpkey_certif_%s",
		    sys_hostname);
		certif_file = emalloc(strlen(filename) + 1);
		strcpy(certif_file, filename);
	crypto_cert(certif_file);

	/*
	 * Load optional agreement parameters from file, default
	 * "ntpkey_dh". If the file is missing or defective, the values
	 * can later be retrieved from a server.
	 */
	if (dh_params_file == NULL)
		dh_params_file = "ntpkey_dh";
	crypto_dh(dh_params_file);

	/*
	 * Load optional leapseconds from file, default "ntpkey_leap".
	 * If the file is missing or defective, the values can later be
	 * retrieved from a server.
	 */
	if (tai_leap_file == NULL)
		tai_leap_file = "ntpkey_leap";
	crypto_tai(tai_leap_file);
}


/*
 * crypto_agree - compute new public value and sign extension fields.
 */
void
crypto_agree(void)
{
	R_RANDOM_STRUCT randomstr; /* wiggle bits */
	R_SIGNATURE_CTX ctx;	/* signature context */
	l_fp lstamp;		/* NTP time */
	tstamp_t tstamp;	/* seconds timestamp */
	u_int len, temp;
	int rval, i;

	/*
	 * Sign host name and timestamps, but only if the clock is
	 * synchronized.
	 */
	if (sys_leap == LEAP_NOTINSYNC)
		return;
	get_systime(&lstamp);
	tstamp = lstamp.l_ui;
	host.tstamp = htonl(tstamp);
	if (!crypto_flags)
		return;
	EVP_SignInit(&ctx, DA_MD5);
	EVP_SignUpdate(&ctx, (u_char *)&host, 12);
	EVP_SignUpdate(&ctx, host.ptr, ntohl(host.vallen));
	rval = EVP_SignFinal(&ctx, host.sig, &len, &private_key);
	if (rval != RV_OK || len != private_key.bits / 8) {
		msyslog(LOG_ERR, "crypto: host signature fails %x",
		    rval);
		exit (-1);
	}
	host.siglen = ntohl(len);

	/*
	 * Sign certificate and timestamps.
	 */
	if (certif.vallen != 0) {
		certif.tstamp = htonl(tstamp);
		EVP_SignInit(&ctx, DA_MD5);
		EVP_SignUpdate(&ctx, (u_char *)&certif, 12);
		EVP_SignUpdate(&ctx, certif.ptr,
		    ntohl(certif.vallen));
		rval = EVP_SignFinal(&ctx, certif.sig, &len,
		    &private_key);
		if (rval != RV_OK || len != private_key.bits / 8) {
			msyslog(LOG_ERR,
			    "crypto: certificate signature fails %x",
			    rval);
			exit (-1);
		}
		certif.siglen = ntohl(len);
	}

	/*
	 * Sign agreement parameters and timestamps.
	 */
	if (dhparam.vallen != 0) {
		dhparam.tstamp = htonl(tstamp);
		EVP_SignInit(&ctx, DA_MD5);
		EVP_SignUpdate(&ctx, (u_char *)&dhparam, 12);
		EVP_SignUpdate(&ctx, dhparam.ptr,
		    ntohl(dhparam.vallen));
		rval = EVP_SignFinal(&ctx, dhparam.sig, &len,
		    &private_key);
		if (rval != RV_OK || len != private_key.bits / 8) {
			msyslog(LOG_ERR,
			    "crypto: parameters signature fails %x",
			    rval);
			exit (-11);
		}
		dhparam.siglen = ntohl(len);

		/*
		 * Compute public value.
		 */
		R_RandomInit(&randomstr);
		R_GetRandomBytesNeeded(&len, &randomstr);
		for (i = 0; i < len; i++) {
			temp = RANDOM;
			R_RandomUpdate(&randomstr, (u_char *)&temp, 1);
		}
		rval = R_SetupDHAgreement(dhpub.ptr, dh_private,
		    dh_keyLen, &dh_params, &randomstr);
		if (rval != RV_OK) {
			msyslog(LOG_ERR,
			    "crypto: invalid public value");
			exit (-1);
		}

		/*
		 * Sign public value and timestamps.
		 */
		dhpub.tstamp = htonl(tstamp);
		EVP_SignInit(&ctx, DA_MD5);
		EVP_SignUpdate(&ctx, (u_char *)&dhpub, 12);
		EVP_SignUpdate(&ctx, dhpub.ptr, ntohl(dhpub.vallen));
		rval = EVP_SignFinal(&ctx, dhpub.sig, &len,
		    &private_key);
		if (rval != RV_OK || len != private_key.bits / 8) {
			msyslog(LOG_ERR,
			    "crypto: public value signature fails %x",
			    rval);
			exit (-1);
		}
		dhpub.siglen = ntohl(len);
	}

	/*
	 * Sign leapseconds table and timestamps.
	 */
	if (tai_leap.vallen != 0) {
		tai_leap.tstamp = htonl(tstamp);
		EVP_SignInit(&ctx, DA_MD5);
		EVP_SignUpdate(&ctx, (u_char *)&tai_leap, 12);
		EVP_SignUpdate(&ctx, tai_leap.ptr,
		    ntohl(tai_leap.vallen));
		rval = EVP_SignFinal(&ctx, tai_leap.sig, &len,
		    &private_key);
		if (rval != RV_OK || len != private_key.bits / 8) {
			msyslog(LOG_ERR,
			    "crypto: leapseconds signature fails %x",
			    rval);
			exit (-1);
		}
		tai_leap.siglen = ntohl(len);
	}
#ifdef DEBUG
	if (debug)
		printf(
		    "cypto_agree: ts %u host %u par %u pub %u leap %u\n",
		    tstamp, ntohl(host.fstamp), ntohl(dhparam.fstamp),
		    ntohl(dhpub.fstamp), ntohl(tai_leap.fstamp));
#endif
}


/*
 * crypto_rsa - read RSA key, decode and check for errors.
 */
static u_int
crypto_rsa(
	char *cp,		/* file name */
	u_char *key,		/* key pointer */
	u_int keylen		/* key length */
	)
{
	FILE *str;		/* file handle */
	u_char buf[MAX_LINLEN];	/* file line buffer */
	u_char encoded_key[MAX_ENCLEN]; /* encoded key buffer */
	char filename[MAXFILENAME]; /* name of parameter file */
	char linkname[MAXFILENAME]; /* file link (for filestamp) */
	u_int fstamp;		/* filestamp */
	u_int bits, len;
	char *rptr;
	int rval;

	/*
	 * Open the file and discard comment lines. If the first
	 * character of the file name is not '/', prepend the keys
	 * directory string. 
	 */
	if (*cp == '/')
		strcpy(filename, cp);
	else
		snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
	str = fopen(filename, "r");
	if (str == NULL) {
		msyslog(LOG_ERR, "crypto: RSA file %s not found",
		    filename);
		exit (-1);
	}

	/*
	 * Ignore initial comments and empty lines.
	 */
	while ((rptr = fgets(buf, MAX_LINLEN - 1, str)) != NULL) {
		len = strlen(buf);
		if (len < 1)
			continue;
		if (*buf == '#' || *buf == '\r' || *buf == '\0')
			continue;
		break;
	}

	/*
	 * We are rather paranoid here, since an intruder might cause a
	 * coredump by infiltrating a naughty key. The line must contain
	 * a single integer followed by a PEM encoded, null-terminated
	 * string.
	 */
	if (rptr == NULL)
		rval = RV_DAT;
	else if (sscanf(buf, "%d %s", &bits, encoded_key) != 2)
		rval = RV_DAT;
	else if (R_DecodePEMBlock(&buf[sizeof(u_int)], &len,
		    encoded_key, strlen(encoded_key)))
		rval = RV_DEC;
	else if ((len += sizeof(u_int)) != keylen)
		rval = RV_KEY;
	else if (bits < MIN_RSA_MODULUS_BITS || bits >
	    MAX_RSA_MODULUS_BITS)
		rval = RV_KEY;
	else
		rval = RV_OK;
	if (rval != RV_OK) {
		fclose(str);
		msyslog(LOG_ERR, "crypto: RSA file %s error %x", cp,
		    rval);
		exit (-1);
	}
	fclose(str);
	*(u_int *)buf = bits;
	memcpy(key, buf, keylen);

	/*
	 * Extract filestamp if present.
	 */
	rval = readlink(filename, linkname, MAXFILENAME - 1);
	if (rval > 0) {
		linkname[rval] = '\0';
		rptr = strrchr(linkname, '.');
	} else {
		rptr = strrchr(filename, '.');
	}
	if (rptr != NULL)
		sscanf(++rptr, "%u", &fstamp);
	else
		fstamp = 0;
#ifdef DEBUG
	if (debug)
		printf(
		    "crypto_rsa: key file %s link %d fs %u modulus %d\n",
		    cp, rval, fstamp, bits);
#endif
	return (fstamp);
}


/*
 * crypto_cert - read certificate
 */
static void
crypto_cert(
	char *cp		/* file name */
	)
{
	u_char buf[5000];	/* file line buffer */
	char filename[MAXFILENAME]; /* name of certificate file */
	char linkname[MAXFILENAME]; /* file link (for filestamp) */
	u_int fstamp;		/* filestamp */
	u_int32 *pp;
	u_int len;
	char *rptr;
	int rval, fd;

	/*
	 * Open the file and discard comment lines. If the first
	 * character of the file name is not '/', prepend the keys
	 * directory string. If the file is not found, not to worry; it
	 * can be retrieved over the net. But, if it is found with
	 * errors, we crash and burn.
	 */
	if (*cp == '/')
		strcpy(filename, cp);
	else
		snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
	fd = open(filename, O_RDONLY, 0777);
	if (fd <= 0) {
		msyslog(LOG_INFO,
		    "crypto: certificate file %s not found",
		    filename);
		return;
	}

	/*
	 * We are rather paranoid here, since an intruder might cause a
	 * coredump by infiltrating naughty values.
	 */
	rval = RV_OK;
	len = read(fd, buf, 5000);
	close(fd);
	if (rval != RV_OK) {
		msyslog(LOG_ERR,
		    "crypto: certificate file %s error %d", cp,
		    rval);
		exit (-1);
	}

	/*
	 * The extension field entry consists of the raw certificate.
	 */
	certif.vallen = htonl(200);	/* xxxxxxxxxxxxxxxxxx */
	pp = emalloc(len);
	certif.ptr = (u_char *)pp;
	memcpy(pp, buf, len);
	certif.sig = emalloc(private_key.bits / 8);
	crypto_flags |= CRYPTO_FLAG_CERT;

	/*
	 * Extract filestamp if present.
	 */
	rval = readlink(filename, linkname, MAXFILENAME - 1);
	if (rval > 0) {
		linkname[rval] = '\0';
		rptr = strrchr(linkname, '.');
	} else {
		rptr = strrchr(filename, '.');
	}
	if (rptr != NULL)
		sscanf(++rptr, "%u", &fstamp);
	else
		fstamp = 0;
	certif.fstamp = htonl(fstamp);
#ifdef DEBUG
	if (debug)
		printf(
		    "crypto_cert: certif file %s link %d fs %u len %d\n",
		    cp, rval, fstamp, len);
#endif
}


/*
 * crypto_dh - read agreement parameters, decode and check for errors.
 */
static void
crypto_dh(
	char *cp		/* file name */
	)
{
	FILE *str;		/* file handle */
	u_char buf[MAX_LINLEN];	/* file line buffer */
	u_char encoded_key[MAX_ENCLEN]; /* encoded key buffer */
	u_char prime[MAX_KEYLEN]; /* decoded prime */
	u_char generator[MAX_KEYLEN]; /* decode generator */
	u_int primelen;		/* prime length (octets) */
	u_int generatorlen;	/* generator length (octets) */
	char filename[MAXFILENAME]; /* name of parameter file */
	char linkname[MAXFILENAME]; /* file link (for filestamp) */
	u_int fstamp;		/* filestamp */
	u_int32 *pp;
	u_int len;
	char *rptr;
	int rval;

	/*
	 * Open the file and discard comment lines. If the first
	 * character of the file name is not '/', prepend the keys
	 * directory string. If the file is not found, not to worry; it
	 * can be retrieved over the net. But, if it is found with
	 * errors, we crash and burn.
	 */
	if (*cp == '/')
		strcpy(filename, cp);
	else
		snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
	str = fopen(filename, "r");
	if (str == NULL) {
		msyslog(LOG_INFO,
		    "crypto: parameters file %s not found", filename);
		return;
	}

	/*
	 * Ignore initial comments and empty lines.
	 */
	while ((rptr = fgets(buf, MAX_LINLEN - 1, str)) != NULL) {
		if (strlen(buf) < 1)
			continue;
		if (*buf == '#' || *buf == '\r' || *buf == '\0')
			continue;
		break;
	}

	/*
	 * We are rather paranoid here, since an intruder might cause a
	 * coredump by infiltrating a naughty key. There must be two
	 * lines; the first contains the prime, the second the
	 * generator. Each line must contain a single integer followed
	 * by a PEM encoded, null-terminated string.
	 */
	if (rptr == NULL)
		rval = RV_DAT;
	else if (sscanf(buf, "%u %s", &primelen, encoded_key) != 2)
		rval = RV_DAT;
	else if (primelen > MAX_KEYLEN)
		rval = RV_KEY;
	else if (R_DecodePEMBlock(prime, &len, encoded_key,
	    strlen(encoded_key)))
		rval = RV_DEC;
	else if (primelen != len || primelen >
	    DECODED_CONTENT_LEN(strlen(encoded_key)))
		rval = RV_DAT;
	else if (fscanf(str, "%u %s", &generatorlen, encoded_key) != 2)
		rval = RV_DAT;
	else if (generatorlen > MAX_KEYLEN)
		rval = RV_KEY;
	else if (R_DecodePEMBlock(generator, &len, encoded_key,
	    strlen(encoded_key)))
		rval = RV_DEC;
	else if (generatorlen != len || generatorlen >
	    DECODED_CONTENT_LEN(strlen(encoded_key)))
		rval = RV_DAT;
	else
		rval = RV_OK;
	if (rval != RV_OK) {
		msyslog(LOG_ERR,
		    "crypto: parameters file %s error %x", cp,
		    rval);
		exit (-1);
	}
	fclose(str);

	/*
	 * Initialize agreement parameters and extension field in
	 * network byte order. Note the private key length is set
	 * arbitrarily at half the prime length.
	 */
	len = 4 + primelen + 4 + generatorlen;
	dhparam.vallen = htonl(len);
	pp = emalloc(len);
	dhparam.ptr = (u_char *)pp;
	*pp++ = htonl(primelen);
	memcpy(pp, prime, primelen);
	dh_params.prime = (u_char *)pp;
	pp += primelen / 4;
	*pp++ = htonl(generatorlen);
	memcpy(pp, &generator, generatorlen);
	dh_params.generator = (u_char *)pp;

	dh_params.primeLen = primelen;
	dh_params.generatorLen = generatorlen;
	dh_keyLen = primelen / 2;
	dh_private = emalloc(dh_keyLen);
	dhparam.sig = emalloc(private_key.bits / 8);
	crypto_flags |= CRYPTO_FLAG_DH;

	/*
	 * Initialize public value extension field.
	 */
	dhpub.vallen = htonl(dh_params.primeLen);
	dhpub.ptr = emalloc(dh_params.primeLen);
	dhpub.sig = emalloc(private_key.bits / 8);

	/*
	 * Extract filestamp if present.
	 */
	rval = readlink(filename, linkname, MAXFILENAME - 1);
	if (rval > 0) {
		linkname[rval] = '\0';
		rptr = strrchr(linkname, '.');
	} else {
		rptr = strrchr(filename, '.');
	}
	if (rptr != NULL)
		sscanf(++rptr, "%u", &fstamp);
	else
		fstamp = 0;
	dhparam.fstamp = htonl(fstamp);
	dhpub.fstamp = htonl(fstamp);
#ifdef DEBUG
	if (debug)
		printf(
		    "crypto_dh: pars file %s link %d fs %u prime %u gen %u\n",
		    cp, rval, fstamp, dh_params.primeLen,
		    dh_params.generatorLen);
#endif
}


/*
 * crypto_tai - read leapseconds table and check for errors.
 */
static void
crypto_tai(
	char *cp		/* file name */
	)
{
	FILE *str;		/* file handle */
	u_char buf[MAX_LINLEN];	/* file line buffer */
	u_int leapsec[MAX_LEAP]; /* NTP time at leaps */
	u_int offset;		/* offset at leap (s) */
	char filename[MAXFILENAME]; /* name of leapseconds file */
	char linkname[MAXFILENAME]; /* file link (for filestamp) */
	u_int fstamp;		/* filestamp */
	u_int32 *pp;
	u_int len;
	char *rptr;
	int rval, i;
#ifdef KERNEL_PLL
#if NTP_API > 3
	struct timex ntv;	/* kernel interface structure */
#endif /* NTP_API */
#endif /* KERNEL_PLL */

	/*
	 * Open the file and discard comment lines. If the first
	 * character of the file name is not '/', prepend the keys
	 * directory string. If the file is not found, not to worry; it
	 * can be retrieved over the net. But, if it is found with
	 * errors, we crash and burn.
	 */
	if (*cp == '/')
		strcpy(filename, cp);
	else
		snprintf(filename, MAXFILENAME, "%s/%s", keysdir, cp);
	str = fopen(filename, "r");
	if (str == NULL) {
		msyslog(LOG_INFO,
		    "crypto: leapseconds file %s not found",
		    filename);
		return;
	}

	/*
	 * We are rather paranoid here, since an intruder might cause a
	 * coredump by infiltrating naughty values. Empty lines and
	 * comments are ignored. Other lines must begin with two
	 * integers followed by junk or comments. The first integer is
	 * the NTP seconds of leap insertion, the second is the offset
	 * of TAI relative to UTC after that insertion. The second word
	 * must equal the initial insertion of ten seconds on 1 January
	 * 1972 plus one second for each succeeding insertion.
	 */
	i = 0;
	rval = RV_OK;
	while (i < MAX_LEAP) {
		rptr = fgets(buf, MAX_LINLEN - 1, str);
		if (rptr == NULL)
			break;
		if (strlen(buf) < 1)
			continue;
		if (*buf == '#')
			continue;
		if (sscanf(buf, "%u %u", &leapsec[i], &offset) != 2)
			continue;
		if (i != offset - TAI_1972) { 
			rval = RV_DAT;
			break;
		}
		i++;
	}
	fclose(str);
	if (rval != RV_OK || i == 0) {
		msyslog(LOG_ERR,
		    "crypto: leapseconds file %s error %d", cp,
		    rval);
		exit (-1);
	}

	/*
	 * The extension field table entries consists of the NTP seconds
	 * of leap insertion in reverse order, so that the most recent
	 * insertion is the first entry in the table.
	 */
	len = i * 4;
	tai_leap.vallen = htonl(len);
	pp = emalloc(len);
	tai_leap.ptr = (u_char *)pp;
	for (; i >= 0; i--) {
		*pp++ = htonl(leapsec[i]);
	}
	tai_leap.sig = emalloc(private_key.bits / 8);
	crypto_flags |= CRYPTO_FLAG_TAI;
	sys_tai = len / 4 + TAI_1972 - 1;
#ifdef KERNEL_PLL
#if NTP_API > 3
	ntv.modes = MOD_TAI;
	ntv.constant = sys_tai;
	if (ntp_adjtime(&ntv) == TIME_ERROR)
		msyslog(LOG_ERR,
		    "crypto: kernel TAI update failed");
#endif /* NTP_API */
#endif /* KERNEL_PLL */


	/*
	 * Extract filestamp if present.
	 */
	rval = readlink(filename, linkname, MAXFILENAME - 1);
	if (rval > 0) {
		linkname[rval] = '\0';
		rptr = strrchr(linkname, '.');
	} else {
		rptr = strrchr(filename, '.');
	}
	if (rptr != NULL)
		sscanf(++rptr, "%u", &fstamp);
	else
		fstamp = 0;
	tai_leap.fstamp = htonl(fstamp);
#ifdef DEBUG
	if (debug)
		printf(
		    "crypto_tai: leapseconds file %s link %d fs %u offset %u\n",
		    cp, rval, fstamp, ntohl(tai_leap.vallen) / 4 +
		    TAI_1972);
#endif
}


/*
 * crypto_config - configure crypto data from crypto configuration
 * command.
 */
void
crypto_config(
	int item,		/* configuration item */
	char *cp		/* file name */
	)
{
	switch (item) {

	/*
	 * Initialize flags
	 */
	case CRYPTO_CONF_FLAGS:
		sscanf(cp, "%x", &crypto_flags);
		break;

	/*
	 * Set private key file name.
	 */
	case CRYPTO_CONF_PRIV:
		private_key_file = emalloc(strlen(cp) + 1);
		strcpy(private_key_file, cp);
		break;

	/*
	 * Set public key file name.
	 */
	case CRYPTO_CONF_PUBL:
		public_key_file = emalloc(strlen(cp) + 1);
		strcpy(public_key_file, cp);
		break;

	/*
	 * Set certificate file name.
	 */
	case CRYPTO_CONF_CERT:
		certif_file = emalloc(strlen(cp) + 1);
		strcpy(certif_file, cp);
		break;

	/*
	 * Set agreement parameter file name.
	 */
	case CRYPTO_CONF_DH:
		dh_params_file = emalloc(strlen(cp) + 1);
		strcpy(dh_params_file, cp);
		break;

	/*
	 * Set leapseconds table file name.
	 */
	case CRYPTO_CONF_LEAP:
		tai_leap_file = emalloc(strlen(cp) + 1);
		strcpy(tai_leap_file, cp);
		break;

	/*
	 * Set crypto keys directory.
	 */
	case CRYPTO_CONF_KEYS:
		keysdir = emalloc(strlen(cp) + 1);
		strcpy(keysdir, cp);
		break;
	}
	crypto_flags |= CRYPTO_FLAG_ENAB;
}
# else
int ntp_crypto_bs_pubkey;
# endif /* PUBKEY */
#else
int ntp_crypto_bs_autokey;
#endif /* AUTOKEY */