File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / ntp / util / ntp-keygen.c
Revision 1.1.1.1 (vendor branch): download - view: text, annotated - select for diffs - revision graph
Tue May 29 12:08:38 2012 UTC (12 years, 7 months ago) by misho
Branches: ntp, MAIN
CVS tags: v4_2_6p5p0, v4_2_6p5, HEAD
ntp 4.2.6p5

    1: /*
    2:  * Program to generate cryptographic keys for ntp clients and servers
    3:  *
    4:  * This program generates password encrypted data files for use with the
    5:  * Autokey security protocol and Network Time Protocol Version 4. Files
    6:  * are prefixed with a header giving the name and date of creation
    7:  * followed by a type-specific descriptive label and PEM-encoded data
    8:  * structure compatible with programs of the OpenSSL library.
    9:  *
   10:  * All file names are like "ntpkey_<type>_<hostname>.<filestamp>", where
   11:  * <type> is the file type, <hostname> the generating host name and
   12:  * <filestamp> the generation time in NTP seconds. The NTP programs
   13:  * expect generic names such as "ntpkey_<type>_whimsy.udel.edu" with the
   14:  * association maintained by soft links. Following is a list of file
   15:  * types; the first line is the file name and the second link name.
   16:  *
   17:  * ntpkey_MD5key_<hostname>.<filestamp>
   18:  * 	MD5 (128-bit) keys used to compute message digests in symmetric
   19:  *	key cryptography
   20:  *
   21:  * ntpkey_RSAhost_<hostname>.<filestamp>
   22:  * ntpkey_host_<hostname>
   23:  *	RSA private/public host key pair used for public key signatures
   24:  *
   25:  * ntpkey_RSAsign_<hostname>.<filestamp>
   26:  * ntpkey_sign_<hostname>
   27:  *	RSA private/public sign key pair used for public key signatures
   28:  *
   29:  * ntpkey_DSAsign_<hostname>.<filestamp>
   30:  * ntpkey_sign_<hostname>
   31:  *	DSA Private/public sign key pair used for public key signatures
   32:  *
   33:  * Available digest/signature schemes
   34:  *
   35:  * RSA:	RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, EVP-RIPEMD160
   36:  * DSA:	DSA-SHA, DSA-SHA1
   37:  *
   38:  * ntpkey_XXXcert_<hostname>.<filestamp>
   39:  * ntpkey_cert_<hostname>
   40:  *	X509v3 certificate using RSA or DSA public keys and signatures.
   41:  *	XXX is a code identifying the message digest and signature
   42:  *	encryption algorithm
   43:  *
   44:  * Identity schemes. The key type par is used for the challenge; the key
   45:  * type key is used for the response.
   46:  *
   47:  * ntpkey_IFFkey_<groupname>.<filestamp>
   48:  * ntpkey_iffkey_<groupname>
   49:  *	Schnorr (IFF) identity parameters and keys
   50:  *
   51:  * ntpkey_GQkey_<groupname>.<filestamp>,
   52:  * ntpkey_gqkey_<groupname>
   53:  *	Guillou-Quisquater (GQ) identity parameters and keys
   54:  *
   55:  * ntpkey_MVkeyX_<groupname>.<filestamp>,
   56:  * ntpkey_mvkey_<groupname>
   57:  *	Mu-Varadharajan (MV) identity parameters and keys
   58:  *
   59:  * Note: Once in a while because of some statistical fluke this program
   60:  * fails to generate and verify some cryptographic data, as indicated by
   61:  * exit status -1. In this case simply run the program again. If the
   62:  * program does complete with exit code 0, the data are correct as
   63:  * verified.
   64:  *
   65:  * These cryptographic routines are characterized by the prime modulus
   66:  * size in bits. The default value of 512 bits is a compromise between
   67:  * cryptographic strength and computing time and is ordinarily
   68:  * considered adequate for this application. The routines have been
   69:  * tested with sizes of 256, 512, 1024 and 2048 bits. Not all message
   70:  * digest and signature encryption schemes work with sizes less than 512
   71:  * bits. The computing time for sizes greater than 2048 bits is
   72:  * prohibitive on all but the fastest processors. An UltraSPARC Blade
   73:  * 1000 took something over nine minutes to generate and verify the
   74:  * values with size 2048. An old SPARC IPC would take a week.
   75:  *
   76:  * The OpenSSL library used by this program expects a random seed file.
   77:  * As described in the OpenSSL documentation, the file name defaults to
   78:  * first the RANDFILE environment variable in the user's home directory
   79:  * and then .rnd in the user's home directory.
   80:  */
   81: #ifdef HAVE_CONFIG_H
   82: # include <config.h>
   83: #endif
   84: #include <string.h>
   85: #include <stdio.h>
   86: #include <stdlib.h>
   87: #include <unistd.h>
   88: #include <sys/stat.h>
   89: #include <sys/time.h>
   90: #include <sys/types.h>
   91: #include "ntp_types.h"
   92: #include "ntp_random.h"
   93: #include "ntp_stdlib.h"
   94: #include "ntp_assert.h"
   95: 
   96: #include "ntp_libopts.h"
   97: #include "ntp-keygen-opts.h"
   98: 
   99: #ifdef OPENSSL
  100: #include "openssl/bn.h"
  101: #include "openssl/evp.h"
  102: #include "openssl/err.h"
  103: #include "openssl/rand.h"
  104: #include "openssl/pem.h"
  105: #include "openssl/x509v3.h"
  106: #include <openssl/objects.h>
  107: #endif /* OPENSSL */
  108: #include <ssl_applink.c>
  109: 
  110: /*
  111:  * Cryptodefines
  112:  */
  113: #define	MD5KEYS		10	/* number of keys generated of each type */
  114: #define	MD5SIZE		20	/* maximum key size */
  115: #define	JAN_1970	2208988800UL /* NTP seconds */
  116: #define YEAR		((long)60*60*24*365) /* one year in seconds */
  117: #define MAXFILENAME	256	/* max file name length */
  118: #define MAXHOSTNAME	256	/* max host name length */
  119: #ifdef OPENSSL
  120: #define	PLEN		512	/* default prime modulus size (bits) */
  121: #define	ILEN		256	/* default identity modulus size (bits) */
  122: #define	MVMAX		100	/* max MV parameters */
  123: 
  124: /*
  125:  * Strings used in X509v3 extension fields
  126:  */
  127: #define KEY_USAGE		"digitalSignature,keyCertSign"
  128: #define BASIC_CONSTRAINTS	"critical,CA:TRUE"
  129: #define EXT_KEY_PRIVATE		"private"
  130: #define EXT_KEY_TRUST		"trustRoot"
  131: #endif /* OPENSSL */
  132: 
  133: /*
  134:  * Prototypes
  135:  */
  136: FILE	*fheader	(const char *, const char *, const char *);
  137: int	gen_md5		(char *);
  138: #ifdef OPENSSL
  139: EVP_PKEY *gen_rsa	(char *);
  140: EVP_PKEY *gen_dsa	(char *);
  141: EVP_PKEY *gen_iffkey	(char *);
  142: EVP_PKEY *gen_gqkey	(char *);
  143: EVP_PKEY *gen_mvkey	(char *, EVP_PKEY **);
  144: void	gen_mvserv	(char *, EVP_PKEY **);
  145: int	x509		(EVP_PKEY *, const EVP_MD *, char *, char *,
  146: 			    char *);
  147: void	cb		(int, int, void *);
  148: EVP_PKEY *genkey	(char *, char *);
  149: EVP_PKEY *readkey	(char *, char *, u_int *, EVP_PKEY **);
  150: void	writekey	(char *, char *, u_int *, EVP_PKEY **);
  151: u_long	asn2ntp		(ASN1_TIME *);
  152: #endif /* OPENSSL */
  153: 
  154: /*
  155:  * Program variables
  156:  */
  157: extern char *optarg;		/* command line argument */
  158: char	*progname;
  159: volatile int	debug = 0;		/* debug, not de bug */
  160: #ifdef OPENSSL
  161: u_int	modulus = PLEN;		/* prime modulus size (bits) */
  162: u_int	modulus2 = ILEN;	/* identity modulus size (bits) */
  163: #endif
  164: int	nkeys;			/* MV keys */
  165: time_t	epoch;			/* Unix epoch (seconds) since 1970 */
  166: u_int	fstamp;			/* NTP filestamp */
  167: char	*hostname = NULL;	/* host name (subject name) */
  168: char	*groupname = NULL;	/* trusted host name (issuer name) */
  169: char	filename[MAXFILENAME + 1]; /* file name */
  170: char	*passwd1 = NULL;	/* input private key password */
  171: char	*passwd2 = NULL;	/* output private key password */
  172: #ifdef OPENSSL
  173: long	d0, d1, d2, d3;		/* callback counters */
  174: #endif /* OPENSSL */
  175: 
  176: #ifdef SYS_WINNT
  177: BOOL init_randfile();
  178: 
  179: /*
  180:  * Don't try to follow symbolic links
  181:  */
  182: int
  183: readlink(char *link, char *file, int len)
  184: {
  185: 	return (-1);
  186: }
  187: 
  188: /*
  189:  * Don't try to create a symbolic link for now.
  190:  * Just move the file to the name you need.
  191:  */
  192: int
  193: symlink(char *filename, char *linkname) {
  194: 	DeleteFile(linkname);
  195: 	MoveFile(filename, linkname);
  196: 	return (0);
  197: }
  198: void
  199: InitWin32Sockets() {
  200: 	WORD wVersionRequested;
  201: 	WSADATA wsaData;
  202: 	wVersionRequested = MAKEWORD(2,0);
  203: 	if (WSAStartup(wVersionRequested, &wsaData))
  204: 	{
  205: 		fprintf(stderr, "No useable winsock.dll\n");
  206: 		exit(1);
  207: 	}
  208: }
  209: #endif /* SYS_WINNT */
  210: 
  211: /*
  212:  * Main program
  213:  */
  214: int
  215: main(
  216: 	int	argc,		/* command line options */
  217: 	char	**argv
  218: 	)
  219: {
  220: 	struct timeval tv;	/* initialization vector */
  221: 	int	md5key = 0;	/* generate MD5 keys */
  222: #ifdef OPENSSL
  223: 	X509	*cert = NULL;	/* X509 certificate */
  224: 	X509_EXTENSION *ext;	/* X509v3 extension */
  225: 	EVP_PKEY *pkey_host = NULL; /* host key */
  226: 	EVP_PKEY *pkey_sign = NULL; /* sign key */
  227: 	EVP_PKEY *pkey_iffkey = NULL; /* IFF sever keys */
  228: 	EVP_PKEY *pkey_gqkey = NULL; /* GQ server keys */
  229: 	EVP_PKEY *pkey_mvkey = NULL; /* MV trusted agen keys */
  230: 	EVP_PKEY *pkey_mvpar[MVMAX]; /* MV cleient keys */
  231: 	int	hostkey = 0;	/* generate RSA keys */
  232: 	int	iffkey = 0;	/* generate IFF keys */
  233: 	int	gqkey = 0;	/* generate GQ keys */
  234: 	int	mvkey = 0;	/* update MV keys */
  235: 	int	mvpar = 0;	/* generate MV parameters */
  236: 	char	*sign = NULL;	/* sign key */
  237: 	EVP_PKEY *pkey = NULL;	/* temp key */
  238: 	const EVP_MD *ectx;	/* EVP digest */
  239: 	char	pathbuf[MAXFILENAME + 1];
  240: 	const char *scheme = NULL; /* digest/signature scheme */
  241: 	char	*exten = NULL;	/* private extension */
  242: 	char	*grpkey = NULL;	/* identity extension */
  243: 	int	nid;		/* X509 digest/signature scheme */
  244: 	FILE	*fstr = NULL;	/* file handle */
  245: #define iffsw   HAVE_OPT(ID_KEY)
  246: #endif /* OPENSSL */
  247: 	char	hostbuf[MAXHOSTNAME + 1];
  248: 	char	groupbuf[MAXHOSTNAME + 1];
  249: 
  250: 	progname = argv[0];
  251: 
  252: #ifdef SYS_WINNT
  253: 	/* Initialize before OpenSSL checks */
  254: 	InitWin32Sockets();
  255: 	if (!init_randfile())
  256: 		fprintf(stderr, "Unable to initialize .rnd file\n");
  257: 	ssl_applink();
  258: #endif
  259: 
  260: #ifdef OPENSSL
  261: 	ssl_check_version();
  262: #endif /* OPENSSL */
  263: 
  264: 	/*
  265: 	 * Process options, initialize host name and timestamp.
  266: 	 */
  267: 	gethostname(hostbuf, MAXHOSTNAME);
  268: 	hostname = hostbuf;
  269: 	gettimeofday(&tv, 0);
  270: 
  271: 	epoch = tv.tv_sec;
  272: 
  273: 	{
  274: 		int optct = ntpOptionProcess(&ntp_keygenOptions,
  275: 					     argc, argv);
  276: 		argc -= optct;
  277: 		argv += optct;
  278: 	}
  279: 
  280: #ifdef OPENSSL
  281: 	if (SSLeay() == SSLEAY_VERSION_NUMBER)
  282: 		fprintf(stderr, "Using OpenSSL version %s\n",
  283: 			SSLeay_version(SSLEAY_VERSION));
  284: 	else
  285: 		fprintf(stderr, "Built against OpenSSL %s, using version %s\n",
  286: 			OPENSSL_VERSION_TEXT, SSLeay_version(SSLEAY_VERSION));
  287: #endif /* OPENSSL */
  288: 
  289: 	debug = DESC(DEBUG_LEVEL).optOccCt;
  290: 	if (HAVE_OPT( MD5KEY ))
  291: 		md5key++;
  292: 
  293: #ifdef OPENSSL
  294: 	passwd1 = hostbuf;
  295: 	if (HAVE_OPT( PVT_PASSWD ))
  296: 		passwd1 = strdup(OPT_ARG( PVT_PASSWD ));
  297: 
  298: 	if (HAVE_OPT( GET_PVT_PASSWD ))
  299: 		passwd2 = strdup(OPT_ARG( GET_PVT_PASSWD ));
  300: 
  301: 	if (HAVE_OPT( HOST_KEY ))
  302: 		hostkey++;
  303: 
  304: 	if (HAVE_OPT( SIGN_KEY ))
  305: 		sign = strdup(OPT_ARG( SIGN_KEY ));
  306: 
  307: 	if (HAVE_OPT( GQ_PARAMS ))
  308: 		gqkey++;
  309: 
  310: 	if (HAVE_OPT( IFFKEY ))
  311: 		iffkey++;
  312: 
  313: 	if (HAVE_OPT( MV_PARAMS )) {
  314: 		mvkey++;
  315: 		nkeys = OPT_VALUE_MV_PARAMS;
  316: 	}
  317: 	if (HAVE_OPT( MV_KEYS )) {
  318: 		mvpar++;
  319: 		nkeys = OPT_VALUE_MV_KEYS;
  320: 	}
  321: 	if (HAVE_OPT( MODULUS ))
  322: 		modulus = OPT_VALUE_MODULUS;
  323: 
  324: 	if (HAVE_OPT( CERTIFICATE ))
  325: 		scheme = OPT_ARG( CERTIFICATE );
  326: 
  327: 	if (HAVE_OPT( SUBJECT_NAME ))
  328: 		hostname = strdup(OPT_ARG( SUBJECT_NAME ));
  329: 
  330: 	if (HAVE_OPT( ISSUER_NAME ))
  331: 		groupname = strdup(OPT_ARG( ISSUER_NAME ));
  332: 
  333: 	if (HAVE_OPT( PVT_CERT ))
  334: 		exten = EXT_KEY_PRIVATE;
  335: 
  336: 	if (HAVE_OPT( TRUSTED_CERT ))
  337: 		exten = EXT_KEY_TRUST;
  338: 
  339: 	/*
  340: 	 * Seed random number generator and grow weeds.
  341: 	 */
  342: 	ERR_load_crypto_strings();
  343: 	OpenSSL_add_all_algorithms();
  344: 	if (!RAND_status()) {
  345: 		u_int	temp;
  346: 
  347: 		if (RAND_file_name(pathbuf, MAXFILENAME) == NULL) {
  348: 			fprintf(stderr, "RAND_file_name %s\n",
  349: 			    ERR_error_string(ERR_get_error(), NULL));
  350: 			exit (-1);
  351: 		}
  352: 		temp = RAND_load_file(pathbuf, -1);
  353: 		if (temp == 0) {
  354: 			fprintf(stderr,
  355: 			    "RAND_load_file %s not found or empty\n",
  356: 			    pathbuf);
  357: 			exit (-1);
  358: 		}
  359: 		fprintf(stderr,
  360: 		    "Random seed file %s %u bytes\n", pathbuf, temp);
  361: 		RAND_add(&epoch, sizeof(epoch), 4.0);
  362: 	}
  363: 
  364: 	/*
  365: 	 * Load previous certificate if available.
  366: 	 */
  367: 	sprintf(filename, "ntpkey_cert_%s", hostname);
  368: 	if ((fstr = fopen(filename, "r")) != NULL) {
  369: 		cert = PEM_read_X509(fstr, NULL, NULL, NULL);
  370: 		fclose(fstr);
  371: 	}
  372: 	if (cert != NULL) {
  373: 
  374: 		/*
  375: 		 * Extract subject name.
  376: 		 */
  377: 		X509_NAME_oneline(X509_get_subject_name(cert), groupbuf,
  378: 		    MAXFILENAME);
  379: 
  380: 		/*
  381: 		 * Extract digest/signature scheme.
  382: 		 */
  383: 		if (scheme == NULL) {
  384: 			nid = OBJ_obj2nid(cert->cert_info->
  385: 			    signature->algorithm);
  386: 			scheme = OBJ_nid2sn(nid);
  387: 		}
  388: 
  389: 		/*
  390: 		 * If a key_usage extension field is present, determine
  391: 		 * whether this is a trusted or private certificate.
  392: 		 */
  393: 		if (exten == NULL) {
  394: 			BIO	*bp;
  395: 			int	i, cnt;
  396: 			char	*ptr;
  397: 
  398: 			ptr = strstr(groupbuf, "CN=");
  399: 			cnt = X509_get_ext_count(cert);
  400: 			for (i = 0; i < cnt; i++) {
  401: 				ext = X509_get_ext(cert, i);
  402: 				if (OBJ_obj2nid(ext->object) ==
  403: 				    NID_ext_key_usage) {
  404: 					bp = BIO_new(BIO_s_mem());
  405: 					X509V3_EXT_print(bp, ext, 0, 0);
  406: 					BIO_gets(bp, pathbuf,
  407: 					    MAXFILENAME);
  408: 					BIO_free(bp);
  409: 					if (strcmp(pathbuf,
  410: 					    "Trust Root") == 0)
  411: 						exten = EXT_KEY_TRUST;
  412: 					else if (strcmp(pathbuf,
  413: 					    "Private") == 0)
  414: 						exten = EXT_KEY_PRIVATE;
  415: 					if (groupname == NULL)
  416: 						groupname = ptr + 3;
  417: 				}
  418: 			}
  419: 		}
  420: 	}
  421: 	if (scheme == NULL)
  422: 		scheme = "RSA-MD5";
  423: 	if (groupname == NULL)
  424: 		groupname = hostname;
  425: 	fprintf(stderr, "Using host %s group %s\n", hostname,
  426: 	    groupname);
  427: 	if ((iffkey || gqkey || mvkey) && exten == NULL)
  428: 		fprintf(stderr,
  429: 		    "Warning: identity files may not be useful with a nontrusted certificate.\n");
  430: #endif /* OPENSSL */
  431: 
  432: 	/*
  433: 	 * Create new unencrypted MD5 keys file if requested. If this
  434: 	 * option is selected, ignore all other options.
  435: 	 */
  436: 	if (md5key) {
  437: 		gen_md5("md5");
  438: 		exit (0);
  439: 	}
  440: 
  441: #ifdef OPENSSL
  442: 	/*
  443: 	 * Create a new encrypted RSA host key file if requested;
  444: 	 * otherwise, look for an existing host key file. If not found,
  445: 	 * create a new encrypted RSA host key file. If that fails, go
  446: 	 * no further.
  447: 	 */
  448: 	if (hostkey)
  449: 		pkey_host = genkey("RSA", "host");
  450: 	if (pkey_host == NULL) {
  451: 		sprintf(filename, "ntpkey_host_%s", hostname);
  452: 		pkey_host = readkey(filename, passwd1, &fstamp, NULL);
  453: 		if (pkey_host != NULL) {
  454: 			readlink(filename, filename, sizeof(filename));
  455: 			fprintf(stderr, "Using host key %s\n",
  456: 			    filename);
  457: 		} else {
  458: 			pkey_host = genkey("RSA", "host");
  459: 		}
  460: 	}
  461: 	if (pkey_host == NULL) {
  462: 		fprintf(stderr, "Generating host key fails\n");
  463: 		exit (-1);
  464: 	}
  465: 
  466: 	/*
  467: 	 * Create new encrypted RSA or DSA sign keys file if requested;
  468: 	 * otherwise, look for an existing sign key file. If not found,
  469: 	 * use the host key instead.
  470: 	 */
  471: 	if (sign != NULL)
  472: 		pkey_sign = genkey(sign, "sign");
  473: 	if (pkey_sign == NULL) {
  474: 		sprintf(filename, "ntpkey_sign_%s", hostname);
  475: 		pkey_sign = readkey(filename, passwd1, &fstamp, NULL);
  476: 		if (pkey_sign != NULL) {
  477: 			readlink(filename, filename, sizeof(filename));
  478: 			fprintf(stderr, "Using sign key %s\n",
  479: 			    filename);
  480: 		} else if (pkey_host != NULL) {
  481: 			pkey_sign = pkey_host;
  482: 			fprintf(stderr, "Using host key as sign key\n");
  483: 		}
  484: 	}
  485: 
  486: 	/*
  487: 	 * Create new encrypted GQ server keys file if requested;
  488: 	 * otherwise, look for an exisiting file. If found, fetch the
  489: 	 * public key for the certificate.
  490: 	 */
  491: 	if (gqkey)
  492: 		pkey_gqkey = gen_gqkey("gqkey");
  493: 	if (pkey_gqkey == NULL) {
  494: 		sprintf(filename, "ntpkey_gqkey_%s", groupname);
  495: 		pkey_gqkey = readkey(filename, passwd1, &fstamp, NULL);
  496: 		if (pkey_gqkey != NULL) {
  497: 			readlink(filename, filename, sizeof(filename));
  498: 			fprintf(stderr, "Using GQ parameters %s\n",
  499: 			    filename);
  500: 		}
  501: 	}
  502: 	if (pkey_gqkey != NULL)
  503: 		grpkey = BN_bn2hex(pkey_gqkey->pkey.rsa->q);
  504: 
  505: 	/*
  506: 	 * Write the nonencrypted GQ client parameters to the stdout
  507: 	 * stream. The parameter file is the server key file with the
  508: 	 * private key obscured.
  509: 	 */
  510: 	if (pkey_gqkey != NULL && HAVE_OPT(ID_KEY)) {
  511: 		RSA	*rsa;
  512: 
  513: 		epoch = fstamp - JAN_1970;
  514: 		sprintf(filename, "ntpkey_gqpar_%s.%u", groupname,
  515: 		    fstamp);
  516: 		fprintf(stderr, "Writing GQ parameters %s to stdout\n",
  517: 		    filename);
  518: 		fprintf(stdout, "# %s\n# %s\n", filename,
  519: 		    ctime(&epoch));
  520: 		rsa = pkey_gqkey->pkey.rsa;
  521: 		BN_copy(rsa->p, BN_value_one());
  522: 		BN_copy(rsa->q, BN_value_one());
  523: 		pkey = EVP_PKEY_new();
  524: 		EVP_PKEY_assign_RSA(pkey, rsa);
  525: 		PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL,
  526: 		    NULL);
  527: 		fclose(stdout);
  528: 		if (debug)
  529: 			RSA_print_fp(stderr, rsa, 0);
  530: 	}
  531: 
  532: 	/*
  533: 	 * Write the encrypted GQ server keys to the stdout stream.
  534: 	 */
  535: 	if (pkey_gqkey != NULL && passwd2 != NULL) {
  536: 		RSA	*rsa;
  537: 
  538: 		sprintf(filename, "ntpkey_gqkey_%s.%u", groupname,
  539: 		    fstamp);
  540: 		fprintf(stderr, "Writing GQ keys %s to stdout\n",
  541: 		    filename);
  542: 		fprintf(stdout, "# %s\n# %s\n", filename,
  543: 		    ctime(&epoch));
  544: 		rsa = pkey_gqkey->pkey.rsa;
  545: 		pkey = EVP_PKEY_new();
  546: 		EVP_PKEY_assign_RSA(pkey, rsa);
  547: 		PEM_write_PrivateKey(stdout, pkey,
  548: 		    EVP_des_cbc(), NULL, 0, NULL, passwd2);
  549: 		fclose(stdout);
  550: 		if (debug)
  551: 			RSA_print_fp(stderr, rsa, 0);
  552: 	}
  553: 
  554: 	/*
  555: 	 * Create new encrypted IFF server keys file if requested;
  556: 	 * otherwise, look for existing file.
  557: 	 */
  558: 	if (iffkey)
  559: 		pkey_iffkey = gen_iffkey("iffkey");
  560: 	if (pkey_iffkey == NULL) {
  561: 		sprintf(filename, "ntpkey_iffkey_%s", groupname);
  562: 		pkey_iffkey = readkey(filename, passwd1, &fstamp, NULL);
  563: 		if (pkey_iffkey != NULL) {
  564: 			readlink(filename, filename, sizeof(filename));
  565: 			fprintf(stderr, "Using IFF keys %s\n",
  566: 			    filename);
  567: 		}
  568: 	}
  569: 
  570: 	/*
  571: 	 * Write the nonencrypted IFF client parameters to the stdout
  572: 	 * stream. The parameter file is the server key file with the
  573: 	 * private key obscured.
  574: 	 */
  575: 	if (pkey_iffkey != NULL && HAVE_OPT(ID_KEY)) {
  576: 		DSA	*dsa;
  577: 
  578: 		epoch = fstamp - JAN_1970;
  579: 		sprintf(filename, "ntpkey_iffpar_%s.%u", groupname,
  580: 		    fstamp);
  581: 		fprintf(stderr, "Writing IFF parameters %s to stdout\n",
  582: 		    filename);
  583: 		fprintf(stdout, "# %s\n# %s\n", filename,
  584: 		    ctime(&epoch));
  585: 		dsa = pkey_iffkey->pkey.dsa;
  586: 		BN_copy(dsa->priv_key, BN_value_one());
  587: 		pkey = EVP_PKEY_new();
  588: 		EVP_PKEY_assign_DSA(pkey, dsa);
  589: 		PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL,
  590: 		    NULL);
  591: 		fclose(stdout);
  592: 		if (debug)
  593: 			DSA_print_fp(stderr, dsa, 0);
  594: 	}
  595: 
  596: 	/*
  597: 	 * Write the encrypted IFF server keys to the stdout stream.
  598: 	 */
  599: 	if (pkey_iffkey != NULL && passwd2 != NULL) {
  600: 		DSA	*dsa;
  601: 
  602: 		epoch = fstamp - JAN_1970;
  603: 		sprintf(filename, "ntpkey_iffkey_%s.%u", groupname,
  604: 		    fstamp);
  605: 		fprintf(stderr, "Writing IFF keys %s to stdout\n",
  606: 		    filename);
  607: 		fprintf(stdout, "# %s\n# %s\n", filename,
  608: 		    ctime(&epoch));
  609: 		dsa = pkey_iffkey->pkey.dsa;
  610: 		pkey = EVP_PKEY_new();
  611: 		EVP_PKEY_assign_DSA(pkey, dsa);
  612: 		PEM_write_PrivateKey(stdout, pkey, EVP_des_cbc(), NULL,
  613: 		    0, NULL, passwd2);
  614: 		fclose(stdout);
  615: 		if (debug)
  616: 			DSA_print_fp(stderr, dsa, 0);
  617: 	}
  618: 
  619: 	/*
  620: 	 * Create new encrypted MV trusted-authority keys file if
  621: 	 * requested; otherwise, look for existing keys file.
  622: 	 */
  623: 	if (mvkey)
  624: 		pkey_mvkey = gen_mvkey("mv", pkey_mvpar);
  625: 	if (pkey_mvkey == NULL) {
  626: 		sprintf(filename, "ntpkey_mvta_%s", groupname);
  627: 		pkey_mvkey = readkey(filename, passwd1, &fstamp,
  628: 		   pkey_mvpar);
  629: 		if (pkey_mvkey != NULL) {
  630: 			readlink(filename, filename, sizeof(filename));
  631: 			fprintf(stderr, "Using MV keys %s\n",
  632: 			    filename);
  633: 		}
  634: 	}
  635: 
  636: 	/*
  637: 	 * Write the nonencrypted MV client parameters to the stdout
  638: 	 * stream. For the moment, we always use the client parameters
  639: 	 * associated with client key 1.
  640: 	 */
  641: 	if (pkey_mvkey != NULL && HAVE_OPT(ID_KEY)) {
  642: 		epoch = fstamp - JAN_1970;
  643: 		sprintf(filename, "ntpkey_mvpar_%s.%u", groupname,
  644: 		    fstamp);
  645: 		fprintf(stderr, "Writing MV parameters %s to stdout\n",
  646: 		    filename);
  647: 		fprintf(stdout, "# %s\n# %s\n", filename,
  648: 		    ctime(&epoch));
  649: 		pkey = pkey_mvpar[2];
  650: 		PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL,
  651: 		    NULL);
  652: 		fclose(stdout);
  653: 		if (debug)
  654: 			DSA_print_fp(stderr, pkey->pkey.dsa, 0);
  655: 	}
  656: 
  657: 	/*
  658: 	 * Write the encrypted MV server keys to the stdout stream.
  659: 	 */
  660: 	if (pkey_mvkey != NULL && passwd2 != NULL) {
  661: 		epoch = fstamp - JAN_1970;
  662: 		sprintf(filename, "ntpkey_mvkey_%s.%u", groupname,
  663: 		    fstamp);
  664: 		fprintf(stderr, "Writing MV keys %s to stdout\n",
  665: 		    filename);
  666: 		fprintf(stdout, "# %s\n# %s\n", filename,
  667: 		    ctime(&epoch));
  668: 		pkey = pkey_mvpar[1];
  669: 		PEM_write_PrivateKey(stdout, pkey, EVP_des_cbc(), NULL,
  670: 		    0, NULL, passwd2);
  671: 		fclose(stdout);
  672: 		if (debug)
  673: 			DSA_print_fp(stderr, pkey->pkey.dsa, 0);
  674: 	}
  675: 
  676: 	/*
  677: 	 * Don't generate a certificate if no host keys or extracting
  678: 	 * encrypted or nonencrypted keys to the standard output stream.
  679: 	 */
  680: 	if (pkey_host == NULL || HAVE_OPT(ID_KEY) || passwd2 != NULL)
  681: 		exit (0);
  682: 
  683: 	/*
  684: 	 * Decode the digest/signature scheme. If trusted, set the
  685: 	 * subject and issuer names to the group name; if not set both
  686: 	 * to the host name.
  687: 	 */
  688: 	ectx = EVP_get_digestbyname(scheme);
  689: 	if (ectx == NULL) {
  690: 		fprintf(stderr,
  691: 		    "Invalid digest/signature combination %s\n",
  692: 		    scheme);
  693: 			exit (-1);
  694: 	}
  695: 	if (exten == NULL)
  696: 		x509(pkey_sign, ectx, grpkey, exten, hostname);
  697: 	else
  698: 		x509(pkey_sign, ectx, grpkey, exten, groupname);
  699: #endif /* OPENSSL */
  700: 	exit (0);
  701: }
  702: 
  703: 
  704: /*
  705:  * Generate semi-random MD5 keys compatible with NTPv3 and NTPv4. Also,
  706:  * if OpenSSL is around, generate random SHA1 keys compatible with
  707:  * symmetric key cryptography.
  708:  */
  709: int
  710: gen_md5(
  711: 	char	*id		/* file name id */
  712: 	)
  713: {
  714: 	u_char	md5key[MD5SIZE + 1];	/* MD5 key */
  715: 	FILE	*str;
  716: 	int	i, j;
  717: #ifdef OPENSSL
  718: 	u_char	keystr[MD5SIZE];
  719: 	u_char	hexstr[2 * MD5SIZE + 1];
  720: 	u_char	hex[] = "0123456789abcdef";
  721: #endif /* OPENSSL */
  722: 
  723: 	str = fheader("MD5key", id, groupname);
  724: 	ntp_srandom((u_long)epoch);
  725: 	for (i = 1; i <= MD5KEYS; i++) {
  726: 		for (j = 0; j < MD5SIZE; j++) {
  727: 			int temp;
  728: 
  729: 			while (1) {
  730: 				temp = ntp_random() & 0xff;
  731: 				if (temp == '#')
  732: 					continue;
  733: 
  734: 				if (temp > 0x20 && temp < 0x7f)
  735: 					break;
  736: 			}
  737: 			md5key[j] = (u_char)temp;
  738: 		}
  739: 		md5key[j] = '\0';
  740: 		fprintf(str, "%2d MD5 %s  # MD5 key\n", i,
  741: 		    md5key);
  742: 	}
  743: #ifdef OPENSSL
  744: 	for (i = 1; i <= MD5KEYS; i++) {
  745: 		RAND_bytes(keystr, 20);
  746: 		for (j = 0; j < MD5SIZE; j++) {
  747: 			hexstr[2 * j] = hex[keystr[j] >> 4];
  748: 			hexstr[2 * j + 1] = hex[keystr[j] & 0xf];
  749: 		}
  750: 		hexstr[2 * MD5SIZE] = '\0';
  751: 		fprintf(str, "%2d SHA1 %s  # SHA1 key\n", i + MD5KEYS,
  752: 		    hexstr);
  753: 	}
  754: #endif /* OPENSSL */
  755: 	fclose(str);
  756: 	return (1);
  757: }
  758: 
  759: 
  760: #ifdef OPENSSL
  761: /*
  762:  * readkey - load cryptographic parameters and keys
  763:  *
  764:  * This routine loads a PEM-encoded file of given name and password and
  765:  * extracts the filestamp from the file name. It returns a pointer to
  766:  * the first key if valid, NULL if not.
  767:  */
  768: EVP_PKEY *			/* public/private key pair */
  769: readkey(
  770: 	char	*cp,		/* file name */
  771: 	char	*passwd,	/* password */
  772: 	u_int	*estamp,	/* file stamp */
  773: 	EVP_PKEY **evpars	/* parameter list pointer */
  774: 	)
  775: {
  776: 	FILE	*str;		/* file handle */
  777: 	EVP_PKEY *pkey = NULL;	/* public/private key */
  778: 	u_int	gstamp;		/* filestamp */
  779: 	char	linkname[MAXFILENAME]; /* filestamp buffer) */
  780: 	EVP_PKEY *parkey;
  781: 	char	*ptr;
  782: 	int	i;
  783: 
  784: 	/*
  785: 	 * Open the key file.
  786: 	 */
  787: 	str = fopen(cp, "r");
  788: 	if (str == NULL)
  789: 		return (NULL);
  790: 
  791: 	/*
  792: 	 * Read the filestamp, which is contained in the first line.
  793: 	 */
  794: 	if ((ptr = fgets(linkname, MAXFILENAME, str)) == NULL) {
  795: 		fprintf(stderr, "Empty key file %s\n", cp);
  796: 		fclose(str);
  797: 		return (NULL);
  798: 	}
  799: 	if ((ptr = strrchr(ptr, '.')) == NULL) {
  800: 		fprintf(stderr, "No filestamp found in %s\n", cp);
  801: 		fclose(str);
  802: 		return (NULL);
  803: 	}
  804: 	if (sscanf(++ptr, "%u", &gstamp) != 1) {
  805: 		fprintf(stderr, "Invalid filestamp found in %s\n", cp);
  806: 		fclose(str);
  807: 		return (NULL);
  808: 	}
  809: 
  810: 	/*
  811: 	 * Read and decrypt PEM-encoded private keys. The first one
  812: 	 * found is returned. If others are expected, add them to the
  813: 	 * parameter list.
  814: 	 */
  815: 	for (i = 0; i <= MVMAX - 1;) {
  816: 		parkey = PEM_read_PrivateKey(str, NULL, NULL, passwd);
  817: 		if (evpars != NULL) {
  818: 			evpars[i++] = parkey;
  819: 			evpars[i] = NULL;
  820: 		}
  821: 		if (parkey == NULL)
  822: 			break;
  823: 
  824: 		if (pkey == NULL)
  825: 			pkey = parkey;
  826: 		if (debug) {
  827: 			if (parkey->type == EVP_PKEY_DSA)
  828: 				DSA_print_fp(stderr, parkey->pkey.dsa,
  829: 				    0);
  830: 			else if (parkey->type == EVP_PKEY_RSA)
  831: 				RSA_print_fp(stderr, parkey->pkey.rsa,
  832: 				    0);
  833: 		}
  834: 	}
  835: 	fclose(str);
  836: 	if (pkey == NULL) {
  837: 		fprintf(stderr, "Corrupt file %s or wrong key %s\n%s\n",
  838: 		    cp, passwd, ERR_error_string(ERR_get_error(),
  839: 		    NULL));
  840: 		exit (-1);
  841: 	}
  842: 	*estamp = gstamp;
  843: 	return (pkey);
  844: }
  845: 
  846: 
  847: /*
  848:  * Generate RSA public/private key pair
  849:  */
  850: EVP_PKEY *			/* public/private key pair */
  851: gen_rsa(
  852: 	char	*id		/* file name id */
  853: 	)
  854: {
  855: 	EVP_PKEY *pkey;		/* private key */
  856: 	RSA	*rsa;		/* RSA parameters and key pair */
  857: 	FILE	*str;
  858: 
  859: 	fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus);
  860: 	rsa = RSA_generate_key(modulus, 3, cb, "RSA");
  861: 	fprintf(stderr, "\n");
  862: 	if (rsa == NULL) {
  863: 		fprintf(stderr, "RSA generate keys fails\n%s\n",
  864: 		    ERR_error_string(ERR_get_error(), NULL));
  865: 		return (NULL);
  866: 	}
  867: 
  868: 	/*
  869: 	 * For signature encryption it is not necessary that the RSA
  870: 	 * parameters be strictly groomed and once in a while the
  871: 	 * modulus turns out to be non-prime. Just for grins, we check
  872: 	 * the primality.
  873: 	 */
  874: 	if (!RSA_check_key(rsa)) {
  875: 		fprintf(stderr, "Invalid RSA key\n%s\n",
  876: 		    ERR_error_string(ERR_get_error(), NULL));
  877: 		RSA_free(rsa);
  878: 		return (NULL);
  879: 	}
  880: 
  881: 	/*
  882: 	 * Write the RSA parameters and keys as a RSA private key
  883: 	 * encoded in PEM.
  884: 	 */
  885: 	if (strcmp(id, "sign") == 0)
  886: 		str = fheader("RSAsign", id, hostname);
  887: 	else
  888: 		str = fheader("RSAhost", id, hostname);
  889: 	pkey = EVP_PKEY_new();
  890: 	EVP_PKEY_assign_RSA(pkey, rsa);
  891: 	PEM_write_PrivateKey(str, pkey, EVP_des_cbc(), NULL, 0, NULL,
  892: 	    passwd1);
  893: 	fclose(str);
  894: 	if (debug)
  895: 		RSA_print_fp(stderr, rsa, 0);
  896: 	return (pkey);
  897: }
  898: 
  899:  
  900: /*
  901:  * Generate DSA public/private key pair
  902:  */
  903: EVP_PKEY *			/* public/private key pair */
  904: gen_dsa(
  905: 	char	*id		/* file name id */
  906: 	)
  907: {
  908: 	EVP_PKEY *pkey;		/* private key */
  909: 	DSA	*dsa;		/* DSA parameters */
  910: 	u_char	seed[20];	/* seed for parameters */
  911: 	FILE	*str;
  912: 
  913: 	/*
  914: 	 * Generate DSA parameters.
  915: 	 */
  916: 	fprintf(stderr,
  917: 	    "Generating DSA parameters (%d bits)...\n", modulus);
  918: 	RAND_bytes(seed, sizeof(seed));
  919: 	dsa = DSA_generate_parameters(modulus, seed, sizeof(seed), NULL,
  920: 	    NULL, cb, "DSA");
  921: 	fprintf(stderr, "\n");
  922: 	if (dsa == NULL) {
  923: 		fprintf(stderr, "DSA generate parameters fails\n%s\n",
  924: 		    ERR_error_string(ERR_get_error(), NULL));
  925: 		return (NULL);
  926: 	}
  927: 
  928: 	/*
  929: 	 * Generate DSA keys.
  930: 	 */
  931: 	fprintf(stderr, "Generating DSA keys (%d bits)...\n", modulus);
  932: 	if (!DSA_generate_key(dsa)) {
  933: 		fprintf(stderr, "DSA generate keys fails\n%s\n",
  934: 		    ERR_error_string(ERR_get_error(), NULL));
  935: 		DSA_free(dsa);
  936: 		return (NULL);
  937: 	}
  938: 
  939: 	/*
  940: 	 * Write the DSA parameters and keys as a DSA private key
  941: 	 * encoded in PEM.
  942: 	 */
  943: 	str = fheader("DSAsign", id, hostname);
  944: 	pkey = EVP_PKEY_new();
  945: 	EVP_PKEY_assign_DSA(pkey, dsa);
  946: 	PEM_write_PrivateKey(str, pkey, EVP_des_cbc(), NULL, 0, NULL,
  947: 	    passwd1);
  948: 	fclose(str);
  949: 	if (debug)
  950: 		DSA_print_fp(stderr, dsa, 0);
  951: 	return (pkey);
  952: }
  953: 
  954: 
  955: /*
  956:  ***********************************************************************
  957:  *								       *
  958:  * The following routines implement the Schnorr (IFF) identity scheme  *
  959:  *								       *
  960:  ***********************************************************************
  961:  *
  962:  * The Schnorr (IFF) identity scheme is intended for use when
  963:  * certificates are generated by some other trusted certificate
  964:  * authority and the certificate cannot be used to convey public
  965:  * parameters. There are two kinds of files: encrypted server files that
  966:  * contain private and public values and nonencrypted client files that
  967:  * contain only public values. New generations of server files must be
  968:  * securely transmitted to all servers of the group; client files can be
  969:  * distributed by any means. The scheme is self contained and
  970:  * independent of new generations of host keys, sign keys and
  971:  * certificates.
  972:  *
  973:  * The IFF values hide in a DSA cuckoo structure which uses the same
  974:  * parameters. The values are used by an identity scheme based on DSA
  975:  * cryptography and described in Stimson p. 285. The p is a 512-bit
  976:  * prime, g a generator of Zp* and q a 160-bit prime that divides p - 1
  977:  * and is a qth root of 1 mod p; that is, g^q = 1 mod p. The TA rolls a
  978:  * private random group key b (0 < b < q) and public key v = g^b, then
  979:  * sends (p, q, g, b) to the servers and (p, q, g, v) to the clients.
  980:  * Alice challenges Bob to confirm identity using the protocol described
  981:  * below.
  982:  *
  983:  * How it works
  984:  *
  985:  * The scheme goes like this. Both Alice and Bob have the public primes
  986:  * p, q and generator g. The TA gives private key b to Bob and public
  987:  * key v to Alice.
  988:  *
  989:  * Alice rolls new random challenge r (o < r < q) and sends to Bob in
  990:  * the IFF request message. Bob rolls new random k (0 < k < q), then
  991:  * computes y = k + b r mod q and x = g^k mod p and sends (y, hash(x))
  992:  * to Alice in the response message. Besides making the response
  993:  * shorter, the hash makes it effectivey impossible for an intruder to
  994:  * solve for b by observing a number of these messages.
  995:  * 
  996:  * Alice receives the response and computes g^y v^r mod p. After a bit
  997:  * of algebra, this simplifies to g^k. If the hash of this result
  998:  * matches hash(x), Alice knows that Bob has the group key b. The signed
  999:  * response binds this knowledge to Bob's private key and the public key
 1000:  * previously received in his certificate.
 1001:  */
 1002: /*
 1003:  * Generate Schnorr (IFF) keys.
 1004:  */
 1005: EVP_PKEY *			/* DSA cuckoo nest */
 1006: gen_iffkey(
 1007: 	char	*id		/* file name id */
 1008: 	)
 1009: {
 1010: 	EVP_PKEY *pkey;		/* private key */
 1011: 	DSA	*dsa;		/* DSA parameters */
 1012: 	u_char	seed[20];	/* seed for parameters */
 1013: 	BN_CTX	*ctx;		/* BN working space */
 1014: 	BIGNUM	*b, *r, *k, *u, *v, *w; /* BN temp */
 1015: 	FILE	*str;
 1016: 	u_int	temp;
 1017: 
 1018: 	/*
 1019: 	 * Generate DSA parameters for use as IFF parameters.
 1020: 	 */
 1021: 	fprintf(stderr, "Generating IFF keys (%d bits)...\n",
 1022: 	    modulus2);
 1023: 	RAND_bytes(seed, sizeof(seed));
 1024: 	dsa = DSA_generate_parameters(modulus2, seed, sizeof(seed), NULL,
 1025: 	    NULL, cb, "IFF");
 1026: 	fprintf(stderr, "\n");
 1027: 	if (dsa == NULL) {
 1028: 		fprintf(stderr, "DSA generate parameters fails\n%s\n",
 1029: 		    ERR_error_string(ERR_get_error(), NULL));
 1030: 		return (NULL);;
 1031: 	}
 1032: 
 1033: 	/*
 1034: 	 * Generate the private and public keys. The DSA parameters and
 1035: 	 * private key are distributed to the servers, while all except
 1036: 	 * the private key are distributed to the clients.
 1037: 	 */
 1038: 	b = BN_new(); r = BN_new(); k = BN_new();
 1039: 	u = BN_new(); v = BN_new(); w = BN_new(); ctx = BN_CTX_new();
 1040: 	BN_rand(b, BN_num_bits(dsa->q), -1, 0);	/* a */
 1041: 	BN_mod(b, b, dsa->q, ctx);
 1042: 	BN_sub(v, dsa->q, b);
 1043: 	BN_mod_exp(v, dsa->g, v, dsa->p, ctx); /* g^(q - b) mod p */
 1044: 	BN_mod_exp(u, dsa->g, b, dsa->p, ctx);	/* g^b mod p */
 1045: 	BN_mod_mul(u, u, v, dsa->p, ctx);
 1046: 	temp = BN_is_one(u);
 1047: 	fprintf(stderr,
 1048: 	    "Confirm g^(q - b) g^b = 1 mod p: %s\n", temp == 1 ?
 1049: 	    "yes" : "no");
 1050: 	if (!temp) {
 1051: 		BN_free(b); BN_free(r); BN_free(k);
 1052: 		BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
 1053: 		return (NULL);
 1054: 	}
 1055: 	dsa->priv_key = BN_dup(b);		/* private key */
 1056: 	dsa->pub_key = BN_dup(v);		/* public key */
 1057: 
 1058: 	/*
 1059: 	 * Here is a trial round of the protocol. First, Alice rolls
 1060: 	 * random nonce r mod q and sends it to Bob. She needs only
 1061: 	 * q from parameters.
 1062: 	 */
 1063: 	BN_rand(r, BN_num_bits(dsa->q), -1, 0);	/* r */
 1064: 	BN_mod(r, r, dsa->q, ctx);
 1065: 
 1066: 	/*
 1067: 	 * Bob rolls random nonce k mod q, computes y = k + b r mod q
 1068: 	 * and x = g^k mod p, then sends (y, x) to Alice. He needs
 1069: 	 * p, q and b from parameters and r from Alice.
 1070: 	 */
 1071: 	BN_rand(k, BN_num_bits(dsa->q), -1, 0);	/* k, 0 < k < q  */
 1072: 	BN_mod(k, k, dsa->q, ctx);
 1073: 	BN_mod_mul(v, dsa->priv_key, r, dsa->q, ctx); /* b r mod q */
 1074: 	BN_add(v, v, k);
 1075: 	BN_mod(v, v, dsa->q, ctx);		/* y = k + b r mod q */
 1076: 	BN_mod_exp(u, dsa->g, k, dsa->p, ctx);	/* x = g^k mod p */
 1077: 
 1078: 	/*
 1079: 	 * Alice verifies x = g^y v^r to confirm that Bob has group key
 1080: 	 * b. She needs p, q, g from parameters, (y, x) from Bob and the
 1081: 	 * original r. We omit the detail here thatt only the hash of y
 1082: 	 * is sent.
 1083: 	 */
 1084: 	BN_mod_exp(v, dsa->g, v, dsa->p, ctx); /* g^y mod p */
 1085: 	BN_mod_exp(w, dsa->pub_key, r, dsa->p, ctx); /* v^r */
 1086: 	BN_mod_mul(v, w, v, dsa->p, ctx);	/* product mod p */
 1087: 	temp = BN_cmp(u, v);
 1088: 	fprintf(stderr,
 1089: 	    "Confirm g^k = g^(k + b r) g^(q - b) r: %s\n", temp ==
 1090: 	    0 ? "yes" : "no");
 1091: 	BN_free(b); BN_free(r);	BN_free(k);
 1092: 	BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
 1093: 	if (temp != 0) {
 1094: 		DSA_free(dsa);
 1095: 		return (NULL);
 1096: 	}
 1097: 
 1098: 	/*
 1099: 	 * Write the IFF keys as an encrypted DSA private key encoded in
 1100: 	 * PEM.
 1101: 	 *
 1102: 	 * p	modulus p
 1103: 	 * q	modulus q
 1104: 	 * g	generator g
 1105: 	 * priv_key b
 1106: 	 * public_key v
 1107: 	 * kinv	not used
 1108: 	 * r	not used
 1109: 	 */
 1110: 	str = fheader("IFFkey", id, groupname);
 1111: 	pkey = EVP_PKEY_new();
 1112: 	EVP_PKEY_assign_DSA(pkey, dsa);
 1113: 	PEM_write_PrivateKey(str, pkey, EVP_des_cbc(), NULL, 0, NULL,
 1114: 	    passwd1);
 1115: 	fclose(str);
 1116: 	if (debug)
 1117: 		DSA_print_fp(stderr, dsa, 0);
 1118: 	return (pkey);
 1119: }
 1120: 
 1121: 
 1122: /*
 1123:  ***********************************************************************
 1124:  *								       *
 1125:  * The following routines implement the Guillou-Quisquater (GQ)        *
 1126:  * identity scheme                                                     *
 1127:  *								       *
 1128:  ***********************************************************************
 1129:  *
 1130:  * The Guillou-Quisquater (GQ) identity scheme is intended for use when
 1131:  * the certificate can be used to convey public parameters. The scheme
 1132:  * uses a X509v3 certificate extension field do convey the public key of
 1133:  * a private key known only to servers. There are two kinds of files:
 1134:  * encrypted server files that contain private and public values and
 1135:  * nonencrypted client files that contain only public values. New
 1136:  * generations of server files must be securely transmitted to all
 1137:  * servers of the group; client files can be distributed by any means.
 1138:  * The scheme is self contained and independent of new generations of
 1139:  * host keys and sign keys. The scheme is self contained and independent
 1140:  * of new generations of host keys and sign keys.
 1141:  *
 1142:  * The GQ parameters hide in a RSA cuckoo structure which uses the same
 1143:  * parameters. The values are used by an identity scheme based on RSA
 1144:  * cryptography and described in Stimson p. 300 (with errors). The 512-
 1145:  * bit public modulus is n = p q, where p and q are secret large primes.
 1146:  * The TA rolls private random group key b as RSA exponent. These values
 1147:  * are known to all group members.
 1148:  *
 1149:  * When rolling new certificates, a server recomputes the private and
 1150:  * public keys. The private key u is a random roll, while the public key
 1151:  * is the inverse obscured by the group key v = (u^-1)^b. These values
 1152:  * replace the private and public keys normally generated by the RSA
 1153:  * scheme. Alice challenges Bob to confirm identity using the protocol
 1154:  * described below.
 1155:  *
 1156:  * How it works
 1157:  *
 1158:  * The scheme goes like this. Both Alice and Bob have the same modulus n
 1159:  * and some random b as the group key. These values are computed and
 1160:  * distributed in advance via secret means, although only the group key
 1161:  * b is truly secret. Each has a private random private key u and public
 1162:  * key (u^-1)^b, although not necessarily the same ones. Bob and Alice
 1163:  * can regenerate the key pair from time to time without affecting
 1164:  * operations. The public key is conveyed on the certificate in an
 1165:  * extension field; the private key is never revealed.
 1166:  *
 1167:  * Alice rolls new random challenge r and sends to Bob in the GQ
 1168:  * request message. Bob rolls new random k, then computes y = k u^r mod
 1169:  * n and x = k^b mod n and sends (y, hash(x)) to Alice in the response
 1170:  * message. Besides making the response shorter, the hash makes it
 1171:  * effectivey impossible for an intruder to solve for b by observing
 1172:  * a number of these messages.
 1173:  * 
 1174:  * Alice receives the response and computes y^b v^r mod n. After a bit
 1175:  * of algebra, this simplifies to k^b. If the hash of this result
 1176:  * matches hash(x), Alice knows that Bob has the group key b. The signed
 1177:  * response binds this knowledge to Bob's private key and the public key
 1178:  * previously received in his certificate.
 1179:  */
 1180: /*
 1181:  * Generate Guillou-Quisquater (GQ) parameters file.
 1182:  */
 1183: EVP_PKEY *			/* RSA cuckoo nest */
 1184: gen_gqkey(
 1185: 	char	*id		/* file name id */
 1186: 	)
 1187: {
 1188: 	EVP_PKEY *pkey;		/* private key */
 1189: 	RSA	*rsa;		/* RSA parameters */
 1190: 	BN_CTX	*ctx;		/* BN working space */
 1191: 	BIGNUM	*u, *v, *g, *k, *r, *y; /* BN temps */
 1192: 	FILE	*str;
 1193: 	u_int	temp;
 1194: 
 1195: 	/*
 1196: 	 * Generate RSA parameters for use as GQ parameters.
 1197: 	 */
 1198: 	fprintf(stderr,
 1199: 	    "Generating GQ parameters (%d bits)...\n",
 1200: 	     modulus2);
 1201: 	rsa = RSA_generate_key(modulus2, 3, cb, "GQ");
 1202: 	fprintf(stderr, "\n");
 1203: 	if (rsa == NULL) {
 1204: 		fprintf(stderr, "RSA generate keys fails\n%s\n",
 1205: 		    ERR_error_string(ERR_get_error(), NULL));
 1206: 		return (NULL);
 1207: 	}
 1208: 	ctx = BN_CTX_new(); u = BN_new(); v = BN_new();
 1209: 	g = BN_new(); k = BN_new(); r = BN_new(); y = BN_new();
 1210: 
 1211: 	/*
 1212: 	 * Generate the group key b, which is saved in the e member of
 1213: 	 * the RSA structure. The group key is transmitted to each group
 1214: 	 * member encrypted by the member private key.
 1215: 	 */
 1216: 	ctx = BN_CTX_new();
 1217: 	BN_rand(rsa->e, BN_num_bits(rsa->n), -1, 0); /* b */
 1218: 	BN_mod(rsa->e, rsa->e, rsa->n, ctx);
 1219: 
 1220: 	/*
 1221: 	 * When generating his certificate, Bob rolls random private key
 1222: 	 * u, then computes inverse v = u^-1. 
 1223: 	 */
 1224: 	BN_rand(u, BN_num_bits(rsa->n), -1, 0); /* u */
 1225: 	BN_mod(u, u, rsa->n, ctx);
 1226: 	BN_mod_inverse(v, u, rsa->n, ctx);	/* u^-1 mod n */
 1227: 	BN_mod_mul(k, v, u, rsa->n, ctx);
 1228: 
 1229: 	/*
 1230: 	 * Bob computes public key v = (u^-1)^b, which is saved in an
 1231: 	 * extension field on his certificate. We check that u^b v =
 1232: 	 * 1 mod n.
 1233: 	 */
 1234: 	BN_mod_exp(v, v, rsa->e, rsa->n, ctx);
 1235: 	BN_mod_exp(g, u, rsa->e, rsa->n, ctx); /* u^b */
 1236: 	BN_mod_mul(g, g, v, rsa->n, ctx); /* u^b (u^-1)^b */
 1237: 	temp = BN_is_one(g);
 1238: 	fprintf(stderr,
 1239: 	    "Confirm u^b (u^-1)^b = 1 mod n: %s\n", temp ? "yes" :
 1240: 	    "no");
 1241: 	if (!temp) {
 1242: 		BN_free(u); BN_free(v);
 1243: 		BN_free(g); BN_free(k); BN_free(r); BN_free(y);
 1244: 		BN_CTX_free(ctx);
 1245: 		RSA_free(rsa);
 1246: 		return (NULL);
 1247: 	}
 1248: 	BN_copy(rsa->p, u);			/* private key */
 1249: 	BN_copy(rsa->q, v);			/* public key */
 1250: 
 1251: 	/*
 1252: 	 * Here is a trial run of the protocol. First, Alice rolls
 1253: 	 * random nonce r mod n and sends it to Bob. She needs only n
 1254: 	 * from parameters.
 1255: 	 */
 1256: 	BN_rand(r, BN_num_bits(rsa->n), -1, 0);	/* r */
 1257: 	BN_mod(r, r, rsa->n, ctx);
 1258: 
 1259: 	/*
 1260: 	 * Bob rolls random nonce k mod n, computes y = k u^r mod n and
 1261: 	 * g = k^b mod n, then sends (y, g) to Alice. He needs n, u, b
 1262: 	 * from parameters and r from Alice. 
 1263: 	 */
 1264: 	BN_rand(k, BN_num_bits(rsa->n), -1, 0);	/* k */
 1265: 	BN_mod(k, k, rsa->n, ctx);
 1266: 	BN_mod_exp(y, rsa->p, r, rsa->n, ctx);	/* u^r mod n */
 1267: 	BN_mod_mul(y, k, y, rsa->n, ctx);	/* y = k u^r mod n */
 1268: 	BN_mod_exp(g, k, rsa->e, rsa->n, ctx);	/* g = k^b mod n */
 1269: 
 1270: 	/*
 1271: 	 * Alice verifies g = v^r y^b mod n to confirm that Bob has
 1272: 	 * private key u. She needs n, g from parameters, public key v =
 1273: 	 * (u^-1)^b from the certificate, (y, g) from Bob and the
 1274: 	 * original r. We omit the detaul here that only the hash of g
 1275: 	 * is sent.
 1276: 	 */
 1277: 	BN_mod_exp(v, rsa->q, r, rsa->n, ctx);	/* v^r mod n */
 1278: 	BN_mod_exp(y, y, rsa->e, rsa->n, ctx); /* y^b mod n */
 1279: 	BN_mod_mul(y, v, y, rsa->n, ctx);	/* v^r y^b mod n */
 1280: 	temp = BN_cmp(y, g);
 1281: 	fprintf(stderr, "Confirm g^k = v^r y^b mod n: %s\n", temp == 0 ?
 1282: 	    "yes" : "no");
 1283: 	BN_CTX_free(ctx); BN_free(u); BN_free(v);
 1284: 	BN_free(g); BN_free(k); BN_free(r); BN_free(y);
 1285: 	if (temp != 0) {
 1286: 		RSA_free(rsa);
 1287: 		return (NULL);
 1288: 	}
 1289: 
 1290: 	/*
 1291: 	 * Write the GQ parameter file as an encrypted RSA private key
 1292: 	 * encoded in PEM.
 1293: 	 *
 1294: 	 * n	modulus n
 1295: 	 * e	group key b
 1296: 	 * d	not used
 1297: 	 * p	private key u
 1298: 	 * q	public key (u^-1)^b
 1299: 	 * dmp1	not used
 1300: 	 * dmq1	not used
 1301: 	 * iqmp	not used
 1302: 	 */
 1303: 	BN_copy(rsa->d, BN_value_one());
 1304: 	BN_copy(rsa->dmp1, BN_value_one());
 1305: 	BN_copy(rsa->dmq1, BN_value_one());
 1306: 	BN_copy(rsa->iqmp, BN_value_one());
 1307: 	str = fheader("GQkey", id, groupname);
 1308: 	pkey = EVP_PKEY_new();
 1309: 	EVP_PKEY_assign_RSA(pkey, rsa);
 1310: 	PEM_write_PrivateKey(str, pkey, EVP_des_cbc(), NULL, 0, NULL,
 1311: 	    passwd1);
 1312: 	fclose(str);
 1313: 	if (debug)
 1314: 		RSA_print_fp(stderr, rsa, 0);
 1315: 	return (pkey);
 1316: }
 1317: 
 1318: 
 1319: /*
 1320:  ***********************************************************************
 1321:  *								       *
 1322:  * The following routines implement the Mu-Varadharajan (MV) identity  *
 1323:  * scheme                                                              *
 1324:  *								       *
 1325:  ***********************************************************************
 1326:  *
 1327:  * The Mu-Varadharajan (MV) cryptosystem was originally intended when
 1328:  * servers broadcast messages to clients, but clients never send
 1329:  * messages to servers. There is one encryption key for the server and a
 1330:  * separate decryption key for each client. It operated something like a
 1331:  * pay-per-view satellite broadcasting system where the session key is
 1332:  * encrypted by the broadcaster and the decryption keys are held in a
 1333:  * tamperproof set-top box.
 1334:  *
 1335:  * The MV parameters and private encryption key hide in a DSA cuckoo
 1336:  * structure which uses the same parameters, but generated in a
 1337:  * different way. The values are used in an encryption scheme similar to
 1338:  * El Gamal cryptography and a polynomial formed from the expansion of
 1339:  * product terms (x - x[j]), as described in Mu, Y., and V.
 1340:  * Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001,
 1341:  * 223-231. The paper has significant errors and serious omissions.
 1342:  *
 1343:  * Let q be the product of n distinct primes s1[j] (j = 1...n), where
 1344:  * each s1[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
 1345:  * that q and each s1[j] divide p - 1 and p has M = n * m + 1
 1346:  * significant bits. Let g be a generator of Zp; that is, gcd(g, p - 1)
 1347:  * = 1 and g^q = 1 mod p. We do modular arithmetic over Zq and then
 1348:  * project into Zp* as exponents of g. Sometimes we have to compute an
 1349:  * inverse b^-1 of random b in Zq, but for that purpose we require
 1350:  * gcd(b, q) = 1. We expect M to be in the 500-bit range and n
 1351:  * relatively small, like 30. These are the parameters of the scheme and
 1352:  * they are expensive to compute.
 1353:  *
 1354:  * We set up an instance of the scheme as follows. A set of random
 1355:  * values x[j] mod q (j = 1...n), are generated as the zeros of a
 1356:  * polynomial of order n. The product terms (x - x[j]) are expanded to
 1357:  * form coefficients a[i] mod q (i = 0...n) in powers of x. These are
 1358:  * used as exponents of the generator g mod p to generate the private
 1359:  * encryption key A. The pair (gbar, ghat) of public server keys and the
 1360:  * pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used
 1361:  * to construct the decryption keys. The devil is in the details.
 1362:  *
 1363:  * This routine generates a private server encryption file including the
 1364:  * private encryption key E and partial decryption keys gbar and ghat.
 1365:  * It then generates public client decryption files including the public
 1366:  * keys xbar[j] and xhat[j] for each client j. The partial decryption
 1367:  * files are used to compute the inverse of E. These values are suitably
 1368:  * blinded so secrets are not revealed.
 1369:  *
 1370:  * The distinguishing characteristic of this scheme is the capability to
 1371:  * revoke keys. Included in the calculation of E, gbar and ghat is the
 1372:  * product s = prod(s1[j]) (j = 1...n) above. If the factor s1[j] is
 1373:  * subsequently removed from the product and E, gbar and ghat
 1374:  * recomputed, the jth client will no longer be able to compute E^-1 and
 1375:  * thus unable to decrypt the messageblock.
 1376:  *
 1377:  * How it works
 1378:  *
 1379:  * The scheme goes like this. Bob has the server values (p, E, q, gbar,
 1380:  * ghat) and Alice has the client values (p, xbar, xhat).
 1381:  *
 1382:  * Alice rolls new random nonce r mod p and sends to Bob in the MV
 1383:  * request message. Bob rolls random nonce k mod q, encrypts y = r E^k
 1384:  * mod p and sends (y, gbar^k, ghat^k) to Alice.
 1385:  * 
 1386:  * Alice receives the response and computes the inverse (E^k)^-1 from
 1387:  * the partial decryption keys gbar^k, ghat^k, xbar and xhat. She then
 1388:  * decrypts y and verifies it matches the original r. The signed
 1389:  * response binds this knowledge to Bob's private key and the public key
 1390:  * previously received in his certificate.
 1391:  */
 1392: EVP_PKEY *			/* DSA cuckoo nest */
 1393: gen_mvkey(
 1394: 	char	*id,		/* file name id */
 1395: 	EVP_PKEY **evpars	/* parameter list pointer */
 1396: 	)
 1397: {
 1398: 	EVP_PKEY *pkey, *pkey1;	/* private keys */
 1399: 	DSA	*dsa, *dsa2, *sdsa; /* DSA parameters */
 1400: 	BN_CTX	*ctx;		/* BN working space */
 1401: 	BIGNUM	*a[MVMAX];	/* polynomial coefficient vector */
 1402: 	BIGNUM	*g[MVMAX];	/* public key vector */
 1403: 	BIGNUM	*s1[MVMAX];	/* private enabling keys */
 1404: 	BIGNUM	*x[MVMAX];	/* polynomial zeros vector */
 1405: 	BIGNUM	*xbar[MVMAX], *xhat[MVMAX]; /* private keys vector */
 1406: 	BIGNUM	*b;		/* group key */
 1407: 	BIGNUM	*b1;		/* inverse group key */
 1408: 	BIGNUM	*s;		/* enabling key */
 1409: 	BIGNUM	*biga;		/* master encryption key */
 1410: 	BIGNUM	*bige;		/* session encryption key */
 1411: 	BIGNUM	*gbar, *ghat;	/* public key */
 1412: 	BIGNUM	*u, *v, *w;	/* BN scratch */
 1413: 	int	i, j, n;
 1414: 	FILE	*str;
 1415: 	u_int	temp;
 1416: 
 1417: 	/*
 1418: 	 * Generate MV parameters.
 1419: 	 *
 1420: 	 * The object is to generate a multiplicative group Zp* modulo a
 1421: 	 * prime p and a subset Zq mod q, where q is the product of n
 1422: 	 * distinct primes s1[j] (j = 1...n) and q divides p - 1. We
 1423: 	 * first generate n m-bit primes, where the product n m is in
 1424: 	 * the order of 512 bits. One or more of these may have to be
 1425: 	 * replaced later. As a practical matter, it is tough to find
 1426: 	 * more than 31 distinct primes for 512 bits or 61 primes for
 1427: 	 * 1024 bits. The latter can take several hundred iterations
 1428: 	 * and several minutes on a Sun Blade 1000.
 1429: 	 */
 1430: 	n = nkeys;
 1431: 	fprintf(stderr,
 1432: 	    "Generating MV parameters for %d keys (%d bits)...\n", n,
 1433: 	    modulus2 / n);
 1434: 	ctx = BN_CTX_new(); u = BN_new(); v = BN_new(); w = BN_new();
 1435: 	b = BN_new(); b1 = BN_new();
 1436: 	dsa = DSA_new();
 1437: 	dsa->p = BN_new(); dsa->q = BN_new(); dsa->g = BN_new();
 1438: 	dsa->priv_key = BN_new(); dsa->pub_key = BN_new();
 1439: 	temp = 0;
 1440: 	for (j = 1; j <= n; j++) {
 1441: 		s1[j] = BN_new();
 1442: 		while (1) {
 1443: 			BN_generate_prime(s1[j], modulus2 / n, 0, NULL,
 1444: 			    NULL, NULL, NULL);
 1445: 			for (i = 1; i < j; i++) {
 1446: 				if (BN_cmp(s1[i], s1[j]) == 0)
 1447: 					break;
 1448: 			}
 1449: 			if (i == j)
 1450: 				break;
 1451: 			temp++;
 1452: 		}
 1453: 	}
 1454: 	fprintf(stderr, "Birthday keys regenerated %d\n", temp);
 1455: 
 1456: 	/*
 1457: 	 * Compute the modulus q as the product of the primes. Compute
 1458: 	 * the modulus p as 2 * q + 1 and test p for primality. If p
 1459: 	 * is composite, replace one of the primes with a new distinct
 1460: 	 * one and try again. Note that q will hardly be a secret since
 1461: 	 * we have to reveal p to servers, but not clients. However,
 1462: 	 * factoring q to find the primes should be adequately hard, as
 1463: 	 * this is the same problem considered hard in RSA. Question: is
 1464: 	 * it as hard to find n small prime factors totalling n bits as
 1465: 	 * it is to find two large prime factors totalling n bits?
 1466: 	 * Remember, the bad guy doesn't know n.
 1467: 	 */
 1468: 	temp = 0;
 1469: 	while (1) {
 1470: 		BN_one(dsa->q);
 1471: 		for (j = 1; j <= n; j++)
 1472: 			BN_mul(dsa->q, dsa->q, s1[j], ctx);
 1473: 		BN_copy(dsa->p, dsa->q);
 1474: 		BN_add(dsa->p, dsa->p, dsa->p);
 1475: 		BN_add_word(dsa->p, 1);
 1476: 		if (BN_is_prime(dsa->p, BN_prime_checks, NULL, ctx,
 1477: 		    NULL))
 1478: 			break;
 1479: 
 1480: 		temp++;
 1481: 		j = temp % n + 1;
 1482: 		while (1) {
 1483: 			BN_generate_prime(u, modulus2 / n, 0, 0, NULL,
 1484: 			    NULL, NULL);
 1485: 			for (i = 1; i <= n; i++) {
 1486: 				if (BN_cmp(u, s1[i]) == 0)
 1487: 					break;
 1488: 			}
 1489: 			if (i > n)
 1490: 				break;
 1491: 		}
 1492: 		BN_copy(s1[j], u);
 1493: 	}
 1494: 	fprintf(stderr, "Defective keys regenerated %d\n", temp);
 1495: 
 1496: 	/*
 1497: 	 * Compute the generator g using a random roll such that
 1498: 	 * gcd(g, p - 1) = 1 and g^q = 1. This is a generator of p, not
 1499: 	 * q. This may take several iterations.
 1500: 	 */
 1501: 	BN_copy(v, dsa->p);
 1502: 	BN_sub_word(v, 1);
 1503: 	while (1) {
 1504: 		BN_rand(dsa->g, BN_num_bits(dsa->p) - 1, 0, 0);
 1505: 		BN_mod(dsa->g, dsa->g, dsa->p, ctx);
 1506: 		BN_gcd(u, dsa->g, v, ctx);
 1507: 		if (!BN_is_one(u))
 1508: 			continue;
 1509: 
 1510: 		BN_mod_exp(u, dsa->g, dsa->q, dsa->p, ctx);
 1511: 		if (BN_is_one(u))
 1512: 			break;
 1513: 	}
 1514: 
 1515: 	/*
 1516: 	 * Setup is now complete. Roll random polynomial roots x[j]
 1517: 	 * (j = 1...n) for all j. While it may not be strictly
 1518: 	 * necessary, Make sure each root has no factors in common with
 1519: 	 * q.
 1520: 	 */
 1521: 	fprintf(stderr,
 1522: 	    "Generating polynomial coefficients for %d roots (%d bits)\n",
 1523: 	    n, BN_num_bits(dsa->q)); 
 1524: 	for (j = 1; j <= n; j++) {
 1525: 		x[j] = BN_new();
 1526: 
 1527: 		while (1) {
 1528: 			BN_rand(x[j], BN_num_bits(dsa->q), 0, 0);
 1529: 			BN_mod(x[j], x[j], dsa->q, ctx);
 1530: 			BN_gcd(u, x[j], dsa->q, ctx);
 1531: 			if (BN_is_one(u))
 1532: 				break;
 1533: 		}
 1534: 	}
 1535: 
 1536: 	/*
 1537: 	 * Generate polynomial coefficients a[i] (i = 0...n) from the
 1538: 	 * expansion of root products (x - x[j]) mod q for all j. The
 1539: 	 * method is a present from Charlie Boncelet.
 1540: 	 */
 1541: 	for (i = 0; i <= n; i++) {
 1542: 		a[i] = BN_new();
 1543: 
 1544: 		BN_one(a[i]);
 1545: 	}
 1546: 	for (j = 1; j <= n; j++) {
 1547: 		BN_zero(w);
 1548: 		for (i = 0; i < j; i++) {
 1549: 			BN_copy(u, dsa->q);
 1550: 			BN_mod_mul(v, a[i], x[j], dsa->q, ctx);
 1551: 			BN_sub(u, u, v);
 1552: 			BN_add(u, u, w);
 1553: 			BN_copy(w, a[i]);
 1554: 			BN_mod(a[i], u, dsa->q, ctx);
 1555: 		}
 1556: 	}
 1557: 
 1558: 	/*
 1559: 	 * Generate g[i] = g^a[i] mod p for all i and the generator g.
 1560: 	 */
 1561: 	for (i = 0; i <= n; i++) {
 1562: 		g[i] = BN_new();
 1563: 
 1564: 		BN_mod_exp(g[i], dsa->g, a[i], dsa->p, ctx);
 1565: 	}
 1566: 
 1567: 	/*
 1568: 	 * Verify prod(g[i]^(a[i] x[j]^i)) = 1 for all i, j. Note the
 1569: 	 * a[i] x[j]^i exponent is computed mod q, but the g[i] is
 1570: 	 * computed mod p. also note the expression given in the paper
 1571: 	 * is incorrect.
 1572: 	 */
 1573: 	temp = 1;
 1574: 	for (j = 1; j <= n; j++) {
 1575: 		BN_one(u);
 1576: 		for (i = 0; i <= n; i++) {
 1577: 			BN_set_word(v, i);
 1578: 			BN_mod_exp(v, x[j], v, dsa->q, ctx);
 1579: 			BN_mod_mul(v, v, a[i], dsa->q, ctx);
 1580: 			BN_mod_exp(v, dsa->g, v, dsa->p, ctx);
 1581: 			BN_mod_mul(u, u, v, dsa->p, ctx);
 1582: 		}
 1583: 		if (!BN_is_one(u))
 1584: 			temp = 0;
 1585: 	}
 1586: 	fprintf(stderr,
 1587: 	    "Confirm prod(g[i]^(x[j]^i)) = 1 for all i, j: %s\n", temp ?
 1588: 	    "yes" : "no");
 1589: 	if (!temp) {
 1590: 		return (NULL);
 1591: 	}
 1592: 
 1593: 	/*
 1594: 	 * Make private encryption key A. Keep it around for awhile,
 1595: 	 * since it is expensive to compute.
 1596: 	 */
 1597: 	biga = BN_new();
 1598: 
 1599: 	BN_one(biga);
 1600: 	for (j = 1; j <= n; j++) {
 1601: 		for (i = 0; i < n; i++) {
 1602: 			BN_set_word(v, i);
 1603: 			BN_mod_exp(v, x[j], v, dsa->q, ctx);
 1604: 			BN_mod_exp(v, g[i], v, dsa->p, ctx);
 1605: 			BN_mod_mul(biga, biga, v, dsa->p, ctx);
 1606: 		}
 1607: 	}
 1608: 
 1609: 	/*
 1610: 	 * Roll private random group key b mod q (0 < b < q), where
 1611: 	 * gcd(b, q) = 1 to guarantee b^-1 exists, then compute b^-1
 1612: 	 * mod q. If b is changed, the client keys must be recomputed.
 1613: 	 */
 1614: 	while (1) {
 1615: 		BN_rand(b, BN_num_bits(dsa->q), 0, 0);
 1616: 		BN_mod(b, b, dsa->q, ctx);
 1617: 		BN_gcd(u, b, dsa->q, ctx);
 1618: 		if (BN_is_one(u))
 1619: 			break;
 1620: 	}
 1621: 	BN_mod_inverse(b1, b, dsa->q, ctx);
 1622: 
 1623: 	/*
 1624: 	 * Make private client keys (xbar[j], xhat[j]) for all j. Note
 1625: 	 * that the keys for the jth client do not s1[j] or the product
 1626: 	 * s1[j]) (j = 1...n) which is q by construction.
 1627: 	 *
 1628: 	 * Compute the factor w such that w s1[j] = s1[j] for all j. The
 1629: 	 * easy way to do this is to compute (q + s1[j]) / s1[j].
 1630: 	 * Exercise for the student: prove the remainder is always zero.
 1631: 	 */
 1632: 	for (j = 1; j <= n; j++) {
 1633: 		xbar[j] = BN_new(); xhat[j] = BN_new();
 1634: 
 1635: 		BN_add(w, dsa->q, s1[j]);
 1636: 		BN_div(w, u, w, s1[j], ctx);
 1637: 		BN_zero(xbar[j]);
 1638: 		BN_set_word(v, n);
 1639: 		for (i = 1; i <= n; i++) {
 1640: 			if (i == j)
 1641: 				continue;
 1642: 			BN_mod_exp(u, x[i], v, dsa->q, ctx);
 1643: 			BN_add(xbar[j], xbar[j], u);
 1644: 		}
 1645: 		BN_mod_mul(xbar[j], xbar[j], b1, dsa->q, ctx);
 1646: 		BN_mod_exp(xhat[j], x[j], v, dsa->q, ctx);
 1647: 		BN_mod_mul(xhat[j], xhat[j], w, dsa->q, ctx);
 1648: 	}
 1649: 
 1650: 	/*
 1651: 	 * We revoke client j by dividing q by s1[j]. The quotient
 1652: 	 * becomes the enabling key s. Note we always have to revoke
 1653: 	 * one key; otherwise, the plaintext and cryptotext would be
 1654: 	 * identical. For the present there are no provisions to revoke
 1655: 	 * additional keys, so we sail on with only token revocations.
 1656: 	 */
 1657: 	s = BN_new();
 1658: 
 1659: 	BN_copy(s, dsa->q);
 1660: 	BN_div(s, u, s, s1[n], ctx);
 1661: 
 1662: 	/*
 1663: 	 * For each combination of clients to be revoked, make private
 1664: 	 * encryption key E = A^s and partial decryption keys gbar = g^s
 1665: 	 * and ghat = g^(s b), all mod p. The servers use these keys to
 1666: 	 * compute the session encryption key and partial decryption
 1667: 	 * keys. These values must be regenerated if the enabling key is
 1668: 	 * changed.
 1669: 	 */
 1670: 	bige = BN_new(); gbar = BN_new(); ghat = BN_new();
 1671: 
 1672: 	BN_mod_exp(bige, biga, s, dsa->p, ctx);
 1673: 	BN_mod_exp(gbar, dsa->g, s, dsa->p, ctx);
 1674: 	BN_mod_mul(v, s, b, dsa->q, ctx);
 1675: 	BN_mod_exp(ghat, dsa->g, v, dsa->p, ctx);
 1676: 	
 1677: 	/*
 1678: 	 * Notes: We produce the key media in three steps. The first
 1679: 	 * step is to generate the system parameters p, q, g, b, A and
 1680: 	 * the enabling keys s1[j]. Associated with each s1[j] are
 1681: 	 * parameters xbar[j] and xhat[j]. All of these parameters are
 1682: 	 * retained in a data structure protecteted by the trusted-agent
 1683: 	 * password. The p, xbar[j] and xhat[j] paremeters are
 1684: 	 * distributed to the j clients. When the client keys are to be
 1685: 	 * activated, the enabled keys are multipied together to form
 1686: 	 * the master enabling key s. This and the other parameters are
 1687: 	 * used to compute the server encryption key E and the partial
 1688: 	 * decryption keys gbar and ghat.
 1689: 	 *
 1690: 	 * In the identity exchange the client rolls random r and sends
 1691: 	 * it to the server. The server rolls random k, which is used
 1692: 	 * only once, then computes the session key E^k and partial
 1693: 	 * decryption keys gbar^k and ghat^k. The server sends the
 1694: 	 * encrypted r along with gbar^k and ghat^k to the client. The
 1695: 	 * client completes the decryption and verifies it matches r.
 1696: 	 */
 1697: 	/*
 1698: 	 * Write the MV trusted-agent parameters and keys as a DSA
 1699: 	 * private key encoded in PEM.
 1700: 	 *
 1701: 	 * p	modulus p
 1702: 	 * q	modulus q
 1703: 	 * g	generator g
 1704: 	 * priv_key A mod p
 1705: 	 * pub_key b mod q
 1706: 	 * (remaining values are not used)
 1707: 	 */
 1708: 	i = 0;
 1709: 	str = fheader("MVta", "mvta", groupname);
 1710: 	fprintf(stderr, "Generating MV trusted-authority keys\n");
 1711: 	BN_copy(dsa->priv_key, biga);
 1712: 	BN_copy(dsa->pub_key, b);
 1713: 	pkey = EVP_PKEY_new();
 1714: 	EVP_PKEY_assign_DSA(pkey, dsa);
 1715: 	PEM_write_PrivateKey(str, pkey, EVP_des_cbc(), NULL, 0, NULL,
 1716: 	    passwd1);
 1717: 	evpars[i++] = pkey;
 1718: 	if (debug)
 1719: 		DSA_print_fp(stderr, dsa, 0);
 1720: 
 1721: 	/*
 1722: 	 * Append the MV server parameters and keys as a DSA key encoded
 1723: 	 * in PEM.
 1724: 	 *
 1725: 	 * p	modulus p
 1726: 	 * q	modulus q (used only when generating k)
 1727: 	 * g	bige
 1728: 	 * priv_key gbar
 1729: 	 * pub_key ghat
 1730: 	 * (remaining values are not used)
 1731: 	 */
 1732: 	fprintf(stderr, "Generating MV server keys\n");
 1733: 	dsa2 = DSA_new();
 1734: 	dsa2->p = BN_dup(dsa->p);
 1735: 	dsa2->q = BN_dup(dsa->q); 
 1736: 	dsa2->g = BN_dup(bige); 
 1737: 	dsa2->priv_key = BN_dup(gbar);
 1738: 	dsa2->pub_key = BN_dup(ghat);
 1739: 	pkey1 = EVP_PKEY_new();
 1740: 	EVP_PKEY_assign_DSA(pkey1, dsa2);
 1741: 	PEM_write_PrivateKey(str, pkey1, EVP_des_cbc(), NULL, 0, NULL,
 1742: 	    passwd1);
 1743: 	evpars[i++] = pkey1;
 1744: 	if (debug)
 1745: 		DSA_print_fp(stderr, dsa2, 0);
 1746: 
 1747: 	/*
 1748: 	 * Append the MV client parameters for each client j as DSA keys
 1749: 	 * encoded in PEM.
 1750: 	 *
 1751: 	 * p	modulus p
 1752: 	 * priv_key xbar[j] mod q
 1753: 	 * pub_key xhat[j] mod q
 1754: 	 * (remaining values are not used)
 1755: 	 */
 1756: 	fprintf(stderr, "Generating %d MV client keys\n", n);
 1757: 	for (j = 1; j <= n; j++) {
 1758: 		sdsa = DSA_new();
 1759: 
 1760: 		sdsa->p = BN_dup(dsa->p);
 1761: 		sdsa->q = BN_dup(BN_value_one()); 
 1762: 		sdsa->g = BN_dup(BN_value_one()); 
 1763: 		sdsa->priv_key = BN_dup(xbar[j]);
 1764: 		sdsa->pub_key = BN_dup(xhat[j]);
 1765: 		pkey1 = EVP_PKEY_new();
 1766: 		EVP_PKEY_set1_DSA(pkey1, sdsa);
 1767: 		PEM_write_PrivateKey(str, pkey1, EVP_des_cbc(), NULL, 0,
 1768: 		    NULL, passwd1);
 1769: 		evpars[i++] = pkey1;
 1770: 		if (debug)
 1771: 			DSA_print_fp(stderr, sdsa, 0);
 1772: 
 1773: 		/*
 1774: 		 * The product gbar^k)^xbar[j] (ghat^k)^xhat[j] and E
 1775: 		 * are inverses of each other. We check that the product
 1776: 		 * is one for each client except the ones that have been
 1777: 		 * revoked. 
 1778: 		 */
 1779: 		BN_mod_exp(v, dsa2->priv_key, sdsa->pub_key, dsa->p,
 1780: 		    ctx);
 1781: 		BN_mod_exp(u, dsa2->pub_key, sdsa->priv_key, dsa->p,
 1782: 		    ctx);
 1783: 		BN_mod_mul(u, u, v, dsa->p, ctx);
 1784: 		BN_mod_mul(u, u, bige, dsa->p, ctx);
 1785: 		if (!BN_is_one(u)) {
 1786: 			fprintf(stderr, "Revoke key %d\n", j);
 1787: 			continue;
 1788: 		}
 1789: 	}
 1790: 	evpars[i++] = NULL;
 1791: 	fclose(str);
 1792: 
 1793: 	/*
 1794: 	 * Free the countries.
 1795: 	 */
 1796: 	for (i = 0; i <= n; i++) {
 1797: 		BN_free(a[i]); BN_free(g[i]);
 1798: 	}
 1799: 	for (j = 1; j <= n; j++) {
 1800: 		BN_free(x[j]); BN_free(xbar[j]); BN_free(xhat[j]);
 1801: 		BN_free(s1[j]); 
 1802: 	}
 1803: 	return (pkey);
 1804: }
 1805: 
 1806: 
 1807: /*
 1808:  * Generate X509v3 certificate.
 1809:  *
 1810:  * The certificate consists of the version number, serial number,
 1811:  * validity interval, issuer name, subject name and public key. For a
 1812:  * self-signed certificate, the issuer name is the same as the subject
 1813:  * name and these items are signed using the subject private key. The
 1814:  * validity interval extends from the current time to the same time one
 1815:  * year hence. For NTP purposes, it is convenient to use the NTP seconds
 1816:  * of the current time as the serial number.
 1817:  */
 1818: int
 1819: x509	(
 1820: 	EVP_PKEY *pkey,		/* generic signature algorithm */
 1821: 	const EVP_MD *md,	/* generic digest algorithm */
 1822: 	char	*gqpub,		/* identity extension (hex string) */
 1823: 	char	*exten,		/* private cert extension */
 1824: 	char	*name		/* subject/issuer namd */
 1825: 	)
 1826: {
 1827: 	X509	*cert;		/* X509 certificate */
 1828: 	X509_NAME *subj;	/* distinguished (common) name */
 1829: 	X509_EXTENSION *ex;	/* X509v3 extension */
 1830: 	FILE	*str;		/* file handle */
 1831: 	ASN1_INTEGER *serial;	/* serial number */
 1832: 	const char *id;		/* digest/signature scheme name */
 1833: 	char	pathbuf[MAXFILENAME + 1];
 1834: 
 1835: 	/*
 1836: 	 * Generate X509 self-signed certificate.
 1837: 	 *
 1838: 	 * Set the certificate serial to the NTP seconds for grins. Set
 1839: 	 * the version to 3. Set the initial validity to the current
 1840: 	 * time and the finalvalidity one year hence.
 1841: 	 */
 1842:  	id = OBJ_nid2sn(md->pkey_type);
 1843: 	fprintf(stderr, "Generating new certificate %s %s\n", name, id);
 1844: 	cert = X509_new();
 1845: 	X509_set_version(cert, 2L);
 1846: 	serial = ASN1_INTEGER_new();
 1847: 	ASN1_INTEGER_set(serial, (long)epoch + JAN_1970);
 1848: 	X509_set_serialNumber(cert, serial);
 1849: 	ASN1_INTEGER_free(serial);
 1850: 	X509_time_adj(X509_get_notBefore(cert), 0L, &epoch);
 1851: 	X509_time_adj(X509_get_notAfter(cert), YEAR, &epoch);
 1852: 	subj = X509_get_subject_name(cert);
 1853: 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
 1854: 	    (unsigned char *) name, strlen(name), -1, 0);
 1855: 	subj = X509_get_issuer_name(cert);
 1856: 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
 1857: 	    (unsigned char *) name, strlen(name), -1, 0);
 1858: 	if (!X509_set_pubkey(cert, pkey)) {
 1859: 		fprintf(stderr, "Assign key fails\n%s\n",
 1860: 		    ERR_error_string(ERR_get_error(), NULL));
 1861: 		X509_free(cert);
 1862: 		return (0);
 1863: 	}
 1864: 
 1865: 	/*
 1866: 	 * Add X509v3 extensions if present. These represent the minimum
 1867: 	 * set defined in RFC3280 less the certificate_policy extension,
 1868: 	 * which is seriously obfuscated in OpenSSL.
 1869: 	 */
 1870: 	/*
 1871: 	 * The basic_constraints extension CA:TRUE allows servers to
 1872: 	 * sign client certficitates.
 1873: 	 */
 1874: 	fprintf(stderr, "%s: %s\n", LN_basic_constraints,
 1875: 	    BASIC_CONSTRAINTS);
 1876: 	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
 1877: 	    BASIC_CONSTRAINTS);
 1878: 	if (!X509_add_ext(cert, ex, -1)) {
 1879: 		fprintf(stderr, "Add extension field fails\n%s\n",
 1880: 		    ERR_error_string(ERR_get_error(), NULL));
 1881: 		return (0);
 1882: 	}
 1883: 	X509_EXTENSION_free(ex);
 1884: 
 1885: 	/*
 1886: 	 * The key_usage extension designates the purposes the key can
 1887: 	 * be used for.
 1888: 	 */
 1889: 	fprintf(stderr, "%s: %s\n", LN_key_usage, KEY_USAGE);
 1890: 	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, KEY_USAGE);
 1891: 	if (!X509_add_ext(cert, ex, -1)) {
 1892: 		fprintf(stderr, "Add extension field fails\n%s\n",
 1893: 		    ERR_error_string(ERR_get_error(), NULL));
 1894: 		return (0);
 1895: 	}
 1896: 	X509_EXTENSION_free(ex);
 1897: 	/*
 1898: 	 * The subject_key_identifier is used for the GQ public key.
 1899: 	 * This should not be controversial.
 1900: 	 */
 1901: 	if (gqpub != NULL) {
 1902: 		fprintf(stderr, "%s\n", LN_subject_key_identifier);
 1903: 		ex = X509V3_EXT_conf_nid(NULL, NULL,
 1904: 		    NID_subject_key_identifier, gqpub);
 1905: 		if (!X509_add_ext(cert, ex, -1)) {
 1906: 			fprintf(stderr,
 1907: 			    "Add extension field fails\n%s\n",
 1908: 			    ERR_error_string(ERR_get_error(), NULL));
 1909: 			return (0);
 1910: 		}
 1911: 		X509_EXTENSION_free(ex);
 1912: 	}
 1913: 
 1914: 	/*
 1915: 	 * The extended key usage extension is used for special purpose
 1916: 	 * here. The semantics probably do not conform to the designer's
 1917: 	 * intent and will likely change in future.
 1918: 	 * 
 1919: 	 * "trustRoot" designates a root authority
 1920: 	 * "private" designates a private certificate
 1921: 	 */
 1922: 	if (exten != NULL) {
 1923: 		fprintf(stderr, "%s: %s\n", LN_ext_key_usage, exten);
 1924: 		ex = X509V3_EXT_conf_nid(NULL, NULL,
 1925: 		    NID_ext_key_usage, exten);
 1926: 		if (!X509_add_ext(cert, ex, -1)) {
 1927: 			fprintf(stderr,
 1928: 			    "Add extension field fails\n%s\n",
 1929: 			    ERR_error_string(ERR_get_error(), NULL));
 1930: 			return (0);
 1931: 		}
 1932: 		X509_EXTENSION_free(ex);
 1933: 	}
 1934: 
 1935: 	/*
 1936: 	 * Sign and verify.
 1937: 	 */
 1938: 	X509_sign(cert, pkey, md);
 1939: 	if (X509_verify(cert, pkey) <= 0) {
 1940: 		fprintf(stderr, "Verify %s certificate fails\n%s\n", id,
 1941: 		    ERR_error_string(ERR_get_error(), NULL));
 1942: 		X509_free(cert);
 1943: 		return (0);
 1944: 	}
 1945: 
 1946: 	/*
 1947: 	 * Write the certificate encoded in PEM.
 1948: 	 */
 1949: 	sprintf(pathbuf, "%scert", id);
 1950: 	str = fheader(pathbuf, "cert", hostname);
 1951: 	PEM_write_X509(str, cert);
 1952: 	fclose(str);
 1953: 	if (debug)
 1954: 		X509_print_fp(stderr, cert);
 1955: 	X509_free(cert);
 1956: 	return (1);
 1957: }
 1958: 
 1959: #if 0	/* asn2ntp is used only with commercial certificates */
 1960: /*
 1961:  * asn2ntp - convert ASN1_TIME time structure to NTP time
 1962:  */
 1963: u_long
 1964: asn2ntp	(
 1965: 	ASN1_TIME *asn1time	/* pointer to ASN1_TIME structure */
 1966: 	)
 1967: {
 1968: 	char	*v;		/* pointer to ASN1_TIME string */
 1969: 	struct	tm tm;		/* time decode structure time */
 1970: 
 1971: 	/*
 1972: 	 * Extract time string YYMMDDHHMMSSZ from ASN.1 time structure.
 1973: 	 * Note that the YY, MM, DD fields start with one, the HH, MM,
 1974: 	 * SS fiels start with zero and the Z character should be 'Z'
 1975: 	 * for UTC. Also note that years less than 50 map to years
 1976: 	 * greater than 100. Dontcha love ASN.1?
 1977: 	 */
 1978: 	if (asn1time->length > 13)
 1979: 		return (-1);
 1980: 	v = (char *)asn1time->data;
 1981: 	tm.tm_year = (v[0] - '0') * 10 + v[1] - '0';
 1982: 	if (tm.tm_year < 50)
 1983: 		tm.tm_year += 100;
 1984: 	tm.tm_mon = (v[2] - '0') * 10 + v[3] - '0' - 1;
 1985: 	tm.tm_mday = (v[4] - '0') * 10 + v[5] - '0';
 1986: 	tm.tm_hour = (v[6] - '0') * 10 + v[7] - '0';
 1987: 	tm.tm_min = (v[8] - '0') * 10 + v[9] - '0';
 1988: 	tm.tm_sec = (v[10] - '0') * 10 + v[11] - '0';
 1989: 	tm.tm_wday = 0;
 1990: 	tm.tm_yday = 0;
 1991: 	tm.tm_isdst = 0;
 1992: 	return (mktime(&tm) + JAN_1970);
 1993: }
 1994: #endif
 1995: 
 1996: /*
 1997:  * Callback routine
 1998:  */
 1999: void
 2000: cb	(
 2001: 	int	n1,		/* arg 1 */
 2002: 	int	n2,		/* arg 2 */
 2003: 	void	*chr		/* arg 3 */
 2004: 	)
 2005: {
 2006: 	switch (n1) {
 2007: 	case 0:
 2008: 		d0++;
 2009: 		fprintf(stderr, "%s %d %d %lu\r", (char *)chr, n1, n2,
 2010: 		    d0);
 2011: 		break;
 2012: 	case 1:
 2013: 		d1++;
 2014: 		fprintf(stderr, "%s\t\t%d %d %lu\r", (char *)chr, n1,
 2015: 		    n2, d1);
 2016: 		break;
 2017: 	case 2:
 2018: 		d2++;
 2019: 		fprintf(stderr, "%s\t\t\t\t%d %d %lu\r", (char *)chr,
 2020: 		    n1, n2, d2);
 2021: 		break;
 2022: 	case 3:
 2023: 		d3++;
 2024: 		fprintf(stderr, "%s\t\t\t\t\t\t%d %d %lu\r",
 2025: 		    (char *)chr, n1, n2, d3);
 2026: 		break;
 2027: 	}
 2028: }
 2029: 
 2030: 
 2031: /*
 2032:  * Generate key
 2033:  */
 2034: EVP_PKEY *			/* public/private key pair */
 2035: genkey(
 2036: 	char	*type,		/* key type (RSA or DSA) */
 2037: 	char	*id		/* file name id */
 2038: 	)
 2039: {
 2040: 	if (type == NULL)
 2041: 		return (NULL);
 2042: 	if (strcmp(type, "RSA") == 0)
 2043: 		return (gen_rsa(id));
 2044: 
 2045: 	else if (strcmp(type, "DSA") == 0)
 2046: 		return (gen_dsa(id));
 2047: 
 2048: 	fprintf(stderr, "Invalid %s key type %s\n", id, type);
 2049: 	return (NULL);
 2050: }
 2051: #endif /* OPENSSL */
 2052: 
 2053: 
 2054: /*
 2055:  * Generate file header and link
 2056:  */
 2057: FILE *
 2058: fheader	(
 2059: 	const char *file,	/* file name id */
 2060: 	const char *ulink,	/* linkname */
 2061: 	const char *owner	/* owner name */
 2062: 	)
 2063: {
 2064: 	FILE	*str;		/* file handle */
 2065: 	char	linkname[MAXFILENAME]; /* link name */
 2066: 	int	temp;
 2067: 
 2068: 	sprintf(filename, "ntpkey_%s_%s.%lu", file, owner, epoch +
 2069: 	    JAN_1970);
 2070: 	if ((str = fopen(filename, "w")) == NULL) {
 2071: 		perror("Write");
 2072: 		exit (-1);
 2073: 	}
 2074: 	sprintf(linkname, "ntpkey_%s_%s", ulink, owner);
 2075: 	remove(linkname);
 2076: 	temp = symlink(filename, linkname);
 2077: 	if (temp < 0)
 2078: 		perror(file);
 2079: 	fprintf(stderr, "Generating new %s file and link\n", ulink);
 2080: 	fprintf(stderr, "%s->%s\n", linkname, filename);
 2081: 	fprintf(str, "# %s\n# %s\n", filename, ctime(&epoch));
 2082: 	return (str);
 2083: }

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>