search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / dist / ntp / util / ntp-keygen.c
bloba53c6cfc0ae2d557dd3673d7d7d39e5adf397823
1 /* $NetBSD: ntp-keygen.c,v 1.11 2007/08/18 05:48:46 kardel Exp $ */
2
3 /*
4 * Program to generate cryptographic keys for NTP clients and servers
5 *
6 * This program generates files "ntpkey_<type>_<hostname>.<filestamp>",
7 * where <type> is the file type, <hostname> is the generating host and
8 * <filestamp> is the NTP seconds in decimal format. The NTP programs
9 * expect generic names such as "ntpkey_<type>_whimsy.udel.edu" with the
10 * association maintained by soft links.
11 *
12 * Files are prefixed with a header giving the name and date of creation
13 * followed by a type-specific descriptive label and PEM-encoded data
14 * string compatible with programs of the OpenSSL library.
15 *
16 * Note that private keys can be password encrypted as per OpenSSL
17 * conventions.
18 *
19 * The file types include
20 *
21 * ntpkey_MD5key_<hostname>.<filestamp>
22 * MD5 (128-bit) keys used to compute message digests in symmetric
23 * key cryptography
24 *
25 * ntpkey_RSAkey_<hostname>.<filestamp>
26 * ntpkey_host_<hostname> (RSA) link
27 * RSA private/public host key pair used for public key signatures
28 * and data encryption
29 *
30 * ntpkey_DSAkey_<hostname>.<filestamp>
31 * ntpkey_sign_<hostname> (RSA or DSA) link
32 * DSA private/public sign key pair used for public key signatures,
33 * but not data encryption
34 *
35 * ntpkey_IFFpar_<hostname>.<filestamp>
36 * ntpkey_iff_<hostname> (IFF server/client) link
37 * ntpkey_iffkey_<hostname> (IFF client) link
38 * Schnorr (IFF) server/client identity parameters
39 *
40 * ntpkey_IFFkey_<hostname>.<filestamp>
41 * Schnorr (IFF) client identity parameters
42 *
43 * ntpkey_GQpar_<hostname>.<filestamp>,
44 * ntpkey_gq_<hostname> (GQ) link
45 * Guillou-Quisquater (GQ) identity parameters
46 *
47 * ntpkey_MVpar_<hostname>.<filestamp>,
48 * Mu-Varadharajan (MV) server identity parameters
49 *
50 * ntpkey_MVkeyX_<hostname>.<filestamp>,
51 * ntpkey_mv_<hostname> (MV server) link
52 * ntpkey_mvkey_<hostname> (MV client) link
53 * Mu-Varadharajan (MV) client identity parameters
54 *
55 * ntpkey_XXXcert_<hostname>.<filestamp>
56 * ntpkey_cert_<hostname> (RSA or DSA) link
57 * X509v3 certificate using RSA or DSA public keys and signatures.
58 * XXX is a code identifying the message digest and signature
59 * encryption algorithm
60 *
61 * Available digest/signature schemes
62 *
63 * RSA: RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, EVP-RIPEMD160
64 * DSA: DSA-SHA, DSA-SHA1
65 *
66 * Note: Once in a while because of some statistical fluke this program
67 * fails to generate and verify some cryptographic data, as indicated by
68 * exit status -1. In this case simply run the program again. If the
69 * program does complete with return code 0, the data are correct as
70 * verified.
71 *
72 * These cryptographic routines are characterized by the prime modulus
73 * size in bits. The default value of 512 bits is a compromise between
74 * cryptographic strength and computing time and is ordinarily
75 * considered adequate for this application. The routines have been
76 * tested with sizes of 256, 512, 1024 and 2048 bits. Not all message
77 * digest and signature encryption schemes work with sizes less than 512
78 * bits. The computing time for sizes greater than 2048 bits is
79 * prohibitive on all but the fastest processors. An UltraSPARC Blade
80 * 1000 took something over nine minutes to generate and verify the
81 * values with size 2048. An old SPARC IPC would take a week.
82 *
83 * The OpenSSL library used by this program expects a random seed file.
84 * As described in the OpenSSL documentation, the file name defaults to
85 * first the RANDFILE environment variable in the user's home directory
86 * and then .rnd in the user's home directory.
87 */
88 #ifdef HAVE_CONFIG_H
89 # include <config.h>
90 #endif
91 #include <string.h>
92 #include <stdio.h>
93 #include <stdlib.h>
94 #include <unistd.h>
95 #include <sys/stat.h>
96 #include <sys/time.h>
97 #if HAVE_SYS_TYPES_H
98 # include <sys/types.h>
99 #endif
100 #include "ntp_types.h"
101 #include "ntp_random.h"
102 #include "l_stdlib.h"
103
104 #include "ntp-keygen-opts.h"
105
106 #ifdef SYS_WINNT
107 extern int ntp_getopt P((int, char **, const char *));
108 #define getopt ntp_getopt
109 #define optarg ntp_optarg
110 #endif
111
112 #ifdef OPENSSL
113 #include "openssl/bn.h"
114 #include "openssl/evp.h"
115 #include "openssl/err.h"
116 #include "openssl/rand.h"
117 #include "openssl/pem.h"
118 #include "openssl/x509v3.h"
119 #include <openssl/objects.h>
120 #endif /* OPENSSL */
121
122 /*
123 * Cryptodefines
124 */
125 #define MD5KEYS 16 /* number of MD5 keys generated */
126 #define JAN_1970 ULONG_CONST(2208988800) /* NTP seconds */
127 #define YEAR ((long)60*60*24*365) /* one year in seconds */
128 #define MAXFILENAME 256 /* max file name length */
129 #define MAXHOSTNAME 256 /* max host name length */
130 #ifdef OPENSSL
131 #define PLEN 512 /* default prime modulus size (bits) */
132
133 /*
134 * Strings used in X509v3 extension fields
135 */
136 #define KEY_USAGE "digitalSignature,keyCertSign"
137 #define BASIC_CONSTRAINTS "critical,CA:TRUE"
138 #define EXT_KEY_PRIVATE "private"
139 #define EXT_KEY_TRUST "trustRoot"
140 #endif /* OPENSSL */
141
142 /*
143 * Prototypes
144 */
145 FILE *fheader P((const char *, const char *));
146 void fslink P((const char *, const char *));
147 int gen_md5 P((char *));
148 #ifdef OPENSSL
149 EVP_PKEY *gen_rsa P((char *));
150 EVP_PKEY *gen_dsa P((char *));
151 EVP_PKEY *gen_iff P((char *));
152 EVP_PKEY *gen_gqpar P((char *));
153 EVP_PKEY *gen_gqkey P((char *, EVP_PKEY *));
154 EVP_PKEY *gen_mv P((char *));
155 int x509 P((EVP_PKEY *, const EVP_MD *, char *, char *));
156 void cb P((int, int, void *));
157 EVP_PKEY *genkey P((char *, char *));
158 u_long asn2ntp P((ASN1_TIME *));
159 #endif /* OPENSSL */
160
161 /*
162 * Program variables
163 */
164 extern char *optarg; /* command line argument */
165 int debug = 0; /* debug, not de bug */
166 int rval; /* return status */
167 #ifdef OPENSSL
168 u_int modulus = PLEN; /* prime modulus size (bits) */
169 #endif
170 int nkeys = 0; /* MV keys */
171 time_t epoch; /* Unix epoch (seconds) since 1970 */
172 char *hostname; /* host name (subject name) */
173 char *trustname; /* trusted host name (issuer name) */
174 char filename[MAXFILENAME + 1]; /* file name */
175 char *passwd1 = NULL; /* input private key password */
176 char *passwd2 = NULL; /* output private key password */
177 #ifdef OPENSSL
178 long d0, d1, d2, d3; /* callback counters */
179 #endif /* OPENSSL */
180
181 #ifdef SYS_WINNT
182 BOOL init_randfile();
183
184 /*
185 * Don't try to follow symbolic links
186 */
187 int
188 readlink(char * link, char * file, int len) {
189 return (-1);
190 }
191 /*
192 * Don't try to create a symbolic link for now.
193 * Just move the file to the name you need.
194 */
195 int
196 symlink(char *filename, char *linkname) {
197 DeleteFile(linkname);
198 MoveFile(filename, linkname);
199 return 0;
200 }
201 void
202 InitWin32Sockets() {
203 WORD wVersionRequested;
204 WSADATA wsaData;
205 wVersionRequested = MAKEWORD(2,0);
206 if (WSAStartup(wVersionRequested, &wsaData))
207 {
208 fprintf(stderr, "No useable winsock.dll");
209 exit(1);
210 }
211 }
212 #endif /* SYS_WINNT */
213
214 /*
215 * Main program
216 */
217 int
218 main(
219 int argc, /* command line options */
220 char **argv
221 )
222 {
223 struct timeval tv; /* initialization vector */
224 int md5key = 0; /* generate MD5 keys */
225 #ifdef OPENSSL
226 X509 *cert = NULL; /* X509 certificate */
227 EVP_PKEY *pkey_host = NULL; /* host key */
228 EVP_PKEY *pkey_sign = NULL; /* sign key */
229 EVP_PKEY *pkey_iff = NULL; /* IFF parameters */
230 EVP_PKEY *pkey_gq = NULL; /* GQ parameters */
231 EVP_PKEY *pkey_mv = NULL; /* MV parameters */
232 int hostkey = 0; /* generate RSA keys */
233 int iffkey = 0; /* generate IFF parameters */
234 int gqpar = 0; /* generate GQ parameters */
235 int gqkey = 0; /* update GQ keys */
236 int mvpar = 0; /* generate MV parameters */
237 int mvkey = 0; /* update MV keys */
238 char *sign = NULL; /* sign key */
239 EVP_PKEY *pkey = NULL; /* temp key */
240 const EVP_MD *ectx; /* EVP digest */
241 char pathbuf[MAXFILENAME + 1];
242 const char *scheme = NULL; /* digest/signature scheme */
243 char *exten = NULL; /* private extension */
244 char *grpkey = NULL; /* identity extension */
245 int nid; /* X509 digest/signature scheme */
246 FILE *fstr = NULL; /* file handle */
247 u_int temp;
248 #define iffsw HAVE_OPT(ID_KEY)
249 #endif /* OPENSSL */
250 char hostbuf[MAXHOSTNAME + 1];
251
252 #ifdef SYS_WINNT
253 /* Initialize before OpenSSL checks */
254 InitWin32Sockets();
255 if(!init_randfile())
256 fprintf(stderr, "Unable to initialize .rnd file\n");
257 #endif
258
259 #ifdef OPENSSL
260 /*
261 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
262 * We match major, minor, fix and status (not patch)
263 */
264 if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) {
265 fprintf(stderr,
266 "OpenSSL version mismatch. Built against %lx, you have %lx\n",
267 (long)OPENSSL_VERSION_NUMBER, SSLeay());
268 return (-1);
269
270 } else {
271 fprintf(stderr,
272 "Using OpenSSL version %lx\n", SSLeay());
273 }
274 #endif /* OPENSSL */
275
276 /*
277 * Process options, initialize host name and timestamp.
278 */
279 gethostname(hostbuf, MAXHOSTNAME);
280 hostname = hostbuf;
281 #ifdef OPENSSL
282 trustname = hostbuf;
283 passwd1 = hostbuf;
284 #endif
285 #ifndef SYS_WINNT
286 gettimeofday(&tv, 0);
287 #else
288 gettimeofday(&tv);
289 #endif
290 epoch = tv.tv_sec;
291 rval = 0;
292
293 {
294 int optct = optionProcess(&ntp_keygenOptions, argc, argv);
295 argc -= optct;
296 argv += optct;
297 }
298
299 #ifdef OPENSSL
300 if (HAVE_OPT( CERTIFICATE ))
301 scheme = OPT_ARG( CERTIFICATE );
302 #endif
303
304 debug = DESC(DEBUG_LEVEL).optOccCt;
305
306 #ifdef OPENSSL
307 if (HAVE_OPT( GQ_PARAMS ))
308 gqpar++;
309
310 if (HAVE_OPT( GQ_KEYS ))
311 gqkey++;
312
313 if (HAVE_OPT( HOST_KEY ))
314 hostkey++;
315
316 if (HAVE_OPT( IFFKEY ))
317 iffkey++;
318
319 if (HAVE_OPT( ISSUER_NAME ))
320 trustname = (char *)OPT_ARG( ISSUER_NAME );
321 #endif
322
323 if (HAVE_OPT( MD5KEY ))
324 md5key++;
325
326 #ifdef OPENSSL
327 if (HAVE_OPT( MODULUS ))
328 modulus = OPT_VALUE_MODULUS;
329
330 if (HAVE_OPT( PVT_CERT ))
331 exten = EXT_KEY_PRIVATE;
332
333 if (HAVE_OPT( PVT_PASSWD ))
334 passwd2 = (char *)OPT_ARG( PVT_PASSWD );
335
336 if (HAVE_OPT( GET_PVT_PASSWD ))
337 passwd1 = (char *)OPT_ARG( GET_PVT_PASSWD );
338
339 if (HAVE_OPT( SIGN_KEY ))
340 sign = (char *)OPT_ARG( SIGN_KEY );
341
342 if (HAVE_OPT( SUBJECT_NAME ))
343 hostname = (char *)OPT_ARG( SUBJECT_NAME );
344
345 if (HAVE_OPT( TRUSTED_CERT ))
346 exten = EXT_KEY_TRUST;
347
348 if (HAVE_OPT( MV_PARAMS )) {
349 mvpar++;
350 nkeys = OPT_VALUE_MV_PARAMS;
351 }
352
353 if (HAVE_OPT( MV_KEYS )) {
354 mvkey++;
355 nkeys = OPT_VALUE_MV_KEYS;
356 }
357 #endif
358
359 if (passwd1 != NULL && passwd2 == NULL)
360 passwd2 = passwd1;
361 #ifdef OPENSSL
362 /*
363 * Seed random number generator and grow weeds.
364 */
365 ERR_load_crypto_strings();
366 OpenSSL_add_all_algorithms();
367 if (RAND_file_name(pathbuf, MAXFILENAME) == NULL) {
368 fprintf(stderr, "RAND_file_name %s\n",
369 ERR_error_string(ERR_get_error(), NULL));
370 return (-1);
371 }
372 temp = RAND_load_file(pathbuf, -1);
373 if (temp == 0) {
374 fprintf(stderr,
375 "RAND_load_file %s not found or empty\n", pathbuf);
376 return (-1);
377 }
378 fprintf(stderr,
379 "Random seed file %s %u bytes\n", pathbuf, temp);
380 RAND_add(&epoch, sizeof(epoch), 4.0);
381 #endif
382
383 /*
384 * Generate new parameters and keys as requested. These replace
385 * any values already generated.
386 */
387 if (md5key)
388 gen_md5("MD5");
389 #ifdef OPENSSL
390 if (hostkey)
391 pkey_host = genkey("RSA", "host");
392 if (sign != NULL)
393 pkey_sign = genkey(sign, "sign");
394 if (iffkey)
395 pkey_iff = gen_iff("iff");
396 if (gqpar)
397 pkey_gq = gen_gqpar("gq");
398 if (mvpar)
399 pkey_mv = gen_mv("mv");
400
401 /*
402 * If there is no new host key, look for an existing one. If not
403 * found, create it.
404 */
405 while (pkey_host == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
406 sprintf(filename, "ntpkey_host_%s", hostname);
407 if ((fstr = fopen(filename, "r")) != NULL) {
408 pkey_host = PEM_read_PrivateKey(fstr, NULL,
409 NULL, passwd1);
410 fclose(fstr);
411 readlink(filename, filename, sizeof(filename));
412 if (pkey_host == NULL) {
413 fprintf(stderr, "Host key\n%s\n",
414 ERR_error_string(ERR_get_error(),
415 NULL));
416 rval = -1;
417 } else {
418 fprintf(stderr,
419 "Using host key %s\n", filename);
420 }
421 break;
422
423 } else if ((pkey_host = genkey("RSA", "host")) ==
424 NULL) {
425 rval = -1;
426 break;
427 }
428 }
429
430 /*
431 * If there is no new sign key, look for an existing one. If not
432 * found, use the host key instead.
433 */
434 pkey = pkey_sign;
435 while (pkey_sign == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
436 sprintf(filename, "ntpkey_sign_%s", hostname);
437 if ((fstr = fopen(filename, "r")) != NULL) {
438 pkey_sign = PEM_read_PrivateKey(fstr, NULL,
439 NULL, passwd1);
440 fclose(fstr);
441 readlink(filename, filename, sizeof(filename));
442 if (pkey_sign == NULL) {
443 fprintf(stderr, "Sign key\n%s\n",
444 ERR_error_string(ERR_get_error(),
445 NULL));
446 rval = -1;
447 } else {
448 fprintf(stderr, "Using sign key %s\n",
449 filename);
450 }
451 break;
452 } else {
453 pkey = pkey_host;
454 fprintf(stderr, "Using host key as sign key\n");
455 break;
456 }
457 }
458
459 /*
460 * If there is no new IFF file, look for an existing one.
461 */
462 if (pkey_iff == NULL && rval == 0) {
463 sprintf(filename, "ntpkey_iff_%s", hostname);
464 if ((fstr = fopen(filename, "r")) != NULL) {
465 pkey_iff = PEM_read_PrivateKey(fstr, NULL,
466 NULL, passwd1);
467 fclose(fstr);
468 readlink(filename, filename, sizeof(filename));
469 if (pkey_iff == NULL) {
470 fprintf(stderr, "IFF parameters\n%s\n",
471 ERR_error_string(ERR_get_error(),
472 NULL));
473 rval = -1;
474 } else {
475 fprintf(stderr,
476 "Using IFF parameters %s\n",
477 filename);
478 }
479 }
480 }
481
482 /*
483 * If there is no new GQ file, look for an existing one.
484 */
485 if (pkey_gq == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
486 sprintf(filename, "ntpkey_gq_%s", hostname);
487 if ((fstr = fopen(filename, "r")) != NULL) {
488 pkey_gq = PEM_read_PrivateKey(fstr, NULL, NULL,
489 passwd1);
490 fclose(fstr);
491 readlink(filename, filename, sizeof(filename));
492 if (pkey_gq == NULL) {
493 fprintf(stderr, "GQ parameters\n%s\n",
494 ERR_error_string(ERR_get_error(),
495 NULL));
496 rval = -1;
497 } else {
498 fprintf(stderr,
499 "Using GQ parameters %s\n",
500 filename);
501 }
502 }
503 }
504
505 /*
506 * If there is a GQ parameter file, create GQ private/public
507 * keys and extract the public key for the certificate.
508 */
509 if (pkey_gq != NULL && rval == 0) {
510 gen_gqkey("gq", pkey_gq);
511 grpkey = BN_bn2hex(pkey_gq->pkey.rsa->q);
512 }
513
514 /*
515 * Generate a X509v3 certificate.
516 */
517 while (scheme == NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
518 sprintf(filename, "ntpkey_cert_%s", hostname);
519 if ((fstr = fopen(filename, "r")) != NULL) {
520 cert = PEM_read_X509(fstr, NULL, NULL, NULL);
521 fclose(fstr);
522 readlink(filename, filename, sizeof(filename));
523 if (cert == NULL) {
524 fprintf(stderr, "Cert \n%s\n",
525 ERR_error_string(ERR_get_error(),
526 NULL));
527 rval = -1;
528 } else {
529 nid = OBJ_obj2nid(
530 cert->cert_info->signature->algorithm);
531 scheme = OBJ_nid2sn(nid);
532 fprintf(stderr,
533 "Using scheme %s from %s\n", scheme,
534 filename);
535 break;
536 }
537 }
538 scheme = "RSA-MD5";
539 }
540 if (pkey != NULL && rval == 0 && !HAVE_OPT(ID_KEY)) {
541 ectx = EVP_get_digestbyname(scheme);
542 if (ectx == NULL) {
543 fprintf(stderr,
544 "Invalid digest/signature combination %s\n",
545 scheme);
546 rval = -1;
547 } else {
548 x509(pkey, ectx, grpkey, exten);
549 }
550 }
551
552 /*
553 * Write the IFF client parameters and keys as a DSA private key
554 * encoded in PEM. Note the private key is obscured.
555 */
556 if (pkey_iff != NULL && rval == 0 && HAVE_OPT(ID_KEY)) {
557 DSA *dsa;
558 char *sptr;
559 char *tld;
560
561 sptr = strrchr(filename, '.');
562 tld = malloc(strlen(sptr)); /* we have an extra byte ... */
563 strcpy(tld, 1+sptr); /* ... see? */
564 sprintf(filename, "ntpkey_IFFkey_%s.%s", trustname,
565 tld);
566 free(tld);
567 fprintf(stderr, "Writing new IFF key %s\n", filename);
568 fprintf(stdout, "# %s\n# %s", filename, ctime(&epoch));
569 dsa = pkey_iff->pkey.dsa;
570 BN_copy(dsa->priv_key, BN_value_one());
571 pkey = EVP_PKEY_new();
572 EVP_PKEY_assign_DSA(pkey, dsa);
573 PEM_write_PrivateKey(stdout, pkey, passwd2 ?
574 EVP_des_cbc() : NULL, NULL, 0, NULL, passwd2);
575 fclose(stdout);
576 if (debug)
577 DSA_print_fp(stdout, dsa, 0);
578 }
579
580 /*
581 * Return the marbles.
582 */
583 if (grpkey != NULL)
584 OPENSSL_free(grpkey);
585 if (pkey_host != NULL)
586 EVP_PKEY_free(pkey_host);
587 if (pkey_sign != NULL)
588 EVP_PKEY_free(pkey_sign);
589 if (pkey_iff != NULL)
590 EVP_PKEY_free(pkey_iff);
591 if (pkey_gq != NULL)
592 EVP_PKEY_free(pkey_gq);
593 if (pkey_mv != NULL)
594 EVP_PKEY_free(pkey_mv);
595 #endif /* OPENSSL */
596 return (rval);
597 }
598
599
600 #if 0
601 /*
602 * Generate random MD5 key with password.
603 */
604 int
605 gen_md5(
606 char *id /* file name id */
607 )
608 {
609 BIGNUM *key;
610 BIGNUM *keyid;
611 FILE *str;
612 u_char bin[16];
613
614 fprintf(stderr, "Generating MD5 keys...\n");
615 str = fheader("MD5key", hostname);
616 keyid = BN_new(); key = BN_new();
617 BN_rand(keyid, 16, -1, 0);
618 BN_rand(key, 128, -1, 0);
619 BN_bn2bin(key, bin);
620 PEM_write_fp(str, MD5, NULL, bin);
621 fclose(str);
622 fslink(id, hostname);
623 return (1);
624 }
625
626
627 #else
628 /*
629 * Generate semi-random MD5 keys compatible with NTPv3 and NTPv4
630 */
631 int
632 gen_md5(
633 char *id /* file name id */
634 )
635 {
636 u_char md5key[16]; /* MD5 key */
637 FILE *str;
638 u_int temp = 0; /* Initialize to prevent warnings during compile */
639 int i, j;
640
641 fprintf(stderr, "Generating MD5 keys...\n");
642 str = fheader("MD5key", hostname);
643 ntp_srandom(epoch);
644 for (i = 1; i <= MD5KEYS; i++) {
645 for (j = 0; j < 16; j++) {
646 while (1) {
647 temp = ntp_random() & 0xff;
648 if (temp == '#')
649 continue;
650 if (temp > 0x20 && temp < 0x7f)
651 break;
652 }
653 md5key[j] = (u_char)temp;
654 }
655 md5key[15] = '\0';
656 fprintf(str, "%2d MD5 %16s # MD5 key\n", i,
657 md5key);
658 }
659 fclose(str);
660 fslink(id, hostname);
661 return (1);
662 }
663 #endif /* OPENSSL */
664
665
666 #ifdef OPENSSL
667 /*
668 * Generate RSA public/private key pair
669 */
670 EVP_PKEY * /* public/private key pair */
671 gen_rsa(
672 char *id /* file name id */
673 )
674 {
675 EVP_PKEY *pkey; /* private key */
676 RSA *rsa; /* RSA parameters and key pair */
677 FILE *str;
678
679 fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus);
680 rsa = RSA_generate_key(modulus, 3, cb, "RSA");
681 fprintf(stderr, "\n");
682 if (rsa == NULL) {
683 fprintf(stderr, "RSA generate keys fails\n%s\n",
684 ERR_error_string(ERR_get_error(), NULL));
685 rval = -1;
686 return (NULL);
687 }
688
689 /*
690 * For signature encryption it is not necessary that the RSA
691 * parameters be strictly groomed and once in a while the
692 * modulus turns out to be non-prime. Just for grins, we check
693 * the primality.
694 */
695 if (!RSA_check_key(rsa)) {
696 fprintf(stderr, "Invalid RSA key\n%s\n",
697 ERR_error_string(ERR_get_error(), NULL));
698 RSA_free(rsa);
699 rval = -1;
700 return (NULL);
701 }
702
703 /*
704 * Write the RSA parameters and keys as a RSA private key
705 * encoded in PEM.
706 */
707 str = fheader("RSAkey", hostname);
708 pkey = EVP_PKEY_new();
709 EVP_PKEY_assign_RSA(pkey, rsa);
710 PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
711 NULL, 0, NULL, passwd2);
712 fclose(str);
713 if (debug)
714 RSA_print_fp(stdout, rsa, 0);
715 fslink(id, hostname);
716 return (pkey);
717 }
718
719
720 /*
721 * Generate DSA public/private key pair
722 */
723 EVP_PKEY * /* public/private key pair */
724 gen_dsa(
725 char *id /* file name id */
726 )
727 {
728 EVP_PKEY *pkey; /* private key */
729 DSA *dsa; /* DSA parameters */
730 u_char seed[20]; /* seed for parameters */
731 FILE *str;
732
733 /*
734 * Generate DSA parameters.
735 */
736 fprintf(stderr,
737 "Generating DSA parameters (%d bits)...\n", modulus);
738 RAND_bytes(seed, sizeof(seed));
739 dsa = DSA_generate_parameters(modulus, seed, sizeof(seed), NULL,
740 NULL, cb, "DSA");
741 fprintf(stderr, "\n");
742 if (dsa == NULL) {
743 fprintf(stderr, "DSA generate parameters fails\n%s\n",
744 ERR_error_string(ERR_get_error(), NULL));
745 rval = -1;
746 return (NULL);
747 }
748
749 /*
750 * Generate DSA keys.
751 */
752 fprintf(stderr, "Generating DSA keys (%d bits)...\n", modulus);
753 if (!DSA_generate_key(dsa)) {
754 fprintf(stderr, "DSA generate keys fails\n%s\n",
755 ERR_error_string(ERR_get_error(), NULL));
756 DSA_free(dsa);
757 rval = -1;
758 return (NULL);
759 }
760
761 /*
762 * Write the DSA parameters and keys as a DSA private key
763 * encoded in PEM.
764 */
765 str = fheader("DSAkey", hostname);
766 pkey = EVP_PKEY_new();
767 EVP_PKEY_assign_DSA(pkey, dsa);
768 PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
769 NULL, 0, NULL, passwd2);
770 fclose(str);
771 if (debug)
772 DSA_print_fp(stdout, dsa, 0);
773 fslink(id, hostname);
774 return (pkey);
775 }
776
777
778 /*
779 * Generate Schnorr (IFF) parameters and keys
780 *
781 * The Schnorr (IFF)identity scheme is intended for use when
782 * certificates are generated by some other trusted certificate
783 * authority and the parameters cannot be conveyed in the certificate
784 * itself. For this purpose, new generations of IFF values must be
785 * securely transmitted to all members of the group before use. There
786 * are two kinds of files: server/client files that include private and
787 * public parameters and client files that include only public
788 * parameters. The scheme is self contained and independent of new
789 * generations of host keys, sign keys and certificates.
790 *
791 * The IFF values hide in a DSA cuckoo structure which uses the same
792 * parameters. The values are used by an identity scheme based on DSA
793 * cryptography and described in Stimson p. 285. The p is a 512-bit
794 * prime, g a generator of Zp* and q a 160-bit prime that divides p - 1
795 * and is a qth root of 1 mod p; that is, g^q = 1 mod p. The TA rolls a
796 * private random group key b (0 < b < q), then computes public
797 * v = g^(q - a). All values except the group key are known to all group
798 * members; the group key is known to the group servers, but not the
799 * group clients. Alice challenges Bob to confirm identity using the
800 * protocol described below.
801 */
802 EVP_PKEY * /* DSA cuckoo nest */
803 gen_iff(
804 char *id /* file name id */
805 )
806 {
807 EVP_PKEY *pkey; /* private key */
808 DSA *dsa; /* DSA parameters */
809 u_char seed[20]; /* seed for parameters */
810 BN_CTX *ctx; /* BN working space */
811 BIGNUM *b, *r, *k, *u, *v, *w; /* BN temp */
812 FILE *str;
813 u_int temp;
814
815 /*
816 * Generate DSA parameters for use as IFF parameters.
817 */
818 fprintf(stderr, "Generating IFF parameters (%d bits)...\n",
819 modulus);
820 RAND_bytes(seed, sizeof(seed));
821 dsa = DSA_generate_parameters(modulus, seed, sizeof(seed), NULL,
822 NULL, cb, "IFF");
823 fprintf(stderr, "\n");
824 if (dsa == NULL) {
825 fprintf(stderr, "DSA generate parameters fails\n%s\n",
826 ERR_error_string(ERR_get_error(), NULL));
827 rval = -1;
828 return (NULL);;
829 }
830
831 /*
832 * Generate the private and public keys. The DSA parameters and
833 * these keys are distributed to all members of the group.
834 */
835 fprintf(stderr, "Generating IFF keys (%d bits)...\n", modulus);
836 b = BN_new(); r = BN_new(); k = BN_new();
837 u = BN_new(); v = BN_new(); w = BN_new(); ctx = BN_CTX_new();
838 BN_rand(b, BN_num_bits(dsa->q), -1, 0); /* a */
839 BN_mod(b, b, dsa->q, ctx);
840 BN_sub(v, dsa->q, b);
841 BN_mod_exp(v, dsa->g, v, dsa->p, ctx); /* g^(q - b) mod p */
842 BN_mod_exp(u, dsa->g, b, dsa->p, ctx); /* g^b mod p */
843 BN_mod_mul(u, u, v, dsa->p, ctx);
844 temp = BN_is_one(u);
845 fprintf(stderr,
846 "Confirm g^(q - b) g^b = 1 mod p: %s\n", temp == 1 ?
847 "yes" : "no");
848 if (!temp) {
849 BN_free(b); BN_free(r); BN_free(k);
850 BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
851 rval = -1;
852 return (NULL);
853 }
854 dsa->priv_key = BN_dup(b); /* private key */
855 dsa->pub_key = BN_dup(v); /* public key */
856
857 /*
858 * Here is a trial round of the protocol. First, Alice rolls
859 * random r (0 < r < q) and sends it to Bob. She needs only
860 * modulus q.
861 */
862 BN_rand(r, BN_num_bits(dsa->q), -1, 0); /* r */
863 BN_mod(r, r, dsa->q, ctx);
864
865 /*
866 * Bob rolls random k (0 < k < q), computes y = k + b r mod q
867 * and x = g^k mod p, then sends (y, x) to Alice. He needs
868 * moduli p, q and the group key b.
869 */
870 BN_rand(k, BN_num_bits(dsa->q), -1, 0); /* k, 0 < k < q */
871 BN_mod(k, k, dsa->q, ctx);
872 BN_mod_mul(v, dsa->priv_key, r, dsa->q, ctx); /* b r mod q */
873 BN_add(v, v, k);
874 BN_mod(v, v, dsa->q, ctx); /* y = k + b r mod q */
875 BN_mod_exp(u, dsa->g, k, dsa->p, ctx); /* x = g^k mod p */
876
877 /*
878 * Alice computes g^y v^r and verifies the result is equal to x.
879 * She needs modulus p, generator g, and the public key v, as
880 * well as her original r.
881 */
882 BN_mod_exp(v, dsa->g, v, dsa->p, ctx); /* g^y mod p */
883 BN_mod_exp(w, dsa->pub_key, r, dsa->p, ctx); /* v^r */
884 BN_mod_mul(v, w, v, dsa->p, ctx); /* product mod p */
885 temp = BN_cmp(u, v);
886 fprintf(stderr,
887 "Confirm g^k = g^(k + b r) g^(q - b) r: %s\n", temp ==
888 0 ? "yes" : "no");
889 BN_free(b); BN_free(r); BN_free(k);
890 BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
891 if (temp != 0) {
892 DSA_free(dsa);
893 rval = -1;
894 return (NULL);
895 }
896
897 /*
898 * Write the IFF server parameters and keys as a DSA private key
899 * encoded in PEM.
900 *
901 * p modulus p
902 * q modulus q
903 * g generator g
904 * priv_key b
905 * public_key v
906 */
907 str = fheader("IFFpar", trustname);
908 pkey = EVP_PKEY_new();
909 EVP_PKEY_assign_DSA(pkey, dsa);
910 PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
911 NULL, 0, NULL, passwd2);
912 fclose(str);
913 if (debug)
914 DSA_print_fp(stdout, dsa, 0);
915 fslink(id, trustname);
916 return (pkey);
917 }
918
919
920 /*
921 * Generate Guillou-Quisquater (GQ) parameters and keys
922 *
923 * The Guillou-Quisquater (GQ) identity scheme is intended for use when
924 * the parameters, keys and certificates are generated by this program.
925 * The scheme uses a certificate extension field do convey the public
926 * key of a particular group identified by a group key known only to
927 * members of the group. The scheme is self contained and independent of
928 * new generations of host keys and sign keys.
929 *
930 * The GQ parameters hide in a RSA cuckoo structure which uses the same
931 * parameters. The values are used by an identity scheme based on RSA
932 * cryptography and described in Stimson p. 300 (with errors). The 512-
933 * bit public modulus is n = p q, where p and q are secret large primes.
934 * The TA rolls private random group key b as RSA exponent. These values
935 * are known to all group members.
936 *
937 * When rolling new certificates, a member recomputes the private and
938 * public keys. The private key u is a random roll, while the public key
939 * is the inverse obscured by the group key v = (u^-1)^b. These values
940 * replace the private and public keys normally generated by the RSA
941 * scheme. Alice challenges Bob to confirm identity using the protocol
942 * described below.
943 */
944 EVP_PKEY * /* RSA cuckoo nest */
945 gen_gqpar(
946 char *id /* file name id */
947 )
948 {
949 EVP_PKEY *pkey; /* private key */
950 RSA *rsa; /* GQ parameters */
951 BN_CTX *ctx; /* BN working space */
952 FILE *str;
953
954 /*
955 * Generate RSA parameters for use as GQ parameters.
956 */
957 fprintf(stderr,
958 "Generating GQ parameters (%d bits)...\n", modulus);
959 rsa = RSA_generate_key(modulus, 3, cb, "GQ");
960 fprintf(stderr, "\n");
961 if (rsa == NULL) {
962 fprintf(stderr, "RSA generate keys fails\n%s\n",
963 ERR_error_string(ERR_get_error(), NULL));
964 rval = -1;
965 return (NULL);
966 }
967
968 /*
969 * Generate the group key b, which is saved in the e member of
970 * the RSA structure. These values are distributed to all
971 * members of the group, but shielded from all other groups. We
972 * don't use all the parameters, but set the unused ones to a
973 * small number to minimize the file size.
974 */
975 ctx = BN_CTX_new();
976 BN_rand(rsa->e, BN_num_bits(rsa->n), -1, 0); /* b */
977 BN_mod(rsa->e, rsa->e, rsa->n, ctx);
978 BN_copy(rsa->d, BN_value_one());
979 BN_copy(rsa->p, BN_value_one());
980 BN_copy(rsa->q, BN_value_one());
981 BN_copy(rsa->dmp1, BN_value_one());
982 BN_copy(rsa->dmq1, BN_value_one());
983 BN_copy(rsa->iqmp, BN_value_one());
984
985 /*
986 * Write the GQ parameters as a RSA private key encoded in PEM.
987 * The public and private keys are filled in later.
988 *
989 * n modulus n
990 * e group key b
991 * (remaining values are not used)
992 */
993 str = fheader("GQpar", trustname);
994 pkey = EVP_PKEY_new();
995 EVP_PKEY_assign_RSA(pkey, rsa);
996 PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
997 NULL, 0, NULL, passwd2);
998 fclose(str);
999 if (debug)
1000 RSA_print_fp(stdout, rsa, 0);
1001 fslink(id, trustname);
1002 return (pkey);
1003 }
1004
1005
1006 /*
1007 * Update Guillou-Quisquater (GQ) parameters
1008 */
1009 EVP_PKEY * /* RSA cuckoo nest */
1010 gen_gqkey(
1011 char *id, /* file name id */
1012 EVP_PKEY *gqpar /* GQ parameters */
1013 )
1014 {
1015 EVP_PKEY *pkey; /* private key */
1016 RSA *rsa; /* RSA parameters */
1017 BN_CTX *ctx; /* BN working space */
1018 BIGNUM *u, *v, *g, *k, *r, *y; /* BN temps */
1019 FILE *str;
1020 u_int temp;
1021
1022 /*
1023 * Generate GQ keys. Note that the group key b is the e member
1024 * of
1025 * the GQ parameters.
1026 */
1027 fprintf(stderr, "Updating GQ keys (%d bits)...\n", modulus);
1028 ctx = BN_CTX_new(); u = BN_new(); v = BN_new();
1029 g = BN_new(); k = BN_new(); r = BN_new(); y = BN_new();
1030
1031 /*
1032 * When generating his certificate, Bob rolls random private key
1033 * u.
1034 */
1035 rsa = gqpar->pkey.rsa;
1036 BN_rand(u, BN_num_bits(rsa->n), -1, 0); /* u */
1037 BN_mod(u, u, rsa->n, ctx);
1038 BN_mod_inverse(v, u, rsa->n, ctx); /* u^-1 mod n */
1039 BN_mod_mul(k, v, u, rsa->n, ctx);
1040
1041 /*
1042 * Bob computes public key v = (u^-1)^b, which is saved in an
1043 * extension field on his certificate. We check that u^b v =
1044 * 1 mod n.
1045 */
1046 BN_mod_exp(v, v, rsa->e, rsa->n, ctx);
1047 BN_mod_exp(g, u, rsa->e, rsa->n, ctx); /* u^b */
1048 BN_mod_mul(g, g, v, rsa->n, ctx); /* u^b (u^-1)^b */
1049 temp = BN_is_one(g);
1050 fprintf(stderr,
1051 "Confirm u^b (u^-1)^b = 1 mod n: %s\n", temp ? "yes" :
1052 "no");
1053 if (!temp) {
1054 BN_free(u); BN_free(v);
1055 BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1056 BN_CTX_free(ctx);
1057 RSA_free(rsa);
1058 rval = -1;
1059 return (NULL);
1060 }
1061 BN_copy(rsa->p, u); /* private key */
1062 BN_copy(rsa->q, v); /* public key */
1063
1064 /*
1065 * Here is a trial run of the protocol. First, Alice rolls
1066 * random r (0 < r < n) and sends it to Bob. She needs only
1067 * modulus n from the parameters.
1068 */
1069 BN_rand(r, BN_num_bits(rsa->n), -1, 0); /* r */
1070 BN_mod(r, r, rsa->n, ctx);
1071
1072 /*
1073 * Bob rolls random k (0 < k < n), computes y = k u^r mod n and
1074 * g = k^b mod n, then sends (y, g) to Alice. He needs modulus n
1075 * from the parameters and his private key u.
1076 */
1077 BN_rand(k, BN_num_bits(rsa->n), -1, 0); /* k */
1078 BN_mod(k, k, rsa->n, ctx);
1079 BN_mod_exp(y, rsa->p, r, rsa->n, ctx); /* u^r mod n */
1080 BN_mod_mul(y, k, y, rsa->n, ctx); /* y = k u^r mod n */
1081 BN_mod_exp(g, k, rsa->e, rsa->n, ctx); /* g = k^b mod n */
1082
1083 /*
1084 * Alice computes v^r y^b mod n and verifies the result is equal
1085 * to g. She needs modulus n, generator g and group key b from
1086 * the parameters and Bob's public key v = (u^-1)^b from his
1087 * certificate.
1088 */
1089 BN_mod_exp(v, rsa->q, r, rsa->n, ctx); /* v^r mod n */
1090 BN_mod_exp(y, y, rsa->e, rsa->n, ctx); /* y^b mod n */
1091 BN_mod_mul(y, v, y, rsa->n, ctx); /* v^r y^b mod n */
1092 temp = BN_cmp(y, g);
1093 fprintf(stderr, "Confirm g^k = v^r y^b mod n: %s\n", temp == 0 ?
1094 "yes" : "no");
1095 BN_CTX_free(ctx); BN_free(u); BN_free(v);
1096 BN_free(g); BN_free(k); BN_free(r); BN_free(y);
1097 if (temp != 0) {
1098 RSA_free(rsa);
1099 rval = -1;
1100 return (NULL);
1101 }
1102
1103 /*
1104 * Write the GQ parameters and keys as a RSA private key encoded
1105 * in PEM.
1106 *
1107 * n modulus n
1108 * e group key b
1109 * p private key u
1110 * q public key (u^-1)^b
1111 * (remaining values are not used)
1112 */
1113 str = fheader("GQpar", trustname);
1114 pkey = EVP_PKEY_new();
1115 EVP_PKEY_assign_RSA(pkey, rsa);
1116 PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
1117 NULL, 0, NULL, passwd2);
1118 fclose(str);
1119 if (debug)
1120 RSA_print_fp(stdout, rsa, 0);
1121 fslink(id, trustname);
1122 return (pkey);
1123 }
1124
1125
1126 /*
1127 * Generate Mu-Varadharajan (MV) parameters and keys
1128 *
1129 * The Mu-Varadharajan (MV) cryptosystem is useful when servers
1130 * broadcast messages to clients, but clients never send messages to
1131 * servers. There is one encryption key for the server and a separate
1132 * decryption key for each client. It operates something like a
1133 * pay-per-view satellite broadcasting system where the session key is
1134 * encrypted by the broadcaster and the decryption keys are held in a
1135 * tamperproof set-top box. We don't use it this way, but read on.
1136 *
1137 * The MV parameters and private encryption key hide in a DSA cuckoo
1138 * structure which uses the same parameters, but generated in a
1139 * different way. The values are used in an encryption scheme similar to
1140 * El Gamal cryptography and a polynomial formed from the expansion of
1141 * product terms (x - x[j]), as described in Mu, Y., and V.
1142 * Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001,
1143 * 223-231. The paper has significant errors and serious omissions.
1144 *
1145 * Let q be the product of n distinct primes s'[j] (j = 1...n), where
1146 * each s'[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
1147 * that q and each s'[j] divide p - 1 and p has M = n * m + 1
1148 * significant bits. Let g be a generator of Zp; that is, gcd(g, p - 1)
1149 * = 1 and g^q = 1 mod p. We do modular arithmetic over Zq and then
1150 * project into Zp* as exponents of g. Sometimes we have to compute an
1151 * inverse b^-1 of random b in Zq, but for that purpose we require
1152 * gcd(b, q) = 1. We expect M to be in the 500-bit range and n
1153 * relatively small, like 30. Associated with each s'[j] is an element
1154 * s[j] such that s[j] s'[j] = s'[j] mod q. We find s[j] as the quotient
1155 * (q + s'[j]) / s'[j]. These are the parameters of the scheme and they
1156 * are expensive to compute.
1157 *
1158 * We set up an instance of the scheme as follows. A set of random
1159 * values x[j] mod q (j = 1...n), are generated as the zeros of a
1160 * polynomial of order n. The product terms (x - x[j]) are expanded to
1161 * form coefficients a[i] mod q (i = 0...n) in powers of x. These are
1162 * used as exponents of the generator g mod p to generate the private
1163 * encryption key A. The pair (gbar, ghat) of public server keys and the
1164 * pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used
1165 * to construct the decryption keys. The devil is in the details.
1166 *
1167 * This routine generates a private encryption file including the
1168 * private encryption key E and public key (gbar, ghat). It then
1169 * generates decryption files including the private key (xbar[j],
1170 * xhat[j]) for each client. E is a permutation that encrypts a block
1171 * y = E x. The jth client computes the inverse permutation E^-1 =
1172 * gbar^xhat[j] ghat^xbar[j] and decrypts the block x = E^-1 y.
1173 *
1174 * The distinguishing characteristic of this scheme is the capability to
1175 * revoke keys. Included in the calculation of E, gbar and ghat is the
1176 * product s = prod(s'[j]) (j = 1...n) above. If the factor s'[j] is
1177 * subsequently removed from the product and E, gbar and ghat
1178 * recomputed, the jth client will no longer be able to compute E^-1 and
1179 * thus unable to decrypt the block.
1180 */
1181 EVP_PKEY * /* DSA cuckoo nest */
1182 gen_mv(
1183 char *id /* file name id */
1184 )
1185 {
1186 EVP_PKEY *pkey, *pkey1; /* private key */
1187 DSA *dsa; /* DSA parameters */
1188 DSA *sdsa; /* DSA parameters */
1189 BN_CTX *ctx; /* BN working space */
1190 BIGNUM **x; /* polynomial zeros vector */
1191 BIGNUM **a; /* polynomial coefficient vector */
1192 BIGNUM **g; /* public key vector */
1193 BIGNUM **s, **s1; /* private enabling keys */
1194 BIGNUM **xbar, **xhat; /* private keys vector */
1195 BIGNUM *b; /* group key */
1196 BIGNUM *b1; /* inverse group key */
1197 BIGNUM *ss; /* enabling key */
1198 BIGNUM *biga; /* master encryption key */
1199 BIGNUM *bige; /* session encryption key */
1200 BIGNUM *gbar, *ghat; /* public key */
1201 BIGNUM *u, *v, *w; /* BN scratch */
1202 int i, j, n;
1203 FILE *str;
1204 u_int temp;
1205 char ident[20];
1206
1207 /*
1208 * Generate MV parameters.
1209 *
1210 * The object is to generate a multiplicative group Zp* modulo a
1211 * prime p and a subset Zq mod q, where q is the product of n
1212 * distinct primes s'[j] (j = 1...n) and q divides p - 1. We
1213 * first generate n distinct primes, which may have to be
1214 * regenerated later. As a practical matter, it is tough to find
1215 * more than 31 distinct primes for modulus 512 or 61 primes for
1216 * modulus 1024. The latter can take several hundred iterations
1217 * and several minutes on a Sun Blade 1000.
1218 */
1219 n = nkeys;
1220 fprintf(stderr,
1221 "Generating MV parameters for %d keys (%d bits)...\n", n,
1222 modulus / n);
1223 ctx = BN_CTX_new(); u = BN_new(); v = BN_new(); w = BN_new();
1224 b = BN_new(); b1 = BN_new();
1225 dsa = DSA_new();
1226 dsa->p = BN_new();
1227 dsa->q = BN_new();
1228 dsa->g = BN_new();
1229 s = malloc((n + 1) * sizeof(BIGNUM));
1230 s1 = malloc((n + 1) * sizeof(BIGNUM));
1231 for (j = 1; j <= n; j++)
1232 s1[j] = BN_new();
1233 temp = 0;
1234 for (j = 1; j <= n; j++) {
1235 while (1) {
1236 fprintf(stderr, "Birthdays %d\r", temp);
1237 BN_generate_prime(s1[j], modulus / n, 0, NULL,
1238 NULL, NULL, NULL);
1239 for (i = 1; i < j; i++) {
1240 if (BN_cmp(s1[i], s1[j]) == 0)
1241 break;
1242 }
1243 if (i == j)
1244 break;
1245 temp++;
1246 }
1247 }
1248 fprintf(stderr, "Birthday keys rejected %d\n", temp);
1249
1250 /*
1251 * Compute the modulus q as the product of the primes. Compute
1252 * the modulus p as 2 * q + 1 and test p for primality. If p
1253 * is composite, replace one of the primes with a new distinct
1254 * one and try again. Note that q will hardly be a secret since
1255 * we have to reveal p to servers and clients. However,
1256 * factoring q to find the primes should be adequately hard, as
1257 * this is the same problem considered hard in RSA. Question: is
1258 * it as hard to find n small prime factors totalling n bits as
1259 * it is to find two large prime factors totalling n bits?
1260 * Remember, the bad guy doesn't know n.
1261 */
1262 temp = 0;
1263 while (1) {
1264 fprintf(stderr, "Duplicate keys rejected %d\r", ++temp);
1265 BN_one(dsa->q);
1266 for (j = 1; j <= n; j++)
1267 BN_mul(dsa->q, dsa->q, s1[j], ctx);
1268 BN_copy(dsa->p, dsa->q);
1269 BN_add(dsa->p, dsa->p, dsa->p);
1270 BN_add_word(dsa->p, 1);
1271 if (BN_is_prime(dsa->p, BN_prime_checks, NULL, ctx,
1272 NULL))
1273 break;
1274
1275 j = temp % n + 1;
1276 while (1) {
1277 BN_generate_prime(u, modulus / n, 0, 0, NULL,
1278 NULL, NULL);
1279 for (i = 1; i <= n; i++) {
1280 if (BN_cmp(u, s1[i]) == 0)
1281 break;
1282 }
1283 if (i > n)
1284 break;
1285 }
1286 BN_copy(s1[j], u);
1287 }
1288 fprintf(stderr, "Duplicate keys rejected %d\n", temp);
1289
1290 /*
1291 * Compute the generator g using a random roll such that
1292 * gcd(g, p - 1) = 1 and g^q = 1. This is a generator of p, not
1293 * q.
1294 */
1295 BN_copy(v, dsa->p);
1296 BN_sub_word(v, 1);
1297 while (1) {
1298 BN_rand(dsa->g, BN_num_bits(dsa->p) - 1, 0, 0);
1299 BN_mod(dsa->g, dsa->g, dsa->p, ctx);
1300 BN_gcd(u, dsa->g, v, ctx);
1301 if (!BN_is_one(u))
1302 continue;
1303
1304 BN_mod_exp(u, dsa->g, dsa->q, dsa->p, ctx);
1305 if (BN_is_one(u))
1306 break;
1307 }
1308
1309 /*
1310 * Compute s[j] such that s[j] * s'[j] = s'[j] for all j. The
1311 * easy way to do this is to compute q + s'[j] and divide the
1312 * result by s'[j]. Exercise for the student: prove the
1313 * remainder is always zero.
1314 */
1315 for (j = 1; j <= n; j++) {
1316 s[j] = BN_new();
1317 BN_add(s[j], dsa->q, s1[j]);
1318 BN_div(s[j], u, s[j], s1[j], ctx);
1319 }
1320
1321 /*
1322 * Setup is now complete. Roll random polynomial roots x[j]
1323 * (0 < x[j] < q) for all j. While it may not be strictly
1324 * necessary, Make sure each root has no factors in common with
1325 * q.
1326 */
1327 fprintf(stderr,
1328 "Generating polynomial coefficients for %d roots (%d bits)\n",
1329 n, BN_num_bits(dsa->q));
1330 x = malloc((n + 1) * sizeof(BIGNUM));
1331 for (j = 1; j <= n; j++) {
1332 x[j] = BN_new();
1333 while (1) {
1334 BN_rand(x[j], BN_num_bits(dsa->q), 0, 0);
1335 BN_mod(x[j], x[j], dsa->q, ctx);
1336 BN_gcd(u, x[j], dsa->q, ctx);
1337 if (BN_is_one(u))
1338 break;
1339 }
1340 }
1341
1342 /*
1343 * Generate polynomial coefficients a[i] (i = 0...n) from the
1344 * expansion of root products (x - x[j]) mod q for all j. The
1345 * method is a present from Charlie Boncelet.
1346 */
1347 a = malloc((n + 1) * sizeof(BIGNUM));
1348 for (i = 0; i <= n; i++) {
1349 a[i] = BN_new();
1350 BN_one(a[i]);
1351 }
1352 for (j = 1; j <= n; j++) {
1353 BN_zero(w);
1354 for (i = 0; i < j; i++) {
1355 BN_copy(u, dsa->q);
1356 BN_mod_mul(v, a[i], x[j], dsa->q, ctx);
1357 BN_sub(u, u, v);
1358 BN_add(u, u, w);
1359 BN_copy(w, a[i]);
1360 BN_mod(a[i], u, dsa->q, ctx);
1361 }
1362 }
1363
1364 /*
1365 * Generate g[i] = g^a[i] mod p for all i and the generator g.
1366 */
1367 fprintf(stderr, "Generating g[i] parameters\n");
1368 g = malloc((n + 1) * sizeof(BIGNUM));
1369 for (i = 0; i <= n; i++) {
1370 g[i] = BN_new();
1371 BN_mod_exp(g[i], dsa->g, a[i], dsa->p, ctx);
1372 }
1373
1374 /*
1375 * Verify prod(g[i]^(a[i] x[j]^i)) = 1 for all i, j; otherwise,
1376 * exit. Note the a[i] x[j]^i exponent is computed mod q, but
1377 * the g[i] is computed mod p. also note the expression given in
1378 * the paper is incorrect.
1379 */
1380 temp = 1;
1381 for (j = 1; j <= n; j++) {
1382 BN_one(u);
1383 for (i = 0; i <= n; i++) {
1384 BN_set_word(v, i);
1385 BN_mod_exp(v, x[j], v, dsa->q, ctx);
1386 BN_mod_mul(v, v, a[i], dsa->q, ctx);
1387 BN_mod_exp(v, dsa->g, v, dsa->p, ctx);
1388 BN_mod_mul(u, u, v, dsa->p, ctx);
1389 }
1390 if (!BN_is_one(u))
1391 temp = 0;
1392 }
1393 fprintf(stderr,
1394 "Confirm prod(g[i]^(x[j]^i)) = 1 for all i, j: %s\n", temp ?
1395 "yes" : "no");
1396 if (!temp) {
1397 rval = -1;
1398 return (NULL);
1399 }
1400
1401 /*
1402 * Make private encryption key A. Keep it around for awhile,
1403 * since it is expensive to compute.
1404 */
1405 biga = BN_new();
1406 BN_one(biga);
1407 for (j = 1; j <= n; j++) {
1408 for (i = 0; i < n; i++) {
1409 BN_set_word(v, i);
1410 BN_mod_exp(v, x[j], v, dsa->q, ctx);
1411 BN_mod_exp(v, g[i], v, dsa->p, ctx);
1412 BN_mod_mul(biga, biga, v, dsa->p, ctx);
1413 }
1414 }
1415
1416 /*
1417 * Roll private random group key b mod q (0 < b < q), where
1418 * gcd(b, q) = 1 to guarantee b^1 exists, then compute b^-1
1419 * mod q. If b is changed, the client keys must be recomputed.
1420 */
1421 while (1) {
1422 BN_rand(b, BN_num_bits(dsa->q), 0, 0);
1423 BN_mod(b, b, dsa->q, ctx);
1424 BN_gcd(u, b, dsa->q, ctx);
1425 if (BN_is_one(u))
1426 break;
1427 }
1428 BN_mod_inverse(b1, b, dsa->q, ctx);
1429
1430 /*
1431 * Make private client keys (xbar[j], xhat[j]) for all j. Note
1432 * that the keys for the jth client involve s[j], but not s'[j]
1433 * or the product s = prod(s'[j]) mod q, which is the enabling
1434 * key.
1435 */
1436 xbar = malloc((n + 1) * sizeof(BIGNUM));
1437 xhat = malloc((n + 1) * sizeof(BIGNUM));
1438 for (j = 1; j <= n; j++) {
1439 xbar[j] = BN_new(); xhat[j] = BN_new();
1440 BN_zero(xbar[j]);
1441 BN_set_word(v, n);
1442 for (i = 1; i <= n; i++) {
1443 if (i == j)
1444 continue;
1445 BN_mod_exp(u, x[i], v, dsa->q, ctx);
1446 BN_add(xbar[j], xbar[j], u);
1447 }
1448 BN_mod_mul(xbar[j], xbar[j], b1, dsa->q, ctx);
1449 BN_mod_exp(xhat[j], x[j], v, dsa->q, ctx);
1450 BN_mod_mul(xhat[j], xhat[j], s[j], dsa->q, ctx);
1451 }
1452
1453 /*
1454 * The enabling key is initially q by construction. We can
1455 * revoke client j by dividing q by s'[j]. The quotient becomes
1456 * the enabling key s. Note we always have to revoke one key;
1457 * otherwise, the plaintext and cryptotext would be identical.
1458 */
1459 ss = BN_new();
1460 BN_copy(ss, dsa->q);
1461 BN_div(ss, u, dsa->q, s1[n], ctx);
1462
1463 /*
1464 * Make private server encryption key E = A^s and public server
1465 * keys gbar = g^s mod p and ghat = g^(s b) mod p. The (gbar,
1466 * ghat) is the public key provided to the server, which uses it
1467 * to compute the session encryption key and public key included
1468 * in its messages. These values must be regenerated if the
1469 * enabling key is changed.
1470 */
1471 bige = BN_new(); gbar = BN_new(); ghat = BN_new();
1472 BN_mod_exp(bige, biga, ss, dsa->p, ctx);
1473 BN_mod_exp(gbar, dsa->g, ss, dsa->p, ctx);
1474 BN_mod_mul(v, ss, b, dsa->q, ctx);
1475 BN_mod_exp(ghat, dsa->g, v, dsa->p, ctx);
1476
1477 /*
1478 * We produce the key media in three steps. The first step is to
1479 * generate the private values that do not depend on the
1480 * enabling key. These include the server values p, q, g, b, A
1481 * and the client values s'[j], xbar[j] and xhat[j] for each j.
1482 * The p, xbar[j] and xhat[j] values are encoded in private
1483 * files which are distributed to respective clients. The p, q,
1484 * g, A and s'[j] values (will be) written to a secret file to
1485 * be read back later.
1486 *
1487 * The secret file (will be) read back at some later time to
1488 * enable/disable individual keys and generate/regenerate the
1489 * enabling key s. The p, q, E, gbar and ghat values are written
1490 * to a secret file to be read back later by the server.
1491 *
1492 * The server reads the secret file and rolls the session key
1493 * k, which is used only once, then computes E^k, gbar^k and
1494 * ghat^k. The E^k is the session encryption key. The encrypted
1495 * data, gbar^k and ghat^k are transmtted to clients in an
1496 * extension field. The client receives the message and computes
1497 * x = (gbar^k)^xbar[j] (ghat^k)^xhat[j], finds the session
1498 * encryption key E^k as the inverse x^-1 and decrypts the data.
1499 */
1500 BN_copy(dsa->g, bige);
1501 dsa->priv_key = BN_dup(gbar);
1502 dsa->pub_key = BN_dup(ghat);
1503
1504 /*
1505 * Write the MV server parameters and keys as a DSA private key
1506 * encoded in PEM.
1507 *
1508 * p modulus p
1509 * q modulus q (used only to generate k)
1510 * g E mod p
1511 * priv_key gbar mod p
1512 * pub_key ghat mod p
1513 */
1514 str = fheader("MVpar", trustname);
1515 pkey = EVP_PKEY_new();
1516 EVP_PKEY_assign_DSA(pkey, dsa);
1517 PEM_write_PrivateKey(str, pkey, passwd2 ? EVP_des_cbc() : NULL,
1518 NULL, 0, NULL, passwd2);
1519 fclose(str);
1520 if (debug)
1521 DSA_print_fp(stdout, dsa, 0);
1522 fslink(id, trustname);
1523
1524 /*
1525 * Write the parameters and private key (xbar[j], xhat[j]) for
1526 * all j as a DSA private key encoded in PEM. It is used only by
1527 * the designated recipient(s) who pay a suitably outrageous fee
1528 * for its use.
1529 */
1530 sdsa = DSA_new();
1531 sdsa->p = BN_dup(dsa->p);
1532 sdsa->q = BN_dup(BN_value_one());
1533 sdsa->g = BN_dup(BN_value_one());
1534 sdsa->priv_key = BN_new();
1535 sdsa->pub_key = BN_new();
1536 for (j = 1; j <= n; j++) {
1537 BN_copy(sdsa->priv_key, xbar[j]);
1538 BN_copy(sdsa->pub_key, xhat[j]);
1539 BN_mod_exp(v, dsa->priv_key, sdsa->pub_key, dsa->p,
1540 ctx);
1541 BN_mod_exp(u, dsa->pub_key, sdsa->priv_key, dsa->p,
1542 ctx);
1543 BN_mod_mul(u, u, v, dsa->p, ctx);
1544 BN_mod_mul(u, u, dsa->g, dsa->p, ctx);
1545 BN_free(xbar[j]); BN_free(xhat[j]);
1546 BN_free(x[j]); BN_free(s[j]); BN_free(s1[j]);
1547 if (!BN_is_one(u)) {
1548 fprintf(stderr, "Revoke key %d\n", j);
1549 continue;
1550 }
1551
1552 /*
1553 * Write the client parameters as a DSA private key
1554 * encoded in PEM. We don't make links for these.
1555 *
1556 * p modulus p
1557 * priv_key xbar[j] mod q
1558 * pub_key xhat[j] mod q
1559 * (remaining values are not used)
1560 */
1561 sprintf(ident, "MVkey%d", j);
1562 str = fheader(ident, trustname);
1563 pkey1 = EVP_PKEY_new();
1564 EVP_PKEY_set1_DSA(pkey1, sdsa);
1565 PEM_write_PrivateKey(str, pkey1, passwd2 ?
1566 EVP_des_cbc() : NULL, NULL, 0, NULL, passwd2);
1567 fclose(str);
1568 fprintf(stderr, "ntpkey_%s_%s.%lld\n", ident, trustname,
1569 (long long)epoch + JAN_1970);
1570 if (debug)
1571 DSA_print_fp(stdout, sdsa, 0);
1572 EVP_PKEY_free(pkey1);
1573 }
1574
1575 /*
1576 * Free the countries.
1577 */
1578 for (i = 0; i <= n; i++) {
1579 BN_free(a[i]);
1580 BN_free(g[i]);
1581 }
1582 BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
1583 BN_free(b); BN_free(b1); BN_free(biga); BN_free(bige);
1584 BN_free(ss); BN_free(gbar); BN_free(ghat);
1585 DSA_free(sdsa);
1586
1587 /*
1588 * Free the world.
1589 */
1590 free(x); free(a); free(g); free(s); free(s1);
1591 free(xbar); free(xhat);
1592 return (pkey);
1593 }
1594
1595
1596 /*
1597 * Generate X509v3 scertificate.
1598 *
1599 * The certificate consists of the version number, serial number,
1600 * validity interval, issuer name, subject name and public key. For a
1601 * self-signed certificate, the issuer name is the same as the subject
1602 * name and these items are signed using the subject private key. The
1603 * validity interval extends from the current time to the same time one
1604 * year hence. For NTP purposes, it is convenient to use the NTP seconds
1605 * of the current time as the serial number.
1606 */
1607 int
1608 x509 (
1609 EVP_PKEY *pkey, /* generic signature algorithm */
1610 const EVP_MD *md, /* generic digest algorithm */
1611 char *gqpub, /* identity extension (hex string) */
1612 char *exten /* private cert extension */
1613 )
1614 {
1615 X509 *cert; /* X509 certificate */
1616 X509_NAME *subj; /* distinguished (common) name */
1617 X509_EXTENSION *ex; /* X509v3 extension */
1618 FILE *str; /* file handle */
1619 ASN1_INTEGER *serial; /* serial number */
1620 const char *id; /* digest/signature scheme name */
1621 char pathbuf[MAXFILENAME + 1];
1622
1623 /*
1624 * Generate X509 self-signed certificate.
1625 *
1626 * Set the certificate serial to the NTP seconds for grins. Set
1627 * the version to 3. Set the subject name and issuer name to the
1628 * subject name in the request. Set the initial validity to the
1629 * current time and the final validity one year hence.
1630 */
1631 id = OBJ_nid2sn(md->pkey_type);
1632 fprintf(stderr, "Generating certificate %s\n", id);
1633 cert = X509_new();
1634 X509_set_version(cert, 2L);
1635 serial = ASN1_INTEGER_new();
1636 ASN1_INTEGER_set(serial, epoch + JAN_1970);
1637 X509_set_serialNumber(cert, serial);
1638 ASN1_INTEGER_free(serial);
1639 X509_time_adj(X509_get_notBefore(cert), 0L, &epoch);
1640 X509_time_adj(X509_get_notAfter(cert), YEAR, &epoch);
1641 subj = X509_get_subject_name(cert);
1642 X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
1643 (unsigned char *) hostname, strlen(hostname), -1, 0);
1644 subj = X509_get_issuer_name(cert);
1645 X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
1646 (unsigned char *) trustname, strlen(trustname), -1, 0);
1647 if (!X509_set_pubkey(cert, pkey)) {
1648 fprintf(stderr, "Assign key fails\n%s\n",
1649 ERR_error_string(ERR_get_error(), NULL));
1650 X509_free(cert);
1651 rval = -1;
1652 return (0);
1653 }
1654
1655 /*
1656 * Add X509v3 extensions if present. These represent the minimum
1657 * set defined in RFC3280 less the certificate_policy extension,
1658 * which is seriously obfuscated in OpenSSL.
1659 */
1660 /*
1661 * The basic_constraints extension CA:TRUE allows servers to
1662 * sign client certficitates.
1663 */
1664 fprintf(stderr, "%s: %s\n", LN_basic_constraints,
1665 BASIC_CONSTRAINTS);
1666 ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
1667 BASIC_CONSTRAINTS);
1668 if (!X509_add_ext(cert, ex, -1)) {
1669 fprintf(stderr, "Add extension field fails\n%s\n",
1670 ERR_error_string(ERR_get_error(), NULL));
1671 rval = -1;
1672 return (0);
1673 }
1674 X509_EXTENSION_free(ex);
1675
1676 /*
1677 * The key_usage extension designates the purposes the key can
1678 * be used for.
1679 */
1680 fprintf(stderr, "%s: %s\n", LN_key_usage, KEY_USAGE);
1681 ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, KEY_USAGE);
1682 if (!X509_add_ext(cert, ex, -1)) {
1683 fprintf(stderr, "Add extension field fails\n%s\n",
1684 ERR_error_string(ERR_get_error(), NULL));
1685 rval = -1;
1686 return (0);
1687 }
1688 X509_EXTENSION_free(ex);
1689 /*
1690 * The subject_key_identifier is used for the GQ public key.
1691 * This should not be controversial.
1692 */
1693 if (gqpub != NULL) {
1694 fprintf(stderr, "%s\n", LN_subject_key_identifier);
1695 ex = X509V3_EXT_conf_nid(NULL, NULL,
1696 NID_subject_key_identifier, gqpub);
1697 if (!X509_add_ext(cert, ex, -1)) {
1698 fprintf(stderr,
1699 "Add extension field fails\n%s\n",
1700 ERR_error_string(ERR_get_error(), NULL));
1701 rval = -1;
1702 return (0);
1703 }
1704 X509_EXTENSION_free(ex);
1705 }
1706
1707 /*
1708 * The extended key usage extension is used for special purpose
1709 * here. The semantics probably do not conform to the designer's
1710 * intent and will likely change in future.
1711 *
1712 * "trustRoot" designates a root authority
1713 * "private" designates a private certificate
1714 */
1715 if (exten != NULL) {
1716 fprintf(stderr, "%s: %s\n", LN_ext_key_usage, exten);
1717 ex = X509V3_EXT_conf_nid(NULL, NULL,
1718 NID_ext_key_usage, exten);
1719 if (!X509_add_ext(cert, ex, -1)) {
1720 fprintf(stderr,
1721 "Add extension field fails\n%s\n",
1722 ERR_error_string(ERR_get_error(), NULL));
1723 rval = -1;
1724 return (0);
1725 }
1726 X509_EXTENSION_free(ex);
1727 }
1728
1729 /*
1730 * Sign and verify.
1731 */
1732 X509_sign(cert, pkey, md);
1733 if (!X509_verify(cert, pkey)) {
1734 fprintf(stderr, "Verify %s certificate fails\n%s\n", id,
1735 ERR_error_string(ERR_get_error(), NULL));
1736 X509_free(cert);
1737 rval = -1;
1738 return (0);
1739 }
1740
1741 /*
1742 * Write the certificate encoded in PEM.
1743 */
1744 sprintf(pathbuf, "%scert", id);
1745 str = fheader(pathbuf, hostname);
1746 PEM_write_X509(str, cert);
1747 fclose(str);
1748 if (debug)
1749 X509_print_fp(stdout, cert);
1750 X509_free(cert);
1751 fslink("cert", hostname);
1752 return (1);
1753 }
1754
1755 #if 0 /* asn2ntp is not used */
1756 /*
1757 * asn2ntp - convert ASN1_TIME time structure to NTP time
1758 */
1759 u_long
1760 asn2ntp (
1761 ASN1_TIME *asn1time /* pointer to ASN1_TIME structure */
1762 )
1763 {
1764 char *v; /* pointer to ASN1_TIME string */
1765 struct tm tm; /* time decode structure time */
1766
1767 /*
1768 * Extract time string YYMMDDHHMMSSZ from ASN.1 time structure.
1769 * Note that the YY, MM, DD fields start with one, the HH, MM,
1770 * SS fiels start with zero and the Z character should be 'Z'
1771 * for UTC. Also note that years less than 50 map to years
1772 * greater than 100. Dontcha love ASN.1?
1773 */
1774 if (asn1time->length > 13)
1775 return (-1);
1776 v = (char *)asn1time->data;
1777 tm.tm_year = (v[0] - '0') * 10 + v[1] - '0';
1778 if (tm.tm_year < 50)
1779 tm.tm_year += 100;
1780 tm.tm_mon = (v[2] - '0') * 10 + v[3] - '0' - 1;
1781 tm.tm_mday = (v[4] - '0') * 10 + v[5] - '0';
1782 tm.tm_hour = (v[6] - '0') * 10 + v[7] - '0';
1783 tm.tm_min = (v[8] - '0') * 10 + v[9] - '0';
1784 tm.tm_sec = (v[10] - '0') * 10 + v[11] - '0';
1785 tm.tm_wday = 0;
1786 tm.tm_yday = 0;
1787 tm.tm_isdst = 0;
1788 return (mktime(&tm) + JAN_1970);
1789 }
1790 #endif
1791
1792 /*
1793 * Callback routine
1794 */
1795 void
1796 cb (
1797 int n1, /* arg 1 */
1798 int n2, /* arg 2 */
1799 void *chr /* arg 3 */
1800 )
1801 {
1802 switch (n1) {
1803 case 0:
1804 d0++;
1805 fprintf(stderr, "%s %d %d %lu\r", (char *)chr, n1, n2,
1806 d0);
1807 break;
1808 case 1:
1809 d1++;
1810 fprintf(stderr, "%s\t\t%d %d %lu\r", (char *)chr, n1,
1811 n2, d1);
1812 break;
1813 case 2:
1814 d2++;
1815 fprintf(stderr, "%s\t\t\t\t%d %d %lu\r", (char *)chr,
1816 n1, n2, d2);
1817 break;
1818 case 3:
1819 d3++;
1820 fprintf(stderr, "%s\t\t\t\t\t\t%d %d %lu\r",
1821 (char *)chr, n1, n2, d3);
1822 break;
1823 }
1824 }
1825
1826
1827 /*
1828 * Generate key
1829 */
1830 EVP_PKEY * /* public/private key pair */
1831 genkey(
1832 char *type, /* key type (RSA or DSA) */
1833 char *id /* file name id */
1834 )
1835 {
1836 if (type == NULL)
1837 return (NULL);
1838 if (strcmp(type, "RSA") == 0)
1839 return (gen_rsa(id));
1840
1841 else if (strcmp(type, "DSA") == 0)
1842 return (gen_dsa(id));
1843
1844 fprintf(stderr, "Invalid %s key type %s\n", id, type);
1845 rval = -1;
1846 return (NULL);
1847 }
1848 #endif /* OPENSSL */
1849
1850
1851 /*
1852 * Generate file header
1853 */
1854 FILE *
1855 fheader (
1856 const char *id, /* file name id */
1857 const char *name /* owner name */
1858 )
1859 {
1860 FILE *str; /* file handle */
1861
1862 sprintf(filename, "ntpkey_%s_%s.%lld", id, name, (long long)epoch +
1863 JAN_1970);
1864 if ((str = fopen(filename, "w")) == NULL) {
1865 perror("Write");
1866 exit (-1);
1867 }
1868 fprintf(str, "# %s\n# %s", filename, ctime(&epoch));
1869 return (str);
1870 }
1871
1872
1873 /*
1874 * Generate symbolic links
1875 */
1876 void
1877 fslink(
1878 const char *id, /* file name id */
1879 const char *name /* owner name */
1880 )
1881 {
1882 char linkname[MAXFILENAME]; /* link name */
1883 int temp;
1884
1885 sprintf(linkname, "ntpkey_%s_%s", id, name);
1886 remove(linkname);
1887 temp = symlink(filename, linkname);
1888 if (temp < 0)
1889 perror(id);
1890 fprintf(stderr, "Generating new %s file and link\n", id);
1891 fprintf(stderr, "%s->%s\n", linkname, filename);
1892 }
NetBSD on the FriendlyARM MINI2440