Home | History | Annotate | Line # | Download | only in util
      1 /*	$NetBSD: ntp-keygen.c,v 1.16 2024/08/18 20:47:27 christos Exp $	*/
      2 
      3 /*
      4  * Program to generate cryptographic keys for ntp clients and servers
      5  *
      6  * This program generates password encrypted data files for use with the
      7  * Autokey security protocol and Network Time Protocol Version 4. Files
      8  * are prefixed with a header giving the name and date of creation
      9  * followed by a type-specific descriptive label and PEM-encoded data
     10  * structure compatible with programs of the OpenSSL library.
     11  *
     12  * All file names are like "ntpkey_<type>_<hostname>.<filestamp>", where
     13  * <type> is the file type, <hostname> the generating host name and
     14  * <filestamp> the generation time in NTP seconds. The NTP programs
     15  * expect generic names such as "ntpkey_<type>_whimsy.udel.edu" with the
     16  * association maintained by soft links. Following is a list of file
     17  * types; the first line is the file name and the second link name.
     18  *
     19  * ntpkey_MD5key_<hostname>.<filestamp>
     20  * 	MD5 (128-bit) keys used to compute message digests in symmetric
     21  *	key cryptography
     22  *
     23  * ntpkey_RSAhost_<hostname>.<filestamp>
     24  * ntpkey_host_<hostname>
     25  *	RSA private/public host key pair used for public key signatures
     26  *
     27  * ntpkey_RSAsign_<hostname>.<filestamp>
     28  * ntpkey_sign_<hostname>
     29  *	RSA private/public sign key pair used for public key signatures
     30  *
     31  * ntpkey_DSAsign_<hostname>.<filestamp>
     32  * ntpkey_sign_<hostname>
     33  *	DSA Private/public sign key pair used for public key signatures
     34  *
     35  * Available digest/signature schemes
     36  *
     37  * RSA:	RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, EVP-RIPEMD160
     38  * DSA:	DSA-SHA, DSA-SHA1
     39  *
     40  * ntpkey_XXXcert_<hostname>.<filestamp>
     41  * ntpkey_cert_<hostname>
     42  *	X509v3 certificate using RSA or DSA public keys and signatures.
     43  *	XXX is a code identifying the message digest and signature
     44  *	encryption algorithm
     45  *
     46  * Identity schemes. The key type par is used for the challenge; the key
     47  * type key is used for the response.
     48  *
     49  * ntpkey_IFFkey_<groupname>.<filestamp>
     50  * ntpkey_iffkey_<groupname>
     51  *	Schnorr (IFF) identity parameters and keys
     52  *
     53  * ntpkey_GQkey_<groupname>.<filestamp>,
     54  * ntpkey_gqkey_<groupname>
     55  *	Guillou-Quisquater (GQ) identity parameters and keys
     56  *
     57  * ntpkey_MVkeyX_<groupname>.<filestamp>,
     58  * ntpkey_mvkey_<groupname>
     59  *	Mu-Varadharajan (MV) identity parameters and keys
     60  *
     61  * Note: Once in a while because of some statistical fluke this program
     62  * fails to generate and verify some cryptographic data, as indicated by
     63  * exit status -1. In this case simply run the program again. If the
     64  * program does complete with exit code 0, the data are correct as
     65  * verified.
     66  *
     67  * These cryptographic routines are characterized by the prime modulus
     68  * size in bits. The default value of 512 bits is a compromise between
     69  * cryptographic strength and computing time and is ordinarily
     70  * considered adequate for this application. The routines have been
     71  * tested with sizes of 256, 512, 1024 and 2048 bits. Not all message
     72  * digest and signature encryption schemes work with sizes less than 512
     73  * bits. The computing time for sizes greater than 2048 bits is
     74  * prohibitive on all but the fastest processors. An UltraSPARC Blade
     75  * 1000 took something over nine minutes to generate and verify the
     76  * values with size 2048. An old SPARC IPC would take a week.
     77  *
     78  * The OpenSSL library used by this program expects a random seed file.
     79  * As described in the OpenSSL documentation, the file name defaults to
     80  * first the RANDFILE environment variable in the user's home directory
     81  * and then .rnd in the user's home directory.
     82  */
     83 #ifdef HAVE_CONFIG_H
     84 # include <config.h>
     85 #endif
     86 #include <string.h>
     87 #include <stdio.h>
     88 #include <stdlib.h>
     89 #include <unistd.h>
     90 #include <sys/stat.h>
     91 #include <sys/time.h>
     92 #include <sys/types.h>
     93 
     94 #include "ntp.h"
     95 #include "ntp_random.h"
     96 #include "ntp_stdlib.h"
     97 #include "ntp_assert.h"
     98 #include "ntp_libopts.h"
     99 #include "ntp_unixtime.h"
    100 #include "ntp-keygen-opts.h"
    101 
    102 #ifdef OPENSSL
    103 #include "openssl/asn1.h"
    104 #include "openssl/bn.h"
    105 #include "openssl/crypto.h"
    106 #include "openssl/evp.h"
    107 #include "openssl/err.h"
    108 #include "openssl/rand.h"
    109 #include "openssl/opensslv.h"
    110 #include "openssl/pem.h"
    111 #include "openssl/x509.h"
    112 #include "openssl/x509v3.h"
    113 #include <openssl/objects.h>
    114 #include "libssl_compat.h"
    115 #endif	/* OPENSSL */
    116 #include <ssl_applink.c>
    117 
    118 #define _UC(str)	((char *)(intptr_t)(str))
    119 /*
    120  * Cryptodefines
    121  */
    122 #define	MD5KEYS		10	/* number of keys generated of each type */
    123 #define	MD5SIZE		20	/* maximum key size */
    124 #ifdef AUTOKEY
    125 #define	PLEN		512	/* default prime modulus size (bits) */
    126 #define	ILEN		512	/* default identity modulus size (bits) */
    127 #define	MVMAX		100	/* max MV parameters */
    128 
    129 /*
    130  * Strings used in X509v3 extension fields
    131  */
    132 #define KEY_USAGE		"digitalSignature,keyCertSign"
    133 #define BASIC_CONSTRAINTS	"critical,CA:TRUE"
    134 #define EXT_KEY_PRIVATE		"private"
    135 #define EXT_KEY_TRUST		"trustRoot"
    136 #endif	/* AUTOKEY */
    137 
    138 /*
    139  * Prototypes
    140  */
    141 FILE	*fheader	(const char *, const char *, const char *);
    142 int	gen_md5		(const char *);
    143 void	followlink	(char *, size_t);
    144 #ifdef AUTOKEY
    145 EVP_PKEY *gen_rsa	(const char *);
    146 EVP_PKEY *gen_dsa	(const char *);
    147 EVP_PKEY *gen_iffkey	(const char *);
    148 EVP_PKEY *gen_gqkey	(const char *);
    149 EVP_PKEY *gen_mvkey	(const char *, EVP_PKEY **);
    150 void	gen_mvserv	(char *, EVP_PKEY **);
    151 int	x509		(EVP_PKEY *, const EVP_MD *, char *, const char *,
    152 			    char *);
    153 void	cb		(int, int, void *);
    154 EVP_PKEY *genkey	(const char *, const char *);
    155 EVP_PKEY *readkey	(char *, char *, u_int *, EVP_PKEY **);
    156 void	writekey	(char *, char *, u_int *, EVP_PKEY **);
    157 u_long	asn2ntp		(ASN1_TIME *);
    158 
    159 static DSA* genDsaParams(int, char*);
    160 static RSA* genRsaKeyPair(int, char*);
    161 
    162 #endif	/* AUTOKEY */
    163 
    164 /*
    165  * Program variables
    166  */
    167 extern char *optarg;		/* command line argument */
    168 char	const *progname;
    169 u_int	lifetime = DAYSPERYEAR;	/* certificate lifetime (days) */
    170 int	nkeys;			/* MV keys */
    171 time_t	epoch;			/* Unix epoch (seconds) since 1970 */
    172 u_int	fstamp;			/* NTP filestamp */
    173 char	hostbuf[MAXHOSTNAME + 1];
    174 char	*hostname = NULL;	/* host, used in cert filenames */
    175 char	*groupname = NULL;	/* group name */
    176 char	certnamebuf[2 * sizeof(hostbuf)];
    177 char	*certname = NULL;	/* certificate subject/issuer name */
    178 char	*passwd1 = NULL;	/* input private key password */
    179 char	*passwd2 = NULL;	/* output private key password */
    180 char	filename[MAXFILENAME + 1]; /* file name */
    181 #ifdef AUTOKEY
    182 u_int	modulus = PLEN;		/* prime modulus size (bits) */
    183 u_int	modulus2 = ILEN;	/* identity modulus size (bits) */
    184 long	d0, d1, d2, d3;		/* callback counters */
    185 const EVP_CIPHER * cipher = NULL;
    186 #endif	/* AUTOKEY */
    187 
    188 #ifdef SYS_WINNT
    189 BOOL init_randfile();
    190 
    191 /*
    192  * Don't try to follow symbolic links on Windows.  Assume link == file.
    193  */
    194 int
    195 readlink(
    196 	char *	link,
    197 	char *	file,
    198 	int	len
    199 	)
    200 {
    201 	return (int)strlen(file); /* assume no overflow possible */
    202 }
    203 
    204 /*
    205  * Don't try to create symbolic links on Windows, that is supported on
    206  * Vista and later only.  Instead, if CreateHardLink is available (XP
    207  * and later), hardlink the linkname to the original filename.  On
    208  * earlier systems, user must rename file to match expected link for
    209  * ntpd to find it.  To allow building a ntp-keygen.exe which loads on
    210  * Windows pre-XP, runtime link to CreateHardLinkA().
    211  */
    212 int
    213 symlink(
    214 	char *	filename,
    215 	char*	linkname
    216 	)
    217 {
    218 	typedef BOOL (WINAPI *PCREATEHARDLINKA)(
    219 		__in LPCSTR	lpFileName,
    220 		__in LPCSTR	lpExistingFileName,
    221 		__reserved LPSECURITY_ATTRIBUTES lpSA
    222 		);
    223 	static PCREATEHARDLINKA pCreateHardLinkA;
    224 	static int		tried;
    225 	HMODULE			hDll;
    226 	FARPROC			pfn;
    227 	int			link_created;
    228 	int			saved_errno;
    229 
    230 	if (!tried) {
    231 		tried = TRUE;
    232 		hDll = LoadLibrary("kernel32");
    233 		pfn = GetProcAddress(hDll, "CreateHardLinkA");
    234 		pCreateHardLinkA = (PCREATEHARDLINKA)pfn;
    235 	}
    236 
    237 	if (NULL == pCreateHardLinkA) {
    238 		errno = ENOSYS;
    239 		return -1;
    240 	}
    241 
    242 	link_created = (*pCreateHardLinkA)(linkname, filename, NULL);
    243 
    244 	if (link_created)
    245 		return 0;
    246 
    247 	saved_errno = GetLastError();	/* yes we play loose */
    248 	mfprintf(stderr, "Create hard link %s to %s failed: %m\n",
    249 		 linkname, filename);
    250 	errno = saved_errno;
    251 	return -1;
    252 }
    253 
    254 void
    255 InitWin32Sockets() {
    256 	WORD wVersionRequested;
    257 	WSADATA wsaData;
    258 	wVersionRequested = MAKEWORD(2,0);
    259 	if (WSAStartup(wVersionRequested, &wsaData))
    260 	{
    261 		fprintf(stderr, "No useable winsock.dll\n");
    262 		exit(1);
    263 	}
    264 }
    265 #endif /* SYS_WINNT */
    266 
    267 
    268 /*
    269  * followlink() - replace filename with its target if symlink.
    270  *
    271  * readlink() does not null-terminate the result.
    272  */
    273 void
    274 followlink(
    275 	char *	fname,
    276 	size_t	bufsiz
    277 	)
    278 {
    279 	ssize_t	len;
    280 	char *	target;
    281 
    282 	REQUIRE(bufsiz > 0 && bufsiz <= SSIZE_MAX);
    283 
    284 	target = emalloc(bufsiz);
    285 	len = readlink(fname, target, bufsiz);
    286 	if (len < 0) {
    287 		fname[0] = '\0';
    288 		return;
    289 	}
    290 	if ((size_t)len > bufsiz - 1)
    291 		len = bufsiz - 1;
    292 	memcpy(fname, target, len);
    293 	fname[len] = '\0';
    294 	free(target);
    295 }
    296 
    297 
    298 /*
    299  * Main program
    300  */
    301 int
    302 main(
    303 	int	argc,		/* command line options */
    304 	char	**argv
    305 	)
    306 {
    307 	struct timeval tv;	/* initialization vector */
    308 	int	md5key = 0;	/* generate MD5 keys */
    309 	int	optct;		/* option count */
    310 #ifdef AUTOKEY
    311 	X509	*cert = NULL;	/* X509 certificate */
    312 	EVP_PKEY *pkey_host = NULL; /* host key */
    313 	EVP_PKEY *pkey_sign = NULL; /* sign key */
    314 	EVP_PKEY *pkey_iffkey = NULL; /* IFF sever keys */
    315 	EVP_PKEY *pkey_gqkey = NULL; /* GQ server keys */
    316 	EVP_PKEY *pkey_mvkey = NULL; /* MV trusted agen keys */
    317 	EVP_PKEY *pkey_mvpar[MVMAX]; /* MV cleient keys */
    318 	int	hostkey = 0;	/* generate RSA keys */
    319 	int	iffkey = 0;	/* generate IFF keys */
    320 	int	gqkey = 0;	/* generate GQ keys */
    321 	int	mvkey = 0;	/* update MV keys */
    322 	int	mvpar = 0;	/* generate MV parameters */
    323 	char	*sign = NULL;	/* sign key */
    324 	EVP_PKEY *pkey = NULL;	/* temp key */
    325 	const EVP_MD *ectx;	/* EVP digest */
    326 	char	pathbuf[MAXFILENAME + 1];
    327 	const char *scheme = NULL; /* digest/signature scheme */
    328 	const char *ciphername = NULL; /* to encrypt priv. key */
    329 	const char *exten = NULL;	/* private extension */
    330 	char	*grpkey = NULL;	/* identity extension */
    331 	int	nid;		/* X509 digest/signature scheme */
    332 	FILE	*fstr = NULL;	/* file handle */
    333 	char	groupbuf[MAXHOSTNAME + 1];
    334 	u_int	temp;
    335 	BIO *	bp;
    336 	int	i, cnt;
    337 	char *	ptr;
    338 #endif	/* AUTOKEY */
    339 #ifdef OPENSSL
    340 	const char *sslvtext;
    341 	int sslvmatch;
    342 #endif /* OPENSSL */
    343 
    344 	progname = argv[0];
    345 
    346 #ifdef SYS_WINNT
    347 	/* Initialize before OpenSSL checks */
    348 	InitWin32Sockets();
    349 	if (!init_randfile())
    350 		fprintf(stderr, "Unable to initialize .rnd file\n");
    351 	ssl_applink();
    352 #endif
    353 
    354 #ifdef OPENSSL
    355 	ssl_check_version();
    356 #endif	/* OPENSSL */
    357 
    358 	ntp_crypto_srandom();
    359 
    360 	/*
    361 	 * Process options, initialize host name and timestamp.
    362 	 * gethostname() won't null-terminate if hostname is exactly the
    363 	 * length provided for the buffer.
    364 	 */
    365 	gethostname(hostbuf, sizeof(hostbuf) - 1);
    366 	hostbuf[COUNTOF(hostbuf) - 1] = '\0';
    367 	hostname = hostbuf;
    368 	groupname = hostbuf;
    369 	passwd1 = hostbuf;
    370 	passwd2 = NULL;
    371 	GETTIMEOFDAY(&tv, NULL);
    372 	epoch = tv.tv_sec;
    373 	fstamp = (u_int)(epoch + JAN_1970);
    374 
    375 	optct = ntpOptionProcess(&ntp_keygenOptions, argc, argv);
    376 	argc -= optct;	// Just in case we care later.
    377 	argv += optct;	// Just in case we care later.
    378 
    379 #ifdef OPENSSL
    380 	sslvtext = OpenSSL_version(OPENSSL_VERSION);
    381 	sslvmatch = OpenSSL_version_num() == OPENSSL_VERSION_NUMBER;
    382 	if (sslvmatch)
    383 		fprintf(stderr, "Using OpenSSL version %s\n",
    384 			sslvtext);
    385 	else
    386 		fprintf(stderr, "Built against OpenSSL %s, using version %s\n",
    387 			OPENSSL_VERSION_TEXT, sslvtext);
    388 #endif /* OPENSSL */
    389 
    390 	debug = OPT_VALUE_SET_DEBUG_LEVEL;
    391 
    392 	if (HAVE_OPT( MD5KEY ))
    393 		md5key++;
    394 #ifdef AUTOKEY
    395 	if (HAVE_OPT( PASSWORD ))
    396 		passwd1 = estrdup(OPT_ARG( PASSWORD ));
    397 
    398 	if (HAVE_OPT( EXPORT_PASSWD ))
    399 		passwd2 = estrdup(OPT_ARG( EXPORT_PASSWD ));
    400 
    401 	if (HAVE_OPT( HOST_KEY ))
    402 		hostkey++;
    403 
    404 	if (HAVE_OPT( SIGN_KEY ))
    405 		sign = estrdup(OPT_ARG( SIGN_KEY ));
    406 
    407 	if (HAVE_OPT( GQ_PARAMS ))
    408 		gqkey++;
    409 
    410 	if (HAVE_OPT( IFFKEY ))
    411 		iffkey++;
    412 
    413 	if (HAVE_OPT( MV_PARAMS )) {
    414 		mvkey++;			/* DLH are these two swapped? */
    415 		nkeys = OPT_VALUE_MV_PARAMS;
    416 	}
    417 	if (HAVE_OPT( MV_KEYS )) {
    418 		mvpar++;	/* not used! */	/* DLH are these two swapped? */
    419 		nkeys = OPT_VALUE_MV_KEYS;
    420 	}
    421 
    422 	if (HAVE_OPT( IMBITS ))
    423 		modulus2 = OPT_VALUE_IMBITS;
    424 
    425 	if (HAVE_OPT( MODULUS ))
    426 		modulus = OPT_VALUE_MODULUS;
    427 
    428 	if (HAVE_OPT( CERTIFICATE ))
    429 		scheme = OPT_ARG( CERTIFICATE );
    430 
    431 	if (HAVE_OPT( CIPHER ))
    432 		ciphername = OPT_ARG( CIPHER );
    433 
    434 	if (HAVE_OPT( SUBJECT_NAME ))
    435 		hostname = estrdup(OPT_ARG( SUBJECT_NAME ));
    436 
    437 	if (HAVE_OPT( IDENT ))
    438 		groupname = estrdup(OPT_ARG( IDENT ));
    439 
    440 	if (HAVE_OPT( LIFETIME ))
    441 		lifetime = OPT_VALUE_LIFETIME;
    442 
    443 	if (HAVE_OPT( PVT_CERT ))
    444 		exten = EXT_KEY_PRIVATE;
    445 
    446 	if (HAVE_OPT( TRUSTED_CERT ))
    447 		exten = EXT_KEY_TRUST;
    448 
    449 	/*
    450 	 * Remove the group name from the hostname variable used
    451 	 * in host and sign certificate file names.
    452 	 */
    453 	if (hostname != hostbuf)
    454 		ptr = strchr(hostname, '@');
    455 	else
    456 		ptr = NULL;
    457 	if (ptr != NULL) {
    458 		*ptr = '\0';
    459 		groupname = estrdup(ptr + 1);
    460 		/* -s @group is equivalent to -i group, host unch. */
    461 		if (ptr == hostname)
    462 			hostname = hostbuf;
    463 	}
    464 
    465 	/*
    466 	 * Derive host certificate issuer/subject names from host name
    467 	 * and optional group.  If no groupname is provided, the issuer
    468 	 * and subject is the hostname with no '@group', and the
    469 	 * groupname variable is pointed to hostname for use in IFF, GQ,
    470 	 * and MV parameters file names.
    471 	 */
    472 	if (groupname == hostbuf) {
    473 		certname = hostname;
    474 	} else {
    475 		snprintf(certnamebuf, sizeof(certnamebuf), "%s@%s",
    476 			 hostname, groupname);
    477 		certname = certnamebuf;
    478 	}
    479 
    480 	/*
    481 	 * Seed random number generator and grow weeds.
    482 	 */
    483 #if OPENSSL_VERSION_NUMBER < 0x10100000L
    484 	ERR_load_crypto_strings();
    485 	OpenSSL_add_all_algorithms();
    486 #endif /* OPENSSL_VERSION_NUMBER */
    487 	if (!RAND_status()) {
    488 		if (RAND_file_name(pathbuf, sizeof(pathbuf)) == NULL) {
    489 			fprintf(stderr, "RAND_file_name %s\n",
    490 			    ERR_error_string(ERR_get_error(), NULL));
    491 			exit (-1);
    492 		}
    493 		temp = RAND_load_file(pathbuf, -1);
    494 		if (temp == 0) {
    495 			fprintf(stderr,
    496 			    "RAND_load_file %s not found or empty\n",
    497 			    pathbuf);
    498 			exit (-1);
    499 		}
    500 		fprintf(stderr,
    501 		    "Random seed file %s %u bytes\n", pathbuf, temp);
    502 		RAND_add(&epoch, sizeof(epoch), 4.0);
    503 	}
    504 #endif	/* AUTOKEY */
    505 
    506 	/*
    507 	 * Create new unencrypted MD5 keys file if requested. If this
    508 	 * option is selected, ignore all other options.
    509 	 */
    510 	if (md5key) {
    511 		gen_md5("md5");
    512 		exit (0);
    513 	}
    514 
    515 #ifdef AUTOKEY
    516 	/*
    517 	 * Load previous certificate if available.
    518 	 */
    519 	snprintf(filename, sizeof(filename), "ntpkey_cert_%s", hostname);
    520 	if ((fstr = fopen(filename, "r")) != NULL) {
    521 		cert = PEM_read_X509(fstr, NULL, NULL, NULL);
    522 		fclose(fstr);
    523 	}
    524 	if (cert != NULL) {
    525 
    526 		/*
    527 		 * Extract subject name.
    528 		 */
    529 		X509_NAME_oneline(X509_get_subject_name(cert), groupbuf,
    530 		    MAXFILENAME);
    531 
    532 		/*
    533 		 * Extract digest/signature scheme.
    534 		 */
    535 		if (scheme == NULL) {
    536 			nid = X509_get_signature_nid(cert);
    537 			scheme = OBJ_nid2sn(nid);
    538 		}
    539 
    540 		/*
    541 		 * If a key_usage extension field is present, determine
    542 		 * whether this is a trusted or private certificate.
    543 		 */
    544 		if (exten == NULL) {
    545 			ptr = strstr(groupbuf, "CN=");
    546 			cnt = X509_get_ext_count(cert);
    547 			for (i = 0; i < cnt; i++) {
    548 				X509_EXTENSION *ext;
    549 				ASN1_OBJECT *obj;
    550 
    551 				ext = X509_get_ext(cert, i);
    552 				obj = X509_EXTENSION_get_object(ext);
    553 
    554 				if (OBJ_obj2nid(obj) ==
    555 				    NID_ext_key_usage) {
    556 					bp = BIO_new(BIO_s_mem());
    557 					X509V3_EXT_print(bp, ext, 0, 0);
    558 					BIO_gets(bp, pathbuf,
    559 					    MAXFILENAME);
    560 					BIO_free(bp);
    561 					if (strcmp(pathbuf,
    562 					    "Trust Root") == 0)
    563 						exten = EXT_KEY_TRUST;
    564 					else if (strcmp(pathbuf,
    565 					    "Private") == 0)
    566 						exten = EXT_KEY_PRIVATE;
    567 					certname = estrdup(ptr + 3);
    568 				}
    569 			}
    570 		}
    571 	}
    572 	if (scheme == NULL)
    573 		scheme = "RSA-MD5";
    574 	if (ciphername == NULL)
    575 		ciphername = "des-ede3-cbc";
    576 	cipher = EVP_get_cipherbyname(ciphername);
    577 	if (cipher == NULL) {
    578 		fprintf(stderr, "Unknown cipher %s\n", ciphername);
    579 		exit(-1);
    580 	}
    581 	fprintf(stderr, "Using host %s group %s\n", hostname,
    582 	    groupname);
    583 
    584 	/*
    585 	 * Create a new encrypted RSA host key file if requested;
    586 	 * otherwise, look for an existing host key file. If not found,
    587 	 * create a new encrypted RSA host key file. If that fails, go
    588 	 * no further.
    589 	 */
    590 	if (hostkey)
    591 		pkey_host = genkey("RSA", "host");
    592 	if (pkey_host == NULL) {
    593 		snprintf(filename, sizeof(filename), "ntpkey_host_%s", hostname);
    594 		pkey_host = readkey(filename, passwd1, &fstamp, NULL);
    595 		if (pkey_host != NULL) {
    596 			followlink(filename, sizeof(filename));
    597 			fprintf(stderr, "Using host key %s\n",
    598 			    filename);
    599 		} else {
    600 			pkey_host = genkey("RSA", "host");
    601 		}
    602 	}
    603 	if (pkey_host == NULL) {
    604 		fprintf(stderr, "Generating host key fails\n");
    605 		exit(-1);
    606 	}
    607 
    608 	/*
    609 	 * Create new encrypted RSA or DSA sign keys file if requested;
    610 	 * otherwise, look for an existing sign key file. If not found,
    611 	 * use the host key instead.
    612 	 */
    613 	if (sign != NULL)
    614 		pkey_sign = genkey(sign, "sign");
    615 	if (pkey_sign == NULL) {
    616 		snprintf(filename, sizeof(filename), "ntpkey_sign_%s",
    617 			 hostname);
    618 		pkey_sign = readkey(filename, passwd1, &fstamp, NULL);
    619 		if (pkey_sign != NULL) {
    620 			followlink(filename, sizeof(filename));
    621 			fprintf(stderr, "Using sign key %s\n",
    622 			    filename);
    623 		} else {
    624 			pkey_sign = pkey_host;
    625 			fprintf(stderr, "Using host key as sign key\n");
    626 		}
    627 	}
    628 
    629 	/*
    630 	 * Create new encrypted GQ server keys file if requested;
    631 	 * otherwise, look for an exisiting file. If found, fetch the
    632 	 * public key for the certificate.
    633 	 */
    634 	if (gqkey)
    635 		pkey_gqkey = gen_gqkey("gqkey");
    636 	if (pkey_gqkey == NULL) {
    637 		snprintf(filename, sizeof(filename), "ntpkey_gqkey_%s",
    638 		    groupname);
    639 		pkey_gqkey = readkey(filename, passwd1, &fstamp, NULL);
    640 		if (pkey_gqkey != NULL) {
    641 			followlink(filename, sizeof(filename));
    642 			fprintf(stderr, "Using GQ parameters %s\n",
    643 			    filename);
    644 		}
    645 	}
    646 	if (pkey_gqkey != NULL) {
    647 		RSA		*rsa;
    648 		const BIGNUM	*q;
    649 
    650 		rsa = EVP_PKEY_get1_RSA(pkey_gqkey);
    651 		RSA_get0_factors(rsa, NULL, &q);
    652 		grpkey = BN_bn2hex(q);
    653 		RSA_free(rsa);
    654 	}
    655 
    656 	/*
    657 	 * Write the nonencrypted GQ client parameters to the stdout
    658 	 * stream. The parameter file is the server key file with the
    659 	 * private key obscured.
    660 	 */
    661 	if (pkey_gqkey != NULL && HAVE_OPT(ID_KEY)) {
    662 		RSA	*rsa;
    663 
    664 		snprintf(filename, sizeof(filename),
    665 		    "ntpkey_gqpar_%s.%u", groupname, fstamp);
    666 		fprintf(stderr, "Writing GQ parameters %s to stdout\n",
    667 		    filename);
    668 		fprintf(stdout, "# %s\n# %s\n", filename,
    669 		    ctime(&epoch));
    670 		rsa = EVP_PKEY_get1_RSA(pkey_gqkey);
    671 		RSA_set0_factors(rsa, BN_dup(BN_value_one()), BN_dup(BN_value_one()));
    672 		pkey = EVP_PKEY_new();
    673 		EVP_PKEY_assign_RSA(pkey, rsa);
    674 		PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
    675 		    NULL, NULL);
    676 		fflush(stdout);
    677 		if (debug) {
    678 			RSA_print_fp(stderr, rsa, 0);
    679 		}
    680 		EVP_PKEY_free(pkey);
    681 		pkey = NULL;
    682 		RSA_free(rsa);
    683 	}
    684 
    685 	/*
    686 	 * Write the encrypted GQ server keys to the stdout stream.
    687 	 */
    688 	if (pkey_gqkey != NULL && passwd2 != NULL) {
    689 		RSA	*rsa;
    690 
    691 		snprintf(filename, sizeof(filename),
    692 		    "ntpkey_gqkey_%s.%u", groupname, fstamp);
    693 		fprintf(stderr, "Writing GQ keys %s to stdout\n",
    694 		    filename);
    695 		fprintf(stdout, "# %s\n# %s\n", filename,
    696 		    ctime(&epoch));
    697 		rsa = EVP_PKEY_get1_RSA(pkey_gqkey);
    698 		pkey = EVP_PKEY_new();
    699 		EVP_PKEY_assign_RSA(pkey, rsa);
    700 		PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
    701 		    NULL, passwd2);
    702 		fflush(stdout);
    703 		if (debug) {
    704 			RSA_print_fp(stderr, rsa, 0);
    705 		}
    706 		EVP_PKEY_free(pkey);
    707 		pkey = NULL;
    708 		RSA_free(rsa);
    709 	}
    710 
    711 	/*
    712 	 * Create new encrypted IFF server keys file if requested;
    713 	 * otherwise, look for existing file.
    714 	 */
    715 	if (iffkey)
    716 		pkey_iffkey = gen_iffkey("iffkey");
    717 	if (pkey_iffkey == NULL) {
    718 		snprintf(filename, sizeof(filename), "ntpkey_iffkey_%s",
    719 		    groupname);
    720 		pkey_iffkey = readkey(filename, passwd1, &fstamp, NULL);
    721 		if (pkey_iffkey != NULL) {
    722 			followlink(filename, sizeof(filename));
    723 			fprintf(stderr, "Using IFF keys %s\n",
    724 			    filename);
    725 		}
    726 	}
    727 
    728 	/*
    729 	 * Write the nonencrypted IFF client parameters to the stdout
    730 	 * stream. The parameter file is the server key file with the
    731 	 * private key obscured.
    732 	 */
    733 	if (pkey_iffkey != NULL && HAVE_OPT(ID_KEY)) {
    734 		DSA	*dsa;
    735 
    736 		snprintf(filename, sizeof(filename),
    737 		    "ntpkey_iffpar_%s.%u", groupname, fstamp);
    738 		fprintf(stderr, "Writing IFF parameters %s to stdout\n",
    739 		    filename);
    740 		fprintf(stdout, "# %s\n# %s\n", filename,
    741 		    ctime(&epoch));
    742 		dsa = EVP_PKEY_get1_DSA(pkey_iffkey);
    743 		DSA_set0_key(dsa, NULL, BN_dup(BN_value_one()));
    744 		pkey = EVP_PKEY_new();
    745 		EVP_PKEY_assign_DSA(pkey, dsa);
    746 		PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
    747 		    NULL, NULL);
    748 		fflush(stdout);
    749 		if (debug) {
    750 			DSA_print_fp(stderr, dsa, 0);
    751 		}
    752 		EVP_PKEY_free(pkey);
    753 		pkey = NULL;
    754 		DSA_free(dsa);
    755 	}
    756 
    757 	/*
    758 	 * Write the encrypted IFF server keys to the stdout stream.
    759 	 */
    760 	if (pkey_iffkey != NULL && passwd2 != NULL) {
    761 		DSA	*dsa;
    762 
    763 		snprintf(filename, sizeof(filename),
    764 		    "ntpkey_iffkey_%s.%u", groupname, fstamp);
    765 		fprintf(stderr, "Writing IFF keys %s to stdout\n",
    766 		    filename);
    767 		fprintf(stdout, "# %s\n# %s\n", filename,
    768 		    ctime(&epoch));
    769 		dsa = EVP_PKEY_get1_DSA(pkey_iffkey);
    770 		pkey = EVP_PKEY_new();
    771 		EVP_PKEY_assign_DSA(pkey, dsa);
    772 		PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
    773 		    NULL, passwd2);
    774 		fflush(stdout);
    775 		if (debug) {
    776 			DSA_print_fp(stderr, dsa, 0);
    777 		}
    778 		EVP_PKEY_free(pkey);
    779 		pkey = NULL;
    780 		DSA_free(dsa);
    781 	}
    782 
    783 	/*
    784 	 * Create new encrypted MV trusted-authority keys file if
    785 	 * requested; otherwise, look for existing keys file.
    786 	 */
    787 	if (mvkey)
    788 		pkey_mvkey = gen_mvkey("mv", pkey_mvpar);
    789 	if (pkey_mvkey == NULL) {
    790 		snprintf(filename, sizeof(filename), "ntpkey_mvta_%s",
    791 		    groupname);
    792 		pkey_mvkey = readkey(filename, passwd1, &fstamp,
    793 		    pkey_mvpar);
    794 		if (pkey_mvkey != NULL) {
    795 			followlink(filename, sizeof(filename));
    796 			fprintf(stderr, "Using MV keys %s\n",
    797 			    filename);
    798 		}
    799 	}
    800 
    801 	/*
    802 	 * Write the nonencrypted MV client parameters to the stdout
    803 	 * stream. For the moment, we always use the client parameters
    804 	 * associated with client key 1.
    805 	 */
    806 	if (pkey_mvkey != NULL && HAVE_OPT(ID_KEY)) {
    807 		snprintf(filename, sizeof(filename),
    808 		    "ntpkey_mvpar_%s.%u", groupname, fstamp);
    809 		fprintf(stderr, "Writing MV parameters %s to stdout\n",
    810 		    filename);
    811 		fprintf(stdout, "# %s\n# %s\n", filename,
    812 		    ctime(&epoch));
    813 		pkey = pkey_mvpar[2];
    814 		PEM_write_PKCS8PrivateKey(stdout, pkey, NULL, NULL, 0,
    815 		    NULL, NULL);
    816 		fflush(stdout);
    817 		if (debug) {
    818 			DSA_print_fp(stderr, EVP_PKEY_get0_DSA(pkey), 0);
    819 		}
    820 	}
    821 
    822 	/*
    823 	 * Write the encrypted MV server keys to the stdout stream.
    824 	 */
    825 	if (pkey_mvkey != NULL && passwd2 != NULL) {
    826 		snprintf(filename, sizeof(filename),
    827 		    "ntpkey_mvkey_%s.%u", groupname, fstamp);
    828 		fprintf(stderr, "Writing MV keys %s to stdout\n",
    829 		    filename);
    830 		fprintf(stdout, "# %s\n# %s\n", filename,
    831 		    ctime(&epoch));
    832 		pkey = pkey_mvpar[1];
    833 		PEM_write_PKCS8PrivateKey(stdout, pkey, cipher, NULL, 0,
    834 		    NULL, passwd2);
    835 		fflush(stdout);
    836 		if (debug) {
    837 			DSA_print_fp(stderr, EVP_PKEY_get0_DSA(pkey), 0);
    838 		}
    839 	}
    840 
    841 	/*
    842 	 * Decode the digest/signature scheme and create the
    843 	 * certificate. Do this every time we run the program.
    844 	 */
    845 	ectx = EVP_get_digestbyname(scheme);
    846 	if (ectx == NULL) {
    847 		fprintf(stderr,
    848 		    "Invalid digest/signature combination %s\n",
    849 		    scheme);
    850 		exit (-1);
    851 	}
    852 	x509(pkey_sign, ectx, grpkey, exten, certname);
    853 #endif	/* AUTOKEY */
    854 	exit(0);
    855 }
    856 
    857 
    858 /*
    859  * Generate semi-random MD5 keys compatible with NTPv3 and NTPv4. Also,
    860  * if OpenSSL is around, generate random SHA1 keys compatible with
    861  * symmetric key cryptography.
    862  */
    863 int
    864 gen_md5(
    865 	const char *id		/* file name id */
    866 	)
    867 {
    868 	u_char	md5key[MD5SIZE + 1];	/* MD5 key */
    869 	FILE	*str;
    870 	int	i, j;
    871 #ifdef OPENSSL
    872 	u_char	keystr[MD5SIZE];
    873 	u_char	hexstr[2 * MD5SIZE + 1];
    874 	u_char	hex[] = "0123456789abcdef";
    875 #endif	/* OPENSSL */
    876 
    877 	str = fheader("MD5key", id, groupname);
    878 	for (i = 1; i <= MD5KEYS; i++) {
    879 		for (j = 0; j < MD5SIZE; j++) {
    880 			u_char temp;
    881 
    882 			while (1) {
    883 				int rc;
    884 
    885 				rc = ntp_crypto_random_buf(
    886 				    &temp, sizeof(temp));
    887 				if (-1 == rc) {
    888 					fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
    889 					exit (-1);
    890 				}
    891 				if (temp == '#')
    892 					continue;
    893 
    894 				if (temp > 0x20 && temp < 0x7f)
    895 					break;
    896 			}
    897 			md5key[j] = temp;
    898 		}
    899 		md5key[j] = '\0';
    900 		fprintf(str, "%2d MD5 %s  # MD5 key\n", i,
    901 		    md5key);
    902 	}
    903 #ifdef OPENSSL
    904 	for (i = 1; i <= MD5KEYS; i++) {
    905 		RAND_bytes(keystr, 20);
    906 		for (j = 0; j < MD5SIZE; j++) {
    907 			hexstr[2 * j] = hex[keystr[j] >> 4];
    908 			hexstr[2 * j + 1] = hex[keystr[j] & 0xf];
    909 		}
    910 		hexstr[2 * MD5SIZE] = '\0';
    911 		fprintf(str, "%2d SHA1 %s  # SHA1 key\n", i + MD5KEYS,
    912 		    hexstr);
    913 	}
    914 #endif	/* OPENSSL */
    915 	fclose(str);
    916 	return (1);
    917 }
    918 
    919 
    920 #ifdef AUTOKEY
    921 /*
    922  * readkey - load cryptographic parameters and keys
    923  *
    924  * This routine loads a PEM-encoded file of given name and password and
    925  * extracts the filestamp from the file name. It returns a pointer to
    926  * the first key if valid, NULL if not.
    927  */
    928 EVP_PKEY *			/* public/private key pair */
    929 readkey(
    930 	char	*cp,		/* file name */
    931 	char	*passwd,	/* password */
    932 	u_int	*estamp,	/* file stamp */
    933 	EVP_PKEY **evpars	/* parameter list pointer */
    934 	)
    935 {
    936 	FILE	*str;		/* file handle */
    937 	EVP_PKEY *pkey = NULL;	/* public/private key */
    938 	u_int	gstamp;		/* filestamp */
    939 	char	linkname[MAXFILENAME]; /* filestamp buffer) */
    940 	EVP_PKEY *parkey;
    941 	char	*ptr;
    942 	int	i;
    943 
    944 	/*
    945 	 * Open the key file.
    946 	 */
    947 	str = fopen(cp, "r");
    948 	if (str == NULL)
    949 		return (NULL);
    950 
    951 	/*
    952 	 * Read the filestamp, which is contained in the first line.
    953 	 */
    954 	if ((ptr = fgets(linkname, MAXFILENAME, str)) == NULL) {
    955 		fprintf(stderr, "Empty key file %s\n", cp);
    956 		fclose(str);
    957 		return (NULL);
    958 	}
    959 	if ((ptr = strrchr(ptr, '.')) == NULL) {
    960 		fprintf(stderr, "No filestamp found in %s\n", cp);
    961 		fclose(str);
    962 		return (NULL);
    963 	}
    964 	if (sscanf(++ptr, "%u", &gstamp) != 1) {
    965 		fprintf(stderr, "Invalid filestamp found in %s\n", cp);
    966 		fclose(str);
    967 		return (NULL);
    968 	}
    969 
    970 	/*
    971 	 * Read and decrypt PEM-encoded private keys. The first one
    972 	 * found is returned. If others are expected, add them to the
    973 	 * parameter list.
    974 	 */
    975 	for (i = 0; i <= MVMAX - 1;) {
    976 		parkey = PEM_read_PrivateKey(str, NULL, NULL, passwd);
    977 		if (evpars != NULL) {
    978 			evpars[i++] = parkey;
    979 			evpars[i] = NULL;
    980 		}
    981 		if (parkey == NULL)
    982 			break;
    983 
    984 		if (pkey == NULL)
    985 			pkey = parkey;
    986 		if (debug) {
    987 			if (EVP_PKEY_base_id(parkey) == EVP_PKEY_DSA)
    988 				DSA_print_fp(stderr, EVP_PKEY_get0_DSA(parkey),
    989 				    0);
    990 			else if (EVP_PKEY_base_id(parkey) == EVP_PKEY_RSA)
    991 				RSA_print_fp(stderr, EVP_PKEY_get0_RSA(parkey),
    992 				    0);
    993 		}
    994 	}
    995 	fclose(str);
    996 	if (pkey == NULL) {
    997 		fprintf(stderr, "Corrupt file %s or wrong key %s\n%s\n",
    998 		    cp, passwd, ERR_error_string(ERR_get_error(),
    999 		    NULL));
   1000 		exit (-1);
   1001 	}
   1002 	*estamp = gstamp;
   1003 	return (pkey);
   1004 }
   1005 
   1006 
   1007 /*
   1008  * Generate RSA public/private key pair
   1009  */
   1010 EVP_PKEY *			/* public/private key pair */
   1011 gen_rsa(
   1012 	const char *id		/* file name id */
   1013 	)
   1014 {
   1015 	EVP_PKEY *pkey;		/* private key */
   1016 	RSA	*rsa;		/* RSA parameters and key pair */
   1017 	FILE	*str;
   1018 
   1019 	fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus);
   1020 	rsa = genRsaKeyPair(modulus, _UC("RSA"));
   1021 	fprintf(stderr, "\n");
   1022 	if (rsa == NULL) {
   1023 		fprintf(stderr, "RSA generate keys fails\n%s\n",
   1024 		    ERR_error_string(ERR_get_error(), NULL));
   1025 		return (NULL);
   1026 	}
   1027 
   1028 	/*
   1029 	 * For signature encryption it is not necessary that the RSA
   1030 	 * parameters be strictly groomed and once in a while the
   1031 	 * modulus turns out to be non-prime. Just for grins, we check
   1032 	 * the primality.
   1033 	 */
   1034 	if (!RSA_check_key(rsa)) {
   1035 		fprintf(stderr, "Invalid RSA key\n%s\n",
   1036 		    ERR_error_string(ERR_get_error(), NULL));
   1037 		RSA_free(rsa);
   1038 		return (NULL);
   1039 	}
   1040 
   1041 	/*
   1042 	 * Write the RSA parameters and keys as a RSA private key
   1043 	 * encoded in PEM.
   1044 	 */
   1045 	if (strcmp(id, "sign") == 0)
   1046 		str = fheader("RSAsign", id, hostname);
   1047 	else
   1048 		str = fheader("RSAhost", id, hostname);
   1049 	pkey = EVP_PKEY_new();
   1050 	EVP_PKEY_assign_RSA(pkey, rsa);
   1051 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
   1052 	    passwd1);
   1053 	fclose(str);
   1054 	if (debug)
   1055 		RSA_print_fp(stderr, rsa, 0);
   1056 	return (pkey);
   1057 }
   1058 
   1059 
   1060 /*
   1061  * Generate DSA public/private key pair
   1062  */
   1063 EVP_PKEY *			/* public/private key pair */
   1064 gen_dsa(
   1065 	const char *id		/* file name id */
   1066 	)
   1067 {
   1068 	EVP_PKEY *pkey;		/* private key */
   1069 	DSA	*dsa;		/* DSA parameters */
   1070 	FILE	*str;
   1071 
   1072 	/*
   1073 	 * Generate DSA parameters.
   1074 	 */
   1075 	fprintf(stderr,
   1076 	    "Generating DSA parameters (%d bits)...\n", modulus);
   1077 	dsa = genDsaParams(modulus, _UC("DSA"));
   1078 	fprintf(stderr, "\n");
   1079 	if (dsa == NULL) {
   1080 		fprintf(stderr, "DSA generate parameters fails\n%s\n",
   1081 		    ERR_error_string(ERR_get_error(), NULL));
   1082 		return (NULL);
   1083 	}
   1084 
   1085 	/*
   1086 	 * Generate DSA keys.
   1087 	 */
   1088 	fprintf(stderr, "Generating DSA keys (%d bits)...\n", modulus);
   1089 	if (!DSA_generate_key(dsa)) {
   1090 		fprintf(stderr, "DSA generate keys fails\n%s\n",
   1091 		    ERR_error_string(ERR_get_error(), NULL));
   1092 		DSA_free(dsa);
   1093 		return (NULL);
   1094 	}
   1095 
   1096 	/*
   1097 	 * Write the DSA parameters and keys as a DSA private key
   1098 	 * encoded in PEM.
   1099 	 */
   1100 	str = fheader("DSAsign", id, hostname);
   1101 	pkey = EVP_PKEY_new();
   1102 	EVP_PKEY_assign_DSA(pkey, dsa);
   1103 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
   1104 	    passwd1);
   1105 	fclose(str);
   1106 	if (debug)
   1107 		DSA_print_fp(stderr, dsa, 0);
   1108 	return (pkey);
   1109 }
   1110 
   1111 
   1112 /*
   1113  ***********************************************************************
   1114  *								       *
   1115  * The following routines implement the Schnorr (IFF) identity scheme  *
   1116  *								       *
   1117  ***********************************************************************
   1118  *
   1119  * The Schnorr (IFF) identity scheme is intended for use when
   1120  * certificates are generated by some other trusted certificate
   1121  * authority and the certificate cannot be used to convey public
   1122  * parameters. There are two kinds of files: encrypted server files that
   1123  * contain private and public values and nonencrypted client files that
   1124  * contain only public values. New generations of server files must be
   1125  * securely transmitted to all servers of the group; client files can be
   1126  * distributed by any means. The scheme is self contained and
   1127  * independent of new generations of host keys, sign keys and
   1128  * certificates.
   1129  *
   1130  * The IFF values hide in a DSA cuckoo structure which uses the same
   1131  * parameters. The values are used by an identity scheme based on DSA
   1132  * cryptography and described in Stimson p. 285. The p is a 512-bit
   1133  * prime, g a generator of Zp* and q a 160-bit prime that divides p - 1
   1134  * and is a qth root of 1 mod p; that is, g^q = 1 mod p. The TA rolls a
   1135  * private random group key b (0 < b < q) and public key v = g^b, then
   1136  * sends (p, q, g, b) to the servers and (p, q, g, v) to the clients.
   1137  * Alice challenges Bob to confirm identity using the protocol described
   1138  * below.
   1139  *
   1140  * How it works
   1141  *
   1142  * The scheme goes like this. Both Alice and Bob have the public primes
   1143  * p, q and generator g. The TA gives private key b to Bob and public
   1144  * key v to Alice.
   1145  *
   1146  * Alice rolls new random challenge r (o < r < q) and sends to Bob in
   1147  * the IFF request message. Bob rolls new random k (0 < k < q), then
   1148  * computes y = k + b r mod q and x = g^k mod p and sends (y, hash(x))
   1149  * to Alice in the response message. Besides making the response
   1150  * shorter, the hash makes it effectivey impossible for an intruder to
   1151  * solve for b by observing a number of these messages.
   1152  *
   1153  * Alice receives the response and computes g^y v^r mod p. After a bit
   1154  * of algebra, this simplifies to g^k. If the hash of this result
   1155  * matches hash(x), Alice knows that Bob has the group key b. The signed
   1156  * response binds this knowledge to Bob's private key and the public key
   1157  * previously received in his certificate.
   1158  */
   1159 /*
   1160  * Generate Schnorr (IFF) keys.
   1161  */
   1162 EVP_PKEY *			/* DSA cuckoo nest */
   1163 gen_iffkey(
   1164 	const char *id		/* file name id */
   1165 	)
   1166 {
   1167 	EVP_PKEY *pkey;		/* private key */
   1168 	DSA	*dsa;		/* DSA parameters */
   1169 	BN_CTX	*ctx;		/* BN working space */
   1170 	BIGNUM	*b, *r, *k, *u, *v, *w; /* BN temp */
   1171 	FILE	*str;
   1172 	u_int	temp;
   1173 	const BIGNUM *p, *q, *g;
   1174 	BIGNUM *pub_key, *priv_key;
   1175 
   1176 	/*
   1177 	 * Generate DSA parameters for use as IFF parameters.
   1178 	 */
   1179 	fprintf(stderr, "Generating IFF keys (%d bits)...\n",
   1180 	    modulus2);
   1181 	dsa = genDsaParams(modulus2, _UC("IFF"));
   1182 	fprintf(stderr, "\n");
   1183 	if (dsa == NULL) {
   1184 		fprintf(stderr, "DSA generate parameters fails\n%s\n",
   1185 		    ERR_error_string(ERR_get_error(), NULL));
   1186 		return (NULL);
   1187 	}
   1188 	DSA_get0_pqg(dsa, &p, &q, &g);
   1189 
   1190 	/*
   1191 	 * Generate the private and public keys. The DSA parameters and
   1192 	 * private key are distributed to the servers, while all except
   1193 	 * the private key are distributed to the clients.
   1194 	 */
   1195 	b = BN_new(); r = BN_new(); k = BN_new();
   1196 	u = BN_new(); v = BN_new(); w = BN_new(); ctx = BN_CTX_new();
   1197 	BN_rand(b, BN_num_bits(q), -1, 0);	/* a */
   1198 	BN_mod(b, b, q, ctx);
   1199 	BN_sub(v, q, b);
   1200 	BN_mod_exp(v, g, v, p, ctx); /* g^(q - b) mod p */
   1201 	BN_mod_exp(u, g, b, p, ctx);	/* g^b mod p */
   1202 	BN_mod_mul(u, u, v, p, ctx);
   1203 	temp = BN_is_one(u);
   1204 	fprintf(stderr,
   1205 	    "Confirm g^(q - b) g^b = 1 mod p: %s\n", temp == 1 ?
   1206 	    "yes" : "no");
   1207 	if (!temp) {
   1208 		BN_free(b); BN_free(r); BN_free(k);
   1209 		BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
   1210 		return (NULL);
   1211 	}
   1212 	pub_key = BN_dup(v);
   1213 	priv_key = BN_dup(b);
   1214 	DSA_set0_key(dsa, pub_key, priv_key);
   1215 
   1216 	/*
   1217 	 * Here is a trial round of the protocol. First, Alice rolls
   1218 	 * random nonce r mod q and sends it to Bob. She needs only
   1219 	 * q from parameters.
   1220 	 */
   1221 	BN_rand(r, BN_num_bits(q), -1, 0);	/* r */
   1222 	BN_mod(r, r, q, ctx);
   1223 
   1224 	/*
   1225 	 * Bob rolls random nonce k mod q, computes y = k + b r mod q
   1226 	 * and x = g^k mod p, then sends (y, x) to Alice. He needs
   1227 	 * p, q and b from parameters and r from Alice.
   1228 	 */
   1229 	BN_rand(k, BN_num_bits(q), -1, 0);	/* k, 0 < k < q  */
   1230 	BN_mod(k, k, q, ctx);
   1231 	BN_mod_mul(v, priv_key, r, q, ctx); /* b r mod q */
   1232 	BN_add(v, v, k);
   1233 	BN_mod(v, v, q, ctx);		/* y = k + b r mod q */
   1234 	BN_mod_exp(u, g, k, p, ctx);	/* x = g^k mod p */
   1235 
   1236 	/*
   1237 	 * Alice verifies x = g^y v^r to confirm that Bob has group key
   1238 	 * b. She needs p, q, g from parameters, (y, x) from Bob and the
   1239 	 * original r. We omit the detail here thatt only the hash of y
   1240 	 * is sent.
   1241 	 */
   1242 	BN_mod_exp(v, g, v, p, ctx); /* g^y mod p */
   1243 	BN_mod_exp(w, pub_key, r, p, ctx); /* v^r */
   1244 	BN_mod_mul(v, w, v, p, ctx);	/* product mod p */
   1245 	temp = BN_cmp(u, v);
   1246 	fprintf(stderr,
   1247 	    "Confirm g^k = g^(k + b r) g^(q - b) r: %s\n", temp ==
   1248 	    0 ? "yes" : "no");
   1249 	BN_free(b); BN_free(r);	BN_free(k);
   1250 	BN_free(u); BN_free(v); BN_free(w); BN_CTX_free(ctx);
   1251 	if (temp != 0) {
   1252 		DSA_free(dsa);
   1253 		return (NULL);
   1254 	}
   1255 
   1256 	/*
   1257 	 * Write the IFF keys as an encrypted DSA private key encoded in
   1258 	 * PEM.
   1259 	 *
   1260 	 * p	modulus p
   1261 	 * q	modulus q
   1262 	 * g	generator g
   1263 	 * priv_key b
   1264 	 * public_key v
   1265 	 * kinv	not used
   1266 	 * r	not used
   1267 	 */
   1268 	str = fheader("IFFkey", id, groupname);
   1269 	pkey = EVP_PKEY_new();
   1270 	EVP_PKEY_assign_DSA(pkey, dsa);
   1271 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
   1272 	    passwd1);
   1273 	fclose(str);
   1274 	if (debug)
   1275 		DSA_print_fp(stderr, dsa, 0);
   1276 	return (pkey);
   1277 }
   1278 
   1279 
   1280 /*
   1281  ***********************************************************************
   1282  *								       *
   1283  * The following routines implement the Guillou-Quisquater (GQ)        *
   1284  * identity scheme                                                     *
   1285  *								       *
   1286  ***********************************************************************
   1287  *
   1288  * The Guillou-Quisquater (GQ) identity scheme is intended for use when
   1289  * the certificate can be used to convey public parameters. The scheme
   1290  * uses a X509v3 certificate extension field do convey the public key of
   1291  * a private key known only to servers. There are two kinds of files:
   1292  * encrypted server files that contain private and public values and
   1293  * nonencrypted client files that contain only public values. New
   1294  * generations of server files must be securely transmitted to all
   1295  * servers of the group; client files can be distributed by any means.
   1296  * The scheme is self contained and independent of new generations of
   1297  * host keys and sign keys. The scheme is self contained and independent
   1298  * of new generations of host keys and sign keys.
   1299  *
   1300  * The GQ parameters hide in a RSA cuckoo structure which uses the same
   1301  * parameters. The values are used by an identity scheme based on RSA
   1302  * cryptography and described in Stimson p. 300 (with errors). The 512-
   1303  * bit public modulus is n = p q, where p and q are secret large primes.
   1304  * The TA rolls private random group key b as RSA exponent. These values
   1305  * are known to all group members.
   1306  *
   1307  * When rolling new certificates, a server recomputes the private and
   1308  * public keys. The private key u is a random roll, while the public key
   1309  * is the inverse obscured by the group key v = (u^-1)^b. These values
   1310  * replace the private and public keys normally generated by the RSA
   1311  * scheme. Alice challenges Bob to confirm identity using the protocol
   1312  * described below.
   1313  *
   1314  * How it works
   1315  *
   1316  * The scheme goes like this. Both Alice and Bob have the same modulus n
   1317  * and some random b as the group key. These values are computed and
   1318  * distributed in advance via secret means, although only the group key
   1319  * b is truly secret. Each has a private random private key u and public
   1320  * key (u^-1)^b, although not necessarily the same ones. Bob and Alice
   1321  * can regenerate the key pair from time to time without affecting
   1322  * operations. The public key is conveyed on the certificate in an
   1323  * extension field; the private key is never revealed.
   1324  *
   1325  * Alice rolls new random challenge r and sends to Bob in the GQ
   1326  * request message. Bob rolls new random k, then computes y = k u^r mod
   1327  * n and x = k^b mod n and sends (y, hash(x)) to Alice in the response
   1328  * message. Besides making the response shorter, the hash makes it
   1329  * effectivey impossible for an intruder to solve for b by observing
   1330  * a number of these messages.
   1331  *
   1332  * Alice receives the response and computes y^b v^r mod n. After a bit
   1333  * of algebra, this simplifies to k^b. If the hash of this result
   1334  * matches hash(x), Alice knows that Bob has the group key b. The signed
   1335  * response binds this knowledge to Bob's private key and the public key
   1336  * previously received in his certificate.
   1337  */
   1338 /*
   1339  * Generate Guillou-Quisquater (GQ) parameters file.
   1340  */
   1341 EVP_PKEY *			/* RSA cuckoo nest */
   1342 gen_gqkey(
   1343 	const char *id		/* file name id */
   1344 	)
   1345 {
   1346 	EVP_PKEY *pkey;		/* private key */
   1347 	RSA	*rsa;		/* RSA parameters */
   1348 	BN_CTX	*ctx;		/* BN working space */
   1349 	BIGNUM	*u, *v, *g, *k, *r, *y; /* BN temps */
   1350 	FILE	*str;
   1351 	u_int	temp;
   1352 	BIGNUM	*b;
   1353 	const BIGNUM	*n;
   1354 
   1355 	/*
   1356 	 * Generate RSA parameters for use as GQ parameters.
   1357 	 */
   1358 	fprintf(stderr,
   1359 	    "Generating GQ parameters (%d bits)...\n",
   1360 	     modulus2);
   1361 	rsa = genRsaKeyPair(modulus2, _UC("GQ"));
   1362 	fprintf(stderr, "\n");
   1363 	if (rsa == NULL) {
   1364 		fprintf(stderr, "RSA generate keys fails\n%s\n",
   1365 		    ERR_error_string(ERR_get_error(), NULL));
   1366 		return (NULL);
   1367 	}
   1368 	RSA_get0_key(rsa, &n, NULL, NULL);
   1369 	u = BN_new(); v = BN_new(); g = BN_new();
   1370 	k = BN_new(); r = BN_new(); y = BN_new();
   1371 	b = BN_new();
   1372 
   1373 	/*
   1374 	 * Generate the group key b, which is saved in the e member of
   1375 	 * the RSA structure. The group key is transmitted to each group
   1376 	 * member encrypted by the member private key.
   1377 	 */
   1378 	ctx = BN_CTX_new();
   1379 	BN_rand(b, BN_num_bits(n), -1, 0); /* b */
   1380 	BN_mod(b, b, n, ctx);
   1381 
   1382 	/*
   1383 	 * When generating his certificate, Bob rolls random private key
   1384 	 * u, then computes inverse v = u^-1.
   1385 	 */
   1386 	BN_rand(u, BN_num_bits(n), -1, 0); /* u */
   1387 	BN_mod(u, u, n, ctx);
   1388 	BN_mod_inverse(v, u, n, ctx);	/* u^-1 mod n */
   1389 	BN_mod_mul(k, v, u, n, ctx);
   1390 
   1391 	/*
   1392 	 * Bob computes public key v = (u^-1)^b, which is saved in an
   1393 	 * extension field on his certificate. We check that u^b v =
   1394 	 * 1 mod n.
   1395 	 */
   1396 	BN_mod_exp(v, v, b, n, ctx);
   1397 	BN_mod_exp(g, u, b, n, ctx); /* u^b */
   1398 	BN_mod_mul(g, g, v, n, ctx); /* u^b (u^-1)^b */
   1399 	temp = BN_is_one(g);
   1400 	fprintf(stderr,
   1401 	    "Confirm u^b (u^-1)^b = 1 mod n: %s\n", temp ? "yes" :
   1402 	    "no");
   1403 	if (!temp) {
   1404 		BN_free(u); BN_free(v);
   1405 		BN_free(g); BN_free(k); BN_free(r); BN_free(y);
   1406 		BN_CTX_free(ctx);
   1407 		RSA_free(rsa);
   1408 		return (NULL);
   1409 	}
   1410 	/* setting 'u' and 'v' into a RSA object takes over ownership.
   1411 	 * Since we use these values again, we have to pass in dupes,
   1412 	 * or we'll corrupt the program!
   1413 	 */
   1414 	RSA_set0_factors(rsa, BN_dup(u), BN_dup(v));
   1415 
   1416 	/*
   1417 	 * Here is a trial run of the protocol. First, Alice rolls
   1418 	 * random nonce r mod n and sends it to Bob. She needs only n
   1419 	 * from parameters.
   1420 	 */
   1421 	BN_rand(r, BN_num_bits(n), -1, 0);	/* r */
   1422 	BN_mod(r, r, n, ctx);
   1423 
   1424 	/*
   1425 	 * Bob rolls random nonce k mod n, computes y = k u^r mod n and
   1426 	 * g = k^b mod n, then sends (y, g) to Alice. He needs n, u, b
   1427 	 * from parameters and r from Alice.
   1428 	 */
   1429 	BN_rand(k, BN_num_bits(n), -1, 0);	/* k */
   1430 	BN_mod(k, k, n, ctx);
   1431 	BN_mod_exp(y, u, r, n, ctx);	/* u^r mod n */
   1432 	BN_mod_mul(y, k, y, n, ctx);	/* y = k u^r mod n */
   1433 	BN_mod_exp(g, k, b, n, ctx);	/* g = k^b mod n */
   1434 
   1435 	/*
   1436 	 * Alice verifies g = v^r y^b mod n to confirm that Bob has
   1437 	 * private key u. She needs n, g from parameters, public key v =
   1438 	 * (u^-1)^b from the certificate, (y, g) from Bob and the
   1439 	 * original r. We omit the detaul here that only the hash of g
   1440 	 * is sent.
   1441 	 */
   1442 	BN_mod_exp(v, v, r, n, ctx);	/* v^r mod n */
   1443 	BN_mod_exp(y, y, b, n, ctx);	/* y^b mod n */
   1444 	BN_mod_mul(y, v, y, n, ctx);	/* v^r y^b mod n */
   1445 	temp = BN_cmp(y, g);
   1446 	fprintf(stderr, "Confirm g^k = v^r y^b mod n: %s\n", temp == 0 ?
   1447 	    "yes" : "no");
   1448 	BN_CTX_free(ctx); BN_free(u); BN_free(v);
   1449 	BN_free(g); BN_free(k); BN_free(r); BN_free(y);
   1450 	if (temp != 0) {
   1451 		RSA_free(rsa);
   1452 		return (NULL);
   1453 	}
   1454 
   1455 	/*
   1456 	 * Write the GQ parameter file as an encrypted RSA private key
   1457 	 * encoded in PEM.
   1458 	 *
   1459 	 * n	modulus n
   1460 	 * e	group key b
   1461 	 * d	not used
   1462 	 * p	private key u
   1463 	 * q	public key (u^-1)^b
   1464 	 * dmp1	not used
   1465 	 * dmq1	not used
   1466 	 * iqmp	not used
   1467 	 */
   1468 	RSA_set0_key(rsa, NULL, b, BN_dup(BN_value_one()));
   1469 	RSA_set0_crt_params(rsa, BN_dup(BN_value_one()), BN_dup(BN_value_one()),
   1470 		BN_dup(BN_value_one()));
   1471 	str = fheader("GQkey", id, groupname);
   1472 	pkey = EVP_PKEY_new();
   1473 	EVP_PKEY_assign_RSA(pkey, rsa);
   1474 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
   1475 	    passwd1);
   1476 	fclose(str);
   1477 	if (debug)
   1478 		RSA_print_fp(stderr, rsa, 0);
   1479 	return (pkey);
   1480 }
   1481 
   1482 
   1483 /*
   1484  ***********************************************************************
   1485  *								       *
   1486  * The following routines implement the Mu-Varadharajan (MV) identity  *
   1487  * scheme                                                              *
   1488  *								       *
   1489  ***********************************************************************
   1490  *
   1491  * The Mu-Varadharajan (MV) cryptosystem was originally intended when
   1492  * servers broadcast messages to clients, but clients never send
   1493  * messages to servers. There is one encryption key for the server and a
   1494  * separate decryption key for each client. It operated something like a
   1495  * pay-per-view satellite broadcasting system where the session key is
   1496  * encrypted by the broadcaster and the decryption keys are held in a
   1497  * tamperproof set-top box.
   1498  *
   1499  * The MV parameters and private encryption key hide in a DSA cuckoo
   1500  * structure which uses the same parameters, but generated in a
   1501  * different way. The values are used in an encryption scheme similar to
   1502  * El Gamal cryptography and a polynomial formed from the expansion of
   1503  * product terms (x - x[j]), as described in Mu, Y., and V.
   1504  * Varadharajan: Robust and Secure Broadcasting, Proc. Indocrypt 2001,
   1505  * 223-231. The paper has significant errors and serious omissions.
   1506  *
   1507  * Let q be the product of n distinct primes s1[j] (j = 1...n), where
   1508  * each s1[j] has m significant bits. Let p be a prime p = 2 * q + 1, so
   1509  * that q and each s1[j] divide p - 1 and p has M = n * m + 1
   1510  * significant bits. Let g be a generator of Zp; that is, gcd(g, p - 1)
   1511  * = 1 and g^q = 1 mod p. We do modular arithmetic over Zq and then
   1512  * project into Zp* as exponents of g. Sometimes we have to compute an
   1513  * inverse b^-1 of random b in Zq, but for that purpose we require
   1514  * gcd(b, q) = 1. We expect M to be in the 500-bit range and n
   1515  * relatively small, like 30. These are the parameters of the scheme and
   1516  * they are expensive to compute.
   1517  *
   1518  * We set up an instance of the scheme as follows. A set of random
   1519  * values x[j] mod q (j = 1...n), are generated as the zeros of a
   1520  * polynomial of order n. The product terms (x - x[j]) are expanded to
   1521  * form coefficients a[i] mod q (i = 0...n) in powers of x. These are
   1522  * used as exponents of the generator g mod p to generate the private
   1523  * encryption key A. The pair (gbar, ghat) of public server keys and the
   1524  * pairs (xbar[j], xhat[j]) (j = 1...n) of private client keys are used
   1525  * to construct the decryption keys. The devil is in the details.
   1526  *
   1527  * This routine generates a private server encryption file including the
   1528  * private encryption key E and partial decryption keys gbar and ghat.
   1529  * It then generates public client decryption files including the public
   1530  * keys xbar[j] and xhat[j] for each client j. The partial decryption
   1531  * files are used to compute the inverse of E. These values are suitably
   1532  * blinded so secrets are not revealed.
   1533  *
   1534  * The distinguishing characteristic of this scheme is the capability to
   1535  * revoke keys. Included in the calculation of E, gbar and ghat is the
   1536  * product s = prod(s1[j]) (j = 1...n) above. If the factor s1[j] is
   1537  * subsequently removed from the product and E, gbar and ghat
   1538  * recomputed, the jth client will no longer be able to compute E^-1 and
   1539  * thus unable to decrypt the messageblock.
   1540  *
   1541  * How it works
   1542  *
   1543  * The scheme goes like this. Bob has the server values (p, E, q,
   1544  * gbar, ghat) and Alice has the client values (p, xbar, xhat).
   1545  *
   1546  * Alice rolls new random nonce r mod p and sends to Bob in the MV
   1547  * request message. Bob rolls random nonce k mod q, encrypts y = r E^k
   1548  * mod p and sends (y, gbar^k, ghat^k) to Alice.
   1549  *
   1550  * Alice receives the response and computes the inverse (E^k)^-1 from
   1551  * the partial decryption keys gbar^k, ghat^k, xbar and xhat. She then
   1552  * decrypts y and verifies it matches the original r. The signed
   1553  * response binds this knowledge to Bob's private key and the public key
   1554  * previously received in his certificate.
   1555  */
   1556 EVP_PKEY *			/* DSA cuckoo nest */
   1557 gen_mvkey(
   1558 	const char *id,		/* file name id */
   1559 	EVP_PKEY **evpars	/* parameter list pointer */
   1560 	)
   1561 {
   1562 	EVP_PKEY *pkey, *pkey1;	/* private keys */
   1563 	DSA	*dsa, *dsa2, *sdsa; /* DSA parameters */
   1564 	BN_CTX	*ctx;		/* BN working space */
   1565 	BIGNUM	*a[MVMAX];	/* polynomial coefficient vector */
   1566 	BIGNUM	*gs[MVMAX];	/* public key vector */
   1567 	BIGNUM	*s1[MVMAX];	/* private enabling keys */
   1568 	BIGNUM	*x[MVMAX];	/* polynomial zeros vector */
   1569 	BIGNUM	*xbar[MVMAX], *xhat[MVMAX]; /* private keys vector */
   1570 	BIGNUM	*b;		/* group key */
   1571 	BIGNUM	*b1;		/* inverse group key */
   1572 	BIGNUM	*s;		/* enabling key */
   1573 	BIGNUM	*biga;		/* master encryption key */
   1574 	BIGNUM	*bige;		/* session encryption key */
   1575 	BIGNUM	*gbar, *ghat;	/* public key */
   1576 	BIGNUM	*u, *v, *w;	/* BN scratch */
   1577 	BIGNUM	*p, *q, *g, *priv_key, *pub_key;
   1578 	int	i, j, n;
   1579 	FILE	*str;
   1580 	u_int	temp;
   1581 
   1582 	/*
   1583 	 * Generate MV parameters.
   1584 	 *
   1585 	 * The object is to generate a multiplicative group Zp* modulo a
   1586 	 * prime p and a subset Zq mod q, where q is the product of n
   1587 	 * distinct primes s1[j] (j = 1...n) and q divides p - 1. We
   1588 	 * first generate n m-bit primes, where the product n m is in
   1589 	 * the order of 512 bits. One or more of these may have to be
   1590 	 * replaced later. As a practical matter, it is tough to find
   1591 	 * more than 31 distinct primes for 512 bits or 61 primes for
   1592 	 * 1024 bits. The latter can take several hundred iterations
   1593 	 * and several minutes on a Sun Blade 1000.
   1594 	 */
   1595 	n = nkeys;
   1596 	fprintf(stderr,
   1597 	    "Generating MV parameters for %d keys (%d bits)...\n", n,
   1598 	    modulus2 / n);
   1599 	ctx = BN_CTX_new(); u = BN_new(); v = BN_new(); w = BN_new();
   1600 	b = BN_new(); b1 = BN_new();
   1601 	dsa = DSA_new();
   1602 	p = BN_new(); q = BN_new(); g = BN_new();
   1603 	priv_key = BN_new(); pub_key = BN_new();
   1604 	temp = 0;
   1605 	for (j = 1; j <= n; j++) {
   1606 		s1[j] = BN_new();
   1607 		while (1) {
   1608 			BN_generate_prime_ex(s1[j], modulus2 / n, 0,
   1609 					     NULL, NULL, NULL);
   1610 			for (i = 1; i < j; i++) {
   1611 				if (BN_cmp(s1[i], s1[j]) == 0)
   1612 					break;
   1613 			}
   1614 			if (i == j)
   1615 				break;
   1616 			temp++;
   1617 		}
   1618 	}
   1619 	fprintf(stderr, "Birthday keys regenerated %d\n", temp);
   1620 
   1621 	/*
   1622 	 * Compute the modulus q as the product of the primes. Compute
   1623 	 * the modulus p as 2 * q + 1 and test p for primality. If p
   1624 	 * is composite, replace one of the primes with a new distinct
   1625 	 * one and try again. Note that q will hardly be a secret since
   1626 	 * we have to reveal p to servers, but not clients. However,
   1627 	 * factoring q to find the primes should be adequately hard, as
   1628 	 * this is the same problem considered hard in RSA. Question: is
   1629 	 * it as hard to find n small prime factors totalling n bits as
   1630 	 * it is to find two large prime factors totalling n bits?
   1631 	 * Remember, the bad guy doesn't know n.
   1632 	 */
   1633 	temp = 0;
   1634 	while (1) {
   1635 		BN_one(q);
   1636 		for (j = 1; j <= n; j++)
   1637 			BN_mul(q, q, s1[j], ctx);
   1638 		BN_copy(p, q);
   1639 		BN_add(p, p, p);
   1640 		BN_add_word(p, 1);
   1641 		if (BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
   1642 			break;
   1643 
   1644 		temp++;
   1645 		j = temp % n + 1;
   1646 		while (1) {
   1647 			BN_generate_prime_ex(u, modulus2 / n, 0,
   1648 					     NULL, NULL, NULL);
   1649 			for (i = 1; i <= n; i++) {
   1650 				if (BN_cmp(u, s1[i]) == 0)
   1651 					break;
   1652 			}
   1653 			if (i > n)
   1654 				break;
   1655 		}
   1656 		BN_copy(s1[j], u);
   1657 	}
   1658 	fprintf(stderr, "Defective keys regenerated %d\n", temp);
   1659 
   1660 	/*
   1661 	 * Compute the generator g using a random roll such that
   1662 	 * gcd(g, p - 1) = 1 and g^q = 1. This is a generator of p, not
   1663 	 * q. This may take several iterations.
   1664 	 */
   1665 	BN_copy(v, p);
   1666 	BN_sub_word(v, 1);
   1667 	while (1) {
   1668 		BN_rand(g, BN_num_bits(p) - 1, 0, 0);
   1669 		BN_mod(g, g, p, ctx);
   1670 		BN_gcd(u, g, v, ctx);
   1671 		if (!BN_is_one(u))
   1672 			continue;
   1673 
   1674 		BN_mod_exp(u, g, q, p, ctx);
   1675 		if (BN_is_one(u))
   1676 			break;
   1677 	}
   1678 
   1679 	DSA_set0_pqg(dsa, p, q, g);
   1680 
   1681 	/*
   1682 	 * Setup is now complete. Roll random polynomial roots x[j]
   1683 	 * (j = 1...n) for all j. While it may not be strictly
   1684 	 * necessary, Make sure each root has no factors in common with
   1685 	 * q.
   1686 	 */
   1687 	fprintf(stderr,
   1688 	    "Generating polynomial coefficients for %d roots (%d bits)\n",
   1689 	    n, BN_num_bits(q));
   1690 	for (j = 1; j <= n; j++) {
   1691 		x[j] = BN_new();
   1692 
   1693 		while (1) {
   1694 			BN_rand(x[j], BN_num_bits(q), 0, 0);
   1695 			BN_mod(x[j], x[j], q, ctx);
   1696 			BN_gcd(u, x[j], q, ctx);
   1697 			if (BN_is_one(u))
   1698 				break;
   1699 		}
   1700 	}
   1701 
   1702 	/*
   1703 	 * Generate polynomial coefficients a[i] (i = 0...n) from the
   1704 	 * expansion of root products (x - x[j]) mod q for all j. The
   1705 	 * method is a present from Charlie Boncelet.
   1706 	 */
   1707 	for (i = 0; i <= n; i++) {
   1708 		a[i] = BN_new();
   1709 		BN_one(a[i]);
   1710 	}
   1711 	for (j = 1; j <= n; j++) {
   1712 		BN_zero(w);
   1713 		for (i = 0; i < j; i++) {
   1714 			BN_copy(u, q);
   1715 			BN_mod_mul(v, a[i], x[j], q, ctx);
   1716 			BN_sub(u, u, v);
   1717 			BN_add(u, u, w);
   1718 			BN_copy(w, a[i]);
   1719 			BN_mod(a[i], u, q, ctx);
   1720 		}
   1721 	}
   1722 
   1723 	/*
   1724 	 * Generate gs[i] = g^a[i] mod p for all i and the generator g.
   1725 	 */
   1726 	for (i = 0; i <= n; i++) {
   1727 		gs[i] = BN_new();
   1728 		BN_mod_exp(gs[i], g, a[i], p, ctx);
   1729 	}
   1730 
   1731 	/*
   1732 	 * Verify prod(gs[i]^(a[i] x[j]^i)) = 1 for all i, j. Note the
   1733 	 * a[i] x[j]^i exponent is computed mod q, but the gs[i] is
   1734 	 * computed mod p. also note the expression given in the paper
   1735 	 * is incorrect.
   1736 	 */
   1737 	temp = 1;
   1738 	for (j = 1; j <= n; j++) {
   1739 		BN_one(u);
   1740 		for (i = 0; i <= n; i++) {
   1741 			BN_set_word(v, i);
   1742 			BN_mod_exp(v, x[j], v, q, ctx);
   1743 			BN_mod_mul(v, v, a[i], q, ctx);
   1744 			BN_mod_exp(v, g, v, p, ctx);
   1745 			BN_mod_mul(u, u, v, p, ctx);
   1746 		}
   1747 		if (!BN_is_one(u))
   1748 			temp = 0;
   1749 	}
   1750 	fprintf(stderr,
   1751 	    "Confirm prod(gs[i]^(x[j]^i)) = 1 for all i, j: %s\n", temp ?
   1752 	    "yes" : "no");
   1753 	if (!temp) {
   1754 		return (NULL);
   1755 	}
   1756 
   1757 	/*
   1758 	 * Make private encryption key A. Keep it around for awhile,
   1759 	 * since it is expensive to compute.
   1760 	 */
   1761 	biga = BN_new();
   1762 
   1763 	BN_one(biga);
   1764 	for (j = 1; j <= n; j++) {
   1765 		for (i = 0; i < n; i++) {
   1766 			BN_set_word(v, i);
   1767 			BN_mod_exp(v, x[j], v, q, ctx);
   1768 			BN_mod_exp(v, gs[i], v, p, ctx);
   1769 			BN_mod_mul(biga, biga, v, p, ctx);
   1770 		}
   1771 	}
   1772 
   1773 	/*
   1774 	 * Roll private random group key b mod q (0 < b < q), where
   1775 	 * gcd(b, q) = 1 to guarantee b^-1 exists, then compute b^-1
   1776 	 * mod q. If b is changed, the client keys must be recomputed.
   1777 	 */
   1778 	while (1) {
   1779 		BN_rand(b, BN_num_bits(q), 0, 0);
   1780 		BN_mod(b, b, q, ctx);
   1781 		BN_gcd(u, b, q, ctx);
   1782 		if (BN_is_one(u))
   1783 			break;
   1784 	}
   1785 	BN_mod_inverse(b1, b, q, ctx);
   1786 
   1787 	/*
   1788 	 * Make private client keys (xbar[j], xhat[j]) for all j. Note
   1789 	 * that the keys for the jth client do not s1[j] or the product
   1790 	 * s1[j]) (j = 1...n) which is q by construction.
   1791 	 *
   1792 	 * Compute the factor w such that w s1[j] = s1[j] for all j. The
   1793 	 * easy way to do this is to compute (q + s1[j]) / s1[j].
   1794 	 * Exercise for the student: prove the remainder is always zero.
   1795 	 */
   1796 	for (j = 1; j <= n; j++) {
   1797 		xbar[j] = BN_new(); xhat[j] = BN_new();
   1798 
   1799 		BN_add(w, q, s1[j]);
   1800 		BN_div(w, u, w, s1[j], ctx);
   1801 		BN_zero(xbar[j]);
   1802 		BN_set_word(v, n);
   1803 		for (i = 1; i <= n; i++) {
   1804 			if (i == j)
   1805 				continue;
   1806 
   1807 			BN_mod_exp(u, x[i], v, q, ctx);
   1808 			BN_add(xbar[j], xbar[j], u);
   1809 		}
   1810 		BN_mod_mul(xbar[j], xbar[j], b1, q, ctx);
   1811 		BN_mod_exp(xhat[j], x[j], v, q, ctx);
   1812 		BN_mod_mul(xhat[j], xhat[j], w, q, ctx);
   1813 	}
   1814 
   1815 	/*
   1816 	 * We revoke client j by dividing q by s1[j]. The quotient
   1817 	 * becomes the enabling key s. Note we always have to revoke
   1818 	 * one key; otherwise, the plaintext and cryptotext would be
   1819 	 * identical. For the present there are no provisions to revoke
   1820 	 * additional keys, so we sail on with only token revocations.
   1821 	 */
   1822 	s = BN_new();
   1823 	BN_copy(s, q);
   1824 	BN_div(s, u, s, s1[n], ctx);
   1825 
   1826 	/*
   1827 	 * For each combination of clients to be revoked, make private
   1828 	 * encryption key E = A^s and partial decryption keys gbar = g^s
   1829 	 * and ghat = g^(s b), all mod p. The servers use these keys to
   1830 	 * compute the session encryption key and partial decryption
   1831 	 * keys. These values must be regenerated if the enabling key is
   1832 	 * changed.
   1833 	 */
   1834 	bige = BN_new(); gbar = BN_new(); ghat = BN_new();
   1835 	BN_mod_exp(bige, biga, s, p, ctx);
   1836 	BN_mod_exp(gbar, g, s, p, ctx);
   1837 	BN_mod_mul(v, s, b, q, ctx);
   1838 	BN_mod_exp(ghat, g, v, p, ctx);
   1839 
   1840 	/*
   1841 	 * Notes: We produce the key media in three steps. The first
   1842 	 * step is to generate the system parameters p, q, g, b, A and
   1843 	 * the enabling keys s1[j]. Associated with each s1[j] are
   1844 	 * parameters xbar[j] and xhat[j]. All of these parameters are
   1845 	 * retained in a data structure protecteted by the trusted-agent
   1846 	 * password. The p, xbar[j] and xhat[j] paremeters are
   1847 	 * distributed to the j clients. When the client keys are to be
   1848 	 * activated, the enabled keys are multipied together to form
   1849 	 * the master enabling key s. This and the other parameters are
   1850 	 * used to compute the server encryption key E and the partial
   1851 	 * decryption keys gbar and ghat.
   1852 	 *
   1853 	 * In the identity exchange the client rolls random r and sends
   1854 	 * it to the server. The server rolls random k, which is used
   1855 	 * only once, then computes the session key E^k and partial
   1856 	 * decryption keys gbar^k and ghat^k. The server sends the
   1857 	 * encrypted r along with gbar^k and ghat^k to the client. The
   1858 	 * client completes the decryption and verifies it matches r.
   1859 	 */
   1860 	/*
   1861 	 * Write the MV trusted-agent parameters and keys as a DSA
   1862 	 * private key encoded in PEM.
   1863 	 *
   1864 	 * p	modulus p
   1865 	 * q	modulus q
   1866 	 * g	generator g
   1867 	 * priv_key A mod p
   1868 	 * pub_key b mod q
   1869 	 * (remaining values are not used)
   1870 	 */
   1871 	i = 0;
   1872 	str = fheader("MVta", "mvta", groupname);
   1873 	fprintf(stderr, "Generating MV trusted-authority keys\n");
   1874 	BN_copy(priv_key, biga);
   1875 	BN_copy(pub_key, b);
   1876 	DSA_set0_key(dsa, pub_key, priv_key);
   1877 	pkey = EVP_PKEY_new();
   1878 	EVP_PKEY_assign_DSA(pkey, dsa);
   1879 	PEM_write_PKCS8PrivateKey(str, pkey, cipher, NULL, 0, NULL,
   1880 	    passwd1);
   1881 	evpars[i++] = pkey;
   1882 	if (debug)
   1883 		DSA_print_fp(stderr, dsa, 0);
   1884 
   1885 	/*
   1886 	 * Append the MV server parameters and keys as a DSA key encoded
   1887 	 * in PEM.
   1888 	 *
   1889 	 * p	modulus p
   1890 	 * q	modulus q (used only when generating k)
   1891 	 * g	bige
   1892 	 * priv_key gbar
   1893 	 * pub_key ghat
   1894 	 * (remaining values are not used)
   1895 	 */
   1896 	fprintf(stderr, "Generating MV server keys\n");
   1897 	dsa2 = DSA_new();
   1898 	DSA_set0_pqg(dsa2, BN_dup(p), BN_dup(q), BN_dup(bige));
   1899 	DSA_set0_key(dsa2, BN_dup(ghat), BN_dup(gbar));
   1900 	pkey1 = EVP_PKEY_new();
   1901 	EVP_PKEY_assign_DSA(pkey1, dsa2);
   1902 	PEM_write_PKCS8PrivateKey(str, pkey1, cipher, NULL, 0, NULL,
   1903 	    passwd1);
   1904 	evpars[i++] = pkey1;
   1905 	if (debug)
   1906 		DSA_print_fp(stderr, dsa2, 0);
   1907 
   1908 	/*
   1909 	 * Append the MV client parameters for each client j as DSA keys
   1910 	 * encoded in PEM.
   1911 	 *
   1912 	 * p	modulus p
   1913 	 * priv_key xbar[j] mod q
   1914 	 * pub_key xhat[j] mod q
   1915 	 * (remaining values are not used)
   1916 	 */
   1917 	fprintf(stderr, "Generating %d MV client keys\n", n);
   1918 	for (j = 1; j <= n; j++) {
   1919 		sdsa = DSA_new();
   1920 		DSA_set0_pqg(sdsa, BN_dup(p), BN_dup(BN_value_one()),
   1921 			BN_dup(BN_value_one()));
   1922 		DSA_set0_key(sdsa, BN_dup(xhat[j]), BN_dup(xbar[j]));
   1923 		pkey1 = EVP_PKEY_new();
   1924 		EVP_PKEY_set1_DSA(pkey1, sdsa);
   1925 		PEM_write_PKCS8PrivateKey(str, pkey1, cipher, NULL, 0,
   1926 		    NULL, passwd1);
   1927 		evpars[i++] = pkey1;
   1928 		if (debug)
   1929 			DSA_print_fp(stderr, sdsa, 0);
   1930 
   1931 		/*
   1932 		 * The product (gbar^k)^xbar[j] (ghat^k)^xhat[j] and E
   1933 		 * are inverses of each other. We check that the product
   1934 		 * is one for each client except the ones that have been
   1935 		 * revoked.
   1936 		 */
   1937 		BN_mod_exp(v, gbar, xhat[j], p, ctx);
   1938 		BN_mod_exp(u, ghat, xbar[j], p, ctx);
   1939 		BN_mod_mul(u, u, v, p, ctx);
   1940 		BN_mod_mul(u, u, bige, p, ctx);
   1941 		if (!BN_is_one(u)) {
   1942 			fprintf(stderr, "Revoke key %d\n", j);
   1943 			continue;
   1944 		}
   1945 	}
   1946 	evpars[i++] = NULL;
   1947 	fclose(str);
   1948 
   1949 	/*
   1950 	 * Free the countries.
   1951 	 */
   1952 	for (i = 0; i <= n; i++) {
   1953 		BN_free(a[i]); BN_free(gs[i]);
   1954 	}
   1955 	for (j = 1; j <= n; j++) {
   1956 		BN_free(x[j]); BN_free(xbar[j]); BN_free(xhat[j]);
   1957 		BN_free(s1[j]);
   1958 	}
   1959 	return (pkey);
   1960 }
   1961 
   1962 
   1963 /*
   1964  * Generate X509v3 certificate.
   1965  *
   1966  * The certificate consists of the version number, serial number,
   1967  * validity interval, issuer name, subject name and public key. For a
   1968  * self-signed certificate, the issuer name is the same as the subject
   1969  * name and these items are signed using the subject private key. The
   1970  * validity interval extends from the current time to the same time one
   1971  * year hence. For NTP purposes, it is convenient to use the NTP seconds
   1972  * of the current time as the serial number.
   1973  */
   1974 int
   1975 x509	(
   1976 	EVP_PKEY *pkey,		/* signing key */
   1977 	const EVP_MD *md,	/* signature/digest scheme */
   1978 	char	*gqpub,		/* identity extension (hex string) */
   1979 	const char *exten,	/* private cert extension */
   1980 	char	*name		/* subject/issuer name */
   1981 	)
   1982 {
   1983 	X509	*cert;		/* X509 certificate */
   1984 	X509_NAME *subj;	/* distinguished (common) name */
   1985 	X509_EXTENSION *ex;	/* X509v3 extension */
   1986 	FILE	*str;		/* file handle */
   1987 	ASN1_INTEGER *serial;	/* serial number */
   1988 	const char *id;		/* digest/signature scheme name */
   1989 	char	pathbuf[MAXFILENAME + 1];
   1990 
   1991 	/*
   1992 	 * Generate X509 self-signed certificate.
   1993 	 *
   1994 	 * Set the certificate serial to the NTP seconds for grins. Set
   1995 	 * the version to 3. Set the initial validity to the current
   1996 	 * time and the finalvalidity one year hence.
   1997 	 */
   1998  	id = OBJ_nid2sn(EVP_MD_pkey_type(md));
   1999 	fprintf(stderr, "Generating new certificate %s %s\n", name, id);
   2000 	cert = X509_new();
   2001 	X509_set_version(cert, 2L);
   2002 	serial = ASN1_INTEGER_new();
   2003 	ASN1_INTEGER_set(serial, (long)epoch + JAN_1970);
   2004 	X509_set_serialNumber(cert, serial);
   2005 	ASN1_INTEGER_free(serial);
   2006 	X509_time_adj(X509_getm_notBefore(cert), 0L, &epoch);
   2007 	X509_time_adj(X509_getm_notAfter(cert), lifetime * SECSPERDAY, &epoch);
   2008 	subj = X509_get_subject_name(cert);
   2009 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
   2010 	    (u_char *)name, -1, -1, 0);
   2011 	subj = X509_get_issuer_name(cert);
   2012 	X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
   2013 	    (u_char *)name, -1, -1, 0);
   2014 	if (!X509_set_pubkey(cert, pkey)) {
   2015 		fprintf(stderr, "Assign certificate signing key fails\n%s\n",
   2016 		    ERR_error_string(ERR_get_error(), NULL));
   2017 		X509_free(cert);
   2018 		return (0);
   2019 	}
   2020 
   2021 	/*
   2022 	 * Add X509v3 extensions if present. These represent the minimum
   2023 	 * set defined in RFC3280 less the certificate_policy extension,
   2024 	 * which is seriously obfuscated in OpenSSL.
   2025 	 */
   2026 	/*
   2027 	 * The basic_constraints extension CA:TRUE allows servers to
   2028 	 * sign client certficitates.
   2029 	 */
   2030 	fprintf(stderr, "%s: %s\n", LN_basic_constraints,
   2031 	    BASIC_CONSTRAINTS);
   2032 	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
   2033 	    _UC(BASIC_CONSTRAINTS));
   2034 	if (!X509_add_ext(cert, ex, -1)) {
   2035 		fprintf(stderr, "Add extension field fails\n%s\n",
   2036 		    ERR_error_string(ERR_get_error(), NULL));
   2037 		return (0);
   2038 	}
   2039 	X509_EXTENSION_free(ex);
   2040 
   2041 	/*
   2042 	 * The key_usage extension designates the purposes the key can
   2043 	 * be used for.
   2044 	 */
   2045 	fprintf(stderr, "%s: %s\n", LN_key_usage, KEY_USAGE);
   2046 	ex = X509V3_EXT_conf_nid(NULL, NULL, NID_key_usage, _UC(KEY_USAGE));
   2047 	if (!X509_add_ext(cert, ex, -1)) {
   2048 		fprintf(stderr, "Add extension field fails\n%s\n",
   2049 		    ERR_error_string(ERR_get_error(), NULL));
   2050 		return (0);
   2051 	}
   2052 	X509_EXTENSION_free(ex);
   2053 	/*
   2054 	 * The subject_key_identifier is used for the GQ public key.
   2055 	 * This should not be controversial.
   2056 	 */
   2057 	if (gqpub != NULL) {
   2058 		fprintf(stderr, "%s\n", LN_subject_key_identifier);
   2059 		ex = X509V3_EXT_conf_nid(NULL, NULL,
   2060 		    NID_subject_key_identifier, gqpub);
   2061 		if (!X509_add_ext(cert, ex, -1)) {
   2062 			fprintf(stderr,
   2063 			    "Add extension field fails\n%s\n",
   2064 			    ERR_error_string(ERR_get_error(), NULL));
   2065 			return (0);
   2066 		}
   2067 		X509_EXTENSION_free(ex);
   2068 	}
   2069 
   2070 	/*
   2071 	 * The extended key usage extension is used for special purpose
   2072 	 * here. The semantics probably do not conform to the designer's
   2073 	 * intent and will likely change in future.
   2074 	 *
   2075 	 * "trustRoot" designates a root authority
   2076 	 * "private" designates a private certificate
   2077 	 */
   2078 	if (exten != NULL) {
   2079 		fprintf(stderr, "%s: %s\n", LN_ext_key_usage, exten);
   2080 		ex = X509V3_EXT_conf_nid(NULL, NULL,
   2081 		    NID_ext_key_usage, _UC(exten));
   2082 		if (!X509_add_ext(cert, ex, -1)) {
   2083 			fprintf(stderr,
   2084 			    "Add extension field fails\n%s\n",
   2085 			    ERR_error_string(ERR_get_error(), NULL));
   2086 			return (0);
   2087 		}
   2088 		X509_EXTENSION_free(ex);
   2089 	}
   2090 
   2091 	/*
   2092 	 * Sign and verify.
   2093 	 */
   2094 	X509_sign(cert, pkey, md);
   2095 	if (X509_verify(cert, pkey) <= 0) {
   2096 		fprintf(stderr, "Verify %s certificate fails\n%s\n", id,
   2097 		    ERR_error_string(ERR_get_error(), NULL));
   2098 		X509_free(cert);
   2099 		return (0);
   2100 	}
   2101 
   2102 	/*
   2103 	 * Write the certificate encoded in PEM.
   2104 	 */
   2105 	snprintf(pathbuf, sizeof(pathbuf), "%scert", id);
   2106 	str = fheader(pathbuf, "cert", hostname);
   2107 	PEM_write_X509(str, cert);
   2108 	fclose(str);
   2109 	if (debug)
   2110 		X509_print_fp(stderr, cert);
   2111 	X509_free(cert);
   2112 	return (1);
   2113 }
   2114 
   2115 #if 0	/* asn2ntp is used only with commercial certificates */
   2116 /*
   2117  * asn2ntp - convert ASN1_TIME time structure to NTP time
   2118  */
   2119 u_long
   2120 asn2ntp	(
   2121 	ASN1_TIME *asn1time	/* pointer to ASN1_TIME structure */
   2122 	)
   2123 {
   2124 	char	*v;		/* pointer to ASN1_TIME string */
   2125 	struct	tm tm;		/* time decode structure time */
   2126 
   2127 	/*
   2128 	 * Extract time string YYMMDDHHMMSSZ from ASN.1 time structure.
   2129 	 * Note that the YY, MM, DD fields start with one, the HH, MM,
   2130 	 * SS fiels start with zero and the Z character should be 'Z'
   2131 	 * for UTC. Also note that years less than 50 map to years
   2132 	 * greater than 100. Dontcha love ASN.1?
   2133 	 */
   2134 	if (asn1time->length > 13)
   2135 		return (-1);
   2136 	v = (char *)asn1time->data;
   2137 	tm.tm_year = (v[0] - '0') * 10 + v[1] - '0';
   2138 	if (tm.tm_year < 50)
   2139 		tm.tm_year += 100;
   2140 	tm.tm_mon = (v[2] - '0') * 10 + v[3] - '0' - 1;
   2141 	tm.tm_mday = (v[4] - '0') * 10 + v[5] - '0';
   2142 	tm.tm_hour = (v[6] - '0') * 10 + v[7] - '0';
   2143 	tm.tm_min = (v[8] - '0') * 10 + v[9] - '0';
   2144 	tm.tm_sec = (v[10] - '0') * 10 + v[11] - '0';
   2145 	tm.tm_wday = 0;
   2146 	tm.tm_yday = 0;
   2147 	tm.tm_isdst = 0;
   2148 	return (mktime(&tm) + JAN_1970);
   2149 }
   2150 #endif
   2151 
   2152 /*
   2153  * Callback routine
   2154  */
   2155 void
   2156 cb	(
   2157 	int	n1,		/* arg 1 */
   2158 	int	n2,		/* arg 2 */
   2159 	void	*chr		/* arg 3 */
   2160 	)
   2161 {
   2162 	switch (n1) {
   2163 	case 0:
   2164 		d0++;
   2165 		fprintf(stderr, "%s %d %d %lu\r", (char *)chr, n1, n2,
   2166 		    d0);
   2167 		break;
   2168 	case 1:
   2169 		d1++;
   2170 		fprintf(stderr, "%s\t\t%d %d %lu\r", (char *)chr, n1,
   2171 		    n2, d1);
   2172 		break;
   2173 	case 2:
   2174 		d2++;
   2175 		fprintf(stderr, "%s\t\t\t\t%d %d %lu\r", (char *)chr,
   2176 		    n1, n2, d2);
   2177 		break;
   2178 	case 3:
   2179 		d3++;
   2180 		fprintf(stderr, "%s\t\t\t\t\t\t%d %d %lu\r",
   2181 		    (char *)chr, n1, n2, d3);
   2182 		break;
   2183 	}
   2184 }
   2185 
   2186 
   2187 /*
   2188  * Generate key
   2189  */
   2190 EVP_PKEY *			/* public/private key pair */
   2191 genkey(
   2192 	const char *type,	/* key type (RSA or DSA) */
   2193 	const char *id		/* file name id */
   2194 	)
   2195 {
   2196 	if (type == NULL)
   2197 		return (NULL);
   2198 	if (strcmp(type, "RSA") == 0)
   2199 		return (gen_rsa(id));
   2200 
   2201 	else if (strcmp(type, "DSA") == 0)
   2202 		return (gen_dsa(id));
   2203 
   2204 	fprintf(stderr, "Invalid %s key type %s\n", id, type);
   2205 	return (NULL);
   2206 }
   2207 
   2208 static RSA*
   2209 genRsaKeyPair(
   2210 	int	bits,
   2211 	char *	what
   2212 	)
   2213 {
   2214 	RSA *		rsa = RSA_new();
   2215 	BN_GENCB *	gcb = BN_GENCB_new();
   2216 	BIGNUM *	bne = BN_new();
   2217 
   2218 	if (gcb)
   2219 		BN_GENCB_set_old(gcb, cb, what);
   2220 	if (bne)
   2221 		BN_set_word(bne, 65537);
   2222 	if (!(rsa && gcb && bne && RSA_generate_key_ex(
   2223 		      rsa, bits, bne, gcb)))
   2224 	{
   2225 		RSA_free(rsa);
   2226 		rsa = NULL;
   2227 	}
   2228 	BN_GENCB_free(gcb);
   2229 	BN_free(bne);
   2230 	return rsa;
   2231 }
   2232 
   2233 static DSA*
   2234 genDsaParams(
   2235 	int	bits,
   2236 	char *	what
   2237 	)
   2238 {
   2239 
   2240 	DSA *		dsa = DSA_new();
   2241 	BN_GENCB *	gcb = BN_GENCB_new();
   2242 	u_char		seed[20];
   2243 
   2244 	if (gcb)
   2245 		BN_GENCB_set_old(gcb, cb, what);
   2246 	RAND_bytes(seed, sizeof(seed));
   2247 	if (!(dsa && gcb && DSA_generate_parameters_ex(
   2248 		      dsa, bits, seed, sizeof(seed), NULL, NULL, gcb)))
   2249 	{
   2250 		DSA_free(dsa);
   2251 		dsa = NULL;
   2252 	}
   2253 	BN_GENCB_free(gcb);
   2254 	return dsa;
   2255 }
   2256 
   2257 #endif	/* AUTOKEY */
   2258 
   2259 
   2260 /*
   2261  * Generate file header and link
   2262  */
   2263 FILE *
   2264 fheader	(
   2265 	const char *file,	/* file name id */
   2266 	const char *ulink,	/* linkname */
   2267 	const char *owner	/* owner name */
   2268 	)
   2269 {
   2270 	FILE	*str;		/* file handle */
   2271 	char	linkname[MAXFILENAME]; /* link name */
   2272 	int	temp;
   2273 #ifdef HAVE_UMASK
   2274         mode_t  orig_umask;
   2275 #endif
   2276 
   2277 	snprintf(filename, sizeof(filename), "ntpkey_%s_%s.%u", file,
   2278 	    owner, fstamp);
   2279 #ifdef HAVE_UMASK
   2280         orig_umask = umask( S_IWGRP | S_IRWXO );
   2281         str = fopen(filename, "w");
   2282         (void) umask(orig_umask);
   2283 #else
   2284         str = fopen(filename, "w");
   2285 #endif
   2286 	if (str == NULL) {
   2287 		perror("Write");
   2288 		exit (-1);
   2289 	}
   2290         if (strcmp(ulink, "md5") == 0) {
   2291           strcpy(linkname,"ntp.keys");
   2292         } else {
   2293           snprintf(linkname, sizeof(linkname), "ntpkey_%s_%s", ulink,
   2294                    hostname);
   2295         }
   2296 	(void)remove(linkname);		/* The symlink() line below matters */
   2297 	temp = symlink(filename, linkname);
   2298 	if (temp < 0)
   2299 		perror(file);
   2300 	fprintf(stderr, "Generating new %s file and link\n", ulink);
   2301 	fprintf(stderr, "%s->%s\n", linkname, filename);
   2302 	fprintf(str, "# %s\n# %s\n", filename, ctime(&epoch));
   2303 	return (str);
   2304 }
   2305