author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-02-23 10:34:14 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-02-23 10:34:14 +0000 |
commit | ed7d79f96177044949744da10f4431c1d6242241 (patch) | |
tree | 3aabaa55ed3b5291daef891cfee9befb5235e2b8 /src/libsimaka | |
parent | 7410d3c6d6a9a1cd7aa55083c938946af6ff9498 (diff) | |
download | vyos-strongswan-ed7d79f96177044949744da10f4431c1d6242241.tar.gz vyos-strongswan-ed7d79f96177044949744da10f4431c1d6242241.zip |
[svn-upgrade] Integrating new upstream version, strongswan (4.3.6)
Diffstat (limited to 'src/libsimaka')
-rw-r--r-- | src/libsimaka/Makefile.am | 6 | ||||
-rw-r--r-- | src/libsimaka/Makefile.in | 516 | ||||
-rw-r--r-- | src/libsimaka/simaka_crypto.c | 241 | ||||
-rw-r--r-- | src/libsimaka/simaka_crypto.h | 110 | ||||
-rw-r--r-- | src/libsimaka/simaka_message.c | 909 | ||||
-rw-r--r-- | src/libsimaka/simaka_message.h | 273 |
6 files changed, 2055 insertions, 0 deletions
diff --git a/src/libsimaka/Makefile.am b/src/libsimaka/Makefile.am
new file mode 100644
index 000000000..f64e4dba3
--- /dev/null
+++ b/src/libsimaka/Makefile.am
@@ -0,0 +1,6 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+noinst_LTLIBRARIES = libsimaka.la
+libsimaka_la_SOURCES = simaka_message.h simaka_message.c \
+ simaka_crypto.h simaka_crypto.c
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
new file mode 100644
index 000000000..9a448ef02
--- /dev/null
+++ b/src/libsimaka/Makefile.in
@@ -0,0 +1,516 @@ +# Makefile.in generated by automake 1.11 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libsimaka +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +LTLIBRARIES = $(noinst_LTLIBRARIES) +libsimaka_la_LIBADD = +am_libsimaka_la_OBJECTS = 
simaka_message.lo simaka_crypto.lo +libsimaka_la_OBJECTS = $(am_libsimaka_la_OBJECTS) +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libsimaka_la_SOURCES) +DIST_SOURCES = $(libsimaka_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = 
@PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libstrongswan_plugins = @libstrongswan_plugins@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +plugindir = @plugindir@ 
+pluto_plugins = @pluto_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon +noinst_LTLIBRARIES = libsimaka.la +libsimaka_la_SOURCES = simaka_message.h simaka_message.c \ + simaka_crypto.h simaka_crypto.c + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libsimaka/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libsimaka/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libsimaka.la: $(libsimaka_la_OBJECTS) $(libsimaka_la_DEPENDENCIES) + $(LINK) $(libsimaka_la_OBJECTS) $(libsimaka_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/simaka_crypto.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/simaka_message.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in 
files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: 
diff --git a/src/libsimaka/simaka_crypto.c b/src/libsimaka/simaka_crypto.c
new file mode 100644
index 000000000..b85502012
--- /dev/null
+++ b/src/libsimaka/simaka_crypto.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "simaka_crypto.h"
+
+#include <daemon.h>
+
+/** length of the k_encr key */
+#define KENCR_LEN 16
+/** length of the k_auth key */
+#define KAUTH_LEN 16
+/** length of the MSK */
+#define MSK_LEN 64
+/** length of the EMSK */
+#define EMSK_LEN 64
+
+typedef struct private_simaka_crypto_t private_simaka_crypto_t;
+
+/**
+ * Private data of an simaka_crypto_t object.
+ */
+struct private_simaka_crypto_t {
+
+ /**
+ * Public simaka_crypto_t interface.
+ */
+ simaka_crypto_t public;
+
+ /**
+ * signer to create/verify AT_MAC
+ */
+ signer_t *signer;
+
+ /**
+ * crypter to encrypt/decrypt AT_ENCR_DATA
+ */
+ crypter_t *crypter;
+
+ /**
+ * hasher used in key derivation
+ */
+ hasher_t *hasher;
+
+ /**
+ * PRF function used in key derivation
+ */
+ prf_t *prf;
+
+ /**
+ * Random number generator to generate nonces
+ */
+ rng_t *rng;
+
+ /**
+ * Have k_encr/k_auth been derived?
+ */
+ bool derived;
+};
+
+/**
+ * Implementation of simaka_crypto_t.get_signer
+ */
+static signer_t* get_signer(private_simaka_crypto_t *this)
+{
+ return this->derived ? this->signer : NULL;
+}
+
+/**
+ * Implementation of simaka_crypto_t.get_crypter
+ */
+static crypter_t* get_crypter(private_simaka_crypto_t *this)
+{
+ return this->derived ? this->crypter : NULL;
+}
+
+/**
+ * Implementation of simaka_crypto_t.get_rng
+ */
+static rng_t* get_rng(private_simaka_crypto_t *this)
+{
+ return this->rng;
+}
+
+/**
+ * Implementation of simaka_crypto_t.derive_keys_full
+ */
+static chunk_t derive_keys_full(private_simaka_crypto_t *this,
+ identification_t *id, chunk_t data, chunk_t *mk)
+{
+ chunk_t str, msk, k_encr, k_auth;
+ int i;
+
+ /* For SIM: MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version)
+ * For AKA: MK = SHA1(Identity|IK|CK) */
+ this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL);
+ this->hasher->allocate_hash(this->hasher, data, mk);
+ DBG3(DBG_IKE, "MK %B", mk);
+
+ /* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf() */
+ this->prf->set_key(this->prf, *mk);
+ str = chunk_alloca(this->prf->get_block_size(this->prf) * 3);
+ for (i = 0; i < 3; i++)
+ {
+ this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 3 * i);
+ }
+
+ k_encr = chunk_create(str.ptr, KENCR_LEN);
+ k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
+ msk = chunk_create(str.ptr + KENCR_LEN + KAUTH_LEN, MSK_LEN);
+ DBG3(DBG_IKE, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, &msk);
+
+ this->signer->set_key(this->signer, k_auth);
+ this->crypter->set_key(this->crypter, k_encr);
+
+ charon->sim->key_hook(charon->sim, k_encr, k_auth);
+
+ this->derived = TRUE;
+ return chunk_clone(msk);
+}
+
+/**
+ * Implementation of simaka_crypto_t.derive_keys_reauth
+ */
+static void derive_keys_reauth(private_simaka_crypto_t *this, chunk_t mk)
+{
+ chunk_t str, k_encr, k_auth;
+ int i;
+
+ /* K_encr | K_auth = prf() | prf() */
+ this->prf->set_key(this->prf, mk);
+ str = chunk_alloca(this->prf->get_block_size(this->prf) * 2);
+ for (i = 0; i < 2; i++)
+ {
+ this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 2 * i);
+ }
+ k_encr = chunk_create(str.ptr, KENCR_LEN);
+ k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
+ DBG3(DBG_IKE, "K_encr %B\nK_auth %B", &k_encr, &k_auth);
+
+ this->signer->set_key(this->signer, k_auth);
+ this->crypter->set_key(this->crypter, k_encr);
+
+ charon->sim->key_hook(charon->sim, k_encr, k_auth);
+
+ this->derived = TRUE;
+}
+
+/**
+ * Implementation of simaka_crypto_t.derive_keys_reauth_msk
+ */
+static chunk_t derive_keys_reauth_msk(private_simaka_crypto_t *this,
+ identification_t *id, chunk_t counter,
+ chunk_t nonce_s, chunk_t mk)
+{
+ char xkey[HASH_SIZE_SHA1];
+ chunk_t str, msk;
+ int i;
+
+ this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL);
+ this->hasher->get_hash(this->hasher, counter, NULL);
+ this->hasher->get_hash(this->hasher, nonce_s, NULL);
+ this->hasher->get_hash(this->hasher, mk, xkey);
+
+ /* MSK | EMSK = prf() | prf() | prf() | prf() */
+ this->prf->set_key(this->prf, chunk_create(xkey, sizeof(xkey)));
+ str = chunk_alloca(this->prf->get_block_size(this->prf) * 2);
+ for (i = 0; i < 2; i++)
+ {
+ this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 2 * i);
+ }
+ msk = chunk_create(str.ptr, MSK_LEN);
+ DBG3(DBG_IKE, "MSK %B", &msk);
+
+ return chunk_clone(msk);
+}
+
+/**
+ * Implementation of simaka_crypto_t.clear_keys
+ */
+static void clear_keys(private_simaka_crypto_t *this)
+{
+ this->derived = FALSE;
+}
+
+/**
+ * Implementation of simaka_crypto_t.destroy.
+ */
+static void destroy(private_simaka_crypto_t *this)
+{
+ DESTROY_IF(this->rng);
+ DESTROY_IF(this->hasher);
+ DESTROY_IF(this->prf);
+ DESTROY_IF(this->signer);
+ DESTROY_IF(this->crypter);
+ free(this);
+}
+
+/**
+ * See header
+ */
+simaka_crypto_t *simaka_crypto_create()
+{
+ private_simaka_crypto_t *this = malloc_thing(private_simaka_crypto_t);
+
+ this->public.get_signer = (signer_t*(*)(simaka_crypto_t*))get_signer;
+ this->public.get_crypter = (crypter_t*(*)(simaka_crypto_t*))get_crypter;
+ this->public.get_rng = (rng_t*(*)(simaka_crypto_t*))get_rng;
+ this->public.derive_keys_full = (chunk_t(*)(simaka_crypto_t*, identification_t *id, chunk_t data, chunk_t *mk))derive_keys_full;
+ this->public.derive_keys_reauth = (void(*)(simaka_crypto_t*, chunk_t mk))derive_keys_reauth;
+ this->public.derive_keys_reauth_msk = (chunk_t(*)(simaka_crypto_t*, identification_t *id, chunk_t counter, chunk_t nonce_s, chunk_t mk))derive_keys_reauth_msk;
+ this->public.clear_keys = (void(*)(simaka_crypto_t*))clear_keys;
+ this->public.destroy = (void(*)(simaka_crypto_t*))destroy;
+
+ this->derived = FALSE;
+ this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+ this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ this->prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160);
+ this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
+ this->crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);
+ if (!this->rng || !this->hasher || !this->prf ||
+ !this->signer || !this->crypter)
+ {
+ DBG1(DBG_IKE, "unable to use EAP-SIM, missing algorithms");
+ destroy(this);
+ return NULL;
+ }
+ return &this->public;
+}
+
diff --git a/src/libsimaka/simaka_crypto.h b/src/libsimaka/simaka_crypto.h
new file mode 100644
index 000000000..d1830e658
--- /dev/null
+++ b/src/libsimaka/simaka_crypto.h
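Review bot: `clear_keys` only resets `this->derived`; nothing unloads K_encr/K_auth from the signer/crypter, and the alloca'd `str` buffer that holds the freshly derived K_encr, K_auth and MSK in `derive_keys_full`, `derive_keys_reauth` and `derive_keys_reauth_msk` is left as-is once the sub-keys are copied out. Consider wiping `str` before each of those functions returns (e.g. `memset(str.ptr, 0, str.len);`, or the library's secure-wipe helper if this version provides one) and stating in the `clear_keys` comment that it only invalidates the `get_signer`/`get_crypter` accessors. The `DBG3` calls in the same three functions print MK, K_encr, K_auth and MSK verbatim; I believe the rest of the daemon keeps raw key material at level 4, so `DBG4` would be the consistent choice. Separately, `simaka_crypto_create` requests `RNG_WEAK` for an rng the struct comment documents as the nonce source; if those nonces enter MK via NONCE_MT/NONCE_S, `RNG_STRONG` is the quality class that fits. The carve-up `msk = chunk_create(str.ptr + KENCR_LEN + KAUTH_LEN, MSK_LEN)` also assumes three PRF blocks cover 96 bytes, and nothing in the hunk checks `str.len` against that.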
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup simaka_crypto simaka_crypto
+ * @{ @ingroup libsimaka
+ */
+
+#ifndef SIMAKA_CRYPTO_H_
+#define SIMAKA_CRYPTO_H_
+
+#include <library.h>
+
+typedef struct simaka_crypto_t simaka_crypto_t;
+
+/**
+ * EAP-SIM/AKA crypto helper and key derivation class.
+ */
+struct simaka_crypto_t {
+
+ /**
+ * Get the signer to use for AT_MAC calculation/verification.
+ *
+ * @return signer reference, NULL if no keys have been derived
+ */
+ signer_t* (*get_signer)(simaka_crypto_t *this);
+
+ /**
+ * Get the signer to use for AT_ENCR_DATA encryption/decryption.
+ *
+ * @return crypter reference, NULL if no keys have been derived
+ */
+ crypter_t* (*get_crypter)(simaka_crypto_t *this);
+
+ /**
+ * Get the random number generator.
+ *
+ * @return rng reference
+ */
+ rng_t* (*get_rng)(simaka_crypto_t *this);
+
+ /**
+ * Derive keys after full authentication.
+ *
+ * This methods derives the k_encr/k_auth keys and loads them into the
+ * internal crypter/signer instances. The passed data is method specific:
+ * For EAP-SIM, it is "n*Kc|NONCE_MT|Version List|Selected Version", for
+ * EAP-AKA it is "IK|CK".
+ *
+ * @param id peer identity
+ * @param data method specific data
+ * @param mk chunk receiving allocated master key MK
+ * @return allocated MSK value
+ */
+ chunk_t (*derive_keys_full)(simaka_crypto_t *this, identification_t *id,
+ chunk_t data, chunk_t *mk);
+
+ /**
+ * Derive k_encr/k_auth keys from MK using fast reauthentication.
+ *
+ * This methods derives the k_encr/k_auth keys and loads them into the
+ * internal crypter/signer instances.
+ *
+ * @param mk master key
+ */
+ void (*derive_keys_reauth)(simaka_crypto_t *this, chunk_t mk);
+
+ /**
+ * Derive MSK using fast reauthentication.
+ *
+ * @param id fast reauthentication identity
+ * @param counter fast reauthentication counter value, network order
+ * @param nonce_s server generated NONCE_S value
+ * @param mk master key of last full authentication
+ */
+ chunk_t (*derive_keys_reauth_msk)(simaka_crypto_t *this,
+ identification_t *id, chunk_t counter,
+ chunk_t nonce_s, chunk_t mk);
+
+ /**
+ * Clear keys (partially) derived.
+ */
+ void (*clear_keys)(simaka_crypto_t *this);
+
+ /**
+ * Destroy a simaka_crypto_t.
+ */
+ void (*destroy)(simaka_crypto_t *this);
+};
+
+/**
+ * Create a simaka_crypto instance.
+ *
+ * @return EAP-SIM/AKA crypto instance, NULL if algorithms missing
+ */
+simaka_crypto_t *simaka_crypto_create();
+
+#endif /** SIMAKA_CRYPTO_H_ @}*/
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
new file mode 100644
index 000000000..22d111bfd
--- /dev/null
+++ b/src/libsimaka/simaka_message.c
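Review bot: The comment on `get_crypter` is a copy of the `get_signer` one and says "Get the signer to use for AT_ENCR_DATA encryption/decryption."; it should read `Get the crypter to use for AT_ENCR_DATA encryption/decryption.`. `derive_keys_reauth_msk` documents all four parameters but not its result, so callers cannot tell from the header that they own the returned chunk; add `@return allocated MSK value`, mirroring `derive_keys_full`. The prototype `simaka_crypto_t *simaka_crypto_create();` declares a function with unspecified parameters in C; `simaka_crypto_t *simaka_crypto_create(void);` is what the definition in simaka_crypto.c intends, and the definition should be changed the same way. The `clear_keys` comment "Clear keys (partially) derived." would be clearer if it said what a caller observes afterwards, e.g. that `get_signer`/`get_crypter` return NULL until keys are derived again.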
@@ -0,0 +1,909 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "simaka_message.h" + +typedef struct private_simaka_message_t private_simaka_message_t; +typedef struct hdr_t hdr_t; +typedef struct attr_hdr_t attr_hdr_t; +typedef struct attr_t attr_t; + +/** + * packed EAP-SIM/AKA header struct + */ +struct hdr_t { + /** EAP code (REQUEST/RESPONSE) */ + u_int8_t code; + /** unique message identifier */ + u_int8_t identifier; + /** length of whole message */ + u_int16_t length; + /** EAP type => EAP_SIM/EAP_AKA */ + u_int8_t type; + /** SIM subtype */ + u_int8_t subtype; + /** reserved bytes */ + u_int16_t reserved; +} __attribute__((__packed__)); + +/** + * packed EAP-SIM/AKA attribute header struct + */ +struct attr_hdr_t { + /** attribute type */ + u_int8_t type; + /** attibute length */ + u_int8_t length; +} __attribute__((__packed__)); + +/** + * SIM/AKA attribute, parsed + */ +struct attr_t { + /** type of attribute */ + simaka_attribute_t type; + /** length of data */ + size_t len; + /** start of data, variable length */ + char data[]; +}; + +ENUM_BEGIN(simaka_subtype_names, AKA_CHALLENGE, AKA_IDENTITY, + "AKA_CHALLENGE", + "AKA_AUTHENTICATION_REJECT", + "AKA_3", + "AKA_SYNCHRONIZATION_FAILURE", + "AKA_IDENTITY"); +ENUM_NEXT(simaka_subtype_names, SIM_START, AKA_CLIENT_ERROR, AKA_IDENTITY, + "SIM_START", + "SIM_CHALLENGE", + "SIM/AKA_NOTIFICATION", + 
"SIM/AKA_REAUTHENTICATION", + "SIM/AKA_CLIENT_ERROR"); +ENUM_END(simaka_subtype_names, AKA_CLIENT_ERROR); + + +ENUM_BEGIN(simaka_attribute_names, AT_RAND, AT_CLIENT_ERROR_CODE, + "AT_RAND", + "AT_AUTN", + "AT_RES", + "AT_AUTS", + "AT_5", + "AT_PADDING", + "AT_NONCE_MT", + "AT_8", + "AT_9", + "AT_PERMANENT_ID_REQ", + "AT_MAC", + "AT_NOTIFICATION", + "AT_ANY_ID_REQ", + "AT_IDENTITY", + "AT_VERSION_LIST", + "AT_SELECTED_VERSION", + "AT_FULLAUTH_ID_REQ", + "AT_18", + "AT_COUNTER", + "AT_COUNTER_TOO_SMALL", + "AT_NONCE_S", + "AT_CLIENT_ERROR_CODE"); +ENUM_NEXT(simaka_attribute_names, AT_IV, AT_RESULT_IND, AT_CLIENT_ERROR_CODE, + "AT_IV", + "AT_ENCR_DATA", + "AT_131", + "AT_NEXT_PSEUDONYM", + "AT_NEXT_REAUTH_ID", + "AT_CHECKCODE", + "AT_RESULT_IND"); +ENUM_END(simaka_attribute_names, AT_RESULT_IND); + + +ENUM_BEGIN(simaka_notification_names, SIM_GENERAL_FAILURE_AA, SIM_GENERAL_FAILURE_AA, + "General failure after authentication"); +ENUM_NEXT(simaka_notification_names, SIM_TEMP_DENIED, SIM_TEMP_DENIED, SIM_GENERAL_FAILURE_AA, + "User has been temporarily denied access"); +ENUM_NEXT(simaka_notification_names, SIM_NOT_SUBSCRIBED, SIM_NOT_SUBSCRIBED, SIM_TEMP_DENIED, + "User has not subscribed to the requested service"); +ENUM_NEXT(simaka_notification_names, SIM_GENERAL_FAILURE, SIM_GENERAL_FAILURE, SIM_NOT_SUBSCRIBED, + "General failure"); +ENUM_NEXT(simaka_notification_names, SIM_SUCCESS, SIM_SUCCESS, SIM_GENERAL_FAILURE, + "User has been successfully authenticated"); +ENUM_END(simaka_notification_names, SIM_SUCCESS); + + +ENUM(simaka_client_error_names, SIM_UNABLE_TO_PROCESS, SIM_RANDS_NOT_FRESH, + "unable to process packet", + "unsupported version", + "insufficient number of challenges", + "RANDs are not fresh", +); + +/** + * Check if an EAP-SIM/AKA attribute is skippable + */ +bool simaka_attribute_skippable(simaka_attribute_t attribute) +{ + bool skippable = !(attribute >= 0 && attribute <= 127); + + DBG1(DBG_IKE, "%sskippable EAP-SIM/AKA attribute %N", + skippable ? 
"ignoring " : "found non-", + simaka_attribute_names, attribute); + return skippable; +} + +/** + * Private data of an simaka_message_t object. + */ +struct private_simaka_message_t { + + /** + * Public simaka_message_t interface. + */ + simaka_message_t public; + + /** + * EAP message, starting with EAP header + */ + hdr_t *hdr; + + /** + * List of parsed attributes, attr_t + */ + linked_list_t *attributes; + + /** + * Currently parsing AT_ENCR_DATA wrapped attributes? + */ + bool encrypted; + + /** + * crypto helper + */ + simaka_crypto_t *crypto; + + /** + * Phase a NOTIFICATION is sent within + */ + bool p_bit; + + /** + * MAC value, pointing into message + */ + chunk_t mac; + + /** + * ENCR_DATA value, pointing into message + */ + chunk_t encr; + + /** + * IV value, pointing into message + */ + chunk_t iv; +}; + +/** + * Implementation of simaka_message_t.is_request + */ +static bool is_request(private_simaka_message_t *this) +{ + return this->hdr->code == EAP_REQUEST; +} + +/** + * Implementation of simaka_message_t.get_identifier + */ +static u_int8_t get_identifier(private_simaka_message_t *this) +{ + return this->hdr->identifier; +} + +/** + * Implementation of simaka_message_t.get_subtype + */ +static simaka_subtype_t get_subtype(private_simaka_message_t *this) +{ + return this->hdr->subtype; +} + +/** + * Implementation of simaka_message_t.get_type + */ +static eap_type_t get_type(private_simaka_message_t *this) +{ + return this->hdr->type; +} + +/** + * convert attr_t to type and data enumeration + */ +static bool attr_enum_filter(void *null, attr_t **in, simaka_attribute_t *type, + void *dummy, chunk_t *data) +{ + attr_t *attr = *in; + + *type = attr->type; + *data = chunk_create(attr->data, attr->len); + return TRUE; +} + +/** + * Implementation of simaka_message_t.create_attribute_enumerator + */ +static enumerator_t* create_attribute_enumerator(private_simaka_message_t *this) +{ + return enumerator_create_filter( + 
this->attributes->create_enumerator(this->attributes), + (void*)attr_enum_filter, NULL, NULL); +} + +/** + * Implementation of simaka_message_t.add_attribute + */ +static void add_attribute(private_simaka_message_t *this, + simaka_attribute_t type, chunk_t data) +{ + attr_t *attr; + + if (!charon->sim->attribute_hook(charon->sim, this->hdr->code, + this->hdr->type, this->hdr->subtype, type, data)) + { + attr = malloc(sizeof(attr_t) + data.len); + attr->len = data.len; + attr->type = type; + memcpy(attr->data, data.ptr, data.len); + + this->attributes->insert_last(this->attributes, attr); + } +} + +/** + * Error handling for unencrypted attributes + */ +static bool not_encrypted(simaka_attribute_t type) +{ + DBG1(DBG_IKE, "received unencrypted %N", simaka_attribute_names, type); + return FALSE; +} + +/** + * Error handling for invalid length + */ +static bool invalid_length(simaka_attribute_t type) +{ + DBG1(DBG_IKE, "invalid length of %N", simaka_attribute_names, type); + return FALSE; +} + +/** + * Parse attributes from a chunk of data + */ +static bool parse_attributes(private_simaka_message_t *this, chunk_t in) +{ + while (in.len) + { + attr_hdr_t *hdr; + chunk_t data; + + if (in.len < sizeof(attr_hdr_t)) + { + DBG1(DBG_IKE, "found short %N attribute header", + eap_type_names, this->hdr->type); + return FALSE; + } + hdr = (attr_hdr_t*)in.ptr; + + switch (hdr->type) + { + /* attributes without data */ + case AT_COUNTER_TOO_SMALL: + if (!this->encrypted) + { + return not_encrypted(hdr->type); + } + /* FALL */ + case AT_ANY_ID_REQ: + case AT_PERMANENT_ID_REQ: + case AT_FULLAUTH_ID_REQ: + { + if (hdr->length != 1 || in.len < 4) + { + return invalid_length(hdr->type); + } + data = chunk_empty; + in = chunk_skip(in, 4); + break; + } + /* attributes with two bytes data */ + case AT_COUNTER: + if (!this->encrypted) + { + return not_encrypted(hdr->type); + } + /* FALL */ + case AT_CLIENT_ERROR_CODE: + case AT_SELECTED_VERSION: + case AT_NOTIFICATION: + { + if 
(hdr->length != 1 || in.len < 4) + { + return invalid_length(hdr->type); + } + data = chunk_create(in.ptr + 2, 2); + in = chunk_skip(in, 4); + break; + } + /* attributes with an additional actual-length in bits or bytes */ + case AT_NEXT_PSEUDONYM: + case AT_NEXT_REAUTH_ID: + if (!this->encrypted) + { + return not_encrypted(hdr->type); + } + /* FALL */ + case AT_RES: + case AT_IDENTITY: + case AT_VERSION_LIST: + { + u_int16_t len; + + if (hdr->length < 1 || in.len < 4) + { + return invalid_length(hdr->type); + } + memcpy(&len, in.ptr + 2, 2); + len = ntohs(len); + if (hdr->type == AT_RES) + { /* AT_RES uses length encoding in bits */ + len /= 8; + } + if (len > hdr->length * 4 || len > in.len) + { + return invalid_length(hdr->type); + } + data = chunk_create(in.ptr + 4, len); + in = chunk_skip(in, hdr->length * 4); + break; + } + /* attributes with two reserved bytes, 16 bytes length */ + case AT_NONCE_S: + if (!this->encrypted) + { + return not_encrypted(hdr->type); + } + /* FALL */ + case AT_AUTN: + case AT_NONCE_MT: + case AT_IV: + case AT_MAC: + { + if (hdr->length != 5 || in.len < 20) + { + return invalid_length(hdr->type); + } + data = chunk_create(in.ptr + 4, 16); + in = chunk_skip(in, 20); + break; + } + /* attributes with two reserved bytes, variable length */ + case AT_ENCR_DATA: + case AT_RAND: + { + if (hdr->length * 4 > in.len || in.len < 4) + { + return invalid_length(hdr->type); + } + data = chunk_create(in.ptr + 4, hdr->length * 4 - 4); + in = chunk_skip(in, hdr->length * 4); + break; + } + /* attributes with no reserved bytes, 14 bytes length */ + case AT_AUTS: + { + if (hdr->length != 4 || in.len < 16) + { + return invalid_length(hdr->type); + } + data = chunk_create(in.ptr + 2, 14); + in = chunk_skip(in, 16); + break; + } + /* other attributes (with 4n + 2 length) */ + case AT_PADDING: + default: + { + if (hdr->length * 4 > in.len || in.len < 4) + { + return invalid_length(hdr->type); + } + data = chunk_create(in.ptr + 2, hdr->length * 4 - 2); + 
in = chunk_skip(in, hdr->length * 4); + break; + } + } + + /* handle special attributes */ + switch (hdr->type) + { + case AT_MAC: + this->mac = data; + break; + case AT_IV: + this->iv = data; + break; + case AT_ENCR_DATA: + this->encr = data; + break; + case AT_PADDING: + break; + case AT_NOTIFICATION: + if (this->p_bit) + { /* remember P bit for MAC verification */ + this->p_bit = !!(data.ptr[0] & 0x40); + } + else if (!this->encrypted) + { + DBG1(DBG_IKE, "found P-bit 0 notify in unencrypted message"); + return FALSE; + } + /* FALL */ + default: + add_attribute(this, hdr->type, data); + break; + } + } + return TRUE; +} + +/** + * Decrypt a message and parse the decrypted attributes + */ +static bool decrypt(private_simaka_message_t *this) +{ + bool success; + crypter_t *crypter; + chunk_t plain; + + crypter = this->crypto->get_crypter(this->crypto); + if (!crypter || !this->iv.len || !this->encr.len || this->encrypted) + { + return TRUE; + } + if (this->encr.len % crypter->get_block_size(crypter)) + { + DBG1(DBG_IKE, "%N ENCR_DATA not a multiple of block size", + eap_type_names, this->hdr->type); + return FALSE; + } + + crypter->decrypt(crypter, this->encr, this->iv, &plain); + + this->encrypted = TRUE; + success = parse_attributes(this, plain); + this->encrypted = FALSE; + free(plain.ptr); + return success; +} + +/** + * Implementation of simaka_message_t.parse + */ +static bool parse(private_simaka_message_t *this) +{ + chunk_t in; + + if (this->attributes->get_count(this->attributes)) + { /* Already parsed. Try to decrypt and parse AT_ENCR_DATA. 
*/ + return decrypt(this); + } + + in = chunk_create((char*)this->hdr, ntohs(this->hdr->length)); + if (!parse_attributes(this, chunk_skip(in, sizeof(hdr_t)))) + { + return FALSE; + } + /* try to decrypt if we already have keys */ + return decrypt(this); +} + +/** + * Implementation of simaka_message_t.verify + */ +static bool verify(private_simaka_message_t *this, chunk_t sigdata) +{ + chunk_t data, backup; + signer_t *signer; + + signer = this->crypto->get_signer(this->crypto); + + switch (this->hdr->subtype) + { + case SIM_START: + case SIM_CLIENT_ERROR: + /* AKA_CLIENT_ERROR: */ + case AKA_AUTHENTICATION_REJECT: + case AKA_SYNCHRONIZATION_FAILURE: + case AKA_IDENTITY: + /* skip MAC if available */ + return TRUE; + case SIM_CHALLENGE: + case AKA_CHALLENGE: + case SIM_REAUTHENTICATION: + /* AKA_REAUTHENTICATION: */ + { + if (!this->mac.ptr || !signer) + { /* require MAC, but not found */ + DBG1(DBG_IKE, "%N message requires a MAC, but none found", + simaka_subtype_names, this->hdr->subtype); + return FALSE; + } + break; + } + case SIM_NOTIFICATION: + /* AKA_NOTIFICATION: */ + { + if (this->p_bit) + { /* MAC not verified if in Phase 1 */ + return TRUE; + } + if (!this->mac.ptr || !signer) + { + DBG1(DBG_IKE, "%N message has a phase 0 notify, but " + "no MAC found", simaka_subtype_names, this->hdr->subtype); + return FALSE; + } + break; + } + default: + /* unknown message? 
*/ + DBG1(DBG_IKE, "signature rule for %N messages missing", + simaka_subtype_names, this->hdr->subtype); + return FALSE; + } + + /* zero MAC for verification */ + backup = chunk_clonea(this->mac); + memset(this->mac.ptr, 0, this->mac.len); + + data = chunk_create((char*)this->hdr, ntohs(this->hdr->length)); + if (sigdata.len) + { + data = chunk_cata("cc", data, sigdata); + } + if (!signer->verify_signature(signer, data, backup)) + { + DBG1(DBG_IKE, "%N MAC verification failed", + eap_type_names, this->hdr->type); + return FALSE; + } + return TRUE; +} + +/** + * Implementation of simaka_message_t.generate + */ +static eap_payload_t* generate(private_simaka_message_t *this, chunk_t sigdata) +{ + /* buffers large enough for messages we generate */ + char out_buf[1024], encr_buf[512]; + enumerator_t *enumerator; + chunk_t out, encr, data, *target, mac = chunk_empty; + simaka_attribute_t type; + attr_hdr_t *hdr; + u_int16_t len; + signer_t *signer; + + out = chunk_create(out_buf, sizeof(out_buf)); + encr = chunk_create(encr_buf, sizeof(encr_buf)); + + /* copy header */ + memcpy(out.ptr, this->hdr, sizeof(hdr_t)); + out = chunk_skip(out, sizeof(hdr_t)); + + /* encode attributes */ + enumerator = create_attribute_enumerator(this); + while (enumerator->enumerate(enumerator, &type, &data)) + { + /* encrypt this attribute? 
*/ + switch (type) + { + case AT_NONCE_S: + case AT_NEXT_PSEUDONYM: + case AT_NEXT_REAUTH_ID: + case AT_COUNTER: + case AT_COUNTER_TOO_SMALL: + target = &encr; + break; + case AT_NOTIFICATION: + /* P bit not set, encrypt */ + if (!(data.ptr[0] & 0x40)) + { + target = &encr; + break; + } + /* FALL */ + default: + target = &out; + break; + } + + hdr = (attr_hdr_t*)target->ptr; + hdr->type = type; + + /* encode type specific */ + switch (type) + { + /* attributes without data */ + case AT_COUNTER_TOO_SMALL: + case AT_ANY_ID_REQ: + case AT_PERMANENT_ID_REQ: + case AT_FULLAUTH_ID_REQ: + { + hdr->length = 1; + memset(target->ptr + 2, 0, 2); + *target = chunk_skip(*target, 4); + break; + } + /* attributes with two bytes data */ + case AT_COUNTER: + case AT_CLIENT_ERROR_CODE: + case AT_SELECTED_VERSION: + case AT_NOTIFICATION: + { + hdr->length = 1; + memcpy(target->ptr + 2, data.ptr, 2); + *target = chunk_skip(*target, 4); + break; + } + /* attributes with an additional actual-length in bits or bytes */ + case AT_NEXT_PSEUDONYM: + case AT_NEXT_REAUTH_ID: + case AT_IDENTITY: + case AT_VERSION_LIST: + case AT_RES: + { + u_int16_t len, padding; + + len = htons(data.len); + if (type == AT_RES) + { /* AT_RES uses length encoding in bits */ + len *= 8; + } + memcpy(target->ptr + 2, &len, sizeof(len)); + memcpy(target->ptr + 4, data.ptr, data.len); + hdr->length = data.len / 4 + 1; + padding = (4 - (data.len % 4)) % 4; + if (padding) + { + hdr->length++; + memset(target->ptr + 4 + data.len, 0, padding); + } + *target = chunk_skip(*target, hdr->length * 4); + break; + } + /* attributes with two reserved bytes, 16 bytes length */ + case AT_NONCE_S: + case AT_NONCE_MT: + case AT_AUTN: + { + hdr->length = 5; + memset(target->ptr + 2, 0, 2); + memcpy(target->ptr + 4, data.ptr, data.len); + *target = chunk_skip(*target, 20); + break; + } + /* attributes with two reserved bytes, variable length */ + case AT_RAND: + { + hdr->length = 1 + data.len / 4; + memset(target->ptr + 2, 0, 2); + 
memcpy(target->ptr + 4, data.ptr, data.len); + *target = chunk_skip(*target, data.len + 4); + break; + } + /* attributes with no reserved bytes, 14 bytes length */ + case AT_AUTS: + { + hdr->length = 4; + memcpy(target->ptr + 2, data.ptr, data.len); + *target = chunk_skip(*target, 16); + break; + } + default: + { + DBG1(DBG_IKE, "no rule to encode %N, skipped", + simaka_attribute_names, type); + break; + } + } + } + enumerator->destroy(enumerator); + + /* encrypt attributes, if any */ + if (encr.len < sizeof(encr_buf)) + { + chunk_t iv; + size_t bs, padding; + crypter_t *crypter; + rng_t *rng; + + crypter = this->crypto->get_crypter(this->crypto); + bs = crypter->get_block_size(crypter); + + /* add AT_PADDING attribute */ + padding = bs - ((sizeof(encr_buf) - encr.len) % bs); + if (padding) + { + hdr = (attr_hdr_t*)encr.ptr; + hdr->type = AT_PADDING; + hdr->length = padding / 4; + memset(encr.ptr + 2, 0, padding - 2); + encr = chunk_skip(encr, padding); + } + encr = chunk_create(encr_buf, sizeof(encr_buf) - encr.len); + + /* add IV attribute */ + hdr = (attr_hdr_t*)out.ptr; + hdr->type = AT_IV; + hdr->length = bs / 4 + 1; + memset(out.ptr + 2, 0, 2); + out = chunk_skip(out, 4); + + rng = this->crypto->get_rng(this->crypto); + rng->get_bytes(rng, bs, out.ptr); + + iv = chunk_clonea(chunk_create(out.ptr, bs)); + out = chunk_skip(out, bs); + + /* inline encryption */ + crypter->encrypt(crypter, encr, iv, NULL); + + /* add ENCR_DATA attribute */ + hdr = (attr_hdr_t*)out.ptr; + hdr->type = AT_ENCR_DATA; + hdr->length = encr.len / 4 + 1; + memset(out.ptr + 2, 0, 2); + memcpy(out.ptr + 4, encr.ptr, encr.len); + out = chunk_skip(out, encr.len + 4); + } + + /* include MAC ? 
*/ + signer = this->crypto->get_signer(this->crypto); + switch (this->hdr->subtype) + { + case SIM_CHALLENGE: + case AKA_CHALLENGE: + case SIM_REAUTHENTICATION: + /* AKA_REAUTHENTICATION: */ + /* TODO: Notifications without P bit */ + { + size_t bs; + + bs = signer->get_block_size(signer); + hdr = (attr_hdr_t*)out.ptr; + hdr->type = AT_MAC; + hdr->length = bs / 4 + 1; + memset(out.ptr + 2, 0, 2 + bs); + mac = chunk_create(out.ptr + 4, bs); + out = chunk_skip(out, bs + 4); + break; + } + default: + break; + } + + /* calculate message length */ + out = chunk_create(out_buf, sizeof(out_buf) - out.len); + len = htons(out.len); + memcpy(out.ptr + 2, &len, sizeof(len)); + + /* generate MAC */ + if (mac.len) + { + data = chunk_cata("cc", out, sigdata); + signer->get_signature(signer, data, mac.ptr); + } + return eap_payload_create_data(out); +} + +/** + * Implementation of simaka_message_t.destroy. + */ +static void destroy(private_simaka_message_t *this) +{ + this->attributes->destroy_function(this->attributes, free); + free(this->hdr); + free(this); +} + +/** + * Generic constructor. 
+ */ +static simaka_message_t *simaka_message_create_data(chunk_t data, + simaka_crypto_t *crypto) +{ + private_simaka_message_t *this; + hdr_t *hdr = (hdr_t*)data.ptr; + + if (data.len < sizeof(hdr_t) || hdr->length != htons(data.len)) + { + DBG1(DBG_IKE, "EAP-SIM/AKA header has invalid length"); + return NULL; + } + if (hdr->code != EAP_REQUEST && hdr->code != EAP_RESPONSE) + { + DBG1(DBG_IKE, "invalid EAP code in EAP-SIM/AKA message", + eap_type_names, hdr->type); + return NULL; + } + if (hdr->type != EAP_SIM && hdr->type != EAP_AKA) + { + DBG1(DBG_IKE, "invalid EAP type in EAP-SIM/AKA message", + eap_type_names, hdr->type); + return NULL; + } + + this = malloc_thing(private_simaka_message_t); + + this->public.is_request = (bool(*)(simaka_message_t*))is_request; + this->public.get_identifier = (u_int8_t(*)(simaka_message_t*))get_identifier; + this->public.get_type = (eap_type_t(*)(simaka_message_t*))get_type; + this->public.get_subtype = (simaka_subtype_t(*)(simaka_message_t*))get_subtype; + this->public.create_attribute_enumerator = (enumerator_t*(*)(simaka_message_t*))create_attribute_enumerator; + this->public.add_attribute = (void(*)(simaka_message_t*, simaka_attribute_t type, chunk_t data))add_attribute; + this->public.parse = (bool(*)(simaka_message_t*))parse; + this->public.verify = (bool(*)(simaka_message_t*, chunk_t sigdata))verify; + this->public.generate = (eap_payload_t*(*)(simaka_message_t*, chunk_t sigdata))generate; + this->public.destroy = (void(*)(simaka_message_t*))destroy; + + this->attributes = linked_list_create(); + this->encrypted = FALSE; + this->crypto = crypto; + this->p_bit = TRUE; + this->mac = chunk_empty; + this->encr = chunk_empty; + this->iv = chunk_empty; + this->hdr = malloc(data.len); + memcpy(this->hdr, hdr, data.len); + + return &this->public; +} + +/** + * See header. 
+ */ +simaka_message_t *simaka_message_create_from_payload(eap_payload_t *payload, + simaka_crypto_t *crypto) +{ + return simaka_message_create_data(payload->get_data(payload), crypto); +} + +/** + * See header. + */ +simaka_message_t *simaka_message_create(bool request, u_int8_t identifier, + eap_type_t type, simaka_subtype_t subtype, + simaka_crypto_t *crypto) +{ + hdr_t hdr = { + .code = request ? EAP_REQUEST : EAP_RESPONSE, + .identifier = identifier, + .length = htons(sizeof(hdr_t)), + .type = type, + .subtype = subtype, + }; + return simaka_message_create_data(chunk_create((char*)&hdr, sizeof(hdr)), + crypto); +} + diff --git a/src/libsimaka/simaka_message.h b/src/libsimaka/simaka_message.h new file mode 100644 index 000000000..ee9b3ebec --- /dev/null +++ b/src/libsimaka/simaka_message.h 
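Review bot: In `parse_attributes`, the variable-length branch (AT_RES, AT_IDENTITY, AT_VERSION_LIST, AT_NEXT_PSEUDONYM, AT_NEXT_REAUTH_ID) checks `len > hdr->length * 4 || len > in.len` but the data starts at `in.ptr + 4`, so a peer-supplied actual-length equal to the attribute length (or to the remaining input) produces a `data` chunk that extends four bytes past the attribute and, for the last attribute, past the end of the received packet or of the decrypted `plain` buffer, which `add_attribute` then memcpy's. The bound must account for the 4-byte header and reject attributes longer than the remaining input instead of relying on `chunk_skip` clamping, as the AT_ENCR_DATA/AT_RAND branch already does: `if (hdr->length * 4 > in.len || len > hdr->length * 4 - 4)`. In `generate()`, `padding = bs - ((sizeof(encr_buf) - encr.len) % bs)` equals `bs` when the encrypted data is already block-aligned, so a full 16-byte AT_PADDING is emitted on every aligned message, while RFC 4186/4187 §10.12 allow only 4, 8 or 12 bytes of padding; use `padding = (bs - ((sizeof(encr_buf) - encr.len) % bs)) % bs;` so the attribute is omitted when not needed. `generate()` also encodes into the fixed `out_buf[1024]`/`encr_buf[512]` stack buffers with no check against `target->len` before each memcpy, so every `add_attribute` caller (identities, pseudonyms, version lists) must be length-limited upstream or a bounds check added before each write. Separately, `parse()` decrypts AT_ENCR_DATA and feeds the plaintext attributes to `add_attribute` and `charon->sim->attribute_hook` before `verify()` has checked AT_MAC, so unauthenticated plaintext reaches the hooks; the header explains why the order is hard to change, but call sites should be audited so nothing acts on decrypted attributes until `verify()` has returned TRUE.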
@@ -0,0 +1,273 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup libsimaka libsimaka + * + * @addtogroup libsimaka + * Library providing functions shared between EAP-SIM and EAP-AKA plugins. + * + * @defgroup simaka_message simaka_message + * @{ @ingroup libsimaka + */ + +#ifndef SIMAKA_MESSAGE_H_ +#define SIMAKA_MESSAGE_H_ + +#include <enum.h> +#include <daemon.h> + +#include "simaka_crypto.h" + +typedef struct simaka_message_t simaka_message_t; +typedef enum simaka_attribute_t simaka_attribute_t; +typedef enum simaka_subtype_t simaka_subtype_t; +typedef enum simaka_notification_t simaka_notification_t; +typedef enum simaka_client_error_t simaka_client_error_t; + +/** + * Subtypes of EAP-SIM/AKA messages + */ +enum simaka_subtype_t { + AKA_CHALLENGE = 1, + AKA_AUTHENTICATION_REJECT = 2, + AKA_SYNCHRONIZATION_FAILURE = 4, + AKA_IDENTITY = 5, + SIM_START = 10, + SIM_CHALLENGE = 11, + SIM_NOTIFICATION = 12, + AKA_NOTIFICATION = 12, + SIM_REAUTHENTICATION = 13, + AKA_REAUTHENTICATION = 13, + SIM_CLIENT_ERROR = 14, + AKA_CLIENT_ERROR = 14, +}; + +/** + * Enum names for simaka_subtype_t + */ +extern enum_name_t *simaka_subtype_names; + +/** + * Attributes in EAP-SIM/AKA messages + */ +enum simaka_attribute_t { + AT_RAND = 1, + AT_AUTN = 2, + AT_RES = 3, + AT_AUTS = 4, + AT_PADDING = 6, + AT_NONCE_MT = 7, + AT_PERMANENT_ID_REQ = 10, + AT_MAC = 11, + AT_NOTIFICATION = 
12, + AT_ANY_ID_REQ = 13, + AT_IDENTITY = 14, + AT_VERSION_LIST = 15, + AT_SELECTED_VERSION = 16, + AT_FULLAUTH_ID_REQ = 17, + AT_COUNTER = 19, + AT_COUNTER_TOO_SMALL = 20, + AT_NONCE_S = 21, + AT_CLIENT_ERROR_CODE = 22, + AT_IV = 129, + AT_ENCR_DATA = 130, + AT_NEXT_PSEUDONYM = 132, + AT_NEXT_REAUTH_ID = 133, + AT_CHECKCODE = 134, + AT_RESULT_IND = 135, +}; + +/** + * Enum names for simaka_attribute_t + */ +extern enum_name_t *simaka_attribute_names; + +/** + * Notification codes used within AT_NOTIFICATION attribute. + */ +enum simaka_notification_t { + /** SIM General failure after authentication. (Implies failure) */ + SIM_GENERAL_FAILURE_AA = 0, + /** AKA General failure after authentication. (Implies failure) */ + AKA_GENERAL_FAILURE_AA = 0, + /** SIM General failure. (Implies failure, used before authentication) */ + SIM_GENERAL_FAILURE = 16384, + /** AKA General failure. (Implies failure, used before authentication) */ + AKA_GENERAL_FAILURE = 16384, + /** SIM User has been temporarily denied access to the requested service. */ + SIM_TEMP_DENIED = 1026, + /** AKA User has been temporarily denied access to the requested service. */ + AKA_TEMP_DENIED = 1026, + /** SIM User has not subscribed to the requested service. */ + SIM_NOT_SUBSCRIBED = 1031, + /** AKA User has not subscribed to the requested service. */ + AKA_NOT_SUBSCRIBED = 1031, + /** SIM Success. User has been successfully authenticated. */ + SIM_SUCCESS = 32768, + /** AKA Success. User has been successfully authenticated. 
*/ + AKA_SUCCESS = 32768, +}; + +/** + * Enum names for simaka_notification_t + */ +extern enum_name_t *simaka_notification_names; + +/** + * Error codes sent in AT_CLIENT_ERROR_CODE attribute + */ +enum simaka_client_error_t { + /** AKA unable to process packet */ + AKA_UNABLE_TO_PROCESS = 0, + /** SIM unable to process packet */ + SIM_UNABLE_TO_PROCESS = 0, + /** SIM unsupported version */ + SIM_UNSUPPORTED_VERSION = 1, + /** SIM insufficient number of challenges */ + SIM_INSUFFICIENT_CHALLENGES = 2, + /** SIM RANDs are not fresh */ + SIM_RANDS_NOT_FRESH = 3, +}; + +/** + * Enum names for simaka_client_error_t + */ +extern enum_name_t *simaka_client_error_names; + +/** + * Check if an EAP-SIM/AKA attribute is "skippable". + * + * @param attribute attribute to check + * @return TRUE if attribute skippable, FALSE if non-skippable + */ +bool simaka_attribute_skippable(simaka_attribute_t attribute); + +/** + * EAP-SIM and EAP-AKA message abstraction. + * + * Messages for EAP-SIM and EAP-AKA share a common format, this class + * abstracts such a message and provides encoding/encryption/signing + * functionality. + */ +struct simaka_message_t { + + /** + * Check if the given message is a request or response. + * + * @return TRUE if request, FALSE if response + */ + bool (*is_request)(simaka_message_t *this); + + /** + * Get the EAP message identifier. + * + * @return EAP message identifier + */ + u_int8_t (*get_identifier)(simaka_message_t *this); + + /** + * Get the EAP type of the message. + * + * @return EAP type: EAP-SIM or EAP-AKA + */ + eap_type_t (*get_type)(simaka_message_t *this); + + /** + * Get the subtype of an EAP-SIM message. + * + * @return subtype of message + */ + simaka_subtype_t (*get_subtype)(simaka_message_t *this); + + /** + * Create an enumerator over message attributes. 
+ * + * @return enumerator over (simaka_attribute_t, chunk_t) + */ + enumerator_t* (*create_attribute_enumerator)(simaka_message_t *this); + + /** + * Append an attribute to the EAP-SIM message. + * + * Make sure to pass only data of correct length for the given attribute. + * + * @param type type of attribute to add to message + * @param data unpadded attribute data to add + */ + void (*add_attribute)(simaka_message_t *this, simaka_attribute_t type, + chunk_t data); + + /** + * Parse a message, with optional attribute decryption. + * + * This method does not verify message integrity, as the key is available + * only after the payload has been parsed. It might be necessary to call + * parse twice, as key derivation data in EAP-SIM/AKA is in the same + * packet as encrypted data. + * + * @param crypto EAP-SIM/AKA crypto helper + * @return TRUE if message parsed successfully + */ + bool (*parse)(simaka_message_t *this); + + /** + * Verify the message integrity of a parsed message. + * + * @param crypto EAP-SIM/AKA crypto helper + * @param sigdata additional data to include in signature, if any + * @return TRUE if message integrity check successful + */ + bool (*verify)(simaka_message_t *this, chunk_t sigdata); + + /** + * Generate a message, optionally encrypt attributes and create a MAC. + * + * @param sigdata additional data to include in signature, if any + * @return generated eap payload, NULL if failed + */ + eap_payload_t* (*generate)(simaka_message_t *this, chunk_t sigdata); + + /** + * Destroy a simaka_message_t. + */ + void (*destroy)(simaka_message_t *this); +}; + +/** + * Create an empty simaka_message. 
+ * + * @param request TRUE for a request message, FALSE for a response + * @param identifier EAP message identifier + * @param type EAP type: EAP-SIM or EAP-AKA + * @param subtype subtype of the EAP message + * @param crypto EAP-SIM/AKA crypto helper + * @return empty message of requested kind, NULL on error + */ +simaka_message_t *simaka_message_create(bool request, u_int8_t identifier, + eap_type_t type, simaka_subtype_t subtype, + simaka_crypto_t *crypto); + +/** + * Create an simaka_message from a chunk of data. + * + * @param payload payload to create message from + * @param crypto EAP-SIM/AKA crypto helper + * @return EAP message, NULL on error + */ +simaka_message_t *simaka_message_create_from_payload(eap_payload_t *payload, + simaka_crypto_t *crypto); + +#endif /** SIMAKA_MESSAGE_H_ @}*/ |
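Review bot: The doc comments on `parse` and `verify` both list `@param crypto EAP-SIM/AKA crypto helper`, but neither method takes such a parameter — the helper is bound once at construction by `simaka_message_create`/`simaka_message_create_from_payload` — so the two stale `@param crypto` lines should be dropped. `generate` is documented as returning `NULL if failed`, yet the implementation in simaka_message.c always returns `eap_payload_create_data(out)` and encodes into fixed 1024/512-byte stack buffers with no bounds checks, so the contract should either document that it cannot fail or be made to fail; in the same spirit the `add_attribute` doc should spell out that the total encoded size must stay within those buffers and that AT_NOTIFICATION, AT_COUNTER, AT_CLIENT_ERROR_CODE, AT_SELECTED_VERSION, AT_NONCE_S, AT_NONCE_MT, AT_AUTN and AT_AUTS data are copied with a fixed length that nothing validates. `verify` should also note that it zeros the AT_MAC bytes inside the parsed message in place, so it must be called at most once per message: `@note Zeroes the AT_MAC attribute in the stored message; call at most once.`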