Fixd bugs of RFC4285 support on Home agent

- Binding Ack. didn't involve MN-HA option
- HA address instead of HoA was used for calculating an authenticator of MN-HA option in BA.
- Most fields of BCE were not updated when the BCE status was 'under auth'
- Calculation code of First(96, SHA1(data)) was moved to common.c so that the HA can also use it.
commit 836dec9500997ac533057a3613078bb2c87cce39 1 parent 7e26b3e
t-momose authored
274 kame/kame/shisad/auth.c
@@ -1,4 +1,4 @@
-/* $KAME: auth.c,v 1.1 2006/06/09 11:29:58 t-momose Exp $ */
+/* $KAME: auth.c,v 1.2 2006/08/02 11:00:56 t-momose Exp $ */
/*
* Copyright (C) 2006 WIDE Project. All rights reserved.
@@ -31,6 +31,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <unistd.h>
#include <ctype.h>
#include <poll.h>
#include <syslog.h>
@@ -45,30 +46,46 @@
#include "callout.h"
#include "fdlist.h"
#include "shisad.h"
+#include "command.h"
+#include "config.h"
LIST_HEAD(haauth_users_head, haauth_users) haauth_users_head = LIST_HEAD_INITIALIZER(haauth_users_head);
+struct sockaddr_in6 aaa_server = {sizeof(struct sockaddr_in6), AF_INET6, 0, 0};
static int ha_auth(struct in6_addr *, struct in6_addr *,
struct ip6_mh_opt_authentication *, struct ip6_mh *,
mip6_authenticator_t *);
-void aaa_auth_start(void);
-int aaa_auth_done(int);
+void aaa_auth_start(struct in6_addr *, struct in6_addr *,
+ struct ip6_mh_opt_mn_id *, struct ip6_mh *);
+int aaa_auth_reply_from_aaa(int);
static void ha_auth_init();
static void aaa_auth_init();
+#if 0
+static void aaa_auth_done(int);
+#endif
+static int get_secret(char *, int, u_int8_t *, int *);
-char *auth_database = "/usr/local/v6/etc/authdata";
+char *auth_database = SYSCONFDIR "/authdata";
void
-auth_init()
+auth_init(if_params, config_params)
+ struct config_entry *if_params;
+ struct config_entry *config_params;
{
+ if (if_params != NULL) {
+ config_get_string(CFT_AUTHDATABASE, &auth_database, if_params);
+ }
+ if (config_params != NULL) {
+ config_get_string(CFT_AUTHDATABASE, &auth_database, config_params);
+ }
+
ha_auth_init();
aaa_auth_init();
}
/*
- return value:
- status codes of BA
+ return value: status code of BA
*/
int
auth_opt(hoa, coa, mh, mopt, authmethod, authmethod_done)
@@ -88,26 +105,30 @@ auth_opt(hoa, coa, mh, mopt, authmethod, authmethod_done)
switch (mopt_auth->ip6moauth_subtype) {
case IP6_MH_AUTHOPT_SUBTYPE_MNHA:
- /* To authorize:
- pick parameters
- calculate authenticate
+ /* pick parameters and
+ calculate authenticator with
+ the parameters to authenticate.
*/
*authmethod |= BC_AUTH_MNHA;
if (ha_auth(hoa, coa, mopt_auth, mh, &authenticator) == 0 &&
- memcmp((caddr_t)&authenticator, (caddr_t)(mopt_auth + 1), MIP6_AUTHENTICATOR_SIZE) == 0)
+ memcmp((caddr_t)&authenticator, (caddr_t)(mopt_auth + 1), MIP6_AUTHENTICATOR_SIZE) == 0) {
statuscode = IP6_MH_BAS_ACCEPTED;
- else
+ } else {
statuscode = IP6_MH_BAS_AUTH_FAIL;
+ syslog(LOG_ERR, "authenticator received from BU: %s",
+ hexdump(mopt_auth + 1, MIP6_AUTHENTICATOR_SIZE));
+ syslog(LOG_ERR, "Calculated authenticator: %s",
+ hexdump(&authenticator, MIP6_AUTHENTICATOR_SIZE));
+ }
*authmethod_done |= BC_AUTH_MNHA;
break;
case IP6_MH_AUTHOPT_SUBTYPE_MNAAA:
- /* To authorize: send a query to an AAA later.
+ /* To authorize: send a query to an AAA server.
This is an asynchoronous process because an
AAA server is usually another entity.
*/
- /* Make a query here */
- aaa_auth_start();
+ aaa_auth_start(hoa, coa, mopt->opt_mnid, mh);
*authmethod |= BC_AUTH_MNAAA;
break;
@@ -135,15 +156,20 @@ ha_auth(hoa, coa, mopt_auth, mh, authenticator)
struct haauth_users *hausers;
hausers = find_haauth_users(ntohl(mopt_auth->ip6moauth_mobility_spi));
- if (hausers == NULL)
+ if (hausers == NULL) {
+ syslog(LOG_INFO, "No such user(spi=%d) was registered",
+ ntohl(mopt_auth->ip6moauth_mobility_spi));
return (-1);
+ }
cksum = mh->ip6mh_cksum;
mh->ip6mh_cksum = 0;
- mip6_calculate_authenticator((mip6_kbm_t *)hausers->sharedkey, hoa, coa,
- (caddr_t)mh, (mh->ip6mh_len + 1) << 3,
- (caddr_t)(mopt_auth + 1) - (caddr_t)mh,
- MIP6_AUTHENTICATOR_SIZE, authenticator);
+ calculate_authenticator(hausers->sharedkey, hausers->keylen, coa, hoa,
+ (caddr_t)mh,
+ (caddr_t)(mopt_auth + 1) - (caddr_t)mh,
+ (caddr_t)(mopt_auth + 1) - (caddr_t)mh,
+ 0,
+ (u_int8_t *)authenticator, MIP6_AUTHENTICATOR_SIZE);
mh->ip6mh_cksum = cksum;
return (0);
@@ -163,6 +189,56 @@ find_haauth_users(spi)
return (NULL);
}
+static int
+get_secret(sharedkeyp, secretkey_size, secretkey, keylen)
+ char *sharedkeyp;
+ int secretkey_size;
+ u_int8_t *secretkey;
+ int *keylen;
+{
+ if (*sharedkeyp == '\'' || *sharedkeyp == '\"') {
+ int i = 0;
+
+ sharedkeyp++;
+ while (sharedkeyp[i] != '\'' && sharedkeyp[i] != '\"'
+ && i < secretkey_size) {
+ i++;
+ }
+ if (sharedkeyp[i] != '\'' && sharedkeyp[i] != '\"') {
+ syslog(LOG_WARNING, "shared key is too long. truncated.");
+ i = secretkey_size;
+ }
+ memcpy(secretkey, sharedkeyp, i);
+ *keylen = i;
+ } else if (*sharedkeyp == '0' && *(sharedkeyp + 1) == 'x') {
+ /* it might be a sequence of hex */
+ char *ep;
+ char *hexchr = "0123456789ABCDEFabcdef";
+ int loopend = 0, i = 0;
+ u_int v;
+
+ sharedkeyp += 2;
+ ep = sharedkeyp + strlen(sharedkeyp);
+ do {
+ if (!strchr(hexchr, *sharedkeyp) ||
+ !strchr(hexchr, *(sharedkeyp + 1)))
+ loopend = 1;
+ sscanf(sharedkeyp, "%2x", &v);
+ ((u_int8_t *)secretkey)[i++]
+ = v & 0xff;
+ sharedkeyp += 2;
+ } while (i < secretkey_size && (sharedkeyp < ep) && !loopend);
+ if (i == secretkey_size && sharedkeyp < ep)
+ syslog(LOG_WARNING, "shared key is too long. truncated.");
+ *keylen = i;
+ } else {
+ syslog(LOG_ERR, "No secret was found");
+ return (-1);
+ }
+
+ return (0);
+}
+
/*
Read and construct MN-HA authenticator database
@@ -170,14 +246,14 @@ find_haauth_users(spi)
---
# the line started '#' shows comment.
# one data is described in one line. spi followed by shared key separated by space
-10000 'shared-key in 20byte' # byte's' is trimmed
-10001 0x0102030405060708090a0b0c0d0e0f10111213
+10000 'shared-key in 16' # The string 'bytes' to be trailed is trimmed
+10001 0x0102030405060708090a0b0c0d0e0f10
---
*/
static void
ha_auth_init()
{
- char *p, *spip, *sharedkeyp, *last;
+ char *p, *spip, *last;
char read_buffer[1024];
FILE *keytable;
struct haauth_users *hausers;
@@ -188,8 +264,14 @@ ha_auth_init()
}
while (fgets(read_buffer, sizeof(read_buffer), keytable) != NULL) {
- if ((p = strchr(read_buffer, '\n')) == NULL)
+ int base = 10;
+
+ read_buffer[sizeof(read_buffer) - 1] = '\0';
+ if ((p = strchr(read_buffer, '\n')) == NULL &&
+ strlen(read_buffer) >= sizeof(read_buffer) - 1) {
+ syslog(LOG_ERR, "The line was too long. [%1024s]", read_buffer);
continue; /* the line was too long */
+ }
*p = '\0';
p = read_buffer;
@@ -203,62 +285,75 @@ ha_auth_init()
hausers = malloc(sizeof(*hausers));
memset(hausers, '\0', sizeof(*hausers));
- hausers->mobility_spi = atoi(spip);
-
- sharedkeyp = strtok_r(NULL, " \t", &last);
- if (*sharedkeyp == '\'' || *sharedkeyp == '\"') {
- int i = 0;
-
- sharedkeyp++;
- while (sharedkeyp[i] != '\'' && sharedkeyp[i] && '\"'
- && i < MIP6_AUTHENTICATOR_SIZE) {
- i++;
- }
- memcpy(hausers->sharedkey, sharedkeyp, i);
- } else {
- /* it might be hex */
- if (*sharedkeyp == '0' &&
- *(sharedkeyp + 1) == 'x') {
- char *ep;
- char *hexchr = "0123456789ABCDEFabcdef";
- int loopend = 0, i = 0;
- u_int v;
-
- sharedkeyp += 2;
- ep = sharedkeyp + strlen(sharedkeyp);
- do {
- if (!strchr(hexchr, *sharedkeyp) ||
- !strchr(hexchr, *(sharedkeyp + 1)))
- loopend = 1;
- sscanf(sharedkeyp, "%2x", &v);
- ((u_int8_t *)&hausers->sharedkey)[i] = v & 0xff;
- sharedkeyp += 2;
- } while ((sharedkeyp < ep) && !loopend);
- }
+ if (spip[0] == '0' && spip[1] == 'x') {
+ spip += 2; /* for '0x' */
+ base = 16;
+ }
+ hausers->mobility_spi = strtol(spip, NULL, base);
+ if (get_secret(strtok_r(NULL, " \t", &last), SECRETKEY_SIZE, hausers->sharedkey, &hausers->keylen) < 0) {
+ free(hausers);
+ continue;
}
+
+ if (debug)
+ syslog(LOG_INFO, "spi: %d [%s]\n",
+ hausers->mobility_spi,
+ hexdump(hausers->sharedkey, hausers->keylen));
LIST_INSERT_HEAD(&haauth_users_head, hausers, hauthusers_entry);
}
fclose(keytable);
}
-int aaa_socket;
+void
+command_show_authdata(s, dummy)
+ int s;
+ char *dummy;
+{
+ struct haauth_users *hausers;
+
+ command_printf(s, "Authentication database\n");
+ LIST_FOREACH(hausers, &haauth_users_head, hauthusers_entry) {
+ command_printf(s, "%d [%s]\n",
+ hausers->mobility_spi,
+ hexdump(hausers->sharedkey, hausers->keylen));
+ }
+}
static void
aaa_auth_init()
{
- /* Normally, the function will do following process:
- 1) Open socket to the AAA server
- 2) register it's handle
- */
-// new_fd_list(aaa_socket, POLLIN, aaa_auth_done);
}
void
-aaa_auth_start()
+aaa_auth_start(hoa, coa, mopt_mnid, mh)
+ struct in6_addr *hoa, *coa;
+ struct ip6_mh_opt_mn_id *mopt_mnid;
+ struct ip6_mh *mh;
{
- /* Send a query packet here with the aaa_socket */
- /* And start a timer to resend if needed */
+#if 0
+ int mnid_len;
+ char *mnid;
+
+ if ((mopt_mnid == NULL) ||
+ (mopt_mnid->ip6mnmnid_subtype != 1)) {
+ syslog(LOG_ERR, "No MN ID option was found.");
+ return;
+ }
+ mnid_len = mopt_mnid->ip6momnid_len - 1; /* '-1' is for the subtype field */
+ if (mnid_len <= 0) {
+ syslog(LOG_ERR, "MN ID length is too short.");
+ return;
+ }
+ mnid = (char *)(mopt_mnid + 1);
+
+ if ((aaa_socket = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
+ syslog(LOG_ERR,
+ "Opening UDP socket to the AAA server was failed.");
+ return;
+ }
+ new_fd_list(aaa_socket, POLLIN, aaa_auth_reply_from_aaa);
+#endif
}
void
@@ -271,41 +366,56 @@ aaa_auth_stop()
* indicates a socket to talk an AAA server.
*
* What implementors should do here are:
- * 1)
+ * 1) Receive a reply packet from AAA
+ * 2) Validate the message in the packet
+ * 3) Judge the result from the AAA
+ * 4) Pass to aaa_auth_done()
*/
int
-aaa_auth_done(fd)
+aaa_auth_reply_from_aaa(fd)
int fd;
{
-#if 0
- struct binding_cache *bc;
+#if 0
+ /* Judge the result from the AAA */
+ aaa_auth_done(success);
+#endif
+ return (0);
+}
+
+#if 0
+static void
+aaa_auth_done(success)
+ int success;
+{
+ struct binding_cache *bc = NULL;
+
+ /* Find a binding cache somehow */
+
+ if (!bc)
+ return;
- bc = find_bc_somehow();
-
- /* Judge the validity of this result somehow */
-
if (success) {
/* the authentication was succeeded. */
- bc->authmethod_done |= BC_AUTH_MNAAA;
- if (bc->authmethod ^ bc->authmethod_done == 0)
+ bc->bc_authmethod_done |= BC_AUTH_MNAAA;
+ if ((bc->bc_authmethod ^ bc->bc_authmethod_done) == 0)
bc->bc_state &= ~BC_STATE_UNDER_AUTH;
- mip6_bc_validate(bc);
+ mip6_validate_bc(bc);
if ((bc->bc_state == BC_STATE_VALID) &&
- !IN6_IS_ADDR_LINKLOCAL(addr)) {
+ !IN6_IS_ADDR_LINKLOCAL(&bc->bc_hoa)) {
if (bc->bc_flags & (IP6_MH_BU_ACK | IP6_MH_BU_HOME))
send_ba(&bc->bc_myaddr, &bc->bc_realcoa,
&bc->bc_coa, &bc->bc_hoa, bc->bc_flags,
NULL, IP6_MH_BAS_ACCEPTED,
- bc->bc_seqno, bc->bc_lifetime, bc->bc_bid, 0);
+ bc->bc_seqno, bc->bc_lifetime, 0, 0/*bc->bc_bid*/, bc->bc_mobility_spi);
}
} else {
/* the authentication was failed. */
send_ba(&bc->bc_myaddr, &bc->bc_realcoa,
&bc->bc_coa, &bc->bc_hoa, bc->bc_flags,
- NULL, IP6_MH_BAS_XXX,
- bc->bc_seqno, bc->bc_lifetime, bc->bc_bid, 0);
+ NULL, IP6_MH_BAS_AUTH_FAIL,
+ bc->bc_seqno, bc->bc_lifetime, 0, 0/*bc->bc_bid*/, bc->bc_mobility_spi);
mip6_bc_delete(bc);
}
-#endif
- return 0;
+
}
+#endif
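Review bot: In ha_auth_init the new length check lets `*p = '\0'` run with p == NULL when the last line of the key file has no trailing newline but is shorter than the buffer, because `continue` now fires only when both conditions hold; guard it as `if (p != NULL) *p = '\0';`. The same hunk hands the result of `strtok_r(NULL, " \t", &last)` straight to get_secret, which reads `*sharedkeyp` without a NULL test, so a line holding only an SPI crashes the daemon; add `if (sharedkeyp == NULL) return (-1);` at the top of get_secret. get_secret's quoted-key scan also never stops at `'\0'`, so a key missing its closing quote — or one containing whitespace, which strtok_r has already split, as in the sample line `10000 'shared-key in 16'` — copies bytes past the token into the key; extend the loop condition to `sharedkeyp[i] != '\0' && sharedkeyp[i] != '\'' && sharedkeyp[i] != '\"' && i < secretkey_size`. Separately, the two LOG_ERR lines added in auth_opt print both the received and the freshly computed authenticator for every failed BU; since the computed value is a valid MAC for that message under the shared key, those lines belong under `if (debug)` rather than in the default log, and the memcmp just above them would be better done as a constant-time comparison.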
19 kame/kame/shisad/binding.c
@@ -1,4 +1,4 @@
-/* $KAME: binding.c,v 1.30 2006/06/09 11:29:58 t-momose Exp $ */
+/* $KAME: binding.c,v 1.31 2006/08/02 11:00:56 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project. All rights reserved.
@@ -90,7 +90,6 @@ static void command_show_bul_one(int, struct binding_update_list *);
struct binding_cache_head bchead;
static void mip6_bc_set_refresh_timer(struct binding_cache *, int);
static void mip6_bc_stop_refresh_timer(struct binding_cache *);
-static void mip6_validate_bc(struct binding_cache *);
int do_proxy_dad = 1;
@@ -149,17 +148,20 @@ mip6_bc_add(hoa, coa, recvaddr, lifetime, flags, seqno, bid, authmethod, authmet
if (bc) {
bc->bc_authmethod = authmethod;
bc->bc_authmethod_done = authmethod_done;
- if ((authmethod ^ authmethod_done) != 0) {
- bc->bc_state |= BC_STATE_UNDER_AUTH;
- return (NULL);
- }
bc->bc_myaddr = *recvaddr;
bc->bc_lifetime = lifetime;
bc->bc_flags = flags;
bc->bc_seqno = seqno;
- /* update BC in the kernel via mipsock */
bc->bc_coa = *coa;
+ bc->bc_mobility_spi = mobility_spi;
+
+ if ((authmethod ^ authmethod_done) != 0) {
+ bc->bc_state |= BC_STATE_UNDER_AUTH;
+ return (bc);
+ }
+
+ /* update BC in the kernel via mipsock */
mipsock_bc_request(bc, MIPM_BC_UPDATE);
bc->bc_expire = now + bc->bc_lifetime;
@@ -198,6 +200,7 @@ mip6_bc_add(hoa, coa, recvaddr, lifetime, flags, seqno, bid, authmethod, authmet
#ifdef MIP_MCOA
bc->bc_bid = bid;
#endif /* MIP_MCOA */
+ bc->bc_mobility_spi = mobility_spi;
if (bc->bc_state & BC_STATE_UNDER_DAD) {
/* do dad start */
@@ -211,7 +214,7 @@ mip6_bc_add(hoa, coa, recvaddr, lifetime, flags, seqno, bid, authmethod, authmet
return (bc);
}
-static void
+void
mip6_validate_bc(bc)
struct binding_cache *bc;
{
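Review bot: mip6_bc_add now overwrites bc_coa, bc_lifetime, bc_seqno, bc_flags and bc_myaddr of an existing entry before the `(authmethod ^ authmethod_done) != 0` check, so a BU whose MN-AAA authentication has not completed — and may later fail — already replaces the cached, previously authenticated binding in user space while the kernel (updated only after the check) keeps the old one. If that pending authentication fails, the (still `#if 0`) aaa_auth_done stub in auth.c deletes the entry, so an unauthenticated BU can evict a valid binding, and any sequence-number or care-of comparison made on the entry in the meantime runs against unverified values; this is inferred from the visible code, so please confirm against the caller in mh.c. A safer shape is to park the incoming values in a pending area of the entry (a field such as `bc_pending_coa`, name constructed) and commit them when `(bc->bc_authmethod ^ bc->bc_authmethod_done) == 0`. The assignment `bc->bc_mobility_spi = mobility_spi;` relies on a parameter that is cut off in the hunk header, so I cannot confirm it was added to the signature; mip6_bc_add's body begins and ends outside the hunks.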
4 kame/kame/shisad/cnd.c
@@ -1,4 +1,4 @@
-/* $KAME: cnd.c,v 1.14 2006/05/05 15:51:17 t-momose Exp $ */
+/* $KAME: cnd.c,v 1.15 2006/08/02 11:00:56 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project.
@@ -159,7 +159,7 @@ main(argc, argv)
/* initialization */
fdlist_init();
- if (command_init("cn> ", command_table, sizeof(command_table) / sizeof(struct command_table), command_port) < 0) {
+ if (command_init("cn> ", command_table, sizeof(command_table) / sizeof(struct command_table), command_port, NULL) < 0) {
fprintf(stderr, "Unable to open user interface\n");
}
cn_lists_init();
98 kame/kame/shisad/common.c
@@ -1,4 +1,4 @@
-/* $KAME: common.c,v 1.28 2006/04/10 15:30:53 t-momose Exp $ */
+/* $KAME: common.c,v 1.29 2006/08/02 11:00:56 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project. All rights reserved.
@@ -58,6 +58,10 @@
#include <net/mipsock.h>
#include <arpa/inet.h>
+#include <openssl/sha.h>
+#include <openssl/hmac.h>
+#include <openssl/rand.h>
+
#include "callout.h"
#include "command.h"
#include "stat.h"
@@ -1298,3 +1302,95 @@ command_show_stat(s, line)
PS("Routing Header type 2", mip6stat.mip6s_orthdr2);
PS("reverse tunneled output", mip6stat.mip6s_orevtunnel);
}
+
+#define DUMP 0
+
+/*
+ * <------------------ datalen ------------------->
+ * <-- exclude_data_len --->
+ * ---------------+-----------------------+--------
+ * ^ <-- -->
+ * data The area excluded from calculation Auth.
+ * - - - - - - - ->
+ * exclude_offset
+ *
+ * If you don't need to exclude any area, you have to
+ * specify as follows:
+ * exclude_offset: same as datalen
+ * exclude_data_len: 0
+ */
+void
+calculate_authenticator(key, keylen, addr1, addr2, data, datalen,
+ exclude_offset, exclude_data_len,
+ authenticator, authenticator_len)
+ u_int8_t *key;
+ size_t keylen;
+ struct in6_addr *addr1, *addr2;
+ caddr_t data;
+ size_t datalen;
+ int exclude_offset;
+ size_t exclude_data_len;
+ u_int8_t *authenticator;
+ size_t authenticator_len;
+{
+ int restlen;
+ HMAC_CTX hmac_ctx;
+ u_int8_t sha1result[20];
+
+#if DUMP
+ if (debug) {
+ syslog(LOG_INFO, "key = %s\n",
+ hexdump(key, keylen));
+ syslog(LOG_INFO, "addr1 = %s\n",
+ ip6_sprintf(addr1));
+ syslog(LOG_INFO, "addr2 = %s\n",
+ ip6_sprintf(addr2));
+ syslog(LOG_INFO, "datalen = %d\n", datalen);
+ syslog(LOG_INFO, "exclude_offset = %d\n", exclude_offset);
+ syslog(LOG_INFO, "exclude_data_len = %d\n", exclude_data_len);
+ }
+#endif
+
+#ifndef __NetBSD__
+ HMAC_CTX_init(&hmac_ctx);
+#endif
+ HMAC_Init(&hmac_ctx, (u_int8_t *)key, keylen, EVP_sha1());
+ HMAC_Update(&hmac_ctx, (u_int8_t *)addr1, sizeof(*addr1));
+#if DUMP
+ syslog(LOG_INFO, "addr1: %s", hexdump((u_int8_t *)addr1, sizeof(*addr1)));
+#endif
+ HMAC_Update(&hmac_ctx, (u_int8_t *)addr2, sizeof(*addr2));
+#if DUMP
+ syslog(LOG_INFO, "addr2: %s", hexdump((u_int8_t *)addr2, sizeof(*addr2)));
+#endif
+ HMAC_Update(&hmac_ctx, (u_int8_t *)data, exclude_offset);
+#if DUMP
+ syslog(LOG_INFO, "data: %s", hexdump((u_int8_t *)data, exclude_offset));
+#endif
+
+ /*
+ * Exclude authdata field in the mobility option to calculate
+ * authdata But it should be included padding area
+ */
+
+ restlen = datalen - (exclude_offset + exclude_data_len);
+ if (restlen > 0) {
+ HMAC_Update(&hmac_ctx,
+ (u_int8_t *) data + exclude_offset + exclude_data_len,
+ restlen);
+#if DUMP
+ syslog(LOG_INFO, "restdata: %s", hexdump((u_int8_t *) data + exclude_offset + exclude_data_len, restlen));
+#endif
+ }
+
+ HMAC_Final(&hmac_ctx, (u_int8_t *)sha1result, NULL);
+
+ /* First96 */
+ memcpy((void *)authenticator, (const void *)sha1result,
+ authenticator_len);
+#if DUMP
+ if (debug)
+ syslog(LOG_INFO, "authenticator = %s\n",
+ hexdump(authenticator, authenticator_len));
+#endif
+}
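Review bot: calculate_authenticator never calls `HMAC_CTX_cleanup(&hmac_ctx);` after HMAC_Final, so the digest state that HMAC_Init sets up inside hmac_ctx is not released on any BU/BA and the keyed context is left behind on the stack; add the call after HMAC_Final, under the same `#ifndef __NetBSD__` guard as HMAC_CTX_init if that guard exists because the NetBSD build lacks those helpers (I cannot tell from the hunk). The function is now a public helper taking an arbitrary authenticator_len, but sha1result is a fixed 20 bytes, so a caller asking for more than that reads past it; clamp with `if (authenticator_len > sizeof(sha1result)) authenticator_len = sizeof(sha1result);` before the memcpy. exclude_offset is a signed int that is passed straight to HMAC_Update as a length and subtracted from a size_t, so a negative or out-of-range value derived from a malformed mobility header becomes a huge read; validate `exclude_offset >= 0 && (size_t)exclude_offset + exclude_data_len <= datalen` up front, and consider returning int so callers can drop the packet, since the void return currently gives them no failure signal — that contract is worth stating in the header comment either way. The `#if DUMP` block writes the shared key in hex to syslog; it should stay compiled out and would be better removed.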
20 kame/kame/shisad/had.c
@@ -1,4 +1,4 @@
-/* $KAME: had.c,v 1.34 2006/06/09 11:29:58 t-momose Exp $ */
+/* $KAME: had.c,v 1.35 2006/08/02 11:00:56 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project.
@@ -118,6 +118,9 @@ struct command_table show_command_table[] = {
{"hal", command_show_hal, "Home Agent List"},
{"callout", show_callout_table, "show callout table"},
{"config", command_show_config, "show current configuration for the HA"},
+#ifdef AUTHID
+ {"auth", command_show_authdata, "show authentication database"},
+#endif
{NULL}
};
@@ -137,6 +140,8 @@ struct command_table command_table[] = {
{"flush", NULL, "Flush stat, bc, hal", flush_command},
};
+extern int pager_mode;
+
void
ha_usage(path)
char *path;
@@ -204,15 +209,19 @@ main(argc, argv)
config_get_interface(ifname, &if_params, config_params);
if (if_params != NULL) {
config_get_number(CFT_DEBUG, &debug, if_params);
+ config_get_number(CFT_NAMELOOKUP, &namelookup, if_params);
config_get_number(CFT_COMMANDPORT, &command_port, if_params);
+ config_get_number(CFT_DAD, &do_proxy_dad, if_params);
config_get_number(CFT_PREFERENCE, &preference, if_params);
config_get_number(CFT_KEYMANAGEMENT, &keymanagement,
if_params);
}
if (config_params != NULL) {
config_get_number(CFT_DEBUG, &debug, config_params);
+ config_get_number(CFT_NAMELOOKUP, &namelookup, config_params);
config_get_number(CFT_COMMANDPORT, &command_port,
config_params);
+ config_get_number(CFT_DAD, &do_proxy_dad, config_params);
config_get_number(CFT_PREFERENCE, &preference, config_params);
config_get_number(CFT_KEYMANAGEMENT, &keymanagement,
config_params);
@@ -226,7 +235,7 @@ main(argc, argv)
/* Various Initialization */
fdlist_init();
command_init("ha> ", command_table,
- sizeof(command_table) / sizeof(struct command_table), 7778);
+ sizeof(command_table) / sizeof(struct command_table), command_port, if_params);
/* register signal handlers. */
signal(SIGTERM, terminate);
@@ -258,7 +267,7 @@ main(argc, argv)
mip6_bc_init();
#ifdef AUTHID
if (use_authid)
- auth_init();
+ auth_init(if_params, config_params);
#endif /* AUTHID */
/* notify a kernel to behave as a home agent. */
@@ -606,14 +615,17 @@ command_show_config(s, dummy)
char *dummy;
{
command_printf(s, "Current configuration\n");
- command_printf(s, "debug: %s\n", debug ? "true" : "false");
+ command_printf(s, "debug: %s\n", debug ? "on" : "off");
command_printf(s, "name lookup: %s\n", namelookup ? "true" : "false");
command_printf(s, "command port: %d\n", command_port);
+#ifndef AUTHID
command_printf(s, "key management: %s\n", keymanagement ? "true" : "false");
+#endif
#ifdef MIP_IPV4MNPSUPPORT
command_printf(s, "ipv4mnpsupport: %s\n", ipv4mnpsupport ? "true" : "false");
#endif /* MIP_IPV4MNPSUPPORT */
command_printf(s, "proxy DAD: %s\n", do_proxy_dad ? "true" : "false");
+ command_printf(s, "pager mode: %s\n", pager_mode ? "true" : "false");
}
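Review bot: The new `auth` entry in show_command_table exposes command_show_authdata, which (in auth.c) prints every MN-HA shared key in hex to the command socket, so anyone who can reach command_port can read the secrets that authenticate every mobile node; unless that interface is restricted to trusted local users — which nothing in this diff shows — the command should print only the SPI and key length, e.g. `command_printf(s, "%u keylen=%d\n", hausers->mobility_spi, hausers->keylen);`. Passing `if_params` into command_init lets it pick up interface-level settings, but if_params stays NULL when config_get_interface finds no block; please confirm command_init tolerates NULL (cnd.c passes NULL explicitly, so presumably it does). The `debug` line in command_show_config now prints `on`/`off` while every neighbouring line prints `true`/`false`; keep one vocabulary. `extern int pager_mode;` belongs in the header that declares the other command-module symbols rather than as a file-local extern.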
int
43 kame/kame/shisad/mh.c
@@ -1,4 +1,4 @@
-/* $KAME: mh.c,v 1.55 2006/06/09 11:29:58 t-momose Exp $ */
+/* $KAME: mh.c,v 1.56 2006/08/02 11:00:56 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project. All rights reserved.
*
@@ -310,9 +310,8 @@ syslog(LOG_INFO, "XXXX %s:%d", __FILE__, __LINE__);
sizeof(struct in6_addr));
}
-
mh = (struct ip6_mh *)buf;
- mhlen = (mh->ip6mh_len + 1) << 3;
+ mhlen = (mh->ip6mh_len + 1) << 3;
if (debug) {
int mhtype;
@@ -800,7 +799,7 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
auth_opt(hoa, coa, (struct ip6_mh *)bu, &mopt,
&authmethod, &authmethod_done);
- mobility_spi = mopt.mnha_auth->ip6moauth_mobility_spi;
+ mobility_spi = ntohl(mopt.mnha_auth->ip6moauth_mobility_spi);
}
#else /* AUTHID */
/* go thorough (assuming IPsec protection in the kernel) */
@@ -1011,7 +1010,7 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
}
bc->bc_realcoa = *retcoa;
- if (bc->bc_state & BC_STATE_UNDER_DAD)
+ if (bc->bc_state & (BC_STATE_UNDER_DAD | BC_STATE_UNDER_AUTH))
return (0);
}
retcode = 0;
@@ -1756,7 +1755,7 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
struct ip6_mh_opt_authentication *auth_opt;
mip6_authenticator_t *authenticator;
- pad = MIP6_PADLEN(buflen, 8, 2); /* 8n+2 */
+ pad = MIP6_PADLEN(buflen, 4, 1); /* 4n+1 */
MIP6_FILL_PADDING(bufp + buflen, pad);
buflen += pad;
@@ -1765,6 +1764,8 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
auth_opt->ip6moauth_len =
sizeof(struct ip6_mh_opt_authentication)
- sizeof(struct ip6_mh_opt) + MIP6_AUTHENTICATOR_SIZE;
+ auth_opt->ip6moauth_subtype = IP6_MH_AUTHOPT_SUBTYPE_MNHA;
+ auth_opt->ip6moauth_mobility_spi = htonl(mobility_spi);
buflen += sizeof(*auth_opt);
buflen += MIP6_AUTHENTICATOR_SIZE;
@@ -1776,7 +1777,7 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
bap->ip6mhba_hdr.ip6mh_len = (buflen >> 3) - 1;
bap->ip6mhba_hdr.ip6mh_cksum = 0;
- /* Alignment 8n to sit the end of the packet */
+ /* Alignment 8n to sit at the end of the packet */
pad = MIP6_PADLEN(buflen, 8, 0);
MIP6_FILL_PADDING(bufp + buflen, pad);
buflen += pad;
@@ -1785,14 +1786,26 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
(bufp + (buflen - MIP6_AUTHENTICATOR_SIZE - pad));
hausers = find_haauth_users(mobility_spi);
- mip6_calculate_authenticator((mip6_kbm_t *)hausers->sharedkey,
- (acoa) ? acoa : coa,
- src,
- (caddr_t)bufp,
- buflen,
- buflen - pad - MIP6_AUTHENTICATOR_SIZE,
- MIP6_AUTHENTICATOR_SIZE,
- authenticator);
+ if (!hausers)
+ syslog(LOG_ERR, "No authentication data for spi:%d was found.", mobility_spi);
+ else
+#if 0
+ calculate_authenticator(hausers->sharedkey, hausers->keylen,
+ (acoa) ? acoa : coa,
+ hoa, (caddr_t)bufp,
+ buflen,
+ buflen - pad - MIP6_AUTHENTICATOR_SIZE,
+ MIP6_AUTHENTICATOR_SIZE,
+ (u_int8_t *)authenticator, MIP6_AUTHENTICATOR_SIZE);
+#else
+ calculate_authenticator(hausers->sharedkey, hausers->keylen,
+ (acoa) ? acoa : coa,
+ hoa, (caddr_t)bufp,
+ buflen,
+ buflen - pad - MIP6_AUTHENTICATOR_SIZE,
+ MIP6_AUTHENTICATOR_SIZE,
+ (u_int8_t *)authenticator, MIP6_AUTHENTICATOR_SIZE);
+#endif
/* MN-AAA isn't needed as described RFC4285 5.2 */
}
#endif /* MIP_HA && AUTHID */
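Review bot: In send_ba the `#if 0` and `#else` arms added around calculate_authenticator are byte-for-byte identical, so one copy is dead text that will drift from the other; keep a single call and drop the conditional. On the `!hausers` branch the function only logs, yet the MN-HA authentication option and its MIP6_AUTHENTICATOR_SIZE bytes were already appended to the buffer above, so the BA is still sent with an authenticator field that was never written (whatever bufp happened to hold); either return before sending or build the BA without the option in that case, and use `%u` for the u_int32_t spi in that syslog. The `ntohl()` added around `mopt.mnha_auth->ip6moauth_mobility_spi` in receive_bu is correct, but it dereferences mnha_auth unconditionally — if a BU can reach this point without an MN-HA option the pointer is presumably NULL, which I cannot confirm from the hunk. send_ba's and receive_bu's bodies extend outside the hunks.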
4 kame/kame/shisad/mnd.c
@@ -1,4 +1,4 @@
-/* $KAME: mnd.c,v 1.34 2006/04/13 10:04:34 keiichi Exp $ */
+/* $KAME: mnd.c,v 1.35 2006/08/02 11:00:56 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project.
@@ -292,7 +292,7 @@ main(argc, argv)
fdlist_init();
csock = command_init("mn> ", command_table,
sizeof(command_table) / sizeof(struct command_table),
- command_port);
+ command_port, if_params);
if (csock < 0) {
fprintf(stderr, "Unable to open user interface\n");
}
4 kame/kame/shisad/rr.c
@@ -1,4 +1,4 @@
-/* $KAME: rr.c,v 1.6 2006/04/25 11:11:13 keiichi Exp $ */
+/* $KAME: rr.c,v 1.7 2006/08/02 11:00:56 t-momose Exp $ */
/*
* Copyright (C) 2005 WIDE Project. All rights reserved.
@@ -76,6 +76,7 @@ mip6_calculate_kbm(home_token, careof_token, kbm)
* - - - - - - - ->
* exclude_offset
*/
+#if 0
void
mip6_calculate_authenticator(key_bm, addr1, addr2, data, datalen,
exclude_offset, exclude_data_len, authenticator)
@@ -132,6 +133,7 @@ mip6_calculate_authenticator(key_bm, addr1, addr2, data, datalen,
syslog(LOG_INFO, "authenticator = %s\n",
hexdump(authenticator, MIP6_AUTHENTICATOR_SIZE));
}
+#endif
#ifdef MIP_CN
void
19 kame/kame/shisad/sampleconf/had.conf.sample
@@ -1,19 +1,22 @@
debug 1;
+# pager 1;
+# homelink-dad 1;
+# auth-database /usr/local/v6/etc/authdata;
interface fxp0 {
command-port 7778;
preference 10; # This directive doesn't affect the actual pref. value.
# change the value in rtadvd.conf
- prefixtable {
+# prefixtable {
# homeaddress mobilenetworkpfx pl mode bid
- 2001:200:0:8c08::328 2001:200:0:8c0a::/64 explicit 111;
- 2001:200:0:8c08::328 2001:200:0:8c0a::/64 explicit 800;
- };
+# 2001:200:0:8c08::328 2001:200:0:8c0a::/64 explicit 111;
+# 2001:200:0:8c08::328 2001:200:0:8c0a::/64 explicit 800;
+# };
- static-tunnel {
+# static-tunnel {
# if homeaddress bid
- nemo3 2001:200:0:8c08::328 111;
- nemo6 2001:200:0:8c08::328 800;
- };
+# nemo3 2001:200:0:8c08::328 111;
+# nemo6 2001:200:0:8c08::328 800;
+# };
};
33 kame/kame/shisad/shisad.h
@@ -1,4 +1,4 @@
-/* $KAME: shisad.h,v 1.38 2006/06/09 11:29:58 t-momose Exp $ */
+/* $KAME: shisad.h,v 1.39 2006/08/02 11:00:56 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project.
@@ -114,10 +114,10 @@ typedef u_int8_t mip6_authenticator_t[MIP6_AUTHENTICATOR_SIZE];
#ifndef SYSCONFDIR
#define SYSCONFDIR "/usr/local/v6/etc"
#endif
-#define CND_CONFFILE SYSCONFDIR "/shisa/cnd.conf"
-#define MND_CONFFILE SYSCONFDIR "/shisa/mnd.conf"
-#define MRD_CONFFILE SYSCONFDIR "/shisa/mrd.conf"
-#define HAD_CONFFILE SYSCONFDIR "/shisa/had.conf"
+#define CND_CONFFILE SYSCONFDIR "/cnd.conf"
+#define MND_CONFFILE SYSCONFDIR "/mnd.conf"
+#define MRD_CONFFILE SYSCONFDIR "/mrd.conf"
+#define HAD_CONFFILE SYSCONFDIR "/had.conf"
#define MND_NORO_FILE "/etc/ro.deny"
@@ -433,6 +433,7 @@ struct binding_cache {
#ifdef MIP_MCOA
u_int16_t bc_bid; /* Binding Unique Identifier */
#endif /* MIP_MCOA */
+ u_int32_t bc_mobility_spi;
};
LIST_HEAD(binding_cache_head, binding_cache);
@@ -443,12 +444,15 @@ struct nd6options {
};
extern struct nd6options ndopts;
+#define SECRETKEY_SIZE 16
+
struct haauth_users {
LIST_ENTRY(haauth_users) hauthusers_entry;
u_int32_t mobility_spi;
struct in6_addr hoa;
- u_int8_t sharedkey[20];
+ u_int8_t sharedkey[SECRETKEY_SIZE];
+ int keylen;
};
/* mh.c */
@@ -479,8 +483,16 @@ int send_mps(struct mip6_hpfxl *);
/* rr.c */
void mip6_calculate_kbm(mip6_token_t *, mip6_token_t *, mip6_kbm_t *);
+/*
void mip6_calculate_authenticator(mip6_kbm_t *, struct in6_addr *,
struct in6_addr *, caddr_t, size_t, int, size_t, mip6_authenticator_t *);
+*/
+#define mip6_calculate_authenticator(key_bm, addr1, addr2, data, datalen, \
+ exclude_offset, exclude_data_len, \
+ authenticator) \
+ calculate_authenticator((u_int8_t *)key_bm, sizeof(mip6_kbm_t), addr1, addr2,\
+ data, datalen, exclude_offset, exclude_data_len, \
+ (u_int8_t *)authenticator, MIP6_AUTHENTICATOR_SIZE);
struct mip6_nonces_info *get_nonces(u_int16_t);
struct mip6_nonces_info * generate_nonces(struct mip6_nonces_info *);
void init_nonces (void);
@@ -512,6 +524,7 @@ void mipsock_bc_request(struct binding_cache *, u_char);
void mip6_dad_order(int, struct in6_addr *);
#define mip6_dad_start(addr) mip6_dad_order(MIPM_DAD_DO, addr)
#define mip6_dad_stop(addr) mip6_dad_order(MIPM_DAD_STOP, addr)
+void mip6_validate_bc(struct binding_cache *);
void mip6_dad_done(int, struct in6_addr *);
void command_show_bc(int, char *);
void command_show_kbc(int, char *);
@@ -563,6 +576,9 @@ void hal_stop_expire_timer(struct home_agent_list *);
void command_show_stat(int, char *);
struct ip6_hdr;
struct ip6_rthdr2 *find_rthdr2(struct ip6_hdr *);
+int kernel_debug(int);
+void calculate_authenticator(u_int8_t *, size_t, struct in6_addr *,
+ struct in6_addr *, caddr_t, size_t, int, size_t, u_int8_t*, size_t);
/* cnd.c */
int cn_receive_dst_unreach(struct icmp6_hdr *);
@@ -647,16 +663,17 @@ int receive_ra(struct nd_router_advert *, size_t, int, struct in6_addr *, struct
/* auth.c */
#ifdef AUTHID
-void auth_init();
+struct config_entry;
+void auth_init(struct config_entry *, struct config_entry *);
int auth_opt(struct in6_addr *, struct in6_addr *, struct ip6_mh *,
struct mip6_mobility_options *, int *, int *);
struct haauth_users *find_haauth_users(u_int32_t);
+void command_show_authdata(int, char *);
#endif /* AUTHID */
/* other utility functions */
int inet_are_prefix_equal(void *, void *, int);
char *hexdump(void *, size_t);
const char *ip6_sprintf(const struct in6_addr *addr);
-int kernel_debug(int);
#endif /* _SHISAD_SHISAD_H_ */
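Review bot: The new `mip6_calculate_authenticator` macro ends its replacement list with a `;`, so a use such as `if (x) mip6_calculate_authenticator(...); else ...` expands to an empty statement before the `else` and fails to compile, and every ordinary call yields `;;`; drop the trailing semicolon and parenthesize the parameters in the expansion (`(key_bm)`, `(data)`, and so on). SECRETKEY_SIZE shrinks sharedkey from 20 to 16 bytes, and get_secret in auth.c truncates longer configured keys with only a warning and then uses them, so an authdata file written for the previous 20-byte sample now silently produces authenticators that never match the mobile node's; rejecting the entry instead of truncating, or at least documenting the limit next to the define, would be safer. The CND_CONFFILE/MND_CONFFILE/MRD_CONFFILE/HAD_CONFFILE paths move out of the `shisa/` subdirectory, which changes where every daemon looks for its configuration and is not mentioned in the commit message; a comment on those defines noting the relocation would help anyone upgrading.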