
RFC4285 issues updated.

 - The data format for MN-HA database was changed to include a HoA for each entry.
 - The MN-HA SA used to authenticate the BA is now selected by HoA instead of by SPI.
 - Start of work to accept a BU that carries only an MN-HA option or only an MN-AAA option.
1 parent 5ab054e commit 4c977e17b9bb12f695f5391e4b9014941ff42b53 t-momose committed Oct 20, 2006
Showing with 116 additions and 57 deletions.
  1. +72 −18 kame/kame/shisad/auth.c
  2. +2 −2 kame/kame/shisad/cftoken.l
  3. +4 −4 kame/kame/shisad/common.c
  4. +35 −32 kame/kame/shisad/mh.c
  5. +3 −1 kame/kame/shisad/shisad.h
90 kame/kame/shisad/auth.c
@@ -1,4 +1,4 @@
-/* $KAME: auth.c,v 1.2 2006/08/02 11:00:56 t-momose Exp $ */
+/* $KAME: auth.c,v 1.3 2006/10/20 07:41:15 t-momose Exp $ */
/*
* Copyright (C) 2006 WIDE Project. All rights reserved.
@@ -35,9 +35,12 @@
#include <ctype.h>
#include <poll.h>
#include <syslog.h>
+#include <netdb.h>
#include <sys/types.h>
+#include <sys/socket.h>
#include <sys/queue.h>
+#include <sys/param.h>
#include <netinet/in.h>
#include <netinet/icmp6.h>
@@ -78,6 +81,7 @@ auth_init(if_params, config_params)
if (config_params != NULL) {
config_get_string(CFT_AUTHDATABASE, &auth_database, config_params);
}
+ syslog(LOG_INFO, "auth_database: %s", auth_database);
ha_auth_init();
aaa_auth_init();
@@ -110,17 +114,20 @@ auth_opt(hoa, coa, mh, mopt, authmethod, authmethod_done)
the parameters to authenticate.
*/
*authmethod |= BC_AUTH_MNHA;
+ *authmethod_done |= BC_AUTH_MNHA;
if (ha_auth(hoa, coa, mopt_auth, mh, &authenticator) == 0 &&
memcmp((caddr_t)&authenticator, (caddr_t)(mopt_auth + 1), MIP6_AUTHENTICATOR_SIZE) == 0) {
statuscode = IP6_MH_BAS_ACCEPTED;
} else {
statuscode = IP6_MH_BAS_AUTH_FAIL;
- syslog(LOG_ERR, "authenticator received from BU: %s",
+ syslog(LOG_ERR,
+ "authenticator received from BU(Hoa:[%s], SPI=%d): %s",
+ ip6_sprintf(hoa),
+ ntohl(mopt_auth->ip6moauth_mobility_spi),
hexdump(mopt_auth + 1, MIP6_AUTHENTICATOR_SIZE));
syslog(LOG_ERR, "Calculated authenticator: %s",
hexdump(&authenticator, MIP6_AUTHENTICATOR_SIZE));
}
- *authmethod_done |= BC_AUTH_MNHA;
break;
case IP6_MH_AUTHOPT_SUBTYPE_MNAAA:
@@ -189,13 +196,30 @@ find_haauth_users(spi)
return (NULL);
}
+struct haauth_users *
+find_haauth_users_with_hoa(hoa)
+ struct in6_addr *hoa;
+{
+ struct haauth_users *hausers;
+
+ LIST_FOREACH(hausers, &haauth_users_head, hauthusers_entry) {
+ if (IN6_ARE_ADDR_EQUAL(&hausers->hoa, hoa))
+ return (hausers);
+ }
+
+ return (NULL);
+}
+
static int
get_secret(sharedkeyp, secretkey_size, secretkey, keylen)
char *sharedkeyp;
int secretkey_size;
u_int8_t *secretkey;
int *keylen;
{
+ if (sharedkeyp == NULL)
+ return (-1);
+
if (*sharedkeyp == '\'' || *sharedkeyp == '\"') {
int i = 0;
@@ -245,21 +269,25 @@ get_secret(sharedkeyp, secretkey_size, secretkey, keylen)
The format of authentication Database is described as followed:
---
# the line started '#' shows comment.
-# one data is described in one line. spi followed by shared key separated by space
-10000 'shared-key in 16' # The string 'bytes' to be trailed is trimmed
-10001 0x0102030405060708090a0b0c0d0e0f10
+# one data is described in one line. The line contains 'HoA', 'SPI' and 16octets secret separated with space(including TAB).
+2001:DB8:0:80be::1000 10000 'shared-key in 16' # The string 'bytes' to be trailed is trimmed
+2001:DB8:0:80be::1001 10001 0x0102030405060708090a0b0c0d0e0f10
---
*/
static void
ha_auth_init()
{
- char *p, *spip, *last;
+ int error;
+ char *p, *spip, *last, *addr;
char read_buffer[1024];
FILE *keytable;
struct haauth_users *hausers;
+ struct addrinfo hints, *res0;
if ((keytable = fopen(auth_database, "r")) == NULL) {
- syslog(LOG_ERR, "Opening authentication database was failed (%s)", auth_database);
+ syslog(LOG_ERR,
+ "Authdata: Opening authentication database was failed (%s)",
+ auth_database);
return;
}
@@ -269,7 +297,8 @@ ha_auth_init()
read_buffer[sizeof(read_buffer) - 1] = '\0';
if ((p = strchr(read_buffer, '\n')) == NULL &&
strlen(read_buffer) >= sizeof(read_buffer) - 1) {
- syslog(LOG_ERR, "The line was too long. [%1024s]", read_buffer);
+ syslog(LOG_ERR, "Authdata: The line was too long. [%1024s]",
+ read_buffer);
continue; /* the line was too long */
}
*p = '\0';
@@ -279,24 +308,47 @@ ha_auth_init()
p++;
if (*p == '#')
continue; /* comment line */
-
- if ((spip = strtok_r(p, " \t", &last)) == NULL)
- continue;
-
+
hausers = malloc(sizeof(*hausers));
memset(hausers, '\0', sizeof(*hausers));
+
+ if ((spip = addr = strtok_r(p, " \t", &last)) == NULL) {
+ free(hausers);
+ continue;
+ }
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_flags = AI_NUMERICHOST;
+ if ((error = getaddrinfo(addr, NULL, &hints, &res0)) != 0) {
+ syslog(LOG_ERR, "Authdata: Failed to get HoA[%s] because %s",
+ addr, gai_strerror(error));
+ } else if (res0->ai_family != AF_INET6) {
+ syslog(LOG_ERR, "Authdata: Not IPv6 address [%s]", addr);
+ } else {
+ hausers->hoa = ((struct sockaddr_in6 *)res0->ai_addr)->sin6_addr;
+ freeaddrinfo(res0);
+
+ if ((spip = strtok_r(NULL, " \t", &last)) == NULL) {
+ free(hausers);
+ continue;
+ }
+ }
+
if (spip[0] == '0' && spip[1] == 'x') {
spip += 2; /* for '0x' */
base = 16;
}
hausers->mobility_spi = strtol(spip, NULL, base);
- if (get_secret(strtok_r(NULL, " \t", &last), SECRETKEY_SIZE, hausers->sharedkey, &hausers->keylen) < 0) {
+ if (get_secret(strtok_r(NULL, " \t", &last), SECRETKEY_SIZE,
+ hausers->sharedkey, &hausers->keylen) < 0) {
free(hausers);
continue;
}
if (debug)
- syslog(LOG_INFO, "spi: %d [%s]\n",
+ syslog(LOG_INFO, "%s spi: %d [%s]\n",
+ ip6_sprintf(&hausers->hoa),
hausers->mobility_spi,
hexdump(hausers->sharedkey, hausers->keylen));
LIST_INSERT_HEAD(&haauth_users_head, hausers, hauthusers_entry);
@@ -314,7 +366,8 @@ command_show_authdata(s, dummy)
command_printf(s, "Authentication database\n");
LIST_FOREACH(hausers, &haauth_users_head, hauthusers_entry) {
- command_printf(s, "%d [%s]\n",
+ command_printf(s, "%s %d [%s]\n",
+ ip6_sprintf(&hausers->hoa),
hausers->mobility_spi,
hexdump(hausers->sharedkey, hausers->keylen));
}
@@ -357,7 +410,8 @@ aaa_auth_start(hoa, coa, mopt_mnid, mh)
}
void
-aaa_auth_stop()
+aaa_auth_stop(hoa)
+ struct in6_addr *hoa;
{
}
@@ -378,7 +432,7 @@ aaa_auth_reply_from_aaa(fd)
#if 0
/* Judge the result from the AAA */
aaa_auth_done(success);
-#endif
+#endif
return (0);
}
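Review bot: The two failure branches of the new HoA parse in ha_auth_init do not reject the line: after the syslog at `Authdata: Failed to get HoA` or `Authdata: Not IPv6 address`, execution continues with `spip` still pointing at the first token, so the entry is still built (with `hoa` left as `::` by the preceding memset) and inserted into the list, and on the `ai_family != AF_INET6` branch `res0` is never released. If the fall-through is intended to keep loading the old `SPI key` format, that deserves a comment and a log level below LOG_ERR; if not, both branches should `free(hausers); continue;` like the other parse failures, and either way the mismatch branch needs `freeaddrinfo(res0)` before leaving. Separately, the modified debug syslog and the `command_show_authdata` line still emit the shared key in hex; printing only the SPI and `keylen` keeps the MN-HA secret out of the log and the command channel. The loop and the function continue outside the hunk.
```c
	if ((addr = strtok_r(p, " \t", &last)) == NULL) {
		free(hausers);
		continue;
	}

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_INET6;
	hints.ai_flags = AI_NUMERICHOST;
	if ((error = getaddrinfo(addr, NULL, &hints, &res0)) != 0) {
		syslog(LOG_ERR, "Authdata: Failed to get HoA[%s] because %s",
		    addr, gai_strerror(error));
		free(hausers);
		continue;
	}
	if (res0->ai_family != AF_INET6) {
		syslog(LOG_ERR, "Authdata: Not IPv6 address [%s]", addr);
		freeaddrinfo(res0);
		free(hausers);
		continue;
	}
	hausers->hoa = ((struct sockaddr_in6 *)res0->ai_addr)->sin6_addr;
	freeaddrinfo(res0);

	if ((spip = strtok_r(NULL, " \t", &last)) == NULL) {
		free(hausers);
		continue;
	}
	/* … unchanged: SPI parsing, get_secret(), LIST_INSERT_HEAD … */
```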
4 kame/kame/shisad/cftoken.l
@@ -1,4 +1,4 @@
-/* $KAME: cftoken.l,v 1.12 2006/09/28 03:05:53 keiichi Exp $ */
+/* $KAME: cftoken.l,v 1.13 2006/10/20 07:41:16 t-momose Exp $ */
%{
/*
@@ -63,7 +63,7 @@ integer {digit}+
addrstring [a-zA-Z0-9:\.][a-zA-Z0-9:\.]*
ifname [a-zA-Z]+[0-9]+
mipifname mip[0-9]+
-filename [a-zA-Z0-9:\.\-\+]*
+filename [a-zA-Z0-9:\.\-\+/=#\$%]*
%s S_CONFIG
%s S_INTERFACE
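Review bot: Adding `#`, `$` and `%` to the `filename` character class means a path token immediately followed by `#` (no whitespace) is lexed as part of the filename; if the lexer's comment rule starts at `#` (not visible in this hunk), a line such as `authdatabase /etc/shisad/auth.db#keys` would silently open a non-existent file rather than being flagged. Unless `#` is genuinely needed in paths, dropping it from the class, `filename [a-zA-Z0-9:\.\-\+/=\$%]*`, keeps comment handling unambiguous. The rule set continues outside the hunk.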
8 kame/kame/shisad/common.c
@@ -1,4 +1,4 @@
-/* $KAME: common.c,v 1.30 2006/09/07 17:59:57 t-momose Exp $ */
+/* $KAME: common.c,v 1.31 2006/10/20 07:41:16 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project. All rights reserved.
@@ -845,9 +845,9 @@ static const char *binding_ack_status_desc[] = {
"#141",
"#142",
"#143",
- "#144",
- "#145",
- "#146",
+ "ID of RFC4285 mismatched",
+ "MIPV6-MESG-ID_REQD",
+ "Authentication of RFC4285 was failed",
"#147",
"#148",
"#149",
67 kame/kame/shisad/mh.c
@@ -1,4 +1,4 @@
-/* $KAME: mh.c,v 1.57 2006/09/11 12:00:10 t-momose Exp $ */
+/* $KAME: mh.c,v 1.58 2006/10/20 07:41:16 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project. All rights reserved.
*
@@ -227,7 +227,7 @@ mh_input_common(fd)
bul_kick_fsm_by_mh(src, dst, hoa, rtaddr, mh, mhlen)
#endif
-syslog(LOG_INFO, "XXXX %s:%d", __FILE__, __LINE__);
+/*syslog(LOG_INFO, "XXXX %s:%d", __FILE__, __LINE__);*/
memset(&iov, 0, sizeof(iov));
memset(buf, 0, sizeof(buf));
@@ -787,7 +787,8 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
#elif defined(MIP_HA)
#ifdef AUTHID
if (authmethod & BC_AUTH_MNHA) {
- if (mopt.mnha_auth == NULL) {
+ if ((mopt.mnha_auth == NULL) &&
+ (mopt.mnaaa_auth == NULL)) {
/*
* RFC 4285 section 5 says, "When a Binding
* Update or Binding Acknowledgement is
@@ -796,13 +797,23 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
* should silently discard the received
* message."
*/
- syslog(LOG_ERR, "No mobility message authentication option is found");
+ syslog(LOG_ERR,
+ "No mobility message authentication option is found");
return (-1);
}
- auth_opt(hoa, coa, (struct ip6_mh *)bu, &mopt,
- &authmethod, &authmethod_done);
- mobility_spi = ntohl(mopt.mnha_auth->ip6moauth_mobility_spi);
+ authmethod = 0;
+ statuscode = auth_opt(hoa, coa, (struct ip6_mh *)bu,
+ &mopt,
+ &authmethod, &authmethod_done);
+ mobility_spi = 0;
+ if (mopt.mnha_auth)
+ mobility_spi = ntohl(mopt.mnha_auth->ip6moauth_mobility_spi);
+ if (((authmethod ^ authmethod_done) == 0) &&
+ (statuscode != IP6_MH_BAS_ACCEPTED)) {
+ retcode = -1;
+ goto sendba;
+ }
}
#else /* AUTHID */
/* go thorough (assuming IPsec protection in the kernel) */
@@ -1615,6 +1626,9 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
#ifdef DSMIP
struct ip6_mh_opt_ipv4_ack v4ack_opt;
#endif /* DSMIP */
+#ifdef AUTHID
+ struct haauth_users *hausers;
+#endif /* AUTHID */
if (hoa == NULL)
hoa = coa;
@@ -1753,8 +1767,7 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
#endif /* MIP_CN */
#if defined(MIP_HA) && defined(AUTHID)
- if (mobility_spi != 0) {
- struct haauth_users *hausers;
+ if ((hausers = find_haauth_users_with_hoa(hoa)) != NULL) {
struct ip6_mh_opt_authentication *auth_opt;
mip6_authenticator_t *authenticator;
@@ -1768,12 +1781,12 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
sizeof(struct ip6_mh_opt_authentication)
- sizeof(struct ip6_mh_opt) + MIP6_AUTHENTICATOR_SIZE;
auth_opt->ip6moauth_subtype = IP6_MH_AUTHOPT_SUBTYPE_MNHA;
- auth_opt->ip6moauth_mobility_spi = htonl(mobility_spi);
+ auth_opt->ip6moauth_mobility_spi = htonl(hausers->mobility_spi);
buflen += sizeof(*auth_opt);
buflen += MIP6_AUTHENTICATOR_SIZE;
/*
- * This is not final length, but
+ * This is not a final length, but
* mobileip6_authentication_data() needs correct bu
* length for authentication data calculation
*/
@@ -1788,28 +1801,18 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
authenticator = (mip6_authenticator_t *)
(bufp + (buflen - MIP6_AUTHENTICATOR_SIZE - pad));
- hausers = find_haauth_users(mobility_spi);
- if (!hausers)
- syslog(LOG_ERR, "No authentication data for spi:%d was found.", mobility_spi);
- else
-#if 0
- calculate_authenticator(hausers->sharedkey, hausers->keylen,
- (acoa) ? acoa : coa,
- hoa, (caddr_t)bufp,
- buflen,
- buflen - pad - MIP6_AUTHENTICATOR_SIZE,
- MIP6_AUTHENTICATOR_SIZE,
- (u_int8_t *)authenticator, MIP6_AUTHENTICATOR_SIZE);
-#else
- calculate_authenticator(hausers->sharedkey, hausers->keylen,
- (acoa) ? acoa : coa,
- hoa, (caddr_t)bufp,
- buflen,
- buflen - pad - MIP6_AUTHENTICATOR_SIZE,
- MIP6_AUTHENTICATOR_SIZE,
- (u_int8_t *)authenticator, MIP6_AUTHENTICATOR_SIZE);
-#endif
+ calculate_authenticator(hausers->sharedkey, hausers->keylen,
+ (acoa) ? acoa : coa,
+ hoa, (caddr_t)bufp,
+ buflen,
+ buflen - pad - MIP6_AUTHENTICATOR_SIZE,
+ MIP6_AUTHENTICATOR_SIZE,
+ (u_int8_t *)authenticator,
+ MIP6_AUTHENTICATOR_SIZE);
/* MN-AAA isn't needed as described RFC4285 5.2 */
+ } else {
+ syslog(LOG_ERR, "No authentication data for HoA:%s was found.",
+ ip6_sprintf(hoa));
}
#endif /* MIP_HA && AUTHID */
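Review bot: In send_ba the new guard `if ((hausers = find_haauth_users_with_hoa(hoa)) != NULL)` makes inclusion of the MN-HA authentication option depend only on the HoA being present in the database, no longer on whether the received BU carried one (the old `mobility_spi != 0` test), and the new `else` branch logs at LOG_ERR for every BA sent to a HoA that is not in the database — with AUTHID compiled in, that fires for every IPsec-protected MN. If `mobility_spi` is still passed to send_ba (it is still computed in receive_bu in this section), `if (mobility_spi != 0 && (hausers = find_haauth_users_with_hoa(hoa)) != NULL) {` with the log moved under a `mobility_spi != 0` test keeps the BA tied to what the MN actually sent and silences the noise. In receive_bu, a BU carrying only the MN-AAA option now passes the presence check and, because `authmethod != authmethod_done` while the AAA exchange is pending, falls past the `goto sendba`; whether the remainder of receive_bu registers the binding before aaa_auth_done runs is outside the hunk and should be confirmed before this path is enabled. Both functions start and end outside their hunks.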
4 kame/kame/shisad/shisad.h
@@ -1,4 +1,4 @@
-/* $KAME: shisad.h,v 1.40 2006/08/25 07:02:15 t-momose Exp $ */
+/* $KAME: shisad.h,v 1.41 2006/10/20 07:41:16 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project.
@@ -536,6 +536,7 @@ struct binding_cache *mip6_bc_lookup(struct in6_addr *, struct in6_addr *,
u_int16_t);
struct binding_cache *mip6_bc_add(struct in6_addr *, struct in6_addr *,
struct in6_addr *, u_int32_t, u_int16_t, u_int16_t, u_int16_t, u_int8_t, u_int8_t, u_int32_t);
+void flush_bc(void);
/* network.c */
int set_ip6addr(char *, struct in6_addr *, int, int);
@@ -669,6 +670,7 @@ void auth_init(struct config_entry *, struct config_entry *);
int auth_opt(struct in6_addr *, struct in6_addr *, struct ip6_mh *,
struct mip6_mobility_options *, int *, int *);
struct haauth_users *find_haauth_users(u_int32_t);
+struct haauth_users *find_haauth_users_with_hoa(struct in6_addr *);
void command_show_authdata(int, char *);
#endif /* AUTHID */
