RFC4285 is implemented.

commit 80b5686a3c56d5f3ddb0b06c1bb4935a540b0382 1 parent ad40faa
t-momose authored
6 CHANGELOG
@@ -1,6 +1,10 @@
CHANGELOG for KAME kit
-$KAME: CHANGELOG,v 1.2826 2006/04/23 02:52:41 jinmei Exp $
+$KAME: CHANGELOG,v 1.2827 2006/06/09 11:29:57 t-momose Exp $
+<200606>
+2006-06-09 Tsuyoshi MOMOSE <momose@az.jp.nec.com>
+ * kame/kame/shisad: RFC4285 on home agnets is implemented.
+
<200604>
2006-04-23 JINMEI, Tatuya <jinmei@isl.rdc.toshiba.co.jp>
* kame/sys/netinet6/nd6.c (nd6_is_addr_neighbor): disabled the
2  freebsd5/usr.sbin/shisad/had/Makefile
@@ -34,6 +34,8 @@ CFLAGS+= -g -Wall -Werror -DTEST -DMIP_HA
#CFLAGS+= -DMIP_NEMO
#CFLAGS+= -DMIP_MCOA
#CFLAGS+= -DMIP_IPV4MNPSUPPORT
+#CFLAGS+= -DAUTHID
+#SRCS+=auth.c rr.c # XXX rr.c is required only for mip6_calculate_authenticator()
CFLAGS+= -I${.OBJDIR} -I${SRCDIR}
LDADD+= -L${.OBJDIR}/../../../lib/libinet6 \
33 kame/kame/shisad/OPTIONS
@@ -0,0 +1,33 @@
+ Shisa Compile options
+ /* $KAME: OPTIONS,v 1.1 2006/06/09 11:29:57 t-momose Exp $ */
+
+There are several compile options on the Shisa. Some of them are
+mandatory to specify which binaries are being built. The others are
+optinoal options. Somes are used for extentions specified as
+startdard. The rest ones are for experimental codes going on WIDE and
+Nautilus6 projects.
+
+MIP_MN
+MIP_CN
+MIP_HA
+ When building binaries, you have to specify either one.
+
+MIP_NEMO
+
+MIP_MCOA
+ TBD
+
+DSMIP
+ TBD
+
+AUTHID
+ This option enables RFC4283 and RFC4285 features. RFC4285 specifies
+another authentication mechanism. Shisa has a code to process the
+specification, however no codes for actual authentication code because
+such authentication part depends on the operated network policy. Thus,
+you have to add your authentication code on home agent before using
+Shisa on RFC4285 required network.
+ auth_start(), auth_stop() and auth_done() functions are ready in
+auth.c. At this time, these functions have only small template
+codes. You can change and add your specific
+
311 kame/kame/shisad/auth.c
@@ -0,0 +1,311 @@
+/* $KAME: auth.c,v 1.1 2006/06/09 11:29:58 t-momose Exp $ */
+
+/*
+ * Copyright (C) 2006 WIDE Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <poll.h>
+#include <syslog.h>
+
+#include <sys/types.h>
+#include <sys/queue.h>
+
+#include <netinet/in.h>
+#include <netinet/icmp6.h>
+#include <netinet/ip6mh.h>
+
+#include "callout.h"
+#include "fdlist.h"
+#include "shisad.h"
+
+LIST_HEAD(haauth_users_head, haauth_users) haauth_users_head = LIST_HEAD_INITIALIZER(haauth_users_head);
+
+static int ha_auth(struct in6_addr *, struct in6_addr *,
+ struct ip6_mh_opt_authentication *, struct ip6_mh *,
+ mip6_authenticator_t *);
+void aaa_auth_start(void);
+int aaa_auth_done(int);
+static void ha_auth_init();
+static void aaa_auth_init();
+
+char *auth_database = "/usr/local/v6/etc/authdata";
+
+void
+auth_init()
+{
+ ha_auth_init();
+ aaa_auth_init();
+}
+
+
+/*
+ return value:
+ status codes of BA
+*/
+int
+auth_opt(hoa, coa, mh, mopt, authmethod, authmethod_done)
+ struct in6_addr *hoa, *coa;
+ struct ip6_mh *mh;
+ struct mip6_mobility_options *mopt;
+ int *authmethod, *authmethod_done;
+{
+ int i, statuscode = IP6_MH_BAS_ACCEPTED;
+ struct ip6_mh_opt_authentication *mopt_auth;
+ mip6_authenticator_t authenticator;
+
+ for (i = 0; i < 2; i++) {
+ if ((mopt_auth = mopt->opt_authentication[i]) == NULL)
+ continue;
+
+ switch (mopt_auth->ip6moauth_subtype) {
+
+ case IP6_MH_AUTHOPT_SUBTYPE_MNHA:
+ /* To authorize:
+ pick parameters
+ calculate authenticate
+ */
+ *authmethod |= BC_AUTH_MNHA;
+ if (ha_auth(hoa, coa, mopt_auth, mh, &authenticator) == 0 &&
+ memcmp((caddr_t)&authenticator, (caddr_t)(mopt_auth + 1), MIP6_AUTHENTICATOR_SIZE) == 0)
+ statuscode = IP6_MH_BAS_ACCEPTED;
+ else
+ statuscode = IP6_MH_BAS_AUTH_FAIL;
+ *authmethod_done |= BC_AUTH_MNHA;
+ break;
+
+ case IP6_MH_AUTHOPT_SUBTYPE_MNAAA:
+ /* To authorize: send a query to an AAA later.
+ This is an asynchoronous process because an
+ AAA server is usually another entity.
+ */
+ /* Make a query here */
+ aaa_auth_start();
+ *authmethod |= BC_AUTH_MNAAA;
+ break;
+
+ default:
+ syslog(LOG_ERR, "Unknown subtype in mobiliy message authentication");
+ break;
+ }
+ }
+
+ return (statuscode);
+}
+
+/*
+ Ret. val. 0: authenticator was retrieved, non-zero: error has been occured
+
+*/
+static int
+ha_auth(hoa, coa, mopt_auth, mh, authenticator)
+ struct in6_addr *hoa, *coa;
+ struct ip6_mh_opt_authentication *mopt_auth;
+ struct ip6_mh *mh;
+ mip6_authenticator_t *authenticator;
+{
+ u_int16_t cksum;
+ struct haauth_users *hausers;
+
+ hausers = find_haauth_users(ntohl(mopt_auth->ip6moauth_mobility_spi));
+ if (hausers == NULL)
+ return (-1);
+
+ cksum = mh->ip6mh_cksum;
+ mh->ip6mh_cksum = 0;
+ mip6_calculate_authenticator((mip6_kbm_t *)hausers->sharedkey, hoa, coa,
+ (caddr_t)mh, (mh->ip6mh_len + 1) << 3,
+ (caddr_t)(mopt_auth + 1) - (caddr_t)mh,
+ MIP6_AUTHENTICATOR_SIZE, authenticator);
+ mh->ip6mh_cksum = cksum;
+
+ return (0);
+}
+
+struct haauth_users *
+find_haauth_users(spi)
+ u_int32_t spi;
+{
+ struct haauth_users *hausers;
+
+ LIST_FOREACH(hausers, &haauth_users_head, hauthusers_entry) {
+ if (hausers->mobility_spi == spi)
+ return (hausers);
+ }
+
+ return (NULL);
+}
+
+/*
+ Read and construct MN-HA authenticator database
+
+ The format of authentication Database is described as followed:
+---
+# the line started '#' shows comment.
+# one data is described in one line. spi followed by shared key separated by space
+10000 'shared-key in 20byte' # byte's' is trimmed
+10001 0x0102030405060708090a0b0c0d0e0f10111213
+---
+ */
+static void
+ha_auth_init()
+{
+ char *p, *spip, *sharedkeyp, *last;
+ char read_buffer[1024];
+ FILE *keytable;
+ struct haauth_users *hausers;
+
+ if ((keytable = fopen(auth_database, "r")) == NULL) {
+ syslog(LOG_ERR, "Opening authentication database was failed (%s)", auth_database);
+ return;
+ }
+
+ while (fgets(read_buffer, sizeof(read_buffer), keytable) != NULL) {
+ if ((p = strchr(read_buffer, '\n')) == NULL)
+ continue; /* the line was too long */
+ *p = '\0';
+
+ p = read_buffer;
+ while (isspace(*p))
+ p++;
+ if (*p == '#')
+ continue; /* comment line */
+
+ if ((spip = strtok_r(p, " \t", &last)) == NULL)
+ continue;
+
+ hausers = malloc(sizeof(*hausers));
+ memset(hausers, '\0', sizeof(*hausers));
+ hausers->mobility_spi = atoi(spip);
+
+ sharedkeyp = strtok_r(NULL, " \t", &last);
+ if (*sharedkeyp == '\'' || *sharedkeyp == '\"') {
+ int i = 0;
+
+ sharedkeyp++;
+ while (sharedkeyp[i] != '\'' && sharedkeyp[i] && '\"'
+ && i < MIP6_AUTHENTICATOR_SIZE) {
+ i++;
+ }
+ memcpy(hausers->sharedkey, sharedkeyp, i);
+ } else {
+ /* it might be hex */
+ if (*sharedkeyp == '0' &&
+ *(sharedkeyp + 1) == 'x') {
+ char *ep;
+ char *hexchr = "0123456789ABCDEFabcdef";
+ int loopend = 0, i = 0;
+ u_int v;
+
+ sharedkeyp += 2;
+ ep = sharedkeyp + strlen(sharedkeyp);
+ do {
+ if (!strchr(hexchr, *sharedkeyp) ||
+ !strchr(hexchr, *(sharedkeyp + 1)))
+ loopend = 1;
+ sscanf(sharedkeyp, "%2x", &v);
+ ((u_int8_t *)&hausers->sharedkey)[i] = v & 0xff;
+ sharedkeyp += 2;
+ } while ((sharedkeyp < ep) && !loopend);
+ }
+ }
+ LIST_INSERT_HEAD(&haauth_users_head, hausers, hauthusers_entry);
+ }
+
+ fclose(keytable);
+}
+
+int aaa_socket;
+
+static void
+aaa_auth_init()
+{
+ /* Normally, the function will do following process:
+ 1) Open socket to the AAA server
+ 2) register it's handle
+ */
+// new_fd_list(aaa_socket, POLLIN, aaa_auth_done);
+}
+
+void
+aaa_auth_start()
+{
+ /* Send a query packet here with the aaa_socket */
+ /* And start a timer to resend if needed */
+}
+
+void
+aaa_auth_stop()
+{
+}
+
+/*
+ * This function would be called with a file descriptor, which
+ * indicates a socket to talk an AAA server.
+ *
+ * What implementors should do here are:
+ * 1)
+ */
+int
+aaa_auth_done(fd)
+ int fd;
+{
+#if 0
+ struct binding_cache *bc;
+
+ bc = find_bc_somehow();
+
+ /* Judge the validity of this result somehow */
+
+ if (success) {
+ /* the authentication was succeeded. */
+ bc->authmethod_done |= BC_AUTH_MNAAA;
+ if (bc->authmethod ^ bc->authmethod_done == 0)
+ bc->bc_state &= ~BC_STATE_UNDER_AUTH;
+ mip6_bc_validate(bc);
+ if ((bc->bc_state == BC_STATE_VALID) &&
+ !IN6_IS_ADDR_LINKLOCAL(addr)) {
+ if (bc->bc_flags & (IP6_MH_BU_ACK | IP6_MH_BU_HOME))
+ send_ba(&bc->bc_myaddr, &bc->bc_realcoa,
+ &bc->bc_coa, &bc->bc_hoa, bc->bc_flags,
+ NULL, IP6_MH_BAS_ACCEPTED,
+ bc->bc_seqno, bc->bc_lifetime, bc->bc_bid, 0);
+ }
+ } else {
+ /* the authentication was failed. */
+ send_ba(&bc->bc_myaddr, &bc->bc_realcoa,
+ &bc->bc_coa, &bc->bc_hoa, bc->bc_flags,
+ NULL, IP6_MH_BAS_XXX,
+ bc->bc_seqno, bc->bc_lifetime, bc->bc_bid, 0);
+ mip6_bc_delete(bc);
+ }
+#endif
+ return 0;
+}
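Review bot: The shared-key parser in ha_auth_init never stores more than one byte of a hex key: in the `do { … } while` of the `0x` branch the index `i` is declared but never incremented, so every decoded pair overwrites `sharedkey[0]`, and once that is fixed nothing bounds the index against `MIP6_AUTHENTICATOR_SIZE`. The same function dereferences `sharedkeyp` without a NULL check when a line holds only an SPI, leaves `malloc` unchecked, and the quoted-key loop condition `sharedkeyp[i] != '\'' && sharedkeyp[i] && '\"'` tests the literal `'\"'` instead of the character, so a double-quoted key is only terminated by NUL or the size limit. Separately, auth_opt compares the computed authenticator against `mopt_auth + 1` with `memcmp`, which is not constant-time and assumes the option's length field covers `MIP6_AUTHENTICATOR_SIZE` bytes — nothing in this file checks that; if get_mobility_options guarantees it, a comment at the memcmp saying so would help. A rewrite of the key-parsing section is below.
```c
		/* … unchanged: fgets loop, newline strip, comment-line skip … */
		if ((spip = strtok_r(p, " \t", &last)) == NULL ||
		    (sharedkeyp = strtok_r(NULL, " \t", &last)) == NULL)
			continue;	/* a line needs both an SPI and a key */

		hausers = malloc(sizeof(*hausers));
		if (hausers == NULL) {
			syslog(LOG_ERR, "malloc failed while reading %s", auth_database);
			break;
		}
		memset(hausers, '\0', sizeof(*hausers));
		hausers->mobility_spi = strtoul(spip, NULL, 10);

		if (*sharedkeyp == '\'' || *sharedkeyp == '\"') {
			int i = 0;

			sharedkeyp++;
			/* stop at either quote character, end of string, or the key size */
			while (sharedkeyp[i] != '\'' && sharedkeyp[i] != '\"' &&
			    sharedkeyp[i] != '\0' && i < MIP6_AUTHENTICATOR_SIZE)
				i++;
			memcpy(hausers->sharedkey, sharedkeyp, i);
		} else if (sharedkeyp[0] == '0' && sharedkeyp[1] == 'x') {
			u_int8_t *key = (u_int8_t *)&hausers->sharedkey;
			int i;

			sharedkeyp += 2;
			/* one byte per hex pair, bounded by the key size */
			for (i = 0; i < MIP6_AUTHENTICATOR_SIZE &&
			    isxdigit((unsigned char)sharedkeyp[0]) &&
			    isxdigit((unsigned char)sharedkeyp[1]);
			    i++, sharedkeyp += 2) {
				u_int v;

				sscanf(sharedkeyp, "%2x", &v);
				key[i] = v & 0xff;
			}
		} else {
			syslog(LOG_ERR, "unrecognized shared key format for SPI %s", spip);
			free(hausers);
			continue;
		}
		LIST_INSERT_HEAD(&haauth_users_head, hausers, hauthusers_entry);
```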
181 kame/kame/shisad/binding.c
@@ -1,4 +1,4 @@
-/* $KAME: binding.c,v 1.29 2006/06/08 12:02:00 keiichi Exp $ */
+/* $KAME: binding.c,v 1.30 2006/06/09 11:29:58 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project. All rights reserved.
@@ -66,21 +66,21 @@ static struct binding_update_list *bul_create(struct in6_addr *,
struct in6_addr *, u_int16_t, struct mip6_hoainfo *);
static char *reg_fsm_desc[] = {
- "IDLE",
- "RRINIT",
- "RRREDO",
- "RRDEL",
- "WAITA",
- "WAITAR",
- "WAITD",
- "BOUND",
- "DHAAD"
+ "IDLE",
+ "RRINIT",
+ "RRREDO",
+ "RRDEL",
+ "WAITA",
+ "WAITAR",
+ "WAITD",
+ "BOUND",
+ "DHAAD"
};
static char *rr_fsm_desc[] = {
- "START",
- "WAITHC",
- "WAITH",
- "WAITC"
+ "START",
+ "WAITHC",
+ "WAITH",
+ "WAITC"
};
static void command_show_bul_one(int, struct binding_update_list *);
@@ -90,11 +90,10 @@ static void command_show_bul_one(int, struct binding_update_list *);
struct binding_cache_head bchead;
static void mip6_bc_set_refresh_timer(struct binding_cache *, int);
static void mip6_bc_stop_refresh_timer(struct binding_cache *);
-#endif /* MIP_MN */
+static void mip6_validate_bc(struct binding_cache *);
int do_proxy_dad = 1;
-#ifndef MIP_MN
/*
* Binding Cache State Change
*
@@ -122,17 +121,19 @@ mip6_flush_kernel_bc()
mipmsg.miph_type = MIPM_BC_FLUSH;
if (write(mipsock, &mipmsg, sizeof(struct mip_msghdr)) == -1) {
syslog(LOG_ERR,
- "removing all bul entries failed.\n");
+ "removing all bul entries failed.");
}
}
struct binding_cache *
-mip6_bc_add(hoa, coa, recvaddr, lifetime, flags, seqno, bid, authmethod)
+mip6_bc_add(hoa, coa, recvaddr, lifetime, flags, seqno, bid, authmethod, authmethod_done, mobility_spi)
struct in6_addr *hoa, *coa, *recvaddr;
u_int32_t lifetime;
u_int16_t flags;
u_int16_t seqno, bid;
u_int8_t authmethod;
+ u_int8_t authmethod_done;
+ u_int32_t mobility_spi;
{
struct binding_cache *bc;
time_t now;
@@ -146,6 +147,13 @@ mip6_bc_add(hoa, coa, recvaddr, lifetime, flags, seqno, bid, authmethod)
*/
bc = mip6_bc_lookup(hoa, recvaddr, bid);
if (bc) {
+ bc->bc_authmethod = authmethod;
+ bc->bc_authmethod_done = authmethod_done;
+ if ((authmethod ^ authmethod_done) != 0) {
+ bc->bc_state |= BC_STATE_UNDER_AUTH;
+ return (NULL);
+ }
+
bc->bc_myaddr = *recvaddr;
bc->bc_lifetime = lifetime;
bc->bc_flags = flags;
@@ -153,8 +161,12 @@ mip6_bc_add(hoa, coa, recvaddr, lifetime, flags, seqno, bid, authmethod)
/* update BC in the kernel via mipsock */
bc->bc_coa = *coa;
mipsock_bc_request(bc, MIPM_BC_UPDATE);
-
- goto done;
+
+ bc->bc_expire = now + bc->bc_lifetime;
+
+ if (!IN6_IS_ADDR_LINKLOCAL(hoa) && !(bc->bc_state & BC_STATE_UNDER_DAD))
+ mip6_bc_set_refresh_timer(bc, bc->bc_lifetime / 2);
+ return (bc);
}
/*
@@ -172,38 +184,53 @@ mip6_bc_add(hoa, coa, recvaddr, lifetime, flags, seqno, bid, authmethod)
bc->bc_flags = flags;
bc->bc_seqno = seqno;
bc->bc_state = BC_STATE_VALID;
- if (do_proxy_dad && (flags & IP6_MH_BU_HOME)) {
- bc->bc_state = BC_STATE_UNDER_DAD;
+ if (flags & IP6_MH_BU_HOME) {
+ if (do_proxy_dad)
+ bc->bc_state |= BC_STATE_UNDER_DAD;
+#ifdef AUTHID
+ if ((authmethod ^ authmethod_done) != 0)
+ bc->bc_state |= BC_STATE_UNDER_AUTH;
+#endif /* AUTHID */
}
bc->bc_refcnt = 0;
bc->bc_authmethod = authmethod;
+ bc->bc_authmethod_done = authmethod_done;
#ifdef MIP_MCOA
bc->bc_bid = bid;
#endif /* MIP_MCOA */
- if (bc->bc_state == BC_STATE_VALID) {
- /* insert BC into the kernel via mipsock */
- mipsock_bc_request(bc, MIPM_BC_ADD);
- } else if (bc->bc_state == BC_STATE_UNDER_DAD) {
+ if (bc->bc_state & BC_STATE_UNDER_DAD) {
/* do dad start */
mip6_dad_start(hoa);
}
-
+
+ mip6_validate_bc(bc);
LIST_INSERT_HEAD(&bchead, bc, bc_entry);
bc->bc_refcnt++;
- done:
- bc->bc_expire = now + bc->bc_lifetime;
+ return (bc);
+}
+
+static void
+mip6_validate_bc(bc)
+ struct binding_cache *bc;
+{
+ time_t now;
+
+ if (bc->bc_state != BC_STATE_VALID)
+ return;
+ now = time(0);
+ /* insert the BC into the kernel via mipsock */
+ mipsock_bc_request(bc, MIPM_BC_ADD);
+ bc->bc_expire = now + bc->bc_lifetime;
/* refreshment is called after the half of BC's lifetime */
/* The linklocal entries are handled along with the original
binding cache entry. Thus it doesn't need to have
a independent timer. */
- if (!IN6_IS_ADDR_LINKLOCAL(hoa) && (bc->bc_state != BC_STATE_UNDER_DAD))
- mip6_bc_set_refresh_timer(bc, bc->bc_lifetime / 2);
-
- return (bc);
-};
+ if (!IN6_IS_ADDR_LINKLOCAL(&bc->bc_hoa))
+ mip6_bc_set_refresh_timer(bc, bc->bc_lifetime / 2);
+}
void
mip6_bc_delete(bcreq)
@@ -223,6 +250,13 @@ mip6_bc_delete(bcreq)
return;
#endif /* 1 */
+#ifdef AUTHID
+ if (bc->bc_state & BC_STATE_UNDER_AUTH) {
+ /* stop authentication query here */
+
+ bc->bc_state &= ~BC_STATE_UNDER_AUTH;
+ }
+#endif /* AUTHID */
switch (bc->bc_state) {
case BC_STATE_VALID:
/* delete the BCE in the kernel via mipsock */
@@ -253,8 +287,7 @@ mip6_bc_delete(bcreq)
}
return;
-};
-
+}
/* src can be wildcard */
struct binding_cache *
@@ -267,7 +300,6 @@ mip6_bc_lookup(hoa, src, bid)
for (bc = LIST_FIRST(&bchead); bc; bc = bc_nxt) {
bc_nxt = LIST_NEXT(bc, bc_entry);
-
#ifdef MIP_MCOA
if (bid && bid != bc->bc_bid)
continue;
@@ -280,7 +312,7 @@ mip6_bc_lookup(hoa, src, bid)
}
return (NULL);
-};
+}
/* compose a mipsock message and issue it to the kernel */
void
@@ -307,10 +339,8 @@ mip6_dad_done(message, addr)
struct in6_addr *addr;
{
struct binding_cache *bc, *gbc;
- time_t now;
int bid = 0;
- now = time(0);
bc = mip6_bc_lookup(addr, NULL, 0);
if (bc && IN6_IS_ADDR_LINKLOCAL(&bc->bc_hoa))
gbc = bc->bc_glmbc;
@@ -323,31 +353,30 @@ mip6_dad_done(message, addr)
if (message == MIPM_DAD_SUCCESS) {
/* I got a message the DAD was succeeded */
/* the status of the BC should go to the normal */
- if (!bc || bc->bc_state != BC_STATE_UNDER_DAD) {
+ if (!bc || !(bc->bc_state & BC_STATE_UNDER_DAD)) {
syslog(LOG_ERR,
- "The status of this BCE (for %s) should be UNDER_DAD, inspite of %d\n",
+ "The status of this BCE (for %s) should be UNDER_DAD, inspite of %d",
ip6_sprintf(addr), bc ? bc->bc_state : -1);
return;
}
syslog(LOG_INFO,
- "DAD against the HoA(%s) is suceeded.\n",
+ "DAD against the HoA(%s) is suceeded.",
ip6_sprintf(addr));
- bc->bc_state = BC_STATE_VALID;
- mipsock_bc_request(bc, MIPM_BC_ADD);
- bc->bc_expire = now + bc->bc_lifetime;
- if (!IN6_IS_ADDR_LINKLOCAL(addr)) {
- mip6_bc_set_refresh_timer(bc, bc->bc_lifetime / 2);
+ bc->bc_state &= ~BC_STATE_UNDER_DAD;
+ mip6_validate_bc(bc);
+ if ((bc->bc_state == BC_STATE_VALID) &&
+ !IN6_IS_ADDR_LINKLOCAL(addr)) {
if (bc->bc_flags & (IP6_MH_BU_ACK | IP6_MH_BU_HOME))
send_ba(&gbc->bc_myaddr, &gbc->bc_realcoa,
&gbc->bc_coa, &gbc->bc_hoa, gbc->bc_flags,
NULL, IP6_MH_BAS_ACCEPTED,
- gbc->bc_seqno, gbc->bc_lifetime, bid, 0);
+ gbc->bc_seqno, gbc->bc_lifetime, 0, bid, 0);
}
} else if (message == MIPM_DAD_FAIL) {
/* I got a message the DAD was failed */
syslog(LOG_INFO,
- "DAD aganist the HoA(%s) is failed.\n",
+ "DAD aganist the HoA(%s) is failed.",
ip6_sprintf(addr));
if (gbc == NULL || bc == NULL)
@@ -355,7 +384,7 @@ mip6_dad_done(message, addr)
send_ba(&gbc->bc_myaddr, &gbc->bc_realcoa,
&gbc->bc_coa, &gbc->bc_hoa, gbc->bc_flags,
NULL, IP6_MH_BAS_DAD_FAILED,
- gbc->bc_seqno, gbc->bc_lifetime, bid, 0);
+ gbc->bc_seqno, gbc->bc_lifetime, 0, bid, 0);
mip6_bc_delete(bc);
if (gbc != bc)
mip6_bc_delete(gbc);
@@ -374,7 +403,7 @@ command_show_bc(s, line)
for (bc = LIST_FIRST(&bchead); bc; bc = LIST_NEXT(bc, bc_entry)) {
if (bc->bc_state > BC_STATE_MAX)
continue;
- command_printf(s, "%c ", "VDU"[bc->bc_state]);
+ command_printf(s, "%c ", "VUABD"[bc->bc_state]);
command_printf(s, "%s ", ip6_sprintf(&bc->bc_hoa));
command_printf(s, "%s ", ip6_sprintf(&bc->bc_coa));
command_printf(s, "%s ", ip6_sprintf(&bc->bc_myaddr));
@@ -397,7 +426,6 @@ command_show_kbc(s, line)
command_printf(s, "Not Supported yet\n");
}
-
void
flush_bc()
{
@@ -426,7 +454,6 @@ mip6_bc_stop_refresh_timer(bc)
remove_callout_entry(bc->bc_refresh);
}
-
void
mip6_bc_refresh_timer(arg)
void *arg;
@@ -512,7 +539,7 @@ mipsock_bc_request(bc, command)
err = write(mipsock, bcinfo, bcinfo->mipc_msglen);
if (err < 0)
- perror("mipsock_bc_request:write");
+ syslog(LOG_ERR, "%m mipsock_bc_request:write");
if (debug) {
switch (command) {
@@ -529,24 +556,22 @@ mipsock_bc_request(bc, command)
break;
}
syslog(LOG_INFO, "[BC info] HoA %s", ip6_sprintf(&bc->bc_hoa));
- syslog(LOG_INFO, "\tCoA %s\n", ip6_sprintf(&bc->bc_coa));
- syslog(LOG_INFO, "\tPeer %s\n", ip6_sprintf(&bc->bc_myaddr));
+ syslog(LOG_INFO, "\tCoA %s", ip6_sprintf(&bc->bc_coa));
+ syslog(LOG_INFO, "\tPeer %s", ip6_sprintf(&bc->bc_myaddr));
#ifdef MIP_MCOA
- syslog(LOG_INFO, "\tBID %d\n", bc->bc_bid);
+ syslog(LOG_INFO, "\tBID %d", bc->bc_bid);
#endif /* MIP_MCOA */
- syslog(LOG_INFO, "\tSeq %d, Lifetime %d\n",
+ syslog(LOG_INFO, "\tSeq %d, Lifetime %d",
bc->bc_seqno, bc->bc_lifetime);
}
return;
}
-#endif /* MIP_MN */
+#endif /* !MIP_MN */
#ifdef MIP_MN
-
-
/*
* functions for hoainfo structure
*/
@@ -590,11 +615,11 @@ hoainfo_insert(hoa, ifindex)
LIST_INSERT_HEAD(&hoa_head, hoainfo, hinfo_entry);
if (debug)
- syslog(LOG_INFO, "hoainfo entry (HoA %s ifindex %d) is added\n",
+ syslog(LOG_INFO, "hoainfo entry (HoA %s ifindex %d) is added",
ip6_sprintf(hoa), ifindex);
return (hoainfo);
-};
+}
int
hoainfo_remove(hoa)
@@ -614,7 +639,7 @@ hoainfo_remove(hoa)
hoainfo = NULL;
return (0);
-};
+}
struct mip6_hoainfo *
hoainfo_find_withhoa(hoa)
@@ -629,7 +654,7 @@ hoainfo_find_withhoa(hoa)
}
return (NULL);
-};
+}
struct mip6_hoainfo *
@@ -645,7 +670,7 @@ hoainfo_get_withdhaadid (id)
}
return (NULL);
-};
+}
/*
* functions for bul structure
@@ -728,7 +753,7 @@ bul_create(peeraddr, coa, flags, hoainfo)
bul = (struct binding_update_list *)malloc(sizeof(struct binding_update_list));
if (bul == NULL) {
- perror("malloc");
+ syslog(LOG_ERR, "Faild to allocate memory for a bul.");
return (NULL);
}
@@ -748,7 +773,6 @@ bul_create(peeraddr, coa, flags, hoainfo)
return (bul);
}
-
void
bul_remove(bul)
struct binding_update_list *bul;
@@ -766,8 +790,8 @@ bul_remove(bul)
LIST_REMOVE(mbul, bul_entry);
free(mbul);
mbul = NULL;
- };
- };
+ }
+ }
#endif /* MIP_MCOA */
LIST_REMOVE(bul, bul_entry);
@@ -797,8 +821,7 @@ bul_get_homeflag(hoa)
}
return (NULL);
-};
-
+}
/*
* check the mobile node's link-local address has the same interface
@@ -840,8 +863,7 @@ int bul_check_ifid(hoainfo)
return 1;
return 0;
-};
-
+}
#ifdef MIP_MCOA
struct binding_update_list *
@@ -906,7 +928,7 @@ bul_get(hoa, peer)
}
return (NULL);
-};
+}
void
bul_flush(hoainfo)
@@ -925,7 +947,7 @@ bul_flush(hoainfo)
free(bul);
bul = NULL;
}
-};
+}
struct binding_update_list *
bul_get_nohoa(cookie, coa, peer)
@@ -953,7 +975,7 @@ bul_get_nohoa(cookie, coa, peer)
}
return (NULL);
-};
+}
void
command_show_bul(s, dummy)
@@ -1045,7 +1067,7 @@ command_show_kbul(s, dummy)
sock = socket(AF_INET6, SOCK_DGRAM, 0);
if (sock < 0) {
- perror("socket");
+ command_printf(s, "faild to open a socket to get kbuls.\n");
return;
}
@@ -1100,5 +1122,4 @@ command_show_kbul(s, dummy)
return;
}
-
#endif /* MIP_MN */
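Review bot: In the mip6_bc_add hunk, the new early `return (NULL)` for an existing entry whose authentication is still pending (`if ((authmethod ^ authmethod_done) != 0) { bc->bc_state |= BC_STATE_UNDER_AUTH; return (NULL); }`) is indistinguishable from allocation failure to the caller: receive_bu in mh.c maps a NULL result to `IP6_MH_BAS_INSUFFICIENT` and sends a BA, so a re-registration that is merely waiting on the AAA answer gets a spurious rejection. That branch also returns before the entry's coa, lifetime and flags are updated, so when the answer arrives mip6_validate_bc works on the old binding data; storing the new values before returning, and giving the caller a distinct signal — e.g. returning `bc` and letting the caller test `bc->bc_state & BC_STATE_UNDER_AUTH` the way it already tests UNDER_DAD — would fix both. Unlike the new-entry path this check is not under `#ifdef AUTHID`, and the new `mobility_spi` parameter is accepted but not stored anywhere in the visible hunks; if it is kept elsewhere in the file, a comment would help. mip6_bc_add spans several hunks here.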
3  kame/kame/shisad/cftoken.l
@@ -1,4 +1,4 @@
-/* $KAME: cftoken.l,v 1.9 2005/10/11 10:04:46 keiichi Exp $ */
+/* $KAME: cftoken.l,v 1.10 2006/06/09 11:29:58 t-momose Exp $ */
%{
/*
@@ -61,6 +61,7 @@ integer {digit}+
addrstring [a-zA-Z0-9:\.][a-zA-Z0-9:\.]*
ifname [a-zA-Z]+[0-9]+
mipifname mip[0-9]+
+filename .*
%s S_CONFIG
%s S_INTERFACE
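Review bot: The new `filename .*` definition matches any run of characters, including whitespace, quotes and a trailing `#` comment, and a rule built on it competes with every other pattern under flex's longest-match rule, so it is only safe inside a dedicated start state. The rules that use it are outside this hunk; if it is meant for an unquoted path, `filename [^ \t\n]+` would be the tighter pattern, and a comment on the definition naming the state it is restricted to would help.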
8 kame/kame/shisad/fsm.c
@@ -1,4 +1,4 @@
-/* $KAME: fsm.c,v 1.38 2006/04/13 10:08:25 keiichi Exp $ */
+/* $KAME: fsm.c,v 1.39 2006/06/09 11:29:58 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project. All rights reserved.
@@ -2321,7 +2321,7 @@ bul_fsm_back_preprocess(bul, fsmmsg)
* when it is from Home Agent (i.e. Home Flag set to
* BUL. Otherwise, all packets SHOULD have authenticator and
* nonce indice option. */
- if (mopt.opt_auth) {
+ if (mopt.opt_bauth) {
/* verify authenticator. */
/*
* RFC3775 Section 6.2.7
@@ -2339,10 +2339,10 @@ bul_fsm_back_preprocess(bul, fsmmsg)
(fsmmsg->fsmm_rtaddr != NULL)
? fsmmsg->fsmm_rtaddr : fsmmsg->fsmm_dst,
fsmmsg->fsmm_src, (caddr_t)ip6mhba, ip6mhbalen,
- ((caddr_t)mopt.opt_auth - (caddr_t)ip6mhba) + 2,
+ ((caddr_t)mopt.opt_bauth - (caddr_t)ip6mhba) + 2,
MIP6_AUTHENTICATOR_SIZE, &authenticator);
ip6mhba->ip6mhba_hdr.ip6mh_cksum = cksum;
- if (memcmp((caddr_t)mopt.opt_auth + 2, &authenticator,
+ if (memcmp((caddr_t)mopt.opt_bauth + 2, &authenticator,
MIP6_AUTHENTICATOR_SIZE) != 0) {
syslog(LOG_ERR,
"BACK authenticator mismatch.\n");
9 kame/kame/shisad/had.c
@@ -1,4 +1,4 @@
-/* $KAME: had.c,v 1.33 2006/03/02 11:35:37 t-momose Exp $ */
+/* $KAME: had.c,v 1.34 2006/06/09 11:29:58 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project.
@@ -85,6 +85,9 @@ int keymanagement = 0;
int ipv4mnpsupport = 0;
#endif /* MIP_IPV4MNPSUPPORT */
extern int do_proxy_dad;
+#ifdef AUTHID
+int use_authid = 0;
+#endif /* AUTHID */
struct mip6stat mip6stat;
struct mip6_hpfx_list hpfx_head;
@@ -253,6 +256,10 @@ main(argc, argv)
#endif /*MIP_NEMO*/
mip6_bc_init();
+#ifdef AUTHID
+ if (use_authid)
+ auth_init();
+#endif /* AUTHID */
/* notify a kernel to behave as a home agent. */
mipsock_nodetype_request(MIP6_NODETYPE_HOME_AGENT, 1);
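Review bot: When `use_authid` is set and the key database cannot be opened, `auth_init()` only logs and returns (ha_auth_init in auth.c), so the home agent keeps running with an empty key table and every RFC4285 registration fails with AUTH_FAIL instead of the misconfiguration being caught at startup. Consider having auth_init return a status and treating failure as fatal here, e.g. `if (use_authid && auth_init() < 0) { syslog(LOG_ERR, "auth_init failed"); exit(1); }`, which also needs its declared return type changed wherever it is declared, outside this diff. Nothing in this diff sets `use_authid`; presumably a config option does, but that change is not visible here, so a comment next to the definition naming the option would help.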
200 kame/kame/shisad/mh.c
@@ -1,4 +1,4 @@
-/* $KAME: mh.c,v 1.54 2006/06/08 12:02:00 keiichi Exp $ */
+/* $KAME: mh.c,v 1.55 2006/06/09 11:29:58 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project. All rights reserved.
*
@@ -102,20 +102,21 @@ char *mh_name[] = {
"Unknown MH Message"
};
-char *mhopt_name[] = {"Pad1",
- "PadN",
- "Binding Refresh Advice",
- "Alternate Care-of Address",
- "Nonce Indices",
- "Binding Authorization Data",
- "Mobile Network Prefix (NEMO)",
- "Binding Unique Identifier",
- "Mobile Node ID",
- "Authentication",
- "Replay Protection",
- "IPv4 prefix",
- "IPv4 Home Address Option",
- "Unknown option"
+char *mhopt_name[] = {
+ "Pad1",
+ "PadN",
+ "Binding Refresh Advice",
+ "Alternate Care-of Address",
+ "Nonce Indices",
+ "Binding Authorization Data",
+ "Mobile Network Prefix (NEMO)",
+ "Binding Unique Identifier",
+ "Mobile Node ID",
+ "Authentication",
+ "Replay Protection",
+ "IPv4 prefix",
+ "IPv4 Home Address Option",
+ "Unknown option"
};
static struct ip6_opt_home_address *mip6_search_hoa_in_destopt(u_int8_t *);
@@ -317,7 +318,7 @@ syslog(LOG_INFO, "XXXX %s:%d", __FILE__, __LINE__);
int mhtype;
if ((mhtype = mh->ip6mh_type) > IP6_MH_TYPE_MAX)
- mhtype = IP6_MH_TYPE_MAX;
+ mhtype = IP6_MH_TYPE_MAX + 1; /* '+1' is for 'unknown mh type' message */
syslog(LOG_INFO, "%s is received", mh_name[mhtype]);
syslog(LOG_INFO, " from:[%s] -> dst:[%s]",
ip6_sprintf(&from.sin6_addr), ip6_sprintf(&dst));
@@ -358,17 +359,18 @@ get_mobility_options(ip6mh, hlen, ip6mhlen, mopt)
#define check_mopt_len(mopt_len) \
if (*(mhopt + 1) != mopt_len) goto bad;
#define check_bauth_last() \
- if (mopt->opt_auth) goto bad;
+ if (mopt->opt_bauth) goto bad;
while (mhopt < mhend) {
-
if (debug) {
syslog(LOG_INFO, " %s is found",
mhopt_name[(*mhopt <= IP6_MHOPT_MAX) ? *mhopt : IP6_MHOPT_MAX + 1]);
}
+#ifdef MIP_CN
if (*mhopt != IP6_MHOPT_BAUTH) /* Always bind. auth. opt. should be the last option */
check_bauth_last();
+#endif /* MIP_CN */
switch (*mhopt) {
case IP6_MHOPT_PAD1:
@@ -385,7 +387,7 @@ get_mobility_options(ip6mh, hlen, ip6mhlen, mopt)
mopt->opt_nonce = (struct ip6_mh_opt_nonce_index *)mhopt;
break;
case IP6_MHOPT_BAUTH:
- mopt->opt_auth = (struct ip6_mh_opt_auth_data *)mhopt;
+ mopt->opt_bauth = (struct ip6_mh_opt_auth_data *)mhopt;
break;
case IP6_MHOPT_BREFRESH:
check_mopt_len(2);
@@ -411,6 +413,30 @@ get_mobility_options(ip6mh, hlen, ip6mhlen, mopt)
mopt->opt_v4hoa = (struct ip6_mh_opt_ipv4_hoa *)mhopt;
break;
#endif /* DSMIP */
+#ifdef AUTHID
+ case IP6_MHOPT_MN_ID:
+ mopt->opt_mnid = (struct p6_mh_opt_mn_id *)mhopt;
+ break;
+
+ case IP6_MHOPT_AUTH_OPT:
+ switch (((struct ip6_mh_opt_authentication *)mhopt)->ip6moauth_subtype) {
+ case IP6_MH_AUTHOPT_SUBTYPE_MNHA:
+ mopt->mnha_auth =
+ (struct ip6_mh_opt_authentication *)mhopt;
+ break;
+ case IP6_MH_AUTHOPT_SUBTYPE_MNAAA:
+ mopt->mnaaa_auth =
+ (struct ip6_mh_opt_authentication *)mhopt;
+ break;
+ default:
+ syslog(LOG_ERR, "Unknown authentication AAA");
+ break;
+ }
+ break;
+
+ case IP6_MHOPT_REPLAY_PROTECTION:
+ break;
+#endif /* AUTHID */
default:
syslog(LOG_INFO,
"invalid mobility option (%02x).", *mhopt);
@@ -470,7 +496,6 @@ mip6_search_hoa_in_destopt(optbuf)
return (NULL); /* Not found */
}
-
#ifndef MIP_MN
int receive_bu(struct in6_addr *, struct in6_addr *,
struct in6_addr *, struct in6_addr *, struct ip6_mh_binding_update *, int);
@@ -535,9 +560,6 @@ mh_input(src, dst, hoa, rtaddr, mh, mhlen)
case IP6_MH_TYPE_BERROR:
break;
default:
- /* Shisa Statistics: unknown MH type */
- mip6stat.mip6s_unknowntype++;
-
send_be(src, dst, hoa, IP6_MH_BES_UNKNOWN_MH);
break;
}
@@ -570,7 +592,8 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
int retcode = -1;
int statuscode = IP6_MH_BAS_ACCEPTED;
u_int16_t bid = 0;
- int authmethod = BC_AUTH_NONE;
+ int authmethod = BC_AUTH_NONE, authmethod_done = BC_AUTH_NONE;
+ u_int32_t mobility_spi = 0;
/*
* If home address option is not present, home address
@@ -631,13 +654,25 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
return (-1);
}
+#ifdef MIP_CN
+ authmethod |= BC_AUTH_RR;
+#endif /* MIP_CN */
+#ifdef MIP_HA
+#ifdef AUTHID
+ if (use_authid)
+ authmethod |= BC_AUTH_MNHA;
+#else /* AUTHID */
+ authmethod |= BC_AUTH_IPSEC;
+#endif /* AUTHID */
+#endif /* MIP_HA */
+
/*
* Authenticator check if available. BU is protected
* by IPsec when it is sent to Home Agent. Otherwise, all
- * packets SHOULD have authenticato and nonce indice
- * option.
+ * packets SHOULD have a binding authorization and a nonce
+ * indices options.
*/
- if (mopt.opt_auth && mopt.opt_nonce) {
+ if (mopt.opt_bauth && mopt.opt_nonce) {
#ifdef MIP_CN
int cnnonce = 0;
u_int16_t cksum;
@@ -694,14 +729,14 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
/* Calculate authenticator */
mip6_calculate_authenticator(kbm, coa, dst, (caddr_t)bu, mhlen,
- (u_int8_t *)mopt.opt_auth +
+ (u_int8_t *)mopt.opt_bauth +
sizeof(struct ip6_mh_opt_auth_data) - (u_int8_t *)bu,
MIP6_AUTHENTICATOR_SIZE, &authenticator);
bu->ip6mhbu_hdr.ip6mh_cksum = cksum;
/* Authentication is failed, silently discard */
if (memcmp(&authenticator,
- ((u_int8_t *)mopt.opt_auth + 2), MIP6_AUTHENTICATOR_SIZE) != 0) {
+ ((u_int8_t *)mopt.opt_bauth + 2), MIP6_AUTHENTICATOR_SIZE) != 0) {
syslog(LOG_ERR, "Authenticator comparison failed");
if (debug) {
syslog(LOG_INFO, "HomeIndex 0x%x",
@@ -720,7 +755,7 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
}
if (lifetime > MIP6_MAX_RR_BINDING_LIFE)
lifetime = MIP6_MAX_RR_BINDING_LIFE;
- authmethod = BC_AUTH_RR;
+ authmethod_done = BC_AUTH_RR;
#endif /* MIP_CN */
} else {
#ifdef MIP_CN
@@ -748,8 +783,29 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
return (0);
}
#elif defined(MIP_HA)
+#ifdef AUTHID
+ if (authmethod & BC_AUTH_MNHA) {
+ if (mopt.mnha_auth == NULL) {
+ /*
+ * RFC 4285 section 5 says, "When a Binding
+ * Update or Binding Acknowledgement is
+ * received without a mobility message
+ * authentication option ... , the entity
+ * should silently discard the received
+ * message."
+ */
+ syslog(LOG_ERR, "No mobility message authentication option is found");
+ return (-1);
+ }
+
+ auth_opt(hoa, coa, (struct ip6_mh *)bu, &mopt,
+ &authmethod, &authmethod_done);
+ mobility_spi = mopt.mnha_auth->ip6moauth_mobility_spi;
+ }
+#else /* AUTHID */
/* go thorough (assuming IPsec protection in the kernel) */
- authmethod = BC_AUTH_IPSEC;
+ authmethod_done = BC_AUTH_IPSEC;
+#endif /* AUTHID */
#endif /* MIP_CN */
}
@@ -782,16 +838,21 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
/* sequence number comparison */
if (bc && MIP6_LEQ(seqno, bc->bc_seqno)) {
statuscode = IP6_MH_BAS_SEQNO_BAD;
+ syslog(LOG_ERR,
+ "Received sequence number from [%s] is out of window. "
+ "[%u] should be larger than [%u]",
+ ip6_sprintf(hoa), seqno, bc->bc_seqno);
seqno = bc->bc_seqno;
- syslog(LOG_ERR, "Received sequence number from [%s] is out of window.",
- ip6_sprintf(hoa));
goto sendba;
}
#ifdef MIP_HA
-
- /* if flags is changed during registration, sending BA with 139 */
- if (bc && (bc->bc_flags != flags)) {
+ /* if flags are changed during registration, sending BA with 139 */
+ if (bc && ((bc->bc_flags ^ flags) & (IP6_MH_BU_HOME
+#ifdef MIP_NEMO
+ | IP6_MH_BU_ROUTER
+#endif /* MIP_NEMO */
+ ))) {
statuscode = IP6_MH_BAS_REG_NOT_ALLOWED;
goto sendba;
}
@@ -878,7 +939,6 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
goto sendba;
}
-
/* check whether MR has authority for MNP */
if (!IN6_ARE_ADDR_EQUAL(hoa, &hpt->hpt_hoa)) {
statuscode = IP6_MH_BAS_NOT_AUTHORIZED;
@@ -905,9 +965,9 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
Does it work on MCOA case ?
*/
#ifdef MIP_CN
- if (home_nonces && (authmethod == BC_AUTH_RR))
+ if (home_nonces && (authmethod & BC_AUTH_RR))
retain_bc_to_nonce(home_nonces, bc);
- if (careof_nonces && (authmethod == BC_AUTH_RR))
+ if (careof_nonces && (authmethod & BC_AUTH_RR))
retain_bc_to_nonce(careof_nonces, bc);
if (!home_nonces && !careof_nonces)
mip6_bc_delete(bc);
@@ -933,7 +993,7 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
lifetime = 0; /* Returned lifetime in BA must be zero */
} else {
/* Requesitng to cache binding (registration) */
- bc = mip6_bc_add(hoa, coa, dst, lifetime, flags, seqno, bid, authmethod);
+ bc = mip6_bc_add(hoa, coa, dst, lifetime, flags, seqno, bid, authmethod, authmethod_done, mobility_spi);
if (bc == NULL) {
statuscode = IP6_MH_BAS_INSUFFICIENT;
goto sendba;
@@ -946,12 +1006,12 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
llhoa.s6_addr[1] = 0x80;
llhoa.s6_addr[3] = ha_if() & 0xff;
memcpy(&llhoa.s6_addr[8], &hoa->s6_addr[8], 8);
- bc->bc_llmbc = mip6_bc_add(&llhoa, coa, dst, lifetime, flags, seqno, bid, authmethod);
+ bc->bc_llmbc = mip6_bc_add(&llhoa, coa, dst, lifetime, flags, seqno, bid, authmethod, authmethod_done, 0);
bc->bc_llmbc->bc_glmbc = bc;
}
bc->bc_realcoa = *retcoa;
- if (bc->bc_state == BC_STATE_UNDER_DAD)
+ if (bc->bc_state & BC_STATE_UNDER_DAD)
return (0);
}
retcode = 0;
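Review bot: The second `mip6_bc_add` result is stored in `bc->bc_llmbc` and dereferenced on the very next line (`bc->bc_llmbc->bc_glmbc = bc;`) without a NULL check, while the first `mip6_bc_add` call a few lines above is checked and answered with IP6_MH_BAS_INSUFFICIENT. A failed allocation of the link-local entry would therefore crash the home agent on a remote BU instead of producing a BA. Suggest `if (bc->bc_llmbc == NULL) { statuscode = IP6_MH_BAS_INSUFFICIENT; goto sendba; }` before the back-pointer assignment; whether the already-added global entry has to be released on that path depends on what `sendba` does, which is outside the hunk.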
@@ -960,7 +1020,7 @@ receive_bu(src, dst, hoa, rtaddr, bu, mhlen)
if (statuscode != IP6_MH_BAS_ACCEPTED ||
(flags & (IP6_MH_BU_ACK | IP6_MH_BU_HOME))) {
send_ba(dst, retcoa, coa, hoa, flags, kbm,
- statuscode, seqno, lifetime, 0 /* refresh */, bid);
+ statuscode, seqno, lifetime, 0 /* refresh */, bid, mobility_spi);
}
return (retcode);
@@ -1530,7 +1590,7 @@ system("ifconfig nemo0 tunnel 203.178.128.64 203.178.128.50 up");
#ifndef MIP_MN
int
-send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid)
+send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid, mobility_spi)
struct in6_addr *src, *coa, *acoa, *hoa;
u_int16_t flags;
mip6_kbm_t *kbm_p;
@@ -1539,6 +1599,7 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
u_int16_t lifetime;
int refresh;
u_int16_t bid;
+ u_int32_t mobility_spi;
{
int err = 0;
char buf[1024];
@@ -1657,7 +1718,7 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
auth_opt = (struct ip6_mh_opt_auth_data *)(bufp + buflen);
auth_opt->ip6moad_type = IP6_MHOPT_BAUTH;
- auth_opt->ip6moad_len = MIP6_AUTHENTICATOR_SIZE;
+ auth_opt->ip6moad_len = MIP6_AUTHENTICATOR_SIZE;
buflen += sizeof(*auth_opt);
buflen += MIP6_AUTHENTICATOR_SIZE;
@@ -1667,7 +1728,7 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
buflen += pad;
/*
- * This is not fianl length, but
+ * This is not final length, but
* mobileip6_authentication_data() needs correct bu
* length for authentication data calculation
*/
@@ -1689,6 +1750,53 @@ send_ba(src, coa, acoa, hoa, flags, kbm_p, status, seqno, lifetime, refresh, bid
skip_auth:
#endif /* MIP_CN */
+#if defined(MIP_HA) && defined(AUTHID)
+ if (mobility_spi != 0) {
+ struct haauth_users *hausers;
+ struct ip6_mh_opt_authentication *auth_opt;
+ mip6_authenticator_t *authenticator;
+
+ pad = MIP6_PADLEN(buflen, 8, 2); /* 8n+2 */
+ MIP6_FILL_PADDING(bufp + buflen, pad);
+ buflen += pad;
+
+ auth_opt = (struct ip6_mh_opt_authentication *)(bufp + buflen);
+ auth_opt->ip6moauth_type = IP6_MHOPT_AUTH_OPT;
+ auth_opt->ip6moauth_len =
+ sizeof(struct ip6_mh_opt_authentication)
+ - sizeof(struct ip6_mh_opt) + MIP6_AUTHENTICATOR_SIZE;
+ buflen += sizeof(*auth_opt);
+ buflen += MIP6_AUTHENTICATOR_SIZE;
+
+ /*
+ * This is not final length, but
+ * mobileip6_authentication_data() needs correct bu
+ * length for authentication data calculation
+ */
+ bap->ip6mhba_hdr.ip6mh_len = (buflen >> 3) - 1;
+ bap->ip6mhba_hdr.ip6mh_cksum = 0;
+
+ /* Alignment 8n to sit the end of the packet */
+ pad = MIP6_PADLEN(buflen, 8, 0);
+ MIP6_FILL_PADDING(bufp + buflen, pad);
+ buflen += pad;
+
+ authenticator = (mip6_authenticator_t *)
+ (bufp + (buflen - MIP6_AUTHENTICATOR_SIZE - pad));
+
+ hausers = find_haauth_users(mobility_spi);
+ mip6_calculate_authenticator((mip6_kbm_t *)hausers->sharedkey,
+ (acoa) ? acoa : coa,
+ src,
+ (caddr_t)bufp,
+ buflen,
+ buflen - pad - MIP6_AUTHENTICATOR_SIZE,
+ MIP6_AUTHENTICATOR_SIZE,
+ authenticator);
+ /* MN-AAA isn't needed as described RFC4285 5.2 */
+ }
+#endif /* MIP_HA && AUTHID */
+
/* Alignment 8n */
pad = MIP6_PADLEN(buflen, 8, 0);
MIP6_FILL_PADDING(bufp + buflen, pad);
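Review bot: `hausers` is dereferenced in the `mip6_calculate_authenticator` call immediately after `hausers = find_haauth_users(mobility_spi);` with no NULL check, so building a BA for an SPI that has no provisioned entry would crash the home agent rather than fail the message. Whether receive_bu already validates the SPI before passing it here is not visible in this hunk, so the guard belongs locally, e.g. `if (hausers == NULL) return (-1);` if send_ba has nothing to clean up at that point (the function body continues outside the hunk). The `(mip6_kbm_t *)hausers->sharedkey` cast would also read better with a short comment such as `/* MN-HA shared key used as the HMAC key for the MN-HA authenticator */`.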
62 kame/kame/shisad/shisad.h
@@ -1,4 +1,4 @@
-/* $KAME: shisad.h,v 1.37 2006/06/08 12:02:00 keiichi Exp $ */
+/* $KAME: shisad.h,v 1.38 2006/06/09 11:29:58 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project.
@@ -40,6 +40,11 @@ extern int raw4sock;
#endif
extern struct mip6stat mip6stat;
extern struct mip6_hinfo_list hoa_head;
+extern int debug, namelookup;
+#ifdef AUTHID
+extern int use_authid;
+#endif /* AUTHID */
+
/* protocol constants. */
#define DHAAD_RETRIES 4
@@ -254,6 +259,9 @@ struct binding_update_list {
#ifdef DSMIP
struct in_addr bul_v4hoa;
#endif /* DSMIP */
+#ifdef AUTHID
+ u_int32_t bul_spi;
+#endif /* AUTHID */
};
#define MIP6_BUL_STATE_DISABLE 0x01
@@ -336,7 +344,6 @@ LIST_HEAD(mip6_hinfo_list, mip6_hoainfo);
#define MNINFO_MN_HOME 0x01
#define MNINFO_MN_FOREIGN 0x02
-
/* MIP Virtual Interface Information (each Home Link info) */
struct mip6_mipif {
LIST_ENTRY(mip6_mipif) mipif_entry;
@@ -357,7 +364,7 @@ struct mip6_mobility_options {
struct ip6_mh_opt_refresh_advice *opt_refresh;
struct ip6_mh_opt_altcoa *opt_altcoa;
struct ip6_mh_opt_nonce_index *opt_nonce;
- struct ip6_mh_opt_auth_data *opt_auth;
+ struct ip6_mh_opt_auth_data *opt_bauth;
#ifdef MIP_NEMO
#define NEMO_MAX_ALLOW_PREFIX 10
@@ -370,6 +377,22 @@ struct mip6_mobility_options {
#ifdef DSMIP
struct ip6_mh_opt_ipv4_hoa *opt_v4hoa;
#endif /* DSMIP */
+
+#ifdef AUTHID
+ struct ip6_mh_opt_mn_id *opt_mnid;
+ /* mobility message authentication option could appear twice
+ in one pakcet with a different subtype */
+ union {
+ struct ip6_mh_opt_authentication *opt_authentication[2];
+ struct {
+ struct ip6_mh_opt_authentication *_mnha_auth;
+ struct ip6_mh_opt_authentication *_mnaaa_auth;
+ } _authtype_byname;
+ } _authtype;
+#define opt_authentication _authtype.opt_authentication
+#define mnha_auth _authtype._authtype_byname._mnha_auth
+#define mnaaa_auth _authtype._authtype_byname._mnaaa_auth
+#endif /* AUTHID */
};
/* Binding Cache */
@@ -381,9 +404,10 @@ struct binding_cache {
struct in6_addr bc_myaddr; /* my addr */
u_int8_t bc_state; /* state of this bce */
#define BC_STATE_VALID 0
-#define BC_STATE_DEPRECATED 1
-#define BC_STATE_UNDER_DAD 2
-#define BC_STATE_MAX 2
+#define BC_STATE_UNDER_DAD 1
+#define BC_STATE_UNDER_AUTH 2
+#define BC_STATE_DEPRECATED 4
+#define BC_STATE_MAX 4
u_int16_t bc_flags; /* recved BU flags */
u_int16_t bc_seqno; /* recved BU seqno */
u_int32_t bc_lifetime; /* recved BU lifetime */
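Review bot: BC_STATE_UNDER_DAD, BC_STATE_UNDER_AUTH and BC_STATE_DEPRECATED now look like bit flags (1, 2, 4) and one comparison in mh.c was switched to `&`, but nothing in the header says the field has become a flag set and the comment still reads `state of this bce`. BC_STATE_DEPRECATED also changes value from 1 to 4, so any remaining `bc_state == BC_STATE_DEPRECATED` test or a table sized by BC_STATE_MAX elsewhere (not visible here) would change meaning silently. Suggest `u_int8_t bc_state; /* bit flags below; BC_STATE_VALID means no flag set */` and auditing the other users of bc_state.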
@@ -391,10 +415,13 @@ struct binding_cache {
time_t bc_expire; /* expiration time of this BC. */
CALLOUT_HANDLE bc_refresh; /* callout handle for retrans */
u_int8_t bc_refresh_count;
- u_int8_t bc_authmethod;
+ u_int8_t bc_authmethod; /* to be done */
+ u_int8_t bc_authmethod_done; /* done */
#define BC_AUTH_NONE 0
#define BC_AUTH_IPSEC 1
#define BC_AUTH_RR 2
+#define BC_AUTH_MNHA 4
+#define BC_AUTH_MNAAA 8
/* valid only when BUF_HOME */
void *bc_dad; /* dad handler */
@@ -415,7 +442,14 @@ struct nd6options {
struct nd_opt_homeagent_info *ndhai;
};
extern struct nd6options ndopts;
-extern int debug, namelookup;
+
+struct haauth_users {
+ LIST_ENTRY(haauth_users) hauthusers_entry;
+
+ u_int32_t mobility_spi;
+ struct in6_addr hoa;
+ u_int8_t sharedkey[20];
+};
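Review bot: `sharedkey[20]` is the MN-HA key that send_ba casts to `mip6_kbm_t *` to compute the authenticator, yet the struct carries no comment saying it is key material, what size it is expected to have, or that it should be cleared before the entry is freed; suggest `u_int8_t sharedkey[20]; /* MN-HA shared key (RFC4285); key material, clear before free */`. The `hoa` member is also uncommented — presumably the home address the SPI is provisioned for, which matters because `find_haauth_users` looks up by SPI alone.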
/* mh.c */
void mhsock_open(void);
@@ -440,7 +474,7 @@ int send_hot(struct ip6_mh_home_test_init *, struct in6_addr *,
int send_cot(struct ip6_mh_careof_test_init *, struct in6_addr *,
struct in6_addr *);
int send_ba(struct in6_addr *, struct in6_addr *, struct in6_addr *, struct in6_addr *,
- u_int16_t, mip6_kbm_t *, u_int8_t, u_int16_t, u_int16_t, int, u_int16_t);
+ u_int16_t, mip6_kbm_t *, u_int8_t, u_int16_t, u_int16_t, int, u_int16_t, u_int32_t);
int send_mps(struct mip6_hpfxl *);
/* rr.c */
@@ -487,7 +521,7 @@ void command_show_kbul(int, char *);
struct binding_cache *mip6_bc_lookup(struct in6_addr *, struct in6_addr *,
u_int16_t);
struct binding_cache *mip6_bc_add(struct in6_addr *, struct in6_addr *,
- struct in6_addr *, u_int32_t, u_int16_t, u_int16_t, u_int16_t, u_int8_t);
+ struct in6_addr *, u_int32_t, u_int16_t, u_int16_t, u_int16_t, u_int8_t, u_int8_t, u_int32_t);
/* network.c */
int set_ip6addr(char *, struct in6_addr *, int, int);
@@ -611,6 +645,14 @@ struct mip6_hpfxl *mip6_get_hpfxlist(struct in6_addr *, int,
void show_hal(int, struct mip6_hpfx_list *);
int receive_ra(struct nd_router_advert *, size_t, int, struct in6_addr *, struct in6_addr *);
+/* auth.c */
+#ifdef AUTHID
+void auth_init();
+int auth_opt(struct in6_addr *, struct in6_addr *, struct ip6_mh *,
+ struct mip6_mobility_options *, int *, int *);
+struct haauth_users *find_haauth_users(u_int32_t);
+#endif /* AUTHID */
+
/* other utility functions */
int inet_are_prefix_equal(void *, void *, int);
char *hexdump(void *, size_t);
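Review bot: `void auth_init();` declares a function with unspecified arguments, so a call with the wrong arguments compiles silently; write `void auth_init(void);` as the rest of this header does (`void mhsock_open(void);`). `find_haauth_users` presumably returns NULL for an SPI that is not provisioned, and the prototype is the place to state it, e.g. `struct haauth_users *find_haauth_users(u_int32_t); /* NULL if the SPI is unknown */`, since send_ba dereferences the result.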
8 kame/sys/netinet/ip6mh.h
@@ -1,4 +1,4 @@
-/* $KAME: ip6mh.h,v 1.9 2006/06/09 05:46:13 t-momose Exp $ */
+/* $KAME: ip6mh.h,v 1.10 2006/06/09 11:29:58 t-momose Exp $ */
/*
* Copyright (C) 2004 WIDE Project.
@@ -387,6 +387,12 @@ struct ip6_mh_opt_authentication {
/* followed by authentication data */
} __attribute__((__packed__));
#define ip6moauth_mobility_spi __ip6moauth_mobility_spi.__mobility_spi32
+/* definition for subtype */
+#define IP6_MH_AUTHOPT_SUBTYPE_MNHA 1
+#define IP6_MH_AUTHOPT_SUBTYPE_MNAAA 2
+/* special reserved SPI values */
+#define IP6_MH_AUTHOPT_SPI_HMAC_SHA1 3
+#define IP6_MH_AUTHOPT_SPI_3GPP2 5
/* Mobility Message Replay Protection Option */
struct ip6_mh_opt_replay_protection {