Merge lp:~rene-hummen/hipl/midauth-hipd into lp:hipl
- midauth-hipd
- Merge into trunk
Status: | Superseded |
---|---|
Proposed branch: | lp:~rene-hummen/hipl/midauth-hipd |
Merge into: | lp:hipl |
Diff against target: |
1770 lines (+1191/-259) 25 files modified
.bzrignore (+1/-0) Makefile.am (+16/-4) firewall/midauth.h (+2/-1) hipd/hipd.c (+2/-47) hipd/hipd.h (+3/-0) hipd/main.c (+84/-0) hipd/output.c (+0/-10) lib/core/builder.c (+8/-100) lib/core/builder.h (+0/-10) lib/core/protodefs.h (+0/-23) lib/core/solve.c (+1/-57) lib/core/solve.h (+1/-4) modules/heartbeat/Makefile.am (+1/-1) modules/heartbeat_update/Makefile.am (+1/-1) modules/midauth/Makefile.am (+32/-0) modules/midauth/hipd/midauth.c (+229/-0) modules/midauth/hipd/midauth.h (+34/-0) modules/midauth/lib/midauth_builder.c (+184/-0) modules/midauth/lib/midauth_builder.h (+79/-0) modules/midauth/module_info.xml (+47/-0) modules/update/Makefile.am (+1/-1) test/check_modules_midauth.c (+46/-0) test/modules/midauth/hipd/midauth.c (+120/-0) test/modules/midauth/lib/midauth_builder.c (+265/-0) test/modules/midauth/test_suites.h (+34/-0) |
To merge this branch: | bzr merge lp:~rene-hummen/hipl/midauth-hipd |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Stefan Götz (community) | Needs Fixing | ||
Diego Biurrun | Needs Fixing | ||
Christof Mroz | Approve | ||
Review via email: mp+68431@code.launchpad.net |
This proposal has been superseded by a proposal from 2011-08-08.
Commit message
Description of the change
This branch re-implements the hipd-related part of http://
Short intro to HIP middlebox authentication:
1) The firewall intercepts R1, I2, U1 and U2 messages and adds a nonce that needs to be echoed back to the firewall by the respective end-host in the signed part of the reply. This enables the firewall to evaluate the freshness of the exchange.
2) In order to mitigate DoS attacks targeting the signature verification at the firewall, the nonce is additionally used as the input for a puzzle that the end-host needs to solve and send back to the firewall in the reply as well.
Review guidance:
1) I have broken down the midauth code into hipd- and firewall-related functionality. Hopefully, this will decrease the review effort.
2) You can ignore the code removed in hipd/*.c. This code has been moved to modules/midauth and has mostly been rewritten.
3) modules/
4) There are no unit-tests for the hipd-related functionality as of now. However, we have tested the code extensively in three demos and I will add the tests at a later point in time.
- 6021. By Diego Biurrun
-
Fix moduels ---> modules typo.
- 6022. By Diego Biurrun
-
build: clean up .bzrignore
Restore alphabetical order, remove duplicates, use wildcard for config.foo
entries, do not globally ignore .lo and .la files. - 6023. By Diego Biurrun
-
create_ecdsa_key(): bandaid compilation fix for gcc 4.6
The err variable was write-only since the function returns EC_KEY* and not int.
Change err variable to type EC_KEY* and return it instead of NULL. - 6024. By Diego Biurrun
-
cosmetics: remove some unnecessary parentheses from pointer expressions
The struct member selection operators '.' and '->' have higher precedence than
the address operator '&'. Remove parentheses made unnecessary by this order
in cases where they add no readability or even impair readability. - 6025. By René Hummen
-
replace code with hip_ifel abuse
- 6026. By Diego Biurrun
-
doxygen: exclude directory generated by 'make dist' from list of source files
- 6027. By Diego Biurrun
-
build: ignore directory generated by 'make dist'
- 6028. By Diego Biurrun
-
Merge vestigial locking macros removal branch.
Christof Mroz (christof-mroz) wrote : | # |
Aside from Diego's comment's, it looks good to me. Minor point:
> + static const size_t min_length = sizeof(*request)
> + - sizeof(
> + - sizeof(
This exact same computation is used in other functions, so it could be refactored into a global... But OTOH this is unlikely to change anyway.
More ideally, a separate branch could rewrite all HIPL structures to utilize zero-length arrays (a C99 feature AFAIK), which would lead to a simpler length calculations and more flexibility when working with preallocated packet buffers (by not fixing their length in the struct itself).
This was already briefly discussed on the list before though.
René Hummen (rene-hummen) wrote : | # |
On 23.07.2011, at 00:59, Christof Mroz wrote:
> Review: Approve
> Aside from Diego's comment's, it looks good to me. Minor point:
>
>> + static const size_t min_length = sizeof(*request)
>> + - sizeof(
>> + - sizeof(
>
> This exact same computation is used in other functions, so it could be refactored into a global... But OTOH this is unlikely to change anyway.
This code is just repeated once for request and response respectively. I'm leaving it as it is.
René
--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://
René Hummen (rene-hummen) wrote : | # |
Diego, I have addressed the issues that you mentioned. Can you please approve the merge or give further feedback.
Diego Biurrun (diego-biurrun) wrote : | # |
On Mon, Jul 25, 2011 at 09:06:20AM +0000, René Hummen wrote:
> Diego, I have addressed the issues that you mentioned.
Where? I have not seen any commits from you nor an updated merge
proposal...
Diego
Diego Biurrun (diego-biurrun) wrote : | # |
review needs-fixing
On Tue, Jul 19, 2011 at 05:18:19PM +0000, René Hummen wrote:
> René Hummen has proposed merging lp:~rene-hummen/hipl/midauth-hipd into lp:hipl.
>
> --- modules/
> +++ modules/
> @@ -0,0 +1,257 @@
> +
> +#include <errno.h>
> +#include <string.h>
You should add stdint.h for the POSIX integer types you use.
> +/**
> + * Handle the CHALLENGE_REQUEST parameter.
> + *
> + * @param packet_type The packet type of the control message (RFC 5201, 5.3.)
> + * @param ha_state The host association state (RFC 5201, 4.4.1.)
> + * @param ctx Pointer to the packet context, containing all information for
> + * the packet handling (received message, source and destination
> + * address, the ports and the corresponding entry from the host
> + * association database).
nit: The one-space indentation for the description block looks weird.
more below
> +int hip_midauth_
> +{
> + int err = 0;
> +
> + HIP_IFEL(
> + "HIP_PARAM_
> + -1, "failed to register parameter type\n");
> + HIP_IFEL(
> + "HIP_PARAM_
> + -1, "failed to register parameter type\n");
> +
> + HIP_IFEL(
> + HIP_STATE_R2_SENT,
> + &hip_add_
> + 20750),
> + -1, "Error on registering MIDAUTH handle function.\n");
> + HIP_IFEL(
> + HIP_STATE_
> + &hip_add_
> + 20750),
> + -1, "Error on registering MIDAUTH handle function.\n");
> +
> +out_err:
> + return err;
> +}
HIP_IFEL abuse
> --- modules/
> +++ modules/
> @@ -0,0 +1,199 @@
> +
> +#include <string.h>
stdint.h
> + static const size_t min_length = sizeof(*request)
> + - sizeof(
> + - sizeof(
> +
> +
> + static const size_t min_length = sizeof(response)
> + - sizeof(
> + - sizeof(
nit: These would IMO look slightly more readable with the '-' at the
end of the line.
> + /* note: the length cannot be calculated with calc_param_len() */
> + hip_set_
> + hip_set_
> +
> + memcpy(response.J, val_J, PUZZLE_LENGTH);
> + response.K = request->K;
> + response.lifetime = req...
- 6029. By Diego Biurrun
-
uncrustify: force END_TEST to be treated as macro-close token
This allows uncrustify to deal with the unit test code without completely
messing up its formatting. - 6030. By Diego Biurrun
-
unit tests: reformat struct declaration in a way that survives uncrustify
- 6031. By Diego Biurrun
-
stylecheck: fix description of this pre-commit hook's dependencies
There is nothing GNU in the way diff/patch are used; mention both diff and
patch as dependencies; remove some stray trailing whitespace. - 6032. By Diego Biurrun
-
cosmetics: drop some redundant ';' pointed out by uncrustify; merge two lines
- 6033. By Diego Biurrun
-
stylecheck.py: fix some typos
- 6034. By Diego Biurrun
-
cosmetics: fix some incorrect spacing found while playing with uncrustify
Stefan Götz (stefan.goetz-deactivatedaccount) wrote : | # |
Hi Rene!
> 4) There are no unit-tests for the hipd-related functionality as of now.
> However, we have tested the code extensively in three demos and I will add the
> tests at a later point in time.
Sorry, but I'm skeptical :-) As per our current policy, I cannot approve this without unit tests.
> === modified file 'firewall/
> === modified file 'lib/core/solve.c'
> === modified file 'lib/core/solve.h'
Please don't forget to update the Copyright dates when you modify files with
Copyright headers. Scatterbrains like myself may want to try out the pre-commit
hook in https:/
automatically checks for that.
> === added file 'modules/
This file lacks a copyright statement.
> === added file 'modules/
> +/**
> + * Handle the CHALLENGE_REQUEST parameter.
> + *
> + * @param packet_type The packet type of the control message (RFC 5201, 5.3.)
> + * @param ha_state The host association state (RFC 5201, 4.4.1.)
> + * @param ctx Pointer to the packet context, containing all information for
> + * the packet handling (received message, source and destination
> + * address, the ports and the corresponding entry from the host
> + * association database).
> + *
> + * @return zero if the challenge was processed correctly or no challenge was
> + * attached to the packet, negative value otherwise
So it is not an error for a CHALLENGE_REQUEST parameter to be present but an actual challenge to be missing at the same time? Sounds like a protocol violation to me, though I haven't checked the RFC.
> +static int handle_
> + UNUSED const uint32_t ha_state,
> + struct hip_packet_context *ctx)
[M] policy: please ensure full const correctness for the 'ctx' function argument
> +{
> + const struct hip_challenge_
> +
> + request = hip_get_
> + if (!request) {
> + return 0;
> + }
> + // each on-path middlebox may add a challenge on its own
> + do {
> + // process next challenge parameter, if available
> + request = (const struct hip_challenge_
> + hip_get_
> + } while (request && hip_get_
[L] simplicity: the 'if' check for '!request' and its extra 'return' statement could be avoided if a 'while(){}' loop was used instead of the 'do {} while ()' loop. That would make the code more readable in my opinion.
> +/**
> + * Add a HOST_ID parameter corresponding to the local HIT of the association to
> + * an UPDATE packet.
> + *
> + * @param packet_type The packet type of the control message (RFC 5201, 5.3.)
> + * @param ha_state The host association state (RFC 5201, 4.4.1.)
> + * @param ctx Pointer to the packet context, containing all information for
> + * the packet handling (received message, source and destination
> + * address, the ...
Christof Mroz (christof-mroz) wrote : | # |
On Sat, 30 Jul 2011 17:01:37 +0200, Stefan Götz
<email address hidden> wrote:
>> +{
>> + const struct hip_challenge_
>> +
>> + request = hip_get_
>> HIP_PARAM_
>> + if (!request) {
>> + return 0;
>> + }
>> + // each on-path middlebox may add a challenge on its own
>> + do {
>
>> + // process next challenge parameter, if available
>> + request = (const struct hip_challenge_
>> + hip_get_
>> + } while (request && hip_get_
>> HIP_PARAM_
>
> [L] simplicity: the 'if' check for '!request' and its extra 'return'
> statement could be avoided if a 'while(){}' loop was used instead of the
> 'do {} while ()' loop. That would make the code more readable in my
> opinion.
Could you elaborate? I originally wrote it this way because of the
"asymmetry" between hip_get_param() and hip_get_
Stefan Götz (stefan.goetz-deactivatedaccount) wrote : | # |
> Could you elaborate? I originally wrote it this way because of the
> "asymmetry" between hip_get_param() and hip_get_
Something like:
request = hip_get_
while (request && hip_get_
[...]
request = (const struct hip_challenge_
}
Perfectly valid, but less common would also be
for (request = hip_get_
[...]
}
Stefan
- 6035. By Diego Biurrun
-
INSTALL: add a short sentence on contributing; mention HACKING
Diego Biurrun (diego-biurrun) wrote : | # |
On Sat, Jul 30, 2011 at 03:01:37PM +0000, Stefan Götz wrote:
>
> > === added file 'modules/
>
> This file lacks a copyright statement.
All subdirectory Makefile.am snippets do. It is part of the modularization
silliness. I have a patch pending that merges the snippets into the
top-level Makefile.am.
Diego
- 6036. By Diego Biurrun
-
Drop unnecessary return statements at the end of void functions.
- 6037. By Miika Komu
-
Added a note on an experimental bzr hook to the HACKING file
Stefan Götz has developed a pre-commit hook for the Copyright. While
the pre-commit has not been merged yet, it pops up on the mailing list
every now and then. Therefore, I decided to note it on the HACKING
instructions and advocate Stefan to merge it!
René Hummen (rene-hummen) wrote : | # |
Thanks for your extensive review!
On 30.07.2011, at 17:01, Stefan Götz wrote:
> Review: Needs Fixing
> Hi Rene!
>
>> 4) There are no unit-tests for the hipd-related functionality as of now.
>> However, we have tested the code extensively in three demos and I will add the
>> tests at a later point in time.
>
> Sorry, but I'm skeptical :-) As per our current policy, I cannot approve this without unit tests.
Well, you are right. I'll add them now.
>> === modified file 'firewall/
>> === modified file 'lib/core/solve.c'
>> === modified file 'lib/core/solve.h'
>
> Please don't forget to update the Copyright dates when you modify files with
> Copyright headers. Scatterbrains like myself may want to try out the pre-commit
> hook in https:/
> automatically checks for that.
I just started using your commit guard after finishing this branch. Future commit should be bullet proof.
>> +static int handle_
>> + UNUSED const uint32_t ha_state,
>> + struct hip_packet_context *ctx)
>
> [M] policy: please ensure full const correctness for the 'ctx' function argument
Handle functions currently require the non-constness. This should be fixed in trunk.
>> +int hip_midauth_
>> + const uint8_t opaque_len,
>> + uint8_t puzzle_
>
> [M] lack of const correctness
I don't know how to make this more const correct. The prototype uses the pointer notation with complete const-correctness instead of arrays though.
René
--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://
- 6038. By Diego Biurrun
-
Merge uncrustify improvements branch.
René Hummen (rene-hummen) wrote : | # |
On 30.07.2011, at 17:01, Stefan Götz wrote:
> Review: Needs Fixing
> Hi Rene!
>
>> 4) There are no unit-tests for the hipd-related functionality as of now.
>> However, we have tested the code extensively in three demos and I will add the
>> tests at a later point in time.
>
> Sorry, but I'm skeptical :-) As per our current policy, I cannot approve this without unit tests.
I have added unit tests for all but the function below:
static int add_host_
The problem here is that hip_init_host_ids() is needed to set up the host id db for host id lookup within add_host_
START_TEST(
{
const uint8_t opaque[] = "\x01\x41\
struct hip_packet_context ctx = { 0 };
ctx.input_msg = hip_msg_alloc();
ctx.output_msg = hip_msg_alloc();
hip_
hip_
hip_
fail_
0, NULL);
fail_
fail_
}
END_TEST
Ciao,
René
--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://
Stefan Götz (stefan.goetz-deactivatedaccount) wrote : | # |
Hi Rene!
Thanks for all the not so trivial improvements! Almost happy now :)
> === modified file 'Makefile.am'
> --- Makefile.am 2011-07-11 12:50:33 +0000
> +++ Makefile.am 2011-08-04 17:15:48 +0000
> @@ -215,10 +220,16 @@
> test/lib/
> test/lib/tool/pk.c
>
> +test_check_
> + test/modules/
> + test/modules/
> + $(hipd_
> +
> # Include module Makefile.am's.
> # TODO: Make this inclusion dynamic
> include modules/
> include modules/
> +include modules/
> include modules/
[L] I think with Diego's recent change, the contents of the module Makefile.am should be moved into the top-level Makefile.am? Not sure.
> === added file 'modules/
> +/**
> + * Initialization function for the midauth module.
> + *
> + * @return zero on success, negative value otherwise
> + */
> +int hip_midauth_
[L] I don't like the code duplication in this function very much, even if it's just boiler plate code. Here are some optional suggestions for improvement.
> +{
> + int err = 0;
[L] Get rid of this and don't use HIP_IFEL at all because there is no cleanup.
> +
> + HIP_IFEL(
> + "HIP_PARAM_
> + -1, "failed to register parameter type\n");
> + HIP_IFEL(
> + "HIP_PARAM_
> + -1, "failed to register parameter type\n");
[L] Is the second parameter always the string version of the the first? If so, a macro with stringification would avoid that duplication.
> +
> + HIP_IFEL(
> + HIP_STATE_I1_SENT,
> + &handle_
> + 32500),
> + -1, "Error on registering MIDAUTH handle function.\n");
> + HIP_IFEL(
> + HIP_STATE_I2_SENT,
> + &handle_
> + 32500),
> + -1, "Error on registering MIDAUTH handle function.\n");
> + HIP_IFEL(
> + HIP_STATE_CLOSING,
> + &handle_
> + 32500),
> + -1, "Error on registering MIDAUTH handle function.\n");
> + HIP_IFEL(
> + HIP_STATE_CLOSED,
> + ...
Stefan Götz (stefan.goetz-deactivatedaccount) wrote : | # |
Hi Rene!
> I have added unit tests for all but the function below:
Cool!
> The problem here is that hip_init_host_ids() is needed to set up the host id db for host id lookup within add_host_
How about adding the check 'if (!getuid()) { [UNIT TEST CODE] } else {
printf("The unit test %s requires root privileges.\n", __FUNCTION__); }' to the
unit test? Would that seem like a reasonable thing to do?
Stefan
- 6039. By Stefan Götz
-
Completely removes the files lib/tool/
lutil.{ c.h}. They primarily contain a list
implementation which is only used for string parsing. This string parsing is
actually implemented much better directly via strtok(). This also removes a
source of GPL infection.Merge of branch https:/
/code.launchpad .net/~stefan. goetz/hipl/ delist
Merge proposal https://code.launchpad .net/~stefan. goetz/hipl/ delist/ +merge/ 62559
René Hummen (rene-hummen) wrote : | # |
On 04.08.2011, at 20:41, Stefan Götz wrote:
> Review: Needs Fixing
> Hi Rene!
>
> Thanks for all the not so trivial improvements! Almost happy now :)
>
>> === modified file 'Makefile.am'
>> --- Makefile.am 2011-07-11 12:50:33 +0000
>> +++ Makefile.am 2011-08-04 17:15:48 +0000
>> @@ -215,10 +220,16 @@
>> test/lib/
>> test/lib/tool/pk.c
>>
>> +test_check_
>> + test/modules/
>> + test/modules/
>> + $(hipd_
>> +
>> # Include module Makefile.am's.
>> # TODO: Make this inclusion dynamic
>> include modules/
>> include modules/
>> +include modules/
>> include modules/
>
> [L] I think with Diego's recent change, the contents of the module Makefile.am should be moved into the top-level Makefile.am? Not sure.
Diego's changes have not yet been merged to trunk. Hence, I would prefer to modify the Makefile with his merge.
>> +
>> + HIP_IFEL(
>> + "HIP_PARAM_
>> + -1, "failed to register parameter type\n");
>> + HIP_IFEL(
>> + "HIP_PARAM_
>> + -1, "failed to register parameter type\n");
>
> [L] Is the second parameter always the string version of the the first? If so, a macro with stringification would avoid that duplication.
They need not be the same, but it makes sense to do so. The string is used for debugging output. Feel free to adjust and improve lmod_register_
>> + HIP_IFEL(
>> + HIP_STATE_CLOSED,
>> + &handle_
>> + 32500),
>> + -1, "Error on registering MIDAUTH handle function.\n");
>
> [M] as I just see this: the magic numbers 32500 really must be replaced with something more meaningful!
You are right. The priority is for handle functions is somewhat random at the moment. This should be fixed for all handle functions in a separate branch.
> [L] How about:
>
> int states[4] = { HIP_STATE_I1_SENT, [...] };
> for (unsigned i = 0; i < ARRAY_SIZE(states); i++) {
> if (hip_register_
> states[i],
> &handle_
> 32500)) {
> HIP_ERROR("Error on registering MIDAUTH handle function.\n");
> return -1;
> }
> }
>
> and similar for all the registrations below?
Good idea. I changed the code accordingly.
--
Dipl.-Inform...
- 6040. By Diego Biurrun
-
Merge demodularization branch that pulls together Makefile.am snippets.
- 6041. By Henrik Ziegeldorf
-
Fix incorrect use of sizeof.
- 6042. By Henrik Ziegeldorf
-
Fixed tests for ECC functionality, such that all tests are passed.
- 6043. By Diego Biurrun
-
cosmetics: fix 'null' vs. 'NULL' typo
- 6044. By Diego Biurrun
-
builder: clean up return handling
Return values directly instead of setting a variable, jumping
to a goto label and returning the variable there. - 6045. By Diego Biurrun
-
nlink: drop some pointless void* casts
- 6068. By René Hummen
-
remove hip_ prefix from static functions
- 6069. By René Hummen
-
fix doxygen comments
- 6070. By René Hummen
-
fix HIP_IFEL abuse in static functions
- 6071. By René Hummen
-
merge hip_set_
param_challenge _request( ) into hip_build_ param_challenge _request( ) - 6072. By René Hummen
-
add missing include
- 6073. By René Hummen
-
break lines behind -
- 6074. By René Hummen
-
fix doxygen comments
- 6075. By René Hummen
-
add and fix doxygen comments
- 6076. By René Hummen
-
convert if..do..while into while loop
- 6077. By René Hummen
-
move parameters inside funtion for const correctness
- 6078. By René Hummen
-
apply feedback to hip_build_
param_challenge _request( ) - 6079. By René Hummen
-
apply feedback to hip_build_
param_challenge _response( ) - 6080. By René Hummen
-
apply feedback to hip_challenge_
request_ opaque_ len() - 6081. By René Hummen
-
apply feedback to hip_midauth_
puzzle_ seed() - 6082. By René Hummen
-
fix copyright
- 6083. By René Hummen
-
remove TODO about flexible arrays
- 6084. By René Hummen
-
fix const-correctness of prototypes
- 6085. By René Hummen
-
fix different opaque_len data types
- 6086. By René Hummen
-
add unit-tests for hipd-related midauth functionality
- 6087. By René Hummen
-
catch exceptions in hip_build_digest()
- 6088. By René Hummen
-
complete unit-tests for midauth_builder.c
- 6089. By René Hummen
-
catch exceptions for input parameters
- 6090. By René Hummen
-
enable unit tests for hipd functionality
This requires a similar work-around as already done for the firewall in
order to allow hipd-related functionality to be linked correctly. - 6091. By René Hummen
-
unit tests for modules/
midauth/ hipd/midauth. c - 6092. By René Hummen
-
improve readability of hip_midauth_init()
- 6093. By René Hummen
-
add a copyright and license header to xml file
- 6094. By René Hummen
-
replace if statement by HIP_ASSERT
Modify unit test accordingly.
- 6095. By René Hummen
-
move instruction from module Makefile to central one
Unmerged revisions
Preview Diff
1 | === modified file '.bzrignore' |
2 | --- .bzrignore 2011-07-21 17:27:23 +0000 |
3 | +++ .bzrignore 2011-08-05 09:02:54 +0000 |
4 | @@ -56,6 +56,7 @@ |
5 | test/check_firewall |
6 | test/check_lib_core |
7 | test/check_lib_tool |
8 | +test/check_modules_midauth |
9 | test/dh_performance |
10 | test/fw_port_bindings_performance |
11 | test/hc_performance |
12 | |
13 | === modified file 'Makefile.am' |
14 | --- Makefile.am 2011-05-25 09:26:26 +0000 |
15 | +++ Makefile.am 2011-08-05 09:02:54 +0000 |
16 | @@ -70,10 +70,12 @@ |
17 | if HIP_UNITTESTS |
18 | TESTS = test/check_firewall \ |
19 | test/check_lib_core \ |
20 | - test/check_lib_tool |
21 | + test/check_lib_tool \ |
22 | + test/check_modules_midauth |
23 | check_PROGRAMS = test/check_firewall \ |
24 | test/check_lib_core \ |
25 | - test/check_lib_tool |
26 | + test/check_lib_tool \ |
27 | + test/check_modules_midauth |
28 | endif |
29 | |
30 | |
31 | @@ -91,7 +93,7 @@ |
32 | tools_hipconf_SOURCES = tools/hipconf.c |
33 | tools_pisacert_SOURCES = tools/pisacert.c |
34 | |
35 | -hipd_hipd_SOURCES = hipd/accessor.c \ |
36 | +hipd_hipd_sources = hipd/accessor.c \ |
37 | hipd/cert.c \ |
38 | hipd/close.c \ |
39 | hipd/configfilereader.c \ |
40 | @@ -122,9 +124,12 @@ |
41 | hipd/user_ipsec_sadb_api.c |
42 | |
43 | if HIP_MIDAUTH |
44 | -hipd_hipd_SOURCES += hipd/pisa.c |
45 | +hipd_hipd_sources += hipd/pisa.c |
46 | endif |
47 | |
48 | +hipd_hipd_SOURCES = $(hipd_hipd_sources) \ |
49 | + hipd/main.c |
50 | + |
51 | firewall_hipfw_sources = firewall/cache.c \ |
52 | firewall/dlist.c \ |
53 | firewall/esp_prot_api.c \ |
54 | @@ -214,10 +219,16 @@ |
55 | test/lib/tool/checksum.c \ |
56 | test/lib/tool/pk.c |
57 | |
58 | +test_check_modules_midauth_SOURCES = test/check_modules_midauth.c \ |
59 | + test/modules/midauth/lib/midauth_builder.c \ |
60 | + test/modules/midauth/hipd/midauth.c \ |
61 | + $(hipd_hipd_sources) |
62 | + |
63 | # Include module Makefile.am's. |
64 | # TODO: Make this inclusion dynamic |
65 | include modules/heartbeat/Makefile.am |
66 | include modules/heartbeat_update/Makefile.am |
67 | +include modules/midauth/Makefile.am |
68 | include modules/update/Makefile.am |
69 | |
70 | ### static library dependencies ### |
71 | @@ -228,6 +239,7 @@ |
72 | test_check_firewall_LDADD = lib/core/libhipcore.la |
73 | test_check_lib_core_LDADD = lib/core/libhipcore.la |
74 | test_check_lib_tool_LDADD = lib/core/libhipcore.la |
75 | +test_check_modules_midauth_LDADD = lib/core/libhipcore.la |
76 | test_certteststub_LDADD = lib/core/libhipcore.la |
77 | test_dh_performance_LDADD = lib/core/libhipcore.la |
78 | test_fw_port_bindings_performance_LDADD = lib/core/libhipcore.la |
79 | |
80 | === modified file 'firewall/midauth.h' |
81 | --- firewall/midauth.h 2011-04-20 09:10:18 +0000 |
82 | +++ firewall/midauth.h 2011-08-05 09:02:54 +0000 |
83 | @@ -1,5 +1,5 @@ |
84 | /* |
85 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
86 | + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
87 | * |
88 | * Permission is hereby granted, free of charge, to any person |
89 | * obtaining a copy of this software and associated documentation |
90 | @@ -36,6 +36,7 @@ |
91 | #include <stdint.h> |
92 | |
93 | #include "lib/core/protodefs.h" |
94 | +#include "modules/midauth/lib/midauth_builder.h" |
95 | #include "firewall_defines.h" |
96 | |
97 | typedef int (*midauth_handler)(struct hip_fw_context *ctx); |
98 | |
99 | === modified file 'hipd/hipd.c' |
100 | --- hipd/hipd.c 2011-05-16 11:39:06 +0000 |
101 | +++ hipd/hipd.c 2011-08-05 09:02:54 +0000 |
102 | @@ -205,7 +205,7 @@ |
103 | * @param flags pointer to the startup flags container |
104 | * @return nonzero if the caller should exit, 0 otherwise |
105 | */ |
106 | -static int hipd_parse_cmdline_opts(int argc, char *argv[], uint64_t *flags) |
107 | +int hipd_parse_cmdline_opts(int argc, char *argv[], uint64_t *flags) |
108 | { |
109 | int c; |
110 | |
111 | @@ -276,7 +276,7 @@ |
112 | * @param flags startup flags |
113 | * @return 0 on success, negative error code otherwise |
114 | */ |
115 | -static int hipd_main(uint64_t flags) |
116 | +int hipd_main(uint64_t flags) |
117 | { |
118 | int highest_descriptor = 0, err = 0; |
119 | struct timeval timeout; |
120 | @@ -422,48 +422,3 @@ |
121 | |
122 | return err; |
123 | } |
124 | - |
125 | -/** |
126 | - * the main function for hipd |
127 | - * |
128 | - * @param argc number of command line arguments |
129 | - * @param argv the command line arguments |
130 | - * @return zero on success or negative on error |
131 | - */ |
132 | -int main(int argc, char *argv[]) |
133 | -{ |
134 | - uint64_t sflags = HIPD_START_FOREGROUND | HIPD_START_LOWCAP; |
135 | - |
136 | - /* The flushing is enabled by default. The reason for this is that |
137 | - * people are doing some very experimental features on some branches |
138 | - * that may crash the daemon and leave the SAs floating around to |
139 | - * disturb further base exchanges. Use -N flag to disable this. */ |
140 | - sflags |= HIPD_START_FLUSH_IPSEC; |
141 | - |
142 | - /* The default behaviour is to allow hipd to load the required modules |
143 | - * and unload them when exiting. |
144 | - */ |
145 | - sflags |= HIPD_START_LOAD_KMOD; |
146 | - |
147 | - /* set the initial verbosity level */ |
148 | - hip_set_logdebug(LOGDEBUG_MEDIUM); |
149 | - |
150 | - /* One should be able to check the hipd version and usage, |
151 | - * even without having root privileges. |
152 | - */ |
153 | - if (hipd_parse_cmdline_opts(argc, argv, &sflags)) { |
154 | - return EXIT_SUCCESS; |
155 | - } |
156 | - |
157 | - /* We need to recreate the NAT UDP sockets to bind to the new port. */ |
158 | - if (getuid()) { |
159 | - HIP_ERROR("hipd must be started as root!\n"); |
160 | - return EXIT_FAILURE; |
161 | - } |
162 | - |
163 | - if (hipd_main(sflags)) { |
164 | - return EXIT_FAILURE; |
165 | - } |
166 | - |
167 | - return EXIT_SUCCESS; |
168 | -} |
169 | |
170 | === modified file 'hipd/hipd.h' |
171 | --- hipd/hipd.h 2011-05-16 11:00:04 +0000 |
172 | +++ hipd/hipd.h 2011-08-05 09:02:54 +0000 |
173 | @@ -112,4 +112,7 @@ |
174 | /* Functions for handling outgoing packets. */ |
175 | int hip_sendto_firewall(const struct hip_common *msg); |
176 | |
177 | +int hipd_parse_cmdline_opts(int argc, char *argv[], uint64_t * flags); |
178 | +int hipd_main(uint64_t flags); |
179 | + |
180 | #endif /* HIP_HIPD_HIPD_H */ |
181 | |
182 | === added file 'hipd/main.c' |
183 | --- hipd/main.c 1970-01-01 00:00:00 +0000 |
184 | +++ hipd/main.c 2011-08-05 09:02:54 +0000 |
185 | @@ -0,0 +1,84 @@ |
186 | +/* |
187 | + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
188 | + * |
189 | + * Permission is hereby granted, free of charge, to any person |
190 | + * obtaining a copy of this software and associated documentation |
191 | + * files (the "Software"), to deal in the Software without |
192 | + * restriction, including without limitation the rights to use, |
193 | + * copy, modify, merge, publish, distribute, sublicense, and/or sell |
194 | + * copies of the Software, and to permit persons to whom the |
195 | + * Software is furnished to do so, subject to the following |
196 | + * conditions: |
197 | + * |
198 | + * The above copyright notice and this permission notice shall be |
199 | + * included in all copies or substantial portions of the Software. |
200 | + * |
201 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
202 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
203 | + * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
204 | + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
205 | + * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
206 | + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
207 | + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
208 | + * OTHER DEALINGS IN THE SOFTWARE. |
209 | + */ |
210 | + |
211 | +/** |
212 | + * @file |
213 | + * The HIPL main file containing the daemon main function. |
214 | + */ |
215 | + |
216 | +#include <stdint.h> |
217 | +#include <unistd.h> |
218 | +#include <sys/types.h> |
219 | + |
220 | + |
221 | +#include "hipd/hipd.h" |
222 | +#include "init.h" |
223 | +#include "lib/core/debug.h" |
224 | + |
225 | + |
226 | +/** |
227 | + * the main function for hipd |
228 | + * |
229 | + * @param argc number of command line arguments |
230 | + * @param argv the command line arguments |
231 | + * @return zero on success or negative on error |
232 | + */ |
233 | +int main(int argc, char *argv[]) |
234 | +{ |
235 | + uint64_t sflags = HIPD_START_FOREGROUND | HIPD_START_LOWCAP; |
236 | + |
237 | + /* The flushing is enabled by default. The reason for this is that |
238 | + * people are doing some very experimental features on some branches |
239 | + * that may crash the daemon and leave the SAs floating around to |
240 | + * disturb further base exchanges. Use -N flag to disable this. */ |
241 | + sflags |= HIPD_START_FLUSH_IPSEC; |
242 | + |
243 | + /* The default behaviour is to allow hipd to load the required modules |
244 | + * and unload them when exiting. |
245 | + */ |
246 | + sflags |= HIPD_START_LOAD_KMOD; |
247 | + |
248 | + /* set the initial verbosity level */ |
249 | + hip_set_logdebug(LOGDEBUG_MEDIUM); |
250 | + |
251 | + /* One should be able to check the hipd version and usage, |
252 | + * even without having root privileges. |
253 | + */ |
254 | + if (hipd_parse_cmdline_opts(argc, argv, &sflags)) { |
255 | + return EXIT_SUCCESS; |
256 | + } |
257 | + |
258 | + /* We need to recreate the NAT UDP sockets to bind to the new port. */ |
259 | + if (getuid()) { |
260 | + HIP_ERROR("hipd must be started as root!\n"); |
261 | + return EXIT_FAILURE; |
262 | + } |
263 | + |
264 | + if (hipd_main(sflags)) { |
265 | + return EXIT_FAILURE; |
266 | + } |
267 | + |
268 | + return EXIT_SUCCESS; |
269 | +} |
270 | |
271 | === modified file 'hipd/output.c' |
272 | --- hipd/output.c 2011-07-29 18:50:43 +0000 |
273 | +++ hipd/output.c 2011-08-05 09:02:54 +0000 |
274 | @@ -1050,16 +1050,6 @@ |
275 | |
276 | /********** CHALLENGE_RESPONSE **********/ |
277 | #ifdef CONFIG_HIP_MIDAUTH |
278 | - /** @todo no caching is done for PUZZLE_M parameters. This may be |
279 | - * a DOS attack vector. |
280 | - */ |
281 | - HIP_IFEL(hip_solve_puzzle_m(ctx->output_msg, ctx->input_msg), |
282 | - -1, "Building of Challenge_Response failed\n"); |
283 | - midauth_cert = hip_pisa_get_certificate(); |
284 | - |
285 | - HIP_IFEL(hip_build_param(ctx->output_msg, ctx->hadb_entry->our_pub), -1, |
286 | - "Building of host id failed\n"); |
287 | - |
288 | /* For now we just add some random data to see if it works */ |
289 | HIP_IFEL(hip_build_param_cert(ctx->output_msg, 1, 1, 1, 1, midauth_cert, |
290 | strlen(midauth_cert)), |
291 | |
292 | === modified file 'lib/core/builder.c' |
293 | --- lib/core/builder.c 2011-07-29 12:55:51 +0000 |
294 | +++ lib/core/builder.c 2011-08-05 09:02:54 +0000 |
295 | @@ -679,13 +679,6 @@ |
296 | HIP_PARAM_ESP_PROT_BRANCH, |
297 | HIP_PARAM_ESP_PROT_SECRET, |
298 | HIP_PARAM_ESP_PROT_ROOT |
299 | -#ifdef CONFIG_HIP_MIDAUTH |
300 | - , |
301 | - HIP_PARAM_ECHO_REQUEST_M, |
302 | - HIP_PARAM_ECHO_RESPONSE_M, |
303 | - HIP_PARAM_CHALLENGE_REQUEST, |
304 | - HIP_PARAM_CHALLENGE_RESPONSE |
305 | -#endif /* CONFIG_HIP_MIDAUTH */ |
306 | }; |
307 | hip_tlv type = hip_get_param_type(param); |
308 | |
309 | @@ -1175,10 +1168,8 @@ |
310 | case HIP_PARAM_DST_ADDR: return "HIP_PARAM_DST_ADDR"; |
311 | case HIP_PARAM_ECHO_REQUEST: return "HIP_PARAM_ECHO_REQUEST"; |
312 | case HIP_PARAM_ECHO_REQUEST_SIGN: return "HIP_PARAM_ECHO_REQUEST_SIGN"; |
313 | - case HIP_PARAM_ECHO_REQUEST_M: return "HIP_PARAM_ECHO_REQUEST_M"; |
314 | case HIP_PARAM_ECHO_RESPONSE: return "HIP_PARAM_ECHO_RESPONSE"; |
315 | case HIP_PARAM_ECHO_RESPONSE_SIGN: return "HIP_PARAM_ECHO_RESPONSE_SIGN"; |
316 | - case HIP_PARAM_ECHO_RESPONSE_M: return "HIP_PARAM_ECHO_RESPONSE_M"; |
317 | case HIP_PARAM_EID_ADDR: return "HIP_PARAM_EID_ADDR"; |
318 | case HIP_PARAM_EID_ENDPOINT: return "HIP_PARAM_EID_ENDPOINT"; |
319 | case HIP_PARAM_EID_IFACE: return "HIP_PARAM_EID_IFACE"; |
320 | @@ -1209,7 +1200,6 @@ |
321 | case HIP_PARAM_NOTIFICATION: return "HIP_PARAM_NOTIFICATION"; |
322 | case HIP_PARAM_PORTPAIR: return "HIP_PARAM_PORTPAIR"; |
323 | case HIP_PARAM_PUZZLE: return "HIP_PARAM_PUZZLE"; |
324 | - case HIP_PARAM_CHALLENGE_REQUEST: return "HIP_PARAM_CHALLENGE_REQUEST"; |
325 | case HIP_PARAM_R1_COUNTER: return "HIP_PARAM_R1_COUNTER"; |
326 | case HIP_PARAM_REG_FAILED: return "HIP_PARAM_REG_FAILED"; |
327 | case HIP_PARAM_REG_FROM: return "HIP_PARAM_REG_FROM"; |
328 | @@ -1222,7 +1212,6 @@ |
329 | case HIP_PARAM_RVS_HMAC: return "HIP_PARAM_RVS_HMAC"; |
330 | case HIP_PARAM_SEQ: return "HIP_PARAM_SEQ"; |
331 | case HIP_PARAM_SOLUTION: return "HIP_PARAM_SOLUTION"; |
332 | - case HIP_PARAM_CHALLENGE_RESPONSE: return "HIP_PARAM_CHALLENGE_RESPONSE"; |
333 | case HIP_PARAM_SRC_ADDR: return "HIP_PARAM_SRC_ADDR"; |
334 | case HIP_PARAM_TO_PEER: return "HIP_PARAM_TO_PEER"; |
335 | case HIP_PARAM_UINT: return "HIP_PARAM_UINT"; |
336 | @@ -2400,95 +2389,6 @@ |
337 | return err; |
338 | } |
339 | |
340 | -#ifdef CONFIG_HIP_MIDAUTH |
341 | -/** |
342 | - * Build and append a HIP challenge_request to the message. |
343 | - * |
344 | - * The puzzle mechanism assumes that every value is in network byte order |
345 | - * except for the hip_birthday_cookie.cv union, where the value is in |
346 | - * host byte order. This is an exception to the normal builder rules, where |
347 | - * input arguments are normally always in host byte order. |
348 | - * |
349 | - * @param msg the message where the puzzle_m is to be appended |
350 | - * @param val_K the K value for the puzzle_m |
351 | - * @param lifetime lifetime field of the puzzle_m |
352 | - * @param opaque the opaque data filed of the puzzle_m |
353 | - * @param opaque_len the length uf the opaque data field |
354 | - * |
355 | - * @return zero for success, or non-zero on error |
356 | - */ |
357 | -int hip_build_param_challenge_request(struct hip_common *msg, |
358 | - uint8_t val_K, |
359 | - uint8_t lifetime, |
360 | - uint8_t *opaque, |
361 | - uint8_t opaque_len) |
362 | -{ |
363 | - struct hip_challenge_request puzzle; |
364 | - int err = 0; |
365 | - |
366 | - /* note: the length cannot be calculated with calc_param_len() */ |
367 | - hip_set_param_contents_len((struct hip_tlv_common *) &puzzle, |
368 | - sizeof(struct hip_challenge_request) - |
369 | - sizeof(struct hip_tlv_common)); |
370 | - /* Type 2 (in R1) or 3 (in I2) */ |
371 | - hip_set_param_type((struct hip_tlv_common *) &puzzle, |
372 | - HIP_PARAM_CHALLENGE_REQUEST); |
373 | - |
374 | - /* only the random_j_k is in host byte order */ |
375 | - puzzle.K = val_K; |
376 | - puzzle.lifetime = lifetime; |
377 | - memcpy(&puzzle.opaque, opaque, opaque_len); |
378 | - |
379 | - err = hip_build_generic_param(msg, |
380 | - &puzzle, |
381 | - sizeof(struct hip_tlv_common), |
382 | - hip_get_param_contents_direct(&puzzle)); |
383 | - return err; |
384 | -} |
385 | - |
386 | -/** |
387 | - * Build and append a HIP solution into the message. |
388 | - * |
389 | - * The puzzle mechanism assumes that every value is in network byte order |
390 | - * except for the hip_birthday_cookie.cv union, where the value is in |
391 | - * host byte order. This is an exception to the normal builder rules, where |
392 | - * input arguments are normally always in host byte order. |
393 | - * |
394 | - * @param msg the message where the solution is to be appended |
395 | - * @param pz values from the corresponding hip_challenge_request copied to the solution |
396 | - * @param solution value for the solution (in host byte order) |
397 | - * |
398 | - * @return zero for success, or non-zero on error |
399 | - */ |
400 | -int hip_build_param_challenge_response(struct hip_common *const msg, |
401 | - const struct hip_challenge_request *const pz, |
402 | - const uint8_t solution[PUZZLE_LENGTH]) |
403 | -{ |
404 | - struct hip_challenge_response cookie; |
405 | - int err = 0, opaque_len = 0; |
406 | - |
407 | - /* note: the length cannot be calculated with calc_param_len() */ |
408 | - hip_set_param_contents_len((struct hip_tlv_common *) &cookie, |
409 | - sizeof(struct hip_challenge_response) - |
410 | - sizeof(struct hip_tlv_common)); |
411 | - /* Type 2 (in R1) or 3 (in I2) */ |
412 | - hip_set_param_type((struct hip_tlv_common *) &cookie, HIP_PARAM_CHALLENGE_RESPONSE); |
413 | - |
414 | - memcpy(cookie.J, solution, PUZZLE_LENGTH); |
415 | - cookie.K = pz->K; |
416 | - cookie.lifetime = pz->K; |
417 | - opaque_len = sizeof(pz->opaque) / sizeof(pz->opaque[0]); |
418 | - memcpy(&cookie.opaque, pz->opaque, opaque_len); |
419 | - |
420 | - err = hip_build_generic_param(msg, |
421 | - &cookie, |
422 | - sizeof(struct hip_tlv_common), |
423 | - hip_get_param_contents_direct(&cookie)); |
424 | - return err; |
425 | -} |
426 | - |
427 | -#endif /* CONFIG_HIP_MIDAUTH */ |
428 | - |
429 | /** |
430 | * Build and append a HIP solution into the message. |
431 | * |
432 | @@ -3962,6 +3862,14 @@ |
433 | SHA_CTX sha; |
434 | MD5_CTX md5; |
435 | |
436 | + HIP_ASSERT(in != NULL); |
437 | + HIP_ASSERT(out != NULL); |
438 | + |
439 | + if (in_len <= 0) { |
440 | + HIP_ERROR("invalid input length: %i\n", in_len); |
441 | + return -1; |
442 | + } |
443 | + |
444 | switch (type) { |
445 | case HIP_DIGEST_SHA1: |
446 | SHA1_Init(&sha); |
447 | |
448 | === modified file 'lib/core/builder.h' |
449 | --- lib/core/builder.h 2011-07-18 13:10:26 +0000 |
450 | +++ lib/core/builder.h 2011-08-05 09:02:54 +0000 |
451 | @@ -133,12 +133,6 @@ |
452 | const uint32_t opaque, |
453 | const uint8_t *const random_i); |
454 | |
455 | -int hip_build_param_challenge_request(struct hip_common *, |
456 | - uint8_t, |
457 | - uint8_t, |
458 | - uint8_t *, |
459 | - uint8_t); |
460 | - |
461 | int hip_build_param_r1_counter(struct hip_common *, uint64_t); |
462 | |
463 | int hip_build_param_signature2_contents(struct hip_common *, |
464 | @@ -153,10 +147,6 @@ |
465 | const struct hip_puzzle *, |
466 | uint8_t *const); |
467 | |
468 | -int hip_build_param_challenge_response(struct hip_common *const msg, |
469 | - const struct hip_challenge_request *const pz, |
470 | - const uint8_t *const solution); |
471 | - |
472 | int hip_build_param(struct hip_common *, const void *); |
473 | void hip_set_msg_response(struct hip_common *msg, uint8_t on); |
474 | uint8_t hip_get_msg_response(struct hip_common *msg); |
475 | |
476 | === modified file 'lib/core/protodefs.h' |
477 | --- lib/core/protodefs.h 2011-07-28 18:11:17 +0000 |
478 | +++ lib/core/protodefs.h 2011-08-05 09:02:54 +0000 |
479 | @@ -140,7 +140,6 @@ |
480 | #define HIP_PARAM_LOCATOR 193 |
481 | #define HIP_PARAM_PUZZLE 257 |
482 | #define HIP_PARAM_SOLUTION 321 |
483 | -#define HIP_PARAM_CHALLENGE_RESPONSE 322 |
484 | #define HIP_PARAM_SEQ 385 |
485 | #define HIP_PARAM_ACK 449 |
486 | #define HIP_PARAM_DIFFIE_HELLMAN 513 |
487 | @@ -156,7 +155,6 @@ |
488 | #define HIP_PARAM_REG_FAILED 936 |
489 | #define HIP_PARAM_REG_FROM 950 |
490 | #define HIP_PARAM_ECHO_RESPONSE_SIGN 961 |
491 | -#define HIP_PARAM_ECHO_RESPONSE_M 962 |
492 | #define HIP_PARAM_ESP_TRANSFORM 4095 |
493 | #define HIP_PARAM_ESP_PROT_TRANSFORMS 4120 |
494 | #define HIP_PARAM_ESP_PROT_ANCHOR 4121 |
495 | @@ -230,8 +228,6 @@ |
496 | //#define HIP_PARAM_REG_FROM 64010 |
497 | #define HIP_PARAM_TO_PEER 64006 |
498 | #define HIP_PARAM_FROM_PEER 64008 |
499 | -#define HIP_PARAM_ECHO_REQUEST_M 65332 |
500 | -#define HIP_PARAM_CHALLENGE_REQUEST 65334 |
501 | #define HIP_PARAM_FROM 65498 |
502 | #define HIP_PARAM_RVS_HMAC 65500 |
503 | #define HIP_PARAM_VIA_RVS 65502 |
504 | @@ -783,25 +779,6 @@ |
505 | uint8_t J[PUZZLE_LENGTH]; |
506 | } __attribute__((packed)); |
507 | |
508 | - |
509 | - |
510 | -struct hip_challenge_request { |
511 | - hip_tlv type; |
512 | - hip_tlv_len length; |
513 | - uint8_t K; |
514 | - uint8_t lifetime; |
515 | - uint8_t opaque[24]; /**< variable length */ |
516 | -} __attribute__((packed)); |
517 | - |
518 | -struct hip_challenge_response { |
519 | - hip_tlv type; |
520 | - hip_tlv_len length; |
521 | - uint8_t K; |
522 | - uint8_t lifetime; |
523 | - uint8_t J[PUZZLE_LENGTH]; |
524 | - uint8_t opaque[24]; /**< variable length */ |
525 | -} __attribute__((packed)); |
526 | - |
527 | struct hip_dh_public_value { |
528 | uint8_t group_id; |
529 | uint16_t pub_len; |
530 | |
531 | === modified file 'lib/core/solve.c' |
532 | --- lib/core/solve.c 2011-04-20 09:38:33 +0000 |
533 | +++ lib/core/solve.c 2011-08-05 09:02:54 +0000 |
534 | @@ -1,5 +1,5 @@ |
535 | /* |
536 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
537 | + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
538 | * |
539 | * Permission is hereby granted, free of charge, to any person |
540 | * obtaining a copy of this software and associated documentation |
541 | @@ -174,59 +174,3 @@ |
542 | |
543 | return 0; |
544 | } |
545 | - |
546 | -#ifdef CONFIG_HIP_MIDAUTH |
547 | -/** |
548 | - * solve a midauth puzzle which is essentially a normal HIP cookie |
549 | - * with some extra whipped cream on the top |
550 | - * |
551 | - * @param out the received R1 message |
552 | - * @param in an I2 message where the solution will be written |
553 | - * @return zero on success and negative on error |
554 | - * @see <a |
555 | - * href="http://tools.ietf.org/id/draft-heer-hip-middle-auth">Heer et |
556 | - * al, End-Host Authentication for HIP Middleboxes, Internet draft, |
557 | - * work in progress, February 2009</a> |
558 | - */ |
559 | -int hip_solve_puzzle_m(struct hip_common *const out, |
560 | - const struct hip_common *const in) |
561 | -{ |
562 | - struct puzzle_hash_input puzzle_input; |
563 | - const struct hip_challenge_request *pz; |
564 | - uint8_t digest[HIP_AH_SHA_LEN]; |
565 | - |
566 | - pz = hip_get_param(in, HIP_PARAM_CHALLENGE_REQUEST); |
567 | - while (pz) { |
568 | - if (hip_get_param_type(pz) != HIP_PARAM_CHALLENGE_REQUEST) { |
569 | - break; |
570 | - } |
571 | - |
572 | - if (hip_build_digest(HIP_DIGEST_SHA1, pz->opaque, 24, digest) < 0) { |
573 | - HIP_ERROR("Building of SHA1 Random seed I failed\n"); |
574 | - return -1; |
575 | - } |
576 | - |
577 | - memcpy(puzzle_input.puzzle, |
578 | - &digest[HIP_AH_SHA_LEN - PUZZLE_LENGTH], |
579 | - PUZZLE_LENGTH); |
580 | - puzzle_input.initiator_hit = out->hits; |
581 | - puzzle_input.responder_hit = out->hitr; |
582 | - RAND_bytes(puzzle_input.solution, PUZZLE_LENGTH); |
583 | - |
584 | - if ((hip_solve_puzzle(&puzzle_input, pz->K))) { |
585 | - HIP_ERROR("Solving of puzzle failed\n"); |
586 | - return -EINVAL; |
587 | - } |
588 | - |
589 | - if (hip_build_param_challenge_response(out, pz, puzzle_input.solution) < 0) { |
590 | - HIP_ERROR("Error while creating solution_m reply parameter\n"); |
591 | - return -1; |
592 | - } |
593 | - pz = (const struct hip_challenge_request *) |
594 | - hip_get_next_param(in, (const struct hip_tlv_common *) pz); |
595 | - } |
596 | - |
597 | - return 0; |
598 | -} |
599 | - |
600 | -#endif /* CONFIG_HIP_MIDAUTH */ |
601 | |
602 | === modified file 'lib/core/solve.h' |
603 | --- lib/core/solve.h 2011-07-28 18:11:17 +0000 |
604 | +++ lib/core/solve.h 2011-08-05 09:02:54 +0000 |
605 | @@ -1,5 +1,5 @@ |
606 | /* |
607 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
608 | + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
609 | * |
610 | * Permission is hereby granted, free of charge, to any person |
611 | * obtaining a copy of this software and associated documentation |
612 | @@ -55,7 +55,4 @@ |
613 | int hip_verify_puzzle_solution(const struct puzzle_hash_input *const puzzle_input, |
614 | const uint8_t difficulty); |
615 | |
616 | -int hip_solve_puzzle_m(struct hip_common *const out, |
617 | - const struct hip_common *const in); |
618 | - |
619 | #endif /* HIP_LIB_CORE_SOLVE_H */ |
620 | |
621 | === modified file 'modules/heartbeat/Makefile.am' |
622 | --- modules/heartbeat/Makefile.am 2011-01-13 09:45:20 +0000 |
623 | +++ modules/heartbeat/Makefile.am 2011-08-05 09:02:54 +0000 |
624 | @@ -1,1 +1,1 @@ |
625 | -hipd_hipd_SOURCES += modules/heartbeat/hipd/heartbeat.c |
626 | +hipd_hipd_sources += modules/heartbeat/hipd/heartbeat.c |
627 | |
628 | === modified file 'modules/heartbeat_update/Makefile.am' |
629 | --- modules/heartbeat_update/Makefile.am 2011-01-13 09:45:20 +0000 |
630 | +++ modules/heartbeat_update/Makefile.am 2011-08-05 09:02:54 +0000 |
631 | @@ -1,1 +1,1 @@ |
632 | -hipd_hipd_SOURCES += modules/heartbeat_update/hipd/hb_update.c |
633 | +hipd_hipd_sources += modules/heartbeat_update/hipd/hb_update.c |
634 | |
635 | === added directory 'modules/midauth' |
636 | === added file 'modules/midauth/Makefile.am' |
637 | --- modules/midauth/Makefile.am 1970-01-01 00:00:00 +0000 |
638 | +++ modules/midauth/Makefile.am 2011-08-05 09:02:54 +0000 |
639 | @@ -0,0 +1,32 @@ |
640 | +# Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
641 | +# |
642 | +# Permission is hereby granted, free of charge, to any person |
643 | +# obtaining a copy of this software and associated documentation |
644 | +# files (the "Software"), to deal in the Software without |
645 | +# restriction, including without limitation the rights to use, |
646 | +# copy, modify, merge, publish, distribute, sublicense, and/or sell |
647 | +# copies of the Software, and to permit persons to whom the |
648 | +# Software is furnished to do so, subject to the following |
649 | +# conditions: |
650 | +# |
651 | +# The above copyright notice and this permission notice shall be |
652 | +# included in all copies or substantial portions of the Software. |
653 | +# |
654 | +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
655 | +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
656 | +# OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
657 | +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
658 | +# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
659 | +# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
660 | +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
661 | +# OTHER DEALINGS IN THE SOFTWARE. |
662 | + |
663 | + |
664 | +hipd_hipd_SOURCES += modules/midauth/hipd/midauth.c \ |
665 | + modules/midauth/lib/midauth_builder.c |
666 | + |
667 | +firewall_hipfw_SOURCES += modules/midauth/lib/midauth_builder.c |
668 | + |
669 | +test_check_firewall_SOURCES += modules/midauth/lib/midauth_builder.c |
670 | + |
671 | +test_check_modules_midauth_SOURCES += modules/midauth/lib/midauth_builder.c |
672 | |
673 | === added directory 'modules/midauth/hipd' |
674 | === added file 'modules/midauth/hipd/midauth.c' |
675 | --- modules/midauth/hipd/midauth.c 1970-01-01 00:00:00 +0000 |
676 | +++ modules/midauth/hipd/midauth.c 2011-08-05 09:02:54 +0000 |
677 | @@ -0,0 +1,229 @@ |
678 | +/* |
679 | + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
680 | + * |
681 | + * Permission is hereby granted, free of charge, to any person |
682 | + * obtaining a copy of this software and associated documentation |
683 | + * files (the "Software"), to deal in the Software without |
684 | + * restriction, including without limitation the rights to use, |
685 | + * copy, modify, merge, publish, distribute, sublicense, and/or sell |
686 | + * copies of the Software, and to permit persons to whom the |
687 | + * Software is furnished to do so, subject to the following |
688 | + * conditions: |
689 | + * |
690 | + * The above copyright notice and this permission notice shall be |
691 | + * included in all copies or substantial portions of the Software. |
692 | + * |
693 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
694 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
695 | + * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
696 | + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
697 | + * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
698 | + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
699 | + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
700 | + * OTHER DEALINGS IN THE SOFTWARE. |
701 | + */ |
702 | + |
703 | +/** |
704 | + * @file |
705 | + * This file contains the implementation for the middlebox authentication |
706 | + * extension. |
707 | + * |
708 | + * @author Rene Hummen |
709 | + */ |
710 | + |
711 | +#include <errno.h> |
712 | +#include <stdint.h> |
713 | +#include <string.h> |
714 | + |
715 | +#include "hipd/hidb.h" |
716 | +#include "hipd/pkt_handling.h" |
717 | +#include "lib/core/builder.h" |
718 | +#include "lib/core/common.h" |
719 | +#include "lib/core/ife.h" |
720 | +#include "lib/core/modularization.h" |
721 | +#include "lib/core/protodefs.h" |
722 | +#include "lib/core/solve.h" |
723 | +#include "modules/midauth/lib/midauth_builder.h" |
724 | +#include "modules/update/hipd/update.h" |
725 | +#include "midauth.h" |
726 | + |
727 | + |
728 | +/** |
729 | + * Handle the CHALLENGE_REQUEST parameter. |
730 | + * |
731 | + * @param packet_type The packet type of the control message (RFC 5201, 5.3.) |
732 | + * @param ha_state The host association state (RFC 5201, 4.4.1.) |
733 | + * @param ctx Pointer to the packet context, containing all information for |
734 | + * the packet handling (received message, source and destination |
735 | + * address, the ports and the corresponding entry from the host |
736 | + * association database). |
737 | + * |
738 | + * @return zero if the challenge was processed correctly or no challenge |
739 | + * parameter was attached to the packet, negative value otherwise. |
740 | + */ |
741 | +static int handle_challenge_request_param(UNUSED const uint8_t packet_type, |
742 | + UNUSED const uint32_t ha_state, |
743 | + struct hip_packet_context *ctx) |
744 | +{ |
745 | + const struct hip_challenge_request *request = NULL; |
746 | + |
747 | + request = hip_get_param(ctx->input_msg, HIP_PARAM_CHALLENGE_REQUEST); |
748 | + |
749 | + // each on-path middlebox may add a challenge on its own |
750 | + while (request && |
751 | + hip_get_param_type(request) == HIP_PARAM_CHALLENGE_REQUEST) { |
752 | + struct puzzle_hash_input tmp_puzzle; |
753 | + const unsigned int len = hip_challenge_request_opaque_len(request); |
754 | + |
755 | + if (hip_midauth_puzzle_seed(request->opaque, len, tmp_puzzle.puzzle)) { |
756 | + HIP_ERROR("failed to derive midauth puzzle\n"); |
757 | + return -1; |
758 | + } |
759 | + |
760 | + tmp_puzzle.initiator_hit = ctx->input_msg->hitr; |
761 | + tmp_puzzle.responder_hit = ctx->input_msg->hits; |
762 | + |
763 | + if (hip_solve_puzzle(&tmp_puzzle, request->K)) { |
764 | + HIP_ERROR("Solving of middlebox challenge failed\n"); |
765 | + return -EINVAL; |
766 | + } |
767 | + |
768 | + if (hip_build_param_challenge_response(ctx->output_msg, |
769 | + request, |
770 | + tmp_puzzle.solution) < 0) { |
771 | + HIP_ERROR("Error while creating CHALLENGE_RESPONSE parameter\n"); |
772 | + return -1; |
773 | + } |
774 | + |
775 | + // process next challenge parameter, if available |
776 | + request = (const struct hip_challenge_request *) |
777 | + hip_get_next_param(ctx->input_msg, &request->tlv); |
778 | + } |
779 | + |
780 | + return 0; |
781 | +} |
782 | + |
783 | +/** |
784 | + * Add a HOST_ID parameter corresponding to the local HIT of the association to |
785 | + * an UPDATE packet. |
786 | + * |
787 | + * @param packet_type The packet type of the control message (RFC 5201, 5.3.) |
788 | + * @param ha_state The host association state (RFC 5201, 4.4.1.) |
789 | + * @param ctx Pointer to the packet context, containing all information for |
790 | + * the packet handling (received message, source and destination |
791 | + * address, the ports and the corresponding entry from the host |
792 | + * association database). |
793 | + * |
794 | + * @return zero on success, negative value otherwise |
795 | + */ |
796 | +static int add_host_id_param_update(UNUSED const uint8_t packet_type, |
797 | + UNUSED const uint32_t ha_state, |
798 | + struct hip_packet_context *ctx) |
799 | +{ |
800 | + const struct hip_challenge_request *const challenge_request = |
801 | + hip_get_param(ctx->input_msg, HIP_PARAM_CHALLENGE_REQUEST); |
802 | + |
803 | + // add HOST_ID to packets containing a CHALLENGE_RESPONSE |
804 | + if (challenge_request) { |
805 | + const struct local_host_id *const host_id_entry = |
806 | + hip_get_hostid_entry_by_lhi_and_algo(HIP_DB_LOCAL_HID, |
807 | + &ctx->input_msg->hitr, |
808 | + HIP_ANY_ALGO, |
809 | + -1); |
810 | + if (!host_id_entry) { |
811 | + HIP_ERROR("Unknown HIT\n"); |
812 | + return -1; |
813 | + } |
814 | + |
815 | + if (hip_build_param_host_id(ctx->output_msg, &host_id_entry->host_id)) { |
816 | + HIP_ERROR("Building of host id failed\n"); |
817 | + return -1; |
818 | + } |
819 | + } |
820 | + |
821 | + return 0; |
822 | +} |
823 | + |
824 | +/** |
825 | + * Initialization function for the midauth module. |
826 | + * |
827 | + * @return zero on success, negative value otherwise |
828 | + */ |
829 | +int hip_midauth_init(void) |
830 | +{ |
831 | + if (lmod_register_parameter_type(HIP_PARAM_CHALLENGE_REQUEST, |
832 | + "HIP_PARAM_CHALLENGE_REQUEST")) { |
833 | + HIP_ERROR("failed to register parameter type\n"); |
834 | + return -1; |
835 | + } |
836 | + |
837 | + if (lmod_register_parameter_type(HIP_PARAM_CHALLENGE_RESPONSE, |
838 | + "HIP_PARAM_CHALLENGE_RESPONSE")) { |
839 | + HIP_ERROR("failed to register parameter type\n"); |
840 | + return -1; |
841 | + } |
842 | + |
843 | + const int challenge_request_R1_states[] = { HIP_STATE_I1_SENT, |
844 | + HIP_STATE_I2_SENT, |
845 | + HIP_STATE_CLOSING, |
846 | + HIP_STATE_CLOSED }; |
847 | + for (unsigned i = 0; i < ARRAY_SIZE(challenge_request_R1_states); i++) { |
848 | + if (hip_register_handle_function(HIP_R1, |
849 | + challenge_request_R1_states[i], |
850 | + &handle_challenge_request_param, |
851 | + 32500)) { |
852 | + HIP_ERROR("Error on registering MIDAUTH handle function.\n"); |
853 | + return -1; |
854 | + } |
855 | + } |
856 | + |
857 | + // |
858 | + // we hook on every occasion that causes an R2 to get sent. |
859 | + // R2 packet is first allocated at 40000, so we use a higher |
860 | + // base priority here. |
861 | + // |
862 | + const int challenge_request_I2_states[] = { HIP_STATE_UNASSOCIATED, |
863 | + HIP_STATE_I1_SENT, |
864 | + HIP_STATE_I2_SENT, |
865 | + HIP_STATE_R2_SENT, |
866 | + HIP_STATE_ESTABLISHED, |
867 | + HIP_STATE_CLOSING, |
868 | + HIP_STATE_CLOSED, |
869 | + HIP_STATE_NONE }; |
870 | + for (unsigned i = 0; i < ARRAY_SIZE(challenge_request_I2_states); i++) { |
871 | + if (hip_register_handle_function(HIP_I2, |
872 | + challenge_request_I2_states[i], |
873 | + &handle_challenge_request_param, |
874 | + 40322)) { |
875 | + HIP_ERROR("Error on registering MIDAUTH handle function.\n"); |
876 | + return -1; |
877 | + } |
878 | + } |
879 | + |
880 | + // |
881 | + // Priority computed the same as above, but UPDATE response is sent at |
882 | + // priority 30000 already (checking is 20000) and we must add our |
883 | + // CHALLENGE_REQUEST verification in between, hence a lower base priority. |
884 | + // |
885 | + const int challenge_request_UPDATE_states[] = { HIP_STATE_R2_SENT, |
886 | + HIP_STATE_ESTABLISHED }; |
887 | + for (unsigned i = 0; i < ARRAY_SIZE(challenge_request_UPDATE_states); i++) { |
888 | + if (hip_register_handle_function(HIP_UPDATE, |
889 | + challenge_request_UPDATE_states[i], |
890 | + &handle_challenge_request_param, |
891 | + 20322)) { |
892 | + HIP_ERROR("Error on registering MIDAUTH handle function.\n"); |
893 | + return -1; |
894 | + } |
895 | + |
896 | + if (hip_register_handle_function(HIP_UPDATE, |
897 | + challenge_request_UPDATE_states[i], |
898 | + &add_host_id_param_update, |
899 | + 20750)) { |
900 | + HIP_ERROR("Error on registering MIDAUTH handle function.\n"); |
901 | + return -1; |
902 | + } |
903 | + } |
904 | + |
905 | + return 0; |
906 | +} |
907 | |
908 | === added file 'modules/midauth/hipd/midauth.h' |
909 | --- modules/midauth/hipd/midauth.h 1970-01-01 00:00:00 +0000 |
910 | +++ modules/midauth/hipd/midauth.h 2011-08-05 09:02:54 +0000 |
911 | @@ -0,0 +1,34 @@ |
912 | +/* |
913 | + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
914 | + * |
915 | + * Permission is hereby granted, free of charge, to any person |
916 | + * obtaining a copy of this software and associated documentation |
917 | + * files (the "Software"), to deal in the Software without |
918 | + * restriction, including without limitation the rights to use, |
919 | + * copy, modify, merge, publish, distribute, sublicense, and/or sell |
920 | + * copies of the Software, and to permit persons to whom the |
921 | + * Software is furnished to do so, subject to the following |
922 | + * conditions: |
923 | + * |
924 | + * The above copyright notice and this permission notice shall be |
925 | + * included in all copies or substantial portions of the Software. |
926 | + * |
927 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
928 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
929 | + * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
930 | + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
931 | + * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
932 | + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
933 | + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
934 | + * OTHER DEALINGS IN THE SOFTWARE. |
935 | + */ |
936 | + |
937 | +#ifndef MODULES_MIDAUTH_HIPD_MIDAUTH_H |
938 | +#define MODULES_MIDAUTH_HIPD_MIDAUTH_H |
939 | + |
940 | +#define HIP_PARAM_CHALLENGE_REQUEST 65334 |
941 | +#define HIP_PARAM_CHALLENGE_RESPONSE 322 |
942 | + |
943 | +int hip_midauth_init(void); |
944 | + |
945 | +#endif /* MODULES_MIDAUTH_HIPD_MIDAUTH_H */ |
946 | |
947 | === added directory 'modules/midauth/lib' |
948 | === added file 'modules/midauth/lib/midauth_builder.c' |
949 | --- modules/midauth/lib/midauth_builder.c 1970-01-01 00:00:00 +0000 |
950 | +++ modules/midauth/lib/midauth_builder.c 2011-08-05 09:02:54 +0000 |
951 | @@ -0,0 +1,184 @@ |
952 | +/* |
953 | + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
954 | + * |
955 | + * Permission is hereby granted, free of charge, to any person |
956 | + * obtaining a copy of this software and associated documentation |
957 | + * files (the "Software"), to deal in the Software without |
958 | + * restriction, including without limitation the rights to use, |
959 | + * copy, modify, merge, publish, distribute, sublicense, and/or sell |
960 | + * copies of the Software, and to permit persons to whom the |
961 | + * Software is furnished to do so, subject to the following |
962 | + * conditions: |
963 | + * |
964 | + * The above copyright notice and this permission notice shall be |
965 | + * included in all copies or substantial portions of the Software. |
966 | + * |
967 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
968 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
969 | + * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
970 | + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
971 | + * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
972 | + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
973 | + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
974 | + * OTHER DEALINGS IN THE SOFTWARE. |
975 | + */ |
976 | + |
977 | +/** |
978 | + * @file |
979 | + * This file contains parameter handling functionality for the middlebox |
980 | + * authentication extension. |
981 | + * |
982 | + * @author Rene Hummen |
983 | + * @author Christof Mroz <christof.mroz@rwth-aachen.de> |
984 | + */ |
985 | + |
986 | +#include <stdint.h> |
987 | +#include <string.h> |
988 | + |
989 | +#include "lib/core/ife.h" |
990 | +#include "modules/midauth/hipd/midauth.h" |
991 | +#include "midauth_builder.h" |
992 | + |
993 | + |
994 | +/** |
995 | + * Build and append a HIP CHALLENGE_REQUEST to the message. |
996 | + * |
997 | + * @param msg the message where the CHALLENGE_REQUEST is appended |
998 | + * @param difficulty the puzzle difficulty for the CHALLENGE_REQUEST |
999 | + * @param lifetime lifetime the puzzle nonce |
1000 | + * @param opaque the nonce (challenge) of the CHALLENGE_REQUEST |
1001 | + * @param opaque_len the length of the nonce |
1002 | + * |
1003 | + * @return zero for success, or negative value on error |
1004 | + */ |
1005 | +int hip_build_param_challenge_request(struct hip_common *const msg, |
1006 | + const uint8_t difficulty, |
1007 | + const uint8_t lifetime, |
1008 | + const uint8_t *opaque, |
1009 | + const uint8_t opaque_len) |
1010 | +{ |
1011 | + struct hip_challenge_request request; |
1012 | + static const size_t min_length = sizeof(request) - |
1013 | + sizeof(request.tlv) - |
1014 | + sizeof(request.opaque); |
1015 | + |
1016 | + HIP_ASSERT(opaque); |
1017 | + |
1018 | + /* note: the length cannot be calculated with calc_param_len() */ |
1019 | + hip_set_param_contents_len(&request.tlv, min_length + opaque_len); |
1020 | + hip_set_param_type(&request.tlv, HIP_PARAM_CHALLENGE_REQUEST); |
1021 | + |
1022 | + /* only the random_j_k is in host byte order */ |
1023 | + request.K = difficulty; |
1024 | + request.lifetime = lifetime; |
1025 | + memcpy(&request.opaque, opaque, opaque_len); |
1026 | + |
1027 | + if (hip_build_param(msg, &request) != 0) { |
1028 | + HIP_ERROR("failed to build parameter\n"); |
1029 | + return -1; |
1030 | + } |
1031 | + |
1032 | + return 0; |
1033 | +} |
1034 | + |
1035 | +/** |
1036 | + * Build and append a HIP CHALLENGE_RESPONSE to the message. |
1037 | + * |
1038 | + * @param msg the message where the CHALLENGE_RESPONSE is appended |
1039 | + * @param request the received CHALLENGE_REQUEST parameter for this response |
1040 | + * @param solution the solution for the puzzle in the CHALLENGE_REQUEST |
1041 | + * |
1042 | + * @return zero for success, or negative value on error |
1043 | + */ |
1044 | +int hip_build_param_challenge_response(struct hip_common *const msg, |
1045 | + const struct hip_challenge_request *const request, |
1046 | + const uint8_t solution[PUZZLE_LENGTH]) |
1047 | +{ |
1048 | + struct hip_challenge_response response; |
1049 | + static const size_t min_length = sizeof(response) - |
1050 | + sizeof(response.tlv) - |
1051 | + sizeof(response.opaque); |
1052 | + |
1053 | + if (!request || !solution) { |
1054 | + HIP_ERROR("Unexpected input parameter values (NULL).\n"); |
1055 | + return -1; |
1056 | + } |
1057 | + |
1058 | + const int opaque_len = hip_challenge_request_opaque_len(request); |
1059 | + |
1060 | + /* note: the length cannot be calculated with calc_param_len() */ |
1061 | + hip_set_param_contents_len(&response.tlv, min_length + opaque_len); |
1062 | + hip_set_param_type(&response.tlv, HIP_PARAM_CHALLENGE_RESPONSE); |
1063 | + |
1064 | + memcpy(response.J, solution, PUZZLE_LENGTH); |
1065 | + response.K = request->K; |
1066 | + response.lifetime = request->lifetime; |
1067 | + memcpy(response.opaque, request->opaque, opaque_len); |
1068 | + |
1069 | + if (hip_build_param(msg, &response)) { |
1070 | + HIP_ERROR("failed to build parameter\n"); |
1071 | + return -1; |
1072 | + } |
1073 | + |
1074 | + return 0; |
1075 | +} |
1076 | + |
1077 | +/** |
1078 | + * Compute length of opaque field in CHALLENGE_REQUEST parameter. |
1079 | + * |
1080 | + * @param request the CHALLENGE_REQUEST parameter |
1081 | + * @return length of the opaque field; 0 in case of error or if length equals 0 |
1082 | + */ |
1083 | +unsigned int hip_challenge_request_opaque_len(const struct hip_challenge_request *const request) |
1084 | +{ |
1085 | + if (!request) { |
1086 | + return 0; |
1087 | + } |
1088 | + |
1089 | + static const size_t min_len = sizeof(*request) - |
1090 | + sizeof(request->tlv) - |
1091 | + sizeof(request->opaque); |
1092 | + |
1093 | + return hip_get_param_contents_len(&request->tlv) - min_len; |
1094 | +} |
1095 | + |
1096 | +/** |
1097 | + * Convert the opaque value in the CHALLENGE_REQUEST to the seed value I of a |
1098 | + * HIP puzzle. |
1099 | + * |
1100 | + * The opaque value plays a dual role in a CHALLENGE_REQUEST: |
1101 | + * i) it is a challenge that needs to be echoed back by the responder and |
1102 | + * ii) it is used to derive the seed value for a cryptographic puzzle. The |
1103 | + * puzzle is defined in RFC5201. |
1104 | + * |
1105 | + * @param opaque the nonce (challenge) in the CHALLENGE_REQUEST |
1106 | + * @param opaque_len the length of the nonce |
1107 | + * @param puzzle_value the puzzle value generated from the nonce |
1108 | + * @return zero on success, -1 in case of an error |
1109 | + */ |
1110 | +int hip_midauth_puzzle_seed(const uint8_t opaque[], |
1111 | + const unsigned int opaque_len, |
1112 | + uint8_t puzzle_value[PUZZLE_LENGTH]) |
1113 | +{ |
1114 | + unsigned char sha_digest[SHA_DIGEST_LENGTH]; |
1115 | + |
1116 | + if (!puzzle_value) { |
1117 | + HIP_ERROR("Parameter puzzle_value is not allocated\n"); |
1118 | + return -1; |
1119 | + } |
1120 | + |
1121 | + // the hashed opaque field is used as puzzle seed |
1122 | + if (hip_build_digest(HIP_DIGEST_SHA1, |
1123 | + opaque, |
1124 | + opaque_len, |
1125 | + sha_digest)) { |
1126 | + HIP_ERROR("Building of SHA1 random seed I failed\n"); |
1127 | + return -1; |
1128 | + } |
1129 | + |
1130 | + memcpy(puzzle_value, |
1131 | + &sha_digest[SHA_DIGEST_LENGTH - PUZZLE_LENGTH], |
1132 | + PUZZLE_LENGTH); |
1133 | + |
1134 | + return 0; |
1135 | +} |
1136 | |
1137 | === added file 'modules/midauth/lib/midauth_builder.h' |
1138 | --- modules/midauth/lib/midauth_builder.h 1970-01-01 00:00:00 +0000 |
1139 | +++ modules/midauth/lib/midauth_builder.h 2011-08-05 09:02:54 +0000 |
1140 | @@ -0,0 +1,79 @@ |
1141 | +/* |
1142 | + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
1143 | + * |
1144 | + * Permission is hereby granted, free of charge, to any person |
1145 | + * obtaining a copy of this software and associated documentation |
1146 | + * files (the "Software"), to deal in the Software without |
1147 | + * restriction, including without limitation the rights to use, |
1148 | + * copy, modify, merge, publish, distribute, sublicense, and/or sell |
1149 | + * copies of the Software, and to permit persons to whom the |
1150 | + * Software is furnished to do so, subject to the following |
1151 | + * conditions: |
1152 | + * |
1153 | + * The above copyright notice and this permission notice shall be |
1154 | + * included in all copies or substantial portions of the Software. |
1155 | + * |
1156 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
1157 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
1158 | + * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
1159 | + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
1160 | + * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
1161 | + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
1162 | + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
1163 | + * OTHER DEALINGS IN THE SOFTWARE. |
1164 | + */ |
1165 | + |
1166 | +/** |
1167 | + * @file |
1168 | + * This file contains parameter handling functionality for the middlebox |
1169 | + * authentication extension. |
1170 | + * |
1171 | + * @author Rene Hummen |
1172 | + * @author Christof Mroz <christof.mroz@rwth-aachen.de> |
1173 | + */ |
1174 | + |
1175 | +#ifndef MODULES_MIDAUTH_HIPD_MIDAUTH_BUILDER_H |
1176 | +#define MODULES_MIDAUTH_HIPD_MIDAUTH_BUILDER_H |
1177 | + |
1178 | +#include <stdint.h> |
1179 | + |
1180 | +#include "lib/core/builder.h" |
1181 | +#include "lib/core/protodefs.h" |
1182 | + |
1183 | + |
1184 | +#define MAX_CHALLENGE_LENGTH 256 |
1185 | + |
1186 | + |
1187 | +struct hip_challenge_request { |
1188 | + struct hip_tlv_common tlv; |
1189 | + uint8_t K; |
1190 | + uint8_t lifetime; |
1191 | + uint8_t opaque[MAX_CHALLENGE_LENGTH]; /**< variable length */ |
1192 | +} __attribute__ ((packed)); |
1193 | + |
1194 | +struct hip_challenge_response { |
1195 | + struct hip_tlv_common tlv; |
1196 | + uint8_t K; |
1197 | + uint8_t lifetime; |
1198 | + uint8_t J[PUZZLE_LENGTH]; |
1199 | + uint8_t opaque[MAX_CHALLENGE_LENGTH]; /**< variable length */ |
1200 | +} __attribute__ ((packed)); |
1201 | + |
1202 | + |
1203 | +int hip_build_param_challenge_request(struct hip_common *const msg, |
1204 | + const uint8_t difficulty, |
1205 | + const uint8_t lifetime, |
1206 | + const uint8_t *opaque, |
1207 | + const uint8_t opaque_len); |
1208 | + |
1209 | +int hip_build_param_challenge_response(struct hip_common *const msg, |
1210 | + const struct hip_challenge_request *const request, |
1211 | + const uint8_t *const solution); |
1212 | + |
1213 | +unsigned int hip_challenge_request_opaque_len(const struct hip_challenge_request *const request); |
1214 | + |
1215 | +int hip_midauth_puzzle_seed(const uint8_t *const opaque, |
1216 | + const unsigned int opaque_len, |
1217 | + uint8_t *const puzzle_value); |
1218 | + |
1219 | +#endif /* MODULES_MIDAUTH_HIPD_MIDAUTH_BUILDER_H */ |
1220 | |
1221 | === added file 'modules/midauth/module_info.xml' |
1222 | --- modules/midauth/module_info.xml 1970-01-01 00:00:00 +0000 |
1223 | +++ modules/midauth/module_info.xml 2011-08-05 09:02:54 +0000 |
1224 | @@ -0,0 +1,47 @@ |
1225 | +<!-- |
1226 | +Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
1227 | + |
1228 | +Permission is hereby granted, free of charge, to any person |
1229 | +obtaining a copy of this software and associated documentation |
1230 | +files (the "Software"), to deal in the Software without |
1231 | +restriction, including without limitation the rights to use, |
1232 | +copy, modify, merge, publish, distribute, sublicense, and/or sell |
1233 | +copies of the Software, and to permit persons to whom the |
1234 | +Software is furnished to do so, subject to the following |
1235 | +conditions: |
1236 | + |
1237 | +The above copyright notice and this permission notice shall be |
1238 | +included in all copies or substantial portions of the Software. |
1239 | + |
1240 | +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
1241 | +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
1242 | +OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
1243 | +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
1244 | +HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
1245 | +WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
1246 | +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
1247 | +OTHER DEALINGS IN THE SOFTWARE. |
1248 | +--> |
1249 | + |
1250 | +<?xml version="1.0" encoding="UTF-8"?> |
1251 | + |
1252 | +<!-- Mandatory: name, version --> |
1253 | +<module |
1254 | + name="midauth" |
1255 | + version="0.0.1" |
1256 | + description="Middlebox authentication functionality for the hip daemon." |
1257 | + developer="" |
1258 | + bugaddress="hipl-users@freelists.org" |
1259 | + webpage="http://infrahip.hiit.fi/"> |
1260 | + |
1261 | + <requires> |
1262 | + <module name="update" minversion="0.0.1" /> |
1263 | + </requires> |
1264 | + |
1265 | + <!-- Mandatory: name, header_file, init_function --> |
1266 | + <application |
1267 | + name="hipd" |
1268 | + header_file="modules/midauth/hipd/midauth.h" |
1269 | + init_function="hip_midauth_init" /> |
1270 | +</module> |
1271 | + |
1272 | |
1273 | === modified file 'modules/update/Makefile.am' |
1274 | --- modules/update/Makefile.am 2011-04-13 13:28:58 +0000 |
1275 | +++ modules/update/Makefile.am 2011-08-05 09:02:54 +0000 |
1276 | @@ -1,4 +1,4 @@ |
1277 | -hipd_hipd_SOURCES += modules/update/hipd/update.c \ |
1278 | +hipd_hipd_sources += modules/update/hipd/update.c \ |
1279 | modules/update/hipd/update_builder.c \ |
1280 | modules/update/hipd/update_locator.c \ |
1281 | modules/update/hipd/update_param_handling.c |
1282 | |
1283 | === added file 'test/check_modules_midauth.c' |
1284 | --- test/check_modules_midauth.c 1970-01-01 00:00:00 +0000 |
1285 | +++ test/check_modules_midauth.c 2011-08-05 09:02:54 +0000 |
1286 | @@ -0,0 +1,46 @@ |
1287 | +/* |
1288 | + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University. |
1289 | + * |
1290 | + * Permission is hereby granted, free of charge, to any person |
1291 | + * obtaining a copy of this software and associated documentation |
1292 | + * files (the "Software"), to deal in the Software without |
1293 | + * restriction, including without limitation the rights to use, |
1294 | + * copy, modify, merge, publish, distribute, sublicense, and/or sell |
1295 | + * copies of the Software, and to permit persons to whom the |
1296 | + * Software is furnished to do so, subject to the following |
1297 | + * conditions: |
1298 | + * |
1299 | + * The above copyright notice and this permission notice shall be |
1300 | + * included in all copies or substantial portions of the Software. |
1301 | + * |
1302 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
1303 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
1304 | + * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
1305 | + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
1306 | + * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
1307 | + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
1308 | + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
1309 | + * OTHER DEALINGS IN THE SOFTWARE. |
1310 | + */ |
1311 | + |
1312 | +/** |
1313 | + * @file |
1314 | + * @brief Unit tests of modules/midauth (see doc/HACKING on unit tests). |
1315 | + */ |
1316 | + |
1317 | +#include <stdlib.h> |
1318 | +#include <check.h> |
1319 | + |
1320 | +#include "test/modules/midauth/test_suites.h" |
1321 | + |
1322 | +int main(void) |
1323 | +{ |
1324 | + int number_failed; |
1325 | + SRunner *sr = srunner_create(modules_midauth_lib_builder()); |
1326 | + srunner_add_suite(sr, modules_midauth_hipd_midauth()); |
1327 | + |
1328 | + srunner_run_all(sr, CK_NORMAL); |
1329 | + number_failed = srunner_ntests_failed(sr); |
1330 | + srunner_free(sr); |
1331 | + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; |
1332 | +} |
1333 | |
1334 | === added directory 'test/modules' |
1335 | === added directory 'test/modules/midauth' |
1336 | === added directory 'test/modules/midauth/hipd' |
1337 | === added file 'test/modules/midauth/hipd/midauth.c' |
1338 | --- test/modules/midauth/hipd/midauth.c 1970-01-01 00:00:00 +0000 |
1339 | +++ test/modules/midauth/hipd/midauth.c 2011-08-05 09:02:54 +0000 |
1340 | @@ -0,0 +1,120 @@ |
1341 | +/* |
1342 | + * Copyright (c) 2011 Aalto University and RWTH Aachen University. |
1343 | + * |
1344 | + * Permission is hereby granted, free of charge, to any person |
1345 | + * obtaining a copy of this software and associated documentation |
1346 | + * files (the "Software"), to deal in the Software without |
1347 | + * restriction, including without limitation the rights to use, |
1348 | + * copy, modify, merge, publish, distribute, sublicense, and/or sell |
1349 | + * copies of the Software, and to permit persons to whom the |
1350 | + * Software is furnished to do so, subject to the following |
1351 | + * conditions: |
1352 | + * |
1353 | + * The above copyright notice and this permission notice shall be |
1354 | + * included in all copies or substantial portions of the Software. |
1355 | + * |
1356 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
1357 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
1358 | + * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
1359 | + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
1360 | + * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
1361 | + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
1362 | + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
1363 | + * OTHER DEALINGS IN THE SOFTWARE. |
1364 | + */ |
1365 | + |
1366 | +#include <check.h> |
1367 | +#include <stdint.h> |
1368 | + |
1369 | +#include "modules/midauth/hipd/midauth.c" |
1370 | +#include "modules/midauth/lib/midauth_builder.h" |
1371 | +#include "../test_suites.h" |
1372 | + |
1373 | +#define MIDAUTH_DEFAULT_NONCE_LENGTH 18 |
1374 | + |
1375 | +/* Test where the HIP packet does not contain any CHALLANGE_REQUESTs */ |
1376 | +START_TEST(test_midauth_handle_challenge_request_param_0_CORRECT) |
1377 | +{ |
1378 | + struct hip_packet_context ctx = { 0 }; |
1379 | + const struct hip_challenge_response *response = NULL; |
1380 | + |
1381 | + ctx.input_msg = hip_msg_alloc(); |
1382 | + ctx.output_msg = hip_msg_alloc(); |
1383 | + |
1384 | + fail_unless(handle_challenge_request_param(0, 0, &ctx) == 0, NULL); |
1385 | + |
1386 | + /* NOTE we can only check for the existance of the response parameter here |
1387 | + * as the puzzle solution differs for each run. */ |
1388 | + fail_unless((response = hip_get_param(ctx.output_msg, |
1389 | + HIP_PARAM_CHALLENGE_RESPONSE)) == NULL, |
1390 | + NULL); |
1391 | +} |
1392 | +END_TEST |
1393 | + |
1394 | +START_TEST(test_midauth_handle_challenge_request_param_1_CORRECT) |
1395 | +{ |
1396 | + const uint8_t opaque1[] = "\x01\x41\x01\x14\x05\x00\x48\x49\x0b" |
1397 | + "\x02\x42\x02\x15\x06\x08\x49\x50\x0c"; |
1398 | + struct hip_packet_context ctx = { 0 }; |
1399 | + const struct hip_challenge_response *response = NULL; |
1400 | + |
1401 | + ctx.input_msg = hip_msg_alloc(); |
1402 | + ctx.output_msg = hip_msg_alloc(); |
1403 | + |
1404 | + fail_unless(hip_build_param_challenge_request(ctx.input_msg, 0, 0, opaque1, |
1405 | + MIDAUTH_DEFAULT_NONCE_LENGTH) == |
1406 | + 0, NULL); |
1407 | + fail_unless(handle_challenge_request_param(0, 0, &ctx) == 0, NULL); |
1408 | + |
1409 | + /* NOTE we can only check for the existance of the response parameter here |
1410 | + * as the puzzle solution differs for each run. */ |
1411 | + fail_unless((response = hip_get_param(ctx.output_msg, |
1412 | + HIP_PARAM_CHALLENGE_RESPONSE)) != NULL, |
1413 | + NULL); |
1414 | +} |
1415 | +END_TEST |
1416 | + |
1417 | +START_TEST(test_midauth_handle_challenge_request_param_2_CORRECT) |
1418 | +{ |
1419 | + const uint8_t opaque1[] = "\x01\x41\x01\x14\x05\x00\x48\x49\x0b" |
1420 | + "\x02\x42\x02\x15\x06\x08\x49\x50\x0c"; |
1421 | + const uint8_t opaque2[] = "\x01\x41\x01\x14\x05\x00\x48\x49\x0b" |
1422 | + "\x02\x42\x02\x15\x06\x08\x49\x50\x0d"; |
1423 | + struct hip_packet_context ctx = { 0 }; |
1424 | + const struct hip_challenge_response *response = NULL; |
1425 | + |
1426 | + ctx.input_msg = hip_msg_alloc(); |
1427 | + ctx.output_msg = hip_msg_alloc(); |
1428 | + |
1429 | + fail_unless(hip_build_param_challenge_request(ctx.input_msg, 0, 0, opaque1, |
1430 | + MIDAUTH_DEFAULT_NONCE_LENGTH) == |
1431 | + 0, NULL); |
1432 | + fail_unless(hip_build_param_challenge_request(ctx.input_msg, 0, 0, opaque2, |
1433 | + MIDAUTH_DEFAULT_NONCE_LENGTH) == |
1434 | + 0, NULL); |
1435 | + fail_unless(handle_challenge_request_param(0, 0, &ctx) == 0, NULL); |
1436 | + |
1437 | + /* NOTE we can only check for the existance of the response parameter here |
1438 | + * as the puzzle solution differs for each run. */ |
1439 | + fail_unless((response = hip_get_param(ctx.output_msg, |
1440 | + HIP_PARAM_CHALLENGE_RESPONSE)) != NULL, |
1441 | + NULL); |
1442 | + fail_unless(hip_get_next_param(ctx.output_msg, |
1443 | + (const struct hip_tlv_common *) response) != |
1444 | + NULL, NULL); |
1445 | +} |
1446 | +END_TEST |
1447 | + |
1448 | +Suite *modules_midauth_hipd_midauth(void) |
1449 | +{ |
1450 | + Suite *s = suite_create("modules/midauth/hipd/midauth"); |
1451 | + TCase *tc_midauth = tcase_create("Midauth"); |
1452 | + |
1453 | + tcase_add_test(tc_midauth, test_midauth_handle_challenge_request_param_0_CORRECT); |
1454 | + tcase_add_test(tc_midauth, test_midauth_handle_challenge_request_param_1_CORRECT); |
1455 | + tcase_add_test(tc_midauth, test_midauth_handle_challenge_request_param_2_CORRECT); |
1456 | + |
1457 | + suite_add_tcase(s, tc_midauth); |
1458 | + |
1459 | + return s; |
1460 | +} |
1461 | |
1462 | === added directory 'test/modules/midauth/lib' |
1463 | === added file 'test/modules/midauth/lib/midauth_builder.c' |
1464 | --- test/modules/midauth/lib/midauth_builder.c 1970-01-01 00:00:00 +0000 |
1465 | +++ test/modules/midauth/lib/midauth_builder.c 2011-08-05 09:02:54 +0000 |
1466 | @@ -0,0 +1,265 @@ |
1467 | +/* |
1468 | + * Copyright (c) 2011 Aalto University and RWTH Aachen University. |
1469 | + * |
1470 | + * Permission is hereby granted, free of charge, to any person |
1471 | + * obtaining a copy of this software and associated documentation |
1472 | + * files (the "Software"), to deal in the Software without |
1473 | + * restriction, including without limitation the rights to use, |
1474 | + * copy, modify, merge, publish, distribute, sublicense, and/or sell |
1475 | + * copies of the Software, and to permit persons to whom the |
1476 | + * Software is furnished to do so, subject to the following |
1477 | + * conditions: |
1478 | + * |
1479 | + * The above copyright notice and this permission notice shall be |
1480 | + * included in all copies or substantial portions of the Software. |
1481 | + * |
1482 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
1483 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
1484 | + * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
1485 | + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
1486 | + * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
1487 | + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
1488 | + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
1489 | + * OTHER DEALINGS IN THE SOFTWARE. |
1490 | + */ |
1491 | + |
1492 | +#include <check.h> |
1493 | +#include <stdint.h> |
1494 | + |
1495 | +#include "lib/core/protodefs.h" |
1496 | +#include "modules/midauth/hipd/midauth.h" |
1497 | +#include "modules/midauth/lib/midauth_builder.h" |
1498 | +#include "../test_suites.h" |
1499 | + |
1500 | +#define MIDAUTH_DEFAULT_NONCE_LENGTH 18 |
1501 | + |
1502 | +START_TEST(test_midauth_builder_build_param_challenge_request_NULL_msg) |
1503 | +{ |
1504 | + const uint8_t opaque[] = "\x01\x41\x01\x14\x05\x00\x48\x49\x0b" |
1505 | + "\x02\x42\x02\x15\x06\x08\x49\x50\x0c"; |
1506 | + |
1507 | + fail_unless(hip_build_param_challenge_request(NULL, 0, 0, opaque, |
1508 | + MIDAUTH_DEFAULT_NONCE_LENGTH) == |
1509 | + -1, NULL); |
1510 | +} |
1511 | +END_TEST |
1512 | + |
1513 | +#ifdef HAVE_TCASE_ADD_EXIT_TEST |
1514 | +START_TEST(test_midauth_builder_build_param_challenge_request_NULL_opaque) |
1515 | +{ |
1516 | + struct hip_common *const msg = hip_msg_alloc(); |
1517 | + |
1518 | + hip_build_param_challenge_request(msg, 0, 0, NULL, |
1519 | + MIDAUTH_DEFAULT_NONCE_LENGTH); |
1520 | +} |
1521 | +END_TEST |
1522 | +#endif /* HAVE_TCASE_ADD_EXIT_TEST */ |
1523 | + |
1524 | +START_TEST(test_midauth_builder_build_param_challenge_request_0_opaque_len) |
1525 | +{ |
1526 | + const uint8_t opaque[] = "\x01\x41\x01\x14\x05\x00\x48\x49\x0b" |
1527 | + "\x02\x42\x02\x15\x06\x08\x49\x50\x0c"; |
1528 | + struct hip_common *const msg = hip_msg_alloc(); |
1529 | + |
1530 | + fail_unless(hip_build_param_challenge_request(msg, 0, 0, opaque, |
1531 | + 0) == 0, NULL); |
1532 | +} |
1533 | +END_TEST |
1534 | + |
1535 | +START_TEST(test_midauth_builder_build_param_challenge_request_CORRECT) |
1536 | +{ |
1537 | + const uint8_t opaque[] = "\x01\x41\x01\x14\x05\x00\x48\x49\x0b" |
1538 | + "\x02\x42\x02\x15\x06\x08\x49\x50\x0c"; |
1539 | + const char cmp_challenge_request[] = "\xff\x36\x00\x14\x00\x00\x01\x41\x01" |
1540 | + "\x14\x05\x00\x48\x49\x0b\x02\x42\x02" |
1541 | + "\x15\x06\x08\x49\x50\x0C"; |
1542 | + const struct hip_challenge_request *request = NULL; |
1543 | + struct hip_common *const msg = hip_msg_alloc(); |
1544 | + |
1545 | + fail_unless(hip_build_param_challenge_request(msg, 0, 0, opaque, |
1546 | + MIDAUTH_DEFAULT_NONCE_LENGTH) == |
1547 | + 0, NULL); |
1548 | + fail_unless((request = hip_get_param(msg, HIP_PARAM_CHALLENGE_REQUEST)) != NULL, |
1549 | + NULL); |
1550 | + fail_unless(memcmp(request, &cmp_challenge_request, |
1551 | + hip_get_param_total_len(request)) == 0, NULL); |
1552 | +} |
1553 | +END_TEST |
1554 | + |
1555 | +START_TEST(test_midauth_builder_build_param_challenge_response_NULL_msg) |
1556 | +{ |
1557 | + const char challenge_request[] = "\xff\x36\x00\x14\x00\x00\x01\x41\x01" |
1558 | + "\x14\x05\x00\x48\x49\x0b\x02\x42\x02" |
1559 | + "\x15\x06\x08\x49\x50\x0C"; |
1560 | + const uint8_t solution[] = "\x01\x41\x01\x14\x05\x00\x48\x49"; |
1561 | + const struct hip_challenge_request *request = |
1562 | + (const struct hip_challenge_request *) challenge_request; |
1563 | + |
1564 | + fail_unless(hip_build_param_challenge_response(NULL, request, solution) == -1, |
1565 | + NULL); |
1566 | +} |
1567 | +END_TEST |
1568 | + |
1569 | +START_TEST(test_midauth_builder_build_param_challenge_response_NULL_request) |
1570 | +{ |
1571 | + const uint8_t solution[] = "\x01\x41\x01\x14\x05\x00\x48\x49"; |
1572 | + const struct hip_challenge_request *request = NULL; |
1573 | + struct hip_common *const msg = hip_msg_alloc(); |
1574 | + |
1575 | + fail_unless(hip_build_param_challenge_response(msg, request, solution) == -1, |
1576 | + NULL); |
1577 | +} |
1578 | +END_TEST |
1579 | + |
1580 | +START_TEST(test_midauth_builder_build_param_challenge_response_NULL_solution) |
1581 | +{ |
1582 | + const char challenge_request[] = "\xff\x36\x00\x14\x00\x00\x01\x41\x01" |
1583 | + "\x14\x05\x00\x48\x49\x0b\x02\x42\x02" |
1584 | + "\x15\x06\x08\x49\x50\x0C"; |
1585 | + const struct hip_challenge_request *request = |
1586 | + (const struct hip_challenge_request *) challenge_request; |
1587 | + struct hip_common *const msg = hip_msg_alloc(); |
1588 | + |
1589 | + fail_unless(hip_build_param_challenge_response(msg, request, NULL) == -1, |
1590 | + NULL); |
1591 | +} |
1592 | +END_TEST |
1593 | + |
1594 | +START_TEST(test_midauth_builder_build_param_challenge_response_CORRECT) |
1595 | +{ |
1596 | + const char challenge_request[] = "\xff\x36\x00\x14\x00\x00\x01\x41\x01" |
1597 | + "\x14\x05\x00\x48\x49\x0b\x02\x42\x02" |
1598 | + "\x15\x06\x08\x49\x50\x0C"; |
1599 | + const char cmp_challenge_response[] = "\x01\x42\x00\x1C\x00\x00\x01\x41\x01" |
1600 | + "\x14\x05\x00\x48\x49\x01\x41\x01\x14" |
1601 | + "\x05\x00\x48\x49\x0b\x02\x42\x02\x15" |
1602 | + "\x06\x08\x49\x50\x0c"; |
1603 | + const uint8_t solution[] = "\x01\x41\x01\x14\x05\x00\x48\x49"; |
1604 | + const struct hip_challenge_request *request = |
1605 | + (const struct hip_challenge_request *) challenge_request; |
1606 | + const struct hip_challenge_response *response = NULL; |
1607 | + struct hip_common *const msg = hip_msg_alloc(); |
1608 | + |
1609 | + fail_unless(hip_build_param_challenge_response(msg, request, solution) == 0, |
1610 | + NULL); |
1611 | + fail_unless((response = hip_get_param(msg, HIP_PARAM_CHALLENGE_RESPONSE)) != NULL, |
1612 | + NULL); |
1613 | + fail_unless(memcmp(response, &cmp_challenge_response, |
1614 | + hip_get_param_total_len(response)) == 0, NULL); |
1615 | +} |
1616 | +END_TEST |
1617 | + |
1618 | +START_TEST(test_midauth_builder_challenge_request_opaque_len_NULL) |
1619 | +{ |
1620 | + fail_unless(hip_challenge_request_opaque_len(NULL) == 0, NULL); |
1621 | +} |
1622 | +END_TEST |
1623 | + |
1624 | +START_TEST(test_midauth_builder_challenge_request_opaque_len_CORRECT) |
1625 | +{ |
1626 | + const uint8_t opaque[] = "\x01\x41\x01\x14\x05\x00\x48\x49\x0b" |
1627 | + "\x02\x42\x02\x15\x06\x08\x49\x50\x0c"; |
1628 | + const struct hip_challenge_request *request = NULL; |
1629 | + struct hip_common *const msg = hip_msg_alloc(); |
1630 | + |
1631 | + fail_unless(hip_build_param_challenge_request(msg, 0, 0, opaque, |
1632 | + MIDAUTH_DEFAULT_NONCE_LENGTH) == |
1633 | + 0, NULL); |
1634 | + fail_unless((request = hip_get_param(msg, HIP_PARAM_CHALLENGE_REQUEST)) != NULL, |
1635 | + NULL); |
1636 | + fail_unless(hip_challenge_request_opaque_len(request) == |
1637 | + MIDAUTH_DEFAULT_NONCE_LENGTH, NULL); |
1638 | +} |
1639 | +END_TEST |
1640 | + |
1641 | +#ifdef HAVE_TCASE_ADD_EXIT_TEST |
1642 | +START_TEST(test_midauth_builder_puzzle_seed_NULL_opaque) |
1643 | +{ |
1644 | + const uint8_t *const opaque = NULL; |
1645 | + uint8_t puzzle_value[PUZZLE_LENGTH]; |
1646 | + |
1647 | + hip_midauth_puzzle_seed(opaque, MIDAUTH_DEFAULT_NONCE_LENGTH, puzzle_value); |
1648 | +} |
1649 | +END_TEST |
1650 | +#endif /* HAVE_TCASE_ADD_EXIT_TEST */ |
1651 | + |
1652 | +START_TEST(test_midauth_builder_puzzle_seed_0_opaque_len) |
1653 | +{ |
1654 | + const uint8_t opaque[] = "\x01\x41\x00\x14\x05\x00\x48\x49\x0b"; |
1655 | + uint8_t puzzle_value[PUZZLE_LENGTH]; |
1656 | + |
1657 | + fail_unless(hip_midauth_puzzle_seed(opaque, |
1658 | + 0, |
1659 | + puzzle_value) == -1, NULL); |
1660 | +} |
1661 | +END_TEST |
1662 | + |
1663 | +START_TEST(test_midauth_builder_puzzle_seed_NULL_puzzle_value) |
1664 | +{ |
1665 | + const uint8_t opaque[] = "\x01\x41\x00\x14\x05\x00\x48\x49\x0b"; |
1666 | + |
1667 | + fail_unless(hip_midauth_puzzle_seed(opaque, |
1668 | + MIDAUTH_DEFAULT_NONCE_LENGTH, |
1669 | + NULL) == -1, NULL); |
1670 | +} |
1671 | +END_TEST |
1672 | + |
1673 | +START_TEST(test_midauth_builder_puzzle_seed_CORRECT) |
1674 | +{ |
1675 | + const uint8_t opaque[] = "\x01\x41\x01\x14\x05\x00\x48\x49\x0b" |
1676 | + "\x02\x42\x02\x15\x06\x08\x49\x50\x0c"; |
1677 | + uint8_t puzzle_value[PUZZLE_LENGTH]; |
1678 | + uint8_t correct_puzzle_value[] = "\x43\x03\x8F\xD7\x2F\xC7\xD2\xF3"; |
1679 | + |
1680 | + fail_unless(hip_midauth_puzzle_seed(opaque, |
1681 | + MIDAUTH_DEFAULT_NONCE_LENGTH, |
1682 | + puzzle_value) == 0, NULL); |
1683 | + fail_unless(memcmp(correct_puzzle_value, puzzle_value, PUZZLE_LENGTH) == 0, |
1684 | + NULL); |
1685 | +} |
1686 | +END_TEST |
1687 | + |
1688 | +Suite *modules_midauth_lib_builder(void) |
1689 | +{ |
1690 | + Suite *s = suite_create("modules/midauth/lib/midauth_builder"); |
1691 | + TCase *tc_midauth_builder = tcase_create("Midauth_builder"); |
1692 | + |
1693 | + tcase_add_test(tc_midauth_builder, |
1694 | + test_midauth_builder_build_param_challenge_request_NULL_msg); |
1695 | +// the tcase_add_exit_test macro is only available in check 0.9.8 or later but |
1696 | +// scratchbox uses an older version of checkc so we try to avoid this macro |
1697 | +#ifdef HAVE_TCASE_ADD_EXIT_TEST |
1698 | + tcase_add_exit_test(tc_midauth_builder, |
1699 | + test_midauth_builder_build_param_challenge_request_NULL_opaque, |
1700 | + 1); |
1701 | +#endif |
1702 | + tcase_add_test(tc_midauth_builder, |
1703 | + test_midauth_builder_build_param_challenge_request_0_opaque_len); |
1704 | + tcase_add_test(tc_midauth_builder, |
1705 | + test_midauth_builder_build_param_challenge_request_CORRECT); |
1706 | + tcase_add_test(tc_midauth_builder, |
1707 | + test_midauth_builder_build_param_challenge_response_NULL_msg); |
1708 | + tcase_add_test(tc_midauth_builder, |
1709 | + test_midauth_builder_build_param_challenge_response_NULL_request); |
1710 | + tcase_add_test(tc_midauth_builder, |
1711 | + test_midauth_builder_build_param_challenge_response_NULL_solution); |
1712 | + tcase_add_test(tc_midauth_builder, |
1713 | + test_midauth_builder_build_param_challenge_response_CORRECT); |
1714 | + tcase_add_test(tc_midauth_builder, |
1715 | + test_midauth_builder_challenge_request_opaque_len_NULL); |
1716 | + tcase_add_test(tc_midauth_builder, |
1717 | + test_midauth_builder_challenge_request_opaque_len_CORRECT); |
1718 | + |
1719 | +#ifdef HAVE_TCASE_ADD_EXIT_TEST |
1720 | + tcase_add_exit_test(tc_midauth_builder, |
1721 | + test_midauth_builder_puzzle_seed_NULL_opaque, 1); |
1722 | +#endif |
1723 | + tcase_add_test(tc_midauth_builder, test_midauth_builder_puzzle_seed_0_opaque_len); |
1724 | + tcase_add_test(tc_midauth_builder, |
1725 | + test_midauth_builder_puzzle_seed_NULL_puzzle_value); |
1726 | + tcase_add_test(tc_midauth_builder, test_midauth_builder_puzzle_seed_CORRECT); |
1727 | + |
1728 | + suite_add_tcase(s, tc_midauth_builder); |
1729 | + |
1730 | + return s; |
1731 | +} |
1732 | |
1733 | === added file 'test/modules/midauth/test_suites.h' |
1734 | --- test/modules/midauth/test_suites.h 1970-01-01 00:00:00 +0000 |
1735 | +++ test/modules/midauth/test_suites.h 2011-08-05 09:02:54 +0000 |
1736 | @@ -0,0 +1,34 @@ |
1737 | +/* |
1738 | + * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
1739 | + * |
1740 | + * Permission is hereby granted, free of charge, to any person |
1741 | + * obtaining a copy of this software and associated documentation |
1742 | + * files (the "Software"), to deal in the Software without |
1743 | + * restriction, including without limitation the rights to use, |
1744 | + * copy, modify, merge, publish, distribute, sublicense, and/or sell |
1745 | + * copies of the Software, and to permit persons to whom the |
1746 | + * Software is furnished to do so, subject to the following |
1747 | + * conditions: |
1748 | + * |
1749 | + * The above copyright notice and this permission notice shall be |
1750 | + * included in all copies or substantial portions of the Software. |
1751 | + * |
1752 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
1753 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
1754 | + * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
1755 | + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
1756 | + * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
1757 | + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
1758 | + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
1759 | + * OTHER DEALINGS IN THE SOFTWARE. |
1760 | + */ |
1761 | + |
1762 | +#ifndef HIP_TEST_MODULES_MIDAUTH_TEST_SUITES_H |
1763 | +#define HIP_TEST_MODULES_MIDAUTH_TEST_SUITES_H |
1764 | + |
1765 | +#include <check.h> |
1766 | + |
1767 | +Suite *modules_midauth_lib_builder(void); |
1768 | +Suite *modules_midauth_hipd_midauth(void); |
1769 | + |
1770 | +#endif /* HIP_TEST_MODULES_MIDAUTH_TEST_SUITES_H */ |
review needs-fixing