DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity
fwknop/lib/fko_digest.c
Michael Rash ba3b7d1d11 Bug fix for multi-stanza key use and replay attack detection 
This commit fixes a bug where the same encryption key used for two stanzas in
the access.conf file would result in access requests that matched the second
stanza to always be treated as a replay attack.  This has been fixed for
the fwknop-2.0.1 release, and was reported by Andy Rowland.  Now the fwknopd
server computes the SHA256 digest of raw incoming payload data before
decryption, and compares this against all previous hashes.  Previous to this
commit, fwknopd would add a new hash to the replay digest list right after
the first access.conf stanza match, so when SPA packet data matched the
second access.conf stanza a matching replay digest would already be there.
2012-07-07 21:31:30 -04:00

228 lines
5.5 KiB
C
Raw Blame History

/*
*****************************************************************************
*
* File: fko_digest.c
*
* Author: Damien S. Stuart
*
* Purpose: Create the base64-encoded digest for the current spa data. The
* digest used is determined by the digest_type setting in the
* fko context.
*
* Copyright 2009-2010 Damien Stuart (dstuart@dstuart.org)
*
* License (GNU Public License):
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
* USA
*
*****************************************************************************
*/
#include "fko_common.h"
#include "fko.h"
#include "digest.h"
/* Set the SPA digest type.
*/
static int
set_spa_digest_type(fko_ctx_t ctx,
short *digest_type_field, const short digest_type)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
if(digest_type < 1 || digest_type >= FKO_LAST_DIGEST_TYPE)
return(FKO_ERROR_INVALID_DATA);
*digest_type_field = digest_type;
ctx->state |= FKO_DIGEST_TYPE_MODIFIED;
return(FKO_SUCCESS);
}
int
fko_set_spa_digest_type(fko_ctx_t ctx, const short digest_type)
{
return set_spa_digest_type(ctx, &ctx->digest_type, digest_type);
}
int
fko_set_raw_spa_digest_type(fko_ctx_t ctx, const short raw_digest_type)
{
return set_spa_digest_type(ctx, &ctx->raw_digest_type, raw_digest_type);
}
/* Return the SPA digest type.
*/
int
fko_get_spa_digest_type(fko_ctx_t ctx, short *digest_type)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*digest_type = ctx->digest_type;
return(FKO_SUCCESS);
}
/* Return the SPA digest type.
*/
int
fko_get_raw_spa_digest_type(fko_ctx_t ctx, short *raw_digest_type)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*raw_digest_type = ctx->raw_digest_type;
return(FKO_SUCCESS);
}
static int
set_digest(char *data, char **digest, short digest_type)
{
char *md = NULL;
switch(digest_type)
{
case FKO_DIGEST_MD5:
md = malloc(MD_HEX_SIZE(MD5_DIGEST_LENGTH)+1);
if(md == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
md5_base64(md,
(unsigned char*)data, strlen(data));
break;
case FKO_DIGEST_SHA1:
md = malloc(MD_HEX_SIZE(SHA1_DIGEST_LENGTH)+1);
if(md == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
sha1_base64(md,
(unsigned char*)data, strlen(data));
break;
case FKO_DIGEST_SHA256:
md = malloc(MD_HEX_SIZE(SHA256_DIGEST_LENGTH)+1);
if(md == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
sha256_base64(md,
(unsigned char*)data, strlen(data));
break;
case FKO_DIGEST_SHA384:
md = malloc(MD_HEX_SIZE(SHA384_DIGEST_LENGTH)+1);
if(md == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
sha384_base64(md,
(unsigned char*)data, strlen(data));
break;
case FKO_DIGEST_SHA512:
md = malloc(MD_HEX_SIZE(SHA512_DIGEST_LENGTH)+1);
if(md == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
sha512_base64(md,
(unsigned char*)data, strlen(data));
break;
default:
return(FKO_ERROR_INVALID_DIGEST_TYPE);
}
/* Just in case this is a subsquent call to this function. We
* do not want to be leaking memory.
*/
if(*digest != NULL)
free(*digest);
*digest = md;
return(FKO_SUCCESS);
}
int
fko_set_spa_digest(fko_ctx_t ctx)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
/* Must have encoded message data to start with.
*/
if(ctx->encoded_msg == NULL)
return(FKO_ERROR_MISSING_ENCODED_DATA);
return set_digest(ctx->encoded_msg,
&ctx->digest, ctx->digest_type);
}
int
fko_set_raw_spa_digest(fko_ctx_t ctx)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
/* Must have encoded message data to start with.
*/
if(ctx->encrypted_msg == NULL)
return(FKO_ERROR_MISSING_ENCODED_DATA);
return set_digest(ctx->encrypted_msg,
&ctx->raw_digest, ctx->raw_digest_type);
}
int
fko_get_spa_digest(fko_ctx_t ctx, char **md)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*md = ctx->digest;
return(FKO_SUCCESS);
}
int
fko_get_raw_spa_digest(fko_ctx_t ctx, char **md)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*md = ctx->raw_digest;
return(FKO_SUCCESS);
}
/***EOF***/
View Git Blame Copy Permalink