WIP VoLTE support for Asterisk
This commit is contained in:
parent
93c9780637
commit
05c9684302
|
@ -847,6 +847,7 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
|
|||
usleep(BIND_DELAY_US);
|
||||
}
|
||||
|
||||
printf("TRANSPORT HIER\n");
|
||||
res = pjsip_tcp_transport_start3(ast_sip_get_pjsip_endpoint(), &cfg,
|
||||
&temp_state->state->factory);
|
||||
}
|
||||
|
|
|
@ -313,7 +313,9 @@ static pj_status_t set_outbound_authentication_credentials(pjsip_auth_clt_sess *
|
|||
pj_cstr(&auth_cred.scheme, "digest");
|
||||
switch (auth->type) {
|
||||
case AST_SIP_AUTH_TYPE_USER_PASS:
|
||||
if (volte_auth)
|
||||
if (volte_auth == (void *)0x1)
|
||||
pj_cstr(&auth_cred.data, "");
|
||||
else if (volte_auth)
|
||||
pj_strset(&auth_cred.data, (char *)volte_auth, 8);
|
||||
else
|
||||
pj_cstr(&auth_cred.data, auth->auth_pass);
|
||||
|
|
|
@ -92,6 +92,12 @@
|
|||
are made.
|
||||
</para></description>
|
||||
</configOption>
|
||||
<configOption name="max_auth" default="1">
|
||||
<synopsis>Maximum number of authentication attempts.</synopsis>
|
||||
<description><para>
|
||||
This sets the maximum number of authentications attempts that are made.
|
||||
</para></description>
|
||||
</configOption>
|
||||
<configOption name="security_negotiation" default="no">
|
||||
<synopsis>The kind of security agreement negotiation to use. Currently, only mediasec is supported.</synopsis>
|
||||
<description>
|
||||
|
@ -361,6 +367,8 @@ struct sip_outbound_registration {
|
|||
unsigned int auth_rejection_permanent;
|
||||
/*! \brief Maximum number of retries permitted */
|
||||
unsigned int max_retries;
|
||||
/*! \brief Maximum number of authentication attemps permitted */
|
||||
unsigned int max_auth;
|
||||
/*! \brief Whether to add a line parameter to the outbound Contact or not */
|
||||
unsigned int line;
|
||||
/*! \brief Type of security negotiation to use (RFC 3329). */
|
||||
|
@ -402,6 +410,8 @@ struct sip_outbound_registration_client_state {
|
|||
unsigned int retries;
|
||||
/*! \brief Maximum number of retries permitted */
|
||||
unsigned int max_retries;
|
||||
/*! \brief Maximum number of authentication attemps permitted */
|
||||
unsigned int max_auth;
|
||||
/*! \brief Interval at which retries should occur for temporal responses */
|
||||
unsigned int retry_interval;
|
||||
/*! \brief Interval at which retries should occur for permanent responses */
|
||||
|
@ -1278,7 +1288,7 @@ static int handle_registration_response(void *data)
|
|||
}
|
||||
}
|
||||
} else if ((response->code == 401 || response->code == 407 || response->code == 494)
|
||||
&& (!response->client_state->auth_attempted
|
||||
&& (response->client_state->auth_attempted < response->client_state->max_auth
|
||||
|| response->rdata->msg_info.cseq->cseq != response->client_state->auth_cseq)) {
|
||||
int res;
|
||||
pjsip_cseq_hdr *cseq_hdr;
|
||||
|
@ -1326,7 +1336,7 @@ static int handle_registration_response(void *data)
|
|||
return 0;
|
||||
} else if (!ast_sip_create_request_with_auth(&response->client_state->outbound_auths,
|
||||
response->rdata, response->old_request, &tdata)) {
|
||||
response->client_state->auth_attempted = 1;
|
||||
response->client_state->auth_attempted++;
|
||||
ast_debug(1, "Sending authenticated REGISTER to server '%s' from client '%s'\n",
|
||||
server_uri, client_uri);
|
||||
pjsip_tx_data_add_ref(tdata);
|
||||
|
@ -1965,6 +1975,7 @@ static int sip_outbound_registration_perform(void *data)
|
|||
state->client_state->forbidden_retry_interval = registration->forbidden_retry_interval;
|
||||
state->client_state->fatal_retry_interval = registration->fatal_retry_interval;
|
||||
state->client_state->max_retries = registration->max_retries;
|
||||
state->client_state->max_auth = registration->max_auth;
|
||||
state->client_state->retries = 0;
|
||||
state->client_state->support_path = registration->support_path;
|
||||
state->client_state->support_outbound = registration->support_outbound;
|
||||
|
@ -2827,6 +2838,7 @@ static int load_module(void)
|
|||
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "forbidden_retry_interval", "0", OPT_UINT_T, 0, FLDSET(struct sip_outbound_registration, forbidden_retry_interval));
|
||||
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "fatal_retry_interval", "0", OPT_UINT_T, 0, FLDSET(struct sip_outbound_registration, fatal_retry_interval));
|
||||
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "max_retries", "10", OPT_UINT_T, 0, FLDSET(struct sip_outbound_registration, max_retries));
|
||||
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "max_auth", "1", OPT_UINT_T, 0, FLDSET(struct sip_outbound_registration, max_auth));
|
||||
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "auth_rejection_permanent", "yes", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, auth_rejection_permanent));
|
||||
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "registration", "outbound_auth", "", outbound_auth_handler, outbound_auths_to_str, outbound_auths_to_var_list, 0, 0);
|
||||
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "support_path", "no", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, support_path));
|
||||
|
|
|
@ -34,8 +34,10 @@ const pj_str_t STR_PROXY_REQUIRE = { "Proxy-Require", 13 };
|
|||
const pj_str_t STR_PATH = { "path", 4 };
|
||||
const pj_str_t STR_SEC_AGREE = { "sec-agree", 9 };
|
||||
const pj_str_t STR_AUTHORIZATION = { "Authorization", 13 };
|
||||
const pj_str_t STR_AUTS = { "auts", 4 };
|
||||
const pj_str_t STR_SECURITY_CLIENT = { "Security-Client", 15 };
|
||||
const pj_str_t STR_SECURITY_SERVER = { "Security-Server", 15 };
|
||||
const pj_str_t STR_SECURITY_VERIFY = { "Security-Verify", 15 };
|
||||
const pj_str_t STR_Q = { "q", 1 };
|
||||
const pj_str_t STR_PROT = { "prot", 4 };
|
||||
const pj_str_t STR_MOD = { "mod", 3 };
|
||||
|
@ -62,13 +64,23 @@ const struct ipsec_alg ipsec_ealg[] = {
|
|||
{ NULL, NULL }
|
||||
};
|
||||
|
||||
static unsigned char aka_res[8];
|
||||
enum auth_state {
|
||||
AUTH_STATE_NONE,
|
||||
AUTH_STATE_RESYNC,
|
||||
AUTH_STATE_RESULT,
|
||||
};
|
||||
|
||||
static enum auth_state g_auth_state = AUTH_STATE_NONE;
|
||||
static unsigned char g_aka_res[8];
|
||||
static unsigned char g_auts[14];
|
||||
static char g_security_server[1024] = "";
|
||||
|
||||
static struct mnl_socket *g_mnl_socket = NULL;
|
||||
struct sockaddr_storage g_local_addr_c, g_local_addr_s;
|
||||
struct sockaddr_storage g_remote_addr_c, g_remote_addr_s;
|
||||
static pj_sockaddr g_local_addr_c, g_local_addr_s;
|
||||
static pj_sockaddr g_remote_addr_c, g_remote_addr_s;
|
||||
static uint32_t g_local_spi_c, g_local_spi_s;
|
||||
static uint32_t g_remote_spi_c, g_remote_spi_s;
|
||||
static int hacking_port;
|
||||
static pj_bool_t g_local_sa_c_set = PJ_FALSE, g_local_sa_s_set = PJ_FALSE;
|
||||
static pj_bool_t g_remote_sa_c_set = PJ_FALSE, g_remote_sa_s_set = PJ_FALSE;
|
||||
static pj_bool_t g_local_sp_c_set = PJ_FALSE, g_local_sp_s_set = PJ_FALSE;
|
||||
|
@ -83,12 +95,12 @@ static void copy_pj_sockaddr_to_sockaddr_storage(const pj_sockaddr *src, struct
|
|||
if (dst->ss_family == AF_INET) {
|
||||
struct sockaddr_in *dst_in = (struct sockaddr_in *)dst;
|
||||
const pj_sockaddr_in *src_in = (const pj_sockaddr_in *)src;
|
||||
dst_in->sin_port = htons(src_in->sin_port);
|
||||
dst_in->sin_port = src_in->sin_port;
|
||||
memcpy(&dst_in->sin_addr, &src_in->sin_addr, sizeof(struct in_addr));
|
||||
} else if (dst->ss_family == AF_INET6) {
|
||||
struct sockaddr_in6 *dst_in6 = (struct sockaddr_in6 *)dst;
|
||||
const pj_sockaddr_in6 *src_in6 = (const pj_sockaddr_in6 *)src;
|
||||
dst_in6->sin6_port = htons(src_in6->sin6_port);
|
||||
dst_in6->sin6_port = src_in6->sin6_port;
|
||||
memcpy(&dst_in6->sin6_addr, &src_in6->sin6_addr, sizeof(struct in6_addr));
|
||||
}
|
||||
}
|
||||
|
@ -108,53 +120,51 @@ static char *sockaddr_storage_to_string(const struct sockaddr_storage *addr, cha
|
|||
return ip_string;
|
||||
}
|
||||
|
||||
static void sockaddr_storage_port(struct sockaddr_storage *addr, uint16_t port)
|
||||
{
|
||||
switch (((struct sockaddr *)addr)->sa_family) {
|
||||
case AF_INET:
|
||||
((struct sockaddr_in *)addr)->sin_port = htons(port);
|
||||
break;
|
||||
case AF_INET6:
|
||||
((struct sockaddr_in6 *)addr)->sin6_port = htons(port);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* Delete old SA and SP entries upon new registration or module exit. */
|
||||
static void cleanup_xfrm(void)
|
||||
{
|
||||
struct sockaddr_storage local_addr_c, local_addr_s;
|
||||
struct sockaddr_storage remote_addr_c, remote_addr_s;
|
||||
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_c, &local_addr_c);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_c, &remote_addr_c);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_s, &local_addr_s);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_s, &remote_addr_s);
|
||||
|
||||
if (g_local_sa_c_set) {
|
||||
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&g_local_addr_c, (const struct sockaddr *)&g_remote_addr_c, g_local_spi_c);
|
||||
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&local_addr_c, (const struct sockaddr *)&remote_addr_s, g_remote_spi_s);
|
||||
g_local_sa_c_set = PJ_FALSE;
|
||||
}
|
||||
if (g_local_sa_s_set) {
|
||||
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&g_local_addr_s, (const struct sockaddr *)&g_remote_addr_s, g_local_spi_s);
|
||||
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&local_addr_s, (const struct sockaddr *)&remote_addr_c, g_remote_spi_c);
|
||||
g_local_sa_s_set = PJ_FALSE;
|
||||
}
|
||||
if (g_remote_sa_c_set) {
|
||||
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_c, (const struct sockaddr *)&g_local_addr_c, g_remote_spi_c);
|
||||
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&remote_addr_c, (const struct sockaddr *)&local_addr_s, g_local_spi_s);
|
||||
g_remote_sa_c_set = PJ_FALSE;
|
||||
}
|
||||
if (g_remote_sa_s_set) {
|
||||
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_s, (const struct sockaddr *)&g_local_addr_s, g_remote_spi_s);
|
||||
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&remote_addr_s, (const struct sockaddr *)&local_addr_c, g_local_spi_c);
|
||||
g_remote_sa_s_set = PJ_FALSE;
|
||||
}
|
||||
puts("x");
|
||||
if (g_local_sp_c_set) {
|
||||
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&g_local_addr_c, (const struct sockaddr *)&g_remote_addr_c, false);
|
||||
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&local_addr_c, (const struct sockaddr *)&remote_addr_s, false);
|
||||
g_local_sp_c_set = PJ_FALSE;
|
||||
}
|
||||
if (g_local_sp_s_set) {
|
||||
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&g_local_addr_s, (const struct sockaddr *)&g_remote_addr_s, false);
|
||||
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&local_addr_s, (const struct sockaddr *)&remote_addr_c, false);
|
||||
g_local_sp_s_set = PJ_FALSE;
|
||||
}
|
||||
if (g_remote_sp_c_set) {
|
||||
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_c, (const struct sockaddr *)&g_local_addr_c, true);
|
||||
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&remote_addr_c, (const struct sockaddr *)&local_addr_s, true);
|
||||
g_remote_sp_c_set = PJ_FALSE;
|
||||
}
|
||||
if (g_remote_sp_s_set) {
|
||||
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_s, (const struct sockaddr *)&g_local_addr_s, true);
|
||||
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&remote_addr_s, (const struct sockaddr *)&local_addr_c, true);
|
||||
g_remote_sp_s_set = PJ_FALSE;
|
||||
}
|
||||
puts("y");
|
||||
|
||||
}
|
||||
|
||||
|
@ -337,9 +347,10 @@ static void add_value_array_hdr(pjsip_tx_data *tdata, const pj_str_t *name, cons
|
|||
|
||||
static pj_status_t on_tx_register_request(pjsip_tx_data *tdata)
|
||||
{
|
||||
char src_str[64], dst_str[64];
|
||||
pjsip_generic_array_hdr *hdr;
|
||||
pjsip_generic_array_hdr *sec_hdr;
|
||||
pjsip_authorization_hdr *auth_hdr, *auth_hdr2;
|
||||
int rc;
|
||||
pj_status_t status;
|
||||
|
||||
volte_auth = NULL;
|
||||
|
||||
|
@ -349,29 +360,82 @@ static pj_status_t on_tx_register_request(pjsip_tx_data *tdata)
|
|||
pj_bool_t created = PJ_FALSE;
|
||||
|
||||
/* Create header, if not yet created. */
|
||||
hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_SECURITY_CLIENT, NULL);
|
||||
if (!hdr) {
|
||||
puts("first register\n");
|
||||
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_SECURITY_CLIENT, NULL);
|
||||
if (!sec_hdr) {
|
||||
struct sockaddr_storage local_addr_c, local_addr_s;
|
||||
struct sockaddr_storage remote_addr_c, remote_addr_s;
|
||||
uint16_t local_port_c, local_port_s;
|
||||
char src_str[64], dst_str[64];
|
||||
g_auth_state = AUTH_STATE_NONE;
|
||||
cleanup_xfrm();
|
||||
|
||||
/* Get local and remote peer address. */
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.transport->local_addr, &g_local_addr_c);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.transport->local_addr, &g_local_addr_s);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.dst_addr, &g_remote_addr_c);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.dst_addr, &g_remote_addr_s);
|
||||
sockaddr_storage_port(&g_remote_addr_c, 0x0001);
|
||||
sockaddr_storage_port(&g_remote_addr_s, 0x0001);
|
||||
ast_log(LOG_DEBUG, "peers %s->%s\n", sockaddr_storage_to_string(&g_local_addr_c, src_str, sizeof(src_str)), sockaddr_storage_to_string(&g_remote_addr_c, dst_str, sizeof(dst_str)));
|
||||
printf("was ist local=%d\n", pj_sockaddr_get_port(&g_local_addr_c));
|
||||
memcpy(&g_local_addr_c, &tdata->tp_info.transport->local_addr, sizeof(pj_sockaddr));
|
||||
memcpy(&g_local_addr_s, &tdata->tp_info.transport->factory->local_addr, sizeof(pj_sockaddr));
|
||||
memcpy(&g_remote_addr_c, &tdata->tp_info.dst_addr, sizeof(pj_sockaddr));
|
||||
memcpy(&g_remote_addr_s, &tdata->tp_info.dst_addr, sizeof(pj_sockaddr));
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_c, &remote_addr_c);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_s, &remote_addr_s);
|
||||
ast_log(LOG_DEBUG, "old local client: %s:%d remote server: %s:%d\n", sockaddr_storage_to_string(&local_addr_c, src_str, sizeof(src_str)), pj_sockaddr_get_port(&g_local_addr_c), sockaddr_storage_to_string(&remote_addr_s, dst_str, sizeof(dst_str)), pj_sockaddr_get_port(&g_remote_addr_s));
|
||||
printf("was ist jetzt local=%d\n", pj_sockaddr_get_port(&g_local_addr_c));
|
||||
if (pj_sockaddr_get_port(&g_local_addr_c) == 5050) {
|
||||
puts("switch to old transport");
|
||||
/* Create socket with new port. */
|
||||
if (!tdata->tp_info.transport->create_new_sock) {
|
||||
ast_log(LOG_ERROR, "Cannot get connection addresses. The transport protocol does not support it. Please add support.\n");
|
||||
return PJ_SUCCESS;
|
||||
}
|
||||
#define HACK
|
||||
status = tdata->tp_info.transport->create_new_sock(tdata->tp_info.transport, NULL);
|
||||
if (status != PJ_SUCCESS) {
|
||||
ast_log(LOG_ERROR, "Failed to get connection addresses (errno=%d).\n", errno);
|
||||
return PJ_CONSUME;
|
||||
}
|
||||
if (!tdata->tp_info.transport->connect_new_sock) {
|
||||
ast_log(LOG_ERROR, "Cannot change connection addresses. The transport protocol does not support it. Please add support.\n");
|
||||
return PJ_SUCCESS;
|
||||
}
|
||||
status = tdata->tp_info.transport->connect_new_sock(tdata->tp_info.transport, &g_local_addr_c, &g_remote_addr_s);
|
||||
if (status != PJ_SUCCESS) {
|
||||
ast_log(LOG_ERROR, "Failed to change connection addresses.\n");
|
||||
return PJ_CONSUME;
|
||||
}
|
||||
puts("switch to old transport done!");
|
||||
}
|
||||
pj_sockaddr_set_port(&g_remote_addr_c, 0);
|
||||
pj_sockaddr_set_port(&g_remote_addr_s, 0);
|
||||
/* Create socket with new port. */
|
||||
if (!tdata->tp_info.transport->create_new_sock) {
|
||||
ast_log(LOG_ERROR, "Cannot get connection addresses. The transport protocol does not support it. Please add support.\n");
|
||||
return PJ_SUCCESS;
|
||||
}
|
||||
#define HACK
|
||||
pj_sockaddr_set_port(&g_local_addr_c, 5050); /* client */
|
||||
status = tdata->tp_info.transport->create_new_sock(tdata->tp_info.transport, &g_local_addr_c);
|
||||
if (status != PJ_SUCCESS) {
|
||||
ast_log(LOG_ERROR, "Failed to get connection addresses (errno=%d).\n", errno);
|
||||
return PJ_CONSUME;
|
||||
}
|
||||
printf("%d\n", pj_sockaddr_get_port(&g_local_addr_c));
|
||||
|
||||
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_c, &local_addr_c);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_c, &remote_addr_c);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_s, &local_addr_s);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_s, &remote_addr_s);
|
||||
ast_log(LOG_DEBUG, "local client: %s:%d remote server: %s:%d\n", sockaddr_storage_to_string(&local_addr_c, src_str, sizeof(src_str)), pj_sockaddr_get_port(&g_local_addr_c), sockaddr_storage_to_string(&remote_addr_s, dst_str, sizeof(dst_str)), pj_sockaddr_get_port(&g_remote_addr_s));
|
||||
ast_log(LOG_DEBUG, "local server: %s:%d remote client: %s:%d\n", sockaddr_storage_to_string(&local_addr_s, src_str, sizeof(src_str)), pj_sockaddr_get_port(&g_local_addr_s), sockaddr_storage_to_string(&remote_addr_c, dst_str, sizeof(dst_str)), pj_sockaddr_get_port(&g_remote_addr_c));
|
||||
|
||||
/* Allocate SPI-C and SPI-S towards remote peer. */
|
||||
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_local_spi_c, (const struct sockaddr *)&g_local_addr_c, (const struct sockaddr *)&g_remote_addr_c);
|
||||
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_local_spi_c, (const struct sockaddr *)&local_addr_c, (const struct sockaddr *)&remote_addr_c);
|
||||
if (rc < 0) {
|
||||
spi_alloc_failed:
|
||||
ast_log(LOG_ERROR, "Failed to request SPI.\n");
|
||||
return PJ_CONSUME;
|
||||
}
|
||||
g_local_sa_s_set = PJ_TRUE;
|
||||
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_local_spi_s, (const struct sockaddr *)&g_local_addr_s, (const struct sockaddr *)&g_remote_addr_s);
|
||||
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_local_spi_s, (const struct sockaddr *)&local_addr_s, (const struct sockaddr *)&remote_addr_s);
|
||||
if (rc < 0)
|
||||
goto spi_alloc_failed;
|
||||
g_local_sa_c_set = PJ_TRUE;
|
||||
|
@ -384,22 +448,87 @@ spi_alloc_failed:
|
|||
add_value_string_hdr(tdata, &STR_PROXY_REQUIRE, &STR_SEC_AGREE);
|
||||
/* "Supported: path,sec-agree" */
|
||||
add_value_array_hdr(tdata, &STR_SUPPORTED, &STR_PATH);
|
||||
/* "Security-Client: ..." */
|
||||
add_value_array_hdr(tdata, &STR_SUPPORTED, &STR_SEC_AGREE);
|
||||
#warning fix port numbers
|
||||
add_securety_client_hdr(tdata, ipsec_alg, ipsec_ealg, g_local_spi_c, g_local_spi_s, 43419, 42318);
|
||||
/* "Security-Client: ..." */
|
||||
local_port_c = pj_sockaddr_get_port(&g_local_addr_c);
|
||||
local_port_s = pj_sockaddr_get_port(&g_local_addr_s);
|
||||
add_securety_client_hdr(tdata, ipsec_alg, ipsec_ealg, g_local_spi_c, g_local_spi_s, local_port_c, local_port_s);
|
||||
}
|
||||
|
||||
/* remove double authentication header */
|
||||
auth_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_AUTHORIZATION, NULL);
|
||||
if (auth_hdr) {
|
||||
auth_hdr2 = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_AUTHORIZATION, auth_hdr->next);
|
||||
if (auth_hdr2) {
|
||||
puts("erase double entry");
|
||||
pj_list_erase(auth_hdr);
|
||||
}
|
||||
}
|
||||
|
||||
switch (g_auth_state) {
|
||||
case AUTH_STATE_NONE:
|
||||
puts("fist register\n");
|
||||
#warning HACKING: Asterisk must do this on first register! Or we must do it!
|
||||
char xxx[] = "Digest uri=\"sip:ims.mnc001.mcc238.3gppnetwork.org\",username=\"238010000090828@ims.mnc001.mcc238.3gppnetwork.org\",response=\"\",realm=\"ims.mnc001.mcc238.3gppnetwork.org\",nonce=\"\"";
|
||||
const pj_str_t STR_XXX = { xxx, strlen(xxx)};
|
||||
add_value_string_hdr(tdata, &STR_AUTHORIZATION, &STR_XXX);
|
||||
} else {
|
||||
puts("second register\n");
|
||||
hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_AUTHORIZATION, NULL);
|
||||
if (hdr)
|
||||
pj_list_erase(hdr);
|
||||
break;
|
||||
|
||||
case AUTH_STATE_RESULT:
|
||||
printf("next register (result)\n");
|
||||
#warning HACKING: changing transport
|
||||
if (!tdata->tp_info.transport->connect_new_sock) {
|
||||
ast_log(LOG_ERROR, "Cannot change connection addresses. The transport protocol does not support it. Please add support.\n");
|
||||
return PJ_SUCCESS;
|
||||
}
|
||||
status = tdata->tp_info.transport->connect_new_sock(tdata->tp_info.transport, &g_local_addr_c, &g_remote_addr_s);
|
||||
if (status != PJ_SUCCESS) {
|
||||
ast_log(LOG_ERROR, "Failed to change connection addresses.\n");
|
||||
return PJ_CONSUME;
|
||||
}
|
||||
const pj_str_t STR_YYY = { g_security_server, strlen(g_security_server)};
|
||||
add_value_string_hdr(tdata, &STR_SECURITY_VERIFY, &STR_YYY);
|
||||
break;
|
||||
case AUTH_STATE_RESYNC:
|
||||
puts("next register (resnchronization)\n");
|
||||
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_SECURITY_VERIFY, NULL);
|
||||
if (sec_hdr)
|
||||
pj_list_erase(sec_hdr);
|
||||
auth_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_AUTHORIZATION, NULL);
|
||||
if (auth_hdr) {
|
||||
/* Append auts to Authorization header and replace that header. */
|
||||
char enc_auts[23] = "\" \"";
|
||||
pjsip_param *param;
|
||||
ast_base64encode(enc_auts + 1, g_auts, 14, 21);
|
||||
enc_auts[21] = '"';
|
||||
printf("enc=%s\n", enc_auts);
|
||||
param = PJ_POOL_ALLOC_T(tdata->pool, pjsip_param);
|
||||
param->name = STR_AUTS;
|
||||
pj_strdup2(tdata->pool, ¶m->value, enc_auts);
|
||||
pj_list_insert_before(&auth_hdr->credential.digest.other_param, param);
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
#if 0
|
||||
if (g_auth_state == AUTH_STATE_RESYNC) {
|
||||
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_REQUIRE, NULL);
|
||||
if (sec_hdr)
|
||||
pj_list_erase(sec_hdr);
|
||||
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_PROXY_REQUIRE, NULL);
|
||||
if (sec_hdr)
|
||||
pj_list_erase(sec_hdr);
|
||||
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_SUPPORTED, NULL);
|
||||
if (sec_hdr)
|
||||
pj_list_erase(sec_hdr);
|
||||
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_SECURITY_CLIENT, NULL);
|
||||
if (sec_hdr)
|
||||
pj_list_erase(sec_hdr);
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
return PJ_SUCCESS;
|
||||
}
|
||||
|
||||
|
@ -443,6 +572,13 @@ static pj_bool_t on_rx_401_407_response(pjsip_rx_data *rdata, pjsip_hdr_e auth_t
|
|||
ast_log(LOG_ERROR, "Missing 'Security-Server' in REGISTER response.");
|
||||
return PJ_FALSE;
|
||||
}
|
||||
if (sec_hdr->hvalue.slen < sizeof(g_security_server)) {
|
||||
memcpy(g_security_server, sec_hdr->hvalue.ptr, sec_hdr->hvalue.slen);
|
||||
g_security_server[sec_hdr->hvalue.slen] = '\0';
|
||||
} else {
|
||||
ast_log(LOG_ERROR, "Security-Server' too large.");
|
||||
return PJ_FALSE;
|
||||
}
|
||||
parse_security_server(rdata->tp_info.pool, sec_hdr->hvalue.ptr, sec_hdr->hvalue.slen, &sec);
|
||||
if (!sec.prot.ptr || !sec.spi_c.ptr || !sec.spi_s.ptr || !sec.port_c.ptr || !sec.port_s.ptr || !sec.alg.ptr || !sec.ealg.ptr) {
|
||||
ast_log(LOG_ERROR, "Missing 'Security-Server' elements in REGISTER response. header=\"%.*s\", prot=%.*s, spi-c=%.*s, spi-s=%.*s, port-c=%.*s, port-s=%.*s, alg=%.*s, ealg=%.*s", fmt_str(sec_hdr->hvalue), fmt_str(sec.prot), fmt_str(sec.spi_c), fmt_str(sec.spi_s), fmt_str(sec.port_c), fmt_str(sec.port_s), fmt_str(sec.alg), fmt_str(sec.ealg));
|
||||
|
@ -466,28 +602,41 @@ static pj_bool_t on_rx_401_407_response(pjsip_rx_data *rdata, pjsip_hdr_e auth_t
|
|||
|
||||
#warning hacking
|
||||
const uint8_t opc[16] = { 0x77, 0x5A, 0x1F, 0x88, 0x7D, 0x2A, 0xD6, 0x6F, 0x97, 0x19, 0xC2, 0xC7, 0x9F, 0x84, 0x7B, 0x50 };
|
||||
const uint8_t ki[16] = { 0xD5, 0x34, 0xE0, 0x78, 0x54, 0xB7, 0x5E, 0x47, 0x5C, 0x66, 0x7A, 0x85, 0x6A, 0xA3, 0x1F, 0x9C };
|
||||
const uint8_t k[16] = { 0xD5, 0x34, 0xE0, 0x78, 0x54, 0xB7, 0x5E, 0x47, 0x5C, 0x66, 0x7A, 0x85, 0x6A, 0xA3, 0x1F, 0x9C };
|
||||
const uint8_t amf[2] = { 0x80, 0x00 };
|
||||
const uint8_t sqn[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
|
||||
uint8_t rand_auth[32], *rand = rand_auth, *auth = rand_auth + 16;
|
||||
uint8_t out_autn[16], out_ik[16], out_ck[16];
|
||||
const uint8_t sqn[6] = { 0x00, 0x00, 0x00, 0x00, 0xd0, 0x00 };
|
||||
uint8_t rand_auth[32], *rand = rand_auth, *autn = rand_auth + 16;
|
||||
uint8_t out_ik[16], out_ck[16];
|
||||
size_t out_res_len = 8;
|
||||
int rc;
|
||||
ast_base64decode(rand_auth, auth_hdr->challenge.digest.nonce.ptr, sizeof(rand_auth));
|
||||
hexdump(LOG_DEBUG, "nonce", rand_auth, 32);
|
||||
|
||||
milenage_generate(opc, amf, ki, sqn, rand, out_autn, out_ik, out_ck, aka_res, &out_res_len);
|
||||
if (out_res_len != 8) {
|
||||
ast_log(LOG_ERROR, "Milenage computation failed.\n");
|
||||
// milenage_generate(opc, amf, ki, sqn, rand, out_autn, out_ik, out_ck, g_aka_res, &out_res_len);
|
||||
rc = milenage_check(opc, k, sqn, rand, autn, out_ik, out_ck, g_aka_res, &out_res_len, g_auts);
|
||||
printf("mileange rc=%d\n", rc);
|
||||
if (rc == -1) {
|
||||
ast_log(LOG_ERROR, "Milenage check failed, Changing the response to 403, so that SIP stack will stop the outgoing registration.\n");
|
||||
rdata->msg_info.msg->line.req.method.id = 403;
|
||||
g_auth_state = AUTH_STATE_NONE;
|
||||
return PJ_FALSE;
|
||||
}
|
||||
hexdump(LOG_DEBUG, "IK", out_ik, 16);
|
||||
hexdump(LOG_DEBUG, "CK", out_ck, 16);
|
||||
|
||||
volte_auth = aka_res;
|
||||
if (rc == -2) {
|
||||
g_auth_state = AUTH_STATE_RESYNC;
|
||||
#warning hier muss eventuell die authentication im stack geändert werden. oder wir machen es selber
|
||||
volte_auth = (void *)0x1;
|
||||
// volte_auth = g_aka_res;
|
||||
return PJ_FALSE;
|
||||
}
|
||||
|
||||
g_auth_state = AUTH_STATE_RESULT;
|
||||
volte_auth = g_aka_res;
|
||||
|
||||
struct xfrm_algobuf auth_algo, ciph_algo;
|
||||
int i, j;
|
||||
int rc;
|
||||
for (i = 0; ipsec_alg[i].sip_name; i++) {
|
||||
if (!pj_strncmp2(&sec.alg, ipsec_alg[i].sip_name, strlen(ipsec_alg[i].sip_name)))
|
||||
break;
|
||||
|
@ -502,19 +651,21 @@ static pj_bool_t on_rx_401_407_response(pjsip_rx_data *rdata, pjsip_hdr_e auth_t
|
|||
}
|
||||
g_remote_spi_c = atoi(sec.spi_c.ptr);
|
||||
g_remote_spi_s = atoi(sec.spi_s.ptr);
|
||||
ast_log(LOG_DEBUG, "remote SPI-C=0x%08x SPI-S=0x%08x\n", g_remote_spi_s, g_remote_spi_c);
|
||||
sockaddr_storage_port(&g_remote_addr_c, atoi(sec.port_c.ptr));
|
||||
sockaddr_storage_port(&g_remote_addr_s, atoi(sec.port_s.ptr));
|
||||
ast_log(LOG_DEBUG, "remote SPI-C=0x%08x SPI-S=0x%08x\n", g_remote_spi_c, g_remote_spi_s);
|
||||
pj_sockaddr_set_port(&g_remote_addr_c, atoi(sec.port_c.ptr));
|
||||
pj_sockaddr_set_port(&g_remote_addr_s, atoi(sec.port_s.ptr));
|
||||
ast_log(LOG_DEBUG, "remote PORT-C=%d PORT-S=%d\n", pj_sockaddr_get_port(&g_remote_addr_c), pj_sockaddr_get_port(&g_remote_addr_s));
|
||||
hacking_port = atoi(sec.port_s.ptr);
|
||||
strcpy(auth_algo.algo.alg_name, ipsec_alg[i].kernel_name);
|
||||
switch (i) {
|
||||
case 0:
|
||||
memcpy(auth_algo.algo.alg_key, out_ik, 16);
|
||||
auth_algo.algo.alg_key_len = 16;
|
||||
auth_algo.algo.alg_key_len = 128;
|
||||
break;
|
||||
case 1:
|
||||
memcpy(auth_algo.algo.alg_key, out_ik, 16);
|
||||
memset(auth_algo.algo.alg_key + 16, 0x00, 4);
|
||||
auth_algo.algo.alg_key_len = 20;
|
||||
auth_algo.algo.alg_key_len = 160;
|
||||
break;
|
||||
}
|
||||
strcpy(ciph_algo.algo.alg_name, ipsec_ealg[j].kernel_name);
|
||||
|
@ -524,42 +675,51 @@ static pj_bool_t on_rx_401_407_response(pjsip_rx_data *rdata, pjsip_hdr_e auth_t
|
|||
break;
|
||||
}
|
||||
cleanup_xfrm();
|
||||
rc = xfrm_sa_add(g_mnl_socket, g_local_spi_c, (const struct sockaddr *)&g_local_addr_c, (const struct sockaddr *)&g_remote_addr_c, g_local_spi_c, &auth_algo.algo, &ciph_algo.algo);
|
||||
|
||||
struct sockaddr_storage local_addr_c, local_addr_s;
|
||||
struct sockaddr_storage remote_addr_c, remote_addr_s;
|
||||
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_c, &local_addr_c);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_c, &remote_addr_c);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_s, &local_addr_s);
|
||||
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_s, &remote_addr_s);
|
||||
|
||||
rc = xfrm_sa_add(g_mnl_socket, g_remote_spi_s, (const struct sockaddr *)&local_addr_c, (const struct sockaddr *)&remote_addr_s, g_remote_spi_s, &auth_algo.algo, &ciph_algo.algo);
|
||||
if (rc < 0)
|
||||
ast_log(LOG_ERROR, "Failed to add IPSec SA.\n");
|
||||
else
|
||||
g_local_sa_c_set = PJ_TRUE;
|
||||
rc = xfrm_sa_add(g_mnl_socket, g_local_spi_s, (const struct sockaddr *)&g_local_addr_s, (const struct sockaddr *)&g_remote_addr_s, g_local_spi_s, &auth_algo.algo, &ciph_algo.algo);
|
||||
rc = xfrm_sa_add(g_mnl_socket, g_remote_spi_c, (const struct sockaddr *)&local_addr_s, (const struct sockaddr *)&remote_addr_c, g_remote_spi_c, &auth_algo.algo, &ciph_algo.algo);
|
||||
if (rc < 0)
|
||||
ast_log(LOG_ERROR, "Failed to add IPSec SA.\n");
|
||||
else
|
||||
g_local_sa_s_set = PJ_TRUE;
|
||||
rc = xfrm_sa_add(g_mnl_socket, g_remote_spi_c, (const struct sockaddr *)&g_remote_addr_c, (const struct sockaddr *)&g_local_addr_c, g_remote_spi_c, &auth_algo.algo, &ciph_algo.algo);
|
||||
rc = xfrm_sa_add(g_mnl_socket, g_local_spi_s, (const struct sockaddr *)&remote_addr_c, (const struct sockaddr *)&local_addr_s, g_local_spi_s, &auth_algo.algo, &ciph_algo.algo);
|
||||
if (rc < 0)
|
||||
ast_log(LOG_ERROR, "Failed to add IPSec SA.\n");
|
||||
else
|
||||
g_remote_sa_c_set = PJ_TRUE;
|
||||
rc = xfrm_sa_add(g_mnl_socket, g_remote_spi_s, (const struct sockaddr *)&g_remote_addr_s, (const struct sockaddr *)&g_local_addr_s, g_remote_spi_s, &auth_algo.algo, &ciph_algo.algo);
|
||||
rc = xfrm_sa_add(g_mnl_socket, g_local_spi_c, (const struct sockaddr *)&remote_addr_s, (const struct sockaddr *)&local_addr_c, g_local_spi_c, &auth_algo.algo, &ciph_algo.algo);
|
||||
if (rc < 0)
|
||||
ast_log(LOG_ERROR, "Failed to add IPSec SA.\n");
|
||||
else
|
||||
g_remote_sa_s_set = PJ_TRUE;
|
||||
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&g_local_addr_c, (const struct sockaddr *)&g_remote_addr_c, g_local_spi_c, false);
|
||||
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&local_addr_c, (const struct sockaddr *)&remote_addr_s, g_remote_spi_s, false);
|
||||
if (rc < 0)
|
||||
ast_log(LOG_ERROR, "Failed to add IPSec SP.\n");
|
||||
else
|
||||
g_local_sp_c_set = PJ_TRUE;
|
||||
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&g_local_addr_s, (const struct sockaddr *)&g_remote_addr_s, g_local_spi_s, false);
|
||||
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&local_addr_s, (const struct sockaddr *)&remote_addr_c, g_remote_spi_c, false);
|
||||
if (rc < 0)
|
||||
ast_log(LOG_ERROR, "Failed to add IPSec SP.\n");
|
||||
else
|
||||
g_local_sp_s_set = PJ_TRUE;
|
||||
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_c, (const struct sockaddr *)&g_local_addr_c, g_remote_spi_c, true);
|
||||
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&remote_addr_c, (const struct sockaddr *)&local_addr_s, g_local_spi_s, true);
|
||||
if (rc < 0)
|
||||
ast_log(LOG_ERROR, "Failed to add IPSec SP.\n");
|
||||
else
|
||||
g_remote_sp_c_set = PJ_TRUE;
|
||||
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_s, (const struct sockaddr *)&g_local_addr_s, g_remote_spi_s, true);
|
||||
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&remote_addr_s, (const struct sockaddr *)&local_addr_c, g_local_spi_c, true);
|
||||
if (rc < 0)
|
||||
ast_log(LOG_ERROR, "Failed to add IPSec SP.\n");
|
||||
else
|
||||
|
@ -585,6 +745,8 @@ static pj_bool_t on_rx_response(pjsip_rx_data *rdata)
|
|||
return on_rx_401_407_response(rdata, PJSIP_H_WWW_AUTHENTICATE);
|
||||
case 407:
|
||||
return on_rx_401_407_response(rdata, PJSIP_H_PROXY_AUTHENTICATE);
|
||||
case 200:
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
|
|
@ -0,0 +1,347 @@
|
|||
/*
|
||||
* 3GPP AKA - Milenage algorithm (3GPP TS 35.205, .206, .207, .208)
|
||||
* Copyright (c) 2006-2007 <j@w1.fi>
|
||||
*
|
||||
* This software may be distributed under the terms of the BSD license.
|
||||
* See README for more details.
|
||||
*
|
||||
* This file implements an example authentication algorithm defined for 3GPP
|
||||
* AKA. This can be used to implement a simple HLR/AuC into hlr_auc_gw to allow
|
||||
* EAP-AKA to be tested properly with real USIM cards.
|
||||
*
|
||||
* This implementations assumes that the r1..r5 and c1..c5 constants defined in
|
||||
* TS 35.206 are used, i.e., r1=64, r2=0, r3=32, r4=64, r5=96, c1=00..00,
|
||||
* c2=00..01, c3=00..02, c4=00..04, c5=00..08. The block cipher is assumed to
|
||||
* be AES (Rijndael).
|
||||
*/
|
||||
|
||||
|
||||
#include "milenage.h"
|
||||
#include "asterisk.h"
|
||||
#include "asterisk/utils.h"
|
||||
#include "asterisk/crypto.h"
|
||||
|
||||
static int aes_128_encrypt_block(const u8 *key, const u8 *plain, u8 *encr)
|
||||
{
|
||||
ast_aes_encrypt_key aes_key;
|
||||
|
||||
ast_aes_set_encrypt_key(key, &aes_key);
|
||||
if (ast_aes_encrypt(plain, encr, &aes_key) <= 0) {
|
||||
ast_log(LOG_ERROR, "Failed to ecrypt AES 128.");
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void hexdump(int level, const char *file, int line, const char *func, const char *text, const uint8_t *data, int len)
|
||||
{
|
||||
char s[3 * len + 2], *p;
|
||||
int f;
|
||||
|
||||
for (p = s, f = 0; f < len; f++, p += 3) {
|
||||
sprintf(p, "%02hhX ", (unsigned char)data[f]);
|
||||
}
|
||||
ast_log(level, file, line, func, "%s: %s\n", text, s);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* milenage_f1 - Milenage f1 and f1* algorithms
|
||||
* @opc: OPc = 128-bit value derived from OP and K
|
||||
* @k: K = 128-bit subscriber key
|
||||
* @_rand: RAND = 128-bit random challenge
|
||||
* @sqn: SQN = 48-bit sequence number
|
||||
* @amf: AMF = 16-bit authentication management field
|
||||
* @mac_a: Buffer for MAC-A = 64-bit network authentication code, or %NULL
|
||||
* @mac_s: Buffer for MAC-S = 64-bit resync authentication code, or %NULL
|
||||
* Returns: 0 on success, -1 on failure
|
||||
*/
|
||||
int milenage_f1(const u8 *opc, const u8 *k, const u8 *_rand,
|
||||
const u8 *sqn, const u8 *amf, u8 *mac_a, u8 *mac_s)
|
||||
{
|
||||
u8 tmp1[16], tmp2[16], tmp3[16];
|
||||
int i;
|
||||
|
||||
/* tmp1 = TEMP = E_K(RAND XOR OP_C) */
|
||||
for (i = 0; i < 16; i++)
|
||||
tmp1[i] = _rand[i] ^ opc[i];
|
||||
if (aes_128_encrypt_block(k, tmp1, tmp1))
|
||||
return -1;
|
||||
|
||||
/* tmp2 = IN1 = SQN || AMF || SQN || AMF */
|
||||
memcpy(tmp2, sqn, 6);
|
||||
memcpy(tmp2 + 6, amf, 2);
|
||||
memcpy(tmp2 + 8, tmp2, 8);
|
||||
|
||||
/* OUT1 = E_K(TEMP XOR rot(IN1 XOR OP_C, r1) XOR c1) XOR OP_C */
|
||||
|
||||
/* rotate (tmp2 XOR OP_C) by r1 (= 0x40 = 8 bytes) */
|
||||
for (i = 0; i < 16; i++)
|
||||
tmp3[(i + 8) % 16] = tmp2[i] ^ opc[i];
|
||||
/* XOR with TEMP = E_K(RAND XOR OP_C) */
|
||||
for (i = 0; i < 16; i++)
|
||||
tmp3[i] ^= tmp1[i];
|
||||
/* XOR with c1 (= ..00, i.e., NOP) */
|
||||
|
||||
/* f1 || f1* = E_K(tmp3) XOR OP_c */
|
||||
if (aes_128_encrypt_block(k, tmp3, tmp1))
|
||||
return -1;
|
||||
for (i = 0; i < 16; i++)
|
||||
tmp1[i] ^= opc[i];
|
||||
if (mac_a)
|
||||
memcpy(mac_a, tmp1, 8); /* f1 */
|
||||
if (mac_s)
|
||||
memcpy(mac_s, tmp1 + 8, 8); /* f1* */
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* milenage_f2345 - Milenage f2, f3, f4, f5, f5* algorithms
|
||||
* @opc: OPc = 128-bit value derived from OP and K
|
||||
* @k: K = 128-bit subscriber key
|
||||
* @_rand: RAND = 128-bit random challenge
|
||||
* @res: Buffer for RES = 64-bit signed response (f2), or %NULL
|
||||
* @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
|
||||
* @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
|
||||
* @ak: Buffer for AK = 48-bit anonymity key (f5), or %NULL
|
||||
* @akstar: Buffer for AK = 48-bit anonymity key (f5*), or %NULL
|
||||
* Returns: 0 on success, -1 on failure
|
||||
*/
|
||||
int milenage_f2345(const u8 *opc, const u8 *k, const u8 *_rand,
|
||||
u8 *res, u8 *ck, u8 *ik, u8 *ak, u8 *akstar)
|
||||
{
|
||||
u8 tmp1[16], tmp2[16], tmp3[16];
|
||||
int i;
|
||||
|
||||
/* tmp2 = TEMP = E_K(RAND XOR OP_C) */
|
||||
for (i = 0; i < 16; i++)
|
||||
tmp1[i] = _rand[i] ^ opc[i];
|
||||
if (aes_128_encrypt_block(k, tmp1, tmp2))
|
||||
return -1;
|
||||
|
||||
/* OUT2 = E_K(rot(TEMP XOR OP_C, r2) XOR c2) XOR OP_C */
|
||||
/* OUT3 = E_K(rot(TEMP XOR OP_C, r3) XOR c3) XOR OP_C */
|
||||
/* OUT4 = E_K(rot(TEMP XOR OP_C, r4) XOR c4) XOR OP_C */
|
||||
/* OUT5 = E_K(rot(TEMP XOR OP_C, r5) XOR c5) XOR OP_C */
|
||||
|
||||
/* f2 and f5 */
|
||||
/* rotate by r2 (= 0, i.e., NOP) */
|
||||
for (i = 0; i < 16; i++)
|
||||
tmp1[i] = tmp2[i] ^ opc[i];
|
||||
tmp1[15] ^= 1; /* XOR c2 (= ..01) */
|
||||
/* f5 || f2 = E_K(tmp1) XOR OP_c */
|
||||
if (aes_128_encrypt_block(k, tmp1, tmp3))
|
||||
return -1;
|
||||
for (i = 0; i < 16; i++)
|
||||
tmp3[i] ^= opc[i];
|
||||
if (res)
|
||||
memcpy(res, tmp3 + 8, 8); /* f2 */
|
||||
if (ak)
|
||||
memcpy(ak, tmp3, 6); /* f5 */
|
||||
|
||||
/* f3 */
|
||||
if (ck) {
|
||||
/* rotate by r3 = 0x20 = 4 bytes */
|
||||
for (i = 0; i < 16; i++)
|
||||
tmp1[(i + 12) % 16] = tmp2[i] ^ opc[i];
|
||||
tmp1[15] ^= 2; /* XOR c3 (= ..02) */
|
||||
if (aes_128_encrypt_block(k, tmp1, ck))
|
||||
return -1;
|
||||
for (i = 0; i < 16; i++)
|
||||
ck[i] ^= opc[i];
|
||||
}
|
||||
|
||||
/* f4 */
|
||||
if (ik) {
|
||||
/* rotate by r4 = 0x40 = 8 bytes */
|
||||
for (i = 0; i < 16; i++)
|
||||
tmp1[(i + 8) % 16] = tmp2[i] ^ opc[i];
|
||||
tmp1[15] ^= 4; /* XOR c4 (= ..04) */
|
||||
if (aes_128_encrypt_block(k, tmp1, ik))
|
||||
return -1;
|
||||
for (i = 0; i < 16; i++)
|
||||
ik[i] ^= opc[i];
|
||||
}
|
||||
|
||||
/* f5* */
|
||||
if (akstar) {
|
||||
/* rotate by r5 = 0x60 = 12 bytes */
|
||||
for (i = 0; i < 16; i++)
|
||||
tmp1[(i + 4) % 16] = tmp2[i] ^ opc[i];
|
||||
tmp1[15] ^= 8; /* XOR c5 (= ..08) */
|
||||
if (aes_128_encrypt_block(k, tmp1, tmp1))
|
||||
return -1;
|
||||
for (i = 0; i < 6; i++)
|
||||
akstar[i] = tmp1[i] ^ opc[i];
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* milenage_generate - Generate AKA AUTN,IK,CK,RES
|
||||
* @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
|
||||
* @amf: AMF = 16-bit authentication management field
|
||||
* @k: K = 128-bit subscriber key
|
||||
* @sqn: SQN = 48-bit sequence number
|
||||
* @_rand: RAND = 128-bit random challenge
|
||||
* @autn: Buffer for AUTN = 128-bit authentication token
|
||||
* @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
|
||||
* @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
|
||||
* @res: Buffer for RES = 64-bit signed response (f2), or %NULL
|
||||
* @res_len: Max length for res; set to used length or 0 on failure
|
||||
*/
|
||||
void milenage_generate(const u8 *opc, const u8 *amf, const u8 *k,
|
||||
const u8 *sqn, const u8 *_rand, u8 *autn, u8 *ik,
|
||||
u8 *ck, u8 *res, size_t *res_len)
|
||||
{
|
||||
int i;
|
||||
u8 mac_a[8], ak[6];
|
||||
|
||||
if (*res_len < 8) {
|
||||
*res_len = 0;
|
||||
return;
|
||||
}
|
||||
if (milenage_f1(opc, k, _rand, sqn, amf, mac_a, NULL) ||
|
||||
milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL)) {
|
||||
*res_len = 0;
|
||||
return;
|
||||
}
|
||||
*res_len = 8;
|
||||
|
||||
/* AUTN = (SQN ^ AK) || AMF || MAC */
|
||||
for (i = 0; i < 6; i++)
|
||||
autn[i] = sqn[i] ^ ak[i];
|
||||
memcpy(autn + 6, amf, 2);
|
||||
memcpy(autn + 8, mac_a, 8);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* milenage_auts - Milenage AUTS validation
|
||||
* @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
|
||||
* @k: K = 128-bit subscriber key
|
||||
* @_rand: RAND = 128-bit random challenge
|
||||
* @auts: AUTS = 112-bit authentication token from client
|
||||
* @sqn: Buffer for SQN = 48-bit sequence number
|
||||
* Returns: 0 = success (sqn filled), -1 on failure
|
||||
*/
|
||||
int milenage_auts(const u8 *opc, const u8 *k, const u8 *_rand, const u8 *auts,
|
||||
u8 *sqn)
|
||||
{
|
||||
u8 amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
|
||||
u8 ak[6], mac_s[8];
|
||||
int i;
|
||||
|
||||
if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak))
|
||||
return -1;
|
||||
for (i = 0; i < 6; i++)
|
||||
sqn[i] = auts[i] ^ ak[i];
|
||||
if (milenage_f1(opc, k, _rand, sqn, amf, NULL, mac_s) ||
|
||||
memcmp(mac_s, auts + 6, 8) != 0)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* gsm_milenage - Generate GSM-Milenage (3GPP TS 55.205) authentication triplet
|
||||
* @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
|
||||
* @k: K = 128-bit subscriber key
|
||||
* @_rand: RAND = 128-bit random challenge
|
||||
* @sres: Buffer for SRES = 32-bit SRES
|
||||
* @kc: Buffer for Kc = 64-bit Kc
|
||||
* Returns: 0 on success, -1 on failure
|
||||
*/
|
||||
int gsm_milenage(const u8 *opc, const u8 *k, const u8 *_rand, u8 *sres, u8 *kc)
|
||||
{
|
||||
u8 res[8], ck[16], ik[16];
|
||||
int i;
|
||||
|
||||
if (milenage_f2345(opc, k, _rand, res, ck, ik, NULL, NULL))
|
||||
return -1;
|
||||
|
||||
for (i = 0; i < 8; i++)
|
||||
kc[i] = ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8];
|
||||
|
||||
#ifdef GSM_MILENAGE_ALT_SRES
|
||||
memcpy(sres, res, 4);
|
||||
#else /* GSM_MILENAGE_ALT_SRES */
|
||||
for (i = 0; i < 4; i++)
|
||||
sres[i] = res[i] ^ res[i + 4];
|
||||
#endif /* GSM_MILENAGE_ALT_SRES */
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* milenage_generate - Generate AKA AUTN,IK,CK,RES
|
||||
* @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
|
||||
* @k: K = 128-bit subscriber key
|
||||
* @sqn: SQN = 48-bit sequence number
|
||||
* @_rand: RAND = 128-bit random challenge
|
||||
* @autn: AUTN = 128-bit authentication token
|
||||
* @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
|
||||
* @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
|
||||
* @res: Buffer for RES = 64-bit signed response (f2), or %NULL
|
||||
* @res_len: Variable that will be set to RES length
|
||||
* @auts: 112-bit buffer for AUTS
|
||||
* Returns: 0 on success, -1 on failure, or -2 on synchronization failure
|
||||
*/
|
||||
int milenage_check(const u8 *opc, const u8 *k, const u8 *sqn, const u8 *_rand,
|
||||
const u8 *autn, u8 *ik, u8 *ck, u8 *res, size_t *res_len,
|
||||
u8 *auts)
|
||||
{
|
||||
int i;
|
||||
u8 mac_a[8], ak[6], rx_sqn[6];
|
||||
const u8 *amf;
|
||||
|
||||
hexdump(LOG_DEBUG, "Milenage: AUTN", autn, 16);
|
||||
hexdump(LOG_DEBUG, "Milenage: RAND", _rand, 16);
|
||||
|
||||
if (milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL))
|
||||
return -1;
|
||||
|
||||
*res_len = 8;
|
||||
hexdump(LOG_DEBUG, "Milenage: RES", res, *res_len);
|
||||
hexdump(LOG_DEBUG, "Milenage: CK", ck, 16);
|
||||
hexdump(LOG_DEBUG, "Milenage: IK", ik, 16);
|
||||
hexdump(LOG_DEBUG, "Milenage: AK", ak, 6);
|
||||
|
||||
/* AUTN = (SQN ^ AK) || AMF || MAC */
|
||||
for (i = 0; i < 6; i++)
|
||||
rx_sqn[i] = autn[i] ^ ak[i];
|
||||
hexdump(LOG_DEBUG, "Milenage: SQN", rx_sqn, 6);
|
||||
|
||||
if (memcmp(rx_sqn, sqn, 6) <= 0) {
|
||||
u8 auts_amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
|
||||
if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak))
|
||||
return -1;
|
||||
hexdump(LOG_DEBUG, "Milenage: AK*", ak, 6);
|
||||
for (i = 0; i < 6; i++)
|
||||
auts[i] = sqn[i] ^ ak[i];
|
||||
if (milenage_f1(opc, k, _rand, sqn, auts_amf, NULL, auts + 6))
|
||||
return -1;
|
||||
hexdump(LOG_DEBUG, "Milenage: AUTS", auts, 14);
|
||||
return -2;
|
||||
}
|
||||
|
||||
amf = autn + 6;
|
||||
hexdump(LOG_DEBUG, "Milenage: AMF", amf, 2);
|
||||
if (milenage_f1(opc, k, _rand, rx_sqn, amf, mac_a, NULL))
|
||||
return -1;
|
||||
|
||||
hexdump(LOG_DEBUG, "Milenage: MAC_A", mac_a, 8);
|
||||
|
||||
if (memcmp(mac_a, autn + 8, 8) != 0) {
|
||||
ast_log(LOG_DEBUG, "Milenage: MAC mismatch");
|
||||
hexdump(LOG_DEBUG, "Milenage: Received MAC_A",
|
||||
autn + 8, 8);
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
|
||||
#include <stdint.h>
|
||||
#include <stddef.h>
|
||||
#include <string.h>
|
||||
|
||||
typedef uint8_t u8;
|
||||
typedef uint16_t u16;
|
||||
typedef uint32_t u32;
|
||||
|
||||
void hexdump(int level, const char *file, int line, const char *func, const char *text, const uint8_t *data, int len);
|
||||
|
||||
int milenage_f1(const u8 *opc, const u8 *k, const u8 *_rand,
|
||||
const u8 *sqn, const u8 *amf, u8 *mac_a, u8 *mac_s);
|
||||
int milenage_f2345(const u8 *opc, const u8 *k, const u8 *_rand,
|
||||
u8 *res, u8 *ck, u8 *ik, u8 *ak, u8 *akstar);
|
||||
void milenage_generate(const u8 *opc, const u8 *amf, const u8 *k,
|
||||
const u8 *sqn, const u8 *_rand, u8 *autn, u8 *ik,
|
||||
u8 *ck, u8 *res, size_t *res_len);
|
||||
int milenage_auts(const u8 *opc, const u8 *k, const u8 *_rand, const u8 *auts,
|
||||
u8 *sqn);
|
||||
int gsm_milenage(const u8 *opc, const u8 *k, const u8 *_rand, u8 *sres, u8 *kc);
|
||||
int milenage_check(const u8 *opc, const u8 *k, const u8 *sqn, const u8 *_rand,
|
||||
const u8 *autn, u8 *ik, u8 *ck, u8 *res, size_t *res_len,
|
||||
u8 *auts);
|
|
@ -289,6 +289,7 @@ int xfrm_sa_add(struct mnl_socket *mnl_sock, uint32_t reqid,
|
|||
struct nlmsghdr *nlh, *rx_nlh;
|
||||
int rc;
|
||||
|
||||
printf("al=%s, al=%s\n", auth_algo->alg_name, ciph_algo->alg_name);
|
||||
nlh = mnl_nlmsg_put_header(msg_buf);
|
||||
nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL | NLM_F_ACK;
|
||||
nlh->nlmsg_type = XFRM_MSG_NEWSA;
|
||||
|
|
Loading…
Reference in New Issue