static ssize_t decode_value(TALLOC_CTX *ctx, fr_cursor_t *cursor,
fr_dict_attr_t const *parent, uint8_t const *data, size_t data_len)
{
unsigned int values, i; /* How many values we need to decode */
uint8_t const *p = data;
size_t value_len;
ssize_t len;
FR_PROTO_TRACE("%s called to parse %zu byte(s)", __FUNCTION__, data_len);
FR_PROTO_HEX_DUMP(data, data_len, NULL);
/*
* TLVs can't be coalesced as they're variable length
*/
if (parent->type == FR_TYPE_TLV) return decode_tlv(ctx, cursor, parent, data, data_len);
/*
* Values with a fixed length may be coalesced into a single option
*/
values = fr_dhcpv4_array_members(&value_len, data_len, parent);
if (values) {
FR_PROTO_TRACE("found %u coalesced values (%zu bytes each)", values, value_len);
if ((values * value_len) != data_len) {
fr_strerror_printf("Option length not divisible by its fixed value "
"length (probably trailing garbage)");
return -1;
}
}
/*
* Decode each of the (maybe) coalesced values as its own
* attribute.
*/
for (i = 0, p = data; i < values; i++) {
len = decode_value_internal(ctx, cursor, parent, p, value_len);
if (len <= 0) return len;
if (len != (ssize_t)value_len) {
fr_strerror_printf("Failed decoding complete option value");
return -1;
}
p += len;
}
return p - data;
}
/*
* Decode ONE value into a VP
*/
static ssize_t decode_value_internal(TALLOC_CTX *ctx, fr_cursor_t *cursor, fr_dict_attr_t const *da,
uint8_t const *data, size_t data_len)
{
VALUE_PAIR *vp;
uint8_t const *p = data;
FR_PROTO_TRACE("%s called to parse %zu bytes", __FUNCTION__, data_len);
FR_PROTO_HEX_DUMP(data, data_len, NULL);
vp = fr_pair_afrom_da(ctx, da);
if (!vp) return -1;
/*
* Unknown attributes always get converted to
* octet types, so there's no way there could
* be multiple attributes, so its safe to
* steal the unknown attribute into the context
* of the pair.
*/
if (da->flags.is_unknown) talloc_steal(vp, da);
if (vp->da->type == FR_TYPE_STRING) {
uint8_t const *q, *end;
q = end = data + data_len;
/*
* Not allowed to be an array, copy the whole value
*/
if (!vp->da->flags.array) {
fr_pair_value_bstrncpy(vp, (char const *)p, end - p);
p = end;
goto finish;
}
for (;;) {
q = memchr(p, '\0', q - p);
/* Malformed but recoverable */
if (!q) q = end;
fr_pair_value_bstrncpy(vp, (char const *)p, q - p);
p = q + 1;
vp->vp_tainted = true;
/* Need another VP for the next round */
if (p < end) {
fr_cursor_append(cursor, vp);
vp = fr_pair_afrom_da(ctx, da);
if (!vp) return -1;
continue;
}
break;
}
goto finish;
}
switch (vp->da->type) {
/*
* Doesn't include scope, whereas the generic format can
*/
case FR_TYPE_IPV6_ADDR:
memcpy(&vp->vp_ipv6addr, p, sizeof(vp->vp_ipv6addr));
vp->vp_ip.af = AF_INET6;
vp->vp_ip.scope_id = 0;
vp->vp_ip.prefix = 128;
vp->vp_tainted = true;
p += sizeof(vp->vp_ipv6addr);
break;
case FR_TYPE_IPV6_PREFIX:
memcpy(&vp->vp_ipv6addr, p + 1, sizeof(vp->vp_ipv6addr));
vp->vp_ip.af = AF_INET6;
vp->vp_ip.scope_id = 0;
vp->vp_ip.prefix = p[0];
vp->vp_tainted = true;
p += sizeof(vp->vp_ipv6addr) + 1;
break;
default:
{
ssize_t ret;
ret = fr_value_box_from_network(vp, &vp->data, vp->da->type, da, p, data_len, true);
if (ret < 0) {
FR_PROTO_TRACE("decoding as unknown type");
if (fr_pair_to_unknown(vp) < 0) return -1;
fr_pair_value_memcpy(vp, p, data_len);
ret = data_len;
}
p += (size_t) ret;
}
}
finish:
FR_PROTO_TRACE("decoding value complete, adding new pair and returning %zu byte(s)", p - data);
fr_cursor_append(cursor, vp);
return p - data;
}
/** Decode DHCP option
*
* @param[in] ctx context to alloc new attributes in.
* @param[in,out] cursor Where to write the decoded options.
* @param[in] dict to lookup attributes in.
* @param[in] data to parse.
* @param[in] data_len of data to parse.
* @param[in] decoder_ctx Unused.
*/
ssize_t fr_dhcpv4_decode_option(TALLOC_CTX *ctx, fr_cursor_t *cursor,
fr_dict_t const *dict, uint8_t const *data, size_t data_len, UNUSED void *decoder_ctx)
{
ssize_t ret;
uint8_t const *p = data;
fr_dict_attr_t const *child;
fr_dict_attr_t const *parent;
FR_PROTO_TRACE("%s called to parse %zu byte(s)", __FUNCTION__, data_len);
if (data_len == 0) return 0;
FR_PROTO_HEX_DUMP(data, data_len, NULL);
parent = fr_dict_root(dict);
/*
* Padding / End of options
*/
if (p[0] == 0) return 1; /* 0x00 - Padding option */
if (p[0] == 255) { /* 0xff - End of options signifier */
size_t i;
for (i = 1; i < data_len; i++) {
if (p[i] != 0) {
FR_PROTO_HEX_DUMP(p + i, data_len - i, "ignoring trailing junk at end of packet");
break;
}
}
return data_len;
}
/*
* Everything else should be real options
*/
if ((data_len < 2) || (data[1] > data_len)) {
fr_strerror_printf("%s: Insufficient data", __FUNCTION__);
return -1;
}
child = fr_dict_attr_child_by_num(parent, p[0]);
if (!child) {
/*
* Unknown attribute, create an octets type
* attribute with the contents of the sub-option.
*/
child = fr_dict_unknown_afrom_fields(ctx, parent, fr_dict_vendor_num_by_da(parent), p[0]);
if (!child) return -1;
}
FR_PROTO_TRACE("decode context changed %s:%s -> %s:%s",
fr_int2str(fr_value_box_type_table, parent->type, "<invalid>"), parent->name,
fr_int2str(fr_value_box_type_table, child->type, "<invalid>"), child->name);
ret = decode_value(ctx, cursor, child, data + 2, data[1]);
if (ret < 0) {
fr_dict_unknown_free(&child);
return ret;
}
ret += 2; /* For header */
FR_PROTO_TRACE("decoding option complete, returning %zu byte(s)", ret);
return ret;
}
/** Create any kind of VP from the attribute contents
*
* @param[in] ctx to allocate new attributes in.
* @param[in] cursor to addd new attributes to.
* @param[in] parent the current attribute we're processing.
* @param[in] data to parse. Points to the data field of the attribute.
* @param[in] attr_len length of the attribute being parsed.
* @param[in] data_len length of the remaining data in the packet.
* @param[in] decoder_ctx IVs, keys etc...
* @return
* - Length on success.
* - -1 on failure.
*/
static ssize_t sim_decode_pair_value(TALLOC_CTX *ctx, fr_cursor_t *cursor, fr_dict_attr_t const *parent,
uint8_t const *data, size_t const attr_len, size_t const data_len,
void *decoder_ctx)
{
VALUE_PAIR *vp;
uint8_t const *p = data;
size_t prefix = 0;
fr_sim_decode_ctx_t *packet_ctx = decoder_ctx;
if (!fr_cond_assert(attr_len <= data_len)) return -1;
if (!fr_cond_assert(parent)) return -1;
FR_PROTO_TRACE("Parent %s len %zu", parent->name, attr_len);
FR_PROTO_HEX_DUMP(data, attr_len, __FUNCTION__ );
FR_PROTO_TRACE("Type \"%s\" (%u)", fr_int2str(fr_value_box_type_table, parent->type, "?Unknown?"), parent->type);
/*
* Special cases, attributes that either have odd formats, or need
* have information we need to decode the packet.
*/
switch (parent->attr) {
/*
* We need to record packet_ctx so we can decrypt AT_ENCR attributes.
*
* If we don't find it before, then that's fine, we'll try and
* find it in the rest of the packet after the encrypted
* attribute.
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_IV | Length = 5 | Reserved |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | |
* | Initialization Vector |
* | |
* | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
case FR_SIM_IV:
if (sim_iv_extract(&packet_ctx->iv[0], data, attr_len) < 0) return -1;
packet_ctx->have_iv = true;
break; /* Now create the attribute */
/*
* AT_RES - Special case (RES length is in bits)
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_RES | Length | RES Length |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
* | |
* | RES |
* | |
* | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
case FR_EAP_AKA_RES:
{
uint16_t res_len;
if (attr_len < 2) goto raw; /* Need at least two bytes for the length field */
res_len = (p[0] << 8) | p[1];
if (res_len % 8) {
fr_strerror_printf("%s: RES Length (%hu) is not a multiple of 8",
__FUNCTION__, res_len);
return -1;
}
res_len /= 8;
if (res_len > (attr_len - 2)) {
fr_strerror_printf("%s: RES Length field value (%u bits) > attribute value length (%zu bits)",
__FUNCTION__, res_len * 8, (attr_len - 2) * 8);
return -1;
}
if ((res_len < 4) || (res_len > 16)) {
fr_strerror_printf("%s: RES Length field value must be between 32-128 bits, got %u bits",
__FUNCTION__, (res_len * 8));
return -1;
}
vp = fr_pair_afrom_da(ctx, parent);
if (!vp) return -1;
fr_pair_value_memcpy(vp, p + 2, res_len, true);
}
goto done;
/*
* AT_CHECKCODE - Special case (Variable length with no length field)
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_CHECKCODE | Length | Reserved |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | |
* | Checkcode (0 or 20 bytes) |
* | |
* | |
* | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
case FR_EAP_AKA_CHECKCODE:
if (attr_len < 2) goto raw; /* Need at least two bytes for reserved field */
vp = fr_pair_afrom_da(ctx, parent);
if (!vp) return -1;
fr_pair_value_memcpy(vp, p + 2, attr_len - 2, true);
goto done;
default:
break;
}
switch (parent->type) {
case FR_TYPE_STRING:
if (attr_len < 2) goto raw; /* Need at least two bytes for the length field */
if (parent->flags.length && (attr_len != parent->flags.length)) {
wrong_len:
fr_strerror_printf("%s: Attribute \"%s\" needs a value of exactly %zu bytes, "
"but value was %zu bytes", __FUNCTION__,
parent->name, (size_t)parent->flags.length, attr_len);
goto raw;
}
break;
case FR_TYPE_OCTETS:
/*
* Get the number of bytes we expect before the value
*/
prefix = fr_sim_octets_prefix_len(parent);
if (attr_len < prefix) goto raw;
if (parent->flags.length && (attr_len != (parent->flags.length + prefix))) goto wrong_len;
break;
case FR_TYPE_BOOL:
case FR_TYPE_UINT8:
case FR_TYPE_UINT16:
case FR_TYPE_UINT32:
case FR_TYPE_UINT64:
if (attr_len != fr_sim_attr_sizes[parent->type][0]) goto raw;
break;
case FR_TYPE_TLV:
if (attr_len < 2) goto raw;
/*
* We presume that the TLVs all fit into one
* attribute, OR they've already been grouped
* into a contiguous memory buffer.
*/
return sim_decode_tlv(ctx, cursor, parent, p, attr_len, data_len, decoder_ctx);
default:
raw:
/*
* We can't create unknowns for non-skippable attributes
* as we're prohibited from continuing by the SIM RFCs.
*/
if (parent->attr <= SIM_SKIPPABLE_MAX) {
fr_strerror_printf_push("%s: Failed parsing non-skippable attribute '%s'",
__FUNCTION__, parent->name);
return -1;
}
#ifdef __clang_analyzer__
if (!parent->parent) return -1; /* stupid static analyzers */
#endif
rad_assert(parent->parent);
/*
* Re-write the attribute to be "raw". It is
* therefore of type "octets", and will be
* handled below.
*/
parent = fr_dict_unknown_afrom_fields(ctx, parent->parent,
fr_dict_vendor_num_by_da(parent), parent->attr);
if (!parent) {
fr_strerror_printf_push("%s[%d]: Internal sanity check failed", __FUNCTION__, __LINE__);
return -1;
}
}
vp = fr_pair_afrom_da(ctx, parent);
if (!vp) return -1;
/*
* For unknown attributes copy the entire value, not skipping
* any reserved bytes.
*/
if (parent->flags.is_unknown || parent->flags.is_raw) {
fr_pair_value_memcpy(vp, p, attr_len, true);
vp->vp_length = attr_len;
goto done;
}
switch (parent->type) {
/*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_<STRING> | Length | Actual <STRING> Length |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | |
* . String .
* . .
* | |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
case FR_TYPE_STRING:
{
uint16_t actual_len = (p[0] << 8) | p[1];
if (actual_len > (attr_len - 2)) {
fr_strerror_printf("%s: Actual length field value (%hu) > attribute value length (%zu)",
__FUNCTION__, actual_len, attr_len - 2);
return -1;
}
fr_pair_value_bstrncpy(vp, p + 2, actual_len);
}
break;
case FR_TYPE_OCTETS:
/*
* Variable length octets buffer
*/
if (!parent->flags.length) {
uint16_t actual_len = (p[0] << 8) | p[1];
if (actual_len > (attr_len - prefix)) {
fr_strerror_printf("%s: Actual length field value (%hu) > attribute value length (%zu)",
__FUNCTION__, actual_len, attr_len - 2);
return -1;
}
fr_pair_value_memcpy(vp, p + prefix, actual_len, true);
/*
* Fixed length octets buffer
*/
} else {
fr_pair_value_memcpy(vp, p + prefix, attr_len - prefix, true);
}
break;
/*
* Not proper bool. We Use packet_ctx to represent
* flag attributes like AT_FULLAUTH_ID_REQ
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_<BOOL> | Length = 1 | Reserved |
* +---------------+---------------+-------------------------------+
*/
case FR_TYPE_BOOL:
vp->vp_bool = true;
break;
/*
* Numbers are network byte order.
*
* In the base RFCs only short (16bit) unsigned integers are used.
* We add support for more, just for completeness.
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | AT_<SHORT> | Length = 1 | Short 1 | Short 2 |
* +---------------+---------------+-------------------------------+
*/
case FR_TYPE_UINT8:
vp->vp_uint8 = p[0];
break;
case FR_TYPE_UINT16:
memcpy(&vp->vp_uint16, p, sizeof(vp->vp_uint16));
vp->vp_uint16 = ntohs(vp->vp_uint32);
break;
case FR_TYPE_UINT32:
memcpy(&vp->vp_uint32, p, sizeof(vp->vp_uint32));
vp->vp_uint32 = ntohl(vp->vp_uint32);
break;
case FR_TYPE_UINT64:
memcpy(&vp->vp_uint64, p, sizeof(vp->vp_uint64));
vp->vp_uint64 = ntohll(vp->vp_uint64);
break;
default:
fr_pair_list_free(&vp);
fr_strerror_printf_push("%s[%d]: Internal sanity check failed", __FUNCTION__, __LINE__);
return -1;
}
done:
vp->type = VT_DATA;
fr_cursor_append(cursor, vp);
return attr_len;
}
/** Decode DHCP suboptions
*
* @param[in] ctx context to alloc new attributes in.
* @param[in,out] cursor Where to write the decoded options.
* @param[in] parent of sub TLVs.
* @param[in] data to parse.
* @param[in] data_len of data parsed.
*/
static ssize_t decode_tlv(TALLOC_CTX *ctx, fr_cursor_t *cursor, fr_dict_attr_t const *parent,
uint8_t const *data, size_t data_len)
{
uint8_t const *p = data;
uint8_t const *end = data + data_len;
fr_dict_attr_t const *child;
if (data_len < 3) return -1; /* type, length, value */
FR_PROTO_TRACE("%s called to parse %zu byte(s)", __FUNCTION__, data_len);
FR_PROTO_HEX_DUMP(data, data_len, NULL);
/*
* Each TLV may contain multiple children
*/
while (p < end) {
ssize_t tlv_len;
if (p[0] == 0) {
p++;
continue;
}
/*
* RFC 3046 is very specific about not allowing termination
* with a 255 sub-option. But it's required for decoding
* option 43, and vendors will probably screw it up
* anyway.
*/
if (p[0] == 255) {
p++;
return p - data;
}
/*
* Everything else should be real options
*/
if ((end - p) < 2) {
fr_strerror_printf("%s: Insufficient data: Needed at least 2 bytes, got %zu",
__FUNCTION__, (end - p));
return -1;
}
if (p[1] > (end - p)) {
fr_strerror_printf("%s: Suboption would overflow option. Remaining option data %zu byte(s) "
"(from %zu), Suboption length %u", __FUNCTION__, (end - p), data_len, p[1]);
return -1;
}
child = fr_dict_attr_child_by_num(parent, p[0]);
if (!child) {
fr_dict_attr_t const *unknown_child;
FR_PROTO_TRACE("failed to find child %u of TLV %s", p[0], parent->name);
/*
* Build an unknown attr
*/
unknown_child = fr_dict_unknown_afrom_fields(ctx, parent,
fr_dict_vendor_num_by_da(parent), p[0]);
if (!unknown_child) return -1;
child = unknown_child;
}
FR_PROTO_TRACE("decode context changed %s:%s -> %s:%s",
fr_int2str(fr_value_box_type_table, parent->type, "<invalid>"), parent->name,
fr_int2str(fr_value_box_type_table, child->type, "<invalid>"), child->name);
tlv_len = decode_value(ctx, cursor, child, p + 2, p[1]);
if (tlv_len < 0) {
fr_dict_unknown_free(&child);
return tlv_len;
}
p += tlv_len + 2;
FR_PROTO_TRACE("decode_value returned %zu, adding 2 (for header)", tlv_len);
FR_PROTO_TRACE("remaining TLV data %zu byte(s)" , end - p);
}
FR_PROTO_TRACE("tlv parsing complete, returning %zu byte(s)", p - data);
return p - data;
}
/** Break apart a TLV attribute into individual attributes
*
* @param[in] ctx to allocate new attributes in.
* @param[in] cursor to addd new attributes to.
* @param[in] parent the current attribute TLV attribute we're processing.
* @param[in] data to parse. Points to the data field of the attribute.
* @param[in] attr_len length of the TLV attribute.
* @param[in] data_len remaining data in the packet.
* @param[in] decoder_ctx IVs, keys etc...
* @return
* - Length on success.
* - < 0 on malformed attribute.
*/
static ssize_t sim_decode_tlv(TALLOC_CTX *ctx, fr_cursor_t *cursor,
fr_dict_attr_t const *parent,
uint8_t const *data, size_t const attr_len, size_t data_len,
void *decoder_ctx)
{
uint8_t const *p = data, *end = p + attr_len;
uint8_t *decr = NULL;
ssize_t decr_len;
fr_dict_attr_t const *child;
VALUE_PAIR *head = NULL;
fr_cursor_t tlv_cursor;
ssize_t rcode;
if (data_len < 2) {
fr_strerror_printf("%s: Insufficient data", __FUNCTION__);
return -1; /* minimum attr size */
}
/*
* We have an AES-128-CBC encrypted attribute
*
* IV is from AT_IV, key is from k_encr.
*
* unfortunately the ordering of these two attributes
* aren't specified, so we may have to hunt for the IV.
*/
if (parent->flags.encrypt) {
FR_PROTO_TRACE("found encrypted attribute '%s'", parent->name);
decr_len = sim_value_decrypt(ctx, &decr, p + 2,
attr_len - 2, data_len - 2, decoder_ctx); /* Skip reserved */
if (decr_len < 0) return -1;
p = decr;
end = p + decr_len;
} else {
p += 2; /* Skip the reserved bytes */
}
FR_PROTO_HEX_DUMP(p, end - p, "tlvs");
/*
* Record where we were in the list when packet_ctx function was called
*/
fr_cursor_init(&tlv_cursor, &head);
while ((size_t)(end - p) >= sizeof(uint32_t)) {
uint8_t sim_at = p[0];
size_t sim_at_len = ((size_t)p[1]) << 2;
if ((p + sim_at_len) > end) {
fr_strerror_printf("%s: Malformed nested attribute %d: Length field (%zu bytes) value "
"longer than remaining data in parent (%zu bytes)",
__FUNCTION__, sim_at, sim_at_len, end - p);
error:
talloc_free(decr);
fr_pair_list_free(&head);
return -1;
}
if (sim_at_len == 0) {
fr_strerror_printf("%s: Malformed nested attribute %d: Length field 0", __FUNCTION__, sim_at);
goto error;
}
/*
* Padding attributes are cleartext inside of
* encrypted TLVs to pad out the value to the
* correct length for the block cipher
* (16 in the case of AES-128-CBC).
*/
if (sim_at == FR_SIM_PADDING) {
uint8_t zero = 0;
uint8_t i;
if (!parent->flags.encrypt) {
fr_strerror_printf("%s: Found padding attribute outside of an encrypted TLV",
__FUNCTION__);
goto error;
}
if (!fr_cond_assert(data_len % 4)) goto error;
if (sim_at_len > 12) {
fr_strerror_printf("%s: Expected padding attribute length <= 12 bytes, got %zu bytes",
__FUNCTION__, sim_at_len);
goto error;
}
/*
* RFC says we MUST verify that FR_SIM_PADDING
* data is zeroed out.
*/
for (i = 2; i < sim_at_len; i++) zero |= p[i];
if (zero) {
fr_strerror_printf("%s: Padding attribute value not zeroed 0x%pH", __FUNCTION__,
fr_box_octets(p + 2, sim_at_len - 2));
goto error;
}
p += sim_at_len;
continue;
}
child = fr_dict_attr_child_by_num(parent, p[0]);
if (!child) {
fr_dict_attr_t const *unknown_child;
FR_PROTO_TRACE("Failed to find child %u of TLV %s", p[0], parent->name);
/*
* Encountered none skippable attribute
*
* RFC says we need to die on these if we don't
* understand them. non-skippables are < 128.
*/
if (sim_at <= SIM_SKIPPABLE_MAX) {
fr_strerror_printf("%s: Unknown (non-skippable) attribute %i",
__FUNCTION__, sim_at);
goto error;
}
/*
* Build an unknown attr
*/
unknown_child = fr_dict_unknown_afrom_fields(ctx, parent,
fr_dict_vendor_num_by_da(parent), p[0]);
if (!unknown_child) goto error;
child = unknown_child;
}
FR_PROTO_TRACE("decode context changed %s -> %s", parent->name, child->name);
rcode = sim_decode_pair_value(ctx, &tlv_cursor, child, p + 2, sim_at_len - 2, (end - p) - 2,
decoder_ctx);
if (rcode < 0) goto error;
p += sim_at_len;
}
fr_cursor_head(&tlv_cursor);
fr_cursor_tail(cursor);
fr_cursor_merge(cursor, &tlv_cursor); /* Wind to the end of the new pairs */
talloc_free(decr);
return attr_len;
}
/** Decrypt an AES-128-CBC encrypted attribute
*
* @param[in] ctx to allocate decr buffer in.
* @param[out] out where to write pointer to decr buffer.
* @param[in] data to decrypt.
* @param[in] attr_len length of encrypted data.
* @param[in] data_len length of data remaining in the packet.
* @param[in] decoder_ctx containing keys, and the IV (if we already found it).
* @return
* - Number of decr bytes decrypted on success.
* - < 0 on failure.
*/
static ssize_t sim_value_decrypt(TALLOC_CTX *ctx, uint8_t **out,
uint8_t const *data, size_t const attr_len, size_t const data_len,
void *decoder_ctx)
{
fr_sim_decode_ctx_t *packet_ctx = decoder_ctx;
EVP_CIPHER_CTX *evp_ctx;
EVP_CIPHER const *evp_cipher = EVP_aes_128_cbc();
size_t block_size = EVP_CIPHER_block_size(evp_cipher);
size_t len = 0, decr_len = 0;
uint8_t *decr = NULL;
if (!fr_cond_assert(attr_len <= data_len)) return -1;
FR_PROTO_HEX_DUMP(data, attr_len, "ciphertext");
/*
* Encrypted values must be a multiple of 16.
*
* There's a padding attribute to ensure they
* always can be...
*/
if (attr_len % block_size) {
fr_strerror_printf("%s: Encrypted attribute is not a multiple of cipher's block size (%zu)",
__FUNCTION__, block_size);
return -1;
}
/*
* Ugh, now we have to go hunting for it....
*/
if (!packet_ctx->have_iv) {
uint8_t const *p = data + attr_len; /* Skip to the end of packet_ctx attribute */
uint8_t const *end = data + data_len;
while ((size_t)(end - p) >= sizeof(uint32_t)) {
uint8_t sim_at = p[0];
size_t sim_at_len = p[1] * sizeof(uint32_t);
if (sim_at_len == 0) {
fr_strerror_printf("%s: Failed IV search. AT Length field is zero", __FUNCTION__);
return -1;
}
if ((p + sim_at_len) > end) {
fr_strerror_printf("%s: Invalid IV length, longer than remaining data", __FUNCTION__);
return -1;
}
if (sim_at == FR_SIM_IV) {
if (sim_iv_extract(&(packet_ctx->iv[0]), p + 2, sim_at_len - 2) < 0) return -1;
packet_ctx->have_iv = true;
break;
}
p += sim_at_len;
}
if (!packet_ctx->have_iv) {
fr_strerror_printf("%s: No IV present in packet, can't decrypt data", __FUNCTION__);
return -1;
}
}
evp_ctx = EVP_CIPHER_CTX_new();
if (!evp_ctx) {
tls_strerror_printf("%s: Failed initialising EVP ctx", __FUNCTION__);
return -1;
}
if (!EVP_DecryptInit_ex(evp_ctx, evp_cipher, NULL, packet_ctx->keys->k_encr, packet_ctx->iv)) {
tls_strerror_printf("%s: Failed setting decryption parameters", __FUNCTION__);
error:
talloc_free(decr);
EVP_CIPHER_CTX_free(evp_ctx);
return -1;
}
MEM(decr = talloc_zero_array(ctx, uint8_t, attr_len));
/*
* By default OpenSSL expects 16 bytes of cleartext
* to produce 32 bytes of ciphertext, due to padding
* being added if the decr is a multiple of 16.
*
* There's no way for OpenSSL to determine if a
* 16 byte ciphertext was padded or not, so we need to
* inform OpenSSL explicitly that there's no padding.
*/
EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
if (!EVP_DecryptUpdate(evp_ctx, decr, (int *)&len, data, attr_len)) {
tls_strerror_printf("%s: Failed decrypting attribute", __FUNCTION__);
goto error;
}
decr_len = len;
if (!EVP_DecryptFinal_ex(evp_ctx, decr + decr_len, (int *)&len)) {
tls_strerror_printf("%s: Failed decrypting attribute", __FUNCTION__);
goto error;
}
decr_len += len;
EVP_CIPHER_CTX_free(evp_ctx);
/*
* Note: packet_ctx implicitly validates the length of the padding
* attribute (if present), so we don't have to do it later.
*/
if (decr_len % block_size) {
fr_strerror_printf("%s: Expected decrypted value length to be multiple of %zu, got %zu",
__FUNCTION__, block_size, decr_len);
goto error;
}
/*
* Ciphertext should be same length as plaintext.
*/
if (unlikely(attr_len != decr_len)) {
fr_strerror_printf("%s: Invalid plaintext length, expected %zu, got %zu",
__FUNCTION__, attr_len, decr_len);
goto error;
}
FR_PROTO_TRACE("decryption successful, got %zu bytes of cleartext", decr_len);
FR_PROTO_HEX_DUMP(decr, decr_len, "cleartext");
*out = decr;
return decr_len;
}
void test_set_19(void)
{
/*
* Inputs
*/
uint8_t ki[] = { 0x51, 0x22, 0x25, 0x02, 0x14, 0xc3, 0x3e, 0x72,
0x3a, 0x5d, 0xd5, 0x23, 0xfc, 0x14, 0x5f, 0xc0 };
uint8_t rand[] = { 0x81, 0xe9, 0x2b, 0x6c, 0x0e, 0xe0, 0xe1, 0x2e,
0xbc, 0xeb, 0xa8, 0xd9, 0x2a, 0x99, 0xdf, 0xa5 };
uint8_t sqn[] = { 0x16, 0xf3, 0xb3, 0xf7, 0x0f, 0xc2 };
uint8_t amf[] = { 0xc3, 0xab };
uint8_t op[] = { 0xc9, 0xe8, 0x76, 0x32, 0x86, 0xb5, 0xb9, 0xff,
0xbd, 0xf5, 0x6e, 0x12, 0x97, 0xd0, 0x88, 0x7b };
uint8_t opc[] = { 0x98, 0x1d, 0x46, 0x4c, 0x7c, 0x52, 0xeb, 0x6e,
0x50, 0x36, 0x23, 0x49, 0x84, 0xad, 0x0b, 0xcf };
/*
* Outputs
*/
uint8_t opc_out[MILENAGE_OPC_SIZE];
uint8_t mac_a_out[MILENAGE_MAC_A_SIZE];
uint8_t mac_s_out[MILENAGE_MAC_S_SIZE];
uint8_t res_out[MILENAGE_RES_SIZE];
uint8_t ck_out[MILENAGE_CK_SIZE];
uint8_t ik_out[MILENAGE_IK_SIZE];
uint8_t ak_out[MILENAGE_AK_SIZE];
uint8_t ak_resync_out[MILENAGE_AK_SIZE];
/* function 1 */
uint8_t mac_a[] = { 0x2a, 0x5c, 0x23, 0xd1, 0x5e, 0xe3, 0x51, 0xd5 };
/* function 1* */
uint8_t mac_s[] = { 0x62, 0xda, 0xe3, 0x85, 0x3f, 0x3a, 0xf9, 0xd2 };
/* function 2 */
uint8_t res[] = { 0x28, 0xd7, 0xb0, 0xf2, 0xa2, 0xec, 0x3d, 0xe5 };
/* function 3 */
uint8_t ck[] = { 0x53, 0x49, 0xfb, 0xe0, 0x98, 0x64, 0x9f, 0x94,
0x8f, 0x5d, 0x2e, 0x97, 0x3a, 0x81, 0xc0, 0x0f };
/* function 4 */
uint8_t ik[] = { 0x97, 0x44, 0x87, 0x1a, 0xd3, 0x2b, 0xf9, 0xbb,
0xd1, 0xdd, 0x5c, 0xe5, 0x4e, 0x3e, 0x2e, 0x5a };
/* function 5 */
uint8_t ak[] = { 0xad, 0xa1, 0x5a, 0xeb, 0x7b, 0xb8 };
/* function 5* */
uint8_t ak_resync[] = { 0xd4, 0x61, 0xbc, 0x15, 0x47, 0x5d };
int ret = 0;
/*
fr_log_fp = stdout;
fr_debug_lvl = 4;
*/
ret = milenage_opc_generate(opc_out, op, ki);
TEST_CHECK(ret == 0);
FR_PROTO_HEX_DUMP(opc_out, sizeof(opc_out), "opc");
TEST_CHECK(memcmp(opc_out, opc, sizeof(opc_out)) == 0);
if ((milenage_f1(mac_a_out, mac_s_out, opc, ki, rand, sqn, amf) < 0) ||
(milenage_f2345(res_out, ik_out, ck_out, ak_out, ak_resync_out, opc, ki, rand) < 0)) ret = -1;
FR_PROTO_HEX_DUMP(mac_a, sizeof(mac_a_out), "mac_a");
FR_PROTO_HEX_DUMP(mac_s, sizeof(mac_s_out), "mac_s");
FR_PROTO_HEX_DUMP(ik_out, sizeof(ik_out), "ik");
FR_PROTO_HEX_DUMP(ck_out, sizeof(ck_out), "ck");
FR_PROTO_HEX_DUMP(res_out, sizeof(res_out), "res");
FR_PROTO_HEX_DUMP(ak_out, sizeof(ak_out), "ak");
FR_PROTO_HEX_DUMP(ak_resync_out, sizeof(ak_resync_out), "ak_resync");
TEST_CHECK(ret == 0);
TEST_CHECK(memcmp(mac_a_out, mac_a, sizeof(mac_a_out)) == 0);
TEST_CHECK(memcmp(mac_s_out, mac_s, sizeof(mac_s_out)) == 0);
TEST_CHECK(memcmp(res_out, res, sizeof(res_out)) == 0);
TEST_CHECK(memcmp(ck_out, ck, sizeof(ck_out)) == 0);
TEST_CHECK(memcmp(ik_out, ik, sizeof(ik_out)) == 0);
TEST_CHECK(memcmp(ak_out, ak, sizeof(ak_out)) == 0);
TEST_CHECK(memcmp(ak_resync, ak_resync, sizeof(ak_resync_out)) == 0);
}
void test_set_1(void)
{
/*
* Inputs
*/
uint8_t ki[] = { 0x46, 0x5b, 0x5c, 0xe8, 0xb1, 0x99, 0xb4, 0x9f,
0xaa, 0x5f, 0x0a, 0x2e, 0xe2, 0x38, 0xa6, 0xbc };
uint8_t rand[] = { 0x23, 0x55, 0x3c, 0xbe, 0x96, 0x37, 0xa8, 0x9d,
0x21, 0x8a, 0xe6, 0x4d, 0xae, 0x47, 0xbf, 0x35 };
uint8_t sqn[] = { 0xff, 0x9b, 0xb4, 0xd0, 0xb6, 0x07 };
uint8_t amf[] = { 0xb9, 0xb9 };
uint8_t op[] = { 0xcd, 0xc2, 0x02, 0xd5, 0x12, 0x3e, 0x20, 0xf6,
0x2b, 0x6d, 0x67, 0x6a, 0xc7, 0x2c, 0xb3, 0x18 };
uint8_t opc[] = { 0xcd, 0x63, 0xcb, 0x71, 0x95, 0x4a, 0x9f, 0x4e,
0x48, 0xa5, 0x99, 0x4e, 0x37, 0xa0, 0x2b, 0xaf };
/*
* Outputs
*/
uint8_t opc_out[MILENAGE_OPC_SIZE];
uint8_t mac_a_out[MILENAGE_MAC_A_SIZE];
uint8_t mac_s_out[MILENAGE_MAC_S_SIZE];
uint8_t res_out[MILENAGE_RES_SIZE];
uint8_t ck_out[MILENAGE_CK_SIZE];
uint8_t ik_out[MILENAGE_IK_SIZE];
uint8_t ak_out[MILENAGE_AK_SIZE];
uint8_t ak_resync_out[MILENAGE_AK_SIZE];
/* function 1 */
uint8_t mac_a[] = { 0x4a, 0x9f, 0xfa, 0xc3, 0x54, 0xdf, 0xaf, 0xb3 };
/* function 1* */
uint8_t mac_s[] = { 0x01, 0xcf, 0xaf, 0x9e, 0xc4, 0xe8, 0x71, 0xe9 };
/* function 2 */
uint8_t res[] = { 0xa5, 0x42, 0x11, 0xd5, 0xe3, 0xba, 0x50, 0xbf };
/* function 3 */
uint8_t ck[] = { 0xb4, 0x0b, 0xa9, 0xa3, 0xc5, 0x8b, 0x2a, 0x05,
0xbb, 0xf0, 0xd9, 0x87, 0xb2, 0x1b, 0xf8, 0xcb };
/* function 4 */
uint8_t ik[] = { 0xf7, 0x69, 0xbc, 0xd7, 0x51, 0x04, 0x46, 0x04,
0x12, 0x76, 0x72, 0x71, 0x1c, 0x6d, 0x34, 0x41 };
/* function 5 */
uint8_t ak[] = { 0xaa, 0x68, 0x9c, 0x64, 0x83, 0x70 };
/* function 5* */
uint8_t ak_resync[] = { 0x45, 0x1e, 0x8b, 0xec, 0xa4, 0x3b };
int ret = 0;
/*
fr_log_fp = stdout;
fr_debug_lvl = 4;
*/
ret = milenage_opc_generate(opc_out, op, ki);
TEST_CHECK(ret == 0);
FR_PROTO_HEX_DUMP(opc_out, sizeof(opc_out), "opc");
TEST_CHECK(memcmp(opc_out, opc, sizeof(opc_out)) == 0);
if ((milenage_f1(mac_a_out, mac_s_out, opc, ki, rand, sqn, amf) < 0) ||
(milenage_f2345(res_out, ik_out, ck_out, ak_out, ak_resync_out, opc, ki, rand) < 0)) ret = -1;
FR_PROTO_HEX_DUMP(mac_a, sizeof(mac_a_out), "mac_a");
FR_PROTO_HEX_DUMP(mac_s, sizeof(mac_s_out), "mac_s");
FR_PROTO_HEX_DUMP(ik_out, sizeof(ik_out), "ik");
FR_PROTO_HEX_DUMP(ck_out, sizeof(ck_out), "ck");
FR_PROTO_HEX_DUMP(res_out, sizeof(res_out), "res");
FR_PROTO_HEX_DUMP(ak_out, sizeof(ak_out), "ak");
FR_PROTO_HEX_DUMP(ak_resync_out, sizeof(ak_resync_out), "ak_resync");
TEST_CHECK(ret == 0);
TEST_CHECK(memcmp(mac_a_out, mac_a, sizeof(mac_a_out)) == 0);
TEST_CHECK(memcmp(mac_s_out, mac_s, sizeof(mac_s_out)) == 0);
TEST_CHECK(memcmp(res_out, res, sizeof(res_out)) == 0);
TEST_CHECK(memcmp(ck_out, ck, sizeof(ck_out)) == 0);
TEST_CHECK(memcmp(ik_out, ik, sizeof(ik_out)) == 0);
TEST_CHECK(memcmp(ak_out, ak, sizeof(ak_out)) == 0);
TEST_CHECK(memcmp(ak_resync, ak_resync, sizeof(ak_resync_out)) == 0);
}
/** Milenage check
*
* @param[out] ik Buffer for IK = 128-bit integrity key (f4), or NULL.
* @param[out] ck Buffer for CK = 128-bit confidentiality key (f3), or NULL.
* @param[out] res Buffer for RES = 64-bit signed response (f2), or NULL.
* @param[in] auts 112-bit buffer for AUTS.
* @param[in] opc 128-bit operator variant algorithm configuration field (encr.).
* @param[in] ki 128-bit subscriber key.
* @param[in] sqn 48-bit sequence number.
* @param[in] rand 128-bit random challenge.
* @param[in] autn 128-bit authentication token.
* @return
* - 0 on success.
* - -1 on failure.
* - -2 on synchronization failure
*/
int milenage_check(uint8_t ik[MILENAGE_IK_SIZE],
uint8_t ck[MILENAGE_CK_SIZE],
uint8_t res[MILENAGE_RES_SIZE],
uint8_t auts[MILENAGE_AUTS_SIZE],
uint8_t const opc[MILENAGE_OPC_SIZE],
uint8_t const ki[MILENAGE_KI_SIZE],
uint64_t sqn,
uint8_t const rand[MILENAGE_RAND_SIZE],
uint8_t const autn[MILENAGE_AUTN_SIZE])
{
uint8_t mac_a[MILENAGE_MAC_A_SIZE], ak[MILENAGE_AK_SIZE], rx_sqn[MILENAGE_SQN_SIZE];
uint8_t sqn_buff[MILENAGE_SQN_SIZE];
const uint8_t *amf;
size_t i;
uint48_to_buff(sqn_buff, sqn);
FR_PROTO_HEX_DUMP(autn, MILENAGE_AUTN_SIZE, "AUTN");
FR_PROTO_HEX_DUMP(rand, MILENAGE_RAND_SIZE, "RAND");
if (milenage_f2345(res, ck, ik, ak, NULL, opc, ki, rand)) return -1;
FR_PROTO_HEX_DUMP(res, MILENAGE_RES_SIZE, "RES");
FR_PROTO_HEX_DUMP(ck, MILENAGE_CK_SIZE, "CK");
FR_PROTO_HEX_DUMP(ik, MILENAGE_IK_SIZE, "IK");
FR_PROTO_HEX_DUMP(ak, MILENAGE_AK_SIZE, "AK");
/* AUTN = (SQN ^ AK) || AMF || MAC */
for (i = 0; i < 6; i++) rx_sqn[i] = autn[i] ^ ak[i];
FR_PROTO_HEX_DUMP(rx_sqn, MILENAGE_SQN_SIZE, "SQN");
if (memcmp(rx_sqn, sqn_buff, sizeof(rx_sqn)) <= 0) {
uint8_t auts_amf[MILENAGE_AMF_SIZE] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
if (milenage_f2345(NULL, NULL, NULL, NULL, ak, opc, ki, rand)) return -1;
FR_PROTO_HEX_DUMP(ak, sizeof(ak), "AK*");
for (i = 0; i < 6; i++) auts[i] = sqn_buff[i] ^ ak[i];
if (milenage_f1(NULL, auts + 6, opc, ki, rand, sqn_buff, auts_amf) < 0) return -1;
FR_PROTO_HEX_DUMP(auts, 14, "AUTS");
return -2;
}
amf = autn + 6;
FR_PROTO_HEX_DUMP(amf, MILENAGE_AMF_SIZE, "AMF");
if (milenage_f1(mac_a, NULL, opc, ki, rand, rx_sqn, amf) < 0) return -1;
FR_PROTO_HEX_DUMP(mac_a, MILENAGE_MAC_A_SIZE, "MAC_A");
if (CRYPTO_memcmp(mac_a, autn + 8, 8) != 0) {
FR_PROTO_HEX_DUMP(autn + 8, 8, "Received MAC_A");
fr_strerror_printf("MAC mismatch");
return -1;
}
return 0;
}
