/* Build a context around externally supplied (encrypted/encoded) SPA data
 * so that the data can be decoded and parsed into the context.
 *
 * A zeroed context is allocated and a private copy of enc_msg is stored in
 * it.  When dec_key is non-NULL, fko_decrypt_spa_data() is run on the new
 * context immediately.
 *
 * Returns FKO_SUCCESS with *r_ctx pointing at the new context.  If
 * decryption fails, the context is destroyed, *r_ctx is set to NULL and
 * the decryption status is returned.  Allocation failures return
 * FKO_ERROR_MEMORY_ALLOCATION and leave *r_ctx untouched.
 *
 * NOTE(review): enc_msg reaches strdup() without a NULL check or any
 * length limit in this function, so both must be guaranteed by the
 * caller -- confirm at every call site that handles network input.
*/
int
fko_new_with_data(fko_ctx_t *r_ctx, char *enc_msg, char *dec_key)
{
    fko_ctx_t   fresh;
    int         status = FKO_SUCCESS;

    fresh = calloc(1, sizeof *fresh);
    if(fresh == NULL)
        return(FKO_ERROR_MEMORY_ALLOCATION);

    /* The context keeps its own copy of the incoming data. */
    fresh->encrypted_msg = strdup(enc_msg);
    if(fresh->encrypted_msg == NULL)
    {
        free(fresh);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }

    /* From here on the context counts as initialized, which is what the
     * fko_xxx calls below (including fko_destroy) operate on.
    */
    fresh->initval = FKO_CTX_INITIALIZED;
    FKO_SET_CTX_INITIALIZED(fresh);

    /* Decrypt and decode right away if the caller supplied a key. */
    if(dec_key != NULL)
        status = fko_decrypt_spa_data(fresh, dec_key);

    if(status != FKO_SUCCESS)
    {
        fko_destroy(fresh);

        /* Never hand a dead context back to the caller. */
        *r_ctx = NULL;
        return(status);
    }

#if HAVE_LIBGPGME
    /* GPG signature verification is on by default. */
    fresh->verify_gpg_sigs = 1;
#endif /* HAVE_LIBGPGME */

    *r_ctx = fresh;

    return(status);
}
/* Decode the encoded SPA data in ctx->encoded_msg and populate the context.
 *
 * Order of work:
 *   1. validate the recorded length and reject non-printable bytes;
 *   2. require at least MIN_SPA_FIELDS ':'-delimited fields;
 *   3. split the trailing digest off into ctx->digest and verify it;
 *   4. run the field parsers over the remaining data, in wire order.
 *
 * No field is parsed before the digest check has passed.
 *
 * Returns FKO_SUCCESS, or the first error encountered.  Any digest
 * mismatch is reported as FKO_ERROR_DIGEST_VERIFICATION_FAILED whatever
 * verify_digest() itself returned.
*/
int
fko_decode_spa_data(fko_ctx_t ctx)
{
    /* One parser per SPA field, listed in the order the fields appear. */
    int (*parsers[FIELD_PARSERS])(char *, char **, int *, fko_ctx_t) =
    {
        parse_rand_val,       /* Extract random value */
        parse_username,       /* Extract username */
        parse_timestamp,      /* Client timestamp */
        parse_version,        /* SPA version */
        parse_msg_type,       /* SPA msg type */
        parse_msg,            /* SPA msg string */
        parse_nat_msg,        /* SPA NAT msg string */
        parse_server_auth,    /* optional server authentication method */
        parse_client_timeout  /* client defined timeout */
    };
    char   *scratch;
    char   *cursor;
    int     field_len;
    int     scan_len;
    int     idx;
    int     rc;

    if (! is_valid_encoded_msg_len(ctx->encoded_msg_len))
        return(FKO_ERROR_INVALID_DATA_DECODE_MSGLEN_VALIDFAIL);

    /* Only printable ASCII is acceptable.  The byte is widened through
     * unsigned char because isprint() is undefined for negative values.
    */
    scan_len = (int)strnlen(ctx->encoded_msg, MAX_SPA_ENCODED_MSG_SIZE);
    for (idx = 0; idx < scan_len; idx++)
    {
        if (isprint((int)(unsigned char)ctx->encoded_msg[idx]) == 0)
            return(FKO_ERROR_INVALID_DATA_DECODE_NON_ASCII);
    }

    /* The packet must carry enough ':'-delimited fields. */
    cursor = ctx->encoded_msg;
    if (num_fields(cursor) < MIN_SPA_FIELDS)
        return(FKO_ERROR_INVALID_DATA_DECODE_LT_MIN_FIELDS);

    /* The digest is the last field.  Its length is measured with a cap
     * of one byte more than the longest digest the code names here.
    */
    cursor += last_field(cursor);
    field_len = strnlen(cursor, SHA512_B64_LEN+1);

    /* NOTE(review): is_valid_digest_len() presumably also records the
     * digest type in ctx -- confirm against its definition.
    */
    rc = is_valid_digest_len(field_len, ctx);
    if (rc != FKO_SUCCESS)
        return rc;

    /* Replace any digest left in the context (free(NULL) is a no-op). */
    free(ctx->digest);
    ctx->digest = strdup(cursor);
    if (ctx->digest == NULL)
        return(FKO_ERROR_MEMORY_ALLOCATION);

    /* Cut the digest off the encoded data: zeroing starts on the ':'
     * in front of it, so the encoded string now ends before the digest.
    */
    bzero((cursor-1), field_len);
    ctx->encoded_msg_len -= field_len+1;

    /* Zero-filled scratch buffer for base64 work and general use. */
    scratch = calloc(1, FKO_ENCODE_TMP_BUF_SIZE);
    if (scratch == NULL)
        return(FKO_ERROR_MEMORY_ALLOCATION);

    /* Integrity gate: stop here unless the digest checks out. */
    if (verify_digest(scratch, field_len, ctx) != FKO_SUCCESS)
    {
        free(scratch);
        return(FKO_ERROR_DIGEST_VERIFICATION_FAILED);
    }

    /* Walk the fields from the start; the first failing parser ends the
     * walk and its status is what the caller gets.
    */
    cursor = ctx->encoded_msg;
    rc = FKO_SUCCESS;
    for (idx = 0; idx < FIELD_PARSERS && rc == FKO_SUCCESS; idx++)
        rc = parsers[idx](scratch, &cursor, &field_len, ctx);

    /* Done with the scratch buffer on every path. */
    free(scratch);

    if (rc != FKO_SUCCESS)
        return rc;

    /* Call the context initialized. */
    ctx->initval = FKO_CTX_INITIALIZED;
    FKO_SET_CTX_INITIALIZED(ctx);

    return(FKO_SUCCESS);
}
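/* Decode the encoded SPA data in ctx->encoded_msg and populate the context.
 *
 * The trailing digest is split off and verified first; only then are the
 * ':'-delimited fields (rand value, username, timestamp, version, message
 * type, message, optional NAT access, optional server_auth, optional
 * client timeout) extracted, size-checked, base64-decoded where needed
 * and validated.
 *
 * Returns FKO_SUCCESS, or a specific FKO_ERROR_* code for the first check
 * that fails.  Fields stored before the failing check stay in the context.
 *
 * Changes against the previous revision of this function:
 *   - the byte handed to isprint() is converted through unsigned char;
 *     passing a negative plain char to isprint() is undefined behaviour;
 *   - the scan length is computed once instead of on every iteration;
 *   - the temporary buffer is zero-filled on allocation.
*/
int
fko_decode_spa_data(fko_ctx_t ctx)
{
    char       *tbuf, *ndx, *tmp;
    int         t_size, i, is_err;
    int         msg_len;

    if (! is_valid_encoded_msg_len(ctx->encoded_msg_len))
        return(FKO_ERROR_INVALID_DATA_DECODE_MSGLEN_VALIDFAIL);

    /* Make sure there are no non-ascii printable chars.  The string is
     * not modified during the scan, so its length is taken once.
    */
    msg_len = (int)strnlen(ctx->encoded_msg, MAX_SPA_ENCODED_MSG_SIZE);
    for (i=0; i < msg_len; i++)
        if(isprint((int)(unsigned char)ctx->encoded_msg[i]) == 0)
            return(FKO_ERROR_INVALID_DATA_DECODE_NON_ASCII);

    /* Make sure there are enough fields in the SPA packet
     * delimited with ':' chars.  ndx ends up just past the last ':'
     * found (at most MAX_SPA_FIELDS are followed).
    */
    ndx = ctx->encoded_msg;
    for (i=0; i < MAX_SPA_FIELDS; i++)
    {
        if ((tmp = strchr(ndx, ':')) == NULL)
            break;

        ndx = tmp;
        ndx++;
    }

    if (i < MIN_SPA_FIELDS)
        return(FKO_ERROR_INVALID_DATA_DECODE_LT_MIN_FIELDS);

    /* What follows the last delimiter is the digest.  The digest type is
     * inferred from its base64 length; any other length is rejected.
    */
    t_size = strnlen(ndx, SHA512_B64_LEN+1);

    switch(t_size)
    {
        case MD5_B64_LEN:
            ctx->digest_type = FKO_DIGEST_MD5;
            ctx->digest_len  = MD5_B64_LEN;
            break;

        case SHA1_B64_LEN:
            ctx->digest_type = FKO_DIGEST_SHA1;
            ctx->digest_len  = SHA1_B64_LEN;
            break;

        case SHA256_B64_LEN:
            ctx->digest_type = FKO_DIGEST_SHA256;
            ctx->digest_len  = SHA256_B64_LEN;
            break;

        case SHA384_B64_LEN:
            ctx->digest_type = FKO_DIGEST_SHA384;
            ctx->digest_len  = SHA384_B64_LEN;
            break;

        case SHA512_B64_LEN:
            ctx->digest_type = FKO_DIGEST_SHA512;
            ctx->digest_len  = SHA512_B64_LEN;
            break;

        default: /* Invalid or unsupported digest */
            return(FKO_ERROR_INVALID_DIGEST_TYPE);
    }

    /* The recorded message length must at least cover the digest. */
    if (ctx->encoded_msg_len - t_size < 0)
        return(FKO_ERROR_INVALID_DATA_DECODE_ENC_MSG_LEN_MT_T_SIZE);

    if(ctx->digest != NULL)
        free(ctx->digest);

    /* Copy the digest into the context and terminate the encoded data
     * at that point so the original digest is not part of the
     * encoded string.
    */
    ctx->digest = strdup(ndx);
    if(ctx->digest == NULL)
        return(FKO_ERROR_MEMORY_ALLOCATION);

    /* Zero out the rest of the encoded_msg bucket, starting on the ':'
     * in front of the digest.  The field walk below steps one byte past
     * the terminator of the last field; that byte lies inside this
     * zeroed region, so it is read as an empty string.
    */
    bzero((ndx-1), t_size);

    ctx->encoded_msg_len -= t_size+1;

    /* Make a tmp bucket for processing base64 encoded data and
     * other general use.  Zero-filled so it never holds stale heap data.
    */
    tbuf = calloc(1, FKO_ENCODE_TMP_BUF_SIZE);
    if(tbuf == NULL)
        return(FKO_ERROR_MEMORY_ALLOCATION);

    /* Can now verify the digest: recompute it over the encoded data
     * (digest already removed) with the type selected above.
    */
    switch(ctx->digest_type)
    {
        case FKO_DIGEST_MD5:
            md5_base64(tbuf, (unsigned char*)ctx->encoded_msg, ctx->encoded_msg_len);
            break;

        case FKO_DIGEST_SHA1:
            sha1_base64(tbuf, (unsigned char*)ctx->encoded_msg, ctx->encoded_msg_len);
            break;

        case FKO_DIGEST_SHA256:
            sha256_base64(tbuf, (unsigned char*)ctx->encoded_msg, ctx->encoded_msg_len);
            break;

        case FKO_DIGEST_SHA384:
            sha384_base64(tbuf, (unsigned char*)ctx->encoded_msg, ctx->encoded_msg_len);
            break;

        case FKO_DIGEST_SHA512:
            sha512_base64(tbuf, (unsigned char*)ctx->encoded_msg, ctx->encoded_msg_len);
            break;
    }

    /* We give up here if the computed digest does not match the
     * digest in the message data.
    */
    if(constant_runtime_cmp(ctx->digest, tbuf, t_size) != 0)
    {
        free(tbuf);
        return(FKO_ERROR_DIGEST_VERIFICATION_FAILED);
    }

    /* Now we will work through the encoded data and extract (and base64-
     * decode where necessary), the SPA data fields and populate the context.
     * Every field length is checked against its MAX_SPA_* limit before the
     * field is copied into tbuf.
    */
    ndx = ctx->encoded_msg;

    /* The rand val data */
    if((t_size = strcspn(ndx, ":")) < FKO_RAND_VAL_SIZE)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_RAND_MISSING);
    }

    if(ctx->rand_val != NULL)
        free(ctx->rand_val);

    /* One spare zeroed byte keeps the strncpy() result terminated. */
    ctx->rand_val = calloc(1, FKO_RAND_VAL_SIZE+1);
    if(ctx->rand_val == NULL)
    {
        free(tbuf);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }
    ctx->rand_val = strncpy(ctx->rand_val, ndx, FKO_RAND_VAL_SIZE);

    /* Jump to the next field (username).  We need to use the temp buffer
     * for the base64 decode step.
    */
    ndx += t_size + 1;

    if((t_size = strcspn(ndx, ":")) < 1)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_USERNAME_MISSING);
    }

    if (t_size > MAX_SPA_USERNAME_SIZE)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_USERNAME_TOOBIG);
    }

    strlcpy(tbuf, ndx, t_size+1);

    if(ctx->username != NULL)
        free(ctx->username);

    ctx->username = malloc(t_size+1); /* Yes, more than we need */
    if(ctx->username == NULL)
    {
        free(tbuf);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }

    if(b64_decode(tbuf, (unsigned char*)ctx->username) < 0)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_USERNAME_DECODEFAIL);
    }
    if(validate_username(ctx->username) != FKO_SUCCESS)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_USERNAME_VALIDFAIL);
    }

    /* Extract the timestamp value.
    */
    ndx += t_size + 1;

    if((t_size = strcspn(ndx, ":")) < 1)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_TIMESTAMP_MISSING);
    }

    if (t_size > MAX_SPA_TIMESTAMP_SIZE)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_TIMESTAMP_TOOBIG);
    }

    strlcpy(tbuf, ndx, t_size+1);

    ctx->timestamp = (unsigned int) strtol_wrapper(tbuf,
            0, -1, NO_EXIT_UPON_ERR, &is_err);
    if(is_err != FKO_SUCCESS)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_TIMESTAMP_DECODEFAIL);
    }

    /* Extract the version string.  It is copied as-is (not base64).
    */
    ndx += t_size + 1;

    if((t_size = strcspn(ndx, ":")) < 1)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_VERSION_MISSING);
    }

    if (t_size > MAX_SPA_VERSION_SIZE)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_VERSION_TOOBIG);
    }

    if(ctx->version != NULL)
        free(ctx->version);

    ctx->version = malloc(t_size+1);
    if(ctx->version == NULL)
    {
        free(tbuf);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }

    strlcpy(ctx->version, ndx, t_size+1);

    /* Extract the message type value.
    */
    ndx += t_size + 1;

    if((t_size = strcspn(ndx, ":")) < 1)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_MSGTYPE_MISSING);
    }

    if (t_size > MAX_SPA_MESSAGE_TYPE_SIZE)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_MSGTYPE_TOOBIG);
    }

    strlcpy(tbuf, ndx, t_size+1);

    ctx->message_type = strtol_wrapper(tbuf, 0,
            FKO_LAST_MSG_TYPE, NO_EXIT_UPON_ERR, &is_err);
    if(is_err != FKO_SUCCESS)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_MSGTYPE_DECODEFAIL);
    }

    /* Extract the SPA message string.
    */
    ndx += t_size + 1;

    if((t_size = strcspn(ndx, ":")) < 1)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_MESSAGE_MISSING);
    }

    if (t_size > MAX_SPA_MESSAGE_SIZE)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_MESSAGE_TOOBIG);
    }

    strlcpy(tbuf, ndx, t_size+1);

    if(ctx->message != NULL)
        free(ctx->message);

    ctx->message = malloc(t_size+1); /* Yes, more than we need */
    if(ctx->message == NULL)
    {
        free(tbuf);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }

    if(b64_decode(tbuf, (unsigned char*)ctx->message) < 0)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA_DECODE_MESSAGE_DECODEFAIL);
    }

    /* The decoded message is validated according to the message type
     * before anything downstream gets to see it.
    */
    if(ctx->message_type == FKO_COMMAND_MSG)
    {
        /* Require a message similar to: 1.2.3.4,<command>
        */
        if(validate_cmd_msg(ctx->message) != FKO_SUCCESS)
        {
            free(tbuf);
            return(FKO_ERROR_INVALID_DATA_DECODE_MESSAGE_VALIDFAIL);
        }
    }
    else
    {
        /* Require a message similar to: 1.2.3.4,tcp/22
        */
        if(validate_access_msg(ctx->message) != FKO_SUCCESS)
        {
            free(tbuf);
            return(FKO_ERROR_INVALID_DATA_DECODE_ACCESS_VALIDFAIL);
        }
    }

    /* Extract nat_access string if the message_type indicates so.
    */
    if(  ctx->message_type == FKO_NAT_ACCESS_MSG
      || ctx->message_type == FKO_LOCAL_NAT_ACCESS_MSG
      || ctx->message_type == FKO_CLIENT_TIMEOUT_NAT_ACCESS_MSG
      || ctx->message_type == FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)
    {
        ndx += t_size + 1;

        if((t_size = strcspn(ndx, ":")) < 1)
        {
            free(tbuf);
            return(FKO_ERROR_INVALID_DATA_DECODE_NATACCESS_MISSING);
        }

        if (t_size > MAX_SPA_MESSAGE_SIZE)
        {
            free(tbuf);
            return(FKO_ERROR_INVALID_DATA_DECODE_NATACCESS_TOOBIG);
        }

        strlcpy(tbuf, ndx, t_size+1);

        if(ctx->nat_access != NULL)
            free(ctx->nat_access);

        ctx->nat_access = malloc(t_size+1); /* Yes, more than we need */
        if(ctx->nat_access == NULL)
        {
            free(tbuf);
            return(FKO_ERROR_MEMORY_ALLOCATION);
        }

        if(b64_decode(tbuf, (unsigned char*)ctx->nat_access) < 0)
        {
            free(tbuf);
            return(FKO_ERROR_INVALID_DATA_DECODE_NATACCESS_DECODEFAIL);
        }

        if(validate_nat_access_msg(ctx->nat_access) != FKO_SUCCESS)
        {
            free(tbuf);
            return(FKO_ERROR_INVALID_DATA_DECODE_NATACCESS_VALIDFAIL);
        }
    }

    /* Now look for a server_auth string.
    */
    ndx += t_size + 1;

    if((t_size = strlen(ndx)) > 0)
    {
        /* Oversized trailing data is reported with the SRVAUTH_MISSING
         * code; that is the code this check has always returned.
        */
        if (t_size > MAX_SPA_MESSAGE_SIZE)
        {
            free(tbuf);
            return(FKO_ERROR_INVALID_DATA_DECODE_SRVAUTH_MISSING);
        }

        /* There is data, but what is it?
         * If the message_type does not have a timeout, assume it is a
         * server_auth field.
        */
        if(  ctx->message_type != FKO_CLIENT_TIMEOUT_ACCESS_MSG
          && ctx->message_type != FKO_CLIENT_TIMEOUT_NAT_ACCESS_MSG
          && ctx->message_type != FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)
        {
            strlcpy(tbuf, ndx, t_size+1);

            if(ctx->server_auth != NULL)
                free(ctx->server_auth);

            ctx->server_auth = malloc(t_size+1); /* Yes, more than we need */
            if(ctx->server_auth == NULL)
            {
                free(tbuf);
                return(FKO_ERROR_MEMORY_ALLOCATION);
            }

            if(b64_decode(tbuf, (unsigned char*)ctx->server_auth) < 0)
            {
                free(tbuf);
                return(FKO_ERROR_INVALID_DATA_DECODE_SRVAUTH_DECODEFAIL);
            }

            /* At this point we should be done.
            */
            free(tbuf);

            /* Call the context initialized.
            */
            ctx->initval = FKO_CTX_INITIALIZED;
            FKO_SET_CTX_INITIALIZED(ctx);

            return(FKO_SUCCESS);
        }

        /* If we are here then we may still have a server_auth string,
         * or a timeout, or both. So we look for a ':' delimiter.  If
         * it is there we have both, if not we check the message_type
         * again.
        */
        if(strchr(ndx, ':'))
        {
            t_size = strcspn(ndx, ":");

            if (t_size > MAX_SPA_MESSAGE_SIZE)
            {
                free(tbuf);
                return(FKO_ERROR_INVALID_DATA_DECODE_EXTRA_TOOBIG);
            }

            /* Looks like we have both, so assume this is the
             * server_auth field.
            */
            strlcpy(tbuf, ndx, t_size+1);

            if(ctx->server_auth != NULL)
                free(ctx->server_auth);

            ctx->server_auth = malloc(t_size+1); /* Yes, more than we need */
            if(ctx->server_auth == NULL)
            {
                free(tbuf);
                return(FKO_ERROR_MEMORY_ALLOCATION);
            }

            if(b64_decode(tbuf, (unsigned char*)ctx->server_auth) < 0)
            {
                free(tbuf);
                return(FKO_ERROR_INVALID_DATA_DECODE_EXTRA_DECODEFAIL);
            }

            ndx += t_size + 1;
        }

        /* Now we look for a timeout value if one is supposed to be there.
        */
        if(  ctx->message_type == FKO_CLIENT_TIMEOUT_ACCESS_MSG
          || ctx->message_type == FKO_CLIENT_TIMEOUT_NAT_ACCESS_MSG
          || ctx->message_type == FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)
        {
            if((t_size = strlen(ndx)) < 1)
            {
                free(tbuf);
                return(FKO_ERROR_INVALID_DATA_DECODE_TIMEOUT_MISSING);
            }
            if (t_size > MAX_SPA_MESSAGE_SIZE)
            {
                free(tbuf);
                return(FKO_ERROR_INVALID_DATA_DECODE_TIMEOUT_TOOBIG);
            }

            /* Should be a number only.
            */
            if(strspn(ndx, "0123456789") != t_size)
            {
                free(tbuf);
                return(FKO_ERROR_INVALID_DATA_DECODE_TIMEOUT_VALIDFAIL);
            }

            /* The upper bound passed here, (2 << 15), is 65536. */
            ctx->client_timeout = (unsigned int) strtol_wrapper(ndx, 0,
                    (2 << 15), NO_EXIT_UPON_ERR, &is_err);
            if(is_err != FKO_SUCCESS)
            {
                free(tbuf);
                return(FKO_ERROR_INVALID_DATA_DECODE_TIMEOUT_DECODEFAIL);
            }
        }
    }

    /* Done with the tmp buffer.
    */
    free(tbuf);

    /* Call the context initialized.
    */
    ctx->initval = FKO_CTX_INITIALIZED;
    FKO_SET_CTX_INITIALIZED(ctx);

    return(FKO_SUCCESS);
}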
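/* Decode the encoded SPA data in ctx->encoded_msg and populate the context.
 * (No decryption happens here; the data is expected to be decrypted
 * already.)
 *
 * The trailing digest is split off and verified, then the ':'-delimited
 * fields are extracted one after another and base64-decoded where needed.
 *
 * Returns FKO_SUCCESS, FKO_ERROR_INVALID_DATA for malformed input,
 * FKO_ERROR_INVALID_DIGEST_TYPE, FKO_ERROR_DIGEST_VERIFICATION_FAILED or
 * FKO_ERROR_MEMORY_ALLOCATION.
 *
 * Change against the previous revision: every field that is copied into
 * the temporary buffer is first checked against FKO_ENCODE_TMP_BUF_SIZE.
 * Nothing in this function caps the length of encoded_msg or of a single
 * field, so without the check an over-long field would be written past
 * the end of that heap buffer.  The unused edata_size local is gone.
 *
 * NOTE(review): still open in this revision -- the return value of
 * b64_decode() is ignored, the decoded fields are not validated, atoi()
 * cannot report conversion errors, and pointers already stored in the
 * context are overwritten without being freed.
*/
int
fko_decode_spa_data(fko_ctx_t ctx)
{
    char       *tbuf, *ndx;
    int         t_size;

    /* Check for required data.
    */
    if(ctx->encoded_msg == NULL
      || strlen(ctx->encoded_msg) < MIN_SPA_ENCODED_MSG_SIZE)
        return(FKO_ERROR_INVALID_DATA);

    /* Move the Digest to its place in the context.
    */
    ndx = strrchr(ctx->encoded_msg, ':'); /* Find the last : in the data */
    if(ndx == NULL)
        return(FKO_ERROR_INVALID_DATA);

    ndx++;

    /* The digest type is inferred from the base64 length of the last
     * field; any other length is rejected.
    */
    t_size = strlen(ndx);

    switch(t_size)
    {
        case MD5_B64_LENGTH:
            ctx->digest_type = FKO_DIGEST_MD5;
            break;

        case SHA1_B64_LENGTH:
            ctx->digest_type = FKO_DIGEST_SHA1;
            break;

        case SHA256_B64_LENGTH:
            ctx->digest_type = FKO_DIGEST_SHA256;
            break;

        case SHA384_B64_LENGTH:
            ctx->digest_type = FKO_DIGEST_SHA384;
            break;

        case SHA512_B64_LENGTH:
            ctx->digest_type = FKO_DIGEST_SHA512;
            break;

        default: /* Invalid or unsupported digest */
            return(FKO_ERROR_INVALID_DIGEST_TYPE);
    }

    /* Copy the digest into the context and terminate the encoded data
     * at that point so the original digest is not part of the
     * encoded string.
    */
    ctx->digest = strdup(ndx);
    if(ctx->digest == NULL)
        return(FKO_ERROR_MEMORY_ALLOCATION);

    /* Zero out the rest of the encoded_msg bucket, starting on the ':'
     * in front of the digest.  The field walk below steps one byte past
     * the terminator of the last field; that byte lies inside this
     * zeroed region, so it is read as an empty string.
    */
    bzero((ndx-1), t_size);

    /* Make a tmp bucket for processing base64 encoded data and
     * other general use.
    */
    tbuf = malloc(FKO_ENCODE_TMP_BUF_SIZE);
    if(tbuf == NULL)
        return(FKO_ERROR_MEMORY_ALLOCATION);

    /* Can now verify the digest: recompute it over the encoded data
     * (digest already removed) with the type selected above.
    */
    switch(ctx->digest_type)
    {
        case FKO_DIGEST_MD5:
            md5_base64(tbuf, (unsigned char*)ctx->encoded_msg, strlen(ctx->encoded_msg));
            break;

        case FKO_DIGEST_SHA1:
            sha1_base64(tbuf, (unsigned char*)ctx->encoded_msg, strlen(ctx->encoded_msg));
            break;

        case FKO_DIGEST_SHA256:
            sha256_base64(tbuf, (unsigned char*)ctx->encoded_msg, strlen(ctx->encoded_msg));
            break;

        case FKO_DIGEST_SHA384:
            sha384_base64(tbuf, (unsigned char*)ctx->encoded_msg, strlen(ctx->encoded_msg));
            break;

        case FKO_DIGEST_SHA512:
            sha512_base64(tbuf, (unsigned char*)ctx->encoded_msg, strlen(ctx->encoded_msg));
            break;
    }

    /* We give up here if the computed digest does not match the
     * digest in the message data.
     *
     * NOTE(review): strcmp() stops at the first differing byte, so the
     * time this comparison takes depends on how much of the digest
     * matches.
    */
    if(strcmp(ctx->digest, tbuf))
    {
        free(tbuf);
        return(FKO_ERROR_DIGEST_VERIFICATION_FAILED);
    }

    /* Now we will work through the encoded data and extract (and base64-
     * decode where necessary), the SPA data fields and populate the context.
    */
    ndx = ctx->encoded_msg;

    /* The rand val data */
    if((t_size = strcspn(ndx, ":")) < FKO_RAND_VAL_SIZE)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA);
    }

    /* One spare zeroed byte keeps the strncpy() result terminated. */
    ctx->rand_val = calloc(1, FKO_RAND_VAL_SIZE+1);
    if(ctx->rand_val == NULL)
    {
        free(tbuf);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }
    ctx->rand_val = strncpy(ctx->rand_val, ndx, FKO_RAND_VAL_SIZE);

    /* Jump to the next field (username).  We need to use the temp buffer
     * for the base64 decode step.
    */
    ndx += t_size + 1;

    /* The field plus its terminator must fit into tbuf. */
    if((t_size = strcspn(ndx, ":")) < 1
      || t_size >= FKO_ENCODE_TMP_BUF_SIZE)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA);
    }

    strlcpy(tbuf, ndx, t_size+1);

    ctx->username = malloc(t_size+1); /* Yes, more than we need */
    if(ctx->username == NULL)
    {
        free(tbuf);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }

    b64_decode(tbuf, (unsigned char*)ctx->username, t_size);

    /* Extract the timestamp value.
    */
    ndx += t_size + 1;

    if((t_size = strcspn(ndx, ":")) < 1
      || t_size >= FKO_ENCODE_TMP_BUF_SIZE)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA);
    }

    strlcpy(tbuf, ndx, t_size+1);

    ctx->timestamp = (unsigned int)atoi(tbuf);

    /* Extract the version string.  It goes straight into a buffer
     * sized for it, so tbuf is not involved.
    */
    ndx += t_size + 1;

    if((t_size = strcspn(ndx, ":")) < 1)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA);
    }

    ctx->version = malloc(t_size+1);
    if(ctx->version == NULL)
    {
        free(tbuf);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }

    strlcpy(ctx->version, ndx, t_size+1);

    /* Extract the message type value.
    */
    ndx += t_size + 1;

    if((t_size = strcspn(ndx, ":")) < 1
      || t_size >= FKO_ENCODE_TMP_BUF_SIZE)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA);
    }

    strlcpy(tbuf, ndx, t_size+1);

    ctx->message_type = (unsigned int)atoi(tbuf);

    /* Extract the SPA message string.
    */
    ndx += t_size + 1;

    if((t_size = strcspn(ndx, ":")) < 1
      || t_size >= FKO_ENCODE_TMP_BUF_SIZE)
    {
        free(tbuf);
        return(FKO_ERROR_INVALID_DATA);
    }

    strlcpy(tbuf, ndx, t_size+1);

    ctx->message = malloc(t_size+1); /* Yes, more than we need */
    if(ctx->message == NULL)
    {
        free(tbuf);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }

    b64_decode(tbuf, (unsigned char*)ctx->message, t_size);

    /* Extract nat_access string if the message_type indicates so.
    */
    if(  ctx->message_type == FKO_NAT_ACCESS_MSG
      || ctx->message_type == FKO_LOCAL_NAT_ACCESS_MSG
      || ctx->message_type == FKO_CLIENT_TIMEOUT_NAT_ACCESS_MSG
      || ctx->message_type == FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)
    {
        ndx += t_size + 1;

        if((t_size = strcspn(ndx, ":")) < 1
          || t_size >= FKO_ENCODE_TMP_BUF_SIZE)
        {
            free(tbuf);
            return(FKO_ERROR_INVALID_DATA);
        }

        strlcpy(tbuf, ndx, t_size+1);

        ctx->nat_access = malloc(t_size+1); /* Yes, more than we need */
        if(ctx->nat_access == NULL)
        {
            free(tbuf);
            return(FKO_ERROR_MEMORY_ALLOCATION);
        }

        b64_decode(tbuf, (unsigned char*)ctx->nat_access, t_size);
    }

    /* Now look for a server_auth string.
    */
    ndx += t_size + 1;

    if((t_size = strlen(ndx)) > 0)
    {
        /* Whatever trails the message is copied into tbuf below, in
         * whole or in part, so it must fit as well.
        */
        if(t_size >= FKO_ENCODE_TMP_BUF_SIZE)
        {
            free(tbuf);
            return(FKO_ERROR_INVALID_DATA);
        }

        /* There is data, but what is it?
         * If the message_type does not have a timeout, assume it is a
         * server_auth field.
        */
        if(  ctx->message_type != FKO_CLIENT_TIMEOUT_ACCESS_MSG
          && ctx->message_type != FKO_CLIENT_TIMEOUT_NAT_ACCESS_MSG
          && ctx->message_type != FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)
        {
            strlcpy(tbuf, ndx, t_size+1);

            ctx->server_auth = malloc(t_size+1); /* Yes, more than we need */
            if(ctx->server_auth == NULL)
            {
                free(tbuf);
                return(FKO_ERROR_MEMORY_ALLOCATION);
            }

            b64_decode(tbuf, (unsigned char*)ctx->server_auth, t_size);

            /* At this point we should be done.
            */
            free(tbuf);

            /* Call the context initialized.
            */
            ctx->initval = FKO_CTX_INITIALIZED;
            FKO_SET_CTX_INITIALIZED(ctx);

            return(FKO_SUCCESS);
        }

        /* If we are here then we may still have a server_auth string,
         * or a timeout, or both. So we look for a ':' delimiter.  If
         * it is there we have both, if not we check the message_type
         * again.
        */
        if(strchr(ndx, ':'))
        {
            /* Shorter than the remainder checked above, so it fits. */
            t_size = strcspn(ndx, ":");

            /* Looks like we have both, so assume this is the
             * server_auth field.
            */
            strlcpy(tbuf, ndx, t_size+1);

            ctx->server_auth = malloc(t_size+1); /* Yes, more than we need */
            if(ctx->server_auth == NULL)
            {
                free(tbuf);
                return(FKO_ERROR_MEMORY_ALLOCATION);
            }

            b64_decode(tbuf, (unsigned char*)ctx->server_auth, t_size);

            ndx += t_size + 1;
        }

        /* Now we look for a timeout value if one is supposed to be there.
        */
        if(  ctx->message_type == FKO_CLIENT_TIMEOUT_ACCESS_MSG
          || ctx->message_type == FKO_CLIENT_TIMEOUT_NAT_ACCESS_MSG
          || ctx->message_type == FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)
        {
            if((t_size = strlen(ndx)) < 1)
            {
                free(tbuf);
                return(FKO_ERROR_INVALID_DATA);
            }

            /* Should be a number only.
            */
            if(strspn(ndx, "0123456789") != t_size)
            {
                free(tbuf);
                return(FKO_ERROR_INVALID_DATA);
            }

            ctx->client_timeout = (unsigned int)atoi(ndx);
        }
    }

    /* Done with the tmp buffer.
    */
    free(tbuf);

    /* Call the context initialized.
    */
    ctx->initval = FKO_CTX_INITIALIZED;
    FKO_SET_CTX_INITIALIZED(ctx);

    return(FKO_SUCCESS);
}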
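/* Initialize an fko context.
 *
 * Allocates a zeroed context, fills in the protocol version and the
 * default rand value, username, timestamp, digest type, message type and
 * encryption type, and returns the context through r_ctx.
 *
 * Returns FKO_SUCCESS, FKO_ERROR_MEMORY_ALLOCATION, or the status of the
 * first fko_set_xxx call that fails.  *r_ctx is written only on success.
 *
 * Change against the previous revision: the context used to be flagged
 * initialized only for the duration of each fko_set_xxx call and reset to
 * zero afterwards, so fko_destroy() on the error paths was handed a
 * context with initval == 0.  The fko_xxx functions are expected to
 * refuse such a context, in which case the half-built context was never
 * released.  The flag is now set once and kept.
 * NOTE(review): fko_destroy() is not visible here -- confirm that it
 * skips contexts that are not flagged initialized.
*/
int
fko_new(fko_ctx_t *r_ctx)
{
    fko_ctx_t   ctx;
    int         res;
    char       *ver;

    ctx = calloc(1, sizeof *ctx);
    if(ctx == NULL)
        return(FKO_ERROR_MEMORY_ALLOCATION);

    /* Set default values and state.
     *
     * Note: The context is flagged initialized right away so that the
     *       fko_set_xxx functions accept it and so that fko_destroy()
     *       can clean it up if one of them fails.
    */
    ctx->initval = FKO_CTX_INITIALIZED;

    /* Set the version string.  Nothing else hangs off the context yet,
     * so a plain free() is enough on failure.
    */
    ver = strdup(FKO_PROTOCOL_VERSION);
    if(ver == NULL)
    {
        free(ctx);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }

    ctx->version = ver;

    /* Rand value.
    */
    res = fko_set_rand_value(ctx, NULL);
    if(res != FKO_SUCCESS)
    {
        fko_destroy(ctx);
        return res;
    }

    /* Username.
    */
    res = fko_set_username(ctx, NULL);
    if(res != FKO_SUCCESS)
    {
        fko_destroy(ctx);
        return res;
    }

    /* Timestamp.
    */
    res = fko_set_timestamp(ctx, 0);
    if(res != FKO_SUCCESS)
    {
        fko_destroy(ctx);
        return res;
    }

    /* Default Digest Type.
    */
    res = fko_set_spa_digest_type(ctx, FKO_DEFAULT_DIGEST);
    if(res != FKO_SUCCESS)
    {
        fko_destroy(ctx);
        return res;
    }

    /* Default Message Type.
    */
    res = fko_set_spa_message_type(ctx, FKO_DEFAULT_MSG_TYPE);
    if(res != FKO_SUCCESS)
    {
        fko_destroy(ctx);
        return res;
    }

    /* Default Encryption Type.
    */
    res = fko_set_spa_encryption_type(ctx, FKO_DEFAULT_ENCRYPTION);
    if(res != FKO_SUCCESS)
    {
        fko_destroy(ctx);
        return res;
    }

#if HAVE_LIBGPGME
    /* Set gpg signature verify on.
    */
    ctx->verify_gpg_sigs = 1;

#endif /* HAVE_LIBGPGME */

    /* Now we mean it.
    */
    ctx->initval = FKO_CTX_INITIALIZED;
    FKO_SET_CTX_INITIALIZED(ctx);

    *r_ctx = ctx;

    return(FKO_SUCCESS);
}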
/* Create a new fko context populated with library defaults.
 *
 * The context is flagged initialized immediately after allocation so the
 * fko_set_xxx functions accept it; should any step fail, fko_destroy()
 * releases whatever has been set up so far.
 *
 * Returns FKO_SUCCESS with *r_ctx pointing at the new context,
 * FKO_ERROR_MEMORY_ALLOCATION, or the status of the first setter that
 * fails.  *r_ctx is written only on success.
*/
int
fko_new(fko_ctx_t *r_ctx)
{
    fko_ctx_t   fresh = NULL;
    int         status;
    char       *proto_ver;

#if HAVE_LIBFIU
    /* Fault-injection hook for exercising the allocation-failure path. */
    fiu_return_on("fko_new_calloc", FKO_ERROR_MEMORY_ALLOCATION);
#endif

    fresh = calloc(1, sizeof *fresh);
    if(fresh == NULL)
        return(FKO_ERROR_MEMORY_ALLOCATION);

    /* Flag the context first: the setters below and fko_destroy() work
     * on an initialized context.
    */
    fresh->initval = FKO_CTX_INITIALIZED;

    /* Protocol version string. */
    proto_ver = strdup(FKO_PROTOCOL_VERSION);
    if(proto_ver == NULL)
    {
        fko_destroy(fresh);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }
    fresh->version = proto_ver;

    /* Apply the defaults in order; the chain stops at the first failure
     * and its status is carried to the check below.
    */
    status = fko_set_rand_value(fresh, NULL);

    if(status == FKO_SUCCESS)
        status = fko_set_username(fresh, NULL);

    if(status == FKO_SUCCESS)
        status = fko_set_timestamp(fresh, 0);

    if(status == FKO_SUCCESS)
        status = fko_set_spa_digest_type(fresh, FKO_DEFAULT_DIGEST);

    if(status == FKO_SUCCESS)
        status = fko_set_spa_message_type(fresh, FKO_DEFAULT_MSG_TYPE);

    if(status == FKO_SUCCESS)
        status = fko_set_spa_encryption_type(fresh, FKO_DEFAULT_ENCRYPTION);

    /* Default is Rijndael in CBC mode */
    if(status == FKO_SUCCESS)
        status = fko_set_spa_encryption_mode(fresh, FKO_DEFAULT_ENC_MODE);

    if(status != FKO_SUCCESS)
    {
        fko_destroy(fresh);
        return status;
    }

#if HAVE_LIBGPGME
    /* GPG signature verification is on by default. */
    fresh->verify_gpg_sigs = 1;
#endif /* HAVE_LIBGPGME */

    FKO_SET_CTX_INITIALIZED(fresh);

    *r_ctx = fresh;

    return(FKO_SUCCESS);
}
/* Build a context around externally supplied (encrypted/encoded) SPA data
 * so that the data can be authenticated, decrypted and parsed.
 *
 * Order of work:
 *   1. reject a NULL enc_msg and negative key lengths;
 *   2. allocate the context and validate the (capped) message length;
 *   3. store a copy of enc_msg, set the encryption mode and HMAC type;
 *   4. verify the HMAC -- only when hmac_key is non-NULL and
 *      hmac_key_len is greater than zero;
 *   5. decrypt and decode -- only when dec_key is non-NULL.
 *
 * The HMAC check comes before decryption, so a message that fails it is
 * never handed to fko_decrypt_spa_data().  When no HMAC key is supplied,
 * step 4 is skipped and the data goes to decryption unauthenticated.
 *
 * Returns FKO_SUCCESS with *r_ctx pointing at the new context, or the
 * status of the first failing step.  *r_ctx is set to NULL only when
 * decryption fails; the other error paths leave it untouched.
*/
int
fko_new_with_data(fko_ctx_t *r_ctx, const char * const enc_msg,
    const char * const dec_key, const int dec_key_len,
    int encryption_mode, const char * const hmac_key,
    const int hmac_key_len, const int hmac_type)
{
    fko_ctx_t   fresh  = NULL;
    int         status = FKO_SUCCESS;
    int         msg_len;

#if HAVE_LIBFIU
    /* Fault-injection hook for the missing-message path. */
    fiu_return_on("fko_new_with_data_msg",
            FKO_ERROR_INVALID_DATA_FUNCS_NEW_ENCMSG_MISSING);
#endif

    if(enc_msg == NULL)
        return(FKO_ERROR_INVALID_DATA_FUNCS_NEW_ENCMSG_MISSING);

#if HAVE_LIBFIU
    /* Fault-injection hook for the bad-key-length path. */
    fiu_return_on("fko_new_with_data_keylen", FKO_ERROR_INVALID_KEY_LEN);
#endif

    if(dec_key_len < 0 || hmac_key_len < 0)
        return(FKO_ERROR_INVALID_KEY_LEN);

    fresh = calloc(1, sizeof *fresh);
    if(fresh == NULL)
        return(FKO_ERROR_MEMORY_ALLOCATION);

    /* The length scan is capped at MAX_SPA_ENCODED_MSG_SIZE.
     * NOTE(review): strdup() below copies the whole string, so
     * is_valid_encoded_msg_len() presumably rejects a length equal to
     * the cap -- confirm.
    */
    msg_len = strnlen(enc_msg, MAX_SPA_ENCODED_MSG_SIZE);
    if(! is_valid_encoded_msg_len(msg_len))
    {
        free(fresh);
        return(FKO_ERROR_INVALID_DATA_FUNCS_NEW_MSGLEN_VALIDFAIL);
    }

    /* The context keeps its own copy of the incoming data. */
    fresh->encrypted_msg = strdup(enc_msg);
    if(fresh->encrypted_msg == NULL)
    {
        free(fresh);
        return(FKO_ERROR_MEMORY_ALLOCATION);
    }
    fresh->encrypted_msg_len = msg_len;

    /* Flag the context so the fko_xxx calls below (and fko_destroy on
     * the error paths) accept it.
    */
    fresh->initval = FKO_CTX_INITIALIZED;

    /* Encryption mode as requested by the caller. */
    status = fko_set_spa_encryption_mode(fresh, encryption_mode);

    /* HMAC digest type */
    if(status == FKO_SUCCESS)
        status = fko_set_spa_hmac_type(fresh, hmac_type);

    /* Check HMAC if the access stanza had an HMAC key */
    if(status == FKO_SUCCESS && hmac_key_len > 0 && hmac_key != NULL)
        status = fko_verify_hmac(fresh, hmac_key, hmac_key_len);

    if(status != FKO_SUCCESS)
    {
        fko_destroy(fresh);
        return status;
    }

    /* Consider it initialized here. */
    FKO_SET_CTX_INITIALIZED(fresh);

    /* If a decryption key is provided, go ahead and decrypt and decode. */
    if(dec_key != NULL)
        status = fko_decrypt_spa_data(fresh, dec_key, dec_key_len);

    if(status != FKO_SUCCESS)
    {
        fko_destroy(fresh);

        /* Never hand a dead context back to the caller. */
        *r_ctx = NULL;
        return(status);
    }

#if HAVE_LIBGPGME
    /* GPG signature verification is on by default. */
    fresh->verify_gpg_sigs = 1;
#endif /* HAVE_LIBGPGME */

    *r_ctx = fresh;

    return(status);
}