/* Return the fko SPA encrypted data.
*/
int
fko_get_spa_data(fko_ctx_t ctx, char **spa_data)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
/* We expect to have encrypted data to process. If not, we bail.
*/
if(ctx->encrypted_msg == NULL || (strlen(ctx->encrypted_msg) < 1))
return(FKO_ERROR_MISSING_ENCODED_DATA);
*spa_data = ctx->encrypted_msg;
/* Notice we omit the first 10 bytes if Rijndael encryption is
* used (to eliminate the consistent 'Salted__' string), and
* in GnuPG mode we eliminate the consistent 'hQ' base64 encoded
* prefix
*/
if(ctx->encryption_type == FKO_ENCRYPTION_RIJNDAEL)
*spa_data += strlen(B64_RIJNDAEL_SALT);
else if(ctx->encryption_type == FKO_ENCRYPTION_GPG)
*spa_data += strlen(B64_GPG_PREFIX);
return(FKO_SUCCESS);
}
/* Set the timestamp.
*/
int
fko_set_timestamp(fko_ctx_t ctx, const int offset)
{
time_t ts;
#if HAVE_LIBFIU
fiu_return_on("fko_set_timestamp_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return FKO_ERROR_CTX_NOT_INITIALIZED;
ts = time(NULL) + offset;
#if HAVE_LIBFIU
fiu_return_on("fko_set_timestamp_val",
FKO_ERROR_INVALID_DATA_TIMESTAMP_VALIDFAIL);
#endif
if(ts < 0)
return(FKO_ERROR_INVALID_DATA_TIMESTAMP_VALIDFAIL);
ctx->timestamp = ts;
ctx->state |= FKO_DATA_MODIFIED;
return(FKO_SUCCESS);
}
/* Set the SPA encryption mode.
*/
int
fko_set_spa_encryption_mode(fko_ctx_t ctx, const int encrypt_mode)
{
#if HAVE_LIBFIU
fiu_return_on("fko_set_spa_encryption_mode_init",
FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
#if HAVE_LIBFIU
fiu_return_on("fko_set_spa_encryption_mode_val",
FKO_ERROR_INVALID_DATA_ENCRYPT_MODE_VALIDFAIL);
#endif
if(encrypt_mode < 0 || encrypt_mode >= FKO_LAST_ENC_MODE)
return(FKO_ERROR_INVALID_DATA_ENCRYPT_MODE_VALIDFAIL);
ctx->encryption_mode = encrypt_mode;
ctx->state |= FKO_ENCRYPT_MODE_MODIFIED;
return(FKO_SUCCESS);
}
/* Set the HMAC type
*/
int
fko_set_spa_hmac_type(fko_ctx_t ctx, const short hmac_type)
{
#if HAVE_LIBFIU
fiu_return_on("fko_set_spa_hmac_type_init",
FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
#if HAVE_LIBFIU
fiu_return_on("fko_set_spa_hmac_type_val",
FKO_ERROR_INVALID_DATA_HMAC_TYPE_VALIDFAIL);
#endif
if(hmac_type < 0 || hmac_type >= FKO_LAST_HMAC_MODE)
return(FKO_ERROR_INVALID_DATA_HMAC_TYPE_VALIDFAIL);
ctx->hmac_type = hmac_type;
ctx->state |= FKO_HMAC_MODE_MODIFIED;
return(FKO_SUCCESS);
}
/* provide a way to set the encrypted data directly without base64 encoding.
* This allows direct AFL fuzzing against decryption routines.
*/
int
fko_afl_set_spa_data(fko_ctx_t ctx, const char * const enc_msg, const int enc_msg_len)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return FKO_ERROR_CTX_NOT_INITIALIZED;
if(enc_msg == NULL)
return(FKO_ERROR_INVALID_DATA_FUNCS_SET_MSGLEN_VALIDFAIL);
if(! is_valid_encoded_msg_len(enc_msg_len))
return(FKO_ERROR_INVALID_DATA_FUNCS_SET_MSGLEN_VALIDFAIL);
if(ctx->encrypted_msg != NULL)
free(ctx->encrypted_msg);
/* Copy the raw encrypted data into the context
*/
ctx->encrypted_msg = calloc(1, enc_msg_len);
if(ctx->encrypted_msg == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
memcpy(ctx->encrypted_msg, enc_msg, enc_msg_len);
ctx->encrypted_msg_len = enc_msg_len;
return(FKO_SUCCESS);
}
/* Set the fko SPA encrypted data.
*/
int
fko_set_spa_data(fko_ctx_t ctx, const char * const enc_msg)
{
int enc_msg_len;
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return FKO_ERROR_CTX_NOT_INITIALIZED;
if(enc_msg == NULL)
return(FKO_ERROR_INVALID_DATA_FUNCS_SET_MSGLEN_VALIDFAIL);
enc_msg_len = strnlen(enc_msg, MAX_SPA_ENCODED_MSG_SIZE);
if(! is_valid_encoded_msg_len(enc_msg_len))
return(FKO_ERROR_INVALID_DATA_FUNCS_SET_MSGLEN_VALIDFAIL);
if(ctx->encrypted_msg != NULL)
free(ctx->encrypted_msg);
/* First, add the data to the context.
*/
ctx->encrypted_msg = strdup(enc_msg);
ctx->encrypted_msg_len = enc_msg_len;
if(ctx->encrypted_msg == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
return(FKO_SUCCESS);
}
/* Set the SPA digest type.
*/
static int
set_spa_digest_type(fko_ctx_t ctx,
short *digest_type_field, const short digest_type)
{
#if HAVE_LIBFIU
fiu_return_on("set_spa_digest_type_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
#if HAVE_LIBFIU
fiu_return_on("set_spa_digest_type_val",
FKO_ERROR_INVALID_DATA_ENCODE_DIGEST_VALIDFAIL);
#endif
if(digest_type < 1 || digest_type >= FKO_LAST_DIGEST_TYPE)
return(FKO_ERROR_INVALID_DATA_ENCODE_DIGEST_VALIDFAIL);
*digest_type_field = digest_type;
ctx->state |= FKO_DIGEST_TYPE_MODIFIED;
return(FKO_SUCCESS);
}
/* Final update and encoding of data in the context.
* This does require all requisite fields be properly
* set.
*/
int
fko_spa_data_final(fko_ctx_t ctx, char *enc_key)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
return(fko_encrypt_spa_data(ctx, enc_key));
}
/* Return the fko version
*/
int
fko_get_version(fko_ctx_t ctx, char **version)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*version = ctx->version;
return(FKO_SUCCESS);
}
/* Return the fko SPA encrypted data.
*/
int
fko_get_encoded_data(fko_ctx_t ctx, char **enc_msg)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*enc_msg = ctx->encoded_msg;
return(FKO_SUCCESS);
}
/* Return the SPA message data.
*/
int
fko_get_spa_server_auth(fko_ctx_t ctx, char **server_auth)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*server_auth = ctx->server_auth;
return(FKO_SUCCESS);
}
/* Return the SPA message data.
*/
int
fko_get_spa_client_timeout(fko_ctx_t ctx, int *timeout)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*timeout = ctx->client_timeout;
return(FKO_SUCCESS);
}
/* Return the SPA encryption mode.
*/
int
fko_get_spa_encryption_mode(fko_ctx_t ctx, int *enc_mode)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*enc_mode = ctx->encryption_mode;
return(FKO_SUCCESS);
}
/* Return the fko HMAC type
*/
int
fko_get_spa_hmac_type(fko_ctx_t ctx, short *hmac_type)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*hmac_type = ctx->hmac_type;
return(FKO_SUCCESS);
}
/* Return the current username for this fko context.
*/
int
fko_get_username(fko_ctx_t ctx, char **username)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*username = ctx->username;
return(FKO_SUCCESS);
}
/* Return the fko HMAC data
*/
int
fko_get_spa_hmac(fko_ctx_t ctx, char **hmac_data)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*hmac_data = ctx->msg_hmac;
return(FKO_SUCCESS);
}
int
fko_get_raw_spa_digest(fko_ctx_t ctx, char **md)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*md = ctx->raw_digest;
return(FKO_SUCCESS);
}
/* Set the SPA Nat Access data
*/
int
fko_set_spa_nat_access(fko_ctx_t ctx, const char * const msg)
{
int res = FKO_SUCCESS;
/* Context must be initialized.
*/
if(!CTX_INITIALIZED(ctx))
return FKO_ERROR_CTX_NOT_INITIALIZED;
/* Gotta have a valid string.
*/
if(msg == NULL || strnlen(msg, MAX_SPA_NAT_ACCESS_SIZE) == 0)
return(FKO_ERROR_INVALID_DATA_NAT_EMPTY);
/* --DSS XXX: Bail out for now. But consider just
* truncating in the future...
*/
if(strnlen(msg, MAX_SPA_NAT_ACCESS_SIZE) == MAX_SPA_NAT_ACCESS_SIZE)
return(FKO_ERROR_DATA_TOO_LARGE);
if((res = validate_nat_access_msg(msg)) != FKO_SUCCESS)
return(res);
/* Just in case this is a subsquent call to this function. We
* do not want to be leaking memory.
*/
if(ctx->nat_access != NULL)
free(ctx->nat_access);
ctx->nat_access = strdup(msg);
ctx->state |= FKO_DATA_MODIFIED;
if(ctx->nat_access == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
/* If we set the nat_access message Then we force the message_type
* as well. Technically, the message type should be set already.
* This will serve a half-protective measure.
* --DSS XXX: should do this better.
*/
if(ctx->client_timeout > 0)
{
if(ctx->message_type != FKO_CLIENT_TIMEOUT_LOCAL_NAT_ACCESS_MSG)
ctx->message_type = FKO_CLIENT_TIMEOUT_NAT_ACCESS_MSG;
}
else
if(ctx->message_type != FKO_LOCAL_NAT_ACCESS_MSG)
ctx->message_type = FKO_NAT_ACCESS_MSG;
return(FKO_SUCCESS);
}
/* Return the SPA message data.
*/
int
fko_get_spa_nat_access(fko_ctx_t ctx, char **nat_access)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*nat_access = ctx->nat_access;
return(FKO_SUCCESS);
}
/* Final update and encoding of data in the context.
* This does require all requisite fields be properly
* set.
*/
int
fko_spa_data_final(fko_ctx_t ctx,
const char * const enc_key, const int enc_key_len,
const char * const hmac_key, const int hmac_key_len)
{
char *tbuf;
int res = 0, data_with_hmac_len = 0;
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
if(enc_key_len < 0)
return(FKO_ERROR_INVALID_KEY_LEN);
res = fko_encrypt_spa_data(ctx, enc_key, enc_key_len);
/* Now calculate hmac if so configured
*/
if (res == FKO_SUCCESS && ctx->hmac_type != FKO_HMAC_UNKNOWN)
{
if(hmac_key_len < 0)
return(FKO_ERROR_INVALID_KEY_LEN);
if(hmac_key == NULL)
return(FKO_ERROR_INVALID_KEY_LEN);
res = fko_set_spa_hmac(ctx, hmac_key, hmac_key_len);
if (res == FKO_SUCCESS)
{
/* Now that we have the hmac, append it to the
* encrypted data (which has already been base64-encoded
* and the trailing '=' chars stripped off).
*/
data_with_hmac_len
= ctx->encrypted_msg_len+1+ctx->msg_hmac_len+1;
tbuf = realloc(ctx->encrypted_msg, data_with_hmac_len);
if (tbuf == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
strlcat(tbuf, ctx->msg_hmac, data_with_hmac_len);
ctx->encrypted_msg = tbuf;
ctx->encrypted_msg_len = data_with_hmac_len;
}
}
return res;
}
/* Set the SPA Server Auth data
*/
int
fko_set_spa_server_auth(fko_ctx_t ctx, const char * const msg)
{
/****************************************
* --DSS This is not supported yet
****************************************
*/
//return(FKO_ERROR_UNSUPPORTED_FEATURE);
#if HAVE_LIBFIU
fiu_return_on("fko_set_spa_server_auth_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Context must be initialized.
*/
if(!CTX_INITIALIZED(ctx))
return FKO_ERROR_CTX_NOT_INITIALIZED;
/* Gotta have a valid string.
*/
if(msg == NULL || strnlen(msg, MAX_SPA_SERVER_AUTH_SIZE) == 0)
return(FKO_ERROR_INVALID_DATA_SRVAUTH_MISSING);
/* --DSS XXX: Bail out for now. But consider just
* truncating in the future...
*/
if(strnlen(msg, MAX_SPA_SERVER_AUTH_SIZE) == MAX_SPA_SERVER_AUTH_SIZE)
return(FKO_ERROR_DATA_TOO_LARGE);
/* --DSS TODO: ???
* Do we want to add message type and format checking here
* or continue to leave it to the implementor?
*/
/**/
/* Just in case this is a subsquent call to this function. We
* do not want to be leaking memory.
*/
if(ctx->server_auth != NULL)
free(ctx->server_auth);
ctx->server_auth = strdup(msg);
ctx->state |= FKO_DATA_MODIFIED;
if(ctx->server_auth == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
return(FKO_SUCCESS);
}
/* Return the SPA digest type.
*/
int
fko_get_spa_digest_type(fko_ctx_t ctx, short *digest_type)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
if(digest_type == NULL)
return(FKO_ERROR_INVALID_DATA);
*digest_type = ctx->digest_type;
return(FKO_SUCCESS);
}
int
fko_get_spa_digest(fko_ctx_t ctx, char **md)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
if(md == NULL)
return(FKO_ERROR_INVALID_DATA);
*md = ctx->digest;
return(FKO_SUCCESS);
}
int
fko_get_raw_spa_digest(fko_ctx_t ctx, char **md)
{
#if HAVE_LIBFIU
fiu_return_on("fko_get_raw_spa_digest_init", FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*md = ctx->raw_digest;
return(FKO_SUCCESS);
}
/* Return the current rand value.
*/
int
fko_get_rand_value(fko_ctx_t ctx, char **rand_value)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
if(rand_value == NULL)
return(FKO_ERROR_INVALID_DATA);
*rand_value = ctx->rand_val;
return(FKO_SUCCESS);
}
int
fko_set_raw_spa_digest(fko_ctx_t ctx)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
/* Must have encoded message data to start with.
*/
if(ctx->encrypted_msg == NULL)
return(FKO_ERROR_MISSING_ENCODED_DATA);
return set_digest(ctx->encrypted_msg, &ctx->raw_digest,
ctx->raw_digest_type, &ctx->raw_digest_len);
}
/* Return the SPA digest type.
*/
int
fko_get_raw_spa_digest_type(fko_ctx_t ctx, short *raw_digest_type)
{
#if HAVE_LIBFIU
fiu_return_on("fko_get_raw_spa_digest_type_init",
FKO_ERROR_CTX_NOT_INITIALIZED);
#endif
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
*raw_digest_type = ctx->raw_digest_type;
return(FKO_SUCCESS);
}
/* Set the fko SPA encrypted data.
*/
int
fko_set_spa_data(fko_ctx_t ctx, char *enc_msg)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return FKO_ERROR_CTX_NOT_INITIALIZED;
/* First, add the data to the context.
*/
ctx->encrypted_msg = strdup(enc_msg);
if(ctx->encrypted_msg == NULL)
return(FKO_ERROR_MEMORY_ALLOCATION);
return(FKO_SUCCESS);
}
/* Set the HMAC type
*/
int
fko_set_spa_hmac_type(fko_ctx_t ctx, const short hmac_type)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
if(hmac_type < 0 || hmac_type >= FKO_LAST_HMAC_MODE)
return(FKO_ERROR_INVALID_DATA_HMAC_TYPE_VALIDFAIL);
ctx->hmac_type = hmac_type;
ctx->state |= FKO_HMAC_MODE_MODIFIED;
return(FKO_SUCCESS);
}
/* Set the SPA encryption type.
*/
int
fko_set_spa_encryption_type(fko_ctx_t ctx, const short encrypt_type)
{
/* Must be initialized
*/
if(!CTX_INITIALIZED(ctx))
return(FKO_ERROR_CTX_NOT_INITIALIZED);
if(encrypt_type < 0 || encrypt_type >= FKO_LAST_ENCRYPTION_TYPE)
return(FKO_ERROR_INVALID_DATA);
ctx->encryption_type = encrypt_type;
ctx->state |= FKO_ENCRYPT_TYPE_MODIFIED;
return(FKO_SUCCESS);
}
