/* v3_auth.c - v3_auth.c routines */

/*
 *  Copyright 2000-2005 Wind River Systems, Inc.
 *  All rights reserved.  Provided under license only.
 *  Distribution or other use of this software is only
 *  permitted pursuant to the terms of a license agreement
 *  from Wind River Systems (and is otherwise prohibited).
 *  Refer to that license agreement for terms of use.
 */

/*
 *  Copyright 1998 Integrated Systems, Inc.
 *  All rights reserved.
 */

/*
 * $Log: v3_auth.c,v $
 * Revision 1.4  2003/01/15 14:05:09  josh
 * directory structure shifting
 *
 * Revision 1.3  2001/11/06 21:50:51  josh
 * second (and hopefully final) pass of new path hacking
 *
 * Revision 1.2  2001/11/06 21:20:30  josh
 * revised new path hacking
 *
 * Revision 1.1.1.1  2001/11/05 17:47:44  tneale
 * Tornado shuffle
 *
 * Revision 9.2  2001/01/19 22:22:28  paul
 * Update copyright.
 *
 * Revision 9.1  2000/03/17 00:19:28  meister
 * Update copyright message
 *
 * Revision 9.0  1998/10/16 22:12:29  sar
 * Update version stamp to match release
 *
 * Revision 1.8  1998/08/12 04:44:03  sar
 * Move the initialization routines around some in order to minimize
 * the amount of code that gets pulled in for init purposes.
 *
 * Revision 1.7  1998/06/21 21:46:45  sar
 * Free the context only if heap large vars is installed
 *
 * Revision 1.6  1998/06/19 20:13:57  sar
 * make sure all files include asn1conf.h and snmp.h to pick up all of
 * the common code
 *
 * Revision 1.5  1998/06/18 04:29:41  sar
 * Update lengths in HMAC calls to match the bits32_t lengths there.
 *
 * Revision 1.4  1998/06/05 18:53:25  sra
 * "#include <foo.h>" => "#include <envoy/h/foo.h>".
 *
 * Revision 1.3  1998/05/29 17:05:11  josh
 * option to allocate big structures off of the heap
 *
 * Revision 1.2  1998/05/27 22:55:45  sar
 * Added routines to manipulate the auth and priv lists (add and find)
 * and put code into the init routine to install those routines we know
 * about (if they are installed).
 *
 * Revision 1.1  1998/05/24 04:14:48  sar
 * Support for processing SNMPv3 packets.
 * acc = access and group structure control functions
 * auth & priv = authentication and privacy code (not including the
 *               actual digest or encryption routines)
 * ber = routines for encoding and decoding v3 packets
 * eng = engine structure control functions
 * user = user structure control functions
 *
 */

/* [clearcase]
modification history
-------------------
01h,17may05,job  fix up the DH code
01g,12may05,job  fix apigen comments
01f,06may05,asl  Diffie-Hellman work
01e,29apr05,job  nomanual for new functions
01d,15apr05,asl  Diffie-Hellman work
01c,13apr05,asl  Diffie-Hellman work
01b,16feb05,job  apigen for documented APIs
01a,24nov03,job  update copyright information
*/

/*
DESCRIPTION
This library contains v3_auth.c routines.

INCLUDE FILES: snmp.h, v3_auth.h
*/

#include <wrn/wm/snmp/engine/asn1conf.h>
#include <wrn/wm/snmp/engine/snmp.h>
#include <wrn/wm/snmp/engine/v3_auth.h>
#include <wrn/wm/snmp/engine/auxfuncs.h>
#include <wrn/wm/snmp/engine/v3_user.h>
#include <wrn/wm/common/bug.h>
#include <wrn/wm/common/md5.h>
#include <wrn/wm/common/sha.h>
#include <wrn/wm/common/hmac.h>

#if INSTALL_SNMP_V3_DIFFIE_HELLMAN
#include <openssl/bn.h>
#include <openssl/dh.h>
#include <wrn/wm/snmp/engine/v3_dh.h>
#endif /* INSTALL_SNMP_V3_DIFFIE_HELLMAN */

/* list of object ids we know about */
/* 1.3.6.1.6.3.10.1.1.1 is 'usmNoAuthProtocol' (see SNMP_Auth_Find() below). */
OIDC_T v3_auth_noauth[] = {1, 3, 6, 1, 6, 3, 10, 1, 1, 1};
/* Number of sub-IDs in v3_auth_noauth, computed from the array itself. */
int v3_auth_noauth_size = sizeof(v3_auth_noauth)/sizeof(OIDC_T);

/*******************************************************************************
*
* SNMP_Auth_Find - find the 'SNMP_AUTH_T' registered for an OID
*
* SYNOPSIS
*
* \cs
* SNMP_AUTH_T *SNMP_Auth_Find
*     (
*     int      tcount
*     OIDC_T * tlist
*     )
* \ce
*
* DESCRIPTION
*
* This function finds the 'SNMP_AUTH_T' structure which corresponds to the OID
* signified by the <tcount> and <tlist> values that you pass in to the routine.
* This routine returns a pointer to the 'SNMP_AUTH_T' structure corresponding
* to this OID, if one exists. You may then use the SNMP_User_Create() routine
* to create new 'SNMP_USER_T' structures.
*
* The lookup is a linear walk of the list headed by 'v3_auth_root', comparing
* each entry's name against <tcount>/<tlist> with oidcmp2(); the first entry
* for which oidcmp2() returns 0 is returned.
*
* There are three well-known OIDs for which Wind Manage SNMP provides
* 'SNMP_AUTH_T' structures:
* \is
* \i 1.3.6.1.6.3.10.1.1.1 -- 'usmNoAuthProtocol'
* This well-known OID is always available.
* \i 1.3.6.1.6.3.10.1.1.2 -- 'usmHMACMD5AuthProtocol'
* This well-known OID is available if you have installed the 'ENVOY_MD5'
* option.
* \i 1.3.6.1.6.3.10.1.1.3 -- 'usmHMACSHAAuthProtocol'
* This well-known OID is available if you have installed the 'ENVOY_SHA'
* option.
* \ie
*
* \&NOTE: Because 'usmNoAuthProtocol' is listed above as always available, a
* successful lookup does not by itself mean that an authenticating protocol
* was selected. A caller that requires authentication has to check which
* entry it got back.
*
* PARAMETERS
* \is
* \i <tcount>
* Specify the number of sub-IDs in <tlist>.
* \i <*tlist>
* Point to the object ID.
* \ie
*
* RETURNS: If successful, this routine returns a pointer to the 'SNMP_AUTH_T'
* structure corresponding to this OID. If no entry on the list matches, it
* returns 0 (a null pointer), so the result must be checked before use.
*
* ERRNO: N/A
*
* SEE ALSO: SNMP_Auth_Add(), SNMP_Priv_Add(), SNMP_Priv_Find(),
* SNMP_V3_Pass2Key()
*/

SNMP_AUTH_T *
  SNMP_Auth_Find(int      tcount,
                 OIDC_T  *tlist)
{
SNMP_AUTH_T *auth;

/* NOTE(review): no locking is visible around this walk of v3_auth_root;
   confirm that callers serialize it against SNMP_Auth_Add(). */
for (auth = v3_auth_root; auth; auth = auth->next) {
    if (oidcmp2(auth->name.num_components, auth->name.component_list,
                tcount, tlist) == 0)
        return(auth);
    }
/* no entry on the list carries this OID */
return(0);
}

/*******************************************************************************
*
* SNMP_Auth_Add - add an authentication algorithm to the algorithm list
*
* SYNOPSIS
*
* \cs
* typedef struct SNMP_AUTH_S
*     {
*     struct SNMP_AUTH_S * next;
*     OBJ_ID_T             name
*     hashfcn_init_t       hashinit
*     hashfcn_update_t     hashupdate
*     hashfcn_final_t      hashfinal
*     int               (* authenticate)(
*                              struct SNMP_AUTH_S * auth,
*                              bits8_t *            key,
*                              ALENGTH_T            key_len,
*                              bits8_t *            data,
*                              ALENGTH_T            data_len,
*                              bits8_t *            digest,
*                              int                  verify
*                              )
*     ALENGTH_T            need
*     ALENGTH_T            digestsize
*     ALENGTH_T            keysize
*     ALENGTH_T            ctxsize
*     } SNMP_AUTH_T
*
* int SNMP_Auth_Add
*     (
*     SNMP_AUTH_T * auth
*     )
* \ce
*
* DESCRIPTION
*
* This routine adds an authentication algorithm to the list of algorithms used
* by WIND MANAGE SNMP. You must construct <auth> yourself.
*
* The routine links the structure that <auth> points to directly onto the head
* of the 'v3_auth_root' list; it does not copy it. The structure therefore has
* to stay valid and unmodified for as long as it is on the list. <auth> is
* dereferenced without a null check, so it must not be a null pointer.
*
* \&NOTE: The password-to-key function assumes that the hash* fields contain
* the raw digesting functions. If you add a new authentication scheme, you must
* add those functions or use a different password-to-key function.
*
* PARAMETERS
* \is
* \i <*next>
* Point to the next 'SNMP_AUTH_S' structure, filled in by the SNMP_Auth_Add()
* routine.
* \i <name>
* Specify the object identifier that names the protocol. For standard based
* protocols, this value is assigned by IANA. For non-standard protocols, assign
* the object identifier from the organization's private branch of the MIB
* tree.
* \i <*authenticate>
* Use <key> to digest the data. If <verify> is 1, it compares the value of
* <digest> to the generated result and returns a 0 when they are the same. If
* <verify> is 0, the generated result is placed into <digest>. Currently, WIND
* MANAGE SNMP has a single authenticate routine that implements the HMAC
* algorithm using the <hash*> functions to perform the digest function. If you
* supply your own routine, its comparison in verify mode should take the same
* time wherever the first mismatching byte is. The
* following parameters are passed to the authentication routine that is passed
* to SNMP_Auth_Add().
* \is
* \i <*auth>
* Point to an 'SNMP_AUTH_S' structure.
* \i <*key>
* Point to the authentication key.
* \i <key_len>
* Specify the length in bytes of the key.
* \i <*data>
* Point to the data to digest.
* \i <data_len>
* Specify the length in bytes of the data.
* \i <*digest>
* Point to the digest.
* \i <verify>
* If <verify> is 1, then the digest calculated from the other parameters is
* compared against <digest> and the authenticate function returns a 0 if they
* match. If <verify> is 0, the generated digest is placed into <digest>.
* \ie
* \i <need>
* Specify the length required in bytes. SNMP uses 12 bytes for both HMAC-MD5
* and HMAC-SHA.
* \i <digestsize>
* Specify the length in bytes of the actual digest. MD5 uses 16 and SHA uses
* 20.
* \i <keysize>
* Specify the size of the key for the algorithm. SNMP uses keys that are equal
* to the digest size for both MD5 and SHA.
* \i <ctxsize>
* If <hash*> functions are in use, specifies the size of the context to be
* passed.
* \ie
*
* RETURNS: If successful, this routine returns 0. If you attempt to add a
* routine more than once, it returns 1. "More than once" is decided by OID:
* an entry whose <name> is already found by SNMP_Auth_Find() is rejected and
* the list is left unchanged.
*
* ERRNO: N/A
*
* SEE ALSO: SNMP_Priv_Add(), SNMP_V3_Pass2Key()
*/

int
  SNMP_Auth_Add(SNMP_AUTH_T *auth)
{
/* refuse a second registration under an OID that is already on the list */
if (SNMP_Auth_Find(auth->name.num_components, auth->name.component_list))
    return(1);
/* push onto the head of the list; the caller's structure itself is linked in */
auth->next = v3_auth_root;
v3_auth_root = auth;
return(0);
}

/****************************************************************************
\NOMANUAL

NAME:  v3_auth_authenticate

PURPOSE:  run the hmac digest routine and either verify the current
          digest or insert the new digest into the space.

PARAMETERS:
        SNMP_AUTH_T * authentication block (routines etc)
        bits8_t     * key to use
        ALENGTH_T     length of key
        bits8_t     * buffer to digest
        ALENGTH_T     length of buffer
        bits8_t     * place to find/place digest, must be size that
                      the auth block is expecting
        int           verify flag 1 is verify, 0 is digest

RETURNS: int, 0 on success; -1 if the HMAC context cannot be allocated
         (INSTALL_ENVOY_HEAP_LARGE_VARS builds)

NOTE(review): saved_digest and out_digest are fixed-size arrays
(V3_HMAC_MAX_NEEDS and V3_HMAC_MAX_DIGEST). The code that uses them is
not in the visible part of this file; confirm that the 'need' and
'digestsize' values of a caller-registered SNMP_AUTH_T are bounded
against those sizes, and that the verify comparison does not exit early
on the first mismatching byte.
****************************************************************************/

int
  v3_auth_authenticate(SNMP_AUTH_T *auth,
                       bits8_t     *key,
                       ALENGTH_T    keylen,
                       bits8_t     *buffp,
                       ALENGTH_T    buflen,
                       bits8_t     *digest,
                       int          verify)
{
bits8_t saved_digest[V3_HMAC_MAX_NEEDS], out_digest[V3_HMAC_MAX_DIGEST];
HMAC_CTX *ctx;
#if (INSTALL_ENVOY_HEAP_LARGE_VARS == 0)
HMAC_CTX real_ctx;
#endif

#if INSTALL_ENVOY_HEAP_LARGE_VARS
/* allocate ctx */
ctx = (HMAC_CTX *)SNMP_memory_alloc(sizeof(HMAC_CTX));
if (ctx == 0) {
    BUG(BUG_ENVOY_INSUFFICIENT_MEMORY, BUG_CONTINUABLE, 0,
        (BUG_OUT, "v3_auth_authenticate(): insufficient memory", 0));
    return(-1);
    }
#else