* sha1 authentication

- remove warnings and test code svn path=/trunk/; revision=20366
author: Luis Ontanon <luis.ontanon@gmail.com> 2007-01-10 01:15:18 +0000
committer: Luis Ontanon <luis.ontanon@gmail.com> 2007-01-10 01:15:18 +0000
commit: 0ddb0fd48fdd008f627b688926618c680916f1cc (patch)
tree: 8e5fd8700789beb47aec147e02a2a398a20f5912 /asn1
parent: ae2ca85c925356cefde382972ba0d9f0d9e6df3d (diff)
3 files changed, 94 insertions, 54 deletions
diff --git a/asn1/snmp/packet-snmp-template.c b/asn1/snmp/packet-snmp-template.c
index 09b416f55f..ca89d1d1e0 100644
--- a/asn1/snmp/packet-snmp-template.c
+++ b/asn1/snmp/packet-snmp-template.c
@@ -95,12 +95,15 @@
 #include "packet-snmp.h"
 #include "format-oid.h"
 
-#include <epan/crypt/airpdcap_sha1.h>
+#include <epan/sha1.h>
 #include <epan/crypt/crypt-md5.h>
-#include <epan/crypt/hmac.h>
 #include <epan/expert.h>
 #include <epan/report_err.h>
 
+#ifdef _WIN32
+#include <winposixtype.h>
+#endif /* _WIN32 */
+
 #ifdef HAVE_LIBGCRYPT
 #include <gcrypt.h>
 #endif
@@ -850,7 +853,7 @@ snmp_variable_decode(tvbuff_t *tvb, proto_tree *snmp_tree, packet_info *pinfo,tv
 	switch (vb_type) {
 
 	case SNMP_INTEGER:
-		offset = dissect_ber_integer(FALSE, pinfo, NULL, tvb, start, -1, &(vb_integer_value));
+		offset = dissect_ber_integer(FALSE, pinfo, NULL, tvb, start, -1, (void*)&(vb_integer_value));
 		length = offset - vb_value_start;
 		if (snmp_tree) {
 #ifdef HAVE_NET_SNMP
@@ -1048,6 +1051,11 @@ snmp_variable_decode(tvbuff_t *tvb, proto_tree *snmp_tree, packet_info *pinfo,tv
 	return;
 }
 
+
+
+
+
+
 static snmp_ue_assoc_t* get_user_assoc(tvbuff_t* engine_tvb, tvbuff_t* user_tvb) {
 	static snmp_ue_assoc_t* a;
 	guint given_username_len;
@@ -1095,7 +1103,7 @@ static snmp_ue_assoc_t* get_user_assoc(tvbuff_t* engine_tvb, tvbuff_t* user_tvb)
 #define D(p)
 #endif
 
-gboolean snmp_usm_auth_md5(snmp_usm_params_t* p, gchar** error) {
+gboolean snmp_usm_auth_md5(snmp_usm_params_t* p, gchar const** error) {
 	guint msg_len;
 	guint8* msg;
 	guint auth_len;
@@ -1148,12 +1156,59 @@ gboolean snmp_usm_auth_md5(snmp_usm_params_t* p, gchar** error) {
 }
 
 
-gboolean snmp_usm_auth_sha1(snmp_usm_params_t* p _U_, gchar** error _U_) {
-	*error = "SHA1 authentication Not Yet Implemented";
-	return FALSE;
+gboolean snmp_usm_auth_sha1(snmp_usm_params_t* p _U_, gchar const** error _U_) {
+	guint msg_len;
+	guint8* msg;
+	guint auth_len;
+	guint8* auth;
+	guint8* key;
+	guint key_len;
+	guint8 calc_auth[20];
+	guint start;
+	guint end;
+	guint i;
+	
+	if (!p->auth_tvb) {
+		*error = "No Authenticator";
+		return FALSE;		
+	}
+	
+	key = p->user_assoc->user.authKey.data;
+	key_len = p->user_assoc->user.authKey.len;
+	
+	if (! key ) {
+		*error = "User has no authKey";
+		return FALSE;
+	}
+	
+	
+	auth_len = tvb_length_remaining(p->auth_tvb,0);
+	
+	
+	if (auth_len != 12) {
+		*error = "Authenticator length wrong";
+		return FALSE;
+	}
+	
+	msg_len = tvb_length_remaining(p->msg_tvb,0);
+	msg = ep_tvb_memdup(p->msg_tvb,0,msg_len);
+
+	auth = ep_tvb_memdup(p->auth_tvb,0,auth_len);
+	
+	start = p->auth_offset - p->start_offset;
+	end = 	start + auth_len;
+	
+	/* fill the authenticator with zeros */
+	for ( i = start ; i < end ; i++ ) {
+		msg[i] = '\0';
+	}
+	
+	sha1_hmac(key, key_len, msg, msg_len, calc_auth);
+	
+	return ( memcmp(auth,calc_auth,12) != 0 ) ? FALSE : TRUE;
 }
 
-tvbuff_t* snmp_usm_priv_des(snmp_usm_params_t* p _U_, tvbuff_t* encryptedData _U_, gchar** error _U_) {
+tvbuff_t* snmp_usm_priv_des(snmp_usm_params_t* p _U_, tvbuff_t* encryptedData _U_, gchar const** error _U_) {
 #ifdef HAVE_LIBGCRYPT
     gcry_error_t err;
     gcry_cipher_hd_t hd = NULL;
@@ -1166,12 +1221,11 @@ tvbuff_t* snmp_usm_priv_des(snmp_usm_params_t* p _U_, tvbuff_t* encryptedData _U
 	gint cryptgrm_len;
 	guint8* cryptgrm;
 	tvbuff_t* clear_tvb;
-	guint8 iv[8];;
+	guint8 iv[8];
 	guint i;
 	
 	
 	salt_len = tvb_length_remaining(p->priv_tvb,0);
-	D(("salt_len=%d\n",salt_len));
 	
 	if (salt_len != 8)  {
 		*error = "msgPrivacyParameters lenght != 8";
@@ -1180,21 +1234,14 @@ tvbuff_t* snmp_usm_priv_des(snmp_usm_params_t* p _U_, tvbuff_t* encryptedData _U
 
 	salt = ep_tvb_memdup(p->priv_tvb,0,salt_len);
 
-	DUMP_DATA("salt",salt,salt_len);
-	DUMP_DATA("pre_iv",iv,8);
-
 	/*
 	 The resulting "salt" is XOR-ed with the pre-IV to obtain the IV.
 	 */
 	for (i=0; i<8; i++) {
 		iv[i] = pre_iv[i] ^ salt[i];
 	}
-	
-	DUMP_DATA("iv",iv,8);
-	DUMP_DATA("des_key",des_key,8);
 
 	cryptgrm_len = tvb_length_remaining(encryptedData,0);
-	D(("cryptgrm_len=%d\n",cryptgrm_len));
 
 	if (cryptgrm_len % 8) {
 		*error = "the length of the encrypted data is noty a mutiple of 8";
@@ -1202,7 +1249,6 @@ tvbuff_t* snmp_usm_priv_des(snmp_usm_params_t* p _U_, tvbuff_t* encryptedData _U
 	}
 	
 	cryptgrm = ep_tvb_memdup(encryptedData,0,-1);
-	DUMP_DATA("cryptgrm",cryptgrm,cryptgrm_len);
 
 	cleartext = ep_alloc(cryptgrm_len);
 	
@@ -1220,20 +1266,6 @@ tvbuff_t* snmp_usm_priv_des(snmp_usm_params_t* p _U_, tvbuff_t* encryptedData _U
 	
 	gcry_cipher_close(hd);
 	
-	DUMP_DATA("cleartext",cryptgrm,cryptgrm_len);
-
-	/*
-	 ???
-			The first ciphertext block is decrypted, the decryption output is
-		 XOR-ed with the Initialization Vector, and the result is the first
-		 plaintext block.
-		 
-		 For each subsequent block, the ciphertext block is decrypted, the
-		 decryption output is XOR-ed with the previous ciphertext block and
-		 the result is the plaintext block.
-	 */
-	
-	
 	clear_tvb = tvb_new_real_data(cleartext, cryptgrm_len, cryptgrm_len);
 	
 	return clear_tvb;
@@ -1248,7 +1280,7 @@ on_gcry_error:
 #endif
 }
 
-tvbuff_t* snmp_usm_priv_aes(snmp_usm_params_t* p _U_, tvbuff_t* encryptedData _U_, gchar** error _U_) {
+tvbuff_t* snmp_usm_priv_aes(snmp_usm_params_t* p _U_, tvbuff_t* encryptedData _U_, gchar const** error _U_) {
 #ifdef HAVE_LIBGCRYPT
 	*error = "AES decryption Not Yet Implemented";
 	return NULL;
@@ -1258,6 +1290,11 @@ tvbuff_t* snmp_usm_priv_aes(snmp_usm_params_t* p _U_, tvbuff_t* encryptedData _U
 #endif
 }
 
+
+
+
+
+
 #include "packet-snmp-fn.c"
 
 
@@ -1578,8 +1615,6 @@ void snmp_usm_password_to_key_md5(
 /*
    SHA1 Password to Key Algorithm COPIED from RFC 3414 A.2.2
  */
-#define SHAUpdate(c,b,l) sha1_loop((c),(b),(l))
-#define SHAFinal(d,c) sha1_result((c),(d))
 
 void snmp_usm_password_to_key_sha1(
 						 guint8 *password,    /* IN */
@@ -1588,12 +1623,12 @@ void snmp_usm_password_to_key_sha1(
 						 guint   engineLength,/* IN  - length of snmpEngineID */
 						 guint8 *key)         /* OUT - pointer to caller 20-octet buffer */
 						 {
-	SHA1_CONTEXT     SH;
+	sha1_context     SH;
 	guint8     *cp, password_buf[72];
 	guint32      password_index = 0;
 	guint32      count = 0, i;
 	
-	sha1_init (&SH);   /* initialize SHA */
+	sha1_starts(&SH);   /* initialize SHA */
 	
 	/**********************************************/
 	/* Use while loop until we've done 1 Megabyte */
@@ -1607,10 +1642,10 @@ void snmp_usm_password_to_key_sha1(
 			/*************************************************/
 			*cp++ = password[password_index++ % passwordlen];
 		}
-		SHAUpdate (&SH, password_buf, 64);
+		sha1_update (&SH, password_buf, 64);
 		count += 64;
 	}
-	SHAFinal (key, &SH);          /* tell SHA we're done */
+	sha1_finish(&SH, key);
 	
 	/*****************************************************/
 	/* Now localize the key with the engineID and pass   */
@@ -1622,9 +1657,9 @@ void snmp_usm_password_to_key_sha1(
 	memcpy(password_buf+20, engineID, engineLength);
 	memcpy(password_buf+20+engineLength, key, 20);
 	
-	sha1_init(&SH);
-	SHAUpdate(&SH, password_buf, 40+engineLength);
-	SHAFinal(key, &SH);
+	sha1_starts(&SH);
+	sha1_update(&SH, password_buf, 40+engineLength);
+	sha1_finish(&SH, key);
 	return;
  }
 
@@ -1793,7 +1828,7 @@ void proto_register_snmp(void) {
 				{ "Authentication OK", "snmp.v3.authOK", FT_BOOLEAN, 8,
 					TFS(&auth_flags), 0, "", HFILL }},
 		  { &hf_snmp_decryptedPDU, {
-					"Decrypted PDU", "snmp.decryptedPdu", FT_BYTES, BASE_HEX,
+					"Decrypted ScopedPDU", "snmp.decrypted_pdu", FT_BYTES, BASE_HEX,
 					NULL, 0, "Decrypted PDU", HFILL }},
 	  
 #include "packet-snmp-hfarr.c"
diff --git a/asn1/snmp/packet-snmp-template.h b/asn1/snmp/packet-snmp-template.h
index 5c99f70d8e..3a833b84fe 100644
--- a/asn1/snmp/packet-snmp-template.h
+++ b/asn1/snmp/packet-snmp-template.h
@@ -33,8 +33,8 @@ typedef struct _snmp_usm_key {
 typedef struct _snmp_ue_assoc_t snmp_ue_assoc_t;
 typedef struct _snmp_usm_params_t snmp_usm_params_t;
 
-typedef gboolean (*snmp_usm_authenticator_t)(snmp_usm_params_t*, gchar** error);
-typedef tvbuff_t* (*snmp_usm_decoder_t)(snmp_usm_params_t*, tvbuff_t* encryptedData, gchar** error);
+typedef gboolean (*snmp_usm_authenticator_t)(snmp_usm_params_t*, gchar const** error);
+typedef tvbuff_t* (*snmp_usm_decoder_t)(snmp_usm_params_t*, tvbuff_t* encryptedData, gchar const** error);
 typedef void (*snmp_usm_password_to_key_t)(guint8 *password, guint passwordlen, guint8 *engineID, guint engineLength, guint8 *key);
 
 typedef struct _snmp_usm_auth_model_t {
@@ -89,12 +89,12 @@ extern guint dissect_snmp_pdu(tvbuff_t *, int, packet_info *, proto_tree *tree,
 extern int dissect_snmp_engineid(proto_tree *, tvbuff_t *, int, int);
 
 /* SNMPv3 USM authentication functions */
-gboolean snmp_usm_auth_md5(snmp_usm_params_t* p, gchar**);
-gboolean snmp_usm_auth_sha1(snmp_usm_params_t* p, gchar**);
+gboolean snmp_usm_auth_md5(snmp_usm_params_t* p, gchar const**);
+gboolean snmp_usm_auth_sha1(snmp_usm_params_t* p, gchar const**);
 
 /* SNMPv3 USM privacy functions */
-tvbuff_t* snmp_usm_priv_des(snmp_usm_params_t*, tvbuff_t*, gchar**);
-tvbuff_t* snmp_usm_priv_aes(snmp_usm_params_t*, tvbuff_t*, gchar**);
+tvbuff_t* snmp_usm_priv_des(snmp_usm_params_t*, tvbuff_t*, gchar const**);
+tvbuff_t* snmp_usm_priv_aes(snmp_usm_params_t*, tvbuff_t*, gchar const**);
 
 
 void snmp_usm_password_to_key_md5(guint8 *password, guint passwordlen, guint8 *engineID, guint engineLength, guint8 *key);
diff --git a/asn1/snmp/snmp.cnf b/asn1/snmp/snmp.cnf
index 9af11329e7..2f7dce769b 100644
--- a/asn1/snmp/snmp.cnf
+++ b/asn1/snmp/snmp.cnf
@@ -202,7 +202,7 @@ gint pdu_type;
 	if( usm_p.encrypted && crypt_tvb
 		&& usm_p.user_assoc
 		&& usm_p.user_assoc->user.privProtocol ) {
-			gchar* error = NULL;
+			const gchar* error = NULL;
 
 		tvbuff_t* cleartext_tvb = usm_p.user_assoc->user.privProtocol(&usm_p,
 														   crypt_tvb,
@@ -212,10 +212,16 @@ gint pdu_type;
 			proto_item* item = get_ber_last_created_item();
 			expert_add_info_format( pinfo, item, PI_UNDECODED, PI_WARN, "Failed to decrypt encryptedPDU: %%s", error );
 		} else {
-			proto_tree* decrypted_tree = proto_item_add_subtree(get_ber_last_created_item(),ett_decrypted);
-			
+			proto_tree* encryptedpdu_tree;
+			proto_item* decrypted_item;
+			proto_tree* decrypted_tree;
+
             add_new_data_source(pinfo, cleartext_tvb, "Decrypted ScopedPDU");
 			tvb_set_child_real_data_tvbuff(tvb, cleartext_tvb);
+			
+			encryptedpdu_tree = proto_item_add_subtree(get_ber_last_created_item(),ett_encryptedPDU);
+			decrypted_item = proto_tree_add_item(encryptedpdu_tree, hf_snmp_decryptedPDU,cleartext_tvb,0,-1,FALSE);
+			decrypted_tree = proto_item_add_subtree(decrypted_item,ett_decrypted);
 			dissect_snmp_ScopedPDU(FALSE, cleartext_tvb, 0, pinfo, decrypted_tree, -1);
 		 }
 
@@ -223,7 +229,6 @@ gint pdu_type;
 
 #.FN_BODY SNMPv3Message/msgSecurityParameters
 
-//	printf(">msgSecurityParameters\n");
 	switch(MsgSecurityModel){
 		case SNMP_SEC_USM:	/* 3 */		
 			offset = dissect_snmp_UsmSecurityParameters(FALSE, tvb, offset+2, pinfo, tree, -1);
@@ -242,7 +247,7 @@ gint pdu_type;
 	if( usm_p.authenticated
 		&& usm_p.user_assoc
 		&& usm_p.user_assoc->user.authModel ) {
-		gchar* error = NULL;
+		const gchar* error = NULL;
 		proto_item* authen_item;
 		proto_tree* authen_tree = proto_item_add_subtree(usm_p.auth_item,ett_authParameters);
author	Luis Ontanon <luis.ontanon@gmail.com>	2007-01-10 01:15:18 +0000
committer	Luis Ontanon <luis.ontanon@gmail.com>	2007-01-10 01:15:18 +0000
commit	0ddb0fd48fdd008f627b688926618c680916f1cc (patch)
tree	8e5fd8700789beb47aec147e02a2a398a20f5912 /asn1
parent	ae2ca85c925356cefde382972ba0d9f0d9e6df3d (diff)