From e6b03b77766dce8009ad7b4a2392e14addf4ab0f Mon Sep 17 00:00:00 2001
From: Fritz Reichmann <fritz@reichmann.nl>
Date: Sat, 1 Oct 2011 17:49:48 +0400
Subject: isisd: implement MD5 circuit authentication

* Replace command "isis passwd" with "isis passwd {clear|md5}"
* Verify HMAC MD5 on ISIS Hello PDUs
* Add HMAC MD5 authentication to md5.h/md5.c from RFC2104
---
 lib/md5.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 lib/md5.h |  3 +++
 2 files changed, 76 insertions(+)

(limited to 'lib')

diff --git a/lib/md5.c b/lib/md5.c
index 894de648..2fc36e17 100644
--- a/lib/md5.c
+++ b/lib/md5.c
@@ -298,3 +298,76 @@ static void md5_calc(const uint8_t *b64, md5_ctxt * ctxt)
 	ctxt->md5_stc += C;
 	ctxt->md5_std += D;
 }
+
+/* From RFC 2104 */
+void
+hmac_md5(text, text_len, key, key_len, digest)
+unsigned char*  text;			/* pointer to data stream */
+int             text_len;		/* length of data stream */
+unsigned char*  key;			/* pointer to authentication key */
+int             key_len;		/* length of authentication key */
+caddr_t         digest;		/* caller digest to be filled in */
+
+{
+    MD5_CTX context;
+    unsigned char k_ipad[65];    /* inner padding -
+				 * key XORd with ipad
+				 */
+    unsigned char k_opad[65];    /* outer padding -
+				 * key XORd with opad
+				 */
+    unsigned char tk[16];
+    int i;
+    /* if key is longer than 64 bytes reset it to key=MD5(key) */
+    if (key_len > 64) {
+
+       MD5_CTX      tctx;
+
+       MD5Init(&tctx);
+       MD5Update(&tctx, key, key_len);
+       MD5Final(tk, &tctx);
+
+       key = tk;
+       key_len = 16;
+    }
+
+    /*
+     * the HMAC_MD5 transform looks like:
+     *
+     * MD5(K XOR opad, MD5(K XOR ipad, text))
+     *
+     * where K is an n byte key
+     * ipad is the byte 0x36 repeated 64 times
+     * opad is the byte 0x5c repeated 64 times
+     * and text is the data being protected
+     */
+
+    /* start out by storing key in pads */
+    bzero( k_ipad, sizeof k_ipad);
+    bzero( k_opad, sizeof k_opad);
+    bcopy( key, k_ipad, key_len);
+    bcopy( key, k_opad, key_len);
+
+    /* XOR key with ipad and opad values */
+    for (i=0; i<64; i++) {
+       k_ipad[i] ^= 0x36;
+       k_opad[i] ^= 0x5c;
+    }
+    /*
+     * perform inner MD5
+     */
+    MD5Init(&context);			/* init context for 1st
+					 * pass */
+    MD5Update(&context, k_ipad, 64);	/* start with inner pad */
+    MD5Update(&context, text, text_len); /* then text of datagram */
+    MD5Final(digest, &context);	/* finish up 1st pass */
+    /*
+     * perform outer MD5
+     */
+    MD5Init(&context);			/* init context for 2nd
+					 * pass */
+    MD5Update(&context, k_opad, 64);	/* start with outer pad */
+    MD5Update(&context, digest, 16);	/* then results of 1st
+					 * hash */
+    MD5Final(digest, &context);	/* finish up 2nd pass */
+}
diff --git a/lib/md5.h b/lib/md5.h
index 89b9a320..3ce83a63 100644
--- a/lib/md5.h
+++ b/lib/md5.h
@@ -82,4 +82,7 @@ do {				\
 	md5_result((x), (y));	\
 } while (0)
 
+/* From RFC 2104 */
+void hmac_md5(unsigned char* text, int text_len, unsigned char* key, int key_len, caddr_t digest);
+
 #endif /* ! _LIBZEBRA_MD5_H_*/
-- 
cgit v1.2.1