Beispiel #1
0
/** sends a list of all available anchor elements in the BEX store
 * to the hipd
 *
 * @param   hcstore the BEX store
 * @param   use_hash_trees indicates whether hash chains or hash trees are stored
 * @return  0 on success, -1 on error
 */
int send_bex_store_update_to_hipd(struct hchain_store *hcstore,
                                  const int use_hash_trees)
{
    struct hip_common *msg = NULL;
    int                err = 0;

    HIP_ASSERT(hcstore != NULL);

    HIP_DEBUG("sending bex-store update to hipd...\n");

    HIP_IFEL(!(msg = create_bex_store_update_msg(hcstore, use_hash_trees)),
             -1, "failed to create bex store anchors update message\n");

    HIP_DUMP_MSG(msg);

    /* send msg to hipd and receive corresponding reply */
    HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_sock), -1, "send_recv msg failed\n");

    /* check error value */
    HIP_IFEL(hip_get_msg_err(msg), -1, "hipd returned error message!\n");

    HIP_DEBUG("send_recv msg succeeded\n");

out_err:
    free(msg);
    return err;
}
Beispiel #2
0
int hip_setup_hit_sp_pair(hip_hit_t *src_hit, hip_hit_t *dst_hit,
			  struct in6_addr *src_addr,
			  struct in6_addr *dst_addr, u8 proto,
			  int use_full_prefix, int update)
{
	int so, len, err = 0;
	u_int prefs, prefd;
	u8 prefix = (use_full_prefix) ? 128 : HIP_HIT_PREFIX_LEN;
	int cmd = update ? SADB_X_SPDUPDATE : SADB_X_SPDADD;

	HIP_DEBUG("\n");
	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	HIP_DEBUG("Adding a pair of SP\n");

	HIP_IFEBL((hip_pfkey_policy_modify(so, dst_hit, prefix, src_hit, 
					   prefix, src_addr, dst_addr, 
					   proto, cmd, IPSEC_DIR_INBOUND)<0),
		  -1, pfkey_close(so), "ERROR in %s the inbound policy\n", update ? "updating" : "adding");

	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	HIP_IFEBL((hip_pfkey_policy_modify(so, src_hit, prefix, dst_hit, 
					   prefix, dst_addr, src_addr,
					   proto, cmd, IPSEC_DIR_OUTBOUND)<0),
		  -1, pfkey_close(so), "ERROR in %s the outbound policy\n", update ? "updating" : "adding");
	return 0;
out_err:
	return err;
}
/**
 * Handle ECHO_REQUEST_UNSIGNED parameter.
 *
 * @param packet_type The packet type of the control message (RFC 5201, 5.3.)
 * @param ha_state The host association state (RFC 5201, 4.4.1.)
 * @param ctx Pointer to the packet context, containing all information for
 *             the packet handling (received message, source and destination
 *             address, the ports and the corresponding entry from the host
 *             association database).
 *
 * @return zero on success, or negative error value on error.
 */
int hip_handle_echo_request_param(UNUSED const uint8_t packet_type,
                                  UNUSED const uint32_t ha_state,
                                  struct hip_packet_context *ctx)
{
    const struct hip_echo_request *echo_request = NULL;
    int                            err          = 0;

    if (!(echo_request = hip_get_param(ctx->input_msg,
                                       HIP_PARAM_ECHO_REQUEST))) {
        HIP_DEBUG("no ECHO_REQUEST parameter in UPDATE packet, skipping\n");

        /* This condition is no error! There simply was no request by the peer
         * to add a ECHO_RESPONSE parameter to the outbound message. */
        return 0;
    }

    HIP_DEBUG("echo opaque data len=%d\n",
              hip_get_param_contents_len(echo_request));
    HIP_HEXDUMP("ECHO_REQUEST ",
                (const uint8_t *) echo_request + sizeof(struct hip_tlv_common),
                hip_get_param_contents_len(echo_request));
    HIP_IFEL(hip_build_param_echo(ctx->output_msg,
                                  (const uint8_t *) echo_request + sizeof(struct hip_tlv_common),
                                  hip_get_param_contents_len(echo_request), 0, 0),
             -1, "Building of ECHO_RESPONSE failed\n");

out_err:
    return err;
}
Beispiel #4
0
/** 
 * opendht_rm - Builds XML RPC packet and sends it through given socket and reads the response
 * @param sockfd Socket to be used with the send
 * @param key Key for the openDHT
 * @param value Value to be removed to the openDHT
 * @param secret Value to be used as a secret in remove
 * @param host Host address
 * @param response Buffer where the possible error message is saved 
 *
 * @return Returns integer -1 on error, on success 0
 */
int opendht_rm(int sockfd, 
                   unsigned char * key,
                   unsigned char * value, 
                   unsigned char * secret,
                   unsigned char * host,
                   int opendht_port,
                   int opendht_ttl)
{
    int key_len = 0;
    char put_packet[HIP_MAX_PACKET];
    char tmp_key[21];
    
    key_len = opendht_handle_key(key, tmp_key);
    
    /* Rm operation */
    memset(put_packet, '\0', sizeof(put_packet));
    if (build_packet_rm((unsigned char *)tmp_key,
                         key_len,
                         (unsigned char *)value,
	                 strlen((char *)value),
                         (unsigned char *)secret,
                         strlen((char *)secret),
                         opendht_port,
                         (unsigned char *)host,
                         put_packet, opendht_ttl) != 0)
        {
            HIP_DEBUG("Rm packet creation failed.\n");
            return(-1);
        }
    _HIP_DEBUG("Host address in OpenDHT rm : %s\n", host); 
    HIP_DEBUG("Actual OpenDHT send starts here\n");
    send(sockfd, put_packet, strlen(put_packet), 0);
    return(0);
}
Beispiel #5
0
Datei: dh.c Projekt: surki/hipl
/**
 * hip_regen_dh_keys - Regenerate Diffie-Hellman keys for HIP
 * @param bitmask Mask of groups to generate.
 *
 * Use only this function to generate DH keys.
 */
void hip_regen_dh_keys(u32 bitmask)
{
	DH *tmp,*okey;
	int maxmask,i;
	int cnt = 0;

	/* if MAX_DH_GROUP_ID = 4 --> maxmask = 0...01111 */
	maxmask = (1 << (HIP_MAX_DH_GROUP_ID+1)) - 1;
	bitmask &= maxmask;

	for(i=1; i<=HIP_MAX_DH_GROUP_ID; i++) {
		if (bitmask & (1 << i)) {
			tmp = hip_generate_dh_key(i);
			if (!tmp) {
				HIP_INFO("Error while generating group: %d\n",i);
				continue;
			}

			okey = dh_table[i];
			dh_table[i] = tmp;

			hip_free_dh(okey);

			cnt++;

			HIP_DEBUG("DH key for group %d generated\n",i);
		} 
	}
	HIP_DEBUG("%d keys generated\n",cnt);
}
Beispiel #6
0
int main(int argc, char *argv[]) {
        int err = 0, i = 0;
        sqlite3 * db = NULL;
        char dbpath[] = "/tmp/hip_sqltest.db";
        char table_sql[] = "CREATE TABLE test (num INTEGER, value VARCHAR(128));";
        char insert_sql[256];
        char delete_sql[] = "DELETE FROM test WHERE num = 3;";
        char select_sql[] = "SELECT * FROM test;";
        
        db = hip_sqlite_open_db(dbpath, table_sql);
        HIP_IFEL((db == NULL), -1, "Failed to open/create the database\n");
        for(i = 1; i < 10; i++) {
                memset(insert_sql, '\0', sizeof(insert_sql));
                sprintf(insert_sql, "INSERT INTO test VALUES(%d, "
                        "'Hi to you. #%d times said');", i,i); 
                HIP_IFEL(hip_sqlite_insert_into_table(db, insert_sql),
                         -1, "Failed to execute insert into query\n"); 
        }
        HIP_IFEL(hip_sqlite_select(db, select_sql, hip_sqlite_callback), -1,
                 "Failed to execute select query on the db\n");
        HIP_DEBUG("Removing row where num is 3\n");
        HIP_IFEL(hip_sqlite_delete_from_table(db, delete_sql),
                         -1, "Failed to execute delete query\n"); 
        HIP_IFEL(hip_sqlite_select(db, select_sql, hip_sqlite_callback), -1,
                 "Failed to execute select query on the db\n");
        HIP_DEBUG("Did the num 3 disappear?\n");
        HIP_IFEL(hip_sqlite_close_db(db), -1, "Failed to close the db\n");
       
 out_err:
        return(err);
}
Beispiel #7
0
int hip_daemon_bind_socket(int socket, struct sockaddr *sa) {
	int err = 0, port = 0, on = 1;
	struct sockaddr_in6 *addr = (struct sockaddr_in6 *) sa;

	HIP_ASSERT(addr->sin6_family == AF_INET6);

	errno = 0;

	if (setsockopt(socket, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) {
		HIP_DEBUG ("Failed to set socket option SO_REUSEADDR %s \n",  strerror(errno));
	}

	if (addr->sin6_port) {
		HIP_DEBUG("Bind to fixed port %d\n", addr->sin6_port);
		err = bind(socket,(struct sockaddr *)addr,
			   sizeof(struct sockaddr_in6));
		err = -errno;
		goto out_err;
	}

	/* try to bind first to a priviledged port and then to ephemeral */
	port = 1000;
	while (port++ < 61000) {
		_HIP_DEBUG("trying bind() to port %d\n", port);
		addr->sin6_port = htons(port);
		err = bind(socket,(struct sockaddr *)addr,
			   hip_sockaddr_len(addr));
		if (err == -1) {
			if (errno == EACCES) {
				/* Ephemeral ports:
				   /proc/sys/net/ipv4/ip_local_port_range */
				_HIP_DEBUG("Skipping to ephemeral range\n");
				port = 32768;
				errno = 0;
				err = 0;
			} else if (errno == EADDRINUSE) {
				_HIP_DEBUG("Port %d in use, skip\n", port);
				errno = 0;
				err = 0;
			} else {
				HIP_ERROR("Error %d bind() wasn't succesful\n",
					  errno);
				err = -1;
				goto out_err;
			}
		}
		else {
			_HIP_DEBUG("Bind() to port %d successful\n", port);
			goto out_err;
		}
	}

	if (port == 61000) {
		HIP_ERROR("All privileged ports were occupied\n");
		err = -1;
	}

 out_err:
	return err;
}
Beispiel #8
0
/**
 * tell firewall to turn on or off the ESP relay mode
 *
 * @param action HIP_MSG_OFFER_FULLRELAY or HIP_MSG_CANCEL_FULLRELAY
 *
 * @return zero on success or negative on failure
 */
int hip_firewall_set_esp_relay(int action)
{
    struct hip_common *msg = NULL;
    int                err = 0;
    int                sent;

    HIP_DEBUG("Setting ESP relay to %d\n", action);
    if (!(msg = hip_msg_alloc())) {
        return -ENOMEM;
    }
    HIP_IFEL(hip_build_user_hdr(msg,
                                action ? HIP_MSG_OFFER_FULLRELAY : HIP_MSG_CANCEL_FULLRELAY, 0),
             -1, "Build header failed\n");

    sent = hip_sendto_firewall(msg);
    if (sent < 0) {
        HIP_PERROR("Send to firewall failed: ");
        err = -1;
        goto out_err;
    }
    HIP_DEBUG("Sent %d bytes to firewall.\n", sent);

out_err:
    free(msg);
    return err;
}
Beispiel #9
0
/*
 * Execute nsupdate.pl with IP and HIT given as environment variables
 */
int run_nsupdate(char *ips, char *hit, int start)
{
	struct sigaction act;
	pid_t child_pid;

	HIP_DEBUG("Updating dns records...\n");

	act.sa_handler = sig_chld;

	/* We don't want to block any other signals */
	sigemptyset(&act.sa_mask);

	/*
	 * We're only interested in children that have terminated, not ones
	 * which have been stopped (eg user pressing control-Z at terminal)
	 */
	act.sa_flags = SA_NOCLDSTOP | SA_RESTART;

	/* Make the handler effective */
	if (sigaction(SIGCHLD, &act, NULL) < 0) {
		HIP_PERROR("sigaction");
        	return ERR;
	}

	/* Let us fork to execute nsupdate as a separate process */
	child_pid=fork();

	if (child_pid<0) {
		HIP_PERROR("fork");
		return ERR;
	}
	else if (child_pid == 0) {// CHILD
		char start_str[2];
#if 0
		/* Close open sockets since FD_CLOEXEC was not used */
		close_all_fds_except_stdout_and_stderr();
#endif

		snprintf(start_str, sizeof(start_str), "%i", start);

		char *env_ips = make_env(VAR_IPS, ips);
		char *env_hit = make_env(VAR_HIT, hit);
		char *env_start = make_env(VAR_START, start_str);

		char *cmd[] = { NSUPDATE_ARG0, NULL };
		char *env[] = { env_ips, env_hit, env_start, NULL };

		HIP_DEBUG("Executing %s with %s; %s; %s\n", NSUPDATE_PL, env_hit, env_ips, env_start);
		execve (NSUPDATE_PL, cmd, env);

		/* Executed only if error */
		HIP_PERROR("execve");
		exit(1); // just in case
	}
	else {// PARENT
		/* We execute waitpid in SIGCHLD handler */
		return OK;
	}
}
/**
 * Handle LOCATOR parameter in first update packet.
 *
 * @param packet_type The packet type of the control message (RFC 5201, 5.3.)
 * @param ha_state The host association state (RFC 5201, 4.4.1.)
 * @param ctx Pointer to the packet context, containing all information for
 *             the packet handling (received message, source and destination
 *             address, the ports and the corresponding entry from the host
 *             association database).
 *
 * @return zero on success, or negative error value on error.
 */
int hip_handle_locator_parameter(UNUSED const uint8_t packet_type,
                                 UNUSED const uint32_t ha_state,
                                 struct hip_packet_context *ctx)
{
    int                                locator_addr_count   = 0;
    union hip_locator_info_addr       *locator_info_addr    = NULL;
    struct hip_locator_info_addr_item *locator_address_item = NULL;
    struct update_state               *localstate           = NULL;
    struct hip_locator                *locator              = NULL;

    if (hip_classify_update_type(ctx->input_msg) == FIRST_UPDATE_PACKET) {
        if (!(locator = hip_get_param_readwrite(ctx->input_msg,
                                                HIP_PARAM_LOCATOR))) {
            HIP_ERROR("no LOCATOR parameter found\n");
            return -1;
        }

        locator_addr_count = hip_get_locator_addr_item_count(locator);

        HIP_DEBUG("LOCATOR has %d address(es), loc param len=%d\n",
                  locator_addr_count, hip_get_param_total_len(locator));

        // Empty the addresses_to_send_echo_request list before adding the
        // new addresses
        localstate = lmod_get_state_item(ctx->hadb_entry->hip_modular_state,
                                         "update");

        HIP_DEBUG("hip_get_state_item returned localstate: %p\n", localstate);
        hip_remove_addresses_to_send_echo_request(localstate);

        locator_address_item = (struct hip_locator_info_addr_item *) (locator + 1);

        HIP_DEBUG_IN6ADDR("Adding IP source address to locator set",
                          &ctx->src_addr);

        if (!hip_add_address_to_send_echo_request(localstate, ctx->src_addr)) {
            HIP_ERROR("Adding source address to the container for update locators failed!\n");
            return -1;
        }

        for (int i = 0; i < locator_addr_count; i++) {
            locator_info_addr = hip_get_locator_item(locator_address_item, i);
            const struct in6_addr *const peer_addr = hip_get_locator_item_address(locator_info_addr);

            if (ipv6_addr_cmp(&ctx->src_addr, peer_addr) != 0) {
                HIP_DEBUG_IN6ADDR("adding locator", peer_addr);
                if (!hip_add_address_to_send_echo_request(localstate, *peer_addr)) {
                    HIP_ERROR("Adding an address to the container for update locators failed!\n");
                    return -1;
                }
            }
        }

        hip_print_addresses_to_send_update_request(ctx->hadb_entry);
    }

    return 0;
}
Beispiel #11
0
/**
 * an iterator to handle packet retransmission for a given host association
 *
 * @param entry the host association which to handle
 * @param current_time current time
 * @return zero on success or negative on failure
 */
static int hip_handle_retransmission(struct hip_hadb_state *entry,
                                     void *current_time)
{
    int     err = 0;
    time_t *now = (time_t *) current_time;

    if (entry->hip_msg_retrans.buf == NULL ||
        entry->hip_msg_retrans.count == 0) {
        goto out_err;
    }

    /* check if the last transmision was at least RETRANSMIT_WAIT seconds ago */
    if (*now - HIP_RETRANSMIT_WAIT > entry->hip_msg_retrans.last_transmit) {
        if ((entry->hip_msg_retrans.count > 0) && entry->hip_msg_retrans.buf &&
            ((entry->state != HIP_STATE_ESTABLISHED && entry->retrans_state != entry->state) ||
             (entry->update_state != 0 && entry->retrans_state != entry->update_state) ||
             entry->light_update_retrans == 1)) {
            HIP_DEBUG("state=%d, retrans_state=%d, update_state=%d\n",
                      entry->state, entry->retrans_state, entry->update_state, entry->retrans_state);

            /* @todo: verify that this works over slow ADSL line */
            err = hip_send_pkt(&entry->hip_msg_retrans.saddr,
                               &entry->hip_msg_retrans.daddr,
                               (entry->nat_mode ? hip_get_local_nat_udp_port() : 0),
                               entry->peer_udp_port,
                               entry->hip_msg_retrans.buf,
                               entry, 0);

            /* Set entry state, if previous state was unassosiated
             * and type is I1. */
            if (!err && hip_get_msg_type(entry->hip_msg_retrans.buf)
                == HIP_I1 && entry->state == HIP_STATE_UNASSOCIATED) {
                HIP_DEBUG("Resent I1 succcesfully\n");
                entry->state = HIP_STATE_I1_SENT;
            }

            entry->hip_msg_retrans.count--;
            /* set the last transmission time to the current time value */
            time(&entry->hip_msg_retrans.last_transmit);
        } else {
            if (entry->hip_msg_retrans.buf) {
                entry->hip_msg_retrans.count = 0;
                memset(entry->hip_msg_retrans.buf, 0, HIP_MAX_NETWORK_PACKET);
            }

            if (entry->state == HIP_STATE_ESTABLISHED) {
                entry->retrans_state = entry->update_state;
            } else {
                entry->retrans_state = entry->state;
            }
        }
    }

out_err:

    return err;
}
Beispiel #12
0
/*
 * checks for ip address for hit
 */
int hip_hit_to_ip(hip_hit_t *hit, struct in6_addr *retval) {
	struct addrinfo *rp = NULL; // no C99 :(
	char hit_to_ip_hostname[64+HIT_TO_IP_ZONE_MAX_LEN+1];
	int found_addr = 0;
	struct addrinfo hints;
	struct addrinfo *result = NULL;
	int res;

	if ((hit == NULL)||(retval == NULL))
		return ERR;

	if (hip_get_hit_to_ip_hostname(hit, hit_to_ip_hostname, sizeof(hit_to_ip_hostname))!=OK)
		return ERR;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;    /* Allow IPv4 or IPv6 */
	hints.ai_socktype = SOCK_DGRAM; /* Datagram socket. Right? */
	hints.ai_flags = AI_PASSIVE;    /* For wildcard IP address */
	hints.ai_protocol = 0;          /* Any protocol */
	hints.ai_canonname = NULL;
	hints.ai_addr = NULL;
	hints.ai_next = NULL;

	/* getaddrinfo is too complex for DNS lookup, but let us use it now */
	res = getaddrinfo( hit_to_ip_hostname, NULL, &hints, &result );
	HIP_DEBUG("getaddrinfo(%s) returned %d\n", hit_to_ip_hostname, res);

	if (res!=0) {
		HIP_DEBUG("getaddrinfo error %s\n", gai_strerror(res));
		return ERR;
	}

	/* Look at the list and return only one address, let us prefer AF_INET */
	for (rp = result; rp != NULL; rp = rp->ai_next) {
		HIP_DEBUG_SOCKADDR("getaddrinfo result", rp->ai_addr);

		if (rp->ai_family == AF_INET) {
			struct sockaddr_in *tmp_sockaddr_in_ptr = (struct sockaddr_in *) (rp->ai_addr);
			IPV4_TO_IPV6_MAP(&(tmp_sockaddr_in_ptr->sin_addr), retval)
			found_addr = 1;
			break;
		} else if (rp->ai_family == AF_INET6) {
			struct sockaddr_in6 *tmp_sockaddr_in6_ptr = (struct sockaddr_in6 *) (rp->ai_addr);
			ipv6_addr_copy(retval, &(tmp_sockaddr_in6_ptr->sin6_addr));
			found_addr = 1;
		}
	}

	if (result)
		freeaddrinfo(result);

	if (found_addr)
		return OK;
	else
		return ERR;
}
Beispiel #13
0
void hip_delete_sa(u32 spi, struct in6_addr *peer_addr, struct in6_addr *dst_addr,
		   int direction, hip_ha_t *entry)
{
	int so, len, err = 0;
	struct sockaddr_storage ss_addr, dd_addr;
	struct sockaddr *saddr;
	struct sockaddr *daddr;
	in_port_t sport, dport;

	/* @todo: sport and dport should be used! */

	if (direction == HIP_SPI_DIRECTION_OUT)
	{
		sport = entry->local_udp_port;
		dport = entry->peer_udp_port;
		entry->outbound_sa_count--;
		if (entry->outbound_sa_count < 0) {
			HIP_ERROR("Warning: out sa count negative\n");
			entry->outbound_sa_count = 0;
		}
	}
	else
	{
		sport = entry->peer_udp_port;
		dport = entry->local_udp_port;
		entry->inbound_sa_count--;
		if (entry->inbound_sa_count < 0) {
			HIP_ERROR("Warning: in sa count negative\n");
			entry->inbound_sa_count = 0;
		}
	}

	saddr = (struct sockaddr*) &ss_addr;
	daddr = (struct sockaddr*) &dd_addr;

	HIP_DEBUG("\n");
	HIP_DEBUG("spi=0x%x\n", spi);
	HIP_DEBUG_IN6ADDR("peer_addr", peer_addr);
	HIP_DEBUG_IN6ADDR("dst_addr", dst_addr);
	// Sanity check
	HIP_IFEL((!peer_addr || !dst_addr), -1, "Addresses not valid when deleting SA's\n");

	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	get_sock_addr_from_in6(saddr, peer_addr);
	get_sock_addr_from_in6(daddr, dst_addr);

	HIP_IFEBL(((len = pfkey_send_delete(so, SADB_SATYPE_ESP,  HIP_IPSEC_DEFAULT_MODE, saddr, daddr, spi))<0), -1,
		  pfkey_close(so), "ERROR in deleting sa %s", ipsec_strerror());
out_err:
	return;
}
Beispiel #14
0
int hip_flush_all_sa()
{
	int so, len, err = 0;
	HIP_DEBUG("\n");
	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	HIP_DEBUG("Flushing all SA's\n");
	HIP_IFEBL(((len = pfkey_send_flush(so, SADB_SATYPE_ESP))<0), -1,
		   pfkey_close(so), "ERROR in flushing policies %s\n", ipsec_strerror());
	return len;
out_err:
	return err;
}
Beispiel #15
0
/**
 *
 * get the current running status of firewall
 *
 * @return one if firewall is running or zero otherwise
 */
int hip_firewall_is_alive(void)
{
#ifdef CONFIG_HIP_FIREWALL
    if (hip_firewall_status) {
        HIP_DEBUG("Firewall is alive.\n");
    } else {
        HIP_DEBUG("Firewall is not alive.\n");
    }
    return hip_firewall_status;
#else
    HIP_DEBUG("Firewall is disabled.\n");
    return 0;
#endif // CONFIG_HIP_FIREWALL
}
Beispiel #16
0
int hip_flush_all_policy()
{
	int so, len, err = 0;
	HIP_DEBUG("\n");
	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	HIP_DEBUG("FLushing all SP's\n");
	HIP_IFEBL(((len = pfkey_send_spdflush(so))<0), -1, 
		  pfkey_close(so), "ERROR in flushing policies %s\n", ipsec_strerror());
	HIP_DEBUG("FLushing all SP's was successful\n");
	return len;
out_err:
	HIP_ERROR("FLushing all SP's\n");
	return err;
}
/**
 * This function stores the LOCATOR parameter into the hadb entry
 * of a connection in question. The whole LOCATOR is stored and
 * handled later as the LOCATOR is received before the connection
 * state has reached ESTABLISHED (UPDATEs are not allowed before
 * the state is ESTABLISHED) and the address verification is
 * handled later during the BEX (after receiving the R2).
 *
 * @param packet_type The packet type of the control message (RFC 5201, 5.3.)
 * @param ha_state The host association state (RFC 5201, 4.4.1.)
 * @param ctx Pointer to the packet context, containing all information for
 *            the packet handling (received message, source and destination
 *            address, the ports and the corresponding entry from the host
 *            association database).
 *
 * @return zero on success, or negative error value on error.
 */
int hip_handle_locator(UNUSED const uint8_t packet_type,
                       UNUSED const uint32_t ha_state,
                       struct hip_packet_context *ctx)
{
    const struct hip_locator *locator = NULL;
    int                       n_addrs = 0, loc_size = 0, err = 0;

    locator = hip_get_param(ctx->input_msg, HIP_PARAM_LOCATOR);
    if (locator) {
        n_addrs  = hip_get_locator_addr_item_count(locator);
        loc_size = sizeof(struct hip_locator) +
                   (n_addrs * sizeof(struct hip_locator_info_addr_item));

        /* this handle function is called during BEX, there should be no
         * locators yet. */
        HIP_ASSERT(!ctx->hadb_entry->locator);

        HIP_IFEL(!(ctx->hadb_entry->locator = malloc(loc_size)),
                 -1, "Malloc for entry->locators failed\n");
        memcpy(ctx->hadb_entry->locator, locator, loc_size);
    } else {
        HIP_DEBUG("R1 did not have locator\n");
    }

out_err:
    return err;
}
Beispiel #18
0
static int hip_sqlite_callback(void *NotUsed, int argc, char **argv, char **azColName) {
        int i;
        for(i=0; i<argc; i++){
                HIP_DEBUG("%s = %s\n", azColName[i], argv[i] ? argv[i] : "NULL");
        }
        return 0;
}
Beispiel #19
0
/*
 * Called from hip_for_each_hi
 */
int run_nsupdate_for_hit (struct hip_host_id_entry *entry, void *opaq)
{
	int start = 0;
	char ip_str[40]; // buffer for one IP address
	char ips_str[1024] = ""; // list of IP addresses
  	hip_list_t *item, *tmp_hip_list_t;
  	int i;
	char hit[INET6_ADDRSTRLEN + 2];

	if (opaq != NULL)
		start = * (int *) opaq;

	HIP_DEBUG("run_nsupdate_for_hit (start=%d)\n", start);

	hip_convert_hit_to_str(&entry->lhi.hit,NULL, hit);

	/* make space-separated list of IP addresses in ips_str */
  	list_for_each_safe(item, tmp_hip_list_t, addresses, i) {
		struct netdev_address *n = list_entry(item);

		if (netdev_address_to_str(n, ip_str, sizeof(ip_str))==NULL)
			HIP_PERROR("netdev_address_to_str");
		else {
			if (ips_str[0]!=0) // not empty
				strncat(ips_str, " ", sizeof(ips_str)-strlen(ips_str));
			strncat(ips_str, ip_str, sizeof(ips_str)-strlen(ips_str));
		}
	}

	run_nsupdate(ips_str, hit, start);

	return 0;
}
Beispiel #20
0
/**
	Quits connection thread. Function agent_exit() should be called before
	calling this.
*/
void connhipd_quit(void)
{
	if (!hip_agent_thread_started) return;
	HIP_DEBUG("Stopping connection thread...\n");
	hip_agent_thread_started = 0;
	pthread_join(connhipd_pthread, NULL);
}
Beispiel #21
0
/**
 * verify_hddr_lib - It sends the dht response to hipdaemon
 * first appending one more user param for holding a structure hdrr_info
 * hdrr_info is used by daemon to mark signature and host id verification results to flags
 * Then adding user header for recognizing the message at daemon side
 * 
 * @param *hipcommonmsg packet returned from the lookup service
 * @param *addrkey key used for the lookup
 * @return OR of the signature and host id verification, 0 in case of success
 */
int verify_hddr_lib (struct hip_common *hipcommonmsg,struct in6_addr *addrkey)
{
	struct hip_hdrr_info hdrr_info;	
	struct hip_hdrr_info *hdrr_info_response; 
	int err = 0 ;
	
	memcpy(&hdrr_info.dht_key, addrkey, sizeof(struct in6_addr));
	hdrr_info.sig_verified = -1;
	hdrr_info.hit_verified = -1;
	hip_build_param_hip_hdrr_info(hipcommonmsg, &hdrr_info);
	_HIP_DUMP_MSG (hipcommonmsg);

	HIP_INFO("Asking signature verification info from daemon...\n");
	HIP_IFEL(hip_build_user_hdr(hipcommonmsg, SO_HIP_VERIFY_DHT_HDRR_RESP,0),-1,
			"Building daemon header failed\n");
	HIP_IFEL(hip_send_recv_daemon_info(hipcommonmsg, 0, 0), 
		 -1, "Send recv daemon info failed\n");
      
	hdrr_info_response = hip_get_param (hipcommonmsg, HIP_PARAM_HDRR_INFO);
	_HIP_DUMP_MSG (hipcommonmsg);
	HIP_DEBUG ("Sig verified (0=true): %d\nHit Verified (0=true): %d \n"
		,hdrr_info_response->sig_verified, hdrr_info_response->hit_verified);
	return (hdrr_info_response->sig_verified | hdrr_info_response->hit_verified);

out_err:
	return err;
}
Beispiel #22
0
/** 
 * opendht_get - Builds XML RPC packet and sends it through given socket and reads the response
 * @param sockfd Socket to be used with the send
 * @param key Key for the openDHT
 * @param value Value to be stored to the openDHT
 * @param host Host address
 * @param response Buffer where the possible error message is saved 
 *
 * @return Returns integer -1 on error, on success 0
 */
int opendht_get(int sockfd, 
                unsigned char * key, 
                unsigned char * host,
                int port)
{
    int key_len = 0;
    char get_packet[HIP_MAX_PACKET];
    char tmp_key[21];

    key_len = opendht_handle_key(key, tmp_key);
    
    /* Get operation */
    memset(get_packet, '\0', sizeof(get_packet));
    if (build_packet_get((unsigned char *)tmp_key,
                         key_len,
                         port,
                         (unsigned char *)host,
                         get_packet) !=0)
        {
            HIP_DEBUG("Get packet creation failed.\n");  
            return(-1);
        }
    
    send(sockfd, get_packet, strlen(get_packet), 0);
    return(0);
}
Beispiel #23
0
/**
 * Send the ip of a peer to hipd, so that it can:
 * - unblock the packets that are sent to a particular peer.
 * - add it to the blacklist database.
 *
 * @param peer_ip	peer ip.
 * @return		nothing
 */
int hip_fw_unblock_and_blacklist(const struct in6_addr *peer_ip){
	struct hip_common *msg = NULL;
	int err = 0;

	HIP_DEBUG("\n");

	HIP_IFE(!(msg = hip_msg_alloc()), -1);

	HIP_IFEL(hip_build_param_contents(msg, (void *)(peer_ip),
					HIP_PARAM_IPV6_ADDR,
					sizeof(struct in6_addr)),
			-1, "build param HIP_PARAM_IPV6_ADDR failed\n");

	/* build the message header */
	HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_OPPTCP_UNBLOCK_AND_BLACKLIST, 0),
		 -1, "build hdr failed\n");
	HIP_DUMP_MSG(msg);

	/* send and receive msg to/from hipd */
	HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock), -1, "send_recv msg failed\n");
	_HIP_DEBUG("send_recv msg succeed\n");
	/* check error value */
	HIP_IFEL(hip_get_msg_err(msg), -1, "Got erroneous message!\n");

out_err:
	return err;
}
Beispiel #24
0
int hip_set_hip_proxy_off(void){
	int err = 0;
	hipproxy = 0;
	HIP_DEBUG("hip_set_hip_proxy_off() invoked.\n");
 out_err:
	return err;
}
Beispiel #25
0
/**
 * No description.
 */
int hip_set_opportunistic_mode(const struct hip_common *msg){
	int err =  0;
	unsigned int *mode = NULL;
	
	mode = hip_get_param_contents(msg, HIP_PARAM_UINT);
	if (!mode) {
		err = -EINVAL;
		goto out_err;
	}
  
	HIP_DEBUG("mode=%d\n", *mode);

	if(*mode == 0 || *mode == 1 || *mode == 2){
		opportunistic_mode = *mode;
	} else {
		HIP_ERROR("Invalid value for opportunistic mode\n");
		err = -EINVAL;
		goto out_err;
	}

	memset(msg, 0, HIP_MAX_PACKET);
	HIP_IFE(hip_build_user_hdr(msg, (opportunistic_mode == 2 ? SO_HIP_SET_OPPTCP_ON : SO_HIP_SET_OPPTCP_OFF),
				   0), -1);
	hip_set_opportunistic_tcp_status(msg);
	
 out_err:
	return err;
}
Beispiel #26
0
int hip_read_user_control_msg(int socket, struct hip_common *hip_msg,
			      struct sockaddr_in6 *saddr)
{
	int err = 0, bytes, hdr_size = sizeof(struct hip_common), total;
	socklen_t len;

	memset(saddr, 0, sizeof(*saddr));

	len = sizeof(*saddr);

	HIP_IFEL(((total = hip_peek_recv_total_len(socket, 0, HIP_DEFAULT_MSG_TIMEOUT)) <= 0), -1,
		 "recv peek failed\n");

	_HIP_DEBUG("msg total length = %d\n", total);

	/** @todo Compiler warning;
	    warning: pointer targets in passing argument 6 of 'recvfrom'
	    differ in signedness. */
	HIP_IFEL(((bytes = recvfrom(socket, hip_msg, total, 0,
				    (struct sockaddr *) saddr,
				    &len)) != total), -1, "recv\n");

	HIP_DEBUG("received user message from local port %d\n",
		   ntohs(saddr->sin6_port));
	_HIP_DEBUG("read_user_control_msg recv len=%d\n", len);
	_HIP_HEXDUMP("recv saddr ", saddr, sizeof(struct sockaddr_un));
	_HIP_DEBUG("read %d bytes succesfully\n", bytes);
 out_err:
	if (bytes < 0 || err)
		HIP_PERROR("perror: ");

	return err;
}
/**
 * Uninitialize the middlebox firewall application.
 * So far, there's nothing to be done.
 *
 * @return 0 on success, negative on error
 */
int signaling_hipfw_feedback_uninit(void)
{
    HIP_DEBUG("Uninit signaling firewall feedback module \n");
    EC_KEY_free(ecdsa_key);
    RSA_free(rsa_key);
    X509_free(mb_cert);
    return 0;
}
Beispiel #28
0
/** checks if a hash is verifiable by a hash chain
 *
 * @param       current_hash the hash value to be verified
 * @param       last_hash the last known hash value
 * @param       hash_func the hash function to be used
 * @param       hash_length length of the hash values
 * @param       tolerance the maximum number of hash calculations
 * @param       secret the potentially incorporated secret
 * @param       secret_length length og the secret
 * @return      hash distance if the hash authentication was successful, 0 otherwise
 */
int hchain_verify(const unsigned char *current_hash,
                  const unsigned char *last_hash,
                  const hash_function hash_func,
                  const int hash_length,
                  const int tolerance,
                  const unsigned char *secret,
                  const int secret_length)
{
    /* stores intermediate hash results and allow to concat
     * with a secret at each step */
    unsigned char buffer[MAX_HASH_LENGTH + secret_length];
    int           err = 0, i;

    HIP_ASSERT(current_hash != NULL && last_hash != NULL);
    HIP_ASSERT(hash_func != NULL);
    HIP_ASSERT(hash_length > 0 && tolerance >= 0);

    // init buffer with the hash we want to verify
    memcpy(buffer, current_hash, hash_length);

    if (secret && secret_length > 0) {
        HIP_HEXDUMP("secret: ", secret, secret_length);
    }

    for (i = 1; i <= tolerance; i++) {
        // add the secret
        if (secret != NULL && secret_length > 0) {
            memcpy(&buffer[hash_length], secret, secret_length);
        }

        hash_func(buffer, hash_length + secret_length, buffer);

        // compare the elements
        if (!(memcmp(buffer, last_hash, hash_length))) {
            HIP_DEBUG("hash verfied\n");

            err = i;
            goto out_err;
        }
    }

    HIP_DEBUG("no matches found within tolerance: %i!\n", tolerance);

out_err:
    return err;
}
/**
 * Print all IP addresses where an update packet should be sent to.
 *
 * @param ha    pointer to a host association
 */
static void hip_print_addresses_to_send_update_request(const struct hip_hadb_state *const ha)
{
    const struct update_state *const localstate = lmod_get_state_item(ha->hip_modular_state, "update");

    HIP_DEBUG("Addresses to send update:\n");
    for (unsigned i = 0; i < localstate->valid_locators; i++) {
        HIP_DEBUG_IN6ADDR("", &localstate->addresses_to_send_echo_request[i]);
    }
}
Beispiel #30
0
/**
 * connhipd_send_hitdata_to_daemon - builds a param containing hits to be
 * sent to the daemon
 * @param *msg packet to be sent to daemon
 * @param *hitr remote hit accepted
 * @param *hitl local hit used
 * @return 0 on success, -1 on error
 */
int connhipd_send_hitdata_to_daemon(struct hip_common * msg , struct in6_addr * hitr, struct in6_addr * hitl)
{
	int err = 0;
	struct hip_uadb_info uadb_info ;
	char hittest[40];
	HIP_DEBUG("Building User Agent DB info message to be sent to daemon.\n");
	memcpy(&uadb_info.hitr,hitr, sizeof(struct in6_addr)) ;
	memcpy(&uadb_info.hitl,hitl, sizeof(struct in6_addr)) ;
	hip_in6_ntop(&uadb_info.hitr, hittest);
    HIP_DEBUG("Value: %s\n", hittest);
	
	memcpy(uadb_info.cert,"certificate\0",sizeof("certificate\0"));
	
	hip_build_param_hip_uadb_info(msg, &uadb_info);
	HIP_DUMP_MSG (msg);
out_err:
	return (err);
}