Beispiel #1
0
int hip_read_user_control_msg(int socket, struct hip_common *hip_msg,
			      struct sockaddr_in6 *saddr)
{
	int err = 0, bytes, hdr_size = sizeof(struct hip_common), total;
	socklen_t len;

	memset(saddr, 0, sizeof(*saddr));

	len = sizeof(*saddr);

	HIP_IFEL(((total = hip_peek_recv_total_len(socket, 0, HIP_DEFAULT_MSG_TIMEOUT)) <= 0), -1,
		 "recv peek failed\n");

	_HIP_DEBUG("msg total length = %d\n", total);

	/** @todo Compiler warning;
	    warning: pointer targets in passing argument 6 of 'recvfrom'
	    differ in signedness. */
	HIP_IFEL(((bytes = recvfrom(socket, hip_msg, total, 0,
				    (struct sockaddr *) saddr,
				    &len)) != total), -1, "recv\n");

	HIP_DEBUG("received user message from local port %d\n",
		   ntohs(saddr->sin6_port));
	_HIP_DEBUG("read_user_control_msg recv len=%d\n", len);
	_HIP_HEXDUMP("recv saddr ", saddr, sizeof(struct sockaddr_un));
	_HIP_DEBUG("read %d bytes succesfully\n", bytes);
 out_err:
	if (bytes < 0 || err)
		HIP_PERROR("perror: ");

	return err;
}
Beispiel #2
0
/** sends a list of all available anchor elements in the BEX store
 * to the hipd
 *
 * @param   hcstore the BEX store
 * @param   use_hash_trees indicates whether hash chains or hash trees are stored
 * @return  0 on success, -1 on error
 */
int send_bex_store_update_to_hipd(struct hchain_store *hcstore,
                                  const int use_hash_trees)
{
    struct hip_common *msg = NULL;
    int                err = 0;

    HIP_ASSERT(hcstore != NULL);

    HIP_DEBUG("sending bex-store update to hipd...\n");

    HIP_IFEL(!(msg = create_bex_store_update_msg(hcstore, use_hash_trees)),
             -1, "failed to create bex store anchors update message\n");

    HIP_DUMP_MSG(msg);

    /* send msg to hipd and receive corresponding reply */
    HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_sock), -1, "send_recv msg failed\n");

    /* check error value */
    HIP_IFEL(hip_get_msg_err(msg), -1, "hipd returned error message!\n");

    HIP_DEBUG("send_recv msg succeeded\n");

out_err:
    free(msg);
    return err;
}
Beispiel #3
0
int hip_setup_hit_sp_pair(hip_hit_t *src_hit, hip_hit_t *dst_hit,
			  struct in6_addr *src_addr,
			  struct in6_addr *dst_addr, u8 proto,
			  int use_full_prefix, int update)
{
	int so, len, err = 0;
	u_int prefs, prefd;
	u8 prefix = (use_full_prefix) ? 128 : HIP_HIT_PREFIX_LEN;
	int cmd = update ? SADB_X_SPDUPDATE : SADB_X_SPDADD;

	HIP_DEBUG("\n");
	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	HIP_DEBUG("Adding a pair of SP\n");

	HIP_IFEBL((hip_pfkey_policy_modify(so, dst_hit, prefix, src_hit, 
					   prefix, src_addr, dst_addr, 
					   proto, cmd, IPSEC_DIR_INBOUND)<0),
		  -1, pfkey_close(so), "ERROR in %s the inbound policy\n", update ? "updating" : "adding");

	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	HIP_IFEBL((hip_pfkey_policy_modify(so, src_hit, prefix, dst_hit, 
					   prefix, dst_addr, src_addr,
					   proto, cmd, IPSEC_DIR_OUTBOUND)<0),
		  -1, pfkey_close(so), "ERROR in %s the outbound policy\n", update ? "updating" : "adding");
	return 0;
out_err:
	return err;
}
Beispiel #4
0
/**
 * verify_hddr_lib - It sends the dht response to hipdaemon
 * first appending one more user param for holding a structure hdrr_info
 * hdrr_info is used by daemon to mark signature and host id verification results to flags
 * Then adding user header for recognizing the message at daemon side
 * 
 * @param *hipcommonmsg packet returned from the lookup service
 * @param *addrkey key used for the lookup
 * @return OR of the signature and host id verification, 0 in case of success
 */
int verify_hddr_lib (struct hip_common *hipcommonmsg,struct in6_addr *addrkey)
{
	struct hip_hdrr_info hdrr_info;	
	struct hip_hdrr_info *hdrr_info_response; 
	int err = 0 ;
	
	memcpy(&hdrr_info.dht_key, addrkey, sizeof(struct in6_addr));
	hdrr_info.sig_verified = -1;
	hdrr_info.hit_verified = -1;
	hip_build_param_hip_hdrr_info(hipcommonmsg, &hdrr_info);
	_HIP_DUMP_MSG (hipcommonmsg);

	HIP_INFO("Asking signature verification info from daemon...\n");
	HIP_IFEL(hip_build_user_hdr(hipcommonmsg, SO_HIP_VERIFY_DHT_HDRR_RESP,0),-1,
			"Building daemon header failed\n");
	HIP_IFEL(hip_send_recv_daemon_info(hipcommonmsg, 0, 0), 
		 -1, "Send recv daemon info failed\n");
      
	hdrr_info_response = hip_get_param (hipcommonmsg, HIP_PARAM_HDRR_INFO);
	_HIP_DUMP_MSG (hipcommonmsg);
	HIP_DEBUG ("Sig verified (0=true): %d\nHit Verified (0=true): %d \n"
		,hdrr_info_response->sig_verified, hdrr_info_response->hit_verified);
	return (hdrr_info_response->sig_verified | hdrr_info_response->hit_verified);

out_err:
	return err;
}
Beispiel #5
0
/**
 * No description.
 */
int hip_query_ip_hit_mapping(struct hip_common *msg){
	int err = 0;
	unsigned int mapping = 0;
	struct in6_addr *hit = NULL;
	hip_ha_t *entry = NULL;
	
	
	hit = (struct in6_addr *) hip_get_param_contents(msg, HIP_PARAM_PSEUDO_HIT);
	HIP_ASSERT(hit_is_opportunistic_hashed_hit(hit));
	
	entry = hip_hadb_try_to_find_by_peer_hit(hit);
	if(entry)
		mapping = 1;
	else 
		mapping = 0;
	
	hip_msg_init(msg);
	HIP_IFEL(hip_build_param_contents(msg, (void *) &mapping,
					  HIP_PARAM_UINT,
					  sizeof(unsigned int)), -1,
		 "build param mapping failed\n");
	
	HIP_IFEL(hip_build_user_hdr(msg,
				    SO_HIP_ANSWER_IP_HIT_MAPPING_QUERY, 0),
		 -1, "build user header failed\n");

 out_err:
	return err;
}
Beispiel #6
0
/**
 * Initialize raw IPv4 sockets for TCP
 *
 * @param firewall_raw_sock_v4 the result will be written here
 *
 * @return zero on success, non-zero on error
 */
static int hip_firewall_init_raw_sock_tcp_v4(int *firewall_raw_sock_v4)
{
    int on  = 1, err = 0;
    int off = 0;

    *firewall_raw_sock_v4 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    HIP_IFEL(*firewall_raw_sock_v4 <= 0, 1, "Raw socket v4 creation failed. Not root?\n");

    /* RECV_ERR is off because it is not handled properly by hipd
     * (message length is -1 and this causes msg reading problems) */
    err = setsockopt(*firewall_raw_sock_v4, IPPROTO_IP,
                     IP_RECVERR, &off, sizeof(on));
    HIP_IFEL(err, -1, "setsockopt v4 recverr failed\n");
    err = setsockopt(*firewall_raw_sock_v4, SOL_SOCKET,
                     SO_BROADCAST, &on, sizeof(on));
    HIP_IFEL(err, -1, "setsockopt v4 failed to set broadcast \n");
    err = setsockopt(*firewall_raw_sock_v4, IPPROTO_IP,
                     IP_PKTINFO, &on, sizeof(on));
    HIP_IFEL(err, -1, "setsockopt v4 pktinfo failed\n");
    err = setsockopt(*firewall_raw_sock_v4, SOL_SOCKET,
                     SO_REUSEADDR, &on, sizeof(on));
    HIP_IFEL(err, -1, "setsockopt v4 reuseaddr failed\n");

out_err:
    return err;
}
/**
 * Handle SEQ parameter in first and second update packet.
 *
 * @param packet_type The packet type of the control message (RFC 5201, 5.3.)
 * @param ha_state The host association state (RFC 5201, 4.4.1.)
 * @param ctx Pointer to the packet context, containing all information for
 *             the packet handling (received message, source and destination
 *             address, the ports and the corresponding entry from the host
 *             association database).
 *
 * @return zero on success, or negative error value on error.
 */
int hip_handle_seq_param(UNUSED const uint8_t packet_type,
                         UNUSED const uint32_t ha_state,
                         struct hip_packet_context *ctx)
{
    const struct hip_seq   *seq         = NULL;
    const enum update_types update_type = hip_classify_update_type(ctx->input_msg);
    struct update_state    *localstate  = NULL;
    int                     err         = 0;

    if (update_type == FIRST_UPDATE_PACKET ||
        update_type == SECOND_UPDATE_PACKET) {
        HIP_IFEL(!(seq = hip_get_param(ctx->input_msg, HIP_PARAM_SEQ)),
                 -1, "SEQ parameter not found\n");

        HIP_IFEL(!(localstate = lmod_get_state_item(ctx->hadb_entry->hip_modular_state,
                                                    "update")),
                 -1, "failed to look up update state\n");

        // progress update sequence to currently processed update
        if (localstate->update_id_in < ntohl(seq->update_id)) {
            localstate->update_id_in = ntohl(seq->update_id);
        }

        HIP_IFEL(hip_build_param_ack(ctx->output_msg, ntohl(seq->update_id)),
                 -1, "Building of ACK parameter failed\n");
    }

out_err:
    return err;
}
static int init_raw_sock_v4(int proto)
{
    int on = 1, off = 0, err = 0;
    int sock;

    sock = socket(AF_INET, SOCK_RAW, proto);
    set_cloexec_flag(sock, 1);
    HIP_IFEL(sock <= 0, 1, "Raw socket v4 creation failed. Not root?\n");

    /* RECV_ERR is off because it is not handled properly by hipd
     * (message length is -1 and this causes msg reading problems) */
    err = setsockopt(sock, IPPROTO_IP, IP_RECVERR, &off, sizeof(on));
    HIP_IFEL(err, -1, "setsockopt v4 recverr failed\n");
    err = setsockopt(sock, SOL_SOCKET, SO_BROADCAST, &on, sizeof(on));
    HIP_IFEL(err, -1, "setsockopt v4 failed to set broadcast \n");
    err = setsockopt(sock, IPPROTO_IP, IP_PKTINFO, &on, sizeof(on));
    HIP_IFEL(err, -1, "setsockopt v4 pktinfo failed\n");
    err = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
    HIP_IFEL(err, -1, "setsockopt v4 reuseaddr failed\n");

    return sock;

out_err:
    return -1;
}
Beispiel #9
0
/**
 * Send the ip of a peer to hipd, so that it can:
 * - unblock the packets that are sent to a particular peer.
 * - add it to the blacklist database.
 *
 * @param peer_ip	peer ip.
 * @return		nothing
 */
int hip_fw_unblock_and_blacklist(const struct in6_addr *peer_ip){
	struct hip_common *msg = NULL;
	int err = 0;

	HIP_DEBUG("\n");

	HIP_IFE(!(msg = hip_msg_alloc()), -1);

	HIP_IFEL(hip_build_param_contents(msg, (void *)(peer_ip),
					HIP_PARAM_IPV6_ADDR,
					sizeof(struct in6_addr)),
			-1, "build param HIP_PARAM_IPV6_ADDR failed\n");

	/* build the message header */
	HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_OPPTCP_UNBLOCK_AND_BLACKLIST, 0),
		 -1, "build hdr failed\n");
	HIP_DUMP_MSG(msg);

	/* send and receive msg to/from hipd */
	HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock), -1, "send_recv msg failed\n");
	_HIP_DEBUG("send_recv msg succeed\n");
	/* check error value */
	HIP_IFEL(hip_get_msg_err(msg), -1, "Got erroneous message!\n");

out_err:
	return err;
}
Beispiel #10
0
/* returns an unused anchor element for the given transform
 *
 * @param transform     the ESP protection extension transform
 * @return              anchor, NULL if empty
 */
unsigned char *anchor_db_get_anchor(const uint8_t transform)
{
    unsigned char *stored_anchor = NULL;
    int            anchor_offset = 0;
    int            err           = 0;

    // ensure correct boundaries
    HIP_ASSERT(transform > 0);

    // get index of last unused anchor for this transform
    HIP_IFEL((anchor_offset = anchor_db.num_anchors[transform] - 1) < 0, -1,
             "anchor_db is empty for this transform\n");

    // ensure correct boundaries
    HIP_ASSERT(anchor_offset >= 0 && anchor_offset < HCSTORE_MAX_HCHAINS_PER_ITEM);
    HIP_IFEL(!(stored_anchor = anchor_db.anchors[transform][anchor_offset]), -1,
             "anchor_offset points to empty slot\n");

    // remove anchor from db
    anchor_db.anchors[transform][anchor_offset] = NULL;
    anchor_offset                               = anchor_db.num_anchors[transform]--;

out_err:
    if (err) {
        free(stored_anchor);
        stored_anchor = NULL;
    }

    return stored_anchor;
}
Beispiel #11
0
int hip_pfkey_policy_modify(int so, hip_hit_t *src_hit, u_int prefs, 
			    hip_hit_t *dst_hit, u_int prefd,
			    struct in6_addr *src_addr, struct in6_addr *dst_addr,
			    u8 proto, int cmd, int direction)
{
	int err = 0;
	struct sockaddr_storage ss_addr, dd_addr, ss_hit, dd_hit;
	struct sockaddr *s_saddr, *s_shit;
	struct sockaddr *d_saddr, *d_shit;
	caddr_t policy = NULL;
	int policylen = 0;
	int len = 0;
	u_int mode;
	HIP_DEBUG("\n");
	// Sanity check
	HIP_IFEL((src_hit == NULL || dst_hit == NULL), -1, "Invalid hit's\n");

	if (src_addr) { // could happen with the delete
		s_saddr = (struct sockaddr*) &ss_addr;
		get_sock_addr_from_in6(s_saddr, src_addr);
	}

	if (dst_addr) { // could happen with the delete
		d_saddr = (struct sockaddr*) &dd_addr;
		get_sock_addr_from_in6(d_saddr, dst_addr);
	}

	s_shit = (struct sockaddr*) &ss_hit;
	get_sock_addr_from_in6(s_shit, src_hit);
	d_shit = (struct sockaddr*) &dd_hit;
	get_sock_addr_from_in6(d_shit, dst_hit);
	if (proto)
		mode = HIP_IPSEC_DEFAULT_MODE;
	else
		mode = IPSEC_MODE_TRANSPORT;

	HIP_IFEL((getsadbpolicy(&policy, &policylen, direction, s_saddr, d_saddr, mode, cmd)<0),
		 -1, "Error in building the policy\n");

	if (cmd == SADB_X_SPDUPDATE) {
		HIP_IFEL((len = pfkey_send_spdupdate(so, s_shit, prefs, d_shit, prefd,
						  proto, policy, policylen, 0)<0), -1,
			 "libipsec failed send_x4 (%s)\n", ipsec_strerror());
	} else if (cmd == SADB_X_SPDADD) {
		HIP_IFEL((len = pfkey_send_spdadd(so, s_shit, prefs, d_shit, prefd,
						  proto, policy, policylen, 0)<0), -1,
			 "libipsec failed send_x4 (%s)\n", ipsec_strerror());
	} else {  // SADB_X_SPDDELETE
		HIP_IFEL((len = pfkey_send_spddelete(so, s_shit, prefs, d_shit, prefd,
						  proto, policy, policylen, 0)<0), -1,
			 "libipsec failed send_x4 (%s)\n", ipsec_strerror());
	}

	return len;
out_err:
	return err;
}
Beispiel #12
0
void hip_delete_sa(u32 spi, struct in6_addr *peer_addr, struct in6_addr *dst_addr,
		   int direction, hip_ha_t *entry)
{
	int so, len, err = 0;
	struct sockaddr_storage ss_addr, dd_addr;
	struct sockaddr *saddr;
	struct sockaddr *daddr;
	in_port_t sport, dport;

	/* @todo: sport and dport should be used! */

	if (direction == HIP_SPI_DIRECTION_OUT)
	{
		sport = entry->local_udp_port;
		dport = entry->peer_udp_port;
		entry->outbound_sa_count--;
		if (entry->outbound_sa_count < 0) {
			HIP_ERROR("Warning: out sa count negative\n");
			entry->outbound_sa_count = 0;
		}
	}
	else
	{
		sport = entry->peer_udp_port;
		dport = entry->local_udp_port;
		entry->inbound_sa_count--;
		if (entry->inbound_sa_count < 0) {
			HIP_ERROR("Warning: in sa count negative\n");
			entry->inbound_sa_count = 0;
		}
	}

	saddr = (struct sockaddr*) &ss_addr;
	daddr = (struct sockaddr*) &dd_addr;

	HIP_DEBUG("\n");
	HIP_DEBUG("spi=0x%x\n", spi);
	HIP_DEBUG_IN6ADDR("peer_addr", peer_addr);
	HIP_DEBUG_IN6ADDR("dst_addr", dst_addr);
	// Sanity check
	HIP_IFEL((!peer_addr || !dst_addr), -1, "Addresses not valid when deleting SA's\n");

	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	get_sock_addr_from_in6(saddr, peer_addr);
	get_sock_addr_from_in6(daddr, dst_addr);

	HIP_IFEBL(((len = pfkey_send_delete(so, SADB_SATYPE_ESP,  HIP_IPSEC_DEFAULT_MODE, saddr, daddr, spi))<0), -1,
		  pfkey_close(so), "ERROR in deleting sa %s", ipsec_strerror());
out_err:
	return;
}
/**
 * Handle ECHO_REQUEST_UNSIGNED parameter.
 *
 * @param packet_type The packet type of the control message (RFC 5201, 5.3.)
 * @param ha_state The host association state (RFC 5201, 4.4.1.)
 * @param ctx Pointer to the packet context, containing all information for
 *             the packet handling (received message, source and destination
 *             address, the ports and the corresponding entry from the host
 *             association database).
 *
 * @return zero on success, or negative error value on error.
 */
int hip_handle_echo_request_param(UNUSED const uint8_t packet_type,
                                  UNUSED const uint32_t ha_state,
                                  struct hip_packet_context *ctx)
{
    const struct hip_echo_request *echo_request = NULL;
    int                            err          = 0;

    if (!(echo_request = hip_get_param(ctx->input_msg,
                                       HIP_PARAM_ECHO_REQUEST))) {
        HIP_DEBUG("no ECHO_REQUEST parameter in UPDATE packet, skipping\n");

        /* This condition is no error! There simply was no request by the peer
         * to add a ECHO_RESPONSE parameter to the outbound message. */
        return 0;
    }

    HIP_DEBUG("echo opaque data len=%d\n",
              hip_get_param_contents_len(echo_request));
    HIP_HEXDUMP("ECHO_REQUEST ",
                (const uint8_t *) echo_request + sizeof(struct hip_tlv_common),
                hip_get_param_contents_len(echo_request));
    HIP_IFEL(hip_build_param_echo(ctx->output_msg,
                                  (const uint8_t *) echo_request + sizeof(struct hip_tlv_common),
                                  hip_get_param_contents_len(echo_request), 0, 0),
             -1, "Building of ECHO_RESPONSE failed\n");

out_err:
    return err;
}
/**
 * This function stores the LOCATOR parameter into the hadb entry
 * of a connection in question. The whole LOCATOR is stored and
 * handled later as the LOCATOR is received before the connection
 * state has reached ESTABLISHED (UPDATEs are not allowed before
 * the state is ESTABLISHED) and the address verification is
 * handled later during the BEX (after receiving the R2).
 *
 * @param packet_type The packet type of the control message (RFC 5201, 5.3.)
 * @param ha_state The host association state (RFC 5201, 4.4.1.)
 * @param ctx Pointer to the packet context, containing all information for
 *            the packet handling (received message, source and destination
 *            address, the ports and the corresponding entry from the host
 *            association database).
 *
 * @return zero on success, or negative error value on error.
 */
int hip_handle_locator(UNUSED const uint8_t packet_type,
                       UNUSED const uint32_t ha_state,
                       struct hip_packet_context *ctx)
{
    const struct hip_locator *locator = NULL;
    int                       n_addrs = 0, loc_size = 0, err = 0;

    locator = hip_get_param(ctx->input_msg, HIP_PARAM_LOCATOR);
    if (locator) {
        n_addrs  = hip_get_locator_addr_item_count(locator);
        loc_size = sizeof(struct hip_locator) +
                   (n_addrs * sizeof(struct hip_locator_info_addr_item));

        /* this handle function is called during BEX, there should be no
         * locators yet. */
        HIP_ASSERT(!ctx->hadb_entry->locator);

        HIP_IFEL(!(ctx->hadb_entry->locator = malloc(loc_size)),
                 -1, "Malloc for entry->locators failed\n");
        memcpy(ctx->hadb_entry->locator, locator, loc_size);
    } else {
        HIP_DEBUG("R1 did not have locator\n");
    }

out_err:
    return err;
}
Beispiel #15
0
/**
 * tell firewall to turn on or off the ESP relay mode
 *
 * @param action HIP_MSG_OFFER_FULLRELAY or HIP_MSG_CANCEL_FULLRELAY
 *
 * @return zero on success or negative on failure
 */
int hip_firewall_set_esp_relay(int action)
{
    struct hip_common *msg = NULL;
    int                err = 0;
    int                sent;

    HIP_DEBUG("Setting ESP relay to %d\n", action);
    if (!(msg = hip_msg_alloc())) {
        return -ENOMEM;
    }
    HIP_IFEL(hip_build_user_hdr(msg,
                                action ? HIP_MSG_OFFER_FULLRELAY : HIP_MSG_CANCEL_FULLRELAY, 0),
             -1, "Build header failed\n");

    sent = hip_sendto_firewall(msg);
    if (sent < 0) {
        HIP_PERROR("Send to firewall failed: ");
        err = -1;
        goto out_err;
    }
    HIP_DEBUG("Sent %d bytes to firewall.\n", sent);

out_err:
    free(msg);
    return err;
}
Beispiel #16
0
/**
 * No description.
 */
int hip_query_opportunistic_mode(struct hip_common *msg){
	int err = 0;
	unsigned int opp_mode = opportunistic_mode;
	
	hip_msg_init(msg);
	
	HIP_IFEL(hip_build_param_contents(msg, (void *) &opp_mode,
					  HIP_PARAM_UINT,
					  sizeof(unsigned int)), -1,
		 "build param opp_mode failed\n");
	
	HIP_IFEL(hip_build_user_hdr(msg,
				    SO_HIP_ANSWER_OPPORTUNISTIC_MODE_QUERY, 0),
		 -1, "build user header failed\n");
	
 out_err:
  return err;
}
Beispiel #17
0
/**
 * hip_keymat_draw_and_copy - draw keying material and copy it to the given buffer
 * @param dst destination buffer
 * @param keymat pointer to the keymat structure which contains information
 *          about the actual
 * @param length size of keymat structure
 *
 * @return pointer the next point where one can draw the next keymaterial
 */
int hip_keymat_draw_and_copy(char *dst,
			     struct hip_keymat_keymat *keymat, 
			     int len){
	int err  = 0;
	void *p = hip_keymat_draw(keymat, len);
	HIP_IFEL(!p, -EINVAL, "Could not draw from keymat\n");
	memcpy(dst, p, len);
out_err:
	return err;
}
Beispiel #18
0
/**
 * Periodic maintenance.
 *
 * @return zero on success or negative on failure
 */
int hip_periodic_maintenance(void)
{
    int err = 0;

    if (hipd_get_state() == HIPD_STATE_CLOSING) {
        if (force_exit_counter > 0) {
            err = hip_count_open_connections();
            if (err < 1) {
                hipd_set_state(HIPD_STATE_CLOSED);
            }
        } else {
            hip_exit();
            exit(EXIT_SUCCESS);
        }
        force_exit_counter--;
    }

    /* If some HAs are still remaining after certain grace period
     * in closing or closed state, delete them */
    hip_for_each_ha(hip_purge_closing_ha, NULL);

    if (retrans_counter < 0) {
        HIP_IFEL(hip_scan_retransmissions(), -1,
                 "retransmission scan failed\n");
        retrans_counter = HIP_RETRANSMIT_INIT;
    } else {
        retrans_counter--;
    }

    if (precreate_counter < 0) {
        HIP_IFEL(hip_recreate_all_precreated_r1_packets(), -1,
                 "Failed to recreate puzzles\n");
        precreate_counter = HIP_R1_PRECREATE_INIT;
    } else {
        precreate_counter--;
    }

    hip_run_maint_functions();

out_err:

    return err;
}
Beispiel #19
0
/**
	Initialize connection to hip daemon.

	@return 0 on success, -1 on errors.
*/
int connhipd_init_sock(void)
{
	int err = 0;
	struct sockaddr_in6 agent_addr;

	hip_agent_sock = socket(AF_INET6, SOCK_DGRAM, 0);
	HIP_IFEL(hip_agent_sock < 0, -1, "Failed to create socket.\n");

	memset(&agent_addr, 0, sizeof(agent_addr));
        agent_addr.sin6_family = AF_INET6;
        agent_addr.sin6_addr = in6addr_loopback;
	agent_addr.sin6_port = htons(HIP_AGENT_PORT);

	HIP_IFEL(hip_daemon_bind_socket(hip_agent_sock, &agent_addr), -1,
		 "bind failed\n");

	HIP_IFEL(hip_daemon_connect(hip_agent_sock), -1, "connect");

  out_err:
	return err;
}
Beispiel #20
0
int main(int argc, char *argv[]) {
        int err = 0, i = 0;
        sqlite3 * db = NULL;
        char dbpath[] = "/tmp/hip_sqltest.db";
        char table_sql[] = "CREATE TABLE test (num INTEGER, value VARCHAR(128));";
        char insert_sql[256];
        char delete_sql[] = "DELETE FROM test WHERE num = 3;";
        char select_sql[] = "SELECT * FROM test;";
        
        db = hip_sqlite_open_db(dbpath, table_sql);
        HIP_IFEL((db == NULL), -1, "Failed to open/create the database\n");
        for(i = 1; i < 10; i++) {
                memset(insert_sql, '\0', sizeof(insert_sql));
                sprintf(insert_sql, "INSERT INTO test VALUES(%d, "
                        "'Hi to you. #%d times said');", i,i); 
                HIP_IFEL(hip_sqlite_insert_into_table(db, insert_sql),
                         -1, "Failed to execute insert into query\n"); 
        }
        HIP_IFEL(hip_sqlite_select(db, select_sql, hip_sqlite_callback), -1,
                 "Failed to execute select query on the db\n");
        HIP_DEBUG("Removing row where num is 3\n");
        HIP_IFEL(hip_sqlite_delete_from_table(db, delete_sql),
                         -1, "Failed to execute delete query\n"); 
        HIP_IFEL(hip_sqlite_select(db, select_sql, hip_sqlite_callback), -1,
                 "Failed to execute select query on the db\n");
        HIP_DEBUG("Did the num 3 disappear?\n");
        HIP_IFEL(hip_sqlite_close_db(db), -1, "Failed to close the db\n");
       
 out_err:
        return(err);
}
Beispiel #21
0
int hip_flush_all_sa()
{
	int so, len, err = 0;
	HIP_DEBUG("\n");
	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	HIP_DEBUG("Flushing all SA's\n");
	HIP_IFEBL(((len = pfkey_send_flush(so, SADB_SATYPE_ESP))<0), -1,
		   pfkey_close(so), "ERROR in flushing policies %s\n", ipsec_strerror());
	return len;
out_err:
	return err;
}
/**
 * Add SEQ parameter to second update packet.
 *
 * @param packet_type The packet type of the control message (RFC 5201, 5.3.)
 * @param ha_state The host association state (RFC 5201, 4.4.1.)
 * @param ctx Pointer to the packet context, containing all information for
 *             the packet handling (received message, source and destination
 *             address, the ports and the corresponding entry from the host
 *             association database).
 *
 * @return zero on success, or negative error value on error.
 */
int hip_add_seq_param(UNUSED const uint8_t packet_type,
                      UNUSED const uint32_t ha_state,
                      struct hip_packet_context *ctx)
{
    struct update_state *localstate = NULL;
    int                  err        = 0;

    if (hip_classify_update_type(ctx->input_msg) == FIRST_UPDATE_PACKET) {
        HIP_IFEL(!(localstate = lmod_get_state_item(ctx->hadb_entry->hip_modular_state,
                                                    "update")),
                 -1, "failed to look up update state\n");
        localstate->update_id_out++;
        HIP_DEBUG("outgoing UPDATE ID=%u\n", hip_update_get_out_id(localstate));
        HIP_IFEL(hip_build_param_seq(ctx->output_msg,
                                     hip_update_get_out_id(localstate)),
                 -1,
                 "Building of SEQ parameter failed\n");
    }

out_err:
    return err;
}
Beispiel #23
0
Datei: lsi.c Projekt: surki/hipl
hip_lsi_t *hip_fw_get_default_lsi() {
        int err = 0;
        struct hip_common *msg = NULL;
        struct hip_tlv_common *param;

	/* Use cached LSI if possible */
	if (local_lsi.s_addr != 0) {
		//memcpy(lsi, &local_lsi, sizeof(*lsi));
		return &local_lsi;
		goto out_err;
	}

	/* Query hipd for the LSI */
       
        HIP_IFE(!(msg = hip_msg_alloc()), -1);

	HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_DEFAULT_HIT, 0),
		 -1, "build hdr failed\n");
        
	/* send and receive msg to/from hipd */
	HIP_IFEL(hip_send_recv_daemon_info(msg, 0, hip_fw_sock), -1, "send_recv msg failed\n");
	HIP_DEBUG("send_recv msg succeed\n");
	/* check error value */
	HIP_IFEL(hip_get_msg_err(msg), -1, "Got erroneous message!\n");

	HIP_IFEL(!(param = hip_get_param(msg, HIP_PARAM_LSI)), -1,
		 "Did not find LSI\n");
	memcpy(&local_lsi, hip_get_param_contents_direct(param),
	       sizeof(local_lsi));
	//memcpy(lsi, &local_lsi, sizeof(*lsi));

out_err:
        if(msg)
                HIP_FREE(msg);
        if (err)
		return NULL;
	else
		return &local_lsi;
}
Beispiel #24
0
/**
 * Initialize an ICMP raw socket
 *
 * @param firewall_raw_sock_v6 the raw socket is written into this pointer
 *
 * @return zero on success, non-zero on error
 */
static int hip_firewall_init_raw_sock_icmp_outbound(int *firewall_raw_sock_v6)
{
    int on = 1, off = 0, err = 0;

    *firewall_raw_sock_v6 = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMP);
    HIP_IFEL(*firewall_raw_sock_v6 <= 0, 1, "Raw socket creation failed. Not root?\n");

    /* RECV_ERR is off because it is not handled properly by hipd
     * (message length is -1 and this causes msg reading problems) */
    err = setsockopt(*firewall_raw_sock_v6, IPPROTO_IPV6,
                     IPV6_RECVERR, &off, sizeof(on));
    HIP_IFEL(err, -1, "setsockopt recverr failed\n");
    err = setsockopt(*firewall_raw_sock_v6, IPPROTO_IPV6,
                     IPV6_2292PKTINFO, &on, sizeof(on));
    HIP_IFEL(err, -1, "setsockopt pktinfo failiped\n");
    err = setsockopt(*firewall_raw_sock_v6, SOL_SOCKET,
                     SO_REUSEADDR, &on, sizeof(on));
    HIP_IFEL(err, -1, "setsockopt v6 reuseaddr failed\n");

out_err:
    return err;
}
Beispiel #25
0
/**
 * Update firewall on host association state. Currently used by the
 * LSI mode in the firewall.
 *
 * @param action HIP_MSG_FW_UPDATE_DB or HIP_MSG_FW_BEX_DONE
 * @param hit_s optional source HIT
 * @param hit_r optional destination HIT
 *
 * @return zero on success or negative on failure
 */
int hip_firewall_set_bex_data(int action, struct in6_addr *hit_s, struct in6_addr *hit_r)
{
    struct hip_common *msg = NULL;
    int                err = 0, n = 0, r_is_our;

    if (!hip_get_firewall_status()) {
        goto out_err;
    }

    /* Makes sure that the hits are sent always in the same order */
    r_is_our = hip_hidb_hit_is_our(hit_r);

    HIP_IFEL(!(msg = malloc(HIP_MAX_PACKET)), -1, "alloc\n");
    hip_msg_init(msg);
    HIP_IFEL(hip_build_user_hdr(msg, action, 0), -1,
             "Build hdr failed\n");

    HIP_IFEL(hip_build_param_contents(msg,
                                      r_is_our ? hit_s : hit_r, HIP_PARAM_HIT,
                                      sizeof(struct in6_addr)), -1, "build param contents failed\n");
    HIP_IFEL(hip_build_param_contents(msg,
                                      r_is_our ? hit_r : hit_s, HIP_PARAM_HIT,
                                      sizeof(struct in6_addr)), -1, "build param contents failed\n");

    n = sendto(hip_firewall_sock_lsi_fd,
               (char *) msg,
               hip_get_msg_total_len(msg),
               0,
               (struct sockaddr *) &hip_firewall_addr,
               sizeof(struct sockaddr_in6));

    HIP_IFEL(n < 0, -1, "Send to firewall failed. str errno %s\n", strerror(errno));

    HIP_DEBUG("BEX DATA Send to firewall OK.\n");

out_err:
    free(msg);
    return err;
}
Beispiel #26
0
void hip_delete_hit_sp_pair(hip_hit_t *src_hit, hip_hit_t *dst_hit, u8 proto,
			    int use_full_prefix)
{
	int so, len, err = 0;
	u8 prefix = (use_full_prefix) ? 128 : HIP_HIT_PREFIX_LEN;

	HIP_DEBUG("\n");
	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	HIP_IFEBL((hip_pfkey_policy_modify(so, dst_hit, prefix, src_hit, 
					   prefix, NULL, NULL, 
					   proto, SADB_X_SPDDELETE, IPSEC_DIR_INBOUND)<0),
		  -1, pfkey_close(so), "ERROR in deleting the inbound policy\n");

	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	HIP_IFEBL((hip_pfkey_policy_modify(so, src_hit, prefix, dst_hit, 
					   prefix, NULL, NULL,
					   proto, SADB_X_SPDDELETE, IPSEC_DIR_OUTBOUND)<0),
		  -1, pfkey_close(so), "ERROR in deleting the outbound policy\n");
out_err:
	return;
}
Beispiel #27
0
Datei: lsi.c Projekt: surki/hipl
/*
 * similar to the hip_request_peer_hit_from_hipd(...) function
 * 
 */
int hip_request_peer_hit_from_hipd_at_firewall(
			const struct in6_addr *peer_ip,
	         	struct in6_addr       *peer_hit,
			const struct in6_addr *local_hit,
			in_port_t             *src_tcp_port,
			in_port_t             *dst_tcp_port,
			int                   *fallback,
			int                   *reject){
	struct hip_common *msg = NULL;
	struct in6_addr *hit_recv = NULL;
	hip_hit_t *ptr = NULL;
	int err = 0;
	int ret = 0;

	*fallback = 1;
	*reject = 0;

	HIP_IFE(!(msg = hip_msg_alloc()), -1);

	HIP_IFEL(hip_build_param_contents(msg, (void *)(local_hit),
					  HIP_PARAM_HIT_LOCAL,
					  sizeof(struct in6_addr)),
			-1, "build param HIP_PARAM_HIT  failed\n");

	if (hip_opptcp) {
		HIP_IFEL(hip_build_param_contents(msg, (void *)(src_tcp_port),
						  HIP_PARAM_SRC_TCP_PORT,
						  sizeof(in_port_t)),
			 -1, "build param HIP_PARAM_SRC_TCP_PORT failed\n");
		
		HIP_IFEL(hip_build_param_contents(msg, (void *)(dst_tcp_port),
						  HIP_PARAM_DST_TCP_PORT,
						  sizeof(in_port_t)),
			 -1, "build param HIP_PARAM_DST_TCP_PORT failed\n");
	}

	HIP_IFEL(hip_build_param_contents(msg, (void *)(peer_ip),
					  HIP_PARAM_IPV6_ADDR_PEER,
					  sizeof(struct in6_addr)),
			-1, "build param HIP_PARAM_IPV6_ADDR failed\n");

	/* build the message header */
	HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_GET_PEER_HIT, 0),
		 -1, "build hdr failed\n");

	/* this message has to be delivered with the async socket because
	   opportunistic mode responds asynchronously */
	HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock),
		 -1, "send msg failed\n");

	_HIP_DEBUG("send_recv msg succeed\n");

 out_err:
	if(msg)
		free(msg);
	return err;
}
Beispiel #28
0
int hip_send_recv_daemon_info(struct hip_common *msg, int send_only, int opt_socket) {
	int hip_user_sock = 0, err = 0, n, len;
	struct sockaddr_in6 addr;

	if (!send_only)
		return hip_send_recv_daemon_info_internal(msg, opt_socket);

	if (opt_socket) {
		hip_user_sock = opt_socket;
	} else {
		HIP_IFE(((hip_user_sock = socket(AF_INET6, SOCK_DGRAM, 0)) < 0), -1);
		memset(&addr, 0, sizeof(addr));
		addr.sin6_family = AF_INET6;
		addr.sin6_addr = in6addr_loopback;
		
		HIP_IFEL(hip_daemon_bind_socket(hip_user_sock,
						(struct sockaddr *) &addr), -1,
			 "bind failed\n");
		HIP_IFEL(hip_daemon_connect(hip_user_sock), -1,
			 "connect failed\n");
	}

	len = hip_get_msg_total_len(msg);
	n = send(hip_user_sock, msg, len, 0);

	if (n < len) {
		HIP_ERROR("Could not send message to daemon.\n");
		err = -1;
		goto out_err;
	}

 out_err:
	if (!opt_socket && hip_user_sock)
		close(hip_user_sock);

	return err;
}
Beispiel #29
0
int hip_flush_all_policy()
{
	int so, len, err = 0;
	HIP_DEBUG("\n");
	HIP_IFEL(((so = pfkey_open()) < 0), -1, "ERROR in opening pfkey socket: %s\n", ipsec_strerror());

	HIP_DEBUG("FLushing all SP's\n");
	HIP_IFEBL(((len = pfkey_send_spdflush(so))<0), -1, 
		  pfkey_close(so), "ERROR in flushing policies %s\n", ipsec_strerror());
	HIP_DEBUG("FLushing all SP's was successful\n");
	return len;
out_err:
	HIP_ERROR("FLushing all SP's\n");
	return err;
}
Beispiel #30
0
/**
 * Send the necessary data to hipd, so that a tcp packet is sent from there. This was done because it was not possible to send a packet directly from here.
 * 
 * @param *hdr		pointer to the packet that is to be sent.
 * @param packet_size	the size of the packet.
 * @param ip_version	ipv4 or ipv6.
 * @param addHit	whether the local HIT is to be added at the tcp options
 * @param addOption	whether the i1 option is to be added at the tcp options
 * @return		nothing
 */
int hip_request_send_tcp_packet(void *hdr,
				int   packet_size,
				int   ip_version,
				int   addHit,
				int   addOption){
	const struct hip_common *msg = NULL;
	int err = 0;
	
	HIP_DEBUG("\n");

	HIP_IFE(!(msg = hip_msg_alloc()), -1);

	HIP_IFEL(hip_build_param_contents(msg, (void *)hdr,
					  HIP_PARAM_IP_HEADER,
					  packet_size),
		-1, "build param HIP_PARAM_IP_HEADER failed\n");
	
	HIP_IFEL(hip_build_param_contents(msg, (int *)(&packet_size),
					  HIP_PARAM_PACKET_SIZE,
					  sizeof(int)),
		-1, "build param HIP_PARAM_PACKET_SIZE failed\n");

	HIP_IFEL(hip_build_param_contents(msg, (int *)(&ip_version),
					  HIP_PARAM_TRAFFIC_TYPE,
					  sizeof(int)),
		-1, "build param HIP_PARAM_TRAFFIC_TYPE failed\n");

	HIP_IFEL(hip_build_param_contents(msg, (int *)(&addHit),
					  HIP_PARAM_ADD_HIT,
					  sizeof(int)),
		-1, "build param HIP_PARAM_ADD_HIT failed\n");

	HIP_IFEL(hip_build_param_contents(msg, (int *)(&addOption),
					  HIP_PARAM_ADD_OPTION,
					  sizeof(int)),
		-1, "build param HIP_PARAM_ADD_OPTION failed\n");

	/* build the message header */
	HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_OPPTCP_SEND_TCP_PACKET, 0),
		-1, "build hdr failed\n");
	HIP_DUMP_MSG(msg);
	/* send and receive msg to/from hipd */
	HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock), -1, "send_recv msg failed\n");
	_HIP_DEBUG("send_recv msg succeed\n");
	/* check error value */
	//HIP_IFEL(hip_get_msg_err(msg), -1, "Got erroneous message!\n");

 out_err:
	return err;
}