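/*
 * Finish a repository build: optionally sign the catalogue and pack it
 * into "<path>/repo" (TXZ).
 *
 * path          directory holding repo.sqlite; the archive is written to
 *               "<path>/repo" and repo.sqlite is unlinked afterwards.
 * password_cb   PEM passphrase callback handed to load_rsa_private_key().
 * rsa_key_path  RSA private key used to sign the catalogue, or NULL to
 *               produce an unsigned repository.
 *
 * Returns EPKG_OK, or EPKG_FATAL when the key cannot be read or loaded,
 * the signature buffer cannot be allocated, or RSA_sign() fails.
 *
 * The signature is computed before the archive is opened so that every
 * failure path leaves no half-written "<path>/repo" and no leaked packing
 * handle; the archive entry order ("signature" first, then "repo.sqlite")
 * is unchanged.
 */
int
pkg_finish_repo(char *path, pem_password_cb *password_cb, char *rsa_key_path)
{
	char repo_path[MAXPATHLEN + 1];
	char repo_archive[MAXPATHLEN + 1];
	struct packing *pack;
	int max_len = 0;
	unsigned char *sigret = NULL;
	int siglen = 0;
	RSA *rsa = NULL;
	char sha256[SHA256_DIGEST_LENGTH * 2 + 1];
	int ret = EPKG_FATAL;

	snprintf(repo_path, sizeof(repo_path), "%s/repo.sqlite", path);
	snprintf(repo_archive, sizeof(repo_archive), "%s/repo", path);

	if (rsa_key_path != NULL) {
		if (access(rsa_key_path, R_OK) == -1) {
			pkg_emit_errno("access", rsa_key_path);
			return (EPKG_FATAL);
		}

		SSL_load_error_strings();
		OpenSSL_add_all_algorithms();
		OpenSSL_add_all_ciphers();

		rsa = load_rsa_private_key(rsa_key_path, password_cb);
		if (rsa == NULL) {
			/* RSA_size(NULL) would dereference NULL */
			pkg_emit_error("%s: %lu", rsa_key_path, ERR_get_error());
			goto cleanup;
		}
		max_len = RSA_size(rsa);

		/*
		 * One byte more than the signature is appended below
		 * (siglen + 1).  RSA_sign() fills exactly RSA_size() bytes, so
		 * that trailing byte must be zeroed too; calloc() covers the
		 * whole buffer, whereas malloc()+memset(max_len) left it
		 * uninitialised.
		 */
		sigret = calloc(max_len + 1, 1);
		if (sigret == NULL) {
			pkg_emit_errno("calloc", "signature buffer");
			goto cleanup;
		}

		/* NOTE(review): sha256_file()'s result is not checked here;
		 * its error convention is not visible in this file. */
		sha256_file(repo_path, sha256);

		/*
		 * The hex digest string (including its NUL terminator, via
		 * sizeof) is what gets signed, under NID_sha1.  This is the
		 * on-disk signature format existing verifiers expect; do not
		 * "correct" it without a matching change on the verify side.
		 */
		if (RSA_sign(NID_sha1, (const unsigned char *)sha256,
		    sizeof(sha256), sigret, &siglen, rsa) == 0) {
			/* XXX pass back RSA errors correctly */
			pkg_emit_error("%s: %lu", rsa_key_path, ERR_get_error());
			goto cleanup;
		}
	}

	packing_init(&pack, repo_archive, TXZ);
	if (sigret != NULL) {
		/* siglen + 1: the zeroed trailing byte is part of the entry */
		packing_append_buffer(pack, sigret, "signature", siglen + 1);
	}
	packing_append_file(pack, repo_path, "repo.sqlite");
	unlink(repo_path);
	packing_finish(pack);
	ret = EPKG_OK;

cleanup:
	free(sigret);
	if (rsa != NULL) {
		RSA_free(rsa);
	}
	if (rsa_key_path != NULL) {
		/* pairs with SSL_load_error_strings() above */
		ERR_free_strings();
	}
	return (ret);
}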
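/**
 * Initialize the middlebox feedback part of the firewall: load the
 * middlebox host identity and certificate, open the raw UDP output socket
 * and the netlink routing socket, and remove stale HIPFW-OUTPUT rules.
 *
 * @param key_file   path to the middlebox private key. It is loaded as an
 *                   ECDSA or RSA key depending on the compile-time
 *                   HIP_DEFAULT_HIPFW_ALGO and converted into our_hit.
 * @param cert_file  path to the middlebox X.509 certificate; the result is
 *                   stored in mb_cert.
 *
 * @return           0 on success, 1 if the netlink routing socket could not
 *                   be opened. Failures while loading the key, deriving the
 *                   HIT, loading the certificate or opening the raw output
 *                   socket are only logged, not reported via the return value.
 */
int signaling_hipfw_feedback_init(const char *key_file, const char *cert_file)
{
    int err = 0;

    /* Load the host identity.  The loaders' and hip_any_key_to_hit()'s
     * return values are not checked, so the "Successfully Loaded" message
     * below is printed even when loading failed.  NOTE(review): propagate
     * those results once their error conventions are confirmed.  If
     * HIP_DEFAULT_HIPFW_ALGO is neither value, no key is loaded at all. */
    if (HIP_DEFAULT_HIPFW_ALGO == HIP_HI_ECDSA) {
        load_ecdsa_private_key(key_file, &ecdsa_key);
        hip_any_key_to_hit(ecdsa_key, &our_hit, 0, HIP_HI_ECDSA);
    } else if (HIP_DEFAULT_HIPFW_ALGO == HIP_HI_RSA) {
        load_rsa_private_key(key_file, &rsa_key);
        hip_any_key_to_hit(rsa_key, &our_hit, 0, HIP_HI_RSA);
    }
    HIP_DEBUG("Successfully Loaded the MiddleBox key.\n");
    HIP_INFO_HIT("Our hit: ", &our_hit);

    mb_cert = load_x509_certificate(cert_file);
    if (mb_cert == NULL) {
        /* Presumably NULL means the certificate could not be loaded; log it
         * here so a later failure in the signing path is traceable. */
        HIP_ERROR("Failed to load the MiddleBox certificate from %s\n",
                  cert_file != NULL ? cert_file : "(null)");
    }

    /* Sockets (best effort: a failed raw socket is only logged) */
    hipfw_nat_sock_output_udp = init_raw_sock_v4(IPPROTO_UDP);
    if (hipfw_nat_sock_output_udp > 0) {
        HIP_DEBUG("Successfully initialized nat output socket. \n");
    } else {
        HIP_DEBUG("Failed to bind output socket. \n");
    }

    /* NOTE(review): this mask mixes RTMGRP_* multicast-group bits with the
     * IPPROTO_IPV6 / IPPROTO_IP protocol numbers.  It is kept as-is because
     * changing it alters which netlink groups are joined — confirm intent. */
    if (rtnl_open_byproto(&hipfw_nl_route,
                          RTMGRP_LINK | RTMGRP_IPV6_IFADDR | IPPROTO_IPV6
                          | RTMGRP_IPV4_IFADDR | IPPROTO_IP,
                          NETLINK_ROUTE) < 0) {
        /* The raw output socket opened above is left open on this path. */
        err = 1;
        HIP_ERROR("Routing socket error: %s\n", strerror(errno));
        goto out_err;
    }
    HIP_DEBUG("Successfully opened netlink socket \n");

    /* Flush leftover ip table rules so we do not catch our own notify.
     * Deleting rule 1 twice removes up to two stale entries; the command is
     * a fixed literal, no external input is interpolated. */
    system_print("iptables -D HIPFW-OUTPUT 1");
    system_print("iptables -D HIPFW-OUTPUT 1");

out_err:
    return err;
}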