/**
* tell firewall to turn on or off the ESP relay mode
*
* @param action HIP_MSG_OFFER_FULLRELAY or HIP_MSG_CANCEL_FULLRELAY
*
* @return zero on success or negative on failure
*/
int hip_firewall_set_esp_relay(int action)
{
struct hip_common *msg = NULL;
int err = 0;
int sent;
HIP_DEBUG("Setting ESP relay to %d\n", action);
if (!(msg = hip_msg_alloc())) {
return -ENOMEM;
}
HIP_IFEL(hip_build_user_hdr(msg,
action ? HIP_MSG_OFFER_FULLRELAY : HIP_MSG_CANCEL_FULLRELAY, 0),
-1, "Build header failed\n");
sent = hip_sendto_firewall(msg);
if (sent < 0) {
HIP_PERROR("Send to firewall failed: ");
err = -1;
goto out_err;
}
HIP_DEBUG("Sent %d bytes to firewall.\n", sent);
out_err:
free(msg);
return err;
}
/**
* Send the ip of a peer to hipd, so that it can:
* - unblock the packets that are sent to a particular peer.
* - add it to the blacklist database.
*
* @param peer_ip peer ip.
* @return nothing
*/
int hip_fw_unblock_and_blacklist(const struct in6_addr *peer_ip){
struct hip_common *msg = NULL;
int err = 0;
HIP_DEBUG("\n");
HIP_IFE(!(msg = hip_msg_alloc()), -1);
HIP_IFEL(hip_build_param_contents(msg, (void *)(peer_ip),
HIP_PARAM_IPV6_ADDR,
sizeof(struct in6_addr)),
-1, "build param HIP_PARAM_IPV6_ADDR failed\n");
/* build the message header */
HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_OPPTCP_UNBLOCK_AND_BLACKLIST, 0),
-1, "build hdr failed\n");
HIP_DUMP_MSG(msg);
/* send and receive msg to/from hipd */
HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock), -1, "send_recv msg failed\n");
_HIP_DEBUG("send_recv msg succeed\n");
/* check error value */
HIP_IFEL(hip_get_msg_err(msg), -1, "Got erroneous message!\n");
out_err:
return err;
}
/*
* similar to the hip_request_peer_hit_from_hipd(...) function
*
*/
int hip_request_peer_hit_from_hipd_at_firewall(
const struct in6_addr *peer_ip,
struct in6_addr *peer_hit,
const struct in6_addr *local_hit,
in_port_t *src_tcp_port,
in_port_t *dst_tcp_port,
int *fallback,
int *reject){
struct hip_common *msg = NULL;
struct in6_addr *hit_recv = NULL;
hip_hit_t *ptr = NULL;
int err = 0;
int ret = 0;
*fallback = 1;
*reject = 0;
HIP_IFE(!(msg = hip_msg_alloc()), -1);
HIP_IFEL(hip_build_param_contents(msg, (void *)(local_hit),
HIP_PARAM_HIT_LOCAL,
sizeof(struct in6_addr)),
-1, "build param HIP_PARAM_HIT failed\n");
if (hip_opptcp) {
HIP_IFEL(hip_build_param_contents(msg, (void *)(src_tcp_port),
HIP_PARAM_SRC_TCP_PORT,
sizeof(in_port_t)),
-1, "build param HIP_PARAM_SRC_TCP_PORT failed\n");
HIP_IFEL(hip_build_param_contents(msg, (void *)(dst_tcp_port),
HIP_PARAM_DST_TCP_PORT,
sizeof(in_port_t)),
-1, "build param HIP_PARAM_DST_TCP_PORT failed\n");
}
HIP_IFEL(hip_build_param_contents(msg, (void *)(peer_ip),
HIP_PARAM_IPV6_ADDR_PEER,
sizeof(struct in6_addr)),
-1, "build param HIP_PARAM_IPV6_ADDR failed\n");
/* build the message header */
HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_GET_PEER_HIT, 0),
-1, "build hdr failed\n");
/* this message has to be delivered with the async socket because
opportunistic mode responds asynchronously */
HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock),
-1, "send msg failed\n");
_HIP_DEBUG("send_recv msg succeed\n");
out_err:
if(msg)
free(msg);
return err;
}
/**
* Send the necessary data to hipd, so that a tcp packet is sent from there. This was done because it was not possible to send a packet directly from here.
*
* @param *hdr pointer to the packet that is to be sent.
* @param packet_size the size of the packet.
* @param ip_version ipv4 or ipv6.
* @param addHit whether the local HIT is to be added at the tcp options
* @param addOption whether the i1 option is to be added at the tcp options
* @return nothing
*/
int hip_request_send_tcp_packet(void *hdr,
int packet_size,
int ip_version,
int addHit,
int addOption){
const struct hip_common *msg = NULL;
int err = 0;
HIP_DEBUG("\n");
HIP_IFE(!(msg = hip_msg_alloc()), -1);
HIP_IFEL(hip_build_param_contents(msg, (void *)hdr,
HIP_PARAM_IP_HEADER,
packet_size),
-1, "build param HIP_PARAM_IP_HEADER failed\n");
HIP_IFEL(hip_build_param_contents(msg, (int *)(&packet_size),
HIP_PARAM_PACKET_SIZE,
sizeof(int)),
-1, "build param HIP_PARAM_PACKET_SIZE failed\n");
HIP_IFEL(hip_build_param_contents(msg, (int *)(&ip_version),
HIP_PARAM_TRAFFIC_TYPE,
sizeof(int)),
-1, "build param HIP_PARAM_TRAFFIC_TYPE failed\n");
HIP_IFEL(hip_build_param_contents(msg, (int *)(&addHit),
HIP_PARAM_ADD_HIT,
sizeof(int)),
-1, "build param HIP_PARAM_ADD_HIT failed\n");
HIP_IFEL(hip_build_param_contents(msg, (int *)(&addOption),
HIP_PARAM_ADD_OPTION,
sizeof(int)),
-1, "build param HIP_PARAM_ADD_OPTION failed\n");
/* build the message header */
HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_OPPTCP_SEND_TCP_PACKET, 0),
-1, "build hdr failed\n");
HIP_DUMP_MSG(msg);
/* send and receive msg to/from hipd */
HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock), -1, "send_recv msg failed\n");
_HIP_DEBUG("send_recv msg succeed\n");
/* check error value */
//HIP_IFEL(hip_get_msg_err(msg), -1, "Got erroneous message!\n");
out_err:
return err;
}
hip_lsi_t *hip_fw_get_default_lsi() {
int err = 0;
struct hip_common *msg = NULL;
struct hip_tlv_common *param;
/* Use cached LSI if possible */
if (local_lsi.s_addr != 0) {
//memcpy(lsi, &local_lsi, sizeof(*lsi));
return &local_lsi;
goto out_err;
}
/* Query hipd for the LSI */
HIP_IFE(!(msg = hip_msg_alloc()), -1);
HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_DEFAULT_HIT, 0),
-1, "build hdr failed\n");
/* send and receive msg to/from hipd */
HIP_IFEL(hip_send_recv_daemon_info(msg, 0, hip_fw_sock), -1, "send_recv msg failed\n");
HIP_DEBUG("send_recv msg succeed\n");
/* check error value */
HIP_IFEL(hip_get_msg_err(msg), -1, "Got erroneous message!\n");
HIP_IFEL(!(param = hip_get_param(msg, HIP_PARAM_LSI)), -1,
"Did not find LSI\n");
memcpy(&local_lsi, hip_get_param_contents_direct(param),
sizeof(local_lsi));
//memcpy(lsi, &local_lsi, sizeof(*lsi));
out_err:
if(msg)
HIP_FREE(msg);
if (err)
return NULL;
else
return &local_lsi;
}
int connhipd_run_thread(void)
{
int err = 0;
struct hip_common *msg = NULL;
HIP_IFEL(!(msg = hip_msg_alloc()), -1, "Failed to Allocate message.\n");
hip_agent_thread_started = 0;
pthread_create(&connhipd_pthread, NULL, connhipd_thread, msg);
while (hip_agent_thread_started == 0)
usleep(100 * 1000);
usleep(100 * 1000);
out_err:
if (err && hip_agent_sock)
close(hip_agent_sock);
if (err && msg)
HIP_FREE(msg);
return err;
}
/**
* Build and send a notification about failed connection establishment.
*
* @param reason the reason why the authentication failed
*/
int signaling_hipfw_send_connection_failed_ntf(struct hip_common *common,
UNUSED struct tuple *tuple,
const struct hip_fw_context *ctx,
const int reason,
const struct signaling_connection *conn)
{
int err = 0;
uint16_t mask = 0;
struct hip_common *msg_buf = NULL;
struct hip_common *msg_buf2 = NULL;
unsigned char *buf;
int cert_len = 0;
/* Allocate and build message */
HIP_IFEL(!(msg_buf = hip_msg_alloc()),
-ENOMEM, "Out of memory while allocation memory for the notify packet\n");
hip_build_network_hdr(msg_buf, HIP_NOTIFY, mask, &our_hit, &common->hits);
HIP_IFEL(!(msg_buf2 = hip_msg_alloc()),
-ENOMEM, "Out of memory while allocation memory for the notify packet\n");
hip_build_network_hdr(msg_buf2, HIP_NOTIFY, mask, &our_hit, &common->hitr);
/* Append certificate */
HIP_IFEL((cert_len = signaling_X509_to_DER(mb_cert, &buf)) < 0,
-1, "Could not get DER encoding of certificate\n");
HIP_IFEL(hip_build_param_cert(msg_buf, 0, 1, 1, HIP_CERT_X509V3, buf, cert_len),
-1, "Could not build cert parameter\n");
HIP_IFEL(hip_build_param_cert(msg_buf2, 0, 1, 1, HIP_CERT_X509V3, buf, cert_len),
-1, "Could not build cert parameter\n");
free(buf);
/* Append notification parameter */
signaling_build_param_connection_fail(msg_buf, reason);
signaling_build_param_connection_fail(msg_buf2, reason);
/* Append connection identifier */
signaling_build_param_signaling_connection(msg_buf, conn);
signaling_build_param_signaling_connection(msg_buf2, conn);
/* Append hits */
HIP_IFEL(hip_build_param_contents(msg_buf, &common->hitr, HIP_PARAM_HIT, sizeof(hip_hit_t)),
-1, "build param contents (dst hit) failed\n");
HIP_IFEL(hip_build_param_contents(msg_buf2, &common->hits, HIP_PARAM_HIT, sizeof(hip_hit_t)),
-1, "build param contents (src hit) failed\n");
if (HIP_DEFAULT_HIPFW_ALGO == HIP_HI_ECDSA) {
/* Sign the packet */
HIP_IFEL(hip_ecdsa_sign(ecdsa_key, msg_buf),
-1, "Could not sign notification for source host \n");
HIP_IFEL(hip_ecdsa_sign(ecdsa_key, msg_buf2),
-1, "Could not sign notification for destination host\n");
} else if (HIP_DEFAULT_HIPFW_ALGO == HIP_HI_RSA) {
/* Sign the packet */
HIP_IFEL(hip_rsa_sign(rsa_key, msg_buf),
-1, "Could not sign notification for source host \n");
HIP_IFEL(hip_rsa_sign(rsa_key, msg_buf2),
-1, "Could not sign notification for destination host\n");
}
/* Send to source and destination of the connection */
if (send_pkt(NULL, &ctx->src, 10500, 10500, msg_buf)) {
HIP_ERROR("Could not notify the source of a connection reject \n");
}
free(msg_buf);
if (send_pkt(NULL, &ctx->dst, 10500, 10500, msg_buf2)) {
HIP_ERROR("Could not notify the destination of a connection reject \n");
}
free(msg_buf2);
out_err:
return err;
}
/**
* distribute a message from hipd to the respective extension handler
*
* @param msg pointer to the received user message
* @return 0 on success, else -1
*/
int hip_handle_msg(struct hip_common *msg)
{
int type, err = 0;
struct hip_common *msg_out = NULL;
HIP_DEBUG("Handling message from hipd\n");
type = hip_get_msg_type(msg);
HIP_DEBUG("of type %d\n", type);
switch (type) {
case HIP_MSG_FW_BEX_DONE:
case HIP_MSG_FW_UPDATE_DB:
if (hip_lsi_support) {
hip_handle_bex_state_update(msg);
}
break;
case HIP_MSG_IPSEC_ADD_SA:
HIP_DEBUG("Received add sa request from hipd\n");
HIP_IFEL(handle_sa_add_request(msg), -1,
"hip userspace sadb add did NOT succeed\n");
break;
case HIP_MSG_IPSEC_DELETE_SA:
HIP_DEBUG("Received delete sa request from hipd\n");
HIP_IFEL(handle_sa_delete_request(msg), -1,
"hip userspace sadb delete did NOT succeed\n");
break;
case HIP_MSG_IPSEC_FLUSH_ALL_SA:
HIP_DEBUG("Received flush all sa request from hipd\n");
hip_sadb_flush();
break;
case HIP_MSG_RESET_FIREWALL_DB:
hip_firewall_cache_delete_hldb(0);
break;
case HIP_MSG_OFFER_FULLRELAY:
if (!esp_relay) {
HIP_DEBUG("Enabling ESP relay\n");
hip_fw_init_esp_relay();
} else {
HIP_DEBUG("ESP relay already enabled\n");
}
break;
case HIP_MSG_CANCEL_FULLRELAY:
HIP_DEBUG("Disabling ESP relay\n");
hip_fw_uninit_esp_relay();
break;
case HIP_MSG_FIREWALL_STATUS:
msg_out = hip_msg_alloc();
HIP_IFEL(hip_build_user_hdr(msg_out, HIP_MSG_FIREWALL_START, 0), -1,
"Couldn't build message to daemon\n");
HIP_IFEL(hip_send_recv_daemon_info(msg_out, 1, hip_fw_sock), -1,
"Couldn't notify daemon of firewall presence\n");
break;
case HIP_MSG_SIGNALING_HIPD_CONNECTION_CONFIRMATION:
signaling_handle_hipd_connection_confirmation(msg);
break;
default:
HIP_ERROR("Unhandled message type %d\n", type);
err = -1;
break;
}
out_err:
free(msg_out);
return err;
}
