/** * tell firewall to turn on or off the ESP relay mode * * @param action HIP_MSG_OFFER_FULLRELAY or HIP_MSG_CANCEL_FULLRELAY * * @return zero on success or negative on failure */ int hip_firewall_set_esp_relay(int action) { struct hip_common *msg = NULL; int err = 0; int sent; HIP_DEBUG("Setting ESP relay to %d\n", action); if (!(msg = hip_msg_alloc())) { return -ENOMEM; } HIP_IFEL(hip_build_user_hdr(msg, action ? HIP_MSG_OFFER_FULLRELAY : HIP_MSG_CANCEL_FULLRELAY, 0), -1, "Build header failed\n"); sent = hip_sendto_firewall(msg); if (sent < 0) { HIP_PERROR("Send to firewall failed: "); err = -1; goto out_err; } HIP_DEBUG("Sent %d bytes to firewall.\n", sent); out_err: free(msg); return err; }
/** * Send the ip of a peer to hipd, so that it can: * - unblock the packets that are sent to a particular peer. * - add it to the blacklist database. * * @param peer_ip peer ip. * @return nothing */ int hip_fw_unblock_and_blacklist(const struct in6_addr *peer_ip){ struct hip_common *msg = NULL; int err = 0; HIP_DEBUG("\n"); HIP_IFE(!(msg = hip_msg_alloc()), -1); HIP_IFEL(hip_build_param_contents(msg, (void *)(peer_ip), HIP_PARAM_IPV6_ADDR, sizeof(struct in6_addr)), -1, "build param HIP_PARAM_IPV6_ADDR failed\n"); /* build the message header */ HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_OPPTCP_UNBLOCK_AND_BLACKLIST, 0), -1, "build hdr failed\n"); HIP_DUMP_MSG(msg); /* send and receive msg to/from hipd */ HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock), -1, "send_recv msg failed\n"); _HIP_DEBUG("send_recv msg succeed\n"); /* check error value */ HIP_IFEL(hip_get_msg_err(msg), -1, "Got erroneous message!\n"); out_err: return err; }
/* * similar to the hip_request_peer_hit_from_hipd(...) function * */ int hip_request_peer_hit_from_hipd_at_firewall( const struct in6_addr *peer_ip, struct in6_addr *peer_hit, const struct in6_addr *local_hit, in_port_t *src_tcp_port, in_port_t *dst_tcp_port, int *fallback, int *reject){ struct hip_common *msg = NULL; struct in6_addr *hit_recv = NULL; hip_hit_t *ptr = NULL; int err = 0; int ret = 0; *fallback = 1; *reject = 0; HIP_IFE(!(msg = hip_msg_alloc()), -1); HIP_IFEL(hip_build_param_contents(msg, (void *)(local_hit), HIP_PARAM_HIT_LOCAL, sizeof(struct in6_addr)), -1, "build param HIP_PARAM_HIT failed\n"); if (hip_opptcp) { HIP_IFEL(hip_build_param_contents(msg, (void *)(src_tcp_port), HIP_PARAM_SRC_TCP_PORT, sizeof(in_port_t)), -1, "build param HIP_PARAM_SRC_TCP_PORT failed\n"); HIP_IFEL(hip_build_param_contents(msg, (void *)(dst_tcp_port), HIP_PARAM_DST_TCP_PORT, sizeof(in_port_t)), -1, "build param HIP_PARAM_DST_TCP_PORT failed\n"); } HIP_IFEL(hip_build_param_contents(msg, (void *)(peer_ip), HIP_PARAM_IPV6_ADDR_PEER, sizeof(struct in6_addr)), -1, "build param HIP_PARAM_IPV6_ADDR failed\n"); /* build the message header */ HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_GET_PEER_HIT, 0), -1, "build hdr failed\n"); /* this message has to be delivered with the async socket because opportunistic mode responds asynchronously */ HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock), -1, "send msg failed\n"); _HIP_DEBUG("send_recv msg succeed\n"); out_err: if(msg) free(msg); return err; }
/** * Send the necessary data to hipd, so that a tcp packet is sent from there. This was done because it was not possible to send a packet directly from here. * * @param *hdr pointer to the packet that is to be sent. * @param packet_size the size of the packet. * @param ip_version ipv4 or ipv6. * @param addHit whether the local HIT is to be added at the tcp options * @param addOption whether the i1 option is to be added at the tcp options * @return nothing */ int hip_request_send_tcp_packet(void *hdr, int packet_size, int ip_version, int addHit, int addOption){ const struct hip_common *msg = NULL; int err = 0; HIP_DEBUG("\n"); HIP_IFE(!(msg = hip_msg_alloc()), -1); HIP_IFEL(hip_build_param_contents(msg, (void *)hdr, HIP_PARAM_IP_HEADER, packet_size), -1, "build param HIP_PARAM_IP_HEADER failed\n"); HIP_IFEL(hip_build_param_contents(msg, (int *)(&packet_size), HIP_PARAM_PACKET_SIZE, sizeof(int)), -1, "build param HIP_PARAM_PACKET_SIZE failed\n"); HIP_IFEL(hip_build_param_contents(msg, (int *)(&ip_version), HIP_PARAM_TRAFFIC_TYPE, sizeof(int)), -1, "build param HIP_PARAM_TRAFFIC_TYPE failed\n"); HIP_IFEL(hip_build_param_contents(msg, (int *)(&addHit), HIP_PARAM_ADD_HIT, sizeof(int)), -1, "build param HIP_PARAM_ADD_HIT failed\n"); HIP_IFEL(hip_build_param_contents(msg, (int *)(&addOption), HIP_PARAM_ADD_OPTION, sizeof(int)), -1, "build param HIP_PARAM_ADD_OPTION failed\n"); /* build the message header */ HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_OPPTCP_SEND_TCP_PACKET, 0), -1, "build hdr failed\n"); HIP_DUMP_MSG(msg); /* send and receive msg to/from hipd */ HIP_IFEL(hip_send_recv_daemon_info(msg, 1, hip_fw_async_sock), -1, "send_recv msg failed\n"); _HIP_DEBUG("send_recv msg succeed\n"); /* check error value */ //HIP_IFEL(hip_get_msg_err(msg), -1, "Got erroneous message!\n"); out_err: return err; }
hip_lsi_t *hip_fw_get_default_lsi() { int err = 0; struct hip_common *msg = NULL; struct hip_tlv_common *param; /* Use cached LSI if possible */ if (local_lsi.s_addr != 0) { //memcpy(lsi, &local_lsi, sizeof(*lsi)); return &local_lsi; goto out_err; } /* Query hipd for the LSI */ HIP_IFE(!(msg = hip_msg_alloc()), -1); HIP_IFEL(hip_build_user_hdr(msg, SO_HIP_DEFAULT_HIT, 0), -1, "build hdr failed\n"); /* send and receive msg to/from hipd */ HIP_IFEL(hip_send_recv_daemon_info(msg, 0, hip_fw_sock), -1, "send_recv msg failed\n"); HIP_DEBUG("send_recv msg succeed\n"); /* check error value */ HIP_IFEL(hip_get_msg_err(msg), -1, "Got erroneous message!\n"); HIP_IFEL(!(param = hip_get_param(msg, HIP_PARAM_LSI)), -1, "Did not find LSI\n"); memcpy(&local_lsi, hip_get_param_contents_direct(param), sizeof(local_lsi)); //memcpy(lsi, &local_lsi, sizeof(*lsi)); out_err: if(msg) HIP_FREE(msg); if (err) return NULL; else return &local_lsi; }
int connhipd_run_thread(void) { int err = 0; struct hip_common *msg = NULL; HIP_IFEL(!(msg = hip_msg_alloc()), -1, "Failed to Allocate message.\n"); hip_agent_thread_started = 0; pthread_create(&connhipd_pthread, NULL, connhipd_thread, msg); while (hip_agent_thread_started == 0) usleep(100 * 1000); usleep(100 * 1000); out_err: if (err && hip_agent_sock) close(hip_agent_sock); if (err && msg) HIP_FREE(msg); return err; }
/** * Build and send a notification about failed connection establishment. * * @param reason the reason why the authentication failed */ int signaling_hipfw_send_connection_failed_ntf(struct hip_common *common, UNUSED struct tuple *tuple, const struct hip_fw_context *ctx, const int reason, const struct signaling_connection *conn) { int err = 0; uint16_t mask = 0; struct hip_common *msg_buf = NULL; struct hip_common *msg_buf2 = NULL; unsigned char *buf; int cert_len = 0; /* Allocate and build message */ HIP_IFEL(!(msg_buf = hip_msg_alloc()), -ENOMEM, "Out of memory while allocation memory for the notify packet\n"); hip_build_network_hdr(msg_buf, HIP_NOTIFY, mask, &our_hit, &common->hits); HIP_IFEL(!(msg_buf2 = hip_msg_alloc()), -ENOMEM, "Out of memory while allocation memory for the notify packet\n"); hip_build_network_hdr(msg_buf2, HIP_NOTIFY, mask, &our_hit, &common->hitr); /* Append certificate */ HIP_IFEL((cert_len = signaling_X509_to_DER(mb_cert, &buf)) < 0, -1, "Could not get DER encoding of certificate\n"); HIP_IFEL(hip_build_param_cert(msg_buf, 0, 1, 1, HIP_CERT_X509V3, buf, cert_len), -1, "Could not build cert parameter\n"); HIP_IFEL(hip_build_param_cert(msg_buf2, 0, 1, 1, HIP_CERT_X509V3, buf, cert_len), -1, "Could not build cert parameter\n"); free(buf); /* Append notification parameter */ signaling_build_param_connection_fail(msg_buf, reason); signaling_build_param_connection_fail(msg_buf2, reason); /* Append connection identifier */ signaling_build_param_signaling_connection(msg_buf, conn); signaling_build_param_signaling_connection(msg_buf2, conn); /* Append hits */ HIP_IFEL(hip_build_param_contents(msg_buf, &common->hitr, HIP_PARAM_HIT, sizeof(hip_hit_t)), -1, "build param contents (dst hit) failed\n"); HIP_IFEL(hip_build_param_contents(msg_buf2, &common->hits, HIP_PARAM_HIT, sizeof(hip_hit_t)), -1, "build param contents (src hit) failed\n"); if (HIP_DEFAULT_HIPFW_ALGO == HIP_HI_ECDSA) { /* Sign the packet */ HIP_IFEL(hip_ecdsa_sign(ecdsa_key, msg_buf), -1, "Could not sign notification for source host \n"); HIP_IFEL(hip_ecdsa_sign(ecdsa_key, msg_buf2), -1, "Could not sign notification for destination host\n"); } else if (HIP_DEFAULT_HIPFW_ALGO == HIP_HI_RSA) { /* Sign the packet */ HIP_IFEL(hip_rsa_sign(rsa_key, msg_buf), -1, "Could not sign notification for source host \n"); HIP_IFEL(hip_rsa_sign(rsa_key, msg_buf2), -1, "Could not sign notification for destination host\n"); } /* Send to source and destination of the connection */ if (send_pkt(NULL, &ctx->src, 10500, 10500, msg_buf)) { HIP_ERROR("Could not notify the source of a connection reject \n"); } free(msg_buf); if (send_pkt(NULL, &ctx->dst, 10500, 10500, msg_buf2)) { HIP_ERROR("Could not notify the destination of a connection reject \n"); } free(msg_buf2); out_err: return err; }
/** * distribute a message from hipd to the respective extension handler * * @param msg pointer to the received user message * @return 0 on success, else -1 */ int hip_handle_msg(struct hip_common *msg) { int type, err = 0; struct hip_common *msg_out = NULL; HIP_DEBUG("Handling message from hipd\n"); type = hip_get_msg_type(msg); HIP_DEBUG("of type %d\n", type); switch (type) { case HIP_MSG_FW_BEX_DONE: case HIP_MSG_FW_UPDATE_DB: if (hip_lsi_support) { hip_handle_bex_state_update(msg); } break; case HIP_MSG_IPSEC_ADD_SA: HIP_DEBUG("Received add sa request from hipd\n"); HIP_IFEL(handle_sa_add_request(msg), -1, "hip userspace sadb add did NOT succeed\n"); break; case HIP_MSG_IPSEC_DELETE_SA: HIP_DEBUG("Received delete sa request from hipd\n"); HIP_IFEL(handle_sa_delete_request(msg), -1, "hip userspace sadb delete did NOT succeed\n"); break; case HIP_MSG_IPSEC_FLUSH_ALL_SA: HIP_DEBUG("Received flush all sa request from hipd\n"); hip_sadb_flush(); break; case HIP_MSG_RESET_FIREWALL_DB: hip_firewall_cache_delete_hldb(0); break; case HIP_MSG_OFFER_FULLRELAY: if (!esp_relay) { HIP_DEBUG("Enabling ESP relay\n"); hip_fw_init_esp_relay(); } else { HIP_DEBUG("ESP relay already enabled\n"); } break; case HIP_MSG_CANCEL_FULLRELAY: HIP_DEBUG("Disabling ESP relay\n"); hip_fw_uninit_esp_relay(); break; case HIP_MSG_FIREWALL_STATUS: msg_out = hip_msg_alloc(); HIP_IFEL(hip_build_user_hdr(msg_out, HIP_MSG_FIREWALL_START, 0), -1, "Couldn't build message to daemon\n"); HIP_IFEL(hip_send_recv_daemon_info(msg_out, 1, hip_fw_sock), -1, "Couldn't notify daemon of firewall presence\n"); break; case HIP_MSG_SIGNALING_HIPD_CONNECTION_CONFIRMATION: signaling_handle_hipd_connection_confirmation(msg); break; default: HIP_ERROR("Unhandled message type %d\n", type); err = -1; break; } out_err: free(msg_out); return err; }