Merge lp:~fahad-aizaz/hipl/cert-config into lp:hipl
- cert-config
- Merge into trunk
Status: | Superseded |
---|---|
Proposed branch: | lp:~fahad-aizaz/hipl/cert-config |
Merge into: | lp:hipl |
Diff against target: |
3876 lines (+6/-3611) 21 files modified
Makefile.am (+1/-10) hipd/cert.c (+0/-1029) hipd/cert.h (+0/-48) hipd/init.c (+1/-82) hipd/input.c (+0/-1) hipd/output.c (+0/-1) hipd/pisa.c (+0/-83) hipd/pisa.h (+0/-44) hipd/user.c (+1/-36) hipfw/conntrack.c (+3/-3) hipfw/hipfw.c (+0/-7) hipfw/pisa.c (+0/-575) hipfw/pisa.h (+0/-48) hipfw/pisa_cert.c (+0/-205) hipfw/pisa_cert.h (+0/-47) lib/core/builder.c (+0/-101) lib/core/builder.h (+0/-6) lib/core/certtools.c (+0/-856) lib/core/certtools.h (+0/-79) test/certteststub.c (+0/-196) tools/pisacert.c (+0/-154) |
To merge this branch: | bzr merge lp:~fahad-aizaz/hipl/cert-config |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Diego Biurrun | Needs Fixing | ||
Miika Komu | Approve | ||
Review via email: mp+93727@code.launchpad.net |
This proposal has been superseded by a proposal from 2012-02-20.
Commit message
Description of the change
Configuration file code removal. Continuing the removal of configuration file code removal. Though this branch also contain some other changes in relation to 'hip_cert.conf' configuration file.
As decided by hipl core team, there is no more requirement of 'hip_cert.conf' file anymore to be part of HIPL codebase at all. So the following changes has been done.
1. The removal of runtime generation of 'hip_cert.conf' file.
2. The references to the functions that read, sign and verify certificates.
Note: here the references to the function from the codebase is removed. But the files containing the declarations and definitions are still not yet removed. I need your approval for doing that. (files: cert.h, cert.c). Please also note I looked in the codebase for anymore references towards the functions in these files and safely I can say I didn't find any. Therefore these files are feasible to be removed from the HIPL.
There exist some other helper functions (such as opening configuration file, read it section by section) being used in functions defined in 'cert.c' but are part of hipl core library. (lib/core/
Any comment on keeping this code will also be helpful.
Miika Komu (miika-iki) : | # |
- 6288. By Fahad Aizaz
-
Certificate code for signing and verification removal.
As agreed, the certificate signing and verification code is no longer required.
And therefore is being removed from hipl codebase. With it any reference
to the headers are also removed. - 6289. By Fahad Aizaz
-
Removing files that are no longer required from make.
- 6290. By Fahad Aizaz
-
Removing certificate related code.
The code was utilized by other library functions defined in the file
"certtools.c". Since "certtools.c" is no longer required thus these
functions were also redundant and therefore removed from the codebase. - 6291. By Fahad Aizaz
-
Fixing Makefile to handle the removed code and let it compile properly.
- 6292. By Fahad Aizaz
-
Cosmetics: stylecheck changes that were found and fixed.
- 6293. By Fahad Aizaz
-
Adding, removing and fixing the redundant code.
This commit contains the files which contained headers of removed code files
having the certificate functionality which is no longer required.Thus the headers were removed from the following files and also the
the redundant functions in case "hipfw.c" is removed. - 6294. By Fahad Aizaz
-
Removing useless code.
The code that was related to reading, signing and verfication of
certificates is removed.Starting from certtools.c/h which contains code for reading certificate
configuration file, reading it section by section, verifictaion etc
is removed.certtools.c uses functions defined in builder.c; thus these functions
are also removed since they are no longer required.hipfw/pisa.c/.h uses also functions from certtools.c and thus removed.
hipfw/pisa_cert.c/ .h uses also functions from certtools.c and is removed. certteststub and pisacert.c were the only code files generating and
testing certificates and thus are removed. - 6295. By Fahad Aizaz
-
Missing file to be removed from Makefile
Unmerged revisions
- 6295. By Fahad Aizaz
-
Missing file to be removed from Makefile
- 6294. By Fahad Aizaz
-
Removing useless code.
The code that was related to reading, signing and verfication of
certificates is removed.Starting from certtools.c/h which contains code for reading certificate
configuration file, reading it section by section, verifictaion etc
is removed.certtools.c uses functions defined in builder.c; thus these functions
are also removed since they are no longer required.hipfw/pisa.c/.h uses also functions from certtools.c and thus removed.
hipfw/pisa_cert.c/ .h uses also functions from certtools.c and is removed. certteststub and pisacert.c were the only code files generating and
testing certificates and thus are removed. - 6293. By Fahad Aizaz
-
Adding, removing and fixing the redundant code.
This commit contains the files which contained headers of removed code files
having the certificate functionality which is no longer required.Thus the headers were removed from the following files and also the
the redundant functions in case "hipfw.c" is removed. - 6292. By Fahad Aizaz
-
Cosmetics: stylecheck changes that were found and fixed.
- 6291. By Fahad Aizaz
-
Fixing Makefile to handle the removed code and let it compile properly.
- 6290. By Fahad Aizaz
-
Removing certificate related code.
The code was utilized by other library functions defined in the file
"certtools.c". Since "certtools.c" is no longer required thus these
functions were also redundant and therefore removed from the codebase. - 6289. By Fahad Aizaz
-
Removing files that are no longer required from make.
- 6288. By Fahad Aizaz
-
Certificate code for signing and verification removal.
As agreed, the certificate signing and verification code is no longer required.
And therefore is being removed from hipl codebase. With it any reference
to the headers are also removed. - 6287. By Fahad Aizaz
-
The references for certificate sigining and verifications removal.
The references to the functions that are used to sign and verify
certificates are removed. (As they are no longer required)Note: this change makes the files cert.c and cert.h and all the functions
declared and defined in these files redundant. - 6286. By Fahad Aizaz
-
Removing configuration file generation code.
The cofiguration file 'hip_cert.conf' that is being generated at runtime
is removed from the hipl code base.
Preview Diff
1 | === modified file 'Makefile.am' |
2 | --- Makefile.am 2012-02-13 11:20:22 +0000 |
3 | +++ Makefile.am 2012-02-20 21:42:18 +0000 |
4 | @@ -35,11 +35,9 @@ |
5 | EXTRA_DIST += $(wildcard $(addprefix $(srcdir)/tools/,*.cfg *.pl *.sh *.xml)) |
6 | EXTRA_DIST += $(wildcard $(addprefix $(srcdir)/hipfw/,*.cfg)) |
7 | EXTRA_DIST += $(HIPL_HEADER_LIST) |
8 | -EXTRA_DIST += hipd/pisa.c hipfw/pisa.c hipfw/pisa_cert.c |
9 | |
10 | ### user programs ### |
11 | bin_PROGRAMS = test/auth_performance \ |
12 | - test/certteststub \ |
13 | test/hc_performance |
14 | |
15 | if HIP_PERFORMANCE |
16 | @@ -49,8 +47,7 @@ |
17 | |
18 | ### superuser programs ### |
19 | sbin_PROGRAMS = hipd/hipd \ |
20 | - tools/hipconf \ |
21 | - tools/pisacert |
22 | + tools/hipconf |
23 | |
24 | if HIP_FIREWALL |
25 | sbin_PROGRAMS += hipfw/hipfw |
26 | @@ -84,7 +81,6 @@ |
27 | ### source declarations ### |
28 | |
29 | test_auth_performance_SOURCES = test/auth_performance.c |
30 | -test_certteststub_SOURCES = test/certteststub.c |
31 | test_dh_performance_SOURCES = test/dh_performance.c |
32 | test_fw_port_bindings_performance_SOURCES = hipfw/file_buffer.c \ |
33 | hipfw/line_parser.c \ |
34 | @@ -93,10 +89,8 @@ |
35 | test_hc_performance_SOURCES = test/hc_performance.c |
36 | |
37 | tools_hipconf_SOURCES = tools/hipconf.c |
38 | -tools_pisacert_SOURCES = tools/pisacert.c |
39 | |
40 | hipd_hipd_sources = hipd/accessor.c \ |
41 | - hipd/cert.c \ |
42 | hipd/close.c \ |
43 | hipd/configfilereader.c \ |
44 | hipd/cookie.c \ |
45 | @@ -175,7 +169,6 @@ |
46 | |
47 | lib_core_libhipcore_la_SOURCES = lib/core/builder.c \ |
48 | lib/core/capability.c \ |
49 | - lib/core/certtools.c \ |
50 | lib/core/conf.c \ |
51 | lib/core/crypto.c \ |
52 | lib/core/debug.c \ |
53 | @@ -251,12 +244,10 @@ |
54 | test_check_lib_core_LDADD = lib/core/libhipcore.la |
55 | test_check_lib_tool_LDADD = lib/core/libhipcore.la |
56 | test_check_modules_midauth_LDADD = lib/core/libhipcore.la |
57 | -test_certteststub_LDADD = lib/core/libhipcore.la |
58 | test_dh_performance_LDADD = lib/core/libhipcore.la |
59 | test_fw_port_bindings_performance_LDADD = lib/core/libhipcore.la |
60 | test_hc_performance_LDADD = lib/core/libhipcore.la |
61 | tools_hipconf_LDADD = lib/core/libhipcore.la |
62 | -tools_pisacert_LDADD = lib/core/libhipcore.la |
63 | |
64 | ### dynamic library dependencies ### |
65 | |
66 | |
67 | === removed file 'hipd/cert.c' |
68 | --- hipd/cert.c 2012-01-16 22:12:49 +0000 |
69 | +++ hipd/cert.c 1970-01-01 00:00:00 +0000 |
70 | @@ -1,1029 +0,0 @@ |
71 | -/* |
72 | - * Copyright (c) 2010-2012 Aalto University and RWTH Aachen University. |
73 | - * |
74 | - * Permission is hereby granted, free of charge, to any person |
75 | - * obtaining a copy of this software and associated documentation |
76 | - * files (the "Software"), to deal in the Software without |
77 | - * restriction, including without limitation the rights to use, |
78 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
79 | - * copies of the Software, and to permit persons to whom the |
80 | - * Software is furnished to do so, subject to the following |
81 | - * conditions: |
82 | - * |
83 | - * The above copyright notice and this permission notice shall be |
84 | - * included in all copies or substantial portions of the Software. |
85 | - * |
86 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
87 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
88 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
89 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
90 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
91 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
92 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
93 | - * OTHER DEALINGS IN THE SOFTWARE. |
94 | - */ |
95 | - |
96 | -/** |
97 | - * @file |
98 | - * |
99 | - * This file defines the certificate signing and verification |
100 | - * functions to use with HIP |
101 | - */ |
102 | - |
103 | -#include <errno.h> |
104 | -#include <stdint.h> |
105 | -#include <stdio.h> |
106 | -#include <stdlib.h> |
107 | -#include <string.h> |
108 | -#include <arpa/inet.h> |
109 | -#include <openssl/conf.h> |
110 | -#include <openssl/dsa.h> |
111 | -#include <openssl/err.h> |
112 | -#include <openssl/evp.h> |
113 | -#include <openssl/rsa.h> |
114 | -#include <openssl/x509.h> |
115 | -#include <openssl/x509v3.h> |
116 | - |
117 | -#include "lib/core/builder.h" |
118 | -#include "lib/core/certtools.h" |
119 | -#include "lib/core/common.h" |
120 | -#include "lib/core/crypto.h" |
121 | -#include "lib/core/debug.h" |
122 | -#include "lib/core/ife.h" |
123 | -#include "lib/core/protodefs.h" |
124 | -#include "lib/core/straddr.h" |
125 | -#include "lib/tool/pk.h" |
126 | -#include "hidb.h" |
127 | -#include "cert.h" |
128 | - |
129 | - |
130 | -/**************************************************************************** |
131 | - * |
132 | - * SPKI |
133 | - * |
134 | - ***************************************************************************/ |
135 | - |
136 | -/** |
137 | - * Function that signs the cert sequence and creates the public key |
138 | - * sequence and the signature sequence |
139 | - * |
140 | - * @param msg points to the msg gotten from "client" that should |
141 | - * contain HIP_PARAM_CERT_SPKI_INFO |
142 | - * |
143 | - * @return 0 if signature was created without errors, negative value |
144 | - * is returned on errors |
145 | - */ |
146 | -int hip_cert_spki_sign(struct hip_common *msg) |
147 | -{ |
148 | - int err = 0, sig_len = 0, algo = 0, t = 0; |
149 | - const struct hip_cert_spki_info *p_cert; |
150 | - struct hip_cert_spki_info *cert; |
151 | - struct hip_host_id *host_id = NULL; |
152 | - unsigned char sha_digest[SHA_DIGEST_LENGTH]; |
153 | - unsigned char *signature_b64 = NULL; |
154 | - unsigned char *digest_b64 = NULL; |
155 | - unsigned char *sha_retval; |
156 | - uint8_t *signature = NULL; |
157 | - DSA_SIG *dsa_sig = NULL; |
158 | - |
159 | - /* RSA needed variables */ |
160 | - RSA *rsa = NULL; |
161 | - unsigned char *e_bin = NULL, *n_bin = NULL, *n_b64 = NULL; |
162 | - char *e_hex = NULL; |
163 | - |
164 | - /* DSA needed variables */ |
165 | - DSA *dsa = NULL; |
166 | - unsigned char *p_bin = NULL, *q_bin = NULL, *g_bin = NULL, *y_bin = NULL; |
167 | - unsigned char *p_b64 = NULL, *q_b64 = NULL, *g_b64 = NULL, *y_b64 = NULL; |
168 | - |
169 | - HIP_IFEL(!(cert = calloc(1, sizeof(struct hip_cert_spki_info))), |
170 | - -1, "calloc for cert failed\n"); |
171 | - HIP_IFEL(!(p_cert = hip_get_param(msg, HIP_PARAM_CERT_SPKI_INFO)), |
172 | - -1, "No cert_info struct found\n"); |
173 | - memcpy(cert, p_cert, sizeof(struct hip_cert_spki_info)); |
174 | - |
175 | - HIP_DEBUG_HIT("Getting keys for HIT", &cert->issuer_hit); |
176 | - |
177 | - HIP_IFEL(hip_get_host_id_and_priv_key(&cert->issuer_hit, |
178 | - HIP_ANY_ALGO, |
179 | - &host_id, |
180 | - (void **) &rsa), |
181 | - -1, "Private key not found\n"); |
182 | - |
183 | - algo = host_id->rdata.algorithm; |
184 | - if (algo == HIP_HI_DSA) { |
185 | - dsa = (DSA *) rsa; |
186 | - } |
187 | - |
188 | - // Note: EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int dlen) (vintage SSLeay |
189 | - // code) is used to generate the different BASE64 representations. It requires an area of |
190 | - // ((dlen + 2) / 3 * 4 + 1) bytes - so, obviously larger than the size of the input - to be |
191 | - // available for its output (at location "t") - you have been warned. |
192 | - digest_b64 = calloc(1, (SHA_DIGEST_LENGTH + 2) / 3 * 4 + 1); |
193 | - HIP_IFEL(!digest_b64, -1, "calloc for digest_b64 failed\n"); |
194 | - |
195 | - /* build sha1 digest that will be signed */ |
196 | - HIP_IFEL(!(sha_retval = SHA1((unsigned char *) cert->cert, strlen(cert->cert), sha_digest)), |
197 | - -1, "SHA1 error when creating digest.\n"); |
198 | - |
199 | - switch (algo) { |
200 | - case HIP_HI_RSA: |
201 | - sig_len = RSA_size(rsa); |
202 | - |
203 | - signature = calloc(1, sig_len); |
204 | - HIP_IFEL(!signature, -1, "calloc for signature failed\n"); |
205 | - |
206 | - signature_b64 = calloc(1, (sig_len + 2) / 3 * 4 + 1); |
207 | - HIP_IFEL(!signature_b64, -1, "calloc for signature_b64 failed\n"); |
208 | - |
209 | - n_bin = calloc(1, BN_num_bytes(rsa->n)); |
210 | - HIP_IFEL(!n_bin, -1, "calloc for n_bin failed\n"); |
211 | - |
212 | - n_b64 = calloc(1, (BN_num_bytes(rsa->n) + 2) / 3 * 4 + 1); |
213 | - HIP_IFEL(!n_b64, -1, "calloc for n_b64 failed\n"); |
214 | - |
215 | - e_bin = calloc(1, BN_num_bytes(rsa->e)); |
216 | - HIP_IFEL(!e_bin, -1, "calloc for e_bin failed\n"); |
217 | - |
218 | - /* RSA sign the digest */ |
219 | - err = RSA_sign(NID_sha1, sha_digest, SHA_DIGEST_LENGTH, signature, |
220 | - (unsigned int *) &sig_len, rsa); |
221 | - HIP_IFEL((err = err == 0 ? -1 : 0), -1, "RSA_sign error\n"); |
222 | - break; |
223 | - case HIP_HI_ECDSA: |
224 | - HIP_DEBUG("CALL TO UNIMPLEMENTED ECDSA CASE\n"); |
225 | - HIP_OUT_ERR(-1, "Unknown algorithm\n"); |
226 | - break; |
227 | - case HIP_HI_DSA: |
228 | - p_bin = malloc(BN_num_bytes(dsa->p) + 1); |
229 | - HIP_IFEL(!p_bin, -1, "Malloc for p_bin failed\n"); |
230 | - |
231 | - q_bin = malloc(BN_num_bytes(dsa->q) + 1); |
232 | - HIP_IFEL(!q_bin, -1, "Malloc for q_bin failed\n"); |
233 | - |
234 | - g_bin = malloc(BN_num_bytes(dsa->g) + 1); |
235 | - HIP_IFEL(!g_bin, -1, "Malloc for g_bin failed\n"); |
236 | - |
237 | - y_bin = malloc(BN_num_bytes(dsa->pub_key) + 1); |
238 | - HIP_IFEL(!y_bin, -1, "Malloc for y_bin failed\n"); |
239 | - |
240 | - p_b64 = malloc(BN_num_bytes(dsa->p) + 20); |
241 | - HIP_IFEL(!p_b64, -1, "Malloc for p_b64 failed\n"); |
242 | - |
243 | - q_b64 = malloc(BN_num_bytes(dsa->q) + 20); |
244 | - HIP_IFEL(!q_b64, -1, "Malloc for q_b64 failed\n"); |
245 | - |
246 | - g_b64 = malloc(BN_num_bytes(dsa->g) + 20); |
247 | - HIP_IFEL(!g_b64, -1, "Malloc for g_b64 failed\n"); |
248 | - |
249 | - y_b64 = malloc(BN_num_bytes(dsa->pub_key) + 20); |
250 | - HIP_IFEL(!y_b64, -1, "Malloc for y_b64 failed\n"); |
251 | - |
252 | -#define HIP_DSA_SIG_SIZE 41 /* T(1) + R(20) + S(20) from RFC 2536 */ |
253 | - signature = calloc(1, HIP_DSA_SIG_SIZE); |
254 | - |
255 | - t = BN_num_bytes(dsa->p); |
256 | - t = (t - 64) / 8; |
257 | - HIP_IFEL(t > 8, 1, "Illegal DSA key\n"); |
258 | - |
259 | - signature[0] = t; |
260 | - dsa_sig = DSA_do_sign(sha_digest, SHA_DIGEST_LENGTH, dsa); |
261 | - bn2bin_safe(dsa_sig->r, &signature[1], DSA_PRIV); |
262 | - bn2bin_safe(dsa_sig->s, &signature[1 + DSA_PRIV], DSA_PRIV); |
263 | - sig_len = SHA_DIGEST_LENGTH + DSA_PRIV * 2; |
264 | - break; |
265 | - default: |
266 | - HIP_OUT_ERR(-1, "Unknown algorithm for signing\n"); |
267 | - } |
268 | - |
269 | - HIP_IFEL(!EVP_EncodeBlock(digest_b64, sha_digest, SHA_DIGEST_LENGTH), |
270 | - -1, "Failed to encode digest_b64\n"); |
271 | - HIP_IFEL(!EVP_EncodeBlock(signature_b64, signature, sig_len), |
272 | - -1, "Failed to encode signature_b64\n"); |
273 | - |
274 | - /* create (signature (hash sha1 |digest|)|signature|) */ |
275 | - sprintf(cert->signature, "(signature (hash sha1 |%s|)|%s|)", |
276 | - digest_b64, signature_b64); |
277 | - |
278 | - /* Create the public key sequence */ |
279 | - switch (algo) { |
280 | - case HIP_HI_RSA: |
281 | - /* |
282 | - * RSA public-key |
283 | - * draft-paajarvi-xml-spki-cert-00 section 3.1.1 |
284 | - * |
285 | - * <!ELEMENT rsa-pubkey (rsa-e,rsa-n)> |
286 | - * <!ELEMENT rsa-e (#PCDATA)> |
287 | - * <!ELEMENT rsa-n (#PCDATA)> |
288 | - */ |
289 | - HIP_IFEL(!BN_bn2bin(rsa->n, n_bin), |
290 | - -1, |
291 | - "Error in converting public exponent from BN to bin\n"); |
292 | - |
293 | - HIP_IFEL(!EVP_EncodeBlock(n_b64, n_bin, BN_num_bytes(rsa->n)), |
294 | - -1, |
295 | - "Failed to encode n_b64\n"); |
296 | - |
297 | - HIP_IFEL(!BN_bn2bin(rsa->e, e_bin), |
298 | - -1, |
299 | - "Error in converting public exponent from BN to bin\n"); |
300 | - |
301 | - e_hex = BN_bn2hex(rsa->e); |
302 | - |
303 | - sprintf(cert->public_key, "(public_key (rsa-pkcs1-sha1 (e #%s#)(n |%s|)))", |
304 | - e_hex, |
305 | - n_b64); |
306 | - break; |
307 | - case HIP_HI_ECDSA: |
308 | - HIP_DEBUG("CALL TO UNIMPLEMENTED ECDSA CASE\n"); |
309 | - HIP_OUT_ERR(-1, "Unknown algorithm for signing\n"); |
310 | - break; |
311 | - case HIP_HI_DSA: |
312 | - /* |
313 | - * DSA public-key |
314 | - * draft-paajarvi-xml-spki-cert-00 section 3.1.2 |
315 | - * |
316 | - * <!ELEMENT dsa-pubkey (dsa-p,dsa-q,dsa-g,dsa-y)> |
317 | - * <!ELEMENT dsa-p (#PCDATA)> |
318 | - * <!ELEMENT dsa-q (#PCDATA)> |
319 | - * <!ELEMENT dsa-g (#PCDATA)> |
320 | - * <!ELEMENT dsa-y (#PCDATA)> |
321 | - */ |
322 | - HIP_IFEL(!BN_bn2bin(dsa->p, p_bin), -1, |
323 | - "Error in converting public exponent from BN to bin\n"); |
324 | - HIP_IFEL(!EVP_EncodeBlock(p_b64, p_bin, BN_num_bytes(dsa->p)), |
325 | - -1, "Failed to encode p_b64\n"); |
326 | - |
327 | - HIP_IFEL(!BN_bn2bin(dsa->q, q_bin), -1, |
328 | - "Error in converting public exponent from BN to bin\n"); |
329 | - HIP_IFEL(!EVP_EncodeBlock(q_b64, q_bin, BN_num_bytes(dsa->q)), |
330 | - -1, "Failed to encode q_64"); |
331 | - |
332 | - HIP_IFEL(!(BN_bn2bin(dsa->g, g_bin)), -1, |
333 | - "Error in converting public exponent from BN to bin\n"); |
334 | - HIP_IFEL(!EVP_EncodeBlock(g_b64, g_bin, BN_num_bytes(dsa->g)), |
335 | - -1, "Failed to encode g_b64\n"); |
336 | - |
337 | - HIP_IFEL(!BN_bn2bin(dsa->pub_key, y_bin), -1, |
338 | - "Error in converting public exponent from BN to bin\n"); |
339 | - HIP_IFEL(!EVP_EncodeBlock(y_b64, y_bin, BN_num_bytes(dsa->pub_key)), |
340 | - -1, "Failed to encode y_b64\n"); |
341 | - |
342 | - sprintf(cert->public_key, "(public_key (dsa-pkcs1-sha1 (p |%s|)(q |%s|)" |
343 | - "(g |%s|)(y |%s|)))", |
344 | - p_b64, q_b64, g_b64, y_b64); |
345 | - break; |
346 | - default: |
347 | - HIP_OUT_ERR(-1, "Unknown algorithm for public-key element\n"); |
348 | - } |
349 | - |
350 | - /* Put the results into the msg back */ |
351 | - hip_msg_init(msg); |
352 | - |
353 | - HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_CERT_SPKI_SIGN, 0), -1, |
354 | - "Failed to build user header\n"); |
355 | - HIP_IFEL(hip_build_param_cert_spki_info(msg, cert), -1, |
356 | - "Failed to build cert_info\n"); |
357 | - |
358 | -out_err: |
359 | - |
360 | - /* free malloced memory */ |
361 | - free(digest_b64); |
362 | - free(signature_b64); |
363 | - free(signature); |
364 | - free(host_id); |
365 | - |
366 | - /* RSA pubkey */ |
367 | - free(e_bin); |
368 | - free(n_bin); |
369 | - /* encoded */ |
370 | - OPENSSL_free(e_hex); |
371 | - free(n_b64); |
372 | - |
373 | - /* DSA pubkey */ |
374 | - free(p_bin); |
375 | - free(q_bin); |
376 | - free(g_bin); |
377 | - free(y_bin); |
378 | - /* encoded */ |
379 | - free(p_b64); |
380 | - free(q_b64); |
381 | - free(g_b64); |
382 | - free(y_b64); |
383 | - |
384 | - DSA_SIG_free(dsa_sig); |
385 | - |
386 | - free(cert); |
387 | - |
388 | - return err; |
389 | -} |
390 | - |
391 | -/** |
392 | - * Function that verifies the signature in the given SPKI cert sent by |
393 | - * the "client" |
394 | - * |
395 | - * @param msg points to the msg gotten from "client" that contains a |
396 | - * spki cert in CERT parameter |
397 | - * |
398 | - * @return 0 if signature matches, -1 if error or signature did NOT match |
399 | - */ |
400 | -int hip_cert_spki_verify(struct hip_common *msg) |
401 | -{ |
402 | - int err = 0, start = 0, stop = 0, evpret = 0, keylen = 0, algo = 0; |
403 | - char buf[200]; |
404 | - |
405 | - unsigned char sha_digest[21]; |
406 | - unsigned char *sha_retval; |
407 | - unsigned char *signature_hash = NULL; |
408 | - unsigned char *signature_hash_b64 = NULL; |
409 | - unsigned char *signature_b64 = NULL; |
410 | - |
411 | - const struct hip_cert_spki_info *p_cert; |
412 | - struct hip_cert_spki_info *cert = NULL; |
413 | - unsigned char *signature = NULL; |
414 | - |
415 | - /** RSA */ |
416 | - RSA *rsa = NULL; |
417 | - unsigned long e_code; |
418 | - char *e_hex = NULL; |
419 | - unsigned char *modulus_b64 = NULL; |
420 | - unsigned char *modulus = NULL; |
421 | - |
422 | - /** DSA */ |
423 | - DSA *dsa = NULL; |
424 | - unsigned char *p_bin = NULL, *q_bin = NULL, *g_bin = NULL, *y_bin = NULL; |
425 | - unsigned char *p_b64 = NULL, *q_b64 = NULL, *g_b64 = NULL, *y_b64 = NULL; |
426 | - DSA_SIG *dsa_sig = NULL; |
427 | - |
428 | - /* rules for regular expressions */ |
429 | - |
430 | - /* |
431 | - * Rule to get the info if we are using DSA |
432 | - */ |
433 | - char dsa_rule[] = "[d][s][a][-][p][k][c][s][1][-][s][h][a][1]"; |
434 | - |
435 | - /* |
436 | - * Rule to get the info if we are using RSA |
437 | - */ |
438 | - char rsa_rule[] = "[r][s][a][-][p][k][c][s][1][-][s][h][a][1]"; |
439 | - |
440 | - /* |
441 | - * Rule to get DSA p |
442 | - * Look for pattern "(p |" and stop when first "|" |
443 | - * anything in base 64 is accepted inbetween |
444 | - */ |
445 | - char p_rule[] = "[(][p][ ][|][[A-Za-z0-9+/()#=-]*[|]"; |
446 | - |
447 | - /* |
448 | - * Rule to get DSA q |
449 | - * Look for pattern "(q |" and stop when first "|" |
450 | - * anything in base 64 is accepted inbetween |
451 | - */ |
452 | - char q_rule[] = "[(][q][ ][|][[A-Za-z0-9+/()#=-]*[|]"; |
453 | - |
454 | - /* |
455 | - * Rule to get DSA g |
456 | - * Look for pattern "(g |" and stop when first "|" |
457 | - * anything in base 64 is accepted inbetween |
458 | - */ |
459 | - char g_rule[] = "[(][g][ ][|][[A-Za-z0-9+/()#=-]*[|]"; |
460 | - |
461 | - /* |
462 | - * Rule to get DSA y / pub_key |
463 | - * Look for pattern "(y |" and stop when first "|" |
464 | - * anything in base 64 is accepted inbetween |
465 | - */ |
466 | - char y_rule[] = "[(][y][ ][|][[A-Za-z0-9+/()#=-]*[|]"; |
467 | - |
468 | - /* |
469 | - * rule to get the public exponent RSA |
470 | - * Look for the part that says # and after that some hex blob and # |
471 | - */ |
472 | - char e_rule[] = "[#][0-9A-Fa-f]*[#]"; |
473 | - |
474 | - /* |
475 | - * rule to get the public modulus RSA |
476 | - * Look for the part that starts with '|' and after that anything |
477 | - * that is in base 64 char set and then '|' again |
478 | - */ |
479 | - char n_rule[] = "[|][A-Za-z0-9+/()#=-]*[|]"; |
480 | - |
481 | - /* |
482 | - * rule to get the signature hash |
483 | - * Look for the similar than the n_rule |
484 | - */ |
485 | - char h_rule[] = "[|][A-Za-z0-9+/()#=-]*[|]"; |
486 | - |
487 | - /* |
488 | - * rule to get the signature |
489 | - * Look for part that starts ")|" and base 64 blob after it |
490 | - * and stops to '|' char remember to add and subtract 2 from |
491 | - * the indexes below |
492 | - */ |
493 | - char s_rule[] = "[)][|][A-Za-z0-9+/()#=-]*[|]"; |
494 | - |
495 | - cert = calloc(1, sizeof(struct hip_cert_spki_info)); |
496 | - HIP_IFEL(!cert, -1, "calloc for cert failed\n"); |
497 | - |
498 | - HIP_IFEL(!(p_cert = hip_get_param(msg, HIP_PARAM_CERT_SPKI_INFO)), |
499 | - -1, "No cert_info struct found\n"); |
500 | - memcpy(cert, p_cert, sizeof(struct hip_cert_spki_info)); |
501 | - |
502 | - /* check the algo DSA or RSA */ |
503 | - HIP_DEBUG("Verifying\nRunning regexps to identify algo\n"); |
504 | - start = stop = 0; |
505 | - algo = hip_cert_regex(dsa_rule, cert->public_key, &start, &stop); |
506 | - if (algo != -1) { |
507 | - HIP_DEBUG("Public-key is DSA\n"); |
508 | - algo = HIP_HI_DSA; |
509 | - goto algo_check_done; |
510 | - } |
511 | - start = stop = 0; |
512 | - algo = hip_cert_regex(rsa_rule, cert->public_key, &start, &stop); |
513 | - if (algo != -1) { |
514 | - HIP_DEBUG("Public-key is RSA\n"); |
515 | - algo = HIP_HI_RSA; |
516 | - goto algo_check_done; |
517 | - } |
518 | - |
519 | -algo_check_done: |
520 | - switch (algo) { |
521 | - case HIP_HI_RSA: |
522 | - /* malloc space for new rsa */ |
523 | - rsa = RSA_new(); |
524 | - HIP_IFEL(!rsa, -1, "Failed to malloc RSA\n"); |
525 | - |
526 | - /* extract the public-key from cert to rsa */ |
527 | - |
528 | - /* public exponent first */ |
529 | - start = stop = 0; |
530 | - HIP_IFEL(hip_cert_regex(e_rule, cert->public_key, &start, &stop), -1, |
531 | - "Failed to run hip_cert_regex (exponent)\n"); |
532 | - e_hex = malloc(stop - start); |
533 | - HIP_IFEL(!e_hex, -1, "Malloc for e_hex failed\n"); |
534 | - snprintf(e_hex, stop - start - 1, "%s", &cert->public_key[start + 1]); |
535 | - |
536 | - /* public modulus */ |
537 | - start = stop = 0; |
538 | - HIP_IFEL(hip_cert_regex(n_rule, cert->public_key, &start, &stop), -1, |
539 | - "Failed to run hip_cert_regex (modulus)\n"); |
540 | - modulus_b64 = calloc(1, stop - start + 1); |
541 | - HIP_IFEL(!modulus_b64, -1, "calloc for modulus_b64 failed\n"); |
542 | - modulus = calloc(1, stop - start + 1); |
543 | - HIP_IFEL(!modulus, -1, "calloc for modulus failed\n"); |
544 | - snprintf((char *) modulus_b64, stop - start - 1, "%s", |
545 | - &cert->public_key[start + 1]); |
546 | - |
547 | - /* put the stuff into the RSA struct */ |
548 | - BN_hex2bn(&rsa->e, e_hex); |
549 | - evpret = EVP_DecodeBlock(modulus, modulus_b64, |
550 | - strlen((char *) modulus_b64)); |
551 | - |
552 | - /* EVP returns a multiple of 3 octets, subtract any extra */ |
553 | - keylen = evpret; |
554 | - if (keylen % 4 != 0) { |
555 | - --keylen; |
556 | - keylen = keylen - keylen % 2; |
557 | - } |
558 | - signature = malloc(keylen); |
559 | - HIP_IFEL(!signature, -1, "Malloc for signature failed.\n"); |
560 | - rsa->n = BN_bin2bn(modulus, keylen, 0); |
561 | - break; |
562 | - case HIP_HI_DSA: |
563 | - /* malloc space for new dsa */ |
564 | - dsa = DSA_new(); |
565 | - HIP_IFEL(!dsa, -1, "Failed to malloc DSA\n"); |
566 | - |
567 | - /* Extract public key from the cert */ |
568 | - |
569 | - /* dsa->p */ |
570 | - start = stop = 0; |
571 | - HIP_IFEL(hip_cert_regex(p_rule, cert->public_key, &start, &stop), -1, |
572 | - "Failed to run hip_cert_regex dsa->p\n"); |
573 | - p_b64 = calloc(1, stop - start + 1); |
574 | - HIP_IFEL(!p_b64, -1, "calloc for p_b64 failed\n"); |
575 | - p_bin = calloc(1, stop - start + 1); |
576 | - HIP_IFEL(!p_bin, -1, "calloc for p_bin failed\n"); |
577 | - snprintf((char *) p_b64, stop - start - 1, "%s", |
578 | - &cert->public_key[start + 1]); |
579 | - evpret = EVP_DecodeBlock(p_bin, p_b64, strlen((char *) p_b64)); |
580 | - |
581 | - /* dsa->q */ |
582 | - start = stop = 0; |
583 | - HIP_IFEL(hip_cert_regex(q_rule, cert->public_key, &start, &stop), -1, |
584 | - "Failed to run hip_cert_regex dsa->q\n"); |
585 | - q_b64 = calloc(1, stop - start + 1); |
586 | - HIP_IFEL(!q_b64, -1, "calloc for q_b64 failed\n"); |
587 | - q_bin = calloc(1, stop - start + 1); |
588 | - HIP_IFEL(!q_bin, -1, "calloc for q_bin failed\n"); |
589 | - snprintf((char *) q_b64, stop - start - 1, "%s", |
590 | - &cert->public_key[start + 1]); |
591 | - evpret = EVP_DecodeBlock(q_bin, q_b64, strlen((char *) q_b64)); |
592 | - |
593 | - /* dsa->g */ |
594 | - start = stop = 0; |
595 | - HIP_IFEL(hip_cert_regex(g_rule, cert->public_key, &start, &stop), -1, |
596 | - "Failed to run hip_cert_regex dsa->g\n"); |
597 | - g_b64 = calloc(1, stop - start + 1); |
598 | - HIP_IFEL(!g_b64, -1, "calloc for g_b64 failed\n"); |
599 | - g_bin = calloc(1, stop - start + 1); |
600 | - HIP_IFEL(!g_bin, -1, "calloc for g_bin failed\n"); |
601 | - snprintf((char *) g_b64, stop - start - 1, "%s", |
602 | - &cert->public_key[start + 1]); |
603 | - evpret = EVP_DecodeBlock(g_bin, g_b64, strlen((char *) g_b64)); |
604 | - |
605 | - /* dsa->y */ |
606 | - start = stop = 0; |
607 | - HIP_IFEL(hip_cert_regex(y_rule, cert->public_key, &start, &stop), -1, |
608 | - "Failed to run hip_cert_regex dsa->y\n"); |
609 | - y_b64 = calloc(1, stop - start + 1); |
610 | - HIP_IFEL(!y_b64, -1, "calloc for y_b64 failed\n"); |
611 | - y_bin = calloc(1, stop - start + 1); |
612 | - HIP_IFEL(!y_bin, -1, "calloc for y_bin failed\n"); |
613 | - snprintf((char *) y_b64, stop - start - 1, "%s", |
614 | - &cert->public_key[start + 1]); |
615 | - evpret = EVP_DecodeBlock(y_bin, y_b64, strlen((char *) y_b64)); |
616 | - break; |
617 | - case HIP_HI_ECDSA: |
618 | - HIP_DEBUG("CALL TO UNIMPLEMENTED ECDSA CASE\n"); |
619 | - HIP_OUT_ERR(-1, "Unknown algorithm\n"); |
620 | - break; |
621 | - default: |
622 | - HIP_OUT_ERR(-1, "Unknown algorithm\n"); |
623 | - } |
624 | - |
625 | - /* build sha1 digest that will be signed */ |
626 | - HIP_IFEL(!(sha_retval = SHA1((unsigned char *) cert->cert, |
627 | - strlen(cert->cert), sha_digest)), |
628 | - -1, "SHA1 error when creating digest.\n"); |
629 | - |
630 | - /* Get the signature hash and compare it to the sha_digest we just made */ |
631 | - start = stop = 0; |
632 | - HIP_IFEL(hip_cert_regex(h_rule, cert->signature, &start, &stop), -1, |
633 | - "Failed to run hip_cert_regex (signature hash)\n"); |
634 | - signature_hash_b64 = calloc(1, stop - start + 1); |
635 | - HIP_IFEL(!signature_hash_b64, -1, "Failed to calloc signature_hash_b64\n"); |
636 | - signature_hash = malloc(stop - start + 1); |
637 | - HIP_IFEL(!signature_hash, -1, "Failed to malloc signature_hash\n"); |
638 | - snprintf((char *) signature_hash_b64, stop - start - 1, "%s", |
639 | - &cert->signature[start + 1]); |
640 | - evpret = EVP_DecodeBlock(signature_hash, signature_hash_b64, |
641 | - strlen((char *) signature_hash_b64)); |
642 | - HIP_IFEL(memcmp(sha_digest, signature_hash, 20), -1, |
643 | - "Signature hash did not match of the one made from the" |
644 | - "cert sequence in the certificate\n"); |
645 | - |
646 | - /* memset signature and put it into its place */ |
647 | - start = stop = 0; |
648 | - HIP_IFEL(hip_cert_regex(s_rule, cert->signature, &start, &stop), -1, |
649 | - "Failed to run hip_cert_regex (signature)\n"); |
650 | - signature_b64 = calloc(1, stop - start + 1); |
651 | - HIP_IFEL(!signature_b64, -1, "Failed to calloc signature_b64\n"); |
652 | - snprintf((char *) signature_b64, stop - start - 2, "%s", |
653 | - &cert->signature[start + 2]); |
654 | - if (algo == HIP_HI_DSA) { |
655 | - signature = malloc(stop - start + 1); |
656 | - HIP_IFEL(!signature, -1, "Failed to malloc signature (dsa)\n"); |
657 | - } |
658 | - evpret = EVP_DecodeBlock(signature, signature_b64, |
659 | - strlen((char *) signature_b64)); |
660 | - |
661 | - switch (algo) { |
662 | - case HIP_HI_RSA: |
663 | - /* do the verification */ |
664 | - err = RSA_verify(NID_sha1, sha_digest, SHA_DIGEST_LENGTH, |
665 | - signature, RSA_size(rsa), rsa); |
666 | - e_code = ERR_get_error(); |
667 | - ERR_load_crypto_strings(); |
668 | - ERR_error_string(e_code, buf); |
669 | - |
670 | - /* RSA_verify returns 1 if success. */ |
671 | - cert->success = err == 1 ? 0 : -1; |
672 | - HIP_IFEL((err = err == 1 ? 0 : -1), -1, "RSA_verify error\n"); |
673 | - break; |
674 | - case HIP_HI_DSA: |
675 | - /* build the signature structure */ |
676 | - dsa_sig = DSA_SIG_new(); |
677 | - HIP_IFEL(!dsa_sig, 1, "Failed to allocate DSA_SIG\n"); |
678 | - dsa_sig->r = BN_bin2bn(&signature[1], DSA_PRIV, NULL); |
679 | - dsa_sig->s = BN_bin2bn(&signature[1 + DSA_PRIV], DSA_PRIV, NULL); |
680 | - |
681 | - /* verify the DSA signature */ |
682 | - err = DSA_do_verify(sha_digest, SHA_DIGEST_LENGTH, |
683 | - dsa_sig, dsa) == 0 ? 1 : 0; |
684 | - |
685 | - /* DSA_do_verify returns 1 if success. */ |
686 | - cert->success = err == 1 ? 0 : -1; |
687 | - HIP_IFEL((err = err == 1 ? 0 : -1), -1, "DSA_do_verify error\n"); |
688 | - break; |
689 | - case HIP_HI_ECDSA: |
690 | - HIP_DEBUG("CALL TO UNIMPLEMENTED ECDSA CASE\n"); |
691 | - HIP_OUT_ERR(-1, "Unknown algorithm for signing\n"); |
692 | - break; |
693 | - default: |
694 | - HIP_OUT_ERR(-1, "Unknown algorithm\n"); |
695 | - } |
696 | - |
697 | - hip_msg_init(msg); |
698 | - |
699 | - HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_CERT_SPKI_SIGN, 0), -1, |
700 | - "Failed to build user header\n"); |
701 | - HIP_IFEL(hip_build_param_cert_spki_info(msg, cert), -1, |
702 | - "Failed to build cert_info\n"); |
703 | - |
704 | -out_err: |
705 | - free(signature_hash_b64); |
706 | - free(signature_hash); |
707 | - free(modulus_b64); |
708 | - free(modulus); |
709 | - free(cert); |
710 | - free(signature); |
711 | - free(e_hex); |
712 | - RSA_free(rsa); |
713 | - DSA_free(dsa); |
714 | - DSA_SIG_free(dsa_sig); |
715 | - |
716 | - return err; |
717 | -} |
718 | - |
719 | -/**************************************************************************** |
720 | - * |
721 | - * X.509v3 |
722 | - * |
723 | - ***************************************************************************/ |
724 | - |
725 | -/** |
726 | - * Function that creates the certificate and sends it to back to the client. |
727 | - * |
728 | - * @param msg is a pointer to the msg containing a x509v3 cert in cert parameter |
729 | - * |
730 | - * @return 0 on success negative otherwise. |
731 | - */ |
732 | -int hip_cert_x509v3_handle_request_to_sign(struct hip_common *msg) |
733 | -{ |
734 | - int err = 0, i = 0, nid = 0, ret = 0, secs = 0, algo = 0; |
735 | - CONF *conf; |
736 | - CONF_VALUE *item; |
737 | - STACK_OF(CONF_VALUE) *sec_general = NULL; |
738 | - STACK_OF(CONF_VALUE) *sec_name = NULL; |
739 | - STACK_OF(CONF_VALUE) *sec_ext = NULL; |
740 | - |
741 | - X509_REQ *req = NULL; |
742 | - X509_NAME *issuer = NULL; |
743 | - X509_NAME *subj = NULL; |
744 | - X509_EXTENSION *ext = NULL; |
745 | - STACK_OF(X509_EXTENSION) *extlist = NULL; |
746 | - X509_NAME_ENTRY *ent; |
747 | - EVP_PKEY *pkey; |
748 | - /** XX TODO THIS should come from a configuration file |
749 | - * monotonically increasing counter */ |
750 | - long serial = 0; |
751 | - const EVP_MD *digest = NULL; |
752 | - X509 *cert; |
753 | - X509V3_CTX ctx; |
754 | - const struct hip_cert_x509_req *subject; |
755 | - char subject_hit[41]; |
756 | - char issuer_hit[41]; |
757 | - char ialtname[45]; |
758 | - char saltname[45]; |
759 | - struct in6_addr *issuer_hit_n; |
760 | - struct hip_host_id *host_id; |
761 | - RSA *rsa = NULL; |
762 | - DSA *dsa = NULL; |
763 | - unsigned char *der_cert = NULL; |
764 | - int der_cert_len = 0; |
765 | - char arg1[21]; |
766 | - char arg2[21]; |
767 | - |
768 | - HIP_IFEL(!(issuer_hit_n = malloc(sizeof(struct in6_addr))), -1, |
769 | - "Malloc for subject failed\n"); |
770 | - HIP_IFEL(!(pkey = malloc(sizeof(EVP_PKEY))), -1, |
771 | - "Malloc for pkey failed\n"); |
772 | - |
773 | - OpenSSL_add_all_algorithms(); |
774 | - ERR_load_crypto_strings(); |
775 | - |
776 | - HIP_DEBUG("Reading configuration file (%s)\n", HIP_CERT_CONF_PATH); |
777 | - conf = hip_open_conf(HIP_CERT_CONF_PATH); |
778 | - sec_general = hip_read_conf_section("hip_x509v3", conf); |
779 | - sec_name = hip_read_conf_section("hip_x509v3_name", conf); |
780 | - sec_ext = hip_read_conf_section("hip_x509v3_extensions", conf); |
781 | - NCONF_free(conf); |
782 | - |
783 | - /* Get the general information */ |
784 | - HIP_IFEL(sec_general == NULL, -1, |
785 | - "Failed to load general certificate information\n"); |
786 | - HIP_IFEL(!(req = X509_REQ_new()), -1, "Failed to create X509_REQ object"); |
787 | - |
788 | - HIP_IFEL(sec_name == NULL, -1, |
789 | - "Failed to load issuer naming information for the certificate\n"); |
790 | - |
791 | - /* Issuer naming */ |
792 | - if (sec_general != NULL) { |
793 | - /* Loop through the conf stack for general information */ |
794 | - extlist = sk_X509_EXTENSION_new_null(); |
795 | - for (i = 0; i < sk_CONF_VALUE_num(sec_general); i++) { |
796 | - item = sk_CONF_VALUE_value(sec_general, i); |
797 | - if (!strcmp(item->name, "issuerhit")) { |
798 | - strcpy(issuer_hit, item->value); |
799 | - ret = inet_pton(AF_INET6, item->value, issuer_hit_n); |
800 | - HIP_IFEL(ret < 0 && errno == EAFNOSUPPORT, -1, |
801 | - "Failed to convert issuer HIT to hip_hit_t\n"); |
802 | - HIP_DEBUG_HIT("Issuer HIT", issuer_hit_n); |
803 | - HIP_IFEL(!inet_ntop(AF_INET6, issuer_hit_n, |
804 | - issuer_hit, sizeof(issuer_hit)), |
805 | - -1, "Failed to convert subject hit to " |
806 | - "presentation format\n"); |
807 | - } |
808 | - if (!strcmp(item->name, "days")) { |
809 | - secs = HIP_CERT_DAY * atoi(item->value); |
810 | - } |
811 | - } |
812 | - } |
813 | - HIP_IFEL(!(issuer = X509_NAME_new()), -1, "Failed to set create issuer name"); |
814 | - nid = OBJ_txt2nid("commonName"); |
815 | - HIP_IFEL(nid == NID_undef, -1, "NID text not defined\n"); |
816 | - HIP_IFEL(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, nid, MBSTRING_ASC, |
817 | - (unsigned char *) issuer_hit, -1)), -1, |
818 | - "Failed to create name entry for issuer\n"); |
819 | - HIP_IFEL(X509_NAME_add_entry(issuer, ent, -1, 0) != 1, -1, |
820 | - "Failed to add entry to issuer name\n"); |
821 | - |
822 | - /* Subject naming */ |
823 | - /* Get the subject hit from msg */ |
824 | - HIP_IFEL(!(subject = hip_get_param(msg, HIP_PARAM_CERT_X509_REQ)), |
825 | - -1, "No cert_info struct found\n"); |
826 | - HIP_IFEL(!inet_ntop(AF_INET6, &subject->addr, subject_hit, sizeof(subject_hit)), |
827 | - -1, "Failed to convert subject hit to presentation format\n"); |
828 | - HIP_IFEL(!(subj = X509_NAME_new()), -1, "Failed to set create subject name"); |
829 | - nid = OBJ_txt2nid("commonName"); |
830 | - HIP_IFEL(nid == NID_undef, -1, "NID text not defined\n"); |
831 | - HIP_IFEL(!(ent = X509_NAME_ENTRY_create_by_NID(NULL, nid, MBSTRING_ASC, |
832 | - (unsigned char *) subject_hit, -1)), -1, |
833 | - "Failed to create name entry for subject\n"); |
834 | - HIP_IFEL(X509_NAME_add_entry(subj, ent, -1, 0) != 1, -1, |
835 | - "Failed to add entry to subject name\n"); |
836 | - HIP_IFEL(X509_REQ_set_subject_name(req, subj) != 1, -1, |
837 | - "Failed to add subject name to certificate request\n"); |
838 | - |
839 | - /* XX TODO add a check to skip subjectAltName and issuerAltName because they are |
840 | - * already in use by with IP:<hit> stuff */ |
841 | - if (sec_ext != NULL) { |
842 | - /* Loop through the conf stack and add extensions to ext stack */ |
843 | - extlist = sk_X509_EXTENSION_new_null(); |
844 | - for (i = 0; i < sk_CONF_VALUE_num(sec_ext); i++) { |
845 | - item = sk_CONF_VALUE_value(sec_ext, i); |
846 | - HIP_IFEL(!(ext = X509V3_EXT_conf(NULL, &ctx, |
847 | - item->name, item->value)), -1, |
848 | - "Failed to create extension\n"); |
849 | - sk_X509_EXTENSION_push(extlist, ext); |
850 | - } |
851 | - HIP_IFEL(!X509_REQ_add_extensions(req, extlist), -1, |
852 | - "Failed to add extensions to the request\n"); |
853 | - } |
854 | - |
855 | - /** NOW WE ARE READY TO CREATE A CERTIFICATE FROM THE REQUEST */ |
856 | - HIP_DEBUG("Starting the certificate creation\n"); |
857 | - |
858 | - HIP_IFEL(!(cert = X509_new()), -1, |
859 | - "Failed to create X509 object\n"); |
860 | - |
861 | - HIP_IFEL(X509_set_version(cert, 2L) != 1, -1, |
862 | - "Failed to set certificate version\n"); |
863 | - /** XX TODO serial should be stored after increasing it */ |
864 | - ASN1_INTEGER_set(X509_get_serialNumber(cert), serial++); |
865 | - |
866 | - HIP_IFEL(X509_set_subject_name(cert, subj) != 1, -1, |
867 | - "Failed to set subject name of certificate\n"); |
868 | - HIP_IFEL(X509_set_issuer_name(cert, issuer) != 1, -1, |
869 | - "Failed to set issuer name of certificate\n"); |
870 | - HIP_IFEL(!X509_gmtime_adj(X509_get_notBefore(cert), 0), -1, |
871 | - "Error setting beginning time of the certificate"); |
872 | - HIP_IFEL(!X509_gmtime_adj(X509_get_notAfter(cert), secs), -1, |
873 | - "Error setting ending time of the certificate"); |
874 | - |
875 | - HIP_DEBUG("Getting the key\n"); |
876 | - |
877 | - HIP_IFEL(hip_get_host_id_and_priv_key(issuer_hit_n, |
878 | - HIP_ANY_ALGO, |
879 | - &host_id, |
880 | - (void *) &rsa), |
881 | - -1, "Private key not found\n"); |
882 | - |
883 | - algo = host_id->rdata.algorithm; |
884 | - if (algo == HIP_HI_DSA) { |
885 | - dsa = (DSA *) rsa; |
886 | - } |
887 | - |
888 | - switch (algo) { |
889 | - case HIP_HI_RSA: |
890 | - HIP_IFEL(!EVP_PKEY_assign_RSA(pkey, rsa), -1, |
891 | - "Failed to convert RSA to EVP_PKEY\n"); |
892 | - HIP_IFEL(X509_set_pubkey(cert, pkey) != 1, -1, |
893 | - "Failed to set public key of the certificate\n"); |
894 | - break; |
895 | - case HIP_HI_DSA: |
896 | - HIP_IFEL(!EVP_PKEY_assign_DSA(pkey, dsa), -1, |
897 | - "Failed to convert DSA to EVP_PKEY\n"); |
898 | - HIP_IFEL(X509_set_pubkey(cert, pkey) != 1, -1, |
899 | - "Failed to set public key of the certificate\n"); |
900 | - break; |
901 | - case HIP_HI_ECDSA: |
902 | - HIP_DEBUG("CALL TO UNIMPLEMENTED ECDSA CASE\n"); |
903 | - HIP_OUT_ERR(-1, "Unknown algorithm for signing\n"); |
904 | - break; |
905 | - default: |
906 | - HIP_OUT_ERR(-1, "Unknown algorithm\n"); |
907 | - } |
908 | - |
909 | - if (sec_ext != NULL) { |
910 | - for (i = 0; i < sk_CONF_VALUE_num(sec_ext); i++) { |
911 | - item = sk_CONF_VALUE_value(sec_ext, i); |
912 | - /* |
913 | - * Skip issuerAltName and subjectAltName because |
914 | - * HITs use them already. Skip also basicConstraint = |
915 | - * CA:true and subjectKeyIdentifier because they are |
916 | - * added automatically in the code below |
917 | - */ |
918 | - if (!strcmp(item->name, "issuerAltname")) { |
919 | - continue; |
920 | - } |
921 | - if (!strcmp(item->name, "subjectAltname")) { |
922 | - continue; |
923 | - } |
924 | - if (0 == memcmp(subject_hit, issuer_hit, sizeof(issuer_hit))) { |
925 | - if (!strcmp(item->name, "basicConstraints") && |
926 | - !strcmp(item->value, "CA:true")) { |
927 | - continue; |
928 | - } |
929 | - if (!strcmp(item->name, "subjectKeyIdentifier")) { |
930 | - continue; |
931 | - } |
932 | - } |
933 | - HIP_IFEL(!(ext = X509V3_EXT_conf(NULL, &ctx, |
934 | - item->name, item->value)), -1, |
935 | - "Failed to create extension\n"); |
936 | - HIP_IFEL(!X509_add_ext(cert, ext, -1), -1, |
937 | - "Failed to add extensions to the cert\n"); |
938 | - } |
939 | - } |
940 | - |
941 | - if (0 == memcmp(subject_hit, issuer_hit, sizeof(issuer_hit))) { |
942 | - /* Subjects and issuers hit match so |
943 | - * we are writing a CA cert and in CA self-signed |
944 | - * certificate you have to have subject key identifier |
945 | - * present, when adding subjectKeyIdentifier give string |
946 | - * hash to the X509_EXT_conf it knows what to do with it */ |
947 | - |
948 | - /* X509V3_EXT_conf() doesn't accept const char *, so we |
949 | - * write the arguments to a buffer first */ |
950 | - sprintf(arg1, "basicConstraints"); |
951 | - sprintf(arg2, "CA:true"); |
952 | - HIP_IFEL(!(ext = X509V3_EXT_conf(NULL, &ctx, |
953 | - arg1, arg2)), -1, |
954 | - "Failed to create extension\n"); |
955 | - HIP_IFEL(!X509_add_ext(cert, ext, -1), -1, |
956 | - "Failed to add extensions to the cert\n"); |
957 | - |
958 | - sprintf(arg1, "subjectKeyIdentifier"); |
959 | - sprintf(arg2, "hash"); |
960 | - HIP_IFEL(!(ext = X509V3_EXT_conf(NULL, &ctx, |
961 | - arg1, arg2)), -1, |
962 | - "Failed to create extension\n"); |
963 | - HIP_IFEL(!X509_add_ext(cert, ext, -1), -1, |
964 | - "Failed to add extensions to the cert\n"); |
965 | - } |
966 | - |
967 | - /* add subjectAltName = IP:<HIT> */ |
968 | - sprintf(arg1, "issuerAltName"); |
969 | - sprintf(ialtname, "IP:%s", issuer_hit); |
970 | - HIP_IFEL(!(ext = X509V3_EXT_conf(NULL, &ctx, |
971 | - arg1, ialtname)), -1, |
972 | - "Failed to create extension\n"); |
973 | - HIP_IFEL(!X509_add_ext(cert, ext, -1), -1, |
974 | - "Failed to add extensions to the cert\n"); |
975 | - /* add subjectAltName = IP:<HIT> */ |
976 | - sprintf(arg1, "subjectAltName"); |
977 | - sprintf(saltname, "IP:%s", subject_hit); |
978 | - HIP_IFEL(!(ext = X509V3_EXT_conf(NULL, &ctx, |
979 | - arg1, saltname)), -1, |
980 | - "Failed to create extension\n"); |
981 | - HIP_IFEL(!X509_add_ext(cert, ext, -1), -1, |
982 | - "Failed to add extensions to the cert\n"); |
983 | - |
984 | - switch (algo) { |
985 | - case HIP_HI_RSA: |
986 | - digest = EVP_sha1(); |
987 | - break; |
988 | - case HIP_HI_DSA: |
989 | - digest = EVP_dss1(); |
990 | - break; |
991 | - case HIP_HI_ECDSA: |
992 | - HIP_DEBUG("CALL TO UNIMPLEMENTED ECDSA CASE\n"); |
993 | - HIP_OUT_ERR(-1, "Unknown algorithm for signing\n"); |
994 | - break; |
995 | - default: |
996 | - HIP_OUT_ERR(-1, "Unknown algorithm\n"); |
997 | - } |
998 | - |
999 | - HIP_IFEL(!X509_sign(cert, pkey, digest), -1, |
1000 | - "Failed to sign x509v3 certificate\n"); |
1001 | - |
1002 | - /** DER */ |
1003 | - HIP_IFEL((der_cert_len = i2d_X509(cert, &der_cert)) < 0, -1, |
1004 | - "Failed to convert cert to DER\n"); |
1005 | - /** end DER */ |
1006 | - |
1007 | - hip_msg_init(msg); |
1008 | - |
1009 | - HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_CERT_X509V3_SIGN, 0), -1, |
1010 | - "Failed to build user header\n"); |
1011 | - HIP_IFEL(hip_build_param_cert_x509_resp(msg, (char *) der_cert, der_cert_len), -1, |
1012 | - "Failed to create x509 response parameter\n"); |
1013 | - |
1014 | -out_err: |
1015 | - free(host_id); |
1016 | - X509_REQ_free(req); |
1017 | - sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free); |
1018 | - return err; |
1019 | -} |
1020 | - |
1021 | -static int verify_callback(int ok, DBG X509_STORE_CTX *stor) |
1022 | -{ |
1023 | - /* This is not called from anywhere else than this file */ |
1024 | - if (!ok) { |
1025 | - HIP_DEBUG("Error: %s\n", X509_verify_cert_error_string(stor->error)); |
1026 | - } |
1027 | - return ok; |
1028 | -} |
1029 | - |
1030 | -/** |
1031 | - * Function verifies the given certificate and sends it to back to the client. |
1032 | - * |
1033 | - * @param msg is a pointer to the requesting msg that contains a cert parameter with x509v3 cert |
1034 | - * |
1035 | - * @return 0 on success negative otherwise. |
1036 | - */ |
1037 | -int hip_cert_x509v3_handle_request_to_verify(struct hip_common *msg) |
1038 | -{ |
1039 | - int err = 0; |
1040 | - struct hip_cert_x509_resp verify; |
1041 | - const struct hip_cert_x509_resp *p; |
1042 | - X509 *cert = NULL; |
1043 | - X509_STORE *store = NULL; |
1044 | - X509_STORE_CTX *verify_ctx = NULL; |
1045 | - unsigned char *der_cert = NULL; |
1046 | - const unsigned char *vessel; |
1047 | - |
1048 | - OpenSSL_add_all_algorithms(); |
1049 | - ERR_load_crypto_strings(); |
1050 | - |
1051 | - HIP_IFEL(!(p = hip_get_param(msg, HIP_PARAM_CERT_X509_REQ)), -1, |
1052 | - "Failed to get cert info from the msg\n"); |
1053 | - memcpy(&verify, p, sizeof(struct hip_cert_x509_resp)); |
1054 | - |
1055 | - der_cert = (unsigned char *) &p->der; |
1056 | - |
1057 | - vessel = p->der; |
1058 | - HIP_IFEL((cert = d2i_X509(NULL, &vessel, verify.der_len)) == NULL, -1, |
1059 | - "Failed to convert cert from DER to internal format\n"); |
1060 | - /* |
1061 | - * HIP_IFEL(!X509_print_fp(stdout, cert), -1, |
1062 | - * "Failed to print x.509v3 in human readable format\n"); |
1063 | - */ |
1064 | - |
1065 | - HIP_IFEL(!(store = X509_STORE_new()), -1, |
1066 | - "Failed to create X509_STORE_CTX object\n"); |
1067 | - X509_STORE_set_verify_cb_func(store, verify_callback); |
1068 | - |
1069 | - /* self signed so te cert itself should verify itself */ |
1070 | - |
1071 | - HIP_IFEL(!X509_STORE_add_cert(store, cert), -1, |
1072 | - "Failed to add cert to ctx\n"); |
1073 | - |
1074 | - HIP_IFEL(!(verify_ctx = X509_STORE_CTX_new()), -1, |
1075 | - "Failed to create X509_STORE_CTX object\n"); |
1076 | - |
1077 | - HIP_IFEL(X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1, -1, |
1078 | - "Failed to initialize verification context\n"); |
1079 | - |
1080 | - if (X509_verify_cert(verify_ctx) != 1) { |
1081 | - HIP_DEBUG("Error verifying the certificate\n"); |
1082 | - err = -1; |
1083 | - } else { |
1084 | - HIP_DEBUG("Certificate verified correctly!\n"); |
1085 | - err = 0; |
1086 | - } |
1087 | - |
1088 | - hip_msg_init(msg); |
1089 | - HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_CERT_X509V3_VERIFY, err), -1, |
1090 | - "Failed to build user header\n"); |
1091 | - HIP_IFEL(hip_build_param_cert_x509_resp(msg, (char *) &der_cert, p->der_len), -1, |
1092 | - "Failed to create x509 response parameter\n"); |
1093 | - |
1094 | -out_err: |
1095 | - X509_STORE_CTX_cleanup(verify_ctx); |
1096 | - X509_STORE_free(store); |
1097 | - X509_free(cert); |
1098 | - return err; |
1099 | -} |
1100 | |
1101 | === removed file 'hipd/cert.h' |
1102 | --- hipd/cert.h 2011-11-25 17:56:24 +0000 |
1103 | +++ hipd/cert.h 1970-01-01 00:00:00 +0000 |
1104 | @@ -1,48 +0,0 @@ |
1105 | -/* |
1106 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
1107 | - * |
1108 | - * Permission is hereby granted, free of charge, to any person |
1109 | - * obtaining a copy of this software and associated documentation |
1110 | - * files (the "Software"), to deal in the Software without |
1111 | - * restriction, including without limitation the rights to use, |
1112 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
1113 | - * copies of the Software, and to permit persons to whom the |
1114 | - * Software is furnished to do so, subject to the following |
1115 | - * conditions: |
1116 | - * |
1117 | - * The above copyright notice and this permission notice shall be |
1118 | - * included in all copies or substantial portions of the Software. |
1119 | - * |
1120 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
1121 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
1122 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
1123 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
1124 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
1125 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
1126 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
1127 | - * OTHER DEALINGS IN THE SOFTWARE. |
1128 | - */ |
1129 | - |
1130 | -/** |
1131 | - * @file |
1132 | - * |
1133 | - * Certificate signing and verification functions. |
1134 | - */ |
1135 | - |
1136 | -#ifndef HIPL_HIPD_CERT_H |
1137 | -#define HIPL_HIPD_CERT_H |
1138 | - |
1139 | -#include <openssl/rsa.h> |
1140 | - |
1141 | -#include "lib/core/hashtable.h" |
1142 | -#include "lib/core/protodefs.h" |
1143 | - |
1144 | -/** SPKI */ |
1145 | -int hip_cert_spki_sign(struct hip_common *); |
1146 | -int hip_cert_spki_verify(struct hip_common *); |
1147 | - |
1148 | -/** x509v3 */ |
1149 | -int hip_cert_x509v3_handle_request_to_sign(struct hip_common *); |
1150 | -int hip_cert_x509v3_handle_request_to_verify(struct hip_common *); |
1151 | - |
1152 | -#endif /* HIPL_HIPD_CERT_H */ |
1153 | |
1154 | === modified file 'hipd/init.c' |
1155 | --- hipd/init.c 2012-01-18 21:21:26 +0000 |
1156 | +++ hipd/init.c 2012-02-20 21:42:18 +0000 |
1157 | @@ -435,81 +435,6 @@ |
1158 | return err; |
1159 | } |
1160 | |
1161 | -/* Needed if the configuration file for certs did not exist */ |
1162 | -#define HIP_CERT_INIT_DAYS 10 |
1163 | - |
1164 | -/** |
1165 | - * Initialize certificates for the local host |
1166 | - * |
1167 | - * @return zero on success or negative on failure |
1168 | - */ |
1169 | -static int init_certs(void) |
1170 | -{ |
1171 | - int err = 0; |
1172 | - char hit[41]; |
1173 | - FILE *conf_file; |
1174 | - struct local_host_id *entry; |
1175 | - char hostname[HIP_HOST_ID_HOSTNAME_LEN_MAX]; |
1176 | - |
1177 | - HIP_IFEL(gethostname(hostname, sizeof(hostname)), -1, |
1178 | - "gethostname failed\n"); |
1179 | - |
1180 | - conf_file = fopen(HIP_CERT_CONF_PATH, "r"); |
1181 | - if (!conf_file) { |
1182 | - HIP_DEBUG("Configuration file did NOT exist creating it and " |
1183 | - "filling it with default information\n"); |
1184 | - /* Fetch the first RSA HIT */ |
1185 | - entry = hip_get_hostid_entry_by_lhi_and_algo(NULL, HIP_HI_RSA, -1); |
1186 | - if (entry == NULL) { |
1187 | - HIP_DEBUG("Failed to get the first RSA HI"); |
1188 | - goto out_err; |
1189 | - } |
1190 | - hip_in6_ntop(&entry->hit, hit); |
1191 | - conf_file = fopen(HIP_CERT_CONF_PATH, "w+"); |
1192 | - fprintf(conf_file, |
1193 | - "# Section containing SPKI related information\n" |
1194 | - "#\n" |
1195 | - "# issuerhit = what hit is to be used when signing\n" |
1196 | - "# days = how long is this key valid\n" |
1197 | - "\n" |
1198 | - "[ hip_spki ]\n" |
1199 | - "issuerhit = %s\n" |
1200 | - "days = %d\n" |
1201 | - "\n" |
1202 | - "# Section containing HIP related information\n" |
1203 | - "#\n" |
1204 | - "# issuerhit = what hit is to be used when signing\n" |
1205 | - "# days = how long is this key valid\n" |
1206 | - "\n" |
1207 | - "[ hip_x509v3 ]\n" |
1208 | - "issuerhit = %s\n" |
1209 | - "days = %d\n" |
1210 | - "\n" |
1211 | - "#Section containing the name section for the x509v3 issuer name" |
1212 | - "\n" |
1213 | - "[ hip_x509v3_name ]\n" |
1214 | - "issuerhit = %s\n" |
1215 | - "\n" |
1216 | - "# Uncomment this section to add x509 extensions\n" |
1217 | - "# to the certificate\n" |
1218 | - "#\n" |
1219 | - "# DO NOT use subjectAltName, issuerAltName or\n" |
1220 | - "# basicConstraints implementation uses them already\n" |
1221 | - "# All other extensions are allowed\n" |
1222 | - "\n" |
1223 | - "# [ hip_x509v3_extensions ]\n", |
1224 | - hit, HIP_CERT_INIT_DAYS, |
1225 | - hit, HIP_CERT_INIT_DAYS, |
1226 | - hit /* TODO SAMU: removed because not used:*/ /*, hostname*/); |
1227 | - } else { |
1228 | - HIP_DEBUG("Configuration file existed exiting init_certs\n"); |
1229 | - } |
1230 | - fclose(conf_file); |
1231 | - |
1232 | -out_err: |
1233 | - return err; |
1234 | -} |
1235 | - |
1236 | static void init_packet_types(void) |
1237 | { |
1238 | lmod_register_packet_type(HIP_I1, "HIP_I1"); |
1239 | @@ -894,7 +819,7 @@ |
1240 | */ |
1241 | int hipd_init(const uint64_t flags) |
1242 | { |
1243 | - int err = 0, certerr = 0, i, j; |
1244 | + int err = 0, i, j; |
1245 | int killold = (flags & HIPD_START_KILL_OLD) > 0; |
1246 | unsigned int mtu_val = HIP_HIT_DEV_MTU; |
1247 | char str[64]; |
1248 | @@ -1035,12 +960,6 @@ |
1249 | return -1; |
1250 | } |
1251 | |
1252 | - certerr = 0; |
1253 | - certerr = init_certs(); |
1254 | - if (certerr < 0) { |
1255 | - HIP_DEBUG("Initializing cert configuration file returned error\n"); |
1256 | - } |
1257 | - |
1258 | /* Service initialization. */ |
1259 | hip_init_services(); |
1260 | |
1261 | |
1262 | === modified file 'hipd/input.c' |
1263 | --- hipd/input.c 2012-02-17 10:45:47 +0000 |
1264 | +++ hipd/input.c 2012-02-20 21:42:18 +0000 |
1265 | @@ -73,7 +73,6 @@ |
1266 | #include "netdev.h" |
1267 | #include "opp_mode.h" |
1268 | #include "output.h" |
1269 | -#include "pisa.h" |
1270 | #include "pkt_handling.h" |
1271 | #include "registration.h" |
1272 | #include "input.h" |
1273 | |
1274 | === modified file 'hipd/output.c' |
1275 | --- hipd/output.c 2012-02-15 17:37:10 +0000 |
1276 | +++ hipd/output.c 2012-02-20 21:42:18 +0000 |
1277 | @@ -65,7 +65,6 @@ |
1278 | #include "hiprelay.h" |
1279 | #include "nat.h" |
1280 | #include "netdev.h" |
1281 | -#include "pisa.h" |
1282 | #include "registration.h" |
1283 | #include "output.h" |
1284 | |
1285 | |
1286 | === removed file 'hipd/pisa.c' |
1287 | --- hipd/pisa.c 2011-10-25 21:14:16 +0000 |
1288 | +++ hipd/pisa.c 1970-01-01 00:00:00 +0000 |
1289 | @@ -1,83 +0,0 @@ |
1290 | -/* |
1291 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
1292 | - * |
1293 | - * Permission is hereby granted, free of charge, to any person |
1294 | - * obtaining a copy of this software and associated documentation |
1295 | - * files (the "Software"), to deal in the Software without |
1296 | - * restriction, including without limitation the rights to use, |
1297 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
1298 | - * copies of the Software, and to permit persons to whom the |
1299 | - * Software is furnished to do so, subject to the following |
1300 | - * conditions: |
1301 | - * |
1302 | - * The above copyright notice and this permission notice shall be |
1303 | - * included in all copies or substantial portions of the Software. |
1304 | - * |
1305 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
1306 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
1307 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
1308 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
1309 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
1310 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
1311 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
1312 | - * OTHER DEALINGS IN THE SOFTWARE. |
1313 | - */ |
1314 | - |
1315 | -/** |
1316 | - * @file |
1317 | - * This file contains functions that are specific to PISA. They deal with the |
1318 | - * certificate loading. |
1319 | - * |
1320 | - * @brief Functions for certificate loading |
1321 | - */ |
1322 | - |
1323 | -#include <stdio.h> |
1324 | -#include <stdlib.h> |
1325 | -#include <string.h> |
1326 | - |
1327 | -#include "config.h" |
1328 | -#include "lib/core/debug.h" |
1329 | -#include "hipd.h" |
1330 | -#include "pisa.h" |
1331 | - |
1332 | -#define CERT_MAX_SIZE 1024 |
1333 | - |
1334 | -static char *midauth_cert = NULL; |
1335 | - |
1336 | -/** |
1337 | - * Load a certificate from the file HIPL_SYSCONFDIR/cert and store it in memory |
1338 | - * |
1339 | - * @return 0 on success |
1340 | - */ |
1341 | -static int pisa_load_certificate(void) |
1342 | -{ |
1343 | - FILE *f = NULL; |
1344 | - |
1345 | - free(midauth_cert); |
1346 | - midauth_cert = calloc(1, CERT_MAX_SIZE); |
1347 | - |
1348 | - if (!(f = fopen(HIPL_SYSCONFDIR "/cert", "r"))) { |
1349 | - HIP_ERROR("Could not open certificate file.\n"); |
1350 | - return -1; |
1351 | - } |
1352 | - |
1353 | - if (fread(midauth_cert, CERT_MAX_SIZE - 1, 1, f) == 0) { |
1354 | - perror("fread returned 0"); |
1355 | - } |
1356 | - fclose(f); |
1357 | - return 0; |
1358 | -} |
1359 | - |
1360 | -/** |
1361 | - * Load a certificate from disk and return a pointer to the global |
1362 | - * variable containing it. |
1363 | - * |
1364 | - * @see pisa_load_certificate* |
1365 | - * |
1366 | - * @return pointer to midauth_cert |
1367 | - */ |
1368 | -char *hip_pisa_get_certificate(void) |
1369 | -{ |
1370 | - pisa_load_certificate(); |
1371 | - return midauth_cert; |
1372 | -} |
1373 | |
1374 | === removed file 'hipd/pisa.h' |
1375 | --- hipd/pisa.h 2011-11-25 17:56:24 +0000 |
1376 | +++ hipd/pisa.h 1970-01-01 00:00:00 +0000 |
1377 | @@ -1,44 +0,0 @@ |
1378 | -/* |
1379 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
1380 | - * |
1381 | - * Permission is hereby granted, free of charge, to any person |
1382 | - * obtaining a copy of this software and associated documentation |
1383 | - * files (the "Software"), to deal in the Software without |
1384 | - * restriction, including without limitation the rights to use, |
1385 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
1386 | - * copies of the Software, and to permit persons to whom the |
1387 | - * Software is furnished to do so, subject to the following |
1388 | - * conditions: |
1389 | - * |
1390 | - * The above copyright notice and this permission notice shall be |
1391 | - * included in all copies or substantial portions of the Software. |
1392 | - * |
1393 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
1394 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
1395 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
1396 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
1397 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
1398 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
1399 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
1400 | - * OTHER DEALINGS IN THE SOFTWARE. |
1401 | - */ |
1402 | - |
1403 | -/** |
1404 | - * @file |
1405 | - * This file contains function declarations specific to PISA. They deal with the |
1406 | - * certificate loading. |
1407 | - * |
1408 | - * @brief Functions declarations for certificate loading |
1409 | - */ |
1410 | - |
1411 | -#ifndef HIPL_HIPD_PISA_H |
1412 | -#define HIPL_HIPD_PISA_H |
1413 | - |
1414 | -/** |
1415 | - * Get the certificate text that will be appended to R2 and U2 packets |
1416 | - * |
1417 | - * @return pointer to the certificate text |
1418 | - */ |
1419 | -char *hip_pisa_get_certificate(void); |
1420 | - |
1421 | -#endif /* HIPL_HIPD_PISA_H */ |
1422 | |
1423 | === modified file 'hipd/user.c' |
1424 | --- hipd/user.c 2012-02-15 17:37:10 +0000 |
1425 | +++ hipd/user.c 2012-02-20 21:42:18 +0000 |
1426 | @@ -65,7 +65,6 @@ |
1427 | #include "lib/tool/nlink.h" |
1428 | #include "config.h" |
1429 | #include "accessor.h" |
1430 | -#include "cert.h" |
1431 | #include "close.h" |
1432 | #include "cookie.h" |
1433 | #include "esp_prot_anchordb.h" |
1434 | @@ -240,7 +239,7 @@ |
1435 | { |
1436 | const hip_hit_t *src_hit = NULL, *dst_hit = NULL; |
1437 | struct hip_hadb_state *entry = NULL; |
1438 | - int err = 0, msg_type = 0, reti = 0; |
1439 | + int err = 0, msg_type = 0; |
1440 | int access_ok = 0, is_root = 0, name_len; |
1441 | const struct hip_tlv_common *param = NULL; |
1442 | const struct hip_transformation_order *transorder; |
1443 | @@ -359,40 +358,6 @@ |
1444 | dst_hit = hip_get_param_contents(msg, HIP_PARAM_HIT); |
1445 | hip_dec_cookie_difficulty(); |
1446 | break; |
1447 | - case HIP_MSG_CERT_SPKI_VERIFY: |
1448 | - { |
1449 | - HIP_DEBUG("Got an request to verify SPKI cert\n"); |
1450 | - reti = hip_cert_spki_verify(msg); |
1451 | - HIP_IFEL(reti, -1, "Verifying SPKI cert returned an error\n"); |
1452 | - HIP_DEBUG("SPKI cert verified sending it back to requester\n"); |
1453 | - } |
1454 | - break; |
1455 | - case HIP_MSG_CERT_SPKI_SIGN: |
1456 | - { |
1457 | - HIP_DEBUG("Got an request to sign SPKI cert sequence\n"); |
1458 | - reti = hip_cert_spki_sign(msg); |
1459 | - HIP_IFEL(reti, -1, "Signing SPKI cert returned an error\n"); |
1460 | - HIP_DEBUG("SPKI cert signed sending it back to requester\n"); |
1461 | - } |
1462 | - break; |
1463 | - case HIP_MSG_CERT_X509V3_SIGN: |
1464 | - { |
1465 | - HIP_DEBUG("Got an request to sign X509v3 cert\n"); |
1466 | - reti = hip_cert_x509v3_handle_request_to_sign(msg); |
1467 | - HIP_IFEL(reti, -1, "Signing of x509v3 cert returned an error\n"); |
1468 | - HIP_DEBUG("X509v3 cert signed sending it back to requester\n"); |
1469 | - } |
1470 | - break; |
1471 | - case HIP_MSG_CERT_X509V3_VERIFY: |
1472 | - { |
1473 | - HIP_DEBUG("Got an request to verify X509v3 cert\n"); |
1474 | - reti = hip_cert_x509v3_handle_request_to_verify(msg); |
1475 | - HIP_IFEL(reti, -1, "Verification of x509v3 cert " |
1476 | - "returned an error\n"); |
1477 | - HIP_DEBUG("X509v3 verification ended " |
1478 | - "sending it back to requester\n"); |
1479 | - } |
1480 | - break; |
1481 | case HIP_MSG_TRANSFORM_ORDER: |
1482 | { |
1483 | err = 0; |
1484 | |
1485 | === modified file 'hipfw/conntrack.c' |
1486 | --- hipfw/conntrack.c 2012-02-17 18:01:18 +0000 |
1487 | +++ hipfw/conntrack.c 2012-02-20 21:42:18 +0000 |
1488 | @@ -72,8 +72,8 @@ |
1489 | #include "hipfw.h" |
1490 | #include "helpers.h" |
1491 | #include "hslist.h" |
1492 | -#include "pisa.h" |
1493 | #include "reinject.h" |
1494 | +#include "midauth.h" |
1495 | |
1496 | |
1497 | static struct dlist *hip_list = NULL; |
1498 | @@ -1386,7 +1386,7 @@ |
1499 | return 0; |
1500 | } |
1501 | |
1502 | - esp_tuple->spi = ntohl(esp_info->new_spi); |
1503 | + esp_tuple->spi = ntohl(esp_info->new_spi); |
1504 | esp_tuple->spi_update_id = seq->update_id; |
1505 | |
1506 | HIP_IFEL(!update_esp_dest_addr(locator, seq, esp_tuple), |
1507 | @@ -1400,7 +1400,7 @@ |
1508 | return 0; |
1509 | } |
1510 | |
1511 | - esp_tuple->spi = ntohl(esp_info->new_spi); |
1512 | + esp_tuple->spi = ntohl(esp_info->new_spi); |
1513 | esp_tuple->spi_update_id = seq->update_id; |
1514 | } else if (locator && seq) { |
1515 | HIP_DEBUG("locator and seq\n"); |
1516 | |
1517 | === modified file 'hipfw/hipfw.c' |
1518 | --- hipfw/hipfw.c 2011-11-25 16:40:40 +0000 |
1519 | +++ hipfw/hipfw.c 2012-02-20 21:42:18 +0000 |
1520 | @@ -87,7 +87,6 @@ |
1521 | #include "helpers.h" |
1522 | #include "lsi.h" |
1523 | #include "midauth.h" |
1524 | -#include "pisa.h" |
1525 | #include "port_bindings.h" |
1526 | #include "reinject.h" |
1527 | #include "rewrite.h" |
1528 | @@ -1885,12 +1884,6 @@ |
1529 | continue; |
1530 | } |
1531 | |
1532 | -#ifdef CONFIG_HIP_PISA |
1533 | - if (use_midauth) { |
1534 | - pisa_check_for_random_update(); |
1535 | - } |
1536 | -#endif |
1537 | - |
1538 | if (FD_ISSET(h4->fd, &read_fdset)) { |
1539 | HIP_DEBUG("received IPv4 packet from iptables queue\n"); |
1540 | err = fw_handle_packet(buf, h4, 4, &ctx); |
1541 | |
1542 | === removed file 'hipfw/pisa.c' |
1543 | --- hipfw/pisa.c 2011-11-25 13:52:20 +0000 |
1544 | +++ hipfw/pisa.c 1970-01-01 00:00:00 +0000 |
1545 | @@ -1,575 +0,0 @@ |
1546 | -/* |
1547 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
1548 | - * |
1549 | - * Permission is hereby granted, free of charge, to any person |
1550 | - * obtaining a copy of this software and associated documentation |
1551 | - * files (the "Software"), to deal in the Software without |
1552 | - * restriction, including without limitation the rights to use, |
1553 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
1554 | - * copies of the Software, and to permit persons to whom the |
1555 | - * Software is furnished to do so, subject to the following |
1556 | - * conditions: |
1557 | - * |
1558 | - * The above copyright notice and this permission notice shall be |
1559 | - * included in all copies or substantial portions of the Software. |
1560 | - * |
1561 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
1562 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
1563 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
1564 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
1565 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
1566 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
1567 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
1568 | - * OTHER DEALINGS IN THE SOFTWARE. |
1569 | - */ |
1570 | - |
1571 | -/** |
1572 | - * @file |
1573 | - * This file contains PISA specific functions for the firewall. The basic idea |
1574 | - * is to modify the HIP messages and manage state for allowed connections to |
1575 | - * allow or reject associated ESP traffic. |
1576 | - * |
1577 | - * @brief PISA functions for the firewall |
1578 | - */ |
1579 | - |
1580 | -#define _BSD_SOURCE |
1581 | - |
1582 | -#include <stdint.h> |
1583 | -#include <stdio.h> |
1584 | -#include <stdlib.h> |
1585 | -#include <string.h> |
1586 | -#include <time.h> |
1587 | -#include <arpa/inet.h> |
1588 | -#include <netinet/in.h> |
1589 | -#include <linux/netfilter.h> |
1590 | -#include <openssl/hmac.h> |
1591 | - |
1592 | -#include "config.h" |
1593 | -#include "lib/core/builder.h" |
1594 | -#include "lib/core/certtools.h" |
1595 | -#include "lib/core/crypto.h" |
1596 | -#include "lib/core/debug.h" |
1597 | -#include "lib/core/ife.h" |
1598 | -#include "lib/core/performance.h" |
1599 | -#include "lib/core/prefix.h" |
1600 | -#include "modules/midauth/hipd/midauth.h" |
1601 | -#include "conntrack.h" |
1602 | -#include "hipfw_defines.h" |
1603 | -#include "midauth.h" |
1604 | -#include "pisa_cert.h" |
1605 | -#include "pisa.h" |
1606 | - |
1607 | - |
1608 | -#define PISA_RANDOM_LEN 16 |
1609 | -#define PISA_PUZZLE_SEED 0xDEADC0DE |
1610 | -#define PISA_PUZZLE_OPAQUE_LEN (4 + HIP_AH_SHA_LEN) |
1611 | - |
1612 | -/* pisa_check_for_random_update is called at least every PISA_RANDOM_TTL |
1613 | - * seconds. Worst case timer resolution depends on the timeout in the select |
1614 | - * call */ |
1615 | -#define PISA_RANDOM_TTL 2.0 |
1616 | - |
1617 | -static char pisa_random_data[2][PISA_RANDOM_LEN]; |
1618 | -static struct in6_addr community_operator_hit; |
1619 | - |
1620 | -/* @todo make this configurable, issuer HIT */ |
1621 | -#define CO_HIT "2001:001a:b1b0:0aad:0f92:15ca:280c:9430" |
1622 | -#define CO_HIT_FILE HIPL_SYSCONFDIR "/co_hit" |
1623 | - |
1624 | -/** |
1625 | - * Generate a new random number and shift the old one down. |
1626 | - */ |
1627 | -static void pisa_generate_random(void) |
1628 | -{ |
1629 | - void *p0, *p1; |
1630 | - |
1631 | - p0 = &pisa_random_data[0][0]; |
1632 | - p1 = &pisa_random_data[1][0]; |
1633 | - |
1634 | - memcpy(p0, p1, PISA_RANDOM_LEN); |
1635 | - get_random_bytes(p1, PISA_RANDOM_LEN); |
1636 | -} |
1637 | - |
1638 | -/** |
1639 | - * Reads out the HIT of the Community-Operator |
1640 | - * from file CO_HIT_FILE |
1641 | - * @param hit A pointer to the char where the HIT should be stored |
1642 | - * @return 1-> success |
1643 | - * @return 0-> error |
1644 | - */ |
1645 | -static int pisa_read_communit_operator_hit(char *hit) |
1646 | -{ |
1647 | - FILE *f; |
1648 | - char *eofline; |
1649 | - |
1650 | - f = fopen(CO_HIT_FILE, "r"); |
1651 | - |
1652 | - if (f == NULL) { |
1653 | - return 0; |
1654 | - } |
1655 | - |
1656 | - if (fgets(hit, INET6_ADDRSTRLEN, f) != NULL) { |
1657 | - eofline = strchr(hit, '\n'); |
1658 | - if (eofline) { |
1659 | - *eofline = '\0'; |
1660 | - } |
1661 | - } else { |
1662 | - HIP_ERROR("Fgets failed"); |
1663 | - } |
1664 | - fclose(f); |
1665 | - |
1666 | - return 1; |
1667 | -} |
1668 | - |
1669 | -void pisa_check_for_random_update(void) |
1670 | -{ |
1671 | - static time_t lastupdate = 0; |
1672 | - time_t now; |
1673 | - |
1674 | - time(&now); |
1675 | - if (difftime(now, lastupdate) > PISA_RANDOM_TTL) { |
1676 | - pisa_generate_random(); |
1677 | - lastupdate = now; |
1678 | - } |
1679 | -} |
1680 | - |
1681 | -/** |
1682 | - * Appends HMAC/SHA1 to a block of data. |
1683 | - * |
1684 | - * @param hit1 first HIT |
1685 | - * @param hit2 second HIT |
1686 | - * @param rnd which random number to use, either 0 or 1 |
1687 | - * @param data pointer to buffer for data and the HMAC |
1688 | - * @param data_len length of data |
1689 | - * @return 0 on success |
1690 | - */ |
1691 | -static int pisa_append_hmac(struct in6_addr *hit1, struct in6_addr *hit2, |
1692 | - int rnd, void *data, int data_len) |
1693 | -{ |
1694 | - uint8_t key[32 + PISA_RANDOM_LEN]; |
1695 | - int err = 0; |
1696 | - unsigned int len = HIP_AH_SHA_LEN; |
1697 | - |
1698 | - /* sanity checks for arguments */ |
1699 | - HIP_IFEL(data == NULL, -1, "No data given.\n"); |
1700 | - HIP_IFEL(hit1 == NULL, -1, "No first HIT given.\n"); |
1701 | - HIP_IFEL(hit2 == NULL, -1, "No second HIT given.\n"); |
1702 | - HIP_IFEL(data_len < 1, -1, "Data has invalid length.\n"); |
1703 | - HIP_IFEL(rnd != 0 && rnd != 1, -1, "Random ID is neither 0 nor 1.\n"); |
1704 | - |
1705 | - /* The key for HMAC/SHA1 consists of: |
1706 | - * 16 bytes HIT1 |
1707 | - * 16 bytes HIT2 |
1708 | - * PISA_RANDOM_LEN bytes pisa_random_data |
1709 | - */ |
1710 | - |
1711 | - ipv6_addr_copy((struct in6_addr *) (key + 0), hit1); |
1712 | - ipv6_addr_copy((struct in6_addr *) (key + 16), hit2); |
1713 | - memcpy(key + 32, &pisa_random_data[rnd][0], PISA_RANDOM_LEN); |
1714 | - |
1715 | - HMAC(EVP_sha1(), key, 32 + PISA_RANDOM_LEN, data, data_len, |
1716 | - (uint8_t *) data + data_len, &len); |
1717 | - |
1718 | -out_err: |
1719 | - return err; |
1720 | -} |
1721 | - |
1722 | -/** |
1723 | - * Insert a PISA puzzle into a packet. |
1724 | - * |
1725 | - * @param ctx context of the packet where the puzzle will be inserted |
1726 | - * @return success (0) or failure |
1727 | - */ |
1728 | -static int pisa_insert_puzzle(struct hip_fw_context *ctx) |
1729 | -{ |
1730 | - uint8_t opaque[PISA_PUZZLE_OPAQUE_LEN]; |
1731 | - |
1732 | - struct hip_common *hip = ctx->transport_hdr.hip; |
1733 | - int seed = PISA_PUZZLE_SEED; |
1734 | - |
1735 | - memcpy(&opaque, &seed, 4); |
1736 | - |
1737 | - /* here we switch order of initiator and receiver to obtain a |
1738 | - * different SHA1 hash */ |
1739 | - pisa_append_hmac(&hip->hitr, &hip->hits, 1, &opaque, 4); |
1740 | - |
1741 | - return midauth_add_challenge_request(ctx, 3, 4, opaque, PISA_PUZZLE_OPAQUE_LEN); |
1742 | -} |
1743 | - |
1744 | -/** |
1745 | - * Check the validity of a PISA challenge_response. |
1746 | - * |
1747 | - * @param ctx context of the packet with the puzzle to check |
1748 | - * @return pointer to the puzzle we accepted or NULL at failure |
1749 | - */ |
1750 | -static struct hip_challenge_response *pisa_check_challenge_response(struct hip_fw_context *ctx) |
1751 | -{ |
1752 | - struct hip_challenge_response *response; |
1753 | - struct hip_common *hip = ctx->transport_hdr.hip; |
1754 | - uint8_t hash[2][PISA_PUZZLE_OPAQUE_LEN]; |
1755 | - int seed = PISA_PUZZLE_SEED; |
1756 | - |
1757 | - memcpy(&hash[0][0], &seed, 4); |
1758 | - memcpy(&hash[1][0], &seed, 4); |
1759 | - |
1760 | - pisa_append_hmac(&hip->hits, &hip->hitr, 0, &hash[0], 4); |
1761 | - pisa_append_hmac(&hip->hits, &hip->hitr, 1, &hash[1], 4); |
1762 | - |
1763 | - response = hip_get_param_readwrite(hip, HIP_PARAM_CHALLENGE_RESPONSE); |
1764 | - |
1765 | - while (response) { |
1766 | - /* loop over all HIP_PARAM_CHALLENGE_RESPONSE */ |
1767 | - if (hip_get_param_type(response) != HIP_PARAM_CHALLENGE_RESPONSE) { |
1768 | - break; |
1769 | - } |
1770 | - if ((!memcmp(response->opaque, &hash[1][0], PISA_PUZZLE_OPAQUE_LEN)) || |
1771 | - (!memcmp(response->opaque, &hash[0][0], PISA_PUZZLE_OPAQUE_LEN))) { |
1772 | - if (!midauth_verify_challenge_response(response, |
1773 | - hip->hits, |
1774 | - hip->hitr)) { |
1775 | - return response; |
1776 | - } |
1777 | - } |
1778 | - |
1779 | - response = (struct hip_challenge_response *) |
1780 | - hip_get_next_param_readwrite(hip, |
1781 | - (struct hip_tlv_common *) response); |
1782 | - } |
1783 | - |
1784 | - return NULL; |
1785 | -} |
1786 | - |
1787 | -/** |
1788 | - * Check the certificate of the packet. |
1789 | - * |
1790 | - * @param ctx context of the packet with the certificate to check |
1791 | - * @return success (0) or failure |
1792 | - */ |
1793 | -static int pisa_check_certificate(struct hip_fw_context *ctx) |
1794 | -{ |
1795 | - struct hip_common *hip = ctx->transport_hdr.hip; |
1796 | - const struct hip_cert *cert; |
1797 | - struct hip_cert_spki_info ci; |
1798 | - struct pisa_cert pc; |
1799 | - char *buf = NULL; |
1800 | - int err = 0, len; |
1801 | - time_t now = time(NULL); |
1802 | - |
1803 | - cert = hip_get_param(hip, HIP_PARAM_CERT); |
1804 | - HIP_IFEL(cert == NULL, -1, "No certificate found.\n"); |
1805 | - |
1806 | - len = ntohs(cert->length); |
1807 | - buf = calloc(1, len); |
1808 | - memcpy(buf, cert + 1, len); |
1809 | - |
1810 | - HIP_IFEL(hip_cert_spki_char2certinfo(buf, &ci), -1, |
1811 | - "Certificate could not be parsed.\n"); |
1812 | - HIP_IFEL(hip_cert_spki_lib_verify(&ci), -1, |
1813 | - "Certificate could not be verified.\n"); |
1814 | - |
1815 | - pisa_split_cert(ci.cert, &pc); |
1816 | - |
1817 | - /* Three conditions must be fulfilled for a certificate to be valid: |
1818 | - * |
1819 | - * - The current time on the middlebox must be in the before/after |
1820 | - * interval |
1821 | - * - The certificate must be issued by the community operator (i.e. |
1822 | - * the CO HIT must be used by the issuer) |
1823 | - * - The host sending the certificate must be the one mentioned in |
1824 | - * the certificate |
1825 | - */ |
1826 | - HIP_IFEL(now < pc.not_before, -1, |
1827 | - "Certificate is not valid yet.\n"); |
1828 | - HIP_IFEL(now > pc.not_after, -1, |
1829 | - "Certificate has expired.\n"); |
1830 | - |
1831 | - |
1832 | - HIP_IFEL(ipv6_addr_cmp(&pc.hit_issuer, &community_operator_hit) != 0, |
1833 | - -1, "Certificate not issued by the community operator.\n"); |
1834 | - HIP_IFEL(ipv6_addr_cmp(&pc.hit_subject, &hip->hits) != 0, -1, |
1835 | - "Certificate does not belong to subject.\n"); |
1836 | - |
1837 | - HIP_INFO("Certificate successfully verified.\n"); |
1838 | - |
1839 | -out_err: |
1840 | - free(buf); |
1841 | - return err; |
1842 | -} |
1843 | - |
1844 | -/** |
1845 | - * Accept a connection via PISA. Update firewall to allow data packets to |
1846 | - * pass through. |
1847 | - * |
1848 | - * @param ctx context of the packet that belongs to that connection |
1849 | - */ |
1850 | -static void pisa_accept_connection(const struct hip_fw_context *ctx) |
1851 | -{ |
1852 | - struct hip_common *hip = ctx->transport_hdr.hip; |
1853 | - struct tuple *t = get_tuple_by_hits(&hip->hits, &hip->hitr); |
1854 | - |
1855 | - if (t) { |
1856 | - t->connection->pisa_state = PISA_STATE_ALLOW; |
1857 | - HIP_INFO("PISA accepted the connection.\n"); |
1858 | - hip_fw_manage_all_esp_tuples(t, true); |
1859 | - } else { |
1860 | - HIP_ERROR("Connection not found.\n"); |
1861 | - } |
1862 | -} |
1863 | - |
1864 | -/** |
1865 | - * Remove a connection from the list of accepted connections based on the hits |
1866 | - * of a packet. |
1867 | - * |
1868 | - * @param ctx context of the packet that contains HITs of the connection |
1869 | - */ |
1870 | -static void pisa_remove_connection(const struct hip_fw_context *ctx) |
1871 | -{ |
1872 | - struct hip_common *hip = ctx->transport_hdr.hip; |
1873 | - struct tuple *t = get_tuple_by_hits(&hip->hits, &hip->hitr); |
1874 | - |
1875 | - if (t) { |
1876 | - t->connection->pisa_state = PISA_STATE_DISALLOW; |
1877 | - HIP_INFO("PISA removed the connection.\n"); |
1878 | - hip_fw_manage_all_esp_tuples(t, false); |
1879 | - } else { |
1880 | - HIP_ERROR("Connection not found.\n"); |
1881 | - } |
1882 | -} |
1883 | - |
1884 | -/** |
1885 | - * Reject a connection via PISA. Update firewall to allow no data packets |
1886 | - * to pass through. |
1887 | - * |
1888 | - * @param ctx context of the packet that belongs to that connection |
1889 | - */ |
1890 | -static void pisa_reject_connection(const struct hip_fw_context *ctx) |
1891 | -{ |
1892 | - HIP_INFO("PISA rejected the connection.\n"); |
1893 | - pisa_remove_connection(ctx); |
1894 | -} |
1895 | - |
1896 | -/** |
1897 | - * Dummy function, necessary only for performance measurements. |
1898 | - * |
1899 | - * @param ctx context of the packet containing the I1 |
1900 | - * @return NF_ACCEPT verdict |
1901 | - */ |
1902 | -static int pisa_handler_i1(UNUSED struct hip_fw_context *ctx) |
1903 | -{ |
1904 | -#ifdef CONFIG_HIP_PERFORMANCE |
1905 | - HIP_DEBUG("Start PERF_BASE, PERF_I1\n"); |
1906 | - hip_perf_start_benchmark(perf_set, PERF_BASE); |
1907 | - hip_perf_start_benchmark(perf_set, PERF_I1); |
1908 | -#endif |
1909 | - |
1910 | -#ifdef CONFIG_HIP_PERFORMANCE |
1911 | - HIP_DEBUG("Stop and write PERF_I1\n"); |
1912 | - hip_perf_stop_benchmark(perf_set, PERF_I1); |
1913 | - hip_perf_write_benchmark(perf_set, PERF_I1); |
1914 | -#endif |
1915 | - |
1916 | - return NF_ACCEPT; |
1917 | -} |
1918 | - |
1919 | -/** |
1920 | - * Dummy function, necessary only for performance measurements. |
1921 | - * |
1922 | - * @param ctx context of the packet containing the R1 |
1923 | - * @return NF_ACCEPT verdict |
1924 | - */ |
1925 | -static int pisa_handler_r1(UNUSED struct hip_fw_context *ctx) |
1926 | -{ |
1927 | -#ifdef CONFIG_HIP_PERFORMANCE |
1928 | - HIP_DEBUG("Start PERF_R1\n"); |
1929 | - hip_perf_start_benchmark(perf_set, PERF_R1); |
1930 | -#endif |
1931 | - |
1932 | -#ifdef CONFIG_HIP_PERFORMANCE |
1933 | - HIP_DEBUG("Stop and write PERF_R1\n"); |
1934 | - hip_perf_stop_benchmark(perf_set, PERF_R1); |
1935 | - hip_perf_write_benchmark(perf_set, PERF_R1); |
1936 | -#endif |
1937 | - |
1938 | - return NF_ACCEPT; |
1939 | -} |
1940 | - |
1941 | -/** |
1942 | - * Insert a PISA puzzle into the I2 packet. |
1943 | - * |
1944 | - * @param ctx context of the packet to modify |
1945 | - * @return NF_ACCEPT verdict |
1946 | - */ |
1947 | -static int pisa_handler_i2(struct hip_fw_context *ctx) |
1948 | -{ |
1949 | -#ifdef CONFIG_HIP_PERFORMANCE |
1950 | - HIP_DEBUG("Start PERF_I2\n"); |
1951 | - hip_perf_start_benchmark(perf_set, PERF_I2); |
1952 | -#endif |
1953 | - pisa_insert_puzzle(ctx); |
1954 | - |
1955 | -#ifdef CONFIG_HIP_PERFORMANCE |
1956 | - HIP_DEBUG("Stop and write PERF_I2\n"); |
1957 | - hip_perf_stop_benchmark(perf_set, PERF_I2); |
1958 | - hip_perf_write_benchmark(perf_set, PERF_I2); |
1959 | -#endif |
1960 | - |
1961 | - return NF_ACCEPT; |
1962 | -} |
1963 | - |
1964 | -/** |
1965 | - * Check for a PISA puzzle, a valid signature and a valid |
1966 | - * certificate in the R2 packet. |
1967 | - * |
1968 | - * @param ctx context of the packet to check |
1969 | - * @return verdict, either NF_ACCEPT or NF_DROP |
1970 | - */ |
1971 | -static int pisa_handler_r2(struct hip_fw_context *ctx) |
1972 | -{ |
1973 | - int verdict = NF_DROP, sig = 0, cert = 0; |
1974 | - struct hip_challenge_response *solution = NULL; |
1975 | - |
1976 | -#ifdef CONFIG_HIP_PERFORMANCE |
1977 | - HIP_DEBUG("Start PERF_R2\n"); |
1978 | - hip_perf_start_benchmark(perf_set, PERF_R2); |
1979 | -#endif |
1980 | - |
1981 | - solution = pisa_check_challenge_response(ctx); |
1982 | - cert = pisa_check_certificate(ctx); |
1983 | - |
1984 | - if (solution == NULL || sig != 0 || cert != 0) { |
1985 | - /* disallow further communication if either nonce, solution, |
1986 | - * signature or certificate were not correct */ |
1987 | - pisa_reject_connection(ctx); |
1988 | - verdict = NF_DROP; |
1989 | - } else { |
1990 | - /* allow futher communication otherwise */ |
1991 | - pisa_accept_connection(ctx); |
1992 | - verdict = NF_ACCEPT; |
1993 | - } |
1994 | - |
1995 | -#ifdef CONFIG_HIP_PERFORMANCE |
1996 | - HIP_DEBUG("Stop and write PERF_R2, PERF_BASE\n"); |
1997 | - hip_perf_stop_benchmark(perf_set, PERF_R2); |
1998 | - hip_perf_stop_benchmark(perf_set, PERF_BASE); |
1999 | - hip_perf_write_benchmark(perf_set, PERF_R2); |
2000 | - hip_perf_write_benchmark(perf_set, PERF_BASE); |
2001 | -#endif |
2002 | - |
2003 | - return verdict; |
2004 | -} |
2005 | - |
2006 | -/** |
2007 | - * Insert a PISA nonce and a PISA puzzle into the U1 packet. |
2008 | - * |
2009 | - * @param ctx context of the packet to modify |
2010 | - * @return NF_ACCEPT verdict |
2011 | - */ |
2012 | -static int pisa_handler_u1(struct hip_fw_context *ctx) |
2013 | -{ |
2014 | - pisa_insert_puzzle(ctx); |
2015 | - |
2016 | - return NF_ACCEPT; |
2017 | -} |
2018 | - |
2019 | -/** |
2020 | - * Check for a PISA nonce, a PISA puzzle, a valid signature and a valid |
2021 | - * certificate in the U2 packet. |
2022 | - * |
2023 | - * @param ctx context of the packet to check |
2024 | - * @return verdict, either NF_ACCEPT or NF_DROP |
2025 | - */ |
2026 | -static int pisa_handler_u2(struct hip_fw_context *ctx) |
2027 | -{ |
2028 | - int verdict = NF_DROP; |
2029 | - int sig = 0; |
2030 | - int cert = 0; |
2031 | - struct hip_challenge_response *solution = NULL; |
2032 | - |
2033 | - solution = pisa_check_challenge_response(ctx); |
2034 | - cert = pisa_check_certificate(ctx); |
2035 | - |
2036 | - if (solution == NULL || sig != 0 || cert != 0) { |
2037 | - HIP_DEBUG("U2 packet did not match criteria: " |
2038 | - "solution %p, signature %i, cert %i\n", |
2039 | - solution, sig, cert); |
2040 | - verdict = NF_DROP; |
2041 | - } else { |
2042 | - /* packet was ok, insert another puzzle */ |
2043 | - pisa_insert_puzzle(ctx); |
2044 | - verdict = NF_ACCEPT; |
2045 | - } |
2046 | - |
2047 | - return verdict; |
2048 | -} |
2049 | - |
2050 | -/** |
2051 | - * Check for a PISA nonce and a valid signature in the U3 packet. |
2052 | - * |
2053 | - * @param ctx context of the packet to check |
2054 | - * @return verdict, either NF_ACCEPT or NF_DROP |
2055 | - */ |
2056 | -static int pisa_handler_u3(struct hip_fw_context *ctx) |
2057 | -{ |
2058 | - int verdict = NF_DROP; |
2059 | - int sig = 0; |
2060 | - struct hip_challenge_response *solution = NULL; |
2061 | - |
2062 | - solution = pisa_check_challenge_response(ctx); |
2063 | - |
2064 | - if (solution == NULL || sig != 0) { |
2065 | - HIP_DEBUG("U2 packet did not match criteria: " |
2066 | - "solution %p\n", |
2067 | - solution); |
2068 | - pisa_reject_connection(ctx); |
2069 | - verdict = NF_DROP; |
2070 | - } else { |
2071 | - pisa_accept_connection(ctx); |
2072 | - verdict = NF_ACCEPT; |
2073 | - } |
2074 | - return verdict; |
2075 | -} |
2076 | - |
2077 | -/** |
2078 | - * Handle CLOSE_ACK packet. Remove the connection from the list of accepted |
2079 | - * connections |
2080 | - * |
2081 | - * @param ctx context of the packet |
2082 | - * @return verdict, either NF_ACCEPT or NF_DROP |
2083 | - */ |
2084 | -static int pisa_handler_close_ack(struct hip_fw_context *ctx) |
2085 | -{ |
2086 | - pisa_remove_connection(ctx); |
2087 | - return NF_ACCEPT; |
2088 | -} |
2089 | - |
2090 | -/** |
2091 | - * Initialize basic PISA functionality |
2092 | - * |
2093 | - * @param h function pointers for packet handlers |
2094 | - */ |
2095 | -void pisa_init(struct midauth_handlers *h) |
2096 | -{ |
2097 | - char hit[INET6_ADDRSTRLEN]; |
2098 | - h->i1 = pisa_handler_i1; |
2099 | - h->r1 = pisa_handler_r1; |
2100 | - h->i2 = pisa_handler_i2; |
2101 | - h->r2 = pisa_handler_r2; |
2102 | - h->u1 = pisa_handler_u1; |
2103 | - h->u2 = pisa_handler_u2; |
2104 | - h->u3 = pisa_handler_u3; |
2105 | - h->close = midauth_handler_accept; |
2106 | - h->close_ack = pisa_handler_close_ack; |
2107 | - |
2108 | - pisa_generate_random(); |
2109 | - pisa_generate_random(); |
2110 | - |
2111 | - if (!pisa_read_communit_operator_hit(hit)) { |
2112 | - hit[0] = '\0'; |
2113 | - HIP_ERROR("Could not load Communit-Operator HIT from file %s\n", |
2114 | - CO_HIT_FILE); |
2115 | - } |
2116 | - |
2117 | - if (inet_pton(AF_INET6, hit, &community_operator_hit) <= 0) { |
2118 | - HIP_ERROR("Coult not parse Community-Operator HIT\n"); |
2119 | - } |
2120 | -} |
2121 | |
2122 | === removed file 'hipfw/pisa.h' |
2123 | --- hipfw/pisa.h 2011-11-25 13:52:20 +0000 |
2124 | +++ hipfw/pisa.h 1970-01-01 00:00:00 +0000 |
2125 | @@ -1,48 +0,0 @@ |
2126 | -/* |
2127 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
2128 | - * |
2129 | - * Permission is hereby granted, free of charge, to any person |
2130 | - * obtaining a copy of this software and associated documentation |
2131 | - * files (the "Software"), to deal in the Software without |
2132 | - * restriction, including without limitation the rights to use, |
2133 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
2134 | - * copies of the Software, and to permit persons to whom the |
2135 | - * Software is furnished to do so, subject to the following |
2136 | - * conditions: |
2137 | - * |
2138 | - * The above copyright notice and this permission notice shall be |
2139 | - * included in all copies or substantial portions of the Software. |
2140 | - * |
2141 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
2142 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
2143 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
2144 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
2145 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
2146 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
2147 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
2148 | - * OTHER DEALINGS IN THE SOFTWARE. |
2149 | - */ |
2150 | - |
2151 | -#ifndef HIPL_HIPFW_PISA_H |
2152 | -#define HIPL_HIPFW_PISA_H |
2153 | - |
2154 | -#include "midauth.h" |
2155 | - |
2156 | -#define PISA_STATE_DISALLOW 0 |
2157 | -#define PISA_STATE_ALLOW 1 |
2158 | - |
2159 | -#ifdef CONFIG_HIP_PISA |
2160 | -/** |
2161 | - * Register PISA handlers with midauth and initialize data structures. |
2162 | - * |
2163 | - * @param h pointer to the handlers |
2164 | - */ |
2165 | -void pisa_init(struct midauth_handlers *h); |
2166 | -#endif |
2167 | - |
2168 | -/** |
2169 | - * Check if a new random number is necessary. |
2170 | - */ |
2171 | -void pisa_check_for_random_update(void); |
2172 | - |
2173 | -#endif /* HIPL_HIPFW_PISA_H */ |
2174 | |
2175 | === removed file 'hipfw/pisa_cert.c' |
2176 | --- hipfw/pisa_cert.c 2011-08-15 14:11:56 +0000 |
2177 | +++ hipfw/pisa_cert.c 1970-01-01 00:00:00 +0000 |
2178 | @@ -1,205 +0,0 @@ |
2179 | -/* |
2180 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
2181 | - * |
2182 | - * Permission is hereby granted, free of charge, to any person |
2183 | - * obtaining a copy of this software and associated documentation |
2184 | - * files (the "Software"), to deal in the Software without |
2185 | - * restriction, including without limitation the rights to use, |
2186 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
2187 | - * copies of the Software, and to permit persons to whom the |
2188 | - * Software is furnished to do so, subject to the following |
2189 | - * conditions: |
2190 | - * |
2191 | - * The above copyright notice and this permission notice shall be |
2192 | - * included in all copies or substantial portions of the Software. |
2193 | - * |
2194 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
2195 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
2196 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
2197 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
2198 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
2199 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
2200 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
2201 | - * OTHER DEALINGS IN THE SOFTWARE. |
2202 | - */ |
2203 | - |
2204 | -/** |
2205 | - * @file |
2206 | - * This file deals with the PISA specific handling of SPKI certificates. The |
2207 | - * certificate is parsed and split into small chunks. |
2208 | - * |
2209 | - * @brief PISA handling for SPKI certificates |
2210 | - */ |
2211 | - |
2212 | -#define _BSD_SOURCE |
2213 | - |
2214 | -#include <string.h> |
2215 | -#include <time.h> |
2216 | -#include <arpa/inet.h> |
2217 | -#include <netinet/in.h> |
2218 | -#include <sys/types.h> |
2219 | - |
2220 | -#include "pisa_cert.h" |
2221 | - |
2222 | - |
2223 | -/** |
2224 | - * Extract parts of a SPKI certificate. |
2225 | - * |
2226 | - * @param cert pointer to the certificate text or part of a certificate text |
2227 | - * @param name pointer to the pattern we are looking for |
2228 | - * @param r pointer to a buffer that the search result will be copied to |
2229 | - * @return 0 on success |
2230 | - */ |
2231 | -static char *pisa_cert_get_part(char *cert, const char *name, char *r) |
2232 | -{ |
2233 | - int level = 0, len = 0; |
2234 | - char *p = cert, *start = NULL; |
2235 | - |
2236 | - if (!r) { |
2237 | - return NULL; |
2238 | - } |
2239 | - |
2240 | - if (!cert) { |
2241 | - goto out_err; |
2242 | - } |
2243 | - |
2244 | - if (!name) { |
2245 | - goto out_err; |
2246 | - } |
2247 | - |
2248 | - len = strlen(name); |
2249 | - if (len == 0) { |
2250 | - goto out_err; |
2251 | - } |
2252 | - |
2253 | - while (*p) { |
2254 | - if (*p == '(') { |
2255 | - level++; |
2256 | - if (level == 2 && !strncmp(p + 1, name, len)) { |
2257 | - if (*(p + len + 1) == ' ') { |
2258 | - start = p++; |
2259 | - break; |
2260 | - } |
2261 | - } |
2262 | - } |
2263 | - if (*p == ')') { |
2264 | - level--; |
2265 | - } |
2266 | - if (level == 0) { |
2267 | - break; |
2268 | - } |
2269 | - p++; |
2270 | - } |
2271 | - |
2272 | - if (!start) { |
2273 | - goto out_err; |
2274 | - } |
2275 | - |
2276 | - len = 0; |
2277 | - |
2278 | - while (*p) { |
2279 | - if (*p == '(') { |
2280 | - level++; |
2281 | - } |
2282 | - if (*p == ')') { |
2283 | - level--; |
2284 | - if (level == 1) { |
2285 | - len = p - start + 1; |
2286 | - break; |
2287 | - } |
2288 | - } |
2289 | - if (level == 0) { |
2290 | - break; |
2291 | - } |
2292 | - p++; |
2293 | - } |
2294 | - |
2295 | - strncpy(r, start, len); |
2296 | - r[len] = '\0'; |
2297 | - |
2298 | - return r; |
2299 | - |
2300 | -out_err: |
2301 | - r[0] = '\0'; |
2302 | - return NULL; |
2303 | -} |
2304 | - |
2305 | -/** |
2306 | - * Get the content from a SPKI certificate part. |
2307 | - * |
2308 | - * @param cert pointer to the certificate text or part of a certificate text |
2309 | - * @param name pointer to the pattern we are looking for |
2310 | - * @param r pointer to a buffer that the search result will be copied to |
2311 | - * @return 0 on success |
2312 | - */ |
2313 | -static void pisa_cert_get_content(char *cert, const char *name, char *r) |
2314 | -{ |
2315 | - char *start = cert; |
2316 | - int len = 0; |
2317 | - |
2318 | - if (!r) { |
2319 | - return; |
2320 | - } |
2321 | - |
2322 | - if (!cert || !name || !*name == '(') { |
2323 | - goto out_err; |
2324 | - } |
2325 | - |
2326 | - if (strlen(name) + 3 > strlen(cert)) { |
2327 | - goto out_err; |
2328 | - } |
2329 | - |
2330 | - if (strncmp(name, cert + 1, strlen(name))) { |
2331 | - goto out_err; |
2332 | - } |
2333 | - start = cert + strlen(name) + 2; |
2334 | - |
2335 | - if (*start == '\0') { |
2336 | - goto out_err; |
2337 | - } |
2338 | - |
2339 | - len = strlen(start) - 1; |
2340 | - if (*(start + len) != ')') { |
2341 | - goto out_err; |
2342 | - } |
2343 | - strncpy(r, start, len); |
2344 | - |
2345 | -out_err: |
2346 | - r[len] = '\0'; |
2347 | -} |
2348 | - |
2349 | -/** |
2350 | - * Splits a certificate into semantic chunks and converts these to |
2351 | - * sensible binary representations. |
2352 | - * |
2353 | - * @param cert the original certificate |
2354 | - * @param pc internal representation of the certificate |
2355 | - */ |
2356 | -void pisa_split_cert(char *cert, struct pisa_cert *pc) |
2357 | -{ |
2358 | - struct tm t; |
2359 | - char buffer1[224], buffer2[224]; |
2360 | - struct in6_addr addr; |
2361 | - |
2362 | - pisa_cert_get_part(cert, "not-before", buffer1); |
2363 | - pisa_cert_get_content(buffer1, "not-before", buffer2); |
2364 | - strptime(buffer2, "\"%Y-%m-%d_%H:%M:%S\"", &t); |
2365 | - pc->not_before = mktime(&t); |
2366 | - |
2367 | - pisa_cert_get_part(cert, "not-after", buffer1); |
2368 | - pisa_cert_get_content(buffer1, "not-after", buffer2); |
2369 | - strptime(buffer2, "\"%Y-%m-%d_%H:%M:%S\"", &t); |
2370 | - pc->not_after = mktime(&t); |
2371 | - |
2372 | - pisa_cert_get_part(cert, "issuer", buffer1); |
2373 | - pisa_cert_get_part(buffer1, "hash hit", buffer2); |
2374 | - pisa_cert_get_content(buffer2, "hash hit", buffer1); |
2375 | - inet_pton(AF_INET6, buffer1, &addr); |
2376 | - memcpy(&pc->hit_issuer, &addr, sizeof(struct in6_addr)); |
2377 | - |
2378 | - pisa_cert_get_part(cert, "subject", buffer1); |
2379 | - pisa_cert_get_part(buffer1, "hash hit", buffer2); |
2380 | - pisa_cert_get_content(buffer2, "hash hit", buffer1); |
2381 | - inet_pton(AF_INET6, buffer1, &addr); |
2382 | - memcpy(&pc->hit_subject, &addr, sizeof(struct in6_addr)); |
2383 | -} |
2384 | |
2385 | === removed file 'hipfw/pisa_cert.h' |
2386 | --- hipfw/pisa_cert.h 2011-11-25 13:52:20 +0000 |
2387 | +++ hipfw/pisa_cert.h 1970-01-01 00:00:00 +0000 |
2388 | @@ -1,47 +0,0 @@ |
2389 | -/* |
2390 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
2391 | - * |
2392 | - * Permission is hereby granted, free of charge, to any person |
2393 | - * obtaining a copy of this software and associated documentation |
2394 | - * files (the "Software"), to deal in the Software without |
2395 | - * restriction, including without limitation the rights to use, |
2396 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
2397 | - * copies of the Software, and to permit persons to whom the |
2398 | - * Software is furnished to do so, subject to the following |
2399 | - * conditions: |
2400 | - * |
2401 | - * The above copyright notice and this permission notice shall be |
2402 | - * included in all copies or substantial portions of the Software. |
2403 | - * |
2404 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
2405 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
2406 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
2407 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
2408 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
2409 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
2410 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
2411 | - * OTHER DEALINGS IN THE SOFTWARE. |
2412 | - */ |
2413 | - |
2414 | -#ifndef HIPL_HIPFW_PISA_CERT_H |
2415 | -#define HIPL_HIPFW_PISA_CERT_H |
2416 | - |
2417 | -#include <time.h> |
2418 | -#include <netinet/in.h> |
2419 | - |
2420 | -struct pisa_cert { |
2421 | - struct in6_addr hit_issuer; |
2422 | - struct in6_addr hit_subject; |
2423 | - time_t not_before; |
2424 | - time_t not_after; |
2425 | -}; |
2426 | - |
2427 | -/** |
2428 | - * Split the hip_cert_spki_info.cert part into small chunks |
2429 | - * |
2430 | - * @param cert the hip_cert_spki_info.cert part of the certificate |
2431 | - * @param pc datastructure that will contain the chunks |
2432 | - */ |
2433 | -void pisa_split_cert(char *cert, struct pisa_cert *pc); |
2434 | - |
2435 | -#endif /* HIPL_HIPFW_PISA_CERT_H */ |
2436 | |
2437 | === modified file 'lib/core/builder.c' |
2438 | --- lib/core/builder.c 2012-01-10 17:53:47 +0000 |
2439 | +++ lib/core/builder.c 2012-02-20 21:42:18 +0000 |
2440 | @@ -3326,107 +3326,6 @@ |
2441 | } |
2442 | |
2443 | /** |
2444 | - * Build and append a SPKI infor parameter into a HIP control message (on-the-wire) |
2445 | - * |
2446 | - * @param msg a pointer to the message where the parameter will be |
2447 | - * appended |
2448 | - * @param cert_info certificate information |
2449 | - * @return zero on success, or negative on failure |
2450 | - * @see <a href="http://tools.ietf.org/html/draft-ietf-hip-cert">draft-ietf-hip-cert</a> |
2451 | - * |
2452 | - */ |
2453 | -int hip_build_param_cert_spki_info(struct hip_common *msg, |
2454 | - struct hip_cert_spki_info *cert_info) |
2455 | -{ |
2456 | - struct hip_cert_spki_info local; |
2457 | - |
2458 | - memcpy(&local, cert_info, sizeof(struct hip_cert_spki_info)); |
2459 | - hip_set_param_type((struct hip_tlv_common *) &local, |
2460 | - HIP_PARAM_CERT_SPKI_INFO); |
2461 | - hip_calc_param_len((struct hip_tlv_common *) &local, |
2462 | - sizeof(struct hip_cert_spki_info) |
2463 | - - sizeof(struct hip_tlv_common)); |
2464 | - |
2465 | - return hip_build_param(msg, &local); |
2466 | -} |
2467 | - |
2468 | -/** |
2469 | - * Build and append a X509 certiticate request parameter into a HIP control |
2470 | - * message (on-the-wire) |
2471 | - * |
2472 | - * @param msg a pointer to the message where the parameter will be |
2473 | - * appended |
2474 | - * @param addr the subject for the certificate |
2475 | - * @return zero on success, or negative on failure |
2476 | - * @see <a href="http://tools.ietf.org/html/draft-ietf-hip-cert">draft-ietf-hip-cert</a> |
2477 | - * |
2478 | - */ |
2479 | -int hip_build_param_cert_x509_req(struct hip_common *msg, struct in6_addr *addr) |
2480 | -{ |
2481 | - struct hip_cert_x509_req subj; |
2482 | - |
2483 | - hip_set_param_type((struct hip_tlv_common *) &subj, HIP_PARAM_CERT_X509_REQ); |
2484 | - hip_calc_param_len((struct hip_tlv_common *) &subj, |
2485 | - sizeof(struct hip_cert_x509_req) |
2486 | - - sizeof(struct hip_tlv_common)); |
2487 | - ipv6_addr_copy(&subj.addr, addr); |
2488 | - |
2489 | - return hip_build_param(msg, &subj); |
2490 | -} |
2491 | - |
2492 | -/** |
2493 | - * build and append a X509 certificate verification parameter into a |
2494 | - * HIP control message (on-the-wire) |
2495 | - * |
2496 | - * @param msg a pointer to the message where the parameter will be |
2497 | - * appended |
2498 | - * @param der der field |
2499 | - * @param len length of the der field in bytes |
2500 | - * @return zero on success, or negative on failure |
2501 | - * @see <a href="http://tools.ietf.org/html/draft-ietf-hip-cert">draft-ietf-hip-cert</a> |
2502 | - * |
2503 | - */ |
2504 | -int hip_build_param_cert_x509_ver(struct hip_common *msg, char *der, int len) |
2505 | -{ |
2506 | - struct hip_cert_x509_resp subj; |
2507 | - |
2508 | - hip_set_param_type((struct hip_tlv_common *) &subj, HIP_PARAM_CERT_X509_REQ); |
2509 | - hip_calc_param_len((struct hip_tlv_common *) &subj, |
2510 | - sizeof(struct hip_cert_x509_resp) |
2511 | - - sizeof(struct hip_tlv_common)); |
2512 | - memcpy(&subj.der, der, len); |
2513 | - subj.der_len = len; |
2514 | - |
2515 | - return hip_build_param(msg, &subj); |
2516 | -} |
2517 | - |
2518 | -/** |
2519 | - * build and append a X509 certificate response into a HIP control message |
2520 | - * (on-the-wire) |
2521 | - * |
2522 | - * @param msg a pointer to the message where the parameter will be |
2523 | - * appended |
2524 | - * @param der der field |
2525 | - * @param len length of the der field in bytes |
2526 | - * @return zero on success, or negative on failure |
2527 | - * @see <a href="http://tools.ietf.org/html/draft-ietf-hip-cert">draft-ietf-hip-cert</a> |
2528 | - * |
2529 | - */ |
2530 | -int hip_build_param_cert_x509_resp(struct hip_common *msg, char *der, int len) |
2531 | -{ |
2532 | - struct hip_cert_x509_resp local; |
2533 | - hip_set_param_type((struct hip_tlv_common *) &local, |
2534 | - HIP_PARAM_CERT_X509_RESP); |
2535 | - hip_calc_param_len((struct hip_tlv_common *) &local, |
2536 | - sizeof(struct hip_cert_x509_resp) |
2537 | - - sizeof(struct hip_tlv_common)); |
2538 | - memcpy(&local.der, der, len); |
2539 | - local.der_len = len; |
2540 | - |
2541 | - return hip_build_param(msg, &local); |
2542 | -} |
2543 | - |
2544 | -/** |
2545 | * Build an append a zone parameter for hit-to-ip extension. |
2546 | * |
2547 | * @param msg a pointer to the message where the parameter will be |
2548 | |
2549 | === modified file 'lib/core/builder.h' |
2550 | --- lib/core/builder.h 2011-04-04 11:46:20 +0000 |
2551 | +++ lib/core/builder.h 2012-02-20 21:42:18 +0000 |
2552 | @@ -36,7 +36,6 @@ |
2553 | #include <openssl/ec.h> |
2554 | #endif /* HAVE_EC_CRYPTO */ |
2555 | |
2556 | -#include "certtools.h" |
2557 | #include "debug.h" |
2558 | #include "icomm.h" |
2559 | #include "state.h" |
2560 | @@ -156,11 +155,6 @@ |
2561 | const in_port_t port); |
2562 | int hip_build_param_via_rvs(struct hip_common *msg, |
2563 | const struct in6_addr rvs_addresses[]); |
2564 | -int hip_build_param_cert_spki_info(struct hip_common *msg, |
2565 | - struct hip_cert_spki_info *cert_info); |
2566 | -int hip_build_param_cert_x509_req(struct hip_common *, struct in6_addr *); |
2567 | -int hip_build_param_cert_x509_resp(struct hip_common *, char *, int); |
2568 | -int hip_build_param_cert_x509_ver(struct hip_common *, char *, int); |
2569 | |
2570 | int hip_build_param_hit_to_ip_set(struct hip_common *, const char *); |
2571 | int hip_build_user_hdr(struct hip_common *, hip_hdr, hip_hdr_err); |
2572 | |
2573 | === removed file 'lib/core/certtools.c' |
2574 | --- lib/core/certtools.c 2012-01-14 15:29:47 +0000 |
2575 | +++ lib/core/certtools.c 1970-01-01 00:00:00 +0000 |
2576 | @@ -1,856 +0,0 @@ |
2577 | -/* |
2578 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
2579 | - * |
2580 | - * Permission is hereby granted, free of charge, to any person |
2581 | - * obtaining a copy of this software and associated documentation |
2582 | - * files (the "Software"), to deal in the Software without |
2583 | - * restriction, including without limitation the rights to use, |
2584 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
2585 | - * copies of the Software, and to permit persons to whom the |
2586 | - * Software is furnished to do so, subject to the following |
2587 | - * conditions: |
2588 | - * |
2589 | - * The above copyright notice and this permission notice shall be |
2590 | - * included in all copies or substantial portions of the Software. |
2591 | - * |
2592 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
2593 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
2594 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
2595 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
2596 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
2597 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
2598 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
2599 | - * OTHER DEALINGS IN THE SOFTWARE. |
2600 | - */ |
2601 | - |
2602 | -/** |
2603 | - * @file |
2604 | - * certificate building and verification functions to use with HIP |
2605 | - */ |
2606 | - |
2607 | -#include <regex.h> |
2608 | -#include <stdio.h> |
2609 | -#include <stdlib.h> |
2610 | -#include <string.h> |
2611 | -#include <openssl/bn.h> |
2612 | -#include <openssl/conf.h> |
2613 | -#include <openssl/dsa.h> |
2614 | -#include <openssl/err.h> |
2615 | -#include <openssl/evp.h> |
2616 | -#include <openssl/rsa.h> |
2617 | -#include <openssl/safestack.h> |
2618 | - |
2619 | -#include "crypto.h" |
2620 | -#include "debug.h" |
2621 | -#include "ife.h" |
2622 | -#include "message.h" |
2623 | -#include "prefix.h" |
2624 | -#include "straddr.h" |
2625 | -#include "certtools.h" |
2626 | - |
2627 | -/******************************************************************************* |
2628 | - * FUNCTIONS FOR SPKI * |
2629 | - *******************************************************************************/ |
2630 | - |
2631 | -/** |
2632 | - * Function that verifies the signature in |
2633 | - * the given SPKI cert sent by the "client" |
2634 | - * |
2635 | - * @param cert points to hip_cert_spki_info that is going to be verified |
2636 | - * |
2637 | - * @return 0 if signature matches, -1 if error or signature did NOT match |
2638 | - * |
2639 | - * @note see hip_cert_spki_char2certinfo to convert from wire to hip_cert_spki_info |
2640 | - */ |
2641 | -int hip_cert_spki_lib_verify(struct hip_cert_spki_info *cert) |
2642 | -{ |
2643 | - int err = 0, start = 0, stop = 0, evpret = 0, keylen = 0, algo = 0; |
2644 | - char buf[200]; |
2645 | - |
2646 | - unsigned char sha_digest[21]; |
2647 | - unsigned char *sha_retval; |
2648 | - unsigned char *signature_hash = NULL; |
2649 | - unsigned char *signature_hash_b64 = NULL; |
2650 | - unsigned char *signature_b64 = NULL; |
2651 | - |
2652 | - unsigned char *signature = NULL; |
2653 | - |
2654 | - /** RSA */ |
2655 | - RSA *rsa = NULL; |
2656 | - unsigned long e_code; |
2657 | - char *e_hex = NULL; |
2658 | - unsigned char *modulus_b64 = NULL; |
2659 | - unsigned char *modulus = NULL; |
2660 | - |
2661 | - /** DSA */ |
2662 | - DSA *dsa = NULL; |
2663 | - unsigned char *p_bin = NULL, *q_bin = NULL, *g_bin = NULL, *y_bin = NULL; |
2664 | - unsigned char *p_b64 = NULL, *q_b64 = NULL, *g_b64 = NULL, *y_b64 = NULL; |
2665 | - DSA_SIG *dsa_sig; |
2666 | - |
2667 | - /* rules for regular expressions */ |
2668 | - |
2669 | - /* |
2670 | - * Rule to get the info if we are using DSA |
2671 | - */ |
2672 | - char dsa_rule[] = "[d][s][a][-][p][k][c][s][1][-][s][h][a][1]"; |
2673 | - |
2674 | - /* |
2675 | - * Rule to get the info if we are using RSA |
2676 | - */ |
2677 | - char rsa_rule[] = "[r][s][a][-][p][k][c][s][1][-][s][h][a][1]"; |
2678 | - |
2679 | - /* |
2680 | - * Rule to get DSA p |
2681 | - * Look for pattern "(p |" and stop when first "|" |
2682 | - * anything in base 64 is accepted inbetween |
2683 | - */ |
2684 | - char p_rule[] = "[(][p][ ][|][[A-Za-z0-9+/()#=-]*[|]"; |
2685 | - |
2686 | - /* |
2687 | - * Rule to get DSA q |
2688 | - * Look for pattern "(q |" and stop when first "|" |
2689 | - * anything in base 64 is accepted inbetween |
2690 | - */ |
2691 | - char q_rule[] = "[(][q][ ][|][[A-Za-z0-9+/()#=-]*[|]"; |
2692 | - |
2693 | - /* |
2694 | - * Rule to get DSA g |
2695 | - * Look for pattern "(g |" and stop when first "|" |
2696 | - * anything in base 64 is accepted inbetween |
2697 | - */ |
2698 | - char g_rule[] = "[(][g][ ][|][[A-Za-z0-9+/()#=-]*[|]"; |
2699 | - |
2700 | - /* |
2701 | - * Rule to get DSA y / pub_key |
2702 | - * Look for pattern "(y |" and stop when first "|" |
2703 | - * anything in base 64 is accepted inbetween |
2704 | - */ |
2705 | - char y_rule[] = "[(][y][ ][|][[A-Za-z0-9+/()#=-]*[|]"; |
2706 | - |
2707 | - /* |
2708 | - * rule to get the public exponent RSA |
2709 | - * Look for the part that says # and after that some hex blob and # |
2710 | - */ |
2711 | - char e_rule[] = "[#][0-9A-Fa-f]*[#]"; |
2712 | - |
2713 | - /* |
2714 | - * rule to get the public modulus RSA |
2715 | - * Look for the part that starts with '|' and after that anything |
2716 | - * that is in base 64 char set and then '|' again |
2717 | - */ |
2718 | - char n_rule[] = "[|][A-Za-z0-9+/()#=-]*[|]"; |
2719 | - |
2720 | - /* |
2721 | - * rule to get the signature hash |
2722 | - * Look for the similar than the n_rule |
2723 | - */ |
2724 | - char h_rule[] = "[|][A-Za-z0-9+/()#=-]*[|]"; |
2725 | - |
2726 | - /* |
2727 | - * rule to get the signature |
2728 | - * Look for part that starts ")|" and base 64 blob after it |
2729 | - * and stops to '|' char remember to add and subtract 2 from |
2730 | - * the indexes below |
2731 | - */ |
2732 | - char s_rule[] = "[)][|][A-Za-z0-9+/()#=-]*[|]"; |
2733 | - |
2734 | - /* check the algo DSA or RSA */ |
2735 | - HIP_DEBUG("Verifying\nRunning regexps to identify algo\n"); |
2736 | - start = stop = 0; |
2737 | - algo = hip_cert_regex(dsa_rule, cert->public_key, &start, &stop); |
2738 | - if (algo != -1) { |
2739 | - HIP_DEBUG("Public-key is DSA\n"); |
2740 | - algo = HIP_HI_DSA; |
2741 | - goto algo_check_done; |
2742 | - } |
2743 | - start = stop = 0; |
2744 | - algo = hip_cert_regex(rsa_rule, cert->public_key, &start, &stop); |
2745 | - if (algo != -1) { |
2746 | - HIP_DEBUG("Public-key is RSA\n"); |
2747 | - algo = HIP_HI_RSA; |
2748 | - goto algo_check_done; |
2749 | - } |
2750 | - HIP_DEBUG((1 != 1), -1, "Unknown algorithm\n"); |
2751 | - |
2752 | -algo_check_done: |
2753 | - if (algo == HIP_HI_RSA) { |
2754 | - /* malloc space for new rsa */ |
2755 | - rsa = RSA_new(); |
2756 | - HIP_IFEL(!rsa, -1, "Failed to malloc RSA\n"); |
2757 | - |
2758 | - /* extract the public-key from cert to rsa */ |
2759 | - |
2760 | - /* public exponent first */ |
2761 | - start = stop = 0; |
2762 | - HIP_IFEL(hip_cert_regex(e_rule, cert->public_key, &start, &stop), -1, |
2763 | - "Failed to run hip_cert_regex (exponent)\n"); |
2764 | - e_hex = malloc(stop - start); |
2765 | - HIP_IFEL(!e_hex, -1, "Malloc for e_hex failed\n"); |
2766 | - snprintf((char *) e_hex, stop - start - 1, "%s", |
2767 | - &cert->public_key[start + 1]); |
2768 | - |
2769 | - /* public modulus */ |
2770 | - start = stop = 0; |
2771 | - HIP_IFEL(hip_cert_regex(n_rule, cert->public_key, &start, &stop), -1, |
2772 | - "Failed to run hip_cert_regex (modulus)\n"); |
2773 | - modulus_b64 = calloc(1, stop - start + 1); |
2774 | - HIP_IFEL(!modulus_b64, -1, "calloc for modulus_b64 failed\n"); |
2775 | - modulus = calloc(1, stop - start + 1); |
2776 | - HIP_IFEL(!modulus, -1, "calloc for modulus failed\n"); |
2777 | - snprintf((char *) modulus_b64, stop - start - 1, "%s", |
2778 | - &cert->public_key[start + 1]); |
2779 | - |
2780 | - /* put the stuff into the RSA struct */ |
2781 | - BN_hex2bn(&rsa->e, e_hex); |
2782 | - evpret = EVP_DecodeBlock(modulus, modulus_b64, |
2783 | - strlen((char *) modulus_b64)); |
2784 | - |
2785 | - /* EVP returns a multiple of 3 octets, subtract any extra */ |
2786 | - keylen = evpret; |
2787 | - if (keylen % 4 != 0) { |
2788 | - --keylen; |
2789 | - keylen = keylen - keylen % 2; |
2790 | - } |
2791 | - signature = malloc(keylen); |
2792 | - HIP_IFEL(!signature, -1, "Malloc for signature failed.\n"); |
2793 | - rsa->n = BN_bin2bn(modulus, keylen, 0); |
2794 | - } else if (algo == HIP_HI_DSA) { |
2795 | - /* malloc space for new dsa */ |
2796 | - dsa = DSA_new(); |
2797 | - HIP_IFEL(!dsa, -1, "Failed to malloc DSA\n"); |
2798 | - |
2799 | - /* Extract public key from the cert */ |
2800 | - |
2801 | - /* dsa->p */ |
2802 | - start = stop = 0; |
2803 | - HIP_IFEL(hip_cert_regex(p_rule, cert->public_key, &start, &stop), -1, |
2804 | - "Failed to run hip_cert_regex dsa->p\n"); |
2805 | - p_b64 = calloc(1, stop - start + 1); |
2806 | - HIP_IFEL(!p_b64, -1, "calloc for p_b64 failed\n"); |
2807 | - p_bin = calloc(1, stop - start + 1); |
2808 | - HIP_IFEL(!p_bin, -1, "calloc for p_bin failed\n"); |
2809 | - snprintf((char *) p_b64, stop - start - 1, "%s", |
2810 | - &cert->public_key[start + 1]); |
2811 | - evpret = EVP_DecodeBlock(p_bin, p_b64, strlen((char *) p_b64)); |
2812 | - |
2813 | - /* dsa->q */ |
2814 | - start = stop = 0; |
2815 | - HIP_IFEL(hip_cert_regex(q_rule, cert->public_key, &start, &stop), -1, |
2816 | - "Failed to run hip_cert_regex dsa->q\n"); |
2817 | - q_b64 = calloc(1, stop - start + 1); |
2818 | - HIP_IFEL(!q_b64, -1, "calloc for q_b64 failed\n"); |
2819 | - q_bin = calloc(1, stop - start + 1); |
2820 | - HIP_IFEL(!q_bin, -1, "calloc for q_bin failed\n"); |
2821 | - snprintf((char *) q_b64, stop - start - 1, "%s", |
2822 | - &cert->public_key[start + 1]); |
2823 | - evpret = EVP_DecodeBlock(q_bin, q_b64, strlen((char *) q_b64)); |
2824 | - |
2825 | - /* dsa->g */ |
2826 | - start = stop = 0; |
2827 | - HIP_IFEL(hip_cert_regex(g_rule, cert->public_key, &start, &stop), -1, |
2828 | - "Failed to run hip_cert_regex dsa->g\n"); |
2829 | - g_b64 = calloc(1, stop - start + 1); |
2830 | - HIP_IFEL(!g_b64, -1, "calloc for g_b64 failed\n"); |
2831 | - g_bin = calloc(1, stop - start + 1); |
2832 | - HIP_IFEL(!g_bin, -1, "calloc for g_bin failed\n"); |
2833 | - snprintf((char *) g_b64, stop - start - 1, "%s", |
2834 | - &cert->public_key[start + 1]); |
2835 | - evpret = EVP_DecodeBlock(g_bin, g_b64, strlen((char *) g_b64)); |
2836 | - |
2837 | - /* dsa->y */ |
2838 | - start = stop = 0; |
2839 | - HIP_IFEL(hip_cert_regex(y_rule, cert->public_key, &start, &stop), -1, |
2840 | - "Failed to run hip_cert_regex dsa->y\n"); |
2841 | - y_b64 = calloc(1, stop - start + 1); |
2842 | - HIP_IFEL(!y_b64, -1, "calloc for y_b64 failed\n"); |
2843 | - y_bin = calloc(1, stop - start + 1); |
2844 | - HIP_IFEL(!y_bin, -1, "calloc for y_bin failed\n"); |
2845 | - snprintf((char *) y_b64, stop - start - 1, "%s", |
2846 | - &cert->public_key[start + 1]); |
2847 | - evpret = EVP_DecodeBlock(y_bin, y_b64, strlen((char *) y_b64)); |
2848 | - } else if (algo == HIP_HI_ECDSA) { |
2849 | - HIP_OUT_ERR(-1, "Call to unimplemented ECDSA case.\n"); |
2850 | - } else { |
2851 | - HIP_OUT_ERR(-1, "Unknown algorithm\n"); |
2852 | - } |
2853 | - |
2854 | - /* build sha1 digest that will be signed */ |
2855 | - HIP_IFEL(!(sha_retval = SHA1((unsigned char *) cert->cert, |
2856 | - strlen((char *) cert->cert), sha_digest)), |
2857 | - -1, "SHA1 error when creating digest.\n"); |
2858 | - |
2859 | - /* Get the signature hash and compare it to the sha_digest we just made */ |
2860 | - start = stop = 0; |
2861 | - HIP_IFEL(hip_cert_regex(h_rule, cert->signature, &start, &stop), -1, |
2862 | - "Failed to run hip_cert_regex (signature hash)\n"); |
2863 | - signature_hash_b64 = calloc(1, stop - start + 1); |
2864 | - HIP_IFEL(!signature_hash_b64, -1, "Failed to calloc signature_hash_b64\n"); |
2865 | - signature_hash = malloc(stop - start + 1); |
2866 | - HIP_IFEL(!signature_hash, -1, "Failed to malloc signature_hash\n"); |
2867 | - snprintf((char *) signature_hash_b64, stop - start - 1, "%s", |
2868 | - &cert->signature[start + 1]); |
2869 | - evpret = EVP_DecodeBlock(signature_hash, signature_hash_b64, |
2870 | - strlen((char *) signature_hash_b64)); |
2871 | - HIP_IFEL(memcmp(sha_digest, signature_hash, 20), -1, |
2872 | - "Signature hash did not match of the one made from the" |
2873 | - "cert sequence in the certificate\n"); |
2874 | - |
2875 | - /* memset signature and put it into its place */ |
2876 | - start = stop = 0; |
2877 | - HIP_IFEL(hip_cert_regex(s_rule, cert->signature, &start, &stop), -1, |
2878 | - "Failed to run hip_cert_regex (signature)\n"); |
2879 | - signature_b64 = calloc(1, stop - start + 1); |
2880 | - HIP_IFEL(!signature_b64, -1, "Failed to calloc signature_b64\n"); |
2881 | - snprintf((char *) signature_b64, stop - start - 2, "%s", |
2882 | - &cert->signature[start + 2]); |
2883 | - if (algo == HIP_HI_DSA) { |
2884 | - signature = malloc(stop - start + 1); |
2885 | - HIP_IFEL(!signature, -1, "Failed to malloc signature (dsa)\n"); |
2886 | - } |
2887 | - evpret = EVP_DecodeBlock(signature, signature_b64, |
2888 | - strlen((char *) signature_b64)); |
2889 | - |
2890 | - if (algo == HIP_HI_RSA) { |
2891 | - /* do the verification */ |
2892 | - err = RSA_verify(NID_sha1, sha_digest, SHA_DIGEST_LENGTH, |
2893 | - signature, RSA_size(rsa), rsa); |
2894 | - e_code = ERR_get_error(); |
2895 | - ERR_load_crypto_strings(); |
2896 | - ERR_error_string(e_code, buf); |
2897 | - |
2898 | - /* RSA_verify returns 1 if success. */ |
2899 | - cert->success = err == 1 ? 0 : -1; |
2900 | - HIP_IFEL((err = err == 1 ? 0 : -1), -1, "RSA_verify error\n"); |
2901 | - } else if (algo == HIP_HI_DSA) { |
2902 | - /* build the signature structure */ |
2903 | - dsa_sig = DSA_SIG_new(); |
2904 | - HIP_IFEL(!dsa_sig, 1, "Failed to allocate DSA_SIG\n"); |
2905 | - dsa_sig->r = BN_bin2bn(&signature[1], DSA_PRIV, NULL); |
2906 | - dsa_sig->s = BN_bin2bn(&signature[1 + DSA_PRIV], DSA_PRIV, NULL); |
2907 | - |
2908 | - /* verify the DSA signature */ |
2909 | - err = DSA_do_verify(sha_digest, SHA_DIGEST_LENGTH, |
2910 | - dsa_sig, dsa) == 0 ? 1 : 0; |
2911 | - |
2912 | - /* DSA_do_verify returns 1 if success. */ |
2913 | - cert->success = err == 1 ? 0 : -1; |
2914 | - HIP_IFEL((err = err == 1 ? 0 : -1), -1, "DSA_do_verify error\n"); |
2915 | - } else if (algo == HIP_HI_ECDSA) { |
2916 | - HIP_OUT_ERR(-1, "Call to unimplemented ECDSA case.\n"); |
2917 | - } else { |
2918 | - HIP_OUT_ERR(-1, "Unknown algorithm\n"); |
2919 | - } |
2920 | - |
2921 | -out_err: |
2922 | - free(signature_hash_b64); |
2923 | - free(signature_hash); |
2924 | - free(modulus_b64); |
2925 | - free(modulus); |
2926 | - free(e_hex); |
2927 | - RSA_free(rsa); |
2928 | - DSA_free(dsa); |
2929 | - return err; |
2930 | -} |
2931 | - |
2932 | -/** |
2933 | - * Function to build the basic cert object of SPKI clears public-key |
2934 | - * object and signature in hip_cert_spki_header |
2935 | - * |
2936 | - * @param minimal_content holds the struct hip_cert_spki_header |
2937 | - * containing the minimal needed information for |
2938 | - * cert object, also contains the char table where |
2939 | - * the cert object is to be stored |
2940 | - * |
2941 | - * @return always 0 |
2942 | - */ |
2943 | -static int cert_spki_build_cert(struct hip_cert_spki_info *minimal_content) |
2944 | -{ |
2945 | - char needed[] = "(cert )"; |
2946 | - memset(minimal_content->public_key, '\0', sizeof(minimal_content->public_key)); |
2947 | - memset(minimal_content->cert, '\0', sizeof(minimal_content->cert)); |
2948 | - memset(minimal_content->signature, '\0', sizeof(minimal_content->signature)); |
2949 | - sprintf(minimal_content->cert, "%s", needed); |
2950 | - |
2951 | - return 0; |
2952 | -} |
2953 | - |
2954 | -/** |
2955 | - * Function for injecting objects to cert object |
2956 | - * |
2957 | - * @param to hip_cert_spki_info containing the char table where to insert |
2958 | - * @param after is a char pointer for the regcomp after which the inject happens |
2959 | - * @param what is char pointer of what to |
2960 | - * |
2961 | - * @return 0 if ok and negative if error. -1 returned for example when after is NOT found |
2962 | - */ |
2963 | -static int cert_spki_inject(struct hip_cert_spki_info *to, |
2964 | - const char *after, const char *what) |
2965 | -{ |
2966 | - int err = 0, status = 0; |
2967 | - regex_t re; |
2968 | - regmatch_t pm[1]; |
2969 | - char *tmp_cert; |
2970 | - |
2971 | - tmp_cert = calloc(1, strlen(to->cert) + strlen(what) + 1); |
2972 | - if (!tmp_cert) { |
2973 | - return -ENOMEM; |
2974 | - } |
2975 | - /* Compiling the regular expression */ |
2976 | - HIP_IFEL(regcomp(&re, after, REG_EXTENDED), -1, |
2977 | - "Compilation of the regular expression failed\n"); |
2978 | - /* Running the regular expression */ |
2979 | - HIP_IFEL((status = regexec(&re, to->cert, 1, pm, 0)), -1, |
2980 | - "Handling of regular expression failed\n"); |
2981 | - /* Using tmp char table to do the inject (remember the terminators) |
2982 | - * first the beginning */ |
2983 | - snprintf(tmp_cert, pm[0].rm_eo + 2, "%s", to->cert); |
2984 | - /* Then the middle part to be injected */ |
2985 | - snprintf(&tmp_cert[pm[0].rm_eo + 1], strlen(what) + 1, "%s", what); |
2986 | - /* then glue back the rest of the original at the end */ |
2987 | - snprintf(&tmp_cert[(pm[0].rm_eo + strlen(what) + 1)], |
2988 | - (strlen(to->cert) - pm[0].rm_eo), "%s", &to->cert[pm[0].rm_eo + 1]); |
2989 | - /* move tmp to the result */ |
2990 | - sprintf(to->cert, "%s", tmp_cert); |
2991 | -out_err: |
2992 | - free(tmp_cert); |
2993 | - regfree(&re); |
2994 | - return err; |
2995 | -} |
2996 | - |
2997 | -/** |
2998 | - * Function to build the create minimal SPKI cert (plus socket parameter) |
2999 | - * |
3000 | - * @param content holds the struct hip_cert_spki_info containing |
3001 | - * the minimal needed information for cert object, |
3002 | - * also contains the char table where the cert object |
3003 | - * is to be stored |
3004 | - * @param issuer_type With HIP its HIT |
3005 | - * @param issuer HIT in representation encoding 2001:001... |
3006 | - * @param subject_type With HIP its HIT |
3007 | - * @param subject HIT in representation encoding 2001:001... |
3008 | - * @param not_before time in timeval before which the cert should not be used |
3009 | - * @param not_after time in timeval after which the cert should not be used |
3010 | - * @param hip_user_socket socket, already connected to hipd, to pass through to |
3011 | - * hip_send_recv_daemon_info |
3012 | - * @return 0 if ok -1 if error |
3013 | - */ |
3014 | -static int cert_spki_create_cert_sock(struct hip_cert_spki_info *content, |
3015 | - const char *issuer_type, |
3016 | - struct in6_addr *issuer, |
3017 | - const char *subject_type, |
3018 | - struct in6_addr *subject, |
3019 | - time_t *not_before, |
3020 | - time_t *not_after, |
3021 | - int hip_user_socket) |
3022 | -{ |
3023 | - int err = 0; |
3024 | - char *tmp_issuer = NULL; |
3025 | - char *tmp_subject = NULL; |
3026 | - char *tmp_before = NULL; |
3027 | - char *tmp_after = NULL; |
3028 | - struct tm *ts = NULL; |
3029 | - char buf_before[80]; |
3030 | - char buf_after[80]; |
3031 | - char present_issuer[41] = { 0 }; |
3032 | - char present_subject[41] = { 0 }; |
3033 | - struct hip_common *msg = NULL; |
3034 | - const struct hip_cert_spki_info *returned = NULL; |
3035 | - |
3036 | - /* Malloc needed */ |
3037 | - tmp_issuer = calloc(1, 128); |
3038 | - if (!tmp_issuer) { |
3039 | - goto out_err; /* Why does this return 0? */ |
3040 | - } |
3041 | - tmp_subject = calloc(1, 128); |
3042 | - if (!tmp_subject) { |
3043 | - goto out_err; |
3044 | - } |
3045 | - tmp_before = calloc(1, 128); |
3046 | - if (!tmp_before) { |
3047 | - goto out_err; |
3048 | - } |
3049 | - tmp_after = calloc(1, 128); |
3050 | - if (!tmp_after) { |
3051 | - goto out_err; |
3052 | - } |
3053 | - HIP_IFEL(!(msg = malloc(HIP_MAX_PACKET)), -1, |
3054 | - "Malloc for msg failed\n"); |
3055 | - |
3056 | - /* Make needed transforms to the date */ |
3057 | - /* Format and print the time, "yyyy-mm-dd hh:mm:ss" |
3058 | - * (not-after "1998-04-15_00:00:00") */ |
3059 | - ts = localtime(not_before); |
3060 | - strftime(buf_before, sizeof(buf_before), "%Y-%m-%d_%H:%M:%S", ts); |
3061 | - ts = localtime(not_after); |
3062 | - strftime(buf_after, sizeof(buf_after), "%Y-%m-%d_%H:%M:%S", ts); |
3063 | - |
3064 | - sprintf(tmp_before, "(not-before \"%s\")", buf_before); |
3065 | - sprintf(tmp_after, "(not-after \"%s\")", buf_after); |
3066 | - |
3067 | - ipv6_addr_copy(&content->issuer_hit, issuer); |
3068 | - inet_ntop(AF_INET6, issuer, present_issuer, INET6_ADDRSTRLEN); |
3069 | - inet_ntop(AF_INET6, subject, present_subject, INET6_ADDRSTRLEN); |
3070 | - |
3071 | - sprintf(tmp_issuer, "(hash %s %s)", issuer_type, present_issuer); |
3072 | - sprintf(tmp_subject, "(hash %s %s)", subject_type, present_subject); |
3073 | - |
3074 | - /* Create the cert sequence */ |
3075 | - HIP_IFEL(cert_spki_build_cert(content), -1, |
3076 | - "cert_spki_build_cert failed\n"); |
3077 | - |
3078 | - HIP_IFEL(cert_spki_inject(content, "cert", tmp_after), -1, |
3079 | - "cert_spki_inject failed to inject\n"); |
3080 | - HIP_IFEL(cert_spki_inject(content, "cert", tmp_before), -1, |
3081 | - "cert_spki_inject failed to inject\n"); |
3082 | - HIP_IFEL(cert_spki_inject(content, "cert", "(subject )"), -1, |
3083 | - "cert_spki_inject failed to inject\n"); |
3084 | - HIP_IFEL(cert_spki_inject(content, "subject", tmp_subject), -1, |
3085 | - "cert_spki_inject failed to inject\n"); |
3086 | - HIP_IFEL(cert_spki_inject(content, "cert", "(issuer )"), -1, |
3087 | - "cert_spki_inject failed to inject\n"); |
3088 | - HIP_IFEL(cert_spki_inject(content, "issuer", tmp_issuer), -1, |
3089 | - "cert_spki_inject failed to inject\n"); |
3090 | - |
3091 | - /* Create the signature and the public-key sequences */ |
3092 | - |
3093 | - /* Send the daemon the struct hip_cert_spki_header |
3094 | - * containing the cert sequence in content->cert. |
3095 | - * As a result you should get the struct back with |
3096 | - * public-key and signature fields filled */ |
3097 | - |
3098 | - /* build the msg to be sent to the daemon */ |
3099 | - hip_msg_init(msg); |
3100 | - HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_CERT_SPKI_SIGN, 0), -1, |
3101 | - "Failed to build user header\n"); |
3102 | - HIP_IFEL(hip_build_param_cert_spki_info(msg, content), -1, |
3103 | - "Failed to build cert_info\n"); |
3104 | - /* send and wait */ |
3105 | - HIP_DEBUG("Sending request to sign SPKI cert sequence to " |
3106 | - "daemon and waiting for answer\n"); |
3107 | - hip_send_recv_daemon_info(msg, 0, hip_user_socket); |
3108 | - |
3109 | - /* get the struct from the message sent back by the daemon */ |
3110 | - HIP_IFEL(!(returned = hip_get_param(msg, HIP_PARAM_CERT_SPKI_INFO)), |
3111 | - -1, "No hip_cert_spki_info struct found from daemons msg\n"); |
3112 | - |
3113 | - memcpy(content, returned, sizeof(struct hip_cert_spki_info)); |
3114 | - |
3115 | -out_err: |
3116 | - /* free everything malloced */ |
3117 | - free(tmp_before); |
3118 | - free(tmp_after); |
3119 | - free(tmp_issuer); |
3120 | - free(tmp_subject); |
3121 | - free(msg); |
3122 | - return err; |
3123 | -} |
3124 | - |
3125 | -/** |
3126 | - * Function to build the create minimal SPKI cert |
3127 | - * |
3128 | - * @param content holds the struct hip_cert_spki_info containing |
3129 | - * the minimal needed information for cert object, |
3130 | - * also contains the char table where the cert object |
3131 | - * is to be stored |
3132 | - * @param issuer_type With HIP its HIT |
3133 | - * @param issuer HIT in representation encoding 2001:001... |
3134 | - * @param subject_type With HIP its HIT |
3135 | - * @param subject HIT in representation encoding 2001:001... |
3136 | - * @param not_before time in timeval before which the cert should not be used |
3137 | - * @param not_after time in timeval after which the cert should not be used |
3138 | - * @return 0 if ok -1 if error |
3139 | - */ |
3140 | -int hip_cert_spki_create_cert(struct hip_cert_spki_info *content, |
3141 | - const char *issuer_type, struct in6_addr *issuer, |
3142 | - const char *subject_type, struct in6_addr *subject, |
3143 | - time_t *not_before, time_t *not_after) |
3144 | -{ |
3145 | - return cert_spki_create_cert_sock(content, issuer_type, issuer, |
3146 | - subject_type, subject, not_before, |
3147 | - not_after, 0); |
3148 | -} |
3149 | - |
3150 | -/** |
3151 | - * Function that takes the cert in single char table and constructs |
3152 | - * hip_cert_spki_info from it |
3153 | - * |
3154 | - * @param from char pointer to the whole certificate |
3155 | - * @param to hip_cert_spki_info containing the char table where to insert |
3156 | - * |
3157 | - * @return 0 if ok and negative if error. |
3158 | - */ |
3159 | -int hip_cert_spki_char2certinfo(char *from, struct hip_cert_spki_info *to) |
3160 | -{ |
3161 | - int start = 0, stop = 0; |
3162 | - /* |
3163 | - * p_rule looks for string "(public_key " after which there can be |
3164 | - * pretty much anything until string "|)))" is encountered. |
3165 | - * This is the public-key sequence. |
3166 | - */ |
3167 | - char p_rule[] = "[(]public_key [ A-Za-z0-9+|/()#=-]*[|][)][)][)]"; |
3168 | - /* |
3169 | - * c_rule looks for string "(cert " after which there can be |
3170 | - * pretty much anything until string '"))' is encountered. |
3171 | - * This is the cert sequence. |
3172 | - */ |
3173 | - char c_rule[] = "[(]cert [ A-Za-z0-9+|/():=_\"-]*[\"][)][)]"; //\" is one char |
3174 | - /* |
3175 | - * s_rule looks for string "(signature " after which there can be |
3176 | - * pretty much anything until string "|))" is encountered. |
3177 | - * This is the signature sequence. |
3178 | - */ |
3179 | - char s_rule[] = "[(]signature [ A-Za-z0-9+/|()=]*[|][)][)]"; |
3180 | - |
3181 | - /* Look for the public key */ |
3182 | - if (hip_cert_regex(p_rule, from, &start, &stop)) { |
3183 | - HIP_ERROR("Failed to run hip_cert_regex (public-key)\n"); |
3184 | - return -1; |
3185 | - } |
3186 | - snprintf(to->public_key, stop - start + 1, "%s", &from[start]); |
3187 | - |
3188 | - /* Look for the cert sequence */ |
3189 | - start = stop = 0; |
3190 | - if (hip_cert_regex(c_rule, from, &start, &stop)) { |
3191 | - HIP_ERROR("Failed to run hip_cert_regex (cert)\n"); |
3192 | - return -1; |
3193 | - } |
3194 | - snprintf(to->cert, stop - start + 1, "%s", &from[start]); |
3195 | - |
3196 | - /* look for the signature sequence */ |
3197 | - start = stop = 0; |
3198 | - if (hip_cert_regex(s_rule, from, &start, &stop)) { |
3199 | - HIP_ERROR("Failed to run hip_cert_regex (signature)\n"); |
3200 | - return -1; |
3201 | - } |
3202 | - snprintf(to->signature, stop - start + 1, "%s", &from[start]); |
3203 | - |
3204 | - return 0; |
3205 | -} |
3206 | - |
3207 | -/** |
3208 | - * Function that sends the given hip_cert_spki_info to the daemon to |
3209 | - * verification |
3210 | - * |
3211 | - * @param to_verification is the cert to be verified |
3212 | - * |
3213 | - * @return 0 if ok and negative if error or unsuccessful. |
3214 | - * |
3215 | - * @note use hip_cert_spki_char2certinfo to build the hip_cert_spki_info |
3216 | - */ |
3217 | -int hip_cert_spki_send_to_verification(struct hip_cert_spki_info *to_verification) |
3218 | -{ |
3219 | - int err = 0; |
3220 | - struct hip_common *msg; |
3221 | - const struct hip_cert_spki_info *returned; |
3222 | - |
3223 | - if (!(msg = malloc(HIP_MAX_PACKET))) { |
3224 | - HIP_ERROR("Malloc for msg failed\n"); |
3225 | - return -ENOMEM; |
3226 | - } |
3227 | - hip_msg_init(msg); |
3228 | - /* build the msg to be sent to the daemon */ |
3229 | - HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_CERT_SPKI_VERIFY, 0), -1, |
3230 | - "Failed to build user header\n"); |
3231 | - HIP_IFEL(hip_build_param_cert_spki_info(msg, to_verification), -1, |
3232 | - "Failed to build cert_info\n"); |
3233 | - |
3234 | - /* send and wait */ |
3235 | - HIP_DEBUG("Sending request to verify SPKI cert to " |
3236 | - "daemon and waiting for answer\n"); |
3237 | - hip_send_recv_daemon_info(msg, 0, 0); |
3238 | - |
3239 | - HIP_IFEL(!(returned = hip_get_param(msg, HIP_PARAM_CERT_SPKI_INFO)), |
3240 | - -1, "No hip_cert_spki_info struct found from daemons msg\n"); |
3241 | - |
3242 | - memcpy(to_verification, returned, sizeof(struct hip_cert_spki_info)); |
3243 | - |
3244 | -out_err: |
3245 | - free(msg); |
3246 | - return err; |
3247 | -} |
3248 | - |
3249 | -/****************************************************************************** |
3250 | - * FUNCTIONS FOR x509v3 * |
3251 | - ******************************************************************************/ |
3252 | - |
3253 | -/** |
3254 | - * Function that requests for a certificate from daemon and gives it back. |
3255 | - * |
3256 | - * @param subject is the subjects HIT |
3257 | - * |
3258 | - * @param certificate is pointer to a buffer to which this function writes the completed cert |
3259 | - * |
3260 | - * @return positive on success negative otherwise |
3261 | - * |
3262 | - * @note The certificate is given in DER encoding |
3263 | - */ |
3264 | -int hip_cert_x509v3_request_certificate(struct in6_addr *subject, |
3265 | - unsigned char *certificate) |
3266 | -{ |
3267 | - int err = 0; |
3268 | - struct hip_common *msg; |
3269 | - const struct hip_cert_x509_resp *p; |
3270 | - |
3271 | - if (!(msg = malloc(HIP_MAX_PACKET))) { |
3272 | - HIP_ERROR("Malloc for msg failed\n"); |
3273 | - return -ENOMEM; |
3274 | - } |
3275 | - hip_msg_init(msg); |
3276 | - /* build the msg to be sent to the daemon */ |
3277 | - |
3278 | - HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_CERT_X509V3_SIGN, 0), -1, |
3279 | - "Failed to build user header\n"); |
3280 | - HIP_IFEL(hip_build_param_cert_x509_req(msg, subject), -1, |
3281 | - "Failed to build cert_info\n"); |
3282 | - /* send and wait */ |
3283 | - HIP_DEBUG("Sending request to sign x509 cert to " |
3284 | - "daemon and waiting for answer\n"); |
3285 | - hip_send_recv_daemon_info(msg, 0, 0); |
3286 | - /* get the struct from the message sent back by the daemon */ |
3287 | - HIP_IFEL(!(p = hip_get_param(msg, HIP_PARAM_CERT_X509_RESP)), -1, |
3288 | - "No name x509 struct found\n"); |
3289 | - memcpy(certificate, p->der, p->der_len); |
3290 | - err = p->der_len; |
3291 | - |
3292 | -out_err: |
3293 | - free(msg); |
3294 | - return err; |
3295 | -} |
3296 | - |
3297 | -/** |
3298 | - * Function that requests for a verification of a certificate from |
3299 | - * daemon and tells the result. |
3300 | - * |
3301 | - * @param certificate is pointer to a certificate to be verified |
3302 | - * @param len is the length of the cert in certificate parameter in bytes |
3303 | - * |
3304 | - * @return 0 on success negative otherwise |
3305 | - * |
3306 | - * @note give the certificate in PEM encoding |
3307 | - */ |
3308 | -int hip_cert_x509v3_request_verification(unsigned char *certificate, int len) |
3309 | -{ |
3310 | - int err = 0; |
3311 | - struct hip_common *msg; |
3312 | - const struct hip_cert_x509_resp *received; |
3313 | - |
3314 | - if (!(msg = malloc(HIP_MAX_PACKET))) { |
3315 | - HIP_ERROR("Malloc for msg failed\n"); |
3316 | - return -ENOMEM; |
3317 | - } |
3318 | - hip_msg_init(msg); |
3319 | - |
3320 | - /* build the msg to be sent to the daemon */ |
3321 | - HIP_IFEL(hip_build_user_hdr(msg, HIP_MSG_CERT_X509V3_VERIFY, 0), -1, |
3322 | - "Failed to build user header\n"); |
3323 | - HIP_IFEL(hip_build_param_cert_x509_ver(msg, (char *) certificate, len), -1, |
3324 | - "Failed to build cert_info\n"); |
3325 | - |
3326 | - /* send and wait */ |
3327 | - HIP_DEBUG("Sending request to verify x509 cert to " |
3328 | - "daemon and waiting for answer\n"); |
3329 | - hip_send_recv_daemon_info(msg, 0, 0); |
3330 | - |
3331 | - /* get the struct from the message sent back by the daemon */ |
3332 | - HIP_IFEL(!(received = hip_get_param(msg, HIP_PARAM_CERT_X509_RESP)), -1, |
3333 | - "No x509 struct found\n"); |
3334 | - err = hip_get_msg_err(msg); |
3335 | - if (err == 0) { |
3336 | - HIP_DEBUG("Verified successfully\n"); |
3337 | - } else { |
3338 | - HIP_DEBUG("Verification failed\n"); |
3339 | - } |
3340 | - |
3341 | -out_err: |
3342 | - free(msg); |
3343 | - return err; |
3344 | -} |
3345 | - |
3346 | -/***************************************************************************** |
3347 | - * UTILITY FUNCTIONS * |
3348 | - *****************************************************************************/ |
3349 | - |
3350 | -/** |
3351 | - * Read configuration section from loaded configuration file. |
3352 | - * |
3353 | - * @param section_name the name of the section to be retrieved |
3354 | - * @param conf the loaded configuration to read from |
3355 | - * |
3356 | - * @return STACK_OF(CONF_VALUE) pointer if OK, NULL on error |
3357 | - * |
3358 | - * @note Remember to open the configuration file with hip_cert_open_conf() and |
3359 | - * close it after processing with NCONF_free(). |
3360 | - */ |
3361 | -STACK_OF(CONF_VALUE) *hip_read_conf_section(const char *section_name, |
3362 | - CONF *conf) |
3363 | -{ |
3364 | - STACK_OF(CONF_VALUE) *sec; |
3365 | - |
3366 | - if (!(sec = NCONF_get_section(conf, section_name))) { |
3367 | - HIP_ERROR("Section %s was not in the configuration (%s)\n", |
3368 | - section_name, HIP_CERT_CONF_PATH); |
3369 | - return NULL; |
3370 | - } |
3371 | - |
3372 | - return sec; |
3373 | -} |
3374 | - |
3375 | -/** |
3376 | - * Load a configuration file from HIP_CERT_CONF_PATH. |
3377 | - * |
3378 | - * @return CONF pointer if OK, NULL on error |
3379 | - */ |
3380 | -CONF *hip_open_conf(const char *filename) |
3381 | -{ |
3382 | - long err; |
3383 | - CONF *conf; |
3384 | - |
3385 | - conf = NCONF_new(NCONF_default()); |
3386 | - if (!NCONF_load(conf, filename, &err)) { |
3387 | - HIP_ERROR("Error opening the configuration file"); |
3388 | - return NULL; |
3389 | - } |
3390 | - return conf; |
3391 | -} |
3392 | - |
3393 | -/** |
3394 | - * Function that wraps regular expression stuff and gives the answer :) |
3395 | - * |
3396 | - * @param what is a char pointer to the rule used in the search (POSIX) |
3397 | - * @param from where are we looking for it char pointer |
3398 | - * @param start will store the start point of the found substr |
3399 | - * @param stop will store the end point of the found substr |
3400 | - * |
3401 | - * @return 0 if ok and negative if error. |
3402 | - * |
3403 | - * @note Be carefull with the what so you get what you want :) |
3404 | - */ |
3405 | -int hip_cert_regex(char *what, char *from, int *start, int *stop) |
3406 | -{ |
3407 | - int err = 0, status = 0; |
3408 | - regex_t re; |
3409 | - regmatch_t answer[1]; |
3410 | - |
3411 | - *start = *stop = 0; |
3412 | - |
3413 | - /* Compiling the regular expression */ |
3414 | - if (regcomp(&re, what, REG_EXTENDED)) { |
3415 | - HIP_ERROR("Compilation of the regular expression failed\n"); |
3416 | - return -1; |
3417 | - } |
3418 | - /* Running the regular expression */ |
3419 | - // TODO this might need to be an error!? |
3420 | - // this needs to be separated to found, not found, and error -Samu |
3421 | - if ((status = regexec(&re, from, 1, answer, 0))) { |
3422 | - err = -1; |
3423 | - goto out_err; |
3424 | - } |
3425 | - |
3426 | - *start = answer[0].rm_so; |
3427 | - *stop = answer[0].rm_eo; |
3428 | - |
3429 | -out_err: |
3430 | - regfree(&re); |
3431 | - return err; |
3432 | -} |
3433 | |
3434 | === removed file 'lib/core/certtools.h' |
3435 | --- lib/core/certtools.h 2012-01-14 15:29:47 +0000 |
3436 | +++ lib/core/certtools.h 1970-01-01 00:00:00 +0000 |
3437 | @@ -1,79 +0,0 @@ |
3438 | -/* |
3439 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
3440 | - * |
3441 | - * Permission is hereby granted, free of charge, to any person |
3442 | - * obtaining a copy of this software and associated documentation |
3443 | - * files (the "Software"), to deal in the Software without |
3444 | - * restriction, including without limitation the rights to use, |
3445 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
3446 | - * copies of the Software, and to permit persons to whom the |
3447 | - * Software is furnished to do so, subject to the following |
3448 | - * conditions: |
3449 | - * |
3450 | - * The above copyright notice and this permission notice shall be |
3451 | - * included in all copies or substantial portions of the Software. |
3452 | - * |
3453 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
3454 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
3455 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
3456 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
3457 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
3458 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
3459 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
3460 | - * OTHER DEALINGS IN THE SOFTWARE. |
3461 | - */ |
3462 | - |
3463 | -/** |
3464 | - * @file |
3465 | - * Certificate building, parseing and verification functions. |
3466 | - */ |
3467 | - |
3468 | -#ifndef HIPL_LIB_CORE_CERTTOOLS_H |
3469 | -#define HIPL_LIB_CORE_CERTTOOLS_H |
3470 | - |
3471 | -#include <stdint.h> |
3472 | -#include <netinet/in.h> |
3473 | -#include <openssl/rsa.h> |
3474 | -#include <openssl/ossl_typ.h> |
3475 | -#include <sys/types.h> |
3476 | - |
3477 | -#include "protodefs.h" |
3478 | - |
3479 | - |
3480 | -/** Defines */ |
3481 | -#define HIP_CERT_CONF_PATH HIPL_SYSCONFDIR "/hip_cert.conf" |
3482 | - |
3483 | -#define HIP_CERT_DAY 86400 |
3484 | - |
3485 | -/** Struct used to deliver the minimal needed information to build SPKI cert */ |
3486 | -struct hip_cert_spki_info { |
3487 | - hip_tlv type; |
3488 | - hip_tlv_len length; |
3489 | - char public_key[768]; |
3490 | - char cert[224]; |
3491 | - char signature[768]; |
3492 | - struct in6_addr issuer_hit; |
3493 | - /* 0 if successfully verified otherwise negative */ |
3494 | - uint32_t success; |
3495 | -}; |
3496 | - |
3497 | -/** SPKI cert related functions */ |
3498 | -int hip_cert_spki_lib_verify(struct hip_cert_spki_info *); |
3499 | -int hip_cert_spki_create_cert(struct hip_cert_spki_info *, |
3500 | - const char *, struct in6_addr *, |
3501 | - const char *, struct in6_addr *, |
3502 | - time_t *, time_t *); |
3503 | -int hip_cert_spki_char2certinfo(char *, struct hip_cert_spki_info *); |
3504 | -int hip_cert_spki_send_to_verification(struct hip_cert_spki_info *); |
3505 | - |
3506 | -/* x509v3 cert related functions */ |
3507 | -int hip_cert_x509v3_request_certificate(struct in6_addr *, unsigned char *); |
3508 | -int hip_cert_x509v3_request_verification(unsigned char *, int); |
3509 | - |
3510 | -/** utility functions */ |
3511 | -STACK_OF(CONF_VALUE) *hip_read_conf_section(const char *section_name, |
3512 | - CONF *conf); |
3513 | -CONF *hip_open_conf(const char *filename); |
3514 | -int hip_cert_regex(char *, char *, int *, int *); |
3515 | - |
3516 | -#endif /* HIPL_LIB_CORE_CERTTOOLS_H */ |
3517 | |
3518 | === removed file 'test/certteststub.c' |
3519 | --- test/certteststub.c 2012-01-14 15:29:47 +0000 |
3520 | +++ test/certteststub.c 1970-01-01 00:00:00 +0000 |
3521 | @@ -1,196 +0,0 @@ |
3522 | -/* |
3523 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
3524 | - * |
3525 | - * Permission is hereby granted, free of charge, to any person |
3526 | - * obtaining a copy of this software and associated documentation |
3527 | - * files (the "Software"), to deal in the Software without |
3528 | - * restriction, including without limitation the rights to use, |
3529 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
3530 | - * copies of the Software, and to permit persons to whom the |
3531 | - * Software is furnished to do so, subject to the following |
3532 | - * conditions: |
3533 | - * |
3534 | - * The above copyright notice and this permission notice shall be |
3535 | - * included in all copies or substantial portions of the Software. |
3536 | - * |
3537 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
3538 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
3539 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
3540 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
3541 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
3542 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
3543 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
3544 | - * OTHER DEALINGS IN THE SOFTWARE. |
3545 | - */ |
3546 | - |
3547 | -/** |
3548 | - * @file |
3549 | - * A teststub for certtools.c/h |
3550 | - * |
3551 | - * File for testing the main operations of certtools. |
3552 | - * First this test takes the default HIT and the corresponding key. |
3553 | - * Secondly it creates a certificate where itself is the issuer and the subject. |
3554 | - * Then it tries to verify it. If it succeeds everything should be OK :) |
3555 | - */ |
3556 | - |
3557 | -#include <stdio.h> |
3558 | -#include <stdlib.h> |
3559 | -#include <string.h> |
3560 | -#include <time.h> |
3561 | -#include <arpa/inet.h> |
3562 | -#include <openssl/conf.h> |
3563 | -#include <openssl/ossl_typ.h> |
3564 | -#include <openssl/safestack.h> |
3565 | - |
3566 | -#include "lib/core/certtools.h" |
3567 | -#include "lib/core/debug.h" |
3568 | -#include "lib/core/ife.h" |
3569 | -#include "lib/core/protodefs.h" |
3570 | - |
3571 | - |
3572 | -int main(int argc, char *argv[]) |
3573 | -{ |
3574 | - int err = 0, i = 0, len; |
3575 | - struct hip_cert_spki_info *cert = NULL; |
3576 | - struct hip_cert_spki_info *to_verification = NULL; |
3577 | - time_t not_before = 0, not_after = 0; |
3578 | - struct hip_common *msg; |
3579 | - struct in6_addr *defhit; |
3580 | - char certificate[1024]; |
3581 | - unsigned char der_cert[1024]; |
3582 | - CONF *conf; |
3583 | - CONF_VALUE *item; |
3584 | - STACK_OF(CONF_VALUE) *sec = NULL; |
3585 | - STACK_OF(CONF_VALUE) *sec_name = NULL; |
3586 | - |
3587 | - if (argc != 2) { |
3588 | - printf("Usage: %s spki|x509\n", argv[0]); |
3589 | - exit(EXIT_SUCCESS); |
3590 | - } |
3591 | - |
3592 | - HIP_DEBUG("- This test tool has to be run as root otherwise this will fail!\n"); |
3593 | - HIP_DEBUG("- Hipd has to run otherwise this will hang!\n"); |
3594 | - |
3595 | - HIP_IFEL(!(msg = malloc(HIP_MAX_PACKET)), -1, |
3596 | - "Malloc for msg failed\n"); |
3597 | - defhit = malloc(sizeof(struct in6_addr)); |
3598 | - if (!defhit) { |
3599 | - goto out_err; |
3600 | - } |
3601 | - |
3602 | - if (strcmp(argv[1], "spki")) { |
3603 | - goto skip_spki; |
3604 | - } |
3605 | - |
3606 | - HIP_DEBUG("Starting to test SPKI certficate tools\n"); |
3607 | - |
3608 | - cert = malloc(sizeof(struct hip_cert_spki_info)); |
3609 | - if (!cert) { |
3610 | - goto out_err; |
3611 | - } |
3612 | - |
3613 | - to_verification = malloc(sizeof(struct hip_cert_spki_info)); |
3614 | - if (!to_verification) { |
3615 | - goto out_err; |
3616 | - } |
3617 | - |
3618 | - time(¬_before); |
3619 | - time(¬_after); |
3620 | - HIP_DEBUG("Reading configuration file (%s)\n", HIP_CERT_CONF_PATH); |
3621 | - conf = hip_open_conf(HIP_CERT_CONF_PATH); |
3622 | - sec = hip_read_conf_section("hip_spki", conf); |
3623 | - |
3624 | - for (i = 0; i < sk_CONF_VALUE_num(sec); i++) { |
3625 | - item = sk_CONF_VALUE_value(sec, i); |
3626 | - if (!strcmp(item->name, "issuerhit")) { |
3627 | - err = inet_pton(AF_INET6, item->value, defhit); |
3628 | - if (err < 1) { |
3629 | - err = -1; |
3630 | - goto out_err; |
3631 | - } |
3632 | - } |
3633 | - if (!strcmp(item->name, "days")) { |
3634 | - not_after += HIP_CERT_DAY * atoi(item->value); |
3635 | - } |
3636 | - } |
3637 | - NCONF_free(conf); |
3638 | - |
3639 | - hip_cert_spki_create_cert(cert, |
3640 | - "hit", defhit, |
3641 | - "hit", defhit, |
3642 | - ¬_before, |
3643 | - ¬_after); |
3644 | - |
3645 | - /* |
3646 | - * Concatenate everything together as if we would have gotten |
3647 | - * it from someone else and we would be starting to verify. |
3648 | - * |
3649 | - * So the process would be take the cert blob and take out |
3650 | - * public-key sequence, cert sequence and signature sequence |
3651 | - * and create a hip_cert_spki_info and send it to the daemon |
3652 | - * for verification. |
3653 | - */ |
3654 | - sprintf((char *) &certificate, "(sequence %s%s%s)", |
3655 | - cert->public_key, |
3656 | - cert->cert, |
3657 | - cert->signature); |
3658 | - HIP_DEBUG("\n\nCertificate gotten back from daemon:\n\n" |
3659 | - "%s\n\nCertificate len %d\n\n", |
3660 | - certificate, |
3661 | - strlen(certificate)); |
3662 | - |
3663 | - HIP_IFEL(hip_cert_spki_char2certinfo(certificate, to_verification), -1, |
3664 | - "Failed to construct the hip_cert_spki_info from certificate\n"); |
3665 | - |
3666 | - /* |
3667 | - * below, commented out, is the daemons version of the verification |
3668 | - * and below that is the lib version of the verification |
3669 | - */ |
3670 | - /* |
3671 | - * HIP_DEBUG("Sending the certificate to daemon for verification\n"); |
3672 | - * |
3673 | - * HIP_IFEL(hip_cert_spki_send_to_verification(to_verification), -1, |
3674 | - * "Failed in sending to verification\n"); |
3675 | - * HIP_IFEL(to_verification->success, -1, |
3676 | - * "Verification was not successful\n"); |
3677 | - * HIP_DEBUG("Verification was successful (return value %d)\n", |
3678 | - * to_verification->success); |
3679 | - */ |
3680 | - /* Lets do the verification in library */ |
3681 | - HIP_IFEL(hip_cert_spki_lib_verify(to_verification), -1, |
3682 | - "Verification was not successful\n"); |
3683 | - HIP_DEBUG("Verification was successful (return value %d)\n", |
3684 | - to_verification->success); |
3685 | - |
3686 | - goto out_err; |
3687 | - |
3688 | -skip_spki: |
3689 | - HIP_DEBUG("Starting to test x509v3 support\n"); |
3690 | - |
3691 | - conf = hip_open_conf(HIP_CERT_CONF_PATH); |
3692 | - sec_name = hip_read_conf_section("hip_x509v3_name", conf); |
3693 | - |
3694 | - for (i = 0; i < sk_CONF_VALUE_num(sec_name); i++) { |
3695 | - item = sk_CONF_VALUE_value(sec_name, i); |
3696 | - if (!strcmp(item->name, "issuerhit")) { |
3697 | - err = inet_pton(AF_INET6, item->value, defhit); |
3698 | - if (err < 1) { |
3699 | - err = -1; |
3700 | - goto out_err; |
3701 | - } |
3702 | - } |
3703 | - } |
3704 | - NCONF_free(conf); |
3705 | - len = hip_cert_x509v3_request_certificate(defhit, der_cert); |
3706 | - |
3707 | - /** Now send it back for the verification */ |
3708 | - HIP_IFEL((err = hip_cert_x509v3_request_verification(der_cert, len) < 0), |
3709 | - -1, "Failed to verify a certificate\n"); |
3710 | - |
3711 | -out_err: |
3712 | - HIP_DEBUG("If there was no errors above, \"everything\" is OK\n"); |
3713 | - |
3714 | - free(cert); |
3715 | - free(to_verification); |
3716 | - exit(err); |
3717 | -} |
3718 | |
3719 | === removed file 'tools/pisacert.c' |
3720 | --- tools/pisacert.c 2011-08-15 14:11:56 +0000 |
3721 | +++ tools/pisacert.c 1970-01-01 00:00:00 +0000 |
3722 | @@ -1,154 +0,0 @@ |
3723 | -/* |
3724 | - * Copyright (c) 2010 Aalto University and RWTH Aachen University. |
3725 | - * |
3726 | - * Permission is hereby granted, free of charge, to any person |
3727 | - * obtaining a copy of this software and associated documentation |
3728 | - * files (the "Software"), to deal in the Software without |
3729 | - * restriction, including without limitation the rights to use, |
3730 | - * copy, modify, merge, publish, distribute, sublicense, and/or sell |
3731 | - * copies of the Software, and to permit persons to whom the |
3732 | - * Software is furnished to do so, subject to the following |
3733 | - * conditions: |
3734 | - * |
3735 | - * The above copyright notice and this permission notice shall be |
3736 | - * included in all copies or substantial portions of the Software. |
3737 | - * |
3738 | - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, |
3739 | - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES |
3740 | - * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND |
3741 | - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
3742 | - * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, |
3743 | - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
3744 | - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR |
3745 | - * OTHER DEALINGS IN THE SOFTWARE. |
3746 | - */ |
3747 | - |
3748 | -/** |
3749 | - * @file |
3750 | - * Generate a SPKI certificate for use with PISA. |
3751 | - */ |
3752 | - |
3753 | -#include <errno.h> |
3754 | -#include <stdio.h> |
3755 | -#include <stdlib.h> |
3756 | -#include <string.h> |
3757 | -#include <time.h> |
3758 | -#include <unistd.h> |
3759 | -#include <sys/types.h> |
3760 | - |
3761 | -#include "lib/core/builder.h" |
3762 | -#include "lib/core/certtools.h" |
3763 | -#include "lib/core/icomm.h" |
3764 | -#include "lib/core/ife.h" |
3765 | -#include "lib/core/message.h" |
3766 | -#include "lib/core/protodefs.h" |
3767 | - |
3768 | - |
3769 | -/** |
3770 | - * Get the default hit of the local HIPD. |
3771 | - * |
3772 | - * @param result location to store the result in |
3773 | - * @return 0 on success |
3774 | - */ |
3775 | -static int get_default_hit(struct in6_addr *result) |
3776 | -{ |
3777 | - int err = 0; |
3778 | - struct hip_common *msg = NULL; |
3779 | - const struct hip_tlv_common *param = NULL; |
3780 | - const struct in6_addr *hit = NULL; |
3781 | - |
3782 | - if (!(msg = hip_msg_alloc())) { |
3783 | - return -1; |
3784 | - } |
3785 | - |
3786 | - HIP_IFE(hip_build_user_hdr(msg, HIP_MSG_GET_DEFAULT_HIT, 0), -1); |
3787 | - HIP_IFE(hip_send_recv_daemon_info(msg, 0, 0), -ECOMM); |
3788 | - |
3789 | - param = hip_get_param(msg, HIP_PARAM_HIT); |
3790 | - hit = hip_get_param_contents_direct(param); |
3791 | - memcpy(result, hit, sizeof(struct in6_addr)); |
3792 | - |
3793 | -out_err: |
3794 | - free(msg); |
3795 | - return err; |
3796 | -} |
3797 | - |
3798 | -/** |
3799 | - * Create the certificate with the given parameters. |
3800 | - * |
3801 | - * @param not_before start of certificate lifetime |
3802 | - * @param not_after end of certificate lifetime |
3803 | - * @param hit HIT of issuer and subject |
3804 | - * @param certificate buffer to store the resulting certificate in |
3805 | - * @param size size of the certificate buffer |
3806 | - * @return 0 on success |
3807 | - */ |
3808 | -static int create_certificate(time_t *not_before, time_t *not_after, |
3809 | - struct in6_addr *hit, char *certificate, |
3810 | - size_t size) |
3811 | -{ |
3812 | - int err = 0; |
3813 | - struct hip_cert_spki_info cert; |
3814 | - |
3815 | - HIP_IFEL(!not_before || !not_after || !hit || !certificate, -1, |
3816 | - "NULL parameter found.\n"); |
3817 | - |
3818 | - hip_cert_spki_create_cert(&cert, "hit", hit, "hit", hit, not_before, |
3819 | - not_after); |
3820 | - |
3821 | - snprintf(certificate, size, "(sequence %s%s%s)", cert.public_key, |
3822 | - cert.cert, cert.signature); |
3823 | -out_err: |
3824 | - if (err != 0 && certificate) { |
3825 | - certificate[0] = '\0'; |
3826 | - } |
3827 | - return err; |
3828 | -} |
3829 | - |
3830 | -int main(int argc, char *argv[]) |
3831 | -{ |
3832 | - time_t not_before = 0, not_after = 0; |
3833 | - struct in6_addr hit; |
3834 | - int err = 0, days = 0; |
3835 | - FILE *f = NULL; |
3836 | - char certificate[1024] = ""; |
3837 | - size_t cert_len, cert_out; |
3838 | - |
3839 | - HIP_IFEL(argc != 3, -1, "Wrong number of arguments.\n"); |
3840 | - |
3841 | - HIP_IFEL(getuid() != 0, -1, "You're not superuser.\n"); |
3842 | - |
3843 | - days = atoi(argv[1]); |
3844 | - HIP_IFEL(days <= 0, -1, "Specify a positive number of days.\n"); |
3845 | - |
3846 | - f = fopen(argv[2], "w"); |
3847 | - HIP_IFEL(f == NULL, -1, "Could not write to file.\n"); |
3848 | - |
3849 | - time(¬_before); |
3850 | - time(¬_after); |
3851 | - not_after += days * 24 * 60 * 60; |
3852 | - |
3853 | - HIP_IFEL(get_default_hit(&hit), -1, "Could not get HIT from hipd.\n"); |
3854 | - HIP_IFEL(create_certificate(¬_before, ¬_after, &hit, |
3855 | - certificate, sizeof(certificate)) != 0, |
3856 | - -1, "Could not create the certificate.\n"); |
3857 | - |
3858 | - cert_len = strlen(certificate); |
3859 | - cert_out = fwrite(certificate, cert_len, 1, f); |
3860 | - if (cert_len != cert_out) { |
3861 | - HIP_ERROR("Failed to write certificate to file\n"); |
3862 | - err = -1; |
3863 | - } |
3864 | - |
3865 | -out_err: |
3866 | - if (err == -1) { |
3867 | - fprintf(stderr, "usage: pisacert days filename\n"); |
3868 | - fprintf(stderr, "must be run as superuser, e.g. with sudo\n"); |
3869 | - } |
3870 | - |
3871 | - if (f) { |
3872 | - fclose(f); |
3873 | - } |
3874 | - |
3875 | - return err; |
3876 | -} |
review needs-fixing
On Sun, Feb 19, 2012 at 12:29:18PM +0000, Fahad Aizaz wrote: certtools. c/h). Though these functions are referenced from a test code, but also being used in the firewall code with PISA specific handling of SPKI certificates.
>
> Configuration file code removal. Continuing the removal of configuration file code removal. Though this branch also contain some other changes in relation to 'hip_cert.conf' configuration file.
>
> As decided by hipl core team, there is no more requirement of 'hip_cert.conf' file anymore to be part of HIPL codebase at all. So the following changes has been done.
>
> 1. The removal of runtime generation of 'hip_cert.conf' file.
> 2. The references to the functions that read, sign and verify certificates.
>
> Note: here the references to the function from the codebase is removed. But the files containing the declarations and definitions are still not yet removed. I need your approval for doing that. (files: cert.h, cert.c). Please also note I looked in the codebase for anymore references towards the functions in these files and safely I can say I didn't find any. Therefore these files are feasible to be removed from the HIPL.
>
> There exist some other helper functions (such as opening configuration file, read it section by section) being used in functions defined in 'cert.c' but are part of hipl core library. (lib/core/
I say nuke them all.
Diego