Committer: Diego Biurrun <diego@xxxxxxxxxx> Date: 26/04/2010 at 22:48:31 Revision: 4417 Revision-id: diego@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Branch nick: trunk Log: Restore disabled PISA code that was removed. According to Thomas Jansen this code will be used in the future. Modified: M firewall/pisa.c
=== modified file 'firewall/pisa.c'
--- firewall/pisa.c 2010-04-15 23:29:49 +0000
+++ firewall/pisa.c 2010-04-26 19:43:52 +0000
@@ -210,6 +210,41 @@
 }
 /**
+ * Check the signature of the packet.
+ *
+ * @param ctx context of the packet with the signature to check
+ * @return success (0) or failure
+ */
+/* This function is not used */
+#if 0
+static int pisa_check_signature(hip_fw_context_t *ctx)
+{
+ struct hip_common *hip = ctx->transport_hdr.hip;
+ int err = -1;
+ struct hip_host_id *host_id;
+
+ host_id = hip_get_param(hip, HIP_PARAM_HOST_ID);
+ HIP_IFEL(host_id == 0, -1, "Cannot check signature: No HOST_ID found.\n");
+
+ if (hip_get_host_id_algo(host_id) == HIP_HI_RSA) {
+ RSA *rsa;
+ rsa = hip_key_rr_to_rsa(host_id, 0);
+ err = hip_rsa_verify(rsa, hip);
+ RSA_free(rsa);
+ } else {
+ DSA *dsa;
+ dsa = hip_key_rr_to_dsa(host_id, 0);
+ err = hip_dsa_verify(dsa, hip);
+ DSA_free(dsa);
+ }
+
+out_err:
+ return err;
+}
+
+#endif /* 0 */
+
+/**
 * Check the certificate of the packet.
 *
 * @param ctx context of the packet with the certificate to check
@@ -257,6 +292,10 @@
 HIP_IFEL(ipv6_addr_cmp(&pc.hit_issuer, &community_operator_hit) != 0, -1, "Certificate not issued by the community operator.\n");
+#if 0
+ HIP_IFEL(ipv6_addr_cmp(&pc.hit_subject, &hip->hits) != 0, -1,
+ "Certificate does not belong to subject.\n");
+#endif
 HIP_INFO("Certificate successfully verified.\n");
@@ -400,6 +439,8 @@
 #endif
 solution = pisa_check_challenge_response(ctx);
+ // Done in conntrack.c
+ //sig = pisa_check_signature(ctx);
 cert = pisa_check_certificate(ctx);
 if (solution == NULL || sig != 0 || cert != 0) {
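Review bot: In the restored `pisa_check_signature` body, the keys returned by `hip_key_rr_to_rsa` and `hip_key_rr_to_dsa` go straight into `hip_rsa_verify`/`hip_dsa_verify` and then `RSA_free`/`DSA_free` with no NULL check, so a HOST_ID whose key material cannot be converted would be dereferenced as soon as this `#if 0` block is re-enabled, which the commit message says is the intent. Add `HIP_IFEL(rsa == NULL, -1, "Cannot check signature: invalid RSA HOST_ID.\n");` after the RSA conversion and the matching `HIP_IFEL(dsa == NULL, -1, "Cannot check signature: invalid DSA HOST_ID.\n");` after the DSA one, so both branches fail closed through `out_err`. The `else` branch also treats every algorithm other than `HIP_HI_RSA` as DSA; an explicit check for the DSA algorithm, with a failure path for anything else, would keep an unexpected algorithm from reaching `hip_key_rr_to_dsa`. Because the block is dead under `#if 0`, none of this changes today's build, but it is the shape the function should have before the guard is lifted.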
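Review bot: The `#if 0` placed around the `pc.hit_subject` versus `hip->hits` comparison disables the only check in the `@@ -257,6 +292,10 @@` hunk that ties the certificate to the HIT that sent the packet, leaving just the issuer comparison above it, so any certificate issued by the community operator satisfies this part of `pisa_check_certificate` regardless of who presents it, and the hunk records no reason for that. A comment on the guard, e.g. `#if 0 /* subject/HIT binding disabled: <reason>; re-enable when <condition> */` with the real reason and condition filled in, would keep the next reader from assuming the binding is enforced. Whether `hip` is in scope at this point cannot be seen here; the enclosing function starts and ends outside the hunk.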
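Review bot: The condition on the `@@ -400,6 +439,8 @@` hunk's last line still tests `sig != 0`, while the only assignment to `sig` in view is now the commented-out `//sig = pisa_check_signature(ctx);`, so whether the packet passes this check depends entirely on how `sig` is initialized above the hunk, outside this view; the hunk at `@@ -452,6 +493,8 @@` has the same shape. If the signature is verified in conntrack.c as the added comment says, the line that initializes `sig` is the place to record it, e.g. `/* sig keeps its initial value: signature verification is done in conntrack.c */`, and the commented-out call can then be dropped rather than kept as `//` code, which also departs from the `/* */` comment style used elsewhere in this change. Both enclosing functions start and end outside their hunks.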
@@ -452,6 +493,8 @@
 struct hip_challenge_response *solution = NULL;
 solution = pisa_check_challenge_response(ctx);
+ // Done in conntrack.c
+ //sig = pisa_check_signature(ctx);
 cert = pisa_check_certificate(ctx);
 if (solution == NULL || sig != 0 || cert != 0) {