Author: biurrun Date: Thu Oct 15 13:17:37 2009 New Revision: 1157 Log: Revert r1152, it fails to compile and has multiple issues. Deleted: trunk/community-operator/co_common_packets.h Modified: trunk/community-operator/Makefile.am trunk/community-operator/co_client.c trunk/community-operator/co_client.cfg trunk/community-operator/co_server.c trunk/community-operator/hipl.c trunk/community-operator/hipl.h Modified: trunk/community-operator/Makefile.am ============================================================================== --- trunk/community-operator/Makefile.am Thu Oct 15 13:01:26 2009 (r1156) +++ trunk/community-operator/Makefile.am Thu Oct 15 13:17:37 2009 (r1157) @@ -26,9 +26,8 @@ INCLUDES = -I@PISA_HIPL_SRCDIR@/libinet6/include INCLUDES += -I@PISA_HIPL_SRCDIR@/libinet6 INCLUDES += -I@PISA_HIPL_SRCDIR@/libhiptool -INCLUDES += -I@PISA_HIPL_SRCDIR@/opendht +INCLUDES += -I@PISA_HIPL_SRCDIR@/libdht INCLUDES += -I@PISA_HIPL_SRCDIR@/hipd -INCLUDES += -I@PISA_HIPL_SRCDIR@/firewall INCLUDES += -I@PISA_HIPL_SRCDIR@/i3/i3_client INCLUDES += -I@PISA_HIPL_SRCDIR@/pjproject/pjnath/include INCLUDES += -I@PISA_HIPL_SRCDIR@/pjproject/pjlib/include @@ -43,11 +42,6 @@ co_server_SOURCES = co_server.c hipl.c co_client_LDADD = $(LDADD) -lm -lcrypto -if PISA_WITH_HIPL -# TODO correct linking -# pisa_split_cert function is needed in co_client.c - co_client_LDADD += @PISA_HIPL_SRCDIR@/firewall/pisa_cert.o -endif co_client_SOURCES = co_client.c include_HEADERS = hipl.h Modified: trunk/community-operator/co_client.c ============================================================================== --- trunk/community-operator/co_client.c Thu Oct 15 13:01:26 2009 (r1156) +++ trunk/community-operator/co_client.c Thu Oct 15 13:17:37 2009 (r1157) @@ -3,61 +3,17 @@ * All rights reserved. */ -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <signal.h> -#include <unistd.h> -#include <dirent.h> +#include <errno.h> +#include <stdio.h> -#include "global.h" - -#define __USE_XOPEN -#include <time.h> - -#include "co_common_packets.h" #include "config.h" -#include "debug.h" -//#include "util.h" - -#ifdef CONFIG_PISA_WITH_HIPL -# include "pisa_cert.h" /* in firewall under the hipl source tree */ -#endif /* CONFIG_PISA_WITH_HIPL */ - -#define CERT_FILENAME_FORMAT "%Y%m%d%H%M%S" - -#define PATH_BUFFER 1000 /** @todo */ - -static int check_certs_dir(void); -static void co_client_check_certs(int signal); -static void co_client_init(void); -static void co_client_main(void); -static void co_client_quit(int signal); -static int copy_cert(const char * source,char * destination); -static int create_client_socket(struct sockaddr_in6 *srv_addr); -static int is_valid_cert(const char *filename); -static void print_deny_reason(int reason); -static int receive_certificate(char **cert); -static int retrieve_new_cert(void); -static int request_cert(void); -static int write_cert_file(char *cert,const char *filename); -typedef struct co_client_conf -{ - int retries; - char srv_hit[INET6_ADDRSTRLEN]; - int port; - char cert_filename[PATH_BUFFER]; - int check_interval; - char certs_dir[PATH_BUFFER]; - int save_certs; -} -co_client_conf_t; - -co_client_conf_t co_client_conf; -static int running; -static int sock; -char last_used_cert[PATH_BUFFER]; +#include <sys/socket.h> +#include <arpa/inet.h> +#include <netinet/in.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> /** * Write a certificate to a file. @@ -82,27 +38,6 @@ } /** - * Prints the corresponding deny reason to the given reason number. - * @param reason Reason number - */ -static void print_deny_reason(int reason) -{ - PISA_ERROR("Certificate request denied:\n"); - switch(reason) - { - case DENY_HIT_EXPIRED: - PISA_ERROR("The HIT has expired.\n"); - break; - case DENY_HIT_NOT_ALLOWED: - PISA_ERROR("The HIT is not allowed to request certificates.\n"); - break; - case DENY_UNKNOWN_ERROR: - PISA_ERROR("An unknown error occurred.\n"); - break; - } -} - -/** * Create a UDP socket connected to the server with a receive timeout. * * @param srv_addr HIT of the server @@ -116,57 +51,38 @@ to.tv_sec = 5; to.tv_usec = 0; - if ((s = socket(PF_INET6, SOCK_DGRAM, 0)) == 0) - { - PISA_ERROR("socket() failed.\n"); - exit(-1); - } - - if (connect(s, (struct sockaddr *)srv_addr, - sizeof(struct sockaddr_in6)) == -1) - { - PISA_ERROR("connect to srv_addr failed.\n"); - exit(-1); - } + if ((s = socket(PF_INET6, SOCK_DGRAM, 0)) == 0) { + printf("socket() failed.\n"); + exit(-1); + } + + if (connect(s, (struct sockaddr *)srv_addr, + sizeof(struct sockaddr_in6)) == -1) { + printf("connect to srv_addr failed.\n"); + exit(-1); + } - if (setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &to, sizeof(to))) - PISA_ERROR("Could not set a receive timeout.\n"); + if (setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &to, sizeof(to))) + printf("Could not set a receive timeout.\n"); - return s; + return s; } +static int sock; + /** * Request a certificate from the server using the previously opened socket. * @todo define protocol * - * @return 1 on success, 0 otherwise + * @return 0 on success, -1 otherwise */ -static int request_cert(void) +static int sendRequest(void) { - int sent; - co_packet *packet; - packet = malloc(sizeof(co_packet)); - - packet->message_type = MESSAGE_CERTIFICATE_REQUEST; - - sent = send(sock,packet,sizeof(co_packet),0); - free(packet); - if(sent == -1) - { - PISA_ERROR("send failed.\n"); - - return 0; - } - - if (sent!=sizeof(co_packet)) - { - PISA_ERROR("sent bytes (%i) do not match expected value (%i).\n", - sent, sizeof(co_packet)); - - return 0; - } - - return 1; + if (send(sock, "blah", 4, 0) != 4) { + printf("failed to request the certificate\n"); + return -1; + } + return 0; } /** @@ -176,390 +92,69 @@ * @param cert place to store the newly malloced certificate * @return 0 for success, -1 for permanent failure, -2 for retry */ -static int receive_certificate(char **cert) +static int receiveCertificate(char **cert) { - co_packet *packet; - ssize_t count; - - int result; - - *cert = NULL; + char buffer[10240] = ""; + ssize_t count; - packet = malloc(sizeof(co_packet)); + *cert = NULL; - if ((count = recv(sock, packet, sizeof(co_packet) , 0)) == -1) - { - PISA_ERROR("Receive failed (errno %i): %s\n", errno, - strerror(errno)); - if (errno == EAGAIN) - result = -2; - result = -1; - } - - switch(packet->message_type) - { - case MESSAGE_CERTIFICATE_DENY: - print_deny_reason(packet->message.deny.reason); - result = -1; - break; - case MESSAGE_CERTIFICATE_ACCEPT: - PISA_INFO("Certificate request approved!\n"); - *cert = strdup(packet->message.cert.cert); - result = 0; - break; - case MESSAGE_ERROR: - PISA_ERROR("Error(%i): %s\n",packet->message.error.error_type,packet->message.error.error_message); - result = -1; - break; - default: - PISA_ERROR("Unknown error occurred.\n"); - result = -2; - break; - } - - free(packet); - return result; -} - - -/** - * Terminate community-operator client by receiving signal - * @param signal signal quit code - */ -static void co_client_quit(int signal) -{ - running = 0; - PISA_INFO("Shutting down Community-Operator client...\n"); - pisa_cfg_cleanup(); -} - -/** - * Main loop - */ -static void co_client_main(void) -{ - while(running) - { } -} - -/** - * Copies cert file to destination. - * @param source Source filename - * @param destination Destination filename - * @return 1 -> success - * @return 0 -> error - */ -static int copy_cert(const char * source,char * destination) -{ - FILE *from,*to; - char ch; - - if((from = fopen(source,"r")) == NULL) - { - perror("open"); - return 0; - } - - if((to = fopen(destination, "w")) == NULL) - { - perror("open"); - return 0; - } - - while(!feof(from)) - { - ch = fgetc(from); - if(ferror(from)) - { - PISA_ERROR("Error reading source file.\n"); - return 0; - } - if(!feof(from)) - fputc(ch, to); - if(ferror(to)) - { - PISA_ERROR("Error writing destination file.\n"); - return 0; - } - } - - if(fclose(from)==EOF) - { - PISA_ERROR("Error closing source file.\n"); - return 0; - } - - if(fclose(to)==EOF) - { - PISA_ERROR("Error closing destination file.\n"); - return 0; - } - return 1; -} - -/** - * Reads the settings from the config file. - */ -static void co_client_init(void) -{ - pisa_cfg_get_string_value("hit", co_client_conf.srv_hit, INET6_ADDRSTRLEN); - pisa_cfg_get_int_value("port", &co_client_conf.port); - pisa_cfg_get_int_value("retry", &co_client_conf.retries); - pisa_cfg_get_string_value("filename",co_client_conf.cert_filename,PATH_BUFFER); - pisa_cfg_get_int_value("check_interval",&co_client_conf.check_interval); - pisa_cfg_get_string_value("certs_dir",co_client_conf.certs_dir,PATH_BUFFER); - pisa_cfg_get_bool_value("save_certs",&co_client_conf.save_certs); - - /* sanity check configuration values */ - if (co_client_conf.retries < 1) - co_client_conf.retries = 1; - if (co_client_conf.retries > 100) /* @todo find reasonable maximum */ - co_client_conf.retries = 100; - - if(co_client_conf.check_interval<=0) - co_client_conf.check_interval = 60; -} - -/** - * Retrieves new certificates from community-operator server - * @return 1 -> success - * @return 0 -> error - */ -static int retrieve_new_cert(void) -{ - struct sockaddr_in6 srv_addr = { 0 }; - char *cert = NULL; - int count; - - srv_addr.sin6_family = AF_INET6; - inet_pton(PF_INET6, co_client_conf.srv_hit, &(srv_addr.sin6_addr)); - srv_addr.sin6_port = htons(co_client_conf.port); - sock = create_client_socket(&srv_addr); - - for (count = 0; count < co_client_conf.retries; count++) - { - if (request_cert() == 0) - break; - if (receive_certificate(&cert) != -2) - break; - } - - close(sock); - - // Successfully received certificate - if (cert) - { - PISA_INFO("Certificate was successfully retrieved.\n"); -#ifdef CONFIG_PISA_WITH_HIPL - if(co_client_conf.save_certs) - { - struct pisa_cert pc; - struct tm *ts; - char buf_before[15]; - char buf_after[15]; - char path[100]; - time_t now; - char *cert_start; - - // Workaround: - // Because pisa_cert.c seems to be made for a different cert file format - cert_start = strstr(cert,"(cert"); - // Create pisa_struct from cert file - pisa_split_cert(cert_start, &pc); - - // Convert dates to format yyyymmddhhmmss - PISA_DEBUG(PL_GENERIC,"Certificate is valid from: %s",ctime(&pc.not_before)); - ts = localtime(&pc.not_before); - strftime(buf_before, sizeof(buf_before), CERT_FILENAME_FORMAT, ts); - ts = localtime(&pc.not_after); - PISA_DEBUG(PL_GENERIC,"Certificate expires at: %s",ctime(&pc.not_after)); - strftime(buf_after, sizeof(buf_after), CERT_FILENAME_FORMAT, ts); - - // Create filename notbefore-notaftercert (yyyymmddhhmmss-yyyymmddhhmmsscert) - // in co_client_conf.certs_dir - snprintf((char *)path,sizeof(path),"%s/%s-%scert",co_client_conf.certs_dir ,buf_before,buf_after); - write_cert_file(cert, path); - time(&now); - - // Certificate is already valid - if(difftime(now,pc.not_before)>=0) - { - PISA_DEBUG(PL_GENERIC,"Copying to cert location...\n"); - strncpy(last_used_cert,path,PATH_BUFFER); - write_cert_file(cert,co_client_conf.cert_filename); - } - else - { - PISA_DEBUG(PL_GENERIC,"Certificate not yet valid.\n"); - } - free(cert); - return 1; - } -#else - write_cert_file(cert,co_client_conf.cert_filename); -#endif - - } - else - { - PISA_ERROR("Certificate could not be obtained.\n"); - return 0; - } - - return 1; -} - -/** - * Checks expiration dates of a cert filename - * @param filename filename to check - * @return 1 -> cert is valid - * @return 0 -> cert not yet valid - * @return -1 -> cert expired - */ -static int is_valid_cert(const char *filename) -{ - struct tm ts_before,ts_after; - char buf_before[15]; - char buf_after[15]; - time_t now,not_before,not_after; - - // Read not-before date - strncpy(buf_before,filename,14); - strptime(buf_before,CERT_FILENAME_FORMAT,&ts_before); - - // Read not-after date - strncpy(buf_after,filename+15,14); - strptime(buf_after,CERT_FILENAME_FORMAT,&ts_after); - - time(&now); - not_before = mktime(&ts_before); - not_after = mktime(&ts_after); - - // Expired - if(difftime(now,not_after)>0) - { - PISA_DEBUG(PL_GENERIC,"Cert: %s expired.\n",filename); - return -1; - } - - // Not yet valid - if(difftime(now,not_before)<0) - { - PISA_DEBUG(PL_GENERIC,"Cert: %s is not yet valid.\n",filename); - return 0; - } - - PISA_DEBUG(PL_GENERIC,"Cert: %s is valid.\n",filename); - return 1; -} + if ((count = recv(sock, buffer, sizeof(buffer) -1, 0)) == -1) { + printf("Receive failed (errno %i): %s\n", errno, + strerror(errno)); + if (errno == EAGAIN) + return -2; + return -1; + } -/** - * Checks if there is a valid cert in co_client_conf.certs_dir - * and copies the cert to co_client_conf.filename - * @return 1 -> a valid cert file existent - * @return 0 -> no valid cert file found - */ -static int check_certs_dir(void) -{ - struct dirent **namelist; - int n,i,found,result; - char path[PATH_BUFFER]; - - found = 0; - n = scandir(co_client_conf.certs_dir, &namelist, 0, alphasort); - if (n < 0) - perror("scandir"); - else - { - for(i = 0; i<n && !found; i++) - { - // Skip . and .. - if(strcmp(namelist[i]->d_name,".")!=0 && strcmp(namelist[i]->d_name,"..")!=0) - { - result = is_valid_cert(namelist[i]->d_name); - snprintf((char *)path,sizeof(path),"%s/%s",co_client_conf.certs_dir ,namelist[i]->d_name); - // Cert expired - if(result == -1) - { - PISA_DEBUG(PL_GENERIC,"Removing cert...\n"); - if(remove(path)!=0) - { - perror("Removing cert failed"); - } - } - else if(result) - { - found = 1; - if(strcmp(path,last_used_cert)!=0) - { - strncpy(last_used_cert,path,PATH_BUFFER); - PISA_DEBUG(PL_GENERIC,"Found valid cert.\n"); - PISA_DEBUG(PL_GENERIC,"Copying to cert location...\n"); - copy_cert(path,co_client_conf.cert_filename); - } - } - } - free(namelist[i]); - } - free(namelist); - } - return found; -} + buffer[count] = 0; + if (!strcmp(buffer, "denied")) { + printf("Community operator server denied the certificate.\n"); + return -1; + } -/** - * Function is called periodically to retrieve new certs if old certs in co_client_conf.certs_dir expired. - * @param signal signal code - */ -static void co_client_check_certs(int signal) -{ - if(co_client_conf.save_certs) - { - PISA_INFO("Checking existing certificates...\n"); - if(!check_certs_dir()) - { - PISA_INFO("Did not find a valid cert\n"); - PISA_INFO("Requesting new cert...\n"); - retrieve_new_cert(); - } - alarm(co_client_conf.check_interval); - } - else - { - retrieve_new_cert(); - } + *cert = strdup(buffer); + return 0; } int main(int argc, char **argv) { - - signal(SIGTERM, co_client_quit); - signal(SIGINT, co_client_quit); - signal(SIGQUIT, co_client_quit); - signal(SIGILL, co_client_quit); - signal(SIGHUP, co_client_quit); - signal(SIGPIPE, SIG_IGN); - signal(SIGBUS, co_client_quit); - signal(SIGSEGV, co_client_quit); - signal(SIGALRM, co_client_check_certs); + struct sockaddr_in6 srv_addr = { 0 }; + char *cert = NULL; + char srv_hit[1000]; /* @todo */ + int count, port, retries = 3; pisa_cfg_setup_file("co_client.cfg"); + pisa_cfg_get_string_value("hit", srv_hit, 1000); + pisa_cfg_get_int_value("port", &port); + pisa_cfg_get_int_value("retry", &retries); + + /* sanity check configuration values */ + if (retries < 1) + retries = 1; + if (retries > 100) /* @todo find reasonable maximum */ + retries = 100; + + srv_addr.sin6_family = AF_INET6; + inet_pton(PF_INET6, srv_hit, &(srv_addr.sin6_addr)); + srv_addr.sin6_port = htons(port); + sock = createClientSocket(&srv_addr); + + for (count = 0; count < retries; count++) { + if (sendRequest() < 0) + break; + if (receiveCertificate(&cert) != -2) + break; + } + + if (cert) { + writeCertFile(cert, "test-cert"); + free(cert); + printf("Certificate was successfully retrieved.\n"); + } else + printf("Certificate could not be obtained.\n"); - co_client_init(); - - running = 1; - - co_client_check_certs(SIGALRM); - - // Only enter infinite loop if we periodically check for valid certs - if(co_client_conf.save_certs) - { - co_client_main(); - } - - co_client_quit(0); - - exit(EXIT_SUCCESS); - - return 0; - + pisa_cfg_cleanup(); + close(sock); + return 0; } Modified: trunk/community-operator/co_client.cfg ============================================================================== --- trunk/community-operator/co_client.cfg Thu Oct 15 13:01:26 2009 (r1156) +++ trunk/community-operator/co_client.cfg Thu Oct 15 13:17:37 2009 (r1157) @@ -5,15 +5,5 @@ # How often should we retry if we don't receive an answer before the timeout retry=3; -# Saves valid certs to certs_dir and only retrieves new certs if no valid cert is found. -# Otherwise, the cert is received directly from server and is written to "filename" -save_certs=false; - -# Directory to save received certificates -certs_dir="certs"; - -# Interval (in seconds) to check certs_dir for expired certificates -check_interval=60; - # should be /etc/hip/cert for deployment -filename="/etc/hip/cert"; +filename="test.file"; Modified: trunk/community-operator/co_server.c ============================================================================== --- trunk/community-operator/co_server.c Thu Oct 15 13:01:26 2009 (r1156) +++ trunk/community-operator/co_server.c Thu Oct 15 13:17:37 2009 (r1157) @@ -7,35 +7,19 @@ #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> -#include <sys/select.h> -#include <signal.h> #include "ac_config.h" #include "global.h" #include "debug.h" -#include "co_common_packets.h" #include "config.h" #include "hitlist.h" #include "hipl.h" -//#define BUFSIZE 10240 +#define BUFSIZE 10240 #define CERT_BUF_SIZE 10240 -#define DEFAULT_NUMBER_OF_PARALLEL_USERS 3 - -static int running; static struct in6_addr issuer_hit; static pisa_hitlist *allowed = NULL; -static int sock; - - -static int create_server_socket(void); -static int answer_certificate_query(struct sockaddr_in6 *cl_addr); -static int handle_certificate_request(struct sockaddr_in6 *socket_addr,co_certificate_request *request); -static void co_quit(int quitcode); -static char *get_certificate_for_hit(struct in6_addr *hit,int *reason); -static int handle_packet(struct sockaddr_in6 *socket_addr, co_packet *co_packet); -static int get_number_of_parallel_users(pisa_hitlist_entry *entry); /** * Create a socket and port specified in the config file. @@ -66,34 +50,12 @@ exit(-1); } - PISA_INFO("socket created and bound to port %i\n", port); + printf("socket created and bound to port %i\n", port); return s; } /** - * Terminate community-operator server by receiving signal - * @param signal signal quit code - */ -static void co_quit(int quitcode) -{ - switch (quitcode) - { - case SIGTERM: - case SIGINT: - case SIGQUIT: - case SIGBUS: - PISA_INFO("Shutting down Community-Operator Server...\n"); - running = 0; - break; - - case SIGILL: - case SIGPIPE: - break; - } -} - -/** * Request a certificate for a specified hit, if all requirements are met: * - HIT must be whitelisted in the allowed HIT list. * - expiration date for that HIT must not be in the past. @@ -102,252 +64,124 @@ * date is within that week. * * @param hit HIT of the requesting host - * @param reason Pointer to an int which holds the reason for the deny * @return pointer to certificate on success, NULL otherwise */ -static char *get_certificate_for_hit(struct in6_addr *hit,int *reason) +static char *getCertificateForHit(struct in6_addr *hit) { - - char *cert; - time_t not_before, not_after; - pisa_hitlist_entry*conn; - int parallel_users; - - time(¬_before); - time(¬_after); - - /* certificate for one week */ - not_after += 7 * 24 * 60 * 60; - - if (!(conn = pisa_hitlist_find(allowed, hit))) - { - *reason = DENY_HIT_NOT_ALLOWED; - return NULL; - } - if (conn->expiration < not_before) - { - *reason = DENY_HIT_EXPIRED; - return NULL; - } - if (conn->expiration < not_after) - { - not_after = conn->expiration; - } - - parallel_users = get_number_of_parallel_users(conn); - - cert = malloc(CERT_BUF_SIZE); - if (createCertificate(¬_before, ¬_after, hit, &issuer_hit, parallel_users, cert, - CERT_BUF_SIZE) != 0) - { - free(cert); - *reason = DENY_UNKNOWN_ERROR; - return NULL; - } - - return cert; -} - -static int get_number_of_parallel_users(pisa_hitlist_entry *entry) -{ - config_setting_t *users; - users =config_setting_get_member(entry->group,"parallel_users"); - if(users!=NULL) - { - return config_setting_get_int(users); - }else - { - return DEFAULT_NUMBER_OF_PARALLEL_USERS; + char *cert; + time_t not_before, not_after; + pisa_hitlist_entry *conn; + + time(¬_before); + time(¬_after); + + /* certificate for one week */ + not_after += 7 * 24 * 60 * 60; + + if (!(conn = pisa_hitlist_find(allowed, hit))) + return NULL; + if (conn->expiration < not_before) + return NULL; + if (conn->expiration < not_after) + not_after = conn->expiration; + cert = malloc(CERT_BUF_SIZE); + if (createCertificate(¬_before, ¬_after, hit, &issuer_hit, cert, + CERT_BUF_SIZE) != 0) { + free(cert); + return NULL; } + return cert; } +static int sock; /** * Process a request from a specified client and send back the result + * @todo specify protocol * * @param cl_addr client that requested the certificate - * @param number_of_access_points Number of Access-Points the client provides - * @return 1 -> success; 0 -> error; */ static void answerCertificateQuery(struct sockaddr_in6 *cl_addr) { - char *cert; - int sent,reason; - co_packet *packet; - - packet = malloc(sizeof(co_packet)); - - if (!(cert = get_certificate_for_hit(&cl_addr->sin6_addr,&reason))) - { - // Deny request - packet->message_type = MESSAGE_CERTIFICATE_DENY; - packet->message.deny.reason = reason; - } - else - { - // Accept request - packet->message_type = MESSAGE_CERTIFICATE_ACCEPT; - strncpy(packet->message.cert.cert,cert,strlen(cert)); - } - - sent = sendto(sock,packet,sizeof(co_packet),0,(struct sockaddr *) cl_addr, - sizeof(struct sockaddr_in6)); - if(sent == -1) - { - PISA_ERROR("sendto failed.\n"); - free(cert); - return 0; - } - - if (sent!=sizeof(co_packet)) - { - PISA_ERROR("sent bytes (%i) do not match expected value (%i).\n", - sent, sizeof(co_packet)); - return 0; - } - else - { - PISA_INFO("the request has been answered.\n"); - return 1; - } + char *cert; + int bytes, sent; + + if (!(cert = getCertificateForHit(&cl_addr->sin6_addr))) { + cert = strdup("denied"); + } + bytes = strlen(cert); + + if ((sent = sendto(sock, cert, bytes, 0, (struct sockaddr *) cl_addr, + sizeof(struct sockaddr_in6))) == -1) { + printf("sendto failed.\n"); + free(cert); + return; + } - free(cert); - free(packet); + if (bytes != sent) + printf("sent bytes (%i) do not match expected value (%i).\n", + sent, bytes); + else + printf("the request has been answered.\n"); + + free(cert); } int main(int argc, char **argv) { + int received; + size_t addrlen; + struct sockaddr_in6 cl_addr = { 0 }; + char *buf, *addr_string; + + if (getuid() != 0) { + printf("You're not root. HIPD won't sign certificates.\n"); + return -1; + } + + buf = malloc(BUFSIZE); + addr_string = malloc(INET6_ADDRSTRLEN); - signal(SIGTERM, co_quit); - signal(SIGINT, co_quit); - signal(SIGQUIT, co_quit); - signal(SIGILL, co_quit); - signal(SIGPIPE, SIG_IGN); - signal(SIGBUS, co_quit); - - int received; - size_t addrlen; - char *addr_string; - co_packet *packet; - struct sockaddr_in6 cl_addr = { 0 }; - - - if (getuid() != 0) - { - PISA_ERROR("You're not root. HIPD won't sign certificates.\n"); - return -1; - } - - running = 1; - - packet = malloc(sizeof(co_packet)); - addr_string = malloc(INET6_ADDRSTRLEN); - - pisa_cfg_authorized_hosts_setup_file("co_server.cfg"); - pisa_cfg_setup_file("co_server.cfg"); - allowed = pisa_hitlist_build("allowed_hosts"); + pisa_cfg_setup_file("co_server.cfg"); + allowed = pisa_hitlist_build("allowed_hosts"); #ifdef CONFIG_PISA_WITH_HIPL hip_set_logdebug(1); /* disable the debug output from HIPL code */ #endif /* CONFIG_PISA_WITH_HIPL */ + sock = createServerSocket(); + getDefaultHIT(&issuer_hit); - sock = create_server_socket(); - - getDefaultHIT(&issuer_hit); - - PISA_INFO("community operator server ready\n"); - PISA_INFO("\nwaiting for incoming packet...\n"); - while (running) - { - fd_set readfds; - struct timeval select_to; - - FD_ZERO(&readfds); - - select_to.tv_sec = 1; - select_to.tv_usec = 0; - - FD_SET(sock,&readfds); - - if (select(sock + 1, &readfds, NULL, NULL, &select_to) > 0) - { - // Receive request - if(FD_ISSET(sock,&readfds)) - { - addrlen = sizeof(cl_addr); - received = recvfrom(sock,packet,sizeof(co_packet),0, (struct sockaddr *)&cl_addr, &addrlen); - - if (received < 0) - { - perror("error in recvfrom:"); - continue; - } - else if (received == 0) - continue; - - inet_ntop(AF_INET6, &cl_addr.sin6_addr, addr_string, - INET6_ADDRSTRLEN); - PISA_DEBUG(PL_GENERIC,"received %i bytes from %s\n", received, addr_string); - - if (pisa_ipv6_addr_is_hit(&cl_addr.sin6_addr)) - { - PISA_DEBUG(PL_GENERIC,"sender was a HIT, processing request.\n"); - handle_packet(&cl_addr,packet); - } - else - { - PISA_DEBUG(PL_GENERIC,"sender was not a HIT, ignoring request.\n"); - } - - PISA_INFO("\nwaiting for incoming packet...\n"); - } - } - } - - pisa_hitlist_destroy(allowed); - pisa_cfg_cleanup(); - pisa_cfg_authorized_hosts_cleanup(); - free(packet); - free(addr_string); - close(sock); - - return 0; -} - -/** - * This function handles any packet received. - * - * @param socket_addr IP address where the packet was received - * @param co_packet A pointer to a co_packet_t structure - * - * @return 1 if successfully handled; 0 if packet unrecognized - */ -static int handle_packet(struct sockaddr_in6 *socket_addr, co_packet *packet) -{ - int result; - - assert(socket_addr != NULL); - assert(packet != NULL); + printf("community operator server ready\n"); - switch (packet->message_type) - { - case MESSAGE_CERTIFICATE_REQUEST: - result = handle_certificate_request(socket_addr,&(packet->message.request)); - break; - case MESSAGE_ERROR: - PISA_ERROR("Error: %i\n",packet->message.error.error_type); - result = 0; - break; - default: - result = 0; - break; - } + while (1) { + printf("\nwaiting for incoming packet...\n"); + addrlen = sizeof(cl_addr); + received = recvfrom(sock, buf, BUFSIZE, 0, + (struct sockaddr *)&cl_addr, &addrlen); + + if (received < 0) { + perror("error in recvfrom:"); + continue; + } else if (received == 0) + continue; + + inet_ntop(AF_INET6, &cl_addr.sin6_addr, addr_string, + INET6_ADDRSTRLEN); + printf("received %i bytes from %s\n", received, addr_string); + + if (pisa_ipv6_addr_is_hit(&cl_addr.sin6_addr)) { + printf("sender was a HIT, processing request.\n"); + answerCertificateQuery(&cl_addr); + } else { + printf("sender was not a HIT, ignoring request.\n"); + } + } - return result; -} + pisa_hitlist_destroy(allowed); + configCleanup(); + close(sock); + free(buf); + free(addr_string); -static int handle_certificate_request(struct sockaddr_in6 *socket_addr,co_certificate_request *request) -{ - return answer_certificate_query(socket_addr); + return 0; } - Modified: trunk/community-operator/hipl.c ============================================================================== --- trunk/community-operator/hipl.c Thu Oct 15 13:01:26 2009 (r1156) +++ trunk/community-operator/hipl.c Thu Oct 15 13:17:37 2009 (r1157) @@ -14,15 +14,9 @@ #include <string.h> #include <netinet/in.h> -#ifdef HIPL_CERTIFICATE_CHANGES -int createCertificate(time_t *not_before, time_t *not_after, - struct in6_addr *hit, struct in6_addr *issuer_hit, - int parallel_users, char *certificate, size_t size) -#else int createCertificate(time_t *not_before, time_t *not_after, struct in6_addr *hit, struct in6_addr *issuer_hit, char *certificate, size_t size) -#endif { #ifdef CONFIG_PISA_WITH_HIPL struct hip_cert_spki_info cert = { 0 }; @@ -32,13 +26,8 @@ return -1; } -#ifdef HIPL_CERTIFICATE_CHANGES hip_cert_spki_create_cert(&cert, "hit", issuer_hit, "hit", hit, not_before, not_after); -#else - hip_cert_spki_create_cert(&cert, "hit", issuer_hit, "hit", hit, - not_before, not_after, parallel_users); -#endif snprintf(certificate, size, "(sequence %s%s%s)", cert.public_key, cert.cert, cert.signature); Modified: trunk/community-operator/hipl.h ============================================================================== --- trunk/community-operator/hipl.h Thu Oct 15 13:01:26 2009 (r1156) +++ trunk/community-operator/hipl.h Thu Oct 15 13:17:37 2009 (r1157) @@ -7,27 +7,9 @@ #define PISA_HIPL_H #include <time.h> +#include <string.h> #include <netinet/in.h> -#ifdef HIPL_CERTIFICATE_CHANGES -/** - * Create the certificate with the given parameters. This is a wrapper - * function for hip_cert_spki_create_cert. It requires a running hipd on - * the same machine and superuser privileges. - * - * @param not_before start of certificate lifetime - * @param not_after end of certificate lifetime - * @param hit HIT of subject (the home router HIT) - * @param issuer_hit HIT of issuer (the community operator HIT) - * @param certificate buffer to store the resulting certificate in - * @param size size of the certificate buffer - * @param parallel_users The number of allowed parallel users - * @return 0 on success - */ -int createCertificate(time_t *not_before, time_t *not_after, - struct in6_addr *hit, struct in6_addr *issuer_hit, - int parallel_users, char *certificate, size_t size); -#else /** * Create the certificate with the given parameters. This is a wrapper * function for hip_cert_spki_create_cert. It requires a running hipd on @@ -44,7 +26,7 @@ int createCertificate(time_t *not_before, time_t *not_after, struct in6_addr *hit, struct in6_addr *issuer_hit, char *certificate, size_t size); -#endif + /** * Get the default hit of the local HIPD. Requires a running hipd on the same * machine. Sends a query to hipd and expects the default HIT to be returned.