Merge lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl
Proposed branch: | lp:~hipl-core/hipl/ecdsa-redhat | ||||
Merge into: | lp:hipl | ||||
Diff against target: |
855 lines (+176/-48) 13 files modified
firewall/conntrack.c (+4/-0) firewall/rule_management.c (+7/-1) hipd/cookie.c (+2/-0) hipd/hadb.c (+6/-0) hipd/hidb.c (+13/-0) lib/core/builder.c (+8/-1) lib/core/builder.h (+8/-3) lib/core/crypto.c (+12/-0) lib/core/crypto.h (+12/-0) lib/core/hostid.c (+81/-41) lib/core/hostid.h (+8/-0) lib/tool/pk.c (+13/-2) test/lib/tool/pk.c (+2/-0) |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Diego Biurrun | Needs Fixing | ||
HIPL core team | preliminary | Pending | |
This proposal has been superseded by a proposal from 2011-11-03.
Description of the change
Compilation has been broken for a long time on Fedora and other RPM-based systems because they decided to drop elliptic curve support from OpenSSL. To put more heat on bug #838116 and to make detailed code review easier, I decided to propose this for early merging.
I would suggest to comment details here and design-level issues in the actual bug item:
- 6103. By Miika Komu
Cleaned up previous commit for ECC code
According to feedback from Diego:
* Removed unnecessary defines or reduced to minimum
* System headers before local ones.
Also, the "make checkheaders" target succeeds.
- 6104. By Miika Komu
Synchronized with trunk revision 6110
Miika Komu (miika-iki) wrote : | # |
> review needs-fixing
>
> On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
> lp:hipl.
> >
> > --- firewall/
> > +++ firewall/
> > @@ -81,8 +81,9 @@
> > /* filename needs to contain one of these to be valid HI file */
> > #define RSA_FILE "_rsa_"
> > #define DSA_FILE "_dsa_"
> > +#ifdef HAVE_EC_CRYPTO
> > #define ECDSA_FILE "_ecdsa_"
> > -
> > +#endif /* HAVE_EC_CRYPTO */
> > #define MAX_LINE_LENGTH 512
>
> unnecessary
Fixed.
> > @@ -444,6 +445,7 @@
> > return err;
> > }
> >
> > +#ifdef HAVE_EC_CRYPTO
> > /**
> > * Load an ECDSA public key from a file and convert it into a hip_host_id.
> > *
> > @@ -479,6 +481,8 @@
> > return err;
> > }
> >
> > +#endif /* HAVE_EC_CRYPTO */
> > +
> > /**
> > * load a public key from a file and convert it to a hip_host_id structure
> > *
>
> Drop the empty line before the #endif, same below
Done.
> > --- lib/core/builder.h 2011-08-15 14:11:56 +0000
> > +++ lib/core/builder.h 2011-10-30 07:48:24 +0000
> > @@ -26,18 +26,21 @@
> > #ifndef HIP_LIB_
> > #define HIP_LIB_
> >
> > +#include "config.h"
> > +
> > #include <stdint.h>
> > #include <netinet/in.h>
> > #include <openssl/rsa.h>
> > #include <openssl/dsa.h>
> > -#include <openssl/ec.h>
> >
> > -#include "config.h"
> > #include "certtools.h"
> > #include "debug.h"
> > #include "icomm.h"
> > #include "state.h"
> >
> > +#ifdef HAVE_EC_CRYPTO
> > +#include <openssl/ec.h>
> > +#endif /* HAVE_EC_CRYPTO */
>
> We have system headers before local headers for a reason.
Fixed.
> > --- lib/core/crypto.h 2011-07-18 13:10:26 +0000
> > +++ lib/core/crypto.h 2011-10-30 07:48:24 +0000
> > @@ -26,12 +26,16 @@
> > #ifndef HIP_LIB_
> > #define HIP_LIB_
> >
> > +#include "config.h"
> > +
> > #include <stdint.h>
> > #include <netinet/in.h>
> > #include <sys/types.h>
> > #include <openssl/dsa.h>
> > #include <openssl/rsa.h>
> > +#ifdef HAVE_EC_CRYPTO
> > #include <openssl/ec.h>
> > +#endif /* HAVE_EC_CRYPTO */
> > #include <openssl/dh.h>
> > #include <openssl/pem.h>
>
> .. like you did here ..
>
> > --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> > +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> > @@ -28,6 +28,8 @@
> > * @brief Host identifier manipulation functions
> > */
> >
> > +#include "config.h"
> > +
> > #include <errno.h>
> > #include <stdint.h>
> > #include <stdlib.h>
> > @@ -40,7 +42,6 @@
> > #include <openssl/pem.h>
> > #include <openssl/rsa.h>
> >
> > -#include "config.h"
> > #include "lib/tool/pk.h"
> > #include "builder.h"
> > #include "crypto.h"
>
> unnecessary / unrelated
Removed.
> > @@ -689,6 +715,12 @@
> > struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> > struct endpoint_hip *endpoint_
> >
> > + if (ecdsa_nid < 0) {
> > + err = -1;
> > + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> > + goto out_err;
> > + }
>
> ?
Does not compile otherwise when ECDSA is missing (gcc complains about missing variable). If you insist, I'll commit this separately to trunk or suggest a better fix.
Diego Biurrun (diego-biurrun) wrote : | # |
On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
> > On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
> > lp:hipl.
> > >
> > > --- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000
> > > +++ test/lib/tool/pk.c 2011-10-30 07:48:24 +0000
> > > @@ -27,7 +27,9 @@
> > > #include <stdlib.h>
> > > #include <string.h>
> > > #include <stdio.h>
> > > +#ifdef HAVE_EC_CRYPTO
> > > #include <openssl/ec.h>
> > > +#endif /* HAVE_EC_CRYPTO */
> > > #include <openssl/pem.h>
> >
> > see above
>
> Did not get this.
missing config.h
Diego
Miika Komu (miika-iki) wrote : | # |
Hi,
On 11/03/2011 05:27 PM, Diego Biurrun wrote:
> On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
>>> On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
>>>> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
>>> lp:hipl.
>>>>
>>>> --- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000
>>>> +++ test/lib/tool/pk.c 2011-10-30 07:48:24 +0000
>>>> @@ -27,7 +27,9 @@
>>>> #include<stdlib.h>
>>>> #include<string.h>
>>>> #include<stdio.h>
>>>> +#ifdef HAVE_EC_CRYPTO
>>>> #include<
>>>> +#endif /* HAVE_EC_CRYPTO */
>>>> #include<
>>>
>>> see above
>>
>> Did not get this.
>
> missing config.h
thanks for the correction, committed.
- 6105. By Miika Komu
Added a missing include
File test/lib/tool/pk.c was missing a include for "config.h". It's
needed due to the conditional compilation of elliptic curves in
OpenSSL.
Diego Biurrun (diego-biurrun) wrote : | # |
On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
> > On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
> > >
> > > --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> > > +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> > > @@ -689,6 +715,12 @@
> > > struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> > > struct endpoint_hip *endpoint_
> > >
> > > + if (ecdsa_nid < 0) {
> > > + err = -1;
> > > + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> > > + goto out_err;
> > > + }
> >
> > ?
>
> Does not compile otherwise when ECDSA is missing (gcc complains about
> missing variable). If you insist, I'll commit this separately to trunk
> or suggest a better fix.
You mean that gcc complains about unused parameter? This is badly designed.
The function should not need one extra parameter for each crypto algorithm
that is added.
Diego
- 6106. By Miika Komu
Cleaning up the ECDSA changes
As suggested by Diego:
* Removed unrelated changes and stray empty lines
* Reverted incorrectly deleted empty lines
* Regrouped ifdeffery
* Fixed one occurrence of config.h
- 6107. By Miika Komu
Synchronized with trunk revision 6119
- 6108. By Miika Komu
Deleted some empty lines between function bodies and #endif statements
According to the new uncrustify policy, there is no need to have an
empty line between the end of a function body (closing curly bracket)
and following #endif (if any present). Adjusted ECDSA-related code
according to the new policy.
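--- a/firewall/conntrack.c
+++ b/firewall/conntrack.c
@@ -695,9 +695,11 @@
 case HIP_HI_RSA:
 RSA_free(hip_tuple->data->src_pub_key);
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ EC_KEY_free(hip_tuple->data->src_pub_key);
+ break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 DSA_free(hip_tuple->data->src_pub_key);
 break;
@@ -1063,10 +1065,12 @@
 tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_rsa((const struct hip_host_id_priv *) host_id, 0);
 tuple->hip_tuple->data->verify = hip_rsa_verify;
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_ecdsa((const struct hip_host_id_priv *) host_id, 0);
+ tuple->hip_tuple->data->verify = hip_ecdsa_verify;
+ break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_dsa((const struct hip_host_id_priv *) host_id, 0);
 tuple->hip_tuple->data->verify = hip_dsa_verify;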
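Review bot: With HAVE_EC_CRYPTO undefined, a peer host identity whose algorithm field says HIP_HI_ECDSA no longer matches any case in either switch and reaches the default arm, which lies outside both hunks; the algorithm ID arrives from the wire, so that arm must leave `src_pub_key` NULL and refuse the tuple rather than continue with a NULL key and verify callback. If that is already what the default does, a comment at the second `#endif`, `/* HIP_HI_ECDSA falls to default and is rejected when EC support is compiled out */`, records the expectation next to the guard. Both enclosing functions start and end outside the hunks.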
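--- a/firewall/rule_management.c
+++ b/firewall/rule_management.c
@@ -82,7 +82,6 @@
 #define RSA_FILE "_rsa_"
 #define DSA_FILE "_dsa_"
 #define ECDSA_FILE "_ecdsa_"
-
 #define MAX_LINE_LENGTH 512
 
 #define HIP_FW_DEFAULT_RULE_FILE HIPL_SYSCONFDIR "/firewall_conf"
@@ -444,6 +443,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Load an ECDSA public key from a file and convert it into a hip_host_id.
 *
@@ -479,6 +479,8 @@
 return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * load a public key from a file and convert it to a hip_host_id structure
 *
@@ -506,8 +508,10 @@
 algo = HIP_HI_RSA;
 } else if (strstr(token, DSA_FILE)) {
 algo = HIP_HI_DSA;
+#ifdef HAVE_EC_CRYPTO
 } else if (strstr(token, ECDSA_FILE)) {
 algo = HIP_HI_ECDSA;
+#endif /* HAVE_EC_CRYPTO */
 } else {
 HIP_DEBUG("Invalid filename for HI: missing _rsa_ or _dsa_ \n");
 return NULL;
@@ -519,9 +523,11 @@
 case HIP_HI_RSA:
 HIP_IFEL(load_rsa_file(fp, hi), -1, "Failed to load RSA key\n");
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ HIP_IFEL(load_ecdsa_file(fp, hi), -1, "Failed to load ECDSA key\n")
+ break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 HIP_IFEL(load_dsa_file(fp, hi), -1, "Failed to load DSA key\n")
 break;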
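Review bot: In the @@ -506 hunk, a build without HAVE_EC_CRYPTO now routes a rule file named with `_ecdsa_` into the final `else`, where the message "Invalid filename for HI: missing _rsa_ or _dsa_" hides the real cause (ECDSA compiled out), and the message is stale in the EC build too since `_ecdsa_` is accepted there. An `#else` arm `} else if (strstr(token, ECDSA_FILE)) { HIP_DEBUG("ECDSA HI files are not supported in this build\n"); return NULL;` keeps the two failures distinguishable, and the fallback message can name `_ecdsa_` as well; ECDSA_FILE is still defined unconditionally in the first hunk, so the comparison compiles either way. The enclosing function starts before this hunk and ends after the @@ -519 one.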
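--- a/hipd/cookie.c
+++ b/hipd/cookie.c
@@ -349,9 +349,11 @@
 case HIP_HI_DSA:
 signature_func = hip_dsa_sign;
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ signature_func = hip_ecdsa_sign;
+ break;
+#endif /* HAVE_EC_CRYPTO */
 default:
 HIP_ERROR("Unkown algorithm");
 return -1;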
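--- a/hipd/hadb.c
+++ b/hipd/hadb.c
@@ -818,9 +818,11 @@
 case HIP_HI_RSA:
 RSA_free(ha->peer_pub_key);
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ EC_KEY_free(ha->peer_pub_key);
+ break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 DSA_free(ha->peer_pub_key);
 break;
@@ -909,10 +911,12 @@
 entry->verify = hip_dsa_verify;
 entry->peer_pub_key = hip_key_rr_to_dsa((struct hip_host_id_priv *) entry->peer_pub, 0);
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ entry->verify = hip_ecdsa_verify;
+ entry->peer_pub_key = hip_key_rr_to_ecdsa((struct hip_host_id_priv *) entry->peer_pub, 0);
+ break;
+#endif /* HAVE_EC_CRYPTO */
 default:
 HIP_OUT_ERR(-1, "Unkown algorithm");
 }
@@ -978,9 +982,11 @@
 case HIP_HI_RSA:
 entry->sign = hip_rsa_sign;
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ entry->sign = hip_ecdsa_sign;
+ break;
+#endif /* HAVE_EC_CRYPTO */
 default:
 err = -1;
 }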
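--- a/hipd/hidb.c
+++ b/hipd/hidb.c
@@ -63,6 +63,7 @@
 
 static const char *lsi_addresses[] = { "1.0.0.1", "1.0.0.2", "1.0.0.3", "1.0.0.4" };
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Strips the private key component from an ECDSA-based host id.
 *
@@ -103,6 +104,8 @@
 return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Strips a DSA public key out of a host id with private key component
 *
@@ -192,8 +195,10 @@
 return get_rsa_public_key(hid, ret);
 case HIP_HI_DSA:
 return get_dsa_public_key(hid, ret);
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ return get_ecdsa_public_key(hid, ret);
+#endif /* HAVE_EC_CRYPTO */
 default:
 HIP_ERROR("Unsupported HI algorithm\n");
 return -1;
@@ -284,9 +289,11 @@
 case HIP_HI_RSA:
 RSA_free(id->private_key);
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ EC_KEY_free(id->private_key);
+ break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 DSA_free(id->private_key);
 break;
@@ -510,9 +517,11 @@
 case HIP_HI_RSA:
 id_entry->private_key = hip_key_rr_to_rsa(host_id, 1);
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ id_entry->private_key = hip_key_rr_to_ecdsa(host_id, 1);
+ break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 id_entry->private_key = hip_key_rr_to_dsa(host_id, 1);
 break;
@@ -530,9 +539,11 @@
 case HIP_HI_DSA:
 signature_func = hip_dsa_sign;
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ signature_func = hip_ecdsa_sign;
+ break;
+#endif /* HAVE_EC_CRYPTO */
 default:
 HIP_ERROR("Unsupported algorithms\n");
 err = -1;
@@ -558,9 +569,11 @@
 case HIP_HI_RSA:
 RSA_free(id_entry->private_key);
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ EC_KEY_free(id_entry->private_key);
+ break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 DSA_free(id_entry->private_key);
 break;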
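--- a/lib/core/builder.c
+++ b/lib/core/builder.c
@@ -3460,6 +3460,7 @@
 return hip_build_param(msg, &name_info);
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Convert an EC structure from OpenSSL into an endpoint_hip structure
 * used internally by the implementation.
@@ -3505,6 +3506,8 @@
 return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Convert a DSA structure from OpenSSL into an endpoint_hip structure
 * used internally by the implementation.
@@ -3606,7 +3609,9 @@
 struct hip_host_id *host_id_pub = NULL;
 const RSA *const rsa_key = any_key;
 const DSA *const dsa_key = any_key;
- const EC_KEY *const ecdsa_key = any_key;
+#ifdef HAVE_EC_CRYPTO
+ const EC_KEY *const ecdsa_key = any_key;
+#endif /* HAVE_EC_CRYPTO */
 
 HIP_IFEL(gethostname(hostname, sizeof(hostname)), -1,
 "gethostname failed\n");
@@ -3616,10 +3621,12 @@
 HIP_IFEL((key_rr_len = dsa_to_dns_key_rr(dsa_key, &key_rr)) <= 0, -1,
 "key_rr_len\n");
 break;
+#ifdef HAVE_EC_CRYPTO
+ case HIP_HI_ECDSA:
+ HIP_IFEL(((key_rr_len = ecdsa_to_key_rr(ecdsa_key, &key_rr)) <= 0), -1,
+ "key_rr_len\n");
+ break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_RSA:
 HIP_IFEL((key_rr_len = rsa_to_dns_key_rr(rsa_key, &key_rr)) <= 0, -1,
 "key_rr_len\n");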
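--- a/lib/core/builder.h
+++ b/lib/core/builder.h
@@ -26,19 +26,22 @@
 #ifndef HIP_LIB_CORE_BUILDER_H
 #define HIP_LIB_CORE_BUILDER_H
 
+#include "config.h"
+
 #include <stdint.h>
 #include <netinet/in.h>
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
+#ifdef HAVE_EC_CRYPTO
 #include <openssl/ec.h>
-
-#include "config.h"
+#endif /* HAVE_EC_CRYPTO */
+
+
 #include "certtools.h"
 #include "debug.h"
 #include "icomm.h"
 #include "state.h"
 
-
 /* Removed in 2.6.11 - why ? */
 extern struct hip_cert_spki_info hip_cert_spki_info;
 
@@ -219,10 +222,12 @@
 struct endpoint_hip **endpoint,
 se_hip_flags endpoint_flags,
 const char *const hostname);
+#ifdef HAVE_EC_CRYPTO
 int ecdsa_to_hip_endpoint(const EC_KEY *const ecdsa,
 struct endpoint_hip **const endpoint,
 const se_hip_flags endpoint_flags,
 const char *const hostname);
+#endif /* HAVE_EC_CRYPTO */
 int hip_any_key_to_hit(const void *const any_key,
 hip_hit_t *const hit,
 const int is_public,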
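Review bot: The new `#include "config.h"` placed ahead of the system headers is load-bearing, because the HAVE_EC_CRYPTO tested a few lines below comes from it, yet nothing in the header says so and the project's stated rule (system headers before local ones, as the review thread repeats) invites a later cleanup to move it back down and silently drop `<openssl/ec.h>`. A one-line comment on it, `#include "config.h" /* first: defines HAVE_EC_CRYPTO used by the includes below */`, makes the ordering intentional. As a point of style, the hunk leaves two consecutive blank lines after the `#endif` while removing the single one before the `/* Removed in 2.6.11 */` comment; one blank line in each place matches the rest of the header.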
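--- a/lib/core/crypto.c
+++ b/lib/core/crypto.c
@@ -459,6 +459,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Sign using ECDSA
 *
@@ -495,6 +496,8 @@
 return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Sign using DSA
 *
@@ -536,6 +539,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Verify an ECDSA signature
 *
@@ -571,6 +575,8 @@
 return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Verify a DSA signature
 *
@@ -780,6 +786,7 @@
 return NULL;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Generate ECDSA parameters and a new key pair.
 *
@@ -819,6 +826,8 @@
 return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Save host DSA keys to disk.
 * @param filenamebase the filename base where DSA key should be saved
@@ -1015,6 +1024,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Save the host's ECDSA keys to disk.
 *
@@ -1170,6 +1180,8 @@
 return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Load host DSA private keys from disk.
 * @param filename the file name base of the host DSA key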
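--- a/lib/core/crypto.h
+++ b/lib/core/crypto.h
@@ -26,12 +26,16 @@
 #ifndef HIP_LIB_CORE_CRYPTO_H
 #define HIP_LIB_CORE_CRYPTO_H
 
+#include "config.h"
+
 #include <stdint.h>
 #include <netinet/in.h>
 #include <sys/types.h>
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
+#ifdef HAVE_EC_CRYPTO
 #include <openssl/ec.h>
+#endif /* HAVE_EC_CRYPTO */
 #include <openssl/dh.h>
 #include <openssl/pem.h>
 
@@ -92,25 +96,33 @@
 uint16_t hip_get_dh_size(uint8_t hip_dh_group_type);
 DSA *create_dsa_key(const int bits);
 RSA *create_rsa_key(const int bits);
+#ifdef HAVE_EC_CRYPTO
 EC_KEY *create_ecdsa_key(const int nid);
+#endif /* HAVE_EC_CRYPTO */
 int save_dsa_private_key(const char *const filenamebase, DSA *const dsa);
 int save_rsa_private_key(const char *const filenamebase, RSA *const rsa);
+#ifdef HAVE_EC_CRYPTO
 int save_ecdsa_private_key(const char *const filenamebase, EC_KEY *const ecdsa);
+#endif /* HAVE_EC_CRYPTO */
 int load_dsa_private_key(const char *const filenamebase, DSA **const dsa);
 int load_rsa_private_key(const char *const filename, RSA **const rsa);
+#ifdef HAVE_EC_CRYPTO
 int load_ecdsa_private_key(const char *const filename, EC_KEY **const ec);
+#endif /* HAVE_EC_CRYPTO */
 int impl_dsa_sign(const unsigned char *const digest,
 DSA *const dsa,
 unsigned char *const signature);
 int impl_dsa_verify(const unsigned char *const digest,
 DSA *const dsa,
 const unsigned char *const signature);
+#ifdef HAVE_EC_CRYPTO
 int impl_ecdsa_sign(const unsigned char *const digest,
 EC_KEY *const ecdsa,
 unsigned char *const signature);
 int impl_ecdsa_verify(const unsigned char *const digest,
 EC_KEY *const ecdsa,
 const unsigned char *const signature);
+#endif /* HAVE_EC_CRYPTO */
 int hip_write_hmac(int type, const void *key, void *in, int in_len, void *out);
 int hip_crypto_encrypted(void *data, const void *iv, int enc_alg, int enc_len,
 uint8_t *enc_key, int direction);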
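Review bot: The @@ -92 hunk wraps the ECDSA prototypes in four separate `#ifdef HAVE_EC_CRYPTO` blocks interleaved with the DSA and RSA declarations, which is a style choice that makes the guard easy to miss when the next prototype is added. Collecting `create_ecdsa_key`, `save_ecdsa_private_key`, `load_ecdsa_private_key`, `impl_ecdsa_sign` and `impl_ecdsa_verify` under one guard placed after the RSA/DSA declarations reads better and gives a single spot to keep in step with the guard around `<openssl/ec.h>` in the first hunk. The same grouping would also let the header document once, at that guard, that these symbols only exist when OpenSSL was built with EC support.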
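--- a/lib/core/hostid.c
+++ b/lib/core/hostid.c
@@ -40,7 +40,6 @@
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
 
-#include "config.h"
 #include "lib/tool/pk.h"
 #include "builder.h"
 #include "crypto.h"
@@ -250,6 +249,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Convert ECDSA-based private host id to a HIT.
 *
@@ -291,6 +291,8 @@
 return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Convert RSA, DSA, or ECDSA-based private host id to a HIT
 *
@@ -310,13 +312,16 @@
 return private_dsa_host_id_to_hit(host_id, hit, hit_type);
 case HIP_HI_RSA:
 return private_rsa_host_id_to_hit(host_id, hit, hit_type);
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 return private_ecdsa_host_id_to_hit(host_id, hit, hit_type);
+#endif /* HAVE_EC_CRYPTO */
 default:
 return -ENOSYS;
 }
 }
 
+#ifdef HAVE_EC_CRYPTO
 /*
 * Translate the openssl specific curve id into the coressponding HIP id.
 *
@@ -423,6 +428,8 @@
 return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * dig out RSA key length from an host id
 *
@@ -553,6 +560,7 @@
 return dsa;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * convert a ECDSA-based host id into an OpenSSL structure
 *
@@ -632,6 +640,8 @@
 return ret;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * (Re)create new host identities or load existing ones, and append the
 * private identities into a message. This functionality is used by hipd
@@ -664,30 +674,44 @@
 const int dsa_key_bits,
 const int ecdsa_nid)
 {
- int err = 0, dsa_key_rr_len = 0, rsa_key_rr_len = 0, ecdsa_key_rr_len = 0;
- int dsa_pub_key_rr_len = 0, rsa_pub_key_rr_len = 0, ecdsa_pub_key_rr_len = 0;
+ int err = 0, dsa_key_rr_len = 0, rsa_key_rr_len = 0;
+ int dsa_pub_key_rr_len = 0, rsa_pub_key_rr_len = 0;
 hip_hdr numeric_action = 0;
 char hostname[HIP_HOST_ID_HOSTNAME_LEN_MAX];
- const char *rsa_filenamebase = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
- const char *dsa_filenamebase = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
- const char *ecdsa_filenamebase = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
- const char *rsa_filenamebase_pub = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
- const char *dsa_filenamebase_pub = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
- const char *ecdsa_filenamebase_pub = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
- unsigned char *dsa_key_rr = NULL, *rsa_key_rr = NULL, *ecdsa_key_rr = NULL;
- unsigned char *dsa_pub_key_rr = NULL, *rsa_pub_key_rr = NULL, *ecdsa_pub_key_rr = NULL;
- DSA *dsa_key = NULL, *dsa_pub_key = NULL;
- RSA *rsa_key = NULL, *rsa_pub_key = NULL;
- EC_KEY *ecdsa_key = NULL, *ecdsa_pub_key = NULL;
- struct hip_host_id_local rsa_lhi, dsa_lhi, ecdsa_lhi, rsa_pub_lhi, dsa_pub_lhi, ecdsa_pub_lhi;
- struct hip_host_id *dsa_host_id = NULL, *rsa_host_id = NULL, *ecdsa_host_id = NULL;
- struct hip_host_id *dsa_pub_host_id = NULL, *rsa_pub_host_id = NULL, *ecdsa_pub_host_id = NULL;
+ const char *rsa_filenamebase = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
+ const char *dsa_filenamebase = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
+ const char *rsa_filenamebase_pub = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
+ const char *dsa_filenamebase_pub = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
+ unsigned char *dsa_key_rr = NULL, *rsa_key_rr = NULL;
+ unsigned char *dsa_pub_key_rr = NULL, *rsa_pub_key_rr = NULL;
+ DSA *dsa_key = NULL, *dsa_pub_key = NULL;
+ RSA *rsa_key = NULL, *rsa_pub_key = NULL;
+ struct hip_host_id_local rsa_lhi, dsa_lhi, rsa_pub_lhi, dsa_pub_lhi;
+ struct hip_host_id *dsa_host_id = NULL, *rsa_host_id = NULL;
+ struct hip_host_id *dsa_pub_host_id = NULL, *rsa_pub_host_id = NULL;
 struct endpoint_hip *endpoint_dsa_hip = NULL;
 struct endpoint_hip *endpoint_dsa_pub_hip = NULL;
 struct endpoint_hip *endpoint_rsa_hip = NULL;
 struct endpoint_hip *endpoint_rsa_pub_hip = NULL;
 struct endpoint_hip *endpoint_ecdsa_hip = NULL;
 struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL;
+#ifdef HAVE_EC_CRYPTO
+ int ecdsa_key_rr_len = 0, ecdsa_pub_key_rr_len = 0;
+ const char *ecdsa_filenamebase = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
+ const char *ecdsa_filenamebase_pub = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
+ unsigned char *ecdsa_key_rr = NULL;
+ unsigned char *ecdsa_pub_key_rr = NULL;
+ EC_KEY *ecdsa_key = NULL, *ecdsa_pub_key = NULL;
+ struct hip_host_id_local ecdsa_lhi, ecdsa_pub_lhi;
+ struct hip_host_id *ecdsa_host_id = NULL;
+ struct hip_host_id *ecdsa_pub_host_id = NULL;
+#endif /* HAVE_EC_CRYPTO */
+
+ if (ecdsa_nid < 0) {
+ err = -1;
+ HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
+ goto out_err;
+ }
 
 if (action == ACTION_ADD) {
 numeric_action = HIP_MSG_ADD_LOCAL_HI;
@@ -726,6 +750,7 @@
 HIP_ERROR("Saving of DSA key failed.\n");
 goto out_err;
 }
+#ifdef HAVE_EC_CRYPTO
 } else if (!strcmp(hi_fmt, "ecdsa")) {
 ecdsa_key = create_ecdsa_key(ecdsa_nid);
 HIP_IFEL(!ecdsa_key, -EINVAL,
@@ -734,6 +759,7 @@
 HIP_ERROR("Saving of ECDSA key failed.\n");
 goto out_err;
 }
+#endif /* HAVE_EC_CRYPTO */
 } else { /*RSA*/
 rsa_key = create_rsa_key(rsa_key_bits);
 HIP_IFEL(!rsa_key, -EINVAL,
@@ -764,6 +790,7 @@
 HIP_IFEL(!rsa_pub_key, -EINVAL,
 "Creation of public RSA key failed.\n");
 
+#ifdef HAVE_EC_CRYPTO
 ecdsa_key = create_ecdsa_key(ecdsa_nid);
 HIP_IFEL(!ecdsa_key, -EINVAL,
 "Creation of ECDSA key failed.\n");
@@ -772,6 +799,17 @@
 HIP_IFEL(!ecdsa_pub_key, -EINVAL,
 "Creation of public ECDSA key failed.\n");
 
+ if ((err = save_ecdsa_private_key(ecdsa_filenamebase, ecdsa_key))) {
+ HIP_ERROR("Saving of ECDSA key failed.\n");
+ goto out_err;
+ }
+
+ if ((err = save_ecdsa_private_key(ecdsa_filenamebase_pub, ecdsa_pub_key))) {
+ HIP_ERROR("Saving of public ECDSA key failed.\n");
+ goto out_err;
+ }
+#endif /* HAVE_EC_CRYPTO */
+
 if ((err = save_dsa_private_key(dsa_filenamebase, dsa_key))) {
 HIP_ERROR("Saving of DSA key failed.\n");
 goto out_err;
@@ -792,16 +830,6 @@
 goto out_err;
 }
 
- if ((err = save_ecdsa_private_key(ecdsa_filenamebase, ecdsa_key))) {
- HIP_ERROR("Saving of ECDSA key failed.\n");
- goto out_err;
- }
-
- if ((err = save_ecdsa_private_key(ecdsa_filenamebase_pub, ecdsa_pub_key))) {
- HIP_ERROR("Saving of public ECDSA key failed.\n");
- goto out_err;
- }
-
 break;
 
 case ACTION_ADD:
@@ -823,6 +851,7 @@
 HIP_ERROR("Building of host id failed\n");
 goto out_err;
 }
+#ifdef HAVE_EC_CRYPTO
 } else if (!strcmp(hi_fmt, "ecdsa")) {
 if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) {
 HIP_ERROR("Loading of the ECDSA key failed\n");
@@ -839,6 +868,7 @@
 HIP_ERROR("Building of host id failed\n");
 goto out_err;
 }
+#endif /* HAVE_EC_CRYPTO */
 } else { /*RSA*/
 if ((err = load_rsa_private_key(hi_file, &rsa_key))) {
 HIP_ERROR("Failed to load RSA key from file %s\n", hi_file);
@@ -910,6 +940,7 @@
 goto out_err;
 }
 }
+#ifdef HAVE_EC_CRYPTO
 } else if (!strcmp(hi_fmt, "ecdsa")) {
 if (anon) {
 if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) {
@@ -958,6 +989,7 @@
 goto out_err;
 }
 }
+#endif /* HAVE_EC_CRYPTO */
 } else if (anon) { /* rsa anon */
 if ((err = load_rsa_private_key(rsa_filenamebase, &rsa_key))) {
 HIP_ERROR("Loading of the RSA key failed\n");
@@ -1059,41 +1091,47 @@
 if (rsa_filenamebase_pub != NULL) {
 change_key_file_perms(rsa_filenamebase_pub);
 }
- if (ecdsa_filenamebase_pub != NULL) {
- change_key_file_perms(ecdsa_filenamebase_pub);
- }
- if (ecdsa_filenamebase_pub != NULL) {
- change_key_file_perms(ecdsa_filenamebase_pub);
- }
 
 free(dsa_host_id);
 free(dsa_pub_host_id);
- free(ecdsa_host_id);
- free(ecdsa_pub_host_id);
 free(rsa_host_id);
 free(rsa_pub_host_id);
 DSA_free(dsa_key);
- EC_KEY_free(ecdsa_key);
 RSA_free(rsa_key);
 DSA_free(dsa_pub_key);
- EC_KEY_free(ecdsa_pub_key);
 RSA_free(rsa_pub_key);
 free(dsa_key_rr);
- free(ecdsa_key_rr);
 free(rsa_key_rr);
 free(dsa_pub_key_rr);
- free(ecdsa_pub_key_rr);
 free(rsa_pub_key_rr);
 free(endpoint_dsa_hip);
- free(endpoint_ecdsa_hip);
 free(endpoint_rsa_hip);
 free(endpoint_dsa_pub_hip);
+ free(endpoint_rsa_pub_hip);
+
+#ifdef HAVE_EC_CRYPTO
+ /* We make exeception to the common memory deallocation policy (LIFO)
+ * here to group of all ECDSA deallocations between a single ifdef */
+ if (ecdsa_filenamebase_pub != NULL) {
+ change_key_file_perms(ecdsa_filenamebase_pub);
+ }
+ if (ecdsa_filenamebase_pub != NULL) {
+ change_key_file_perms(ecdsa_filenamebase_pub);
+ }
+ free(ecdsa_host_id);
+ free(ecdsa_pub_host_id);
+ EC_KEY_free(ecdsa_key);
+ EC_KEY_free(ecdsa_pub_key);
+ free(ecdsa_key_rr);
+ free(ecdsa_pub_key_rr);
+ free(endpoint_ecdsa_hip);
 free(endpoint_ecdsa_pub_hip);
- free(endpoint_rsa_pub_hip);
+#endif /* HAVE_EC_CRYPTO */
 
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Serialize an ECDSA public key.
 *
@@ -1167,6 +1205,8 @@
 return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * create DNS KEY RR record from host DSA key
 * @param dsa the DSA structure from where the KEY RR record is to be created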
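--- a/lib/core/hostid.h
+++ b/lib/core/hostid.h
@@ -26,10 +26,14 @@
 #ifndef HIP_LIB_CORE_HOSTID_H
 #define HIP_LIB_CORE_HOSTID_H
 
+#include "config.h"
+
 #include <netinet/in.h>
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
+#ifdef HAVE_EC_CRYPTO
 #include <openssl/ec.h>
+#endif /* HAVE_EC_CRYPTO */
 
 #include "protodefs.h"
 #include "state.h"
@@ -62,11 +66,15 @@
 struct hip_ecdsa_keylen *const ret);
 RSA *hip_key_rr_to_rsa(const struct hip_host_id_priv *const host_id, const int is_priv);
 DSA *hip_key_rr_to_dsa(const struct hip_host_id_priv *const host_id, const int is_priv);
+#ifdef HAVE_EC_CRYPTO
 EC_KEY *hip_key_rr_to_ecdsa(const struct hip_host_id_priv *const host_id, const int is_priv);
+#endif /* HAVE_EC_CRYPTO */
 
 int dsa_to_dns_key_rr(const DSA *const dsa, unsigned char **const buf);
 int rsa_to_dns_key_rr(const RSA *const rsa, unsigned char **const rsa_key_rr);
+#ifdef HAVE_EC_CRYPTO
 int ecdsa_to_key_rr(const EC_KEY *const ecdsa, unsigned char **const ec_key_rr);
+#endif /* HAVE_EC_CRYPTO */
 
 int hip_serialize_host_id_action(struct hip_common *msg,
 const int action,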
763 | |
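--- a/lib/tool/pk.c
+++ b/lib/tool/pk.c
@@ -8,6 +8,8 @@
 * @brief HIPL wrappers for OpenSSL public key operations.
 */
 
+#include "config.h"
+
 #include <errno.h>
 #include <stdint.h>
 #include <stdlib.h>
@@ -15,9 +17,11 @@
 #include <netinet/in.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
-#include <openssl/ecdsa.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
+#ifdef HAVE_EC_CRYPTO
+#include <openssl/ecdsa.h>
+#endif /* HAVE_EC_CRYPTO */
 
 #include "lib/core/builder.h"
 #include "lib/core/crypto.h"
@@ -26,7 +30,6 @@
 #include "lib/core/performance.h"
 #include "lib/core/prefix.h"
 #include "lib/core/protodefs.h"
-#include "config.h"
 #include "pk.h"
 
 /**
@@ -75,6 +78,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Sign a HIP control message with a private ECDSA key.
 *
@@ -129,6 +133,8 @@
 return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * sign a HIP control message with a private DSA key
 *
@@ -225,8 +231,10 @@
 /* RSA_verify returns 0 on failure */
 err = !RSA_verify(NID_sha1, sha1_digest, SHA_DIGEST_LENGTH,
 sig->signature, RSA_size(peer_pub), peer_pub);
+#ifdef HAVE_EC_CRYPTO
 } else if (type == HIP_HI_ECDSA) {
 err = impl_ecdsa_verify(sha1_digest, peer_pub, sig->signature);
+#endif /* HAVE_EC_CRYPTO */
 } else {
 err = impl_dsa_verify(sha1_digest, peer_pub, sig->signature);
 }
@@ -259,6 +267,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Verify the ECDSA signature from a message.
 *
@@ -272,6 +281,8 @@
 return verify(peer_pub, msg, HIP_HI_ECDSA);
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * RSA signature verification function
 *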
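Review bot: With the `HIP_HI_ECDSA` branch compiled out in the @@ -225 hunk, a signature whose type is HIP_HI_ECDSA no longer hits an explicit check but falls into the trailing `} else {` and is handed to `impl_dsa_verify()` together with a non-DSA key, so a build without HAVE_EC_CRYPTO runs ECDSA host identities through the wrong verifier instead of rejecting them outright. The enclosing verify function starts and ends outside the hunk, so what err finally becomes on that path cannot be confirmed here, but the `err = !RSA_verify(...)` line above indicates that a non-zero err is the failure result. Keeping the branch and failing it when EC support is absent keeps the dispatch explicit and the failure deterministic: `#else`, `} else if (type == HIP_HI_ECDSA) { err = -1; /* ECDSA support not compiled in */`, `#endif /* HAVE_EC_CRYPTO */`. The hunk that wraps `} else if (!strcmp(hi_fmt, "ecdsa"))` in lib/core/hostid.c (@@ -910) has the same shape, where an "ecdsa" format request would fall through to the RSA branches rather than being refused.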
842 | |
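--- a/test/lib/tool/pk.c
+++ b/test/lib/tool/pk.c
@@ -27,7 +27,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
+#ifdef HAVE_EC_CRYPTO
 #include <openssl/ec.h>
+#endif /* HAVE_EC_CRYPTO */
 #include <openssl/pem.h>
 
 #include "lib/core/debug.h"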
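Review bot: The new `#ifdef HAVE_EC_CRYPTO` guard around `<openssl/ec.h>` depends on a macro that the other files in this proposal obtain by adding `#include "config.h"` as their first include (lib/core/hostid.h, lib/tool/pk.c), but no such include is visible in this hunk. If config.h is not already included above line 27 of test/lib/tool/pk.c, the guard is always false and the EC header is silently omitted even on builds that do have EC support. Adding `#include "config.h"` ahead of the system includes, as done in lib/tool/pk.c, would make the guard reliable.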
review needs-fixing
On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote: rule_management .c 2011-08-15 14:11:56 +0000 rule_management .c 2011-10-30 07:48:24 +0000
> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
>
> --- firewall/
> +++ firewall/
> @@ -81,8 +81,9 @@
> /* filename needs to contain one of these to be valid HI file */
> #define RSA_FILE "_rsa_"
> #define DSA_FILE "_dsa_"
> +#ifdef HAVE_EC_CRYPTO
> #define ECDSA_FILE "_ecdsa_"
> -
> +#endif /* HAVE_EC_CRYPTO */
> #define MAX_LINE_LENGTH 512
unnecessary
> @@ -444,6 +445,7 @@
> return err;
> }
>
> +#ifdef HAVE_EC_CRYPTO
> /**
> * Load an ECDSA public key from a file and convert it into a hip_host_id.
> *
> @@ -479,6 +481,8 @@
> return err;
> }
>
> +#endif /* HAVE_EC_CRYPTO */
> +
> /**
> * load a public key from a file and convert it to a hip_host_id structure
> *
Drop the empty line before the #endif, same below
> --- lib/core/builder.h 2011-08-15 14:11:56 +0000 CORE_BUILDER_ H CORE_BUILDER_ H
> +++ lib/core/builder.h 2011-10-30 07:48:24 +0000
> @@ -26,18 +26,21 @@
> #ifndef HIP_LIB_
> #define HIP_LIB_
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <openssl/rsa.h>
> #include <openssl/dsa.h>
> -#include <openssl/ec.h>
>
> -#include "config.h"
> #include "certtools.h"
> #include "debug.h"
> #include "icomm.h"
> #include "state.h"
>
> +#ifdef HAVE_EC_CRYPTO
> +#include <openssl/ec.h>
> +#endif /* HAVE_EC_CRYPTO */
We have system headers before local headers for a reason.
> --- lib/core/crypto.h 2011-07-18 13:10:26 +0000 CORE_CRYPTO_ H CORE_CRYPTO_ H
> +++ lib/core/crypto.h 2011-10-30 07:48:24 +0000
> @@ -26,12 +26,16 @@
> #ifndef HIP_LIB_
> #define HIP_LIB_
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <sys/types.h>
> #include <openssl/dsa.h>
> #include <openssl/rsa.h>
> +#ifdef HAVE_EC_CRYPTO
> #include <openssl/ec.h>
> +#endif /* HAVE_EC_CRYPTO */
> #include <openssl/dh.h>
> #include <openssl/pem.h>
.. like you did here ..
> --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> @@ -28,6 +28,8 @@
> * @brief Host identifier manipulation functions
> */
>
> +#include "config.h"
> +
> #include <errno.h>
> #include <stdint.h>
> #include <stdlib.h>
> @@ -40,7 +42,6 @@
> #include <openssl/pem.h>
> #include <openssl/rsa.h>
>
> -#include "config.h"
> #include "lib/tool/pk.h"
> #include "builder.h"
> #include "crypto.h"
unnecessary / unrelated
> @@ -689,6 +715,12 @@ ecdsa_pub_ hip = NULL;
> struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> struct endpoint_hip *endpoint_
>
> + if (ecdsa_nid < 0) {
> + err = -1;
> + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> + goto out_err;
> + }
?
> @@ -1059,41 +1101,58 @@ se_pub != NULL) { key_file_ perms(rsa_ filenamebase_ pub); filenamebase_ pub != NULL) { key_file_ perms(ecdsa_ filenamebase_ pub); filenamebase_ pub != NULL) {
> if (rsa_filenameba
> change_
> }
> - if (ecdsa_
> - change_
> - }
> - if (ecdsa_
> - change_key_file...