Merge lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl

Proposed by Miika Komu
Status: Superseded
Proposed branch: lp:~hipl-core/hipl/ecdsa-redhat
Merge into: lp:hipl
Diff against target: 855 lines (+176/-48)
13 files modified
firewall/conntrack.c (+4/-0)
firewall/rule_management.c (+7/-1)
hipd/cookie.c (+2/-0)
hipd/hadb.c (+6/-0)
hipd/hidb.c (+13/-0)
lib/core/builder.c (+8/-1)
lib/core/builder.h (+8/-3)
lib/core/crypto.c (+12/-0)
lib/core/crypto.h (+12/-0)
lib/core/hostid.c (+81/-41)
lib/core/hostid.h (+8/-0)
lib/tool/pk.c (+13/-2)
test/lib/tool/pk.c (+2/-0)
To merge this branch: bzr merge lp:~hipl-core/hipl/ecdsa-redhat
Reviewer Review Type Date Requested Status
Diego Biurrun Needs Fixing
HIPL core team preliminary Pending
Review via email: mp+80750@code.launchpad.net

This proposal has been superseded by a proposal from 2011-11-03.

Description of the change

Compilation has been broken for a long time on Fedora and other RPM-based systems because they decided to drop elliptic curve support from OpenSSL. To put more heat on bug #838116 and to make detailed code review easier, I decided to propose this branch for early merging.

I would suggest to comment details here and design-level issues in the actual bug item:

https://bugs.launchpad.net/hipl/+bug/838116

Diego Biurrun (diego-biurrun) wrote :

 review needs-fixing

On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
>
> --- firewall/rule_management.c 2011-08-15 14:11:56 +0000
> +++ firewall/rule_management.c 2011-10-30 07:48:24 +0000
> @@ -81,8 +81,9 @@
> /* filename needs to contain one of these to be valid HI file */
> #define RSA_FILE "_rsa_"
> #define DSA_FILE "_dsa_"
> +#ifdef HAVE_EC_CRYPTO
> #define ECDSA_FILE "_ecdsa_"
> -
> +#endif /* HAVE_EC_CRYPTO */
> #define MAX_LINE_LENGTH 512

unnecessary

> @@ -444,6 +445,7 @@
> return err;
> }
>
> +#ifdef HAVE_EC_CRYPTO
> /**
> * Load an ECDSA public key from a file and convert it into a hip_host_id.
> *
> @@ -479,6 +481,8 @@
> return err;
> }
>
> +#endif /* HAVE_EC_CRYPTO */
> +
> /**
> * load a public key from a file and convert it to a hip_host_id structure
> *

Drop the empty line before the #endif, same below

> --- lib/core/builder.h 2011-08-15 14:11:56 +0000
> +++ lib/core/builder.h 2011-10-30 07:48:24 +0000
> @@ -26,18 +26,21 @@
> #ifndef HIP_LIB_CORE_BUILDER_H
> #define HIP_LIB_CORE_BUILDER_H
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <openssl/rsa.h>
> #include <openssl/dsa.h>
> -#include <openssl/ec.h>
>
> -#include "config.h"
> #include "certtools.h"
> #include "debug.h"
> #include "icomm.h"
> #include "state.h"
>
> +#ifdef HAVE_EC_CRYPTO
> +#include <openssl/ec.h>
> +#endif /* HAVE_EC_CRYPTO */

We have system headers before local headers for a reason.

> --- lib/core/crypto.h 2011-07-18 13:10:26 +0000
> +++ lib/core/crypto.h 2011-10-30 07:48:24 +0000
> @@ -26,12 +26,16 @@
> #ifndef HIP_LIB_CORE_CRYPTO_H
> #define HIP_LIB_CORE_CRYPTO_H
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <sys/types.h>
> #include <openssl/dsa.h>
> #include <openssl/rsa.h>
> +#ifdef HAVE_EC_CRYPTO
> #include <openssl/ec.h>
> +#endif /* HAVE_EC_CRYPTO */
> #include <openssl/dh.h>
> #include <openssl/pem.h>

.. like you did here ..

> --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> @@ -28,6 +28,8 @@
> * @brief Host identifier manipulation functions
> */
>
> +#include "config.h"
> +
> #include <errno.h>
> #include <stdint.h>
> #include <stdlib.h>
> @@ -40,7 +42,6 @@
> #include <openssl/pem.h>
> #include <openssl/rsa.h>
>
> -#include "config.h"
> #include "lib/tool/pk.h"
> #include "builder.h"
> #include "crypto.h"

unnecessary / unrelated

> @@ -689,6 +715,12 @@
> struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL;
>
> + if (ecdsa_nid < 0) {
> + err = -1;
> + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> + goto out_err;
> + }

?

> @@ -1059,41 +1101,58 @@
> if (rsa_filenamebase_pub != NULL) {
> change_key_file_perms(rsa_filenamebase_pub);
> }
> - if (ecdsa_filenamebase_pub != NULL) {
> - change_key_file_perms(ecdsa_filenamebase_pub);
> - }
> - if (ecdsa_filenamebase_pub != NULL) {
> - change_key_file...


review: Needs Fixing
lp:~hipl-core/hipl/ecdsa-redhat updated
6103. By Miika Komu

Cleaned up previous commit for ECC code

According to feedback from Diego:

* Removed unnecessary defines or reduced to minimum
* System headers before local

Also, "make checkheaders" target succeeds.

6104. By Miika Komu

Synchronized with trunk revision 6110

Miika Komu (miika-iki) wrote :

> review needs-fixing
>
> On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
> lp:hipl.
> >
> > --- firewall/rule_management.c 2011-08-15 14:11:56 +0000
> > +++ firewall/rule_management.c 2011-10-30 07:48:24 +0000
> > @@ -81,8 +81,9 @@
> > /* filename needs to contain one of these to be valid HI file */
> > #define RSA_FILE "_rsa_"
> > #define DSA_FILE "_dsa_"
> > +#ifdef HAVE_EC_CRYPTO
> > #define ECDSA_FILE "_ecdsa_"
> > -
> > +#endif /* HAVE_EC_CRYPTO */
> > #define MAX_LINE_LENGTH 512
>
> unnecessary

Fixed.

> > @@ -444,6 +445,7 @@
> > return err;
> > }
> >
> > +#ifdef HAVE_EC_CRYPTO
> > /**
> > * Load an ECDSA public key from a file and convert it into a hip_host_id.
> > *
> > @@ -479,6 +481,8 @@
> > return err;
> > }
> >
> > +#endif /* HAVE_EC_CRYPTO */
> > +
> > /**
> > * load a public key from a file and convert it to a hip_host_id structure
> > *
>
> Drop the empty line before the #endif, same below

Done.

> > --- lib/core/builder.h 2011-08-15 14:11:56 +0000
> > +++ lib/core/builder.h 2011-10-30 07:48:24 +0000
> > @@ -26,18 +26,21 @@
> > #ifndef HIP_LIB_CORE_BUILDER_H
> > #define HIP_LIB_CORE_BUILDER_H
> >
> > +#include "config.h"
> > +
> > #include <stdint.h>
> > #include <netinet/in.h>
> > #include <openssl/rsa.h>
> > #include <openssl/dsa.h>
> > -#include <openssl/ec.h>
> >
> > -#include "config.h"
> > #include "certtools.h"
> > #include "debug.h"
> > #include "icomm.h"
> > #include "state.h"
> >
> > +#ifdef HAVE_EC_CRYPTO
> > +#include <openssl/ec.h>
> > +#endif /* HAVE_EC_CRYPTO */
>
> We have system headers before local headers for a reason.

Fixed.

> > --- lib/core/crypto.h 2011-07-18 13:10:26 +0000
> > +++ lib/core/crypto.h 2011-10-30 07:48:24 +0000
> > @@ -26,12 +26,16 @@
> > #ifndef HIP_LIB_CORE_CRYPTO_H
> > #define HIP_LIB_CORE_CRYPTO_H
> >
> > +#include "config.h"
> > +
> > #include <stdint.h>
> > #include <netinet/in.h>
> > #include <sys/types.h>
> > #include <openssl/dsa.h>
> > #include <openssl/rsa.h>
> > +#ifdef HAVE_EC_CRYPTO
> > #include <openssl/ec.h>
> > +#endif /* HAVE_EC_CRYPTO */
> > #include <openssl/dh.h>
> > #include <openssl/pem.h>
>
> .. like you did here ..
>
> > --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> > +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> > @@ -28,6 +28,8 @@
> > * @brief Host identifier manipulation functions
> > */
> >
> > +#include "config.h"
> > +
> > #include <errno.h>
> > #include <stdint.h>
> > #include <stdlib.h>
> > @@ -40,7 +42,6 @@
> > #include <openssl/pem.h>
> > #include <openssl/rsa.h>
> >
> > -#include "config.h"
> > #include "lib/tool/pk.h"
> > #include "builder.h"
> > #include "crypto.h"
>
> unnecessary / unrelated

Removed.

> > @@ -689,6 +715,12 @@
> > struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> > struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL;
> >
> > + if (ecdsa_nid < 0) {
> > + err = -1;
> > + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> > + goto out_err;
> > + }
>
> ?

Does not compile otherwise when ECDSA is mi...

Diego Biurrun (diego-biurrun) wrote :

On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
> > On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
> > lp:hipl.
> > >
> > > --- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000
> > > +++ test/lib/tool/pk.c 2011-10-30 07:48:24 +0000
> > > @@ -27,7 +27,9 @@
> > > #include <stdlib.h>
> > > #include <string.h>
> > > #include <stdio.h>
> > > +#ifdef HAVE_EC_CRYPTO
> > > #include <openssl/ec.h>
> > > +#endif /* HAVE_EC_CRYPTO */
> > > #include <openssl/pem.h>
> >
> > see above
>
> Did not get this.

missing config.h

Diego

Miika Komu (miika-iki) wrote :

Hi,

On 11/03/2011 05:27 PM, Diego Biurrun wrote:
> On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
>>> On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
>>>> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
>>> lp:hipl.
>>>>
>>>> --- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000
>>>> +++ test/lib/tool/pk.c 2011-10-30 07:48:24 +0000
>>>> @@ -27,7 +27,9 @@
>>>> #include<stdlib.h>
>>>> #include<string.h>
>>>> #include<stdio.h>
>>>> +#ifdef HAVE_EC_CRYPTO
>>>> #include<openssl/ec.h>
>>>> +#endif /* HAVE_EC_CRYPTO */
>>>> #include<openssl/pem.h>
>>>
>>> see above
>>
>> Did not get this.
>
> missing config.h

thanks for the correction, committed.

lp:~hipl-core/hipl/ecdsa-redhat updated
6105. By Miika Komu

Added a missing include

File test/lib/tool/pk.c was missing an include for "config.h". It's
needed due to the conditional compilation of elliptic curves in
OpenSSL.

Diego Biurrun (diego-biurrun) wrote :

On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
> > On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
> > >
> > > --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> > > +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> > > @@ -689,6 +715,12 @@
> > > struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> > > struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL;
> > >
> > > + if (ecdsa_nid < 0) {
> > > + err = -1;
> > > + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> > > + goto out_err;
> > > + }
> >
> > ?
>
> Does not compile otherwise when ECDSA is missing (gcc complains about
> missing variable). If you insist, I'll commit this separately to trunk
> or suggest a better fix.

You mean that gcc complains about unused parameter? This is badly designed.
The function should not need one extra parameter for each crypto algorithm
that is added.

Diego

lp:~hipl-core/hipl/ecdsa-redhat updated
6106. By Miika Komu

Cleaning up the ECDSA changes

As suggested by Diego:

* Removed unrelated changes and stray empty lines
* Reverted incorrectly deleted empty lines
* Regrouped ifdeffery
* Fixed one occurrence of config.h

6107. By Miika Komu

Syncronized with trunk revision 6119

6108. By Miika Komu

Deleted some empty lines between function bodies and #endif statements

According to the new crustify policy, there is no need to have an
empty line between the end of a function body (closing curly bracket)
and following #endif (if any present). Adjusted ECDSA-related code
according to the new policy.

Unmerged revisions

Preview Diff

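--- a/firewall/conntrack.c
+++ b/firewall/conntrack.c
@@ -695,9 +695,11 @@
  case HIP_HI_RSA:
  RSA_free(hip_tuple->data->src_pub_key);
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  EC_KEY_free(hip_tuple->data->src_pub_key);
  break;
+#endif /* HAVE_EC_CRYPTO */
  case HIP_HI_DSA:
  DSA_free(hip_tuple->data->src_pub_key);
  break;
@@ -1063,10 +1065,12 @@
  tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_rsa((const struct hip_host_id_priv *) host_id, 0);
  tuple->hip_tuple->data->verify = hip_rsa_verify;
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_ecdsa((const struct hip_host_id_priv *) host_id, 0);
  tuple->hip_tuple->data->verify = hip_ecdsa_verify;
  break;
+#endif /* HAVE_EC_CRYPTO */
  case HIP_HI_DSA:
  tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_dsa((const struct hip_host_id_priv *) host_id, 0);
  tuple->hip_tuple->data->verify = hip_dsa_verify;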
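Review bot: In the second hunk (new lines 1068–1073) a build without HAVE_EC_CRYPTO has no arm that sets `src_pub_key` and `verify` for `HIP_HI_ECDSA`, and the algorithm value is presumably read from a host id the firewall received from a peer. The switch's `default` arm lies outside the hunk, so it should be confirmed that it fails the packet instead of leaving `verify` unset for a later call through that pointer. If it does not, an `#else` arm that logs `"ECDSA host id received, but EC support is compiled out\n"` and takes the function's existing error path would make the rejection explicit.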
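--- a/firewall/rule_management.c
+++ b/firewall/rule_management.c
@@ -82,7 +82,6 @@
 #define RSA_FILE "_rsa_"
 #define DSA_FILE "_dsa_"
 #define ECDSA_FILE "_ecdsa_"
-
 #define MAX_LINE_LENGTH 512
 
 #define HIP_FW_DEFAULT_RULE_FILE HIPL_SYSCONFDIR "/firewall_conf"
@@ -444,6 +443,7 @@
  return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * Load an ECDSA public key from a file and convert it into a hip_host_id.
  *
@@ -479,6 +479,8 @@
  return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * load a public key from a file and convert it to a hip_host_id structure
  *
@@ -506,8 +508,10 @@
  algo = HIP_HI_RSA;
  } else if (strstr(token, DSA_FILE)) {
  algo = HIP_HI_DSA;
+#ifdef HAVE_EC_CRYPTO
  } else if (strstr(token, ECDSA_FILE)) {
  algo = HIP_HI_ECDSA;
+#endif /* HAVE_EC_CRYPTO */
  } else {
  HIP_DEBUG("Invalid filename for HI: missing _rsa_ or _dsa_ \n");
  return NULL;
@@ -519,9 +523,11 @@
  case HIP_HI_RSA:
  HIP_IFEL(load_rsa_file(fp, hi), -1, "Failed to load RSA key\n");
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  HIP_IFEL(load_ecdsa_file(fp, hi), -1, "Failed to load ECDSA key\n")
  break;
+#endif /* HAVE_EC_CRYPTO */
  case HIP_HI_DSA:
  HIP_IFEL(load_dsa_file(fp, hi), -1, "Failed to load DSA key\n")
  break;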
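Review bot: In the filename check (new lines 508–517), a build without HAVE_EC_CRYPTO sends a key file named `*_ecdsa_*` to the final `else`, which returns NULL after a HIP_DEBUG message that blames a `missing _rsa_ or _dsa_` marker. For a firewall rule that names an ECDSA host identity, that hides the real cause from the operator. An `#else` branch before the `#endif` would report it: `} else if (strstr(token, ECDSA_FILE)) {` followed by `HIP_ERROR("ECDSA HI file given, but EC support is not compiled in\n"); return NULL;`. The enclosing function starts and ends outside the hunk.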
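--- a/hipd/cookie.c
+++ b/hipd/cookie.c
@@ -349,9 +349,11 @@
  case HIP_HI_DSA:
  signature_func = hip_dsa_sign;
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  signature_func = hip_ecdsa_sign;
  break;
+#endif /* HAVE_EC_CRYPTO */
  default:
  HIP_ERROR("Unkown algorithm");
  return -1;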
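--- a/hipd/hadb.c
+++ b/hipd/hadb.c
@@ -818,9 +818,11 @@
  case HIP_HI_RSA:
  RSA_free(ha->peer_pub_key);
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  EC_KEY_free(ha->peer_pub_key);
  break;
+#endif /* HAVE_EC_CRYPTO */
  case HIP_HI_DSA:
  DSA_free(ha->peer_pub_key);
  break;
@@ -909,10 +911,12 @@
  entry->verify = hip_dsa_verify;
  entry->peer_pub_key = hip_key_rr_to_dsa((struct hip_host_id_priv *) entry->peer_pub, 0);
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  entry->verify = hip_ecdsa_verify;
  entry->peer_pub_key = hip_key_rr_to_ecdsa((struct hip_host_id_priv *) entry->peer_pub, 0);
  break;
+#endif /* HAVE_EC_CRYPTO */
  default:
  HIP_OUT_ERR(-1, "Unkown algorithm");
  }
@@ -978,9 +982,11 @@
  case HIP_HI_RSA:
  entry->sign = hip_rsa_sign;
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  entry->sign = hip_ecdsa_sign;
  break;
+#endif /* HAVE_EC_CRYPTO */
  default:
  err = -1;
  }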
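--- a/hipd/hidb.c
+++ b/hipd/hidb.c
@@ -63,6 +63,7 @@
 
 static const char *lsi_addresses[] = { "1.0.0.1", "1.0.0.2", "1.0.0.3", "1.0.0.4" };
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * Strips the private key component from an ECDSA-based host id.
  *
@@ -103,6 +104,8 @@
  return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * Strips a DSA public key out of a host id with private key component
  *
@@ -192,8 +195,10 @@
  return get_rsa_public_key(hid, ret);
  case HIP_HI_DSA:
  return get_dsa_public_key(hid, ret);
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  return get_ecdsa_public_key(hid, ret);
+#endif /* HAVE_EC_CRYPTO */
  default:
  HIP_ERROR("Unsupported HI algorithm\n");
  return -1;
@@ -284,9 +289,11 @@
  case HIP_HI_RSA:
  RSA_free(id->private_key);
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  EC_KEY_free(id->private_key);
  break;
+#endif /* HAVE_EC_CRYPTO */
  case HIP_HI_DSA:
  DSA_free(id->private_key);
  break;
@@ -510,9 +517,11 @@
  case HIP_HI_RSA:
  id_entry->private_key = hip_key_rr_to_rsa(host_id, 1);
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  id_entry->private_key = hip_key_rr_to_ecdsa(host_id, 1);
  break;
+#endif /* HAVE_EC_CRYPTO */
  case HIP_HI_DSA:
  id_entry->private_key = hip_key_rr_to_dsa(host_id, 1);
  break;
@@ -530,9 +539,11 @@
  case HIP_HI_DSA:
  signature_func = hip_dsa_sign;
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  signature_func = hip_ecdsa_sign;
  break;
+#endif /* HAVE_EC_CRYPTO */
  default:
  HIP_ERROR("Unsupported algorithms\n");
  err = -1;
@@ -558,9 +569,11 @@
  case HIP_HI_RSA:
  RSA_free(id_entry->private_key);
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  EC_KEY_free(id_entry->private_key);
  break;
+#endif /* HAVE_EC_CRYPTO */
  case HIP_HI_DSA:
  DSA_free(id_entry->private_key);
  break;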
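--- a/lib/core/builder.c
+++ b/lib/core/builder.c
@@ -3460,6 +3460,7 @@
  return hip_build_param(msg, &name_info);
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * Convert an EC structure from OpenSSL into an endpoint_hip structure
  * used internally by the implementation.
@@ -3505,6 +3506,8 @@
  return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * Convert a DSA structure from OpenSSL into an endpoint_hip structure
  * used internally by the implementation.
@@ -3606,7 +3609,9 @@
  struct hip_host_id *host_id_pub = NULL;
  const RSA *const rsa_key = any_key;
  const DSA *const dsa_key = any_key;
- const EC_KEY *const ecdsa_key = any_key;
+#ifdef HAVE_EC_CRYPTO
+ const EC_KEY *const ecdsa_key = any_key;
+#endif /* HAVE_EC_CRYPTO */
 
  HIP_IFEL(gethostname(hostname, sizeof(hostname)), -1,
  "gethostname failed\n");
@@ -3616,10 +3621,12 @@
  HIP_IFEL((key_rr_len = dsa_to_dns_key_rr(dsa_key, &key_rr)) <= 0, -1,
  "key_rr_len\n");
  break;
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  HIP_IFEL(((key_rr_len = ecdsa_to_key_rr(ecdsa_key, &key_rr)) <= 0), -1,
  "key_rr_len\n");
  break;
+#endif /* HAVE_EC_CRYPTO */
  case HIP_HI_RSA:
  HIP_IFEL((key_rr_len = rsa_to_dns_key_rr(rsa_key, &key_rr)) <= 0, -1,
  "key_rr_len\n");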
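--- a/lib/core/builder.h
+++ b/lib/core/builder.h
@@ -26,19 +26,22 @@
 #ifndef HIP_LIB_CORE_BUILDER_H
 #define HIP_LIB_CORE_BUILDER_H
 
+#include "config.h"
+
 #include <stdint.h>
 #include <netinet/in.h>
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
+#ifdef HAVE_EC_CRYPTO
 #include <openssl/ec.h>
-
-#include "config.h"
+#endif /* HAVE_EC_CRYPTO */
+
+
 #include "certtools.h"
 #include "debug.h"
 #include "icomm.h"
 #include "state.h"
 
-
 /* Removed in 2.6.11 - why ? */
 extern struct hip_cert_spki_info hip_cert_spki_info;
 
@@ -219,10 +222,12 @@
  struct endpoint_hip **endpoint,
  se_hip_flags endpoint_flags,
  const char *const hostname);
+#ifdef HAVE_EC_CRYPTO
 int ecdsa_to_hip_endpoint(const EC_KEY *const ecdsa,
  struct endpoint_hip **const endpoint,
  const se_hip_flags endpoint_flags,
  const char *const hostname);
+#endif /* HAVE_EC_CRYPTO */
 int hip_any_key_to_hit(const void *const any_key,
  hip_hit_t *const hit,
  const int is_public,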
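Review bot: The include block in the first hunk now has `config.h` ahead of the system headers and leaves two consecutive blank lines after `#endif /* HAVE_EC_CRYPTO */` (new lines 38–39). Nothing says why `config.h` must come first, so a later header-order cleanup could move it below the `#ifdef` and silently drop `<openssl/ec.h>` and the `ecdsa_to_hip_endpoint` prototype. I would add `/* must precede the HAVE_EC_CRYPTO checks below */` after the include and drop one of the blank lines; lib/core/crypto.h has the same unexplained ordering.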
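--- a/lib/core/crypto.c
+++ b/lib/core/crypto.c
@@ -459,6 +459,7 @@
  return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * Sign using ECDSA
  *
@@ -495,6 +496,8 @@
  return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * Sign using DSA
  *
@@ -536,6 +539,7 @@
  return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * Verify an ECDSA signature
  *
@@ -571,6 +575,8 @@
  return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * Verify a DSA signature
  *
@@ -780,6 +786,7 @@
  return NULL;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * Generate ECDSA parameters and a new key pair.
  *
@@ -819,6 +826,8 @@
  return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * Save host DSA keys to disk.
  * @param filenamebase the filename base where DSA key should be saved
@@ -1015,6 +1024,7 @@
  return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * Save the host's ECDSA keys to disk.
  *
@@ -1170,6 +1180,8 @@
  return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * Load host DSA private keys from disk.
  * @param filename the file name base of the host DSA key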
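--- a/lib/core/crypto.h
+++ b/lib/core/crypto.h
@@ -26,12 +26,16 @@
 #ifndef HIP_LIB_CORE_CRYPTO_H
 #define HIP_LIB_CORE_CRYPTO_H
 
+#include "config.h"
+
 #include <stdint.h>
 #include <netinet/in.h>
 #include <sys/types.h>
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
+#ifdef HAVE_EC_CRYPTO
 #include <openssl/ec.h>
+#endif /* HAVE_EC_CRYPTO */
 #include <openssl/dh.h>
 #include <openssl/pem.h>
 
@@ -92,25 +96,33 @@
 uint16_t hip_get_dh_size(uint8_t hip_dh_group_type);
 DSA *create_dsa_key(const int bits);
 RSA *create_rsa_key(const int bits);
+#ifdef HAVE_EC_CRYPTO
 EC_KEY *create_ecdsa_key(const int nid);
+#endif /* HAVE_EC_CRYPTO */
 int save_dsa_private_key(const char *const filenamebase, DSA *const dsa);
 int save_rsa_private_key(const char *const filenamebase, RSA *const rsa);
+#ifdef HAVE_EC_CRYPTO
 int save_ecdsa_private_key(const char *const filenamebase, EC_KEY *const ecdsa);
+#endif /* HAVE_EC_CRYPTO */
 int load_dsa_private_key(const char *const filenamebase, DSA **const dsa);
 int load_rsa_private_key(const char *const filename, RSA **const rsa);
+#ifdef HAVE_EC_CRYPTO
 int load_ecdsa_private_key(const char *const filename, EC_KEY **const ec);
+#endif /* HAVE_EC_CRYPTO */
 int impl_dsa_sign(const unsigned char *const digest,
  DSA *const dsa,
  unsigned char *const signature);
 int impl_dsa_verify(const unsigned char *const digest,
  DSA *const dsa,
  const unsigned char *const signature);
+#ifdef HAVE_EC_CRYPTO
 int impl_ecdsa_sign(const unsigned char *const digest,
  EC_KEY *const ecdsa,
  unsigned char *const signature);
 int impl_ecdsa_verify(const unsigned char *const digest,
  EC_KEY *const ecdsa,
  const unsigned char *const signature);
+#endif /* HAVE_EC_CRYPTO */
 int hip_write_hmac(int type, const void *key, void *in, int in_len, void *out);
 int hip_crypto_encrypted(void *data, const void *iv, int enc_alg, int enc_len,
  uint8_t *enc_key, int direction);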
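Review bot: The prototype list in the second hunk wraps the EC functions in four separate `#ifdef HAVE_EC_CRYPTO` blocks, three of them around a single line. Moving `create_ecdsa_key`, `save_ecdsa_private_key`, `load_ecdsa_private_key`, `impl_ecdsa_sign` and `impl_ecdsa_verify` into one guarded group would leave one `#ifdef`/`#endif` pair to keep in step with lib/core/crypto.c. This is a readability point only; the declarations themselves are unchanged.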
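--- a/lib/core/hostid.c
+++ b/lib/core/hostid.c
@@ -40,7 +40,6 @@
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
 
-#include "config.h"
 #include "lib/tool/pk.h"
 #include "builder.h"
 #include "crypto.h"
@@ -250,6 +249,7 @@
  return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * Convert ECDSA-based private host id to a HIT.
  *
@@ -291,6 +291,8 @@
  return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * Convert RSA, DSA, or ECDSA-based private host id to a HIT
  *
@@ -310,13 +312,16 @@
  return private_dsa_host_id_to_hit(host_id, hit, hit_type);
  case HIP_HI_RSA:
  return private_rsa_host_id_to_hit(host_id, hit, hit_type);
+#ifdef HAVE_EC_CRYPTO
  case HIP_HI_ECDSA:
  return private_ecdsa_host_id_to_hit(host_id, hit, hit_type);
+#endif /* HAVE_EC_CRYPTO */
  default:
  return -ENOSYS;
  }
 }
 
+#ifdef HAVE_EC_CRYPTO
 /*
  * Translate the openssl specific curve id into the coressponding HIP id.
  *
@@ -423,6 +428,8 @@
  return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * dig out RSA key length from an host id
  *
@@ -553,6 +560,7 @@
  return dsa;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * convert a ECDSA-based host id into an OpenSSL structure
  *
@@ -632,6 +640,8 @@
  return ret;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * (Re)create new host identities or load existing ones, and append the
  * private identities into a message. This functionality is used by hipd
@@ -664,30 +674,44 @@
  const int dsa_key_bits,
  const int ecdsa_nid)
 {
- int err = 0, dsa_key_rr_len = 0, rsa_key_rr_len = 0, ecdsa_key_rr_len = 0;
- int dsa_pub_key_rr_len = 0, rsa_pub_key_rr_len = 0, ecdsa_pub_key_rr_len = 0;
+ int err = 0, dsa_key_rr_len = 0, rsa_key_rr_len = 0;
+ int dsa_pub_key_rr_len = 0, rsa_pub_key_rr_len = 0;
  hip_hdr numeric_action = 0;
  char hostname[HIP_HOST_ID_HOSTNAME_LEN_MAX];
  const char *rsa_filenamebase = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
  const char *dsa_filenamebase = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
- const char *ecdsa_filenamebase = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
- const char *rsa_filenamebase_pub = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
- const char *dsa_filenamebase_pub = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
- const char *ecdsa_filenamebase_pub = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
- unsigned char *dsa_key_rr = NULL, *rsa_key_rr = NULL, *ecdsa_key_rr = NULL;
- unsigned char *dsa_pub_key_rr = NULL, *rsa_pub_key_rr = NULL, *ecdsa_pub_key_rr = NULL;
- DSA *dsa_key = NULL, *dsa_pub_key = NULL;
- RSA *rsa_key = NULL, *rsa_pub_key = NULL;
- EC_KEY *ecdsa_key = NULL, *ecdsa_pub_key = NULL;
- struct hip_host_id_local rsa_lhi, dsa_lhi, ecdsa_lhi, rsa_pub_lhi, dsa_pub_lhi, ecdsa_pub_lhi;
- struct hip_host_id *dsa_host_id = NULL, *rsa_host_id = NULL, *ecdsa_host_id = NULL;
- struct hip_host_id *dsa_pub_host_id = NULL, *rsa_pub_host_id = NULL, *ecdsa_pub_host_id = NULL;
+ const char *rsa_filenamebase_pub = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
+ const char *dsa_filenamebase_pub = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
+ unsigned char *dsa_key_rr = NULL, *rsa_key_rr = NULL;
+ unsigned char *dsa_pub_key_rr = NULL, *rsa_pub_key_rr = NULL;
+ DSA *dsa_key = NULL, *dsa_pub_key = NULL;
+ RSA *rsa_key = NULL, *rsa_pub_key = NULL;
+ struct hip_host_id_local rsa_lhi, dsa_lhi, rsa_pub_lhi, dsa_pub_lhi;
+ struct hip_host_id *dsa_host_id = NULL, *rsa_host_id = NULL;
+ struct hip_host_id *dsa_pub_host_id = NULL, *rsa_pub_host_id = NULL;
  struct endpoint_hip *endpoint_dsa_hip = NULL;
  struct endpoint_hip *endpoint_dsa_pub_hip = NULL;
  struct endpoint_hip *endpoint_rsa_hip = NULL;
  struct endpoint_hip *endpoint_rsa_pub_hip = NULL;
  struct endpoint_hip *endpoint_ecdsa_hip = NULL;
  struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL;
+#ifdef HAVE_EC_CRYPTO
+ int ecdsa_key_rr_len = 0, ecdsa_pub_key_rr_len = 0;
+ const char *ecdsa_filenamebase = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
+ const char *ecdsa_filenamebase_pub = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
+ unsigned char *ecdsa_key_rr = NULL;
+ unsigned char *ecdsa_pub_key_rr = NULL;
+ EC_KEY *ecdsa_key = NULL, *ecdsa_pub_key = NULL;
+ struct hip_host_id_local ecdsa_lhi, ecdsa_pub_lhi;
+ struct hip_host_id *ecdsa_host_id = NULL;
+ struct hip_host_id *ecdsa_pub_host_id = NULL;
+#endif /* HAVE_EC_CRYPTO */
+
+ if (ecdsa_nid < 0) {
+ err = -1;
+ HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
+ goto out_err;
+ }
 
  if (action == ACTION_ADD) {
  numeric_action = HIP_MSG_ADD_LOCAL_HI;
@@ -726,6 +750,7 @@
  HIP_ERROR("Saving of DSA key failed.\n");
  goto out_err;
  }
+#ifdef HAVE_EC_CRYPTO
  } else if (!strcmp(hi_fmt, "ecdsa")) {
  ecdsa_key = create_ecdsa_key(ecdsa_nid);
  HIP_IFEL(!ecdsa_key, -EINVAL,
@@ -734,6 +759,7 @@
  HIP_ERROR("Saving of ECDSA key failed.\n");
  goto out_err;
  }
+#endif /* HAVE_EC_CRYPTO */
  } else { /*RSA*/
  rsa_key = create_rsa_key(rsa_key_bits);
  HIP_IFEL(!rsa_key, -EINVAL,
@@ -764,6 +790,7 @@
  HIP_IFEL(!rsa_pub_key, -EINVAL,
  "Creation of public RSA key failed.\n");
 
+#ifdef HAVE_EC_CRYPTO
  ecdsa_key = create_ecdsa_key(ecdsa_nid);
  HIP_IFEL(!ecdsa_key, -EINVAL,
  "Creation of ECDSA key failed.\n");
@@ -772,6 +799,17 @@
  HIP_IFEL(!ecdsa_pub_key, -EINVAL,
  "Creation of public ECDSA key failed.\n");
 
+ if ((err = save_ecdsa_private_key(ecdsa_filenamebase, ecdsa_key))) {
+ HIP_ERROR("Saving of ECDSA key failed.\n");
+ goto out_err;
+ }
+
+ if ((err = save_ecdsa_private_key(ecdsa_filenamebase_pub, ecdsa_pub_key))) {
+ HIP_ERROR("Saving of public ECDSA key failed.\n");
+ goto out_err;
+ }
+#endif /* HAVE_EC_CRYPTO */
+
  if ((err = save_dsa_private_key(dsa_filenamebase, dsa_key))) {
  HIP_ERROR("Saving of DSA key failed.\n");
  goto out_err;
@@ -792,16 +830,6 @@
  goto out_err;
  }
 
- if ((err = save_ecdsa_private_key(ecdsa_filenamebase, ecdsa_key))) {
- HIP_ERROR("Saving of ECDSA key failed.\n");
- goto out_err;
- }
-
- if ((err = save_ecdsa_private_key(ecdsa_filenamebase_pub, ecdsa_pub_key))) {
- HIP_ERROR("Saving of public ECDSA key failed.\n");
- goto out_err;
- }
-
  break;
 
  case ACTION_ADD:
@@ -823,6 +851,7 @@
  HIP_ERROR("Building of host id failed\n");
  goto out_err;
  }
+#ifdef HAVE_EC_CRYPTO
  } else if (!strcmp(hi_fmt, "ecdsa")) {
  if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) {
  HIP_ERROR("Loading of the ECDSA key failed\n");
@@ -839,6 +868,7 @@
  HIP_ERROR("Building of host id failed\n");
  goto out_err;
  }
+#endif /* HAVE_EC_CRYPTO */
  } else { /*RSA*/
  if ((err = load_rsa_private_key(hi_file, &rsa_key))) {
  HIP_ERROR("Failed to load RSA key from file %s\n", hi_file);
@@ -910,6 +940,7 @@
  goto out_err;
  }
  }
+#ifdef HAVE_EC_CRYPTO
  } else if (!strcmp(hi_fmt, "ecdsa")) {
  if (anon) {
  if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) {
@@ -958,6 +989,7 @@
  goto out_err;
  }
  }
+#endif /* HAVE_EC_CRYPTO */
  } else if (anon) { /* rsa anon */
  if ((err = load_rsa_private_key(rsa_filenamebase, &rsa_key))) {
  HIP_ERROR("Loading of the RSA key failed\n");
@@ -1059,41 +1091,47 @@
  if (rsa_filenamebase_pub != NULL) {
  change_key_file_perms(rsa_filenamebase_pub);
  }
- if (ecdsa_filenamebase_pub != NULL) {
- change_key_file_perms(ecdsa_filenamebase_pub);
- }
- if (ecdsa_filenamebase_pub != NULL) {
- change_key_file_perms(ecdsa_filenamebase_pub);
- }
 
  free(dsa_host_id);
  free(dsa_pub_host_id);
- free(ecdsa_host_id);
- free(ecdsa_pub_host_id);
  free(rsa_host_id);
  free(rsa_pub_host_id);
  DSA_free(dsa_key);
- EC_KEY_free(ecdsa_key);
  RSA_free(rsa_key);
  DSA_free(dsa_pub_key);
- EC_KEY_free(ecdsa_pub_key);
  RSA_free(rsa_pub_key);
  free(dsa_key_rr);
- free(ecdsa_key_rr);
  free(rsa_key_rr);
  free(dsa_pub_key_rr);
- free(ecdsa_pub_key_rr);
  free(rsa_pub_key_rr);
  free(endpoint_dsa_hip);
- free(endpoint_ecdsa_hip);
  free(endpoint_rsa_hip);
  free(endpoint_dsa_pub_hip);
+ free(endpoint_rsa_pub_hip);
+
+#ifdef HAVE_EC_CRYPTO
+ /* We make exeception to the common memory deallocation policy (LIFO)
+ * here to group of all ECDSA deallocations between a single ifdef */
+ if (ecdsa_filenamebase_pub != NULL) {
+ change_key_file_perms(ecdsa_filenamebase_pub);
+ }
+ if (ecdsa_filenamebase_pub != NULL) {
+ change_key_file_perms(ecdsa_filenamebase_pub);
+ }
+ free(ecdsa_host_id);
+ free(ecdsa_pub_host_id);
+ EC_KEY_free(ecdsa_key);
+ EC_KEY_free(ecdsa_pub_key);
+ free(ecdsa_key_rr);
+ free(ecdsa_pub_key_rr);
+ free(endpoint_ecdsa_hip);
  free(endpoint_ecdsa_pub_hip);
- free(endpoint_rsa_pub_hip);
+#endif /* HAVE_EC_CRYPTO */
 
  return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * Serialize an ECDSA public key.
  *
@@ -1167,6 +1205,8 @@
  return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * create DNS KEY RR record from host DSA key
  * @param dsa the DSA structure from where the KEY RR record is to be created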
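Review bot: With HAVE_EC_CRYPTO undefined, the three `} else if (!strcmp(hi_fmt, "ecdsa")) {` arms disappear, so a request for an "ecdsa" identity falls through to the RSA arm that follows each of them and an RSA key is created or loaded in its place without any error. Each guarded arm should get an `#else` counterpart that rejects the format, i.e. `#else` followed by `} else if (!strcmp(hi_fmt, "ecdsa")) {` and `err = -ENOSYS; goto out_err;` before the `#endif`, so that a caller asking for ECDSA on a build without EC support sees a failure. Separately, the cleanup block moved under the guard still calls `change_key_file_perms(ecdsa_filenamebase_pub)` twice; the first call presumably should take `ecdsa_filenamebase`, otherwise the permissions of the anonymous ECDSA key file are not adjusted on this path. The function spans several hunks and the code between them is not visible, so both points should be checked against the full body.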
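--- a/lib/core/hostid.h
+++ b/lib/core/hostid.h
@@ -26,10 +26,14 @@
 #ifndef HIP_LIB_CORE_HOSTID_H
 #define HIP_LIB_CORE_HOSTID_H
 
+#include "config.h"
+
 #include <netinet/in.h>
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
+#ifdef HAVE_EC_CRYPTO
 #include <openssl/ec.h>
+#endif /* HAVE_EC_CRYPTO */
 
 #include "protodefs.h"
 #include "state.h"
@@ -62,11 +66,15 @@
  struct hip_ecdsa_keylen *const ret);
 RSA *hip_key_rr_to_rsa(const struct hip_host_id_priv *const host_id, const int is_priv);
 DSA *hip_key_rr_to_dsa(const struct hip_host_id_priv *const host_id, const int is_priv);
+#ifdef HAVE_EC_CRYPTO
 EC_KEY *hip_key_rr_to_ecdsa(const struct hip_host_id_priv *const host_id, const int is_priv);
+#endif /* HAVE_EC_CRYPTO */
 
 int dsa_to_dns_key_rr(const DSA *const dsa, unsigned char **const buf);
 int rsa_to_dns_key_rr(const RSA *const rsa, unsigned char **const rsa_key_rr);
+#ifdef HAVE_EC_CRYPTO
 int ecdsa_to_key_rr(const EC_KEY *const ecdsa, unsigned char **const ec_key_rr);
+#endif /* HAVE_EC_CRYPTO */
 
 int hip_serialize_host_id_action(struct hip_common *msg,
  const int action,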
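--- a/lib/tool/pk.c
+++ b/lib/tool/pk.c
@@ -8,6 +8,8 @@
  * @brief HIPL wrappers for OpenSSL public key operations.
  */
 
+#include "config.h"
+
 #include <errno.h>
 #include <stdint.h>
 #include <stdlib.h>
@@ -15,9 +17,11 @@
 #include <netinet/in.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
-#include <openssl/ecdsa.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
+#ifdef HAVE_EC_CRYPTO
+#include <openssl/ecdsa.h>
+#endif /* HAVE_EC_CRYPTO */
 
 #include "lib/core/builder.h"
 #include "lib/core/crypto.h"
@@ -26,7 +30,6 @@
 #include "lib/core/performance.h"
 #include "lib/core/prefix.h"
 #include "lib/core/protodefs.h"
-#include "config.h"
 #include "pk.h"
 
 /**
@@ -75,6 +78,7 @@
  return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * Sign a HIP control message with a private ECDSA key.
  *
@@ -129,6 +133,8 @@
  return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * sign a HIP control message with a private DSA key
  *
@@ -225,8 +231,10 @@
  /* RSA_verify returns 0 on failure */
  err = !RSA_verify(NID_sha1, sha1_digest, SHA_DIGEST_LENGTH,
  sig->signature, RSA_size(peer_pub), peer_pub);
+#ifdef HAVE_EC_CRYPTO
  } else if (type == HIP_HI_ECDSA) {
  err = impl_ecdsa_verify(sha1_digest, peer_pub, sig->signature);
+#endif /* HAVE_EC_CRYPTO */
  } else {
  err = impl_dsa_verify(sha1_digest, peer_pub, sig->signature);
  }
@@ -259,6 +267,7 @@
  return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
  * Verify the ECDSA signature from a message.
  *
@@ -272,6 +281,8 @@
  return verify(peer_pub, msg, HIP_HI_ECDSA);
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
  * RSA signature verification function
  *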
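Review bot: In the signature check around `impl_ecdsa_verify()`, compiling out the `type == HIP_HI_ECDSA` arm leaves the trailing `} else {` as a catch-all, so on a build without HAVE_EC_CRYPTO every type not matched earlier, HIP_HI_ECDSA included, is handed to `impl_dsa_verify()` with `peer_pub` treated as a DSA key. Whether that is reachable depends on callers outside the hunk, but a verification routine should fail closed on an algorithm it does not handle. The DSA arm should become `} else if (type == HIP_HI_DSA) {` with a final `} else { err = -EINVAL; }`. The enclosing function starts and ends outside the hunk.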
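--- a/test/lib/tool/pk.c
+++ b/test/lib/tool/pk.c
@@ -27,7 +27,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
+#ifdef HAVE_EC_CRYPTO
 #include <openssl/ec.h>
+#endif /* HAVE_EC_CRYPTO */
 #include <openssl/pem.h>
 
 #include "lib/core/debug.h"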
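Review bot: `#ifdef HAVE_EC_CRYPTO` is evaluated here with no include of config.h visible in the hunk, whereas lib/tool/pk.c in the same change moves `#include "config.h"` to the top of the file, ahead of its own guard. If the macro is only defined by config.h and the lines above the hunk do not include it, `<openssl/ec.h>` is skipped even on builds that do have EC support. Adding `#include "config.h"` before the system headers would make the guard dependable; the lines before the hunk are not visible, so this needs confirming against the full file.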
