Merge lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl
Status: | Superseded | ||||
---|---|---|---|---|---|
Proposed branch: | lp:~hipl-core/hipl/ecdsa-redhat | ||||
Merge into: | lp:hipl | ||||
Diff against target: |
855 lines (+176/-48) 13 files modified
firewall/conntrack.c (+4/-0) firewall/rule_management.c (+7/-1) hipd/cookie.c (+2/-0) hipd/hadb.c (+6/-0) hipd/hidb.c (+13/-0) lib/core/builder.c (+8/-1) lib/core/builder.h (+8/-3) lib/core/crypto.c (+12/-0) lib/core/crypto.h (+12/-0) lib/core/hostid.c (+81/-41) lib/core/hostid.h (+8/-0) lib/tool/pk.c (+13/-2) test/lib/tool/pk.c (+2/-0) |
To merge this branch: | bzr merge lp:~hipl-core/hipl/ecdsa-redhat | ||||
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Diego Biurrun | Needs Fixing | ||
HIPL core team | preliminary | Pending | |
This proposal has been superseded by a proposal from 2011-11-03.
Commit message
Description of the change
Compilation has been broken for a long time on Fedora and other RPM-based systems because they decided to drop elliptic curve support from OpenSSL. To put more heat on bug #838116 and to make detailed code review easier, I decided to propose this for early merging.
I would suggest to comment details here and design-level issues in the actual bug item:
- 6103. By Miika Komu
-
Cleaned up previous commit for ECC code
According to feedback from Diego:
* Removed unnecessary defines or reduced to minimum
* System headers before localAlso, "make checkheaders" target succeeds.
- 6104. By Miika Komu
-
Synchronized with trunk revision 6110
Miika Komu (miika-iki) wrote : | # |
> review needs-fixing
>
> On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
> lp:hipl.
> >
> > --- firewall/
> > +++ firewall/
> > @@ -81,8 +81,9 @@
> > /* filename needs to contain one of these to be valid HI file */
> > #define RSA_FILE "_rsa_"
> > #define DSA_FILE "_dsa_"
> > +#ifdef HAVE_EC_CRYPTO
> > #define ECDSA_FILE "_ecdsa_"
> > -
> > +#endif /* HAVE_EC_CRYPTO */
> > #define MAX_LINE_LENGTH 512
>
> unnecessary
Fixed.
> > @@ -444,6 +445,7 @@
> > return err;
> > }
> >
> > +#ifdef HAVE_EC_CRYPTO
> > /**
> > * Load an ECDSA public key from a file and convert it into a hip_host_id.
> > *
> > @@ -479,6 +481,8 @@
> > return err;
> > }
> >
> > +#endif /* HAVE_EC_CRYPTO */
> > +
> > /**
> > * load a public key from a file and convert it to a hip_host_id structure
> > *
>
> Drop the empty line before the #endif, same below
Done.
> > --- lib/core/builder.h 2011-08-15 14:11:56 +0000
> > +++ lib/core/builder.h 2011-10-30 07:48:24 +0000
> > @@ -26,18 +26,21 @@
> > #ifndef HIP_LIB_
> > #define HIP_LIB_
> >
> > +#include "config.h"
> > +
> > #include <stdint.h>
> > #include <netinet/in.h>
> > #include <openssl/rsa.h>
> > #include <openssl/dsa.h>
> > -#include <openssl/ec.h>
> >
> > -#include "config.h"
> > #include "certtools.h"
> > #include "debug.h"
> > #include "icomm.h"
> > #include "state.h"
> >
> > +#ifdef HAVE_EC_CRYPTO
> > +#include <openssl/ec.h>
> > +#endif /* HAVE_EC_CRYPTO */
>
> We have system headers before local headers for a reason.
Fixed.
> > --- lib/core/crypto.h 2011-07-18 13:10:26 +0000
> > +++ lib/core/crypto.h 2011-10-30 07:48:24 +0000
> > @@ -26,12 +26,16 @@
> > #ifndef HIP_LIB_
> > #define HIP_LIB_
> >
> > +#include "config.h"
> > +
> > #include <stdint.h>
> > #include <netinet/in.h>
> > #include <sys/types.h>
> > #include <openssl/dsa.h>
> > #include <openssl/rsa.h>
> > +#ifdef HAVE_EC_CRYPTO
> > #include <openssl/ec.h>
> > +#endif /* HAVE_EC_CRYPTO */
> > #include <openssl/dh.h>
> > #include <openssl/pem.h>
>
> .. like you did here ..
>
> > --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> > +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> > @@ -28,6 +28,8 @@
> > * @brief Host identifier manipulation functions
> > */
> >
> > +#include "config.h"
> > +
> > #include <errno.h>
> > #include <stdint.h>
> > #include <stdlib.h>
> > @@ -40,7 +42,6 @@
> > #include <openssl/pem.h>
> > #include <openssl/rsa.h>
> >
> > -#include "config.h"
> > #include "lib/tool/pk.h"
> > #include "builder.h"
> > #include "crypto.h"
>
> unnecessary / unrelated
Removed.
> > @@ -689,6 +715,12 @@
> > struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> > struct endpoint_hip *endpoint_
> >
> > + if (ecdsa_nid < 0) {
> > + err = -1;
> > + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> > + goto out_err;
> > + }
>
> ?
Does not compile otherwise when ECDSA is mi...
Diego Biurrun (diego-biurrun) wrote : | # |
On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
> > On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
> > lp:hipl.
> > >
> > > --- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000
> > > +++ test/lib/tool/pk.c 2011-10-30 07:48:24 +0000
> > > @@ -27,7 +27,9 @@
> > > #include <stdlib.h>
> > > #include <string.h>
> > > #include <stdio.h>
> > > +#ifdef HAVE_EC_CRYPTO
> > > #include <openssl/ec.h>
> > > +#endif /* HAVE_EC_CRYPTO */
> > > #include <openssl/pem.h>
> >
> > see above
>
> Did not get this.
missing config.h
Diego
Miika Komu (miika-iki) wrote : | # |
Hi,
On 11/03/2011 05:27 PM, Diego Biurrun wrote:
> On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
>>> On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
>>>> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
>>> lp:hipl.
>>>>
>>>> --- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000
>>>> +++ test/lib/tool/pk.c 2011-10-30 07:48:24 +0000
>>>> @@ -27,7 +27,9 @@
>>>> #include<stdlib.h>
>>>> #include<string.h>
>>>> #include<stdio.h>
>>>> +#ifdef HAVE_EC_CRYPTO
>>>> #include<
>>>> +#endif /* HAVE_EC_CRYPTO */
>>>> #include<
>>>
>>> see above
>>
>> Did not get this.
>
> missing config.h
thanks for the correction, committed.
- 6105. By Miika Komu
-
Added a missing include
File test/lib/tool/pk.c was missing a include for "config.h". It's
needed due to the conditional compilation of elliptic curves in
OpenSSL.
Diego Biurrun (diego-biurrun) wrote : | # |
On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
> > On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
> > >
> > > --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> > > +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> > > @@ -689,6 +715,12 @@
> > > struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> > > struct endpoint_hip *endpoint_
> > >
> > > + if (ecdsa_nid < 0) {
> > > + err = -1;
> > > + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> > > + goto out_err;
> > > + }
> >
> > ?
>
> Does not compile otherwise when ECDSA is missing (gcc complains about
> missing variable). If you insist, I'll commit this separately to trunk
> or suggest a better fix.
You mean that gcc complains about unused parameter? This is badly designed.
The function should not need one extra parameter for each crypto algorithm
that is added.
Diego
- 6106. By Miika Komu
-
Cleaning up the ECDSA changes
As suggested by Diego:
* Removed unrelated changes and stray empty lines
* Reverted incorrectly deleted empty lines
* Regrouped ifdeffery
* Fixed one occurrence of config.h - 6107. By Miika Komu
-
Syncronized with trunk revision 6119
- 6108. By Miika Komu
-
Deleted some empty lines between function bodies and #endif statements
According to the new crustify policy, there is no need need to have an
empty line between the end of a function body (closing curly bracket)
and following #endif (if any present). Adjusted ECDSA-related code
according to the new policy.
Unmerged revisions
Preview Diff
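--- a/firewall/conntrack.c
+++ b/firewall/conntrack.c
@@ -695,9 +695,11 @@
 case HIP_HI_RSA:
 RSA_free(hip_tuple->data->src_pub_key);
 break;
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 EC_KEY_free(hip_tuple->data->src_pub_key);
 break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 DSA_free(hip_tuple->data->src_pub_key);
 break;
@@ -1063,10 +1065,12 @@
 tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_rsa((const struct hip_host_id_priv *) host_id, 0);
 tuple->hip_tuple->data->verify = hip_rsa_verify;
 break;
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_ecdsa((const struct hip_host_id_priv *) host_id, 0);
 tuple->hip_tuple->data->verify = hip_ecdsa_verify;
 break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_dsa((const struct hip_host_id_priv *) host_id, 0);
 tuple->hip_tuple->data->verify = hip_dsa_verify;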
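Review bot: With HAVE_EC_CRYPTO undefined, a peer host identity whose algorithm field says HIP_HI_ECDSA now skips the `case HIP_HI_ECDSA:` of the second hunk (-1063) and lands in that switch's default branch, which lies outside the hunk, so the diff does not show whether the tuple is rejected or created with `src_pub_key` and `verify` left unset. The algorithm value comes from the peer's packet, so that default must fail closed; please confirm it does, or make it reject the tuple explicitly instead of relying on the compiled-out case. The free switch in the first hunk has the same shape, though there an ECDSA key cannot have been allocated in an EC-less build. Both enclosing functions start and end outside their hunks.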
30 | === modified file 'firewall/rule_management.c' | |||
31 | --- firewall/rule_management.c 2011-08-15 14:11:56 +0000 | |||
32 | +++ firewall/rule_management.c 2011-11-03 14:41:31 +0000 | |||
33 | @@ -82,7 +82,6 @@ | |||
34 | 82 | #define RSA_FILE "_rsa_" | 82 | #define RSA_FILE "_rsa_" |
35 | 83 | #define DSA_FILE "_dsa_" | 83 | #define DSA_FILE "_dsa_" |
36 | 84 | #define ECDSA_FILE "_ecdsa_" | 84 | #define ECDSA_FILE "_ecdsa_" |
37 | 85 | |||
38 | 86 | #define MAX_LINE_LENGTH 512 | 85 | #define MAX_LINE_LENGTH 512 |
39 | 87 | 86 | ||
40 | 88 | #define HIP_FW_DEFAULT_RULE_FILE HIPL_SYSCONFDIR "/firewall_conf" | 87 | #define HIP_FW_DEFAULT_RULE_FILE HIPL_SYSCONFDIR "/firewall_conf" |
41 | @@ -444,6 +443,7 @@ | |||
42 | 444 | return err; | 443 | return err; |
43 | 445 | } | 444 | } |
44 | 446 | 445 | ||
45 | 446 | #ifdef HAVE_EC_CRYPTO | ||
46 | 447 | /** | 447 | /** |
47 | 448 | * Load an ECDSA public key from a file and convert it into a hip_host_id. | 448 | * Load an ECDSA public key from a file and convert it into a hip_host_id. |
48 | 449 | * | 449 | * |
49 | @@ -479,6 +479,8 @@ | |||
50 | 479 | return err; | 479 | return err; |
51 | 480 | } | 480 | } |
52 | 481 | 481 | ||
53 | 482 | #endif /* HAVE_EC_CRYPTO */ | ||
54 | 483 | |||
55 | 482 | /** | 484 | /** |
56 | 483 | * load a public key from a file and convert it to a hip_host_id structure | 485 | * load a public key from a file and convert it to a hip_host_id structure |
57 | 484 | * | 486 | * |
58 | @@ -506,8 +508,10 @@ | |||
59 | 506 | algo = HIP_HI_RSA; | 508 | algo = HIP_HI_RSA; |
60 | 507 | } else if (strstr(token, DSA_FILE)) { | 509 | } else if (strstr(token, DSA_FILE)) { |
61 | 508 | algo = HIP_HI_DSA; | 510 | algo = HIP_HI_DSA; |
62 | 511 | #ifdef HAVE_EC_CRYPTO | ||
63 | 509 | } else if (strstr(token, ECDSA_FILE)) { | 512 | } else if (strstr(token, ECDSA_FILE)) { |
64 | 510 | algo = HIP_HI_ECDSA; | 513 | algo = HIP_HI_ECDSA; |
65 | 514 | #endif /* HAVE_EC_CRYPTO */ | ||
66 | 511 | } else { | 515 | } else { |
67 | 512 | HIP_DEBUG("Invalid filename for HI: missing _rsa_ or _dsa_ \n"); | 516 | HIP_DEBUG("Invalid filename for HI: missing _rsa_ or _dsa_ \n"); |
68 | 513 | return NULL; | 517 | return NULL; |
69 | @@ -519,9 +523,11 @@ | |||
70 | 519 | case HIP_HI_RSA: | 523 | case HIP_HI_RSA: |
71 | 520 | HIP_IFEL(load_rsa_file(fp, hi), -1, "Failed to load RSA key\n"); | 524 | HIP_IFEL(load_rsa_file(fp, hi), -1, "Failed to load RSA key\n"); |
72 | 521 | break; | 525 | break; |
73 | 526 | #ifdef HAVE_EC_CRYPTO | ||
74 | 522 | case HIP_HI_ECDSA: | 527 | case HIP_HI_ECDSA: |
75 | 523 | HIP_IFEL(load_ecdsa_file(fp, hi), -1, "Failed to load ECDSA key\n") | 528 | HIP_IFEL(load_ecdsa_file(fp, hi), -1, "Failed to load ECDSA key\n") |
76 | 524 | break; | 529 | break; |
77 | 530 | #endif /* HAVE_EC_CRYPTO */ | ||
78 | 525 | case HIP_HI_DSA: | 531 | case HIP_HI_DSA: |
79 | 526 | HIP_IFEL(load_dsa_file(fp, hi), -1, "Failed to load DSA key\n") | 532 | HIP_IFEL(load_dsa_file(fp, hi), -1, "Failed to load DSA key\n") |
80 | 527 | break; | 533 | break; |
81 | 528 | 534 | ||
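Review bot: In the fourth hunk (-506) an `_ecdsa_` HI file on a build without HAVE_EC_CRYPTO now falls through to the `} else {` branch and is reported as `Invalid filename for HI: missing _rsa_ or _dsa_`, which hides the real cause (EC support compiled out) from the operator reading the firewall log. An explicit `#else` branch that names the condition would make the rejection self-explanatory; suggested shape below. The enclosing function starts and ends outside the hunk.
```c
#ifdef HAVE_EC_CRYPTO
} else if (strstr(token, ECDSA_FILE)) {
    algo = HIP_HI_ECDSA;
#else
} else if (strstr(token, ECDSA_FILE)) {
    HIP_DEBUG("ECDSA HI file given but EC support is not compiled in\n");
    return NULL;
#endif /* HAVE_EC_CRYPTO */
} else {
// … unchanged: generic invalid-filename rejection …
```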
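--- a/hipd/cookie.c
+++ b/hipd/cookie.c
@@ -349,9 +349,11 @@
 case HIP_HI_DSA:
 signature_func = hip_dsa_sign;
 break;
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 signature_func = hip_ecdsa_sign;
 break;
+#endif /* HAVE_EC_CRYPTO */
 default:
 HIP_ERROR("Unkown algorithm");
 return -1;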
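--- a/hipd/hadb.c
+++ b/hipd/hadb.c
@@ -818,9 +818,11 @@
 case HIP_HI_RSA:
 RSA_free(ha->peer_pub_key);
 break;
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 EC_KEY_free(ha->peer_pub_key);
 break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 DSA_free(ha->peer_pub_key);
 break;
@@ -909,10 +911,12 @@
 entry->verify = hip_dsa_verify;
 entry->peer_pub_key = hip_key_rr_to_dsa((struct hip_host_id_priv *) entry->peer_pub, 0);
 break;
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 entry->verify = hip_ecdsa_verify;
 entry->peer_pub_key = hip_key_rr_to_ecdsa((struct hip_host_id_priv *) entry->peer_pub, 0);
 break;
+#endif /* HAVE_EC_CRYPTO */
 default:
 HIP_OUT_ERR(-1, "Unkown algorithm");
 }
@@ -978,9 +982,11 @@
 case HIP_HI_RSA:
 entry->sign = hip_rsa_sign;
 break;
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 entry->sign = hip_ecdsa_sign;
 break;
+#endif /* HAVE_EC_CRYPTO */
 default:
 err = -1;
 }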
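--- a/hipd/hidb.c
+++ b/hipd/hidb.c
@@ -63,6 +63,7 @@
 
 static const char *lsi_addresses[] = { "1.0.0.1", "1.0.0.2", "1.0.0.3", "1.0.0.4" };
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Strips the private key component from an ECDSA-based host id.
 *
@@ -103,6 +104,8 @@
 return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Strips a DSA public key out of a host id with private key component
 *
@@ -192,8 +195,10 @@
 return get_rsa_public_key(hid, ret);
 case HIP_HI_DSA:
 return get_dsa_public_key(hid, ret);
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 return get_ecdsa_public_key(hid, ret);
+#endif /* HAVE_EC_CRYPTO */
 default:
 HIP_ERROR("Unsupported HI algorithm\n");
 return -1;
@@ -284,9 +289,11 @@
 case HIP_HI_RSA:
 RSA_free(id->private_key);
 break;
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 EC_KEY_free(id->private_key);
 break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 DSA_free(id->private_key);
 break;
@@ -510,9 +517,11 @@
 case HIP_HI_RSA:
 id_entry->private_key = hip_key_rr_to_rsa(host_id, 1);
 break;
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 id_entry->private_key = hip_key_rr_to_ecdsa(host_id, 1);
 break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 id_entry->private_key = hip_key_rr_to_dsa(host_id, 1);
 break;
@@ -530,9 +539,11 @@
 case HIP_HI_DSA:
 signature_func = hip_dsa_sign;
 break;
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 signature_func = hip_ecdsa_sign;
 break;
+#endif /* HAVE_EC_CRYPTO */
 default:
 HIP_ERROR("Unsupported algorithms\n");
 err = -1;
@@ -558,9 +569,11 @@
 case HIP_HI_RSA:
 RSA_free(id_entry->private_key);
 break;
+#ifdef HAVE_EC_CRYPTO
 case HIP_HI_ECDSA:
 EC_KEY_free(id_entry->private_key);
 break;
+#endif /* HAVE_EC_CRYPTO */
 case HIP_HI_DSA:
 DSA_free(id_entry->private_key);
 break;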
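Review bot: In the second hunk (-103) the closing `#endif /* HAVE_EC_CRYPTO */` is wrapped in blank lines on both sides (new 106 and 108), whereas the opening `#ifdef` in the first hunk directly precedes the doc comment it guards; the blank between the function's closing brace and the `#endif` should go, leaving a single separator after it. Revision 6108 in the list above says exactly this clean-up was made, so the preview diff here may predate it; please make sure the final diff reflects it. The same pattern appears in the `#endif` hunks of lib/core/builder.c (-3505) and lib/core/crypto.c (-495, -571, -819, -1170).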
219 | === modified file 'lib/core/builder.c' | |||
220 | --- lib/core/builder.c 2011-11-03 09:21:12 +0000 | |||
221 | +++ lib/core/builder.c 2011-11-03 14:41:31 +0000 | |||
222 | @@ -3460,6 +3460,7 @@ | |||
223 | 3460 | return hip_build_param(msg, &name_info); | 3460 | return hip_build_param(msg, &name_info); |
224 | 3461 | } | 3461 | } |
225 | 3462 | 3462 | ||
226 | 3463 | #ifdef HAVE_EC_CRYPTO | ||
227 | 3463 | /** | 3464 | /** |
228 | 3464 | * Convert an EC structure from OpenSSL into an endpoint_hip structure | 3465 | * Convert an EC structure from OpenSSL into an endpoint_hip structure |
229 | 3465 | * used internally by the implementation. | 3466 | * used internally by the implementation. |
230 | @@ -3505,6 +3506,8 @@ | |||
231 | 3505 | return err; | 3506 | return err; |
232 | 3506 | } | 3507 | } |
233 | 3507 | 3508 | ||
234 | 3509 | #endif /* HAVE_EC_CRYPTO */ | ||
235 | 3510 | |||
236 | 3508 | /** | 3511 | /** |
237 | 3509 | * Convert a DSA structure from OpenSSL into an endpoint_hip structure | 3512 | * Convert a DSA structure from OpenSSL into an endpoint_hip structure |
238 | 3510 | * used internally by the implementation. | 3513 | * used internally by the implementation. |
239 | @@ -3606,7 +3609,9 @@ | |||
240 | 3606 | struct hip_host_id *host_id_pub = NULL; | 3609 | struct hip_host_id *host_id_pub = NULL; |
241 | 3607 | const RSA *const rsa_key = any_key; | 3610 | const RSA *const rsa_key = any_key; |
242 | 3608 | const DSA *const dsa_key = any_key; | 3611 | const DSA *const dsa_key = any_key; |
244 | 3609 | const EC_KEY *const ecdsa_key = any_key; | 3612 | #ifdef HAVE_EC_CRYPTO |
245 | 3613 | const EC_KEY *const ecdsa_key = any_key; | ||
246 | 3614 | #endif /* HAVE_EC_CRYPTO */ | ||
247 | 3610 | 3615 | ||
248 | 3611 | HIP_IFEL(gethostname(hostname, sizeof(hostname)), -1, | 3616 | HIP_IFEL(gethostname(hostname, sizeof(hostname)), -1, |
249 | 3612 | "gethostname failed\n"); | 3617 | "gethostname failed\n"); |
250 | @@ -3616,10 +3621,12 @@ | |||
251 | 3616 | HIP_IFEL((key_rr_len = dsa_to_dns_key_rr(dsa_key, &key_rr)) <= 0, -1, | 3621 | HIP_IFEL((key_rr_len = dsa_to_dns_key_rr(dsa_key, &key_rr)) <= 0, -1, |
252 | 3617 | "key_rr_len\n"); | 3622 | "key_rr_len\n"); |
253 | 3618 | break; | 3623 | break; |
254 | 3624 | #ifdef HAVE_EC_CRYPTO | ||
255 | 3619 | case HIP_HI_ECDSA: | 3625 | case HIP_HI_ECDSA: |
256 | 3620 | HIP_IFEL(((key_rr_len = ecdsa_to_key_rr(ecdsa_key, &key_rr)) <= 0), -1, | 3626 | HIP_IFEL(((key_rr_len = ecdsa_to_key_rr(ecdsa_key, &key_rr)) <= 0), -1, |
257 | 3621 | "key_rr_len\n"); | 3627 | "key_rr_len\n"); |
258 | 3622 | break; | 3628 | break; |
259 | 3629 | #endif /* HAVE_EC_CRYPTO */ | ||
260 | 3623 | case HIP_HI_RSA: | 3630 | case HIP_HI_RSA: |
261 | 3624 | HIP_IFEL((key_rr_len = rsa_to_dns_key_rr(rsa_key, &key_rr)) <= 0, -1, | 3631 | HIP_IFEL((key_rr_len = rsa_to_dns_key_rr(rsa_key, &key_rr)) <= 0, -1, |
262 | 3625 | "key_rr_len\n"); | 3632 | "key_rr_len\n"); |
263 | 3626 | 3633 | ||
264 | === modified file 'lib/core/builder.h' | |||
265 | --- lib/core/builder.h 2011-08-15 14:11:56 +0000 | |||
266 | +++ lib/core/builder.h 2011-11-03 14:41:31 +0000 | |||
267 | @@ -26,19 +26,22 @@ | |||
268 | 26 | #ifndef HIP_LIB_CORE_BUILDER_H | 26 | #ifndef HIP_LIB_CORE_BUILDER_H |
269 | 27 | #define HIP_LIB_CORE_BUILDER_H | 27 | #define HIP_LIB_CORE_BUILDER_H |
270 | 28 | 28 | ||
271 | 29 | #include "config.h" | ||
272 | 30 | |||
273 | 29 | #include <stdint.h> | 31 | #include <stdint.h> |
274 | 30 | #include <netinet/in.h> | 32 | #include <netinet/in.h> |
275 | 31 | #include <openssl/rsa.h> | 33 | #include <openssl/rsa.h> |
276 | 32 | #include <openssl/dsa.h> | 34 | #include <openssl/dsa.h> |
277 | 35 | #ifdef HAVE_EC_CRYPTO | ||
278 | 33 | #include <openssl/ec.h> | 36 | #include <openssl/ec.h> |
281 | 34 | 37 | #endif /* HAVE_EC_CRYPTO */ | |
282 | 35 | #include "config.h" | 38 | |
283 | 39 | |||
284 | 36 | #include "certtools.h" | 40 | #include "certtools.h" |
285 | 37 | #include "debug.h" | 41 | #include "debug.h" |
286 | 38 | #include "icomm.h" | 42 | #include "icomm.h" |
287 | 39 | #include "state.h" | 43 | #include "state.h" |
288 | 40 | 44 | ||
289 | 41 | |||
290 | 42 | /* Removed in 2.6.11 - why ? */ | 45 | /* Removed in 2.6.11 - why ? */ |
291 | 43 | extern struct hip_cert_spki_info hip_cert_spki_info; | 46 | extern struct hip_cert_spki_info hip_cert_spki_info; |
292 | 44 | 47 | ||
293 | @@ -219,10 +222,12 @@ | |||
294 | 219 | struct endpoint_hip **endpoint, | 222 | struct endpoint_hip **endpoint, |
295 | 220 | se_hip_flags endpoint_flags, | 223 | se_hip_flags endpoint_flags, |
296 | 221 | const char *const hostname); | 224 | const char *const hostname); |
297 | 225 | #ifdef HAVE_EC_CRYPTO | ||
298 | 222 | int ecdsa_to_hip_endpoint(const EC_KEY *const ecdsa, | 226 | int ecdsa_to_hip_endpoint(const EC_KEY *const ecdsa, |
299 | 223 | struct endpoint_hip **const endpoint, | 227 | struct endpoint_hip **const endpoint, |
300 | 224 | const se_hip_flags endpoint_flags, | 228 | const se_hip_flags endpoint_flags, |
301 | 225 | const char *const hostname); | 229 | const char *const hostname); |
302 | 230 | #endif /* HAVE_EC_CRYPTO */ | ||
303 | 226 | int hip_any_key_to_hit(const void *const any_key, | 231 | int hip_any_key_to_hit(const void *const any_key, |
304 | 227 | hip_hit_t *const hit, | 232 | hip_hit_t *const hit, |
305 | 228 | const int is_public, | 233 | const int is_public, |
306 | 229 | 234 | ||
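Review bot: New lines 38 and 39 in the first hunk leave two consecutive blank lines after `#endif /* HAVE_EC_CRYPTO */`, while the same hunk removes the doubled blank at old 40–41; drop one so the header keeps a single separator between the system and local include groups. The placement of `#include "config.h"` ahead of the system headers is correct but non-obvious, given that an earlier review round asked for system headers first: a one-line comment such as `/* config.h first: HAVE_EC_CRYPTO decides whether <openssl/ec.h> is pulled in */` above it would stop the next reader from "fixing" the order back.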
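--- a/lib/core/crypto.c
+++ b/lib/core/crypto.c
@@ -459,6 +459,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Sign using ECDSA
 *
@@ -495,6 +496,8 @@
 return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Sign using DSA
 *
@@ -536,6 +539,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Verify an ECDSA signature
 *
@@ -571,6 +575,8 @@
 return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Verify a DSA signature
 *
@@ -780,6 +786,7 @@
 return NULL;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Generate ECDSA parameters and a new key pair.
 *
@@ -819,6 +826,8 @@
 return err;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Save host DSA keys to disk.
 * @param filenamebase the filename base where DSA key should be saved
@@ -1015,6 +1024,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Save the host's ECDSA keys to disk.
 *
@@ -1170,6 +1180,8 @@
 return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * Load host DSA private keys from disk.
 * @param filename the file name base of the host DSA key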
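--- a/lib/core/crypto.h
+++ b/lib/core/crypto.h
@@ -26,12 +26,16 @@
 #ifndef HIP_LIB_CORE_CRYPTO_H
 #define HIP_LIB_CORE_CRYPTO_H
 
+#include "config.h"
+
 #include <stdint.h>
 #include <netinet/in.h>
 #include <sys/types.h>
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
+#ifdef HAVE_EC_CRYPTO
 #include <openssl/ec.h>
+#endif /* HAVE_EC_CRYPTO */
 #include <openssl/dh.h>
 #include <openssl/pem.h>
 
@@ -92,25 +96,33 @@
 uint16_t hip_get_dh_size(uint8_t hip_dh_group_type);
 DSA *create_dsa_key(const int bits);
 RSA *create_rsa_key(const int bits);
+#ifdef HAVE_EC_CRYPTO
 EC_KEY *create_ecdsa_key(const int nid);
+#endif /* HAVE_EC_CRYPTO */
 int save_dsa_private_key(const char *const filenamebase, DSA *const dsa);
 int save_rsa_private_key(const char *const filenamebase, RSA *const rsa);
+#ifdef HAVE_EC_CRYPTO
 int save_ecdsa_private_key(const char *const filenamebase, EC_KEY *const ecdsa);
+#endif /* HAVE_EC_CRYPTO */
 int load_dsa_private_key(const char *const filenamebase, DSA **const dsa);
 int load_rsa_private_key(const char *const filename, RSA **const rsa);
+#ifdef HAVE_EC_CRYPTO
 int load_ecdsa_private_key(const char *const filename, EC_KEY **const ec);
+#endif /* HAVE_EC_CRYPTO */
 int impl_dsa_sign(const unsigned char *const digest,
 DSA *const dsa,
 unsigned char *const signature);
 int impl_dsa_verify(const unsigned char *const digest,
 DSA *const dsa,
 const unsigned char *const signature);
+#ifdef HAVE_EC_CRYPTO
 int impl_ecdsa_sign(const unsigned char *const digest,
 EC_KEY *const ecdsa,
 unsigned char *const signature);
 int impl_ecdsa_verify(const unsigned char *const digest,
 EC_KEY *const ecdsa,
 const unsigned char *const signature);
+#endif /* HAVE_EC_CRYPTO */
 int hip_write_hmac(int type, const void *key, void *in, int in_len, void *out);
 int hip_crypto_encrypted(void *data, const void *iv, int enc_alg, int enc_len,
 uint8_t *enc_key, int direction);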
434 | === modified file 'lib/core/hostid.c' | |||
435 | --- lib/core/hostid.c 2011-10-25 21:14:16 +0000 | |||
436 | +++ lib/core/hostid.c 2011-11-03 14:41:31 +0000 | |||
437 | @@ -40,7 +40,6 @@ | |||
438 | 40 | #include <openssl/pem.h> | 40 | #include <openssl/pem.h> |
439 | 41 | #include <openssl/rsa.h> | 41 | #include <openssl/rsa.h> |
440 | 42 | 42 | ||
441 | 43 | #include "config.h" | ||
442 | 44 | #include "lib/tool/pk.h" | 43 | #include "lib/tool/pk.h" |
443 | 45 | #include "builder.h" | 44 | #include "builder.h" |
444 | 46 | #include "crypto.h" | 45 | #include "crypto.h" |
445 | @@ -250,6 +249,7 @@ | |||
446 | 250 | return err; | 249 | return err; |
447 | 251 | } | 250 | } |
448 | 252 | 251 | ||
449 | 252 | #ifdef HAVE_EC_CRYPTO | ||
450 | 253 | /** | 253 | /** |
451 | 254 | * Convert ECDSA-based private host id to a HIT. | 254 | * Convert ECDSA-based private host id to a HIT. |
452 | 255 | * | 255 | * |
453 | @@ -291,6 +291,8 @@ | |||
454 | 291 | return 0; | 291 | return 0; |
455 | 292 | } | 292 | } |
456 | 293 | 293 | ||
457 | 294 | #endif /* HAVE_EC_CRYPTO */ | ||
458 | 295 | |||
459 | 294 | /** | 296 | /** |
460 | 295 | * Convert RSA, DSA, or ECDSA-based private host id to a HIT | 297 | * Convert RSA, DSA, or ECDSA-based private host id to a HIT |
461 | 296 | * | 298 | * |
462 | @@ -310,13 +312,16 @@ | |||
463 | 310 | return private_dsa_host_id_to_hit(host_id, hit, hit_type); | 312 | return private_dsa_host_id_to_hit(host_id, hit, hit_type); |
464 | 311 | case HIP_HI_RSA: | 313 | case HIP_HI_RSA: |
465 | 312 | return private_rsa_host_id_to_hit(host_id, hit, hit_type); | 314 | return private_rsa_host_id_to_hit(host_id, hit, hit_type); |
466 | 315 | #ifdef HAVE_EC_CRYPTO | ||
467 | 313 | case HIP_HI_ECDSA: | 316 | case HIP_HI_ECDSA: |
468 | 314 | return private_ecdsa_host_id_to_hit(host_id, hit, hit_type); | 317 | return private_ecdsa_host_id_to_hit(host_id, hit, hit_type); |
469 | 318 | #endif /* HAVE_EC_CRYPTO */ | ||
470 | 315 | default: | 319 | default: |
471 | 316 | return -ENOSYS; | 320 | return -ENOSYS; |
472 | 317 | } | 321 | } |
473 | 318 | } | 322 | } |
474 | 319 | 323 | ||
475 | 324 | #ifdef HAVE_EC_CRYPTO | ||
476 | 320 | /* | 325 | /* |
477 | 321 | * Translate the openssl specific curve id into the coressponding HIP id. | 326 | * Translate the openssl specific curve id into the coressponding HIP id. |
478 | 322 | * | 327 | * |
479 | @@ -423,6 +428,8 @@ | |||
480 | 423 | return 0; | 428 | return 0; |
481 | 424 | } | 429 | } |
482 | 425 | 430 | ||
483 | 431 | #endif /* HAVE_EC_CRYPTO */ | ||
484 | 432 | |||
485 | 426 | /** | 433 | /** |
486 | 427 | * dig out RSA key length from an host id | 434 | * dig out RSA key length from an host id |
487 | 428 | * | 435 | * |
488 | @@ -553,6 +560,7 @@ | |||
489 | 553 | return dsa; | 560 | return dsa; |
490 | 554 | } | 561 | } |
491 | 555 | 562 | ||
492 | 563 | #ifdef HAVE_EC_CRYPTO | ||
493 | 556 | /** | 564 | /** |
494 | 557 | * convert a ECDSA-based host id into an OpenSSL structure | 565 | * convert a ECDSA-based host id into an OpenSSL structure |
495 | 558 | * | 566 | * |
496 | @@ -632,6 +640,8 @@ | |||
497 | 632 | return ret; | 640 | return ret; |
498 | 633 | } | 641 | } |
499 | 634 | 642 | ||
500 | 643 | #endif /* HAVE_EC_CRYPTO */ | ||
501 | 644 | |||
502 | 635 | /** | 645 | /** |
503 | 636 | * (Re)create new host identities or load existing ones, and append the | 646 | * (Re)create new host identities or load existing ones, and append the |
504 | 637 | * private identities into a message. This functionality is used by hipd | 647 | * private identities into a message. This functionality is used by hipd |
505 | @@ -664,30 +674,44 @@ | |||
506 | 664 | const int dsa_key_bits, | 674 | const int dsa_key_bits, |
507 | 665 | const int ecdsa_nid) | 675 | const int ecdsa_nid) |
508 | 666 | { | 676 | { |
511 | 667 | int err = 0, dsa_key_rr_len = 0, rsa_key_rr_len = 0, ecdsa_key_rr_len = 0; | 677 | int err = 0, dsa_key_rr_len = 0, rsa_key_rr_len = 0; |
512 | 668 | int dsa_pub_key_rr_len = 0, rsa_pub_key_rr_len = 0, ecdsa_pub_key_rr_len = 0; | 678 | int dsa_pub_key_rr_len = 0, rsa_pub_key_rr_len = 0; |
513 | 669 | hip_hdr numeric_action = 0; | 679 | hip_hdr numeric_action = 0; |
514 | 670 | char hostname[HIP_HOST_ID_HOSTNAME_LEN_MAX]; | 680 | char hostname[HIP_HOST_ID_HOSTNAME_LEN_MAX]; |
529 | 671 | const char *rsa_filenamebase = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; | 681 | const char *rsa_filenamebase = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; |
530 | 672 | const char *dsa_filenamebase = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; | 682 | const char *dsa_filenamebase = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; |
531 | 673 | const char *ecdsa_filenamebase = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; | 683 | const char *rsa_filenamebase_pub = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; |
532 | 674 | const char *rsa_filenamebase_pub = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; | 684 | const char *dsa_filenamebase_pub = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; |
533 | 675 | const char *dsa_filenamebase_pub = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; | 685 | unsigned char *dsa_key_rr = NULL, *rsa_key_rr = NULL; |
534 | 676 | const char *ecdsa_filenamebase_pub = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; | 686 | unsigned char *dsa_pub_key_rr = NULL, *rsa_pub_key_rr = NULL; |
535 | 677 | unsigned char *dsa_key_rr = NULL, *rsa_key_rr = NULL, *ecdsa_key_rr = NULL; | 687 | DSA *dsa_key = NULL, *dsa_pub_key = NULL; |
536 | 678 | unsigned char *dsa_pub_key_rr = NULL, *rsa_pub_key_rr = NULL, *ecdsa_pub_key_rr = NULL; | 688 | RSA *rsa_key = NULL, *rsa_pub_key = NULL; |
537 | 679 | DSA *dsa_key = NULL, *dsa_pub_key = NULL; | 689 | struct hip_host_id_local rsa_lhi, dsa_lhi, rsa_pub_lhi, dsa_pub_lhi; |
538 | 680 | RSA *rsa_key = NULL, *rsa_pub_key = NULL; | 690 | struct hip_host_id *dsa_host_id = NULL, *rsa_host_id = NULL; |
539 | 681 | EC_KEY *ecdsa_key = NULL, *ecdsa_pub_key = NULL; | 691 | struct hip_host_id *dsa_pub_host_id = NULL, *rsa_pub_host_id = NULL; |
526 | 682 | struct hip_host_id_local rsa_lhi, dsa_lhi, ecdsa_lhi, rsa_pub_lhi, dsa_pub_lhi, ecdsa_pub_lhi; | ||
527 | 683 | struct hip_host_id *dsa_host_id = NULL, *rsa_host_id = NULL, *ecdsa_host_id = NULL; | ||
528 | 684 | struct hip_host_id *dsa_pub_host_id = NULL, *rsa_pub_host_id = NULL, *ecdsa_pub_host_id = NULL; | ||
540 | 685 | struct endpoint_hip *endpoint_dsa_hip = NULL; | 692 | struct endpoint_hip *endpoint_dsa_hip = NULL; |
541 | 686 | struct endpoint_hip *endpoint_dsa_pub_hip = NULL; | 693 | struct endpoint_hip *endpoint_dsa_pub_hip = NULL; |
542 | 687 | struct endpoint_hip *endpoint_rsa_hip = NULL; | 694 | struct endpoint_hip *endpoint_rsa_hip = NULL; |
543 | 688 | struct endpoint_hip *endpoint_rsa_pub_hip = NULL; | 695 | struct endpoint_hip *endpoint_rsa_pub_hip = NULL; |
544 | 689 | struct endpoint_hip *endpoint_ecdsa_hip = NULL; | 696 | struct endpoint_hip *endpoint_ecdsa_hip = NULL; |
545 | 690 | struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL; | 697 | struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL; |
546 | 698 | #ifdef HAVE_EC_CRYPTO | ||
547 | 699 | int ecdsa_key_rr_len = 0, ecdsa_pub_key_rr_len = 0; | ||
548 | 700 | const char *ecdsa_filenamebase = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; | ||
549 | 701 | const char *ecdsa_filenamebase_pub = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; | ||
550 | 702 | unsigned char *ecdsa_key_rr = NULL; | ||
551 | 703 | unsigned char *ecdsa_pub_key_rr = NULL; | ||
552 | 704 | EC_KEY *ecdsa_key = NULL, *ecdsa_pub_key = NULL; | ||
553 | 705 | struct hip_host_id_local ecdsa_lhi, ecdsa_pub_lhi; | ||
554 | 706 | struct hip_host_id *ecdsa_host_id = NULL; | ||
555 | 707 | struct hip_host_id *ecdsa_pub_host_id = NULL; | ||
556 | 708 | #endif /* HAVE_EC_CRYPTO */ | ||
557 | 709 | |||
558 | 710 | if (ecdsa_nid < 0) { | ||
559 | 711 | err = -1; | ||
560 | 712 | HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid); | ||
561 | 713 | goto out_err; | ||
562 | 714 | } | ||
563 | 691 | 715 | ||
564 | 692 | if (action == ACTION_ADD) { | 716 | if (action == ACTION_ADD) { |
565 | 693 | numeric_action = HIP_MSG_ADD_LOCAL_HI; | 717 | numeric_action = HIP_MSG_ADD_LOCAL_HI; |
566 | @@ -726,6 +750,7 @@ | |||
567 | 726 | HIP_ERROR("Saving of DSA key failed.\n"); | 750 | HIP_ERROR("Saving of DSA key failed.\n"); |
568 | 727 | goto out_err; | 751 | goto out_err; |
569 | 728 | } | 752 | } |
570 | 753 | #ifdef HAVE_EC_CRYPTO | ||
571 | 729 | } else if (!strcmp(hi_fmt, "ecdsa")) { | 754 | } else if (!strcmp(hi_fmt, "ecdsa")) { |
572 | 730 | ecdsa_key = create_ecdsa_key(ecdsa_nid); | 755 | ecdsa_key = create_ecdsa_key(ecdsa_nid); |
573 | 731 | HIP_IFEL(!ecdsa_key, -EINVAL, | 756 | HIP_IFEL(!ecdsa_key, -EINVAL, |
574 | @@ -734,6 +759,7 @@ | |||
575 | 734 | HIP_ERROR("Saving of ECDSA key failed.\n"); | 759 | HIP_ERROR("Saving of ECDSA key failed.\n"); |
576 | 735 | goto out_err; | 760 | goto out_err; |
577 | 736 | } | 761 | } |
578 | 762 | #endif /* HAVE_EC_CRYPTO */ | ||
579 | 737 | } else { /*RSA*/ | 763 | } else { /*RSA*/ |
580 | 738 | rsa_key = create_rsa_key(rsa_key_bits); | 764 | rsa_key = create_rsa_key(rsa_key_bits); |
581 | 739 | HIP_IFEL(!rsa_key, -EINVAL, | 765 | HIP_IFEL(!rsa_key, -EINVAL, |
582 | @@ -764,6 +790,7 @@ | |||
583 | 764 | HIP_IFEL(!rsa_pub_key, -EINVAL, | 790 | HIP_IFEL(!rsa_pub_key, -EINVAL, |
584 | 765 | "Creation of public RSA key failed.\n"); | 791 | "Creation of public RSA key failed.\n"); |
585 | 766 | 792 | ||
586 | 793 | #ifdef HAVE_EC_CRYPTO | ||
587 | 767 | ecdsa_key = create_ecdsa_key(ecdsa_nid); | 794 | ecdsa_key = create_ecdsa_key(ecdsa_nid); |
588 | 768 | HIP_IFEL(!ecdsa_key, -EINVAL, | 795 | HIP_IFEL(!ecdsa_key, -EINVAL, |
589 | 769 | "Creation of ECDSA key failed.\n"); | 796 | "Creation of ECDSA key failed.\n"); |
590 | @@ -772,6 +799,17 @@ | |||
591 | 772 | HIP_IFEL(!ecdsa_pub_key, -EINVAL, | 799 | HIP_IFEL(!ecdsa_pub_key, -EINVAL, |
592 | 773 | "Creation of public ECDSA key failed.\n"); | 800 | "Creation of public ECDSA key failed.\n"); |
593 | 774 | 801 | ||
594 | 802 | if ((err = save_ecdsa_private_key(ecdsa_filenamebase, ecdsa_key))) { | ||
595 | 803 | HIP_ERROR("Saving of ECDSA key failed.\n"); | ||
596 | 804 | goto out_err; | ||
597 | 805 | } | ||
598 | 806 | |||
599 | 807 | if ((err = save_ecdsa_private_key(ecdsa_filenamebase_pub, ecdsa_pub_key))) { | ||
600 | 808 | HIP_ERROR("Saving of public ECDSA key failed.\n"); | ||
601 | 809 | goto out_err; | ||
602 | 810 | } | ||
603 | 811 | #endif /* HAVE_EC_CRYPTO */ | ||
604 | 812 | |||
605 | 775 | if ((err = save_dsa_private_key(dsa_filenamebase, dsa_key))) { | 813 | if ((err = save_dsa_private_key(dsa_filenamebase, dsa_key))) { |
606 | 776 | HIP_ERROR("Saving of DSA key failed.\n"); | 814 | HIP_ERROR("Saving of DSA key failed.\n"); |
607 | 777 | goto out_err; | 815 | goto out_err; |
608 | @@ -792,16 +830,6 @@ | |||
609 | 792 | goto out_err; | 830 | goto out_err; |
610 | 793 | } | 831 | } |
611 | 794 | 832 | ||
612 | 795 | if ((err = save_ecdsa_private_key(ecdsa_filenamebase, ecdsa_key))) { | ||
613 | 796 | HIP_ERROR("Saving of ECDSA key failed.\n"); | ||
614 | 797 | goto out_err; | ||
615 | 798 | } | ||
616 | 799 | |||
617 | 800 | if ((err = save_ecdsa_private_key(ecdsa_filenamebase_pub, ecdsa_pub_key))) { | ||
618 | 801 | HIP_ERROR("Saving of public ECDSA key failed.\n"); | ||
619 | 802 | goto out_err; | ||
620 | 803 | } | ||
621 | 804 | |||
622 | 805 | break; | 833 | break; |
623 | 806 | 834 | ||
624 | 807 | case ACTION_ADD: | 835 | case ACTION_ADD: |
625 | @@ -823,6 +851,7 @@ | |||
626 | 823 | HIP_ERROR("Building of host id failed\n"); | 851 | HIP_ERROR("Building of host id failed\n"); |
627 | 824 | goto out_err; | 852 | goto out_err; |
628 | 825 | } | 853 | } |
629 | 854 | #ifdef HAVE_EC_CRYPTO | ||
630 | 826 | } else if (!strcmp(hi_fmt, "ecdsa")) { | 855 | } else if (!strcmp(hi_fmt, "ecdsa")) { |
631 | 827 | if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) { | 856 | if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) { |
632 | 828 | HIP_ERROR("Loading of the ECDSA key failed\n"); | 857 | HIP_ERROR("Loading of the ECDSA key failed\n"); |
633 | @@ -839,6 +868,7 @@ | |||
634 | 839 | HIP_ERROR("Building of host id failed\n"); | 868 | HIP_ERROR("Building of host id failed\n"); |
635 | 840 | goto out_err; | 869 | goto out_err; |
636 | 841 | } | 870 | } |
637 | 871 | #endif /* HAVE_EC_CRYPTO */ | ||
638 | 842 | } else { /*RSA*/ | 872 | } else { /*RSA*/ |
639 | 843 | if ((err = load_rsa_private_key(hi_file, &rsa_key))) { | 873 | if ((err = load_rsa_private_key(hi_file, &rsa_key))) { |
640 | 844 | HIP_ERROR("Failed to load RSA key from file %s\n", hi_file); | 874 | HIP_ERROR("Failed to load RSA key from file %s\n", hi_file); |
641 | @@ -910,6 +940,7 @@ | |||
642 | 910 | goto out_err; | 940 | goto out_err; |
643 | 911 | } | 941 | } |
644 | 912 | } | 942 | } |
645 | 943 | #ifdef HAVE_EC_CRYPTO | ||
646 | 913 | } else if (!strcmp(hi_fmt, "ecdsa")) { | 944 | } else if (!strcmp(hi_fmt, "ecdsa")) { |
647 | 914 | if (anon) { | 945 | if (anon) { |
648 | 915 | if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) { | 946 | if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) { |
649 | @@ -958,6 +989,7 @@ | |||
650 | 958 | goto out_err; | 989 | goto out_err; |
651 | 959 | } | 990 | } |
652 | 960 | } | 991 | } |
653 | 992 | #endif /* HAVE_EC_CRYPTO */ | ||
654 | 961 | } else if (anon) { /* rsa anon */ | 993 | } else if (anon) { /* rsa anon */ |
655 | 962 | if ((err = load_rsa_private_key(rsa_filenamebase, &rsa_key))) { | 994 | if ((err = load_rsa_private_key(rsa_filenamebase, &rsa_key))) { |
656 | 963 | HIP_ERROR("Loading of the RSA key failed\n"); | 995 | HIP_ERROR("Loading of the RSA key failed\n"); |
657 | @@ -1059,41 +1091,47 @@ | |||
658 | 1059 | if (rsa_filenamebase_pub != NULL) { | 1091 | if (rsa_filenamebase_pub != NULL) { |
659 | 1060 | change_key_file_perms(rsa_filenamebase_pub); | 1092 | change_key_file_perms(rsa_filenamebase_pub); |
660 | 1061 | } | 1093 | } |
661 | 1062 | if (ecdsa_filenamebase_pub != NULL) { | ||
662 | 1063 | change_key_file_perms(ecdsa_filenamebase_pub); | ||
663 | 1064 | } | ||
664 | 1065 | if (ecdsa_filenamebase_pub != NULL) { | ||
665 | 1066 | change_key_file_perms(ecdsa_filenamebase_pub); | ||
666 | 1067 | } | ||
667 | 1068 | 1094 | ||
668 | 1069 | free(dsa_host_id); | 1095 | free(dsa_host_id); |
669 | 1070 | free(dsa_pub_host_id); | 1096 | free(dsa_pub_host_id); |
670 | 1071 | free(ecdsa_host_id); | ||
671 | 1072 | free(ecdsa_pub_host_id); | ||
672 | 1073 | free(rsa_host_id); | 1097 | free(rsa_host_id); |
673 | 1074 | free(rsa_pub_host_id); | 1098 | free(rsa_pub_host_id); |
674 | 1075 | DSA_free(dsa_key); | 1099 | DSA_free(dsa_key); |
675 | 1076 | EC_KEY_free(ecdsa_key); | ||
676 | 1077 | RSA_free(rsa_key); | 1100 | RSA_free(rsa_key); |
677 | 1078 | DSA_free(dsa_pub_key); | 1101 | DSA_free(dsa_pub_key); |
678 | 1079 | EC_KEY_free(ecdsa_pub_key); | ||
679 | 1080 | RSA_free(rsa_pub_key); | 1102 | RSA_free(rsa_pub_key); |
680 | 1081 | free(dsa_key_rr); | 1103 | free(dsa_key_rr); |
681 | 1082 | free(ecdsa_key_rr); | ||
682 | 1083 | free(rsa_key_rr); | 1104 | free(rsa_key_rr); |
683 | 1084 | free(dsa_pub_key_rr); | 1105 | free(dsa_pub_key_rr); |
684 | 1085 | free(ecdsa_pub_key_rr); | ||
685 | 1086 | free(rsa_pub_key_rr); | 1106 | free(rsa_pub_key_rr); |
686 | 1087 | free(endpoint_dsa_hip); | 1107 | free(endpoint_dsa_hip); |
687 | 1088 | free(endpoint_ecdsa_hip); | ||
688 | 1089 | free(endpoint_rsa_hip); | 1108 | free(endpoint_rsa_hip); |
689 | 1090 | free(endpoint_dsa_pub_hip); | 1109 | free(endpoint_dsa_pub_hip); |
690 | 1110 | free(endpoint_rsa_pub_hip); | ||
691 | 1111 | |||
692 | 1112 | #ifdef HAVE_EC_CRYPTO | ||
693 | 1113 | /* We make exeception to the common memory deallocation policy (LIFO) | ||
694 | 1114 | * here to group of all ECDSA deallocations between a single ifdef */ | ||
695 | 1115 | if (ecdsa_filenamebase_pub != NULL) { | ||
696 | 1116 | change_key_file_perms(ecdsa_filenamebase_pub); | ||
697 | 1117 | } | ||
698 | 1118 | if (ecdsa_filenamebase_pub != NULL) { | ||
699 | 1119 | change_key_file_perms(ecdsa_filenamebase_pub); | ||
700 | 1120 | } | ||
701 | 1121 | free(ecdsa_host_id); | ||
702 | 1122 | free(ecdsa_pub_host_id); | ||
703 | 1123 | EC_KEY_free(ecdsa_key); | ||
704 | 1124 | EC_KEY_free(ecdsa_pub_key); | ||
705 | 1125 | free(ecdsa_key_rr); | ||
706 | 1126 | free(ecdsa_pub_key_rr); | ||
707 | 1127 | free(endpoint_ecdsa_hip); | ||
708 | 1091 | free(endpoint_ecdsa_pub_hip); | 1128 | free(endpoint_ecdsa_pub_hip); |
710 | 1092 | free(endpoint_rsa_pub_hip); | 1129 | #endif /* HAVE_EC_CRYPTO */ |
711 | 1093 | 1130 | ||
712 | 1094 | return err; | 1131 | return err; |
713 | 1095 | } | 1132 | } |
714 | 1096 | 1133 | ||
715 | 1134 | #ifdef HAVE_EC_CRYPTO | ||
716 | 1097 | /** | 1135 | /** |
717 | 1098 | * Serialize an ECDSA public key. | 1136 | * Serialize an ECDSA public key. |
718 | 1099 | * | 1137 | * |
719 | @@ -1167,6 +1205,8 @@ | |||
720 | 1167 | return err; | 1205 | return err; |
721 | 1168 | } | 1206 | } |
722 | 1169 | 1207 | ||
723 | 1208 | #endif /* HAVE_EC_CRYPTO */ | ||
724 | 1209 | |||
725 | 1170 | /** | 1210 | /** |
726 | 1171 | * create DNS KEY RR record from host DSA key | 1211 | * create DNS KEY RR record from host DSA key |
727 | 1172 | * @param dsa the DSA structure from where the KEY RR record is to be created | 1212 | * @param dsa the DSA structure from where the KEY RR record is to be created |
728 | 1173 | 1213 | ||
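Review bot: When HAVE_EC_CRYPTO is not defined, a caller asking for hi_fmt "ecdsa" is silently routed into the `} else { /*RSA*/` arm that follows the guarded `else if` in the ACTION_NEW hunk (and likewise in the two ACTION_ADD hunks after it), so an RSA key is generated, saved and registered where an ECDSA host identity was requested, with no error reported. Each guarded branch should get an `#else` arm that fails explicitly, i.e. before the existing `#endif` add `#else` / `} else if (!strcmp(hi_fmt, "ecdsa")) {` / `HIP_IFEL(1, -ENOSYS, "ECDSA host identities are not available in this build\n");`, in all three places. Separately, the relocated cleanup block calls `change_key_file_perms(ecdsa_filenamebase_pub)` twice; by the pattern of the RSA lines just above it the first call presumably belongs to `ecdsa_filenamebase`, otherwise the anonymous ECDSA key file never has its permissions tightened (the RSA counterpart call is outside the hunk, so this is inferred). The enclosing function starts before and ends after these hunks.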
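--- a/lib/core/hostid.h
+++ b/lib/core/hostid.h
@@ -26,10 +26,14 @@
 #ifndef HIP_LIB_CORE_HOSTID_H
 #define HIP_LIB_CORE_HOSTID_H
 
+#include "config.h"
+
 #include <netinet/in.h>
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
+#ifdef HAVE_EC_CRYPTO
 #include <openssl/ec.h>
+#endif /* HAVE_EC_CRYPTO */
 
 #include "protodefs.h"
 #include "state.h"
@@ -62,11 +66,15 @@
 struct hip_ecdsa_keylen *const ret);
 RSA *hip_key_rr_to_rsa(const struct hip_host_id_priv *const host_id, const int is_priv);
 DSA *hip_key_rr_to_dsa(const struct hip_host_id_priv *const host_id, const int is_priv);
+#ifdef HAVE_EC_CRYPTO
 EC_KEY *hip_key_rr_to_ecdsa(const struct hip_host_id_priv *const host_id, const int is_priv);
+#endif /* HAVE_EC_CRYPTO */
 
 int dsa_to_dns_key_rr(const DSA *const dsa, unsigned char **const buf);
 int rsa_to_dns_key_rr(const RSA *const rsa, unsigned char **const rsa_key_rr);
+#ifdef HAVE_EC_CRYPTO
 int ecdsa_to_key_rr(const EC_KEY *const ecdsa, unsigned char **const ec_key_rr);
+#endif /* HAVE_EC_CRYPTO */
 
 int hip_serialize_host_id_action(struct hip_common *msg,
 const int action,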
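--- a/lib/tool/pk.c
+++ b/lib/tool/pk.c
@@ -8,6 +8,8 @@
 * @brief HIPL wrappers for OpenSSL public key operations.
 */
 
+#include "config.h"
+
 #include <errno.h>
 #include <stdint.h>
 #include <stdlib.h>
@@ -15,9 +17,11 @@
 #include <netinet/in.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
-#include <openssl/ecdsa.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
+#ifdef HAVE_EC_CRYPTO
+#include <openssl/ecdsa.h>
+#endif /* HAVE_EC_CRYPTO */
 
 #include "lib/core/builder.h"
 #include "lib/core/crypto.h"
@@ -26,7 +30,6 @@
 #include "lib/core/performance.h"
 #include "lib/core/prefix.h"
 #include "lib/core/protodefs.h"
-#include "config.h"
 #include "pk.h"
 
 /**
@@ -75,6 +78,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Sign a HIP control message with a private ECDSA key.
 *
@@ -129,6 +133,8 @@
 return 0;
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * sign a HIP control message with a private DSA key
 *
@@ -225,8 +231,10 @@
 /* RSA_verify returns 0 on failure */
 err = !RSA_verify(NID_sha1, sha1_digest, SHA_DIGEST_LENGTH,
 sig->signature, RSA_size(peer_pub), peer_pub);
+#ifdef HAVE_EC_CRYPTO
 } else if (type == HIP_HI_ECDSA) {
 err = impl_ecdsa_verify(sha1_digest, peer_pub, sig->signature);
+#endif /* HAVE_EC_CRYPTO */
 } else {
 err = impl_dsa_verify(sha1_digest, peer_pub, sig->signature);
 }
@@ -259,6 +267,7 @@
 return err;
 }
 
+#ifdef HAVE_EC_CRYPTO
 /**
 * Verify the ECDSA signature from a message.
 *
@@ -272,6 +281,8 @@
 return verify(peer_pub, msg, HIP_HI_ECDSA);
 }
 
+#endif /* HAVE_EC_CRYPTO */
+
 /**
 * RSA signature verification function
 *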
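Review bot: In the `verify()` hunk, a `type` of HIP_HI_ECDSA that reaches this function in an EC-less build now drops into the catch-all `else` and is handed to `impl_dsa_verify()` together with a `peer_pub` that was never a DSA key, because the `#ifdef` only removes the branch that recognised the type, not the fallback. The `hip_ecdsa_verify` wrapper is compiled out too, but `verify` dispatches on a plain integer and any other caller can still pass that value, so the algorithm check belongs here: make DSA an explicit branch and reject everything else instead of defaulting to DSA. The DSA constant is not visible in this chunk; I assume `HIP_HI_DSA` by analogy with `HIP_HI_RSA`. `verify()` begins and ends outside the hunk.
```c
/* … unchanged: RSA and (guarded) ECDSA branches … */
} else if (type == HIP_HI_DSA) {
    err = impl_dsa_verify(sha1_digest, peer_pub, sig->signature);
} else {
    /* unknown or compiled-out algorithm: never fall back to DSA */
    err = -EINVAL;
}
```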
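--- a/test/lib/tool/pk.c
+++ b/test/lib/tool/pk.c
@@ -27,7 +27,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
+#ifdef HAVE_EC_CRYPTO
 #include <openssl/ec.h>
+#endif /* HAVE_EC_CRYPTO */
 #include <openssl/pem.h>
 
 #include "lib/core/debug.h"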
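Review bot: Nothing in this hunk (and, per the +2/-0 diffstat, nothing else in this file) includes `config.h`, so unless it is already pulled in above line 27 or forced in through the compiler flags, HAVE_EC_CRYPTO is undefined here and `<openssl/ec.h>` is now skipped even on EC-capable builds. Every other file in this proposal that tests the macro adds the include explicitly, and this one should too: `#include "config.h"` ahead of the system headers. Any ECDSA test bodies further down in the file are not touched by this change either and would still fail to compile when EC support is absent; they need the same `#ifdef` or a runtime skip.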
review needs-fixing
On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote: rule_management .c 2011-08-15 14:11:56 +0000 rule_management .c 2011-10-30 07:48:24 +0000
> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
>
> --- firewall/
> +++ firewall/
> @@ -81,8 +81,9 @@
> /* filename needs to contain one of these to be valid HI file */
> #define RSA_FILE "_rsa_"
> #define DSA_FILE "_dsa_"
> +#ifdef HAVE_EC_CRYPTO
> #define ECDSA_FILE "_ecdsa_"
> -
> +#endif /* HAVE_EC_CRYPTO */
> #define MAX_LINE_LENGTH 512
unnecessary
> @@ -444,6 +445,7 @@
> return err;
> }
>
> +#ifdef HAVE_EC_CRYPTO
> /**
> * Load an ECDSA public key from a file and convert it into a hip_host_id.
> *
> @@ -479,6 +481,8 @@
> return err;
> }
>
> +#endif /* HAVE_EC_CRYPTO */
> +
> /**
> * load a public key from a file and convert it to a hip_host_id structure
> *
Drop the empty line before the #endif, same below
> --- lib/core/builder.h 2011-08-15 14:11:56 +0000 CORE_BUILDER_ H CORE_BUILDER_ H
> +++ lib/core/builder.h 2011-10-30 07:48:24 +0000
> @@ -26,18 +26,21 @@
> #ifndef HIP_LIB_
> #define HIP_LIB_
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <openssl/rsa.h>
> #include <openssl/dsa.h>
> -#include <openssl/ec.h>
>
> -#include "config.h"
> #include "certtools.h"
> #include "debug.h"
> #include "icomm.h"
> #include "state.h"
>
> +#ifdef HAVE_EC_CRYPTO
> +#include <openssl/ec.h>
> +#endif /* HAVE_EC_CRYPTO */
We have system headers before local headers for a reason.
> --- lib/core/crypto.h 2011-07-18 13:10:26 +0000 CORE_CRYPTO_ H CORE_CRYPTO_ H
> +++ lib/core/crypto.h 2011-10-30 07:48:24 +0000
> @@ -26,12 +26,16 @@
> #ifndef HIP_LIB_
> #define HIP_LIB_
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <sys/types.h>
> #include <openssl/dsa.h>
> #include <openssl/rsa.h>
> +#ifdef HAVE_EC_CRYPTO
> #include <openssl/ec.h>
> +#endif /* HAVE_EC_CRYPTO */
> #include <openssl/dh.h>
> #include <openssl/pem.h>
.. like you did here ..
> --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> @@ -28,6 +28,8 @@
> * @brief Host identifier manipulation functions
> */
>
> +#include "config.h"
> +
> #include <errno.h>
> #include <stdint.h>
> #include <stdlib.h>
> @@ -40,7 +42,6 @@
> #include <openssl/pem.h>
> #include <openssl/rsa.h>
>
> -#include "config.h"
> #include "lib/tool/pk.h"
> #include "builder.h"
> #include "crypto.h"
unnecessary / unrelated
> @@ -689,6 +715,12 @@ ecdsa_pub_ hip = NULL;
> struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> struct endpoint_hip *endpoint_
>
> + if (ecdsa_nid < 0) {
> + err = -1;
> + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> + goto out_err;
> + }
?
> @@ -1059,41 +1101,58 @@ se_pub != NULL) { key_file_ perms(rsa_ filenamebase_ pub); filenamebase_ pub != NULL) { key_file_ perms(ecdsa_ filenamebase_ pub); filenamebase_ pub != NULL) {
> if (rsa_filenameba
> change_
> }
> - if (ecdsa_
> - change_
> - }
> - if (ecdsa_
> - change_key_file...