Merge lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl
- ecdsa-redhat
- Merge into trunk
Status: | Merged | ||||
---|---|---|---|---|---|
Merged at revision: | 6123 | ||||
Proposed branch: | lp:~hipl-core/hipl/ecdsa-redhat | ||||
Merge into: | lp:hipl | ||||
Diff against target: |
832 lines (+164/-52) 13 files modified
firewall/conntrack.c (+4/-0) firewall/rule_management.c (+6/-0) hipd/cookie.c (+2/-0) hipd/hadb.c (+6/-0) hipd/hidb.c (+12/-0) lib/core/builder.c (+7/-1) lib/core/builder.h (+6/-1) lib/core/crypto.c (+8/-0) lib/core/crypto.h (+14/-7) lib/core/hostid.c (+77/-40) lib/core/hostid.h (+8/-1) lib/tool/pk.c (+10/-1) test/lib/tool/pk.c (+4/-1) |
||||
To merge this branch: | bzr merge lp:~hipl-core/hipl/ecdsa-redhat | ||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
René Hummen | Needs Information | ||
Diego Biurrun | Needs Fixing | ||
HIPL core team | preliminary | Pending | |
Review via email: mp+81159@code.launchpad.net |
This proposal supersedes a proposal from 2011-10-30.
Commit message
Description of the change
Compilation has been broken long time for Fedora and other RPM-based systems because they decided to drop elliptic curve support from OpenSSL. To put more heat on this bug #838116 and to make detailed code review easier, I decided to propose for early merging.
I would suggest to comment details here and design-level issues in the actual bug item:
https:/
NEW: I believe I have resolved the comments from Diego.
Diego Biurrun (diego-biurrun) wrote : Posted in a previous version of this proposal | # |
Miika Komu (miika-iki) wrote : Posted in a previous version of this proposal | # |
> review needs-fixing
>
> On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
> lp:hipl.
> >
> > --- firewall/
> > +++ firewall/
> > @@ -81,8 +81,9 @@
> > /* filename needs to contain one of these to be valid HI file */
> > #define RSA_FILE "_rsa_"
> > #define DSA_FILE "_dsa_"
> > +#ifdef HAVE_EC_CRYPTO
> > #define ECDSA_FILE "_ecdsa_"
> > -
> > +#endif /* HAVE_EC_CRYPTO */
> > #define MAX_LINE_LENGTH 512
>
> unnecessary
Fixed.
> > @@ -444,6 +445,7 @@
> > return err;
> > }
> >
> > +#ifdef HAVE_EC_CRYPTO
> > /**
> > * Load an ECDSA public key from a file and convert it into a hip_host_id.
> > *
> > @@ -479,6 +481,8 @@
> > return err;
> > }
> >
> > +#endif /* HAVE_EC_CRYPTO */
> > +
> > /**
> > * load a public key from a file and convert it to a hip_host_id structure
> > *
>
> Drop the empty line before the #endif, same below
Done.
> > --- lib/core/builder.h 2011-08-15 14:11:56 +0000
> > +++ lib/core/builder.h 2011-10-30 07:48:24 +0000
> > @@ -26,18 +26,21 @@
> > #ifndef HIP_LIB_
> > #define HIP_LIB_
> >
> > +#include "config.h"
> > +
> > #include <stdint.h>
> > #include <netinet/in.h>
> > #include <openssl/rsa.h>
> > #include <openssl/dsa.h>
> > -#include <openssl/ec.h>
> >
> > -#include "config.h"
> > #include "certtools.h"
> > #include "debug.h"
> > #include "icomm.h"
> > #include "state.h"
> >
> > +#ifdef HAVE_EC_CRYPTO
> > +#include <openssl/ec.h>
> > +#endif /* HAVE_EC_CRYPTO */
>
> We have system headers before local headers for a reason.
Fixed.
> > --- lib/core/crypto.h 2011-07-18 13:10:26 +0000
> > +++ lib/core/crypto.h 2011-10-30 07:48:24 +0000
> > @@ -26,12 +26,16 @@
> > #ifndef HIP_LIB_
> > #define HIP_LIB_
> >
> > +#include "config.h"
> > +
> > #include <stdint.h>
> > #include <netinet/in.h>
> > #include <sys/types.h>
> > #include <openssl/dsa.h>
> > #include <openssl/rsa.h>
> > +#ifdef HAVE_EC_CRYPTO
> > #include <openssl/ec.h>
> > +#endif /* HAVE_EC_CRYPTO */
> > #include <openssl/dh.h>
> > #include <openssl/pem.h>
>
> .. like you did here ..
>
> > --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> > +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> > @@ -28,6 +28,8 @@
> > * @brief Host identifier manipulation functions
> > */
> >
> > +#include "config.h"
> > +
> > #include <errno.h>
> > #include <stdint.h>
> > #include <stdlib.h>
> > @@ -40,7 +42,6 @@
> > #include <openssl/pem.h>
> > #include <openssl/rsa.h>
> >
> > -#include "config.h"
> > #include "lib/tool/pk.h"
> > #include "builder.h"
> > #include "crypto.h"
>
> unnecessary / unrelated
Removed.
> > @@ -689,6 +715,12 @@
> > struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> > struct endpoint_hip *endpoint_
> >
> > + if (ecdsa_nid < 0) {
> > + err = -1;
> > + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> > + goto out_err;
> > + }
>
> ?
Does not compile otherwise when ECDSA is mi...
Diego Biurrun (diego-biurrun) wrote : Posted in a previous version of this proposal | # |
On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
> > On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
> > lp:hipl.
> > >
> > > --- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000
> > > +++ test/lib/tool/pk.c 2011-10-30 07:48:24 +0000
> > > @@ -27,7 +27,9 @@
> > > #include <stdlib.h>
> > > #include <string.h>
> > > #include <stdio.h>
> > > +#ifdef HAVE_EC_CRYPTO
> > > #include <openssl/ec.h>
> > > +#endif /* HAVE_EC_CRYPTO */
> > > #include <openssl/pem.h>
> >
> > see above
>
> Did not get this.
missing config.h
Diego
Miika Komu (miika-iki) wrote : Posted in a previous version of this proposal | # |
Hi,
On 11/03/2011 05:27 PM, Diego Biurrun wrote:
> On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
>>> On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
>>>> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
>>> lp:hipl.
>>>>
>>>> --- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000
>>>> +++ test/lib/tool/pk.c 2011-10-30 07:48:24 +0000
>>>> @@ -27,7 +27,9 @@
>>>> #include<stdlib.h>
>>>> #include<string.h>
>>>> #include<stdio.h>
>>>> +#ifdef HAVE_EC_CRYPTO
>>>> #include<
>>>> +#endif /* HAVE_EC_CRYPTO */
>>>> #include<
>>>
>>> see above
>>
>> Did not get this.
>
> missing config.h
thanks for the correction, committed.
- 6105. By Miika Komu
-
Added a missing include
File test/lib/tool/pk.c was missing a include for "config.h". It's
needed due to the conditional compilation of elliptic curves in
OpenSSL.
Diego Biurrun (diego-biurrun) wrote : Posted in a previous version of this proposal | # |
On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
> > On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
> > >
> > > --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> > > +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> > > @@ -689,6 +715,12 @@
> > > struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> > > struct endpoint_hip *endpoint_
> > >
> > > + if (ecdsa_nid < 0) {
> > > + err = -1;
> > > + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> > > + goto out_err;
> > > + }
> >
> > ?
>
> Does not compile otherwise when ECDSA is missing (gcc complains about
> missing variable). If you insist, I'll commit this separately to trunk
> or suggest a better fix.
You mean that gcc complains about unused parameter? This is badly designed.
The function should not need one extra parameter for each crypto algorithm
that is added.
Diego
Diego Biurrun (diego-biurrun) wrote : | # |
review needs-fixing
On Thu, Nov 03, 2011 at 03:01:41PM +0000, Miika Komu wrote:
> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
>
> NEW: I believe I have resolved the comments from Diego.
sort of :)
> --- firewall/
> +++ firewall/
> @@ -82,7 +82,6 @@
> #define RSA_FILE "_rsa_"
> #define DSA_FILE "_dsa_"
> #define ECDSA_FILE "_ecdsa_"
> -
> #define MAX_LINE_LENGTH 512
stray unrelated change
> @@ -444,6 +443,7 @@
> return err;
> }
>
> +#ifdef HAVE_EC_CRYPTO
> /**
> * Load an ECDSA public key from a file and convert it into a hip_host_id.
> *
> @@ -479,6 +479,8 @@
> return err;
> }
>
> +#endif /* HAVE_EC_CRYPTO */
> +
> /**
> * load a public key from a file and convert it to a hip_host_id structure
> *
Please drop the empty line befor the #ifdef.
same elsewhere
> --- lib/core/builder.h 2011-08-15 14:11:56 +0000
> +++ lib/core/builder.h 2011-11-03 15:00:34 +0000
> @@ -26,19 +26,22 @@
> #ifndef HIP_LIB_
> #define HIP_LIB_
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <openssl/rsa.h>
> #include <openssl/dsa.h>
> +#ifdef HAVE_EC_CRYPTO
> #include <openssl/ec.h>
> -
> -#include "config.h"
> +#endif /* HAVE_EC_CRYPTO */
> +
> +
> #include "certtools.h"
> #include "debug.h"
> #include "icomm.h"
> #include "state.h"
>
> -
> /* Removed in 2.6.11 - why ? */
> extern struct hip_cert_spki_info hip_cert_spki_info;
one stray empty line inserted, one removed
> --- lib/core/crypto.h 2011-10-30 11:54:44 +0000
> +++ lib/core/crypto.h 2011-11-03 15:00:34 +0000
> @@ -92,25 +96,33 @@
> uint16_t hip_get_
> DSA *create_
> RSA *create_
> +#ifdef HAVE_EC_CRYPTO
> EC_KEY *create_
> +#endif /* HAVE_EC_CRYPTO */
> int save_dsa_
> int save_rsa_
> +#ifdef HAVE_EC_CRYPTO
> int save_ecdsa_
> +#endif /* HAVE_EC_CRYPTO */
> int load_dsa_
> int load_rsa_
> +#ifdef HAVE_EC_CRYPTO
> int load_ecdsa_
> +#endif /* HAVE_EC_CRYPTO */
> int impl_dsa_sign(const unsigned char *const digest,
> DSA *const dsa,
> unsigned char *const signature);
> int impl_dsa_
> DSA *const dsa,
> const unsigned char *const signature);
> +#ifdef HAVE_EC_CRYPTO
> int impl_ecdsa_
> EC_KEY *const ecdsa,
> unsigned char *const signature);
> int impl_ecdsa_
> EC_KEY *const ecdsa,
> const unsigned char *const signa...
- 6106. By Miika Komu
-
Cleaning up the ECDSA changes
As suggested by Diego:
* Removed unrelated changes and stray empty lines
* Reverted incorrectly deleted empty lines
* Regrouped ifdeffery
* Fixed one occurrence of config.h
Miika Komu (miika-iki) wrote : | # |
On 11/03/2011 07:38 PM, Diego Biurrun wrote:
> review needs-fixing
>
> On Thu, Nov 03, 2011 at 03:01:41PM +0000, Miika Komu wrote:
>> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
>>
>> NEW: I believe I have resolved the comments from Diego.
>
> sort of :)
>
>> --- firewall/
>> +++ firewall/
>> @@ -82,7 +82,6 @@
>> #define RSA_FILE "_rsa_"
>> #define DSA_FILE "_dsa_"
>> #define ECDSA_FILE "_ecdsa_"
>> -
>> #define MAX_LINE_LENGTH 512
>
> stray unrelated change
Fixed.
>> @@ -444,6 +443,7 @@
>> return err;
>> }
>>
>> +#ifdef HAVE_EC_CRYPTO
>> /**
>> * Load an ECDSA public key from a file and convert it into a hip_host_id.
>> *
>> @@ -479,6 +479,8 @@
>> return err;
>> }
>>
>> +#endif /* HAVE_EC_CRYPTO */
>> +
>> /**
>> * load a public key from a file and convert it to a hip_host_id structure
>> *
>
> Please drop the empty line befor the #ifdef.
>
> same elsewhere
I thought this was the policy, observe bzr commit:
The following differences were found between the code to commit and the
rules in '.uncrustify-
---
/home/mkomu/
2011-11-03 23:08:00.909848709 +0200
+++ - 2011-11-03 23:29:16.724968313 +0200
@@ -479,6 +479,7 @@
free(
return err;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
--- /home/mkomu/
23:11:13.994806140 +0200
+++ - 2011-11-03 23:29:16.747797056 +0200
@@ -103,6 +103,7 @@
return 0;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
--- /home/mkomu/
2011-11-03 23:14:08.179669916 +0200
+++ - 2011-11-03 23:29:16.766928680 +0200
@@ -3505,6 +3505,7 @@
*endpoint = NULL;
return err;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
--- /home/mkomu/
2011-11-03 23:16:09.272270365 +0200
+++ - 2011-11-03 23:29:16.831275760 +0200
@@ -495,6 +495,7 @@
ECDSA_
return err;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
@@ -573,6 +574,7 @@
ECDSA_
return err;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
@@ -823,6 +825,7 @@
EC_
return err;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
@@ -1176,6 +1179,7 @@
return 0;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
--- /home/mkomu/
2011-11-03 23:21:15.901790851 +0200
+++ - 2011-11-03 23:29:16.870163381 +0200
@@ -291,6 +291,7 @@
return 0;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
@@ -427,6 +428,7 @@
return 0;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
@@ -638,6 +640,7 @@
return ret;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
@@ -1202,6 +1205,7 @@
free(buffer);
return err;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
--- /home/mkomu/
23:22:35.954187819 +0200
+++ - 2011-11-03 23:29:16.912158459 +0200
@@ -132,6 +132,7 @@
return 0;
}
+
#endif /* HAVE_EC_CRYPTO */
/**
@@...
Diego Biurrun (diego-biurrun) wrote : | # |
On Thu, Nov 03, 2011 at 11:37:40PM +0200, Miika Komu wrote:
> On 11/03/2011 07:38 PM, Diego Biurrun wrote:
> >On Thu, Nov 03, 2011 at 03:01:41PM +0000, Miika Komu wrote:
> >>--- firewall/
> >>+++ firewall/
> >>@@ -444,6 +443,7 @@
> >> return err;
> >> }
> >>
> >>+#ifdef HAVE_EC_CRYPTO
> >> /**
> >> * Load an ECDSA public key from a file and convert it into a hip_host_id.
> >> *
> >>@@ -479,6 +479,8 @@
> >> return err;
> >> }
> >>
> >>+#endif /* HAVE_EC_CRYPTO */
> >>+
> >> /**
> >> * load a public key from a file and convert it to a hip_host_id structure
> >> *
> >
> >Please drop the empty line befor the #ifdef.
> >
> >same elsewhere
>
> I thought this was the policy, observe bzr commit:
>
> The following differences were found between the code to commit and
> the rules in '.uncrustify-
>
> ---
> /home/mkomu/
> 2011-11-03 23:08:00.909848709 +0200
> +++ - 2011-11-03 23:29:16.724968313 +0200
> @@ -479,6 +479,7 @@
> free(ecdsa_key_rr);
> return err;
> }
> +
> #endif /* HAVE_EC_CRYPTO */
>
> /**
>
> The above changes are also available in the file /tmp/stylecheck
>
> What to do about this... any help?
It seems our uncrustify configuration is in need of fixing.
I'll look into it next week - harass me if I don't.
Diego
René Hummen (rene-hummen) wrote : | # |
Apart from Diego's comments, this looks good to me. Did you check "make doxygen", "make check", and "make alltests"? Especially, "make alltests" may through errors as you ifdef the ecdsa.h include but node code in test/lib/tool/pk.c.
René Hummen (rene-hummen) wrote : | # |
Sorry, "make check" might be the trouble-maker.
Miika Komu (miika-iki) wrote : | # |
Good catch. All tests work on Ubuntu but check and alltests fail on Fedora 15:
[mkomu@hipserver hipl-1.0.6]$ make check
make check-am
make[1]: Entering directory `/home/
make test/check_firewall test/check_lib_core test/check_lib_tool test/check_
make[2]: Entering directory `/home/
CC test/check_
CC test/mocks.o
CC test/firewall/
CC test/firewall/
CC test/firewall/
CC test/firewall/
CC test/firewall/
CCLD test/check_firewall
CC test/check_
CC test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
test/lib/
Diego Biurrun (diego-biurrun) wrote : | # |
On Thu, Nov 03, 2011 at 10:07:31PM +0000, Diego Biurrun wrote:
> On Thu, Nov 03, 2011 at 11:37:40PM +0200, Miika Komu wrote:
> > On 11/03/2011 07:38 PM, Diego Biurrun wrote:
> > >On Thu, Nov 03, 2011 at 03:01:41PM +0000, Miika Komu wrote:
> > >>--- firewall/
> > >>+++ firewall/
> > >>@@ -444,6 +443,7 @@
> > >>
> > >>+#ifdef HAVE_EC_CRYPTO
> > >> /**
> > >> * Load an ECDSA public key from a file and convert it into a hip_host_id.
> > >> *
> > >>@@ -479,6 +479,8 @@
> > >> return err;
> > >> }
> > >>
> > >>+#endif /* HAVE_EC_CRYPTO */
> > >>+
> > >> /**
> > >> * load a public key from a file and convert it to a hip_host_id structure
> > >> *
> > >
> > >Please drop the empty line befor the #ifdef.
> > >
> > >same elsewhere
> >
> > I thought this was the policy, observe bzr commit:
> >
> > The following differences were found between the code to commit and
> > the rules in '.uncrustify-
> >
> > ---
> > /home/mkomu/
> > 2011-11-03 23:08:00.909848709 +0200
> > +++ - 2011-11-03 23:29:16.724968313 +0200
> > @@ -479,6 +479,7 @@
> > free(ecdsa_key_rr);
> > return err;
> > }
> > +
> > #endif /* HAVE_EC_CRYPTO */
> >
> > /**
> >
> > The above changes are also available in the file /tmp/stylecheck
> >
> > What to do about this... any help?
>
> It seems our uncrustify configuration is in need of fixing.
> I'll look into it next week - harass me if I don't.
It's the following setting:
# The number of newlines after '}' of a multi-line function body
nl_after_
This will force an empty line between functions. It does not take #endifs
into account, however. I don't much care how we handle this. We can
either live with the newline before the #endif or drop the setting.
Make your choice.
Diego
- 6107. By Miika Komu
-
Syncronized with trunk revision 6119
- 6108. By Miika Komu
-
Deleted some empty lines between function bodies and #endif statements
According to the new crustify policy, there is no need need to have an
empty line between the end of a function body (closing curly bracket)
and following #endif (if any present). Adjusted ECDSA-related code
according to the new policy.
Miika Komu (miika-iki) wrote : | # |
Hi,
On 08/11/11 18:16, Diego Biurrun wrote:
> On Thu, Nov 03, 2011 at 10:07:31PM +0000, Diego Biurrun wrote:
>> On Thu, Nov 03, 2011 at 11:37:40PM +0200, Miika Komu wrote:
>>> On 11/03/2011 07:38 PM, Diego Biurrun wrote:
>>>> On Thu, Nov 03, 2011 at 03:01:41PM +0000, Miika Komu wrote:
>>>>> --- firewall/
>>>>> +++ firewall/
>>>>> @@ -444,6 +443,7 @@
>>>>>
>>>>> +#ifdef HAVE_EC_CRYPTO
>>>>> /**
>>>>> * Load an ECDSA public key from a file and convert it into a hip_host_id.
>>>>> *
>>>>> @@ -479,6 +479,8 @@
>>>>> return err;
>>>>> }
>>>>>
>>>>> +#endif /* HAVE_EC_CRYPTO */
>>>>> +
>>>>> /**
>>>>> * load a public key from a file and convert it to a hip_host_id structure
>>>>> *
>>>>
>>>> Please drop the empty line befor the #ifdef.
>>>>
>>>> same elsewhere
>>>
>>> I thought this was the policy, observe bzr commit:
>>>
>>> The following differences were found between the code to commit and
>>> the rules in '.uncrustify-
>>>
>>> ---
>>> /home/mkomu/
>>> 2011-11-03 23:08:00.909848709 +0200
>>> +++ - 2011-11-03 23:29:16.724968313 +0200
>>> @@ -479,6 +479,7 @@
>>> free(ecdsa_key_rr);
>>> return err;
>>> }
>>> +
>>> #endif /* HAVE_EC_CRYPTO */
>>>
>>> /**
>>>
>>> The above changes are also available in the file /tmp/stylecheck
>>>
>>> What to do about this... any help?
>>
>> It seems our uncrustify configuration is in need of fixing.
>> I'll look into it next week - harass me if I don't.
>
> It's the following setting:
>
> # The number of newlines after '}' of a multi-line function body
> nl_after_func_body = 2 # number
>
> This will force an empty line between functions. It does not take #endifs
> into account, however. I don't much care how we handle this. We can
> either live with the newline before the #endif or drop the setting.
> Make your choice.
done, changed this to "1" and adjusted trunk code to match this new policy.
Preview Diff
1 | === modified file 'firewall/conntrack.c' |
2 | --- firewall/conntrack.c 2011-11-08 18:22:33 +0000 |
3 | +++ firewall/conntrack.c 2011-11-09 06:56:25 +0000 |
4 | @@ -695,9 +695,11 @@ |
5 | case HIP_HI_RSA: |
6 | RSA_free(hip_tuple->data->src_pub_key); |
7 | break; |
8 | +#ifdef HAVE_EC_CRYPTO |
9 | case HIP_HI_ECDSA: |
10 | EC_KEY_free(hip_tuple->data->src_pub_key); |
11 | break; |
12 | +#endif /* HAVE_EC_CRYPTO */ |
13 | case HIP_HI_DSA: |
14 | DSA_free(hip_tuple->data->src_pub_key); |
15 | break; |
16 | @@ -1070,10 +1072,12 @@ |
17 | tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_rsa((const struct hip_host_id_priv *) host_id, 0); |
18 | tuple->hip_tuple->data->verify = hip_rsa_verify; |
19 | break; |
20 | +#ifdef HAVE_EC_CRYPTO |
21 | case HIP_HI_ECDSA: |
22 | tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_ecdsa((const struct hip_host_id_priv *) host_id, 0); |
23 | tuple->hip_tuple->data->verify = hip_ecdsa_verify; |
24 | break; |
25 | +#endif /* HAVE_EC_CRYPTO */ |
26 | case HIP_HI_DSA: |
27 | tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_dsa((const struct hip_host_id_priv *) host_id, 0); |
28 | tuple->hip_tuple->data->verify = hip_dsa_verify; |
29 | |
30 | === modified file 'firewall/rule_management.c' |
31 | --- firewall/rule_management.c 2011-08-15 14:11:56 +0000 |
32 | +++ firewall/rule_management.c 2011-11-09 06:56:25 +0000 |
33 | @@ -444,6 +444,7 @@ |
34 | return err; |
35 | } |
36 | |
37 | +#ifdef HAVE_EC_CRYPTO |
38 | /** |
39 | * Load an ECDSA public key from a file and convert it into a hip_host_id. |
40 | * |
41 | @@ -478,6 +479,7 @@ |
42 | free(ecdsa_key_rr); |
43 | return err; |
44 | } |
45 | +#endif /* HAVE_EC_CRYPTO */ |
46 | |
47 | /** |
48 | * load a public key from a file and convert it to a hip_host_id structure |
49 | @@ -506,8 +508,10 @@ |
50 | algo = HIP_HI_RSA; |
51 | } else if (strstr(token, DSA_FILE)) { |
52 | algo = HIP_HI_DSA; |
53 | +#ifdef HAVE_EC_CRYPTO |
54 | } else if (strstr(token, ECDSA_FILE)) { |
55 | algo = HIP_HI_ECDSA; |
56 | +#endif /* HAVE_EC_CRYPTO */ |
57 | } else { |
58 | HIP_DEBUG("Invalid filename for HI: missing _rsa_ or _dsa_ \n"); |
59 | return NULL; |
60 | @@ -519,9 +523,11 @@ |
61 | case HIP_HI_RSA: |
62 | HIP_IFEL(load_rsa_file(fp, hi), -1, "Failed to load RSA key\n"); |
63 | break; |
64 | +#ifdef HAVE_EC_CRYPTO |
65 | case HIP_HI_ECDSA: |
66 | HIP_IFEL(load_ecdsa_file(fp, hi), -1, "Failed to load ECDSA key\n") |
67 | break; |
68 | +#endif /* HAVE_EC_CRYPTO */ |
69 | case HIP_HI_DSA: |
70 | HIP_IFEL(load_dsa_file(fp, hi), -1, "Failed to load DSA key\n") |
71 | break; |
72 | |
73 | === modified file 'hipd/cookie.c' |
74 | --- hipd/cookie.c 2011-10-25 21:14:16 +0000 |
75 | +++ hipd/cookie.c 2011-11-09 06:56:25 +0000 |
76 | @@ -349,9 +349,11 @@ |
77 | case HIP_HI_DSA: |
78 | signature_func = hip_dsa_sign; |
79 | break; |
80 | +#ifdef HAVE_EC_CRYPTO |
81 | case HIP_HI_ECDSA: |
82 | signature_func = hip_ecdsa_sign; |
83 | break; |
84 | +#endif /* HAVE_EC_CRYPTO */ |
85 | default: |
86 | HIP_ERROR("Unkown algorithm"); |
87 | return -1; |
88 | |
89 | === modified file 'hipd/hadb.c' |
90 | --- hipd/hadb.c 2011-11-09 06:32:02 +0000 |
91 | +++ hipd/hadb.c 2011-11-09 06:56:25 +0000 |
92 | @@ -818,9 +818,11 @@ |
93 | case HIP_HI_RSA: |
94 | RSA_free(ha->peer_pub_key); |
95 | break; |
96 | +#ifdef HAVE_EC_CRYPTO |
97 | case HIP_HI_ECDSA: |
98 | EC_KEY_free(ha->peer_pub_key); |
99 | break; |
100 | +#endif /* HAVE_EC_CRYPTO */ |
101 | case HIP_HI_DSA: |
102 | DSA_free(ha->peer_pub_key); |
103 | break; |
104 | @@ -909,10 +911,12 @@ |
105 | entry->verify = hip_dsa_verify; |
106 | entry->peer_pub_key = hip_key_rr_to_dsa((struct hip_host_id_priv *) entry->peer_pub, 0); |
107 | break; |
108 | +#ifdef HAVE_EC_CRYPTO |
109 | case HIP_HI_ECDSA: |
110 | entry->verify = hip_ecdsa_verify; |
111 | entry->peer_pub_key = hip_key_rr_to_ecdsa((struct hip_host_id_priv *) entry->peer_pub, 0); |
112 | break; |
113 | +#endif /* HAVE_EC_CRYPTO */ |
114 | default: |
115 | HIP_OUT_ERR(-1, "Unkown algorithm"); |
116 | } |
117 | @@ -978,9 +982,11 @@ |
118 | case HIP_HI_RSA: |
119 | entry->sign = hip_rsa_sign; |
120 | break; |
121 | +#ifdef HAVE_EC_CRYPTO |
122 | case HIP_HI_ECDSA: |
123 | entry->sign = hip_ecdsa_sign; |
124 | break; |
125 | +#endif /* HAVE_EC_CRYPTO */ |
126 | default: |
127 | err = -1; |
128 | } |
129 | |
130 | === modified file 'hipd/hidb.c' |
131 | --- hipd/hidb.c 2011-10-25 21:14:16 +0000 |
132 | +++ hipd/hidb.c 2011-11-09 06:56:25 +0000 |
133 | @@ -63,6 +63,7 @@ |
134 | |
135 | static const char *lsi_addresses[] = { "1.0.0.1", "1.0.0.2", "1.0.0.3", "1.0.0.4" }; |
136 | |
137 | +#ifdef HAVE_EC_CRYPTO |
138 | /** |
139 | * Strips the private key component from an ECDSA-based host id. |
140 | * |
141 | @@ -102,6 +103,7 @@ |
142 | |
143 | return 0; |
144 | } |
145 | +#endif /* HAVE_EC_CRYPTO */ |
146 | |
147 | /** |
148 | * Strips a DSA public key out of a host id with private key component |
149 | @@ -192,8 +194,10 @@ |
150 | return get_rsa_public_key(hid, ret); |
151 | case HIP_HI_DSA: |
152 | return get_dsa_public_key(hid, ret); |
153 | +#ifdef HAVE_EC_CRYPTO |
154 | case HIP_HI_ECDSA: |
155 | return get_ecdsa_public_key(hid, ret); |
156 | +#endif /* HAVE_EC_CRYPTO */ |
157 | default: |
158 | HIP_ERROR("Unsupported HI algorithm\n"); |
159 | return -1; |
160 | @@ -284,9 +288,11 @@ |
161 | case HIP_HI_RSA: |
162 | RSA_free(id->private_key); |
163 | break; |
164 | +#ifdef HAVE_EC_CRYPTO |
165 | case HIP_HI_ECDSA: |
166 | EC_KEY_free(id->private_key); |
167 | break; |
168 | +#endif /* HAVE_EC_CRYPTO */ |
169 | case HIP_HI_DSA: |
170 | DSA_free(id->private_key); |
171 | break; |
172 | @@ -510,9 +516,11 @@ |
173 | case HIP_HI_RSA: |
174 | id_entry->private_key = hip_key_rr_to_rsa(host_id, 1); |
175 | break; |
176 | +#ifdef HAVE_EC_CRYPTO |
177 | case HIP_HI_ECDSA: |
178 | id_entry->private_key = hip_key_rr_to_ecdsa(host_id, 1); |
179 | break; |
180 | +#endif /* HAVE_EC_CRYPTO */ |
181 | case HIP_HI_DSA: |
182 | id_entry->private_key = hip_key_rr_to_dsa(host_id, 1); |
183 | break; |
184 | @@ -530,9 +538,11 @@ |
185 | case HIP_HI_DSA: |
186 | signature_func = hip_dsa_sign; |
187 | break; |
188 | +#ifdef HAVE_EC_CRYPTO |
189 | case HIP_HI_ECDSA: |
190 | signature_func = hip_ecdsa_sign; |
191 | break; |
192 | +#endif /* HAVE_EC_CRYPTO */ |
193 | default: |
194 | HIP_ERROR("Unsupported algorithms\n"); |
195 | err = -1; |
196 | @@ -558,9 +568,11 @@ |
197 | case HIP_HI_RSA: |
198 | RSA_free(id_entry->private_key); |
199 | break; |
200 | +#ifdef HAVE_EC_CRYPTO |
201 | case HIP_HI_ECDSA: |
202 | EC_KEY_free(id_entry->private_key); |
203 | break; |
204 | +#endif /* HAVE_EC_CRYPTO */ |
205 | case HIP_HI_DSA: |
206 | DSA_free(id_entry->private_key); |
207 | break; |
208 | |
209 | === modified file 'lib/core/builder.c' |
210 | --- lib/core/builder.c 2011-11-09 06:32:02 +0000 |
211 | +++ lib/core/builder.c 2011-11-09 06:56:25 +0000 |
212 | @@ -3459,6 +3459,7 @@ |
213 | return hip_build_param(msg, &name_info); |
214 | } |
215 | |
216 | +#ifdef HAVE_EC_CRYPTO |
217 | /** |
218 | * Convert an EC structure from OpenSSL into an endpoint_hip structure |
219 | * used internally by the implementation. |
220 | @@ -3503,6 +3504,7 @@ |
221 | *endpoint = NULL; |
222 | return err; |
223 | } |
224 | +#endif /* HAVE_EC_CRYPTO */ |
225 | |
226 | /** |
227 | * Convert a DSA structure from OpenSSL into an endpoint_hip structure |
228 | @@ -3605,7 +3607,9 @@ |
229 | struct hip_host_id *host_id_pub = NULL; |
230 | const RSA *const rsa_key = any_key; |
231 | const DSA *const dsa_key = any_key; |
232 | - const EC_KEY *const ecdsa_key = any_key; |
233 | +#ifdef HAVE_EC_CRYPTO |
234 | + const EC_KEY *const ecdsa_key = any_key; |
235 | +#endif /* HAVE_EC_CRYPTO */ |
236 | |
237 | HIP_IFEL(gethostname(hostname, sizeof(hostname)), -1, |
238 | "gethostname failed\n"); |
239 | @@ -3615,10 +3619,12 @@ |
240 | HIP_IFEL((key_rr_len = dsa_to_dns_key_rr(dsa_key, &key_rr)) <= 0, -1, |
241 | "key_rr_len\n"); |
242 | break; |
243 | +#ifdef HAVE_EC_CRYPTO |
244 | case HIP_HI_ECDSA: |
245 | HIP_IFEL(((key_rr_len = ecdsa_to_key_rr(ecdsa_key, &key_rr)) <= 0), -1, |
246 | "key_rr_len\n"); |
247 | break; |
248 | +#endif /* HAVE_EC_CRYPTO */ |
249 | case HIP_HI_RSA: |
250 | HIP_IFEL((key_rr_len = rsa_to_dns_key_rr(rsa_key, &key_rr)) <= 0, -1, |
251 | "key_rr_len\n"); |
252 | |
253 | === modified file 'lib/core/builder.h' |
254 | --- lib/core/builder.h 2011-08-15 14:11:56 +0000 |
255 | +++ lib/core/builder.h 2011-11-09 06:56:25 +0000 |
256 | @@ -26,13 +26,16 @@ |
257 | #ifndef HIP_LIB_CORE_BUILDER_H |
258 | #define HIP_LIB_CORE_BUILDER_H |
259 | |
260 | +#include "config.h" |
261 | + |
262 | #include <stdint.h> |
263 | #include <netinet/in.h> |
264 | #include <openssl/rsa.h> |
265 | #include <openssl/dsa.h> |
266 | +#ifdef HAVE_EC_CRYPTO |
267 | #include <openssl/ec.h> |
268 | +#endif /* HAVE_EC_CRYPTO */ |
269 | |
270 | -#include "config.h" |
271 | #include "certtools.h" |
272 | #include "debug.h" |
273 | #include "icomm.h" |
274 | @@ -219,10 +222,12 @@ |
275 | struct endpoint_hip **endpoint, |
276 | se_hip_flags endpoint_flags, |
277 | const char *const hostname); |
278 | +#ifdef HAVE_EC_CRYPTO |
279 | int ecdsa_to_hip_endpoint(const EC_KEY *const ecdsa, |
280 | struct endpoint_hip **const endpoint, |
281 | const se_hip_flags endpoint_flags, |
282 | const char *const hostname); |
283 | +#endif /* HAVE_EC_CRYPTO */ |
284 | int hip_any_key_to_hit(const void *const any_key, |
285 | hip_hit_t *const hit, |
286 | const int is_public, |
287 | |
288 | === modified file 'lib/core/crypto.c' |
289 | --- lib/core/crypto.c 2011-09-21 14:22:17 +0000 |
290 | +++ lib/core/crypto.c 2011-11-09 06:56:25 +0000 |
291 | @@ -459,6 +459,7 @@ |
292 | return err; |
293 | } |
294 | |
295 | +#ifdef HAVE_EC_CRYPTO |
296 | /** |
297 | * Sign using ECDSA |
298 | * |
299 | @@ -494,6 +495,7 @@ |
300 | ECDSA_SIG_free(ecdsa_sig); |
301 | return err; |
302 | } |
303 | +#endif /* HAVE_EC_CRYPTO */ |
304 | |
305 | /** |
306 | * Sign using DSA |
307 | @@ -536,6 +538,7 @@ |
308 | return err; |
309 | } |
310 | |
311 | +#ifdef HAVE_EC_CRYPTO |
312 | /** |
313 | * Verify an ECDSA signature |
314 | * |
315 | @@ -570,6 +573,7 @@ |
316 | ECDSA_SIG_free(ecdsa_sig); |
317 | return err; |
318 | } |
319 | +#endif /* HAVE_EC_CRYPTO */ |
320 | |
321 | /** |
322 | * Verify a DSA signature |
323 | @@ -780,6 +784,7 @@ |
324 | return NULL; |
325 | } |
326 | |
327 | +#ifdef HAVE_EC_CRYPTO |
328 | /** |
329 | * Generate ECDSA parameters and a new key pair. |
330 | * |
331 | @@ -818,6 +823,7 @@ |
332 | EC_GROUP_free(group); |
333 | return err; |
334 | } |
335 | +#endif /* HAVE_EC_CRYPTO */ |
336 | |
337 | /** |
338 | * Save host DSA keys to disk. |
339 | @@ -1015,6 +1021,7 @@ |
340 | return err; |
341 | } |
342 | |
343 | +#ifdef HAVE_EC_CRYPTO |
344 | /** |
345 | * Save the host's ECDSA keys to disk. |
346 | * |
347 | @@ -1169,6 +1176,7 @@ |
348 | |
349 | return 0; |
350 | } |
351 | +#endif /* HAVE_EC_CRYPTO */ |
352 | |
353 | /** |
354 | * Load host DSA private keys from disk. |
355 | |
356 | === modified file 'lib/core/crypto.h' |
357 | --- lib/core/crypto.h 2011-10-30 11:54:44 +0000 |
358 | +++ lib/core/crypto.h 2011-11-09 06:56:25 +0000 |
359 | @@ -26,12 +26,16 @@ |
360 | #ifndef HIP_LIB_CORE_CRYPTO_H |
361 | #define HIP_LIB_CORE_CRYPTO_H |
362 | |
363 | +#include "config.h" |
364 | + |
365 | #include <stdint.h> |
366 | #include <netinet/in.h> |
367 | #include <sys/types.h> |
368 | #include <openssl/dsa.h> |
369 | #include <openssl/rsa.h> |
370 | +#ifdef HAVE_EC_CRYPTO |
371 | #include <openssl/ec.h> |
372 | +#endif /* HAVE_EC_CRYPTO */ |
373 | #include <openssl/dh.h> |
374 | #include <openssl/pem.h> |
375 | |
376 | @@ -92,28 +96,31 @@ |
377 | uint16_t hip_get_dh_size(uint8_t hip_dh_group_type); |
378 | DSA *create_dsa_key(const int bits); |
379 | RSA *create_rsa_key(const int bits); |
380 | -EC_KEY *create_ecdsa_key(const int nid); |
381 | int save_dsa_private_key(const char *const filenamebase, DSA *const dsa); |
382 | int save_rsa_private_key(const char *const filenamebase, RSA *const rsa); |
383 | -int save_ecdsa_private_key(const char *const filenamebase, EC_KEY *const ecdsa); |
384 | int load_dsa_private_key(const char *const filenamebase, DSA **const dsa); |
385 | int load_rsa_private_key(const char *const filename, RSA **const rsa); |
386 | -int load_ecdsa_private_key(const char *const filename, EC_KEY **const ec); |
387 | int impl_dsa_sign(const unsigned char *const digest, |
388 | DSA *const dsa, |
389 | unsigned char *const signature); |
390 | int impl_dsa_verify(const unsigned char *const digest, |
391 | DSA *const dsa, |
392 | const unsigned char *const signature); |
393 | +int hip_write_hmac(int type, const void *key, void *in, int in_len, void *out); |
394 | +int hip_crypto_encrypted(void *data, const void *iv, int enc_alg, int enc_len, |
395 | + uint8_t *enc_key, int direction); |
396 | +void get_random_bytes(void *buf, int n); |
397 | + |
398 | +#ifdef HAVE_EC_CRYPTO |
399 | +EC_KEY *create_ecdsa_key(const int nid); |
400 | +int save_ecdsa_private_key(const char *const filenamebase, EC_KEY *const ecdsa); |
401 | +int load_ecdsa_private_key(const char *const filename, EC_KEY **const ec); |
402 | int impl_ecdsa_sign(const unsigned char *const digest, |
403 | EC_KEY *const ecdsa, |
404 | unsigned char *const signature); |
405 | int impl_ecdsa_verify(const unsigned char *const digest, |
406 | EC_KEY *const ecdsa, |
407 | const unsigned char *const signature); |
408 | -int hip_write_hmac(int type, const void *key, void *in, int in_len, void *out); |
409 | -int hip_crypto_encrypted(void *data, const void *iv, int enc_alg, int enc_len, |
410 | - uint8_t *enc_key, int direction); |
411 | -void get_random_bytes(void *buf, int n); |
412 | +#endif /* HAVE_EC_CRYPTO */ |
413 | |
414 | #endif /* HIP_LIB_CORE_CRYPTO_H */ |
415 | |
416 | === modified file 'lib/core/hostid.c' |
417 | --- lib/core/hostid.c 2011-10-25 21:14:16 +0000 |
418 | +++ lib/core/hostid.c 2011-11-09 06:56:25 +0000 |
419 | @@ -250,6 +250,7 @@ |
420 | return err; |
421 | } |
422 | |
423 | +#ifdef HAVE_EC_CRYPTO |
424 | /** |
425 | * Convert ECDSA-based private host id to a HIT. |
426 | * |
427 | @@ -290,6 +291,7 @@ |
428 | |
429 | return 0; |
430 | } |
431 | +#endif /* HAVE_EC_CRYPTO */ |
432 | |
433 | /** |
434 | * Convert RSA, DSA, or ECDSA-based private host id to a HIT |
435 | @@ -310,13 +312,16 @@ |
436 | return private_dsa_host_id_to_hit(host_id, hit, hit_type); |
437 | case HIP_HI_RSA: |
438 | return private_rsa_host_id_to_hit(host_id, hit, hit_type); |
439 | +#ifdef HAVE_EC_CRYPTO |
440 | case HIP_HI_ECDSA: |
441 | return private_ecdsa_host_id_to_hit(host_id, hit, hit_type); |
442 | +#endif /* HAVE_EC_CRYPTO */ |
443 | default: |
444 | return -ENOSYS; |
445 | } |
446 | } |
447 | |
448 | +#ifdef HAVE_EC_CRYPTO |
449 | /* |
450 | * Translate the openssl specific curve id into the coressponding HIP id. |
451 | * |
452 | @@ -422,6 +427,7 @@ |
453 | |
454 | return 0; |
455 | } |
456 | +#endif /* HAVE_EC_CRYPTO */ |
457 | |
458 | /** |
459 | * dig out RSA key length from an host id |
460 | @@ -553,6 +559,7 @@ |
461 | return dsa; |
462 | } |
463 | |
464 | +#ifdef HAVE_EC_CRYPTO |
465 | /** |
466 | * convert a ECDSA-based host id into an OpenSSL structure |
467 | * |
468 | @@ -631,6 +638,7 @@ |
469 | |
470 | return ret; |
471 | } |
472 | +#endif /* HAVE_EC_CRYPTO */ |
473 | |
474 | /** |
475 | * (Re)create new host identities or load existing ones, and append the |
476 | @@ -664,30 +672,44 @@ |
477 | const int dsa_key_bits, |
478 | const int ecdsa_nid) |
479 | { |
480 | - int err = 0, dsa_key_rr_len = 0, rsa_key_rr_len = 0, ecdsa_key_rr_len = 0; |
481 | - int dsa_pub_key_rr_len = 0, rsa_pub_key_rr_len = 0, ecdsa_pub_key_rr_len = 0; |
482 | + int err = 0, dsa_key_rr_len = 0, rsa_key_rr_len = 0; |
483 | + int dsa_pub_key_rr_len = 0, rsa_pub_key_rr_len = 0; |
484 | hip_hdr numeric_action = 0; |
485 | char hostname[HIP_HOST_ID_HOSTNAME_LEN_MAX]; |
486 | - const char *rsa_filenamebase = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; |
487 | - const char *dsa_filenamebase = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; |
488 | - const char *ecdsa_filenamebase = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; |
489 | - const char *rsa_filenamebase_pub = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; |
490 | - const char *dsa_filenamebase_pub = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; |
491 | - const char *ecdsa_filenamebase_pub = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; |
492 | - unsigned char *dsa_key_rr = NULL, *rsa_key_rr = NULL, *ecdsa_key_rr = NULL; |
493 | - unsigned char *dsa_pub_key_rr = NULL, *rsa_pub_key_rr = NULL, *ecdsa_pub_key_rr = NULL; |
494 | - DSA *dsa_key = NULL, *dsa_pub_key = NULL; |
495 | - RSA *rsa_key = NULL, *rsa_pub_key = NULL; |
496 | - EC_KEY *ecdsa_key = NULL, *ecdsa_pub_key = NULL; |
497 | - struct hip_host_id_local rsa_lhi, dsa_lhi, ecdsa_lhi, rsa_pub_lhi, dsa_pub_lhi, ecdsa_pub_lhi; |
498 | - struct hip_host_id *dsa_host_id = NULL, *rsa_host_id = NULL, *ecdsa_host_id = NULL; |
499 | - struct hip_host_id *dsa_pub_host_id = NULL, *rsa_pub_host_id = NULL, *ecdsa_pub_host_id = NULL; |
500 | + const char *rsa_filenamebase = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; |
501 | + const char *dsa_filenamebase = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; |
502 | + const char *rsa_filenamebase_pub = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; |
503 | + const char *dsa_filenamebase_pub = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; |
504 | + unsigned char *dsa_key_rr = NULL, *rsa_key_rr = NULL; |
505 | + unsigned char *dsa_pub_key_rr = NULL, *rsa_pub_key_rr = NULL; |
506 | + DSA *dsa_key = NULL, *dsa_pub_key = NULL; |
507 | + RSA *rsa_key = NULL, *rsa_pub_key = NULL; |
508 | + struct hip_host_id_local rsa_lhi, dsa_lhi, rsa_pub_lhi, dsa_pub_lhi; |
509 | + struct hip_host_id *dsa_host_id = NULL, *rsa_host_id = NULL; |
510 | + struct hip_host_id *dsa_pub_host_id = NULL, *rsa_pub_host_id = NULL; |
511 | struct endpoint_hip *endpoint_dsa_hip = NULL; |
512 | struct endpoint_hip *endpoint_dsa_pub_hip = NULL; |
513 | struct endpoint_hip *endpoint_rsa_hip = NULL; |
514 | struct endpoint_hip *endpoint_rsa_pub_hip = NULL; |
515 | struct endpoint_hip *endpoint_ecdsa_hip = NULL; |
516 | struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL; |
517 | +#ifdef HAVE_EC_CRYPTO |
518 | + int ecdsa_key_rr_len = 0, ecdsa_pub_key_rr_len = 0; |
519 | + const char *ecdsa_filenamebase = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX; |
520 | + const char *ecdsa_filenamebase_pub = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX; |
521 | + unsigned char *ecdsa_key_rr = NULL; |
522 | + unsigned char *ecdsa_pub_key_rr = NULL; |
523 | + EC_KEY *ecdsa_key = NULL, *ecdsa_pub_key = NULL; |
524 | + struct hip_host_id_local ecdsa_lhi, ecdsa_pub_lhi; |
525 | + struct hip_host_id *ecdsa_host_id = NULL; |
526 | + struct hip_host_id *ecdsa_pub_host_id = NULL; |
527 | +#endif /* HAVE_EC_CRYPTO */ |
528 | + |
529 | + if (ecdsa_nid < 0) { |
530 | + err = -1; |
531 | + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid); |
532 | + goto out_err; |
533 | + } |
534 | |
535 | if (action == ACTION_ADD) { |
536 | numeric_action = HIP_MSG_ADD_LOCAL_HI; |
537 | @@ -726,6 +748,7 @@ |
538 | HIP_ERROR("Saving of DSA key failed.\n"); |
539 | goto out_err; |
540 | } |
541 | +#ifdef HAVE_EC_CRYPTO |
542 | } else if (!strcmp(hi_fmt, "ecdsa")) { |
543 | ecdsa_key = create_ecdsa_key(ecdsa_nid); |
544 | HIP_IFEL(!ecdsa_key, -EINVAL, |
545 | @@ -734,6 +757,7 @@ |
546 | HIP_ERROR("Saving of ECDSA key failed.\n"); |
547 | goto out_err; |
548 | } |
549 | +#endif /* HAVE_EC_CRYPTO */ |
550 | } else { /*RSA*/ |
551 | rsa_key = create_rsa_key(rsa_key_bits); |
552 | HIP_IFEL(!rsa_key, -EINVAL, |
553 | @@ -764,6 +788,7 @@ |
554 | HIP_IFEL(!rsa_pub_key, -EINVAL, |
555 | "Creation of public RSA key failed.\n"); |
556 | |
557 | +#ifdef HAVE_EC_CRYPTO |
558 | ecdsa_key = create_ecdsa_key(ecdsa_nid); |
559 | HIP_IFEL(!ecdsa_key, -EINVAL, |
560 | "Creation of ECDSA key failed.\n"); |
561 | @@ -772,6 +797,17 @@ |
562 | HIP_IFEL(!ecdsa_pub_key, -EINVAL, |
563 | "Creation of public ECDSA key failed.\n"); |
564 | |
565 | + if ((err = save_ecdsa_private_key(ecdsa_filenamebase, ecdsa_key))) { |
566 | + HIP_ERROR("Saving of ECDSA key failed.\n"); |
567 | + goto out_err; |
568 | + } |
569 | + |
570 | + if ((err = save_ecdsa_private_key(ecdsa_filenamebase_pub, ecdsa_pub_key))) { |
571 | + HIP_ERROR("Saving of public ECDSA key failed.\n"); |
572 | + goto out_err; |
573 | + } |
574 | +#endif /* HAVE_EC_CRYPTO */ |
575 | + |
576 | if ((err = save_dsa_private_key(dsa_filenamebase, dsa_key))) { |
577 | HIP_ERROR("Saving of DSA key failed.\n"); |
578 | goto out_err; |
579 | @@ -792,16 +828,6 @@ |
580 | goto out_err; |
581 | } |
582 | |
583 | - if ((err = save_ecdsa_private_key(ecdsa_filenamebase, ecdsa_key))) { |
584 | - HIP_ERROR("Saving of ECDSA key failed.\n"); |
585 | - goto out_err; |
586 | - } |
587 | - |
588 | - if ((err = save_ecdsa_private_key(ecdsa_filenamebase_pub, ecdsa_pub_key))) { |
589 | - HIP_ERROR("Saving of public ECDSA key failed.\n"); |
590 | - goto out_err; |
591 | - } |
592 | - |
593 | break; |
594 | |
595 | case ACTION_ADD: |
596 | @@ -823,6 +849,7 @@ |
597 | HIP_ERROR("Building of host id failed\n"); |
598 | goto out_err; |
599 | } |
600 | +#ifdef HAVE_EC_CRYPTO |
601 | } else if (!strcmp(hi_fmt, "ecdsa")) { |
602 | if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) { |
603 | HIP_ERROR("Loading of the ECDSA key failed\n"); |
604 | @@ -839,6 +866,7 @@ |
605 | HIP_ERROR("Building of host id failed\n"); |
606 | goto out_err; |
607 | } |
608 | +#endif /* HAVE_EC_CRYPTO */ |
609 | } else { /*RSA*/ |
610 | if ((err = load_rsa_private_key(hi_file, &rsa_key))) { |
611 | HIP_ERROR("Failed to load RSA key from file %s\n", hi_file); |
612 | @@ -910,6 +938,7 @@ |
613 | goto out_err; |
614 | } |
615 | } |
616 | +#ifdef HAVE_EC_CRYPTO |
617 | } else if (!strcmp(hi_fmt, "ecdsa")) { |
618 | if (anon) { |
619 | if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) { |
620 | @@ -958,6 +987,7 @@ |
621 | goto out_err; |
622 | } |
623 | } |
624 | +#endif /* HAVE_EC_CRYPTO */ |
625 | } else if (anon) { /* rsa anon */ |
626 | if ((err = load_rsa_private_key(rsa_filenamebase, &rsa_key))) { |
627 | HIP_ERROR("Loading of the RSA key failed\n"); |
628 | @@ -1059,41 +1089,47 @@ |
629 | if (rsa_filenamebase_pub != NULL) { |
630 | change_key_file_perms(rsa_filenamebase_pub); |
631 | } |
632 | - if (ecdsa_filenamebase_pub != NULL) { |
633 | - change_key_file_perms(ecdsa_filenamebase_pub); |
634 | - } |
635 | - if (ecdsa_filenamebase_pub != NULL) { |
636 | - change_key_file_perms(ecdsa_filenamebase_pub); |
637 | - } |
638 | |
639 | free(dsa_host_id); |
640 | free(dsa_pub_host_id); |
641 | - free(ecdsa_host_id); |
642 | - free(ecdsa_pub_host_id); |
643 | free(rsa_host_id); |
644 | free(rsa_pub_host_id); |
645 | DSA_free(dsa_key); |
646 | - EC_KEY_free(ecdsa_key); |
647 | RSA_free(rsa_key); |
648 | DSA_free(dsa_pub_key); |
649 | - EC_KEY_free(ecdsa_pub_key); |
650 | RSA_free(rsa_pub_key); |
651 | free(dsa_key_rr); |
652 | - free(ecdsa_key_rr); |
653 | free(rsa_key_rr); |
654 | free(dsa_pub_key_rr); |
655 | - free(ecdsa_pub_key_rr); |
656 | free(rsa_pub_key_rr); |
657 | free(endpoint_dsa_hip); |
658 | - free(endpoint_ecdsa_hip); |
659 | free(endpoint_rsa_hip); |
660 | free(endpoint_dsa_pub_hip); |
661 | + free(endpoint_rsa_pub_hip); |
662 | + |
663 | +#ifdef HAVE_EC_CRYPTO |
664 | + /* We make exeception to the common memory deallocation policy (LIFO) |
665 | + * here to group of all ECDSA deallocations between a single ifdef */ |
666 | + if (ecdsa_filenamebase_pub != NULL) { |
667 | + change_key_file_perms(ecdsa_filenamebase_pub); |
668 | + } |
669 | + if (ecdsa_filenamebase_pub != NULL) { |
670 | + change_key_file_perms(ecdsa_filenamebase_pub); |
671 | + } |
672 | + free(ecdsa_host_id); |
673 | + free(ecdsa_pub_host_id); |
674 | + EC_KEY_free(ecdsa_key); |
675 | + EC_KEY_free(ecdsa_pub_key); |
676 | + free(ecdsa_key_rr); |
677 | + free(ecdsa_pub_key_rr); |
678 | + free(endpoint_ecdsa_hip); |
679 | free(endpoint_ecdsa_pub_hip); |
680 | - free(endpoint_rsa_pub_hip); |
681 | +#endif /* HAVE_EC_CRYPTO */ |
682 | |
683 | return err; |
684 | } |
685 | |
686 | +#ifdef HAVE_EC_CRYPTO |
687 | /** |
688 | * Serialize an ECDSA public key. |
689 | * |
690 | @@ -1166,6 +1202,7 @@ |
691 | free(buffer); |
692 | return err; |
693 | } |
694 | +#endif /* HAVE_EC_CRYPTO */ |
695 | |
696 | /** |
697 | * create DNS KEY RR record from host DSA key |
698 | |
699 | === modified file 'lib/core/hostid.h' |
700 | --- lib/core/hostid.h 2011-07-18 13:10:26 +0000 |
701 | +++ lib/core/hostid.h 2011-11-09 06:56:25 +0000 |
702 | @@ -26,10 +26,14 @@ |
703 | #ifndef HIP_LIB_CORE_HOSTID_H |
704 | #define HIP_LIB_CORE_HOSTID_H |
705 | |
706 | +#include "config.h" |
707 | + |
708 | #include <netinet/in.h> |
709 | #include <openssl/dsa.h> |
710 | #include <openssl/rsa.h> |
711 | +#ifdef HAVE_EC_CRYPTO |
712 | #include <openssl/ec.h> |
713 | +#endif /* HAVE_EC_CRYPTO */ |
714 | |
715 | #include "protodefs.h" |
716 | #include "state.h" |
717 | @@ -62,11 +66,14 @@ |
718 | struct hip_ecdsa_keylen *const ret); |
719 | RSA *hip_key_rr_to_rsa(const struct hip_host_id_priv *const host_id, const int is_priv); |
720 | DSA *hip_key_rr_to_dsa(const struct hip_host_id_priv *const host_id, const int is_priv); |
721 | -EC_KEY *hip_key_rr_to_ecdsa(const struct hip_host_id_priv *const host_id, const int is_priv); |
722 | |
723 | int dsa_to_dns_key_rr(const DSA *const dsa, unsigned char **const buf); |
724 | int rsa_to_dns_key_rr(const RSA *const rsa, unsigned char **const rsa_key_rr); |
725 | + |
726 | +#ifdef HAVE_EC_CRYPTO |
727 | +EC_KEY *hip_key_rr_to_ecdsa(const struct hip_host_id_priv *const host_id, const int is_priv); |
728 | int ecdsa_to_key_rr(const EC_KEY *const ecdsa, unsigned char **const ec_key_rr); |
729 | +#endif /* HAVE_EC_CRYPTO */ |
730 | |
731 | int hip_serialize_host_id_action(struct hip_common *msg, |
732 | const int action, |
733 | |
734 | === modified file 'lib/tool/pk.c' |
735 | --- lib/tool/pk.c 2011-08-15 14:11:56 +0000 |
736 | +++ lib/tool/pk.c 2011-11-09 06:56:25 +0000 |
737 | @@ -8,6 +8,8 @@ |
738 | * @brief HIPL wrappers for OpenSSL public key operations. |
739 | */ |
740 | |
741 | +#include "config.h" |
742 | + |
743 | #include <errno.h> |
744 | #include <stdint.h> |
745 | #include <stdlib.h> |
746 | @@ -15,7 +17,9 @@ |
747 | #include <netinet/in.h> |
748 | #include <openssl/bn.h> |
749 | #include <openssl/dsa.h> |
750 | +#ifdef HAVE_EC_CRYPTO |
751 | #include <openssl/ecdsa.h> |
752 | +#endif /* HAVE_EC_CRYPTO */ |
753 | #include <openssl/objects.h> |
754 | #include <openssl/rsa.h> |
755 | |
756 | @@ -26,7 +30,6 @@ |
757 | #include "lib/core/performance.h" |
758 | #include "lib/core/prefix.h" |
759 | #include "lib/core/protodefs.h" |
760 | -#include "config.h" |
761 | #include "pk.h" |
762 | |
763 | /** |
764 | @@ -75,6 +78,7 @@ |
765 | return err; |
766 | } |
767 | |
768 | +#ifdef HAVE_EC_CRYPTO |
769 | /** |
770 | * Sign a HIP control message with a private ECDSA key. |
771 | * |
772 | @@ -128,6 +132,7 @@ |
773 | |
774 | return 0; |
775 | } |
776 | +#endif /* HAVE_EC_CRYPTO */ |
777 | |
778 | /** |
779 | * sign a HIP control message with a private DSA key |
780 | @@ -225,8 +230,10 @@ |
781 | /* RSA_verify returns 0 on failure */ |
782 | err = !RSA_verify(NID_sha1, sha1_digest, SHA_DIGEST_LENGTH, |
783 | sig->signature, RSA_size(peer_pub), peer_pub); |
784 | +#ifdef HAVE_EC_CRYPTO |
785 | } else if (type == HIP_HI_ECDSA) { |
786 | err = impl_ecdsa_verify(sha1_digest, peer_pub, sig->signature); |
787 | +#endif /* HAVE_EC_CRYPTO */ |
788 | } else { |
789 | err = impl_dsa_verify(sha1_digest, peer_pub, sig->signature); |
790 | } |
791 | @@ -259,6 +266,7 @@ |
792 | return err; |
793 | } |
794 | |
795 | +#ifdef HAVE_EC_CRYPTO |
796 | /** |
797 | * Verify the ECDSA signature from a message. |
798 | * |
799 | @@ -271,6 +279,7 @@ |
800 | { |
801 | return verify(peer_pub, msg, HIP_HI_ECDSA); |
802 | } |
803 | +#endif /* HAVE_EC_CRYPTO */ |
804 | |
805 | /** |
806 | * RSA signature verification function |
807 | |
808 | === modified file 'test/lib/tool/pk.c' |
809 | --- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000 |
810 | +++ test/lib/tool/pk.c 2011-11-09 06:56:25 +0000 |
811 | @@ -23,17 +23,20 @@ |
812 | * OTHER DEALINGS IN THE SOFTWARE. |
813 | */ |
814 | |
815 | +#include "config.h" |
816 | + |
817 | #include <check.h> |
818 | #include <stdlib.h> |
819 | #include <string.h> |
820 | #include <stdio.h> |
821 | +#ifdef HAVE_EC_CRYPTO |
822 | #include <openssl/ec.h> |
823 | +#endif /* HAVE_EC_CRYPTO */ |
824 | #include <openssl/pem.h> |
825 | |
826 | #include "lib/core/debug.h" |
827 | #include "lib/core/crypto.h" |
828 | #include "lib/tool/pk.h" |
829 | -#include "config.h" |
830 | #include "test_suites.h" |
831 | |
832 | START_TEST(test_ecdsa_sign_verify) |
review needs-fixing
On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote: rule_management .c 2011-08-15 14:11:56 +0000 rule_management .c 2011-10-30 07:48:24 +0000
> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
>
> --- firewall/
> +++ firewall/
> @@ -81,8 +81,9 @@
> /* filename needs to contain one of these to be valid HI file */
> #define RSA_FILE "_rsa_"
> #define DSA_FILE "_dsa_"
> +#ifdef HAVE_EC_CRYPTO
> #define ECDSA_FILE "_ecdsa_"
> -
> +#endif /* HAVE_EC_CRYPTO */
> #define MAX_LINE_LENGTH 512
unnecessary
> @@ -444,6 +445,7 @@
> return err;
> }
>
> +#ifdef HAVE_EC_CRYPTO
> /**
> * Load an ECDSA public key from a file and convert it into a hip_host_id.
> *
> @@ -479,6 +481,8 @@
> return err;
> }
>
> +#endif /* HAVE_EC_CRYPTO */
> +
> /**
> * load a public key from a file and convert it to a hip_host_id structure
> *
Drop the empty line before the #endif, same below
> --- lib/core/builder.h 2011-08-15 14:11:56 +0000 CORE_BUILDER_ H CORE_BUILDER_ H
> +++ lib/core/builder.h 2011-10-30 07:48:24 +0000
> @@ -26,18 +26,21 @@
> #ifndef HIP_LIB_
> #define HIP_LIB_
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <openssl/rsa.h>
> #include <openssl/dsa.h>
> -#include <openssl/ec.h>
>
> -#include "config.h"
> #include "certtools.h"
> #include "debug.h"
> #include "icomm.h"
> #include "state.h"
>
> +#ifdef HAVE_EC_CRYPTO
> +#include <openssl/ec.h>
> +#endif /* HAVE_EC_CRYPTO */
We have system headers before local headers for a reason.
> --- lib/core/crypto.h 2011-07-18 13:10:26 +0000 CORE_CRYPTO_ H CORE_CRYPTO_ H
> +++ lib/core/crypto.h 2011-10-30 07:48:24 +0000
> @@ -26,12 +26,16 @@
> #ifndef HIP_LIB_
> #define HIP_LIB_
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <sys/types.h>
> #include <openssl/dsa.h>
> #include <openssl/rsa.h>
> +#ifdef HAVE_EC_CRYPTO
> #include <openssl/ec.h>
> +#endif /* HAVE_EC_CRYPTO */
> #include <openssl/dh.h>
> #include <openssl/pem.h>
.. like you did here ..
> --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> @@ -28,6 +28,8 @@
> * @brief Host identifier manipulation functions
> */
>
> +#include "config.h"
> +
> #include <errno.h>
> #include <stdint.h>
> #include <stdlib.h>
> @@ -40,7 +42,6 @@
> #include <openssl/pem.h>
> #include <openssl/rsa.h>
>
> -#include "config.h"
> #include "lib/tool/pk.h"
> #include "builder.h"
> #include "crypto.h"
unnecessary / unrelated
> @@ -689,6 +715,12 @@ ecdsa_pub_ hip = NULL;
> struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> struct endpoint_hip *endpoint_
>
> + if (ecdsa_nid < 0) {
> + err = -1;
> + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> + goto out_err;
> + }
?
> @@ -1059,41 +1101,58 @@ se_pub != NULL) { key_file_ perms(rsa_ filenamebase_ pub); filenamebase_ pub != NULL) { key_file_ perms(ecdsa_ filenamebase_ pub); filenamebase_ pub != NULL) {
> if (rsa_filenameba
> change_
> }
> - if (ecdsa_
> - change_
> - }
> - if (ecdsa_
> - change_key_file...