HIPL

Merge lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl

  1. ecdsa-redhat
  2. Merge into trunk
Proposed by Miika Komu
Status: Merged
Merged at revision: 6123
Proposed branch: lp:~hipl-core/hipl/ecdsa-redhat
Merge into: lp:hipl
Diff against target: 832 lines (+164/-52)
13 files modified
firewall/conntrack.c (+4/-0)
firewall/rule_management.c (+6/-0)
hipd/cookie.c (+2/-0)
hipd/hadb.c (+6/-0)
hipd/hidb.c (+12/-0)
lib/core/builder.c (+7/-1)
lib/core/builder.h (+6/-1)
lib/core/crypto.c (+8/-0)
lib/core/crypto.h (+14/-7)
lib/core/hostid.c (+77/-40)
lib/core/hostid.h (+8/-1)
lib/tool/pk.c (+10/-1)
test/lib/tool/pk.c (+4/-1)
To merge this branch: bzr merge lp:~hipl-core/hipl/ecdsa-redhat
Reviewer Review Type Date Requested Status
René Hummen Needs Information
Diego Biurrun Needs Fixing
HIPL core team preliminary Pending
Review via email: mp+81159@code.launchpad.net

This proposal supersedes a proposal from 2011-10-30.

Description of the change

Compilation has been broken long time for Fedora and other RPM-based systems because they decided to drop elliptic curve support from OpenSSL. To put more heat on this bug #838116 and to make detailed code review easier, I decided to propose for early merging.

I would suggest to comment details here and design-level issues in the actual bug item:

https://bugs.launchpad.net/hipl/+bug/838116

NEW: I believe I have resolved the comments from Diego.

To post a comment you must log in.
Revision history for this message
Diego Biurrun (diego-biurrun) wrote : Posted in a previous version of this proposal
Download full text (5.9 KiB)

 review needs-fixing

On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
>
> --- firewall/rule_management.c 2011-08-15 14:11:56 +0000
> +++ firewall/rule_management.c 2011-10-30 07:48:24 +0000
> @@ -81,8 +81,9 @@
> /* filename needs to contain one of these to be valid HI file */
> #define RSA_FILE "_rsa_"
> #define DSA_FILE "_dsa_"
> +#ifdef HAVE_EC_CRYPTO
> #define ECDSA_FILE "_ecdsa_"
> -
> +#endif /* HAVE_EC_CRYPTO */
> #define MAX_LINE_LENGTH 512

unnecessary

> @@ -444,6 +445,7 @@
> return err;
> }
>
> +#ifdef HAVE_EC_CRYPTO
> /**
> * Load an ECDSA public key from a file and convert it into a hip_host_id.
> *
> @@ -479,6 +481,8 @@
> return err;
> }
>
> +#endif /* HAVE_EC_CRYPTO */
> +
> /**
> * load a public key from a file and convert it to a hip_host_id structure
> *

Drop the empty line before the #endif, same below

> --- lib/core/builder.h 2011-08-15 14:11:56 +0000
> +++ lib/core/builder.h 2011-10-30 07:48:24 +0000
> @@ -26,18 +26,21 @@
> #ifndef HIP_LIB_CORE_BUILDER_H
> #define HIP_LIB_CORE_BUILDER_H
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <openssl/rsa.h>
> #include <openssl/dsa.h>
> -#include <openssl/ec.h>
>
> -#include "config.h"
> #include "certtools.h"
> #include "debug.h"
> #include "icomm.h"
> #include "state.h"
>
> +#ifdef HAVE_EC_CRYPTO
> +#include <openssl/ec.h>
> +#endif /* HAVE_EC_CRYPTO */

We have system headers before local headers for a reason.

> --- lib/core/crypto.h 2011-07-18 13:10:26 +0000
> +++ lib/core/crypto.h 2011-10-30 07:48:24 +0000
> @@ -26,12 +26,16 @@
> #ifndef HIP_LIB_CORE_CRYPTO_H
> #define HIP_LIB_CORE_CRYPTO_H
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <sys/types.h>
> #include <openssl/dsa.h>
> #include <openssl/rsa.h>
> +#ifdef HAVE_EC_CRYPTO
> #include <openssl/ec.h>
> +#endif /* HAVE_EC_CRYPTO */
> #include <openssl/dh.h>
> #include <openssl/pem.h>

.. like you did here ..

> --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> @@ -28,6 +28,8 @@
> * @brief Host identifier manipulation functions
> */
>
> +#include "config.h"
> +
> #include <errno.h>
> #include <stdint.h>
> #include <stdlib.h>
> @@ -40,7 +42,6 @@
> #include <openssl/pem.h>
> #include <openssl/rsa.h>
>
> -#include "config.h"
> #include "lib/tool/pk.h"
> #include "builder.h"
> #include "crypto.h"

unnecessary / unrelated

> @@ -689,6 +715,12 @@
> struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL;
>
> + if (ecdsa_nid < 0) {
> + err = -1;
> + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> + goto out_err;
> + }

?

> @@ -1059,41 +1101,58 @@
> if (rsa_filenamebase_pub != NULL) {
> change_key_file_perms(rsa_filenamebase_pub);
> }
> - if (ecdsa_filenamebase_pub != NULL) {
> - change_key_file_perms(ecdsa_filenamebase_pub);
> - }
> - if (ecdsa_filenamebase_pub != NULL) {
> - change_key_file...

Read more...

review: Needs Fixing
Revision history for this message
Miika Komu (miika-iki) wrote : Posted in a previous version of this proposal
Download full text (6.7 KiB)

> review needs-fixing
>
> On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
> lp:hipl.
> >
> > --- firewall/rule_management.c 2011-08-15 14:11:56 +0000
> > +++ firewall/rule_management.c 2011-10-30 07:48:24 +0000
> > @@ -81,8 +81,9 @@
> > /* filename needs to contain one of these to be valid HI file */
> > #define RSA_FILE "_rsa_"
> > #define DSA_FILE "_dsa_"
> > +#ifdef HAVE_EC_CRYPTO
> > #define ECDSA_FILE "_ecdsa_"
> > -
> > +#endif /* HAVE_EC_CRYPTO */
> > #define MAX_LINE_LENGTH 512
>
> unnecessary

Fixed.

> > @@ -444,6 +445,7 @@
> > return err;
> > }
> >
> > +#ifdef HAVE_EC_CRYPTO
> > /**
> > * Load an ECDSA public key from a file and convert it into a hip_host_id.
> > *
> > @@ -479,6 +481,8 @@
> > return err;
> > }
> >
> > +#endif /* HAVE_EC_CRYPTO */
> > +
> > /**
> > * load a public key from a file and convert it to a hip_host_id structure
> > *
>
> Drop the empty line before the #endif, same below

Done.

> > --- lib/core/builder.h 2011-08-15 14:11:56 +0000
> > +++ lib/core/builder.h 2011-10-30 07:48:24 +0000
> > @@ -26,18 +26,21 @@
> > #ifndef HIP_LIB_CORE_BUILDER_H
> > #define HIP_LIB_CORE_BUILDER_H
> >
> > +#include "config.h"
> > +
> > #include <stdint.h>
> > #include <netinet/in.h>
> > #include <openssl/rsa.h>
> > #include <openssl/dsa.h>
> > -#include <openssl/ec.h>
> >
> > -#include "config.h"
> > #include "certtools.h"
> > #include "debug.h"
> > #include "icomm.h"
> > #include "state.h"
> >
> > +#ifdef HAVE_EC_CRYPTO
> > +#include <openssl/ec.h>
> > +#endif /* HAVE_EC_CRYPTO */
>
> We have system headers before local headers for a reason.

Fixed.

> > --- lib/core/crypto.h 2011-07-18 13:10:26 +0000
> > +++ lib/core/crypto.h 2011-10-30 07:48:24 +0000
> > @@ -26,12 +26,16 @@
> > #ifndef HIP_LIB_CORE_CRYPTO_H
> > #define HIP_LIB_CORE_CRYPTO_H
> >
> > +#include "config.h"
> > +
> > #include <stdint.h>
> > #include <netinet/in.h>
> > #include <sys/types.h>
> > #include <openssl/dsa.h>
> > #include <openssl/rsa.h>
> > +#ifdef HAVE_EC_CRYPTO
> > #include <openssl/ec.h>
> > +#endif /* HAVE_EC_CRYPTO */
> > #include <openssl/dh.h>
> > #include <openssl/pem.h>
>
> .. like you did here ..
>
> > --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> > +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> > @@ -28,6 +28,8 @@
> > * @brief Host identifier manipulation functions
> > */
> >
> > +#include "config.h"
> > +
> > #include <errno.h>
> > #include <stdint.h>
> > #include <stdlib.h>
> > @@ -40,7 +42,6 @@
> > #include <openssl/pem.h>
> > #include <openssl/rsa.h>
> >
> > -#include "config.h"
> > #include "lib/tool/pk.h"
> > #include "builder.h"
> > #include "crypto.h"
>
> unnecessary / unrelated

Removed.

> > @@ -689,6 +715,12 @@
> > struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> > struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL;
> >
> > + if (ecdsa_nid < 0) {
> > + err = -1;
> > + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> > + goto out_err;
> > + }
>
> ?

Does not compile otherwise when ECDSA is mi...

Read more...

Revision history for this message
Diego Biurrun (diego-biurrun) wrote : Posted in a previous version of this proposal

On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
> > On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
> > lp:hipl.
> > >
> > > --- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000
> > > +++ test/lib/tool/pk.c 2011-10-30 07:48:24 +0000
> > > @@ -27,7 +27,9 @@
> > > #include <stdlib.h>
> > > #include <string.h>
> > > #include <stdio.h>
> > > +#ifdef HAVE_EC_CRYPTO
> > > #include <openssl/ec.h>
> > > +#endif /* HAVE_EC_CRYPTO */
> > > #include <openssl/pem.h>
> >
> > see above
>
> Did not get this.

missing config.h

Diego

Revision history for this message
Miika Komu (miika-iki) wrote : Posted in a previous version of this proposal

Hi,

On 11/03/2011 05:27 PM, Diego Biurrun wrote:
> On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
>>> On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
>>>> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into
>>> lp:hipl.
>>>>
>>>> --- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000
>>>> +++ test/lib/tool/pk.c 2011-10-30 07:48:24 +0000
>>>> @@ -27,7 +27,9 @@
>>>> #include<stdlib.h>
>>>> #include<string.h>
>>>> #include<stdio.h>
>>>> +#ifdef HAVE_EC_CRYPTO
>>>> #include<openssl/ec.h>
>>>> +#endif /* HAVE_EC_CRYPTO */
>>>> #include<openssl/pem.h>
>>>
>>> see above
>>
>> Did not get this.
>
> missing config.h

thanks for the correction, committed.

lp:~hipl-core/hipl/ecdsa-redhat updated
6105. By Miika Komu

Added a missing include

File test/lib/tool/pk.c was missing a include for "config.h". It's
needed due to the conditional compilation of elliptic curves in
OpenSSL.

Revision history for this message
Diego Biurrun (diego-biurrun) wrote : Posted in a previous version of this proposal

On Thu, Nov 03, 2011 at 03:00:30PM +0000, Miika Komu wrote:
> > On Sun, Oct 30, 2011 at 07:49:28AM +0000, Miika Komu wrote:
> > > Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
> > >
> > > --- lib/core/hostid.c 2011-10-25 21:14:16 +0000
> > > +++ lib/core/hostid.c 2011-10-30 07:48:24 +0000
> > > @@ -689,6 +715,12 @@
> > > struct endpoint_hip *endpoint_ecdsa_hip = NULL;
> > > struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL;
> > >
> > > + if (ecdsa_nid < 0) {
> > > + err = -1;
> > > + HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
> > > + goto out_err;
> > > + }
> >
> > ?
>
> Does not compile otherwise when ECDSA is missing (gcc complains about
> missing variable). If you insist, I'll commit this separately to trunk
> or suggest a better fix.

You mean that gcc complains about unused parameter? This is badly designed.
The function should not need one extra parameter for each crypto algorithm
that is added.

Diego

Revision history for this message
Diego Biurrun (diego-biurrun) wrote :
Download full text (5.3 KiB)

 review needs-fixing

On Thu, Nov 03, 2011 at 03:01:41PM +0000, Miika Komu wrote:
> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
>
> NEW: I believe I have resolved the comments from Diego.

sort of :)

> --- firewall/rule_management.c 2011-08-15 14:11:56 +0000
> +++ firewall/rule_management.c 2011-11-03 15:00:34 +0000
> @@ -82,7 +82,6 @@
> #define RSA_FILE "_rsa_"
> #define DSA_FILE "_dsa_"
> #define ECDSA_FILE "_ecdsa_"
> -
> #define MAX_LINE_LENGTH 512

stray unrelated change

> @@ -444,6 +443,7 @@
> return err;
> }
>
> +#ifdef HAVE_EC_CRYPTO
> /**
> * Load an ECDSA public key from a file and convert it into a hip_host_id.
> *
> @@ -479,6 +479,8 @@
> return err;
> }
>
> +#endif /* HAVE_EC_CRYPTO */
> +
> /**
> * load a public key from a file and convert it to a hip_host_id structure
> *

Please drop the empty line befor the #ifdef.

same elsewhere

> --- lib/core/builder.h 2011-08-15 14:11:56 +0000
> +++ lib/core/builder.h 2011-11-03 15:00:34 +0000
> @@ -26,19 +26,22 @@
> #ifndef HIP_LIB_CORE_BUILDER_H
> #define HIP_LIB_CORE_BUILDER_H
>
> +#include "config.h"
> +
> #include <stdint.h>
> #include <netinet/in.h>
> #include <openssl/rsa.h>
> #include <openssl/dsa.h>
> +#ifdef HAVE_EC_CRYPTO
> #include <openssl/ec.h>
> -
> -#include "config.h"
> +#endif /* HAVE_EC_CRYPTO */
> +
> +
> #include "certtools.h"
> #include "debug.h"
> #include "icomm.h"
> #include "state.h"
>
> -
> /* Removed in 2.6.11 - why ? */
> extern struct hip_cert_spki_info hip_cert_spki_info;

one stray empty line inserted, one removed

> --- lib/core/crypto.h 2011-10-30 11:54:44 +0000
> +++ lib/core/crypto.h 2011-11-03 15:00:34 +0000
> @@ -92,25 +96,33 @@
> uint16_t hip_get_dh_size(uint8_t hip_dh_group_type);
> DSA *create_dsa_key(const int bits);
> RSA *create_rsa_key(const int bits);
> +#ifdef HAVE_EC_CRYPTO
> EC_KEY *create_ecdsa_key(const int nid);
> +#endif /* HAVE_EC_CRYPTO */
> int save_dsa_private_key(const char *const filenamebase, DSA *const dsa);
> int save_rsa_private_key(const char *const filenamebase, RSA *const rsa);
> +#ifdef HAVE_EC_CRYPTO
> int save_ecdsa_private_key(const char *const filenamebase, EC_KEY *const ecdsa);
> +#endif /* HAVE_EC_CRYPTO */
> int load_dsa_private_key(const char *const filenamebase, DSA **const dsa);
> int load_rsa_private_key(const char *const filename, RSA **const rsa);
> +#ifdef HAVE_EC_CRYPTO
> int load_ecdsa_private_key(const char *const filename, EC_KEY **const ec);
> +#endif /* HAVE_EC_CRYPTO */
> int impl_dsa_sign(const unsigned char *const digest,
> DSA *const dsa,
> unsigned char *const signature);
> int impl_dsa_verify(const unsigned char *const digest,
> DSA *const dsa,
> const unsigned char *const signature);
> +#ifdef HAVE_EC_CRYPTO
> int impl_ecdsa_sign(const unsigned char *const digest,
> EC_KEY *const ecdsa,
> unsigned char *const signature);
> int impl_ecdsa_verify(const unsigned char *const digest,
> EC_KEY *const ecdsa,
> const unsigned char *const signa...

Read more...

review: Needs Fixing
lp:~hipl-core/hipl/ecdsa-redhat updated
6106. By Miika Komu

Cleaning up the ECDSA changes

As suggested by Diego:

* Removed unrelated changes and stray empty lines
* Reverted incorrectly deleted empty lines
* Regrouped ifdeffery
* Fixed one occurrence of config.h

Revision history for this message
Miika Komu (miika-iki) wrote :
Download full text (8.0 KiB)

On 11/03/2011 07:38 PM, Diego Biurrun wrote:
> review needs-fixing
>
> On Thu, Nov 03, 2011 at 03:01:41PM +0000, Miika Komu wrote:
>> Miika Komu has proposed merging lp:~hipl-core/hipl/ecdsa-redhat into lp:hipl.
>>
>> NEW: I believe I have resolved the comments from Diego.
>
> sort of :)
>
>> --- firewall/rule_management.c 2011-08-15 14:11:56 +0000
>> +++ firewall/rule_management.c 2011-11-03 15:00:34 +0000
>> @@ -82,7 +82,6 @@
>> #define RSA_FILE "_rsa_"
>> #define DSA_FILE "_dsa_"
>> #define ECDSA_FILE "_ecdsa_"
>> -
>> #define MAX_LINE_LENGTH 512
>
> stray unrelated change

Fixed.

>> @@ -444,6 +443,7 @@
>> return err;
>> }
>>
>> +#ifdef HAVE_EC_CRYPTO
>> /**
>> * Load an ECDSA public key from a file and convert it into a hip_host_id.
>> *
>> @@ -479,6 +479,8 @@
>> return err;
>> }
>>
>> +#endif /* HAVE_EC_CRYPTO */
>> +
>> /**
>> * load a public key from a file and convert it to a hip_host_id structure
>> *
>
> Please drop the empty line befor the #ifdef.
>
> same elsewhere

I thought this was the policy, observe bzr commit:

The following differences were found between the code to commit and the
rules in '.uncrustify-0.57.cfg':

---
/home/mkomu/projects/hipl-bzr/ecdsa-redhat/firewall/rule_management.c
2011-11-03 23:08:00.909848709 +0200
+++ - 2011-11-03 23:29:16.724968313 +0200
@@ -479,6 +479,7 @@
      free(ecdsa_key_rr);
      return err;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
--- /home/mkomu/projects/hipl-bzr/ecdsa-redhat/hipd/hidb.c 2011-11-03
23:11:13.994806140 +0200
+++ - 2011-11-03 23:29:16.747797056 +0200
@@ -103,6 +103,7 @@

      return 0;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
--- /home/mkomu/projects/hipl-bzr/ecdsa-redhat/lib/core/builder.c
2011-11-03 23:14:08.179669916 +0200
+++ - 2011-11-03 23:29:16.766928680 +0200
@@ -3505,6 +3505,7 @@
      *endpoint = NULL;
      return err;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
--- /home/mkomu/projects/hipl-bzr/ecdsa-redhat/lib/core/crypto.c
2011-11-03 23:16:09.272270365 +0200
+++ - 2011-11-03 23:29:16.831275760 +0200
@@ -495,6 +495,7 @@
      ECDSA_SIG_free(ecdsa_sig);
      return err;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
@@ -573,6 +574,7 @@
      ECDSA_SIG_free(ecdsa_sig);
      return err;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
@@ -823,6 +825,7 @@
      EC_GROUP_free(group);
      return err;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
@@ -1176,6 +1179,7 @@

      return 0;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
--- /home/mkomu/projects/hipl-bzr/ecdsa-redhat/lib/core/hostid.c
2011-11-03 23:21:15.901790851 +0200
+++ - 2011-11-03 23:29:16.870163381 +0200
@@ -291,6 +291,7 @@

      return 0;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
@@ -427,6 +428,7 @@

      return 0;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
@@ -638,6 +640,7 @@

      return ret;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
@@ -1202,6 +1205,7 @@
      free(buffer);
      return err;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
--- /home/mkomu/projects/hipl-bzr/ecdsa-redhat/lib/tool/pk.c 2011-11-03
23:22:35.954187819 +0200
+++ - 2011-11-03 23:29:16.912158459 +0200
@@ -132,6 +132,7 @@

      return 0;
  }
+
  #endif /* HAVE_EC_CRYPTO */

  /**
@@...

Read more...

Revision history for this message
Diego Biurrun (diego-biurrun) wrote :

On Thu, Nov 03, 2011 at 11:37:40PM +0200, Miika Komu wrote:
> On 11/03/2011 07:38 PM, Diego Biurrun wrote:
> >On Thu, Nov 03, 2011 at 03:01:41PM +0000, Miika Komu wrote:
> >>--- firewall/rule_management.c 2011-08-15 14:11:56 +0000
> >>+++ firewall/rule_management.c 2011-11-03 15:00:34 +0000
> >>@@ -444,6 +443,7 @@
> >> return err;
> >> }
> >>
> >>+#ifdef HAVE_EC_CRYPTO
> >> /**
> >> * Load an ECDSA public key from a file and convert it into a hip_host_id.
> >> *
> >>@@ -479,6 +479,8 @@
> >> return err;
> >> }
> >>
> >>+#endif /* HAVE_EC_CRYPTO */
> >>+
> >> /**
> >> * load a public key from a file and convert it to a hip_host_id structure
> >> *
> >
> >Please drop the empty line befor the #ifdef.
> >
> >same elsewhere
>
> I thought this was the policy, observe bzr commit:
>
> The following differences were found between the code to commit and
> the rules in '.uncrustify-0.57.cfg':
>
> ---
> /home/mkomu/projects/hipl-bzr/ecdsa-redhat/firewall/rule_management.c
> 2011-11-03 23:08:00.909848709 +0200
> +++ - 2011-11-03 23:29:16.724968313 +0200
> @@ -479,6 +479,7 @@
> free(ecdsa_key_rr);
> return err;
> }
> +
> #endif /* HAVE_EC_CRYPTO */
>
> /**
>
> The above changes are also available in the file /tmp/stylecheck-diff-L4x2dJ
>
> What to do about this... any help?

It seems our uncrustify configuration is in need of fixing.
I'll look into it next week - harass me if I don't.

Diego

Revision history for this message
René Hummen (rene-hummen) wrote :

Apart from Diego's comments, this looks good to me. Did you check "make doxygen", "make check", and "make alltests"? Especially, "make alltests" may through errors as you ifdef the ecdsa.h include but node code in test/lib/tool/pk.c.

review: Needs Information
Revision history for this message
René Hummen (rene-hummen) wrote :

Sorry, "make check" might be the trouble-maker.

Revision history for this message
Miika Komu (miika-iki) wrote :
Download full text (11.8 KiB)

Good catch. All tests work on Ubuntu but check and alltests fail on Fedora 15:

[mkomu@hipserver hipl-1.0.6]$ make check
make check-am
make[1]: Entering directory `/home/mkomu/temp/hipl-1.0.6'
make test/check_firewall test/check_lib_core test/check_lib_tool test/check_modules_midauth
make[2]: Entering directory `/home/mkomu/temp/hipl-1.0.6'
  CC test/check_firewall.o
  CC test/mocks.o
  CC test/firewall/conntrack.o
  CC test/firewall/file_buffer.o
  CC test/firewall/helpers.o
  CC test/firewall/line_parser.o
  CC test/firewall/port_bindings.o
  CCLD test/check_firewall
  CC test/check_lib_core.o
  CC test/lib/core/crypto.o
test/lib/core/crypto.c: In function ‘test_create_ecdsa_key_invalid_id’:
test/lib/core/crypto.c:40:5: error: implicit declaration of function ‘create_ecdsa_key’ [-Werror=implicit-function-declaration]
test/lib/core/crypto.c:40:5: error: comparison between pointer and integer [-Werror]
test/lib/core/crypto.c:41:5: error: comparison between pointer and integer [-Werror]
test/lib/core/crypto.c:42:5: error: comparison between pointer and integer [-Werror]
test/lib/core/crypto.c:43:5: error: comparison between pointer and integer [-Werror]
test/lib/core/crypto.c: In function ‘test_create_ecdsa_key’:
test/lib/core/crypto.c:53:5: error: unknown type name ‘EC_KEY’
test/lib/core/crypto.c:59:9: error: assignment makes pointer from integer without a cast [-Werror]
test/lib/core/crypto.c:64:9: error: implicit declaration of function ‘EC_KEY_check_key’ [-Werror=implicit-function-declaration]
test/lib/core/crypto.c:65:9: error: implicit declaration of function ‘EC_KEY_free’ [-Werror=implicit-function-declaration]
test/lib/core/crypto.c: In function ‘test_create_different_ecdsa_keys’:
test/lib/core/crypto.c:76:5: error: unknown type name ‘EC_KEY’
test/lib/core/crypto.c:83:20: error: assignment makes pointer from integer without a cast [-Werror]
test/lib/core/crypto.c:85:9: error: implicit declaration of function ‘EVP_PKEY_assign_EC_KEY’ [-Werror=implicit-function-declaration]
test/lib/core/crypto.c: In function ‘test_save_invalid_ecdsa_key’:
test/lib/core/crypto.c:98:5: error: unknown type name ‘EC_KEY’
test/lib/core/crypto.c:101:5: error: implicit declaration of function ‘save_ecdsa_private_key’ [-Werror=implicit-function-declaration]
test/lib/core/crypto.c:103:11: error: assignment makes pointer from integer without a cast [-Werror]
test/lib/core/crypto.c:107:5: error: implicit declaration of function ‘EC_KEY_new’ [-Werror=implicit-function-declaration]
test/lib/core/crypto.c:107:11: error: assignment makes pointer from integer without a cast [-Werror]
test/lib/core/crypto.c: In function ‘test_load_save_ecdsa_key’:
test/lib/core/crypto.c:123:5: error: unknown type name ‘EC_KEY’
test/lib/core/crypto.c:124:5: error: unknown type name ‘EC_KEY’
test/lib/core/crypto.c:132:24: error: assignment makes pointer from integer without a cast [-Werror]
test/lib/core/crypto.c:137:5: error: implicit declaration of function ‘EVP_PKEY_get1_EC_KEY’ [-Werror=implicit-function-declaration]
test/lib/core/crypto.c:140:5: error: implicit declaration of function ‘load_ecdsa_private_key’ [-Werror=implicit-function-declarat...

Revision history for this message
Diego Biurrun (diego-biurrun) wrote :

On Thu, Nov 03, 2011 at 10:07:31PM +0000, Diego Biurrun wrote:
> On Thu, Nov 03, 2011 at 11:37:40PM +0200, Miika Komu wrote:
> > On 11/03/2011 07:38 PM, Diego Biurrun wrote:
> > >On Thu, Nov 03, 2011 at 03:01:41PM +0000, Miika Komu wrote:
> > >>--- firewall/rule_management.c 2011-08-15 14:11:56 +0000
> > >>+++ firewall/rule_management.c 2011-11-03 15:00:34 +0000
> > >>@@ -444,6 +443,7 @@
> > >>
> > >>+#ifdef HAVE_EC_CRYPTO
> > >> /**
> > >> * Load an ECDSA public key from a file and convert it into a hip_host_id.
> > >> *
> > >>@@ -479,6 +479,8 @@
> > >> return err;
> > >> }
> > >>
> > >>+#endif /* HAVE_EC_CRYPTO */
> > >>+
> > >> /**
> > >> * load a public key from a file and convert it to a hip_host_id structure
> > >> *
> > >
> > >Please drop the empty line befor the #ifdef.
> > >
> > >same elsewhere
> >
> > I thought this was the policy, observe bzr commit:
> >
> > The following differences were found between the code to commit and
> > the rules in '.uncrustify-0.57.cfg':
> >
> > ---
> > /home/mkomu/projects/hipl-bzr/ecdsa-redhat/firewall/rule_management.c
> > 2011-11-03 23:08:00.909848709 +0200
> > +++ - 2011-11-03 23:29:16.724968313 +0200
> > @@ -479,6 +479,7 @@
> > free(ecdsa_key_rr);
> > return err;
> > }
> > +
> > #endif /* HAVE_EC_CRYPTO */
> >
> > /**
> >
> > The above changes are also available in the file /tmp/stylecheck-diff-L4x2dJ
> >
> > What to do about this... any help?
>
> It seems our uncrustify configuration is in need of fixing.
> I'll look into it next week - harass me if I don't.

It's the following setting:

  # The number of newlines after '}' of a multi-line function body
  nl_after_func_body = 2 # number

This will force an empty line between functions. It does not take #endifs
into account, however. I don't much care how we handle this. We can
either live with the newline before the #endif or drop the setting.
Make your choice.

Diego

lp:~hipl-core/hipl/ecdsa-redhat updated
6107. By Miika Komu

Syncronized with trunk revision 6119

6108. By Miika Komu

Deleted some empty lines between function bodies and #endif statements

According to the new crustify policy, there is no need need to have an
empty line between the end of a function body (closing curly bracket)
and following #endif (if any present). Adjusted ECDSA-related code
according to the new policy.

Revision history for this message
Miika Komu (miika-iki) wrote :

Hi,

On 08/11/11 18:16, Diego Biurrun wrote:
> On Thu, Nov 03, 2011 at 10:07:31PM +0000, Diego Biurrun wrote:
>> On Thu, Nov 03, 2011 at 11:37:40PM +0200, Miika Komu wrote:
>>> On 11/03/2011 07:38 PM, Diego Biurrun wrote:
>>>> On Thu, Nov 03, 2011 at 03:01:41PM +0000, Miika Komu wrote:
>>>>> --- firewall/rule_management.c 2011-08-15 14:11:56 +0000
>>>>> +++ firewall/rule_management.c 2011-11-03 15:00:34 +0000
>>>>> @@ -444,6 +443,7 @@
>>>>>
>>>>> +#ifdef HAVE_EC_CRYPTO
>>>>> /**
>>>>> * Load an ECDSA public key from a file and convert it into a hip_host_id.
>>>>> *
>>>>> @@ -479,6 +479,8 @@
>>>>> return err;
>>>>> }
>>>>>
>>>>> +#endif /* HAVE_EC_CRYPTO */
>>>>> +
>>>>> /**
>>>>> * load a public key from a file and convert it to a hip_host_id structure
>>>>> *
>>>>
>>>> Please drop the empty line befor the #ifdef.
>>>>
>>>> same elsewhere
>>>
>>> I thought this was the policy, observe bzr commit:
>>>
>>> The following differences were found between the code to commit and
>>> the rules in '.uncrustify-0.57.cfg':
>>>
>>> ---
>>> /home/mkomu/projects/hipl-bzr/ecdsa-redhat/firewall/rule_management.c
>>> 2011-11-03 23:08:00.909848709 +0200
>>> +++ - 2011-11-03 23:29:16.724968313 +0200
>>> @@ -479,6 +479,7 @@
>>> free(ecdsa_key_rr);
>>> return err;
>>> }
>>> +
>>> #endif /* HAVE_EC_CRYPTO */
>>>
>>> /**
>>>
>>> The above changes are also available in the file /tmp/stylecheck-diff-L4x2dJ
>>>
>>> What to do about this... any help?
>>
>> It seems our uncrustify configuration is in need of fixing.
>> I'll look into it next week - harass me if I don't.
>
> It's the following setting:
>
> # The number of newlines after '}' of a multi-line function body
> nl_after_func_body = 2 # number
>
> This will force an empty line between functions. It does not take #endifs
> into account, however. I don't much care how we handle this. We can
> either live with the newline before the #endif or drop the setting.
> Make your choice.

done, changed this to "1" and adjusted trunk code to match this new policy.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'firewall/conntrack.c'
2--- firewall/conntrack.c 2011-11-08 18:22:33 +0000
3+++ firewall/conntrack.c 2011-11-09 06:56:25 +0000
4@@ -695,9 +695,11 @@
5 case HIP_HI_RSA:
6 RSA_free(hip_tuple->data->src_pub_key);
7 break;
8+#ifdef HAVE_EC_CRYPTO
9 case HIP_HI_ECDSA:
10 EC_KEY_free(hip_tuple->data->src_pub_key);
11 break;
12+#endif /* HAVE_EC_CRYPTO */
13 case HIP_HI_DSA:
14 DSA_free(hip_tuple->data->src_pub_key);
15 break;
16@@ -1070,10 +1072,12 @@
17 tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_rsa((const struct hip_host_id_priv *) host_id, 0);
18 tuple->hip_tuple->data->verify = hip_rsa_verify;
19 break;
20+#ifdef HAVE_EC_CRYPTO
21 case HIP_HI_ECDSA:
22 tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_ecdsa((const struct hip_host_id_priv *) host_id, 0);
23 tuple->hip_tuple->data->verify = hip_ecdsa_verify;
24 break;
25+#endif /* HAVE_EC_CRYPTO */
26 case HIP_HI_DSA:
27 tuple->hip_tuple->data->src_pub_key = hip_key_rr_to_dsa((const struct hip_host_id_priv *) host_id, 0);
28 tuple->hip_tuple->data->verify = hip_dsa_verify;
29
30=== modified file 'firewall/rule_management.c'
31--- firewall/rule_management.c 2011-08-15 14:11:56 +0000
32+++ firewall/rule_management.c 2011-11-09 06:56:25 +0000
33@@ -444,6 +444,7 @@
34 return err;
35 }
36
37+#ifdef HAVE_EC_CRYPTO
38 /**
39 * Load an ECDSA public key from a file and convert it into a hip_host_id.
40 *
41@@ -478,6 +479,7 @@
42 free(ecdsa_key_rr);
43 return err;
44 }
45+#endif /* HAVE_EC_CRYPTO */
46
47 /**
48 * load a public key from a file and convert it to a hip_host_id structure
49@@ -506,8 +508,10 @@
50 algo = HIP_HI_RSA;
51 } else if (strstr(token, DSA_FILE)) {
52 algo = HIP_HI_DSA;
53+#ifdef HAVE_EC_CRYPTO
54 } else if (strstr(token, ECDSA_FILE)) {
55 algo = HIP_HI_ECDSA;
56+#endif /* HAVE_EC_CRYPTO */
57 } else {
58 HIP_DEBUG("Invalid filename for HI: missing _rsa_ or _dsa_ \n");
59 return NULL;
60@@ -519,9 +523,11 @@
61 case HIP_HI_RSA:
62 HIP_IFEL(load_rsa_file(fp, hi), -1, "Failed to load RSA key\n");
63 break;
64+#ifdef HAVE_EC_CRYPTO
65 case HIP_HI_ECDSA:
66 HIP_IFEL(load_ecdsa_file(fp, hi), -1, "Failed to load ECDSA key\n")
67 break;
68+#endif /* HAVE_EC_CRYPTO */
69 case HIP_HI_DSA:
70 HIP_IFEL(load_dsa_file(fp, hi), -1, "Failed to load DSA key\n")
71 break;
72
73=== modified file 'hipd/cookie.c'
74--- hipd/cookie.c 2011-10-25 21:14:16 +0000
75+++ hipd/cookie.c 2011-11-09 06:56:25 +0000
76@@ -349,9 +349,11 @@
77 case HIP_HI_DSA:
78 signature_func = hip_dsa_sign;
79 break;
80+#ifdef HAVE_EC_CRYPTO
81 case HIP_HI_ECDSA:
82 signature_func = hip_ecdsa_sign;
83 break;
84+#endif /* HAVE_EC_CRYPTO */
85 default:
86 HIP_ERROR("Unkown algorithm");
87 return -1;
88
89=== modified file 'hipd/hadb.c'
90--- hipd/hadb.c 2011-11-09 06:32:02 +0000
91+++ hipd/hadb.c 2011-11-09 06:56:25 +0000
92@@ -818,9 +818,11 @@
93 case HIP_HI_RSA:
94 RSA_free(ha->peer_pub_key);
95 break;
96+#ifdef HAVE_EC_CRYPTO
97 case HIP_HI_ECDSA:
98 EC_KEY_free(ha->peer_pub_key);
99 break;
100+#endif /* HAVE_EC_CRYPTO */
101 case HIP_HI_DSA:
102 DSA_free(ha->peer_pub_key);
103 break;
104@@ -909,10 +911,12 @@
105 entry->verify = hip_dsa_verify;
106 entry->peer_pub_key = hip_key_rr_to_dsa((struct hip_host_id_priv *) entry->peer_pub, 0);
107 break;
108+#ifdef HAVE_EC_CRYPTO
109 case HIP_HI_ECDSA:
110 entry->verify = hip_ecdsa_verify;
111 entry->peer_pub_key = hip_key_rr_to_ecdsa((struct hip_host_id_priv *) entry->peer_pub, 0);
112 break;
113+#endif /* HAVE_EC_CRYPTO */
114 default:
115 HIP_OUT_ERR(-1, "Unkown algorithm");
116 }
117@@ -978,9 +982,11 @@
118 case HIP_HI_RSA:
119 entry->sign = hip_rsa_sign;
120 break;
121+#ifdef HAVE_EC_CRYPTO
122 case HIP_HI_ECDSA:
123 entry->sign = hip_ecdsa_sign;
124 break;
125+#endif /* HAVE_EC_CRYPTO */
126 default:
127 err = -1;
128 }
129
130=== modified file 'hipd/hidb.c'
131--- hipd/hidb.c 2011-10-25 21:14:16 +0000
132+++ hipd/hidb.c 2011-11-09 06:56:25 +0000
133@@ -63,6 +63,7 @@
134
135 static const char *lsi_addresses[] = { "1.0.0.1", "1.0.0.2", "1.0.0.3", "1.0.0.4" };
136
137+#ifdef HAVE_EC_CRYPTO
138 /**
139 * Strips the private key component from an ECDSA-based host id.
140 *
141@@ -102,6 +103,7 @@
142
143 return 0;
144 }
145+#endif /* HAVE_EC_CRYPTO */
146
147 /**
148 * Strips a DSA public key out of a host id with private key component
149@@ -192,8 +194,10 @@
150 return get_rsa_public_key(hid, ret);
151 case HIP_HI_DSA:
152 return get_dsa_public_key(hid, ret);
153+#ifdef HAVE_EC_CRYPTO
154 case HIP_HI_ECDSA:
155 return get_ecdsa_public_key(hid, ret);
156+#endif /* HAVE_EC_CRYPTO */
157 default:
158 HIP_ERROR("Unsupported HI algorithm\n");
159 return -1;
160@@ -284,9 +288,11 @@
161 case HIP_HI_RSA:
162 RSA_free(id->private_key);
163 break;
164+#ifdef HAVE_EC_CRYPTO
165 case HIP_HI_ECDSA:
166 EC_KEY_free(id->private_key);
167 break;
168+#endif /* HAVE_EC_CRYPTO */
169 case HIP_HI_DSA:
170 DSA_free(id->private_key);
171 break;
172@@ -510,9 +516,11 @@
173 case HIP_HI_RSA:
174 id_entry->private_key = hip_key_rr_to_rsa(host_id, 1);
175 break;
176+#ifdef HAVE_EC_CRYPTO
177 case HIP_HI_ECDSA:
178 id_entry->private_key = hip_key_rr_to_ecdsa(host_id, 1);
179 break;
180+#endif /* HAVE_EC_CRYPTO */
181 case HIP_HI_DSA:
182 id_entry->private_key = hip_key_rr_to_dsa(host_id, 1);
183 break;
184@@ -530,9 +538,11 @@
185 case HIP_HI_DSA:
186 signature_func = hip_dsa_sign;
187 break;
188+#ifdef HAVE_EC_CRYPTO
189 case HIP_HI_ECDSA:
190 signature_func = hip_ecdsa_sign;
191 break;
192+#endif /* HAVE_EC_CRYPTO */
193 default:
194 HIP_ERROR("Unsupported algorithms\n");
195 err = -1;
196@@ -558,9 +568,11 @@
197 case HIP_HI_RSA:
198 RSA_free(id_entry->private_key);
199 break;
200+#ifdef HAVE_EC_CRYPTO
201 case HIP_HI_ECDSA:
202 EC_KEY_free(id_entry->private_key);
203 break;
204+#endif /* HAVE_EC_CRYPTO */
205 case HIP_HI_DSA:
206 DSA_free(id_entry->private_key);
207 break;
208
209=== modified file 'lib/core/builder.c'
210--- lib/core/builder.c 2011-11-09 06:32:02 +0000
211+++ lib/core/builder.c 2011-11-09 06:56:25 +0000
212@@ -3459,6 +3459,7 @@
213 return hip_build_param(msg, &name_info);
214 }
215
216+#ifdef HAVE_EC_CRYPTO
217 /**
218 * Convert an EC structure from OpenSSL into an endpoint_hip structure
219 * used internally by the implementation.
220@@ -3503,6 +3504,7 @@
221 *endpoint = NULL;
222 return err;
223 }
224+#endif /* HAVE_EC_CRYPTO */
225
226 /**
227 * Convert a DSA structure from OpenSSL into an endpoint_hip structure
228@@ -3605,7 +3607,9 @@
229 struct hip_host_id *host_id_pub = NULL;
230 const RSA *const rsa_key = any_key;
231 const DSA *const dsa_key = any_key;
232- const EC_KEY *const ecdsa_key = any_key;
233+#ifdef HAVE_EC_CRYPTO
234+ const EC_KEY *const ecdsa_key = any_key;
235+#endif /* HAVE_EC_CRYPTO */
236
237 HIP_IFEL(gethostname(hostname, sizeof(hostname)), -1,
238 "gethostname failed\n");
239@@ -3615,10 +3619,12 @@
240 HIP_IFEL((key_rr_len = dsa_to_dns_key_rr(dsa_key, &key_rr)) <= 0, -1,
241 "key_rr_len\n");
242 break;
243+#ifdef HAVE_EC_CRYPTO
244 case HIP_HI_ECDSA:
245 HIP_IFEL(((key_rr_len = ecdsa_to_key_rr(ecdsa_key, &key_rr)) <= 0), -1,
246 "key_rr_len\n");
247 break;
248+#endif /* HAVE_EC_CRYPTO */
249 case HIP_HI_RSA:
250 HIP_IFEL((key_rr_len = rsa_to_dns_key_rr(rsa_key, &key_rr)) <= 0, -1,
251 "key_rr_len\n");
252
253=== modified file 'lib/core/builder.h'
254--- lib/core/builder.h 2011-08-15 14:11:56 +0000
255+++ lib/core/builder.h 2011-11-09 06:56:25 +0000
256@@ -26,13 +26,16 @@
257 #ifndef HIP_LIB_CORE_BUILDER_H
258 #define HIP_LIB_CORE_BUILDER_H
259
260+#include "config.h"
261+
262 #include <stdint.h>
263 #include <netinet/in.h>
264 #include <openssl/rsa.h>
265 #include <openssl/dsa.h>
266+#ifdef HAVE_EC_CRYPTO
267 #include <openssl/ec.h>
268+#endif /* HAVE_EC_CRYPTO */
269
270-#include "config.h"
271 #include "certtools.h"
272 #include "debug.h"
273 #include "icomm.h"
274@@ -219,10 +222,12 @@
275 struct endpoint_hip **endpoint,
276 se_hip_flags endpoint_flags,
277 const char *const hostname);
278+#ifdef HAVE_EC_CRYPTO
279 int ecdsa_to_hip_endpoint(const EC_KEY *const ecdsa,
280 struct endpoint_hip **const endpoint,
281 const se_hip_flags endpoint_flags,
282 const char *const hostname);
283+#endif /* HAVE_EC_CRYPTO */
284 int hip_any_key_to_hit(const void *const any_key,
285 hip_hit_t *const hit,
286 const int is_public,
287
288=== modified file 'lib/core/crypto.c'
289--- lib/core/crypto.c 2011-09-21 14:22:17 +0000
290+++ lib/core/crypto.c 2011-11-09 06:56:25 +0000
291@@ -459,6 +459,7 @@
292 return err;
293 }
294
295+#ifdef HAVE_EC_CRYPTO
296 /**
297 * Sign using ECDSA
298 *
299@@ -494,6 +495,7 @@
300 ECDSA_SIG_free(ecdsa_sig);
301 return err;
302 }
303+#endif /* HAVE_EC_CRYPTO */
304
305 /**
306 * Sign using DSA
307@@ -536,6 +538,7 @@
308 return err;
309 }
310
311+#ifdef HAVE_EC_CRYPTO
312 /**
313 * Verify an ECDSA signature
314 *
315@@ -570,6 +573,7 @@
316 ECDSA_SIG_free(ecdsa_sig);
317 return err;
318 }
319+#endif /* HAVE_EC_CRYPTO */
320
321 /**
322 * Verify a DSA signature
323@@ -780,6 +784,7 @@
324 return NULL;
325 }
326
327+#ifdef HAVE_EC_CRYPTO
328 /**
329 * Generate ECDSA parameters and a new key pair.
330 *
331@@ -818,6 +823,7 @@
332 EC_GROUP_free(group);
333 return err;
334 }
335+#endif /* HAVE_EC_CRYPTO */
336
337 /**
338 * Save host DSA keys to disk.
339@@ -1015,6 +1021,7 @@
340 return err;
341 }
342
343+#ifdef HAVE_EC_CRYPTO
344 /**
345 * Save the host's ECDSA keys to disk.
346 *
347@@ -1169,6 +1176,7 @@
348
349 return 0;
350 }
351+#endif /* HAVE_EC_CRYPTO */
352
353 /**
354 * Load host DSA private keys from disk.
355
356=== modified file 'lib/core/crypto.h'
357--- lib/core/crypto.h 2011-10-30 11:54:44 +0000
358+++ lib/core/crypto.h 2011-11-09 06:56:25 +0000
359@@ -26,12 +26,16 @@
360 #ifndef HIP_LIB_CORE_CRYPTO_H
361 #define HIP_LIB_CORE_CRYPTO_H
362
363+#include "config.h"
364+
365 #include <stdint.h>
366 #include <netinet/in.h>
367 #include <sys/types.h>
368 #include <openssl/dsa.h>
369 #include <openssl/rsa.h>
370+#ifdef HAVE_EC_CRYPTO
371 #include <openssl/ec.h>
372+#endif /* HAVE_EC_CRYPTO */
373 #include <openssl/dh.h>
374 #include <openssl/pem.h>
375
376@@ -92,28 +96,31 @@
377 uint16_t hip_get_dh_size(uint8_t hip_dh_group_type);
378 DSA *create_dsa_key(const int bits);
379 RSA *create_rsa_key(const int bits);
380-EC_KEY *create_ecdsa_key(const int nid);
381 int save_dsa_private_key(const char *const filenamebase, DSA *const dsa);
382 int save_rsa_private_key(const char *const filenamebase, RSA *const rsa);
383-int save_ecdsa_private_key(const char *const filenamebase, EC_KEY *const ecdsa);
384 int load_dsa_private_key(const char *const filenamebase, DSA **const dsa);
385 int load_rsa_private_key(const char *const filename, RSA **const rsa);
386-int load_ecdsa_private_key(const char *const filename, EC_KEY **const ec);
387 int impl_dsa_sign(const unsigned char *const digest,
388 DSA *const dsa,
389 unsigned char *const signature);
390 int impl_dsa_verify(const unsigned char *const digest,
391 DSA *const dsa,
392 const unsigned char *const signature);
393+int hip_write_hmac(int type, const void *key, void *in, int in_len, void *out);
394+int hip_crypto_encrypted(void *data, const void *iv, int enc_alg, int enc_len,
395+ uint8_t *enc_key, int direction);
396+void get_random_bytes(void *buf, int n);
397+
398+#ifdef HAVE_EC_CRYPTO
399+EC_KEY *create_ecdsa_key(const int nid);
400+int save_ecdsa_private_key(const char *const filenamebase, EC_KEY *const ecdsa);
401+int load_ecdsa_private_key(const char *const filename, EC_KEY **const ec);
402 int impl_ecdsa_sign(const unsigned char *const digest,
403 EC_KEY *const ecdsa,
404 unsigned char *const signature);
405 int impl_ecdsa_verify(const unsigned char *const digest,
406 EC_KEY *const ecdsa,
407 const unsigned char *const signature);
408-int hip_write_hmac(int type, const void *key, void *in, int in_len, void *out);
409-int hip_crypto_encrypted(void *data, const void *iv, int enc_alg, int enc_len,
410- uint8_t *enc_key, int direction);
411-void get_random_bytes(void *buf, int n);
412+#endif /* HAVE_EC_CRYPTO */
413
414 #endif /* HIP_LIB_CORE_CRYPTO_H */
415
416=== modified file 'lib/core/hostid.c'
417--- lib/core/hostid.c 2011-10-25 21:14:16 +0000
418+++ lib/core/hostid.c 2011-11-09 06:56:25 +0000
419@@ -250,6 +250,7 @@
420 return err;
421 }
422
423+#ifdef HAVE_EC_CRYPTO
424 /**
425 * Convert ECDSA-based private host id to a HIT.
426 *
427@@ -290,6 +291,7 @@
428
429 return 0;
430 }
431+#endif /* HAVE_EC_CRYPTO */
432
433 /**
434 * Convert RSA, DSA, or ECDSA-based private host id to a HIT
435@@ -310,13 +312,16 @@
436 return private_dsa_host_id_to_hit(host_id, hit, hit_type);
437 case HIP_HI_RSA:
438 return private_rsa_host_id_to_hit(host_id, hit, hit_type);
439+#ifdef HAVE_EC_CRYPTO
440 case HIP_HI_ECDSA:
441 return private_ecdsa_host_id_to_hit(host_id, hit, hit_type);
442+#endif /* HAVE_EC_CRYPTO */
443 default:
444 return -ENOSYS;
445 }
446 }
447
448+#ifdef HAVE_EC_CRYPTO
449 /*
450 * Translate the openssl specific curve id into the coressponding HIP id.
451 *
452@@ -422,6 +427,7 @@
453
454 return 0;
455 }
456+#endif /* HAVE_EC_CRYPTO */
457
458 /**
459 * dig out RSA key length from an host id
460@@ -553,6 +559,7 @@
461 return dsa;
462 }
463
464+#ifdef HAVE_EC_CRYPTO
465 /**
466 * convert a ECDSA-based host id into an OpenSSL structure
467 *
468@@ -631,6 +638,7 @@
469
470 return ret;
471 }
472+#endif /* HAVE_EC_CRYPTO */
473
474 /**
475 * (Re)create new host identities or load existing ones, and append the
476@@ -664,30 +672,44 @@
477 const int dsa_key_bits,
478 const int ecdsa_nid)
479 {
480- int err = 0, dsa_key_rr_len = 0, rsa_key_rr_len = 0, ecdsa_key_rr_len = 0;
481- int dsa_pub_key_rr_len = 0, rsa_pub_key_rr_len = 0, ecdsa_pub_key_rr_len = 0;
482+ int err = 0, dsa_key_rr_len = 0, rsa_key_rr_len = 0;
483+ int dsa_pub_key_rr_len = 0, rsa_pub_key_rr_len = 0;
484 hip_hdr numeric_action = 0;
485 char hostname[HIP_HOST_ID_HOSTNAME_LEN_MAX];
486- const char *rsa_filenamebase = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
487- const char *dsa_filenamebase = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
488- const char *ecdsa_filenamebase = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
489- const char *rsa_filenamebase_pub = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
490- const char *dsa_filenamebase_pub = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
491- const char *ecdsa_filenamebase_pub = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
492- unsigned char *dsa_key_rr = NULL, *rsa_key_rr = NULL, *ecdsa_key_rr = NULL;
493- unsigned char *dsa_pub_key_rr = NULL, *rsa_pub_key_rr = NULL, *ecdsa_pub_key_rr = NULL;
494- DSA *dsa_key = NULL, *dsa_pub_key = NULL;
495- RSA *rsa_key = NULL, *rsa_pub_key = NULL;
496- EC_KEY *ecdsa_key = NULL, *ecdsa_pub_key = NULL;
497- struct hip_host_id_local rsa_lhi, dsa_lhi, ecdsa_lhi, rsa_pub_lhi, dsa_pub_lhi, ecdsa_pub_lhi;
498- struct hip_host_id *dsa_host_id = NULL, *rsa_host_id = NULL, *ecdsa_host_id = NULL;
499- struct hip_host_id *dsa_pub_host_id = NULL, *rsa_pub_host_id = NULL, *ecdsa_pub_host_id = NULL;
500+ const char *rsa_filenamebase = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
501+ const char *dsa_filenamebase = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
502+ const char *rsa_filenamebase_pub = DEFAULT_HOST_RSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
503+ const char *dsa_filenamebase_pub = DEFAULT_HOST_DSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
504+ unsigned char *dsa_key_rr = NULL, *rsa_key_rr = NULL;
505+ unsigned char *dsa_pub_key_rr = NULL, *rsa_pub_key_rr = NULL;
506+ DSA *dsa_key = NULL, *dsa_pub_key = NULL;
507+ RSA *rsa_key = NULL, *rsa_pub_key = NULL;
508+ struct hip_host_id_local rsa_lhi, dsa_lhi, rsa_pub_lhi, dsa_pub_lhi;
509+ struct hip_host_id *dsa_host_id = NULL, *rsa_host_id = NULL;
510+ struct hip_host_id *dsa_pub_host_id = NULL, *rsa_pub_host_id = NULL;
511 struct endpoint_hip *endpoint_dsa_hip = NULL;
512 struct endpoint_hip *endpoint_dsa_pub_hip = NULL;
513 struct endpoint_hip *endpoint_rsa_hip = NULL;
514 struct endpoint_hip *endpoint_rsa_pub_hip = NULL;
515 struct endpoint_hip *endpoint_ecdsa_hip = NULL;
516 struct endpoint_hip *endpoint_ecdsa_pub_hip = NULL;
517+#ifdef HAVE_EC_CRYPTO
518+ int ecdsa_key_rr_len = 0, ecdsa_pub_key_rr_len = 0;
519+ const char *ecdsa_filenamebase = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_ANON_HI_FILE_NAME_SUFFIX;
520+ const char *ecdsa_filenamebase_pub = DEFAULT_HOST_ECDSA_KEY_FILE_BASE DEFAULT_PUB_HI_FILE_NAME_SUFFIX;
521+ unsigned char *ecdsa_key_rr = NULL;
522+ unsigned char *ecdsa_pub_key_rr = NULL;
523+ EC_KEY *ecdsa_key = NULL, *ecdsa_pub_key = NULL;
524+ struct hip_host_id_local ecdsa_lhi, ecdsa_pub_lhi;
525+ struct hip_host_id *ecdsa_host_id = NULL;
526+ struct hip_host_id *ecdsa_pub_host_id = NULL;
527+#endif /* HAVE_EC_CRYPTO */
528+
529+ if (ecdsa_nid < 0) {
530+ err = -1;
531+ HIP_ERROR("NID for ECDSA is strange %d\n", ecdsa_nid);
532+ goto out_err;
533+ }
534
535 if (action == ACTION_ADD) {
536 numeric_action = HIP_MSG_ADD_LOCAL_HI;
537@@ -726,6 +748,7 @@
538 HIP_ERROR("Saving of DSA key failed.\n");
539 goto out_err;
540 }
541+#ifdef HAVE_EC_CRYPTO
542 } else if (!strcmp(hi_fmt, "ecdsa")) {
543 ecdsa_key = create_ecdsa_key(ecdsa_nid);
544 HIP_IFEL(!ecdsa_key, -EINVAL,
545@@ -734,6 +757,7 @@
546 HIP_ERROR("Saving of ECDSA key failed.\n");
547 goto out_err;
548 }
549+#endif /* HAVE_EC_CRYPTO */
550 } else { /*RSA*/
551 rsa_key = create_rsa_key(rsa_key_bits);
552 HIP_IFEL(!rsa_key, -EINVAL,
553@@ -764,6 +788,7 @@
554 HIP_IFEL(!rsa_pub_key, -EINVAL,
555 "Creation of public RSA key failed.\n");
556
557+#ifdef HAVE_EC_CRYPTO
558 ecdsa_key = create_ecdsa_key(ecdsa_nid);
559 HIP_IFEL(!ecdsa_key, -EINVAL,
560 "Creation of ECDSA key failed.\n");
561@@ -772,6 +797,17 @@
562 HIP_IFEL(!ecdsa_pub_key, -EINVAL,
563 "Creation of public ECDSA key failed.\n");
564
565+ if ((err = save_ecdsa_private_key(ecdsa_filenamebase, ecdsa_key))) {
566+ HIP_ERROR("Saving of ECDSA key failed.\n");
567+ goto out_err;
568+ }
569+
570+ if ((err = save_ecdsa_private_key(ecdsa_filenamebase_pub, ecdsa_pub_key))) {
571+ HIP_ERROR("Saving of public ECDSA key failed.\n");
572+ goto out_err;
573+ }
574+#endif /* HAVE_EC_CRYPTO */
575+
576 if ((err = save_dsa_private_key(dsa_filenamebase, dsa_key))) {
577 HIP_ERROR("Saving of DSA key failed.\n");
578 goto out_err;
579@@ -792,16 +828,6 @@
580 goto out_err;
581 }
582
583- if ((err = save_ecdsa_private_key(ecdsa_filenamebase, ecdsa_key))) {
584- HIP_ERROR("Saving of ECDSA key failed.\n");
585- goto out_err;
586- }
587-
588- if ((err = save_ecdsa_private_key(ecdsa_filenamebase_pub, ecdsa_pub_key))) {
589- HIP_ERROR("Saving of public ECDSA key failed.\n");
590- goto out_err;
591- }
592-
593 break;
594
595 case ACTION_ADD:
596@@ -823,6 +849,7 @@
597 HIP_ERROR("Building of host id failed\n");
598 goto out_err;
599 }
600+#ifdef HAVE_EC_CRYPTO
601 } else if (!strcmp(hi_fmt, "ecdsa")) {
602 if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) {
603 HIP_ERROR("Loading of the ECDSA key failed\n");
604@@ -839,6 +866,7 @@
605 HIP_ERROR("Building of host id failed\n");
606 goto out_err;
607 }
608+#endif /* HAVE_EC_CRYPTO */
609 } else { /*RSA*/
610 if ((err = load_rsa_private_key(hi_file, &rsa_key))) {
611 HIP_ERROR("Failed to load RSA key from file %s\n", hi_file);
612@@ -910,6 +938,7 @@
613 goto out_err;
614 }
615 }
616+#ifdef HAVE_EC_CRYPTO
617 } else if (!strcmp(hi_fmt, "ecdsa")) {
618 if (anon) {
619 if ((err = load_ecdsa_private_key(ecdsa_filenamebase, &ecdsa_key))) {
620@@ -958,6 +987,7 @@
621 goto out_err;
622 }
623 }
624+#endif /* HAVE_EC_CRYPTO */
625 } else if (anon) { /* rsa anon */
626 if ((err = load_rsa_private_key(rsa_filenamebase, &rsa_key))) {
627 HIP_ERROR("Loading of the RSA key failed\n");
628@@ -1059,41 +1089,47 @@
629 if (rsa_filenamebase_pub != NULL) {
630 change_key_file_perms(rsa_filenamebase_pub);
631 }
632- if (ecdsa_filenamebase_pub != NULL) {
633- change_key_file_perms(ecdsa_filenamebase_pub);
634- }
635- if (ecdsa_filenamebase_pub != NULL) {
636- change_key_file_perms(ecdsa_filenamebase_pub);
637- }
638
639 free(dsa_host_id);
640 free(dsa_pub_host_id);
641- free(ecdsa_host_id);
642- free(ecdsa_pub_host_id);
643 free(rsa_host_id);
644 free(rsa_pub_host_id);
645 DSA_free(dsa_key);
646- EC_KEY_free(ecdsa_key);
647 RSA_free(rsa_key);
648 DSA_free(dsa_pub_key);
649- EC_KEY_free(ecdsa_pub_key);
650 RSA_free(rsa_pub_key);
651 free(dsa_key_rr);
652- free(ecdsa_key_rr);
653 free(rsa_key_rr);
654 free(dsa_pub_key_rr);
655- free(ecdsa_pub_key_rr);
656 free(rsa_pub_key_rr);
657 free(endpoint_dsa_hip);
658- free(endpoint_ecdsa_hip);
659 free(endpoint_rsa_hip);
660 free(endpoint_dsa_pub_hip);
661+ free(endpoint_rsa_pub_hip);
662+
663+#ifdef HAVE_EC_CRYPTO
664+ /* We make exeception to the common memory deallocation policy (LIFO)
665+ * here to group of all ECDSA deallocations between a single ifdef */
666+ if (ecdsa_filenamebase_pub != NULL) {
667+ change_key_file_perms(ecdsa_filenamebase_pub);
668+ }
669+ if (ecdsa_filenamebase_pub != NULL) {
670+ change_key_file_perms(ecdsa_filenamebase_pub);
671+ }
672+ free(ecdsa_host_id);
673+ free(ecdsa_pub_host_id);
674+ EC_KEY_free(ecdsa_key);
675+ EC_KEY_free(ecdsa_pub_key);
676+ free(ecdsa_key_rr);
677+ free(ecdsa_pub_key_rr);
678+ free(endpoint_ecdsa_hip);
679 free(endpoint_ecdsa_pub_hip);
680- free(endpoint_rsa_pub_hip);
681+#endif /* HAVE_EC_CRYPTO */
682
683 return err;
684 }
685
686+#ifdef HAVE_EC_CRYPTO
687 /**
688 * Serialize an ECDSA public key.
689 *
690@@ -1166,6 +1202,7 @@
691 free(buffer);
692 return err;
693 }
694+#endif /* HAVE_EC_CRYPTO */
695
696 /**
697 * create DNS KEY RR record from host DSA key
698
699=== modified file 'lib/core/hostid.h'
700--- lib/core/hostid.h 2011-07-18 13:10:26 +0000
701+++ lib/core/hostid.h 2011-11-09 06:56:25 +0000
702@@ -26,10 +26,14 @@
703 #ifndef HIP_LIB_CORE_HOSTID_H
704 #define HIP_LIB_CORE_HOSTID_H
705
706+#include "config.h"
707+
708 #include <netinet/in.h>
709 #include <openssl/dsa.h>
710 #include <openssl/rsa.h>
711+#ifdef HAVE_EC_CRYPTO
712 #include <openssl/ec.h>
713+#endif /* HAVE_EC_CRYPTO */
714
715 #include "protodefs.h"
716 #include "state.h"
717@@ -62,11 +66,14 @@
718 struct hip_ecdsa_keylen *const ret);
719 RSA *hip_key_rr_to_rsa(const struct hip_host_id_priv *const host_id, const int is_priv);
720 DSA *hip_key_rr_to_dsa(const struct hip_host_id_priv *const host_id, const int is_priv);
721-EC_KEY *hip_key_rr_to_ecdsa(const struct hip_host_id_priv *const host_id, const int is_priv);
722
723 int dsa_to_dns_key_rr(const DSA *const dsa, unsigned char **const buf);
724 int rsa_to_dns_key_rr(const RSA *const rsa, unsigned char **const rsa_key_rr);
725+
726+#ifdef HAVE_EC_CRYPTO
727+EC_KEY *hip_key_rr_to_ecdsa(const struct hip_host_id_priv *const host_id, const int is_priv);
728 int ecdsa_to_key_rr(const EC_KEY *const ecdsa, unsigned char **const ec_key_rr);
729+#endif /* HAVE_EC_CRYPTO */
730
731 int hip_serialize_host_id_action(struct hip_common *msg,
732 const int action,
733
734=== modified file 'lib/tool/pk.c'
735--- lib/tool/pk.c 2011-08-15 14:11:56 +0000
736+++ lib/tool/pk.c 2011-11-09 06:56:25 +0000
737@@ -8,6 +8,8 @@
738 * @brief HIPL wrappers for OpenSSL public key operations.
739 */
740
741+#include "config.h"
742+
743 #include <errno.h>
744 #include <stdint.h>
745 #include <stdlib.h>
746@@ -15,7 +17,9 @@
747 #include <netinet/in.h>
748 #include <openssl/bn.h>
749 #include <openssl/dsa.h>
750+#ifdef HAVE_EC_CRYPTO
751 #include <openssl/ecdsa.h>
752+#endif /* HAVE_EC_CRYPTO */
753 #include <openssl/objects.h>
754 #include <openssl/rsa.h>
755
756@@ -26,7 +30,6 @@
757 #include "lib/core/performance.h"
758 #include "lib/core/prefix.h"
759 #include "lib/core/protodefs.h"
760-#include "config.h"
761 #include "pk.h"
762
763 /**
764@@ -75,6 +78,7 @@
765 return err;
766 }
767
768+#ifdef HAVE_EC_CRYPTO
769 /**
770 * Sign a HIP control message with a private ECDSA key.
771 *
772@@ -128,6 +132,7 @@
773
774 return 0;
775 }
776+#endif /* HAVE_EC_CRYPTO */
777
778 /**
779 * sign a HIP control message with a private DSA key
780@@ -225,8 +230,10 @@
781 /* RSA_verify returns 0 on failure */
782 err = !RSA_verify(NID_sha1, sha1_digest, SHA_DIGEST_LENGTH,
783 sig->signature, RSA_size(peer_pub), peer_pub);
784+#ifdef HAVE_EC_CRYPTO
785 } else if (type == HIP_HI_ECDSA) {
786 err = impl_ecdsa_verify(sha1_digest, peer_pub, sig->signature);
787+#endif /* HAVE_EC_CRYPTO */
788 } else {
789 err = impl_dsa_verify(sha1_digest, peer_pub, sig->signature);
790 }
791@@ -259,6 +266,7 @@
792 return err;
793 }
794
795+#ifdef HAVE_EC_CRYPTO
796 /**
797 * Verify the ECDSA signature from a message.
798 *
799@@ -271,6 +279,7 @@
800 {
801 return verify(peer_pub, msg, HIP_HI_ECDSA);
802 }
803+#endif /* HAVE_EC_CRYPTO */
804
805 /**
806 * RSA signature verification function
807
808=== modified file 'test/lib/tool/pk.c'
809--- test/lib/tool/pk.c 2011-07-18 13:10:10 +0000
810+++ test/lib/tool/pk.c 2011-11-09 06:56:25 +0000
811@@ -23,17 +23,20 @@
812 * OTHER DEALINGS IN THE SOFTWARE.
813 */
814
815+#include "config.h"
816+
817 #include <check.h>
818 #include <stdlib.h>
819 #include <string.h>
820 #include <stdio.h>
821+#ifdef HAVE_EC_CRYPTO
822 #include <openssl/ec.h>
823+#endif /* HAVE_EC_CRYPTO */
824 #include <openssl/pem.h>
825
826 #include "lib/core/debug.h"
827 #include "lib/core/crypto.h"
828 #include "lib/tool/pk.h"
829-#include "config.h"
830 #include "test_suites.h"
831
832 START_TEST(test_ecdsa_sign_verify)

Subscribers

People subscribed via source and target branches

to all changes: