Merge lp:~stefan.goetz-deactivatedaccount/hipl/hidb-db into lp:hipl

Hi,
after having looked through this branch I have one question and only a single remark on your code:

In revision 5941:
> Remove the locking macros for the HIDB because they are not used.

What do you mean with "they are not used"? Because there are lots of calls to lock / unlock that
you remove and without looking deeper into it seems like it is used here. Or is it because all
access is done on our local hidb and we are neither multi-threaded nor does it get accessed from
beyond the file so no locking is necessary?

> -struct local_host_id *hip_get_hostid_entry_by_lhi_and_algo(HIP_HASHTABLE *db,
> - const struct in6_addr *hit,
> +struct local_host_id *hip_get_hostid_entry_by_lhi_and_algo(const struct in6_addr *hit,

"const struct in6_addr *const hit" would be more correct here?

> +/**
> + * A call-back function for finding a host association between a given peer HIT
> + * and any of the iteratively provided local HIs.
> + *
> + * @param lhi Points to a local_host_id object from which contains the
> + * local HIT of the HA to find.

"Points to a local_host_id object which contains"

> -int hip_hidb_match(const void *ptr1, const void *ptr2)
> +static int hip_hidb_match(const void *ptr1, const void *ptr2)

*const ptr1 and *const ptr2 would be more correct?

Other than that, as far as I'm able to judge it's looking good. Nice one! :)

PS: hipd crashes on shutdown after doing a base exchange. This has already been fixed in trunk revision 5948 and applying the change fixes it good.

Hi David!

Thanks for the review!

> In revision 5941:
>> Remove the locking macros for the HIDB because they are not used.
>
> What do you mean with "they are not used"? Because there are lots of calls to lock / unlock that
> you remove and without looking deeper into it seems like it is used here. Or is it because all
> access is done on our local hidb and we are neither multi-threaded nor does it get accessed from
> beyond the file so no locking is necessary?

I believe the locking is not used because:

- The code does not compile when enabling locking (note that locking is disabled
via a '#if 0')

- Locking was disabled by a commit in 2007 and I have no evidence that it was
ever enabled again

- The locking logic in trunk is badly broken. Exhibit 1: the core lookup
function hip_get_hostid_entry_by_lhi_and_algo() does not use locking. Exhibit 2:
hip_del_host_id() unlocks the database although the code path up to that point
never acquires a lock. Exhibit 3: Some code paths in hip_del_host_id() unlock
the database, some others do not. The list goes on...

- There is no multi-threading in HIPL (... for all I know. But given the above
reasons, I really really hope so, too)

Thus, I think it makes a lot of sense to remove the locking code because it
needs *major* re-working anyway.

>> -struct local_host_id *hip_get_hostid_entry_by_lhi_and_algo(HIP_HASHTABLE *db,
>> - const struct in6_addr *hit,
>> +struct local_host_id *hip_get_hostid_entry_by_lhi_and_algo(const struct in6_addr *hit,
>
> "const struct in6_addr *const hit" would be more correct here?

I wanted to address const correctness in one big commit, but anyway. Fixed in
rev. 5954

>> +/**
>> + * A call-back function for finding a host association between a given peer HIT
>> + * and any of the iteratively provided local HIs.
>> + *
>> + * @param lhi Points to a local_host_id object from which contains the
>> + * local HIT of the HA to find.
>
> "Points to a local_host_id object which contains"

Oops. Fixed in rev. 5953

>> -int hip_hidb_match(const void *ptr1, const void *ptr2)
>> +static int hip_hidb_match(const void *ptr1, const void *ptr2)
>
> *const ptr1 and *const ptr2 would be more correct?

Fixed in rev. 5954

> Other than that, as far as I'm able to judge it's looking good. Nice one! :)

Thanks! If this addresses all your concerns, please do not forget to change your
vote to 'accept'.

> PS: hipd crashes on shutdown after doing a base exchange. This has already been fixed in trunk revision 5948 and applying the change fixes it good.

Good to know, thanks!

Stefan

> Hi David!
>
> Thanks for the review!
>
> > In revision 5941:
> >> Remove the locking macros for the HIDB because they are not used.
> >
> > What do you mean with "they are not used"? Because there are lots of calls
> to lock / unlock that
> > you remove and without looking deeper into it seems like it is used here. Or
> is it because all
> > access is done on our local hidb and we are neither multi-threaded nor does
> it get accessed from
> > beyond the file so no locking is necessary?
>
> I believe the locking is not used because:
>
> - The code does not compile when enabling locking (note that locking is
> disabled
> via a '#if 0')
>
> - Locking was disabled by a commit in 2007 and I have no evidence that it was
> ever enabled again
>
> - The locking logic in trunk is badly broken. Exhibit 1: the core lookup
> function hip_get_hostid_entry_by_lhi_and_algo() does not use locking. Exhibit
> 2:
> hip_del_host_id() unlocks the database although the code path up to that point
> never acquires a lock. Exhibit 3: Some code paths in hip_del_host_id() unlock
> the database, some others do not. The list goes on...
>
> - There is no multi-threading in HIPL (... for all I know. But given the above
> reasons, I really really hope so, too)
>
> Thus, I think it makes a lot of sense to remove the locking code because it
> needs *major* re-working anyway.

Miika might be the person to judge this best, but to the best of my knowledge locking is not used in HIPL in the current implementation.

review needs-fixing

On 20.05.2011, at 23:26, Stefan Götz wrote:
> Stefan Götz has proposed merging lp:~stefan.goetz/hipl/hidb-db into lp:hipl.
>
> Requested reviews:
> HIPL core team (hipl-core)
>
> For more details, see:
> https://code.launchpad.net/~stefan.goetz/hipl/hidb-db/+merge/61832
>
> Cleans up the API of the HIDB. It removes all direct external accesses to the HIDB and ensures that the HIDB is only accessed through accessor functions.
>
> Reviewing the individual commits provides additional context.
[...]
> === modified file 'hipd/hadb.c'
> @@ -983,10 +1001,12 @@
> * Note, that hip_get_host_id() allocates a new buffer and this buffer
> * must be freed in out_err if an error occurs. */
>
> - if (hip_get_host_id_and_priv_key(HIP_DB_LOCAL_HID, hit_our, HIP_HI_RSA,
> + if (hip_get_host_id_and_priv_key(hit_our, HIP_HI_RSA,
> &entry->our_pub, &entry->our_priv_key)) {
> - HIP_IFEL(hip_get_host_id_and_priv_key(HIP_DB_LOCAL_HID, hit_our,
> - HIP_HI_DSA, &entry->our_pub, &entry->our_priv_key),
> + HIP_IFEL(hip_get_host_id_and_priv_key(hit_our,
> + HIP_HI_DSA,
> + &entry->our_pub,
> + &entry->our_priv_key),
> -1, "Local host identity not found\n");
> }

Would it be possible to further abstract from the HI algorithm here? Right now, we need to look for an RSA key first and then fall back to DSA. What happens when we add ECDSA? We will need to add that case to many if not all calls to hip_get_host_id_and_priv_key().

> === modified file 'hipd/hidb.c'
[...]
> - id = hip_get_hostid_entry_by_lhi_and_algo(db, &hit, HIP_ANY_ALGO, -1);
> + id = hip_get_hostid_entry_by_lhi_and_algo(&hit, HIP_ANY_ALGO, -1);

Is there any call to hip_get_hostid_entry_by_lhi_and_algo() with a parameter different from HIP_ANY_ALGO? Furthermore, is there any call with a parameter different from (anon=) -1? If not, these point to another possibility of cleaning up the API.

> === modified file 'hipd/hidb.h'
[...]
> void hip_uninit_host_id_dbs(void);

This function seems to introduce unnecessary call indirection seeing that hip_uninit_hostid_db() does exactly the same.

Otherwise, this merge proposal seems good to me. However, you made changes to core HI handling components of HIPL, so please test your changes extensively. I suggest running tests in your own VMs including BEX and UPDATE exchanges, running Valgrind and making a test deployment in our testbed before committing these changes to trunk.

Thanks for these changes to core components!

--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://www.comsys.rwth-aachen.de/team/rene-hummen/

We don't have yet threading support, hence there's no need for locking. I think (most of) the old locking code should have been removed by now.

> Is there any call to hip_get_hostid_entry_by_lhi_and_algo() with a parameter different from
> HIP_ANY_ALGO? Furthermore, is there any call with a parameter different from (anon=) -1? If not,
> these point to another possibility of cleaning up the API.

I would encourage to keep it. We need it for RFC5201-bis and crypto agility.

Hi René!

Thanks for reviewing!

>> -    if (hip_get_host_id_and_priv_key(HIP_DB_LOCAL_HID, hit_our, HIP_HI_RSA,
>> +    if (hip_get_host_id_and_priv_key(hit_our, HIP_HI_RSA,
>>                                      &entry->our_pub, &entry->our_priv_key)) {
>> -        HIP_IFEL(hip_get_host_id_and_priv_key(HIP_DB_LOCAL_HID, hit_our,
>> -                                              HIP_HI_DSA, &entry->our_pub, &entry->our_priv_key),
>> +        HIP_IFEL(hip_get_host_id_and_priv_key(hit_our,
>> +                                              HIP_HI_DSA,
>> +                                              &entry->our_pub,
>> +                                              &entry->our_priv_key),
>>                  -1, "Local host identity not found\n");
>>     }
>
> Would it be possible to further abstract from the HI algorithm here? Right now, we need to look for an RSA key first and then fall back to DSA. What happens when we add ECDSA? We will need to add that case to many if not all calls to hip_get_host_id_and_priv_key().

Further abstraction is certainly possible but right now not the focus
of this branch. I have a keys branch for toying around with an
algorithm-agnostic interface to crypto functionality but that is at an
infant's stage. Expect it to be ready anytime around 2020 :)

>> === modified file 'hipd/hidb.c'
> [...]
>> -    id = hip_get_hostid_entry_by_lhi_and_algo(db, &hit, HIP_ANY_ALGO, -1);
>> +    id = hip_get_hostid_entry_by_lhi_and_algo(&hit, HIP_ANY_ALGO, -1);
>
> Is there any call to hip_get_hostid_entry_by_lhi_and_algo() with a parameter different from HIP_ANY_ALGO? Furthermore, is there any call with a parameter different from (anon=) -1? If not, these point to another possibility of cleaning up the API.

We cannot get rid of this function altogether but similar cleanup will
be part of future merge proposals on the HIDB API.

>> void hip_uninit_host_id_dbs(void);
>
> This function seems to introduce unnecessary call indirection seeing that hip_uninit_hostid_db() does exactly the same.

You are correct in terms of functionality but these are two different
interfaces, one for the HIDB, one for the LSIDB, and they should not
be mixed. A user of the HIDB (who might want to uninitialize it at
some point via this function) should not be exposed to the LSIDB API.
Performance is obviously not an issue here.

> Otherwise, this merge proposal seems good to me. However, you made changes to core HI handling components of HIPL, so please test your changes extensively. I suggest running tests in your own VMs including BEX and UPDATE exchanges, running Valgrind and making a test deployment in our testbed before committing these changes to trunk.

Will do that once the regression test framework is in place and the
current bugs are fixed. That might be a while.

Stefan

Hi,

> Thanks for the review!

You are welcome!

> I believe the locking is not used because:
>
> - The code does not compile when enabling locking (note that locking is
> disabled
> via a '#if 0')

oh, I missed the if condition there.

> - Locking was disabled by a commit in 2007 and I have no evidence that it was
> ever enabled again
>
> - The locking logic in trunk is badly broken. Exhibit 1: the core lookup
> function hip_get_hostid_entry_by_lhi_and_algo() does not use locking. Exhibit
> 2:
> hip_del_host_id() unlocks the database although the code path up to that point
> never acquires a lock. Exhibit 3: Some code paths in hip_del_host_id() unlock
> the database, some others do not. The list goes on...
>
> - There is no multi-threading in HIPL (... for all I know. But given the above
> reasons, I really really hope so, too)
>
> Thus, I think it makes a lot of sense to remove the locking code because it
> needs *major* re-working anyway.

Ok, sounds reasonable, I'm convinced. Thanks for clarifying!

> I wanted to address const correctness in one big commit, but anyway. Fixed in
> rev. 5954

Thanks.

> >> +/**
> >> + * A call-back function for finding a host association between a given
> peer HIT
> >> + * and any of the iteratively provided local HIs.
> >> + *
> >> + * @param lhi Points to a local_host_id object from which contains the
> >> + * local HIT of the HA to find.
> >
> > "Points to a local_host_id object which contains"
>
> Oops. Fixed in rev. 5953

:)

> >> -int hip_hidb_match(const void *ptr1, const void *ptr2)
> >> +static int hip_hidb_match(const void *ptr1, const void *ptr2)
> >
> > *const ptr1 and *const ptr2 would be more correct?
>
> Fixed in rev. 5954

> Thanks! If this addresses all your concerns, please do not forget to change
> your
> vote to 'accept'.

My question has been answered and the minor issues fixed. All good by me! :)

David

 review needs-fixing

On Fri, May 20, 2011 at 09:26:05PM +0000, Stefan Götz wrote:
> Stefan Götz has proposed merging lp:~stefan.goetz/hipl/hidb-db into lp:hipl.
>
> --- firewall/user_ipsec_sadb.c 2011-04-05 16:44:22 +0000
> +++ firewall/user_ipsec_sadb.c 2011-05-20 21:25:59 +0000
> @@ -824,29 +823,38 @@
>
> +/**
> * flushes all entries in the sadb
> *
> - * @return -1, if error occurred, else 0
> + * @return 0
> */
> int hip_sadb_flush(void)
> {
> - int err = 0, i = 0;
> - LHASH_NODE *item = NULL, *tmp = NULL;
> - struct hip_sa_entry *entry = NULL;
> -
> - // iterating over all elements
> - list_for_each_safe(item, tmp, sadb, i)
> - {
> - HIP_IFEL(!(entry = list_entry(item)), -1,
> - "failed to get list entry\n");
> - HIP_IFEL(hip_sa_entry_delete(&entry->inner_src_addr, &entry->inner_dst_addr), -1,
> - "failed to delete sa entry\n");
> - }
> + hip_ht_doall(sadb, delete_sa_entry);
>
> HIP_DEBUG("sadb flushed\n");

This debug line is rather pointless IMO, I'd remove it.

> -out_err:
> - return err;
> + return 0;
> }

Why not make the function void instead of always returning the same value?

> --- hipd/cookie.c 2011-05-10 22:14:13 +0000
> +++ hipd/cookie.c 2011-05-20 21:25:59 +0000
> @@ -372,24 +367,10 @@
> /**
> * precreate all R1 packets
> *
> - * @return zero on success or negative on error
> + * @return 0
> */
> int hip_recreate_all_precreated_r1_packets(void)
> {
> - HIP_HASHTABLE *ht = hip_ht_init(hip_hidb_hash, hip_hidb_match);
> - LHASH_NODE *curr, *iter;
> - struct hip_host_id *tmp;
> - int c;
> -
> - hip_for_each_hi(hip_recreate_r1s_for_entry_move, ht);
> -
> - list_for_each_safe(curr, iter, ht, c)
> - {
> - tmp = list_entry(curr);
> - hip_ht_add(HIP_DB_LOCAL_HID, tmp);
> - list_del(tmp, ht);
> - }
> -
> - hip_ht_uninit(ht);
> + hip_for_each_hi(hip_recreate_r1s_for_entry_move, NULL);
> return 0;
> }

ditto

> --- hipd/init.c 2011-05-04 16:20:00 +0000
> +++ hipd/init.c 2011-05-20 21:25:59 +0000
> @@ -1,5 +1,5 @@
> /*
> - * Copyright (c) 2010 Aalto University and RWTH Aachen University.
> + * Copyright (c) 2010-2011 Aalto University and RWTH Aachen University.
> *
> * Permission is hereby granted, free of charge, to any person
> * obtaining a copy of this software and associated documentation
> @@ -28,6 +28,7 @@
> * This file defines initialization functions for the HIP daemon.
> *
> * @note HIPU: BSD platform needs to be autodetected in hip_set_lowcapability
> + * @author Stefan G??tz <email address hidden>
> */

I'm sceptical that removing a function constitutes a real contribution.

There are more similar cases in this merge request, we need to come to
a conclusion what to do with these cases.

Diego

Hi,

On Mon, Aug 8, 2011 at 5:00 PM, Diego Biurrun <email address hidden> wrote:
> review needs-fixing
>
> On Fri, May 20, 2011 at 09:26:05PM +0000, Stefan Götz wrote:
>> Stefan Götz has proposed merging lp:~stefan.goetz/hipl/hidb-db into lp:hipl.
>>
>> HIP_DEBUG("sadb flushed\n");
>
> This debug line is rather pointless IMO, I'd remove it.
>
>> -out_err:
>> - return err;
>> + return 0;
>> }
>
> Why not make the function void instead of always returning the same value?
>
> There are more similar cases in this merge request, we need to come to
> a conclusion what to do with these cases.

well, shouldn't a merge review focus on the changes to be merged more than
on general problems with the code around it? Your points are valid but if I
see it right those parts of the code weren't touched by Stefan and in my
opinion unrelated to the goal of this branch.

There's the boyscout rule but you can only apply it so far else you never get
done with what you wanted to do in the first place or you needlessly bloat
the merge request, no?

On Wed, Aug 10, 2011 at 02:14:13PM +0000, David Martin wrote:
>
> On Mon, Aug 8, 2011 at 5:00 PM, Diego Biurrun <email address hidden> wrote:
> > review needs-fixing
> >
> > On Fri, May 20, 2011 at 09:26:05PM +0000, Stefan Götz wrote:
> >> Stefan Götz has proposed merging lp:~stefan.goetz/hipl/hidb-db into lp:hipl.
> >>
> >> HIP_DEBUG("sadb flushed\n");
> >
> > This debug line is rather pointless IMO, I'd remove it.
> >
> >> -out_err:
> >> - return err;
> >> + return 0;
> >> }
> >
> > Why not make the function void instead of always returning the same value?
> >
> > There are more similar cases in this merge request, we need to come to
> > a conclusion what to do with these cases.
>
> well, shouldn't a merge review focus on the changes to be merged more than
> on general problems with the code around it? Your points are valid but if I
> see it right those parts of the code weren't touched by Stefan and in my
> opinion unrelated to the goal of this branch.
>
> There's the boyscout rule but you can only apply it so far else you never get
> done with what you wanted to do in the first place or you needlessly bloat
> the merge request, no?

He is changing the whole function anyway, so this seemed relevant...

That said, yes, one has to focus, otherwise you never get finished.

Diego