Tidy crypto.c of old library compat. Now need libnettle 3.

94b68788 · Simon Kelley · 8b96552f · 94b68788 · 94b68788 · 94b68788
Commit 94b68788 authored Mar 17, 2018 by Simon Kelley
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 32 deletions

CHANGELOG CHANGELOG +3 -0

src/config.h src/config.h +0 -3

src/crypto.c src/crypto.c +19 -29

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -60,6 +60,9 @@ version 2.79
 	internal-20.thekelleys.org.uk being 192.168.0.70
 	Thanks to Andy Hawkins for the suggestion.
+	Tidy up Crypto code, removing workarounds for ancient
+	versions of libnettle. We now require libnettle 3.
 version 2.78
        Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris

--- a/src/config.h
+++ b/src/config.h
@@ -137,9 +137,6 @@ NO_INOTIFY
   otherwise be enabled automatically (HAVE_IPV6, >2Gb file sizes) or 
   which are enabled  by default in the distributed source tree. Building dnsmasq
   with something like "make COPTS=-DNO_SCRIPT" will do the trick.
-NO_NETTLE_ECC
-   Don't include the ECDSA cypher in DNSSEC validation. Needed for older Nettle versions.
 NO_GMP
   Don't use and link against libgmp, Useful if nettle is built with --enable-mini-gmp.

--- a/src/crypto.c
+++ b/src/crypto.c
@@ -20,20 +20,12 @@
 #include <nettle/rsa.h>
 #include <nettle/dsa.h>
-#ifndef NO_NETTLE_ECC
+#include <nettle/ecdsa.h>
-#  include <nettle/ecdsa.h>
+#include <nettle/ecc-curve.h>
-#  include <nettle/ecc-curve.h>
+#include <nettle/eddsa.h>
-#  include <nettle/eddsa.h>
-#endif
 #include <nettle/nettle-meta.h>
 #include <nettle/bignum.h>
-/* Nettle-3.0 moved to a new API for DSA. We use a name that's defined in the new API
-   to detect Nettle-3, and invoke the backwards compatibility mode. */
-#ifdef dsa_params_init
-#include <nettle/dsa-compat.h>
-#endif
 /* Implement a "hash-function" to the nettle API, which simply returns
   the input data, concatenated into a single, statically maintained, buffer.
@@ -118,9 +110,10 @@ const struct nettle_hash *hash_find(char *name)
  /* libnettle >= 3.4 provides nettle_lookup_hash() which avoids nasty ABI
     incompatibilities if sizeof(nettle_hashes) changes between library
-     versions. */
+     versions. It also #defines nettle_hashes, so use that to tell
+     if we have the new facilities. */
-#if (NETTLE_VERSION_MAJOR>3) || ((NETTLE_VERSION_MAJOR==3) && (NETTLE_VERSION_MINOR >=4))
+#ifdef nettle_hashes
  return nettle_lookup_hash(name);
 #else
  {
@@ -232,19 +225,21 @@ static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len,
 {
  unsigned char *p;
  unsigned int t;
-  static struct dsa_public_key *key = NULL;
+  static mpz_t y;
+  static struct dsa_params *params = NULL;
  static struct dsa_signature *sig_struct;
  (void)digest_len;
-  if (key == NULL)
+  if (params == NULL)
    {
      if (!(sig_struct = whine_malloc(sizeof(struct dsa_signature))) || 
-	  !(key = whine_malloc(sizeof(struct dsa_public_key)))) 
+	  !(params = whine_malloc(sizeof(struct dsa_params)))) 
 	return 0;
-      nettle_dsa_public_key_init(key);
+      mpz_init(y);
+      nettle_dsa_params_init(params);
      nettle_dsa_signature_init(sig_struct);
    }
@@ -256,20 +251,19 @@ static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len,
  if (key_len < (213 + (t * 24)))
    return 0;
-  mpz_import(key->q, 20, 1, 1, 0, 0, p); p += 20;
+  mpz_import(params->q, 20, 1, 1, 0, 0, p); p += 20;
-  mpz_import(key->p, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
+  mpz_import(params->p, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
-  mpz_import(key->g, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
+  mpz_import(params->g, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
-  mpz_import(key->y, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
+  mpz_import(y, 64 + (t*8), 1, 1, 0, 0, p); p += 64 + (t*8);
  mpz_import(sig_struct->r, 20, 1, 1, 0, 0, sig+1);
  mpz_import(sig_struct->s, 20, 1, 1, 0, 0, sig+21);
  (void)algo;
-  return nettle_dsa_sha1_verify_digest(key, digest, sig_struct);
+  return nettle_dsa_verify(params, y, digest_len, digest, sig_struct);
 } 
-#ifndef NO_NETTLE_ECC
 static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len, 
 				unsigned char *sig, size_t sig_len,
 				unsigned char *digest, size_t digest_len, int algo)
@@ -371,8 +365,6 @@ static int dnsmasq_eddsa_verify(struct blockdata *key_data, unsigned int key_len
  return 0;
 }
-#endif 
 static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
 			     unsigned char *digest, size_t digest_len, int algo)
 {
@@ -389,14 +381,12 @@ static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key
    case 3: case 6: 
      return dnsmasq_dsa_verify;
-#ifndef NO_NETTLE_ECC   
    case 13: case 14:
      return dnsmasq_ecdsa_verify;
    case 15: case 16:
      return dnsmasq_eddsa_verify;
-#endif
    }
  return NULL;