authorDimitri Staessens <dimitri@ouroboros.rocks>2025-08-13 09:03:20 +0200
committerDimitri Staessens <dimitri@ouroboros.rocks>2025-08-18 20:57:23 +0200
commite35302ca0ab64edd21b9d8e40d3aa74a3a4f4f7e (patch)
tree348711a66a585f982b19979f083e601fc85ed605 /include
parentf1fcec220c8454cb461bd1ac22621a1b64609051 (diff)
downloadouroboros-e35302ca0ab64edd21b9d8e40d3aa74a3a4f4f7e.tar.gz
ouroboros-e35302ca0ab64edd21b9d8e40d3aa74a3a4f4f7e.zip
irmd: Add flow authentication
This adds initial implementation of peer authentication as part of flow allocation. If credentials are not provided, this will be accepted and logged as info that the flow is not authenticated. Certificates and keys are passed as .pem files. The key file should not be encrypted, else the IRMd will open a prompt for the password. The default location for these .pem files is in /etc/ouroboros/security. It is strongly recommended to make this directory only accessible to root. ├── security │ ├── cacert │ │ └── ca.root.o7s.crt.pem │ ├── client │ │ ├── <name> │ │ | ├── crt.pem │ │ | └── key.pem │ │ └── <name> | | ├──... | | │ ├── server │ │ ├── <name> │ │ | ├── crt.pem │ │ | └── key.pem │ │ └── <name> | | ├── ... | | │ └── untrusted │ └── sign.root.o7s.crt.pem Trusted root CA certificates go in the /cacert directory, untrusted certificates for signature verification go in the /untrusted directory. The IRMd will load these certificates at boot. The IRMd will look for certificates in the /client and /server directories. For each name a subdirectory can be added and the credentials in that directory are used to sign the OAP header for flows at flow_alloc() on the client side and flow_accept() on the server side. These defaults can be changed at build time using the following variables (in alphabetical order): OUROBOROS_CA_CRT_DIR /etc/ouroboros/security/cacert OUROBOROS_CLI_CRT_DIR /etc/ouroboros/security/client OUROBOROS_SECURITY_DIR /etc/ouroboros/security OUROBOROS_SRV_CRT_DIR /etc/ouroboros/security/server OUROBOROS_UNTRUSTED_DIR /etc/ouroboros/security/untrusted The directories for the names can also be configured at IRMd boot using the configuration file and at runtime when a name is created using the "irm name create" CLI tool. The user needs to have permissions to access the keyfile and certificate when specifying the paths with the "irm name create" CLI tool. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Diffstat (limited to 'include')
-rw-r--r--include/ouroboros/errno.h7
-rw-r--r--include/ouroboros/irm.h3
-rw-r--r--include/ouroboros/name.h9
-rw-r--r--include/ouroboros/protobuf.h6
-rw-r--r--include/ouroboros/utils.h1
5 files changed, 21 insertions, 5 deletions
diff --git a/include/ouroboros/errno.h b/include/ouroboros/errno.h
index 25e776df..6b808241 100644
--- a/include/ouroboros/errno.h
+++ b/include/ouroboros/errno.h
@@ -32,7 +32,10 @@
#define EIPCPSTATE 1004 /* Target in wrong state */
#define EFLOWDOWN 1005 /* Flow is down */
#define EFLOWPEER 1006 /* Flow is down (peer timed out) */
-#define ECRYPT 1007 /* Encryption error */
-#define ENAME 1008 /* Naming error */
+#define ENAME 1007 /* Naming error */
+#define ECRYPT 1008 /* Encryption error */
+#ifndef EAUTH /* Exists on BSD */
+#define EAUTH 1009 /* Authentication error */
+#endif
#endif /* OUROBOROS_ERRNO_H */
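Review bot: The hunk changes the numeric values of the existing ECRYPT (1007 to 1008) and ENAME (1008 to 1007) codes, which breaks binary compatibility for anything already compiled against the previous header and makes error numbers in logs or traces from older builds ambiguous. Unless the reorder is required, keep the existing values and only append the new code: `#define ECRYPT 1007 /* Encryption error */`, `#define ENAME 1008 /* Naming error */`, `#define EAUTH 1009 /* Authentication error */`. The `#ifndef EAUTH` guard also means EAUTH takes the platform's value on BSD rather than 1009, so no code should assume Ouroboros errors all lie in the 1000+ range; a one-line comment such as `/* EAUTH may be the platform value (BSD), not 1009 */` would make that visible to readers of the header.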
diff --git a/include/ouroboros/irm.h b/include/ouroboros/irm.h
index 0105f88e..70a21ed7 100644
--- a/include/ouroboros/irm.h
+++ b/include/ouroboros/irm.h
@@ -76,8 +76,7 @@ int irm_bind_process(pid_t pid,
int irm_unbind_process(pid_t pid,
const char * name);
-int irm_create_name(const char * name,
- enum pol_balance pol);
+int irm_create_name(struct name_info * info);
int irm_destroy_name(const char * name);
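Review bot: `irm_create_name` now takes a `struct name_info *` without `const`; if the function only reads the caller's struct (name, balancing policy, credential paths), the declaration should be `int irm_create_name(const struct name_info * info);` so that callers can pass a const-initialized struct and the contract that the IRMd does not write back into it is explicit. If it does populate fields (for example defaulting the path members), that should be stated in a comment on the declaration instead. Since `struct name_info` holds fixed-size arrays, presumably the contents are copied and nothing in `info` is retained after the call; a comment confirming that would save callers a trip to the implementation. The declaration list this hunk belongs to continues outside the hunk.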
diff --git a/include/ouroboros/name.h b/include/ouroboros/name.h
index 9d77a90b..bb12fc0b 100644
--- a/include/ouroboros/name.h
+++ b/include/ouroboros/name.h
@@ -24,6 +24,7 @@
#define OUROBOROS_NAME_H
#define NAME_SIZE 255
+#define NAME_PATH_SIZE (NAME_SIZE + 256)
#define BIND_AUTO 0x01
enum pol_balance {
@@ -32,9 +33,17 @@ enum pol_balance {
LB_INVALID
};
+struct name_sec_paths {
+ char key[NAME_PATH_SIZE + 1]; /* path to key for this name */
+ char crt[NAME_PATH_SIZE + 1]; /* path to crt for this name */
+};
+
struct name_info {
char name[NAME_SIZE + 1];
enum pol_balance pol_lb;
+
+ struct name_sec_paths s; /* server */
+ struct name_sec_paths c; /* client */
};
#endif /* OUROBOROS_NAME_H */
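Review bot: `name_sec_paths` introduces fixed `NAME_PATH_SIZE + 1` buffers (511 characters plus NUL) for key and certificate paths that originate from the configuration file and the `irm name create` CLI, but the header does not say what happens to a longer path; PATH_MAX is 4096 on Linux, so the limit is reachable. A path silently truncated by a bounded copy would resolve to a different file than the operator specified, so the contract should be that the copying code rejects oversized paths rather than truncating them, and that an empty string means no credentials; put that on the members, e.g. `/* NUL-terminated; "" means no credentials; longer paths must be rejected, not truncated */`. The single-letter members `s` and `c` also read poorly at call sites (`info->s.key`); `server` and `client` would match their comments.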
diff --git a/include/ouroboros/protobuf.h b/include/ouroboros/protobuf.h
index 399cb36f..6cb24c2f 100644
--- a/include/ouroboros/protobuf.h
+++ b/include/ouroboros/protobuf.h
@@ -52,8 +52,8 @@ typedef IpcpListMsg ipcp_list_msg_t;
#include "model.pb-c.h"
typedef FlowInfoMsg flow_info_msg_t;
-typedef LayerInfoMsg layer_info_msg_t;
typedef NameInfoMsg name_info_msg_t;
+typedef LayerInfoMsg layer_info_msg_t;
typedef QosspecMsg qosspec_msg_t;
#include "enroll.pb-c.h"
@@ -70,6 +70,10 @@ flow_info_msg_t * flow_info_s_to_msg(const struct flow_info * s);
struct flow_info flow_info_msg_to_s(const flow_info_msg_t * msg);
+name_info_msg_t * name_info_s_to_msg(const struct name_info * s);
+
+struct name_info name_info_msg_to_s(const name_info_msg_t * msg);
+
layer_info_msg_t * layer_info_s_to_msg(const struct layer_info * s);
struct layer_info layer_info_msg_to_s(const layer_info_msg_t * msg);
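Review bot: The new `name_info_s_to_msg`/`name_info_msg_to_s` declarations carry no documentation, and the message-to-struct direction is where strings from an IPC client land in the fixed-size `name_info` buffers. Document on `name_info_msg_to_s` how oversized or missing `name`/`key`/`crt` strings are treated (ideally rejected with a detectable result rather than truncated into the struct), and on `name_info_s_to_msg` who owns and frees the returned message and whether NULL is returned on allocation failure. Returning `struct name_info` by value now copies roughly 2.3 KB (the name plus four 512-byte path buffers); that follows the sibling `layer_info_msg_to_s` pattern, but is worth noting if it ends up on a frequently exercised path.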
diff --git a/include/ouroboros/utils.h b/include/ouroboros/utils.h
index acd27a8f..b93b345d 100644
--- a/include/ouroboros/utils.h
+++ b/include/ouroboros/utils.h
@@ -34,6 +34,7 @@
#define clrbuf(buf) do { memset(&(buf), 0, sizeof(buf)); } while (0);
#define freebuf(buf) do { free((buf).data); clrbuf(buf); } while (0);
#define BUF_INIT { 0, NULL }
+#define BUF_IS_EMPTY(buf) ((buf)->data == NULL && (buf)->len == 0)
typedef struct {
size_t len;
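Review bot: `BUF_IS_EMPTY(buf)` dereferences its argument as a pointer (`(buf)->data`) while the neighbouring `clrbuf(buf)` and `freebuf(buf)` take the buffer object itself (`&(buf)`, `(buf).data`), so the same `buf` identifier cannot be passed to all three macros; mixing them fails to compile rather than misbehaving, but it is an inconsistent convention within one header. Either take the object like its siblings, `#define BUF_IS_EMPTY(buf) ((buf).data == NULL && (buf).len == 0)`, with call sites passing `*p`, or name the new macro so the pointer semantics are visible. A short comment on what counts as empty (both fields zero, i.e. the `BUF_INIT` state; a buffer with `len == 0` but non-NULL `data` is not empty) would also help. The typedef that follows the macro continues outside the hunk.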