diff options
| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2025-09-02 18:23:41 +0200 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2025-09-10 08:21:58 +0200 |
| commit | 8de42096eb6e90d3ea9f5eacb95dc94222e5000b (patch) | |
| tree | bd965f0f9f76ef7234e1a01bc83b02e1e2eb18f4 /src/ipcpd/unicast | |
| parent | 5274cb3ce09c40cccd29ec771ad49a2069aa37c4 (diff) | |
| download | ouroboros-8de42096eb6e90d3ea9f5eacb95dc94222e5000b.tar.gz ouroboros-8de42096eb6e90d3ea9f5eacb95dc94222e5000b.zip | |
lib: Move encryption control from QoS to name
This removes the flow encryption option (cypher_s) from the qosspec.
The configuration file is configured in the security options (default
/etc/ouroboros/security/). For this poc, encryption can be disabled
client or server side by putting an enc.cfg file. If that file is
present in the client folder, the client will require encryption. If
that file is present on the server side, the server will require
encryption and reject non-encrypted flows.
Encryption is now configured outside of any application control.
Example: /etc/ouroboros/security/client/oping/enc.cfg exists:
irmd(II): Encryption enabled for oping.
irmd(DB): File /etc/ouroboros/security/client/oping/crt.pem does not exist.
irmd(II): No security info for oping.
irmd(DB): Generated ephemeral keys for 87474.
irmd/oap(PP): OAP_HDR [caf203681d997941 @ 2025-09-02 17:08:05 (UTC) ] -->
irmd/oap(PP): Certificate: <none>
irmd/oap(PP): Ephemeral Public Key: [91 bytes]
irmd/oap(PP): Data: <none>
irmd/oap(PP): Signature: <none>
Example: /etc/ouroboros/security/client/oping/enc.cfg does not exist:
irmd(II): Allocating flow for 87506 to oping.
irmd(DB): File /etc/ouroboros/security/client/oping/enc.cfg does not exist.
irmd(DB): File /etc/ouroboros/security/client/oping/crt.pem does not exist.
irmd(II): No security info for oping.
irmd/oap(PP): OAP_HDR [e84bb9d7c3d9c002 @ 2025-09-02 17:08:30 (UTC) ] -->
irmd/oap(PP): Certificate: <none>
irmd/oap(PP): Ephemeral Public Key: <none>
irmd/oap(PP): Data: <none>
irmd/oap(PP): Signature: <none>
Example: /etc/ouroboros/security/server/oping/enc.cfg exists:
irmd(II): Flow request arrived for oping.
irmd(DB): IPCP 88112 accepting flow 7 for oping.
irmd(II): Encryption enabled for oping.
irmd(DB): File /etc/ouroboros/security/server/oping/crt.pem does not exist.
irmd(II): No security info for oping.
irmd/oap(PP): OAP_HDR [3c717b3f31dff8df @ 2025-09-02 17:13:06 (UTC) ] <--
irmd/oap(PP): Certificate: <none>
irmd/oap(PP): Ephemeral Public Key: <none>
irmd/oap(PP): Data: <none>
irmd/oap(PP): Signature: <none>
irmd(WW): Encryption required but no key provided.
The server side will pass the ECRYPT to the client:
$ oping -l
Ouroboros ping server started.
Failed to accept flow: -1008
$ oping -n oping -c 1
Failed to allocate flow: -1008.
Encryption on flows can now be changed at runtime without needing to
touch/reconfigure/restart the process.
Note: The ECRYPT result is passed on via the flow allocator responses
through the IPCP (discovered/fixed some endianness issues), but the
reason for rejecting the flow can be considered N+1 information... We
may move that information up into the OAP header at some point.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src/ipcpd/unicast')
| -rw-r--r-- | src/ipcpd/unicast/fa.c | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/src/ipcpd/unicast/fa.c b/src/ipcpd/unicast/fa.c index 69a9bbe6..ac168bd9 100644 --- a/src/ipcpd/unicast/fa.c +++ b/src/ipcpd/unicast/fa.c @@ -70,17 +70,15 @@ struct fa_msg { uint64_t s_addr; uint64_t r_eid; uint64_t s_eid; - uint8_t code; - int8_t response; - uint16_t ece; - /* QoS parameters from spec, aligned */ - uint32_t delay; uint64_t bandwidth; + int32_t response; + uint32_t delay; uint32_t loss; uint32_t ber; uint32_t max_gap; uint32_t timeout; - uint16_t cypher_s; + uint16_t ece; + uint8_t code; uint8_t availability; uint8_t in_order; } __attribute__((packed)); @@ -499,7 +497,6 @@ static int fa_handle_flow_req(struct fa_msg * msg, qs.ber = ntoh32(msg->ber); qs.in_order = msg->in_order; qs.max_gap = ntoh32(msg->max_gap); - qs.cypher_s = ntoh16(msg->cypher_s); qs.timeout = ntoh32(msg->timeout); fd = ipcp_wait_flow_req_arr(dst, qs, IPCP_UNICAST_MPL, &data); @@ -528,6 +525,7 @@ static int fa_handle_flow_reply(struct fa_msg * msg, struct fa_flow * flow; buffer_t data; /* Piggbacked data on flow alloc request. */ time_t mpl = IPCP_UNICAST_MPL; + int response; assert(len >= sizeof(*msg)); @@ -547,15 +545,19 @@ static int fa_handle_flow_reply(struct fa_msg * msg, flow = &fa.flows[fd]; flow->r_eid = ntoh64(msg->s_eid); + response = ntoh32(msg->response); - if (msg->response < 0) + log_dbg("IPCP received msg response %d for flow on fd %d.", + response, fd); + + if (response < 0) fa_flow_fini(flow); else psched_add(fa.psched, fd); pthread_rwlock_unlock(&fa.flows_lock); - if (ipcp_flow_alloc_reply(fd, msg->response, mpl, &data) < 0) { + if (ipcp_flow_alloc_reply(fd, response, mpl, &data) < 0) { log_err("Failed to reply for flow allocation on fd %d.", fd); return -EIRMD; } @@ -776,7 +778,6 @@ int fa_alloc(int fd, msg->ber = hton32(qs.ber); msg->in_order = qs.in_order; msg->max_gap = hton32(qs.max_gap); - msg->cypher_s = hton16(qs.cypher_s); msg->timeout = hton32(qs.timeout); memcpy(msg + 1, dst, ipcp_dir_hash_len()); @@ -828,7 +829,7 @@ int fa_alloc_resp(int fd, memset(msg, 0, sizeof(*msg)); msg->code = FLOW_REPLY; - msg->response = response; + msg->response = hton32(response); if (data->len > 0) memcpy(msg + 1, data->data, data->len); @@ -845,7 +846,7 @@ int fa_alloc_resp(int fd, } if (response < 0) { - pthread_rwlock_rdlock(&fa.flows_lock); + pthread_rwlock_wrlock(&fa.flows_lock); fa_flow_fini(flow); pthread_rwlock_unlock(&fa.flows_lock); } else { |