lib: Move encryption control from QoS to name

This removes the flow encryption option (cypher_s) from the qosspec. The configuration file is configured in the security options (default /etc/ouroboros/security/). For this poc, encryption can be disabled client or server side by putting an enc.cfg file. If that file is present in the client folder, the client will require encryption. If that file is present on the server side, the server will require encryption and reject non-encrypted flows. Encryption is now configured outside of any application control. Example: /etc/ouroboros/security/client/oping/enc.cfg exists: irmd(II): Encryption enabled for oping. irmd(DB): File /etc/ouroboros/security/client/oping/crt.pem does not exist. irmd(II): No security info for oping. irmd(DB): Generated ephemeral keys for 87474. irmd/oap(PP): OAP_HDR [caf203681d997941 @ 2025-09-02 17:08:05 (UTC) ] --> irmd/oap(PP): Certificate: <none> irmd/oap(PP): Ephemeral Public Key: [91 bytes] irmd/oap(PP): Data: <none> irmd/oap(PP): Signature: <none> Example: /etc/ouroboros/security/client/oping/enc.cfg does not exist: irmd(II): Allocating flow for 87506 to oping. irmd(DB): File /etc/ouroboros/security/client/oping/enc.cfg does not exist. irmd(DB): File /etc/ouroboros/security/client/oping/crt.pem does not exist. irmd(II): No security info for oping. irmd/oap(PP): OAP_HDR [e84bb9d7c3d9c002 @ 2025-09-02 17:08:30 (UTC) ] --> irmd/oap(PP): Certificate: <none> irmd/oap(PP): Ephemeral Public Key: <none> irmd/oap(PP): Data: <none> irmd/oap(PP): Signature: <none> Example: /etc/ouroboros/security/server/oping/enc.cfg exists: irmd(II): Flow request arrived for oping. irmd(DB): IPCP 88112 accepting flow 7 for oping. irmd(II): Encryption enabled for oping. irmd(DB): File /etc/ouroboros/security/server/oping/crt.pem does not exist. irmd(II): No security info for oping. irmd/oap(PP): OAP_HDR [3c717b3f31dff8df @ 2025-09-02 17:13:06 (UTC) ] <-- irmd/oap(PP): Certificate: <none> irmd/oap(PP): Ephemeral Public Key: <none> irmd/oap(PP): Data: <none> irmd/oap(PP): Signature: <none> irmd(WW): Encryption required but no key provided. The server side will pass the ECRYPT to the client: $ oping -l Ouroboros ping server started. Failed to accept flow: -1008 $ oping -n oping -c 1 Failed to allocate flow: -1008. Encryption on flows can now be changed at runtime without needing to touch/reconfigure/restart the process. Note: The ECRYPT result is passed on via the flow allocator responses through the IPCP (discovered/fixed some endianness issues), but the reason for rejecting the flow can be considered N+1 information... We may move that information up into the OAP header at some point. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
author: Dimitri Staessens <dimitri@ouroboros.rocks> 2025-09-02 18:23:41 +0200
committer: Sander Vrijders <sander@ouroboros.rocks> 2025-09-10 08:21:58 +0200
commit: 8de42096eb6e90d3ea9f5eacb95dc94222e5000b (patch)
tree: bd965f0f9f76ef7234e1a01bc83b02e1e2eb18f4 /src/lib/crypt.c
parent: 5274cb3ce09c40cccd29ec771ad49a2069aa37c4 (diff)
download: ouroboros-8de42096eb6e90d3ea9f5eacb95dc94222e5000b.tar.gz
ouroboros-8de42096eb6e90d3ea9f5eacb95dc94222e5000b.zip
1 files changed, 7 insertions, 12 deletions
diff --git a/src/lib/crypt.c b/src/lib/crypt.c
index b39a4a73..8b18140e 100644
--- a/src/lib/crypt.c
+++ b/src/lib/crypt.c
@@ -32,7 +32,6 @@
 #include <string.h>
 
 struct crypt_ctx {
-    uint16_t flags;
     void *   ctx;
     uint8_t  key[SYMMKEYSZ];
 };
@@ -91,14 +90,13 @@ int crypt_encrypt(struct crypt_ctx * ctx,
                   buffer_t           in,
                   buffer_t *         out)
 {
-        if (ctx->flags == 0) {
-                clrbuf(*out);
-                return 0;
-        }
+        assert(ctx != NULL);
+        assert(ctx->ctx != NULL);
 
 #ifdef HAVE_OPENSSL
         return openssl_encrypt(ctx->ctx, ctx->key, in, out);
 #else
+        (void) ctx;
         (void) in;
         (void) out;
 
@@ -110,14 +108,13 @@ int crypt_decrypt(struct crypt_ctx * ctx,
                   buffer_t           in,
                   buffer_t *         out)
 {
-        if (ctx->flags == 0) {
-                clrbuf(*out);
-                return 0;
-        }
+        assert(ctx != NULL);
+        assert(ctx->ctx != NULL);
 
 #ifdef HAVE_OPENSSL
         return openssl_decrypt(ctx->ctx, ctx->key, in, out);
 #else
+        (void) ctx;
         (void) in;
         (void) out;
 
@@ -125,8 +122,7 @@ int crypt_decrypt(struct crypt_ctx * ctx,
 #endif
 }
 
-struct crypt_ctx * crypt_create_ctx(uint16_t        flags,
-                                    const uint8_t * key)
+struct crypt_ctx * crypt_create_ctx(const uint8_t * key)
 {
         struct crypt_ctx * crypt;
 
@@ -136,7 +132,6 @@ struct crypt_ctx * crypt_create_ctx(uint16_t        flags,
 
         memset(crypt, 0, sizeof(*crypt));
 
-        crypt->flags = flags;
         if (key != NULL)
                 memcpy(crypt->key, key, SYMMKEYSZ);
 #ifdef HAVE_OPENSSL
author	Dimitri Staessens <dimitri@ouroboros.rocks>	2025-09-02 18:23:41 +0200
committer	Sander Vrijders <sander@ouroboros.rocks>	2025-09-10 08:21:58 +0200
commit	8de42096eb6e90d3ea9f5eacb95dc94222e5000b (patch)
tree	bd965f0f9f76ef7234e1a01bc83b02e1e2eb18f4 /src/lib/crypt.c
parent	5274cb3ce09c40cccd29ec771ad49a2069aa37c4 (diff)
download	ouroboros-8de42096eb6e90d3ea9f5eacb95dc94222e5000b.tar.gz ouroboros-8de42096eb6e90d3ea9f5eacb95dc94222e5000b.zip