author | Dimitri Staessens <dmarc-noreply@freelists.org> | 2025-07-13 07:42:58 +0200 |
---|---|---|
committer | Sander Vrijders <sander@ouroboros.rocks> | 2025-07-16 08:34:17 +0200 |
commit | 2e505c2dc7a7e849fe7a327f9cbdfc587477a3d1 (patch) | |
tree | c303098450a9a361d3d16738a78cbfdc452326f6 /src/lib/crypt/openssl.c | |
parent | 589e273a446cdcec7e9c5e3a85256b7b8554e4f0 (diff) | |
irmd: Initial Flow Allocation Protocol Header
This adds the initial version for the flow allocation protocol header
between IRMd instances. This is a step towards flow authentication.
The header supports secure and authenticated flow allocation,
supporting certificate-based authentication and ephemeral key
exchange for end-to-end encryption.
id: 128-bit identifier for the entity.
timestamp: 64-bit timestamp (replay protection).
certificate: Certificate for authentication.
public key: ECDHE public key for key exchange.
data: Application data.
signature: Signature for integrity/authenticity.
Authentication and encryption require OpenSSL to be installed.
The IRMd compares the allocation request delay with the MPL of the
Layer over which the flow allocation was sent. MPL is now reported by
the Layer in ms instead of seconds.
Time functions revised for consistency and adds some tests.
The TPM can now print thread running times in Debug builds
(TPM_DEBUG_REPORT_INTERVAL) and abort processes with hung threads
(TPM_DEBUG_ABORT_TIMEOUT). Long running threads waiting for input
should call tpm_wait_work() to avoid triggering a process abort.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src/lib/crypt/openssl.c')
-rw-r--r-- | src/lib/crypt/openssl.c | 50 |
1 files changed, 47 insertions, 3 deletions
diff --git a/src/lib/crypt/openssl.c b/src/lib/crypt/openssl.c
index 6e7a5dab..1824d879 100644
--- a/src/lib/crypt/openssl.c
+++ b/src/lib/crypt/openssl.c
@@ -159,7 +159,7 @@ ssize_t openssl_ecdh_pkp_create(void ** pkp,
 if (__openssl_ecdh_gen_key(pkp) < 0)
 goto fail_key;
- pos = pk; /* i2d_PUBKEY increments the pointer, don't use buf! */
+ pos = pk; /* i2d_PUBKEY increments the pointer, don't use pk! */
 len = i2d_PUBKEY(*pkp, &pos);
 if (len < 0)
 goto fail_pubkey;
@@ -388,6 +388,28 @@ int openssl_load_crt_str(const char * str,
 return -1;
 }
+int openssl_load_crt_der(buffer_t buf,
+ void ** crt)
+{
+ const uint8_t * p;
+ X509 * xcrt;
+
+ assert(crt != NULL);
+
+ p = buf.data;
+
+ xcrt = d2i_X509(NULL, &p, buf.len);
+ if (xcrt == NULL)
+ goto fail_crt;
+
+ *crt = (void *) xcrt;
+
+ return 0;
+ fail_crt:
+ *crt = NULL;
+ return -1;
+}
+
 int openssl_get_pubkey_crt(void * crt,
 void ** key)
 {
@@ -578,8 +600,8 @@ int openssl_check_crt_name(void * crt,
 return -1;
 }
-int openssl_crt_str(void * crt,
- char * str)
+int openssl_crt_str(const void * crt,
+ char * str)
 {
 BIO * bio;
 X509 * xcrt;
@@ -608,6 +630,28 @@ int openssl_crt_str(void * crt,
 return -1;
 }
+int openssl_crt_der(const void * crt,
+ buffer_t * buf)
+{
+ int len;
+
+ assert(crt != NULL);
+ assert(buf != NULL);
+
+ len = i2d_X509((X509 *) crt, &buf->data);
+ if (len < 0)
+ goto fail_der;
+
+ buf->len = (size_t) len;
+
+ return 0;
+
+ fail_der:
+ clrbuf(*buf);
+ return -1;
+}
+
+
 void * openssl_auth_create_store(void)
 {
 return X509_STORE_new(); |
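Review bot: openssl_load_crt_der never checks that the whole input was consumed: after `d2i_X509(NULL, &p, buf.len)` succeeds, `p` is not compared with the end of the buffer, so any bytes following the first DER certificate are silently accepted. The commit message describes the certificate as a field of the flow allocation header, so the data presumably comes from a peer. If callers pass exactly that field, rejecting leftovers is the stricter parse: `if (p != buf.data + buf.len) { X509_free(xcrt); goto fail_crt; }`. The length is also handed to a parameter of type `long`; buffer_t is declared outside this hunk, but if `len` is a `size_t`, a guard such as `if (buf.len > LONG_MAX) goto fail_crt;` before the call keeps an oversized value from being converted into a negative one.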
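Review bot: openssl_crt_der depends on `buf->data` being NULL on entry, but nothing in the function enforces or documents that. `i2d_X509` allocates the output only when `*out` is NULL; given a non-NULL pointer it encodes into that memory without a length check and advances the pointer past the written bytes, so a reused or uninitialised buffer_t would be written out of bounds and left pointing behind the data. Setting `buf->data = NULL;` and `buf->len = 0;` before the call makes the allocating path unconditional. A header comment should also say that the returned data is allocated by OpenSSL and how the caller is expected to release it, since that ownership is not visible from the signature.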