irmd: Add flow authentication

This adds initial implementation of peer authentication as part of flow allocation. If credentials are not provided, this will be accepted and logged as info that the flow is not authenticated. Certificates and keys are passed as .pem files. The key file should not be encrypted, else the IRMd will open a prompt for the password. The default location for these .pem files is in /etc/ouroboros/security. It is strongly recommended to make this directory only accessible to root. ├── security │ ├── cacert │ │ └── ca.root.o7s.crt.pem │ ├── client │ │ ├── <name> │ │ | ├── crt.pem │ │ | └── key.pem │ │ └── <name> | | ├──... | | │ ├── server │ │ ├── <name> │ │ | ├── crt.pem │ │ | └── key.pem │ │ └── <name> | | ├── ... | | │ └── untrusted │ └── sign.root.o7s.crt.pem Trusted root CA certificates go in the /cacert directory, untrusted certificates for signature verification go in the /untrusted directory. The IRMd will load these certificates at boot. The IRMd will look for certificates in the /client and /server directories. For each name a subdirectory can be added and the credentials in that directory are used to sign the OAP header for flows at flow_alloc() on the client side and flow_accept() on the server side. These defaults can be changed at build time using the following variables (in alphabetical order): OUROBOROS_CA_CRT_DIR /etc/ouroboros/security/cacert OUROBOROS_CLI_CRT_DIR /etc/ouroboros/security/client OUROBOROS_SECURITY_DIR /etc/ouroboros/security OUROBOROS_SRV_CRT_DIR /etc/ouroboros/security/server OUROBOROS_UNTRUSTED_DIR /etc/ouroboros/security/untrusted The directories for the names can also be configured at IRMd boot using the configuraton file and at runtime when a name is created using the "irm name create" CLI tool. The user needs to have permissions to access the keyfile and certificate when specifying the paths with the "irm name create" CLI tool. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
author: Dimitri Staessens <dimitri@ouroboros.rocks> 2025-08-13 09:03:20 +0200
committer: Dimitri Staessens <dimitri@ouroboros.rocks> 2025-08-18 20:57:23 +0200
commit: e35302ca0ab64edd21b9d8e40d3aa74a3a4f4f7e (patch)
tree: 348711a66a585f982b19979f083e601fc85ed605 /src/lib/tests/auth_test.c
parent: f1fcec220c8454cb461bd1ac22621a1b64609051 (diff)
download: ouroboros-e35302ca0ab64edd21b9d8e40d3aa74a3a4f4f7e.tar.gz
ouroboros-e35302ca0ab64edd21b9d8e40d3aa74a3a4f4f7e.zip
1 files changed, 75 insertions, 0 deletions
diff --git a/src/lib/tests/auth_test.c b/src/lib/tests/auth_test.c
index a5bf931d..ede294b8 100644
--- a/src/lib/tests/auth_test.c
+++ b/src/lib/tests/auth_test.c
@@ -323,6 +323,45 @@ static int test_crypt_check_pubkey_crt(void)
         return TEST_RC_FAIL;
 }
 
+static int test_store_add(void)
+{
+        struct auth_ctx * ctx;
+        void *            _root_ca_crt;
+
+        TEST_START();
+
+        ctx = auth_create_ctx();
+        if (ctx == NULL) {
+                printf("Failed to create auth context.\n");
+                goto fail_create;
+        }
+
+        if (crypt_load_crt_str(root_ca_crt, &_root_ca_crt) < 0) {
+                printf("Failed to load root crt from string.\n");
+                goto fail_load;
+        }
+
+        if (auth_add_crt_to_store(ctx, _root_ca_crt) < 0) {
+                printf("Failed to add root crt to auth store.\n");
+                goto fail_add;
+        }
+
+        crypt_free_crt(_root_ca_crt);
+        auth_destroy_ctx(ctx);
+
+        TEST_SUCCESS();
+
+        return TEST_RC_SUCCESS;
+
+ fail_add:
+        crypt_free_crt(_root_ca_crt);
+ fail_load:
+        crypt_free_crt(_root_ca_crt);
+ fail_create:
+        TEST_FAIL();
+        return TEST_RC_FAIL;
+}
+
 static int test_verify_crt(void)
 {
         struct auth_ctx * auth;
@@ -532,6 +571,38 @@ int test_auth_bad_signature(void)
         return TEST_RC_FAIL;
 }
 
+int test_crt_str(void)
+{
+        char str[2295];
+        void * crt;
+
+        TEST_START();
+
+        if (crypt_load_crt_str(signed_server_crt, &crt) < 0) {
+                printf("Failed to load certificate from string.\n");
+                goto fail_load;
+        }
+
+        if (crypt_crt_str(crt, str) < 0) {
+                printf("Failed to convert certificate to string.\n");
+                goto fail_to_str;
+        }
+
+        printf("Certificate string:\n%s\n", str);
+
+        crypt_free_crt(crt);
+
+        TEST_SUCCESS();
+
+        return TEST_RC_SUCCESS;
+
+ fail_to_str:
+        crypt_free_crt(crt);
+ fail_load:
+        TEST_FAIL();
+        return TEST_RC_FAIL;
+}
+
 int auth_test(int     argc,
               char ** argv)
 {
@@ -548,9 +619,11 @@ int auth_test(int     argc,
         ret |= test_load_free_privkey();
         ret |= test_load_free_pubkey();
         ret |= test_crypt_check_pubkey_crt();
+        ret |= test_store_add();
         ret |= test_verify_crt();
         ret |= test_auth_sign();
         ret |= test_auth_bad_signature();
+        ret |= test_crt_str();
 #else
         (void) test_load_free_crt;
         (void) test_check_crt_name;
@@ -558,9 +631,11 @@ int auth_test(int     argc,
         (void) test_load_free_privkey;
         (void) test_load_free_pubkey;
         (void) test_crypt_check_pubkey_crt;
+        (void) test_store_add;
         (void) test_verify_crt;
         (void) test_auth_sign;
         (void) test_auth_bad_signature;
+        (void) test_crt_str;
 
         ret = TEST_RC_SKIP;
 #endif
author	Dimitri Staessens <dimitri@ouroboros.rocks>	2025-08-13 09:03:20 +0200
committer	Dimitri Staessens <dimitri@ouroboros.rocks>	2025-08-18 20:57:23 +0200
commit	e35302ca0ab64edd21b9d8e40d3aa74a3a4f4f7e (patch)
tree	348711a66a585f982b19979f083e601fc85ed605 /src/lib/tests/auth_test.c
parent	f1fcec220c8454cb461bd1ac22621a1b64609051 (diff)
download	ouroboros-e35302ca0ab64edd21b9d8e40d3aa74a3a4f4f7e.tar.gz ouroboros-e35302ca0ab64edd21b9d8e40d3aa74a3a4f4f7e.zip