diff options
| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2023-12-10 14:53:41 +0100 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2023-12-17 13:23:49 +0100 |
| commit | 676bd51161e7584175b97cfb7ec2bebd6d951acc (patch) | |
| tree | c2366c53bc477d4c74208b700cb0436539858181 /src/lib | |
| parent | 8e7321c82cf446579fe14c7c369a7779e43aeddf (diff) | |
| download | ouroboros-676bd51161e7584175b97cfb7ec2bebd6d951acc.tar.gz ouroboros-676bd51161e7584175b97cfb7ec2bebd6d951acc.zip | |
lib: Move public key handling from app to IRMd
The application was generating its public keypair for its ECDHE key
exchange. This is now done by the IRMd, which will check the requested
qosspec and then apply what is needed. The flow_alloc and flow_accept
calls will just return the symmetric key to the application.
This makes it easier when we add configurations with given public key
pairs and other encryption algorithms, which can then all be
configured globally in the IRMd instead of having all the options
replicated and implemented in each and every application.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/crypt.c | 4 | ||||
| -rw-r--r-- | src/lib/dev.c | 87 | ||||
| -rw-r--r-- | src/lib/pb/irm.proto | 3 |
3 files changed, 17 insertions, 77 deletions
diff --git a/src/lib/crypt.c b/src/lib/crypt.c index c5d6101a..2f0404a2 100644 --- a/src/lib/crypt.c +++ b/src/lib/crypt.c @@ -154,8 +154,8 @@ static int __openssl_ecdh_gen_key(void ** kp) static ssize_t openssl_ecdh_pkp_create(void ** pkp, uint8_t * pk) { - uint8_t * pos; - ssize_t len; + uint8_t * pos; + ssize_t len; assert(pkp != NULL); assert(*pkp == NULL); diff --git a/src/lib/dev.c b/src/lib/dev.c index 3d45f016..d1f827f3 100644 --- a/src/lib/dev.c +++ b/src/lib/dev.c @@ -759,13 +759,8 @@ int flow_accept(qosspec_t * qs, irm_msg_t msg = IRM_MSG__INIT; irm_msg_t * recv_msg; int fd; - void * pkp; /* public key pair */ - uint8_t s[SYMMKEYSZ]; /* secret key for flow */ - uint8_t buf[MSGBUFSZ]; int err = -EIRMD; - ssize_t key_len; - - memset(s, 0, SYMMKEYSZ); + uint8_t * symmkey; msg.code = IRM_MSG_CODE__IRM_FLOW_ACCEPT; msg.has_pid = true; @@ -778,23 +773,7 @@ int flow_accept(qosspec_t * qs, msg.timeo_nsec = timeo->tv_nsec; } - key_len = crypt_dh_pkp_create(&pkp, buf); - if (key_len < 0) { - err = -ECRYPT; - goto fail_crypt_pkp; - } - if (key_len > 0) { - msg.has_pk = true; - msg.pk.data = buf; - msg.pk.len = (uint32_t) key_len; - } - - pthread_cleanup_push(crypt_dh_pkp_destroy, pkp); - recv_msg = send_recv_irm_msg(&msg); - - pthread_cleanup_pop(false); - if (recv_msg == NULL) goto fail_recv; @@ -810,17 +789,11 @@ int flow_accept(qosspec_t * qs, !recv_msg->has_mpl || recv_msg->qosspec == NULL) goto fail_msg; - if (recv_msg->pk.len != 0 && - crypt_dh_derive(pkp, recv_msg->pk.data, - recv_msg->pk.len, s) < 0) { - err = -ECRYPT; - goto fail_msg; - } - - crypt_dh_pkp_destroy(pkp); + symmkey = recv_msg->has_symmkey ? recv_msg->symmkey.data : NULL; fd = flow_init(recv_msg->flow_id, recv_msg->pid, - qos_spec_msg_to_s(recv_msg->qosspec), s, + qos_spec_msg_to_s(recv_msg->qosspec), + symmkey, recv_msg->mpl); irm_msg__free_unpacked(recv_msg, NULL); @@ -828,7 +801,6 @@ int flow_accept(qosspec_t * qs, if (fd < 0) return fd; - pthread_rwlock_rdlock(&ai.lock); if (qs != NULL) @@ -841,8 +813,6 @@ int flow_accept(qosspec_t * qs, fail_msg: irm_msg__free_unpacked(recv_msg, NULL); fail_recv: - crypt_dh_pkp_destroy(pkp); - fail_crypt_pkp: return err; } @@ -850,15 +820,10 @@ int flow_alloc(const char * dst, qosspec_t * qs, const struct timespec * timeo) { - irm_msg_t msg = IRM_MSG__INIT; - irm_msg_t * recv_msg; - int fd; - void * pkp = NULL; /* public key pair */ - uint8_t s[SYMMKEYSZ]; /* secret key for flow */ - uint8_t buf[MSGBUFSZ]; - int err = -EIRMD; - - memset(s, 0, SYMMKEYSZ); + irm_msg_t msg = IRM_MSG__INIT; + irm_msg_t * recv_msg; + int fd; + int err = -EIRMD; #ifdef QOS_DISABLE_CRC if (qs != NULL) @@ -877,25 +842,10 @@ int flow_alloc(const char * dst, msg.timeo_nsec = timeo->tv_nsec; } - if (qs != NULL && qs->cypher_s != 0) { - ssize_t key_len; - - key_len = crypt_dh_pkp_create(&pkp, buf); - if (key_len < 0) { - err = -ECRYPT; - goto fail_crypt_pkp; - } - - msg.has_pk = true; - msg.pk.data = buf; - msg.pk.len = (uint32_t) key_len; - } - recv_msg = send_recv_irm_msg(&msg); qosspec_msg__free_unpacked(msg.qosspec, NULL); - if (recv_msg == NULL) - goto fail_send; + goto fail_send_recv; if (!recv_msg->has_result) goto fail_result; @@ -909,19 +859,10 @@ int flow_alloc(const char * dst, !recv_msg->has_mpl) goto fail_result; - if (qs != NULL && qs->cypher_s != 0) { - if (!recv_msg->has_pk || recv_msg->pk.len == 0) { - err = -ECRYPT; - goto fail_result; - } - - if (crypt_dh_derive(pkp, recv_msg->pk.data, - recv_msg->pk.len, s) < 0) { + if ((qs != NULL && qs->cypher_s != 0) && + (!recv_msg->has_symmkey || recv_msg->symmkey.len != SYMMKEYSZ)) { err = -ECRYPT; goto fail_result; - } - - crypt_dh_pkp_destroy(pkp); } /* TODO: Make sure qosspec is set in msg */ @@ -929,7 +870,7 @@ int flow_alloc(const char * dst, *qs = qos_spec_msg_to_s(recv_msg->qosspec); fd = flow_init(recv_msg->flow_id, recv_msg->pid, - qs == NULL ? qos_raw : *qs, s, + qs == NULL ? qos_raw : *qs, recv_msg->symmkey.data, recv_msg->mpl); irm_msg__free_unpacked(recv_msg, NULL); @@ -938,9 +879,7 @@ int flow_alloc(const char * dst, fail_result: irm_msg__free_unpacked(recv_msg, NULL); - fail_send: - crypt_dh_pkp_destroy(pkp); - fail_crypt_pkp: + fail_send_recv: return err; } diff --git a/src/lib/pb/irm.proto b/src/lib/pb/irm.proto index 94db28a4..366e462c 100644 --- a/src/lib/pb/irm.proto +++ b/src/lib/pb/irm.proto @@ -92,5 +92,6 @@ message irm_msg { optional sint32 mpl = 19; optional string comp = 20; optional bytes pk = 21; /* piggyback */ - optional sint32 result = 22; + optional bytes symmkey = 22; + optional sint32 result = 23; } |