irmd: Add flow authentication

This adds initial implementation of peer authentication as part of
flow allocation. If credentials are not provided, this will be
accepted and logged as info that the flow is not authenticated.

Certificates and keys are passed as .pem files. The key file should
not be encrypted, else the IRMd will open a prompt for the password.
The default location for these .pem files is in
/etc/ouroboros/security. It is strongly recommended to make this
directory only accessible to root.

├── security
│   ├── cacert
│   │   └── ca.root.o7s.crt.pem
│   ├── client
│   │   ├── <name>
│   │   |   ├── crt.pem
│   │   |   └── key.pem
│   │   └── <name>
|   |       ├──...
|   |
│   ├── server
│   │   ├── <name>
│   │   |   ├── crt.pem
│   │   |   └── key.pem
│   │   └── <name>
|   |       ├── ...
|   |
│   └── untrusted
│       └── sign.root.o7s.crt.pem

Trusted root CA certificates go in the /cacert directory, untrusted
certificates for signature verification go in the /untrusted
directory. The IRMd will load these certificates at boot.  The IRMd
will look for certificates in the /client and /server directories. For
each name a subdirectory can be added and the credentials in that
directory are used to sign the OAP header for flows at flow_alloc() on
the client side and flow_accept() on the server side.

These defaults can be changed at build time using the following
variables (in alphabetical order):
 OUROBOROS_CA_CRT_DIR             /etc/ouroboros/security/cacert
 OUROBOROS_CLI_CRT_DIR            /etc/ouroboros/security/client
 OUROBOROS_SECURITY_DIR           /etc/ouroboros/security
 OUROBOROS_SRV_CRT_DIR            /etc/ouroboros/security/server
 OUROBOROS_UNTRUSTED_DIR          /etc/ouroboros/security/untrusted

The directories for the names can also be configured at IRMd boot
using the configuraton file and at runtime when a name is created
using the "irm name create" CLI tool. The user needs to have
permissions to access the keyfile and certificate when specifying the
paths with the "irm name create" CLI tool.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>

7 files changed, 167 insertions, 33 deletions

diff --git a/src/lib/crypt.c b/src/lib/crypt.c
index e8c4d5ab..b39a4a73 100644
--- a/src/lib/crypt.c
+++ b/src/lib/crypt.c
@@ -393,7 +393,7 @@ int auth_add_crt_to_store(struct auth_ctx * ctx,
         (void) ctx;
         (void) crt;
 
-        return -1;
+        return 0;
 #endif
 }
 
diff --git a/src/lib/crypt/openssl.c b/src/lib/crypt/openssl.c
index 1824d879..03662914 100644
--- a/src/lib/crypt/openssl.c
+++ b/src/lib/crypt/openssl.c
@@ -29,8 +29,6 @@
 #include <ouroboros/random.h>
 #include <ouroboros/utils.h>
 
-#include <assert.h>
-
 #include <openssl/evp.h>
 #include <openssl/bio.h>
 #include <openssl/ec.h>
@@ -39,6 +37,8 @@
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
 
+#include <assert.h>
+
 /*
  * Derive the common secret from
  * - your public key pair (kp)
diff --git a/src/lib/irm.c b/src/lib/irm.c
index d25101f3..8333d0d3 100644
--- a/src/lib/irm.c
+++ b/src/lib/irm.c
@@ -523,32 +523,23 @@ int irm_unbind_process(pid_t        pid,
         return ret;
 }
 
-int irm_create_name(const char *     name,
-                    enum pol_balance pol)
+int irm_create_name(struct name_info * info)
 {
         irm_msg_t       msg      = IRM_MSG__INIT;
-        name_info_msg_t ni_msg   = NAME_INFO_MSG__INIT;
         irm_msg_t *     recv_msg;
         int             ret;
 
-        if (name == NULL)
+        if (info == NULL)
                 return -EINVAL;
 
-        msg.code      = IRM_MSG_CODE__IRM_CREATE_NAME;
-        ni_msg.name   = (char *) name;
-        ni_msg.pol_lb = pol;
-        msg.n_names   = 1;
-
-        msg.names = malloc(sizeof(*msg.names));
-        if (msg.names == NULL) {
-                return -ENOMEM;
-        }
-
-        msg.names[0]  = &ni_msg;
+        msg.code = IRM_MSG_CODE__IRM_CREATE_NAME;
+        msg.name_info = name_info_s_to_msg(info);
+        if (msg.name_info == NULL)
+                goto fail_info_msg;
 
         recv_msg = send_recv_irm_msg(&msg);
 
-        free(msg.names);
+        name_info_msg__free_unpacked(msg.name_info, NULL);
 
         if (recv_msg == NULL)
                 return -EIRMD;
@@ -562,6 +553,9 @@ int irm_create_name(const char *     name,
         irm_msg__free_unpacked(recv_msg, NULL);
 
         return ret;
+
+ fail_info_msg:
+        return -ENOMEM;
 }
 
 int irm_destroy_name(const char * name)
diff --git a/src/lib/pb/irm.proto b/src/lib/pb/irm.proto
index da3bd982..75f5f350 100644
--- a/src/lib/pb/irm.proto
+++ b/src/lib/pb/irm.proto
@@ -75,18 +75,19 @@ message irm_msg {
         optional string name             =  4;
         optional flow_info_msg flow_info =  5;
         optional ipcp_info_msg ipcp_info =  6;
-        optional string layer            =  7;
-        repeated string exec             =  8;
-        optional sint32 response         =  9;
-        optional string dst              = 10;
-        optional bytes  hash             = 11;
-        optional sint32 flow_id          = 12;
-        optional qosspec_msg qosspec     = 13;
-        optional ipcp_config_msg conf    = 14;
-        optional uint32 opts             = 15;
-        repeated ipcp_list_msg ipcps     = 16;
-        repeated name_info_msg names     = 17;
-        optional timespec_msg timeo      = 18;
+        optional name_info_msg name_info =  7;
+        optional string layer            =  8;
+        repeated string exec             =  9;
+        optional sint32 response         = 10;
+        optional string dst              = 11;
+        optional bytes  hash             = 12;
+        optional sint32 flow_id          = 13;
+        optional qosspec_msg qosspec     = 14;
+        optional ipcp_config_msg conf    = 15;
+        optional uint32 opts             = 16;
+        repeated ipcp_list_msg ipcps     = 17;
+        repeated name_info_msg names     = 18;
+        optional timespec_msg timeo      = 19;
         optional sint32 mpl              = 20;
         optional string comp             = 21;
         optional bytes pk                = 22; /* piggyback */
diff --git a/src/lib/pb/model.proto b/src/lib/pb/model.proto
index f1e401f9..56337b5b 100644
--- a/src/lib/pb/model.proto
+++ b/src/lib/pb/model.proto
@@ -44,8 +44,12 @@ message flow_info_msg {
 }
 
 message name_info_msg {
-        required string name   = 1;
-        required uint32 pol_lb = 2;
+        required string name    = 1;
+        required uint32 pol_lb  = 2;
+        required string skey    = 3;
+        required string scrt    = 4;
+        required string ckey    = 5;
+        required string ccrt    = 6;
 }
 
 message layer_info_msg {
diff --git a/src/lib/protobuf.c b/src/lib/protobuf.c
index 43ef6ac6..b2a0cb3b 100644
--- a/src/lib/protobuf.c
+++ b/src/lib/protobuf.c
@@ -106,6 +106,66 @@ struct flow_info flow_info_msg_to_s(const flow_info_msg_t * msg)
         return s;
 }
 
+name_info_msg_t * name_info_s_to_msg(const struct name_info * info)
+{
+        name_info_msg_t * msg;
+
+        assert(info != NULL);
+
+        msg = malloc(sizeof(*msg));
+        if (msg == NULL)
+                goto fail_malloc;
+
+        name_info_msg__init(msg);
+
+        msg->name = strdup(info->name);
+        if (msg->name == NULL)
+                goto fail_msg;
+
+        msg->skey = strdup(info->s.key);
+        if (msg->skey == NULL)
+                goto fail_msg;
+
+        msg->scrt = strdup(info->s.crt);
+        if (msg->scrt == NULL)
+                goto fail_msg;
+
+        msg->ckey = strdup(info->c.key);
+        if (msg->skey == NULL)
+                goto fail_msg;
+
+        msg->ccrt = strdup(info->c.crt);
+        if (msg->ccrt == NULL)
+                goto fail_msg;
+
+        msg->pol_lb  = info->pol_lb;
+
+        return msg;
+
+ fail_msg:
+        name_info_msg__free_unpacked(msg, NULL);
+ fail_malloc:
+        return NULL;
+}
+
+struct name_info name_info_msg_to_s(const name_info_msg_t * msg)
+{
+        struct name_info s;
+
+        assert(msg != NULL);
+        assert(strlen(msg->name) <= NAME_SIZE);
+
+        strcpy(s.name, msg->name);
+        strcpy(s.s.key, msg->skey);
+        strcpy(s.s.crt, msg->scrt);
+        strcpy(s.c.key, msg->ckey);
+        strcpy(s.c.crt, msg->ccrt);
+
+        s.pol_lb = msg->pol_lb;
+
+        return s;
+}
+
 layer_info_msg_t * layer_info_s_to_msg(const struct layer_info * s)
 {
         layer_info_msg_t * msg;
diff --git a/src/lib/tests/auth_test.c b/src/lib/tests/auth_test.c
index a5bf931d..ede294b8 100644
--- a/src/lib/tests/auth_test.c
+++ b/src/lib/tests/auth_test.c
@@ -323,6 +323,45 @@ static int test_crypt_check_pubkey_crt(void)
         return TEST_RC_FAIL;
 }
 
+static int test_store_add(void)
+{
+        struct auth_ctx * ctx;
+        void *            _root_ca_crt;
+
+        TEST_START();
+
+        ctx = auth_create_ctx();
+        if (ctx == NULL) {
+                printf("Failed to create auth context.\n");
+                goto fail_create;
+        }
+
+        if (crypt_load_crt_str(root_ca_crt, &_root_ca_crt) < 0) {
+                printf("Failed to load root crt from string.\n");
+                goto fail_load;
+        }
+
+        if (auth_add_crt_to_store(ctx, _root_ca_crt) < 0) {
+                printf("Failed to add root crt to auth store.\n");
+                goto fail_add;
+        }
+
+        crypt_free_crt(_root_ca_crt);
+        auth_destroy_ctx(ctx);
+
+        TEST_SUCCESS();
+
+        return TEST_RC_SUCCESS;
+
+ fail_add:
+        crypt_free_crt(_root_ca_crt);
+ fail_load:
+        crypt_free_crt(_root_ca_crt);
+ fail_create:
+        TEST_FAIL();
+        return TEST_RC_FAIL;
+}
+
 static int test_verify_crt(void)
 {
         struct auth_ctx * auth;
@@ -532,6 +571,38 @@ int test_auth_bad_signature(void)
         return TEST_RC_FAIL;
 }
 
+int test_crt_str(void)
+{
+        char str[2295];
+        void * crt;
+
+        TEST_START();
+
+        if (crypt_load_crt_str(signed_server_crt, &crt) < 0) {
+                printf("Failed to load certificate from string.\n");
+                goto fail_load;
+        }
+
+        if (crypt_crt_str(crt, str) < 0) {
+                printf("Failed to convert certificate to string.\n");
+                goto fail_to_str;
+        }
+
+        printf("Certificate string:\n%s\n", str);
+
+        crypt_free_crt(crt);
+
+        TEST_SUCCESS();
+
+        return TEST_RC_SUCCESS;
+
+ fail_to_str:
+        crypt_free_crt(crt);
+ fail_load:
+        TEST_FAIL();
+        return TEST_RC_FAIL;
+}
+
 int auth_test(int     argc,
               char ** argv)
 {
@@ -548,9 +619,11 @@ int auth_test(int     argc,
         ret |= test_load_free_privkey();
         ret |= test_load_free_pubkey();
         ret |= test_crypt_check_pubkey_crt();
+        ret |= test_store_add();
         ret |= test_verify_crt();
         ret |= test_auth_sign();
         ret |= test_auth_bad_signature();
+        ret |= test_crt_str();
 #else
         (void) test_load_free_crt;
         (void) test_check_crt_name;
@@ -558,9 +631,11 @@ int auth_test(int     argc,
         (void) test_load_free_privkey;
         (void) test_load_free_pubkey;
         (void) test_crypt_check_pubkey_crt;
+        (void) test_store_add;
         (void) test_verify_crt;
         (void) test_auth_sign;
         (void) test_auth_bad_signature;
+        (void) test_crt_str;
 
         ret = TEST_RC_SKIP;
 #endif