diff options
| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2025-09-02 18:23:41 +0200 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2025-09-10 08:21:58 +0200 |
| commit | 8de42096eb6e90d3ea9f5eacb95dc94222e5000b (patch) | |
| tree | bd965f0f9f76ef7234e1a01bc83b02e1e2eb18f4 /src | |
| parent | 5274cb3ce09c40cccd29ec771ad49a2069aa37c4 (diff) | |
| download | ouroboros-8de42096eb6e90d3ea9f5eacb95dc94222e5000b.tar.gz ouroboros-8de42096eb6e90d3ea9f5eacb95dc94222e5000b.zip | |
lib: Move encryption control from QoS to name
This removes the flow encryption option (cypher_s) from the qosspec.
The configuration file is configured in the security options (default
/etc/ouroboros/security/). For this poc, encryption can be disabled
client or server side by putting an enc.cfg file. If that file is
present in the client folder, the client will require encryption. If
that file is present on the server side, the server will require
encryption and reject non-encrypted flows.
Encryption is now configured outside of any application control.
Example: /etc/ouroboros/security/client/oping/enc.cfg exists:
irmd(II): Encryption enabled for oping.
irmd(DB): File /etc/ouroboros/security/client/oping/crt.pem does not exist.
irmd(II): No security info for oping.
irmd(DB): Generated ephemeral keys for 87474.
irmd/oap(PP): OAP_HDR [caf203681d997941 @ 2025-09-02 17:08:05 (UTC) ] -->
irmd/oap(PP): Certificate: <none>
irmd/oap(PP): Ephemeral Public Key: [91 bytes]
irmd/oap(PP): Data: <none>
irmd/oap(PP): Signature: <none>
Example: /etc/ouroboros/security/client/oping/enc.cfg does not exist:
irmd(II): Allocating flow for 87506 to oping.
irmd(DB): File /etc/ouroboros/security/client/oping/enc.cfg does not exist.
irmd(DB): File /etc/ouroboros/security/client/oping/crt.pem does not exist.
irmd(II): No security info for oping.
irmd/oap(PP): OAP_HDR [e84bb9d7c3d9c002 @ 2025-09-02 17:08:30 (UTC) ] -->
irmd/oap(PP): Certificate: <none>
irmd/oap(PP): Ephemeral Public Key: <none>
irmd/oap(PP): Data: <none>
irmd/oap(PP): Signature: <none>
Example: /etc/ouroboros/security/server/oping/enc.cfg exists:
irmd(II): Flow request arrived for oping.
irmd(DB): IPCP 88112 accepting flow 7 for oping.
irmd(II): Encryption enabled for oping.
irmd(DB): File /etc/ouroboros/security/server/oping/crt.pem does not exist.
irmd(II): No security info for oping.
irmd/oap(PP): OAP_HDR [3c717b3f31dff8df @ 2025-09-02 17:13:06 (UTC) ] <--
irmd/oap(PP): Certificate: <none>
irmd/oap(PP): Ephemeral Public Key: <none>
irmd/oap(PP): Data: <none>
irmd/oap(PP): Signature: <none>
irmd(WW): Encryption required but no key provided.
The server side will pass the ECRYPT to the client:
$ oping -l
Ouroboros ping server started.
Failed to accept flow: -1008
$ oping -n oping -c 1
Failed to allocate flow: -1008.
Encryption on flows can now be changed at runtime without needing to
touch/reconfigure/restart the process.
Note: The ECRYPT result is passed on via the flow allocator responses
through the IPCP (discovered/fixed some endianness issues), but the
reason for rejecting the flow can be considered N+1 information... We
may move that information up into the OAP header at some point.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src')
| -rw-r--r-- | src/ipcpd/eth/eth.c | 9 | ||||
| -rw-r--r-- | src/ipcpd/ipcp.c | 16 | ||||
| -rw-r--r-- | src/ipcpd/udp/udp.c | 22 | ||||
| -rw-r--r-- | src/ipcpd/unicast/fa.c | 25 | ||||
| -rw-r--r-- | src/irmd/configfile.c | 9 | ||||
| -rw-r--r-- | src/irmd/ipcp.c | 2 | ||||
| -rw-r--r-- | src/irmd/main.c | 117 | ||||
| -rw-r--r-- | src/irmd/reg/flow.h | 1 | ||||
| -rw-r--r-- | src/irmd/reg/reg.c | 9 | ||||
| -rw-r--r-- | src/irmd/reg/reg.h | 3 | ||||
| -rw-r--r-- | src/irmd/reg/tests/reg_test.c | 7 | ||||
| -rw-r--r-- | src/lib/crypt.c | 19 | ||||
| -rw-r--r-- | src/lib/dev.c | 15 | ||||
| -rw-r--r-- | src/lib/pb/model.proto | 3 | ||||
| -rw-r--r-- | src/lib/protobuf.c | 2 | ||||
| -rw-r--r-- | src/lib/serdes-irm.c | 7 | ||||
| -rw-r--r-- | src/lib/tests/crypt_test.c | 6 | ||||
| -rw-r--r-- | src/tools/irm/irm_name_create.c | 16 | ||||
| -rw-r--r-- | src/tools/oping/oping.c | 4 | ||||
| -rw-r--r-- | src/tools/oping/oping_server.c | 4 | ||||
| -rw-r--r-- | src/tools/ovpn/ovpn.c | 5 |
21 files changed, 166 insertions, 135 deletions
diff --git a/src/ipcpd/eth/eth.c b/src/ipcpd/eth/eth.c index d39b478c..0b6a91fb 100644 --- a/src/ipcpd/eth/eth.c +++ b/src/ipcpd/eth/eth.c @@ -163,13 +163,12 @@ struct mgmt_msg { uint32_t max_gap; uint32_t delay; uint32_t timeout; - uint16_t cypher_s; + int32_t response; uint8_t in_order; #if defined (BUILD_ETH_DIX) uint8_t code; uint8_t availability; #endif - int8_t response; } __attribute__((packed)); struct eth_frame { @@ -490,7 +489,6 @@ static int eth_ipcp_alloc(const uint8_t * dst_addr, msg->ber = hton32(qs.ber); msg->in_order = qs.in_order; msg->max_gap = hton32(qs.max_gap); - msg->cypher_s = hton16(qs.cypher_s); msg->timeout = hton32(qs.timeout); memcpy(msg + 1, hash, ipcp_dir_hash_len()); @@ -538,7 +536,7 @@ static int eth_ipcp_alloc_resp(uint8_t * dst_addr, msg->ssap = ssap; msg->dsap = dsap; #endif - msg->response = response; + msg->response = hton32(response); if (data->len > 0) memcpy(msg + 1, data->data, data->len); @@ -728,7 +726,6 @@ static int eth_ipcp_mgmt_frame(const uint8_t * buf, qs.ber = ntoh32(msg->ber); qs.in_order = msg->in_order; qs.max_gap = ntoh32(msg->max_gap); - qs.cypher_s = ntoh16(msg->cypher_s); qs.timeout = ntoh32(msg->timeout); data.data = (uint8_t *) buf + msg_len; @@ -761,7 +758,7 @@ static int eth_ipcp_mgmt_frame(const uint8_t * buf, msg->ssap, msg->dsap, #endif - msg->response, + ntoh32(msg->response), &data); break; case NAME_QUERY_REQ: diff --git a/src/ipcpd/ipcp.c b/src/ipcpd/ipcp.c index 62995727..774bfda4 100644 --- a/src/ipcpd/ipcp.c +++ b/src/ipcpd/ipcp.c @@ -398,8 +398,8 @@ int ipcp_wait_flow_req_arr(const uint8_t * dst, int ipcp_wait_flow_resp(const int fd) { - struct timespec ts = TIMESPEC_INIT_MS(ALLOC_TIMEOUT); - struct timespec abstime; + struct timespec ts = TIMESPEC_INIT_MS(ALLOC_TIMEOUT); + struct timespec abstime; clock_gettime(PTHREAD_COND_CLOCK, &abstime); @@ -722,13 +722,11 @@ static void do_flow_alloc_resp(int resp, return; } - if (resp == 0) { - fd = np1_flow_resp(flow_id); - if (fd < 0) { - log_warn("Flow_id %d is not known.", flow_id); - ret_msg->result = -1; - return; - } + fd = np1_flow_resp(flow_id, resp); + if (fd < 0) { + log_warn("Flow_id %d is not known.", flow_id); + ret_msg->result = -1; + return; } ret_msg->result = ipcpd.ops->ipcp_flow_alloc_resp(fd, resp, data); diff --git a/src/ipcpd/udp/udp.c b/src/ipcpd/udp/udp.c index d6d38362..be8069a4 100644 --- a/src/ipcpd/udp/udp.c +++ b/src/ipcpd/udp/udp.c @@ -76,19 +76,17 @@ struct mgmt_msg { uint32_t eid; uint32_t s_eid; uint32_t d_eid; - uint8_t code; - int8_t response; - /* QoS parameters from spec */ - uint8_t availability; - uint8_t in_order; + int32_t response; uint64_t bandwidth; uint32_t delay; uint32_t loss; uint32_t ber; uint32_t max_gap; uint32_t timeout; - uint16_t cypher_s; - + uint8_t code; + /* QoS parameters from spec */ + uint8_t availability; + uint8_t in_order; } __attribute__((packed)); struct mgmt_frame { @@ -221,7 +219,6 @@ static int udp_ipcp_port_alloc(const struct __SOCKADDR * r_saddr, msg->ber = hton32(qs.ber); msg->in_order = qs.in_order; msg->max_gap = hton32(qs.max_gap); - msg->cypher_s = hton16(qs.cypher_s); msg->timeout = hton32(qs.timeout); memcpy(msg + 1, dst, ipcp_dir_hash_len()); @@ -245,7 +242,7 @@ static int udp_ipcp_port_alloc(const struct __SOCKADDR * r_saddr, static int udp_ipcp_port_alloc_resp(const struct __SOCKADDR * r_saddr, uint32_t s_eid, uint32_t d_eid, - int8_t response, + int32_t response, const buffer_t * data) { struct mgmt_msg * msg; @@ -258,7 +255,7 @@ static int udp_ipcp_port_alloc_resp(const struct __SOCKADDR * r_saddr, msg->code = FLOW_REPLY; msg->s_eid = hton32(s_eid); msg->d_eid = hton32(d_eid); - msg->response = response; + msg->response = hton32(response); if (data->len > 0) memcpy(msg + 1, data->data, data->len); @@ -305,7 +302,7 @@ static int udp_ipcp_port_req(struct __SOCKADDR * c_saddr, static int udp_ipcp_port_alloc_reply(const struct __SOCKADDR * saddr, uint32_t s_eid, uint32_t d_eid, - int8_t response, + int32_t response, const buffer_t * data) { time_t mpl = IPCP_UDP_MPL; @@ -369,7 +366,6 @@ static int udp_ipcp_mgmt_frame(struct __SOCKADDR c_saddr, qs.ber = ntoh32(msg->ber); qs.in_order = msg->in_order; qs.max_gap = ntoh32(msg->max_gap); - qs.cypher_s = ntoh16(msg->cypher_s); qs.timeout = ntoh32(msg->timeout); return udp_ipcp_port_req(&c_saddr, ntoh32(msg->s_eid), @@ -384,7 +380,7 @@ static int udp_ipcp_mgmt_frame(struct __SOCKADDR c_saddr, return udp_ipcp_port_alloc_reply(&c_saddr, ntoh32(msg->s_eid), ntoh32(msg->d_eid), - msg->response, + ntoh32(msg->response), &data); default: log_err("Unknown message received %d.", msg->code); diff --git a/src/ipcpd/unicast/fa.c b/src/ipcpd/unicast/fa.c index 69a9bbe6..ac168bd9 100644 --- a/src/ipcpd/unicast/fa.c +++ b/src/ipcpd/unicast/fa.c @@ -70,17 +70,15 @@ struct fa_msg { uint64_t s_addr; uint64_t r_eid; uint64_t s_eid; - uint8_t code; - int8_t response; - uint16_t ece; - /* QoS parameters from spec, aligned */ - uint32_t delay; uint64_t bandwidth; + int32_t response; + uint32_t delay; uint32_t loss; uint32_t ber; uint32_t max_gap; uint32_t timeout; - uint16_t cypher_s; + uint16_t ece; + uint8_t code; uint8_t availability; uint8_t in_order; } __attribute__((packed)); @@ -499,7 +497,6 @@ static int fa_handle_flow_req(struct fa_msg * msg, qs.ber = ntoh32(msg->ber); qs.in_order = msg->in_order; qs.max_gap = ntoh32(msg->max_gap); - qs.cypher_s = ntoh16(msg->cypher_s); qs.timeout = ntoh32(msg->timeout); fd = ipcp_wait_flow_req_arr(dst, qs, IPCP_UNICAST_MPL, &data); @@ -528,6 +525,7 @@ static int fa_handle_flow_reply(struct fa_msg * msg, struct fa_flow * flow; buffer_t data; /* Piggbacked data on flow alloc request. */ time_t mpl = IPCP_UNICAST_MPL; + int response; assert(len >= sizeof(*msg)); @@ -547,15 +545,19 @@ static int fa_handle_flow_reply(struct fa_msg * msg, flow = &fa.flows[fd]; flow->r_eid = ntoh64(msg->s_eid); + response = ntoh32(msg->response); - if (msg->response < 0) + log_dbg("IPCP received msg response %d for flow on fd %d.", + response, fd); + + if (response < 0) fa_flow_fini(flow); else psched_add(fa.psched, fd); pthread_rwlock_unlock(&fa.flows_lock); - if (ipcp_flow_alloc_reply(fd, msg->response, mpl, &data) < 0) { + if (ipcp_flow_alloc_reply(fd, response, mpl, &data) < 0) { log_err("Failed to reply for flow allocation on fd %d.", fd); return -EIRMD; } @@ -776,7 +778,6 @@ int fa_alloc(int fd, msg->ber = hton32(qs.ber); msg->in_order = qs.in_order; msg->max_gap = hton32(qs.max_gap); - msg->cypher_s = hton16(qs.cypher_s); msg->timeout = hton32(qs.timeout); memcpy(msg + 1, dst, ipcp_dir_hash_len()); @@ -828,7 +829,7 @@ int fa_alloc_resp(int fd, memset(msg, 0, sizeof(*msg)); msg->code = FLOW_REPLY; - msg->response = response; + msg->response = hton32(response); if (data->len > 0) memcpy(msg + 1, data->data, data->len); @@ -845,7 +846,7 @@ int fa_alloc_resp(int fd, } if (response < 0) { - pthread_rwlock_rdlock(&fa.flows_lock); + pthread_rwlock_wrlock(&fa.flows_lock); fa_flow_fini(flow); pthread_rwlock_unlock(&fa.flows_lock); } else { diff --git a/src/irmd/configfile.c b/src/irmd/configfile.c index 2dfb41a8..ce9fc8fc 100644 --- a/src/irmd/configfile.c +++ b/src/irmd/configfile.c @@ -922,8 +922,10 @@ static int toml_name(toml_table_t * table, toml_array_t * progs; toml_array_t * args; toml_datum_t lb; + toml_datum_t senc; toml_datum_t scrt; toml_datum_t skey; + toml_datum_t cenc; toml_datum_t ccrt; toml_datum_t ckey; @@ -955,6 +957,9 @@ static int toml_name(toml_table_t * table, log_err("Invalid load-balancing policy for %s.", name); return -1; } + senc = toml_string_in(table, "server_enc_file"); + if (senc.ok && cp_chk_path(info.s.enc, senc.u.s) < 0) + return -1; scrt = toml_string_in(table, "server_crt_file"); if (scrt.ok && cp_chk_path(info.s.crt, scrt.u.s) < 0) @@ -964,6 +969,10 @@ static int toml_name(toml_table_t * table, if (skey.ok && cp_chk_path(info.s.key, skey.u.s) < 0) return -1; + cenc = toml_string_in(table, "client_enc_file"); + if (cenc.ok && cp_chk_path(info.c.enc, cenc.u.s) < 0) + return -1; + ccrt = toml_string_in(table, "client_crt_file"); if (ccrt.ok && cp_chk_path(info.c.crt, ccrt.u.s) < 0) return -1; diff --git a/src/irmd/ipcp.c b/src/irmd/ipcp.c index fdee6a75..6226aeda 100644 --- a/src/irmd/ipcp.c +++ b/src/irmd/ipcp.c @@ -497,7 +497,7 @@ int ipcp_flow_alloc_resp(const struct flow_info * flow, msg.pid = flow->n_pid; msg.has_response = true; msg.response = response; - msg.has_pk = true; + msg.has_pk = response == 0; msg.pk.data = data.data; msg.pk.len = data.len; diff --git a/src/irmd/main.c b/src/irmd/main.c index 05f9236f..834a7a8c 100644 --- a/src/irmd/main.c +++ b/src/irmd/main.c @@ -455,12 +455,18 @@ static void name_update_sec_paths(struct name_info * info) assert(info != NULL); + if (strlen(info->s.enc) == 0) + sprintf(info->s.enc, "%s/%s/enc.cfg", srv_dir, info->name); + if (strlen(info->s.crt) == 0) sprintf(info->s.crt, "%s/%s/crt.pem", srv_dir, info->name); if (strlen(info->s.key) == 0) sprintf(info->s.key, "%s/%s/key.pem", srv_dir, info->name); + if (strlen(info->c.enc) == 0) + sprintf(info->c.enc, "%s/%s/enc.cfg", cli_dir, info->name); + if (strlen(info->c.crt) == 0) sprintf(info->c.crt, "%s/%s/crt.pem", cli_dir, info->name); @@ -816,7 +822,8 @@ static bool file_exists(const char * path) static int load_credentials(const char * name, const struct name_sec_paths * paths, void ** pkp, - void ** crt) + void ** crt, + bool * crypt) { assert(paths != NULL); assert(pkp != NULL); @@ -825,6 +832,11 @@ static int load_credentials(const char * name, *pkp = NULL; *crt = NULL; + /* TODO: Allow configuration. For now, encrypt if path exists */ + *crypt = file_exists(paths->enc); + if (*crypt) + log_info("Encryption enabled for %s.", name); + if (!file_exists(paths->crt) || !file_exists(paths->key)) { log_info("No security info for %s.", name); return 0; @@ -853,7 +865,8 @@ static int load_credentials(const char * name, static int load_srv_credentials(const char * name, void ** pkp, - void ** crt) + void ** crt, + bool * crypt) { struct name_info info; @@ -866,12 +879,13 @@ static int load_srv_credentials(const char * name, return -ENAME; } - return load_credentials(name, &info.s, pkp, crt); + return load_credentials(name, &info.s, pkp, crt, crypt); } static int load_cli_credentials(const char * name, void ** pkp, - void ** crt) + void ** crt, + bool * crypt) { struct name_info info; @@ -884,7 +898,7 @@ static int load_cli_credentials(const char * name, return -ENAME; } - return load_credentials(name, &info.c, pkp, crt); + return load_credentials(name, &info.c, pkp, crt, crypt); } #define ID_IS_EQUAL(id1, id2) (memcmp(id1, id2, OAP_ID_SIZE) == 0) @@ -1029,14 +1043,15 @@ static int flow_accept(struct flow_info * flow, buffer_t * data, struct timespec * abstime) { - struct oap_hdr oap_hdr; /* incoming request */ - struct oap_hdr r_oap_hdr; /* outgoing response */ - uint8_t buf[MSGBUFSZ]; /* buffer for local ephkey */ - buffer_t lpk = BUF_INIT; /* local ephemeral pubkey */ - char name[NAME_SIZE + 1]; /* name for flow */ - void * pkp = NULL; /* signing private key */ - void * crt = NULL; /* signing certificate */ - int err; + struct oap_hdr oap_hdr; /* incoming request */ + struct oap_hdr r_oap_hdr; /* outgoing response */ + uint8_t buf[MSGBUFSZ]; /* buffer for local ephkey */ + buffer_t lpk = BUF_INIT; /* local ephemeral pubkey */ + char name[NAME_SIZE + 1]; /* name for flow */ + void * pkp = NULL; /* signing private key */ + void * crt = NULL; /* signing certificate */ + int err; + bool crypt; /* piggyback of user data not yet implemented */ assert(data != NULL && BUF_IS_EMPTY(data)); @@ -1082,12 +1097,18 @@ static int flow_accept(struct flow_info * flow, if (reg_get_name_for_flow_id(name, flow->id) < 0) { log_err("Failed to get name for flow %d.", flow->id); err = -EIPCP; - goto fail_oap_hdr; + goto fail_cred; } log_dbg("IPCP %d accepting flow %d for %s.", flow->n_pid, flow->id, name); + if (load_srv_credentials(name, &pkp, &crt, &crypt) < 0) { + log_err("Failed to load security keys for %s.", name); + err = -EAUTH; + goto fail_cred; + } + if (oap_hdr_decode(oap_hdr.hdr, &oap_hdr) < 0) { log_err("Failed to decode OAP header from %s.", name); err = -EIPCP; @@ -1101,10 +1122,16 @@ static int flow_accept(struct flow_info * flow, goto fail_oap_hdr; } - if (flow->qs.cypher_s != 0) { /* crypto requested */ - uint8_t * s; /* symmetric encryption key */ - ssize_t key_len; /* length of local pubkey */ - void * pkp = NULL; /* ephemeral private key pair */ + if (crypt && oap_hdr.eph.len == 0) { + log_warn("Encryption required but no key provided."); + err = -ECRYPT; + goto fail_oap_hdr; + } + + if (oap_hdr.eph.len > 0) { /* crypto requested */ + uint8_t * s; /* symmetric encryption key */ + ssize_t key_len; /* length of local pubkey */ + void * pkp = NULL; /* ephemeral private key pair */ s = malloc(SYMMKEYSZ); if (s == NULL) { @@ -1140,12 +1167,6 @@ static int flow_accept(struct flow_info * flow, crypt_dh_pkp_destroy(pkp); } - if (load_srv_credentials(name, &pkp, &crt) < 0) { - log_err("Failed to load security keys for %s.", name); - err = -EAUTH; - goto fail_cred; - } - if (oap_hdr_init(oap_hdr.id, pkp, crt, lpk, *data, &r_oap_hdr) < 0) { log_err("Failed to create OAP header."); err = -ENOMEM; @@ -1178,15 +1199,15 @@ static int flow_accept(struct flow_info * flow, return 0; fail_r_oap_hdr: - crypt_free_crt(crt); - crypt_free_key(pkp); - fail_cred: freebuf(*symmkey); fail_derive: clrbuf(lpk); fail_keys: oap_hdr_fini(&oap_hdr); fail_oap_hdr: + crypt_free_crt(crt); + crypt_free_key(pkp); + fail_cred: assert(lpk.data == NULL && lpk.len == 0); ipcp_flow_alloc_resp(flow, err, lpk); fail_wait: @@ -1354,11 +1375,14 @@ static int flow_alloc(struct flow_info * flow, uint8_t idbuf[OAP_ID_SIZE]; buffer_t id; int err; + bool crypt; /* piggyback of user data not yet implemented */ assert(data != NULL && BUF_IS_EMPTY(data)); assert(symmkey != NULL && BUF_IS_EMPTY(symmkey)); + log_info("Allocating flow for %d to %s.", flow->n_pid, dst); + if (random_buffer(idbuf, OAP_ID_SIZE) < 0) { log_err("Failed to generate ID."); err = -EIRMD; @@ -1368,7 +1392,13 @@ static int flow_alloc(struct flow_info * flow, id.data = idbuf; id.len = OAP_ID_SIZE; - if (flow->qs.cypher_s > 0) { + if (load_cli_credentials(dst, &cpkp, &ccrt, &crypt) < 0) { + log_err("Failed to load security keys for %s.", dst); + err = -EAUTH; + goto fail_cred; + } + + if (crypt > 0) { ssize_t key_len; s = malloc(SYMMKEYSZ); @@ -1391,12 +1421,6 @@ static int flow_alloc(struct flow_info * flow, log_dbg("Generated ephemeral keys for %d.", flow->n_pid); } - if (load_cli_credentials(dst, &cpkp, &ccrt) < 0) { - log_err("Failed to load security keys for %s.", dst); - err = -EAUTH; - goto fail_cred; - } - if (oap_hdr_init(id, cpkp, ccrt, lpk, *data, &oap_hdr) < 0) { log_err("Failed to create OAP header."); err = -ENOMEM; @@ -1405,9 +1429,6 @@ static int flow_alloc(struct flow_info * flow, #ifdef DEBUG_PROTO_OAP debug_oap_hdr_snd(&oap_hdr); #endif - - log_info("Allocating flow for %d to %s.", flow->n_pid, dst); - if (reg_create_flow(flow) < 0) { log_err("Failed to create flow."); err = -EBADF; @@ -1447,11 +1468,16 @@ static int flow_alloc(struct flow_info * flow, if (err == -1) { log_dbg("Flow allocation terminated."); - err = -EPIPE; + err = -EIPCP; goto fail_alloc; } - assert(err == 0); + log_dbg("Response received for flow %d to %s.", flow->id, dst); + + if (err < 0) { + log_warn("Flow allocation rejected for %s: %d.", dst, err); + goto fail_alloc; + } if (oap_hdr_decode(r_oap_hdr.hdr, &r_oap_hdr) < 0) { log_err("Failed to decode OAP header."); @@ -1463,6 +1489,7 @@ static int flow_alloc(struct flow_info * flow, #endif if (irm_check_oap_hdr(&r_oap_hdr, flow->mpl) < 0) { log_err("OAP header failed replay check."); + err = -EAUTH; goto fail_r_oap_hdr; } @@ -1472,7 +1499,7 @@ static int flow_alloc(struct flow_info * flow, goto fail_r_oap_hdr; } - if (flow->qs.cypher_s != 0) { /* crypto requested */ + if (lpk.len > 0) { /* crypto requested */ if (crypt_dh_derive(pkp, r_oap_hdr.eph, s) < 0) { log_err("Failed to derive secret for %d.", flow->id); err = -ECRYPT; @@ -1508,13 +1535,13 @@ static int flow_alloc(struct flow_info * flow, fail_flow: oap_hdr_fini(&oap_hdr); fail_oap_hdr: - crypt_free_crt(ccrt); - crypt_free_key(cpkp); - fail_cred: crypt_dh_pkp_destroy(pkp); fail_pkp: free(s); fail_malloc: + crypt_free_crt(ccrt); + crypt_free_key(cpkp); + fail_cred: clrbuf(id); fail_id: return err; @@ -1616,9 +1643,9 @@ static int flow_alloc_reply(struct flow_info * flow, int response, buffer_t * data) { - flow->state = response ? FLOW_DEALLOCATED : FLOW_ALLOCATED; + flow->state = response != 0 ? FLOW_DEALLOCATED : FLOW_ALLOCATED; - if (reg_respond_alloc(flow, data) < 0) { + if (reg_respond_alloc(flow, data, response) < 0) { log_err("Failed to reply to flow %d.", flow->id); flow->state = FLOW_DEALLOCATED; return -EBADF; diff --git a/src/irmd/reg/flow.h b/src/irmd/reg/flow.h index aba0d7a4..d1e4811c 100644 --- a/src/irmd/reg/flow.h +++ b/src/irmd/reg/flow.h @@ -38,6 +38,7 @@ struct reg_flow { struct list_head next; struct flow_info info; + int response; buffer_t data; struct timespec t0; diff --git a/src/irmd/reg/reg.c b/src/irmd/reg/reg.c index 91385260..a24a9d1d 100644 --- a/src/irmd/reg/reg.c +++ b/src/irmd/reg/reg.c @@ -1714,7 +1714,7 @@ int reg_wait_flow_allocated(struct flow_info * info, stop = true; break; case FLOW_DEALLOCATED: - ret = -1; + ret = flow->response; stop = true; break; default: @@ -1746,7 +1746,8 @@ int reg_wait_flow_allocated(struct flow_info * info, } int reg_respond_alloc(struct flow_info * info, - buffer_t * pbuf) + buffer_t * pbuf, + int response) { struct reg_flow * flow; @@ -1779,7 +1780,9 @@ int reg_respond_alloc(struct flow_info * info, if (reg_flow_update(flow, info) < 0) { log_err("Failed to create flow structs."); goto fail_flow; - }; + } + + flow->response = response; if (info->state == FLOW_ALLOCATED) reg_flow_set_data(flow, pbuf); diff --git a/src/irmd/reg/reg.h b/src/irmd/reg/reg.h index 57257dd5..7728c80f 100644 --- a/src/irmd/reg/reg.h +++ b/src/irmd/reg/reg.h @@ -126,7 +126,8 @@ int reg_wait_flow_allocated(struct flow_info * info, const struct timespec * abstime); int reg_respond_alloc(struct flow_info * info, - buffer_t * pbuf); + buffer_t * pbuf, + int response); int reg_prepare_flow_accept(struct flow_info * info); diff --git a/src/irmd/reg/tests/reg_test.c b/src/irmd/reg/tests/reg_test.c index d18f5733..4699beab 100644 --- a/src/irmd/reg/tests/reg_test.c +++ b/src/irmd/reg/tests/reg_test.c @@ -174,6 +174,9 @@ static void * test_flow_respond_alloc(void * o) { struct flow_info * info = (struct flow_info *) o; buffer_t pbuf = BUF_INIT; + int response; + + response = (info->state == FLOW_ALLOCATED) ? 0 : -1; if (info->state == FLOW_ALLOCATED) { pbuf.data = (uint8_t *) strdup(TEST_DATA2); @@ -184,7 +187,7 @@ static void * test_flow_respond_alloc(void * o) pbuf.len = strlen((char *) pbuf.data) + 1; } - reg_respond_alloc(info, &pbuf); + reg_respond_alloc(info, &pbuf, response); return (void *) 0; fail: @@ -224,7 +227,7 @@ static int test_reg_accept_flow_success(void) struct flow_info n_1_info = { .n_1_pid = TEST_N_1_PID, - .qs = qos_data_crypt, + .qs = qos_data, .state = FLOW_ALLOCATED /* RESPONSE SUCCESS */ }; diff --git a/src/lib/crypt.c b/src/lib/crypt.c index b39a4a73..8b18140e 100644 --- a/src/lib/crypt.c +++ b/src/lib/crypt.c @@ -32,7 +32,6 @@ #include <string.h> struct crypt_ctx { - uint16_t flags; void * ctx; uint8_t key[SYMMKEYSZ]; }; @@ -91,14 +90,13 @@ int crypt_encrypt(struct crypt_ctx * ctx, buffer_t in, buffer_t * out) { - if (ctx->flags == 0) { - clrbuf(*out); - return 0; - } + assert(ctx != NULL); + assert(ctx->ctx != NULL); #ifdef HAVE_OPENSSL return openssl_encrypt(ctx->ctx, ctx->key, in, out); #else + (void) ctx; (void) in; (void) out; @@ -110,14 +108,13 @@ int crypt_decrypt(struct crypt_ctx * ctx, buffer_t in, buffer_t * out) { - if (ctx->flags == 0) { - clrbuf(*out); - return 0; - } + assert(ctx != NULL); + assert(ctx->ctx != NULL); #ifdef HAVE_OPENSSL return openssl_decrypt(ctx->ctx, ctx->key, in, out); #else + (void) ctx; (void) in; (void) out; @@ -125,8 +122,7 @@ int crypt_decrypt(struct crypt_ctx * ctx, #endif } -struct crypt_ctx * crypt_create_ctx(uint16_t flags, - const uint8_t * key) +struct crypt_ctx * crypt_create_ctx(const uint8_t * key) { struct crypt_ctx * crypt; @@ -136,7 +132,6 @@ struct crypt_ctx * crypt_create_ctx(uint16_t flags, memset(crypt, 0, sizeof(*crypt)); - crypt->flags = flags; if (key != NULL) memcpy(crypt->key, key, SYMMKEYSZ); #ifdef HAVE_OPENSSL diff --git a/src/lib/dev.c b/src/lib/dev.c index 6c8fdbc1..c0cd11a3 100644 --- a/src/lib/dev.c +++ b/src/lib/dev.c @@ -544,8 +544,7 @@ static int flow_init(struct flow_info * info, if (sk!= NULL && sk->data != NULL) { assert(sk->len == SYMMKEYSZ); - /* TODO: remove cypher_s from QoS */ - flow->crypt = crypt_create_ctx(info->qs.cypher_s, sk->data); + flow->crypt = crypt_create_ctx(sk->data); if (flow->crypt == NULL) goto fail_crypt; } @@ -886,8 +885,10 @@ int flow_alloc(const char * dst, return -ENOMEM; err = send_recv_msg(&msg); - if (err < 0) + if (err < 0) { + printf("send_recv_msg error %d\n", err); return err; + } err = flow__irm_result_des(&msg, &flow, &sk); if (err < 0) @@ -917,9 +918,6 @@ int flow_join(const char * dst, if (qs != NULL) qs->ber = 1; #endif - if (qs != NULL && qs->cypher_s > 0) - return -ENOTSUP; /* TODO: Encrypted broadcast */ - memset(&flow, 0, sizeof(flow)); flow.n_pid = getpid(); @@ -1830,11 +1828,12 @@ int np1_flow_dealloc(int flow_id, return fd; } -int np1_flow_resp(int flow_id) +int np1_flow_resp(int flow_id, + int resp) { int fd; - if (flow_wait_assign(flow_id) != FLOW_ALLOCATED) + if (resp == 0 && flow_wait_assign(flow_id) != FLOW_ALLOCATED) return -1; pthread_rwlock_rdlock(&ai.lock); diff --git a/src/lib/pb/model.proto b/src/lib/pb/model.proto index 56337b5b..7b06e434 100644 --- a/src/lib/pb/model.proto +++ b/src/lib/pb/model.proto @@ -30,8 +30,7 @@ message qosspec_msg { required uint32 ber = 5; /* Bit error rate, ppb. */ required uint32 in_order = 6; /* In-order delivery. */ required uint32 max_gap = 7; /* In ms. */ - required uint32 cypher_s = 8; /* Crypto strength in bits. */ - required uint32 timeout = 9; /* Timeout in ms. */ + required uint32 timeout = 8; /* Timeout in ms. */ } message flow_info_msg { diff --git a/src/lib/protobuf.c b/src/lib/protobuf.c index b5ec8778..6df4e810 100644 --- a/src/lib/protobuf.c +++ b/src/lib/protobuf.c @@ -751,7 +751,6 @@ qosspec_msg_t * qos_spec_s_to_msg(const struct qos_spec * s) msg->ber = s->ber; msg->in_order = s->in_order; msg->max_gap = s->max_gap; - msg->cypher_s = s->cypher_s; msg->timeout = s->timeout; return msg; @@ -770,7 +769,6 @@ struct qos_spec qos_spec_msg_to_s(const qosspec_msg_t * msg) s.ber = msg->ber; s.in_order = msg->in_order; s.max_gap = msg->max_gap; - s.cypher_s = msg->cypher_s; s.timeout = msg->timeout; return s; diff --git a/src/lib/serdes-irm.c b/src/lib/serdes-irm.c index c4ba3053..3aea0617 100644 --- a/src/lib/serdes-irm.c +++ b/src/lib/serdes-irm.c @@ -166,12 +166,7 @@ int flow__irm_result_des(buffer_t * buf, *flow = flow_info_msg_to_s(msg->flow_info); - if (flow->qs.cypher_s > 0 && sk != NULL) { - if (msg->symmkey.data == NULL || msg->symmkey.len == 0) { - err = -ECRYPT; - goto fail; - } - + if (sk != NULL) { sk->len = msg->symmkey.len; sk->data = msg->symmkey.data; diff --git a/src/lib/tests/crypt_test.c b/src/lib/tests/crypt_test.c index 7489d5b3..e7a09e8f 100644 --- a/src/lib/tests/crypt_test.c +++ b/src/lib/tests/crypt_test.c @@ -35,7 +35,7 @@ static int test_crypt_create_destroy(void) TEST_START(); - ctx = crypt_create_ctx(0, NULL); + ctx = crypt_create_ctx(NULL); if (ctx == NULL) { printf("Failed to initialize cryptography.\n"); goto fail; @@ -60,7 +60,7 @@ static int test_crypt_create_destroy_with_key(void) memset(key, 0, sizeof(key)); - ctx = crypt_create_ctx(1, key); + ctx = crypt_create_ctx(key); if (ctx == NULL) { printf("Failed to initialize cryptography.\n"); goto fail; @@ -181,7 +181,7 @@ int test_crypt_encrypt_decrypt(void) goto fail_init; } - ctx = crypt_create_ctx(1, key); + ctx = crypt_create_ctx(key); if (ctx == NULL) { printf("Failed to initialize cryptography.\n"); goto fail_init; diff --git a/src/tools/irm/irm_name_create.c b/src/tools/irm/irm_name_create.c index f363ac3e..22341d2e 100644 --- a/src/tools/irm/irm_name_create.c +++ b/src/tools/irm/irm_name_create.c @@ -51,8 +51,10 @@ #define RR "round-robin" #define SPILL "spillover" +#define SENC "<security_dir>/server/<name>/enc.cfg" #define SCRT "<security_dir>/server/<name>/crt.pem" #define SKEY "<security_dir>/server/<name>/key.pem" +#define CENC "<security_dir>/client/<name>/enc.cfg" #define CCRT "<security_dir>/client/<name>/crt.pem" #define CKEY "<security_dir>/client/<name>/key.pem" @@ -61,8 +63,10 @@ static void usage(void) printf("Usage: irm name create\n" " <name>. max %d chars.\n" " [lb LB_POLICY], default: %s\n" + " [sencpath <path>, default: " SENC "]\n" " [scrtpath <path>, default: " SCRT "]\n" " [skeypath <path>, default: " SKEY "]\n" + " [cencpath <path>, default: " CENC "]\n" " [ccrtpath <path>, default: " CCRT "]\n" " [ckeypath <path>, default: " CKEY "]\n" "\n" @@ -101,8 +105,10 @@ int do_create_name(int argc, { struct name_info info = {}; char * name = NULL; + char * sencpath = NULL; char * scrtpath = NULL; char * skeypath = NULL; + char * cencpath = NULL; char * ccrtpath = NULL; char * ckeypath = NULL; char * lb_pol = RR; @@ -113,10 +119,14 @@ int do_create_name(int argc, while (argc > 0) { if (matches(*argv, "lb") == 0) { lb_pol = *(argv + 1); + } else if (matches(*argv, "sencpath") == 0) { + sencpath = *(argv + 1); } else if (matches(*argv, "scrtpath") == 0) { scrtpath = *(argv + 1); } else if (matches(*argv, "skeypath") == 0) { skeypath = *(argv + 1); + } else if (matches(*argv, "cencpath") == 0) { + cencpath = *(argv + 1); } else if (matches(*argv, "ccrtpath") == 0) { ccrtpath = *(argv + 1); } else if (matches(*argv, "ckeypath") == 0) { @@ -141,12 +151,18 @@ int do_create_name(int argc, strcpy(info.name, name); + if (sencpath != NULL && cp_chk_path(info.s.enc, sencpath) < 0) + goto fail; + if (scrtpath != NULL && cp_chk_path(info.s.crt, scrtpath) < 0) goto fail; if (skeypath != NULL && cp_chk_path(info.s.key, skeypath) < 0) goto fail; + if (cencpath != NULL && cp_chk_path(info.c.enc, cencpath) < 0) + goto fail; + if (ccrtpath != NULL && cp_chk_path(info.c.crt, ccrtpath) < 0) goto fail; diff --git a/src/tools/oping/oping.c b/src/tools/oping/oping.c index ed3529e5..87c1ee18 100644 --- a/src/tools/oping/oping.c +++ b/src/tools/oping/oping.c @@ -77,7 +77,7 @@ " -d, --duration Duration of the test (default 1s)\n" \ " -i, --interval Interval (default 1000ms)\n" \ " -n, --server-name Name of the oping server\n" \ -" -q, --qos QoS (raw, raw_crypt, best, video, voice, data)\n" \ +" -q, --qos QoS (raw, best, video, voice, data)\n" \ " -s, --size Payload size (B, default 64)\n" \ " -Q, --quiet Only print final statistics\n" \ " -D, --timeofday Print time of day before each line\n" \ @@ -244,8 +244,6 @@ int main(int argc, client.qs = qos_voice; else if (strcmp(qos, "data") == 0) client.qs = qos_data; - else if (strcmp(qos, "raw_crypt") == 0) - client.qs = qos_raw_crypt; else printf("Unknown QoS cube, defaulting to raw.\n"); } diff --git a/src/tools/oping/oping_server.c b/src/tools/oping/oping_server.c index 3adce244..c1d5e6e5 100644 --- a/src/tools/oping/oping_server.c +++ b/src/tools/oping/oping_server.c @@ -140,8 +140,8 @@ void * accept_thread(void * o) while (true) { fd = flow_accept(&qs, NULL); if (fd < 0) { - printf("Failed to accept flow.\n"); - break; + printf("Failed to accept flow: %d \n", fd); + continue; } printf("New flow %d.\n", fd); diff --git a/src/tools/ovpn/ovpn.c b/src/tools/ovpn/ovpn.c index 5333ff40..b25e3ea2 100644 --- a/src/tools/ovpn/ovpn.c +++ b/src/tools/ovpn/ovpn.c @@ -68,7 +68,6 @@ static void usage(void) "server to connect to\n" " -i, --ip IP address to give to TUN device\n" " -m, --mask Subnet mask to give to TUN device\n" - " -C, --crypt AES encryption (default: off)\n" "\n" " --help Display this help text and exit\n"); } @@ -194,7 +193,6 @@ int main(int argc, {{"ip", required_argument, NULL, 'i'}, {"mask", required_argument, NULL, 'm'}, {"name", required_argument, NULL, 'n'}, - {"crypt", no_argument, NULL, 'C'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0} }; @@ -231,9 +229,6 @@ int main(int argc, case 'n': name = optarg; break; - case 'C': - qs = qos_raw_crypt; - break; case 'h': usage(); exit(EXIT_SUCCESS); |