diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/ipcpd/eth/eth.c | 9 | ||||
| -rw-r--r-- | src/ipcpd/ipcp.c | 16 | ||||
| -rw-r--r-- | src/ipcpd/udp/udp.c | 22 | ||||
| -rw-r--r-- | src/ipcpd/unicast/fa.c | 25 | ||||
| -rw-r--r-- | src/irmd/configfile.c | 9 | ||||
| -rw-r--r-- | src/irmd/ipcp.c | 2 | ||||
| -rw-r--r-- | src/irmd/main.c | 117 | ||||
| -rw-r--r-- | src/irmd/reg/flow.h | 1 | ||||
| -rw-r--r-- | src/irmd/reg/reg.c | 9 | ||||
| -rw-r--r-- | src/irmd/reg/reg.h | 3 | ||||
| -rw-r--r-- | src/irmd/reg/tests/reg_test.c | 7 | ||||
| -rw-r--r-- | src/lib/crypt.c | 19 | ||||
| -rw-r--r-- | src/lib/dev.c | 15 | ||||
| -rw-r--r-- | src/lib/pb/model.proto | 3 | ||||
| -rw-r--r-- | src/lib/protobuf.c | 2 | ||||
| -rw-r--r-- | src/lib/serdes-irm.c | 7 | ||||
| -rw-r--r-- | src/lib/tests/crypt_test.c | 6 | ||||
| -rw-r--r-- | src/tools/irm/irm_name_create.c | 16 | ||||
| -rw-r--r-- | src/tools/oping/oping.c | 4 | ||||
| -rw-r--r-- | src/tools/oping/oping_server.c | 4 | ||||
| -rw-r--r-- | src/tools/ovpn/ovpn.c | 5 |
21 files changed, 166 insertions, 135 deletions
diff --git a/src/ipcpd/eth/eth.c b/src/ipcpd/eth/eth.c index d39b478c..0b6a91fb 100644 --- a/src/ipcpd/eth/eth.c +++ b/src/ipcpd/eth/eth.c @@ -163,13 +163,12 @@ struct mgmt_msg { uint32_t max_gap; uint32_t delay; uint32_t timeout; - uint16_t cypher_s; + int32_t response; uint8_t in_order; #if defined (BUILD_ETH_DIX) uint8_t code; uint8_t availability; #endif - int8_t response; } __attribute__((packed)); struct eth_frame { @@ -490,7 +489,6 @@ static int eth_ipcp_alloc(const uint8_t * dst_addr, msg->ber = hton32(qs.ber); msg->in_order = qs.in_order; msg->max_gap = hton32(qs.max_gap); - msg->cypher_s = hton16(qs.cypher_s); msg->timeout = hton32(qs.timeout); memcpy(msg + 1, hash, ipcp_dir_hash_len()); @@ -538,7 +536,7 @@ static int eth_ipcp_alloc_resp(uint8_t * dst_addr, msg->ssap = ssap; msg->dsap = dsap; #endif - msg->response = response; + msg->response = hton32(response); if (data->len > 0) memcpy(msg + 1, data->data, data->len); @@ -728,7 +726,6 @@ static int eth_ipcp_mgmt_frame(const uint8_t * buf, qs.ber = ntoh32(msg->ber); qs.in_order = msg->in_order; qs.max_gap = ntoh32(msg->max_gap); - qs.cypher_s = ntoh16(msg->cypher_s); qs.timeout = ntoh32(msg->timeout); data.data = (uint8_t *) buf + msg_len; @@ -761,7 +758,7 @@ static int eth_ipcp_mgmt_frame(const uint8_t * buf, msg->ssap, msg->dsap, #endif - msg->response, + ntoh32(msg->response), &data); break; case NAME_QUERY_REQ: diff --git a/src/ipcpd/ipcp.c b/src/ipcpd/ipcp.c index 62995727..774bfda4 100644 --- a/src/ipcpd/ipcp.c +++ b/src/ipcpd/ipcp.c @@ -398,8 +398,8 @@ int ipcp_wait_flow_req_arr(const uint8_t * dst, int ipcp_wait_flow_resp(const int fd) { - struct timespec ts = TIMESPEC_INIT_MS(ALLOC_TIMEOUT); - struct timespec abstime; + struct timespec ts = TIMESPEC_INIT_MS(ALLOC_TIMEOUT); + struct timespec abstime; clock_gettime(PTHREAD_COND_CLOCK, &abstime); @@ -722,13 +722,11 @@ static void do_flow_alloc_resp(int resp, return; } - if (resp == 0) { - fd = np1_flow_resp(flow_id); - if (fd < 0) { - log_warn("Flow_id %d is not known.", flow_id); - ret_msg->result = -1; - return; - } + fd = np1_flow_resp(flow_id, resp); + if (fd < 0) { + log_warn("Flow_id %d is not known.", flow_id); + ret_msg->result = -1; + return; } ret_msg->result = ipcpd.ops->ipcp_flow_alloc_resp(fd, resp, data); diff --git a/src/ipcpd/udp/udp.c b/src/ipcpd/udp/udp.c index d6d38362..be8069a4 100644 --- a/src/ipcpd/udp/udp.c +++ b/src/ipcpd/udp/udp.c @@ -76,19 +76,17 @@ struct mgmt_msg { uint32_t eid; uint32_t s_eid; uint32_t d_eid; - uint8_t code; - int8_t response; - /* QoS parameters from spec */ - uint8_t availability; - uint8_t in_order; + int32_t response; uint64_t bandwidth; uint32_t delay; uint32_t loss; uint32_t ber; uint32_t max_gap; uint32_t timeout; - uint16_t cypher_s; - + uint8_t code; + /* QoS parameters from spec */ + uint8_t availability; + uint8_t in_order; } __attribute__((packed)); struct mgmt_frame { @@ -221,7 +219,6 @@ static int udp_ipcp_port_alloc(const struct __SOCKADDR * r_saddr, msg->ber = hton32(qs.ber); msg->in_order = qs.in_order; msg->max_gap = hton32(qs.max_gap); - msg->cypher_s = hton16(qs.cypher_s); msg->timeout = hton32(qs.timeout); memcpy(msg + 1, dst, ipcp_dir_hash_len()); @@ -245,7 +242,7 @@ static int udp_ipcp_port_alloc(const struct __SOCKADDR * r_saddr, static int udp_ipcp_port_alloc_resp(const struct __SOCKADDR * r_saddr, uint32_t s_eid, uint32_t d_eid, - int8_t response, + int32_t response, const buffer_t * data) { struct mgmt_msg * msg; @@ -258,7 +255,7 @@ static int udp_ipcp_port_alloc_resp(const struct __SOCKADDR * r_saddr, msg->code = FLOW_REPLY; msg->s_eid = hton32(s_eid); msg->d_eid = hton32(d_eid); - msg->response = response; + msg->response = hton32(response); if (data->len > 0) memcpy(msg + 1, data->data, data->len); @@ -305,7 +302,7 @@ static int udp_ipcp_port_req(struct __SOCKADDR * c_saddr, static int udp_ipcp_port_alloc_reply(const struct __SOCKADDR * saddr, uint32_t s_eid, uint32_t d_eid, - int8_t response, + int32_t response, const buffer_t * data) { time_t mpl = IPCP_UDP_MPL; @@ -369,7 +366,6 @@ static int udp_ipcp_mgmt_frame(struct __SOCKADDR c_saddr, qs.ber = ntoh32(msg->ber); qs.in_order = msg->in_order; qs.max_gap = ntoh32(msg->max_gap); - qs.cypher_s = ntoh16(msg->cypher_s); qs.timeout = ntoh32(msg->timeout); return udp_ipcp_port_req(&c_saddr, ntoh32(msg->s_eid), @@ -384,7 +380,7 @@ static int udp_ipcp_mgmt_frame(struct __SOCKADDR c_saddr, return udp_ipcp_port_alloc_reply(&c_saddr, ntoh32(msg->s_eid), ntoh32(msg->d_eid), - msg->response, + ntoh32(msg->response), &data); default: log_err("Unknown message received %d.", msg->code); diff --git a/src/ipcpd/unicast/fa.c b/src/ipcpd/unicast/fa.c index 69a9bbe6..ac168bd9 100644 --- a/src/ipcpd/unicast/fa.c +++ b/src/ipcpd/unicast/fa.c @@ -70,17 +70,15 @@ struct fa_msg { uint64_t s_addr; uint64_t r_eid; uint64_t s_eid; - uint8_t code; - int8_t response; - uint16_t ece; - /* QoS parameters from spec, aligned */ - uint32_t delay; uint64_t bandwidth; + int32_t response; + uint32_t delay; uint32_t loss; uint32_t ber; uint32_t max_gap; uint32_t timeout; - uint16_t cypher_s; + uint16_t ece; + uint8_t code; uint8_t availability; uint8_t in_order; } __attribute__((packed)); @@ -499,7 +497,6 @@ static int fa_handle_flow_req(struct fa_msg * msg, qs.ber = ntoh32(msg->ber); qs.in_order = msg->in_order; qs.max_gap = ntoh32(msg->max_gap); - qs.cypher_s = ntoh16(msg->cypher_s); qs.timeout = ntoh32(msg->timeout); fd = ipcp_wait_flow_req_arr(dst, qs, IPCP_UNICAST_MPL, &data); @@ -528,6 +525,7 @@ static int fa_handle_flow_reply(struct fa_msg * msg, struct fa_flow * flow; buffer_t data; /* Piggbacked data on flow alloc request. */ time_t mpl = IPCP_UNICAST_MPL; + int response; assert(len >= sizeof(*msg)); @@ -547,15 +545,19 @@ static int fa_handle_flow_reply(struct fa_msg * msg, flow = &fa.flows[fd]; flow->r_eid = ntoh64(msg->s_eid); + response = ntoh32(msg->response); - if (msg->response < 0) + log_dbg("IPCP received msg response %d for flow on fd %d.", + response, fd); + + if (response < 0) fa_flow_fini(flow); else psched_add(fa.psched, fd); pthread_rwlock_unlock(&fa.flows_lock); - if (ipcp_flow_alloc_reply(fd, msg->response, mpl, &data) < 0) { + if (ipcp_flow_alloc_reply(fd, response, mpl, &data) < 0) { log_err("Failed to reply for flow allocation on fd %d.", fd); return -EIRMD; } @@ -776,7 +778,6 @@ int fa_alloc(int fd, msg->ber = hton32(qs.ber); msg->in_order = qs.in_order; msg->max_gap = hton32(qs.max_gap); - msg->cypher_s = hton16(qs.cypher_s); msg->timeout = hton32(qs.timeout); memcpy(msg + 1, dst, ipcp_dir_hash_len()); @@ -828,7 +829,7 @@ int fa_alloc_resp(int fd, memset(msg, 0, sizeof(*msg)); msg->code = FLOW_REPLY; - msg->response = response; + msg->response = hton32(response); if (data->len > 0) memcpy(msg + 1, data->data, data->len); @@ -845,7 +846,7 @@ int fa_alloc_resp(int fd, } if (response < 0) { - pthread_rwlock_rdlock(&fa.flows_lock); + pthread_rwlock_wrlock(&fa.flows_lock); fa_flow_fini(flow); pthread_rwlock_unlock(&fa.flows_lock); } else { diff --git a/src/irmd/configfile.c b/src/irmd/configfile.c index 2dfb41a8..ce9fc8fc 100644 --- a/src/irmd/configfile.c +++ b/src/irmd/configfile.c @@ -922,8 +922,10 @@ static int toml_name(toml_table_t * table, toml_array_t * progs; toml_array_t * args; toml_datum_t lb; + toml_datum_t senc; toml_datum_t scrt; toml_datum_t skey; + toml_datum_t cenc; toml_datum_t ccrt; toml_datum_t ckey; @@ -955,6 +957,9 @@ static int toml_name(toml_table_t * table, log_err("Invalid load-balancing policy for %s.", name); return -1; } + senc = toml_string_in(table, "server_enc_file"); + if (senc.ok && cp_chk_path(info.s.enc, senc.u.s) < 0) + return -1; scrt = toml_string_in(table, "server_crt_file"); if (scrt.ok && cp_chk_path(info.s.crt, scrt.u.s) < 0) @@ -964,6 +969,10 @@ static int toml_name(toml_table_t * table, if (skey.ok && cp_chk_path(info.s.key, skey.u.s) < 0) return -1; + cenc = toml_string_in(table, "client_enc_file"); + if (cenc.ok && cp_chk_path(info.c.enc, cenc.u.s) < 0) + return -1; + ccrt = toml_string_in(table, "client_crt_file"); if (ccrt.ok && cp_chk_path(info.c.crt, ccrt.u.s) < 0) return -1; diff --git a/src/irmd/ipcp.c b/src/irmd/ipcp.c index fdee6a75..6226aeda 100644 --- a/src/irmd/ipcp.c +++ b/src/irmd/ipcp.c @@ -497,7 +497,7 @@ int ipcp_flow_alloc_resp(const struct flow_info * flow, msg.pid = flow->n_pid; msg.has_response = true; msg.response = response; - msg.has_pk = true; + msg.has_pk = response == 0; msg.pk.data = data.data; msg.pk.len = data.len; diff --git a/src/irmd/main.c b/src/irmd/main.c index 05f9236f..834a7a8c 100644 --- a/src/irmd/main.c +++ b/src/irmd/main.c @@ -455,12 +455,18 @@ static void name_update_sec_paths(struct name_info * info) assert(info != NULL); + if (strlen(info->s.enc) == 0) + sprintf(info->s.enc, "%s/%s/enc.cfg", srv_dir, info->name); + if (strlen(info->s.crt) == 0) sprintf(info->s.crt, "%s/%s/crt.pem", srv_dir, info->name); if (strlen(info->s.key) == 0) sprintf(info->s.key, "%s/%s/key.pem", srv_dir, info->name); + if (strlen(info->c.enc) == 0) + sprintf(info->c.enc, "%s/%s/enc.cfg", cli_dir, info->name); + if (strlen(info->c.crt) == 0) sprintf(info->c.crt, "%s/%s/crt.pem", cli_dir, info->name); @@ -816,7 +822,8 @@ static bool file_exists(const char * path) static int load_credentials(const char * name, const struct name_sec_paths * paths, void ** pkp, - void ** crt) + void ** crt, + bool * crypt) { assert(paths != NULL); assert(pkp != NULL); @@ -825,6 +832,11 @@ static int load_credentials(const char * name, *pkp = NULL; *crt = NULL; + /* TODO: Allow configuration. For now, encrypt if path exists */ + *crypt = file_exists(paths->enc); + if (*crypt) + log_info("Encryption enabled for %s.", name); + if (!file_exists(paths->crt) || !file_exists(paths->key)) { log_info("No security info for %s.", name); return 0; @@ -853,7 +865,8 @@ static int load_credentials(const char * name, static int load_srv_credentials(const char * name, void ** pkp, - void ** crt) + void ** crt, + bool * crypt) { struct name_info info; @@ -866,12 +879,13 @@ static int load_srv_credentials(const char * name, return -ENAME; } - return load_credentials(name, &info.s, pkp, crt); + return load_credentials(name, &info.s, pkp, crt, crypt); } static int load_cli_credentials(const char * name, void ** pkp, - void ** crt) + void ** crt, + bool * crypt) { struct name_info info; @@ -884,7 +898,7 @@ static int load_cli_credentials(const char * name, return -ENAME; } - return load_credentials(name, &info.c, pkp, crt); + return load_credentials(name, &info.c, pkp, crt, crypt); } #define ID_IS_EQUAL(id1, id2) (memcmp(id1, id2, OAP_ID_SIZE) == 0) @@ -1029,14 +1043,15 @@ static int flow_accept(struct flow_info * flow, buffer_t * data, struct timespec * abstime) { - struct oap_hdr oap_hdr; /* incoming request */ - struct oap_hdr r_oap_hdr; /* outgoing response */ - uint8_t buf[MSGBUFSZ]; /* buffer for local ephkey */ - buffer_t lpk = BUF_INIT; /* local ephemeral pubkey */ - char name[NAME_SIZE + 1]; /* name for flow */ - void * pkp = NULL; /* signing private key */ - void * crt = NULL; /* signing certificate */ - int err; + struct oap_hdr oap_hdr; /* incoming request */ + struct oap_hdr r_oap_hdr; /* outgoing response */ + uint8_t buf[MSGBUFSZ]; /* buffer for local ephkey */ + buffer_t lpk = BUF_INIT; /* local ephemeral pubkey */ + char name[NAME_SIZE + 1]; /* name for flow */ + void * pkp = NULL; /* signing private key */ + void * crt = NULL; /* signing certificate */ + int err; + bool crypt; /* piggyback of user data not yet implemented */ assert(data != NULL && BUF_IS_EMPTY(data)); @@ -1082,12 +1097,18 @@ static int flow_accept(struct flow_info * flow, if (reg_get_name_for_flow_id(name, flow->id) < 0) { log_err("Failed to get name for flow %d.", flow->id); err = -EIPCP; - goto fail_oap_hdr; + goto fail_cred; } log_dbg("IPCP %d accepting flow %d for %s.", flow->n_pid, flow->id, name); + if (load_srv_credentials(name, &pkp, &crt, &crypt) < 0) { + log_err("Failed to load security keys for %s.", name); + err = -EAUTH; + goto fail_cred; + } + if (oap_hdr_decode(oap_hdr.hdr, &oap_hdr) < 0) { log_err("Failed to decode OAP header from %s.", name); err = -EIPCP; @@ -1101,10 +1122,16 @@ static int flow_accept(struct flow_info * flow, goto fail_oap_hdr; } - if (flow->qs.cypher_s != 0) { /* crypto requested */ - uint8_t * s; /* symmetric encryption key */ - ssize_t key_len; /* length of local pubkey */ - void * pkp = NULL; /* ephemeral private key pair */ + if (crypt && oap_hdr.eph.len == 0) { + log_warn("Encryption required but no key provided."); + err = -ECRYPT; + goto fail_oap_hdr; + } + + if (oap_hdr.eph.len > 0) { /* crypto requested */ + uint8_t * s; /* symmetric encryption key */ + ssize_t key_len; /* length of local pubkey */ + void * pkp = NULL; /* ephemeral private key pair */ s = malloc(SYMMKEYSZ); if (s == NULL) { @@ -1140,12 +1167,6 @@ static int flow_accept(struct flow_info * flow, crypt_dh_pkp_destroy(pkp); } - if (load_srv_credentials(name, &pkp, &crt) < 0) { - log_err("Failed to load security keys for %s.", name); - err = -EAUTH; - goto fail_cred; - } - if (oap_hdr_init(oap_hdr.id, pkp, crt, lpk, *data, &r_oap_hdr) < 0) { log_err("Failed to create OAP header."); err = -ENOMEM; @@ -1178,15 +1199,15 @@ static int flow_accept(struct flow_info * flow, return 0; fail_r_oap_hdr: - crypt_free_crt(crt); - crypt_free_key(pkp); - fail_cred: freebuf(*symmkey); fail_derive: clrbuf(lpk); fail_keys: oap_hdr_fini(&oap_hdr); fail_oap_hdr: + crypt_free_crt(crt); + crypt_free_key(pkp); + fail_cred: assert(lpk.data == NULL && lpk.len == 0); ipcp_flow_alloc_resp(flow, err, lpk); fail_wait: @@ -1354,11 +1375,14 @@ static int flow_alloc(struct flow_info * flow, uint8_t idbuf[OAP_ID_SIZE]; buffer_t id; int err; + bool crypt; /* piggyback of user data not yet implemented */ assert(data != NULL && BUF_IS_EMPTY(data)); assert(symmkey != NULL && BUF_IS_EMPTY(symmkey)); + log_info("Allocating flow for %d to %s.", flow->n_pid, dst); + if (random_buffer(idbuf, OAP_ID_SIZE) < 0) { log_err("Failed to generate ID."); err = -EIRMD; @@ -1368,7 +1392,13 @@ static int flow_alloc(struct flow_info * flow, id.data = idbuf; id.len = OAP_ID_SIZE; - if (flow->qs.cypher_s > 0) { + if (load_cli_credentials(dst, &cpkp, &ccrt, &crypt) < 0) { + log_err("Failed to load security keys for %s.", dst); + err = -EAUTH; + goto fail_cred; + } + + if (crypt > 0) { ssize_t key_len; s = malloc(SYMMKEYSZ); @@ -1391,12 +1421,6 @@ static int flow_alloc(struct flow_info * flow, log_dbg("Generated ephemeral keys for %d.", flow->n_pid); } - if (load_cli_credentials(dst, &cpkp, &ccrt) < 0) { - log_err("Failed to load security keys for %s.", dst); - err = -EAUTH; - goto fail_cred; - } - if (oap_hdr_init(id, cpkp, ccrt, lpk, *data, &oap_hdr) < 0) { log_err("Failed to create OAP header."); err = -ENOMEM; @@ -1405,9 +1429,6 @@ static int flow_alloc(struct flow_info * flow, #ifdef DEBUG_PROTO_OAP debug_oap_hdr_snd(&oap_hdr); #endif - - log_info("Allocating flow for %d to %s.", flow->n_pid, dst); - if (reg_create_flow(flow) < 0) { log_err("Failed to create flow."); err = -EBADF; @@ -1447,11 +1468,16 @@ static int flow_alloc(struct flow_info * flow, if (err == -1) { log_dbg("Flow allocation terminated."); - err = -EPIPE; + err = -EIPCP; goto fail_alloc; } - assert(err == 0); + log_dbg("Response received for flow %d to %s.", flow->id, dst); + + if (err < 0) { + log_warn("Flow allocation rejected for %s: %d.", dst, err); + goto fail_alloc; + } if (oap_hdr_decode(r_oap_hdr.hdr, &r_oap_hdr) < 0) { log_err("Failed to decode OAP header."); @@ -1463,6 +1489,7 @@ static int flow_alloc(struct flow_info * flow, #endif if (irm_check_oap_hdr(&r_oap_hdr, flow->mpl) < 0) { log_err("OAP header failed replay check."); + err = -EAUTH; goto fail_r_oap_hdr; } @@ -1472,7 +1499,7 @@ static int flow_alloc(struct flow_info * flow, goto fail_r_oap_hdr; } - if (flow->qs.cypher_s != 0) { /* crypto requested */ + if (lpk.len > 0) { /* crypto requested */ if (crypt_dh_derive(pkp, r_oap_hdr.eph, s) < 0) { log_err("Failed to derive secret for %d.", flow->id); err = -ECRYPT; @@ -1508,13 +1535,13 @@ static int flow_alloc(struct flow_info * flow, fail_flow: oap_hdr_fini(&oap_hdr); fail_oap_hdr: - crypt_free_crt(ccrt); - crypt_free_key(cpkp); - fail_cred: crypt_dh_pkp_destroy(pkp); fail_pkp: free(s); fail_malloc: + crypt_free_crt(ccrt); + crypt_free_key(cpkp); + fail_cred: clrbuf(id); fail_id: return err; @@ -1616,9 +1643,9 @@ static int flow_alloc_reply(struct flow_info * flow, int response, buffer_t * data) { - flow->state = response ? FLOW_DEALLOCATED : FLOW_ALLOCATED; + flow->state = response != 0 ? FLOW_DEALLOCATED : FLOW_ALLOCATED; - if (reg_respond_alloc(flow, data) < 0) { + if (reg_respond_alloc(flow, data, response) < 0) { log_err("Failed to reply to flow %d.", flow->id); flow->state = FLOW_DEALLOCATED; return -EBADF; diff --git a/src/irmd/reg/flow.h b/src/irmd/reg/flow.h index aba0d7a4..d1e4811c 100644 --- a/src/irmd/reg/flow.h +++ b/src/irmd/reg/flow.h @@ -38,6 +38,7 @@ struct reg_flow { struct list_head next; struct flow_info info; + int response; buffer_t data; struct timespec t0; diff --git a/src/irmd/reg/reg.c b/src/irmd/reg/reg.c index 91385260..a24a9d1d 100644 --- a/src/irmd/reg/reg.c +++ b/src/irmd/reg/reg.c @@ -1714,7 +1714,7 @@ int reg_wait_flow_allocated(struct flow_info * info, stop = true; break; case FLOW_DEALLOCATED: - ret = -1; + ret = flow->response; stop = true; break; default: @@ -1746,7 +1746,8 @@ int reg_wait_flow_allocated(struct flow_info * info, } int reg_respond_alloc(struct flow_info * info, - buffer_t * pbuf) + buffer_t * pbuf, + int response) { struct reg_flow * flow; @@ -1779,7 +1780,9 @@ int reg_respond_alloc(struct flow_info * info, if (reg_flow_update(flow, info) < 0) { log_err("Failed to create flow structs."); goto fail_flow; - }; + } + + flow->response = response; if (info->state == FLOW_ALLOCATED) reg_flow_set_data(flow, pbuf); diff --git a/src/irmd/reg/reg.h b/src/irmd/reg/reg.h index 57257dd5..7728c80f 100644 --- a/src/irmd/reg/reg.h +++ b/src/irmd/reg/reg.h @@ -126,7 +126,8 @@ int reg_wait_flow_allocated(struct flow_info * info, const struct timespec * abstime); int reg_respond_alloc(struct flow_info * info, - buffer_t * pbuf); + buffer_t * pbuf, + int response); int reg_prepare_flow_accept(struct flow_info * info); diff --git a/src/irmd/reg/tests/reg_test.c b/src/irmd/reg/tests/reg_test.c index d18f5733..4699beab 100644 --- a/src/irmd/reg/tests/reg_test.c +++ b/src/irmd/reg/tests/reg_test.c @@ -174,6 +174,9 @@ static void * test_flow_respond_alloc(void * o) { struct flow_info * info = (struct flow_info *) o; buffer_t pbuf = BUF_INIT; + int response; + + response = (info->state == FLOW_ALLOCATED) ? 0 : -1; if (info->state == FLOW_ALLOCATED) { pbuf.data = (uint8_t *) strdup(TEST_DATA2); @@ -184,7 +187,7 @@ static void * test_flow_respond_alloc(void * o) pbuf.len = strlen((char *) pbuf.data) + 1; } - reg_respond_alloc(info, &pbuf); + reg_respond_alloc(info, &pbuf, response); return (void *) 0; fail: @@ -224,7 +227,7 @@ static int test_reg_accept_flow_success(void) struct flow_info n_1_info = { .n_1_pid = TEST_N_1_PID, - .qs = qos_data_crypt, + .qs = qos_data, .state = FLOW_ALLOCATED /* RESPONSE SUCCESS */ }; diff --git a/src/lib/crypt.c b/src/lib/crypt.c index b39a4a73..8b18140e 100644 --- a/src/lib/crypt.c +++ b/src/lib/crypt.c @@ -32,7 +32,6 @@ #include <string.h> struct crypt_ctx { - uint16_t flags; void * ctx; uint8_t key[SYMMKEYSZ]; }; @@ -91,14 +90,13 @@ int crypt_encrypt(struct crypt_ctx * ctx, buffer_t in, buffer_t * out) { - if (ctx->flags == 0) { - clrbuf(*out); - return 0; - } + assert(ctx != NULL); + assert(ctx->ctx != NULL); #ifdef HAVE_OPENSSL return openssl_encrypt(ctx->ctx, ctx->key, in, out); #else + (void) ctx; (void) in; (void) out; @@ -110,14 +108,13 @@ int crypt_decrypt(struct crypt_ctx * ctx, buffer_t in, buffer_t * out) { - if (ctx->flags == 0) { - clrbuf(*out); - return 0; - } + assert(ctx != NULL); + assert(ctx->ctx != NULL); #ifdef HAVE_OPENSSL return openssl_decrypt(ctx->ctx, ctx->key, in, out); #else + (void) ctx; (void) in; (void) out; @@ -125,8 +122,7 @@ int crypt_decrypt(struct crypt_ctx * ctx, #endif } -struct crypt_ctx * crypt_create_ctx(uint16_t flags, - const uint8_t * key) +struct crypt_ctx * crypt_create_ctx(const uint8_t * key) { struct crypt_ctx * crypt; @@ -136,7 +132,6 @@ struct crypt_ctx * crypt_create_ctx(uint16_t flags, memset(crypt, 0, sizeof(*crypt)); - crypt->flags = flags; if (key != NULL) memcpy(crypt->key, key, SYMMKEYSZ); #ifdef HAVE_OPENSSL diff --git a/src/lib/dev.c b/src/lib/dev.c index 6c8fdbc1..c0cd11a3 100644 --- a/src/lib/dev.c +++ b/src/lib/dev.c @@ -544,8 +544,7 @@ static int flow_init(struct flow_info * info, if (sk!= NULL && sk->data != NULL) { assert(sk->len == SYMMKEYSZ); - /* TODO: remove cypher_s from QoS */ - flow->crypt = crypt_create_ctx(info->qs.cypher_s, sk->data); + flow->crypt = crypt_create_ctx(sk->data); if (flow->crypt == NULL) goto fail_crypt; } @@ -886,8 +885,10 @@ int flow_alloc(const char * dst, return -ENOMEM; err = send_recv_msg(&msg); - if (err < 0) + if (err < 0) { + printf("send_recv_msg error %d\n", err); return err; + } err = flow__irm_result_des(&msg, &flow, &sk); if (err < 0) @@ -917,9 +918,6 @@ int flow_join(const char * dst, if (qs != NULL) qs->ber = 1; #endif - if (qs != NULL && qs->cypher_s > 0) - return -ENOTSUP; /* TODO: Encrypted broadcast */ - memset(&flow, 0, sizeof(flow)); flow.n_pid = getpid(); @@ -1830,11 +1828,12 @@ int np1_flow_dealloc(int flow_id, return fd; } -int np1_flow_resp(int flow_id) +int np1_flow_resp(int flow_id, + int resp) { int fd; - if (flow_wait_assign(flow_id) != FLOW_ALLOCATED) + if (resp == 0 && flow_wait_assign(flow_id) != FLOW_ALLOCATED) return -1; pthread_rwlock_rdlock(&ai.lock); diff --git a/src/lib/pb/model.proto b/src/lib/pb/model.proto index 56337b5b..7b06e434 100644 --- a/src/lib/pb/model.proto +++ b/src/lib/pb/model.proto @@ -30,8 +30,7 @@ message qosspec_msg { required uint32 ber = 5; /* Bit error rate, ppb. */ required uint32 in_order = 6; /* In-order delivery. */ required uint32 max_gap = 7; /* In ms. */ - required uint32 cypher_s = 8; /* Crypto strength in bits. */ - required uint32 timeout = 9; /* Timeout in ms. */ + required uint32 timeout = 8; /* Timeout in ms. */ } message flow_info_msg { diff --git a/src/lib/protobuf.c b/src/lib/protobuf.c index b5ec8778..6df4e810 100644 --- a/src/lib/protobuf.c +++ b/src/lib/protobuf.c @@ -751,7 +751,6 @@ qosspec_msg_t * qos_spec_s_to_msg(const struct qos_spec * s) msg->ber = s->ber; msg->in_order = s->in_order; msg->max_gap = s->max_gap; - msg->cypher_s = s->cypher_s; msg->timeout = s->timeout; return msg; @@ -770,7 +769,6 @@ struct qos_spec qos_spec_msg_to_s(const qosspec_msg_t * msg) s.ber = msg->ber; s.in_order = msg->in_order; s.max_gap = msg->max_gap; - s.cypher_s = msg->cypher_s; s.timeout = msg->timeout; return s; diff --git a/src/lib/serdes-irm.c b/src/lib/serdes-irm.c index c4ba3053..3aea0617 100644 --- a/src/lib/serdes-irm.c +++ b/src/lib/serdes-irm.c @@ -166,12 +166,7 @@ int flow__irm_result_des(buffer_t * buf, *flow = flow_info_msg_to_s(msg->flow_info); - if (flow->qs.cypher_s > 0 && sk != NULL) { - if (msg->symmkey.data == NULL || msg->symmkey.len == 0) { - err = -ECRYPT; - goto fail; - } - + if (sk != NULL) { sk->len = msg->symmkey.len; sk->data = msg->symmkey.data; diff --git a/src/lib/tests/crypt_test.c b/src/lib/tests/crypt_test.c index 7489d5b3..e7a09e8f 100644 --- a/src/lib/tests/crypt_test.c +++ b/src/lib/tests/crypt_test.c @@ -35,7 +35,7 @@ static int test_crypt_create_destroy(void) TEST_START(); - ctx = crypt_create_ctx(0, NULL); + ctx = crypt_create_ctx(NULL); if (ctx == NULL) { printf("Failed to initialize cryptography.\n"); goto fail; @@ -60,7 +60,7 @@ static int test_crypt_create_destroy_with_key(void) memset(key, 0, sizeof(key)); - ctx = crypt_create_ctx(1, key); + ctx = crypt_create_ctx(key); if (ctx == NULL) { printf("Failed to initialize cryptography.\n"); goto fail; @@ -181,7 +181,7 @@ int test_crypt_encrypt_decrypt(void) goto fail_init; } - ctx = crypt_create_ctx(1, key); + ctx = crypt_create_ctx(key); if (ctx == NULL) { printf("Failed to initialize cryptography.\n"); goto fail_init; diff --git a/src/tools/irm/irm_name_create.c b/src/tools/irm/irm_name_create.c index f363ac3e..22341d2e 100644 --- a/src/tools/irm/irm_name_create.c +++ b/src/tools/irm/irm_name_create.c @@ -51,8 +51,10 @@ #define RR "round-robin" #define SPILL "spillover" +#define SENC "<security_dir>/server/<name>/enc.cfg" #define SCRT "<security_dir>/server/<name>/crt.pem" #define SKEY "<security_dir>/server/<name>/key.pem" +#define CENC "<security_dir>/client/<name>/enc.cfg" #define CCRT "<security_dir>/client/<name>/crt.pem" #define CKEY "<security_dir>/client/<name>/key.pem" @@ -61,8 +63,10 @@ static void usage(void) printf("Usage: irm name create\n" " <name>. max %d chars.\n" " [lb LB_POLICY], default: %s\n" + " [sencpath <path>, default: " SENC "]\n" " [scrtpath <path>, default: " SCRT "]\n" " [skeypath <path>, default: " SKEY "]\n" + " [cencpath <path>, default: " CENC "]\n" " [ccrtpath <path>, default: " CCRT "]\n" " [ckeypath <path>, default: " CKEY "]\n" "\n" @@ -101,8 +105,10 @@ int do_create_name(int argc, { struct name_info info = {}; char * name = NULL; + char * sencpath = NULL; char * scrtpath = NULL; char * skeypath = NULL; + char * cencpath = NULL; char * ccrtpath = NULL; char * ckeypath = NULL; char * lb_pol = RR; @@ -113,10 +119,14 @@ int do_create_name(int argc, while (argc > 0) { if (matches(*argv, "lb") == 0) { lb_pol = *(argv + 1); + } else if (matches(*argv, "sencpath") == 0) { + sencpath = *(argv + 1); } else if (matches(*argv, "scrtpath") == 0) { scrtpath = *(argv + 1); } else if (matches(*argv, "skeypath") == 0) { skeypath = *(argv + 1); + } else if (matches(*argv, "cencpath") == 0) { + cencpath = *(argv + 1); } else if (matches(*argv, "ccrtpath") == 0) { ccrtpath = *(argv + 1); } else if (matches(*argv, "ckeypath") == 0) { @@ -141,12 +151,18 @@ int do_create_name(int argc, strcpy(info.name, name); + if (sencpath != NULL && cp_chk_path(info.s.enc, sencpath) < 0) + goto fail; + if (scrtpath != NULL && cp_chk_path(info.s.crt, scrtpath) < 0) goto fail; if (skeypath != NULL && cp_chk_path(info.s.key, skeypath) < 0) goto fail; + if (cencpath != NULL && cp_chk_path(info.c.enc, cencpath) < 0) + goto fail; + if (ccrtpath != NULL && cp_chk_path(info.c.crt, ccrtpath) < 0) goto fail; diff --git a/src/tools/oping/oping.c b/src/tools/oping/oping.c index ed3529e5..87c1ee18 100644 --- a/src/tools/oping/oping.c +++ b/src/tools/oping/oping.c @@ -77,7 +77,7 @@ " -d, --duration Duration of the test (default 1s)\n" \ " -i, --interval Interval (default 1000ms)\n" \ " -n, --server-name Name of the oping server\n" \ -" -q, --qos QoS (raw, raw_crypt, best, video, voice, data)\n" \ +" -q, --qos QoS (raw, best, video, voice, data)\n" \ " -s, --size Payload size (B, default 64)\n" \ " -Q, --quiet Only print final statistics\n" \ " -D, --timeofday Print time of day before each line\n" \ @@ -244,8 +244,6 @@ int main(int argc, client.qs = qos_voice; else if (strcmp(qos, "data") == 0) client.qs = qos_data; - else if (strcmp(qos, "raw_crypt") == 0) - client.qs = qos_raw_crypt; else printf("Unknown QoS cube, defaulting to raw.\n"); } diff --git a/src/tools/oping/oping_server.c b/src/tools/oping/oping_server.c index 3adce244..c1d5e6e5 100644 --- a/src/tools/oping/oping_server.c +++ b/src/tools/oping/oping_server.c @@ -140,8 +140,8 @@ void * accept_thread(void * o) while (true) { fd = flow_accept(&qs, NULL); if (fd < 0) { - printf("Failed to accept flow.\n"); - break; + printf("Failed to accept flow: %d \n", fd); + continue; } printf("New flow %d.\n", fd); diff --git a/src/tools/ovpn/ovpn.c b/src/tools/ovpn/ovpn.c index 5333ff40..b25e3ea2 100644 --- a/src/tools/ovpn/ovpn.c +++ b/src/tools/ovpn/ovpn.c @@ -68,7 +68,6 @@ static void usage(void) "server to connect to\n" " -i, --ip IP address to give to TUN device\n" " -m, --mask Subnet mask to give to TUN device\n" - " -C, --crypt AES encryption (default: off)\n" "\n" " --help Display this help text and exit\n"); } @@ -194,7 +193,6 @@ int main(int argc, {{"ip", required_argument, NULL, 'i'}, {"mask", required_argument, NULL, 'm'}, {"name", required_argument, NULL, 'n'}, - {"crypt", no_argument, NULL, 'C'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0} }; @@ -231,9 +229,6 @@ int main(int argc, case 'n': name = optarg; break; - case 'C': - qs = qos_raw_crypt; - break; case 'h': usage(); exit(EXIT_SUCCESS); |