| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
The build will now detect presence of ctags, and allows generating a
tags file with 'make tags' for convenience.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Adds an IPCP_ETH_FLOW_STATS cmake option (gated on HAVE_FUSE; default
off) exposing per-flow and aggregate frame counters at
/<ipcp>/eth/{summary,<fd>}.
Counters use RELAXED atomics; the macros expand to ((void) 0) when the
option is off. Per-flow and global counters live in nested stat
structs.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The test was not correctly taking the correct size class. Moved the
select_size_class to the common header so tests can use it.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The tools will now use the following convention:
0 — success
1 — runtime/I/O failure or packet loss
2 — setup failure
oping now uses a SIGALRM to exit on duration tests.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ssm_rbuff_close used to unmap the SHM page immediately, leaving any
in-flight peer-process thread that was inside pthread_mutex_lock or
pthread_cond_wait on the SHM-resident sync primitives reading freed
memory. Adds an n_users counter, bumped on entry and dropped on exit
of every function that touches the mutex / cond vars (write, write_b,
read, read_b, fini), and have ssm_rbuff_close poll-spin until the
counter drains before tearing down.
ssm_rbuff_read now re-checks IS_EMPTY after taking the mutex, plugging
a TOCTOU where two readers could both pass a lock-free fast path and
the loser would read a stale TAIL.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The RIB lock only needs to protect operations on the components
list. This avoids holding the lock on longer RIB reads.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
Asserting frame lengths coming from the wire was a severe flaw. Fixed
by gracefully dropping runt frames.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
The shared memory pool is now offset based instead of block
index-based like the old shm_rdrbuff allocator. This renames the API
more consistently. Also changes variables names to off instead of idx
for consistency.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The pool_copy_spb function was consuming the packet buffer on error,
causing double free errors.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
Fixes detection of PMULL on aarch64 without crypto extensions. Adds a
crc64_nvme_step helper function in CRC64 to avoid code
duplication and cleans up the comments.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
| |
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
The internal flow allocator header had no checksum protection. While
it is protected by the Ethernet FCS, lacking a header checksum fails
netem corruption tests. It adds protection against in-memory bitflips.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
| |
These checksum will be handy for header checksums.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add CRC-64/NVMe implementation with compile-time hardware backend
selection:
x86 PCLMUL+SSE4.1 fold-by-16 (HAVE_PCLMUL)
aarch64 PMULL fold-by-16 when (HAVE_PMULL)
and a byte-table fallback.
It's added as HASH_CRC64 to enum hash_algo (in the internal-use-only
section after HASH_MD5). Both mem_hash() and hash_len() early-return
for HASH_CRC64 because libgcrypt has no CRC-64/NVMe.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add cmake/utils/CPUUtils.cmake providing detect_cpu_feature() plus
detect_pclmul() and detect_pmull() that compile-test for x86
PCLMULQDQ+SSE4.1 and aarch64 FEAT_PMULL respectively.
This will be useful for hardware accelerated CRC64/NVMe integrity
checks.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The oap.c source code was split into separate modules in the oap/
folder but some of it was never correctly removed.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
| |
i2d_X509() allocated buf->data via OPENSSL_malloc(), but callers free
it with freebuf() which uses free(). Fix by allocating with malloc()
and encoding directly into the buffer. Also replaces MSGBUFSZ with
CRYPT_KEY_BUFSZ (4096) for key material buffers and removes leftover
debug logging.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
Now uses calloc to zero the previously uninitialized security path
fields. Also fixes a check in protobuf.c
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The reg_test still had false-positive failures on slow machines /
woodpecker.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The order of the 'comp' and 'dst' char * parameters were reversed in
the header compared to the implementation.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
When the server rejects the flow, the local didn't send the flow_alloc
response back to the IRMd, causing the irmd and client to time out
instead of being notified of the failed allocation immediately.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When auth_verify_crt fails (e.g., missing root CA),
crypt_get_pubkey_crt has already allocated pk but only crt was freed.
Adds a crypt_cleanup() function to wrap OpenSSL_cleanup(), as OpenSSL
lazily initializes a global decoder/provider registry the first time
PEM_read_bio or OSSL_DECODER_CTX_new_for_pkey is called, and this
leaves some memory owned by OpenSSL that triggers the leak sanitizer.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
This adds authentication tests to verify flows are rejected with a
missing root CA certificate in the store. Also adds one for the OAP
protocol.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The Global Shared Packet Pool (GSPP) was not correctly chowned to the
ouroboros group.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
With DISABLE_TESTS_CORE_DUMPS, setrlimit(RLIMIT_CORE, 0) only prevents
core dump files from being written, but when systemd-coredump is
configured as a piped handler (via core_pattern), the kernel still
invokes it regardless of RLIMIT_CORE, so entries appear in
coredumpctl. Adding prctl(PR_SET_DUMPABLE, 0) marks the process as
non-dumpable, which prevents the kernel from invoking the core dump
handler entirely — including piped ones.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
| |
A merge conflict was left unresolved, resulting in compilation errors.
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
Call freebuf(pbuf) before returning from each test thread
function. Since clrbuf zeroes pbuf.data to NULL on the success path,
free(NULL) is safe. On the failure path of reg_respond_*, it now
properly frees the still-allocated data.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes ECMP routing table to skip unreachable vertices with empty
forwarding lists, avoiding uninitialized nhop access. Replace inner
vertex list walk with bounded index loop instead of using a
list_for_each to track indices (which confuses the static analyzer as
it seems it can't prove the index remains valid). Remove spurious
free(*dist) on ECMP success path (caller frees).
Extract edge cleanup into free_edges helper in del_vertex to avoid a
static analyzer false positive.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
Remove double-free in ssm_pool_destroy — ssm_pool_close already frees
the pool. The pool sharding test had a free spbs/ptrs on partial
malloc failure. Now initializes children array to -1 to prevent
reading uninitialized values.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
| |
The static analyzer complained about the struct in6_addr malloc being
converted to uint8_t *. Fixed by casting IN6_LEN to a size_t numeric
value instead of the direct sizeof.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
| |
Use the key in the store operation in the DHT, to avoid static
analyzer seeing it as being set without being used in release builds.
The length of the packet buffer is only used when tracking DT stats,
so should be set within the IPCP_FLOW_STATS guard.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows bypassing the IPCP for local processes that share the same
packet pool, lowering latency between processes to comparable levels
as Unix sockets (RTT in the order of a microsecond).
For local processes, no IPCPs are needed:
$ irm b prog oping n oping
$ oping -l
Ouroboros ping server started.
New flow 64.
Received 64 bytes on fd 64.
The direct IPC can be disabled with the DISABLE_DIRECT_IPC build
flag. Note that this is needed for rumba 'local' experiments to
emulate network topologies. Without this flag all processes will just
communicate directly.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Split 01-build.yaml into 10-build.yaml and 20-sanitizer.yaml.
Each pipeline uses a minimal IMAGE x COMPILER matrix (4 containers)
and loops over build configurations inside a single container,
reducing total containers to 8.
Both pipelines depend on 00-check-version and run in parallel.
Adds missing CI coverage for IPCP_FLOW_STATS, DISABLE_CONFIGFILE,
DISABLE_DDNS, RXM_BUFFER_ON_HEAP and RXM_BLOCKING.
The testing branch is dropped since we deprecated it.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
This adds a check that the VERSION file is the correct format so we
detect accidental editing or overwrites.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The build will now parse tags so the git tag is now the single source
of truth for a version. We do not need to manually maintain the
version header.
The VERSION file uses git's export-subst feature. When git archive
creates a snapshot (e.g. cgit), git substitutes the $Format:...$
placeholder with the output of git describe, embedding the version
string directly in the archive. This requires the export-subst
attribute to be set for the VERSION file in the repository's
.gitattributes.
The version is resolved in the following order:
- git describe (inside a git repository with tags)
- the VERSION file (archives/snapshots)
- 0.0.0 (fallback)
The build system will warn when it can't set a correct version, such
as in a git repo without tags, or an archive without VERSION.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a make version target, that will print the version from the
build directory without having to compile and run irmd --version.
[100%] Updating git hash in version.h
[100%] Built target version_header
Ouroboros 0.22.0-37-ga3a5da14-dirty
[100%] Built target version
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Embed git commit hash into version.h and irmd --version output using
git describe. Regenerated at build time to stay current across
commits.
Ouroboros version MAJOR.MINOR.PATCH (TAG-COMMITS-GHASH-dirty)
Example for dirty work tree (uncommitted changes):
$ irmd --version
Ouroboros version 0.22.0 (0.22.0-36-g86dba544-dirty)
Example after commit:
$ sudo irmd --version
Ouroboros version 0.22.0-37-g55fa9445
Officical release (on tag):
Ouroboros version 0.22.0
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
A recent bulk rename of sdb -> spb (shm du buff to shm pkt buff)
unintentionally renamed the lsdb.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The DHT uses a struct {struct list_head, size_t len} pattern, which is
also useful in the registry and other places. Having a struct llist
(defined in list.h) with consistent macros for addition/deletion etc
removes a lot of duplication and boilerplate and reduces the risk of
inconsistent updates.
The list management is now a macro-only implementation.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The FUSE_PREFIX was set in global.cmake, but before HAVE_FUSE was
defined. The FUSE_PREFIX should be set in fuse.cmake.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
| |
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This replaces the single HAVE_OPENSSL_PQC/DISABLE_PQC with
per-algorithm CMake variables (ML-KEM, ML-DSA, SLH-DSA), gated by the
OpenSSL versions: ML-KEM and ML-DSA require >= 3.4, SLH-DSA >= 3.5.
SLH-DSA was already working, but now added explicit authentication
tests for it with a full certificate chain (root CA, intermediate CA,
server) to show full support.
Rename PQC test files and cert headers to use algorithm-specific names
(ml_kem, ml_dsa, slh_dsa) and move cert headers to
include/test/certs/.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
The IRMd will now report a PQC algorithm in the enc.conf file if it is
not supported, instead of failing on KEM key generation.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When the server had no cipher configured, sk->nid was set to NID_undef
before negotiation and never updated, causing the response header to
encode NID_undef as the cipher — even though negotiate_kex() correctly
populated kcfg.c.nid from the client's request.
Adds a test for the KEM case where the client request encryption with
nothing specified server-side.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
| |
This cleans up a few debug logs related to encryption to not show KEM
info for non-KEM algorithms. Also removes refcount logs for the PUP.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Each side's configured cipher, KDF, and KEX algorithm now
represents a minimum security floor ("at least this strong").
Cipher and KDF use strongest-wins: the server compares ranks
and selects the stronger of client vs server config. The
negotiated values are sent in the response header. The client
verifies the server's response meets its own minimum, which
prevents downgrade attacks on the wire.
KEX uses a minimum-floor check: the server extracts the
client's algorithm from its public key and rejects if it
ranks below the server's configured algorithm. A server
configured with ML-KEM will reject all classical algorithms.
Special case: for client-encap KEM, the client has already
derived its key using its KDF, so the server must use the
same KDF and can only reject if it is too weak.
The supported_nids arrays are ordered weakest to strongest
and serve as the single source of truth for ranking.
Cipher ranking (weakest to strongest):
aes-128-ctr, aes-192-ctr, aes-256-ctr,
aes-128-gcm, aes-192-gcm, aes-256-gcm,
chacha20-poly1305
KDF ranking (weakest to strongest):
blake2s256, sha256, sha3-256, sha384,
sha3-384, blake2b512, sha512, sha3-512
KEX ranking (weakest to strongest):
ffdhe2048, prime256v1, X25519, ffdhe3072,
secp384r1, ffdhe4096, X448, secp521r1,
ML-KEM-512, ML-KEM-768, ML-KEM-1024,
X25519MLKEM768, X448MLKEM1024
Negotiation outcomes:
strong srv cipher + weak cli cipher -> use strongest
weak srv cipher + strong cli cipher -> use strongest
srv encryption + cli none -> server rejects
srv none + cli encryption -> use client's
strong srv KEX + weak cli KEX -> server rejects
weak srv KEX + strong cli KEX -> succeeds
wire tamper to weaker cipher -> client rejects
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
OS X doesn't support chmod on shm files after creation. Since we
already set the mode at creation, that call was redundant. Fixed the
getpeereid() function was not accessible because of the guards. Fixed
some differences between macOS and Linux with gid_t vs int usage.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move CMAKE_INSTALL_PREFIX override before GNUInstallDirs so that
CMAKE_INSTALL_FULL_SYSCONFDIR is computed with the correct prefix
(/usr on Linux, /usr/local on macOS). This ensures
OUROBOROS_CONFIG_DIR defaults to /etc/ouroboros for /usr installs and
/usr/local/etc/ouroboros for /usr/local installs on first cmake run.
Also move config/global before dependencies so OUROBOROS_CONFIG_DIR is
set when libtoml.cmake displays the configuration directory message.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
| |
The result of fchown and fchmod weren't checked, causing some
compilers to complain. Updated the test to create a PUP instead of
"non-root" version of the GSPP. Removed the environment variable for
the test suffix as this is not needed.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The IPCP_*_TARGET variables (e.g., set(IPCP_LOCAL_TARGET ipcpd-local))
were defined locally in each IPCP's CMakeLists.txt (e.g.,
CMakeLists.txt), but the configure_file() that substitutes
@IPCP_LOCAL_TARGET@ into config.h.in runs in a sibling scope that is
processed before ipcpd. Since CMake variables don't propagate between
sibling directory scopes, all @IPCP_*_TARGET@ substituted to empty
strings, resulting in IPCP_LOCAL_EXEC "".
Moved the IPCP_*_TARGET definitions into the cmake/config/ipcp/*.cmake
files so they are known when generating config.h.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
|
