From 8de42096eb6e90d3ea9f5eacb95dc94222e5000b Mon Sep 17 00:00:00 2001 
From: Dimitri Staessens Date: Tue, 2 Sep 2025 18:23:41 +0200 Subject: lib: Move encryption control from QoS to name This removes the flow encryption option (cypher_s) from the qosspec. The configuration file is configured in the security options (default /etc/ouroboros/security/). For this poc, encryption can be disabled client or server side by putting an enc.cfg file. If that file is present in the client folder, the client will require encryption. If that file is present on the server side, the server will require encryption and reject non-encrypted flows. Encryption is now configured outside of any application control. Example: /etc/ouroboros/security/client/oping/enc.cfg exists: irmd(II): Encryption enabled for oping. irmd(DB): File /etc/ouroboros/security/client/oping/crt.pem does not exist. irmd(II): No security info for oping. irmd(DB): Generated ephemeral keys for 87474. irmd/oap(PP): OAP_HDR [caf203681d997941 @ 2025-09-02 17:08:05 (UTC) ] --> irmd/oap(PP): Certificate: irmd/oap(PP): Ephemeral Public Key: [91 bytes] irmd/oap(PP): Data: irmd/oap(PP): Signature: Example: /etc/ouroboros/security/client/oping/enc.cfg does not exist: irmd(II): Allocating flow for 87506 to oping. irmd(DB): File /etc/ouroboros/security/client/oping/enc.cfg does not exist. irmd(DB): File /etc/ouroboros/security/client/oping/crt.pem does not exist. irmd(II): No security info for oping. irmd/oap(PP): OAP_HDR [e84bb9d7c3d9c002 @ 2025-09-02 17:08:30 (UTC) ] --> irmd/oap(PP): Certificate: irmd/oap(PP): Ephemeral Public Key: irmd/oap(PP): Data: irmd/oap(PP): Signature: Example: /etc/ouroboros/security/server/oping/enc.cfg exists: irmd(II): Flow request arrived for oping. irmd(DB): IPCP 88112 accepting flow 7 for oping. irmd(II): Encryption enabled for oping. irmd(DB): File /etc/ouroboros/security/server/oping/crt.pem does not exist. irmd(II): No security info for oping. 
irmd/oap(PP): OAP_HDR [3c717b3f31dff8df @ 2025-09-02 17:13:06 (UTC) ] <-- irmd/oap(PP): Certificate: irmd/oap(PP): Ephemeral Public Key: irmd/oap(PP): Data: irmd/oap(PP): Signature: irmd(WW): Encryption required but no key provided. The server side will pass the ECRYPT to the client: $ oping -l Ouroboros ping server started. Failed to accept flow: -1008 $ oping -n oping -c 1 Failed to allocate flow: -1008. Encryption on flows can now be changed at runtime without needing to touch/reconfigure/restart the process. Note: The ECRYPT result is passed on via the flow allocator responses through the IPCP (discovered/fixed some endianness issues), but the reason for rejecting the flow can be considered N+1 information... We may move that information up into the OAP header at some point. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders
---
 include/ouroboros/crypt.h | 3 +- include/ouroboros/ipcp-dev.h | 10 +++---- include/ouroboros/name.h | 1 + include/ouroboros/np1_flow.h | 4 +-- include/ouroboros/qos.h | 67 -------------------------------------------- 5 files changed, 9 insertions(+), 76 deletions(-) (limited to 'include')
diff --git a/include/ouroboros/crypt.h b/include/ouroboros/crypt.h
index a1339330..2d7cda6d 100644
--- a/include/ouroboros/crypt.h
+++ b/include/ouroboros/crypt.h
@@ -33,8 +33,7 @@ struct auth_ctx;
 struct crypt_ctx;
-struct crypt_ctx * crypt_create_ctx(uint16_t flags,
- const uint8_t * key);
+struct crypt_ctx * crypt_create_ctx(const uint8_t * key);
 void crypt_destroy_ctx(struct crypt_ctx * ctx);
diff --git a/include/ouroboros/ipcp-dev.h b/include/ouroboros/ipcp-dev.h
index 378d724a..35e07414 100644
--- a/include/ouroboros/ipcp-dev.h
+++ b/include/ouroboros/ipcp-dev.h
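Review bot: The new `crypt_create_ctx(const uint8_t * key)` prototype drops `flags`, so the cipher strength that callers used to request is now fixed by the implementation, but the header does not say how many bytes `key` must point to, whether the context copies or retains the buffer, or whether NULL is accepted. Suggest a comment on the declaration such as `/* key: caller-owned buffer of <KEY_LEN> bytes, fixed by the implementation; state whether NULL is accepted and whether the buffer is retained */`, with the length filled in from the implementation. Any remaining caller that derived the key length from the old `cypher_s` value now has to agree with that fixed length; the diff is limited to include/ so that code is not visible here. The rest of crypt.h's declarations continue outside this hunk.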
@@ -28,12 +28,12 @@
 #include
 #include
-int ipcp_create_r(const struct ipcp_info * info);
+int ipcp_create_r(const struct ipcp_info * info);
-int ipcp_flow_req_arr(const buffer_t * dst,
- qosspec_t qs,
- time_t mpl,
- const buffer_t * data);
+int ipcp_flow_req_arr(const buffer_t * dst,
+ qosspec_t qs,
+ time_t mpl,
+ const buffer_t * data);
 int ipcp_flow_alloc_reply(int fd, int response,
diff --git a/include/ouroboros/name.h b/include/ouroboros/name.h
index bb12fc0b..14fdd504 100644
--- a/include/ouroboros/name.h
+++ b/include/ouroboros/name.h
@@ -34,6 +34,7 @@ enum pol_balance {
 };
 struct name_sec_paths {
+ char enc[NAME_PATH_SIZE + 1]; /* path to crypt for this name */
 char key[NAME_PATH_SIZE + 1]; /* path to key for this name */
 char crt[NAME_PATH_SIZE + 1]; /* path to crt for this name */
 };
diff --git a/include/ouroboros/np1_flow.h b/include/ouroboros/np1_flow.h
index 31720eea..4110ab6a 100644
--- a/include/ouroboros/np1_flow.h
+++ b/include/ouroboros/np1_flow.h
@@ -30,7 +30,8 @@ int np1_flow_alloc(pid_t n_pid, int flow_id);
-int np1_flow_resp(int flow_id);
+int np1_flow_resp(int flow_id,
+ int resp);
 int np1_flow_dealloc(int flow_id, time_t timeo);
@@ -43,7 +44,6 @@ static const qosspec_t qos_np1 = {
 .ber = UINT32_MAX,
 .in_order = 0,
 .max_gap = UINT32_MAX,
- .cypher_s = 0,
 .timeout = 0
 };
diff --git a/include/ouroboros/qos.h b/include/ouroboros/qos.h
index a45e8135..2be31305 100644
--- a/include/ouroboros/qos.h
+++ b/include/ouroboros/qos.h
@@ -36,7 +36,6 @@ typedef struct qos_spec {
 uint32_t ber; /* Bit error rate, errors per billion bits. */
 uint8_t in_order; /* In-order delivery, enables FRCT. */
 uint32_t max_gap; /* In ms. */
- uint16_t cypher_s; /* Cypher strength (bits), 0 = no encryption. */
 uint32_t timeout; /* Peer timeout time, in ms, 0 = no timeout. */
 } qosspec_t;
@@ -48,7 +47,6 @@ static const qosspec_t qos_raw = {
 .ber = 1,
 .in_order = 0,
 .max_gap = UINT32_MAX,
- .cypher_s = 0,
 .timeout = DEFAULT_PEER_TIMEOUT
 };
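Review bot: The comment on the new `enc` member of `struct name_sec_paths`, `/* path to crypt for this name */`, does not say what the file is or that its mere presence is what changes behaviour; per the commit message it is the path to `enc.cfg`, whose existence makes a client require encryption and makes a server reject unencrypted flows. Suggest `/* path to enc.cfg for this name; if the file exists, encryption is required */`. Because the presence or absence of a file now decides a security policy, the loader that stats this path should also verify the ownership and permissions of the enclosing security directory, since a directory writable by an unprivileged user would let that user lift the requirement by removing the file; that check lives outside this header.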
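Review bot: `np1_flow_resp` gains an `int resp` argument with no documentation of its value space; the description says the allocation result, including the ECRYPT rejection shown as -1008 in the examples, is now carried back through the IPCP, but the header does not state whether 0 means accept and negative values are error codes that reach the peer. Suggest `/* resp: 0 accepts the flow, a negative error code (e.g. ECRYPT) rejects it and is forwarded to the peer -- confirm against the implementation */` on the declaration. Since this value crosses the IPCP boundary, the caller on the receiving side should treat it as untrusted input and only act on the specific codes it knows rather than passing arbitrary integers up to the application.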
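Review bot: Deleting `cypher_s` from `struct qos_spec` changes the layout of `qosspec_t`, and `ipcp_flow_req_arr` still takes a `qosspec_t` by value that travels through the IPCP, so if the spec is serialized into flow allocator messages, every encoder and decoder (outside this include-only diff) has to drop the field in the same commit or `timeout` will be read from the old offset by a peer built from the other revision. A short note at the struct would also make the new policy discoverable for readers who look for encryption here: `/* Encryption is not a QoS property: it is required per name via the security paths (see name.h) and enforced at flow allocation. */`. The same field deletion recurs in the `qos_np1`, `qos_raw`, `qos_raw_no_errors`, `qos_best_effort`, `qos_video`, `qos_voice` and `qos_data` initializers, and the `*_crypt` specs are removed outright, which makes stale callers fail to compile rather than silently lose encryption; that is the right failure mode and needs no further change.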
@@ -60,19 +58,6 @@ static const qosspec_t qos_raw_no_errors = {
 .ber = 0,
 .in_order = 0,
 .max_gap = UINT32_MAX,
- .cypher_s = 0,
- .timeout = DEFAULT_PEER_TIMEOUT
-};
-
-static const qosspec_t qos_raw_crypt = {
- .delay = UINT32_MAX,
- .bandwidth = 0,
- .availability = 0,
- .loss = 1,
- .ber = 0,
- .in_order = 0,
- .max_gap = UINT32_MAX,
- .cypher_s = 256,
 .timeout = DEFAULT_PEER_TIMEOUT
 };
@@ -84,19 +69,6 @@ static const qosspec_t qos_best_effort = {
 .ber = 0,
 .in_order = 1,
 .max_gap = UINT32_MAX,
- .cypher_s = 0,
- .timeout = DEFAULT_PEER_TIMEOUT
-};
-
-static const qosspec_t qos_best_effort_crypt = {
- .delay = UINT32_MAX,
- .bandwidth = 0,
- .availability = 0,
- .loss = 1,
- .ber = 0,
- .in_order = 1,
- .max_gap = UINT32_MAX,
- .cypher_s = 256,
 .timeout = DEFAULT_PEER_TIMEOUT
 };
@@ -108,19 +80,6 @@ static const qosspec_t qos_video = {
 .ber = 0,
 .in_order = 1,
 .max_gap = 100,
- .cypher_s = 0,
- .timeout = DEFAULT_PEER_TIMEOUT
-};
-
-static const qosspec_t qos_video_crypt = {
- .delay = 100,
- .bandwidth = UINT64_MAX,
- .availability = 3,
- .loss = 1,
- .ber = 0,
- .in_order = 1,
- .max_gap = 100,
- .cypher_s = 256,
 .timeout = DEFAULT_PEER_TIMEOUT
 };
@@ -132,19 +91,6 @@ static const qosspec_t qos_voice = {
 .ber = 0,
 .in_order = 1,
 .max_gap = 50,
- .cypher_s = 0,
- .timeout = DEFAULT_PEER_TIMEOUT
-};
-
-static const qosspec_t qos_voice_crypt = {
- .delay = 50,
- .bandwidth = 100000,
- .availability = 5,
- .loss = 1,
- .ber = 0,
- .in_order = 1,
- .max_gap = 50,
- .cypher_s = 256,
 .timeout = DEFAULT_PEER_TIMEOUT
 };
@@ -156,19 +102,6 @@ static const qosspec_t qos_data = {
 .ber = 0,
 .in_order = 1,
 .max_gap = 2000,
- .cypher_s = 0,
- .timeout = DEFAULT_PEER_TIMEOUT
-};
-
-static const qosspec_t qos_data_crypt = {
- .delay = 1000,
- .bandwidth = 0,
- .availability = 0,
- .loss = 0,
- .ber = 0,
- .in_order = 1,
- .max_gap = 2000,
- .cypher_s = 256,
 .timeout = DEFAULT_PEER_TIMEOUT
 };
-- cgit v1.2.3