| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2026-06-21 13:03:36 +0200 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2026-06-29 08:32:59 +0200 |
| commit | 47034834790e778f28b082842b3ed1c7bd44f29a (patch) | |
| tree | 4c7aa9ecd4f87aa9ffeeca6432ac3d061b7edc3a | |
| parent | 8499436b4673ac2e2026879a95d97162ba2e8cbc (diff) | |
| download | ouroboros-47034834790e778f28b082842b3ed1c7bd44f29a.tar.gz ouroboros-47034834790e778f28b082842b3ed1c7bd44f29a.zip | |
config: Rename enc.conf to sec.conf
The per-name config file holds more than encryption settings (KEX,
cipher, KDF, peer authentication), so renamed it from enc.conf to
sec.conf and the code internals to match.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
| -rw-r--r-- | include/ouroboros/name.h | 6 | ||||
| -rw-r--r-- | irmd.conf.in | 4 | ||||
| -rw-r--r-- | sec.conf.in (renamed from enc.conf.in) | 17 | ||||
| -rw-r--r-- | src/irmd/CMakeLists.txt | 6 | ||||
| -rw-r--r-- | src/irmd/configfile.c | 12 | ||||
| -rw-r--r-- | src/irmd/main.c | 8 | ||||
| -rw-r--r-- | src/irmd/oap/cli.c | 2 | ||||
| -rw-r--r-- | src/irmd/oap/srv.c | 2 | ||||
| -rw-r--r-- | src/tools/irm/irm_name_create.c | 24 |
9 files changed, 38 insertions, 43 deletions
diff --git a/include/ouroboros/name.h b/include/ouroboros/name.h
index a9393820..a3aac8c4 100644
--- a/include/ouroboros/name.h
+++ b/include/ouroboros/name.h
@@ -34,9 +34,9 @@ enum pol_balance {
 };
 struct name_sec_paths {
- char enc[NAME_PATH_SIZE + 1]; /* path to crypt for this name */
- char key[NAME_PATH_SIZE + 1]; /* path to key for this name */
- char crt[NAME_PATH_SIZE + 1]; /* path to crt for this name */
+ char sec[NAME_PATH_SIZE + 1]; /* path to sec.conf for this name */
+ char key[NAME_PATH_SIZE + 1]; /* path to key for this name */
+ char crt[NAME_PATH_SIZE + 1]; /* path to crt for this name */
 };
 struct name_info {
diff --git a/irmd.conf.in b/irmd.conf.in
index dee88392..b9b79782 100644
--- a/irmd.conf.in
+++ b/irmd.conf.in
@@ -56,10 +56,10 @@ prog=["@INSTALL_DIR@/ovpn"] # Defaults to [].
 prog=["@INSTALL_DIR@/oping"] # Defaults to [].
 args=["--listen"] # Defaults to disabled. Autostart server with these args.
 lb="round-robin" # Defaults to spill (load-balancing options: spill, round-robin).
-# server_enc_file=/path/to/enc.conf Default: @OUROBOROS_SRV_CRT_DIR@/<name>/enc.conf
+# server_sec_file=/path/to/sec.conf Default: @OUROBOROS_SRV_CRT_DIR@/<name>/sec.conf
 # server_crt_file=/path/to/crt.pem Default: @OUROBOROS_SRV_CRT_DIR@/<name>/crt.pem
 # server_key_file=/path/to/key.pem Default: @OUROBOROS_SRV_CRT_DIR@/<name>/key.pem
-# client_enc_file=/path/to/enc.conf Default: @OUROBOROS_CLI_CRT_DIR@/<name>/enc.conf
+# client_sec_file=/path/to/sec.conf Default: @OUROBOROS_CLI_CRT_DIR@/<name>/sec.conf
 # client_crt_file=/path/to/crt.pem Default: @OUROBOROS_CLI_CRT_DIR@/<name>/crt.pem
 # client_key_file=/path/to/key.pem Default: @OUROBOROS_CLI_CRT_DIR@/<name>/key.pem
diff --git a/enc.conf.in b/sec.conf.in
index 980cfb2e..4796b72d 100644
--- a/enc.conf.in
+++ b/sec.conf.in
@@ -1,19 +1,19 @@
-### Example Ouroboros encryption configuration file
+### Example Ouroboros security configuration file
 #
-# This file specifies the key exchange (KEX) algorithm and cipher to use
-# for encrypted flows.
+# This file specifies the security parameters for a service: the key
+# exchange (KEX) algorithm, cipher, key derivation, and peer authentication.
 #
 # File Locations:
 # ---------------
 #
 # This file should be placed at one of:
-# @OUROBOROS_CONFIG_DIR@/security/server/<name>/enc.conf (server-side config)
-# @OUROBOROS_CONFIG_DIR@/security/client/<name>/enc.conf (client-side config)
+# @OUROBOROS_CONFIG_DIR@/security/server/<name>/sec.conf (server-side config)
+# @OUROBOROS_CONFIG_DIR@/security/client/<name>/sec.conf (client-side config)
 #
 # Where <name> is the service name registered with 'irm name create'.
 #
 # You can override the default paths using:
-# irm name create <name> sencpath <server-enc-path> cencpath <client-enc-path>
+# irm name create <name> ssecpath <server-sec-path> csecpath <client-sec-path>
 #
 # Configuration Options:
 # ----------------------
@@ -58,11 +58,6 @@
 # aes-256-gcm AES-256 in GCM mode (default)
 # chacha20-poly1305 ChaCha20-Poly1305
 #
-# Stream ciphers (not recommended):
-# aes-128-ctr AES-128 in CTR mode
-# aes-192-ctr AES-192 in CTR mode
-# aes-256-ctr AES-256 in CTR mode
-#
 # Key Derivation Functions (kdf=):
 # ---------------------------------
 #
diff --git a/src/irmd/CMakeLists.txt b/src/irmd/CMakeLists.txt
index 9aa747ca..5aa457ff 100644
--- a/src/irmd/CMakeLists.txt
+++ b/src/irmd/CMakeLists.txt
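Review bot: The second hunk (`@@ -58,11 +58,6 @@`) drops the whole `Stream ciphers (not recommended)` section listing aes-128/192/256-ctr from the example, which goes beyond the rename the commit message describes. Whether the parser still accepts those `cipher=` values is not visible here; if it does, the example should keep a one-line mention that the CTR modes are accepted but discouraged because CTR on its own provides no integrity protection, so an operator who finds one in an existing file knows why it is flagged. If they were removed from the parser, the commit message should say so, since existing configs that name a CTR cipher will then fail to load.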
@@ -7,11 +7,11 @@ if(HAVE_TOML)
 set(INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}")
 configure_file("${CMAKE_SOURCE_DIR}/irmd.conf.in"
 "${CMAKE_BINARY_DIR}/${OUROBOROS_CONFIG_FILE}.example" @ONLY)
- configure_file("${CMAKE_SOURCE_DIR}/enc.conf.in"
- "${CMAKE_BINARY_DIR}/enc.conf.example" @ONLY)
+ configure_file("${CMAKE_SOURCE_DIR}/sec.conf.in"
+ "${CMAKE_BINARY_DIR}/sec.conf.example" @ONLY)
 install(FILES "${CMAKE_BINARY_DIR}/${OUROBOROS_CONFIG_FILE}.example"
 DESTINATION "${OUROBOROS_CONFIG_DIR}")
- install(FILES "${CMAKE_BINARY_DIR}/enc.conf.example"
+ install(FILES "${CMAKE_BINARY_DIR}/sec.conf.example"
 DESTINATION "${OUROBOROS_CONFIG_DIR}")
 install(CODE "
 if(NOT EXISTS \"${OUROBOROS_CONFIG_DIR}/${OUROBOROS_CONFIG_FILE}\")
diff --git a/src/irmd/configfile.c b/src/irmd/configfile.c
index 53608eee..35cf4292 100644
--- a/src/irmd/configfile.c
+++ b/src/irmd/configfile.c
@@ -922,10 +922,10 @@ static int toml_name(toml_table_t * table,
 toml_array_t * progs;
 toml_array_t * args;
 toml_datum_t lb;
- toml_datum_t senc;
+ toml_datum_t ssec;
 toml_datum_t scrt;
 toml_datum_t skey;
- toml_datum_t cenc;
+ toml_datum_t csec;
 toml_datum_t ccrt;
 toml_datum_t ckey;
@@ -957,8 +957,8 @@ static int toml_name(toml_table_t * table,
 log_err("Invalid load-balancing policy for %s.", name);
 return -1;
 }
- senc = toml_string_in(table, "server_enc_file");
- if (senc.ok && cp_chk_path(info.s.enc, senc.u.s) < 0)
+ ssec = toml_string_in(table, "server_sec_file");
+ if (ssec.ok && cp_chk_path(info.s.sec, ssec.u.s) < 0)
 return -1;
 scrt = toml_string_in(table, "server_crt_file");
@@ -969,8 +969,8 @@ static int toml_name(toml_table_t * table,
 if (skey.ok && cp_chk_path(info.s.key, skey.u.s) < 0)
 return -1;
- cenc = toml_string_in(table, "client_enc_file");
- if (cenc.ok && cp_chk_path(info.c.enc, cenc.u.s) < 0)
+ csec = toml_string_in(table, "client_sec_file");
+ if (csec.ok && cp_chk_path(info.c.sec, csec.u.s) < 0)
 return -1;
 ccrt = toml_string_in(table, "client_crt_file");
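Review bot: In the `@@ -957,8 +957,8 @@` hunk of toml_name, switching the lookup to `toml_string_in(table, "server_sec_file")` means an existing irmd.conf that still sets `server_enc_file` silently loses its explicit path: the new key is not found, `ssec.ok` is false, `info.s.sec` stays empty and the daemon falls back to the default location, which on an upgraded host likely holds an enc.conf rather than a sec.conf. Because that path selects the KEX, cipher and peer-authentication settings, a quiet fallback deserves a guard; whether the TOML layer warns about unrecognised keys is not visible in this hunk. One option is a transition lookup, `if (!ssec.ok) ssec = toml_string_in(table, "server_enc_file");`, paired with a logged deprecation warning when the legacy key matched; the same applies to `client_sec_file` in the `@@ -969,8 +969,8 @@` hunk. toml_name starts before the hunk.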
diff --git a/src/irmd/main.c b/src/irmd/main.c
index 3519e079..c77355e7 100644
--- a/src/irmd/main.c
+++ b/src/irmd/main.c
@@ -488,8 +488,8 @@ static void name_update_sec_paths(struct name_info * info)
 assert(info != NULL);
- if (strlen(info->s.enc) == 0)
- sprintf(info->s.enc, "%s/%s/enc.conf", srv_dir, info->name);
+ if (strlen(info->s.sec) == 0)
+ sprintf(info->s.sec, "%s/%s/sec.conf", srv_dir, info->name);
 if (strlen(info->s.crt) == 0)
 sprintf(info->s.crt, "%s/%s/crt.pem", srv_dir, info->name);
@@ -497,8 +497,8 @@ static void name_update_sec_paths(struct name_info * info)
 if (strlen(info->s.key) == 0)
 sprintf(info->s.key, "%s/%s/key.pem", srv_dir, info->name);
- if (strlen(info->c.enc) == 0)
- sprintf(info->c.enc, "%s/%s/enc.conf", cli_dir, info->name);
+ if (strlen(info->c.sec) == 0)
+ sprintf(info->c.sec, "%s/%s/sec.conf", cli_dir, info->name);
 if (strlen(info->c.crt) == 0)
 sprintf(info->c.crt, "%s/%s/crt.pem", cli_dir, info->name);
diff --git a/src/irmd/oap/cli.c b/src/irmd/oap/cli.c
index 113abc4c..b3d6d586 100644
--- a/src/irmd/oap/cli.c
+++ b/src/irmd/oap/cli.c
@@ -98,7 +98,7 @@ int load_cli_kex_config(const struct name_info * info,
 /* A client authenticates the server by default, like an https client */
 cfg->req_auth = OAP_CLIENT_AUTH_DEFAULT;
- return load_kex_config(info->name, info->c.enc, cfg);
+ return load_kex_config(info->name, info->c.sec, cfg);
 }
 int load_server_kem_pk(const char * name,
diff --git a/src/irmd/oap/srv.c b/src/irmd/oap/srv.c
index b92c1946..9ace8ed1 100644
--- a/src/irmd/oap/srv.c
+++ b/src/irmd/oap/srv.c
@@ -76,7 +76,7 @@ int load_srv_kex_config(const struct name_info * info,
 memset(cfg, 0, sizeof(*cfg));
 /* Client auth stays opt-in (mTLS); enable with auth=required */
- return load_kex_config(info->name, info->s.enc, cfg);
+ return load_kex_config(info->name, info->s.sec, cfg);
 }
 int load_server_kem_keypair(const char * name,
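Review bot: The added `sprintf(info->s.sec, "%s/%s/sec.conf", srv_dir, info->name);` in the first main.c hunk writes into the fixed `char sec[NAME_PATH_SIZE + 1]` field with no bound, and the second hunk does the same for `info->c.sec` with `cli_dir`; the rename was a chance to bound these writes. If `srv_dir`, `cli_dir` and `info->name` are length-checked against NAME_PATH_SIZE elsewhere this is latent rather than live, but no such check is visible in these hunks, and the untouched crt/key lines share the pattern. A bounded form is `snprintf(info->s.sec, sizeof(info->s.sec), "%s/%s/sec.conf", srv_dir, info->name);`, which turns an over-long directory into a truncated, non-existent path instead of an overflow of the struct; since name_update_sec_paths returns void, reporting truncation to the caller would need a return value. The function starts before the first hunk.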
diff --git a/src/tools/irm/irm_name_create.c b/src/tools/irm/irm_name_create.c
index 1055700c..40a51193 100644
--- a/src/tools/irm/irm_name_create.c
+++ b/src/tools/irm/irm_name_create.c
@@ -51,10 +51,10 @@
 #define RR "round-robin"
 #define SPILL "spillover"
-#define SENC "<security_dir>/server/<name>/enc.conf"
+#define SSEC "<security_dir>/server/<name>/sec.conf"
 #define SCRT "<security_dir>/server/<name>/crt.pem"
 #define SKEY "<security_dir>/server/<name>/key.pem"
-#define CENC "<security_dir>/client/<name>/enc.conf"
+#define CSEC "<security_dir>/client/<name>/sec.conf"
 #define CCRT "<security_dir>/client/<name>/crt.pem"
 #define CKEY "<security_dir>/client/<name>/key.pem"
@@ -63,10 +63,10 @@ static void usage(void)
 printf("Usage: irm name create\n"
 " <name>. max %d chars.\n"
 " [lb LB_POLICY], default: %s\n"
- " [sencpath <path>, default: " SENC "]\n"
+ " [ssecpath <path>, default: " SSEC "]\n"
 " [scrtpath <path>, default: " SCRT "]\n"
 " [skeypath <path>, default: " SKEY "]\n"
- " [cencpath <path>, default: " CENC "]\n"
+ " [csecpath <path>, default: " CSEC "]\n"
 " [ccrtpath <path>, default: " CCRT "]\n"
 " [ckeypath <path>, default: " CKEY "]\n"
 "\n"
@@ -105,10 +105,10 @@ int do_create_name(int argc,
 {
 struct name_info info = {};
 char * name = NULL;
- char * sencpath = NULL;
+ char * ssecpath = NULL;
 char * scrtpath = NULL;
 char * skeypath = NULL;
- char * cencpath = NULL;
+ char * csecpath = NULL;
 char * ccrtpath = NULL;
 char * ckeypath = NULL;
 char * lb_pol = RR;
@@ -119,14 +119,14 @@ int do_create_name(int argc,
 while (argc > 0) {
 if (matches(*argv, "lb") == 0) {
 lb_pol = *(argv + 1);
- } else if (matches(*argv, "sencpath") == 0) {
- sencpath = *(argv + 1);
+ } else if (matches(*argv, "ssecpath") == 0) {
+ ssecpath = *(argv + 1);
 } else if (matches(*argv, "scrtpath") == 0) {
 scrtpath = *(argv + 1);
 } else if (matches(*argv, "skeypath") == 0) {
 skeypath = *(argv + 1);
- } else if (matches(*argv, "cencpath") == 0) {
- cencpath = *(argv + 1);
+ } else if (matches(*argv, "csecpath") == 0) {
+ csecpath = *(argv + 1);
 } else if (matches(*argv, "ccrtpath") == 0) {
 ccrtpath = *(argv + 1);
 } else if (matches(*argv, "ckeypath") == 0) {
@@ -151,7 +151,7 @@ int do_create_name(int argc,
 strcpy(info.name, name);
- if (sencpath != NULL && cp_chk_path(info.s.enc, sencpath) < 0)
+ if (ssecpath != NULL && cp_chk_path(info.s.sec, ssecpath) < 0)
 goto fail;
 if (scrtpath != NULL && cp_chk_path(info.s.crt, scrtpath) < 0)
@@ -160,7 +160,7 @@ int do_create_name(int argc,
 if (skeypath != NULL && cp_chk_path(info.s.key, skeypath) < 0)
 goto fail;
- if (cencpath != NULL && cp_chk_path(info.c.enc, cencpath) < 0)
+ if (csecpath != NULL && cp_chk_path(info.c.sec, csecpath) < 0)
 goto fail;
 if (ccrtpath != NULL && cp_chk_path(info.c.crt, ccrtpath) < 0) |
