authorDimitri Staessens <dimitri@ouroboros.rocks>2026-06-21 13:03:36 +0200
committerSander Vrijders <sander@ouroboros.rocks>2026-06-29 08:32:59 +0200
commit47034834790e778f28b082842b3ed1c7bd44f29a (patch)
tree4c7aa9ecd4f87aa9ffeeca6432ac3d061b7edc3a
parent8499436b4673ac2e2026879a95d97162ba2e8cbc (diff)
downloadouroboros-47034834790e778f28b082842b3ed1c7bd44f29a.tar.gz
ouroboros-47034834790e778f28b082842b3ed1c7bd44f29a.zip
config: Rename enc.conf to sec.conf
The per-name config file holds more than encryption settings (KEX, cipher, KDF, peer authentication), so it is renamed from enc.conf to sec.conf, and the code internals are renamed to match. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
-rw-r--r--include/ouroboros/name.h6
-rw-r--r--irmd.conf.in4
-rw-r--r--sec.conf.in (renamed from enc.conf.in)17
-rw-r--r--src/irmd/CMakeLists.txt6
-rw-r--r--src/irmd/configfile.c12
-rw-r--r--src/irmd/main.c8
-rw-r--r--src/irmd/oap/cli.c2
-rw-r--r--src/irmd/oap/srv.c2
-rw-r--r--src/tools/irm/irm_name_create.c24
9 files changed, 38 insertions, 43 deletions
diff --git a/include/ouroboros/name.h b/include/ouroboros/name.h
index a9393820..a3aac8c4 100644
--- a/include/ouroboros/name.h
+++ b/include/ouroboros/name.h
@@ -34,9 +34,9 @@ enum pol_balance {
};
struct name_sec_paths {
- char enc[NAME_PATH_SIZE + 1]; /* path to crypt for this name */
- char key[NAME_PATH_SIZE + 1]; /* path to key for this name */
- char crt[NAME_PATH_SIZE + 1]; /* path to crt for this name */
+ char sec[NAME_PATH_SIZE + 1]; /* path to sec.conf for this name */
+ char key[NAME_PATH_SIZE + 1]; /* path to key for this name */
+ char crt[NAME_PATH_SIZE + 1]; /* path to crt for this name */
};
struct name_info {
diff --git a/irmd.conf.in b/irmd.conf.in
index dee88392..b9b79782 100644
--- a/irmd.conf.in
+++ b/irmd.conf.in
@@ -56,10 +56,10 @@ prog=["@INSTALL_DIR@/ovpn"] # Defaults to [].
prog=["@INSTALL_DIR@/oping"] # Defaults to [].
args=["--listen"] # Defaults to disabled. Autostart server with these args.
lb="round-robin" # Defaults to spill (load-balancing options: spill, round-robin).
-# server_enc_file=/path/to/enc.conf Default: @OUROBOROS_SRV_CRT_DIR@/<name>/enc.conf
+# server_sec_file=/path/to/sec.conf Default: @OUROBOROS_SRV_CRT_DIR@/<name>/sec.conf
# server_crt_file=/path/to/crt.pem Default: @OUROBOROS_SRV_CRT_DIR@/<name>/crt.pem
# server_key_file=/path/to/key.pem Default: @OUROBOROS_SRV_CRT_DIR@/<name>/key.pem
-# client_enc_file=/path/to/enc.conf Default: @OUROBOROS_CLI_CRT_DIR@/<name>/enc.conf
+# client_sec_file=/path/to/sec.conf Default: @OUROBOROS_CLI_CRT_DIR@/<name>/sec.conf
# client_crt_file=/path/to/crt.pem Default: @OUROBOROS_CLI_CRT_DIR@/<name>/crt.pem
# client_key_file=/path/to/key.pem Default: @OUROBOROS_CLI_CRT_DIR@/<name>/key.pem
diff --git a/enc.conf.in b/sec.conf.in
index 980cfb2e..4796b72d 100644
--- a/enc.conf.in
+++ b/sec.conf.in
@@ -1,19 +1,19 @@
-### Example Ouroboros encryption configuration file
+### Example Ouroboros security configuration file
#
-# This file specifies the key exchange (KEX) algorithm and cipher to use
-# for encrypted flows.
+# This file specifies the security parameters for a service: the key
+# exchange (KEX) algorithm, cipher, key derivation, and peer authentication.
#
# File Locations:
# ---------------
#
# This file should be placed at one of:
-# @OUROBOROS_CONFIG_DIR@/security/server/<name>/enc.conf (server-side config)
-# @OUROBOROS_CONFIG_DIR@/security/client/<name>/enc.conf (client-side config)
+# @OUROBOROS_CONFIG_DIR@/security/server/<name>/sec.conf (server-side config)
+# @OUROBOROS_CONFIG_DIR@/security/client/<name>/sec.conf (client-side config)
#
# Where <name> is the service name registered with 'irm name create'.
#
# You can override the default paths using:
-# irm name create <name> sencpath <server-enc-path> cencpath <client-enc-path>
+# irm name create <name> ssecpath <server-sec-path> csecpath <client-sec-path>
#
# Configuration Options:
# ----------------------
@@ -58,11 +58,6 @@
# aes-256-gcm AES-256 in GCM mode (default)
# chacha20-poly1305 ChaCha20-Poly1305
#
-# Stream ciphers (not recommended):
-# aes-128-ctr AES-128 in CTR mode
-# aes-192-ctr AES-192 in CTR mode
-# aes-256-ctr AES-256 in CTR mode
-#
# Key Derivation Functions (kdf=):
# ---------------------------------
#
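Review bot: This hunk drops the "Stream ciphers (not recommended)" block (aes-128/192/256-ctr) from the option reference, which goes beyond the rename the commit message describes. If the config parser still accepts those cipher names, the example file now documents fewer values than the code honours, and an operator can no longer see from the template that CTR mode gives no integrity protection; if they were removed from the code, that removal is not part of this commit. I would either keep the list with its "not recommended" marker or replace it with one line such as `# Stream ciphers (aes-*-ctr) are no longer supported; use an AEAD cipher.` so the template and parser stay in agreement.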
diff --git a/src/irmd/CMakeLists.txt b/src/irmd/CMakeLists.txt
index 9aa747ca..5aa457ff 100644
--- a/src/irmd/CMakeLists.txt
+++ b/src/irmd/CMakeLists.txt
@@ -7,11 +7,11 @@ if(HAVE_TOML)
set(INSTALL_DIR "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}")
configure_file("${CMAKE_SOURCE_DIR}/irmd.conf.in"
"${CMAKE_BINARY_DIR}/${OUROBOROS_CONFIG_FILE}.example" @ONLY)
- configure_file("${CMAKE_SOURCE_DIR}/enc.conf.in"
- "${CMAKE_BINARY_DIR}/enc.conf.example" @ONLY)
+ configure_file("${CMAKE_SOURCE_DIR}/sec.conf.in"
+ "${CMAKE_BINARY_DIR}/sec.conf.example" @ONLY)
install(FILES "${CMAKE_BINARY_DIR}/${OUROBOROS_CONFIG_FILE}.example"
DESTINATION "${OUROBOROS_CONFIG_DIR}")
- install(FILES "${CMAKE_BINARY_DIR}/enc.conf.example"
+ install(FILES "${CMAKE_BINARY_DIR}/sec.conf.example"
DESTINATION "${OUROBOROS_CONFIG_DIR}")
install(CODE "
if(NOT EXISTS \"${OUROBOROS_CONFIG_DIR}/${OUROBOROS_CONFIG_FILE}\")
diff --git a/src/irmd/configfile.c b/src/irmd/configfile.c
index 53608eee..35cf4292 100644
--- a/src/irmd/configfile.c
+++ b/src/irmd/configfile.c
@@ -922,10 +922,10 @@ static int toml_name(toml_table_t * table,
toml_array_t * progs;
toml_array_t * args;
toml_datum_t lb;
- toml_datum_t senc;
+ toml_datum_t ssec;
toml_datum_t scrt;
toml_datum_t skey;
- toml_datum_t cenc;
+ toml_datum_t csec;
toml_datum_t ccrt;
toml_datum_t ckey;
@@ -957,8 +957,8 @@ static int toml_name(toml_table_t * table,
log_err("Invalid load-balancing policy for %s.", name);
return -1;
}
- senc = toml_string_in(table, "server_enc_file");
- if (senc.ok && cp_chk_path(info.s.enc, senc.u.s) < 0)
+ ssec = toml_string_in(table, "server_sec_file");
+ if (ssec.ok && cp_chk_path(info.s.sec, ssec.u.s) < 0)
return -1;
scrt = toml_string_in(table, "server_crt_file");
@@ -969,8 +969,8 @@ static int toml_name(toml_table_t * table,
if (skey.ok && cp_chk_path(info.s.key, skey.u.s) < 0)
return -1;
- cenc = toml_string_in(table, "client_enc_file");
- if (cenc.ok && cp_chk_path(info.c.enc, cenc.u.s) < 0)
+ csec = toml_string_in(table, "client_sec_file");
+ if (csec.ok && cp_chk_path(info.c.sec, csec.u.s) < 0)
return -1;
ccrt = toml_string_in(table, "client_crt_file");
diff --git a/src/irmd/main.c b/src/irmd/main.c
index 3519e079..c77355e7 100644
--- a/src/irmd/main.c
+++ b/src/irmd/main.c
@@ -488,8 +488,8 @@ static void name_update_sec_paths(struct name_info * info)
assert(info != NULL);
- if (strlen(info->s.enc) == 0)
- sprintf(info->s.enc, "%s/%s/enc.conf", srv_dir, info->name);
+ if (strlen(info->s.sec) == 0)
+ sprintf(info->s.sec, "%s/%s/sec.conf", srv_dir, info->name);
if (strlen(info->s.crt) == 0)
sprintf(info->s.crt, "%s/%s/crt.pem", srv_dir, info->name);
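Review bot: The renamed default-path line `sprintf(info->s.sec, "%s/%s/sec.conf", srv_dir, info->name);` still writes into the fixed `char sec[NAME_PATH_SIZE + 1]` field with no bound; unless srv_dir and info->name are constrained elsewhere so that the joined path always fits (nothing in this hunk shows that), a long install or config prefix overflows the struct. The same applies to the client-side `sprintf(info->c.sec, ...)` line in the next hunk and to the unchanged crt/key lines around them. Since the rename touches these lines anyway, switching to `snprintf(info->s.sec, sizeof(info->s.sec), "%s/%s/sec.conf", srv_dir, info->name)` and treating a return value of `>= sizeof(info->s.sec)` as an error (the function returns void, so log it and leave the field empty rather than use a truncated path) would close the gap. name_update_sec_paths begins before this hunk and continues past it.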
@@ -497,8 +497,8 @@ static void name_update_sec_paths(struct name_info * info)
if (strlen(info->s.key) == 0)
sprintf(info->s.key, "%s/%s/key.pem", srv_dir, info->name);
- if (strlen(info->c.enc) == 0)
- sprintf(info->c.enc, "%s/%s/enc.conf", cli_dir, info->name);
+ if (strlen(info->c.sec) == 0)
+ sprintf(info->c.sec, "%s/%s/sec.conf", cli_dir, info->name);
if (strlen(info->c.crt) == 0)
sprintf(info->c.crt, "%s/%s/crt.pem", cli_dir, info->name);
diff --git a/src/irmd/oap/cli.c b/src/irmd/oap/cli.c
index 113abc4c..b3d6d586 100644
--- a/src/irmd/oap/cli.c
+++ b/src/irmd/oap/cli.c
@@ -98,7 +98,7 @@ int load_cli_kex_config(const struct name_info * info,
/* A client authenticates the server by default, like an https client */
cfg->req_auth = OAP_CLIENT_AUTH_DEFAULT;
- return load_kex_config(info->name, info->c.enc, cfg);
+ return load_kex_config(info->name, info->c.sec, cfg);
}
int load_server_kem_pk(const char * name,
diff --git a/src/irmd/oap/srv.c b/src/irmd/oap/srv.c
index b92c1946..9ace8ed1 100644
--- a/src/irmd/oap/srv.c
+++ b/src/irmd/oap/srv.c
@@ -76,7 +76,7 @@ int load_srv_kex_config(const struct name_info * info,
memset(cfg, 0, sizeof(*cfg));
/* Client auth stays opt-in (mTLS); enable with auth=required */
- return load_kex_config(info->name, info->s.enc, cfg);
+ return load_kex_config(info->name, info->s.sec, cfg);
}
int load_server_kem_keypair(const char * name,
diff --git a/src/tools/irm/irm_name_create.c b/src/tools/irm/irm_name_create.c
index 1055700c..40a51193 100644
--- a/src/tools/irm/irm_name_create.c
+++ b/src/tools/irm/irm_name_create.c
@@ -51,10 +51,10 @@
#define RR "round-robin"
#define SPILL "spillover"
-#define SENC "<security_dir>/server/<name>/enc.conf"
+#define SSEC "<security_dir>/server/<name>/sec.conf"
#define SCRT "<security_dir>/server/<name>/crt.pem"
#define SKEY "<security_dir>/server/<name>/key.pem"
-#define CENC "<security_dir>/client/<name>/enc.conf"
+#define CSEC "<security_dir>/client/<name>/sec.conf"
#define CCRT "<security_dir>/client/<name>/crt.pem"
#define CKEY "<security_dir>/client/<name>/key.pem"
@@ -63,10 +63,10 @@ static void usage(void)
printf("Usage: irm name create\n"
" <name>. max %d chars.\n"
" [lb LB_POLICY], default: %s\n"
- " [sencpath <path>, default: " SENC "]\n"
+ " [ssecpath <path>, default: " SSEC "]\n"
" [scrtpath <path>, default: " SCRT "]\n"
" [skeypath <path>, default: " SKEY "]\n"
- " [cencpath <path>, default: " CENC "]\n"
+ " [csecpath <path>, default: " CSEC "]\n"
" [ccrtpath <path>, default: " CCRT "]\n"
" [ckeypath <path>, default: " CKEY "]\n"
"\n"
@@ -105,10 +105,10 @@ int do_create_name(int argc,
{
struct name_info info = {};
char * name = NULL;
- char * sencpath = NULL;
+ char * ssecpath = NULL;
char * scrtpath = NULL;
char * skeypath = NULL;
- char * cencpath = NULL;
+ char * csecpath = NULL;
char * ccrtpath = NULL;
char * ckeypath = NULL;
char * lb_pol = RR;
@@ -119,14 +119,14 @@ int do_create_name(int argc,
while (argc > 0) {
if (matches(*argv, "lb") == 0) {
lb_pol = *(argv + 1);
- } else if (matches(*argv, "sencpath") == 0) {
- sencpath = *(argv + 1);
+ } else if (matches(*argv, "ssecpath") == 0) {
+ ssecpath = *(argv + 1);
} else if (matches(*argv, "scrtpath") == 0) {
scrtpath = *(argv + 1);
} else if (matches(*argv, "skeypath") == 0) {
skeypath = *(argv + 1);
- } else if (matches(*argv, "cencpath") == 0) {
- cencpath = *(argv + 1);
+ } else if (matches(*argv, "csecpath") == 0) {
+ csecpath = *(argv + 1);
} else if (matches(*argv, "ccrtpath") == 0) {
ccrtpath = *(argv + 1);
} else if (matches(*argv, "ckeypath") == 0) {
@@ -151,7 +151,7 @@ int do_create_name(int argc,
strcpy(info.name, name);
- if (sencpath != NULL && cp_chk_path(info.s.enc, sencpath) < 0)
+ if (ssecpath != NULL && cp_chk_path(info.s.sec, ssecpath) < 0)
goto fail;
if (scrtpath != NULL && cp_chk_path(info.s.crt, scrtpath) < 0)
@@ -160,7 +160,7 @@ int do_create_name(int argc,
if (skeypath != NULL && cp_chk_path(info.s.key, skeypath) < 0)
goto fail;
- if (cencpath != NULL && cp_chk_path(info.c.enc, cencpath) < 0)
+ if (csecpath != NULL && cp_chk_path(info.c.sec, csecpath) < 0)
goto fail;
if (ccrtpath != NULL && cp_chk_path(info.c.crt, ccrtpath) < 0)