diff options
| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2026-06-21 14:18:38 +0200 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2026-06-29 08:33:00 +0200 |
| commit | 4b16f7b9ba95f7e24ff443e5b215c2823c1387f7 (patch) | |
| tree | d52f169067ab7b8faca90ef2b97b624803e61a68 /src | |
| parent | 55a8136859d82d9bdb8f85abb25290177ca7e561 (diff) | |
| download | ouroboros-4b16f7b9ba95f7e24ff443e5b215c2823c1387f7.tar.gz ouroboros-4b16f7b9ba95f7e24ff443e5b215c2823c1387f7.zip | |
oap: Rename kex_config loaders to sec_config
Leftover from the kex_config->enc_config->sec_config rename. Finished
by renames load_kex_config and the cli/srv variants to
load_sec_config, the kcfg variables to scfg, and fixes the "KEX
config"/"encryption config" comments.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src')
| -rw-r--r-- | src/irmd/oap/cli.c | 106 | ||||
| -rw-r--r-- | src/irmd/oap/hdr.c | 28 | ||||
| -rw-r--r-- | src/irmd/oap/hdr.h | 2 | ||||
| -rw-r--r-- | src/irmd/oap/internal.h | 18 | ||||
| -rw-r--r-- | src/irmd/oap/io.c | 4 | ||||
| -rw-r--r-- | src/irmd/oap/io.h | 2 | ||||
| -rw-r--r-- | src/irmd/oap/srv.c | 96 | ||||
| -rw-r--r-- | src/irmd/oap/tests/common.c | 4 |
8 files changed, 130 insertions, 130 deletions
diff --git a/src/irmd/oap/cli.c b/src/irmd/oap/cli.c index 2db56792..689d67ca 100644 --- a/src/irmd/oap/cli.c +++ b/src/irmd/oap/cli.c @@ -54,7 +54,7 @@ struct oap_cli_ctx { uint8_t req_hash[MAX_HASH_SIZE]; size_t req_hash_len; int req_md_nid; - struct sec_config kcfg; + struct sec_config scfg; struct oap_hdr local_hdr; void * pkp; /* Ephemeral keypair */ uint8_t * key; /* For client-encap KEM */ @@ -69,7 +69,7 @@ struct oap_cli_ctx { extern int load_cli_credentials(const struct name_info * info, void ** pkp, void ** crt); -extern int load_cli_kex_config(const struct name_info * info, +extern int load_cli_sec_config(const struct name_info * info, struct sec_config * cfg); extern int load_server_kem_pk(const char * name, struct sec_config * cfg, @@ -87,7 +87,7 @@ int load_cli_credentials(const struct name_info * info, return load_credentials(info->name, &info->c, pkp, crt); } -int load_cli_kex_config(const struct name_info * info, +int load_cli_sec_config(const struct name_info * info, struct sec_config * cfg) { assert(info != NULL); @@ -98,7 +98,7 @@ int load_cli_kex_config(const struct name_info * info, /* A client authenticates the server by default, like an https client */ cfg->a.req = OAP_CLIENT_AUTH_DEFAULT; - return load_kex_config(info->name, info->c.sec, cfg); + return load_sec_config(info->name, info->c.sec, cfg); } int load_server_kem_pk(const char * name, @@ -138,13 +138,13 @@ int load_server_kem_pk(const char * name, static int do_client_kex_prepare_dhe(struct oap_cli_ctx * s) { - struct sec_config * kcfg = &s->kcfg; + struct sec_config * scfg = &s->scfg; buffer_t * kex = &s->local_hdr.kex; uint8_t * id = s->id.data; ssize_t len; /* Generate ephemeral keypair, send PK */ - len = kex_pkp_create(kcfg, &s->pkp, kex->data); + len = kex_pkp_create(scfg, &s->pkp, kex->data); if (len < 0) { log_err_id(id, "Failed to generate DHE keypair."); return -ECRYPT; @@ -152,7 +152,7 @@ static int do_client_kex_prepare_dhe(struct oap_cli_ctx * s) kex->len = (size_t) len; log_dbg_id(id, "Generated ephemeral %s keys (%zd bytes).", - kcfg->x.str, len); + scfg->x.str, len); return 0; } @@ -160,24 +160,24 @@ static int do_client_kex_prepare_dhe(struct oap_cli_ctx * s) static int do_client_kex_prepare_kem_encap(const char * server_name, struct oap_cli_ctx * s) { - struct sec_config * kcfg = &s->kcfg; + struct sec_config * scfg = &s->scfg; buffer_t * kex = &s->local_hdr.kex; uint8_t * id = s->id.data; buffer_t server_pk = BUF_INIT; uint8_t key_buf[SYMMKEYSZ]; ssize_t len; - if (load_server_kem_pk(server_name, kcfg, &server_pk) < 0) { + if (load_server_kem_pk(server_name, scfg, &server_pk) < 0) { log_err_id(id, "Failed to load server KEM pk."); return -ECRYPT; } - if (IS_HYBRID_KEM(kcfg->x.str)) + if (IS_HYBRID_KEM(scfg->x.str)) len = kex_kem_encap_raw(server_pk, kex->data, - kcfg->k.nid, key_buf); + scfg->k.nid, key_buf); else len = kex_kem_encap(server_pk, kex->data, - kcfg->k.nid, key_buf); + scfg->k.nid, key_buf); freebuf(server_pk); @@ -203,13 +203,13 @@ static int do_client_kex_prepare_kem_encap(const char * server_name, static int do_client_kex_prepare_kem_decap(struct oap_cli_ctx * s) { - struct sec_config * kcfg = &s->kcfg; + struct sec_config * scfg = &s->scfg; buffer_t * kex = &s->local_hdr.kex; uint8_t * id = s->id.data; ssize_t len; /* Server encaps: generate keypair, send PK */ - len = kex_pkp_create(kcfg, &s->pkp, kex->data); + len = kex_pkp_create(scfg, &s->pkp, kex->data); if (len < 0) { log_err_id(id, "Failed to generate KEM keypair."); return -ECRYPT; @@ -224,13 +224,13 @@ static int do_client_kex_prepare_kem_decap(struct oap_cli_ctx * s) static int do_client_kex_prepare(const char * server_name, struct oap_cli_ctx * s) { - struct sec_config * kcfg = &s->kcfg; + struct sec_config * scfg = &s->scfg; - if (!IS_KEX_ALGO_SET(kcfg)) + if (!IS_KEX_ALGO_SET(scfg)) return 0; - if (IS_KEM_ALGORITHM(kcfg->x.str)) { - if (kcfg->x.mode == KEM_MODE_CLIENT_ENCAP) + if (IS_KEM_ALGORITHM(scfg->x.str)) { + if (scfg->x.mode == KEM_MODE_CLIENT_ENCAP) return do_client_kex_prepare_kem_encap(server_name, s); else return do_client_kex_prepare_kem_decap(s); @@ -283,16 +283,16 @@ int oap_cli_prepare(void ** ctx, goto fail_id; } - /* Load KEX config */ - if (load_cli_kex_config(info, &s->kcfg) < 0) { - log_err_id(s->id.data, "Failed to load KEX config for %s.", + /* Load security config */ + if (load_cli_sec_config(info, &s->scfg) < 0) { + log_err_id(s->id.data, "Failed to load security config for %s.", info->name); goto fail_kex; } /* Re-key forces server-encap: client-encap forfeits FS/PCS. */ - if (rekey && s->kcfg.x.mode == KEM_MODE_CLIENT_ENCAP) { - s->kcfg.x.mode = KEM_MODE_SERVER_ENCAP; + if (rekey && s->scfg.x.mode == KEM_MODE_CLIENT_ENCAP) { + s->scfg.x.mode = KEM_MODE_SERVER_ENCAP; log_dbg_id(s->id.data, "Re-key forcing ephemeral server KEX."); } @@ -302,14 +302,14 @@ int oap_cli_prepare(void ** ctx, crt = NULL; } - oap_hdr_init(&s->local_hdr, s->id, s->kex_buf, data, s->kcfg.c.nid); + oap_hdr_init(&s->local_hdr, s->id, s->kex_buf, data, s->scfg.c.nid); if (do_client_kex_prepare(info->name, s) < 0) { log_err_id(s->id.data, "Failed to prepare client KEX."); goto fail_kex; } - if (oap_hdr_encode(&s->local_hdr, pkp, crt, &s->kcfg, + if (oap_hdr_encode(&s->local_hdr, pkp, crt, &s->scfg, no_tag, NID_undef, NULL)) { log_err_id(s->id.data, "Failed to create OAP request header."); goto fail_hdr; @@ -318,7 +318,7 @@ int oap_cli_prepare(void ** ctx, debug_oap_hdr_snd(&s->local_hdr); /* Compute and store hash of request for verification in complete */ - s->req_md_nid = s->kcfg.d.nid != NID_undef ? s->kcfg.d.nid : NID_sha384; + s->req_md_nid = s->scfg.d.nid != NID_undef ? s->scfg.d.nid : NID_sha384; ret = md_digest(s->req_md_nid, s->local_hdr.hdr, s->req_hash); if (ret < 0) { log_err_id(s->id.data, "Failed to hash request."); @@ -378,11 +378,11 @@ static int do_client_kex_complete_kem(struct oap_cli_ctx * s, const struct oap_hdr * peer_hdr, struct crypt_sk * sk) { - struct sec_config * kcfg = &s->kcfg; + struct sec_config * scfg = &s->scfg; uint8_t * id = s->id.data; uint8_t key_buf[SYMMKEYSZ]; - if (kcfg->x.mode == KEM_MODE_SERVER_ENCAP) { + if (scfg->x.mode == KEM_MODE_SERVER_ENCAP) { buffer_t ct; if (peer_hdr->kex.len == 0) { @@ -393,27 +393,27 @@ static int do_client_kex_complete_kem(struct oap_cli_ctx * s, ct.data = peer_hdr->kex.data; ct.len = peer_hdr->kex.len; - if (kex_kem_decap(s->pkp, ct, kcfg->k.nid, key_buf) < 0) { + if (kex_kem_decap(s->pkp, ct, scfg->k.nid, key_buf) < 0) { log_err_id(id, "Failed to decapsulate KEM."); return -ECRYPT; } log_dbg_id(id, "Client decapsulated server CT."); - } else if (kcfg->x.mode == KEM_MODE_CLIENT_ENCAP) { + } else if (scfg->x.mode == KEM_MODE_CLIENT_ENCAP) { /* Key already derived during prepare */ memcpy(sk->key, s->key, SYMMKEYSZ); - sk->nid = kcfg->c.nid; - log_info_id(id, "Negotiated %s + %s.", kcfg->x.str, - kcfg->c.str); + sk->nid = scfg->c.nid; + log_info_id(id, "Negotiated %s + %s.", scfg->x.str, + scfg->c.str); return 0; } memcpy(sk->key, key_buf, SYMMKEYSZ); - sk->nid = kcfg->c.nid; + sk->nid = scfg->c.nid; crypt_secure_clear(key_buf, SYMMKEYSZ); - log_info_id(id, "Negotiated %s + %s.", kcfg->x.str, kcfg->c.str); + log_info_id(id, "Negotiated %s + %s.", scfg->x.str, scfg->c.str); return 0; } @@ -422,7 +422,7 @@ static int do_client_kex_complete_dhe(struct oap_cli_ctx * s, const struct oap_hdr * peer_hdr, struct crypt_sk * sk) { - struct sec_config * kcfg = &s->kcfg; + struct sec_config * scfg = &s->scfg; uint8_t * id = s->id.data; uint8_t key_buf[SYMMKEYSZ]; @@ -432,7 +432,7 @@ static int do_client_kex_complete_dhe(struct oap_cli_ctx * s, return -ECRYPT; } - if (kex_dhe_derive(kcfg, s->pkp, peer_hdr->kex, key_buf) < 0) { + if (kex_dhe_derive(scfg, s->pkp, peer_hdr->kex, key_buf) < 0) { log_err_id(id, "Failed to derive DHE secret."); return -ECRYPT; } @@ -440,10 +440,10 @@ static int do_client_kex_complete_dhe(struct oap_cli_ctx * s, log_dbg_id(id, "DHE: derived shared secret."); memcpy(sk->key, key_buf, SYMMKEYSZ); - sk->nid = kcfg->c.nid; + sk->nid = scfg->c.nid; crypt_secure_clear(key_buf, SYMMKEYSZ); - log_info_id(id, "Negotiated %s + %s.", kcfg->x.str, kcfg->c.str); + log_info_id(id, "Negotiated %s + %s.", scfg->x.str, scfg->c.str); return 0; } @@ -453,17 +453,17 @@ static int do_client_kex_complete(struct oap_cli_ctx * s, const struct oap_hdr * peer_hdr, struct crypt_sk * sk) { - struct sec_config * kcfg = &s->kcfg; + struct sec_config * scfg = &s->scfg; uint8_t * id = s->id.data; int cipher_nid; int kdf_nid; - if (!IS_KEX_ALGO_SET(kcfg)) + if (!IS_KEX_ALGO_SET(scfg)) return 0; /* Save client's configured minimums */ - cipher_nid = kcfg->c.nid; - kdf_nid = kcfg->k.nid; + cipher_nid = scfg->c.nid; + kdf_nid = scfg->k.nid; /* Accept server's cipher choice */ if (peer_hdr->cipher_str == NULL) { @@ -471,15 +471,15 @@ static int do_client_kex_complete(struct oap_cli_ctx * s, return -ECRYPT; } - SET_KEX_CIPHER(kcfg, peer_hdr->cipher_str); - if (crypt_validate_nid(kcfg->c.nid) < 0) { + SET_KEX_CIPHER(scfg, peer_hdr->cipher_str); + if (crypt_validate_nid(scfg->c.nid) < 0) { log_err_id(id, "Server cipher '%s' not supported.", peer_hdr->cipher_str); return -ENOTSUP; } /* Verify server cipher >= client's minimum */ - if (crypt_cipher_rank(kcfg->c.nid) < crypt_cipher_rank(cipher_nid)) { + if (crypt_cipher_rank(scfg->c.nid) < crypt_cipher_rank(cipher_nid)) { log_err_id(id, "Server cipher %s too weak.", peer_hdr->cipher_str); return -ECRYPT; @@ -489,20 +489,20 @@ static int do_client_kex_complete(struct oap_cli_ctx * s, peer_hdr->cipher_str); /* Accept server's KDF for non-client-encap modes */ - if (kcfg->x.mode != KEM_MODE_CLIENT_ENCAP + if (scfg->x.mode != KEM_MODE_CLIENT_ENCAP && peer_hdr->kdf_nid != NID_undef) { if (crypt_kdf_rank(peer_hdr->kdf_nid) < crypt_kdf_rank(kdf_nid)) { log_err_id(id, "Server KDF too weak."); return -ECRYPT; } - SET_KEX_KDF_NID(kcfg, peer_hdr->kdf_nid); + SET_KEX_KDF_NID(scfg, peer_hdr->kdf_nid); log_dbg_id(id, "Accepted server KDF %s.", - md_nid_to_str(kcfg->k.nid)); + md_nid_to_str(scfg->k.nid)); } /* Derive shared secret */ - if (IS_KEM_ALGORITHM(kcfg->x.str)) + if (IS_KEM_ALGORITHM(scfg->x.str)) return do_client_kex_complete_kem(s, peer_hdr, sk); return do_client_kex_complete_dhe(s, peer_hdr, sk); @@ -583,7 +583,7 @@ int oap_cli_complete(void * ctx, } /* Authenticate server (cert + signature now in cleartext) */ - if (oap_auth_peer(peer, &s->kcfg, &s->local_hdr, &peer_hdr, + if (oap_auth_peer(peer, &s->scfg, &s->local_hdr, &peer_hdr, cached_crt) < 0) { log_err_id(id, "Failed to authenticate server."); goto fail_oap; @@ -624,7 +624,7 @@ int oap_cli_complete(void * ctx, } if (oap_bind_session_key(sk, req_hash, resp_hash, - s->kcfg.k.nid) < 0) { + s->scfg.k.nid) < 0) { log_err_id(id, "Failed to bind session key."); goto fail_oap; } @@ -642,7 +642,7 @@ int oap_cli_complete(void * ctx, } } else { /* Cleartext path is config-driven, never a wire downgrade */ - assert(!IS_KEX_ALGO_SET(&s->kcfg)); + assert(!IS_KEX_ALGO_SET(&s->scfg)); /* Unencrypted: verify request-echo integrity */ if (crypt_ct_cmp(peer_hdr.rsp_tag.data, s->req_hash, s->req_hash_len) != 0) { diff --git a/src/irmd/oap/hdr.c b/src/irmd/oap/hdr.c index f0411f64..f8400b46 100644 --- a/src/irmd/oap/hdr.c +++ b/src/irmd/oap/hdr.c @@ -253,7 +253,7 @@ void oap_hdr_init(struct oap_hdr * hdr, /* Write the 36-byte fixed header; stamp is already in network order. */ static void write_oap_fixed(uint8_t * buf, const struct oap_hdr * hdr, - const struct sec_config * kcfg, + const struct sec_config * scfg, size_t crt_len, size_t data_len, uint64_t stamp) @@ -272,11 +272,11 @@ static void write_oap_fixed(uint8_t * buf, memcpy(buf + offset, &v, sizeof(v)); offset += sizeof(v); - v = hton16(kcfg->k.nid); + v = hton16(scfg->k.nid); memcpy(buf + offset, &v, sizeof(v)); offset += sizeof(v); - v = hton16(kcfg->d.nid); + v = hton16(scfg->d.nid); memcpy(buf + offset, &v, sizeof(v)); offset += sizeof(v); @@ -285,10 +285,10 @@ static void write_oap_fixed(uint8_t * buf, offset += sizeof(v); kex_len = (uint16_t) hdr->kex.len; - if (hdr->kex.len > 0 && IS_KEM_ALGORITHM(kcfg->x.str)) { - if (IS_HYBRID_KEM(kcfg->x.str)) + if (hdr->kex.len > 0 && IS_KEM_ALGORITHM(scfg->x.str)) { + if (IS_HYBRID_KEM(scfg->x.str)) kex_len |= OAP_KEX_FMT_BIT; - if (kcfg->x.mode == KEM_MODE_CLIENT_ENCAP) + if (scfg->x.mode == KEM_MODE_CLIENT_ENCAP) kex_len |= OAP_KEX_ROLE_BIT; } @@ -394,7 +394,7 @@ static int oap_seal_body(int nid, static int oap_hdr_encode_sealed(struct oap_hdr * hdr, void * pkp, void * crt, - struct sec_config * kcfg, + struct sec_config * scfg, buffer_t rsp_tag, int req_md_nid, const uint8_t * seal_key) @@ -418,7 +418,7 @@ static int oap_hdr_encode_sealed(struct oap_hdr * hdr, goto fail_der; /* Cleartext crt_len/data_len are 0; real lengths prefix the seal. */ - write_oap_fixed(prefix.data, hdr, kcfg, 0, 0, stamp); + write_oap_fixed(prefix.data, hdr, scfg, 0, 0, stamp); offset = OAP_HDR_MIN_SIZE; if (hdr->kex.len != 0) @@ -433,7 +433,7 @@ static int oap_hdr_encode_sealed(struct oap_hdr * hdr, assert((size_t) offset == prefix.len); - if (oap_seal_body(hdr->nid, seal_key, pkp, kcfg->d.nid, + if (oap_seal_body(hdr->nid, seal_key, pkp, scfg->d.nid, prefix, hdr->data, der, &sealed) < 0) goto fail_prefix; @@ -469,7 +469,7 @@ static int oap_hdr_encode_sealed(struct oap_hdr * hdr, int oap_hdr_encode(struct oap_hdr * hdr, void * pkp, void * crt, - struct sec_config * kcfg, + struct sec_config * scfg, buffer_t rsp_tag, int req_md_nid, const uint8_t * seal_key) @@ -484,10 +484,10 @@ int oap_hdr_encode(struct oap_hdr * hdr, assert(hdr != NULL); assert(hdr->id.data != NULL && hdr->id.len == OAP_ID_SIZE); - assert(kcfg != NULL); + assert(scfg != NULL); if (seal_key != NULL) - return oap_hdr_encode_sealed(hdr, pkp, crt, kcfg, rsp_tag, + return oap_hdr_encode_sealed(hdr, pkp, crt, scfg, rsp_tag, req_md_nid, seal_key); clock_gettime(CLOCK_REALTIME, &now); @@ -504,7 +504,7 @@ int oap_hdr_encode(struct oap_hdr * hdr, if (out.data == NULL) goto fail_out; - write_oap_fixed(out.data, hdr, kcfg, der.len, hdr->data.len, stamp); + write_oap_fixed(out.data, hdr, scfg, der.len, hdr->data.len, stamp); offset = OAP_HDR_MIN_SIZE; /* certificate (variable) */ @@ -537,7 +537,7 @@ int oap_hdr_encode(struct oap_hdr * hdr, sign.data = out.data; sign.len = out.len; - if (pkp != NULL && auth_sign(pkp, kcfg->d.nid, sign, &sig) < 0) + if (pkp != NULL && auth_sign(pkp, scfg->d.nid, sign, &sig) < 0) goto fail_sig; hdr->hdr = out; diff --git a/src/irmd/oap/hdr.h b/src/irmd/oap/hdr.h index e6c5fffc..1a599727 100644 --- a/src/irmd/oap/hdr.h +++ b/src/irmd/oap/hdr.h @@ -171,7 +171,7 @@ void oap_hdr_fini(struct oap_hdr * oap_hdr); int oap_hdr_encode(struct oap_hdr * hdr, void * pkp, void * crt, - struct sec_config * kcfg, + struct sec_config * scfg, buffer_t rsp_tag, int req_md_nid, const uint8_t * seal_key); diff --git a/src/irmd/oap/internal.h b/src/irmd/oap/internal.h index 12d93bcd..4a156723 100644 --- a/src/irmd/oap/internal.h +++ b/src/irmd/oap/internal.h @@ -42,7 +42,7 @@ int oap_auth_peer(char * name, const struct oap_hdr * peer_hdr); int oap_negotiate_cipher(const struct oap_hdr * peer_hdr, - struct sec_config * kcfg); + struct sec_config * scfg); #ifndef OAP_TEST_MODE int load_credentials(const char * name, @@ -50,7 +50,7 @@ int load_credentials(const char * name, void ** pkp, void ** crt); -int load_kex_config(const char * name, +int load_sec_config(const char * name, const char * path, struct sec_config * cfg); #endif @@ -60,7 +60,7 @@ int load_srv_credentials(const struct name_info * info, void ** pkp, void ** crt); -int load_srv_kex_config(const struct name_info * info, +int load_srv_sec_config(const struct name_info * info, struct sec_config * cfg); int load_server_kem_keypair(const char * name, @@ -70,7 +70,7 @@ int load_server_kem_keypair(const char * name, extern int load_srv_credentials(const struct name_info * info, void ** pkp, void ** crt); -extern int load_srv_kex_config(const struct name_info * info, +extern int load_srv_sec_config(const struct name_info * info, struct sec_config * cfg); extern int load_server_kem_keypair(const char * name, struct sec_config * cfg, @@ -79,7 +79,7 @@ extern int load_server_kem_keypair(const char * name, int do_server_kex(const struct name_info * info, struct oap_hdr * peer_hdr, - struct sec_config * kcfg, + struct sec_config * scfg, buffer_t * kex, struct crypt_sk * sk); @@ -88,7 +88,7 @@ int load_cli_credentials(const struct name_info * info, void ** pkp, void ** crt); -int load_cli_kex_config(const struct name_info * info, +int load_cli_sec_config(const struct name_info * info, struct sec_config * cfg); int load_server_kem_pk(const char * name, @@ -98,21 +98,21 @@ int load_server_kem_pk(const char * name, extern int load_cli_credentials(const struct name_info * info, void ** pkp, void ** crt); -extern int load_cli_kex_config(const struct name_info * info, +extern int load_cli_sec_config(const struct name_info * info, struct sec_config * cfg); extern int load_server_kem_pk(const char * name, struct sec_config * cfg, buffer_t * pk); #endif -int oap_client_kex_prepare(struct sec_config * kcfg, +int oap_client_kex_prepare(struct sec_config * scfg, buffer_t server_pk, buffer_t * kex, uint8_t * key, void ** ephemeral_pkp); int oap_client_kex_complete(const struct oap_hdr * peer_hdr, - struct sec_config * kcfg, + struct sec_config * scfg, void * pkp, uint8_t * key); diff --git a/src/irmd/oap/io.c b/src/irmd/oap/io.c index 143ae65e..b5daa432 100644 --- a/src/irmd/oap/io.c +++ b/src/irmd/oap/io.c @@ -102,7 +102,7 @@ int load_credentials(const char * name, return -EAUTH; } -int load_kex_config(const char * name, +int load_sec_config(const char * name, const char * path, struct sec_config * cfg) { @@ -111,7 +111,7 @@ int load_kex_config(const char * name, assert(name != NULL); assert(cfg != NULL); - /* Load encryption config */ + /* Load security config */ if (!file_exists(path)) log_dbg("No encryption %s for %s.", path, name); diff --git a/src/irmd/oap/io.h b/src/irmd/oap/io.h index 2d47c62f..953e3898 100644 --- a/src/irmd/oap/io.h +++ b/src/irmd/oap/io.h @@ -32,7 +32,7 @@ int load_credentials(const char * name, void ** pkp, void ** crt); -int load_kex_config(const char * name, +int load_sec_config(const char * name, const char * path, struct sec_config * cfg); #endif diff --git a/src/irmd/oap/srv.c b/src/irmd/oap/srv.c index aef987eb..5d631618 100644 --- a/src/irmd/oap/srv.c +++ b/src/irmd/oap/srv.c @@ -49,7 +49,7 @@ extern int load_srv_credentials(const struct name_info * info, void ** pkp, void ** crt); -extern int load_srv_kex_config(const struct name_info * info, +extern int load_srv_sec_config(const struct name_info * info, struct sec_config * cfg); extern int load_server_kem_keypair(const char * name, bool raw_fmt, @@ -67,7 +67,7 @@ int load_srv_credentials(const struct name_info * info, return load_credentials(info->name, &info->s, pkp, crt); } -int load_srv_kex_config(const struct name_info * info, +int load_srv_sec_config(const struct name_info * info, struct sec_config * cfg) { assert(info != NULL); @@ -76,7 +76,7 @@ int load_srv_kex_config(const struct name_info * info, memset(cfg, 0, sizeof(*cfg)); /* Client auth stays opt-in (mTLS); enable with auth=required */ - return load_kex_config(info->name, info->s.sec, cfg); + return load_sec_config(info->name, info->s.sec, cfg); } int load_server_kem_keypair(const char * name, @@ -138,7 +138,7 @@ static int get_algo_from_peer_key(const struct oap_hdr * peer_hdr, } static int negotiate_cipher(const struct oap_hdr * peer_hdr, - struct sec_config * kcfg) + struct sec_config * scfg) { uint8_t * id = peer_hdr->id.data; int cli_nid; @@ -158,13 +158,13 @@ static int negotiate_cipher(const struct oap_hdr * peer_hdr, } cli_rank = crypt_cipher_rank(cli_nid); - srv_rank = crypt_cipher_rank(kcfg->c.nid); + srv_rank = crypt_cipher_rank(scfg->c.nid); if (cli_rank > srv_rank) { - SET_KEX_CIPHER_NID(kcfg, cli_nid); - log_dbg_id(id, "Selected client cipher %s.", kcfg->c.str); + SET_KEX_CIPHER_NID(scfg, cli_nid); + log_dbg_id(id, "Selected client cipher %s.", scfg->c.str); } else if (srv_rank > 0) { - log_dbg_id(id, "Selected server cipher %s.", kcfg->c.str); + log_dbg_id(id, "Selected server cipher %s.", scfg->c.str); } else { log_err_id(id, "Encryption requested, no cipher."); return -ECRYPT; @@ -179,7 +179,7 @@ static int negotiate_cipher(const struct oap_hdr * peer_hdr, } cli_rank = crypt_kdf_rank(peer_hdr->kdf_nid); - srv_rank = crypt_kdf_rank(kcfg->k.nid); + srv_rank = crypt_kdf_rank(scfg->k.nid); /* Client-encap KEM bakes KDF into ciphertext; verify min. */ if (OAP_KEX_ROLE(peer_hdr) == KEM_MODE_CLIENT_ENCAP) { @@ -187,19 +187,19 @@ static int negotiate_cipher(const struct oap_hdr * peer_hdr, log_err_id(id, "Client KDF too weak."); return -ECRYPT; } - SET_KEX_KDF_NID(kcfg, peer_hdr->kdf_nid); + SET_KEX_KDF_NID(scfg, peer_hdr->kdf_nid); } else if (cli_rank > srv_rank) { - SET_KEX_KDF_NID(kcfg, peer_hdr->kdf_nid); + SET_KEX_KDF_NID(scfg, peer_hdr->kdf_nid); log_dbg_id(id, "Selected client KDF %s.", - md_nid_to_str(kcfg->k.nid)); + md_nid_to_str(scfg->k.nid)); } else if (srv_rank > 0) { log_dbg_id(id, "Selected server KDF %s.", - md_nid_to_str(kcfg->k.nid)); + md_nid_to_str(scfg->k.nid)); } - if (IS_KEX_ALGO_SET(kcfg)) + if (IS_KEX_ALGO_SET(scfg)) log_info_id(id, "Negotiated %s + %s.", - kcfg->x.str, kcfg->c.str); + scfg->x.str, scfg->c.str); else log_info_id(id, "No key exchange."); @@ -208,7 +208,7 @@ static int negotiate_cipher(const struct oap_hdr * peer_hdr, static int do_server_kem_decap(const struct name_info * info, const struct oap_hdr * peer_hdr, - struct sec_config * kcfg, + struct sec_config * scfg, struct crypt_sk * sk) { buffer_t ct; @@ -225,7 +225,7 @@ static int do_server_kem_decap(const struct name_info * info, ct.data = peer_hdr->kex.data; ct.len = peer_hdr->kex.len; - ret = kex_kem_decap(server_pkp, ct, kcfg->k.nid, sk->key); + ret = kex_kem_decap(server_pkp, ct, scfg->k.nid, sk->key); crypt_free_key(server_pkp); @@ -240,7 +240,7 @@ static int do_server_kem_decap(const struct name_info * info, } static int do_server_kem_encap(const struct oap_hdr * peer_hdr, - struct sec_config * kcfg, + struct sec_config * scfg, buffer_t * kex, struct crypt_sk * sk) { @@ -251,12 +251,12 @@ static int do_server_kem_encap(const struct oap_hdr * peer_hdr, client_pk.data = peer_hdr->kex.data; client_pk.len = peer_hdr->kex.len; - if (IS_HYBRID_KEM(kcfg->x.str)) + if (IS_HYBRID_KEM(scfg->x.str)) ct_len = kex_kem_encap_raw(client_pk, kex->data, - kcfg->k.nid, sk->key); + scfg->k.nid, sk->key); else ct_len = kex_kem_encap(client_pk, kex->data, - kcfg->k.nid, sk->key); + scfg->k.nid, sk->key); if (ct_len < 0) { log_err_id(id, "Failed to encapsulate KEM."); @@ -272,26 +272,26 @@ static int do_server_kem_encap(const struct oap_hdr * peer_hdr, static int do_server_kex_kem(const struct name_info * info, struct oap_hdr * peer_hdr, - struct sec_config * kcfg, + struct sec_config * scfg, buffer_t * kex, struct crypt_sk * sk) { int ret; - kcfg->x.mode = peer_hdr->kex_flags.role; + scfg->x.mode = peer_hdr->kex_flags.role; - if (kcfg->x.mode == KEM_MODE_CLIENT_ENCAP) { - ret = do_server_kem_decap(info, peer_hdr, kcfg, sk); + if (scfg->x.mode == KEM_MODE_CLIENT_ENCAP) { + ret = do_server_kem_decap(info, peer_hdr, scfg, sk); kex->len = 0; } else { - ret = do_server_kem_encap(peer_hdr, kcfg, kex, sk); + ret = do_server_kem_encap(peer_hdr, scfg, kex, sk); } return ret; } static int do_server_kex_dhe(const struct oap_hdr * peer_hdr, - struct sec_config * kcfg, + struct sec_config * scfg, buffer_t * kex, struct crypt_sk * sk) { @@ -300,7 +300,7 @@ static int do_server_kex_dhe(const struct oap_hdr * peer_hdr, int ret; uint8_t * id = peer_hdr->id.data; - key_len = kex_pkp_create(kcfg, &epkp, kex->data); + key_len = kex_pkp_create(scfg, &epkp, kex->data); if (key_len < 0) { log_err_id(id, "Failed to generate key pair."); return -ECRYPT; @@ -308,9 +308,9 @@ static int do_server_kex_dhe(const struct oap_hdr * peer_hdr, kex->len = (size_t) key_len; - log_dbg_id(id, "Generated %s ephemeral keys.", kcfg->x.str); + log_dbg_id(id, "Generated %s ephemeral keys.", scfg->x.str); - ret = kex_dhe_derive(kcfg, epkp, peer_hdr->kex, sk->key); + ret = kex_dhe_derive(scfg, epkp, peer_hdr->kex, sk->key); if (ret < 0) { log_err_id(id, "Failed to derive secret."); kex_pkp_destroy(epkp); @@ -324,7 +324,7 @@ static int do_server_kex_dhe(const struct oap_hdr * peer_hdr, int do_server_kex(const struct name_info * info, struct oap_hdr * peer_hdr, - struct sec_config * kcfg, + struct sec_config * scfg, buffer_t * kex, struct crypt_sk * sk) { @@ -336,40 +336,40 @@ int do_server_kex(const struct name_info * info, /* No KEX data from client */ if (peer_hdr->kex.len == 0) { - if (IS_KEX_ALGO_SET(kcfg)) { + if (IS_KEX_ALGO_SET(scfg)) { log_warn_id(id, "KEX requested without info."); return -ECRYPT; } return 0; } - if (negotiate_cipher(peer_hdr, kcfg) < 0) + if (negotiate_cipher(peer_hdr, scfg) < 0) return -ECRYPT; /* Save server's configured KEX before overwriting */ - srv_kex_nid = kcfg->x.nid; + srv_kex_nid = scfg->x.nid; if (OAP_KEX_ROLE(peer_hdr) != KEM_MODE_CLIENT_ENCAP) { /* Server encapsulation or DHE: extract algo from DER PK */ if (get_algo_from_peer_key(peer_hdr, algo_buf) < 0) return -ECRYPT; - SET_KEX_ALGO(kcfg, algo_buf); + SET_KEX_ALGO(scfg, algo_buf); /* Reject if client KEX is weaker than server's */ - if (crypt_kex_rank(kcfg->x.nid) + if (crypt_kex_rank(scfg->x.nid) < crypt_kex_rank(srv_kex_nid)) { log_err_id(id, "Client KEX %s too weak.", - kcfg->x.str); + scfg->x.str); return -ECRYPT; } } /* Dispatch based on algorithm type */ - if (IS_KEM_ALGORITHM(kcfg->x.str)) - return do_server_kex_kem(info, peer_hdr, kcfg, kex, sk); + if (IS_KEM_ALGORITHM(scfg->x.str)) + return do_server_kex_kem(info, peer_hdr, scfg, kex, sk); else - return do_server_kex_dhe(peer_hdr, kcfg, kex, sk); + return do_server_kex_dhe(peer_hdr, scfg, kex, sk); } int oap_srv_process(const struct name_info * info, @@ -383,7 +383,7 @@ int oap_srv_process(const struct name_info * info, { struct oap_hdr peer_hdr; struct oap_hdr local_hdr; - struct sec_config kcfg; + struct sec_config scfg; uint8_t kex_buf[CRYPT_KEY_BUFSZ]; uint8_t hash_buf[MAX_HASH_SIZE]; uint8_t kc_buf[MAX_HASH_SIZE]; @@ -426,8 +426,8 @@ int oap_srv_process(const struct name_info * info, crt = NULL; } - if (load_srv_kex_config(info, &kcfg) < 0) { - log_err("Failed to load KEX config for %s.", info->name); + if (load_srv_sec_config(info, &scfg) < 0) { + log_err("Failed to load security config for %s.", info->name); goto fail_kex; } @@ -453,7 +453,7 @@ int oap_srv_process(const struct name_info * info, oap_hdr_init(&local_hdr, peer_hdr.id, kex_buf, *data, NID_undef); - if (oap_auth_peer(cli_name, &kcfg, &local_hdr, &peer_hdr, + if (oap_auth_peer(cli_name, &scfg, &local_hdr, &peer_hdr, cached_crt) < 0) { log_err_id(id, "Failed to authenticate client."); goto fail_auth; @@ -469,10 +469,10 @@ int oap_srv_process(const struct name_info * info, peer_crt->len = peer_hdr.crt.len; } - if (do_server_kex(info, &peer_hdr, &kcfg, &local_hdr.kex, sk) < 0) + if (do_server_kex(info, &peer_hdr, &scfg, &local_hdr.kex, sk) < 0) goto fail_kex; - sk->nid = kcfg.c.nid; + sk->nid = scfg.c.nid; /* Build response header with hash of client request */ local_hdr.nid = sk->nid; @@ -520,7 +520,7 @@ int oap_srv_process(const struct name_info * info, seal_key = hs_key; if (oap_bind_session_key(sk, req_hash, resp_hash, - kcfg.k.nid) < 0) { + scfg.k.nid) < 0) { log_err_id(id, "Failed to bind session key."); goto fail_auth; } @@ -534,7 +534,7 @@ int oap_srv_process(const struct name_info * info, rsp_tag.data = kc_buf; } - ret = oap_hdr_encode(&local_hdr, pkp, crt, &kcfg, + ret = oap_hdr_encode(&local_hdr, pkp, crt, &scfg, rsp_tag, req_md_nid, seal_key); crypt_secure_clear(hs_key, SYMMKEYSZ); diff --git a/src/irmd/oap/tests/common.c b/src/irmd/oap/tests/common.c index e9ac82ed..49ea9187 100644 --- a/src/irmd/oap/tests/common.c +++ b/src/irmd/oap/tests/common.c @@ -29,7 +29,7 @@ #include <string.h> #include <stdio.h> -int load_srv_kex_config(const struct name_info * info, +int load_srv_sec_config(const struct name_info * info, struct sec_config * cfg) { (void) info; @@ -54,7 +54,7 @@ int load_srv_kex_config(const struct name_info * info, return 0; } -int load_cli_kex_config(const struct name_info * info, +int load_cli_sec_config(const struct name_info * info, struct sec_config * cfg) { (void) info; |
