summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorDimitri Staessens <dimitri@ouroboros.rocks>2026-06-21 14:18:38 +0200
committerSander Vrijders <sander@ouroboros.rocks>2026-06-29 08:33:00 +0200
commit4b16f7b9ba95f7e24ff443e5b215c2823c1387f7 (patch)
treed52f169067ab7b8faca90ef2b97b624803e61a68 /src
parent55a8136859d82d9bdb8f85abb25290177ca7e561 (diff)
downloadouroboros-4b16f7b9ba95f7e24ff443e5b215c2823c1387f7.tar.gz
ouroboros-4b16f7b9ba95f7e24ff443e5b215c2823c1387f7.zip
oap: Rename kex_config loaders to sec_config
Leftover from the kex_config->enc_config->sec_config rename. Finished by renames load_kex_config and the cli/srv variants to load_sec_config, the kcfg variables to scfg, and fixes the "KEX config"/"encryption config" comments. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src')
-rw-r--r--src/irmd/oap/cli.c106
-rw-r--r--src/irmd/oap/hdr.c28
-rw-r--r--src/irmd/oap/hdr.h2
-rw-r--r--src/irmd/oap/internal.h18
-rw-r--r--src/irmd/oap/io.c4
-rw-r--r--src/irmd/oap/io.h2
-rw-r--r--src/irmd/oap/srv.c96
-rw-r--r--src/irmd/oap/tests/common.c4
8 files changed, 130 insertions, 130 deletions
diff --git a/src/irmd/oap/cli.c b/src/irmd/oap/cli.c
index 2db56792..689d67ca 100644
--- a/src/irmd/oap/cli.c
+++ b/src/irmd/oap/cli.c
@@ -54,7 +54,7 @@ struct oap_cli_ctx {
uint8_t req_hash[MAX_HASH_SIZE];
size_t req_hash_len;
int req_md_nid;
- struct sec_config kcfg;
+ struct sec_config scfg;
struct oap_hdr local_hdr;
void * pkp; /* Ephemeral keypair */
uint8_t * key; /* For client-encap KEM */
@@ -69,7 +69,7 @@ struct oap_cli_ctx {
extern int load_cli_credentials(const struct name_info * info,
void ** pkp,
void ** crt);
-extern int load_cli_kex_config(const struct name_info * info,
+extern int load_cli_sec_config(const struct name_info * info,
struct sec_config * cfg);
extern int load_server_kem_pk(const char * name,
struct sec_config * cfg,
@@ -87,7 +87,7 @@ int load_cli_credentials(const struct name_info * info,
return load_credentials(info->name, &info->c, pkp, crt);
}
-int load_cli_kex_config(const struct name_info * info,
+int load_cli_sec_config(const struct name_info * info,
struct sec_config * cfg)
{
assert(info != NULL);
@@ -98,7 +98,7 @@ int load_cli_kex_config(const struct name_info * info,
/* A client authenticates the server by default, like an https client */
cfg->a.req = OAP_CLIENT_AUTH_DEFAULT;
- return load_kex_config(info->name, info->c.sec, cfg);
+ return load_sec_config(info->name, info->c.sec, cfg);
}
int load_server_kem_pk(const char * name,
@@ -138,13 +138,13 @@ int load_server_kem_pk(const char * name,
static int do_client_kex_prepare_dhe(struct oap_cli_ctx * s)
{
- struct sec_config * kcfg = &s->kcfg;
+ struct sec_config * scfg = &s->scfg;
buffer_t * kex = &s->local_hdr.kex;
uint8_t * id = s->id.data;
ssize_t len;
/* Generate ephemeral keypair, send PK */
- len = kex_pkp_create(kcfg, &s->pkp, kex->data);
+ len = kex_pkp_create(scfg, &s->pkp, kex->data);
if (len < 0) {
log_err_id(id, "Failed to generate DHE keypair.");
return -ECRYPT;
@@ -152,7 +152,7 @@ static int do_client_kex_prepare_dhe(struct oap_cli_ctx * s)
kex->len = (size_t) len;
log_dbg_id(id, "Generated ephemeral %s keys (%zd bytes).",
- kcfg->x.str, len);
+ scfg->x.str, len);
return 0;
}
@@ -160,24 +160,24 @@ static int do_client_kex_prepare_dhe(struct oap_cli_ctx * s)
static int do_client_kex_prepare_kem_encap(const char * server_name,
struct oap_cli_ctx * s)
{
- struct sec_config * kcfg = &s->kcfg;
+ struct sec_config * scfg = &s->scfg;
buffer_t * kex = &s->local_hdr.kex;
uint8_t * id = s->id.data;
buffer_t server_pk = BUF_INIT;
uint8_t key_buf[SYMMKEYSZ];
ssize_t len;
- if (load_server_kem_pk(server_name, kcfg, &server_pk) < 0) {
+ if (load_server_kem_pk(server_name, scfg, &server_pk) < 0) {
log_err_id(id, "Failed to load server KEM pk.");
return -ECRYPT;
}
- if (IS_HYBRID_KEM(kcfg->x.str))
+ if (IS_HYBRID_KEM(scfg->x.str))
len = kex_kem_encap_raw(server_pk, kex->data,
- kcfg->k.nid, key_buf);
+ scfg->k.nid, key_buf);
else
len = kex_kem_encap(server_pk, kex->data,
- kcfg->k.nid, key_buf);
+ scfg->k.nid, key_buf);
freebuf(server_pk);
@@ -203,13 +203,13 @@ static int do_client_kex_prepare_kem_encap(const char * server_name,
static int do_client_kex_prepare_kem_decap(struct oap_cli_ctx * s)
{
- struct sec_config * kcfg = &s->kcfg;
+ struct sec_config * scfg = &s->scfg;
buffer_t * kex = &s->local_hdr.kex;
uint8_t * id = s->id.data;
ssize_t len;
/* Server encaps: generate keypair, send PK */
- len = kex_pkp_create(kcfg, &s->pkp, kex->data);
+ len = kex_pkp_create(scfg, &s->pkp, kex->data);
if (len < 0) {
log_err_id(id, "Failed to generate KEM keypair.");
return -ECRYPT;
@@ -224,13 +224,13 @@ static int do_client_kex_prepare_kem_decap(struct oap_cli_ctx * s)
static int do_client_kex_prepare(const char * server_name,
struct oap_cli_ctx * s)
{
- struct sec_config * kcfg = &s->kcfg;
+ struct sec_config * scfg = &s->scfg;
- if (!IS_KEX_ALGO_SET(kcfg))
+ if (!IS_KEX_ALGO_SET(scfg))
return 0;
- if (IS_KEM_ALGORITHM(kcfg->x.str)) {
- if (kcfg->x.mode == KEM_MODE_CLIENT_ENCAP)
+ if (IS_KEM_ALGORITHM(scfg->x.str)) {
+ if (scfg->x.mode == KEM_MODE_CLIENT_ENCAP)
return do_client_kex_prepare_kem_encap(server_name, s);
else
return do_client_kex_prepare_kem_decap(s);
@@ -283,16 +283,16 @@ int oap_cli_prepare(void ** ctx,
goto fail_id;
}
- /* Load KEX config */
- if (load_cli_kex_config(info, &s->kcfg) < 0) {
- log_err_id(s->id.data, "Failed to load KEX config for %s.",
+ /* Load security config */
+ if (load_cli_sec_config(info, &s->scfg) < 0) {
+ log_err_id(s->id.data, "Failed to load security config for %s.",
info->name);
goto fail_kex;
}
/* Re-key forces server-encap: client-encap forfeits FS/PCS. */
- if (rekey && s->kcfg.x.mode == KEM_MODE_CLIENT_ENCAP) {
- s->kcfg.x.mode = KEM_MODE_SERVER_ENCAP;
+ if (rekey && s->scfg.x.mode == KEM_MODE_CLIENT_ENCAP) {
+ s->scfg.x.mode = KEM_MODE_SERVER_ENCAP;
log_dbg_id(s->id.data, "Re-key forcing ephemeral server KEX.");
}
@@ -302,14 +302,14 @@ int oap_cli_prepare(void ** ctx,
crt = NULL;
}
- oap_hdr_init(&s->local_hdr, s->id, s->kex_buf, data, s->kcfg.c.nid);
+ oap_hdr_init(&s->local_hdr, s->id, s->kex_buf, data, s->scfg.c.nid);
if (do_client_kex_prepare(info->name, s) < 0) {
log_err_id(s->id.data, "Failed to prepare client KEX.");
goto fail_kex;
}
- if (oap_hdr_encode(&s->local_hdr, pkp, crt, &s->kcfg,
+ if (oap_hdr_encode(&s->local_hdr, pkp, crt, &s->scfg,
no_tag, NID_undef, NULL)) {
log_err_id(s->id.data, "Failed to create OAP request header.");
goto fail_hdr;
@@ -318,7 +318,7 @@ int oap_cli_prepare(void ** ctx,
debug_oap_hdr_snd(&s->local_hdr);
/* Compute and store hash of request for verification in complete */
- s->req_md_nid = s->kcfg.d.nid != NID_undef ? s->kcfg.d.nid : NID_sha384;
+ s->req_md_nid = s->scfg.d.nid != NID_undef ? s->scfg.d.nid : NID_sha384;
ret = md_digest(s->req_md_nid, s->local_hdr.hdr, s->req_hash);
if (ret < 0) {
log_err_id(s->id.data, "Failed to hash request.");
@@ -378,11 +378,11 @@ static int do_client_kex_complete_kem(struct oap_cli_ctx * s,
const struct oap_hdr * peer_hdr,
struct crypt_sk * sk)
{
- struct sec_config * kcfg = &s->kcfg;
+ struct sec_config * scfg = &s->scfg;
uint8_t * id = s->id.data;
uint8_t key_buf[SYMMKEYSZ];
- if (kcfg->x.mode == KEM_MODE_SERVER_ENCAP) {
+ if (scfg->x.mode == KEM_MODE_SERVER_ENCAP) {
buffer_t ct;
if (peer_hdr->kex.len == 0) {
@@ -393,27 +393,27 @@ static int do_client_kex_complete_kem(struct oap_cli_ctx * s,
ct.data = peer_hdr->kex.data;
ct.len = peer_hdr->kex.len;
- if (kex_kem_decap(s->pkp, ct, kcfg->k.nid, key_buf) < 0) {
+ if (kex_kem_decap(s->pkp, ct, scfg->k.nid, key_buf) < 0) {
log_err_id(id, "Failed to decapsulate KEM.");
return -ECRYPT;
}
log_dbg_id(id, "Client decapsulated server CT.");
- } else if (kcfg->x.mode == KEM_MODE_CLIENT_ENCAP) {
+ } else if (scfg->x.mode == KEM_MODE_CLIENT_ENCAP) {
/* Key already derived during prepare */
memcpy(sk->key, s->key, SYMMKEYSZ);
- sk->nid = kcfg->c.nid;
- log_info_id(id, "Negotiated %s + %s.", kcfg->x.str,
- kcfg->c.str);
+ sk->nid = scfg->c.nid;
+ log_info_id(id, "Negotiated %s + %s.", scfg->x.str,
+ scfg->c.str);
return 0;
}
memcpy(sk->key, key_buf, SYMMKEYSZ);
- sk->nid = kcfg->c.nid;
+ sk->nid = scfg->c.nid;
crypt_secure_clear(key_buf, SYMMKEYSZ);
- log_info_id(id, "Negotiated %s + %s.", kcfg->x.str, kcfg->c.str);
+ log_info_id(id, "Negotiated %s + %s.", scfg->x.str, scfg->c.str);
return 0;
}
@@ -422,7 +422,7 @@ static int do_client_kex_complete_dhe(struct oap_cli_ctx * s,
const struct oap_hdr * peer_hdr,
struct crypt_sk * sk)
{
- struct sec_config * kcfg = &s->kcfg;
+ struct sec_config * scfg = &s->scfg;
uint8_t * id = s->id.data;
uint8_t key_buf[SYMMKEYSZ];
@@ -432,7 +432,7 @@ static int do_client_kex_complete_dhe(struct oap_cli_ctx * s,
return -ECRYPT;
}
- if (kex_dhe_derive(kcfg, s->pkp, peer_hdr->kex, key_buf) < 0) {
+ if (kex_dhe_derive(scfg, s->pkp, peer_hdr->kex, key_buf) < 0) {
log_err_id(id, "Failed to derive DHE secret.");
return -ECRYPT;
}
@@ -440,10 +440,10 @@ static int do_client_kex_complete_dhe(struct oap_cli_ctx * s,
log_dbg_id(id, "DHE: derived shared secret.");
memcpy(sk->key, key_buf, SYMMKEYSZ);
- sk->nid = kcfg->c.nid;
+ sk->nid = scfg->c.nid;
crypt_secure_clear(key_buf, SYMMKEYSZ);
- log_info_id(id, "Negotiated %s + %s.", kcfg->x.str, kcfg->c.str);
+ log_info_id(id, "Negotiated %s + %s.", scfg->x.str, scfg->c.str);
return 0;
}
@@ -453,17 +453,17 @@ static int do_client_kex_complete(struct oap_cli_ctx * s,
const struct oap_hdr * peer_hdr,
struct crypt_sk * sk)
{
- struct sec_config * kcfg = &s->kcfg;
+ struct sec_config * scfg = &s->scfg;
uint8_t * id = s->id.data;
int cipher_nid;
int kdf_nid;
- if (!IS_KEX_ALGO_SET(kcfg))
+ if (!IS_KEX_ALGO_SET(scfg))
return 0;
/* Save client's configured minimums */
- cipher_nid = kcfg->c.nid;
- kdf_nid = kcfg->k.nid;
+ cipher_nid = scfg->c.nid;
+ kdf_nid = scfg->k.nid;
/* Accept server's cipher choice */
if (peer_hdr->cipher_str == NULL) {
@@ -471,15 +471,15 @@ static int do_client_kex_complete(struct oap_cli_ctx * s,
return -ECRYPT;
}
- SET_KEX_CIPHER(kcfg, peer_hdr->cipher_str);
- if (crypt_validate_nid(kcfg->c.nid) < 0) {
+ SET_KEX_CIPHER(scfg, peer_hdr->cipher_str);
+ if (crypt_validate_nid(scfg->c.nid) < 0) {
log_err_id(id, "Server cipher '%s' not supported.",
peer_hdr->cipher_str);
return -ENOTSUP;
}
/* Verify server cipher >= client's minimum */
- if (crypt_cipher_rank(kcfg->c.nid) < crypt_cipher_rank(cipher_nid)) {
+ if (crypt_cipher_rank(scfg->c.nid) < crypt_cipher_rank(cipher_nid)) {
log_err_id(id, "Server cipher %s too weak.",
peer_hdr->cipher_str);
return -ECRYPT;
@@ -489,20 +489,20 @@ static int do_client_kex_complete(struct oap_cli_ctx * s,
peer_hdr->cipher_str);
/* Accept server's KDF for non-client-encap modes */
- if (kcfg->x.mode != KEM_MODE_CLIENT_ENCAP
+ if (scfg->x.mode != KEM_MODE_CLIENT_ENCAP
&& peer_hdr->kdf_nid != NID_undef) {
if (crypt_kdf_rank(peer_hdr->kdf_nid)
< crypt_kdf_rank(kdf_nid)) {
log_err_id(id, "Server KDF too weak.");
return -ECRYPT;
}
- SET_KEX_KDF_NID(kcfg, peer_hdr->kdf_nid);
+ SET_KEX_KDF_NID(scfg, peer_hdr->kdf_nid);
log_dbg_id(id, "Accepted server KDF %s.",
- md_nid_to_str(kcfg->k.nid));
+ md_nid_to_str(scfg->k.nid));
}
/* Derive shared secret */
- if (IS_KEM_ALGORITHM(kcfg->x.str))
+ if (IS_KEM_ALGORITHM(scfg->x.str))
return do_client_kex_complete_kem(s, peer_hdr, sk);
return do_client_kex_complete_dhe(s, peer_hdr, sk);
@@ -583,7 +583,7 @@ int oap_cli_complete(void * ctx,
}
/* Authenticate server (cert + signature now in cleartext) */
- if (oap_auth_peer(peer, &s->kcfg, &s->local_hdr, &peer_hdr,
+ if (oap_auth_peer(peer, &s->scfg, &s->local_hdr, &peer_hdr,
cached_crt) < 0) {
log_err_id(id, "Failed to authenticate server.");
goto fail_oap;
@@ -624,7 +624,7 @@ int oap_cli_complete(void * ctx,
}
if (oap_bind_session_key(sk, req_hash, resp_hash,
- s->kcfg.k.nid) < 0) {
+ s->scfg.k.nid) < 0) {
log_err_id(id, "Failed to bind session key.");
goto fail_oap;
}
@@ -642,7 +642,7 @@ int oap_cli_complete(void * ctx,
}
} else {
/* Cleartext path is config-driven, never a wire downgrade */
- assert(!IS_KEX_ALGO_SET(&s->kcfg));
+ assert(!IS_KEX_ALGO_SET(&s->scfg));
/* Unencrypted: verify request-echo integrity */
if (crypt_ct_cmp(peer_hdr.rsp_tag.data, s->req_hash,
s->req_hash_len) != 0) {
diff --git a/src/irmd/oap/hdr.c b/src/irmd/oap/hdr.c
index f0411f64..f8400b46 100644
--- a/src/irmd/oap/hdr.c
+++ b/src/irmd/oap/hdr.c
@@ -253,7 +253,7 @@ void oap_hdr_init(struct oap_hdr * hdr,
/* Write the 36-byte fixed header; stamp is already in network order. */
static void write_oap_fixed(uint8_t * buf,
const struct oap_hdr * hdr,
- const struct sec_config * kcfg,
+ const struct sec_config * scfg,
size_t crt_len,
size_t data_len,
uint64_t stamp)
@@ -272,11 +272,11 @@ static void write_oap_fixed(uint8_t * buf,
memcpy(buf + offset, &v, sizeof(v));
offset += sizeof(v);
- v = hton16(kcfg->k.nid);
+ v = hton16(scfg->k.nid);
memcpy(buf + offset, &v, sizeof(v));
offset += sizeof(v);
- v = hton16(kcfg->d.nid);
+ v = hton16(scfg->d.nid);
memcpy(buf + offset, &v, sizeof(v));
offset += sizeof(v);
@@ -285,10 +285,10 @@ static void write_oap_fixed(uint8_t * buf,
offset += sizeof(v);
kex_len = (uint16_t) hdr->kex.len;
- if (hdr->kex.len > 0 && IS_KEM_ALGORITHM(kcfg->x.str)) {
- if (IS_HYBRID_KEM(kcfg->x.str))
+ if (hdr->kex.len > 0 && IS_KEM_ALGORITHM(scfg->x.str)) {
+ if (IS_HYBRID_KEM(scfg->x.str))
kex_len |= OAP_KEX_FMT_BIT;
- if (kcfg->x.mode == KEM_MODE_CLIENT_ENCAP)
+ if (scfg->x.mode == KEM_MODE_CLIENT_ENCAP)
kex_len |= OAP_KEX_ROLE_BIT;
}
@@ -394,7 +394,7 @@ static int oap_seal_body(int nid,
static int oap_hdr_encode_sealed(struct oap_hdr * hdr,
void * pkp,
void * crt,
- struct sec_config * kcfg,
+ struct sec_config * scfg,
buffer_t rsp_tag,
int req_md_nid,
const uint8_t * seal_key)
@@ -418,7 +418,7 @@ static int oap_hdr_encode_sealed(struct oap_hdr * hdr,
goto fail_der;
/* Cleartext crt_len/data_len are 0; real lengths prefix the seal. */
- write_oap_fixed(prefix.data, hdr, kcfg, 0, 0, stamp);
+ write_oap_fixed(prefix.data, hdr, scfg, 0, 0, stamp);
offset = OAP_HDR_MIN_SIZE;
if (hdr->kex.len != 0)
@@ -433,7 +433,7 @@ static int oap_hdr_encode_sealed(struct oap_hdr * hdr,
assert((size_t) offset == prefix.len);
- if (oap_seal_body(hdr->nid, seal_key, pkp, kcfg->d.nid,
+ if (oap_seal_body(hdr->nid, seal_key, pkp, scfg->d.nid,
prefix, hdr->data, der, &sealed) < 0)
goto fail_prefix;
@@ -469,7 +469,7 @@ static int oap_hdr_encode_sealed(struct oap_hdr * hdr,
int oap_hdr_encode(struct oap_hdr * hdr,
void * pkp,
void * crt,
- struct sec_config * kcfg,
+ struct sec_config * scfg,
buffer_t rsp_tag,
int req_md_nid,
const uint8_t * seal_key)
@@ -484,10 +484,10 @@ int oap_hdr_encode(struct oap_hdr * hdr,
assert(hdr != NULL);
assert(hdr->id.data != NULL && hdr->id.len == OAP_ID_SIZE);
- assert(kcfg != NULL);
+ assert(scfg != NULL);
if (seal_key != NULL)
- return oap_hdr_encode_sealed(hdr, pkp, crt, kcfg, rsp_tag,
+ return oap_hdr_encode_sealed(hdr, pkp, crt, scfg, rsp_tag,
req_md_nid, seal_key);
clock_gettime(CLOCK_REALTIME, &now);
@@ -504,7 +504,7 @@ int oap_hdr_encode(struct oap_hdr * hdr,
if (out.data == NULL)
goto fail_out;
- write_oap_fixed(out.data, hdr, kcfg, der.len, hdr->data.len, stamp);
+ write_oap_fixed(out.data, hdr, scfg, der.len, hdr->data.len, stamp);
offset = OAP_HDR_MIN_SIZE;
/* certificate (variable) */
@@ -537,7 +537,7 @@ int oap_hdr_encode(struct oap_hdr * hdr,
sign.data = out.data;
sign.len = out.len;
- if (pkp != NULL && auth_sign(pkp, kcfg->d.nid, sign, &sig) < 0)
+ if (pkp != NULL && auth_sign(pkp, scfg->d.nid, sign, &sig) < 0)
goto fail_sig;
hdr->hdr = out;
diff --git a/src/irmd/oap/hdr.h b/src/irmd/oap/hdr.h
index e6c5fffc..1a599727 100644
--- a/src/irmd/oap/hdr.h
+++ b/src/irmd/oap/hdr.h
@@ -171,7 +171,7 @@ void oap_hdr_fini(struct oap_hdr * oap_hdr);
int oap_hdr_encode(struct oap_hdr * hdr,
void * pkp,
void * crt,
- struct sec_config * kcfg,
+ struct sec_config * scfg,
buffer_t rsp_tag,
int req_md_nid,
const uint8_t * seal_key);
diff --git a/src/irmd/oap/internal.h b/src/irmd/oap/internal.h
index 12d93bcd..4a156723 100644
--- a/src/irmd/oap/internal.h
+++ b/src/irmd/oap/internal.h
@@ -42,7 +42,7 @@ int oap_auth_peer(char * name,
const struct oap_hdr * peer_hdr);
int oap_negotiate_cipher(const struct oap_hdr * peer_hdr,
- struct sec_config * kcfg);
+ struct sec_config * scfg);
#ifndef OAP_TEST_MODE
int load_credentials(const char * name,
@@ -50,7 +50,7 @@ int load_credentials(const char * name,
void ** pkp,
void ** crt);
-int load_kex_config(const char * name,
+int load_sec_config(const char * name,
const char * path,
struct sec_config * cfg);
#endif
@@ -60,7 +60,7 @@ int load_srv_credentials(const struct name_info * info,
void ** pkp,
void ** crt);
-int load_srv_kex_config(const struct name_info * info,
+int load_srv_sec_config(const struct name_info * info,
struct sec_config * cfg);
int load_server_kem_keypair(const char * name,
@@ -70,7 +70,7 @@ int load_server_kem_keypair(const char * name,
extern int load_srv_credentials(const struct name_info * info,
void ** pkp,
void ** crt);
-extern int load_srv_kex_config(const struct name_info * info,
+extern int load_srv_sec_config(const struct name_info * info,
struct sec_config * cfg);
extern int load_server_kem_keypair(const char * name,
struct sec_config * cfg,
@@ -79,7 +79,7 @@ extern int load_server_kem_keypair(const char * name,
int do_server_kex(const struct name_info * info,
struct oap_hdr * peer_hdr,
- struct sec_config * kcfg,
+ struct sec_config * scfg,
buffer_t * kex,
struct crypt_sk * sk);
@@ -88,7 +88,7 @@ int load_cli_credentials(const struct name_info * info,
void ** pkp,
void ** crt);
-int load_cli_kex_config(const struct name_info * info,
+int load_cli_sec_config(const struct name_info * info,
struct sec_config * cfg);
int load_server_kem_pk(const char * name,
@@ -98,21 +98,21 @@ int load_server_kem_pk(const char * name,
extern int load_cli_credentials(const struct name_info * info,
void ** pkp,
void ** crt);
-extern int load_cli_kex_config(const struct name_info * info,
+extern int load_cli_sec_config(const struct name_info * info,
struct sec_config * cfg);
extern int load_server_kem_pk(const char * name,
struct sec_config * cfg,
buffer_t * pk);
#endif
-int oap_client_kex_prepare(struct sec_config * kcfg,
+int oap_client_kex_prepare(struct sec_config * scfg,
buffer_t server_pk,
buffer_t * kex,
uint8_t * key,
void ** ephemeral_pkp);
int oap_client_kex_complete(const struct oap_hdr * peer_hdr,
- struct sec_config * kcfg,
+ struct sec_config * scfg,
void * pkp,
uint8_t * key);
diff --git a/src/irmd/oap/io.c b/src/irmd/oap/io.c
index 143ae65e..b5daa432 100644
--- a/src/irmd/oap/io.c
+++ b/src/irmd/oap/io.c
@@ -102,7 +102,7 @@ int load_credentials(const char * name,
return -EAUTH;
}
-int load_kex_config(const char * name,
+int load_sec_config(const char * name,
const char * path,
struct sec_config * cfg)
{
@@ -111,7 +111,7 @@ int load_kex_config(const char * name,
assert(name != NULL);
assert(cfg != NULL);
- /* Load encryption config */
+ /* Load security config */
if (!file_exists(path))
log_dbg("No encryption %s for %s.", path, name);
diff --git a/src/irmd/oap/io.h b/src/irmd/oap/io.h
index 2d47c62f..953e3898 100644
--- a/src/irmd/oap/io.h
+++ b/src/irmd/oap/io.h
@@ -32,7 +32,7 @@ int load_credentials(const char * name,
void ** pkp,
void ** crt);
-int load_kex_config(const char * name,
+int load_sec_config(const char * name,
const char * path,
struct sec_config * cfg);
#endif
diff --git a/src/irmd/oap/srv.c b/src/irmd/oap/srv.c
index aef987eb..5d631618 100644
--- a/src/irmd/oap/srv.c
+++ b/src/irmd/oap/srv.c
@@ -49,7 +49,7 @@
extern int load_srv_credentials(const struct name_info * info,
void ** pkp,
void ** crt);
-extern int load_srv_kex_config(const struct name_info * info,
+extern int load_srv_sec_config(const struct name_info * info,
struct sec_config * cfg);
extern int load_server_kem_keypair(const char * name,
bool raw_fmt,
@@ -67,7 +67,7 @@ int load_srv_credentials(const struct name_info * info,
return load_credentials(info->name, &info->s, pkp, crt);
}
-int load_srv_kex_config(const struct name_info * info,
+int load_srv_sec_config(const struct name_info * info,
struct sec_config * cfg)
{
assert(info != NULL);
@@ -76,7 +76,7 @@ int load_srv_kex_config(const struct name_info * info,
memset(cfg, 0, sizeof(*cfg));
/* Client auth stays opt-in (mTLS); enable with auth=required */
- return load_kex_config(info->name, info->s.sec, cfg);
+ return load_sec_config(info->name, info->s.sec, cfg);
}
int load_server_kem_keypair(const char * name,
@@ -138,7 +138,7 @@ static int get_algo_from_peer_key(const struct oap_hdr * peer_hdr,
}
static int negotiate_cipher(const struct oap_hdr * peer_hdr,
- struct sec_config * kcfg)
+ struct sec_config * scfg)
{
uint8_t * id = peer_hdr->id.data;
int cli_nid;
@@ -158,13 +158,13 @@ static int negotiate_cipher(const struct oap_hdr * peer_hdr,
}
cli_rank = crypt_cipher_rank(cli_nid);
- srv_rank = crypt_cipher_rank(kcfg->c.nid);
+ srv_rank = crypt_cipher_rank(scfg->c.nid);
if (cli_rank > srv_rank) {
- SET_KEX_CIPHER_NID(kcfg, cli_nid);
- log_dbg_id(id, "Selected client cipher %s.", kcfg->c.str);
+ SET_KEX_CIPHER_NID(scfg, cli_nid);
+ log_dbg_id(id, "Selected client cipher %s.", scfg->c.str);
} else if (srv_rank > 0) {
- log_dbg_id(id, "Selected server cipher %s.", kcfg->c.str);
+ log_dbg_id(id, "Selected server cipher %s.", scfg->c.str);
} else {
log_err_id(id, "Encryption requested, no cipher.");
return -ECRYPT;
@@ -179,7 +179,7 @@ static int negotiate_cipher(const struct oap_hdr * peer_hdr,
}
cli_rank = crypt_kdf_rank(peer_hdr->kdf_nid);
- srv_rank = crypt_kdf_rank(kcfg->k.nid);
+ srv_rank = crypt_kdf_rank(scfg->k.nid);
/* Client-encap KEM bakes KDF into ciphertext; verify min. */
if (OAP_KEX_ROLE(peer_hdr) == KEM_MODE_CLIENT_ENCAP) {
@@ -187,19 +187,19 @@ static int negotiate_cipher(const struct oap_hdr * peer_hdr,
log_err_id(id, "Client KDF too weak.");
return -ECRYPT;
}
- SET_KEX_KDF_NID(kcfg, peer_hdr->kdf_nid);
+ SET_KEX_KDF_NID(scfg, peer_hdr->kdf_nid);
} else if (cli_rank > srv_rank) {
- SET_KEX_KDF_NID(kcfg, peer_hdr->kdf_nid);
+ SET_KEX_KDF_NID(scfg, peer_hdr->kdf_nid);
log_dbg_id(id, "Selected client KDF %s.",
- md_nid_to_str(kcfg->k.nid));
+ md_nid_to_str(scfg->k.nid));
} else if (srv_rank > 0) {
log_dbg_id(id, "Selected server KDF %s.",
- md_nid_to_str(kcfg->k.nid));
+ md_nid_to_str(scfg->k.nid));
}
- if (IS_KEX_ALGO_SET(kcfg))
+ if (IS_KEX_ALGO_SET(scfg))
log_info_id(id, "Negotiated %s + %s.",
- kcfg->x.str, kcfg->c.str);
+ scfg->x.str, scfg->c.str);
else
log_info_id(id, "No key exchange.");
@@ -208,7 +208,7 @@ static int negotiate_cipher(const struct oap_hdr * peer_hdr,
static int do_server_kem_decap(const struct name_info * info,
const struct oap_hdr * peer_hdr,
- struct sec_config * kcfg,
+ struct sec_config * scfg,
struct crypt_sk * sk)
{
buffer_t ct;
@@ -225,7 +225,7 @@ static int do_server_kem_decap(const struct name_info * info,
ct.data = peer_hdr->kex.data;
ct.len = peer_hdr->kex.len;
- ret = kex_kem_decap(server_pkp, ct, kcfg->k.nid, sk->key);
+ ret = kex_kem_decap(server_pkp, ct, scfg->k.nid, sk->key);
crypt_free_key(server_pkp);
@@ -240,7 +240,7 @@ static int do_server_kem_decap(const struct name_info * info,
}
static int do_server_kem_encap(const struct oap_hdr * peer_hdr,
- struct sec_config * kcfg,
+ struct sec_config * scfg,
buffer_t * kex,
struct crypt_sk * sk)
{
@@ -251,12 +251,12 @@ static int do_server_kem_encap(const struct oap_hdr * peer_hdr,
client_pk.data = peer_hdr->kex.data;
client_pk.len = peer_hdr->kex.len;
- if (IS_HYBRID_KEM(kcfg->x.str))
+ if (IS_HYBRID_KEM(scfg->x.str))
ct_len = kex_kem_encap_raw(client_pk, kex->data,
- kcfg->k.nid, sk->key);
+ scfg->k.nid, sk->key);
else
ct_len = kex_kem_encap(client_pk, kex->data,
- kcfg->k.nid, sk->key);
+ scfg->k.nid, sk->key);
if (ct_len < 0) {
log_err_id(id, "Failed to encapsulate KEM.");
@@ -272,26 +272,26 @@ static int do_server_kem_encap(const struct oap_hdr * peer_hdr,
static int do_server_kex_kem(const struct name_info * info,
struct oap_hdr * peer_hdr,
- struct sec_config * kcfg,
+ struct sec_config * scfg,
buffer_t * kex,
struct crypt_sk * sk)
{
int ret;
- kcfg->x.mode = peer_hdr->kex_flags.role;
+ scfg->x.mode = peer_hdr->kex_flags.role;
- if (kcfg->x.mode == KEM_MODE_CLIENT_ENCAP) {
- ret = do_server_kem_decap(info, peer_hdr, kcfg, sk);
+ if (scfg->x.mode == KEM_MODE_CLIENT_ENCAP) {
+ ret = do_server_kem_decap(info, peer_hdr, scfg, sk);
kex->len = 0;
} else {
- ret = do_server_kem_encap(peer_hdr, kcfg, kex, sk);
+ ret = do_server_kem_encap(peer_hdr, scfg, kex, sk);
}
return ret;
}
static int do_server_kex_dhe(const struct oap_hdr * peer_hdr,
- struct sec_config * kcfg,
+ struct sec_config * scfg,
buffer_t * kex,
struct crypt_sk * sk)
{
@@ -300,7 +300,7 @@ static int do_server_kex_dhe(const struct oap_hdr * peer_hdr,
int ret;
uint8_t * id = peer_hdr->id.data;
- key_len = kex_pkp_create(kcfg, &epkp, kex->data);
+ key_len = kex_pkp_create(scfg, &epkp, kex->data);
if (key_len < 0) {
log_err_id(id, "Failed to generate key pair.");
return -ECRYPT;
@@ -308,9 +308,9 @@ static int do_server_kex_dhe(const struct oap_hdr * peer_hdr,
kex->len = (size_t) key_len;
- log_dbg_id(id, "Generated %s ephemeral keys.", kcfg->x.str);
+ log_dbg_id(id, "Generated %s ephemeral keys.", scfg->x.str);
- ret = kex_dhe_derive(kcfg, epkp, peer_hdr->kex, sk->key);
+ ret = kex_dhe_derive(scfg, epkp, peer_hdr->kex, sk->key);
if (ret < 0) {
log_err_id(id, "Failed to derive secret.");
kex_pkp_destroy(epkp);
@@ -324,7 +324,7 @@ static int do_server_kex_dhe(const struct oap_hdr * peer_hdr,
int do_server_kex(const struct name_info * info,
struct oap_hdr * peer_hdr,
- struct sec_config * kcfg,
+ struct sec_config * scfg,
buffer_t * kex,
struct crypt_sk * sk)
{
@@ -336,40 +336,40 @@ int do_server_kex(const struct name_info * info,
/* No KEX data from client */
if (peer_hdr->kex.len == 0) {
- if (IS_KEX_ALGO_SET(kcfg)) {
+ if (IS_KEX_ALGO_SET(scfg)) {
log_warn_id(id, "KEX requested without info.");
return -ECRYPT;
}
return 0;
}
- if (negotiate_cipher(peer_hdr, kcfg) < 0)
+ if (negotiate_cipher(peer_hdr, scfg) < 0)
return -ECRYPT;
/* Save server's configured KEX before overwriting */
- srv_kex_nid = kcfg->x.nid;
+ srv_kex_nid = scfg->x.nid;
if (OAP_KEX_ROLE(peer_hdr) != KEM_MODE_CLIENT_ENCAP) {
/* Server encapsulation or DHE: extract algo from DER PK */
if (get_algo_from_peer_key(peer_hdr, algo_buf) < 0)
return -ECRYPT;
- SET_KEX_ALGO(kcfg, algo_buf);
+ SET_KEX_ALGO(scfg, algo_buf);
/* Reject if client KEX is weaker than server's */
- if (crypt_kex_rank(kcfg->x.nid)
+ if (crypt_kex_rank(scfg->x.nid)
< crypt_kex_rank(srv_kex_nid)) {
log_err_id(id, "Client KEX %s too weak.",
- kcfg->x.str);
+ scfg->x.str);
return -ECRYPT;
}
}
/* Dispatch based on algorithm type */
- if (IS_KEM_ALGORITHM(kcfg->x.str))
- return do_server_kex_kem(info, peer_hdr, kcfg, kex, sk);
+ if (IS_KEM_ALGORITHM(scfg->x.str))
+ return do_server_kex_kem(info, peer_hdr, scfg, kex, sk);
else
- return do_server_kex_dhe(peer_hdr, kcfg, kex, sk);
+ return do_server_kex_dhe(peer_hdr, scfg, kex, sk);
}
int oap_srv_process(const struct name_info * info,
@@ -383,7 +383,7 @@ int oap_srv_process(const struct name_info * info,
{
struct oap_hdr peer_hdr;
struct oap_hdr local_hdr;
- struct sec_config kcfg;
+ struct sec_config scfg;
uint8_t kex_buf[CRYPT_KEY_BUFSZ];
uint8_t hash_buf[MAX_HASH_SIZE];
uint8_t kc_buf[MAX_HASH_SIZE];
@@ -426,8 +426,8 @@ int oap_srv_process(const struct name_info * info,
crt = NULL;
}
- if (load_srv_kex_config(info, &kcfg) < 0) {
- log_err("Failed to load KEX config for %s.", info->name);
+ if (load_srv_sec_config(info, &scfg) < 0) {
+ log_err("Failed to load security config for %s.", info->name);
goto fail_kex;
}
@@ -453,7 +453,7 @@ int oap_srv_process(const struct name_info * info,
oap_hdr_init(&local_hdr, peer_hdr.id, kex_buf, *data, NID_undef);
- if (oap_auth_peer(cli_name, &kcfg, &local_hdr, &peer_hdr,
+ if (oap_auth_peer(cli_name, &scfg, &local_hdr, &peer_hdr,
cached_crt) < 0) {
log_err_id(id, "Failed to authenticate client.");
goto fail_auth;
@@ -469,10 +469,10 @@ int oap_srv_process(const struct name_info * info,
peer_crt->len = peer_hdr.crt.len;
}
- if (do_server_kex(info, &peer_hdr, &kcfg, &local_hdr.kex, sk) < 0)
+ if (do_server_kex(info, &peer_hdr, &scfg, &local_hdr.kex, sk) < 0)
goto fail_kex;
- sk->nid = kcfg.c.nid;
+ sk->nid = scfg.c.nid;
/* Build response header with hash of client request */
local_hdr.nid = sk->nid;
@@ -520,7 +520,7 @@ int oap_srv_process(const struct name_info * info,
seal_key = hs_key;
if (oap_bind_session_key(sk, req_hash, resp_hash,
- kcfg.k.nid) < 0) {
+ scfg.k.nid) < 0) {
log_err_id(id, "Failed to bind session key.");
goto fail_auth;
}
@@ -534,7 +534,7 @@ int oap_srv_process(const struct name_info * info,
rsp_tag.data = kc_buf;
}
- ret = oap_hdr_encode(&local_hdr, pkp, crt, &kcfg,
+ ret = oap_hdr_encode(&local_hdr, pkp, crt, &scfg,
rsp_tag, req_md_nid, seal_key);
crypt_secure_clear(hs_key, SYMMKEYSZ);
diff --git a/src/irmd/oap/tests/common.c b/src/irmd/oap/tests/common.c
index e9ac82ed..49ea9187 100644
--- a/src/irmd/oap/tests/common.c
+++ b/src/irmd/oap/tests/common.c
@@ -29,7 +29,7 @@
#include <string.h>
#include <stdio.h>
-int load_srv_kex_config(const struct name_info * info,
+int load_srv_sec_config(const struct name_info * info,
struct sec_config * cfg)
{
(void) info;
@@ -54,7 +54,7 @@ int load_srv_kex_config(const struct name_info * info,
return 0;
}
-int load_cli_kex_config(const struct name_info * info,
+int load_cli_sec_config(const struct name_info * info,
struct sec_config * cfg)
{
(void) info;