| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2026-06-21 13:18:35 +0200 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2026-06-29 08:32:59 +0200 |
| commit | a169a1cef5332a409efc2db07bcc1ae9b72f217e (patch) | |
| tree | 73475b759b22db778527ef4d7ae016bc12398670 /src | |
| parent | 47034834790e778f28b082842b3ed1c7bd44f29a (diff) | |
| download | ouroboros-a169a1cef5332a409efc2db07bcc1ae9b72f217e.tar.gz ouroboros-a169a1cef5332a409efc2db07bcc1ae9b72f217e.zip | |
lib: Group sec_config authentication fields
Nest the flat req_auth and cacert members of struct sec_config into a
sub-struct a { req; cacert; }, keeping the authentication settings
together.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src')
| -rw-r--r-- | src/irmd/oap/auth.c | 10 | ||||
| -rw-r--r-- | src/irmd/oap/cli.c | 2 | ||||
| -rw-r--r-- | src/irmd/oap/io.c | 6 | ||||
| -rw-r--r-- | src/irmd/oap/tests/common.c | 8 | ||||
| -rw-r--r-- | src/lib/crypt.c | 10 | ||||
| -rw-r--r-- | src/lib/tests/kex_test.c | 16 |
6 files changed, 26 insertions, 26 deletions
diff --git a/src/irmd/oap/auth.c b/src/irmd/oap/auth.c index 1e39cae6..29e8b4d6 100644 --- a/src/irmd/oap/auth.c +++ b/src/irmd/oap/auth.c @@ -268,7 +268,7 @@ int oap_auth_peer(char * name, } if (peer_hdr->crt.len == 0) { - if (cfg->req_auth) { + if (cfg->a.req) { log_err_id(id, "Peer did not provide a certificate."); goto fail_check; } @@ -291,16 +291,16 @@ int oap_auth_peer(char * name, log_dbg_id(id, "Got public key from crt."); - if (cfg->cacert[0] != '\0' && - crypt_load_crt_file(cfg->cacert, &pin) < 0) { - log_err_id(id, "Failed to load pinned CA %s.", cfg->cacert); + if (cfg->a.cacert[0] != '\0' && + crypt_load_crt_file(cfg->a.cacert, &pin) < 0) { + log_err_id(id, "Failed to load pinned CA %s.", cfg->a.cacert); goto fail_crt; } ret = auth_verify_crt_pin(oap_auth.ca_ctx, crt, pin); if (ret == -ENOENT) { log_err_id(id, "Peer crt not issued by pinned CA %s.", - cfg->cacert); + cfg->a.cacert); goto fail_pin; } diff --git a/src/irmd/oap/cli.c b/src/irmd/oap/cli.c index b3d6d586..2a57d12e 100644 --- a/src/irmd/oap/cli.c +++ b/src/irmd/oap/cli.c @@ -96,7 +96,7 @@ int load_cli_kex_config(const struct name_info * info, memset(cfg, 0, sizeof(*cfg)); /* A client authenticates the server by default, like an https client */ - cfg->req_auth = OAP_CLIENT_AUTH_DEFAULT; + cfg->a.req = OAP_CLIENT_AUTH_DEFAULT; return load_kex_config(info->name, info->c.sec, cfg); } diff --git a/src/irmd/oap/io.c b/src/irmd/oap/io.c index 7b661435..dc71fe9e 100644 --- a/src/irmd/oap/io.c +++ b/src/irmd/oap/io.c @@ -120,10 +120,10 @@ int load_kex_config(const char * name, return -1; } - if (cfg->cacert[0] != '\0') { - if (crypt_load_crt_file(cfg->cacert, &pin) < 0) { + if (cfg->a.cacert[0] != '\0') { + if (crypt_load_crt_file(cfg->a.cacert, &pin) < 0) { log_err("Failed to load pinned CA %s for %s.", - cfg->cacert, name); + cfg->a.cacert, name); return -EAUTH; } crypt_free_crt(pin); diff --git a/src/irmd/oap/tests/common.c b/src/irmd/oap/tests/common.c index af815fd4..8c271b2e 100644 
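Review bot: The pinned CA is re-read from disk on every call of oap_auth_peer (`crypt_load_crt_file(cfg->a.cacert, &pin)` in the second auth.c hunk), although load_kex_config in io.c already loads the same path once to validate it and then frees the result. Now that the authentication settings sit in one sub-struct, the parsed certificate could be kept next to the path (a further member of `a`, filled in load_kex_config and reused here), which removes the per-peer file I/O and the window in which the file can change between validation and use. Whether `pin` has a defined value when `a.cacert` is empty is not visible here, as the body of oap_auth_peer continues outside the hunk.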
--- a/src/irmd/oap/tests/common.c +++ b/src/irmd/oap/tests/common.c @@ -36,9 +36,9 @@ int load_srv_kex_config(const struct name_info * info, memset(cfg, 0, sizeof(*cfg)); - cfg->req_auth = test_cfg.srv.req_auth; + cfg->a.req = test_cfg.srv.req_auth; if (test_cfg.srv.cacert != NULL) - strcpy(cfg->cacert, test_cfg.srv.cacert); + strcpy(cfg->a.cacert, test_cfg.srv.cacert); /* Digest is kept without kex, as in parse_sec_config */ SET_KEX_DIGEST_NID(cfg, test_cfg.srv.md); @@ -61,9 +61,9 @@ int load_cli_kex_config(const struct name_info * info, memset(cfg, 0, sizeof(*cfg)); - cfg->req_auth = test_cfg.cli.req_auth; + cfg->a.req = test_cfg.cli.req_auth; if (test_cfg.cli.cacert != NULL) - strcpy(cfg->cacert, test_cfg.cli.cacert); + strcpy(cfg->a.cacert, test_cfg.cli.cacert); /* Digest is kept without kex, as in parse_sec_config */ SET_KEX_DIGEST_NID(cfg, test_cfg.cli.md); diff --git a/src/lib/crypt.c b/src/lib/crypt.c index e4b65cf0..a34e7298 100644 --- a/src/lib/crypt.c +++ b/src/lib/crypt.c @@ -173,7 +173,7 @@ int parse_sec_config(struct sec_config * cfg, SET_KEX_KDF_NID(cfg, NID_sha256); SET_KEX_CIPHER_NID(cfg, NID_aes_256_gcm); SET_KEX_DIGEST_NID(cfg, NID_sha256); - /* req_auth is seeded per-role by the caller; only auth= overrides it */ + /* a.req is seeded per-role by the caller; only auth= overrides it */ while (fgets(line, sizeof(line), fp) != NULL) { char * trimmed; 
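Review bot: `strcpy(cfg->a.cacert, test_cfg.srv.cacert)` in the first common.c hunk, and the matching line for `test_cfg.cli.cacert` in the second, copy the fixture path into the fixed-size `a.cacert` array with no length check, whereas parse_sec_config in crypt.c rejects a value once `strlen(value) >= sizeof(cfg->a.cacert)`. A bounded copy keeps the test helpers from overrunning the array on a long fixture path: `snprintf(cfg->a.cacert, sizeof(cfg->a.cacert), "%s", test_cfg.srv.cacert);` and the same for `test_cfg.cli.cacert`. Both helpers begin before their hunks.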
@@ -223,16 +223,16 @@ int parse_sec_config(struct sec_config * cfg, } } else if (strcmp(key, "auth") == 0) { if (strcmp(value, "required") == 0) { - cfg->req_auth = true; + cfg->a.req = true; } else if (strcmp(value, "optional") == 0) { - cfg->req_auth = false; + cfg->a.req = false; } else { return -EINVAL; } } else if (strcmp(key, "cacert") == 0) { - if (strlen(value) >= sizeof(cfg->cacert)) + if (strlen(value) >= sizeof(cfg->a.cacert)) return -EINVAL; - strcpy(cfg->cacert, value); + strcpy(cfg->a.cacert, value); } else if (strcmp(key, "encryption") == 0) { if (strcmp(value, "none") != 0) return -EINVAL; diff --git a/src/lib/tests/kex_test.c b/src/lib/tests/kex_test.c index 786e1977..0a00ccab 100644 --- a/src/lib/tests/kex_test.c +++ b/src/lib/tests/kex_test.c @@ -890,7 +890,7 @@ static int test_kex_parse_config_auth(void) goto fail; } - if (!kex.req_auth) { + if (!kex.a.req) { printf("auth=required not parsed correctly.\n"); fclose(fp); goto fail; @@ -946,7 +946,7 @@ static int test_kex_parse_config_auth_seed(void) TEST_START(); memset(&kex, 0, sizeof(kex)); - kex.req_auth = true; + kex.a.req = true; fp = FMEMOPEN_STR(KEX_CONFIG_NO_ENC); if (fp == NULL) { @@ -960,7 +960,7 @@ static int test_kex_parse_config_auth_seed(void) goto fail; } - if (!kex.req_auth) { + if (!kex.a.req) { printf("Seeded req_auth should survive parsing.\n"); fclose(fp); goto fail; @@ -985,7 +985,7 @@ static int test_kex_parse_config_auth_optional(void) TEST_START(); memset(&kex, 0, sizeof(kex)); - kex.req_auth = true; + kex.a.req = true; fp = FMEMOPEN_STR(KEX_CONFIG_AUTH_OPTIONAL); if (fp == NULL) { @@ -999,7 +999,7 @@ static int test_kex_parse_config_auth_optional(void) goto fail; } - if (kex.req_auth) { + if (kex.a.req) { printf("auth=optional should clear req_auth.\n"); fclose(fp); goto fail; 
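Review bot: The diagnostic strings in kex_test.c still name the old field: `printf("Seeded req_auth should survive parsing.\n");` in the hunk at -960 and `printf("auth=optional should clear req_auth.\n");` at -999, and the same applies to `"cacert must not imply req_auth.\n"` in the hunk at -1086. After the move to `a.req` these messages point a reader at a member that no longer exists; updating them keeps the test output consistent with the struct, e.g. `printf("Seeded a.req should survive parsing.\n");`.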
@@ -1037,7 +1037,7 @@ static int test_kex_parse_config_auth_no_enc(const char * config) goto fail; } - if (!kex.req_auth) { + if (!kex.a.req) { printf("encryption=none should not drop required auth.\n"); fclose(fp); goto fail; @@ -1086,14 +1086,14 @@ static int test_kex_parse_config_cacert(void) goto fail; } - if (strcmp(kex.cacert, + if (strcmp(kex.a.cacert, "/etc/ouroboros/security/cacert/ca.crt") != 0) { printf("cacert not parsed correctly.\n"); fclose(fp); goto fail; } - if (kex.req_auth) { + if (kex.a.req) { printf("cacert must not imply req_auth.\n"); fclose(fp); goto fail; |
