summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--include/ouroboros/crypt.h6
-rw-r--r--src/irmd/oap/auth.c10
-rw-r--r--src/irmd/oap/cli.c2
-rw-r--r--src/irmd/oap/io.c6
-rw-r--r--src/irmd/oap/tests/common.c8
-rw-r--r--src/lib/crypt.c10
-rw-r--r--src/lib/tests/kex_test.c16
7 files changed, 30 insertions, 28 deletions
diff --git a/include/ouroboros/crypt.h b/include/ouroboros/crypt.h
index ce765158..41e44cee 100644
--- a/include/ouroboros/crypt.h
+++ b/include/ouroboros/crypt.h
@@ -135,8 +135,10 @@ struct sec_config {
int nid;
} d; /* digest */
- bool req_auth; /* require peer authentication */
- char cacert[CACERT_PATH_BUFSZ]; /* pinned issuing CA, "" = any */
+ struct {
+ bool req; /* require peer auth */
+ char cacert[CACERT_PATH_BUFSZ]; /* pinned CA, "" = any */
+ } a; /* authentication */
};
/* Helper macros to set sec_config fields consistently */
diff --git a/src/irmd/oap/auth.c b/src/irmd/oap/auth.c
index 1e39cae6..29e8b4d6 100644
--- a/src/irmd/oap/auth.c
+++ b/src/irmd/oap/auth.c
@@ -268,7 +268,7 @@ int oap_auth_peer(char * name,
}
if (peer_hdr->crt.len == 0) {
- if (cfg->req_auth) {
+ if (cfg->a.req) {
log_err_id(id, "Peer did not provide a certificate.");
goto fail_check;
}
@@ -291,16 +291,16 @@ int oap_auth_peer(char * name,
log_dbg_id(id, "Got public key from crt.");
- if (cfg->cacert[0] != '\0' &&
- crypt_load_crt_file(cfg->cacert, &pin) < 0) {
- log_err_id(id, "Failed to load pinned CA %s.", cfg->cacert);
+ if (cfg->a.cacert[0] != '\0' &&
+ crypt_load_crt_file(cfg->a.cacert, &pin) < 0) {
+ log_err_id(id, "Failed to load pinned CA %s.", cfg->a.cacert);
goto fail_crt;
}
ret = auth_verify_crt_pin(oap_auth.ca_ctx, crt, pin);
if (ret == -ENOENT) {
log_err_id(id, "Peer crt not issued by pinned CA %s.",
- cfg->cacert);
+ cfg->a.cacert);
goto fail_pin;
}
diff --git a/src/irmd/oap/cli.c b/src/irmd/oap/cli.c
index b3d6d586..2a57d12e 100644
--- a/src/irmd/oap/cli.c
+++ b/src/irmd/oap/cli.c
@@ -96,7 +96,7 @@ int load_cli_kex_config(const struct name_info * info,
memset(cfg, 0, sizeof(*cfg));
/* A client authenticates the server by default, like an https client */
- cfg->req_auth = OAP_CLIENT_AUTH_DEFAULT;
+ cfg->a.req = OAP_CLIENT_AUTH_DEFAULT;
return load_kex_config(info->name, info->c.sec, cfg);
}
diff --git a/src/irmd/oap/io.c b/src/irmd/oap/io.c
index 7b661435..dc71fe9e 100644
--- a/src/irmd/oap/io.c
+++ b/src/irmd/oap/io.c
@@ -120,10 +120,10 @@ int load_kex_config(const char * name,
return -1;
}
- if (cfg->cacert[0] != '\0') {
- if (crypt_load_crt_file(cfg->cacert, &pin) < 0) {
+ if (cfg->a.cacert[0] != '\0') {
+ if (crypt_load_crt_file(cfg->a.cacert, &pin) < 0) {
log_err("Failed to load pinned CA %s for %s.",
- cfg->cacert, name);
+ cfg->a.cacert, name);
return -EAUTH;
}
crypt_free_crt(pin);
diff --git a/src/irmd/oap/tests/common.c b/src/irmd/oap/tests/common.c
index af815fd4..8c271b2e 100644
--- a/src/irmd/oap/tests/common.c
+++ b/src/irmd/oap/tests/common.c
@@ -36,9 +36,9 @@ int load_srv_kex_config(const struct name_info * info,
memset(cfg, 0, sizeof(*cfg));
- cfg->req_auth = test_cfg.srv.req_auth;
+ cfg->a.req = test_cfg.srv.req_auth;
if (test_cfg.srv.cacert != NULL)
- strcpy(cfg->cacert, test_cfg.srv.cacert);
+ strcpy(cfg->a.cacert, test_cfg.srv.cacert);
/* Digest is kept without kex, as in parse_sec_config */
SET_KEX_DIGEST_NID(cfg, test_cfg.srv.md);
@@ -61,9 +61,9 @@ int load_cli_kex_config(const struct name_info * info,
memset(cfg, 0, sizeof(*cfg));
- cfg->req_auth = test_cfg.cli.req_auth;
+ cfg->a.req = test_cfg.cli.req_auth;
if (test_cfg.cli.cacert != NULL)
- strcpy(cfg->cacert, test_cfg.cli.cacert);
+ strcpy(cfg->a.cacert, test_cfg.cli.cacert);
/* Digest is kept without kex, as in parse_sec_config */
SET_KEX_DIGEST_NID(cfg, test_cfg.cli.md);
diff --git a/src/lib/crypt.c b/src/lib/crypt.c
index e4b65cf0..a34e7298 100644
--- a/src/lib/crypt.c
+++ b/src/lib/crypt.c
@@ -173,7 +173,7 @@ int parse_sec_config(struct sec_config * cfg,
SET_KEX_KDF_NID(cfg, NID_sha256);
SET_KEX_CIPHER_NID(cfg, NID_aes_256_gcm);
SET_KEX_DIGEST_NID(cfg, NID_sha256);
- /* req_auth is seeded per-role by the caller; only auth= overrides it */
+ /* a.req is seeded per-role by the caller; only auth= overrides it */
while (fgets(line, sizeof(line), fp) != NULL) {
char * trimmed;
@@ -223,16 +223,16 @@ int parse_sec_config(struct sec_config * cfg,
}
} else if (strcmp(key, "auth") == 0) {
if (strcmp(value, "required") == 0) {
- cfg->req_auth = true;
+ cfg->a.req = true;
} else if (strcmp(value, "optional") == 0) {
- cfg->req_auth = false;
+ cfg->a.req = false;
} else {
return -EINVAL;
}
} else if (strcmp(key, "cacert") == 0) {
- if (strlen(value) >= sizeof(cfg->cacert))
+ if (strlen(value) >= sizeof(cfg->a.cacert))
return -EINVAL;
- strcpy(cfg->cacert, value);
+ strcpy(cfg->a.cacert, value);
} else if (strcmp(key, "encryption") == 0) {
if (strcmp(value, "none") != 0)
return -EINVAL;
diff --git a/src/lib/tests/kex_test.c b/src/lib/tests/kex_test.c
index 786e1977..0a00ccab 100644
--- a/src/lib/tests/kex_test.c
+++ b/src/lib/tests/kex_test.c
@@ -890,7 +890,7 @@ static int test_kex_parse_config_auth(void)
goto fail;
}
- if (!kex.req_auth) {
+ if (!kex.a.req) {
printf("auth=required not parsed correctly.\n");
fclose(fp);
goto fail;
@@ -946,7 +946,7 @@ static int test_kex_parse_config_auth_seed(void)
TEST_START();
memset(&kex, 0, sizeof(kex));
- kex.req_auth = true;
+ kex.a.req = true;
fp = FMEMOPEN_STR(KEX_CONFIG_NO_ENC);
if (fp == NULL) {
@@ -960,7 +960,7 @@ static int test_kex_parse_config_auth_seed(void)
goto fail;
}
- if (!kex.req_auth) {
+ if (!kex.a.req) {
printf("Seeded req_auth should survive parsing.\n");
fclose(fp);
goto fail;
@@ -985,7 +985,7 @@ static int test_kex_parse_config_auth_optional(void)
TEST_START();
memset(&kex, 0, sizeof(kex));
- kex.req_auth = true;
+ kex.a.req = true;
fp = FMEMOPEN_STR(KEX_CONFIG_AUTH_OPTIONAL);
if (fp == NULL) {
@@ -999,7 +999,7 @@ static int test_kex_parse_config_auth_optional(void)
goto fail;
}
- if (kex.req_auth) {
+ if (kex.a.req) {
printf("auth=optional should clear req_auth.\n");
fclose(fp);
goto fail;
@@ -1037,7 +1037,7 @@ static int test_kex_parse_config_auth_no_enc(const char * config)
goto fail;
}
- if (!kex.req_auth) {
+ if (!kex.a.req) {
printf("encryption=none should not drop required auth.\n");
fclose(fp);
goto fail;
@@ -1086,14 +1086,14 @@ static int test_kex_parse_config_cacert(void)
goto fail;
}
- if (strcmp(kex.cacert,
+ if (strcmp(kex.a.cacert,
"/etc/ouroboros/security/cacert/ca.crt") != 0) {
printf("cacert not parsed correctly.\n");
fclose(fp);
goto fail;
}
- if (kex.req_auth) {
+ if (kex.a.req) {
printf("cacert must not imply req_auth.\n");
fclose(fp);
goto fail;