ouroboros/src/irmd/ipcp.c, branch master

build: Update copyright to 2026

2026-02-18T06:54:56+00:00

Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Add per-user packet pools

2026-02-13T08:22:28+00:00

The IRMd will now check the user UID and GID for privileged access, avoiding unprivileged users being able to disrupt all IPC (e.g. by shm_open the single pool and corrupting its metadata). Non-privileged users are now limited to a PUP (per-user pool) for sending/receiving packets. It is still created by the IRMd, but owned by the user (uid) with 600 permissions. It does not add additional copies for local IPC between their own processes (i.e. over the local IPCP), but packets between processes owned by a different user or destined over the network (other IPCPs) will incur a copy when crossing the PUP / PUP or the PUP / GSPP boundary. Privileged users and users in the ouroboros group still have direct access to the GSPP (globally shared private pool) for packet transfer that will avoid additional copies when processing packets between processes owned by different users and to the network. This aligns the security model with UNIX trust domains defined by UID and GID by leveraging file permission on the pools in shared memory. ┌─────────────────────────────────────────────────────────────┐ │ Source Pool │ Dest Pool │ Operation │ Copies │ ├─────────────────────────────────────────────────────────────┤ │ GSPP │ GSPP │ Zero-copy │ 0 │ │ PUP.uid │ PUP.uid │ Zero-copy │ 0 │ │ PUP.uid1 │ PUP.uid2 │ memcpy() │ 1 │ │ PUP.uid │ GSPP │ memcpy() │ 1 │ │ GSPP │ PUP.uid │ memcpy() │ 1 │ └─────────────────────────────────────────────────────────────┘ This also renames the struct ai ("application instance") in dev.c to struct proc (process). Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Move encryption control from QoS to name

2025-09-10T06:21:58+00:00

This removes the flow encryption option (cypher_s) from the qosspec. The configuration file is configured in the security options (default /etc/ouroboros/security/). For this poc, encryption can be disabled client or server side by putting an enc.cfg file. If that file is present in the client folder, the client will require encryption. If that file is present on the server side, the server will require encryption and reject non-encrypted flows. Encryption is now configured outside of any application control. Example: /etc/ouroboros/security/client/oping/enc.cfg exists: irmd(II): Encryption enabled for oping. irmd(DB): File /etc/ouroboros/security/client/oping/crt.pem does not exist. irmd(II): No security info for oping. irmd(DB): Generated ephemeral keys for 87474. irmd/oap(PP): OAP_HDR [caf203681d997941 @ 2025-09-02 17:08:05 (UTC) ] --> irmd/oap(PP): Certificate: irmd/oap(PP): Ephemeral Public Key: [91 bytes] irmd/oap(PP): Data: irmd/oap(PP): Signature: Example: /etc/ouroboros/security/client/oping/enc.cfg does not exist: irmd(II): Allocating flow for 87506 to oping. irmd(DB): File /etc/ouroboros/security/client/oping/enc.cfg does not exist. irmd(DB): File /etc/ouroboros/security/client/oping/crt.pem does not exist. irmd(II): No security info for oping. irmd/oap(PP): OAP_HDR [e84bb9d7c3d9c002 @ 2025-09-02 17:08:30 (UTC) ] --> irmd/oap(PP): Certificate: irmd/oap(PP): Ephemeral Public Key: irmd/oap(PP): Data: irmd/oap(PP): Signature: Example: /etc/ouroboros/security/server/oping/enc.cfg exists: irmd(II): Flow request arrived for oping. irmd(DB): IPCP 88112 accepting flow 7 for oping. irmd(II): Encryption enabled for oping. irmd(DB): File /etc/ouroboros/security/server/oping/crt.pem does not exist. irmd(II): No security info for oping. irmd/oap(PP): OAP_HDR [3c717b3f31dff8df @ 2025-09-02 17:13:06 (UTC) ] <-- irmd/oap(PP): Certificate: irmd/oap(PP): Ephemeral Public Key: irmd/oap(PP): Data: irmd/oap(PP): Signature: irmd(WW): Encryption required but no key provided. The server side will pass the ECRYPT to the client: $ oping -l Ouroboros ping server started. Failed to accept flow: -1008 $ oping -n oping -c 1 Failed to allocate flow: -1008. Encryption on flows can now be changed at runtime without needing to touch/reconfigure/restart the process. Note: The ECRYPT result is passed on via the flow allocator responses through the IPCP (discovered/fixed some endianness issues), but the reason for rejecting the flow can be considered N+1 information... We may move that information up into the OAP header at some point. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

ipcpd: Fix request handling at shutdown

2025-08-23T08:13:33+00:00

The IPCP states were not entirely correct causing some operations to be serviced during shutdown. This caused some use-after-free in the pff. States in the IPCP are now correctly set. IRMd states updated to the same strategy. The IRMd registry tracks if the IPCP was ENROLLED or BOOTSTRAPPED, the IPCP just goes to OPERATIONAL. IPCP state diagram:: NULL -> init() -> INIT -> start() -> BOOT -> bootstrap/enroll() -> OPERATIONAL -> shutdown() -> SHUTDOWN -> stop_components() -> BOOT -> stop() -> INIT -> fini() -> NULL Signed-off-by: Dimitri Staessens

ipcpd: Remove old IPCP_CONN_WAIT_DIR build option

2025-08-11T08:15:32+00:00

The IPCP_CONN_WAIT_DIR build option is not needed anymore with the recent update to the DHT. Also cleans up some logging in the IPCP. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

irmd: Initial Flow Allocation Protocol Header

2025-07-23T13:07:52+00:00

This adds the initial version for the flow allocation protocol header between IRMd instances. This is a step towards flow authentication. The header supports secure and authenticated flow allocation, supporting certificate-based authentication and ephemeral key exchange for end-to-end encryption. id: 128-bit identifier for the entity. timestamp: 64-bit timestamp (replay protection). certificate: Certificate for authentication. public key: ECDHE public key for key exchange. data: Application data. signature: Signature for integrity/authenticity. Authentication and encryption require OpenSSL to be installed. The IRMd compares the allocation request delay with the MPL of the Layer over which the flow allocation was sent. MPL is now reported by the Layer in ms instead of seconds. Time functions revised for consistency and adds some tests. The TPM can now print thread running times in Debug builds (TPM_DEBUG_REPORT_INTERVAL) and abort processes with hung threads (TPM_DEBUG_ABORT_TIMEOUT). Long running threads waiting for input should call tpm_wait_work() to avoid trigger a process abort. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Add authentication functions

2025-07-04T08:12:15+00:00

Adds functions needed for authentication using X509 certificates, implemented using OpenSSL. Refactors some library internals, and adds some unit tests for them. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

irmd: Fix wrong hash length when getting ipcpd

2024-02-26T07:59:15+00:00

The get_ipcpd_by_dst function was returning the hash length of the last IPCP in the list instead of the length of the actual hash. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

irmd: Always use reg_destroy_proc

2024-02-23T15:41:38+00:00

Destroying a process will now always be done with reg_destroy_proc, regardless of whether it was an IPCP or spawned. This makes it easier to keep the registry consistent and avoid races. Also improves some logs and updates some default settings. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Revise app flow allocation

2024-02-23T15:41:37+00:00

This revises the application flow allocator to use the flow_info struct/message between the components. Revises the messaging to move the use protocol buffers to its own source (serdes-irm). Adds a timeout to the IRMd flow allocator to make sure flow allocations don't hang forever (this was previously taken care of by the sanitize thread). Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders