<feed xmlns='http://www.w3.org/2005/Atom'>
<title>ouroboros/src/irmd/oap, branch be</title>
<subtitle>Ouroboros main repository</subtitle>
<id>http://133.ip-51-38-114.eu/cgit/ouroboros/atom?h=be</id>
<link rel='self' href='http://133.ip-51-38-114.eu/cgit/ouroboros/atom?h=be'/>
<link rel='alternate' type='text/html' href='http://133.ip-51-38-114.eu/cgit/ouroboros/'/>
<updated>2026-07-08T09:02:24+00:00</updated>
<entry>
<title>irmd: Move AUTH test macros to OAP common.h</title>
<updated>2026-07-08T09:02:24+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-07-02T06:09:16+00:00</published>
<link rel='alternate' type='text/html' href='http://133.ip-51-38-114.eu/cgit/ouroboros/commit/?id=fca717aba18850d2e32a069905f03314cd836c17'/>
<id>urn:sha1:fca717aba18850d2e32a069905f03314cd836c17</id>
<content type='text'>
The ML-DSA OAP test defined CLI_AUTH/NO_CLI_AUTH and passed them for
the srv_auth parameters of the re-key tests. Rename to the neutral
AUTH/NO_AUTH already used by oap_test.c and move the pair to the
shared common.h.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>irmd: Test OAP KEM re-key floor</title>
<updated>2026-07-08T09:02:23+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-07-01T23:25:40+00:00</published>
<link rel='alternate' type='text/html' href='http://133.ip-51-38-114.eu/cgit/ouroboros/commit/?id=08a3828af7416326e8deb84c44da030b64fc5464'/>
<id>urn:sha1:08a3828af7416326e8deb84c44da030b64fc5464</id>
<content type='text'>
Add tests for two client-encap KEM properties the server enforces:
reject a client KDF below the server floor, and confirm a re-key
forces ephemeral server-encap.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>irmd: Expand and parametrize OAP tests</title>
<updated>2026-07-08T09:02:23+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-07-01T23:18:03+00:00</published>
<link rel='alternate' type='text/html' href='http://133.ip-51-38-114.eu/cgit/ouroboros/commit/?id=02cc763dd69568b832516cf408b95dad47b4d9ff'/>
<id>urn:sha1:02cc763dd69568b832516cf408b95dad47b4d9ff</id>
<content type='text'>
Parametrize the re-key roundtrips over the full (srv_auth, cli_auth)
matrix. Add a KEM re-key axis, request-ID and cleartext-echo tamper
tests, and an unsupported cipher/kdf/digest NID cluster guarded by an
assertion.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>irmd: Fix OAP re-key header encode</title>
<updated>2026-07-08T09:02:23+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-07-01T23:06:33+00:00</published>
<link rel='alternate' type='text/html' href='http://133.ip-51-38-114.eu/cgit/ouroboros/commit/?id=4c836008dcac27e0a8258b07270a8a529b2d9167'/>
<id>urn:sha1:4c836008dcac27e0a8258b07270a8a529b2d9167</id>
<content type='text'>
The oap_hdr_encode() function validated its own output by re-decoding
with rekey hardcoded false. The case where the client signs a re-key
failed its own self-check because the cert is not sent again. Now uses
a flag on the encode() to signal the signed re-key without
certificate.

Also fixes a double free after a failed self-decode check.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>build: Fix OpenSSL version check for PQC</title>
<updated>2026-07-08T09:02:12+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-07-01T22:57:58+00:00</published>
<link rel='alternate' type='text/html' href='http://133.ip-51-38-114.eu/cgit/ouroboros/commit/?id=2f9fdfa5ae2749f10d9ebc805e388ab9962d9faa'/>
<id>urn:sha1:2f9fdfa5ae2749f10d9ebc805e388ab9962d9faa</id>
<content type='text'>
ML-KEM, ML-DSA and SLH-DSA all landed in OpenSSL 3.5.0, not 3.4.0.

ML-KEM+ML-DSA and SLH-DSA can be disabled by DISABLE_ML / DISABLE_SLH.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>oap: Rename kex_config loaders to sec_config</title>
<updated>2026-06-29T06:33:00+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-06-21T12:18:38+00:00</published>
<link rel='alternate' type='text/html' href='http://133.ip-51-38-114.eu/cgit/ouroboros/commit/?id=4b16f7b9ba95f7e24ff443e5b215c2823c1387f7'/>
<id>urn:sha1:4b16f7b9ba95f7e24ff443e5b215c2823c1387f7</id>
<content type='text'>
Leftover from the kex_config-&gt;enc_config-&gt;sec_config rename. Finished
by renames load_kex_config and the cli/srv variants to
load_sec_config, the kcfg variables to scfg, and fixes the "KEX
config"/"encryption config" comments.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>irmd: Harden OAP handshake and add cert-less re-key</title>
<updated>2026-06-29T06:33:00+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-06-21T12:07:00+00:00</published>
<link rel='alternate' type='text/html' href='http://133.ip-51-38-114.eu/cgit/ouroboros/commit/?id=55a8136859d82d9bdb8f85abb25290177ca7e561'/>
<id>urn:sha1:55a8136859d82d9bdb8f85abb25290177ca7e561</id>
<content type='text'>
Adds support for:

Server key confirmation: the session key is bound to the
negotiated algorithm via the HKDF info. The server returns a
key-confirmation tag (rsp_tag, replacing the bare request-hash echo),
so a cipher downgrade or key desync is detected. The cleartext path
keeps a request echo, compared in constant time.

Sealed server identity: AEAD-seal the certificate, signature and
piggybacked data in the encrypted response (kex and rsp_tag move
ahead as AAD), hiding the server identity and response sizes.

Cert-less re-key: let the client omit its certificate, verifying the
peer against the cached certificate. On PQC flows, ephemeral
server-encap KEX (preserving forward secrecy) is used, even if the
original flow allocation was client-encap.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>irmd: Reject unsupported OAP kex and cipher</title>
<updated>2026-06-29T06:33:00+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-06-21T11:58:39+00:00</published>
<link rel='alternate' type='text/html' href='http://133.ip-51-38-114.eu/cgit/ouroboros/commit/?id=552a4c4469db1cedacc02eb4f9969afe73e0fb42'/>
<id>urn:sha1:552a4c4469db1cedacc02eb4f9969afe73e0fb42</id>
<content type='text'>
Validate the configured key exchange and cipher against the supported
ranks (returning ENOTSUP) instead of only rejecting an undefined
cipher NID, so an unsupported algorithm is caught at config load.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>lib: Group sec_config authentication fields</title>
<updated>2026-06-29T06:32:59+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-06-21T11:18:35+00:00</published>
<link rel='alternate' type='text/html' href='http://133.ip-51-38-114.eu/cgit/ouroboros/commit/?id=a169a1cef5332a409efc2db07bcc1ae9b72f217e'/>
<id>urn:sha1:a169a1cef5332a409efc2db07bcc1ae9b72f217e</id>
<content type='text'>
Nest the flat req_auth and cacert members of struct sec_config into a
sub-struct a { req; cacert; }, keeping the authentication settings
together.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>config: Rename enc.conf to sec.conf</title>
<updated>2026-06-29T06:32:59+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-06-21T11:03:36+00:00</published>
<link rel='alternate' type='text/html' href='http://133.ip-51-38-114.eu/cgit/ouroboros/commit/?id=47034834790e778f28b082842b3ed1c7bd44f29a'/>
<id>urn:sha1:47034834790e778f28b082842b3ed1c7bd44f29a</id>
<content type='text'>
The per-name config file holds more than encryption settings (KEX,
cipher, KDF, peer authentication), so renamed it from enc.conf to
sec.conf and the code internals to match.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
</feed>
