diff options
| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2026-06-21 14:07:00 +0200 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2026-06-29 08:33:00 +0200 |
| commit | 55a8136859d82d9bdb8f85abb25290177ca7e561 (patch) | |
| tree | e3b87e09322867245a49fe11c51b621efcff2730 /src/irmd/oap.h | |
| parent | 552a4c4469db1cedacc02eb4f9969afe73e0fb42 (diff) | |
| download | ouroboros-55a8136859d82d9bdb8f85abb25290177ca7e561.tar.gz ouroboros-55a8136859d82d9bdb8f85abb25290177ca7e561.zip | |
irmd: Harden OAP handshake and add cert-less re-key
Adds support for:
Server key confirmation: the session key is bound to the
negotiated algorithm via the HKDF info. The server returns a
key-confirmation tag (rsp_tag, replacing the bare request-hash echo),
so a cipher downgrade or key desync is detected. The cleartext path
keeps a request echo, compared in constant time.
Sealed server identity: AEAD-seal the certificate, signature and
piggybacked data in the encrypted response (kex and rsp_tag move
ahead as AAD), hiding the server identity and response sizes.
Cert-less re-key: let the client omit its certificate, verifying the
peer against the cached certificate. On PQC flows, ephemeral
server-encap KEX (preserving forward secrecy) is used, even if the
original flow allocation was client-encap.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src/irmd/oap.h')
| -rw-r--r-- | src/irmd/oap.h | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/src/irmd/oap.h b/src/irmd/oap.h index d6d8dfe2..86f11e21 100644 --- a/src/irmd/oap.h +++ b/src/irmd/oap.h @@ -28,6 +28,8 @@ #include <ouroboros/name.h> #include <ouroboros/utils.h> +#include <stdbool.h> + /* OAP authentication state (in oap/auth.c) */ int oap_auth_init(void); @@ -35,31 +37,46 @@ void oap_auth_fini(void); int oap_auth_add_ca_crt(void * crt); +int oap_auth_add_chain_crt(void * crt); + /* * Prepare OAP request header for server, returns context * Passes client data for srv, returns srv data for client +* rekey forces ephemeral server-encap KEX (no client-encap; preserves FS/PCS) */ int oap_cli_prepare(void ** ctx, const struct name_info * info, buffer_t * req_buf, - buffer_t data); + buffer_t data, + bool rekey); /* * Server processes header, creates response header, returns secret key. * data is in/out: input=srv data to send, output=cli data received. + * rekey drops the cert and verifies against cached_crt; peer_crt (or NULL) + * receives a copy of the peer cert to cache at the initial handshake. */ int oap_srv_process(const struct name_info * info, buffer_t req_buf, buffer_t * rsp_buf, buffer_t * data, - struct crypt_sk * sk); + struct crypt_sk * sk, + bool rekey, + const buffer_t * cached_crt, + buffer_t * peer_crt); -/* Complete OAP, returns secret key and server data, frees ctx */ +/* + * Complete OAP, returns secret key and server data, frees ctx. + * cached_crt verifies a cert-less re-key; peer_crt (or NULL) receives a + * copy of the peer cert to cache at the initial handshake. + */ int oap_cli_complete(void * ctx, const struct name_info * info, buffer_t rsp_buf, buffer_t * data, - struct crypt_sk * sk); + struct crypt_sk * sk, + const buffer_t * cached_crt, + buffer_t * peer_crt); /* Free OAP state (on failure before complete) */ void oap_ctx_free(void * ctx); |
