authorDimitri Staessens <dimitri@ouroboros.rocks>2026-06-21 14:07:00 +0200
committerSander Vrijders <sander@ouroboros.rocks>2026-06-29 08:33:00 +0200
commit55a8136859d82d9bdb8f85abb25290177ca7e561 (patch)
treee3b87e09322867245a49fe11c51b621efcff2730 /src/irmd/oap.h
parent552a4c4469db1cedacc02eb4f9969afe73e0fb42 (diff)
irmd: Harden OAP handshake and add cert-less re-key
Adds support for:

Server key confirmation: the session key is bound to the negotiated algorithm via the HKDF info. The server returns a key-confirmation tag (rsp_tag, replacing the bare request-hash echo), so a cipher downgrade or key desync is detected. The cleartext path keeps a request echo, compared in constant time.

Sealed server identity: AEAD-seal the certificate, signature and piggybacked data in the encrypted response (kex and rsp_tag move ahead as AAD), hiding the server identity and response sizes.

Cert-less re-key: let the client omit its certificate, verifying the peer against the cached certificate. On PQC flows, ephemeral server-encap KEX (preserving forward secrecy) is used, even if the original flow allocation was client-encap.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src/irmd/oap.h')
-rw-r--r--src/irmd/oap.h25
1 files changed, 21 insertions, 4 deletions
diff --git a/src/irmd/oap.h b/src/irmd/oap.h
index d6d8dfe2..86f11e21 100644
--- a/src/irmd/oap.h
+++ b/src/irmd/oap.h
@@ -28,6 +28,8 @@
#include <ouroboros/name.h>
#include <ouroboros/utils.h>
+#include <stdbool.h>
+
/* OAP authentication state (in oap/auth.c) */
int oap_auth_init(void);
@@ -35,31 +37,46 @@ void oap_auth_fini(void);
int oap_auth_add_ca_crt(void * crt);
+int oap_auth_add_chain_crt(void * crt);
+
/*
* Prepare OAP request header for server, returns context
* Passes client data for srv, returns srv data for client
+* rekey forces ephemeral server-encap KEX (no client-encap; preserves FS/PCS)
*/
int oap_cli_prepare(void ** ctx,
const struct name_info * info,
buffer_t * req_buf,
- buffer_t data);
+ buffer_t data,
+ bool rekey);
/*
* Server processes header, creates response header, returns secret key.
* data is in/out: input=srv data to send, output=cli data received.
+ * rekey drops the cert and verifies against cached_crt; peer_crt (or NULL)
+ * receives a copy of the peer cert to cache at the initial handshake.
*/
int oap_srv_process(const struct name_info * info,
buffer_t req_buf,
buffer_t * rsp_buf,
buffer_t * data,
- struct crypt_sk * sk);
+ struct crypt_sk * sk,
+ bool rekey,
+ const buffer_t * cached_crt,
+ buffer_t * peer_crt);
-/* Complete OAP, returns secret key and server data, frees ctx */
+/*
+ * Complete OAP, returns secret key and server data, frees ctx.
+ * cached_crt verifies a cert-less re-key; peer_crt (or NULL) receives a
+ * copy of the peer cert to cache at the initial handshake.
+ */
int oap_cli_complete(void * ctx,
const struct name_info * info,
buffer_t rsp_buf,
buffer_t * data,
- struct crypt_sk * sk);
+ struct crypt_sk * sk,
+ const buffer_t * cached_crt,
+ buffer_t * peer_crt);
/* Free OAP state (on failure before complete) */
void oap_ctx_free(void * ctx);
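Review bot: The new rekey/cached_crt contract on oap_srv_process and oap_cli_complete does not say what happens when a cert-less re-key is processed with cached_crt == NULL (or an empty buffer), and a reader could assume the call falls back to the initial cert-carrying path, whereas with no cert in the message and nothing cached there is nothing to authenticate the peer against and the only safe outcome is failure. I would state that explicitly next to both declarations: `* A cert-less re-key with no cached_crt must fail; there is no fallback to an unauthenticated flow.` The peer_crt out-parameter is described as "a copy" but carries no ownership statement, so add `* *peer_crt is a fresh copy owned by the caller, who must free it` (naming the project's buffer free routine) to avoid a leak or a double free at the caller. It is also not visible from this header whether the client's rekey flag is itself authenticated to the server, so that a request whose certificate was stripped cannot be accepted as a re-key by a server already in rekey mode; that is worth confirming in the oap.c change, which is outside this hunk.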