authorDimitri Staessens <dimitri@ouroboros.rocks>2026-06-21 14:07:00 +0200
committerSander Vrijders <sander@ouroboros.rocks>2026-06-29 08:33:00 +0200
commit55a8136859d82d9bdb8f85abb25290177ca7e561 (patch)
treee3b87e09322867245a49fe11c51b621efcff2730 /src/irmd/oap/tests/common.h
parent552a4c4469db1cedacc02eb4f9969afe73e0fb42 (diff)
irmd: Harden OAP handshake and add cert-less re-key
Adds support for: Server key confirmation: the session key is bound to the negotiated algorithm via the HKDF info. The server returns a key-confirmation tag (rsp_tag, replacing the bare request-hash echo), so a cipher downgrade or key desync is detected. The cleartext path keeps a request echo, compared in constant time. Sealed server identity: AEAD-seal the certificate, signature and piggybacked data in the encrypted response (kex and rsp_tag move ahead as AAD), hiding the server identity and response sizes. Cert-less re-key: let the client omit its certificate, verifying the peer against the cached certificate. On PQC flows, ephemeral server-encap KEX (preserving forward secrecy) is used, even if the original flow allocation was client-encap. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src/irmd/oap/tests/common.h')
-rw-r--r--src/irmd/oap/tests/common.h11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/irmd/oap/tests/common.h b/src/irmd/oap/tests/common.h
index 4fe2f779..c47096fb 100644
--- a/src/irmd/oap/tests/common.h
+++ b/src/irmd/oap/tests/common.h
@@ -71,6 +71,11 @@ struct oap_test_ctx {
buffer_t data;
void * root_ca;
void * im_ca;
+
+ /* Re-key (tier iii): drop the cert, verify against the cache. */
+ bool rekey;
+ buffer_t srv_crt; /* client cert cached by server */
+ buffer_t cli_crt; /* server cert cached by client */
};
int oap_test_setup(struct oap_test_ctx * ctx,
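Review bot: The two cache fields added to `struct oap_test_ctx` are named for the side that holds the cache, not for the certificate they contain, so `srv_crt` reads as "server certificate" while its comment says it is the client cert. In a test of peer verification against a cached certificate, a swap of the two would be easy to miss, and a bad-cache case could then pass or fail for the wrong reason. Names that carry the meaning would help, for example `buffer_t srv_peer_crt; /* client cert as cached by the server */` and `buffer_t cli_peer_crt; /* server cert as cached by the client */`. The comment could also say which function allocates and frees these buffers and what "tier iii" refers to, since neither is visible in this hunk.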
@@ -88,6 +93,12 @@ int oap_cli_complete_ctx(struct oap_test_ctx * ctx);
int roundtrip_auth_only(const char * root_ca,
const char * im_ca_str);
+int roundtrip_rekey(const char * root_ca,
+ const char * im_ca_str);
+
+int roundtrip_rekey_badcache(const char * root_ca,
+ const char * im_ca_str);
+
int roundtrip_kex_only(void);
int corrupted_request(const char * root_ca,
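Review bot: `roundtrip_rekey_badcache` is declared without saying what its return value means, which matters for a negative test: from the header alone it is unclear whether 0 means the handshake was rejected as expected or that it completed. A one-line comment above the two prototypes would settle it, e.g. `/* Re-key without a cert; _badcache uses a non-matching cached cert and returns 0 only if verification fails. */`, adjusted to what the implementation actually does. The commit message also describes an ephemeral server-encap KEX for re-key on PQC flows, and no re-key helper for a KEX flow is declared in this hunk, so it is worth confirming that path is exercised elsewhere. The `corrupted_request` prototype continues outside the hunk.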