From 110d3ed8526197bd866e02199bfeae7569d73d8d Mon Sep 17 00:00:00 2001 From: Dimitri Staessens Date: Sun, 21 Jun 2026 13:35:45 +0200 Subject: irmd: Complete bidirectional flow re-keying Extend re-key delivery beyond the locally-initiated watermark path: Handle peer-initiated re-key requests, allowing one request and one response per flow at a time. The client side wins if both ends try to re-key at the same time. Caches the peer certificate to support cert-less authenticated/signed re-keys. After a rekey, the initiator promotes first (timer) and starts sending under the new key. The responder observes the new key (peer_synced) and then the responder promotes. The responder will self-decide to use the new keys if it exhausted the older set in the case where it never sees the peer (unidirectional flow). Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders --- include/ouroboros/serdes-irm.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/ouroboros/serdes-irm.h b/include/ouroboros/serdes-irm.h index 01c4153c..a5854d5b 100644 --- a/include/ouroboros/serdes-irm.h +++ b/include/ouroboros/serdes-irm.h @@ -75,7 +75,8 @@ int flow_update__irm_req_ser(buffer_t * buf, int flow_rekey__irm_result_des(buffer_t * buf, struct crypt_sk * sk, - bool * has_key); + bool * has_key, + bool * initiator); int ipcp_flow_dealloc__irm_req_ser(buffer_t * buf, const struct flow_info * info); -- cgit v1.2.3
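Review bot: the new `bool * initiator` out-parameter added to `flow_rekey__irm_result_des` in the hunk at `@@ -75,7 +75,8 @@` is undocumented; nothing in the header states which side sets it, whether it may be NULL like the existing `sk` and `has_key` outputs, or how it maps onto the initiator-promotes-first / responder-waits-for-peer_synced behaviour described in the commit message. Since this view is limited to `include/`, the matching serializer and the irmd call sites are not visible, so a short comment above the prototype (for example `/* initiator: true when the local side started this re-key */`) would tell callers which promotion path the result belongs to. Consider also whether a single bool is enough to let the responder's self-promote-on-key-exhaustion case (unidirectional flow, peer never observed) be told apart from a normal peer-initiated response, or whether that distinction is carried elsewhere in the message.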