Ouroboros main repository https://ouroboros.rocks/cgit/ouroboros/atom?h=be 2026-03-14T10:23:59+00:00 2026-03-14T10:23:59+00:00 Dimitri Staessens dimitri@ouroboros.rocks 2026-03-07T19:54:31+00:00 urn:sha1:044da08973957b32703fe338eb95c5171ce471ba i2d_X509() allocated buf->data via OPENSSL_malloc(), but callers free it with freebuf() which uses free(). Fix by allocating with malloc() and encoding directly into the buffer. Also replaces MSGBUFSZ with CRYPT_KEY_BUFSZ (4096) for key material buffers and removes leftover debug logging. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks> 2026-03-14T10:23:24+00:00 Dimitri Staessens dimitri@ouroboros.rocks 2026-03-03T08:00:18+00:00 urn:sha1:369d1c90453be23270a30229cbf4f731e4080407 When auth_verify_crt fails (e.g., missing root CA), crypt_get_pubkey_crt has already allocated pk but only crt was freed. Adds a crypt_cleanup() function to wrap OpenSSL_cleanup(), as OpenSSL lazily initializes a global decoder/provider registry the first time PEM_read_bio or OSSL_DECODER_CTX_new_for_pkey is called, and this leaves some memory owned by OpenSSL that triggers the leak sanitizer. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks> 2026-02-18T06:54:56+00:00 Dimitri Staessens dimitri@ouroboros.rocks 2026-02-15T09:21:02+00:00 urn:sha1:0d72b59c2964208ea34ce2322978344d7ff1a223 Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks> 2026-02-18T06:52:56+00:00 Dimitri Staessens dimitri@ouroboros.rocks 2026-02-14T13:33:50+00:00 urn:sha1:d85326a119c34789055c388fcd18bb0161fbfd21 Each side's configured cipher, KDF, and KEX algorithm now represents a minimum security floor ("at least this strong"). Cipher and KDF use strongest-wins: the server compares ranks and selects the stronger of client vs server config. The negotiated values are sent in the response header. The client verifies the server's response meets its own minimum, which prevents downgrade attacks on the wire. KEX uses a minimum-floor check: the server extracts the client's algorithm from its public key and rejects if it ranks below the server's configured algorithm. A server configured with ML-KEM will reject all classical algorithms. Special case: for client-encap KEM, the client has already derived its key using its KDF, so the server must use the same KDF and can only reject if it is too weak. The supported_nids arrays are ordered weakest to strongest and serve as the single source of truth for ranking. Cipher ranking (weakest to strongest): aes-128-ctr, aes-192-ctr, aes-256-ctr, aes-128-gcm, aes-192-gcm, aes-256-gcm, chacha20-poly1305 KDF ranking (weakest to strongest): blake2s256, sha256, sha3-256, sha384, sha3-384, blake2b512, sha512, sha3-512 KEX ranking (weakest to strongest): ffdhe2048, prime256v1, X25519, ffdhe3072, secp384r1, ffdhe4096, X448, secp521r1, ML-KEM-512, ML-KEM-768, ML-KEM-1024, X25519MLKEM768, X448MLKEM1024 Negotiation outcomes: strong srv cipher + weak cli cipher -> use strongest weak srv cipher + strong cli cipher -> use strongest srv encryption + cli none -> server rejects srv none + cli encryption -> use client's strong srv KEX + weak cli KEX -> server rejects weak srv KEX + strong cli KEX -> succeeds wire tamper to weaker cipher -> client rejects Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks> 2026-02-13T08:22:06+00:00 Dimitri Staessens dimitri@ouroboros.rocks 2026-01-27T23:35:28+00:00 urn:sha1:52051f12b80abb7f7e07149a6624d8ca9e756d24 The include headers and NIDs are different on macOS X. It also doesn't have explicit_bzero. The crypt.h includes are now guarded to work on OS X (trying to avoid the includes by defining the OpenSSL mac header guard led to a whole list of other issues). The explicit zero'ing of buffers temporarily holding secrets has now been abstracted in a crypt_secure_clear() function defaulting to OpenSSL_cleanse, explicit_bzero (if present) or a best-effort option using a volatile pointer. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks> 2026-01-26T06:47:51+00:00 Dimitri Staessens dimitri@ouroboros.rocks 2026-01-23T17:45:34+00:00 urn:sha1:f60b67a6fcbed7329f7d27511e8c572dc252934e The tests were not correct as the library was compiled with the default 1 << 20 epoch. Added a parametere to the sk configuration that specifies the epoch size. Set to 1 << KEY_ROTATION_BIT in dev.c, but lowered to 7 in unit tests. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks> 2026-01-23T07:30:11+00:00 Dimitri Staessens dimitri@ouroboros.rocks 2026-01-22T22:11:58+00:00 urn:sha1:a5d9c04f821b72e27f196ff2015078f87d4d9a5e Implement forward-secret key rotation using HKDF key derivation. The operation is based on QUIC RFC 9001 and wireguard. Keys rotate every 2^KEY_ROTATION_BIT packets, with the current phase (P) signaled via controlling a bit in the IV (bit 7, first bit on the wire). Default 20 (1M packets). The wire format, after the DT header is: [ P | random IV ][ encrypted blob ][ AEAD tag ] Works with and without retransmission, and the FRCT header is fully contained in the encrypted blob if used. The receiver detects phase changes and rotates accordingly, keeping the previous key valid during a grace period. This handles packet reordering in unreliable flows: the 3/4 period protection window prevents premature rotation when late packets arrive, while the 1/2 period grace window ensures the old key remains available for decryption. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks> 2026-01-23T07:29:30+00:00 Dimitri Staessens dimitri@ouroboros.rocks 2026-01-22T20:34:42+00:00 urn:sha1:fb1aeb3ffff2948edeb710e65aef261b589c7403 The packet buffer was allocating a fixed header for the IV, but did not account for the tag at all (remnant of the old hardcoded CBC mode-only proof-of-concept). Never ran into issues because we always reserved ample space. But it now properly reserves the correct space for IV and tag. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks> 2026-01-23T07:24:42+00:00 Dimitri Staessens dimitri@ouroboros.rocks 2026-01-18T15:48:37+00:00 urn:sha1:ea52d52754d58edac81bfb10fc4c59fcc8b59935 The openssl_crt_str function was using BIO_get_mem_data() but this is not guaranteed to be NULL-terminated, causing buffer overruns. This was the root cause of ASan tests with certificates running for minutes and eventually getting killed on the CI/CD pipeline: Start 1: lib/auth_test 1/26 Test #1: lib/auth_test ......................***Skipped 312.75 sec Start 16: irmd/oap/oap_test 16/26 Test #16: irmd/oap/oap_test ..................***Skipped 345.87 sec Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks> 2026-01-23T07:20:27+00:00 Dimitri Staessens dimitri@ouroboros.rocks 2026-01-19T18:31:58+00:00 urn:sha1:9f2e078c694d375ff7a633e629d05554c873c8dc The test_oap_piggyback_data was not cleaning up the passed data correctly. Also, a FILE * was not properly closed in the openssl load_pubkey_raw_file_to_der() wrapper. Refactored some fail paths to make them easier to read. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>