<feed xmlns='http://www.w3.org/2005/Atom'>
<title>ouroboros/src/lib/crypt, branch be</title>
<subtitle>Ouroboros main repository</subtitle>
<id>https://ouroboros.rocks/cgit/ouroboros/atom?h=be</id>
<link rel='self' href='https://ouroboros.rocks/cgit/ouroboros/atom?h=be'/>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/'/>
<updated>2026-06-29T06:32:59+00:00</updated>
<entry>
<title>lib: Harden OpenSSL crypto backend</title>
<updated>2026-06-29T06:32:59+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-06-21T10:55:17+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=8499436b4673ac2e2026879a95d97162ba2e8cbc'/>
<id>urn:sha1:8499436b4673ac2e2026879a95d97162ba2e8cbc</id>
<content type='text'>
This contains a few improvements and fixes in the OpenSSL backend. We
now zeroize shared secrets with OPENSSL_clear_free. The i2d_PUBKEY
output is bound against CRYPT_KEY_BUFSZ. We now return NULL rather
than silently falling back to SHA-256 when a digest is unknown. FILE
handles are now closed via pthread cleanup so a cancelled thread
cannot leak them. The DHE kex tests now set the KDF NID explicitly,
since the SHA-256 fallback is gone.

Also refactors the PEM string loaders to clean up some code duplication.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>lib: Harden symmetric-key rotation</title>
<updated>2026-06-29T06:32:58+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-06-13T08:18:17+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=22e2380b09730a2f18deefd688585edb430d3299'/>
<id>urn:sha1:22e2380b09730a2f18deefd688585edb430d3299</id>
<content type='text'>
Flow crypto signalled rotation with a single phase-parity bit, so a
loss burst that hid an even number of rotations went unnoticed and
wedged the flow for good.

Each packet now carries a small cleartext selector naming its key
directly, so a receiver that falls behind recovers on the next packet
instead of getting stuck.

The selector also serves as the AEAD nonce and is authenticated as
associated data (AAD). Key rotation moves into a new backend-agnostic
keyrot module that rotates sub-keys to bound AEAD usage while
preserving forward secrecy.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>irmd: Reject OAP peer crt with unusable CN</title>
<updated>2026-06-29T06:32:58+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-06-12T18:26:27+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=dce27129b74f906e0d1c086858f360228d5cbc83'/>
<id>urn:sha1:dce27129b74f906e0d1c086858f360228d5cbc83</id>
<content type='text'>
Added checks for CN &gt; NAME_SIZE.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>irmd: Add issuer and digest pinning to OAP</title>
<updated>2026-06-29T06:32:58+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-06-12T17:34:27+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=977bcac2d56a8793ed93b4aac7016ef36b51a07f'/>
<id>urn:sha1:977bcac2d56a8793ed93b4aac7016ef36b51a07f</id>
<content type='text'>
A peer certificate that verifies against the CA store could have
been issued by any trusted CA, and a peer could pick any supported
digest for its signature. Tighten the authentication contract with
two local policies.

cacert= pins the issuing CA: a peer certificate, if presented, must
chain through the pinned CA. Whether a certificate is mandatory at
all remains controlled by auth= alone.

digest= now also pins the signature digest: a classical peer must sign
with the locally configured digest, and may not omit the digest NID to
fall back to the key's default digest. PQC signatures (ML-DSA,
SLH-DSA) have an intrinsic digest and may be NID_undef.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>lib: Fix certificate DER encoding and key buffers</title>
<updated>2026-03-14T10:23:59+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-03-07T19:54:31+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=044da08973957b32703fe338eb95c5171ce471ba'/>
<id>urn:sha1:044da08973957b32703fe338eb95c5171ce471ba</id>
<content type='text'>
i2d_X509() allocated buf-&gt;data via OPENSSL_malloc(), but callers free
it with freebuf() which uses free(). Fix by allocating with malloc()
and encoding directly into the buffer. Also replaces MSGBUFSZ with
CRYPT_KEY_BUFSZ (4096) for key material buffers and removes leftover
debug logging.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>lib: Fix missing cleanup in authentication path</title>
<updated>2026-03-14T10:23:24+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-03-03T08:00:18+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=369d1c90453be23270a30229cbf4f731e4080407'/>
<id>urn:sha1:369d1c90453be23270a30229cbf4f731e4080407</id>
<content type='text'>
When auth_verify_crt fails (e.g., missing root CA),
crypt_get_pubkey_crt has already allocated pk but only crt was freed.

Adds a crypt_cleanup() function to wrap OpenSSL_cleanup(), as OpenSSL
lazily initializes a global decoder/provider registry the first time
PEM_read_bio or OSSL_DECODER_CTX_new_for_pkey is called, and this
leaves some memory owned by OpenSSL that triggers the leak sanitizer.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>build: Update copyright to 2026</title>
<updated>2026-02-18T06:54:56+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-02-15T09:21:02+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=0d72b59c2964208ea34ce2322978344d7ff1a223'/>
<id>urn:sha1:0d72b59c2964208ea34ce2322978344d7ff1a223</id>
<content type='text'>
Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>irmd: Add strength-based crypto negotiation</title>
<updated>2026-02-18T06:52:56+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-02-14T13:33:50+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=d85326a119c34789055c388fcd18bb0161fbfd21'/>
<id>urn:sha1:d85326a119c34789055c388fcd18bb0161fbfd21</id>
<content type='text'>
Each side's configured cipher, KDF, and KEX algorithm now
represents a minimum security floor ("at least this strong").

Cipher and KDF use strongest-wins: the server compares ranks
and selects the stronger of client vs server config. The
negotiated values are sent in the response header. The client
verifies the server's response meets its own minimum, which
prevents downgrade attacks on the wire.

KEX uses a minimum-floor check: the server extracts the
client's algorithm from its public key and rejects if it
ranks below the server's configured algorithm. A server
configured with ML-KEM will reject all classical algorithms.

Special case: for client-encap KEM, the client has already
derived its key using its KDF, so the server must use the
same KDF and can only reject if it is too weak.

The supported_nids arrays are ordered weakest to strongest
and serve as the single source of truth for ranking.

Cipher ranking (weakest to strongest):
  aes-128-ctr, aes-192-ctr, aes-256-ctr,
  aes-128-gcm, aes-192-gcm, aes-256-gcm,
  chacha20-poly1305

KDF ranking (weakest to strongest):
  blake2s256, sha256, sha3-256, sha384,
  sha3-384, blake2b512, sha512, sha3-512

KEX ranking (weakest to strongest):
  ffdhe2048, prime256v1, X25519, ffdhe3072,
  secp384r1, ffdhe4096, X448, secp521r1,
  ML-KEM-512, ML-KEM-768, ML-KEM-1024,
  X25519MLKEM768, X448MLKEM1024

Negotiation outcomes:
  strong srv cipher + weak cli cipher  -&gt; use strongest
  weak srv cipher + strong cli cipher  -&gt; use strongest
  srv encryption + cli none            -&gt; server rejects
  srv none + cli encryption            -&gt; use client's
  strong srv KEX + weak cli KEX        -&gt; server rejects
  weak srv KEX + strong cli KEX        -&gt; succeeds
  wire tamper to weaker cipher         -&gt; client rejects

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>lib: Fix OpenSSL includes and explicit_bzero on OSX</title>
<updated>2026-02-13T08:22:06+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-01-27T23:35:28+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=52051f12b80abb7f7e07149a6624d8ca9e756d24'/>
<id>urn:sha1:52051f12b80abb7f7e07149a6624d8ca9e756d24</id>
<content type='text'>
The include headers and NIDs are different on macOS X. It also doesn't
have explicit_bzero.

The crypt.h includes are now guarded to work on OS X (trying to avoid
the includes by defining the OpenSSL mac header guard led to a whole
list of other issues).

The explicit zeroing of buffers temporarily holding secrets has now
been abstracted in a crypt_secure_clear() function defaulting to
OpenSSL_cleanse, explicit_bzero (if present) or a best-effort option
using a volatile pointer.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>lib: Speed up key rotation tests</title>
<updated>2026-01-26T06:47:51+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-01-23T17:45:34+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=f60b67a6fcbed7329f7d27511e8c572dc252934e'/>
<id>urn:sha1:f60b67a6fcbed7329f7d27511e8c572dc252934e</id>
<content type='text'>
The tests were not correct as the library was compiled with the
default 1 &lt;&lt; 20 epoch. Added a parameter to the sk configuration that
specifies the epoch size. Set to 1 &lt;&lt; KEY_ROTATION_BIT in dev.c, but
lowered to 7 in unit tests.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
</feed>
