lib: Add post-quantum cryptography support

This adds initial support for runtime-configurable encryption and
post-quantum Key Encapsulation Mechanisms (KEMs) and authentication
(ML-DSA).

Supported key exchange algorithms:

  ECDH: prime256v1, secp384r1, secp521r1, X25519, X448
  Finite Field DH: ffdhe2048, ffdhe3072, ffdhe4096
  ML-KEM (FIPS 203): ML-KEM-512, ML-KEM-768, ML-KEM-1024
  Hybrid KEMs: X25519MLKEM768, X448MLKEM1024

Supported ciphers:
  AEAD: aes-128-gcm, aes-192-gcm, aes-256-gcm, chacha20-poly1305
  CTR: aes-128-ctr, aes-192-ctr, aes-256-ctr

Supported HKDFs:
  sha256, sha384, sha512, sha3-256, sha3-384, sha3-512,
  blake2b512, blake2s256

Supported Digests for DSA:
  sha256, sha384, sha512, sha3-256, sha3-384, sha3-512,
  blake2b512, blake2s256

PQC support requires OpenSSL 3.4.0+ and is detected automatically via
CMake. A DISABLE_PQC option allows building without PQC even when
available.

KEMs differ from traditional DH in that they require asymmetric roles:
one party encapsulates to the other's public key. This creates a
coordination problem during simultaneous reconnection attempts. The
kem_mode configuration parameter resolves this by pre-assigning roles:

  kem_mode=server  # Server encapsulates (1-RTT, full forward secrecy)
  kem_mode=client  # Client encapsulates (0-RTT, cached server key)

The enc.conf file format supports:

  kex=<algorithm>      # Key exchange algorithm
  cipher=<algorithm>   # Symmetric cipher
  kdf=<KDF>            # Key derivation function
  digest=<digest>      # Digest for DSA
  kem_mode=<mode>      # Server (default) or client
  none                 # Disable encryption

The OAP protocol is extended to negotiate algorithms and exchange KEX
data. All KEX messages are signed using existing authentication
infrastructure for integrity and replay protection.

Tests are split into base and _pqc variants to handle conditional PQC
compilation (kex_test.c/kex_test_pqc.c, oap_test.c/oap_test_pqc.c).

Bumped minimum required OpenSSL version for encryption to 3.0
(required for HKDF API). 1.1.1 is long time EOL.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>

1 files changed, 132 insertions, 0 deletions

diff --git a/src/irmd/oap/io.c b/src/irmd/oap/io.c
new file mode 100644
index 00000000..e4189d4d
--- /dev/null
+++ b/src/irmd/oap/io.c
@@ -0,0 +1,132 @@
+/*
+ * Ouroboros - Copyright (C) 2016 - 2024
+ *
+ * OAP - File I/O for credentials and configuration
+ *
+ *    Dimitri Staessens <dimitri@ouroboros.rocks>
+ *    Sander Vrijders   <sander@ouroboros.rocks>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., http://www.fsf.org/about/contact/.
+ */
+
+#if defined(__linux__) || defined(__CYGWIN__)
+ #define _DEFAULT_SOURCE
+#else
+ #define _POSIX_C_SOURCE 200809L
+#endif
+
+#define OUROBOROS_PREFIX "irmd/oap"
+
+#include <ouroboros/crypt.h>
+#include <ouroboros/errno.h>
+#include <ouroboros/logs.h>
+
+#include "config.h"
+
+#include "io.h"
+
+#include <assert.h>
+#include <string.h>
+#include <sys/stat.h>
+
+/*
+ * Shared credential and configuration loading helpers
+ */
+
+#ifndef OAP_TEST_MODE
+
+static bool file_exists(const char * path)
+{
+        struct stat s;
+
+        if (stat(path, &s) < 0 && errno == ENOENT) {
+                log_dbg("File %s does not exist.", path);
+                return false;
+        }
+
+        return true;
+}
+
+int load_credentials(const char *                  name,
+                     const struct name_sec_paths * paths,
+                     void **                       pkp,
+                     void **                       crt)
+{
+        assert(paths != NULL);
+        assert(pkp != NULL);
+        assert(crt != NULL);
+
+        *pkp = NULL;
+        *crt = NULL;
+
+        if (!file_exists(paths->crt) || !file_exists(paths->key)) {
+                log_info("No authentication certificates for %s.", name);
+                return 0;
+        }
+
+        if (crypt_load_crt_file(paths->crt, crt) < 0) {
+                log_err("Failed to load %s for %s.", paths->crt, name);
+                goto fail_crt;
+        }
+
+        if (crypt_load_privkey_file(paths->key, pkp) < 0) {
+                log_err("Failed to load %s for %s.", paths->key, name);
+                goto fail_key;
+        }
+
+        log_info("Loaded authentication certificates for %s.", name);
+
+        return 0;
+
+ fail_key:
+        crypt_free_crt(*crt);
+        *crt = NULL;
+ fail_crt:
+        return -EAUTH;
+}
+
+int load_kex_config(const char *        name,
+                    const char *        path,
+                    struct sec_config * cfg)
+{
+        assert(name != NULL);
+        assert(cfg != NULL);
+
+        memset(cfg, 0, sizeof(*cfg));
+
+        /* Load encryption config */
+        if (!file_exists(path))
+                log_dbg("No encryption %s for %s.", path, name);
+
+        if (load_sec_config_file(cfg, path) < 0) {
+                log_warn("Failed to load %s for %s.", path, name);
+                return -1;
+        }
+
+        if (!IS_KEX_ALGO_SET(cfg)) {
+                log_info("Key exchange not configured for %s.", name);
+                return 0;
+        }
+
+        if (cfg->c.nid == NID_undef || crypt_nid_to_str(cfg->c.nid) == NULL) {
+                log_err("Invalid cipher NID %d for %s.", cfg->c.nid, name);
+                return -ECRYPT;
+        }
+
+        log_info("Encryption enabled for %s.", name);
+
+        return 0;
+}
+
+#endif /* OAP_TEST_MODE */