summaryrefslogtreecommitdiff
path: root/src/irmd/oap/tests/common.c
diff options
context:
space:
mode:
authorDimitri Staessens <dimitri@ouroboros.rocks>2026-06-11 10:03:14 +0000
committerSander Vrijders <sander@ouroboros.rocks>2026-06-29 08:32:58 +0200
commit67c55d5869d5473e5139614637f31ea37746181d (patch)
treeacc2ace032eca6eaac1110d323d6f809bb8eb364 /src/irmd/oap/tests/common.c
parentf5b15630d20acc893e3000f248f03185763f24b0 (diff)
downloadouroboros-67c55d5869d5473e5139614637f31ea37746181d.tar.gz
ouroboros-67c55d5869d5473e5139614637f31ea37746181d.zip
irmd: Specify peer authentication contract
OAP accepted requests and responses without a certificate even when the peer was expected to authenticate. An on-path attacker could strip the certificate and signature from a flow allocation response and substitute its own key exchange, silently downgrading the handshake to unauthenticated. Add an auth=required|optional policy to enc.conf, enforced per role: a client config requires the server to present a valid certificate, a server config requires the same from the client. Default is required for client side (https), optional server side. The client side default can be changed via OAP_CLIENT_AUTH_DEFAULT for testing. Replace the bare 'none' keyword with encryption=none, which disables encryption only: the digest and the authentication policy are kept, so authenticated but unencrypted flows can be configured. Configs using bare 'none' are now rejected. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src/irmd/oap/tests/common.c')
-rw-r--r--src/irmd/oap/tests/common.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/irmd/oap/tests/common.c b/src/irmd/oap/tests/common.c
index 0a1af100..c5000e48 100644
--- a/src/irmd/oap/tests/common.c
+++ b/src/irmd/oap/tests/common.c
@@ -36,6 +36,8 @@ int load_srv_kex_config(const struct name_info * info,
memset(cfg, 0, sizeof(*cfg));
+ cfg->req_auth = test_cfg.srv.req_auth;
+
if (test_cfg.srv.kex == NID_undef)
return 0;
@@ -55,6 +57,8 @@ int load_cli_kex_config(const struct name_info * info,
memset(cfg, 0, sizeof(*cfg));
+ cfg->req_auth = test_cfg.cli.req_auth;
+
if (test_cfg.cli.kex == NID_undef)
return 0;