summaryrefslogtreecommitdiff
path: root/src/ipcpd/unicast/pff
Commit message (Collapse)AuthorAgeFilesLines
* lib: Add post-quantum cryptography supportDimitri Staessens11 days1-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds initial support for runtime-configurable encryption and post-quantum Key Encapsulation Mechanisms (KEMs) and authentication (ML-DSA). Supported key exchange algorithms: ECDH: prime256v1, secp384r1, secp521r1, X25519, X448 Finite Field DH: ffdhe2048, ffdhe3072, ffdhe4096 ML-KEM (FIPS 203): ML-KEM-512, ML-KEM-768, ML-KEM-1024 Hybrid KEMs: X25519MLKEM768, X448MLKEM1024 Supported ciphers: AEAD: aes-128-gcm, aes-192-gcm, aes-256-gcm, chacha20-poly1305 CTR: aes-128-ctr, aes-192-ctr, aes-256-ctr Supported HKDFs: sha256, sha384, sha512, sha3-256, sha3-384, sha3-512, blake2b512, blake2s256 Supported Digests for DSA: sha256, sha384, sha512, sha3-256, sha3-384, sha3-512, blake2b512, blake2s256 PQC support requires OpenSSL 3.4.0+ and is detected automatically via CMake. A DISABLE_PQC option allows building without PQC even when available. KEMs differ from traditional DH in that they require asymmetric roles: one party encapsulates to the other's public key. This creates a coordination problem during simultaneous reconnection attempts. The kem_mode configuration parameter resolves this by pre-assigning roles: kem_mode=server # Server encapsulates (1-RTT, full forward secrecy) kem_mode=client # Client encapsulates (0-RTT, cached server key) The enc.conf file format supports: kex=<algorithm> # Key exchange algorithm cipher=<algorithm> # Symmetric cipher kdf=<KDF> # Key derivation function digest=<digest> # Digest for DSA kem_mode=<mode> # Server (default) or client none # Disable encryption The OAP protocol is extended to negotiate algorithms and exchange KEX data. All KEX messages are signed using existing authentication infrastructure for integrity and replay protection. Tests are split into base and _pqc variants to handle conditional PQC compilation (kex_test.c/kex_test_pqc.c, oap_test.c/oap_test_pqc.c). Bumped minimum required OpenSSL version for encryption to 3.0 (required for HKDF API). 1.1.1 is long time EOL. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* build: Add option to toggle Ouroboros logging in testsDimitri Staessens11 days1-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | The test output is a bit polluted with logs originating fomr the logging system, e.g.: 23: test_bind_prog started. 23: ==16636== reg/name(DB): Add prog reg_test to name testname. 23: ==16636== reg(EE): Removing from names. 23: test_bind_prog succeeded. This adds a flag DISABLE_TEST_LOGGING that suppresses log_* output in tests to keep them clean: 23: test_bind_prog started. 23: test_bind_prog succeeded. The status is printed in CMake output: -- Ouroboros logging in test output disabled -- Ouroboros logging in test output enabled By default the flag is ON (clean test output). Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* build: Refactor CMake modulesDimitri Staessens2026-01-071-1/+5
| | | | | | | | | This moves the CMake build logic out of the source tree and splits it up into a more modular form. The tests now have a CMakeLists.txt file in their respective source directory. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* build: Add build_tests targetThijs Paelman2025-11-211-1/+1
| | | | | | | | | This intermediate target only builds all the tests, it doesn't run them. It is added for clarifying the different steps involved in testing. The 'check' target still builds AND runs the tests as before. Signed-off-by: Thijs Paelman <thijs@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* build: Include tests in 'all' targetThijs Paelman2025-11-071-1/+1
| | | | | | | | | | | | When BUILD_TESTING=ON, then the default 'all' target will now build also the tests. This behaviour could be controlled by an extra variable (see https://stackoverflow.com/a/42235335), but this increases complexity without many benefits. Signed-off-by: Thijs Paelman <thijs@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* build: Fix tests with CMake >= 3.29Dimitri Staessens2024-04-161-1/+5
| | | | | | | | | | | | | | | | | | Removing the testdriver source by the driver name doesn't work anymore in CMake 3.29 because of the following (breaking) change: Changed in version 3.29: The test driver source is listed by absolute path in the build tree. Previously it was listed only as <driverName>. https://cmake.org/cmake/help/latest/command/create_test_sourcelist.html When using CMake 3.29 or above, Ouroboros will use the list POP_FRONT function (introduced in CMake 3.15) to get rid of it. https://cmake.org/cmake/help/latest/command/list.html#pop-front Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* build: Update licenses to 2024Dimitri Staessens2024-01-1311-11/+11
| | | | | | | Slow but steady. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* build: Update copyright to 2023Dimitri Staessens2023-02-1311-11/+11
| | | | | | | 2022 was a rather slow year... Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* build: Update copyright to 2022Dimitri Staessens2022-04-0311-11/+11
| | | | | | | Growing pains. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* ipcpd: Fix hashing and overlapping memcpy in pffDimitri Staessens2022-02-182-12/+4
| | | | | | | | | The pft hash function assumed mem_hash allocates memory, but it does not. There was also a memcpy with potentially overlapping memory regions, which is undefined behaviour. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* ipcpd: Use wrlock for rotating multipath pff entryDimitri Staessens2021-12-291-12/+14
| | | | | | | | The multipath pff entry was modified (rotated) under a read lock, which is now changed to a write lock. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* ipcpd: Consolidate policies within folderDimitri Staessens2021-12-061-0/+25
| | | | | | | | Each policy folder will now have a pol.h file, so that (in most cases) adding a new policy only requires changes inside the policy folder. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
* ipcpd: Restructure policy codeDimitri Staessens2021-12-0611-0/+1465
The policies were all in a single folder pol/, and have been moved to a folder per component/mechanism to keep things a bit more orderly. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
generated by cgit v1.2.3 (git 2.39.1) at 2026-01-29 23:43:52 +0000