From 67c55d5869d5473e5139614637f31ea37746181d Mon Sep 17 00:00:00 2001 From: Dimitri Staessens Date: Thu, 11 Jun 2026 10:03:14 +0000 Subject: irmd: Specify peer authentication contract OAP accepted requests and responses without a certificate even when the peer was expected to authenticate. An on-path attacker could strip the certificate and signature from a flow allocation response and substitute its own key exchange, silently downgrading the handshake to unauthenticated. Add an auth=required|optional policy to enc.conf, enforced per role: a client config requires the server to present a valid certificate, a server config requires the same from the client. Default is required for client side (https), optional server side. The client side default can be changed via OAP_CLIENT_AUTH_DEFAULT for testing. Replace the bare 'none' keyword with encryption=none, which disables encryption only: the digest and the authentication policy are kept, so authenticated but unencrypted flows can be configured. Configs using bare 'none' are now rejected. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders --- cmake/config/irmd.cmake | 2 ++ 1 file changed, 2 insertions(+) (limited to 'cmake/config/irmd.cmake') diff --git a/cmake/config/irmd.cmake b/cmake/config/irmd.cmake index 45d9e73d..72463458 100644 --- a/cmake/config/irmd.cmake +++ b/cmake/config/irmd.cmake @@ -20,6 +20,8 @@ set(FLOW_ALLOC_TIMEOUT 20000 CACHE STRING # OAP (Ouroboros Authentication Protocol) set(OAP_REPLAY_TIMER 20 CACHE STRING "OAP replay protection window (s)") +set(OAP_CLIENT_AUTH_DEFAULT TRUE CACHE BOOL + "Client requires the server to authenticate by default (FALSE for testing)") set(DEBUG_PROTO_OAP FALSE CACHE BOOL "Add Flow allocation protocol message output to IRMd debug logging") -- cgit v1.2.3