From 044da08973957b32703fe338eb95c5171ce471ba Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <dimitri@ouroboros.rocks>
Date: Sat, 7 Mar 2026 20:54:31 +0100
Subject: lib: Fix certificate DER encoding and key buffers

i2d_X509() allocated buf->data via OPENSSL_malloc(), but callers free
it with freebuf() which uses free(). Fix by allocating with malloc()
and encoding directly into the buffer. Also replaces MSGBUFSZ with
CRYPT_KEY_BUFSZ (4096) for key material buffers and removes leftover
debug logging.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 include/ouroboros/crypt.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'include')

diff --git a/include/ouroboros/crypt.h b/include/ouroboros/crypt.h
index c0b001d1..5e082bb9 100644
--- a/include/ouroboros/crypt.h
+++ b/include/ouroboros/crypt.h
@@ -33,7 +33,6 @@
 #define MAX_HASH_SIZE    64 /* SHA-512/BLAKE2b max */
 #define KEX_ALGO_BUFSZ   32
 #define KEX_CIPHER_BUFSZ 32
-#define MSGBUFSZ         2048
 
 /*
  * On OSX the OpenSSL NIDs are automatically loaded with evp.h.
@@ -95,6 +94,8 @@
 #define X448MLKEM1024_PKSZ    1624  /* 56 + 1568 */
 #define X448MLKEM1024_SKSZ    3224  /* 56 + 3168 */
 
+#define CRYPT_KEY_BUFSZ       4096  /* Safe buffer for key material */
+
 #define KEM_MODE_SERVER_ENCAP 0     /* Server encapsulates (default) */
 #define KEM_MODE_CLIENT_ENCAP 1     /* Client encapsulates           */
 #define IS_KEX_ALGO_SET(cfg)   ((cfg)->x.nid != NID_undef)
-- 
cgit v1.2.3