From 4c836008dcac27e0a8258b07270a8a529b2d9167 Mon Sep 17 00:00:00 2001 From: Dimitri Staessens Date: Thu, 2 Jul 2026 01:06:33 +0200 Subject: irmd: Fix OAP re-key header encode The oap_hdr_encode() function validated its own output by re-decoding with rekey hardcoded false. The case where the client signs a re-key failed its own self-check because the cert is not sent again. Now uses a flag on the encode() to signal the signed re-key without certificate. Also fixes a double free after a failed self-decode check. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders --- src/irmd/oap/hdr.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src/irmd/oap/hdr.h') diff --git a/src/irmd/oap/hdr.h b/src/irmd/oap/hdr.h index 1a599727..66fbac9a 100644 --- a/src/irmd/oap/hdr.h +++ b/src/irmd/oap/hdr.h @@ -168,13 +168,17 @@ void oap_hdr_init(struct oap_hdr * hdr, void oap_hdr_fini(struct oap_hdr * oap_hdr); +/* oap_hdr_encode option flags */ +#define OAP_ENC_REKEY (1U << 0) /* signed, cert-less re-key packet */ + int oap_hdr_encode(struct oap_hdr * hdr, void * pkp, void * crt, struct sec_config * scfg, buffer_t rsp_tag, int req_md_nid, - const uint8_t * seal_key); + const uint8_t * seal_key, + int flags); int oap_hdr_decode(struct oap_hdr * hdr, buffer_t buf, -- cgit v1.2.3