From 46cc58fe1a89903f4ef928caeee1bec96ab5967b Mon Sep 17 00:00:00 2001
From: Dimitri Staessens
Date: Sun, 15 Feb 2026 22:31:33 +0100
Subject: irmd: Fix client-side encryption request
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the server had no cipher configured, sk->nid was set to NID_undef before negotiation and never updated, causing the response header to encode NID_undef as the cipher — even though negotiate_kex() correctly populated kcfg.c.nid from the client's request. Adds a test for the KEM case where the client request encryption with nothing specified server-side.

Signed-off-by: Dimitri Staessens
Signed-off-by: Sander Vrijders
---
src/irmd/oap/srv.c | 3 ---
1 file changed, 3 deletions(-)
(limited to 'src/irmd/oap/srv.c')
diff --git a/src/irmd/oap/srv.c b/src/irmd/oap/srv.c
index 93270c48..a356c62e 100644
--- a/src/irmd/oap/srv.c
+++ b/src/irmd/oap/srv.c
@@ -417,8 +417,6 @@ int oap_srv_process(const struct name_info * info, goto fail_kex; } - sk->nid = kcfg.c.nid; - /* Decode incoming header (NID_undef = request, no hash) */ if (oap_hdr_decode(&peer_hdr, req_buf, NID_undef) < 0) { log_err("Failed to decode OAP header.");
@@ -444,7 +442,6 @@ int oap_srv_process(const struct name_info * info, if (do_server_kex(info, &peer_hdr, &kcfg, &local_hdr.kex, sk) < 0) goto fail_kex; - /* Update cipher NID after negotiation */ sk->nid = kcfg.c.nid; /* Build response header with hash of client request */
-- cgit v1.2.3