From 4c836008dcac27e0a8258b07270a8a529b2d9167 Mon Sep 17 00:00:00 2001 From: Dimitri Staessens Date: Thu, 2 Jul 2026 01:06:33 +0200 Subject: irmd: Fix OAP re-key header encode The oap_hdr_encode() function validated its own output by re-decoding with rekey hardcoded false. The case where the client signs a re-key failed its own self-check because the cert is not sent again. Now uses a flag on the encode() to signal the signed re-key without certificate. Also fixes a double free after a failed self-decode check. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders --- src/irmd/oap/srv.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'src/irmd/oap/srv.c') diff --git a/src/irmd/oap/srv.c b/src/irmd/oap/srv.c index 5d631618..cc3dec5b 100644 --- a/src/irmd/oap/srv.c +++ b/src/irmd/oap/srv.c @@ -400,6 +400,7 @@ int oap_srv_process(const struct name_info * info, void * pkp = NULL; void * crt = NULL; int req_md_nid; + int enc_flags = 0; int ret; assert(info != NULL); @@ -426,6 +427,9 @@ int oap_srv_process(const struct name_info * info, crt = NULL; } + if (rekey) + enc_flags = OAP_ENC_REKEY; + if (load_srv_sec_config(info, &scfg) < 0) { log_err("Failed to load security config for %s.", info->name); goto fail_kex; @@ -535,7 +539,7 @@ int oap_srv_process(const struct name_info * info, } ret = oap_hdr_encode(&local_hdr, pkp, crt, &scfg, - rsp_tag, req_md_nid, seal_key); + rsp_tag, req_md_nid, seal_key, enc_flags); crypt_secure_clear(hs_key, SYMMKEYSZ); -- cgit v1.2.3