From 2c717b2fc9773a74d6c9df01a2f873deea163918 Mon Sep 17 00:00:00 2001
From: Dimitri Staessens <dimitri@ouroboros.rocks>
Date: Sun, 15 Feb 2026 22:39:52 +0100
Subject: irmd: Check for PQC support when loading config

The IRMd will now report a PQC algorithm in the enc.conf file if it is
not supported, instead of failing on KEM key generation.

Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
---
 src/irmd/oap/io.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'src/irmd')

diff --git a/src/irmd/oap/io.c b/src/irmd/oap/io.c
index e4189d4d..8f75a8d8 100644
--- a/src/irmd/oap/io.c
+++ b/src/irmd/oap/io.c
@@ -118,9 +118,15 @@ int load_kex_config(const char *        name,
                 log_info("Key exchange not configured for %s.", name);
                 return 0;
         }
-
-        if (cfg->c.nid == NID_undef || crypt_nid_to_str(cfg->c.nid) == NULL) {
-                log_err("Invalid cipher NID %d for %s.", cfg->c.nid, name);
+#ifndef HAVE_OPENSSL_PQC
+        if (IS_KEM_ALGORITHM(cfg->x.str)) {
+                log_err("PQC not available, can't use %s for %s.",
+                        cfg->x.str, name);
+                return -ENOTSUP;
+        }
+#endif
+        if (cfg->c.nid == NID_undef) {
+                log_err("Invalid cipher for %s.", name);
                 return -ECRYPT;
         }
 
-- 
cgit v1.2.3