| author | Dimitri Staessens <dimitri@ouroboros.rocks> | 2026-06-21 13:58:39 +0200 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2026-06-29 08:33:00 +0200 |
| commit | 552a4c4469db1cedacc02eb4f9969afe73e0fb42 (patch) | |
| tree | 446e417dab488917bca33e38d009271961d794f0 /src | |
| parent | a4cb64c2dea5d1dc4d0f915c160513d0d751a8c4 (diff) | |
| download | ouroboros-552a4c4469db1cedacc02eb4f9969afe73e0fb42.tar.gz ouroboros-552a4c4469db1cedacc02eb4f9969afe73e0fb42.zip | |
irmd: Reject unsupported OAP kex and cipher
Validate the configured key exchange and cipher against the supported
ranks (returning ENOTSUP) instead of only rejecting an undefined
cipher NID, so an unsupported algorithm is caught at config load.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src')
| -rw-r--r-- | src/irmd/oap/io.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/irmd/oap/io.c b/src/irmd/oap/io.c index dc71fe9e..143ae65e 100644 --- a/src/irmd/oap/io.c +++ b/src/irmd/oap/io.c @@ -140,8 +140,13 @@ int load_kex_config(const char * name, return -ENOTSUP; } #endif - if (cfg->c.nid == NID_undef) { - log_err("Invalid cipher for %s.", name); + if (crypt_kex_rank(cfg->x.nid) < 1) { + log_err("Key exchange not supported for %s.", name); + return -ENOTSUP; + } + + if (crypt_cipher_rank(cfg->c.nid) < 1) { + log_err("Cipher not supported for %s.", name); return -ECRYPT; } |
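Review bot: The new cipher check at the end of the hunk logs "Cipher not supported for %s." but still falls through to the unchanged `return -ECRYPT;`, while the key exchange check just above it returns `-ENOTSUP` and the commit message says unsupported algorithms are rejected with ENOTSUP. A caller that distinguishes the two codes will see an unsupported cipher reported differently from an unsupported key exchange. Either change the cipher branch to `return -ENOTSUP;` so both checks agree with the log text and the commit message, or keep `-ECRYPT` and state in the commit message why the cipher case differs. It would also help to add a short comment on what a rank below 1 means for `crypt_kex_rank()` and `crypt_cipher_rank()`, since the `< 1` comparison now covers both the undefined NID that the removed `NID_undef` test caught and any defined but unranked algorithm.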
