5 files changed, 80 insertions, 4 deletions

diff --git a/src/irmd/oap/auth.c b/src/irmd/oap/auth.c
index a11ab158..4b86f055 100644
--- a/src/irmd/oap/auth.c
+++ b/src/irmd/oap/auth.c
@@ -183,7 +183,7 @@ int oap_auth_peer(char *                 name,
                   const struct oap_hdr * peer_hdr)
 {
         void *     crt;
-        void *     pk;
+        void *     pk  = NULL;
         buffer_t   sign; /* Signed region */
         uint8_t *  id = peer_hdr->id.data;
 
@@ -244,8 +244,8 @@ int oap_auth_peer(char *                 name,
         return 0;
 
  fail_check_sig:
-        crypt_free_key(pk);
  fail_crt:
+        crypt_free_key(pk);
         crypt_free_crt(crt);
  fail_check:
         return -EAUTH;
diff --git a/src/irmd/oap/cli.c b/src/irmd/oap/cli.c
index 507f3f81..7a202da7 100644
--- a/src/irmd/oap/cli.c
+++ b/src/irmd/oap/cli.c
@@ -50,7 +50,7 @@
 struct oap_cli_ctx {
         uint8_t           __id[OAP_ID_SIZE];
         buffer_t          id;
-        uint8_t           kex_buf[MSGBUFSZ];
+        uint8_t           kex_buf[CRYPT_KEY_BUFSZ];
         uint8_t           req_hash[MAX_HASH_SIZE];
         size_t            req_hash_len;
         int               req_md_nid;
@@ -311,6 +311,9 @@ int oap_cli_prepare(void **                  ctx,
         *req_buf = s->local_hdr.hdr;
         clrbuf(s->local_hdr.hdr);
 
+        /* oap_hdr_encode repoints id into hdr; restore to __id */
+        s->local_hdr.id = s->id;
+
         crypt_free_crt(crt);
         crypt_free_key(pkp);
 
diff --git a/src/irmd/oap/srv.c b/src/irmd/oap/srv.c
index 36391e50..afc54acc 100644
--- a/src/irmd/oap/srv.c
+++ b/src/irmd/oap/srv.c
@@ -384,7 +384,7 @@ int oap_srv_process(const struct name_info * info,
         struct oap_hdr        peer_hdr;
         struct oap_hdr        local_hdr;
         struct sec_config     kcfg;
-        uint8_t               kex_buf[MSGBUFSZ];
+        uint8_t               kex_buf[CRYPT_KEY_BUFSZ];
         uint8_t               hash_buf[MAX_HASH_SIZE];
         buffer_t              req_hash = BUF_INIT;
         ssize_t               hash_ret;
diff --git a/src/irmd/oap/tests/oap_test.c b/src/irmd/oap/tests/oap_test.c
index 2f0f0b4d..a324b586 100644
--- a/src/irmd/oap/tests/oap_test.c
+++ b/src/irmd/oap/tests/oap_test.c
@@ -1071,6 +1071,74 @@ static int test_oap_replay_packet(void)
         return TEST_RC_FAIL;
 }
 
+/* Server rejects client certificate when root CA is missing from store */
+static int test_oap_missing_root_ca(void)
+{
+        struct oap_test_ctx ctx;
+        void *              im_ca = NULL;
+
+        test_default_cfg();
+
+        TEST_START();
+
+        memset(&ctx, 0, sizeof(ctx));
+
+        strcpy(ctx.srv.info.name, "test-1.unittest.o7s");
+        strcpy(ctx.cli.info.name, "test-1.unittest.o7s");
+
+        if (oap_auth_init() < 0) {
+                printf("Failed to init OAP.\n");
+                goto fail;
+        }
+
+        /* Load intermediate CA but intentionally omit the root CA */
+        if (crypt_load_crt_str(im_ca_crt_ec, &im_ca) < 0) {
+                printf("Failed to load intermediate CA cert.\n");
+                goto fail_fini;
+        }
+
+        ctx.im_ca = im_ca;
+
+        if (oap_auth_add_ca_crt(im_ca) < 0) {
+                printf("Failed to add intermediate CA cert to store.\n");
+                goto fail_fini;
+        }
+
+        if (oap_cli_prepare_ctx(&ctx) < 0) {
+                printf("Client prepare failed.\n");
+                goto fail_fini;
+        }
+
+        /* Server processes and signs response - succeeds without root CA */
+        if (oap_srv_process_ctx(&ctx) < 0) {
+                printf("Server process failed.\n");
+                goto fail_teardown;
+        }
+
+        /* Client verifies server certificate against trust store:
+         * should reject because root CA is not in the store */
+        if (oap_cli_complete_ctx(&ctx) == 0) {
+                printf("Client should reject without root CA.\n");
+                goto fail_teardown;
+        }
+
+        oap_test_teardown(&ctx);
+
+        TEST_SUCCESS();
+        return TEST_RC_SUCCESS;
+
+ fail_teardown:
+        oap_test_teardown(&ctx);
+        TEST_FAIL();
+        return TEST_RC_FAIL;
+ fail_fini:
+        crypt_free_crt(im_ca);
+        oap_auth_fini();
+ fail:
+        TEST_FAIL();
+        return TEST_RC_FAIL;
+}
+
 /* Test that client rejects server with wrong certificate name */
 static int test_oap_server_name_mismatch(void)
 {
@@ -1149,6 +1217,7 @@ int oap_test(int    argc,
         ret |= test_oap_outdated_packet();
         ret |= test_oap_future_packet();
         ret |= test_oap_replay_packet();
+        ret |= test_oap_missing_root_ca();
         ret |= test_oap_server_name_mismatch();
 #else
         (void) test_oap_roundtrip_auth_only;
@@ -1173,9 +1242,12 @@ int oap_test(int    argc,
         (void) test_oap_outdated_packet;
         (void) test_oap_future_packet;
         (void) test_oap_replay_packet;
+        (void) test_oap_missing_root_ca;
         (void) test_oap_server_name_mismatch;
 
         ret = TEST_RC_SKIP;
 #endif
+        crypt_cleanup();
+
         return ret;
 }
diff --git a/src/irmd/oap/tests/oap_test_ml_dsa.c b/src/irmd/oap/tests/oap_test_ml_dsa.c
index f9e6bdb2..81b307ab 100644
--- a/src/irmd/oap/tests/oap_test_ml_dsa.c
+++ b/src/irmd/oap/tests/oap_test_ml_dsa.c
@@ -442,6 +442,7 @@ int oap_test_ml_dsa(int    argc,
 
         ret = TEST_RC_SKIP;
 #endif
+        crypt_cleanup();
 
         return ret;
 }