From 552a4c4469db1cedacc02eb4f9969afe73e0fb42 Mon Sep 17 00:00:00 2001 From: Dimitri Staessens Date: Sun, 21 Jun 2026 13:58:39 +0200 Subject: irmd: Reject unsupported OAP kex and cipher Validate the configured key exchange and cipher against the supported ranks (returning ENOTSUP) instead of only rejecting an undefined cipher NID, so an unsupported algorithm is caught at config load. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders --- src/irmd/oap/io.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/irmd/oap/io.c b/src/irmd/oap/io.c index dc71fe9e..143ae65e 100644 --- a/src/irmd/oap/io.c +++ b/src/irmd/oap/io.c @@ -140,8 +140,13 @@ int load_kex_config(const char * name, return -ENOTSUP; } #endif - if (cfg->c.nid == NID_undef) { - log_err("Invalid cipher for %s.", name); + if (crypt_kex_rank(cfg->x.nid) < 1) { + log_err("Key exchange not supported for %s.", name); + return -ENOTSUP; + } + + if (crypt_cipher_rank(cfg->c.nid) < 1) { + log_err("Cipher not supported for %s.", name); return -ECRYPT; } -- cgit v1.2.3