ouroboros/src/lib, branch be

lib: Fix certificate DER encoding and key buffers

2026-03-14T10:23:59+00:00

i2d_X509() allocated buf->data via OPENSSL_malloc(), but callers free it with freebuf() which uses free(). Fix by allocating with malloc() and encoding directly into the buffer. Also replaces MSGBUFSZ with CRYPT_KEY_BUFSZ (4096) for key material buffers and removes leftover debug logging. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Fix initialization when listing names

2026-03-14T10:23:52+00:00

Now uses calloc to zero the previously uninitialized security path fields. Also fixes a check in protobuf.c Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Fix missing cleanup in authentication path

2026-03-14T10:23:24+00:00

When auth_verify_crt fails (e.g., missing root CA), crypt_get_pubkey_crt has already allocated pk but only crt was freed. Adds a crypt_cleanup() function to wrap OpenSSL_cleanup(), as OpenSSL lazily initializes a global decoder/provider registry the first time PEM_read_bio or OSSL_DECODER_CTX_new_for_pkey is called, and this leaves some memory owned by OpenSSL that triggers the leak sanitizer. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Add tests for missing root CA

2026-03-14T10:23:18+00:00

This adds authentication tests to verify flows are rejected with a missing root CA certificate in the store. Also adds one for the OAP protocol. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Fix chown of GSPP to ouroboros group

2026-03-14T10:23:02+00:00

The Global Shared Packet Pool (GSPP) was not correctly chowned to the ouroboros group. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Fix ssm pool double free

2026-02-22T15:04:31+00:00

Remove double-free in ssm_pool_destroy — ssm_pool_close already frees the pool. The pool sharding test had a free spbs/ptrs on partial malloc failure. Now initializes children array to -1 to prevent reading uninitialized values. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Fix invalid malloc pointer type

2026-02-22T15:04:24+00:00

The static analyzer complained about the struct in6_addr malloc being converted to uint8_t *. Fixed by casting IN6_LEN to a size_t numeric value instead of the direct sizeof. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Add struct llist for lists tracking len

2026-02-18T06:58:21+00:00

The DHT uses a struct {struct list_head, size_t len} pattern, which is also useful in the registry and other places. Having a struct llist (defined in list.h) with consistent macros for addition/deletion etc removes a lot of duplication and boilerplate and reduces the risk of inconsistent updates. The list management is now a macro-only implementation. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

2026-02-18T06:54:56+00:00

Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders

lib: Add SLH-DSA tests and per-algorithm PQC gating

2026-02-18T06:53:35+00:00

This replaces the single HAVE_OPENSSL_PQC/DISABLE_PQC with per-algorithm CMake variables (ML-KEM, ML-DSA, SLH-DSA), gated by the OpenSSL versions: ML-KEM and ML-DSA require >= 3.4, SLH-DSA >= 3.5. SLH-DSA was already working, but now added explicit authentication tests for it with a full certificate chain (root CA, intermediate CA, server) to show full support. Rename PQC test files and cert headers to use algorithm-specific names (ml_kem, ml_dsa, slh_dsa) and move cert headers to include/test/certs/. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders