From patchwork Tue Dec 13 22:54:30 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2905
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 13 Dec 2022 23:54:30 +0100
Message-Id: <20221213225430.1892940-3-arne@rfc2549.org>
In-Reply-To: <20221213225430.1892940-1-arne@rfc2549.org>
References: <20221213225430.1892940-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 3/3] Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range

We have 6 key slots but normally only consider 3 of them to be active/valid keys. Especially the secondary key of TM_LAME_DUCK can in rare corner cases have a key that is still installed in the kernel.
While this should not cause any issues since I do not see a way for this key to become active ever again, it is better to keep the state correctly.

Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/dco.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 36bfbf10a..20196fe5d 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -221,13 +221,17 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) multi->dco_keys_installed = 1; } - /* all keys that are not installed are set to NOT installed */ - for (int i = 0; i < KEY_SCAN_SIZE; ++i) + /* all keys that are not installed are set to NOT installed. Include also + * keys that might even be considered as active keys to be sure*/ + for (int i = 0; i < TM_SIZE; ++i) { - struct key_state *ks = get_key_scan(multi, i); - if (ks != primary && ks != secondary) + for (int j = 0; j < KS_SIZE; j++) { - ks->dco_status = DCO_NOT_INSTALLED; + struct key_state *ks = &multi->session[i].key[j]; + if (ks != primary && ks != secondary) + { + ks->dco_status = DCO_NOT_INSTALLED; + } } } return true;
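Review bot: the new comment above the `for (int i = 0; i < TM_SIZE; ++i)` loop ends in `to be sure*/` with no space before the closing delimiter and reads awkwardly; suggest something like `/* ... Also clear slots that might otherwise be considered active, to be sure. */`. Minor style point in the same hunk: the inner loop is written `for (int j = 0; j < KS_SIZE; j++)` while the outer loop uses `++i`; keep one increment form. On the logic, the commit message says a lame-duck secondary key can still be installed in the kernel, yet the loop only flips the userspace `ks->dco_status` to `DCO_NOT_INSTALLED` and issues no delete for that slot; since the message argues this is harmless because the key can never become active again, that reasoning (and that the kernel-side entry is intentionally left in place) belongs in the code comment so the next reader does not take the flag as proof the kernel key is gone.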