From patchwork Tue May 16 16:34:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 3219 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:7b9a:b0:c3:1364:a2a2 with SMTP id j26csp598909dyk; Tue, 16 May 2023 09:35:07 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7+h+wI7gZysK76MojUV8+QpMLavTySbz1+eLPAwZES+zKU/gMQ3FabC0vB0DoNB3i7MeHA X-Received: by 2002:a92:c8c5:0:b0:335:3568:dc67 with SMTP id c5-20020a92c8c5000000b003353568dc67mr24788555ilq.15.1684254907676; Tue, 16 May 2023 09:35:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684254907; cv=none; d=google.com; s=arc-20160816; b=bbs5uVqrpcrRiKSDkGfeoJjPn8CP1ShJ7H6VY87mLsHz4Wyy72u/KGEzPNU2LedzCz yPFQ72WzD7Gdc+zvrB9dX2cQJAxOsT8dMtKmx2WM0DCbuuEOZNUVvhq7FroGPAAvdFn1 OkSkG045Ofj8wmsL9/GUh5GCvKPwlw4xCbpqbQYpYds5nnnZVMBNFTG74wrMEQt3YDvO j59JVCPJRAYomMOYaN8pK5BMBnc44ESb2rpZC17CHdOQD/XdSh/rrYtTtjYHNDlRIwNJ EwScgjtIhHiwvJzAF5Dn5COfXONzuhjhFaA144Rj33Z3JdolfQz9CH/3vUI41JYIVcC9 rjmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:dkim-signature; bh=zzQEM4r8Bu4MYcMZ243g2ZxAtenMT+5eqxSVvWODims=; b=U4o87XwSghKAEaImbAURjQAgqt4HPc2+gpfIhPJGOMwEJyRBoy3RZMeOxenJaYbEQr TktQIJ3TZbooXKbqmHl19PdMZLvn4pr14IrlQ7o+6RclHYQOI0SNeij3BnOvUs9IDcgC 97zbt5+Ktr4BxWahffnuXQzx6GCsWiXEbXTLi1jP5hdoMPrAhgM8p+jTMImR5Iwx6saA fRG+t9jOAJKtg4V3f6IXdhpAOf3kB1LD6dTqNnSBVcBKxuejyrXqWQ8O29A4CjYbybGd wbA3iY3pVnc3PeJOx3wUx7g3t/4IzOK2jTEXqNuxYwSYqX+XHS82jQN0Xg1KMh3o89R2 1U1w== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=RsOdWVxr; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=kgIcw0tW; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id h30-20020a022b1e000000b00411bed79c8fsi12402602jaa.92.2023.05.16.09.35.07 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 16 May 2023 09:35:07 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=RsOdWVxr; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=kgIcw0tW; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1pyxcz-0002kl-HS; Tue, 16 May 2023 16:34:21 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1pyxcw-0002kf-Si for openvpn-devel@lists.sourceforge.net; Tue, 16 May 2023 16:34:19 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=GStdFqYdeAtIcEd2b67rHHJDxdcFZ/9HRaY+hM3wgKw=; b=RsOdWVxr9ef9lDykXf0odNJcW0 xy4EQUKcjTG9iHH0MEbvB2pnnMYZtTzp2Ew2zi9GwndFh+LGv/r1cX2KlYCYTSX5eQ1+1CVVA7lc7 cRP0VjESnKZEagVWLuHm1F1tvwD2HGedV5w/dd7pYLuLNZ1d0R2uL6BokA1nqoW4JTfk=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=GStdFqYdeAtIcEd2b67rHHJDxdcFZ/9HRaY+hM3wgKw=; b=k gIcw0tWB/4zmyr+QrBpHUJG27YaDFbx4ZUYDDHWmwRDEURltb0hhLHhRbWY2vZ5gGSxd/3wPB00yb 2LFugJ8N5T6v75Ixk/AOKELa2etu4xQzj8UhfKqwudNxUXZ9lHVYNW3ViUEyd/Yi4TjbXHAIydtdI O4s1g0LQcAYCULVQ=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1pyxct-009pDP-H4 for openvpn-devel@lists.sourceforge.net; Tue, 16 May 2023 16:34:18 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1pyxcf-000Mnn-53 for openvpn-devel@lists.sourceforge.net; Tue, 16 May 2023 18:34:01 +0200 Received: (nullmailer pid 2101324 invoked by uid 10006); Tue, 16 May 2023 16:34:01 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 16 May 2023 18:34:01 +0200 Message-Id: <20230516163401.2101274-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Score: 0.3 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: the management interface expects the management key id instead of the openvpn key id. In the past they often were the same for low ids which hid the bug quite well. Also do not pick uninitialised keystates (management key_id is not valid in these) and provide better logging when a key state is not found. Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different X-Headers-End: 1pyxct-009pDP-H4 Subject: [Openvpn-devel] [PATCH] Fix CR_RESPONSE mangaement message using wrong key_id X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1766069273976200376?= X-GMAIL-MSGID: =?utf-8?q?1766069273976200376?= the management interface expects the management key id instead of the openvpn key id. In the past they often were the same for low ids which hid the bug quite well. Also do not pick uninitialised keystates (management key_id is not valid in these) and provide better logging when a key state is not found. Change-Id: If9fa1165a0e886b570b3738546ed810a32367cbe Signed-off-by: Arne Schwabe --- src/openvpn/push.c | 4 ++-- src/openvpn/ssl_common.h | 2 +- src/openvpn/ssl_verify.c | 5 +++++ 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 54e53f6aa..99abe5440 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -267,9 +267,9 @@ receive_cr_response(struct context *c, const struct buffer *buffer) struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; struct man_def_auth_context *mda = session->opt->mda_context; struct env_set *es = session->opt->es; - int key_id = get_primary_key(c->c2.tls_multi)->key_id; + unsigned int mda_key_id = get_primary_key(c->c2.tls_multi)->mda_key_id; - management_notify_client_cr_response(key_id, mda, es, m); + management_notify_client_cr_response(mda_key_id, mda, es, m); #endif #if ENABLE_PLUGIN verify_crresponse_plugin(c->c2.tls_multi, m); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index ebfd25432..be0f18746 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -733,7 +733,7 @@ get_key_by_management_key_id(struct tls_multi *multi, unsigned int mda_key_id) for (int i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = get_key_scan(multi, i); - if (ks->mda_key_id == mda_key_id) + if (ks->mda_key_id == mda_key_id && ks->state > S_UNDEF) { return ks; } diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 4c78c2b2c..567f55ea3 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1279,6 +1279,11 @@ tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, con { ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED; } + else + { + msg(D_TLS_DEBUG_LOW, "%s: no key state found for management key id " + "%d", __func__, mda_key_id); + } } return (bool) ks; }