From patchwork Wed May 17 11:02:30 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe <arne@rfc2549.org>
X-Patchwork-Id: 3223
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7300:7b9a:b0:c3:1364:a2a2 with SMTP id j26csp1094163dyk;
        Wed, 17 May 2023 04:03:14 -0700 (PDT)
X-Google-Smtp-Source: 
 ACHHUZ62JY+wg3TjKmncZ8bx0i6aYdr4kfHgc5RaER4epw0pzyTBmPv19a6kctJ3NPd41QBoD4j6
X-Received: by 2002:a05:6602:cb:b0:760:b591:e651 with SMTP id
 z11-20020a05660200cb00b00760b591e651mr4048398ioe.13.1684321394333;
        Wed, 17 May 2023 04:03:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684321394; cv=none;
        d=google.com; s=arc-20160816;
        b=nmbaYM1FshfzoMeg9TSHx1dma4z/x+2D19sfCAz9foSeeU13y2UfbugZO32G4JapdQ
         oyHZA+MmH9Wt18CjoJcRPFWiofXtQIB3aLEfVNnQUBBHiK5okFiHbk4LU+7EdPkQLOG9
         1PEEJ3d8+JWxfCNgf2nEVGQw4of1hGZfVf1JDJXbPYTzX+cVfHPxXyejvDPEhdPRCkiu
         3Ue4PSviZrnC5YZpJAVe6CTo68EhQHonFEfSYbGKOmO1COEnJGsPkG6y2APA7sd/LFr3
         1snIN5eBWcgHO1O0CSyEJ+VTPfzvbEhkUzsFXUwawnIXSUZB750GBv++6im7jv3uaTYY
         SqCw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature;
        bh=WfZza3DgOUo/PDT8fEMmox78A7a1R8jSjJ2xcOgeGIE=;
        b=Qi6SKmrtSPOqcFv10fVFscO4SSQ1gXtvHYWZ3KzbuvirO0S8I/w1jDZc0HqzdcAcNW
         4nSgS/q596tcmxK0lyypr7W01QxSBgqQwUs9wzFW+ytpS+rl//wd4U7Cdt59cC3Z1KHu
         71PqkVu/aFpBPEJ6WNSpHONtgkIxYdNMua3PKNBNdYyOmKfbVUOdj3OYmj6svdW5yM3h
         GfyYEpUc8VLMfAvK3ZsVc++1do1Pi51Ts8mg1tizK/HlHWxfBO/fMAkcrD/nU8fyjRI9
         YNZqfvCbyJo2z177KzdDJFG5WoO3R80lkzpNP6QGKHYYx6Z5E29+2HPipW8EwPvKwEtd
         s3gA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=AB+TnwjO;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b="OC/C9Jt4";
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 k8-20020a5d8b08000000b00766688b506fsi15027773ion.29.2023.05.17.04.03.14
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 17 May 2023 04:03:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=AB+TnwjO;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b="OC/C9Jt4";
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com)
	by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1pzEvY-0005nN-G0;
	Wed, 17 May 2023 11:02:40 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <arne@kamera.blinkt.de>) id 1pzEvX-0005nH-9B
 for openvpn-devel@lists.sourceforge.net;
 Wed, 17 May 2023 11:02:39 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=2pmU7uZFXzGp4AO0Pcel8G7858Wf28DMtRhnETY0bdw=; b=AB+TnwjOeyFsYJHk5KCHQVwPtE
 z6cetRlEhoqoP12vksKz30Ts4bSW0SmedtexNerfvkvsvUdrCMYZ9HxXL7E+xBVyceJVqsptWVmO9
 +i4+lzxvVobk4NZGmudsN61BchEC221ISaieOEOdtTuodLPjaY3QbU+Q9tPyI3yctt6Q=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id:
 Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=2pmU7uZFXzGp4AO0Pcel8G7858Wf28DMtRhnETY0bdw=; b=OC/C9Jt4w30zzVUmvxkyz4yPZs
 fYXK3MrBo5WEM5H0qpbXqjDvwOFD5g/Hqx+wehqsN0Pj1FM1fpOQ6BVTHOb0o6AQKl9vq3bvp60wi
 bmxL6wrNZOGWpVeupJaQjDmwtZplH42w5wjLJvFWel1jRiNKCt08ppD9ae6xN2/dqenY=;
Received: from mail.blinkt.de ([192.26.174.232])
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
 id 1pzEvV-0008Sc-IV for openvpn-devel@lists.sourceforge.net;
 Wed, 17 May 2023 11:02:39 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
 by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD))
 (envelope-from <arne@kamera.blinkt.de>) id 1pzEvO-0003qH-5d
 for openvpn-devel@lists.sourceforge.net;
 Wed, 17 May 2023 13:02:30 +0200
Received: (nullmailer pid 2234315 invoked by uid 10006);
 Wed, 17 May 2023 11:02:30 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 17 May 2023 13:02:30 +0200
Message-Id: <20230517110230.2234266-2-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20230517110230.2234266-1-arne@rfc2549.org>
References: <20230517110230.2234266-1-arne@rfc2549.org>
MIME-Version: 1.0
X-Spam-Score: 0.3 (/)
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-1.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: the management interface expects the management key id
 instead
 of the openvpn key id. In the past they often were the same for low ids which
 hid the bug quite well. Also do not pick uninitialised keystates (management
 key_id is not valid in these) and provide better logging when a key state
 is not found.
 Content analysis details:   (0.3 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
 mail domains are different
X-Headers-End: 1pzEvV-0008Sc-IV
Subject: [Openvpn-devel] [PATCH 2/2] Fix CR_RESPONSE mangaement message
 using wrong key_id
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1766138990735137506?=
X-GMAIL-MSGID: =?utf-8?q?1766138990735137506?=

the management interface expects the management key id instead
of the openvpn key id. In the past they often were the same for low ids
which hid the bug quite well.

Also do not pick uninitialised keystates (management key_id is not valid
in these) and provide better logging when a key state is not found.

Change-Id: If9fa1165a0e886b570b3738546ed810a32367cbe
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/push.c       | 4 ++--
 src/openvpn/ssl_common.h | 2 +-
 src/openvpn/ssl_verify.c | 5 +++++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 8e9627199..8f0a534ac 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -267,9 +267,9 @@ receive_cr_response(struct context *c, const struct buffer *buffer)
     struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
     struct man_def_auth_context *mda = session->opt->mda_context;
     struct env_set *es = session->opt->es;
-    int key_id = get_primary_key(c->c2.tls_multi)->key_id;
+    unsigned int mda_key_id = get_primary_key(c->c2.tls_multi)->mda_key_id;
 
-    management_notify_client_cr_response(key_id, mda, es, m);
+    management_notify_client_cr_response(mda_key_id, mda, es, m);
 #endif
 #if ENABLE_PLUGIN
     verify_crresponse_plugin(c->c2.tls_multi, m);
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index ebfd25432..be0f18746 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -733,7 +733,7 @@ get_key_by_management_key_id(struct tls_multi *multi, unsigned int mda_key_id)
     for (int i = 0; i < KEY_SCAN_SIZE; ++i)
     {
         struct key_state *ks = get_key_scan(multi, i);
-        if (ks->mda_key_id == mda_key_id)
+        if (ks->mda_key_id == mda_key_id && ks->state > S_UNDEF)
         {
             return ks;
         }
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 4c78c2b2c..567f55ea3 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1279,6 +1279,11 @@ tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, con
         {
             ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED;
         }
+        else
+        {
+            msg(D_TLS_DEBUG_LOW, "%s: no key state found for management key id "
+                "%d", __func__, mda_key_id);
+        }
     }
     return (bool) ks;
 }