[Openvpn-devel,v2,1/2] Introduce get_key_by_management_key_id helper function

Message ID 20230522101138.2842378-1-arne@rfc2549.org
State Superseded
Headers show
Series [Openvpn-devel,v2,1/2] Introduce get_key_by_management_key_id helper function | expand

Commit Message

Arne Schwabe May 22, 2023, 10:11 a.m. UTC
This function allows us to map from a management key id to a key structure
and also allows this function to be reused.

Patch v2: add message when key is not found.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_common.h | 20 ++++++++++++++++++++
 src/openvpn/ssl_verify.c | 23 +++++++++++++----------
 2 files changed, 33 insertions(+), 10 deletions(-)

Patch

diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 27b029479..ebfd25432 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -722,4 +722,24 @@  get_primary_key(const struct tls_multi *multi)
     return &multi->session[TM_ACTIVE].key[KS_PRIMARY];
 }
 
+#ifdef ENABLE_MANAGEMENT
+/**
+ * Gets the \c key_state  object that belong to the management key id or
+ * return NULL if not found.
+ */
+static inline struct key_state *
+get_key_by_management_key_id(struct tls_multi *multi, unsigned int mda_key_id)
+{
+    for (int i = 0; i < KEY_SCAN_SIZE; ++i)
+    {
+        struct key_state *ks = get_key_scan(multi, i);
+        if (ks->mda_key_id == mda_key_id)
+        {
+            return ks;
+        }
+    }
+    return NULL;
+}
+#endif
+
 #endif /* SSL_COMMON_H_ */
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 1b589f1a6..d4d291098 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1268,22 +1268,25 @@  tls_authentication_status(struct tls_multi *multi)
 bool
 tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
 {
-    bool ret = false;
+    struct key_state *ks = NULL;
     if (multi)
     {
-        int i;
+
         auth_set_client_reason(multi, client_reason);
-        for (i = 0; i < KEY_SCAN_SIZE; ++i)
+        ks = get_key_by_management_key_id(multi, mda_key_id);
+
+        if (ks)
         {
-            struct key_state *ks = get_key_scan(multi, i);
-            if (ks->mda_key_id == mda_key_id)
-            {
-                ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED;
-                ret = true;
-            }
+            ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED;
         }
+        else
+        {
+            msg(D_TLS_DEBUG_LOW, "%s: no key state found for management key id "
+                "%d", __func__, mda_key_id);
+        }
+
     }
-    return ret;
+    return (bool) ks;
 }
 #endif /* ifdef ENABLE_MANAGEMENT */