[Openvpn-devel,v3] Introduce get_key_by_management_key_id helper function

Message ID 20230710113704.344360-1-arne@rfc2549.org
State New

Commit Message

Arne Schwabe July 10, 2023, 11:37 a.m. UTC
This function maps a management key id to its key_state structure, and
factoring the lookup out allows it to be reused elsewhere.

Patch v2: add message when key is not found.
Patch v3: only consider valid keys

Change-Id: I42d8785959c24bf688190965e58b9b98251b8557
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_common.h | 20 ++++++++++++++++++++
 src/openvpn/ssl_verify.c | 23 +++++++++++++----------
 2 files changed, 33 insertions(+), 10 deletions(-)

Patch

diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 27b029479..be0f18746 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -722,4 +722,24 @@  get_primary_key(const struct tls_multi *multi)
     return &multi->session[TM_ACTIVE].key[KS_PRIMARY];
 }
 
+#ifdef ENABLE_MANAGEMENT
+/**
+ * Gets the \c key_state  object that belong to the management key id or
+ * return NULL if not found.
+ */
+static inline struct key_state *
+get_key_by_management_key_id(struct tls_multi *multi, unsigned int mda_key_id)
+{
+    for (int i = 0; i < KEY_SCAN_SIZE; ++i)
+    {
+        struct key_state *ks = get_key_scan(multi, i);
+        if (ks->mda_key_id == mda_key_id && ks->state > S_UNDEF)
+        {
+            return ks;
+        }
+    }
+    return NULL;
+}
+#endif
+
 #endif /* SSL_COMMON_H_ */
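Review bot: The doc comment on get_key_by_management_key_id does not mention the `ks->state > S_UNDEF` filter, which is the one subtle part of the lookup (the v3 change in the cover text) and the thing a caller needs to know: a key slot whose id matches but that is not in use is reported as "not found". I would rewrite the comment as `Returns the key_state whose mda_key_id equals the given id and whose state is beyond S_UNDEF (i.e. the slot is in use), or NULL if there is no such key. Only the first match in get_key_scan() order is returned.`, which also fixes the grammar of "that belong to ... or return NULL". The last sentence matters because the loop returns on the first hit, whereas the previous open-coded loop in tls_authenticate_key kept scanning; if management key ids are guaranteed unique across the scan set this is harmless, but that guarantee is not visible here and is worth stating. The helper is `static inline` in the header, so whether get_key_scan() can return NULL for an index below KEY_SCAN_SIZE is not checked in this hunk; if it can, `ks->mda_key_id` dereferences NULL.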
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 90416b69e..2395e55c8 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1266,22 +1266,25 @@  tls_authentication_status(struct tls_multi *multi)
 bool
 tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
 {
-    bool ret = false;
+    struct key_state *ks = NULL;
     if (multi)
     {
-        int i;
+
         auth_set_client_reason(multi, client_reason);
-        for (i = 0; i < KEY_SCAN_SIZE; ++i)
+        ks = get_key_by_management_key_id(multi, mda_key_id);
+
+        if (ks)
         {
-            struct key_state *ks = get_key_scan(multi, i);
-            if (ks->mda_key_id == mda_key_id)
-            {
-                ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED;
-                ret = true;
-            }
+            ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED;
         }
+        else
+        {
+            msg(D_TLS_DEBUG_LOW, "%s: no key state found for management key id "
+                "%d", __func__, mda_key_id);
+        }
+
     }
-    return ret;
+    return (bool) ks;
 }
 #endif /* ifdef ENABLE_MANAGEMENT */
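Review bot: The new msg() call formats `mda_key_id`, declared `const unsigned int` in the signature, with `%d`; the matching conversion is `%u`, so the line should read `"%u", __func__, mda_key_id);` (a signed/unsigned mismatch is undefined behaviour per the C standard even where it happens to print correctly, and `-Wformat` flags it). Two smaller points of style in the same function: the empty line left at the top of the `if (multi)` body where `int i;` was removed should go, and `return (bool) ks;` is clearer as `return ks != NULL;`, which says what is tested rather than relying on the pointer-to-_Bool conversion. Note also that the previous loop set mda_status on every key whose id matched, while the helper returns only the first match; if ids are unique this is equivalent, but that assumption is not visible in the hunk and a one-line comment stating it would help future readers.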