From patchwork Mon Jul 10 11:37:04 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3281
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Jul 2023 13:37:04 +0200
Message-Id: <20230710113704.344360-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20230517110230.2234266-1-arne@rfc2549.org>
References: <20230517110230.2234266-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3] Introduce get_key_by_management_key_id helper function

This function allows us to map from a management key id to a key structure and also allows this function to be reused.

Patch v2: add message when key is not found.
Patch v3: only consider valid keys

Change-Id: I42d8785959c24bf688190965e58b9b98251b8557
Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl_common.h | 20 ++++++++++++++++++++
 src/openvpn/ssl_verify.c | 23 +++++++++++++----------
 2 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 27b029479..be0f18746 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -722,4 +722,24 @@ get_primary_key(const struct tls_multi *multi) return &multi->session[TM_ACTIVE].key[KS_PRIMARY]; } +#ifdef ENABLE_MANAGEMENT +/** + * Gets the \c key_state object that belong to the management key id or + * return NULL if not found. + */ +static inline struct key_state * +get_key_by_management_key_id(struct tls_multi *multi, unsigned int mda_key_id) +{ + for (int i = 0; i < KEY_SCAN_SIZE; ++i) + { + struct key_state *ks = get_key_scan(multi, i); + if (ks->mda_key_id == mda_key_id && ks->state > S_UNDEF) + { + return ks; + } + } + return NULL; +} +#endif + #endif /* SSL_COMMON_H_ */ diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 90416b69e..2395e55c8 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1266,22 +1266,25 @@ tls_authentication_status(struct tls_multi *multi) bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason) { - bool ret = false; + struct key_state *ks = NULL; if (multi) { - int i; + auth_set_client_reason(multi, client_reason); - for (i = 0; i < KEY_SCAN_SIZE; ++i) + ks = get_key_by_management_key_id(multi, mda_key_id); + + if (ks) { - struct key_state *ks = get_key_scan(multi, i); - if (ks->mda_key_id == mda_key_id) - { - ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED; - ret = true; - } + ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED; } + else + { + msg(D_TLS_DEBUG_LOW, "%s: no key state found for management key id " + "%d", __func__, mda_key_id); + } + } - return ret; + return (bool) ks; } #endif /* ifdef ENABLE_MANAGEMENT */
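Review bot: in the ssl_common.h hunk, get_key_by_management_key_id returns the first key_state whose mda_key_id matches and whose state is above S_UNDEF, while the loop it replaces in tls_authenticate_key updated every key_state with a matching mda_key_id; the two are only equivalent if at most one key_state with state > S_UNDEF can carry a given mda_key_id, so that invariant deserves a sentence in the doc comment. The comment itself should also read "Gets the \c key_state object that belongs to the management key id or returns NULL if not found."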
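Review bot: in the ssl_verify.c hunk, the new debug message formats mda_key_id with "%d" although the parameter is declared `const unsigned int mda_key_id`; use "%u" so the conversion specifier matches the type. Likewise `return (bool) ks;` relies on an implicit pointer-to-bool conversion; `return ks != NULL;` states the intent directly and avoids the cast.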