From patchwork Tue Jul 11 07:36:54 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3282
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 11 Jul 2023 09:36:54 +0200
Message-Id: <20230711073654.442125-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20230517110230.2234266-1-arne@rfc2549.org>
References: <20230517110230.2234266-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3] Introduce get_key_by_management_key_id helper function

This function allows us to map from a management key id to a key structure
and also allows this function to be reused.

Patch v2: add message when key is not found.
Patch v3: only consider valid keys

Change-Id: I42d8785959c24bf688190965e58b9b98251b8557
Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl_common.h | 20 ++++++++++++++++++++
 src/openvpn/ssl_verify.c | 23 +++++++++++++----------
 2 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 27b029479..be0f18746 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h
@@ -722,4 +722,24 @@ get_primary_key(const struct tls_multi *multi) return &multi->session[TM_ACTIVE].key[KS_PRIMARY]; } +#ifdef ENABLE_MANAGEMENT +/** + * Gets the \c key_state object that belong to the management key id or + * return NULL if not found. + */ +static inline struct key_state * +get_key_by_management_key_id(struct tls_multi *multi, unsigned int mda_key_id) +{ + for (int i = 0; i < KEY_SCAN_SIZE; ++i) + { + struct key_state *ks = get_key_scan(multi, i); + if (ks->mda_key_id == mda_key_id && ks->state > S_UNDEF) + { + return ks; + } + } + return NULL; +} +#endif + #endif /* SSL_COMMON_H_ */ diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 90416b69e..2395e55c8 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1266,22 +1266,25 @@ tls_authentication_status(struct tls_multi *multi) bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason) { - bool ret = false; + struct key_state *ks = NULL; if (multi) { - int i; + auth_set_client_reason(multi, client_reason); - for (i = 0; i < KEY_SCAN_SIZE; ++i) + ks = get_key_by_management_key_id(multi, mda_key_id); + + if (ks) { - struct key_state *ks = get_key_scan(multi, i); - if (ks->mda_key_id == mda_key_id) - { - ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED; - ret = true; - } + ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED; } + else + { + msg(D_TLS_DEBUG_LOW, "%s: no key state found for management key id " + "%d", __func__, mda_key_id); + } + } - return ret; + return (bool) ks; } #endif /* ifdef ENABLE_MANAGEMENT */
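Review bot: the doc comment on get_key_by_management_key_id in the ssl_common.h hunk should state what the `ks->state > S_UNDEF` test does, since that filter is the v3 change and is what keeps a cleared or never-initialised key slot from being returned; suggest "Returns the \c key_state that belongs to the management key id, skipping key states still in S_UNDEF, or NULL if none is found." (the current "that belong ... or return NULL" also has a number-agreement slip). A @param/@return block would match the other documented helpers in this header. It is also worth noting in the comment that the helper returns the first matching key state only, so a caller never sees a second slot with the same mda_key_id.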
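Review bot: in the new else branch of tls_authenticate_key the format string uses "%d" for mda_key_id, but the function signature declares it `const unsigned int`; use "%u" so the argument and conversion agree. The closing `return (bool) ks;` relies on pointer-to-_Bool conversion, which is well defined in C99 but reads like a truncating cast; `return ks != NULL;` says what is meant. There is also a behavioural change this hunk should call out in the commit message: the removed loop set mda_status on every key state whose mda_key_id matched (no break), whereas get_key_by_management_key_id returns only the first match with state above S_UNDEF, so the return value now means "one valid key with this id was found and updated" rather than "at least one entry matched".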