On Mon, May 22, 2023 at 12:11:38PM +0200, Arne Schwabe wrote:
> the management interface expects the management key id instead
> of the openvpn key id. In the past they often were the same for low ids
> which hid the bug quite well.
> 
> Also do not pick uninitialised keystates (management key_id is not valid
> in these).
> 
> Patch v2: do not add logging

A similar patch was sent in via https://github.com/OpenVPN/openvpn/pull/359,
so kinda sorta acked?

> Change-Id: If9fa1165a0e886b570b3738546ed810a32367cbe
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> ---
>  src/openvpn/push.c       | 4 ++--
>  src/openvpn/ssl_common.h | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/src/openvpn/push.c b/src/openvpn/push.c
> index 8e9627199..8f0a534ac 100644
> --- a/src/openvpn/push.c
> +++ b/src/openvpn/push.c
> @@ -267,9 +267,9 @@ receive_cr_response(struct context *c, const struct 
> buffer *buffer)
>      struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
>      struct man_def_auth_context *mda = session->opt->mda_context;
>      struct env_set *es = session->opt->es;
> -    int key_id = get_primary_key(c->c2.tls_multi)->key_id;
> +    unsigned int mda_key_id = get_primary_key(c->c2.tls_multi)->mda_key_id;
>  
> -    management_notify_client_cr_response(key_id, mda, es, m);
> +    management_notify_client_cr_response(mda_key_id, mda, es, m);
>  #endif
>  #if ENABLE_PLUGIN
>      verify_crresponse_plugin(c->c2.tls_multi, m);
> diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
> index ebfd25432..be0f18746 100644
> --- a/src/openvpn/ssl_common.h
> +++ b/src/openvpn/ssl_common.h
> @@ -733,7 +733,7 @@ get_key_by_management_key_id(struct tls_multi *multi, 
> unsigned int mda_key_id)
>      for (int i = 0; i < KEY_SCAN_SIZE; ++i)
>      {
>          struct key_state *ks = get_key_scan(multi, i);
> -        if (ks->mda_key_id == mda_key_id)
> +        if (ks->mda_key_id == mda_key_id && ks->state > S_UNDEF)
>          {
>              return ks;
>          }
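Review bot: the new condition `ks->mda_key_id == mda_key_id && ks->state > S_UNDEF` carries the fix described only in the commit message (an uninitialised key_state has no valid mda_key_id, so a stale or zero value could match the caller's id), but nothing in the code says so; add a one-line comment above the `if` stating that key states still in S_UNDEF are skipped because their `mda_key_id` is not meaningful, so the next person to touch this loop does not drop the state check as redundant. The comparison also relies on S_UNDEF being the lowest value of the state enum; if that ordering is not already documented where the enum is defined, a note there would make the `>` rather than `!=` choice explicit.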

Regards,
-- 
  Frank Lichtenheld


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel