From: Vsevolod Stakhov <vsevolod@rspamd.com>
Date: Sun, 5 Oct 2025 14:45:53 +0000 (+0100)
Subject: [Fix] Fix duplicate key filtering in reply decryption
X-Git-Tag: 3.13.2~1^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e88c726245fb277af850b0593070c555b2c7784;p=thirdparty%2Frspamd.git

[Fix] Fix duplicate key filtering in reply decryption

When read/write encryption keys fall back to common encryption_key,
rspamd_pubkey_ref() returns pointer to the same object. Previous duplicate
checks using pointer comparison incorrectly filtered out these keys,
causing decryption failures. Now properly checks if key was already added
to the decryption attempt list before adding it.
---

diff --git a/src/plugins/fuzzy_check.c b/src/plugins/fuzzy_check.c
index a1dd709675..f924ac8716 100644
--- a/src/plugins/fuzzy_check.c
+++ b/src/plugins/fuzzy_check.c
@@ -2476,20 +2476,35 @@ fuzzy_process_reply(unsigned char **pos, int *r, GPtrArray *req,
 			peer_keys[nkeys] = rule->read_peer_key;
 			nkeys++;
 		}
-		/* Then try write keys */
-		if (rule->write_peer_key && rule->write_local_key &&
-			(rule->write_peer_key != rule->read_peer_key)) {
-			local_keys[nkeys] = rule->write_local_key;
-			peer_keys[nkeys] = rule->write_peer_key;
-			nkeys++;
+		/* Then try write keys if not already added */
+		if (rule->write_peer_key && rule->write_local_key) {
+			gboolean already_added = FALSE;
+			for (int j = 0; j < nkeys; j++) {
+				if (peer_keys[j] == rule->write_peer_key) {
+					already_added = TRUE;
+					break;
+				}
+			}
+			if (!already_added) {
+				local_keys[nkeys] = rule->write_local_key;
+				peer_keys[nkeys] = rule->write_peer_key;
+				nkeys++;
+			}
 		}
-		/* Finally try common keys if they differ from specific ones */
-		if (rule->peer_key && rule->local_key &&
-			(rule->peer_key != rule->read_peer_key) &&
-			(rule->peer_key != rule->write_peer_key)) {
-			local_keys[nkeys] = rule->local_key;
-			peer_keys[nkeys] = rule->peer_key;
-			nkeys++;
+		/* Finally try common keys if not already added */
+		if (rule->peer_key && rule->local_key) {
+			gboolean already_added = FALSE;
+			for (int j = 0; j < nkeys; j++) {
+				if (peer_keys[j] == rule->peer_key) {
+					already_added = TRUE;
+					break;
+				}
+			}
+			if (!already_added) {
+				local_keys[nkeys] = rule->local_key;
+				peer_keys[nkeys] = rule->peer_key;
+				nkeys++;
+			}
 		}
 
 		/* Try decryption with each key pair */