From: Arne Schwabe
Date: Tue, 13 Dec 2022 22:54:30 +0000 (+0100)
Subject: Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range
X-Git-Tag: v2.7_alpha1~652
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4cf7409e82580f2890c391372d60ed713ba4650c;p=thirdparty%2Fopenvpn.git

Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range

We have 6 key slots but normally only consider 3 of them to be active/valid keys. Especially the secondary key of TM_LAME_DUCK can in rare corner cases have a key that is still installed in the kernel. While this should not cause any issues since I do not see a way for this key to become active ever again, it is better to keep the state correct.

Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
Message-Id: <20221213225430.1892940-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25681.html
Signed-off-by: Gert Doering
---
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 5804ce73e..993265188 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -221,13 +221,17 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) multi->dco_keys_installed = 1; } - /* all keys that are not installed are set to NOT installed */ - for (int i = 0; i < KEY_SCAN_SIZE; ++i) + /* all keys that are not installed are set to NOT installed. Include also + * keys that might even be considered as active keys to be sure*/ + for (int i = 0; i < TM_SIZE; ++i) { - struct key_state *ks = get_key_scan(multi, i); - if (ks != primary && ks != secondary) + for (int j = 0; j < KS_SIZE; j++) { - ks->dco_status = DCO_NOT_INSTALLED; + struct key_state *ks = &multi->session[i].key[j]; + if (ks != primary && ks != secondary) + { + ks->dco_status = DCO_NOT_INSTALLED; + } } } return true;
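Review bot: The widened loop in dco_update_keys only rewrites the userspace bookkeeping (`ks->dco_status = DCO_NOT_INSTALLED`) for every slot in `multi->session[i].key[j]` that is not `primary` or `secondary`, while the commit message says the TM_LAME_DUCK secondary key "is still installed in the kernel" in the corner case; once the slot is flagged NOT_INSTALLED, userspace no longer knows it has to delete that key, so the kernel and userspace views can diverge. Please state in the code comment why that is acceptable (the commit message's argument that such a key can never become active again), or issue the delete before clearing the status. Minor: the new comment ends with `to be sure*/` without a space before the close, and the inner loop uses `j++` where the surrounding code uses `++i`.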