| Message ID | 20221219140405.1221341-1-selva.nair@gmail.com |
|---|---|
| State | Accepted |
| Headers | From: selva.nair@gmail.com; To: openvpn-devel@lists.sourceforge.net; Date: Mon, 19 Dec 2022 09:04:05 -0500; Subject: [Openvpn-devel] [PATCH v2] Do not include auth-token in pulled option digest; In-Reply-To: <20221218192203.1214943-1-selva.nair@gmail.com> |
| Series | [Openvpn-devel,v2] Do not include auth-token in pulled option digest |
Commit Message
Selva Nair
Dec. 19, 2022, 2:04 p.m. UTC
From: Selva Nair <selva.nair@gmail.com>

As a change in auth-token is common on restart and does not require
tun-reopen, exclude it from the "pulled options digest" calculation.
Without this, tun is always re-opened on SIGUSR1 if auth-token is in
use, which breaks persist-tun.

Fixes #200

v2: explicitly filter auth-token and auth-token-user

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
 src/openvpn/push.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
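To see why excluding the token matters, here is an added example (not OpenVPN's own code) that models the filter loop of push_update_digest(): split the pushed option string on ',', skip the options that legitimately change on a restart, and hash the rest. The real function feeds each retained line into a message-digest context; a 64-bit FNV-1a hash stands in for that here (an assumption, chosen so the example needs no crypto library), and the line-buffer size, function names and sample pushes are all constructed for the example. The exception list is kept in a table so that the trailing space on "auth-token " is visible as the reason "auth-token-user" needs its own entry.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenVPN code. Models the filter in push_update_digest().
 * FNV-1a replaces the real message-digest context (assumption). */

#define LINE_MAX_LEN 256   /* stand-in for OPTION_PARM_SIZE (assumed value) */

/* Options that change on a normal restart and must not count toward
 * "did the pulled options change enough to reopen tun".  Each entry keeps
 * its trailing space: "auth-token " does NOT match "auth-token-user ...",
 * so the latter needs its own entry, exactly as in the v2 patch. */
static const char *const skip_prefixes[] = {
    "peer-id ",
    "auth-token ",
    "auth-token-user ",
};

static bool
strprefix(const char *str, const char *prefix)
{
    return strncmp(str, prefix, strlen(prefix)) == 0;
}

/* True if this option line is left out of the digest. */
bool
is_volatile_option(const char *line)
{
    for (size_t i = 0; i < sizeof(skip_prefixes) / sizeof(skip_prefixes[0]); i++)
    {
        if (strprefix(line, skip_prefixes[i]))
        {
            return true;
        }
    }
    return false;
}

/* Digest of a comma-separated pushed-option string, skipping volatile options.
 * Each retained line is hashed including its terminating NUL, so the option
 * boundaries are part of the digest ("a,b" hashes differently from "ab"). */
uint64_t
pulled_options_digest(const char *pulled)
{
    uint64_t h = 0xcbf29ce484222325ULL;   /* FNV-1a 64-bit offset basis */
    const char *p = pulled;

    while (*p)
    {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char line[LINE_MAX_LEN];

        if (len >= sizeof(line))
        {
            len = sizeof(line) - 1;   /* truncate like a fixed-size line buffer */
        }
        memcpy(line, p, len);
        line[len] = '\0';

        if (!is_volatile_option(line))
        {
            for (size_t i = 0; i <= len; i++)   /* <= so the NUL is hashed too */
            {
                h ^= (uint8_t)line[i];
                h *= 0x100000001b3ULL;          /* FNV-1a 64-bit prime */
            }
        }
        p = end ? end + 1 : p + len;
    }
    return h;
}

/* Would a restart that pulled `after` instead of `before` reopen tun? */
bool
needs_tun_reopen(const char *before, const char *after)
{
    return pulled_options_digest(before) != pulled_options_digest(after);
}

/* Constructed sample pushes in the comma-separated form the server sends. */
static const char *const sample_first =
    "route 10.8.0.0 255.255.255.0,ifconfig 10.8.0.2 255.255.255.0,"
    "peer-id 3,auth-token SESS_ID_AAAA,auth-token-user Zm9v";
static const char *const sample_restart =   /* only peer-id and token differ */
    "route 10.8.0.0 255.255.255.0,ifconfig 10.8.0.2 255.255.255.0,"
    "peer-id 7,auth-token SESS_ID_BBBB,auth-token-user Zm9v";
static const char *const sample_changed =   /* ifconfig differs too */
    "route 10.8.0.0 255.255.255.0,ifconfig 10.8.0.3 255.255.255.0,"
    "peer-id 7,auth-token SESS_ID_BBBB,auth-token-user Zm9v";

int
main(void)
{
    printf("peer-id/token changed only: reopen=%d\n",
           needs_tun_reopen(sample_first, sample_restart));
    printf("ifconfig changed as well:   reopen=%d\n",
           needs_tun_reopen(sample_first, sample_changed));
    return 0;
}
```

Without the two auth-token entries in the table, the first comparison would report a reopen on every restart that renews the token, which is the persist-tun breakage the commit message describes; with them, only a real change such as the ifconfig line triggers it.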
Comments
Acked-by: Gert Doering <gert@greenie.muc.de>

(v2 is sufficiently different from v1 that I'm not taking Arne's ACK but
adding my own)

Only very lightly client-side tested, not doing actual SIGUSR1 restarts
with --persist-tun - but I'm fairly sure that this does what it attempts
to do, as it just extends the existing exception.

Your patch has been applied to the master, release/2.6 and release/2.5
branch (bugfix, same code, auth-token + auth-token-user both exist in 2.5).

commit f778f4f88e56851c0a68205e95110c021f3032b3
commit f922298ca5784577a1309334dafeb16f738ae46a (release/2.6)
commit 1d81df042eae416a4e83e6a433ae2b937c5a10a4 (release/2.5)
Author: Selva Nair
Date:   Mon Dec 19 09:04:05 2022 -0500

    Do not include auth-token in pulled option digest

    Signed-off-by: Selva Nair <selva.nair@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20221219140405.1221341-1-selva.nair@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25768.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/push.c b/src/openvpn/push.c index ad2f3c65..e765d2a9 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -989,8 +989,10 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) char line[OPTION_PARM_SIZE]; while (buf_parse(buf, ',', line, sizeof(line))) { - /* peer-id might change on restart and this should not trigger reopening tun */ - if (strprefix(line, "peer-id ")) + /* peer-id and auth-token might change on restart and this should not trigger reopening tun */ + if (strprefix(line, "peer-id ") + || strprefix(line, "auth-token ") + || strprefix(line, "auth-token-user ")) { continue; }
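Review bot: the `||` chain in the push_update_digest() hunk is now three prefixes long and the rewritten comment line ("/* peer-id and auth-token might change on restart and this should not trigger reopening tun */") runs well past 80 columns; a small static array of prefixes walked in a loop, with the comment wrapped, would keep this tun-reopen exception list in one place for the next option that needs adding. The trailing spaces are load-bearing and the hunk has them right: `strprefix(line, "auth-token ")` does not match a line starting with `auth-token-user `, so `|| strprefix(line, "auth-token-user ")` is required rather than redundant, and a one-line comment saying so would save a future reader from "simplifying" it away (the v2 note about filtering both explicitly lives only in the commit message). The `continue` only skips the digest update; the hunk does not change how the pushed option itself is handled, so leaving these lines out of the digest affects nothing but the reopen decision the comment describes.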