[Openvpn-devel] Add daemon_pid to --tls-crypt-v2-verify environment

Message ID 20210429171504.1081888-1-tincantech@protonmail.com
State New
Headers show
Series
  • [Openvpn-devel] Add daemon_pid to --tls-crypt-v2-verify environment
Related show

Commit Message

Richard T Bonhomme April 29, 2021, 5:15 p.m.
From: string vest <stringvest88@gmail.com>

Under Windows, programmatically retrieving the parent process ID of
the openvpn instance which called a script is practically impossible.
The only sensible way, currently available, is to write a PID file.

This patch adds a single integer variable, named daemon_pid, to the
script environment. The value of which is set to the openvpn process
ID that called the script.

Providing this variable via the running openvpn process is more secure,
faster and far less prone to user-error than using a PID file.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
---
 src/openvpn/tls_crypt.c | 1 +
 1 file changed, 1 insertion(+)

Comments

tincantech via Openvpn-devel May 3, 2021, 5:22 p.m. | #1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, 29 April 2021 18:15, Richard T Bonhomme <stringvest88@gmail.com> wrote:

> From: string vest stringvest88@gmail.com
>
> Under Windows, programmatically retrieving the parent process ID of
> the openvpn instance which called a script is practically impossible.
> The only sensible way, currently available, is to write a PID file.
>
> This patch adds a single integer variable, named daemon_pid, to the
> script environment. The value of which is set to the openvpn process
> ID that called the script.
>
> Providing this variable via the running openvpn process is more secure,
> faster and far less prone to user-error than using a PID file.
>
> Signed-off-by: Richard T Bonhomme tincantech@protonmail.com
>
> src/openvpn/tls_crypt.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> index 7b5016d3..23d93a6c 100644
> --- a/src/openvpn/tls_crypt.c
> +++ b/src/openvpn/tls_crypt.c
> @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
> setenv_str(es, "script_type", "tls-crypt-v2-verify");
> setenv_str(es, "metadata_type", metadata_type_str);
> setenv_str(es, "metadata_file", tmp_file);
>
> -   setenv_int(es, "daemon_pid", platform_getpid());
>
>     struct argv argv = argv_new();
>     argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
>
>
> --
> 2.25.1

Bump.
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsBzBAEBCAAGBQJgkDFOACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1Wywf/bDBG1X2K9a5NfjvSb5X2npD8VOq4d66Dy8uwDnhCkJoT5exm
MFRhaLYhQXXK22GVSqX/n7aNDly6HveyMRkuUzoDnKNMhxJ9NUfgwCpgc+Ap
5nJtYfss13mcaHQzwP1CPuQWpjupKQ4nAi+OWT3tPBhc0zkKq8O/VXOjff8g
KSE3WMlwCHrrXqZ5XV4Y8FqyeN0mqkVnhKfJy0UxKR1zh+E+a70cCT1mUR0x
mlBAXMDoS/p+EoIW6PqJNt+4qgzSQbH8b77XmAkR1eR9LS4GoZG1OHYkwQiW
e8SRm6tKLpjTIw9Ob9HTIoIt9kSjFfRVgBVyM37s2KSyeYG0YjPTAg==
=DN5K
-----END PGP SIGNATURE-----
Gert Doering May 3, 2021, 6:09 p.m. | #2
Hi,

On Mon, May 03, 2021 at 05:22:26PM +0000, tincantech via Openvpn-devel wrote:
> Bump.

This is auto-deprioritizing review of the patch.

We have patchwork to remind us what is open.  Submitters that ask
multiple times a day about their patch needlessly eat up reviewer 
brain time, and this is not causing positive feelings.

gert
Arne Schwabe May 3, 2021, 6:15 p.m. | #3
Am 03.05.21 um 19:22 schrieb tincantech via Openvpn-devel:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, 29 April 2021 18:15, Richard T Bonhomme <stringvest88@gmail.com> wrote:
> 
>> From: string vest stringvest88@gmail.com
> 
>> Under Windows, programmatically retrieving the parent process ID of
>> the openvpn instance which called a script is practically impossible.
>> The only sensible way, currently available, is to write a PID file.
> 
>> This patch adds a single integer variable, named daemon_pid, to the
>> script environment. The value of which is set to the openvpn process
>> ID that called the script.
> 
>> Providing this variable via the running openvpn process is more secure,
>> faster and far less prone to user-error than using a PID file.
> 
>> Signed-off-by: Richard T Bonhomme tincantech@protonmail.com
> 
>> src/openvpn/tls_crypt.c | 1 +
>> 1 file changed, 1 insertion(+)
> 
>> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
>> index 7b5016d3..23d93a6c 100644
>> --- a/src/openvpn/tls_crypt.c
>> +++ b/src/openvpn/tls_crypt.c
>> @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
>> setenv_str(es, "script_type", "tls-crypt-v2-verify");
>> setenv_str(es, "metadata_type", metadata_type_str);
>> setenv_str(es, "metadata_file", tmp_file);
> 
>> -   setenv_int(es, "daemon_pid", platform_getpid());
> 
>>     struct argv argv = argv_new();
>>     argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
> 
> 
>> --
>> 2.25.1
> 
> Bump.

Are you trying to annoy the people that review patches? You should be
long enough on the mailing list to understand that reviews in under a
week are not often.

Bumping things with replying "bump" feel like a bad forum etiquette.

Arne
Arne Schwabe May 4, 2021, 10:50 a.m. | #4
Am 29.04.21 um 19:15 schrieb Richard T Bonhomme:
> From: string vest <stringvest88@gmail.com>
> 
> Under Windows, programmatically retrieving the parent process ID of
> the openvpn instance which called a script is practically impossible.
> The only sensible way, currently available, is to write a PID file.
> 
> This patch adds a single integer variable, named daemon_pid, to the
> script environment. The value of which is set to the openvpn process
> ID that called the script.
> 
> Providing this variable via the running openvpn process is more secure,
> faster and far less prone to user-error than using a PID file.

Could you explain why you need the process ID of the daemon? I am trying
to figure out why that is needed. I also don't understand the secure in
this context. What are you protecting yourself against? You are not
protecting your script being called from a malicious program as that
could lookup the PID of openvpn and just set the daemon_id variable.

Arne
tincantech via Openvpn-devel May 4, 2021, 12:43 p.m. | #5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, 4 May 2021 11:50, Arne Schwabe <arne@rfc2549.org> wrote:

> Am 29.04.21 um 19:15 schrieb Richard T Bonhomme:
>
> > From: string vest stringvest88@gmail.com
> > Under Windows, programmatically retrieving the parent process ID of
> > the openvpn instance which called a script is practically impossible.
> > The only sensible way, currently available, is to write a PID file.
> > This patch adds a single integer variable, named daemon_pid, to the
> > script environment. The value of which is set to the openvpn process
> > ID that called the script.
> > Providing this variable via the running openvpn process is more secure,
> > faster and far less prone to user-error than using a PID file.
>
> Could you explain why you need the process ID of the daemon? I am trying
> to figure out why that is needed. I also don't understand the secure in
> this context. What are you protecting yourself against? You are not
> protecting your script being called from a malicious program as that
> could lookup the PID of openvpn and just set the daemon_id variable.
>

The reason I am using the process ID is as follows:

When --tls-crypt-v2-verify is executed, it saves a file named:
$(certificate_serial_number}.${daemon_pid}
with data from the TLS-Crypt-V2 key metadata field, which can then
be read by the following scripts: --tls-verify and --client-connect.

The --tls-verify and --client-connect script have:
$(certificate_serial_number} -> ${tls_serial_hex_0} and ${daemon_pid},
in their environment and can guarantee to pick-up the correct data file.

This is OK for one running server but when there are more than one server
instance running, using a PID file becomes messy and cumbersome.

The "secure" in this sense is that, having openvpn provide the PID is much
more reliable than relying on multiple PID files.

Also, while it is "trivial" for *nix to retrieve the Parent PID, under
Windows, programmatically doing this is not "trivial" at all:

PID:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/finding-the-process-id
PPID:
https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows

Therefore, barring any known security reasons for not providing the openvpn PID
to all scripts which it executes, it makes more sense to have openvpn provide
daemon_pid.  The only script currently missing this data is --tls-crypt-v2-verify
(And probably --learn-address but I have not tested that).

Thanks
R
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsBzBAEBCAAGBQJgkUFuACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0Zcgf+MpbxgsNS/eKpPsbafA5Qmdotc1HoQuxp+4mlw+Fr7uGxJT1y
cIAf5akt6ox+y/c0tOdFAPvczNirZh0j598TISFXbQtdEFG+budjBXK6peTc
ZKTlxvUSzZNterBcnjmCYYsQBxUdWrsH65cb23nvJ6G9m3dgkAPnt8w8NLe/
Z4/xHAElwU1kOoyGcpG4DMVQM55ikvXSmdDQx6BU8ksUueBHR4m3mMtkjFgq
krvjr+ycEZNcOX5601dOgNZS0AIT8TFvdFPEvMIXrSKJsmXtFLIXhLckM+3v
cUoV65+V3nQpdkJGumWHvCA1HB9nCSh75R8MdlD4mc0efaM2IiElog==
=KHtU
-----END PGP SIGNATURE-----
tincantech via Openvpn-devel May 4, 2021, 7:02 p.m. | #6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, 4 May 2021 13:43, tincantech via Openvpn-devel <openvpn-devel@lists.sourceforge.net> wrote:

> Hi,
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, 4 May 2021 11:50, Arne Schwabe arne@rfc2549.org wrote:
>
> > Am 29.04.21 um 19:15 schrieb Richard T Bonhomme:
> >
> > > From: string vest stringvest88@gmail.com
> > > Under Windows, programmatically retrieving the parent process ID of
> > > the openvpn instance which called a script is practically impossible.
> > > The only sensible way, currently available, is to write a PID file.
> > > This patch adds a single integer variable, named daemon_pid, to the
> > > script environment. The value of which is set to the openvpn process
> > > ID that called the script.
> > > Providing this variable via the running openvpn process is more secure,
> > > faster and far less prone to user-error than using a PID file.
> >
> > Could you explain why you need the process ID of the daemon? I am trying
> > to figure out why that is needed. I also don't understand the secure in
> > this context. What are you protecting yourself against? You are not
> > protecting your script being called from a malicious program as that
> > could lookup the PID of openvpn and just set the daemon_id variable.
>
> The reason I am using the process ID is as follows:
>
> When --tls-crypt-v2-verify is executed, it saves a file named:
> $(certificate_serial_number}.${daemon_pid}
> with data from the TLS-Crypt-V2 key metadata field, which can then
> be read by the following scripts: --tls-verify and --client-connect.
>
> The --tls-verify and --client-connect script have:
> $(certificate_serial_number} -> ${tls_serial_hex_0} and ${daemon_pid},
> in their environment and can guarantee to pick-up the correct data file.
>
> This is OK for one running server but when there are more than one server
> instance running, using a PID file becomes messy and cumbersome.
>
> The "secure" in this sense is that, having openvpn provide the PID is much
> more reliable than relying on multiple PID files.
>
> Also, while it is "trivial" for *nix to retrieve the Parent PID, under
> Windows, programmatically doing this is not "trivial" at all:
>
> PID:
> https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/finding-the-process-id
> PPID:
> https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows
>
> Therefore, barring any known security reasons for not providing the openvpn PID
> to all scripts which it executes, it makes more sense to have openvpn provide
> daemon_pid. The only script currently missing this data is --tls-crypt-v2-verify
> (And probably --learn-address but I have not tested that).
>

Due to the inordinate resistance this patch has received, consider this my official
withdrawal.  I hereby NACK.

Thanks
R

-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsBzBAEBCAAGBQJgkZoxACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1HTQf7BSnvVR9LHZTcPyn+1oHv71TOxIMuFqckmxmQk/PZDSU+yq0h
OdjDWjSLLW/ZbQwS3Zcs09h50GEWBtUM5xoghAsBtUpGLCDMtvbU37JI/mMu
IfSI04+afMqi3xSsu1N4NMlAhVJTg2u0wfB6i46/Ltf/gLr9a0w3IAR7z1l4
Ykaxl5pBkNTZjuT6AtSVuVv8VUmr5+xQGWaUAxfPLIHeNeZGfCR7iJWd2L6L
zcnM8j3lLfzz1Tx2Ry3asVU40G6kp826F2LvuBH2mSZQeFENR/74HtAG0yY9
GcZg17oMkgBUmOZJzYupgrRwU1LFRGUIgk9ygS3Ew96M13C4lV90Sw==
=9B+C
-----END PGP SIGNATURE-----
Selva Nair May 4, 2021, 7:41 p.m. | #7
On Tue, May 4, 2021 at 3:04 PM tincantech via Openvpn-devel
<openvpn-devel@lists.sourceforge.net> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi,
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, 4 May 2021 13:43, tincantech via Openvpn-devel <openvpn-devel@lists.sourceforge.net> wrote:
>
> > Hi,
> >
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Tuesday, 4 May 2021 11:50, Arne Schwabe arne@rfc2549.org wrote:
> >
> > > Am 29.04.21 um 19:15 schrieb Richard T Bonhomme:
> > >
> > > > From: string vest stringvest88@gmail.com
> > > > Under Windows, programmatically retrieving the parent process ID of
> > > > the openvpn instance which called a script is practically impossible.
> > > > The only sensible way, currently available, is to write a PID file.
> > > > This patch adds a single integer variable, named daemon_pid, to the
> > > > script environment. The value of which is set to the openvpn process
> > > > ID that called the script.
> > > > Providing this variable via the running openvpn process is more secure,
> > > > faster and far less prone to user-error than using a PID file.
> > >
> > > Could you explain why you need the process ID of the daemon? I am trying
> > > to figure out why that is needed. I also don't understand the secure in
> > > this context. What are you protecting yourself against? You are not
> > > protecting your script being called from a malicious program as that
> > > could lookup the PID of openvpn and just set the daemon_id variable.
> >
> > The reason I am using the process ID is as follows:
> >
> > When --tls-crypt-v2-verify is executed, it saves a file named:
> > $(certificate_serial_number}.${daemon_pid}
> > with data from the TLS-Crypt-V2 key metadata field, which can then
> > be read by the following scripts: --tls-verify and --client-connect.
> >
> > The --tls-verify and --client-connect script have:
> > $(certificate_serial_number} -> ${tls_serial_hex_0} and ${daemon_pid},
> > in their environment and can guarantee to pick-up the correct data file.
> >
> > This is OK for one running server but when there are more than one server
> > instance running, using a PID file becomes messy and cumbersome.
> >
> > The "secure" in this sense is that, having openvpn provide the PID is much
> > more reliable than relying on multiple PID files.
> >
> > Also, while it is "trivial" for *nix to retrieve the Parent PID, under
> > Windows, programmatically doing this is not "trivial" at all:
> >
> > PID:
> > https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/finding-the-process-id
> > PPID:
> > https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows
> >
> > Therefore, barring any known security reasons for not providing the openvpn PID
> > to all scripts which it executes, it makes more sense to have openvpn provide
> > daemon_pid. The only script currently missing this data is --tls-crypt-v2-verify
> > (And probably --learn-address but I have not tested that).
> >
>
> Due to the inordinate resistance this patch has received, consider this my official
> withdrawal.  I hereby NACK.

Resistance is a good thing -- it means people are considering your
patch seriously and are asking questions in earnest.

I've had patches that languished for  years and finally merged,
without batting an eye.. Except for an occasional gentle nudge (say
once a year), and some patience.


Selva
tincantech via Openvpn-devel May 4, 2021, 8:36 p.m. | #8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, 4 May 2021 20:41, Selva Nair <selva.nair@gmail.com> wrote:

> On Tue, May 4, 2021 at 3:04 PM tincantech via Openvpn-devel
> openvpn-devel@lists.sourceforge.net wrote:
>

<snip>

> > Due to the inordinate resistance this patch has received, consider this my official
> > withdrawal. I hereby NACK.
>
> Resistance is a good thing -- it means people are considering your
> patch seriously and are asking questions in earnest.
>
> I've had patches that languished for years and finally merged,
> without batting an eye.. Except for an occasional gentle nudge (say
> once a year), and some patience.

Selva, thanks for your guidance.

On this occasion I have been pushed to find a better way.
Thanks to Gert for reminding me about PPID and pushing my code a little further,
I now realise that I don't need daemon_pid from openvpn directly.

Withdrawing this patch seems the most appropriate way to minimize the time wasted.

Sometimes it's difficult to see your own mistakes but realisation is satisfying
if and when you do "break on through" ;-)

R


-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsBzBAEBCAAGBQJgkbBPACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0MYwgAuFchojIT/cnf0yppB9o/WxJRZHdFaEn9jyRO+PgMYNrAJeet
QUqaCbUPZ0N5UdXnwuf5DTMYcStQpDyKnQyeB/dw0r23fmlSV69U1Vdx64+x
kjfbxl3h3miJ5yRu62YnmSCtqtiC/ErrJ1bz68RglI/aeGD4g6nPkpoHhZ/O
ix1zPxOpV+fnjEZtZfRCzNah+wa1vWyxF/UFpbIUe/pME6Y1pCGf4ZWGPFG8
qVdxSU/GwMMIaQn+Kz+iwoZDzhbkkprHGwS/yvJkEBIXOf8SspnlOOH0gJ6J
yFvxCBmaLeFUDoHhOy9JdL5toUN6hCtwu1wKPnUC3xN0IypeGdHtrQ==
=a9Jn
-----END PGP SIGNATURE-----
tincantech via Openvpn-devel May 4, 2021, 9:49 p.m. | #9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256




Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, 4 May 2021 21:36, tincantech via Openvpn-devel <openvpn-devel@lists.sourceforge.net> wrote:

> Hi,
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, 4 May 2021 20:41, Selva Nair selva.nair@gmail.com wrote:
>
> > On Tue, May 4, 2021 at 3:04 PM tincantech via Openvpn-devel
> > openvpn-devel@lists.sourceforge.net wrote:
>
> <snip>
>
> > > Due to the inordinate resistance this patch has received, consider this my official
> > > withdrawal. I hereby NACK.
> >
> > Resistance is a good thing -- it means people are considering your
> > patch seriously and are asking questions in earnest.

<s>

And this resistance was indeed not futile.

I have discovered a flaw in my logic, which is so insidious, that it may
bring my entire house of cards down .. I just F000M'^~,.ed myself .. arse!

-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsBzBAEBCAAGBQJgkcFnACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ3msAgAsoR4DghKD6z/et3JYXabmsGny+5/hu48E1FMXGUH5cB/cWpM
5P+KL3Kr3D7MkemqbHvvapQQKn0DCA+Kt056fqQI8h9fc8vhJKLYAxFD4M8E
b60H8+/K5bSwUxVkH4X6jW8m/HJ16q8fBrTSRDbZeJ4x1u1u0uxTk84WVhW2
gjued3xLGhPlkBlufYayr6LytUXN5wDEJSKLgjeROl04NlvTlDc1VCu+QREw
KnqXh1JBg9Lqo5ctmNtV6QZ8R5nx9G3cNqJ0joRQfN329H1Bp30S6iyvkBMV
/7pgCyKQ1X38D5rXNcRL/4qP0YfcSkQ43zb2dur9LtQ/wFqepKwr4Q==
=IcL9
-----END PGP SIGNATURE-----
Arne Schwabe May 5, 2021, 7:51 a.m. | #10
>> Could you explain why you need the process ID of the daemon? I am trying
>> to figure out why that is needed. I also don't understand the secure in
>> this context. What are you protecting yourself against? You are not
>> protecting your script being called from a malicious program as that
>> could lookup the PID of openvpn and just set the daemon_id variable.
> 
> 
> The reason I am using the process ID is as follows:
> 
> When --tls-crypt-v2-verify is executed, it saves a file named:
> $(certificate_serial_number}.${daemon_pid}
> with data from the TLS-Crypt-V2 key metadata field, which can then
> be read by the following scripts: --tls-verify and --client-connect.
>

I can get behind the need of needing something daemon specific when
running multiple daemon that scripts/plugins need something simple to
identify a specific daemon. With management and a persistent connection
that is easier to implicitly assign an ID but for scripts daemon_pid
seems to be a good fit.

So if we make that a bit clear in the commit message this gets an ACK
from me.

Arne
tincantech via Openvpn-devel May 5, 2021, 10 p.m. | #11
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, 5 May 2021 08:51, Arne Schwabe <arne@rfc2549.org> wrote:

> > > Could you explain why you need the process ID of the daemon? I am trying
> > > to figure out why that is needed. I also don't understand the secure in
> > > this context. What are you protecting yourself against? You are not
> > > protecting your script being called from a malicious program as that
> > > could lookup the PID of openvpn and just set the daemon_id variable.
> >
> > The reason I am using the process ID is as follows:
> > When --tls-crypt-v2-verify is executed, it saves a file named:
> > $(certificate_serial_number}.${daemon_pid}
> > with data from the TLS-Crypt-V2 key metadata field, which can then
> > be read by the following scripts: --tls-verify and --client-connect.
>
> I can get behind the need of needing something daemon specific when
> running multiple daemon that scripts/plugins need something simple to
> identify a specific daemon. With management and a persistent connection
> that is easier to implicitly assign an ID but for scripts daemon_pid
> seems to be a good fit.
>
> So if we make that a bit clear in the commit message this gets an ACK
> from me.
>

Arne,

thanks for the feedback, I can resubmit with an improved commit message
and corrected email if required.

Thanks
R
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsBzBAEBCAAGBQJgkxVyACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ0PGggAtMnaL8kv8Z2xGvqMkSr+TO7kHLWl2OoYP+o+S18NpUpQrLn1
1Yr0t2ZHjdho30l24iMsKGYAgtPwXfmNgNI+tjhb2p7URRNgkfaDDDUiTePL
hfnZnjLdmjlCIurKNnCqFsVKj92C2jQbicLcCH+504a0TeTLGmWaCYQ3/QiE
2I5CUJErNmjXrBRTeS5hB7FLSbYzbAs1AC5dU7uGSxjnhPrT1tx7An/GNAc6
HJMMBhF1if98jvPRntG6zXLTC4nIFPEM73m9oyWyrwXPql0lD8hZJ08OnpxI
YyfsH3KEFc3f6st2pmAen8o31zuDxARpYdhusqiLzqWW0WbCj1lt7A==
=ClM7
-----END PGP SIGNATURE-----

Patch

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 7b5016d3..23d93a6c 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -537,6 +537,7 @@  tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
     setenv_str(es, "script_type", "tls-crypt-v2-verify");
     setenv_str(es, "metadata_type", metadata_type_str);
     setenv_str(es, "metadata_file", tmp_file);
+    setenv_int(es, "daemon_pid", platform_getpid());
 
     struct argv argv = argv_new();
     argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);