Message ID | 20190119103400.12887-1-steffan@karger.me |
---|---|
State | Accepted |
Series | [Openvpn-devel,v2] Fix tls-auth/crypt in connection blocks with --persist-key |
On 19.01.19 at 11:34, Steffan Karger wrote:
> If --persist-key was used, we would always try to pre-load the 'global'
> tls-auth/crypt file. That would result in using the wrong key (leading
> to a failed connection) or an error if there was no 'global' key:
>
> Sat Jan 19 11:09:01 2019 Cannot pre-load tls-auth keyfile ((null))
> Sat Jan 19 11:09:01 2019 Exiting due to fatal error
>
> Fix that by loading the key from the current connection entry.

Acked-By: Arne Schwabe <arne@rfc2549.org>

This also changes the logic to be similar to the other logic used in the function. The bug is pretty obvious by just looking at the code.

Arne
Your patch has been applied to the master branch.

(I had a look at the patch as well, and second the ACK :) )

commit dcfc51457789d8a62ff8bd266dd3a3bf0a0c9763
Author: Steffan Karger
Date:   Sat Jan 19 11:34:00 2019 +0100

    Fix tls-auth/crypt in connection blocks with --persist-key

    Signed-off-by: Steffan Karger <steffan@karger.me>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20190119103400.12887-1-steffan@karger.me>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18123.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 0cf8db767..bebd30059 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2863,11 +2863,11 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) { if (ce->tls_auth_file && !ce->tls_auth_file_inline) { - struct buffer in = buffer_read_from_file(o->tls_auth_file, &o->gc); + struct buffer in = buffer_read_from_file(ce->tls_auth_file, &o->gc); if (!buf_valid(&in)) { msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)", - o->tls_auth_file); + ce->tls_auth_file); } ce->tls_auth_file = INLINE_FILE_TAG; @@ -2876,11 +2876,11 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) if (ce->tls_crypt_file && !ce->tls_crypt_inline) { - struct buffer in = buffer_read_from_file(o->tls_crypt_file, &o->gc); + struct buffer in = buffer_read_from_file(ce->tls_crypt_file, &o->gc); if (!buf_valid(&in)) { msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)", - o->tls_auth_file); + ce->tls_crypt_file); } ce->tls_crypt_file = INLINE_FILE_TAG;
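Review bot: in the first hunk (@@ -2863), the block now reads from `ce->tls_auth_file` but ends at `ce->tls_auth_file = INLINE_FILE_TAG;` without showing where the contents of `in` are stored; the assignment that follows the shown context must also target the connection entry's inline field (the one guarded by `!ce->tls_auth_file_inline`), otherwise the per-connection key would be read but never used. The remaining use of `o` for `&o->gc` is only the allocator and is fine; worth a glance at the lines just past the hunk to confirm the store side matches the load side.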
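Review bot: the second hunk (@@ -2876) fixes two distinct defects, and the commit message names only one of them. Besides reading from `ce->tls_crypt_file` instead of `o->tls_crypt_file`, the M_FATAL message for a tls-crypt failure previously printed `o->tls_auth_file` (a copy-paste error), so a `(null)` in the log could point at the wrong option; the change to `ce->tls_crypt_file` corrects that as well. Suggest the v2 changelog line ("Also fix tls-crypt, not just tls-auth.") also mention the corrected error text so the description matches the diff.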
If --persist-key was used, we would always try to pre-load the 'global'
tls-auth/crypt file. That would result in using the wrong key (leading
to a failed connection) or an error if there was no 'global' key:

Sat Jan 19 11:09:01 2019 Cannot pre-load tls-auth keyfile ((null))
Sat Jan 19 11:09:01 2019 Exiting due to fatal error

Fix that by loading the key from the current connection entry.

Signed-off-by: Steffan Karger <steffan@karger.me>
---
v2: Also fix tls-crypt, not just tls-auth.

 src/openvpn/options.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)