[Openvpn-devel,v2] Fix tls-auth/crypt in connection blocks with --persist-key

Message ID 20190119103400.12887-1-steffan@karger.me
State Accepted
Series [Openvpn-devel,v2] Fix tls-auth/crypt in connection blocks with --persist-key

Commit Message

Steffan Karger Jan. 18, 2019, 11:34 p.m. UTC
If --persist-key was used, we would always try to pre-load the 'global'
tls-auth/crypt file. That would result in using the wrong key (leading
to a failed connection) or an error if there was no 'global' key:

  Sat Jan 19 11:09:01 2019 Cannot pre-load tls-auth keyfile ((null))
  Sat Jan 19 11:09:01 2019 Exiting due to fatal error

Fix that by loading the key from the current connection entry.

Signed-off-by: Steffan Karger <steffan@karger.me>
---
v2: Also fix tls-crypt, not just tls-auth.

 src/openvpn/options.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
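To make the bug class concrete, here is an added C model of the pre-load logic the patch touches; it is not OpenVPN's code. The struct fields, `read_key_file()` and `preload_tls_auth()` are simplified assumptions, the key paths and key strings are constructed, and `INLINE_FILE_TAG` is redefined locally as a stand-in for OpenVPN's sentinel. The `fixed` flag switches between reading the global `o->tls_auth_file` (pre-patch) and the connection entry's `ce->tls_auth_file` (patched), so both failure modes from the commit message can be observed side by side:

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenVPN's INLINE_FILE_TAG sentinel: "key already pre-loaded". */
#define INLINE_FILE_TAG "[[INLINE]]"

/* Simplified models of the two structs the patch touches (hypothetical
 * field subsets, not OpenVPN's real definitions). */
struct options {
    const char *tls_auth_file;  /* 'global' --tls-auth path; NULL if not set */
    int persist_key;            /* --persist-key given */
};

struct connection_entry {
    const char *tls_auth_file;  /* path from this <connection> block */
    int tls_auth_file_inline;   /* already inline / pre-loaded */
    const char *loaded_key;     /* key material that was actually pre-loaded */
};

/* Constructed in-memory "filesystem" replacing buffer_read_from_file(). */
static const char *read_key_file(const char *path)
{
    static const struct { const char *path; const char *key; } files[] = {
        { "/etc/openvpn/ta-global.key", "GLOBAL-KEY" },
        { "/etc/openvpn/ta-conn-a.key", "CONN-A-KEY" },
    };
    if (path == NULL) {
        return NULL;            /* the "(null)" case from the log excerpt */
    }
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        if (strcmp(files[i].path, path) == 0) {
            return files[i].key;
        }
    }
    return NULL;
}

/* Pre-load the tls-auth key for one connection entry.
 * fixed == 0 reproduces the pre-patch behaviour (reads o->tls_auth_file),
 * fixed == 1 the patched behaviour (reads ce->tls_auth_file).
 * Returns 0 on success, -1 where OpenVPN would hit msg(M_FATAL, ...). */
static int preload_tls_auth(struct options *o, struct connection_entry *ce, int fixed)
{
    if (!o->persist_key || !ce->tls_auth_file || ce->tls_auth_file_inline) {
        return 0;               /* nothing to pre-load */
    }
    const char *path = fixed ? ce->tls_auth_file : o->tls_auth_file;
    const char *key = read_key_file(path);
    if (key == NULL) {
        fprintf(stderr, "Cannot pre-load tls-auth keyfile (%s)\n", path ? path : "(null)");
        return -1;
    }
    ce->loaded_key = key;
    ce->tls_auth_file = INLINE_FILE_TAG;
    ce->tls_auth_file_inline = 1;
    return 0;
}

/* Scenario A: a global key is configured. Pre-patch: silently the wrong key. */
int buggy_loads_global_key(void)
{
    struct options o = { "/etc/openvpn/ta-global.key", 1 };
    struct connection_entry ce = { "/etc/openvpn/ta-conn-a.key", 0, NULL };
    return preload_tls_auth(&o, &ce, 0) == 0 && strcmp(ce.loaded_key, "GLOBAL-KEY") == 0;
}

/* Scenario B: no global key at all. Pre-patch: fatal "(null)" error. */
int buggy_fails_without_global_key(void)
{
    struct options o = { NULL, 1 };
    struct connection_entry ce = { "/etc/openvpn/ta-conn-a.key", 0, NULL };
    return preload_tls_auth(&o, &ce, 0) == -1 && ce.loaded_key == NULL;
}

/* Patched code: the entry's own key is loaded in both scenarios. */
int fixed_loads_entry_key(void)
{
    struct options with_global = { "/etc/openvpn/ta-global.key", 1 };
    struct options no_global = { NULL, 1 };
    struct connection_entry a = { "/etc/openvpn/ta-conn-a.key", 0, NULL };
    struct connection_entry b = { "/etc/openvpn/ta-conn-a.key", 0, NULL };
    return preload_tls_auth(&with_global, &a, 1) == 0 && strcmp(a.loaded_key, "CONN-A-KEY") == 0
        && preload_tls_auth(&no_global, &b, 1) == 0 && strcmp(b.loaded_key, "CONN-A-KEY") == 0
        && strcmp(a.tls_auth_file, INLINE_FILE_TAG) == 0;
}

int main(void)
{
    printf("buggy, global key present : loads wrong key = %d\n", buggy_loads_global_key());
    printf("buggy, no global key      : fatal (null)    = %d\n", buggy_fails_without_global_key());
    printf("fixed, both scenarios     : entry key       = %d\n", fixed_loads_entry_key());
    return 0;
}
```

Scenario A is the one worth remembering from a review standpoint: the guard checks the entry's own field while the read uses the global one, so with a global key configured nothing fails at config time and the mismatch only shows up as a TLS handshake that never completes.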

Comments

Arne Schwabe Jan. 22, 2019, 4:32 a.m. UTC | #1
Am 19.01.19 um 11:34 schrieb Steffan Karger:
> If --persist-key was used, we would always try to pre-load the 'global'
> tls-auth/crypt file. That would result in using the wrong key (leading
> to a failed connection) or an error if there was no 'global' key:
> 
>   Sat Jan 19 11:09:01 2019 Cannot pre-load tls-auth keyfile ((null))
>   Sat Jan 19 11:09:01 2019 Exiting due to fatal error
> 
> Fix that by loading the key from the current connection entry.
> 

Acked-By: Arne Schwabe <arne@rfc2549.org>

This also changes the logic to be similar to the other logic used in
the function. The bug is pretty obvious by just looking at the code.

Arne
Gert Doering Jan. 22, 2019, 5:32 a.m. UTC | #2
Your patch has been applied to the master branch.

(I had a look at the patch as well, and second the ACK :) )

commit dcfc51457789d8a62ff8bd266dd3a3bf0a0c9763
Author: Steffan Karger
Date:   Sat Jan 19 11:34:00 2019 +0100

     Fix tls-auth/crypt in connection blocks with --persist-key

     Signed-off-by: Steffan Karger <steffan@karger.me>
     Acked-by: Arne Schwabe <arne@rfc2549.org>
     Message-Id: <20190119103400.12887-1-steffan@karger.me>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18123.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 0cf8db767..bebd30059 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2863,11 +2863,11 @@  options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
     {
         if (ce->tls_auth_file && !ce->tls_auth_file_inline)
         {
-            struct buffer in = buffer_read_from_file(o->tls_auth_file, &o->gc);
+            struct buffer in = buffer_read_from_file(ce->tls_auth_file, &o->gc);
             if (!buf_valid(&in))
             {
                 msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)",
-                    o->tls_auth_file);
+                    ce->tls_auth_file);
             }
 
             ce->tls_auth_file = INLINE_FILE_TAG;
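Review bot: the guard `if (ce->tls_auth_file && !ce->tls_auth_file_inline)` tests the connection entry's path, but the old read took `o->tls_auth_file`, so a <connection> block with its own tls-auth key either read the global file (wrong key, no error at load time) or passed NULL into buffer_read_from_file (the "(null)" in the log); changing both the read and the M_FATAL message to `ce->tls_auth_file` makes the read agree with the guard and is the correct fix. Since the entry's path is then overwritten with INLINE_FILE_TAG three lines later, the message now also names the file that was actually attempted, which is what an operator needs to see.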
@@ -2876,11 +2876,11 @@  options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
 
         if (ce->tls_crypt_file && !ce->tls_crypt_inline)
         {
-            struct buffer in = buffer_read_from_file(o->tls_crypt_file, &o->gc);
+            struct buffer in = buffer_read_from_file(ce->tls_crypt_file, &o->gc);
             if (!buf_valid(&in))
             {
                 msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)",
-                    o->tls_auth_file);
+                    ce->tls_crypt_file);
             }
 
             ce->tls_crypt_file = INLINE_FILE_TAG;
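Review bot: besides the same wrong-struct read as in the tls-auth hunk, the old error message here printed `o->tls_auth_file` rather than any tls-crypt path, so a failed tls-crypt pre-load would have reported the tls-auth file name; `ce->tls_crypt_file` fixes both the read and the message, which is why v2 is needed over v1. One pre-existing inconsistency is visible but untouched: this guard uses `ce->tls_crypt_inline` while the tls-auth guard uses `ce->tls_auth_file_inline`; aligning the field names would be a separate cleanup.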