| Message ID | 20200508114243.15532-1-davids@openvpn.net |
|---|---|
| State | Accepted |
| Series | [Openvpn-devel,1/2] options: Fix failing inline tls-auth/crypt with persist-key |
Hi,

On 08/05/2020 13:42, David Sommerseth wrote:
> A configuration file using --persist-key and with inlined --tls-auth or
> --tls-crypt files was failing in check_file_access(). The file argument
> to check_file_access() contained the key file and not the file name.
>
> This was because check_file_access_inline(), which calls
> check_file_access() if the file is not inlined, was told the file was not
> an inline file.
>
> The reason check_file_access_inline() was misled was that a prior
> option_postprocess_mutate() call puts these key files into a connection
> block entry in option_postprocess_mutate_ce(). OpenVPN was modified a
> long while ago to always use connection blocks in the option structure
> for simplicity. So the "root" key files would be transferred into a
> connection entry in this method.
>
> When --persist-key is used, option_postprocess_mutate_ce() will load the
> key file and "convert" the option into an inline option. But in
> commit cb2e9218f2bc73fa2 this logic had lost the "inline indicator". The
> result was that the connection entry had the key file content stored in
> the object but was "tagged" as a normal file (name), not an inline file.
>
> Signed-off-by: David Sommerseth <davids@openvpn.net>

Thanks for fixing my bugs :-)

Unfortunately the code has changed a bit since the issue of v1 until v11... so these nasty errors sneaked in.

Acked-by: Antonio Quartulli <a@unstable.cc>
Your patch has been applied to the master branch.

Have not done any testing, but the code change looks very reasonable and exactly like it would fix the bug :-)

commit e8e410fdc6fb91451d8119b129bac7be00ff81df
Author: David Sommerseth
Date:   Fri May 8 13:42:43 2020 +0200

    options: Fix failing inline tls-auth/crypt with persist-key

    Signed-off-by: David Sommerseth <davids@openvpn.net>
    Acked-by: Antonio Quartulli <antonio@openvpn.net>
    Message-Id: <20200508114243.15532-1-davids@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19858.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

-- 
kind regards,

Gert Doering
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 611652fd..a37106ce 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2936,6 +2936,7 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } ce->tls_auth_file = (char *)in.data; + ce->tls_auth_file_inline = true; } if (ce->tls_crypt_file && !ce->tls_crypt_file_inline) @@ -2948,6 +2949,7 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } ce->tls_crypt_file = (char *)in.data; + ce->tls_crypt_file_inline = true; } } }
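Review bot: in the tls_auth hunk, the new `ce->tls_auth_file_inline = true;` is the only thing that still distinguishes loaded key content from a path once `ce->tls_auth_file = (char *)in.data;` has overwritten the file name, and nothing in the hunk documents that coupling; a one-line comment above the assignment saying that the content now replaces the name and the inline flag must be set together with it would make a future refactor less likely to drop the flag again, which the commit message says commit cb2e9218f2bc73fa2 did. A regression test configuration combining --persist-key with --tls-auth would lock the repaired behaviour in.

Review bot: in the tls_crypt hunk, the load-then-assign-then-flag sequence now duplicates the tls_auth branch line for line; folding both branches into one static helper that takes the file pointer and the inline flag by reference (for example a hypothetical `persist_key_file(&ce->tls_crypt_file, &ce->tls_crypt_file_inline)`) would leave a single place where the flag can be forgotten instead of two.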
A configuration file using --persist-key and with inlined --tls-auth or
--tls-crypt files was failing in check_file_access(). The file argument
to check_file_access() contained the key file and not the file name.

This was because check_file_access_inline(), which calls
check_file_access() if the file is not inlined, was told the file was not
an inline file.

The reason check_file_access_inline() was misled was that a prior
option_postprocess_mutate() call puts these key files into a connection
block entry in option_postprocess_mutate_ce(). OpenVPN was modified a
long while ago to always use connection blocks in the option structure
for simplicity. So the "root" key files would be transferred into a
connection entry in this method.

When --persist-key is used, option_postprocess_mutate_ce() will load the
key file and "convert" the option into an inline option. But in
commit cb2e9218f2bc73fa2 this logic had lost the "inline indicator". The
result was that the connection entry had the key file content stored in
the object but was "tagged" as a normal file (name), not an inline file.

Signed-off-by: David Sommerseth <davids@openvpn.net>
---
 src/openvpn/options.c | 2 ++
 1 file changed, 2 insertions(+)
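The failure mode the commit message describes, as an added example that is not OpenVPN's code: a simplified C model of the file/inline pair, in which the `--persist-key` conversion replaces the path with the key text and a later access check trusts the inline flag to tell the two apart. All `*_model` functions, the `ce_model` struct, the temp file path and the key text are constructed stand-ins for this illustration, not the project's real `struct connection_entry`, `check_file_access()` or `options_postprocess_mutate_ce()`. Passing `fixed = false` reproduces the regression (the flag is not set, so the key text is handed to the access check as if it were a path); `fixed = true` applies the patch's one-line change.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical, simplified model of the two option fields involved.
 * This is NOT OpenVPN's struct connection_entry. */
struct ce_model {
    char *tls_auth_file;        /* a path, or the key text once converted to inline */
    bool  tls_auth_file_inline; /* must be true whenever tls_auth_file holds key text */
};

/* Stand-in for check_file_access(): succeed only if the path is readable. */
static bool check_file_access_model(const char *file)
{
    return file != NULL && access(file, R_OK) == 0;
}

/* Stand-in for check_file_access_inline(): an inline option has no path to
 * check, so the access check is skipped only when the inline flag is set. */
static bool check_file_access_inline_model(bool is_inline, const char *file)
{
    return is_inline || check_file_access_model(file);
}

/* Stand-in for the --persist-key conversion: read the key file into memory
 * and store the content where the path was. set_inline_flag = false models
 * the regression, true models the patched code. */
static bool persist_key_model(struct ce_model *ce, bool set_inline_flag)
{
    if (ce->tls_auth_file == NULL || ce->tls_auth_file_inline) {
        return true; /* nothing to convert */
    }
    FILE *f = fopen(ce->tls_auth_file, "rb");
    if (f == NULL) {
        return false;
    }
    char *content = NULL;
    size_t len = 0;
    char chunk[256];
    size_t n;
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0) {
        char *grown = realloc(content, len + n + 1);
        if (grown == NULL) { free(content); fclose(f); return false; }
        content = grown;
        memcpy(content + len, chunk, n);
        len += n;
        content[len] = '\0';
    }
    fclose(f);
    if (content == NULL) {
        return false; /* empty key file */
    }
    free(ce->tls_auth_file);
    ce->tls_auth_file = content; /* key text now sits where the path was */
    if (set_inline_flag) {
        ce->tls_auth_file_inline = true; /* the one-line fix from the patch */
    }
    return true;
}

/* Constructed scenario: write a placeholder key file, run the persist-key
 * conversion, then run the access check exactly as the post-processing
 * order in the commit message implies. Returns what the check reports. */
bool persist_key_check_passes(bool fixed)
{
    char path[] = "/tmp/tls-auth-model-XXXXXX"; /* constructed temp path */
    int fd = mkstemp(path);
    if (fd < 0) {
        return false;
    }
    /* Constructed placeholder key text; not a real OpenVPN static key. */
    static const char key_text[] =
        "-----BEGIN OpenVPN Static key V1-----\n"
        "0123456789abcdef0123456789abcdef\n"
        "-----END OpenVPN Static key V1-----\n";
    size_t want = sizeof key_text - 1;
    if (write(fd, key_text, want) != (ssize_t)want) {
        close(fd); unlink(path); return false;
    }
    close(fd);

    struct ce_model ce = { .tls_auth_file = strdup(path), .tls_auth_file_inline = false };
    bool ok = persist_key_model(&ce, fixed)
              && check_file_access_inline_model(ce.tls_auth_file_inline, ce.tls_auth_file);
    free(ce.tls_auth_file);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("without inline flag: check %s\n", persist_key_check_passes(false) ? "passes" : "fails");
    printf("with inline flag:    check %s\n", persist_key_check_passes(true) ? "passes" : "fails");
    return 0;
}
```

In the unfixed run the access check receives the key text as its `file` argument, which is the symptom the commit message reports ("contained the key file and not the file name"); the flag, not the pointer, is the only way the consumer can tell the two cases apart, so any code path that swaps content in for a path has to set both.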