From patchwork Fri May 8 01:42:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Sommerseth X-Patchwork-Id: 1105 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.27.255.58]) by backend30.mail.ord1d.rsapps.net with LMTP id 0MDoKxNGtV7TJAAAIUCqbw for ; Fri, 08 May 2020 07:44:19 -0400 Received: from proxy16.mail.iad3a.rsapps.net ([172.27.255.58]) by director11.mail.ord1d.rsapps.net with LMTP id 0En5KBNGtV7eRwAAvGGmqA ; Fri, 08 May 2020 07:44:19 -0400 Received: from smtp6.gate.iad3a ([172.27.255.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy16.mail.iad3a.rsapps.net with LMTP id QKgsIhNGtV7xUAAADc5QwQ ; Fri, 08 May 2020 07:44:19 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp6.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=fail (p=none; dis=none) header.from=openvpn.net X-Suspicious-Flag: YES X-Classification-ID: 4019f4fe-9121-11ea-a735-5254002f0085-1-1 Received: from [216.105.38.7] ([216.105.38.7:56898] helo=lists.sourceforge.net) by smtp6.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id F2/18-12399-21645BE5; Fri, 08 May 2020 07:44:19 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jX1PQ-0008JS-EZ; Fri, 08 May 2020 11:43:16 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jX1PP-0008J8-Ci for openvpn-devel@lists.sourceforge.net; Fri, 08 May 2020 11:43:15 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=OINj8R8Jh5glNvedW77AEgf0JPVriBB87KFGWYuKpzs=; b=NRW8AxuY5GEB66opzpmKGNsvpN S2GSEaQAdc9rxOkdkJYjSlWoZCmueH8kRKp8jhn8F/OlJyLvA4BIrX6vTBh8iY6v6fC4nFNcYF5uC onqtLLwx01Ma01oauwRtZlPkjsJQfUchdOfZg+9zjC5MBy7swbkrMM14TC76dWOn3e8w=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=OINj8R8Jh5glNvedW77AEgf0JPVriBB87KFGWYuKpzs=; b=U yAezUH/SDiSicZuw0BKsNAxd28hWlCqEyJBEYstQWQAXBa+/sEgnAAB9xVlQyMK0FWzXhFKTWlKPN clReeW8GAzAfZ460/MOh/KpGXeiLmyfN3+C0uMUiWLx/LjO7srMNkpeacyJq7DT8hRGxHiKJLPUd8 eeRnARuhe7G3Qjsw=; Received: from mx0.basenordic.cloud ([185.212.44.139]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jX1PN-00CRjh-56 for openvpn-devel@lists.sourceforge.net; Fri, 08 May 2020 11:43:15 +0000 Received: from localhost (unknown [IPv6:::1]) by mx0.basenordic.cloud (Postfix) with ESMTP id E52FB82B8DE for ; Fri, 8 May 2020 11:42:50 +0000 (UTC) Received: from mx0.basenordic.cloud ([IPv6:::1]) by localhost (winterfell.topphemmelig.net [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id EtvTnR3V0NGc for ; Fri, 8 May 2020 13:42:49 +0200 (CEST) Received: from zimbra.sommerseth.email (zimbra.sommerseth.email [172.16.33.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx0.basenordic.cloud (Postfix) with ESMTPS id 9A38281A3A7 for ; Fri, 8 May 2020 13:42:49 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by zimbra.sommerseth.email (Postfix) with ESMTP id 1C155418A775 for ; Fri, 8 May 2020 13:42:49 +0200 (CEST) Received: from zimbra.sommerseth.email ([127.0.0.1]) by localhost (zimbra.sommerseth.email [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Tok2GRJIlFrF for ; Fri, 8 May 2020 13:42:48 +0200 (CEST) Received: from optimus.homebase.sommerseths.net (unknown [10.35.7.3]) by zimbra.sommerseth.email (Postfix) with ESMTPS id A49B5418A76D for ; Fri, 8 May 2020 13:42:48 +0200 (CEST) From: David Sommerseth To: openvpn-devel@lists.sourceforge.net Date: Fri, 8 May 2020 13:42:43 +0200 Message-Id: <20200508114243.15532-1-davids@openvpn.net> X-Mailer: git-send-email 2.26.0 MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1jX1PN-00CRjh-56 Subject: [Openvpn-devel] [PATCH 1/2] options: Fix failing inline tls-auth/crypt with persist-key X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox A configuration file using --persist-key and with inlined --tls-auth or --tls-crypt files was failing in check_file_access(). The file argument to check_file_access() contained the key file and not the file name. This was because check_file_access_inline() which calls check_file_access() if the file is not inlined was told the file was not an inline file. The reason the check_file_access_inline() was misled was due to a prior option_postprocess_mutate() call puts these key files into a connection block entry in option_postprocess_mutate_ce(). OpenVPN was modified a long while ago to always use connection blocks in the option structure for simplicity. So the "root" key files would be transferred into a connection entry in this method. When --persist-key is used, option_postprocess_mutate_ce() will load the key file and "convert" the option into an inline option. But in commit cb2e9218f2bc73fa2 this logic had lost the "inline indicator". The result was that the connection entry had the key file content stored in the object but was "tagged" as a normal file (name) not an inline file. Signed-off-by: David Sommerseth Acked-by: Antonio Quartulli --- src/openvpn/options.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 611652fd..a37106ce 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2936,6 +2936,7 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } ce->tls_auth_file = (char *)in.data; + ce->tls_auth_file_inline = true; } if (ce->tls_crypt_file && !ce->tls_crypt_file_inline) @@ -2948,6 +2949,7 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } ce->tls_crypt_file = (char *)in.data; + ce->tls_crypt_file_inline = true; } } }