From patchwork Thu Dec 3 04:49:51 2020
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 1537
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 3 Dec 2020 16:49:51 +0100
Message-Id: <20201203154951.29382-2-steffan@karger.me>
In-Reply-To: <20201203154951.29382-1-steffan@karger.me>
References: <20201203154951.29382-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 2/2] tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)

This allows tls-crypt-v2 servers to drop privileges after reading the keys.
Without it, the server would try to read the key file for each connecting
client. (And clients for each reconnect.)

As with the previous patch, the pre-loading was developed in parallel with
tls-crypt-v2, and the tls-crypt-v2 patches were never amended to implement
the pre-loading.

Also as with the previous patch, it would be nicer if servers would not
reload the tls-crypt-v2 server key for each connecting client. But let's
first fix the issue, and see if we can improve later.
Signed-off-by: Steffan Karger Acked-By: Arne Schwabe --- src/openvpn/options.c | 52 +++++++++++++++++++++---------------------- 1 file changed, 25 insertions(+), 27 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 21f8d494..599f534c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1980,6 +1980,23 @@ connection_entry_load_re(struct connection_entry *ce, const struct remote_entry } } +static void +connection_entry_preload_key(const char **key_file, bool *key_inline, + struct gc_arena *gc) +{ + if (key_file && *key_file && !(*key_inline)) + { + struct buffer in = buffer_read_from_file(*key_file, gc); + if (!buf_valid(&in)) + { + msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file); + } + + *key_file = (const char *) in.data; + *key_inline = true; + } +} + static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce) 
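Review bot: connection_entry_preload_key() in this hunk has no comment stating its contract, namely that on success it replaces *key_file with the file contents allocated from gc and sets *key_inline so later code treats the material as if it had been embedded in the config, and that a read failure is fatal; a short doc comment above the function would make that explicit. Two smaller points in the same hunk: the `key_file &&` test guards the pointer-to-pointer, which every caller in this patch passes as `&ce->...` and which can never be NULL, so the condition can be reduced to `*key_file && !*key_inline`; and the message `"Cannot pre-load keyfile (%s)"` no longer names the option, whereas the replaced messages said tls-auth or tls-crypt. The path keeps it identifiable, but passing the option name as an extra parameter would preserve the old log text.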
@@ -2931,36 +2948,17 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline; } - /* pre-cache tls-auth/crypt key file if persist-key was specified and keys - * were not already embedded in the config file + /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and + * keys were not already embedded in the config file. */ if (o->persist_key) { - if (ce->tls_auth_file && !ce->tls_auth_file_inline) - { - struct buffer in = buffer_read_from_file(ce->tls_auth_file, &o->gc); - if (!buf_valid(&in)) - { - msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)", - ce->tls_auth_file); - } - - ce->tls_auth_file = (char *)in.data; - ce->tls_auth_file_inline = true; - } - - if (ce->tls_crypt_file && !ce->tls_crypt_file_inline) - { - struct buffer in = buffer_read_from_file(ce->tls_crypt_file, &o->gc); - if (!buf_valid(&in)) - { - msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)", - ce->tls_crypt_file); - } - - ce->tls_crypt_file = (char *)in.data; - ce->tls_crypt_file_inline = true; - } + connection_entry_preload_key(&ce->tls_auth_file, + &ce->tls_auth_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_file, + &ce->tls_crypt_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_v2_file, + &ce->tls_crypt_v2_file_inline, &o->gc); } }
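Review bot: the three calls in this hunk pass `&ce->tls_auth_file`, `&ce->tls_crypt_file` and `&ce->tls_crypt_v2_file` to a `const char **` parameter, while the removed code assigned `(char *)in.data` into those members; please confirm all three are declared `const char *` in struct connection_entry, because if any of them is `char *` the call is an incompatible-pointer-type warning in C and needs a cast or a type change. Beyond that the refactor is behaviour-preserving for tls-auth and tls-crypt (same buffer_read_from_file() into `&o->gc`, same M_FATAL on failure) and the tls-crypt-v2 call is the only functional addition, which matches the commit message. The updated comment could also say that the preloaded contents live in `o->gc` for the lifetime of the options, since that is what lets the later per-client key parsing proceed without touching the file again.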
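A configuration audit, added here as an example and not part of the patch or of OpenVPN itself: it parses a server config for the three control-channel key directives and reports, following the rule the commit message gives, whether each key is inline, preloaded at startup under --persist-key, or would be opened from disk again after --user/--group has dropped privileges (the situation the patch fixes for tls-crypt-v2; tls-auth and tls-crypt were already preloaded by the code the hunk replaces). The sample configs and the key path are constructed, and the `tls_crypt_v2_preload` flag models a build with or without this patch.

```python
"""Audit an OpenVPN server config for control-channel keys that would be
read from disk after the privilege drop.

Added example, not OpenVPN code.  It models the rule the patch message
describes: with --persist-key, a tls-auth/tls-crypt key given as a file is
loaded into memory at startup and, with this patch, a tls-crypt-v2 key is
too; a key given inline (<tls-crypt-v2> ... </tls-crypt-v2>) never needs to
be re-read.  Without preloading and with --user/--group, the file is opened
again per client connection, after privileges are gone, which fails when the
key file is readable by root only.
"""
import re

KEY_OPTIONS = ("tls-auth", "tls-crypt", "tls-crypt-v2")

# Constructed sample configs (hypothetical paths, not taken from the patch).
SAMPLE_FILE_KEY = """\
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
tls-crypt-v2 /etc/openvpn/server/tls-crypt-v2-server.key
"""

SAMPLE_INLINE_KEY = """\
port 1194
dev tun
user nobody
group nogroup
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
"""


def parse_config(text):
    """Return (options, inline): options maps a directive to its list of
    argument lists; inline is the set of directives given as <tag> blocks."""
    options = {}
    inline = set()
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if block is not None:
            if line == "</%s>" % block:
                block = None
            continue  # the key material itself is not parsed
        m = re.match(r"<([\w-]+)>$", line)
        if m:
            block = m.group(1)
            inline.add(block)
            continue
        parts = line.split()
        options.setdefault(parts[0], []).append(parts[1:])
    return options, inline


def audit(text, tls_crypt_v2_preload=True):
    """Return [(directive, verdict, path)] for each key option present.

    tls_crypt_v2_preload=False models a build without this patch, where
    --persist-key preloads tls-auth/tls-crypt keys but not tls-crypt-v2.
    """
    options, inline = parse_config(text)
    drops_privs = "user" in options or "group" in options
    persist = "persist-key" in options
    findings = []
    for opt in KEY_OPTIONS:
        if opt in inline:
            findings.append((opt, "inline", None))
            continue
        if opt not in options:
            continue
        args = options[opt][0]
        path = args[0] if args else None
        if not drops_privs:
            verdict = "no-privdrop"
        elif not persist:
            verdict = "reread-after-drop"
        elif opt == "tls-crypt-v2" and not tls_crypt_v2_preload:
            verdict = "not-preloaded-on-build"
        else:
            verdict = "preloaded"
        findings.append((opt, verdict, path))
    return findings


def risky(findings):
    """Directives that would make OpenVPN open a key file after dropping root."""
    return [f for f in findings
            if f[1] in ("reread-after-drop", "not-preloaded-on-build")]


if __name__ == "__main__":
    for name, cfg in (("file key", SAMPLE_FILE_KEY), ("inline key", SAMPLE_INLINE_KEY)):
        for opt, verdict, path in audit(cfg):
            print("%-10s %-13s %-22s %s" % (name, opt, verdict, path or ""))
```

Run it against a real server config by reading the file into `audit()`; any `reread-after-drop` or `not-preloaded-on-build` verdict means either adding `persist-key`, inlining the key, or running a build that carries this patch.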