From patchwork Tue May 9 15:46:58 2023
X-Patchwork-Submitter: Gianmarco De Gregori
X-Patchwork-Id: 3205
From: Gianmarco De Gregori
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 9 May 2023 17:46:58 +0200
Message-Id: <20230509154657.2756-1-gianmarco@mandelbit.com>
Subject: [Openvpn-devel] [PATCH] Persist-key: enable persist-key option by default.
This commit changes the default behavior of the OpenVPN configuration to enable the persist-key option by default. This means that all the key file content will be kept in memory throughout the lifetime of the VPN connection.

Fixes: Trac #1405
Signed-off-by: Gianmarco De Gregori
---
doc/man-sections/generic-options.rst | 2 ++ src/openvpn/init.c | 12 ++---------- src/openvpn/options.c | 23 +++++++++++------------ src/openvpn/options.h | 1 - 4 files changed, 15 insertions(+), 23 deletions(-)
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 97e1b5aa..5f74ab67 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -303,6 +303,8 @@ which mode OpenVPN is configured as. lower priority, ``n`` less than zero is higher priority). --persist-key + DEPRECATED OPTION, corresponding behavior is now always enabled. + Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. This option can be combined with ``--user`` to allow restarts diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d358ad00..654d8645 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3606,14 +3606,6 @@ do_option_warnings(struct context *c) { msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); } - if (!o->persist_key #ifdef ENABLE_PKCS11 - && !o->pkcs11_id #endif - ) - { - msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail"); - } } if (o->chroot_dir && !(o->username && o->groupname)) 
@@ -3901,7 +3893,7 @@ static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) { /* - * always free the tls_auth/crypt key. If persist_key is true, the key will + * always free the tls_auth/crypt key. The key will * be reloaded from memory (pre-cached) */ free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key); @@ -3910,7 +3902,7 @@ do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) buf_clear(&c->c1.ks.tls_crypt_v2_wkc); free_buf(&c->c1.ks.tls_crypt_v2_wkc); - if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) + if (!(c->sig->signal_received == SIGUSR1)) { key_schedule_free(&c->c1.ks, free_ssl_ctx); } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2680f268..9ef21bc9 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1860,7 +1860,6 @@ show_settings(const struct options *o) SHOW_BOOL(persist_tun); SHOW_BOOL(persist_local_ip); SHOW_BOOL(persist_remote_ip); - SHOW_BOOL(persist_key); #if PASSTOS_CAPABILITY SHOW_BOOL(passtos); 
@@ -3239,18 +3238,15 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline; } - /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and + /* Pre-cache tls-auth/crypt(-v2) key file if * keys were not already embedded in the config file. */ - if (o->persist_key) - { - connection_entry_preload_key(&ce->tls_auth_file, - &ce->tls_auth_file_inline, &o->gc); - connection_entry_preload_key(&ce->tls_crypt_file, - &ce->tls_crypt_file_inline, &o->gc); - connection_entry_preload_key(&ce->tls_crypt_v2_file, - &ce->tls_crypt_v2_file_inline, &o->gc); - } + connection_entry_preload_key(&ce->tls_auth_file, + &ce->tls_auth_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_file, + &ce->tls_crypt_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_v2_file, + &ce->tls_crypt_v2_file_inline, &o->gc); if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification) { @@ -6938,7 +6934,10 @@ add_option(struct options *options, else if (streq(p[0], "persist-key") && !p[1]) { VERIFY_PERMISSION(OPT_P_PERSIST); - options->persist_key = true; + msg(M_WARN, "DEPRECATED OPTION: --persist-key option ignored." + "The corresponding behavior is now always activated." + "This option will be removed in a future version, " + "please remove it from your configuration."); } else if (streq(p[0], "persist-local-ip") && !p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f5890b90..cf9613b2 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -344,7 +344,6 @@ struct options bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */ bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */ bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */ - bool persist_key; /* Don't re-read key files on SIGUSR1 or PING_RESTART */ #if PASSTOS_CAPABILITY bool passtos;
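Review bot: in the generic-options.rst hunk, the text that follows the new "DEPRECATED OPTION" line still documents --persist-key as if it did something ("Don't re-read key files across SIGUSR1 or --ping-restart. This option can be combined with --user to allow restarts"). Since the behaviour is now unconditional, that paragraph should describe the always-on behaviour and say the option is accepted but ignored; the removal plan announced by the runtime warning in options.c should be stated in the man page as well.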
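Review bot: dropping the "without persist-key" warning in do_option_warnings() is consistent with the rest of the patch, because the failure mode it warned about (a restart after user/group/chroot/setcon could no longer re-read the key files) cannot occur once keys are always pre-cached; it would help reviewers if the commit message said so explicitly, as this is the part of the change that matters for privilege-dropping deployments.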
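Review bot: in the do_close_free_key_schedule() hunk, `if (!(c->sig->signal_received == SIGUSR1))` is a double negation left over from removing `&& c->options.persist_key`; write it as `if (c->sig->signal_received != SIGUSR1)` for readability.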
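Review bot: in the options_postprocess_mutate_ce() hunk, the edited comment now dangles ("Pre-cache tls-auth/crypt(-v2) key file if" / "keys were not already embedded in the config file."); reflow it so the condition reads as one sentence, e.g. "Pre-cache tls-auth/crypt(-v2) key files unless the keys were already embedded in the config file."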
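Review bot: in the add_option() hunk, the new msg(M_WARN, ...) call concatenates adjacent string literals without separating spaces: "--persist-key option ignored." is immediately followed by "The corresponding behavior is now always activated." and that by "This option will be removed in a future version, ", so the logged line will read "ignored.The corresponding behavior is now always activated.This option will be removed". Add a trailing space to the first two literals, as the third one already has.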
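Review bot: the options.h hunk removes the `persist_key` field from struct options, so any remaining reader of `o->persist_key` or `options.persist_key` outside the files touched by this diff will no longer compile; please confirm with a tree-wide search before merging, and since the field's comment ("Don't re-read key files on SIGUSR1 or PING_RESTART") was the only place that semantics was recorded, carry that sentence over to the comment above the unconditional connection_entry_preload_key() calls.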