From patchwork Thu May 25 14:40:46 2023
X-Patchwork-Submitter: Gianmarco De Gregori
X-Patchwork-Id: 3239
From: Gianmarco De Gregori
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 25 May 2023 16:40:46 +0200
Message-Id: <20230525144045.5484-1-gianmarco@mandelbit.com>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20230509154657.2756-1-gianmarco@mandelbit.com>
Subject: [Openvpn-devel] [PATCH v2] Persist-key: enable persist-key option by default.

This commit changes the default behavior of the OpenVPN configuration to enable the persist-key option by default.
This means that all the key file content will be kept in memory throughout the lifetime of the VPN connection. Fixes: Trac #1405 Signed-off-by: Gianmarco De Gregori --- Changes from v1: * changed "DEPRECATED OPTION" with "**DEPRECATED**" in the documentation and with "(DEPRECATED)" in usage_message(). doc/man-sections/generic-options.rst | 2 ++ src/openvpn/init.c | 13 +++---------- src/openvpn/options.c | 26 +++++++++++++------------- src/openvpn/options.h | 1 - 4 files changed, 18 insertions(+), 24 deletions(-) diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 97e1b5aa..6c23aafc 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -303,6 +303,8 @@ which mode OpenVPN is configured as. lower priority, ``n`` less than zero is higher priority). --persist-key + **DEPRECATED**, corresponding behavior is now always enabled. + Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. This option can be combined with ``--user`` to allow restarts diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d358ad00..36d4395c 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3606,14 +3606,6 @@ do_option_warnings(struct context *c) { msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); } - if (!o->persist_key -#ifdef ENABLE_PKCS11 - && !o->pkcs11_id -#endif - ) - { - msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail"); - } } if (o->chroot_dir && !(o->username && o->groupname)) @@ -3687,6 +3679,7 @@ do_option_warnings(struct context *c) } } + struct context_buffers * init_context_buffers(const struct frame *frame) { 
@@ -3901,7 +3894,7 @@ static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) { /* - * always free the tls_auth/crypt key. If persist_key is true, the key will + * always free the tls_auth/crypt key. The key will * be reloaded from memory (pre-cached) */ free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key); @@ -3910,7 +3903,7 @@ do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) buf_clear(&c->c1.ks.tls_crypt_v2_wkc); free_buf(&c->c1.ks.tls_crypt_v2_wkc); - if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) + if (!(c->sig->signal_received == SIGUSR1)) { key_schedule_free(&c->c1.ks, free_ssl_ctx); } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e4c596b8..caf45b7e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -275,7 +275,7 @@ static const char usage_message[] = "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n" "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n" "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n" - "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n" + "--persist-key : (DEPRECATED) Don't re-read key files across SIGUSR1 or --ping-restart.\n" #if PASSTOS_CAPABILITY "--passtos : TOS passthrough (applies to IPv4 only).\n" #endif @@ -1860,7 +1860,6 @@ show_settings(const struct options *o) SHOW_BOOL(persist_tun); SHOW_BOOL(persist_local_ip); SHOW_BOOL(persist_remote_ip); - SHOW_BOOL(persist_key); #if PASSTOS_CAPABILITY SHOW_BOOL(passtos); 
@@ -3239,18 +3238,16 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline; } - /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and + /* Pre-cache tls-auth/crypt(-v2) key file if * keys were not already embedded in the config file. */ - if (o->persist_key) - { - connection_entry_preload_key(&ce->tls_auth_file, - &ce->tls_auth_file_inline, &o->gc); - connection_entry_preload_key(&ce->tls_crypt_file, - &ce->tls_crypt_file_inline, &o->gc); - connection_entry_preload_key(&ce->tls_crypt_v2_file, - &ce->tls_crypt_v2_file_inline, &o->gc); - } + connection_entry_preload_key(&ce->tls_auth_file, + &ce->tls_auth_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_file, + &ce->tls_crypt_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_v2_file, + &ce->tls_crypt_v2_file_inline, &o->gc); + if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification) { @@ -6938,7 +6935,10 @@ add_option(struct options *options, else if (streq(p[0], "persist-key") && !p[1]) { VERIFY_PERMISSION(OPT_P_PERSIST); - options->persist_key = true; + msg(M_WARN, "DEPRECATED: --persist-key option ignored." + "The corresponding behavior will now always be done automatically." + "This option will be removed in a future version, " + "please remove it from your configuration."); } else if (streq(p[0], "persist-local-ip") && !p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f5890b90..cf9613b2 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -344,7 +344,6 @@ struct options bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */ bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */ bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */ - bool persist_key; /* Don't re-read key files on SIGUSR1 or PING_RESTART */ #if PASSTOS_CAPABILITY bool passtos;
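Review bot: in the doc/man-sections/generic-options.rst hunk the rest of the ``--persist-key`` entry still reads as advice for an option the user can choose ("Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. This option can be combined with ``--user`` to allow restarts"), which contradicts the new "**DEPRECATED**, corresponding behavior is now always enabled." line directly above it. Reword the remaining paragraph to describe the default behaviour (key files are read once at startup and kept in memory, so a ``--user`` privilege drop no longer needs this option) and state that the option is accepted but ignored.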
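Review bot: in the first src/openvpn/init.c hunk (`do_option_warnings`) the removed block also drops the `#ifdef ENABLE_PKCS11 ... && !o->pkcs11_id` exception without comment; removing the warning is correct because `!o->persist_key` can no longer be true, but the PKCS#11 case was deliberately exempted from it before. Please confirm in the commit message that unconditional key pre-loading is fine when `pkcs11_id` is set, since that path is now treated the same as file-based keys.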
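Review bot: the second src/openvpn/init.c hunk (`@@ -3687,6 +3679,7 @@`) adds only a stray empty line before `struct context_buffers *init_context_buffers(...)`; this is unrelated whitespace churn and should be dropped from the patch.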
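Review bot: in the `do_close_free_key_schedule` comment hunk (`@@ -3901,7 +3894,7 @@`) the text now promises that the tls-auth/crypt key "will be reloaded from memory (pre-cached)" unconditionally, so the pre-cached copies made by `connection_entry_preload_key(..., &o->gc)` live for the whole process lifetime. Check that those copies are wiped before release the way `tls_crypt_v2_wkc` is a few lines below (`buf_clear(&c->c1.ks.tls_crypt_v2_wkc)` before `free_buf(...)`), rather than relying on the gc free alone, since key material that is never re-read should not be left in freed memory.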
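Review bot: in the `@@ -3910,7 +3903,7 @@` hunk of src/openvpn/init.c, `if (!(c->sig->signal_received == SIGUSR1))` is a double negation left over from removing `&& c->options.persist_key`; write it as `if (c->sig->signal_received != SIGUSR1)`. A one-line comment saying that the key schedule is kept across a SIGUSR1 restart because the keys are always pre-cached now would also preserve the intent that the removed `persist_key` check used to express.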
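Review bot: the src/openvpn/options.c `usage_message` hunk marks `--persist-key` as "(DEPRECATED)" but keeps "Don't re-read key files across SIGUSR1 or --ping-restart." as its description, which now describes the always-on behaviour rather than what the flag does; say that the option is ignored, consistent with the runtime warning added in `add_option` and with the "**DEPRECATED**" wording in the man page.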
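Review bot: in the `options_postprocess_mutate_ce` hunk (`@@ -3239,18 +3238,16 @@`) the tls-auth/tls-crypt/tls-crypt-v2 key files are now always read at option processing time and, per the `do_close_free_key_schedule` change, never re-read on SIGUSR1, so a key replaced on disk only takes effect after a full restart of the daemon; that user-visible change belongs in the commit message and in the `--persist-key` documentation. Two smaller points in the same hunk: the comment is now split awkwardly ("Pre-cache tls-auth/crypt(-v2) key file if" / "keys were not already embedded in the config file.") and should be rejoined into one sentence, and the added empty line after the third `connection_entry_preload_key()` call leaves two blank lines before `if (!proto_is_udp(ce->proto) ...)`.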
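Review bot: in the `add_option` hunk (`@@ -6938,7 +6935,10 @@`) the adjacent string literals of the deprecation message are concatenated without separating spaces, so the logged line reads "--persist-key option ignored.The corresponding behavior will now always be done automatically.This option will be removed in a future version, ..."; add a trailing space to the first two literals, e.g. `"DEPRECATED: --persist-key option ignored. "` and `"The corresponding behavior will now always be done automatically. "`.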
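Review bot: the src/openvpn/options.h hunk removes `bool persist_key` from `struct options`, so any remaining reader of that field outside the four files in the diffstat (init.c, options.c, options.h and the man page) would no longer build; please confirm a tree-wide search for `persist_key` comes back empty after this patch.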