From patchwork Wed Mar 6 10:41:50 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3637
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 6 Mar 2024 11:41:50 +0100
Message-ID: <20240306104150.23951-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.43.0
Subject: [Openvpn-devel] [PATCH v3] Persist-key: enable persist-key option by default

From: itsGiaan

Change the default behavior of the OpenVPN configuration by enabling the
persist-key option by default. This means that all the keys will be kept
in memory across restarts.

Fixes: Trac #1405
Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff
Signed-off-by: Gianmarco De Gregori Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/529 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/Changes.rst b/Changes.rst index 58cb3db..4cded98 100644 --- a/Changes.rst +++ b/Changes.rst @@ -20,6 +20,8 @@ When configured to authenticate with NTLMv1 (``ntlm`` keyword in ``--http-proxy``) OpenVPN will try NTLMv2 instead. +``persist-key`` option has been enabled by default. + All the keys will be kept in memory across restart. Overview of changes in 2.6 ========================== diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 95e4ca2..4e2029a 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst 
@@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..01e8e5b 100644 --- a/doc/man-sections/signals.rst +++ b/doc/man-sections/signals.rst @@ -10,9 +10,8 @@ Like :code:`SIGHUP``, except don't re-read configuration file, and possibly don't close and reopen TUN/TAP device, re-read key files, preserve local IP address/port, or preserve most recently authenticated - remote IP address/port based on ``--persist-tun``, ``--persist-key``, - ``--persist-local-ip`` and ``--persist-remote-ip`` options respectively - (see above). + remote IP address/port based on ``--persist-tun``, ``--persist-local-ip`` + and ``--persist-remote-ip`` options respectively (see above). This signal may also be internally generated by a timeout condition, governed by the ``--ping-restart`` option. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index a0c1232..11467ca 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -42,3 +42,6 @@ --prng Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library. + +--persist-key + Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. \ No newline at end of file diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index 15cb1b3..f51e017 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf 
@@ -62,7 +62,6 @@ ;group openvpn # Try to preserve some state across restarts. -persist-key persist-tun # If you are connecting through an diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index d9345b6..009fe56 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -274,11 +274,10 @@ ;user openvpn ;group openvpn -# The persist options will try to avoid +# The persist option will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. -persist-key persist-tun # Output a short status file showing diff --git a/sample/sample-config-files/tls-home.conf b/sample/sample-config-files/tls-home.conf index ff19d50..0e5c6eb 100644 --- a/sample/sample-config-files/tls-home.conf +++ b/sample/sample-config-files/tls-home.conf @@ -73,7 +73,6 @@ ; ping-restart 45 ; ping-timer-rem ; persist-tun -; persist-key # Verbosity level. # 0 -- quiet except for fatal errors. diff --git a/sample/sample-config-files/tls-office.conf b/sample/sample-config-files/tls-office.conf index 152e58a..2f306f6 100644 --- a/sample/sample-config-files/tls-office.conf +++ b/sample/sample-config-files/tls-office.conf @@ -76,7 +76,6 @@ ; ping-restart 45 ; ping-timer-rem ; persist-tun -; persist-key # Verbosity level. # 0 -- quiet except for fatal errors. diff --git a/sample/sample-windows/sample.ovpn b/sample/sample-windows/sample.ovpn index 51e3274..be24faa 100755 --- a/sample/sample-windows/sample.ovpn +++ b/sample/sample-windows/sample.ovpn @@ -89,7 +89,6 @@ ; ping-restart 60 ; ping-timer-rem ; persist-tun -; persist-key ; resolv-retry 86400 # keep-alive ping diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 52b4308..52b3931 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -3559,14 +3559,6 @@ { msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); } - if (!o->persist_key -#ifdef ENABLE_PKCS11 - && !o->pkcs11_id -#endif - ) - { - msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail"); - } } if (o->chroot_dir && !(o->username && o->groupname)) @@ -3857,7 +3849,7 @@ do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) { /* - * always free the tls_auth/crypt key. If persist_key is true, the key will + * always free the tls_auth/crypt key. The key will * be reloaded from memory (pre-cached) */ free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key); @@ -3866,7 +3858,7 @@ buf_clear(&c->c1.ks.tls_crypt_v2_wkc); free_buf(&c->c1.ks.tls_crypt_v2_wkc); - if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) + if (!(c->sig->signal_received == SIGUSR1)) { key_schedule_free(&c->c1.ks, free_ssl_ctx); } diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index dabc5be..df93b0e 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -48,7 +48,7 @@ /* * Our global key schedules, packaged thusly - * to facilitate --persist-key. + * to facilitate key persistence. */ struct key_schedule diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2c79a1e..94a88f9 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -273,7 +273,6 @@ "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n" "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n" "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n" - "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n" #if PASSTOS_CAPABILITY "--passtos : TOS passthrough (applies to IPv4 only).\n" #endif 
@@ -1857,7 +1856,6 @@ SHOW_BOOL(persist_tun); SHOW_BOOL(persist_local_ip); SHOW_BOOL(persist_remote_ip); - SHOW_BOOL(persist_key); #if PASSTOS_CAPABILITY SHOW_BOOL(passtos); @@ -3240,18 +3238,16 @@ ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline; } - /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and + /* Pre-cache tls-auth/crypt(-v2) key file if * keys were not already embedded in the config file. */ - if (o->persist_key) - { - connection_entry_preload_key(&ce->tls_auth_file, - &ce->tls_auth_file_inline, &o->gc); - connection_entry_preload_key(&ce->tls_crypt_file, - &ce->tls_crypt_file_inline, &o->gc); - connection_entry_preload_key(&ce->tls_crypt_v2_file, - &ce->tls_crypt_v2_file_inline, &o->gc); - } + connection_entry_preload_key(&ce->tls_auth_file, + &ce->tls_auth_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_file, + &ce->tls_crypt_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_v2_file, + &ce->tls_crypt_v2_file_inline, &o->gc); + if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification) { @@ -6963,7 +6959,8 @@ else if (streq(p[0], "persist-key") && !p[1]) { VERIFY_PERMISSION(OPT_P_PERSIST); - options->persist_key = true; + msg(M_WARN, "DEPRECATED: --persist-key option ignored. " + "Keys are now always persisted across restarts. "); } else if (streq(p[0], "persist-local-ip") && !p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 85de887..2b37d1f 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -344,7 +344,6 @@ bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */ bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */ bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */ - bool persist_key; /* Don't re-read key files on SIGUSR1 or PING_RESTART */ #if PASSTOS_CAPABILITY bool passtos;
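Review bot: the Changes.rst hunk (@@ -20,6 +20,8 @@) states the new default but not its operational consequence. The generic-options.rst text this patch removes defined ``--persist-key`` as "Don't re-read key files across SIGUSR1 or --ping-restart", so making that behaviour unconditional means a tls-auth/tls-crypt key file replaced on disk is no longer picked up by a SIGUSR1 or a ping-restart; an operator rotating those keys now needs a SIGHUP or a full process restart. Suggest one sentence to that effect in the Changes.rst entry. The wording should also match the unsupported-options.rst entry ("Ignored since OpenVPN 2.7. Keys are now always persisted across restarts."), since "enabled by default" implies it can still be turned off, which the parser hunk shows it cannot. Minor: "``persist-key`` option has been enabled" reads better as "The ``persist-key`` option has been enabled".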
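Review bot: the unsupported-options.rst hunk leaves the file without a trailing newline ("\ No newline at end of file" right after the new ``--persist-key`` entry); add the final newline so the file matches the other man-sections and does not trip whitespace checks on later edits.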
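Review bot: in the do_close_free_key_schedule() hunk of init.c, `if (!(c->sig->signal_received == SIGUSR1))` is the old compound condition with one operand deleted; `if (c->sig->signal_received != SIGUSR1)` says the same thing directly. The reworded comment "The key will be reloaded from memory (pre-cached)" is only true because the options.c hunk now calls connection_entry_preload_key() unconditionally; a short pointer to that in the comment would keep the two from drifting apart if either is changed later.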
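Review bot: in the @@ -3240,18 +3238,16 @@ hunk of options.c the edited comment now reads "Pre-cache tls-auth/crypt(-v2) key file if" on one line and "keys were not already embedded in the config file." on the next, leaving a dangling "if"; suggest "Pre-cache tls-auth/crypt(-v2) key files unless the keys are already embedded in the config file." The same hunk also adds an empty "+" line after the third connection_entry_preload_key() call, directly before the existing blank context line, so there are now two consecutive blank lines before `if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)`; drop the added one.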
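Review bot: the new `msg(M_WARN, "DEPRECATED: --persist-key option ignored. " "Keys are now always persisted across restarts. ")` ends with a trailing space inside the second string literal; drop it. Keeping the keyword accepted under VERIFY_PERMISSION(OPT_P_PERSIST) instead of rejecting it is the right choice for existing configs, but note that the server-options.rst hunk removes ``--persist-key`` from the documented pushable list while the parser still accepts it with the OPT_P_PERSIST permission, so a server that still pushes it will make clients log this warning each time the pushed options are applied; either mention that in the warning text or in Changes.rst so operators know to remove it from server push lists.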