From patchwork Mon Feb 19 13:57:27 2024
X-Patchwork-Submitter: "ralf_lici (Code Review)"
X-Patchwork-Id: 3624
From: "its_Giaan (Code Review)"
Date: Mon, 19 Feb 2024 13:57:27 +0000
To: plaisthos, flichtenheld
Cc: openvpn-devel
Reply-To: gianmarco@mandelbit.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Subject: [Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default
Message-ID: <46b2358a8beaeb2a89f97af549af48b6d1dafd2d-HTML@gerrit.openvpn.net>
User-Agent: Gerrit/3.8.2
X-Gerrit-MessageType: newchange
X-Gerrit-PatchSet: 1
X-Gerrit-Project: openvpn
X-Gerrit-Change-Number: 529
X-Gerrit-Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff
X-Gerrit-Commit: a0acb6539b20a43f38e48162674f0d238a207085

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit http://gerrit.openvpn.net/c/openvpn/+/529?usp=email to review the following change.
Change subject: Persist-key: enable persist-key option by default
......................................................................

Persist-key: enable persist-key option by default

This commit changes the default behavior of the OpenVPN configuration
to enable the persist-key option by default. This means that all the
key file content will be kept in memory throughout the lifetime of the
VPN connection.

Fixes: Trac #1405
Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff
Signed-off-by: Gianmarco De Gregori
---
M doc/man-sections/connection-profiles.rst
M doc/man-sections/generic-options.rst
M doc/man-sections/link-options.rst
M doc/man-sections/server-options.rst
M doc/man-sections/signals.rst
M doc/man-sections/unsupported-options.rst
M sample/sample-config-files/client.conf
M sample/sample-config-files/server.conf
M sample/sample-config-files/tls-home.conf
M sample/sample-config-files/tls-office.conf
M sample/sample-windows/sample.ovpn
M src/openvpn/init.c
M src/openvpn/openvpn.h
M src/openvpn/options.c
M src/openvpn/options.h
15 files changed, 24 insertions(+), 48 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/29/529/1

diff --git a/doc/man-sections/connection-profiles.rst b/doc/man-sections/connection-profiles.rst index c8816e1..520bbef 100644 --- a/doc/man-sections/connection-profiles.rst +++ b/doc/man-sections/connection-profiles.rst @@ -39,7 +39,6 @@ http-proxy 192.168.0.8 8080 - persist-key persist-tun pkcs12 client.p12 remote-cert-tls server diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 95e4ca2..4e2029a 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst 
@@ -302,17 +302,6 @@ Change process priority after initialization (``n`` greater than 0 is lower priority, ``n`` less than zero is higher priority). ---persist-key - Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. - - This option can be combined with ``--user`` to allow restarts - triggered by the :code:`SIGUSR1` signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files. - - This option solves the problem by persisting keys across :code:`SIGUSR1` - resets, so they don't need to be re-read. - --providers providers Load the list of (OpenSSL) providers. This is mainly useful for using an external provider for key management like tpm2-openssl or to load the @@ -402,7 +391,7 @@ Like with chroot, complications can result when scripts or restarts are executed after the setcon operation, which is why you should really - consider using the ``--persist-key`` and ``--persist-tun`` options. + consider using the ``--persist-tun`` option. --status args Write operational status to ``file`` every ``n`` seconds. ``n`` defaults diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index ca26bfe..ca192c3 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -283,7 +283,7 @@ See the signals section below for more information on :code:`SIGUSR1`. Note that the behavior of ``SIGUSR1`` can be modified by the - ``--persist-tun``, ``--persist-key``, ``--persist-local-ip`` and + ``--persist-tun``, ``--persist-local-ip`` and ``--persist-remote-ip`` options. Also note that ``--ping-exit`` and ``--ping-restart`` are mutually diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 98f5340..0632e31 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -452,7 +452,7 @@ ``--route``, ``--route-gateway``, ``--route-delay``, ``--redirect-gateway``, ``--ip-win32``, ``--dhcp-option``, ``--dns``, ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, - ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, + ``--setenv``, ``--auth-token``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, ``--rcvbuf``, ``--session-timeout`` diff --git a/doc/man-sections/signals.rst b/doc/man-sections/signals.rst index 63611b3..c9d4fb2 100644 --- a/doc/man-sections/signals.rst +++ b/doc/man-sections/signals.rst @@ -10,9 +10,8 @@ Like :code:`SIGHUP``, except don't re-read configuration file, and possibly don't close and reopen TUN/TAP device, re-read key files, preserve local IP address/port, or preserve most recently authenticated - remote IP address/port based on ``--persist-tun``, ``--persist-key``, - ``--persist-local-ip`` and ``--persist-remote-ip`` options respectively - (see above). + remote IP address/port based on ``--persist-tun``, ``--persist-local-ip`` + and ``--persist-remote-ip`` options respectively (see above). This signal may also be internally generated by a timeout condition, governed by the ``--ping-restart`` option. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index a0c1232..0a5b863 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -42,3 +42,6 @@ --prng Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library. + +--persist-key + Removed in OpenVPN 2.7. Corresponding behavior is now always enabled. \ No newline at end of file diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index 15cb1b3..f51e017 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf 
@@ -62,7 +62,6 @@ ;group openvpn # Try to preserve some state across restarts. -persist-key persist-tun # If you are connecting through an diff --git a/sample/sample-config-files/server.conf b/sample/sample-config-files/server.conf index d9345b6..043659d 100644 --- a/sample/sample-config-files/server.conf +++ b/sample/sample-config-files/server.conf @@ -278,7 +278,6 @@ # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. -persist-key persist-tun # Output a short status file showing diff --git a/sample/sample-config-files/tls-home.conf b/sample/sample-config-files/tls-home.conf index ff19d50..0e5c6eb 100644 --- a/sample/sample-config-files/tls-home.conf +++ b/sample/sample-config-files/tls-home.conf @@ -73,7 +73,6 @@ ; ping-restart 45 ; ping-timer-rem ; persist-tun -; persist-key # Verbosity level. # 0 -- quiet except for fatal errors. diff --git a/sample/sample-config-files/tls-office.conf b/sample/sample-config-files/tls-office.conf index 152e58a..2f306f6 100644 --- a/sample/sample-config-files/tls-office.conf +++ b/sample/sample-config-files/tls-office.conf @@ -76,7 +76,6 @@ ; ping-restart 45 ; ping-timer-rem ; persist-tun -; persist-key # Verbosity level. # 0 -- quiet except for fatal errors. diff --git a/sample/sample-windows/sample.ovpn b/sample/sample-windows/sample.ovpn index 51e3274..be24faa 100755 --- a/sample/sample-windows/sample.ovpn +++ b/sample/sample-windows/sample.ovpn @@ -89,7 +89,6 @@ ; ping-restart 60 ; ping-timer-rem ; persist-tun -; persist-key ; resolv-retry 86400 # keep-alive ping diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 52b4308..7319677 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -3559,14 +3559,6 @@ { msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); } - if (!o->persist_key -#ifdef ENABLE_PKCS11 - && !o->pkcs11_id -#endif - ) - { - msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail"); - } } if (o->chroot_dir && !(o->username && o->groupname)) @@ -3635,6 +3627,7 @@ } } + struct context_buffers * init_context_buffers(const struct frame *frame) { @@ -3857,7 +3850,7 @@ do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) { /* - * always free the tls_auth/crypt key. If persist_key is true, the key will + * always free the tls_auth/crypt key. The key will * be reloaded from memory (pre-cached) */ free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key); @@ -3866,7 +3859,7 @@ buf_clear(&c->c1.ks.tls_crypt_v2_wkc); free_buf(&c->c1.ks.tls_crypt_v2_wkc); - if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) + if (!(c->sig->signal_received == SIGUSR1)) { key_schedule_free(&c->c1.ks, free_ssl_ctx); } diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index dabc5be..df93b0e 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -48,7 +48,7 @@ /* * Our global key schedules, packaged thusly - * to facilitate --persist-key. + * to facilitate key persistence. */ struct key_schedule diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2c79a1e..2042bda 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -273,7 +273,6 @@ "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n" "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n" "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n" - "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n" #if PASSTOS_CAPABILITY "--passtos : TOS passthrough (applies to IPv4 only).\n" #endif 
@@ -1857,7 +1856,6 @@ SHOW_BOOL(persist_tun); SHOW_BOOL(persist_local_ip); SHOW_BOOL(persist_remote_ip); - SHOW_BOOL(persist_key); #if PASSTOS_CAPABILITY SHOW_BOOL(passtos); @@ -3240,18 +3238,16 @@ ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline; } - /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and + /* Pre-cache tls-auth/crypt(-v2) key file if * keys were not already embedded in the config file. */ - if (o->persist_key) - { - connection_entry_preload_key(&ce->tls_auth_file, - &ce->tls_auth_file_inline, &o->gc); - connection_entry_preload_key(&ce->tls_crypt_file, - &ce->tls_crypt_file_inline, &o->gc); - connection_entry_preload_key(&ce->tls_crypt_v2_file, - &ce->tls_crypt_v2_file_inline, &o->gc); - } + connection_entry_preload_key(&ce->tls_auth_file, + &ce->tls_auth_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_file, + &ce->tls_crypt_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_v2_file, + &ce->tls_crypt_v2_file_inline, &o->gc); + if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification) { @@ -6963,7 +6959,10 @@ else if (streq(p[0], "persist-key") && !p[1]) { VERIFY_PERMISSION(OPT_P_PERSIST); - options->persist_key = true; + msg(M_WARN, "DEPRECATED: --persist-key option ignored." + "The corresponding behavior is now always enabled." + "This option will be removed in a future version, " + "please remove it from your configuration."); } else if (streq(p[0], "persist-local-ip") && !p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 85de887..2b37d1f 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -344,7 +344,6 @@ bool persist_tun; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */ bool persist_local_ip; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */ bool persist_remote_ip; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */ - bool persist_key; /* Don't re-read key files on SIGUSR1 or PING_RESTART */ #if PASSTOS_CAPABILITY bool passtos;
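Review bot: the generic-options.rst hunk at @@ -302 deletes the only place the manual explained why a restart still works after ``--user``/``--group`` drop root (keys are kept in memory, so protected key files do not have to be re-read on :code:`SIGUSR1`). With the option gone that explanation should not disappear with it; consider moving a sentence such as "key files are read once at startup and kept in memory across :code:`SIGUSR1` restarts" into the ``--user``/``--group`` description or the signals section.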
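Review bot: the unsupported-options.rst hunk at @@ -42 documents "--persist-key  Removed in OpenVPN 2.7. Corresponding behavior is now always enabled.", but the options.c hunk at @@ -6959 still parses the option and only logs a DEPRECATED warning saying it "will be removed in a future version"; the two texts contradict each other. Either describe the option as accepted and ignored in 2.7, or make the parser reject it. The hunk also ends with "\ No newline at end of file"; add the trailing newline.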
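Review bot: the init.c hunk at @@ -3627 only inserts a blank line before init_context_buffers(), which is unrelated whitespace churn; drop it from this change.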
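Review bot: in the init.c hunk at @@ -3859, `if (!(c->sig->signal_received == SIGUSR1))` reads more naturally as `if (c->sig->signal_received != SIGUSR1)`. More importantly, this is the spot where the old default (no persist-key) freed the key schedule on :code:`SIGUSR1` and re-read the files; it is now always retained, so the commit message's statement that key file content stays in memory for the lifetime of the connection now applies to every deployment, including ones that never opted in. That change in how long tls-auth/tls-crypt secrets stay resident in the process deserves an explicit sentence in the commit message and in the documentation, not only the removal of the option text.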
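Review bot: the options.c hunk at @@ -3238 leaves an extra empty `+` line after the last connection_entry_preload_key() call; drop it. Since the three preload calls now run unconditionally for every connection entry rather than only when persist-key was set, please confirm the failure path for a missing or unreadable key file still yields a clear error at option parsing, as that path is no longer gated by an explicit option.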
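Review bot: the options.c hunk at @@ -6959 concatenates the string literals without separating spaces, so the logged line comes out as "DEPRECATED: --persist-key option ignored.The corresponding behavior is now always enabled.This option will be removed in a future version, please remove it from your configuration."; add a trailing space to the first two literals (or use a single literal).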