[Openvpn-devel] Add daemon_pid to --tls-crypt-v2-verify script environment

Message ID faqABVK6MPd-XEqegwOnFrNPTR3Fts0q4aM_qBeygqdHuxVevbtQdjKUlX6VzMp5CxoOpeT_a2pqS4c7oEts2M_6TpGh1vcb7z7sc6BktlM=@protonmail.com
State Superseded
Series [Openvpn-devel] Add daemon_pid to --tls-crypt-v2-verify script environment

Commit Message

Kristof Provost via Openvpn-devel April 28, 2021, 7:44 a.m. UTC

Openvpn process ID (daemon_pid) provides the most secure way for
scripts to verify which process they were called by.

This patch adds daemon_pid to --tls-crypt-v2-verify environment.

Tested on Linux and Windows.




--
git version 2.25.1


I hope my MTA has not mangled this patch but I don't currently have access
to an SMTP server port. If it is borken then please ignore this and I'll find
another way.  Feel free to send other feedback.  eg: NAK + Reason.

Thanks
R

#



Comments

Kristof Provost via Openvpn-devel April 28, 2021, 7:48 a.m. UTC | #1

Yeah, I forgot to apply and commit -- sorry.

I guess I'll send again if this is an acceptable patch and my MTA didn't screw it up ?
Please let me know .. thanks



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, 28 April 2021 18:44, tincantech <tincantech@protonmail.com> wrote:

> Openvpn process ID (daemon_pid) provides the most secure way for
> scripts to verify which process they were called by.
>
> This patch adds daemon_pid to --tls-crypt-v2-verify environment.
>
> Tested on Linux and Windows.
>
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> index 7b5016d3..23d93a6c 100644
> --- a/src/openvpn/tls_crypt.c
> +++ b/src/openvpn/tls_crypt.c
> @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
> setenv_str(es, "script_type", "tls-crypt-v2-verify");
> setenv_str(es, "metadata_type", metadata_type_str);
> setenv_str(es, "metadata_file", tmp_file);
>
> -   setenv_int(es, "daemon_pid", platform_getpid());
>
>     struct argv argv = argv_new();
>     argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
>
>
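Review bot: The setenv_int(es, "daemon_pid", platform_getpid()) line carries a "-" prefix in this copy although the hunk header "@@ -537,6 +537,7 @@" declares one added line, and the three setenv_str context lines have lost their leading whitespace, so this copy will not apply. Please resend the unmodified output of git format-patch as an attachment rather than pasting it into the mail body.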
> --
>
> git version 2.25.1
>
> I hope my MTA has not mangled this patch but I don't currently have access
> to an SMTP server port. If it is borken then please ignore this and I'll find
> another way. Feel free to send other feedback. eg: NAK + Reason.
>
> Thanks
> R
>
> ==


Kristof Provost via Openvpn-devel April 28, 2021, 8:03 a.m. UTC | #2

Looking closer, I can see that it was damaged in transit ..

Please let me know if you would be willing to accept my proposed patch and then I will persist to find a way.

If you will not accept the addition then please let me know.

Thanks
R


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, 28 April 2021 18:48, tincantech via Openvpn-devel <openvpn-devel@lists.sourceforge.net> wrote:

> Yeah, I forgot to apply and commit -- sorry.
>
> I guess I'll send again if this is an acceptable patch and my MTA didn't screw it up ?
> Please let me know .. thanks
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, 28 April 2021 18:44, tincantech tincantech@protonmail.com wrote:
>
> > Openvpn process ID (daemon_pid) provides the most secure way for
> > scripts to verify which process they were called by.
> > This patch adds daemon_pid to --tls-crypt-v2-verify environment.
> > Tested on Linux and Windows.
> > diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> > index 7b5016d3..23d93a6c 100644
> > --- a/src/openvpn/tls_crypt.c
> > +++ b/src/openvpn/tls_crypt.c
> > @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
> > setenv_str(es, "script_type", "tls-crypt-v2-verify");
> > setenv_str(es, "metadata_type", metadata_type_str);
> > setenv_str(es, "metadata_file", tmp_file);
> >
> > -   setenv_int(es, "daemon_pid", platform_getpid());
> >     struct argv argv = argv_new();
> >     argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
> >
> >
> > --
> > git version 2.25.1
> > I hope my MTA has not mangled this patch but I don't currently have access
> > to an SMTP server port. If it is borken then please ignore this and I'll find
> > another way. Feel free to send other feedback. eg: NAK + Reason.
> > Thanks
> > R
> > ==


Kristof Provost via Openvpn-devel April 29, 2021, 1 a.m. UTC | #3

Not a single comment ?


Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, 28 April 2021 19:03, tincantech <tincantech@protonmail.com> wrote:

> Looking closer, I can see that it was damaged in transit ..
>
> Please let me know if you would be willing to accept my proposed patch and then I will persist to find a way.
>
> If you will not accept the addition then please let me know.
>
> Thanks
> R
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, 28 April 2021 18:48, tincantech via Openvpn-devel openvpn-devel@lists.sourceforge.net wrote:
>
> > Yeah, I forgot to apply and commit -- sorry.
> > I guess I'll send again if this is an acceptable patch and my MTA didn't screw it up ?
> > Please let me know .. thanks
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Wednesday, 28 April 2021 18:44, tincantech tincantech@protonmail.com wrote:
> >
> > > Openvpn process ID (daemon_pid) provides the most secure way for
> > > scripts to verify which process they were called by.
> > > This patch adds daemon_pid to --tls-crypt-v2-verify environment.
> > > Tested on Linux and Windows.
> > > diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> > > index 7b5016d3..23d93a6c 100644
> > > --- a/src/openvpn/tls_crypt.c
> > > +++ b/src/openvpn/tls_crypt.c
> > > @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
> > > setenv_str(es, "script_type", "tls-crypt-v2-verify");
> > > setenv_str(es, "metadata_type", metadata_type_str);
> > > setenv_str(es, "metadata_file", tmp_file);
> > >
> > > -   setenv_int(es, "daemon_pid", platform_getpid());
> > >     struct argv argv = argv_new();
> > >     argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
> > >
> > >
> > > --
> > > git version 2.25.1
> > > I hope my MTA has not mangled this patch but I don't currently have access
> > > to an SMTP server port. If it is borken then please ignore this and I'll find
> > > another way. Feel free to send other feedback. eg: NAK + Reason.
> > > Thanks
> > > R
> > >
> > > ==



Patch

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 7b5016d3..23d93a6c 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -537,6 +537,7 @@  tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
     setenv_str(es, "script_type", "tls-crypt-v2-verify");
     setenv_str(es, "metadata_type", metadata_type_str);
     setenv_str(es, "metadata_file", tmp_file);
+    setenv_int(es, "daemon_pid", platform_getpid());

     struct argv argv = argv_new();
     argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
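
Review bot: The added setenv_int(es, "daemon_pid", platform_getpid()) line in tls_crypt_v2_verify_metadata() exposes a new variable to the --tls-crypt-v2-verify script, but the diff touches only src/openvpn/tls_crypt.c, so the variable ships undocumented. Please add daemon_pid to the documented environment of --tls-crypt-v2-verify in the same patch. The commit message should also say what the script is expected to compare the value against, since this hunk only publishes the PID and performs no check itself.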