From patchwork Fri Apr 23 11:16:24 2021
X-Patchwork-Submitter: Kristof Provost via Openvpn-devel
X-Patchwork-Id: 1772
Date: Fri, 23 Apr 2021 21:16:24 +0000
To: "openvpn-devel@lists.sourceforge.net"
Subject: [Openvpn-devel] [openvpn-devel] Feature request - Include daemon_pid in --tls-crypt-v2-verify env - V2
X-Patchwork-Original-From: tincantech via Openvpn-devel
From: Kristof Provost via Openvpn-devel
Reply-To: tincantech

Hi,

I am requesting that daemon_pid be added to --tls-crypt-v2-verify env.

Version 2

Justification:
With the notable exception of --tls-crypt-v2-verify .. daemon_pid provides a verified process ID to All scripts. This ensures that scripts which are intended to pass data along to the following scripts have an index to which they can link that data.

Example:
An example is presented in Easy-TLS: https://github.com/TinCanTech/easy-tls
This script passes the hardware address from --tls-crypt-v2 key metadata along to --client-connect, where the pushed client variable IV_HWADDR can be matched against the fixed hardware address encrypted in the TLS Crypt V2 key metadata.

Security:
There are no known security concerns with regard to including the openvpn process ID (daemon_pid) in the --tls-crypt-v2-verify environment.

Complexity:
Ongoing support of the required code would be minimal to zero.

Code:
This patch is included for review purposes only.

Conclusion:
Due to the OS in use and other environmental factors, the *nix built-in variable PPID may not always be available. Without including $daemon_pid in the --tls-crypt-v2-verify environment, openvpn is forcing the user to unnecessarily configure --writepid. The purpose of --writepid is to advertise the openvpn process ID to external processes which do not have access to the internals of openvpn. By including daemon_pid in the --tls-crypt-v2-verify environment all processes launched by openvpn have access to this very useful identifier.

Provided there are no genuine reasons to NAK this request, I will send a correctly formatted patch.

Addendum:
I know this is something which helps me in the short term and I already have a working alternative but I would like you to reconsider your previous decision.
In my opinion All scripts launched by openvpn should have immediate access to daemon_pid.

Thank you for your time and consideration,
R

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 7b5016d3..23d93a6c 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,      setenv_str(es, "script_type", "tls-crypt-v2-verify");      setenv_str(es, "metadata_type", metadata_type_str);      setenv_str(es, "metadata_file", tmp_file); +    setenv_int(es, "daemon_pid", platform_getpid());      struct argv argv = argv_new();      argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
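Review bot: the one-line addition of `setenv_int(es, "daemon_pid", platform_getpid());` is consistent with the three `setenv_str` calls just above it (`script_type`, `metadata_type`, `metadata_file`), so the hunk itself is fine; what is missing for a mergeable version is what the cover text defers, namely a proper commit message with Signed-off-by and an update to the documented environment of the --tls-crypt-v2-verify script so that `daemon_pid` is listed next to `metadata_type` and `metadata_file`. Since the variable is set into the same `es` that is passed to the verify script, it is only visible to that script invocation, which is the intended scope.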
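As an added example that is not part of the request, the patch or Easy-TLS: a POSIX shell script serving both hooks, linking the --tls-crypt-v2-verify stage to --client-connect through a file keyed by daemon_pid, the variable this patch adds to the verify environment. It assumes the metadata file holds the hardware address as a plain first line and that IV_HWADDR is pushed by the client; STASH_DIR, norm_hwaddr, tcv2_verify and client_connect are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the patch or from Easy-TLS. One script
# handles both hooks; openvpn tells it which via script_type.
# STASH_DIR is a constructed demo location (assumption).
STASH_DIR="${STASH_DIR:-${TMPDIR:-/tmp}/tcv2-demo-$$}"

# Normalise a hardware address: strip ':' and '-', lowercase hex,
# so "AA-BB-CC" and "aa:bb:cc" compare equal.
norm_hwaddr() {
    printf '%s' "$1" | sed 's/[-:]//g' | tr 'A-F' 'a-f'
}

# --tls-crypt-v2-verify hook: read the decrypted key metadata and stash
# the hardware address under this server's daemon_pid. Non-zero exit
# rejects the client key.
tcv2_verify() {
    [ -n "$daemon_pid" ] && [ -r "$metadata_file" ] || return 1
    mkdir -p "$STASH_DIR" || return 1
    hw=$(norm_hwaddr "$(head -n 1 "$metadata_file")")
    [ -n "$hw" ] || return 1          # metadata without an address: reject
    printf '%s\n' "$hw" > "$STASH_DIR/$daemon_pid.hwaddr"
}

# --client-connect hook: compare the client-supplied IV_HWADDR against
# the value stashed by the verify stage. Non-zero exit rejects the client.
client_connect() {
    stash="$STASH_DIR/$daemon_pid.hwaddr"
    [ -r "$stash" ] || return 1       # no verify stage ran: reject
    expected=$(cat "$stash")
    rm -f "$stash"                    # one-shot: never reuse a stale value
    [ "$(norm_hwaddr "${IV_HWADDR:-}")" = "$expected" ]
}

case "${script_type:-}" in
    tls-crypt-v2-verify) tcv2_verify ;;
    client-connect)      client_connect ;;
esac
```

daemon_pid scopes the stash to one server process, not to one connection, so with concurrent handshakes the file name needs a per-connection component as well.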