From patchwork Mon Dec 19 14:04:05 2022
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 2926
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 19 Dec 2022 09:04:05 -0500
Message-Id: <20221219140405.1221341-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221218192203.1214943-1-selva.nair@gmail.com>
References: <20221218192203.1214943-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v2] Do not include auth-token in pulled option digest

From: Selva Nair

As a change in auth-token is common on restart and does not require tun-reopen, exclude it from the "pulled options digest" calculation. Without this, tun is always re-opened on SIGUSR1 if auth-token is in use, which breaks persist-tun.

Fixes #200

v2: explicitly filter auth-token and auth-token-user
Signed-off-by: Selva Nair Acked-by: Gert Doering --- src/openvpn/push.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index ad2f3c65..e765d2a9 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -989,8 +989,10 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) char line[OPTION_PARM_SIZE]; while (buf_parse(buf, ',', line, sizeof(line))) { - /* peer-id might change on restart and this should not trigger reopening tun */ - if (strprefix(line, "peer-id ")) + /* peer-id and auth-token might change on restart and this should not trigger reopening tun */ + if (strprefix(line, "peer-id ") + || strprefix(line, "auth-token ") + || strprefix(line, "auth-token-user ")) { continue; }
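Review bot: the rewritten comment at the top of the hunk ("/* peer-id and auth-token might change on restart and this should not trigger reopening tun */") runs well past 80 columns once indented inside the while loop; wrap it or shorten it to something like `/* peer-id, auth-token and auth-token-user may change on restart; do not let that reopen tun */`. Both strprefix() calls are needed because the trailing space in `"auth-token "` means it does not match `"auth-token-user "`, which is the v2 fix the commit message mentions; a one-line comment saying so would spare the next reader from re-deriving it. It would also help to state, in the comment or the commit message, why leaving these two options out of push_update_digest() is safe: the token is a credential that is re-applied on every push rather than a setting that affects tun state, so a changed token no longer perturbs the digest but is not otherwise ignored.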