From patchwork Fri Jun 1 17:42:05 2018
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Sat, 2 Jun 2018 11:42:05 +0800
Message-Id: <20180602034206.9459-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 1/2] make tls-auth a per-connection-block option

Different VPN servers may use different tls-auth keys. For this reason it is convenient to make tls-auth a per-connection-block option so that the user is allowed to specify one key per remote.

If no tls-auth option is specified in a given connection block, the global one, if any, is used.

Trac: #720
Cc: Steffan Karger
Signed-off-by: Antonio Quartulli
---
 doc/openvpn.8 | 1 +
 src/openvpn/init.c | 10 +++---
 src/openvpn/options.c | 82 ++++++++++++++++++++++++++++++++++---------
 src/openvpn/options.h | 5 +++
 4 files changed, 77 insertions(+), 21 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 4114f408..e7bc3f4f 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -372,6 +372,7 @@ block: .B remote, .B rport, .B socks\-proxy, +.B tls\-auth, .B tun\-mtu and .B tun\-mtu\-extra. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 36c1a4c4..1c43c495 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c
@@ -2546,7 +2546,7 @@ do_init_crypto_tls_c1(struct context *c) prng_init(options->prng_hash, options->prng_nonce_secret_len); /* TLS handshake authentication (--tls-auth) */ - if (options->tls_auth_file) + if (options->ce.tls_auth_file) { /* Initialize key_type for tls-auth with auth only */ CLEAR(c->c1.ks.tls_auth_key_type); @@ -2563,8 +2563,10 @@ do_init_crypto_tls_c1(struct context *c) } crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type, - &c->c1.ks.tls_wrap_key, options->tls_auth_file, - options->tls_auth_file_inline, options->key_direction, + &c->c1.ks.tls_wrap_key, + options->ce.tls_auth_file, + options->ce.tls_auth_file_inline, + options->ce.key_direction, "Control Channel Authentication", "tls-auth"); } @@ -2783,7 +2785,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) #endif /* TLS handshake authentication (--tls-auth) */ - if (options->tls_auth_file) + if (options->ce.tls_auth_file) { to.tls_wrap.mode = TLS_WRAP_AUTH; to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 426057ab..a9dbcb83 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1506,6 +1506,10 @@ show_connection_entry(const struct connection_entry *o) #ifdef ENABLE_OCC SHOW_INT(explicit_exit_notification); #endif + + SHOW_STR(tls_auth_file); + SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), + "%s"); } @@ -1786,7 +1790,6 @@ show_settings(const struct options *o) SHOW_BOOL(push_peer_info); SHOW_BOOL(tls_exit); - SHOW_STR(tls_auth_file); SHOW_STR(tls_crypt_file); #ifdef ENABLE_PKCS11 @@ -2869,6 +2872,15 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } } + /* + * Set per-connection block tls-auth fields if no other method was defined + */ + if (!ce->tls_auth_file) + { + ce->tls_auth_file = o->tls_auth_file; + ce->tls_auth_file_inline = o->tls_auth_file_inline; + ce->key_direction = o->key_direction; + } } #ifdef _WIN32 
@@ -3285,12 +3297,20 @@ options_postprocess_filechecks(struct options *options) options->crl_file, R_OK, "--crl-verify"); } - errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, - options->tls_auth_file, R_OK, "--tls-auth"); + ASSERT(options->connection_list); + for (int i = 0; i < options->connection_list->len; ++i) + { + struct connection_entry *ce = options->connection_list->array[i]; + + errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, + ce->tls_auth_file, R_OK, "--tls-auth"); + } + errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, options->tls_crypt_file, R_OK, "--tls-crypt"); errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, options->shared_secret_file, R_OK, "--secret"); + errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->packet_id_file, R_OK|W_OK, "--replay-persist"); @@ -3647,7 +3667,7 @@ options_string(const struct options *o, { if (TLS_CLIENT || TLS_SERVER) { - if (o->tls_auth_file) + if (o->ce.tls_auth_file) { buf_printf(&out, ",tls-auth"); } @@ -7420,10 +7440,19 @@ add_option(struct options *options, { int key_direction; + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + key_direction = ascii2keydirection(msglevel, p[1]); if (key_direction >= 0) { - options->key_direction = key_direction; + if (permission_mask & OPT_P_GENERAL) + { + options->key_direction = key_direction; + } + else if (permission_mask & OPT_P_CONNECTION) + { + options->ce.key_direction = key_direction; + } } else { 
@@ -7992,26 +8021,45 @@ add_option(struct options *options, } else if (streq(p[0], "tls-auth") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL); - if (streq(p[1], INLINE_FILE_TAG) && p[2]) + int key_direction = -1; + + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + + if (permission_mask & OPT_P_GENERAL) { - options->tls_auth_file_inline = p[2]; + if (streq(p[1], INLINE_FILE_TAG) && p[2]) + { + options->tls_auth_file_inline = p[2]; + } + else if (p[2]) + { + key_direction = ascii2keydirection(msglevel, p[2]); + if (key_direction < 0) + { + goto err; + } + options->key_direction = key_direction; + } + options->tls_auth_file = p[1]; } - else if (p[2]) + else if (permission_mask & OPT_P_CONNECTION) { - int key_direction; - - key_direction = ascii2keydirection(msglevel, p[2]); - if (key_direction >= 0) + options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL; + if (streq(p[1], INLINE_FILE_TAG) && p[2]) { - options->key_direction = key_direction; + options->ce.tls_auth_file_inline = p[2]; } - else + else if (p[2]) { - goto err; + key_direction = ascii2keydirection(msglevel, p[2]); + if (key_direction < 0) + { + goto err; + } + options->ce.key_direction = key_direction; } + options->ce.tls_auth_file = p[1]; } - options->tls_auth_file = p[1]; } else if (streq(p[0], "tls-crypt") && p[1] && !p[3]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f7d0145a..77c963d2 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -130,6 +130,11 @@ struct connection_entry #define CE_MAN_QUERY_REMOTE_MASK (0x07) #define CE_MAN_QUERY_REMOTE_SHIFT (2) unsigned int flags; + + /* Shared secret used for TLS control channel authentication */ + const char *tls_auth_file; + const char *tls_auth_file_inline; + int key_direction; }; struct remote_entry
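Review bot: the doc/openvpn.8 hunk adds tls-auth to the list of options allowed in a connection block but not key-direction, even though the options.c hunk for "key-direction" now grants it OPT_P_GENERAL|OPT_P_CONNECTION as well; add `.B key\-direction,` to the same list, and say in the tls-auth description that a block without its own tls-auth inherits the global one (the rule the commit message states and options_postprocess_mutate_ce implements), since a bare list entry does not convey that fallback.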
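Review bot: in the options_postprocess_mutate_ce hunk the fallback copies o->key_direction into ce->key_direction unconditionally whenever the block has no tls-auth of its own, so a `key-direction` given inside a connection block that relies on the global tls-auth file is silently replaced by the global direction. Either copy key_direction only when the block did not set one, or reject key-direction in a block that carries no tls-auth, so the user gets an error rather than a key that is used in the wrong direction.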
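Review bot: the options_postprocess_filechecks hunk introduces `ASSERT(options->connection_list);`, which turns a missing list into an abort at config-parse time; please confirm the list is always populated before this function runs (server configs and p2p configs with no <connection> block included), or skip the loop when it is NULL. Two smaller points in the same hunk: entries that inherited the global file via mutate_ce are now checked once per block, which is redundant though harmless, and the added blank line before the --replay-persist check is unrelated whitespace.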
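Review bot: the OPT_P_CONNECTION branch of the tls-auth hunk starts with `options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;`, which makes the result depend on option order inside the block: `key-direction 1` followed by `tls-auth ta.key` ends up bidirectional, while the reverse order keeps direction 1. The OPT_P_GENERAL branch has no such reset, so the two scopes also behave differently for the same two lines. Drop the reset and initialise ce.key_direction once when the entry is created, or at least document that key-direction must follow tls-auth inside a block.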
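Review bot: with only this patch applied, the do_init_crypto_tls hunk switches the TLS_WRAP_AUTH branch to options->ce.tls_auth_file, but the "--tls-auth and --tls-crypt are mutually exclusive" check in options_postprocess_verify_ce still tests the global options->tls_auth_file (patch 2/2 is what moves it to ce). A connection block carrying tls-auth next to a global --tls-crypt therefore passes the check and reaches do_init_crypto_tls with both branches taken, the later tls-crypt branch overwriting to.tls_wrap.mode. Either move the exclusivity check in this patch or squash the two.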
From patchwork Fri Jun 1 17:42:06 2018
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Sat, 2 Jun 2018 11:42:06 +0800
Message-Id: <20180602034206.9459-2-a@unstable.cc>
In-Reply-To: <20180602034206.9459-1-a@unstable.cc>
References: <20180602034206.9459-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 2/2] make tls-crypt a per-connection-block option

Similarly to tls-auth, different remotes may use different tls-crypt keys. Allow the user to define a different key in each connection block.

If no tls-crypt option is specified in a given connection block, the global one, if any, is used.

Trac: #720
Cc: Steffan Karger
Signed-off-by: Antonio Quartulli
---
 doc/openvpn.8 | 1 +
 src/openvpn/init.c | 7 ++++---
 src/openvpn/options.c | 48 ++++++++++++++++++++++++++++++++++---------
 src/openvpn/options.h | 4 ++++
 4 files changed, 47 insertions(+), 13 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index e7bc3f4f..ce21518b 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -373,6 +373,7 @@ block: .B rport, .B socks\-proxy, .B tls\-auth, +.B tls\-crypt, .B tun\-mtu and .B tun\-mtu\-extra. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 1c43c495..6d5dd9aa 100644
--- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2571,9 +2571,10 @@ do_init_crypto_tls_c1(struct context *c) } /* TLS handshake encryption+authentication (--tls-crypt) */ - if (options->tls_crypt_file) + if (options->ce.tls_crypt_file) { - tls_crypt_init_key(&c->c1.ks.tls_wrap_key, options->tls_crypt_file, + tls_crypt_init_key(&c->c1.ks.tls_wrap_key, + options->ce.tls_crypt_file, options->tls_crypt_inline, options->tls_server); } @@ -2796,7 +2797,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } /* TLS handshake encryption (--tls-crypt) */ - if (options->tls_crypt_file) + if (options->ce.tls_crypt_file) { to.tls_wrap.mode = TLS_WRAP_CRYPT; to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index a9dbcb83..36324ce5 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1510,6 +1510,7 @@ show_connection_entry(const struct connection_entry *o) SHOW_STR(tls_auth_file); SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s"); + SHOW_STR(tls_crypt_file); } @@ -1790,8 +1791,6 @@ show_settings(const struct options *o) SHOW_BOOL(push_peer_info); SHOW_BOOL(tls_exit); - SHOW_STR(tls_crypt_file); - #ifdef ENABLE_PKCS11 { int i; @@ -2726,7 +2725,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)"); } } - if (options->tls_auth_file && options->tls_crypt_file) + if (ce->tls_auth_file && ce->tls_crypt_file) { msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive"); } 
@@ -2875,12 +2874,27 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) /* * Set per-connection block tls-auth fields if no other method was defined */ - if (!ce->tls_auth_file) + if (!ce->tls_auth_file && !ce->tls_crypt_file) { ce->tls_auth_file = o->tls_auth_file; ce->tls_auth_file_inline = o->tls_auth_file_inline; ce->key_direction = o->key_direction; } + + /* + * Set per-connection block tls-crypt fields if no other method was defined + */ + if (!ce->tls_crypt_file && !ce->tls_auth_file) + { + ce->tls_crypt_file = o->tls_crypt_file; + ce->tls_crypt_inline = o->tls_crypt_inline; + } + + /* + * NOTE: after the two blocks above, only one among tls-crypt and tls-auth + * will be set, because it is not allowed by the config parser to have both + * globally assigned. + */ } #ifdef _WIN32 @@ -3304,10 +3318,12 @@ options_postprocess_filechecks(struct options *options) errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, ce->tls_auth_file, R_OK, "--tls-auth"); + + errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, + ce->tls_crypt_file, R_OK, "--tls-crypt"); + } - errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, - options->tls_crypt_file, R_OK, "--tls-crypt"); errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, options->shared_secret_file, R_OK, "--secret"); 
@@ -8063,12 +8079,24 @@ add_option(struct options *options, } else if (streq(p[0], "tls-crypt") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL); - if (streq(p[1], INLINE_FILE_TAG) && p[2]) + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + if (permission_mask & OPT_P_GENERAL) + { + if (streq(p[1], INLINE_FILE_TAG) && p[2]) + { + options->tls_crypt_inline = p[2]; + } + options->tls_crypt_file = p[1]; + } + else if (permission_mask & OPT_P_CONNECTION) { - options->tls_crypt_inline = p[2]; + if (streq(p[1], INLINE_FILE_TAG) && p[2]) + { + options->ce.tls_crypt_inline = p[2]; + } + options->ce.tls_crypt_file = p[1]; + } - options->tls_crypt_file = p[1]; } else if (streq(p[0], "key-method") && p[1] && !p[2]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 77c963d2..fcde90af 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -135,6 +135,10 @@ struct connection_entry const char *tls_auth_file; const char *tls_auth_file_inline; int key_direction; + + /* Shared secret used for TLS control channel authenticated encryption */ + const char *tls_crypt_file; + bool tls_crypt_inline; }; struct remote_entry
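Review bot: in the do_init_crypto_tls_c1 hunk, tls_crypt_init_key is now handed options->ce.tls_crypt_file but still the global options->tls_crypt_inline, so a tls-crypt key given inline inside a connection block (which the add_option hunk stores in options->ce.tls_crypt_inline) never reaches the key loader; only the "[[INLINE]]" tag in ce.tls_crypt_file does. Pass options->ce.tls_crypt_inline here, which also requires giving that field the same type as the global one (see the options.h hunk).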
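Review bot: the options_postprocess_verify_ce hunk replaces the global exclusivity check with `ce->tls_auth_file && ce->tls_crypt_file`, which weakens it instead of extending it. options_postprocess_mutate_ce copies the global tls-auth into an entry that has neither option and then skips the tls-crypt copy because tls_auth_file is now set, so if mutate_ce runs before verify_ce (the usual order in options_postprocess, please confirm) a config that sets both --tls-auth and --tls-crypt at global scope is no longer rejected and the tls-crypt key is silently dropped. Keep the global check next to the per-entry one.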
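Review bot: the NOTE comment added in the options_postprocess_mutate_ce hunk says the config parser does not allow tls-auth and tls-crypt to be set together globally, but the only such check visible in this series is the M_USAGE test in options_postprocess_verify_ce, which runs after parsing and which this same patch changes to look at the ce fields instead of the globals. Reword the comment to say what actually guarantees the invariant, or restore a global check it can point at.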
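Review bot: the options.h hunk declares the new field as `bool tls_crypt_inline;`, yet the add_option hunk assigns the inline key text to it with `options->ce.tls_crypt_inline = p[2];`. A string assigned to a bool collapses to true and the key contents are lost. Declare it `const char *tls_crypt_inline;`, matching `const char *tls_auth_file_inline;` directly above it and the global field that receives p[2] in the OPT_P_GENERAL branch.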
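As an added illustration, not part of either patch or of the OpenVPN tree, here is a client config that exercises the per-connection-block behaviour the two patches introduce: the first remote carries its own tls-auth key with an explicit direction, the second uses tls-crypt, and the third sets nothing and inherits the global tls-auth. Host names and key file names are placeholders. The fallback in options_postprocess_mutate_ce only copies the global tls-auth into a block that sets neither option, which is why the tls-crypt block does not also get the global tls-auth.

```conf
# Added example config, not from the patch set. Hosts and key files are placeholders.
client
dev tun

# Global control-channel protection: inherited by any <connection> block
# that sets neither tls-auth nor tls-crypt itself.
tls-auth ta-default.key 1

<connection>
remote vpn-a.example.com 1194 udp
# Per-remote tls-auth key. Giving the direction as the second argument
# avoids depending on the order of key-direction and tls-auth in the block.
tls-auth ta-a.key 1
</connection>

<connection>
remote vpn-b.example.com 1194 udp
# This remote uses tls-crypt. Because the block sets tls-crypt, the global
# tls-auth is not copied into it by options_postprocess_mutate_ce.
tls-crypt tc-b.key
</connection>

<connection>
remote vpn-c.example.com 443 tcp-client
# Nothing set here: ta-default.key with direction 1 is inherited.
</connection>

ca ca.crt
cert client.crt
key client.key
```

Running with `--verb 4` or higher prints each connection entry through show_connection_entry, so the tls_auth_file, key_direction and tls_crypt_file values seen by each block can be confirmed against this layout.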