From patchwork Fri May 8 01:42:43 2020
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 1105
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 8 May 2020 13:42:43 +0200
Message-Id: <20200508114243.15532-1-davids@openvpn.net>
X-Mailer: git-send-email 2.26.0
Subject: [Openvpn-devel] [PATCH 1/2] options: Fix failing inline tls-auth/crypt with persist-key

A configuration file using --persist-key and with inlined --tls-auth or --tls-crypt files was failing in check_file_access(). The file argument to check_file_access() contained the key file and not the file name.

This was because check_file_access_inline(), which calls check_file_access() if the file is not inlined, was told the file was not an inline file.

The reason check_file_access_inline() was misled was that a prior option_postprocess_mutate() call puts these key files into a connection block entry in option_postprocess_mutate_ce(). OpenVPN was modified a long while ago to always use connection blocks in the option structure for simplicity. So the "root" key files would be transferred into a connection entry in this method.

When --persist-key is used, option_postprocess_mutate_ce() will load the key file and "convert" the option into an inline option. But in commit cb2e9218f2bc73fa2 this logic had lost the "inline indicator".
The result was that the connection entry had the key file content stored in the object but was "tagged" as a normal file (name) not an inline file.

Signed-off-by: David Sommerseth
Acked-by: Antonio Quartulli
---
 src/openvpn/options.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 611652fd..a37106ce 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2936,6 +2936,7 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } ce->tls_auth_file = (char *)in.data; + ce->tls_auth_file_inline = true; } if (ce->tls_crypt_file && !ce->tls_crypt_file_inline)
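Review bot: the added `ce->tls_auth_file_inline = true;` is the right fix for the visible branch, but it is a separate statement from `ce->tls_auth_file = (char *)in.data;`, and keeping those two in step is exactly what commit cb2e9218f2bc73fa2 lost according to the commit message. Since the same pair of assignments recurs for tls_crypt in the next hunk, a small helper (or at least a comment at both sites) that stores the loaded buffer and sets the inline flag together would stop them drifting apart again. Also confirm that nothing later still needs the original file name, since the data pointer now overwrites it.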
@@ -2948,6 +2949,7 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } ce->tls_crypt_file = (char *)in.data; + ce->tls_crypt_file_inline = true; } } }
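Review bot: this tls_crypt branch mirrors the tls_auth one exactly and the closing `} } }` shows no further conversion in this function, so the fix covers tls-auth and tls-crypt only; the commit message should say whether --tls-crypt-v2 under --persist-key takes a different path or simply is not pre-loaded here, given that the second patch in this series shows that option was also missed by the same refactoring. No regression test accompanies the change; a configuration with --persist-key and an inline <tls-auth> or <tls-crypt> block would catch the next loss of this flag.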
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 8 May 2020 13:44:11 +0200
Message-Id: <20200508114411.15762-1-davids@openvpn.net>
X-Mailer: git-send-email 2.26.0
Subject: [Openvpn-devel] [PATCH 2/2] options: Restore --tls-crypt-v2 inline file capability

Commit cb2e9218f2bc73f re-factored the internal file handling, but somehow overlooked the --tls-crypt-v2 option processing. It was no longer possible to load a configuration file with this key file inlined.

There were two issues here. First was that the OPT_P_INLINE flag was not set, so the option parser rejected --tls-crypt-v2 as inline capable. Second issue was that the 'streq(p[1], INLINE_FILE_TAG)' check no longer makes sense, as at this point p[1] contains the file contents. Instead use the is_inline flag.

Signed-off-by: David Sommerseth
Acked-by: Antonio Quartulli
---
 src/openvpn/options.c | 12 +++--------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index a37106ce..56c9e411 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -8324,22 +8324,16 @@ add_option(struct options *options, } else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE); if (permission_mask & OPT_P_GENERAL) { - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - options->tls_crypt_v2_file_inline = p[2]; - } options->tls_crypt_v2_file = p[1]; + options->tls_crypt_v2_file_inline = is_inline; } else if (permission_mask & OPT_P_CONNECTION) { - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - options->ce.tls_crypt_v2_file_inline = p[2]; - } options->ce.tls_crypt_v2_file = p[1]; + options->ce.tls_crypt_v2_file_inline = is_inline; } } else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
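Review bot: removing the `streq(p[1], INLINE_FILE_TAG) && p[2]` checks is correct only if every path that hands inline content to add_option() sets is_inline and places the contents in p[1]; the hunk relies on that invariant silently, so one comment at the first `options->tls_crypt_v2_file = p[1];` would help the next reader. The guard `p[1] && !p[3]` still admits a p[2], which the old code consumed as the inline content and the new code ignores: either say what p[2] means for tls-crypt-v2 now or tighten the guard to reject it in the inline case. The OPT_P_GENERAL and OPT_P_CONNECTION branches differ only in `options->` versus `options->ce.`; that duplication is what let this option fall out of sync with tls-auth and tls-crypt in the first place, so a pointer to the target connection_entry chosen once would be worth considering.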
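As an added example, not code from this patch series or from the OpenVPN project: the two client configuration shapes the series fixes, an inline --tls-auth block combined with --persist-key (the scenario of PATCH 1/2) and an inline --tls-crypt-v2 block (PATCH 2/2). The key blocks are constructed placeholders with no real key material; the remote name, certificate paths and key-direction value are assumptions.

```conf
# client-tlsauth.ovpn  (constructed example; scenario from PATCH 1/2)
# --persist-key makes options_postprocess_mutate_ce() pre-load the key
# into the connection entry. Before the fix the entry stayed tagged as a
# plain file name, so check_file_access() was handed the key bytes as
# if they were a path.
client
dev tun
proto udp
remote vpn.example.org 1194      # assumed remote
persist-key
persist-tun
ca ca.crt                        # assumed paths
cert client.crt
key client.key
key-direction 1                  # assumed direction for the inline tls-auth key
# placeholder block: a real static key has 16 lines of 32 hex digits
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>

# client-tlscryptv2.ovpn  (constructed example; scenario from PATCH 2/2)
# Before the fix this inline form was rejected because OPT_P_INLINE was
# missing from the tls-crypt-v2 permission mask; with the fix the block
# below is accepted and p[1] carries its contents with is_inline set.
client
dev tun
proto udp
remote vpn.example.org 1194      # assumed remote
persist-key
ca ca.crt                        # assumed paths
cert client.crt
key client.key
# placeholder block: a real client key is a longer base64 body
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
```

Each file is loaded with `openvpn --config <file>`. With a build that predates these two patches, the first configuration fails in check_file_access() and the second is rejected at option parsing, which is the behaviour the two commit messages describe; with both patches applied the inline blocks are accepted, and only the placeholder key material stops the tunnel from coming up.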