From patchwork Thu Dec 3 04:49:50 2020
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 1536
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 3 Dec 2020 16:49:50 +0100
Message-Id: <20201203154951.29382-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 1/2] tls-crypt-v2: fix server memory leak

tls-crypt-v2 was developed in parallel with the changes that allowed tls-auth/tls-crypt to be used in connection blocks. The tls-crypt-v2 patch set was never updated to the new reality after commit 5817b49b, causing a memory leak of about 600 bytes for each connecting client.

It would be nicer to not reload the tls-crypt-v2 server key for each connecting client, but that requires more refactoring (and thus more time to get right). So for now just plug the leak by freeing the memory when we close a client connection.

To test this easily, compile openvpn with -fsanity=address, run a server with tls-crypt-v2, connect a client, stop the server.

Signed-off-by: Steffan Karger
---
 src/openvpn/init.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 27a4170d..5cde8a4b 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c 
@@ -3619,6 +3619,7 @@ do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) * always free the tls_auth/crypt key. If persist_key is true, the key will * be reloaded from memory (pre-cached) */ + free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key); free_key_ctx_bi(&c->c1.ks.tls_wrap_key); CLEAR(c->c1.ks.tls_wrap_key); buf_clear(&c->c1.ks.tls_crypt_v2_wkc);

From patchwork Thu Dec 3 04:49:51 2020
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 1537
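Review bot: In the [PATCH 1/2] init.c hunk, the new free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key) has no matching CLEAR(), while the tls_wrap_key right below it gets free_key_ctx_bi() followed by CLEAR(c->c1.ks.tls_wrap_key). Either add CLEAR(c->c1.ks.tls_crypt_v2_server_key) for symmetry or confirm that free_key_ctx() nulls the cipher/hmac handles itself, since do_close_free_key_schedule runs on every client close and a stale handle would be freed a second time on the next pass. The comment just above ("always free the tls_auth/crypt key ...") should also mention the tls-crypt-v2 server key now that it is freed here, and the commit message's test recipe says -fsanity=address where the compiler flag is -fsanitize=address.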
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 3 Dec 2020 16:49:51 +0100
Message-Id: <20201203154951.29382-2-steffan@karger.me>
In-Reply-To: <20201203154951.29382-1-steffan@karger.me>
References: <20201203154951.29382-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 2/2] tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)

This allows tls-crypt-v2 servers to drop privileges after reading the keys. Without it, the server would try to read the key file for each connecting client. (And clients for each reconnect.)

As with the previous patch, the pre-loading was developed in parallel with tls-crypt-v2, and the tls-crypt-v2 patches were never amended to implement the pre-loading.

Also as with the previous patch, it would be nicer if servers would not reload the tls-crypt-v2 server key for each connecting client. But let's first fix the issue, and see if we can improve later.
Signed-off-by: Steffan Karger
Acked-By: Arne Schwabe
---
 src/openvpn/options.c | 52 +++++++++++++++++++++----------------------
 1 file changed, 25 insertions(+), 27 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 21f8d494..599f534c 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1980,6 +1980,23 @@ connection_entry_load_re(struct connection_entry *ce, const struct remote_entry } } +static void +connection_entry_preload_key(const char **key_file, bool *key_inline, + struct gc_arena *gc) +{ + if (key_file && *key_file && !(*key_inline)) + { + struct buffer in = buffer_read_from_file(*key_file, gc); + if (!buf_valid(&in)) + { + msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file); + } + + *key_file = (const char *) in.data; + *key_inline = true; + } +} + static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
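Review bot: In connection_entry_preload_key the fatal message "Cannot pre-load keyfile (%s)" drops the "tls-auth"/"tls-crypt" prefix that the two replaced messages carried, so an operator with several <connection> blocks only gets a path to go on; consider passing a short label ("tls-auth", "tls-crypt", "tls-crypt-v2") as a fourth argument and using it in the msg(). Two smaller points: the guard checks key_file for NULL but then dereferences key_inline unconditionally, so either check both or neither (every caller passes the address of a struct field, so neither is needed); and a one-line comment on the function would help, in particular noting that buffer_read_from_file(*key_file, gc) places the key bytes in the caller's gc arena, so they live as long as the options do, which is the intended trade-off of --persist-key.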
@@ -2931,36 +2948,17 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline; } - /* pre-cache tls-auth/crypt key file if persist-key was specified and keys - * were not already embedded in the config file + /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and + * keys were not already embedded in the config file. */ if (o->persist_key) { - if (ce->tls_auth_file && !ce->tls_auth_file_inline) - { - struct buffer in = buffer_read_from_file(ce->tls_auth_file, &o->gc); - if (!buf_valid(&in)) - { - msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)", - ce->tls_auth_file); - } - - ce->tls_auth_file = (char *)in.data; - ce->tls_auth_file_inline = true; - } - - if (ce->tls_crypt_file && !ce->tls_crypt_file_inline) - { - struct buffer in = buffer_read_from_file(ce->tls_crypt_file, &o->gc); - if (!buf_valid(&in)) - { - msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)", - ce->tls_crypt_file); - } - - ce->tls_crypt_file = (char *)in.data; - ce->tls_crypt_file_inline = true; - } + connection_entry_preload_key(&ce->tls_auth_file, + &ce->tls_auth_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_file, + &ce->tls_crypt_file_inline, &o->gc); + connection_entry_preload_key(&ce->tls_crypt_v2_file, + &ce->tls_crypt_v2_file_inline, &o->gc); } }
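Review bot: The three connection_entry_preload_key() calls in the second options.c hunk rewrite ce->tls_crypt_v2_file and ce->tls_crypt_v2_file_inline only, while the context a few lines up shows these fields being copied from o->tls_crypt_v2_file_inline; please confirm the server-side key loader reads the connection entry (ce) copy rather than the global o->tls_crypt_v2_file, otherwise the pre-load has no effect for the server case the commit message is about. The comment rewrite to "tls-auth/crypt(-v2)" reads fine.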
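The privilege-drop problem the [PATCH 2/2] message describes, as an added example that is not part of the patch series or of OpenVPN: a daemon that opens its key file for every client breaks once the file is no longer reachable, while a copy read once at startup keeps serving. The example stands an unlink() of a temporary file in for the real setuid()/chroot() so it runs without root (the lazy path then fails with ENOENT instead of EACCES), uses a constructed placeholder key rather than a real OpenVPN key, assumes a writable /tmp, and wipes the in-memory copy on close, which is the same clean-up duty the [PATCH 1/2] leak fix is about.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define KEY_MAX 4096

/* Constructed placeholder, not a real OpenVPN key. */
static const char CONSTRUCTED_KEY[] =
    "-----BEGIN EXAMPLE KEY-----\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
    "-----END EXAMPLE KEY-----\n";

struct key_buf {
    unsigned char data[KEY_MAX];
    size_t len;
    int loaded;              /* 1 once a copy has been read in */
};

/* Read the whole key file into kb. Returns 0 on success, -1 with errno set. */
static int read_key_file(const char *path, struct key_buf *kb)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        return -1;
    }
    ssize_t n = read(fd, kb->data, KEY_MAX);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    kb->len = (size_t)n;
    kb->loaded = 1;
    return 0;
}

/* Zero the copy on close so key material does not outlive the context. */
static void key_buf_close(struct key_buf *kb)
{
    volatile unsigned char *p = kb->data;
    for (size_t i = 0; i < sizeof kb->data; i++) {
        p[i] = 0;
    }
    kb->len = 0;
    kb->loaded = 0;
}

/* Lazy strategy: open the key file again for every client connection. */
static int serve_client_lazy(const char *path)
{
    struct key_buf scratch;
    if (read_key_file(path, &scratch) < 0) {
        return -1;
    }
    key_buf_close(&scratch);
    return 0;
}

/* Pre-loaded strategy: serve from the copy read while still privileged. */
static int serve_client_preloaded(const struct key_buf *kb)
{
    return (kb->loaded && kb->len == strlen(CONSTRUCTED_KEY)
            && memcmp(kb->data, CONSTRUCTED_KEY, kb->len) == 0) ? 0 : -1;
}

/* Runs the scenario. Returns 0 when it behaves as expected: the pre-loaded
 * copy still serves clients after the file is gone, the lazy path fails with
 * ENOENT (our stand-in for EACCES after a real privilege drop), and the copy
 * is unusable once closed. Negative values identify the failing step. */
int preload_demo(void)
{
    char path[] = "/tmp/example-key-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) {
        return -100;
    }
    size_t keylen = strlen(CONSTRUCTED_KEY);
    if (write(fd, CONSTRUCTED_KEY, keylen) != (ssize_t)keylen) {
        close(fd);
        unlink(path);
        return -101;
    }
    close(fd);

    struct key_buf kb;
    /* Step 1: privileged startup, --persist-key style pre-load. */
    if (read_key_file(path, &kb) < 0) { unlink(path); return -1; }
    /* Before the drop both strategies work. */
    if (serve_client_lazy(path) != 0) { unlink(path); return -2; }
    if (serve_client_preloaded(&kb) != 0) { unlink(path); return -3; }

    /* Step 2: "privilege drop": the file can no longer be opened. */
    unlink(path);

    /* Step 3: the next client connects. */
    if (serve_client_lazy(path) == 0 || errno != ENOENT) { return -4; }
    if (serve_client_preloaded(&kb) != 0) { return -5; }

    /* Step 4: connection closed, release the key copy. */
    key_buf_close(&kb);
    if (kb.loaded || serve_client_preloaded(&kb) == 0) { return -6; }
    return 0;
}

int main(void)
{
    int rc = preload_demo();
    printf("%s (rc=%d)\n", rc == 0 ? "pre-load behaves as expected" : "unexpected result", rc);
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -Wall -o preload_demo preload_demo.c && ./preload_demo`; adding -fsanitize=address is a cheap way to confirm the closed copy is never touched again, which is how the [PATCH 1/2] message suggests checking the real server.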