git.ipfire.org Git - thirdparty/openvpn.git/commit

author	David Sommerseth <davids@openvpn.net>
	Fri, 8 May 2020 11:42:43 +0000 (13:42 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Fri, 8 May 2020 21:47:40 +0000 (23:47 +0200)
commit	e8e410fdc6fb91451d8119b129bac7be00ff81df
tree	4b7e4f3d7866485627aa20fa4d779c01c6e631f0	tree \| snapshot
parent	042429d3454ca57564e932a727a27c7d6bfeb2d6	commit \| diff

options: Fix failing inline tls-auth/crypt with persist-key

A configuration file using --persist-key and with inlined --tls-auth or
--tls-crypt files was failing in check_file_access().  The file argument
to check_file_access() contained the key file and not the file name.

This was because check_file_access_inline() which calls
check_file_access() if the file is not inlined was told the file was not
an inline file.

The reason the check_file_access_inline() was misled was due to a prior
option_postprocess_mutate() call puts these key files into a connection
block entry in option_postprocess_mutate_ce().  OpenVPN was modified a
long while ago to always use connection blocks in the option structure
for simplicity.  So the "root" key files would be transferred into a
connection entry in this method.

When --persist-key is used, option_postprocess_mutate_ce() will load the
key file and "convert" the option into an inline option.  But in
commit cb2e9218f2bc73fa2 this logic had lost the "inline indicator".  The
result was that the connection entry had the key file content stored in
the object but was "tagged" as a normal file (name) not an inline file.

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200508114243.15532-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19858.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>