A configuration file using --persist-key and with inlined --tls-auth or
--tls-crypt files was failing in check_file_access(). The file argument
to check_file_access() contained the key file and not the file name.
This was because check_file_access_inline() which calls
check_file_access() if the file is not inlined was told the file was not
an inline file.
The reason the check_file_access_inline() was misled was due to a prior
option_postprocess_mutate() call puts these key files into a connection
block entry in option_postprocess_mutate_ce(). OpenVPN was modified a
long while ago to always use connection blocks in the option structure
for simplicity. So the "root" key files would be transferred into a
connection entry in this method.
When --persist-key is used, option_postprocess_mutate_ce() will load the
key file and "convert" the option into an inline option. But in
commit cb2e9218f2bc73fa2 this logic had lost the "inline indicator". The
result was that the connection entry had the key file content stored in
the object but was "tagged" as a normal file (name) not an inline file.
Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
src/openvpn/options.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 611652fd..a37106ce 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2936,6 +2936,7 @@ options_postprocess_mutate_ce(struct options *o, struct
connection_entry *ce)
}
ce->tls_auth_file = (char *)in.data;
+ ce->tls_auth_file_inline = true;
}
if (ce->tls_crypt_file && !ce->tls_crypt_file_inline)
@@ -2948,6 +2949,7 @@ options_postprocess_mutate_ce(struct options *o, struct
connection_entry *ce)
}
ce->tls_crypt_file = (char *)in.data;
+ ce->tls_crypt_file_inline = true;
}
}
}
--
2.26.0
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
