Hi,

no complaints yet ?

Sent with ProtonMail Secure Email.
ProtonMail, as crap as googlemail.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, 23 April 2021 22:16, tincantech via Openvpn-devel 
<openvpn-devel@lists.sourceforge.net> wrote:

> Hi,
>
> I am requesting that daemon_pid be added to --tls-crypt-v2-verify env.
> Version 2
>
> Justification:
>
> With the notable exception of --tls-crypt-v2-verify, daemon_pid provides a
> verified process ID to all scripts. This ensures that scripts which are
> intended to pass data along to the following scripts have an index to which
> they can link that data.
>
> Example:
>
> An example is presented in Easy-TLS:
> https://github.com/TinCanTech/easy-tls
>
> This script passes the hardware address from the --tls-crypt-v2 key metadata
> along to --client-connect, where the pushed client variable IV_HWADDR can be
> matched against the fixed hardware address encrypted in the TLS Crypt V2
> key metadata.
>
> Security:
>
> There are no known security concerns with regard to including the openvpn
> process ID (daemon_pid) in the --tls-crypt-v2-verify environment.
>
> Complexity:
>
> Ongoing support of the required code would be minimal to zero.
>
> Code:
>
> This patch is included for review purposes only.
>
> <git-formatted-patch>
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> index 7b5016d3..23d93a6c 100644
> --- a/src/openvpn/tls_crypt.c
> +++ b/src/openvpn/tls_crypt.c
> @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx 
> *ctx,
>      setenv_str(es, "script_type", "tls-crypt-v2-verify");
>      setenv_str(es, "metadata_type", metadata_type_str);
>      setenv_str(es, "metadata_file", tmp_file);
> +    setenv_int(es, "daemon_pid", platform_getpid());
>
>      struct argv argv = argv_new();
>      argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
>
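Review bot: the new variable has no accompanying documentation or test in this hunk; the added `setenv_int(es, "daemon_pid", platform_getpid());` sits beside `script_type`, `metadata_type` and `metadata_file`, so the list of environment variables the --tls-crypt-v2-verify script receives needs the same addition, and the commit message should state which other script hooks already export daemon_pid so reviewers can confirm this matches them. Also, the `@@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx` header has been wrapped onto a second line in this mail, so the patch will not apply as pasted; the properly formatted resend promised in the conclusion should go through git send-email.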
> </git-formatted-patch>
>
> Conclusion:
>
> Due to the OS in use and other environmental factors, the *nix built-in
> variable PPID may not always be available. Without including $daemon_pid in
> the --tls-crypt-v2-verify environment, openvpn is forcing the user to
> unnecessarily configure --writepid.
>
> The purpose of --writepid is to advertise the openvpn process ID to external
> processes which do not have access to the internals of openvpn. By including
> daemon_pid in the --tls-crypt-v2-verify environment, all processes launched
> by openvpn have access to this very useful identifier.
>
> Provided there are no genuine reasons to NAK this request, I will send a
> correctly formatted patch.
>
> Addendum:
>
> I know this is something which helps me in the short term and I already have
> a working alternative, but I would like you to reconsider your previous
> decision. In my opinion all scripts launched by openvpn should have immediate
> access to daemon_pid.
>
> Thank you for your time and consideration,
> R


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel