From patchwork Fri Aug 14 07:12:04 2020
X-Patchwork-Submitter: Vladislav Grishenko
X-Patchwork-Id: 1389
From: Vladislav Grishenko
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 14 Aug 2020 22:12:04 +0500
Message-Id: <20200814171204.22289-1-themiron@yandex-team.ru>
In-Reply-To: <98f65e22-a66c-aeea-f705-ad5a0f7a2e28@rfc2549.org>
References: <98f65e22-a66c-aeea-f705-ad5a0f7a2e28@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2] Allow management to kill client instances by CN wildcard

In case of some permanent part of the common name (e.g. a domain) and/or a long, complex common name consisting of multiple X.509 fields, it's handy to kill client instances via the management interface with just a prefix of the common name, not by exact match only.

The patch allows using an asterisk as a wildcard placeholder as the last trailing symbol of the kill command parameter. A single asterisk (an empty prefix) would be too greedy and could be too harmful, therefore it is not allowed. Wildcards in the middle of the parameter string are not supported, to keep things simple at the moment.

v2: fine tune comments
Signed-off-by: Vladislav Grishenko --- doc/management-notes.txt | 2 ++ src/openvpn/multi.c | 15 ++++++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 61daaf07..91073693 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -195,6 +195,8 @@ Command examples: kill Test-Client -- kill the client instance having a common name of "Test-Client". + kill Test-Cli* -- kill the client instances having a + common name starting with "Test-Cli". kill 1.2.3.4:4000 -- kill the client instance having a source address and port of 1.2.3.4:4000 diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 13738180..36be5de2 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3820,6 +3820,19 @@ management_callback_kill_by_cn(void *arg, const char *del_cn) struct hash_element *he; int count = 0; + /* Check passed string for non-empty prefix with trailing asterisk */ + size_t len = strlen(del_cn); + if (len > 1 && del_cn[len - 1] == '*') + { + /* Exclude trailing asterisk from string comparison */ + len--; + } + else + { + /* Include terminating NUL char to perform exact string comparison */ + len++; + } + hash_iterator_init(m->iter, &hi); while ((he = hash_iterator_next(&hi))) { @@ -3827,7 +3840,7 @@ management_callback_kill_by_cn(void *arg, const char *del_cn) if (!mi->halt) { const char *cn = tls_common_name(mi->context.c2.tls_multi, false); - if (cn && !strcmp(cn, del_cn)) + if (cn && !strncmp(cn, del_cn, len)) { multi_signal_instance(m, mi, SIGTERM); ++count;
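Review bot: the new management-notes.txt example shows only the happy path; since the commit message says a lone `*` is rejected and wildcards in the middle of the string are not supported, the documentation should state that the asterisk is honoured only as the final character of a non-empty prefix and that `kill *` is not a wildcard, otherwise an operator will expect glob semantics from the command.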
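Review bot: the `len++` in the else branch of the new prefix check in management_callback_kill_by_cn deliberately extends the compared length past the terminating NUL so that the later `strncmp(cn, del_cn, len)` behaves like an exact `strcmp`; that is correct but easy to misread, and the comment only hints at it. Consider a `bool wildcard = len > 1 && del_cn[len - 1] == '*';` flag, keeping `strcmp` for the exact case and using `strncmp(cn, del_cn, len - 1)` only when `wildcard` is set. Note also that a common name whose last character is a literal `*` can no longer be matched exactly, while a lone `*` parameter still matches only a client whose CN is exactly `*` (len is 1, so the else branch runs); both corners deserve a sentence in management-notes.txt.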
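Review bot: with `strncmp(cn, del_cn, len)` a short prefix such as `T*` matches every connected client whose CN starts with `T`, and the returned `count` is the only feedback the operator gets. Consider logging each wildcard match with the full CN before `multi_signal_instance(m, mi, SIGTERM)` so that an over-broad prefix is visible in the server log, and mention in the doc example that the comparison stays byte-wise and case-sensitive, as the previous `strcmp` was.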