[Openvpn-devel,v4,4/9] Make waiting on auth an explicit state in the context state machine

Message ID 20210604143938.779193-1-arne@rfc2549.org
State New
Delegated to: Antonio Quartulli
Headers show
Series
  • Untitled series #1190
Related show

Commit Message

Arne Schwabe June 4, 2021, 2:39 p.m.
Previously we relied on checking tls_authentication_status to check
wether to determine if the context auth state is actually valid or not.
This patch eliminates that check by introducing waiting on the
authentication as extra state in the context auth, state machine.

Patch v3: Fix ccd config from management being ignored
Patch v4: Fix race condition, we need to accept the config from
          management if we are in CAS_WAITING_AUTH or earlier states 
	  and not just in CAS_WAITING_AUTH state

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/multi.c      | 7 +------
 src/openvpn/ssl.c        | 9 ++++++++-
 src/openvpn/ssl_common.h | 1 +
 3 files changed, 10 insertions(+), 7 deletions(-)

Comments

Antonio Quartulli June 14, 2021, 12:29 a.m. | #1
Hi,

On 04/06/2021 16:39, Arne Schwabe wrote:
> Previously we relied on checking tls_authentication_status to check
> wether to determine if the context auth state is actually valid or not.
> This patch eliminates that check by introducing waiting on the
> authentication as extra state in the context auth, state machine.
> 
> Patch v3: Fix ccd config from management being ignored
> Patch v4: Fix race condition, we need to accept the config from
>           management if we are in CAS_WAITING_AUTH or earlier states 
> 	  and not just in CAS_WAITING_AUTH state
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>

This patch gets an ACK from me because all my tests have passed and I
find the code reasonable.

My compile zoo was happy too.

My tests included client/server, with auth, with deferred auth, p2p.

I have not tested this patch using the mgmt interface.


Acked-by: Antonio Quartulli <antonio@openvpn.net>

From now on, when Acking a patch I will imply that:
* my GitLab CI is all green with this patch applied;
* the patch compiled against mbedtls (various versions), openssl
(various versions), libressl (various versions), wolfssl (master branch).

This way I don't have to talk about my compile zoo every time :-)

Patch

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 3f9710134..eada7e155 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2596,11 +2596,6 @@  static const multi_client_connect_handler client_connect_handlers[] = {
 static void
 multi_connection_established(struct multi_context *m, struct multi_instance *mi)
 {
-    if (tls_authentication_status(mi->context.c2.tls_multi) != TLS_AUTHENTICATION_SUCCEEDED)
-    {
-        return;
-    }
-
     /* We are only called for the CAS_PENDING_x states, so we
      * can ignore other states here */
     bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING);
@@ -3970,7 +3965,7 @@  management_client_auth(void *arg,
         {
             if (auth)
             {
-                if (is_cas_pending(mi->context.c2.tls_multi->multi_state))
+                if (mi->context.c2.tls_multi->multi_state <= CAS_WAITING_AUTH)
                 {
                     set_cc_config(mi, cc_config);
                     cc_config_owned = false;
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 9f3f83f16..fd64b8d4e 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2810,7 +2810,7 @@  tls_process(struct tls_multi *multi,
                     if (session->opt->mode == MODE_SERVER)
                     {
                         /* On a server we continue with running connect scripts next */
-                        multi->multi_state = CAS_PENDING;
+                        multi->multi_state = CAS_WAITING_AUTH;
                     }
                     else
                     {
@@ -3136,6 +3136,13 @@  tls_multi_process(struct tls_multi *multi,
 
     enum tls_auth_status tas = tls_authentication_status(multi);
 
+    /* If we have successfully authenticated and are still waiting for the authentication to finish
+     * move the state machine for the multi context forward */
+    if (multi->multi_state == CAS_WAITING_AUTH && tas == TLS_AUTHENTICATION_SUCCEEDED)
+    {
+        multi->multi_state = CAS_PENDING;
+    }
+
     /*
      * If lame duck session expires, kill it.
      */
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 8a65ab984..66700bf68 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -511,6 +511,7 @@  struct tls_session
  * connect scripts/plugins */
 enum multi_status {
     CAS_NOT_CONNECTED,
+    CAS_WAITING_AUTH,               /**< TLS connection established but deferred auth not finished */
     CAS_PENDING,
     CAS_PENDING_DEFERRED,
     CAS_PENDING_DEFERRED_PARTIAL,   /**< at least handler succeeded, no result yet*/