From patchwork Tue May 17 23:32:10 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2470
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 18 May 2022 11:32:10 +0200
Message-Id: <20220518093212.2802495-3-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20220518093212.2802495-1-arne@rfc2549.org>
References: <20220518093212.2802495-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/4] Cleanup receive_auth_failed and simplify method

This simplifies the buffer handling in the method and adds a quick return instead of wrapping the whole method in an if (pull) block
---
 src/openvpn/push.c | 96 ++++++++++++++++++++++++----------------------
 1 file changed, 51 insertions(+), 45 deletions(-)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 51b8bd521..be118831d 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -53,63 +53,69 @@ receive_auth_failed(struct context *c, const struct buffer *buffer) msg(M_VERB0, "AUTH: Received control message: %s", BSTR(buffer)); c->options.no_advance = true; - if (c->options.pull) + if (!c->options.pull) { - /* Before checking how to react on AUTH_FAILED, first check if the - * failed auth might be the result of an expired auth-token. - * Note that a server restart will trigger a generic AUTH_FAILED - * instead an AUTH_FAILED,SESSION so handle all AUTH_FAILED message - * identical for this scenario */ - if (ssl_clean_auth_token()) - { - c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */ - c->sig->signal_text = "auth-failure (auth-token)"; - } - else + return; + } + + struct buffer buf = *buffer; + + /* If the AUTH_FAIL message ends with a , it is an extended message that + * contains further flags */ + bool authfail_extended = buf_string_compare_advance(&buf, "AUTH_FAILED,"); + + /* Before checking how to react on AUTH_FAILED, first check if the + * failed auth might be the result of an expired auth-token. 
+ * Note that a server restart will trigger a generic AUTH_FAILED + * instead an AUTH_FAILED,SESSION so handle all AUTH_FAILED message + * identical for this scenario */ + if (ssl_clean_auth_token()) + { + c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */ + c->sig->signal_text = "auth-failure (auth-token)"; + } + else + { + switch (auth_retry_get()) { - switch (auth_retry_get()) - { - case AR_NONE: - c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- Auth failure error */ - break; + case AR_NONE: + c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- Auth failure error */ + break; - case AR_INTERACT: - ssl_purge_auth(false); + case AR_INTERACT: + ssl_purge_auth(false); - case AR_NOINTERACT: - c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */ - break; + case AR_NOINTERACT: + c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */ + break; - default: - ASSERT(0); - } - c->sig->signal_text = "auth-failure"; + default: + ASSERT(0); } + c->sig->signal_text = "auth-failure"; + } #ifdef ENABLE_MANAGEMENT - if (management) + if (management) + { + const char *reason = NULL; + if (authfail_extended && BLEN(&buf)) { - const char *reason = NULL; - struct buffer buf = *buffer; - if (buf_string_compare_advance(&buf, "AUTH_FAILED,") && BLEN(&buf)) - { - reason = BSTR(&buf); - } - management_auth_failure(management, UP_TYPE_AUTH, reason); + reason = BSTR(&buf); } + management_auth_failure(management, UP_TYPE_AUTH, reason); + } #endif - /* - * Save the dynamic-challenge text even when management is defined - */ - { + /* + * Save the dynamic-challenge text even when management is defined + */ + { #ifdef ENABLE_MANAGEMENT - struct buffer buf = *buffer; - if (buf_string_match_head_str(&buf, "AUTH_FAILED,CRV1:") && BLEN(&buf)) - { - buf_advance(&buf, 12); /* Length of "AUTH_FAILED," substring */ - ssl_put_auth_challenge(BSTR(&buf)); - } -#endif + if (authfail_extended + && buf_string_match_head_str(&buf, 
"CRV1:") && BLEN(&buf)) + { + ssl_put_auth_challenge(BSTR(&buf)); } +#endif } }
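Review bot: authfail_extended (and the struct buffer buf it is computed from) is now declared unconditionally at the top of receive_auth_failed(), but both reads of authfail_extended sit inside #ifdef ENABLE_MANAGEMENT, so a build without management support ends up with a local that is assigned and never read, which compilers that flag initialised-but-unread locals will warn about. Either move the two declarations under #ifdef ENABLE_MANAGEMENT next to their first use, or keep them where they are and add a (void)authfail_extended; in an #else branch. The comment above the assignment also does not describe the code: buf_string_compare_advance(&buf, "AUTH_FAILED,") tests whether the message starts with the "AUTH_FAILED," prefix and advances past it, so "If the AUTH_FAIL message ends with a , it is an extended message" should read along the lines of "If the AUTH_FAILED message starts with 'AUTH_FAILED,' it is an extended message that carries further flags after the comma". Since the switch (auth_retry_get()) block is being re-indented anyway, please mark the intentional drop from case AR_INTERACT: into case AR_NOINTERACT: with a /* fallthrough */ comment; the purge-then-SIGUSR1 behaviour is preserved by this patch but is easy to misread as a missing break. Finally, the bare braces around the CRV1 block only existed to scope the second struct buffer buf copy in the old code; with that copy gone they can be dropped and the #ifdef ENABLE_MANAGEMENT / if (authfail_extended && buf_string_match_head_str(&buf, "CRV1:") ...) can sit at function scope like the management block above it.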