From patchwork Thu Jan 30 01:43:28 2020
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 969
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 30 Jan 2020 07:43:28 -0500
Message-Id: <1580388208-26594-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH] Swap the order of checks for validating interactive service user
From: Selva Nair

Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users.

When connection to domain controllers is poor or unavailable, checking the group membership is slow and causes timeouts in the GUI (Trac 1051). However, in cases where the config is in the global directory, no group membership check should be required. The re-ordering here avoids the redundant check in such cases.

In addition to this, it's also proposed to improve the timeout handling in the GUI, but this change is still useful as it should completely eliminate the timeout issue for many users.

Also see: https://github.com/OpenVPN/openvpn-gui/issues/332

Signed-off-by: Selva Nair

--- src/openvpnserv/interactive.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 6e72a14..dafd5c6 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -1581,8 +1581,8 @@ RunOpenvpn(LPVOID p) } /* Check user is authorized or options are white-listed */ - if (!IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group) - && !ValidateOptions(pipe, sud.directory, sud.options)) + if (!ValidateOptions(pipe, sud.directory, sud.options) + && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group) { goto out; }
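
Review bot: The added `if` condition in RunOpenvpn() is missing its final closing parenthesis: the second `+` line ends with `settings.ovpn_admin_group)`, which closes only the IsAuthorizedUser() call, whereas the removed condition ended with `sud.options))`. As posted this does not compile; the line should end with `settings.ovpn_admin_group))`. Separately, ValidateOptions() receives `pipe` and, after the swap, runs first for every request, including those from members of the admin group. If it reports a rejection on that pipe, an authorized user with non-white-listed options would get that report before IsAuthorizedUser() lets the request through, so please confirm it stays silent on failure or move the reporting to after both checks. The comment above the condition could also be reordered to match the new evaluation order.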