From patchwork Wed Jul 15 04:16:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1248 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id IDpcDdsPD1/sGQAAIUCqbw for ; Wed, 15 Jul 2020 10:16:59 -0400 Received: from proxy15.mail.ord1d.rsapps.net ([172.30.191.6]) by director12.mail.ord1d.rsapps.net with LMTP id IKIhDdsPD18MUwAAIasKDg ; Wed, 15 Jul 2020 10:16:59 -0400 Received: from smtp15.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy15.mail.ord1d.rsapps.net with LMTP id mHCpDNsPD1+TNgAAAY1PeQ ; Wed, 15 Jul 2020 10:16:59 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp15.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: d7c2cc5e-c6a5-11ea-9580-5254007ab6c8-1-1 Received: from [216.105.38.7] ([216.105.38.7:53058] helo=lists.sourceforge.net) by smtp15.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id F6/72-24851-ADF0F0F5; Wed, 15 Jul 2020 10:16:58 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jviCn-0003C5-BI; Wed, 15 Jul 2020 14:16:17 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jviCm-0003By-Iz for openvpn-devel@lists.sourceforge.net; Wed, 15 Jul 2020 14:16:16 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=REEMM8VpHoFOOz9xRhpssVf3x8Snoce0Vs8o1EjvEIk=; b=bnWe7y6LbKFFb1ReeQhIIs0ESU OUUbpzPT+hYXrLKcNb6yfD97Qg/SUb8Iwd9NoehIRbwh/IsEw4WUiF/crWCn3TVBsN0kJwO4fBK0Q H/TYRQ3nosd/yAyXkyPEnP2ttfqg6Nc3i7xmdqoU1zuiJPgF8xLNMV3PpllwMNWYB0dg=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=REEMM8VpHoFOOz9xRhpssVf3x8Snoce0Vs8o1EjvEIk=; b=XUQL4Al1BAbnyrGwtTes0sPovV bpRSGlH3cqeWMEH/RKDof4LXDWiHKuMO6kecss5dbbJVpeebkb9v2HOxt2Y/7kMZ1j6loRWZb6iPi jRxXYXgd+CgXctp6dHTUEgfF6x6CUwlkS8gUXJ1kSYYVNKC56XNRVeas403pOIgcvLhM=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jviCk-004XnX-Pn for openvpn-devel@lists.sourceforge.net; Wed, 15 Jul 2020 14:16:16 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1jviCW-0005Mj-6C; Wed, 15 Jul 2020 16:16:00 +0200 Received: (nullmailer pid 26657 invoked by uid 10006); Wed, 15 Jul 2020 14:16:00 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Wed, 15 Jul 2020 16:16:00 +0200 Message-Id: <20200715141600.26610-1-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: lettink.de] 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1jviCk-004XnX-Pn Subject: [Openvpn-devel] [PATCH v6 8/14] client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This patch moves the state, that was previously tracked within the multi_connection_established() function, into struct client_connect_state. The multi_connection_established() function can now be exited and re-entered as many times as necessary - without losing the client-connect handling state. The patch also adds the new return value CC_RET_DEFERRED which indicates that the handler couldn't complete immediately, and needs to be called later. At that point multi_connection_established() will exit without indicating completion. Each client-connect handler now has an (optional) additional call-back: The call-back for handling the deferred case. If the main call-back returns CC_RET_DEFERRED, the next call to the handler will be through the deferred call-back. Signed-off-by: Fabian Knittel Patch V3: Use a static struct in multi_instance instead of using malloc/free and use two states (deffered with and without result) instead of one to eliminate the counter that was only tested for > 0. Patch V5: Use new states in context_auth instead of the extra state that the patch series previously used. Patch V6: Restructure code to make it a bit more readable, rebase on master. Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 168 +++++++++++++++++++++++++++++++----------- src/openvpn/multi.h | 15 +++- src/openvpn/openvpn.h | 9 +++ 3 files changed, 147 insertions(+), 45 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 97b7df16..331891bc 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2225,32 +2225,50 @@ multi_client_connect_source_ccd(struct multi_context *m, return ret; } -static inline bool -cc_check_return(int *cc_succeeded_count, - enum client_connect_return ret) +typedef enum client_connect_return (*multi_client_connect_handler) + (struct multi_context *m, struct multi_instance *mi, + unsigned int *option_types_found); + +struct client_connect_handlers +{ + multi_client_connect_handler main; + multi_client_connect_handler deferred; +}; + +static enum client_connect_return +multi_client_connect_fail(struct multi_context *m, struct multi_instance *mi, + unsigned int *option_types_found) { - if (ret == CC_RET_SUCCEEDED) + /* Called null call-back. This should never happen. */ + return CC_RET_FAILED; +} + +static const struct client_connect_handlers client_connect_handlers[] = { { - (*cc_succeeded_count)++; - return true; - } - else if (ret == CC_RET_FAILED) + .main = multi_client_connect_source_ccd, + .deferred = multi_client_connect_fail + }, { - return false; - } - else if (ret == CC_RET_SKIPPED) + .main = multi_client_connect_call_plugin_v1, + .deferred = multi_client_connect_fail + }, { - return true; - } - else + .main = multi_client_connect_call_plugin_v2, + .deferred = multi_client_connect_fail + }, + { + .main = multi_client_connect_call_script, + .deferred = multi_client_connect_fail + }, { - ASSERT(0); + .main = multi_client_connect_mda, + .deferred = multi_client_connect_fail + }, + { + .main = NULL, + .deferred = NULL } -} - -typedef enum client_connect_return (*multi_client_connect_handler) - (struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found); +}; /* * Called as soon as the SSL/TLS connection is authenticated. @@ -2280,27 +2298,81 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) return; } - multi_client_connect_handler handlers[] = { - multi_client_connect_source_ccd, - multi_client_connect_call_plugin_v1, - multi_client_connect_call_plugin_v2, - multi_client_connect_call_script, - multi_client_connect_mda, - NULL - }; + /* We are only called for the CAS_PENDING_x states, so we + * can ignore other states here */ + bool from_deferred = (mi->context.c2.context_auth != CAS_PENDING); - unsigned int option_types_found = 0; + struct client_connect_defer_state *defer_state = + &(mi->client_connect_defer_state); - int cc_succeeded = true; /* client connect script status */ - int cc_succeeded_count = 0; - enum client_connect_return ret; + /* We are called for the first time */ + if (!from_deferred) + { + defer_state->cur_handler_index = 0; + defer_state->option_types_found = 0; + /* Initially we have no handler that has returned a result */ + mi->context.c2.context_auth = CAS_PENDING_DEFERRED; + + multi_client_connect_early_setup(m, mi); + } + + const struct client_connect_handlers *handler; + bool cc_succeeded = true; - multi_client_connect_early_setup(m, mi); + handler = &client_connect_handlers[defer_state->cur_handler_index]; - for (int i = 0; cc_succeeded && handlers[i]; i++) + while (cc_succeeded && handler->main != NULL) { - ret = handlers[i](m, mi, &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); + enum client_connect_return ret; + if (from_deferred) + { + ret = handler->deferred(m, mi, &(defer_state->option_types_found)); + from_deferred = false; + } + else + { + ret = handler->main(m, mi, &(defer_state->option_types_found)); + } + + if (ret == CC_RET_SUCCEEDED) + { + /* + * Remember that we already had at least one handler + * returning a result should go to into deferred state + */ + mi->context.c2.context_auth = CAS_PENDING_DEFERRED_PARTIAL; + } + else if (ret == CC_RET_SKIPPED) + { + /* + * Move on with the next handler without modifying any + * other state + */ + } + else if (ret == CC_RET_DEFERRED) + { + /* + * we already set client_connect_status to DEFERRED_RESULT or + * DEFERRED_NO_RESULT and increased index. We just return + * from the function as having client_connect_status + */ + return; + } + else if (ret == CC_RET_FAILED) + { + /* + * One handler failed. We abort the chain and set the final + * result to failed + */ + cc_succeeded = false; + } + else + { + ASSERT(0); + } + + handler = &client_connect_handlers[defer_state->cur_handler_index]; + (defer_state->cur_handler_index)++; } /* @@ -2312,18 +2384,26 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to " "'disable' directive"); cc_succeeded = false; - cc_succeeded_count = 0; } if (cc_succeeded) { - multi_client_connect_late_setup(m, mi, option_types_found); + multi_client_connect_late_setup(m, mi, + defer_state->option_types_found); } else { - /* set context-level authentication flag */ - mi->context.c2.context_auth = - cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED; + /* set context-level authentication flag to failed but remember + * if had a handler succeed (for cleanup) */ + if (mi->context.c2.context_auth == CAS_PENDING_DEFERRED_PARTIAL) + { + mi->context.c2.context_auth = CAS_PARTIAL; + } + else + { + mi->context.c2.context_auth = CAS_FAILED; + } + } /* increment number of current authenticated clients */ @@ -2624,7 +2704,7 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns { /* connection is "established" when SSL/TLS key negotiation succeeds * and (if specified) auth user/pass succeeds */ - if (mi->context.c2.context_auth == CAS_PENDING + if (is_cas_pending(mi->context.c2.context_auth) && CONNECTION_ESTABLISHED(&mi->context)) { multi_connection_established(m, mi); @@ -3579,7 +3659,7 @@ management_client_auth(void *arg, { if (auth) { - if (mi->context.c2.context_auth == CAS_PENDING) + if (is_cas_pending(mi->context.c2.context_auth)) { set_cc_config(mi, cc_config); cc_config_owned = false; @@ -3591,7 +3671,7 @@ management_client_auth(void *arg, { msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason)); } - if (mi->context.c2.context_auth != CAS_PENDING) + if (!is_cas_pending(mi->context.c2.context_auth)) { send_auth_failed(&mi->context, client_reason); /* mid-session reauth failed */ multi_schedule_context_wakeup(m, mi); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 1d30dcc6..11da0209 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -62,6 +62,18 @@ struct deferred_signal_schedule_entry struct timeval wakeup; }; +/** + * Detached client connection state. This is the state that is tracked while + * the client connect hooks are executed. + */ +struct client_connect_defer_state +{ + /* Index of currently executed handler. */ + int cur_handler_index; + /* Remember which option classes where processed for delayed option + * handling. */ + unsigned int option_types_found; +}; /** * Server-mode state structure for one single VPN tunnel. @@ -108,7 +120,7 @@ struct multi_instance { struct context context; /**< The context structure storing state * for this VPN tunnel. */ - + struct client_connect_defer_state client_connect_defer_state; #ifdef ENABLE_ASYNC_PUSH int inotify_watch; /* watch descriptor for acf */ #endif @@ -195,6 +207,7 @@ enum client_connect_return { CC_RET_FAILED, CC_RET_SUCCEEDED, + CC_RET_DEFERRED, CC_RET_SKIPPED }; diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 7c469b01..ccc7f118 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -217,6 +217,8 @@ struct context_1 enum client_connect_status { CAS_SUCCEEDED=0, CAS_PENDING, + CAS_PENDING_DEFERRED, + CAS_PENDING_DEFERRED_PARTIAL, /**< at least handler succeeded, no result yet*/ CAS_FAILED, CAS_PARTIAL, /**< Variant of CAS_FAILED: at least one * client-connect script/plugin succeeded @@ -225,6 +227,13 @@ enum client_connect_status { */ }; +static inline bool +is_cas_pending(enum client_connect_status cas) +{ + return cas == CAS_PENDING || cas == CAS_PENDING_DEFERRED + || cas == CAS_PENDING_DEFERRED_PARTIAL; +} + /** * Level 2 %context containing state that is reset on both \c SIGHUP and * \c SIGUSR1 restarts.