From patchwork Fri Jun 4 04:39:38 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1847
X-Patchwork-Delegate: a@unstable.cc
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 4 Jun 2021 16:39:38 +0200
Message-Id: <20210604143938.779193-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210520151148.2565578-4-arne@rfc2549.org>
References: <20210520151148.2565578-4-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4 4/9] Make waiting on auth an explicit state in the context state machine

Previously we relied on checking tls_authentication_status to determine whether the context auth state is actually valid or not. This patch eliminates that check by introducing waiting on the authentication as an extra state in the context auth state machine.

Patch v3: Fix ccd config from management being ignored

Patch v4: Fix race condition: we need to accept the config from management if we are in CAS_WAITING_AUTH or earlier states, and not just in the CAS_WAITING_AUTH state.
Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- src/openvpn/multi.c | 7 +------ src/openvpn/ssl.c | 9 ++++++++- src/openvpn/ssl_common.h | 1 + 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 3f9710134..eada7e155 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2596,11 +2596,6 @@ static const multi_client_connect_handler client_connect_handlers[] = { static void multi_connection_established(struct multi_context *m, struct multi_instance *mi) { - if (tls_authentication_status(mi->context.c2.tls_multi) != TLS_AUTHENTICATION_SUCCEEDED) - { - return; - } - /* We are only called for the CAS_PENDING_x states, so we * can ignore other states here */ bool from_deferred = (mi->context.c2.tls_multi->multi_state != CAS_PENDING); @@ -3970,7 +3965,7 @@ management_client_auth(void *arg, { if (auth) { - if (is_cas_pending(mi->context.c2.tls_multi->multi_state)) + if (mi->context.c2.tls_multi->multi_state <= CAS_WAITING_AUTH) { set_cc_config(mi, cc_config); cc_config_owned = false; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9f3f83f16..fd64b8d4e 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2810,7 +2810,7 @@ tls_process(struct tls_multi *multi, if (session->opt->mode == MODE_SERVER) { /* On a server we continue with running connect scripts next */ - multi->multi_state = CAS_PENDING; + multi->multi_state = CAS_WAITING_AUTH; } else { @@ -3136,6 +3136,13 @@ tls_multi_process(struct tls_multi *multi, enum tls_auth_status tas = tls_authentication_status(multi); + /* If we have successfully authenticated and are still waiting for the authentication to finish + * move the state machine for the multi context forward */ + if (multi->multi_state == CAS_WAITING_AUTH && tas == TLS_AUTHENTICATION_SUCCEEDED) + { + multi->multi_state = CAS_PENDING; + } + /* * If lame duck session expires, kill it. */ 
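Review bot: in the multi_connection_established() hunk of multi.c, dropping the tls_authentication_status() early return means the function's safety now rests entirely on the comment's claim that it is only called for the CAS_PENDING_x states. Turning that precondition into an ASSERT on mi->context.c2.tls_multi->multi_state, or at least documenting it in the function's header comment, would catch a future caller that reaches it from CAS_WAITING_AUTH.

Review bot: in the management_client_auth() hunk of multi.c, `multi_state <= CAS_WAITING_AUTH` makes the declaration order of `enum multi_status` load-bearing: it is correct only because CAS_NOT_CONNECTED and CAS_WAITING_AUTH are the first two enumerators, so a later reordering silently changes which states accept the management cc_config. Spelling it out as `multi_state == CAS_NOT_CONNECTED || multi_state == CAS_WAITING_AUTH`, or commenting that the comparison relies on enum order, would make the intent explicit. The replaced `is_cas_pending()` check also accepted the config in the CAS_PENDING_* states and the new condition does not; the ssl.c hunk shows the state only advances to CAS_PENDING once authentication has succeeded, so this looks intentional, but a sentence in the commit message would spare the next reader from re-deriving it.

Review bot: in the tls_multi_process() hunk of ssl.c, the new block advances CAS_WAITING_AUTH to CAS_PENDING only for tas == TLS_AUTHENTICATION_SUCCEEDED; a session whose authentication fails stays in CAS_WAITING_AUTH, which is fine only if the failure path tears the session down independently of multi_state. The hunk does not show that path, so a one-line comment next to the new block stating where failure is handled would keep the state machine readable without chasing it.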
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 8a65ab984..66700bf68 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -511,6 +511,7 @@ struct tls_session * connect scripts/plugins */ enum multi_status { CAS_NOT_CONNECTED, + CAS_WAITING_AUTH, /**< TLS connection established but deferred auth not finished */ CAS_PENDING, CAS_PENDING_DEFERRED, CAS_PENDING_DEFERRED_PARTIAL, /**< at least handler succeeded, no result yet*/
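Review bot: in the ssl_common.h hunk, the new CAS_WAITING_AUTH enumerator is inserted between CAS_NOT_CONNECTED and CAS_PENDING, and multi.c now compares `multi_state <= CAS_WAITING_AUTH`, so the order of `enum multi_status` has become part of the interface. A comment on the enum stating that the values are ordered by connection progress and are compared relationally would document that; the doc comment on the new value could also name what advances it (tls_authentication_status() reporting success, as in the ssl.c change) so the enum reads as the state diagram it now is.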