[Openvpn-devel,v4,0/3] Disable multiple deferred authentication

Message ID 20220313193154.9350-1-openvpn@sf.lists.topphemmelig.net
Headers show


David Sommerseth March 13, 2022, 7:31 p.m. UTC
From: David Sommerseth <davids@openvpn.net>

It was discovered an issue with OpenVPN 2.x when multiple --plugin
modules were loaded and more than one of them used deferred
authentication.  To fix this properly will require a larger refactoring
of the plug-in code, so it was decided in the mean time to disable the
possibility to run an OpenVPN server with such a setup.  This issue
affects the OpenVPN server mode only.

This patch set adds a new test plug-in and adds some test documentation
on how to test various combinations of authentication plug-ins.  Since
this new plug-in (multi-auth.c) is fairly close to the simple.c plug-in,
just more flexible for test setups, we remove the old one.  The fix
itself is isolated in a separate patch in this set.

The order of patches are insignificant; there are no inter-dependencies
between them.

kind regards,

David Sommerseth
OpenVPN Inc


David Sommerseth (3):
  sample-plugin: New plugin for testing multiple auth plugins
  plug-ins: Disallow multiple deferred authentication plug-ins
  plugins: Remove defer/simple.c sample plugin

 doc/man-sections/plugin-options.rst           |   9 +
 doc/tests/authentication-plugins.md           | 153 +++++++++++
 include/openvpn-plugin.h.in                   |   4 +-
 sample/sample-plugins/Makefile.plugins        |   2 +-
 sample/sample-plugins/README                  |   6 +-
 .../defer/{simple.c => multi-auth.c}          | 248 ++++++++++--------
 sample/sample-plugins/defer/simple.def        |   6 -
 src/openvpn/plugin.c                          |  33 ++-
 8 files changed, 333 insertions(+), 128 deletions(-)
 create mode 100644 doc/tests/authentication-plugins.md
 rename sample/sample-plugins/defer/{simple.c => multi-auth.c} (61%)
 delete mode 100755 sample/sample-plugins/defer/simple.def