From patchwork Fri May 20 11:32:48 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2484
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 20 May 2022 23:32:48 +0200
Message-Id: <20220520213250.3126372-3-arne@rfc2549.org>
In-Reply-To: <20220520213250.3126372-1-arne@rfc2549.org>
References: <20220520213250.3126372-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2 2/4] Cleanup receive_auth_failed and simplify method

This simplifies the buffer handling in the method and adds a quick return
instead of wrapping the whole method in an if (pull) block

Patch V2: remove unnecessary ifdef/endif and unnecessary block

Acked-By: Frank Lichtenheld
Acked-by: Heiko Hund
---
 src/openvpn/push.c | 99 ++++++++++++++++++++++++----------------------
 1 file changed, 51 insertions(+), 48 deletions(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c index fa0def7f8..1c4e637e4 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -53,64 +53,67 @@ receive_auth_failed(struct context *c, const struct buffer *buffer) msg(M_VERB0, "AUTH: Received control message: %s", BSTR(buffer)); c->options.no_advance = true; - if (c->options.pull) + if (!c->options.pull) { - /* Before checking how to react on AUTH_FAILED, first check if the - * failed auth might be the result of an expired auth-token. - * Note that a server restart will trigger a generic AUTH_FAILED - * instead an AUTH_FAILED,SESSION so handle all AUTH_FAILED message - * identical for this scenario */ - if (ssl_clean_auth_token()) - { - c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */ - c->sig->signal_text = "auth-failure (auth-token)"; - } - else + return; + } + + struct buffer buf = *buffer; + + /* If the AUTH_FAIL message ends with a , it is an extended message that + * contains further flags */ + bool authfail_extended = buf_string_compare_advance(&buf, "AUTH_FAILED,"); + + /* Before checking how to react on AUTH_FAILED, first check if the + * failed auth might be the result of an expired auth-token. 
+ * Note that a server restart will trigger a generic AUTH_FAILED + * instead an AUTH_FAILED,SESSION so handle all AUTH_FAILED message + * identical for this scenario */ + if (ssl_clean_auth_token()) + { + c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */ + c->sig->signal_text = "auth-failure (auth-token)"; + } + else + { + switch (auth_retry_get()) { - switch (auth_retry_get()) - { - case AR_NONE: - c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- Auth failure error */ - break; + case AR_NONE: + c->sig->signal_received = SIGTERM; /* SOFT-SIGTERM -- Auth failure error */ + break; - case AR_INTERACT: - ssl_purge_auth(false); + case AR_INTERACT: + ssl_purge_auth(false); - case AR_NOINTERACT: - c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */ - break; + case AR_NOINTERACT: + c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- Auth failure error */ + break; - default: - ASSERT(0); - } - c->sig->signal_text = "auth-failure"; + default: + ASSERT(0); } + c->sig->signal_text = "auth-failure"; + } #ifdef ENABLE_MANAGEMENT - if (management) - { - const char *reason = NULL; - struct buffer buf = *buffer; - if (buf_string_compare_advance(&buf, "AUTH_FAILED,") && BLEN(&buf)) - { - reason = BSTR(&buf); - } - management_auth_failure(management, UP_TYPE_AUTH, reason); - } -#endif - /* - * Save the dynamic-challenge text even when management is defined - */ + if (management) + { + const char *reason = NULL; + if (authfail_extended && BLEN(&buf)) { -#ifdef ENABLE_MANAGEMENT - struct buffer buf = *buffer; - if (buf_string_match_head_str(&buf, "AUTH_FAILED,CRV1:") && BLEN(&buf)) - { - buf_advance(&buf, 12); /* Length of "AUTH_FAILED," substring */ - ssl_put_auth_challenge(BSTR(&buf)); - } -#endif + reason = BSTR(&buf); } + management_auth_failure(management, UP_TYPE_AUTH, reason); + } + /* + * Save the dynamic-challenge text even when management is defined + */ + if (authfail_extended + && buf_string_match_head_str(&buf, 
"CRV1:") && BLEN(&buf)) + { + ssl_put_auth_challenge(BSTR(&buf)); } +#endif + } /*