From patchwork Mon Nov 12 00:56:15 2018
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 593
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 12 Nov 2018 12:56:15 +0100
Message-Id: <20181112115627.5096-2-arne@rfc2549.org>
In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org>
References: <20181112115627.5096-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 01/13] client-connect: Split multi_connection_established into separate functions

From: Fabian Knittel

This patch splits up the multi_connection_established() function. Each new helper function does a specific job. Functions that do a similar job receive a similar calling interface.

The patch tries not to reindent code, so that the real changes are as clearly visible as possible. (A follow-up patch will only do indentation changes.)

Signed-off-by: Fabian Knittel

PATCH v3: Since the code has changed enough from the time of the original patch to the current master, the splitting has been redone from the current code. Also some style and minor code changes have been added while doing this patch. This, together with the big reformatting done before, eliminates the follow-up patch with indentation changes.

The original patch already replaces some instances of option_permission_mask with CLIENT_CONNECT_OPT_MASK. The V3 version does this more consequently.

Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 598 +++++++++++++++++++++++++------------------- src/openvpn/multi.h | 4 +- 2 files changed, 347 insertions(+), 255 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 8440f311..13106fcc 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1638,7 +1638,6 @@ static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, - unsigned int option_permissions_mask, unsigned int *option_types_found) { /* Did script generate a dynamic config file? */ @@ -1647,7 +1646,7 @@ multi_client_connect_post(struct multi_context *m, options_server_import(&mi->context.options, dc_file, D_IMPORT_ERRORS|M_OPTERR, - option_permissions_mask, + CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es); @@ -1671,7 +1670,6 @@ static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, - unsigned int option_permissions_mask, unsigned int *option_types_found) { struct plugin_return config; @@ -1689,7 +1687,7 @@ multi_client_connect_post_plugin(struct multi_context *m, options_string_import(&mi->context.options, config.list[i]->value, D_IMPORT_ERRORS|M_OPTERR, - option_permissions_mask, + CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es); } 
@@ -1716,21 +1714,19 @@ multi_client_connect_post_plugin(struct multi_context *m, static void multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, - const struct buffer_list *config, - unsigned int option_permissions_mask, unsigned int *option_types_found) { - if (config) + if (mi->cc_config) { struct buffer_entry *be; - for (be = config->head; be != NULL; be = be->next) + for (be = mi->cc_config->head; be != NULL; be = be->next) { const char *opt = BSTR(&be->buf); options_string_import(&mi->context.options, opt, D_IMPORT_ERRORS|M_OPTERR, - option_permissions_mask, + CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es); } 
@@ -1773,215 +1769,387 @@ multi_client_connect_setenv(struct multi_context *m, gc_free(&gc); } -/* - * Called as soon as the SSL/TLS connection authenticates. - * - * Instance-specific directives to be processed: - * - * iroute start-ip end-ip - * ifconfig-push local remote-netmask - * push - */ static void -multi_connection_established(struct multi_context *m, struct multi_instance *mi) +multi_client_connect_call_plugin_v1(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found, + int *cc_succeeded, + int *cc_succeeded_count) { - if (tls_authentication_status(mi->context.c2.tls_multi, 0) == TLS_AUTHENTICATION_SUCCEEDED) +#ifdef ENABLE_PLUGIN + ASSERT(m); + ASSERT(mi); + ASSERT(option_types_found); + ASSERT(cc_succeeded); + ASSERT(cc_succeeded_count); + + /* deprecated callback, use a file for passing back return info */ + if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT)) { + struct argv argv = argv_new(); struct gc_arena gc = gc_new(); - unsigned int option_types_found = 0; + const char *dc_file = + platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc); - const unsigned int option_permissions_mask = - OPT_P_INSTANCE - | OPT_P_INHERIT - | OPT_P_PUSH - | OPT_P_TIMER - | OPT_P_CONFIG - | OPT_P_ECHO - | OPT_P_COMP - | OPT_P_SOCKFLAGS; + if (!dc_file) + { + cc_succeeded = false; + goto cleanup; + } - int cc_succeeded = true; /* client connect script status */ - int cc_succeeded_count = 0; + argv_printf(&argv, "%s", dc_file); + if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, + &argv, NULL, mi->context.c2.es) + != OPENVPN_PLUGIN_FUNC_SUCCESS) + { + msg(M_WARN, "WARNING: client-connect plugin call failed"); + *cc_succeeded = false; + } + else + { + multi_client_connect_post(m, mi, dc_file, option_types_found); + (*cc_succeeded_count)++; + } + + if (!platform_unlink(dc_file)) + { + msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", + dc_file); + } + + cleanup: + 
argv_reset(&argv); + gc_free(&gc); + } +#endif /* ifdef ENABLE_PLUGIN */ +} - ASSERT(mi->context.c1.tuntap); +static void +multi_client_connect_call_plugin_v2(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found, + int *cc_succeeded, + int *cc_succeeded_count) +{ +#ifdef ENABLE_PLUGIN + ASSERT(m); + ASSERT(mi); + ASSERT(option_types_found); + ASSERT(cc_succeeded); + ASSERT(cc_succeeded_count); - /* lock down the common name and cert hashes so they can't change during future TLS renegotiations */ - tls_lock_common_name(mi->context.c2.tls_multi); - tls_lock_cert_hash_set(mi->context.c2.tls_multi); + /* V2 callback, use a plugin_return struct for passing back return info */ + if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2)) + { + struct plugin_return pr; - /* generate a msg() prefix for this client instance */ - generate_prefix(mi); + plugin_return_init(&pr); - /* delete instances of previous clients with same common-name */ - if (!mi->context.options.duplicate_cn) + if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, + NULL, &pr, mi->context.c2.es) + != OPENVPN_PLUGIN_FUNC_SUCCESS) { - multi_delete_dup(m, mi); + msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); + *cc_succeeded = false; + } + else + { + multi_client_connect_post_plugin(m, mi, &pr, option_types_found); + (*cc_succeeded_count)++; } - /* reset pool handle to null */ - mi->vaddr_handle = -1; + plugin_return_free(&pr); + } +#endif /* ifdef ENABLE_PLUGIN */ +} - /* - * Try to source a dynamic config file from the - * --client-config-dir directory. - */ - if (mi->context.options.client_config_dir) + + +/** + * Runs the --client-connect script if one is defined. 
+ */ +static void +multi_client_connect_call_script(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found, + int *cc_succeeded, + int *cc_succeeded_count) +{ + if (mi->context.options.client_connect_script) + { + struct argv argv = argv_new(); + struct gc_arena gc = gc_new(); + const char *dc_file = NULL; + + setenv_str(mi->context.c2.es, "script_type", "client-connect"); + + dc_file = platform_create_temp_file(mi->context.options.tmp_dir, + "cc", &gc); + if (!dc_file) { - const char *ccd_file; + *cc_succeeded = false; + goto cleanup; + } - ccd_file = platform_gen_path(mi->context.options.client_config_dir, - tls_common_name(mi->context.c2.tls_multi, - false), - &gc); + argv_parse_cmd(&argv, mi->context.options.client_connect_script); + argv_printf_cat(&argv, "%s", dc_file); - /* try common-name file */ - if (platform_test_file(ccd_file)) - { - options_server_import(&mi->context.options, - ccd_file, - D_IMPORT_ERRORS|M_OPTERR, - option_permissions_mask, - &option_types_found, - mi->context.c2.es); - } - else /* try default file */ - { - ccd_file = platform_gen_path(mi->context.options.client_config_dir, - CCD_DEFAULT, - &gc); + if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect")) + { + multi_client_connect_post(m, mi, dc_file, option_types_found); + (*cc_succeeded_count)++; + } + else + { + *cc_succeeded = false; + } - if (platform_test_file(ccd_file)) - { - options_server_import(&mi->context.options, - ccd_file, - D_IMPORT_ERRORS|M_OPTERR, - option_permissions_mask, - &option_types_found, - mi->context.c2.es); - } - } + if (!platform_unlink(dc_file)) + { + msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", + dc_file); } + cleanup: + argv_reset(&argv); + gc_free(&gc); + } +} - /* - * Select a virtual address from either --ifconfig-push in --client-config-dir file - * or --ifconfig-pool. 
- */ - multi_select_virtual_addr(m, mi); +static void +multi_client_connect_late_setup(struct multi_context *m, + struct multi_instance *mi, + const unsigned int option_types_found) +{ + struct gc_arena gc = gc_new(); + /* + * Process sourced options. + */ + do_deferred_options(&mi->context, option_types_found); - /* do --client-connect setenvs */ - multi_client_connect_setenv(m, mi); + /* + * make sure we got ifconfig settings from somewhere + */ + if (!mi->context.c2.push_ifconfig_defined) + { + msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote" + "--ifconfig address is available for %s", + multi_instance_string(mi, false, &gc)); + } + + /* + * make sure that ifconfig settings comply with constraints + */ + if (!ifconfig_push_constraint_satisfied(&mi->context)) + { + const char* ifconfig_constraint_network = + print_in_addr_t(mi->context.options.push_ifconfig_constraint_network, 0, &gc); + const char* ifconfig_constraint_netmask = + print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc); + + /* JYFIXME -- this should cause the connection to fail */ + msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)" + "violates tunnel network/netmask constraint (%s/%s)", + multi_instance_string(mi, false, &gc), + print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc), + ifconfig_constraint_network, ifconfig_constraint_netmask); + } + + /* + * For routed tunnels, set up internal route to endpoint + * plus add all iroute routes. 
+ */ + if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN) + { + if (mi->context.c2.push_ifconfig_defined) + { + multi_learn_in_addr_t(m, mi, + mi->context.c2.push_ifconfig_local, + -1, true); + msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s", + multi_instance_string(mi, false, &gc), + print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc)); + } + + if (mi->context.c2.push_ifconfig_ipv6_defined) + { + multi_learn_in6_addr(m, mi, + mi->context.c2.push_ifconfig_ipv6_local, + -1, true); + /* TODO: find out where addresses are "unlearned"!! */ + const char* ifconfig_local_ipv6 = + print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc); + msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s", + multi_instance_string(mi, false, &gc), + ifconfig_local_ipv6); + } + + /* add routes locally, pointing to new client, if + * --iroute options have been specified */ + multi_add_iroutes(m, mi); -#ifdef ENABLE_PLUGIN /* - * Call client-connect plug-in. + * iroutes represent subnets which are "owned" by a particular + * client. Therefore, do not actually push a route to a client + * if it matches one of the client's iroutes. 
*/ + remove_iroutes_from_push_route_list(&mi->context.options); + } + else if (mi->context.options.iroutes) + { + msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute" + "only works with tun-style tunnels", + multi_instance_string(mi, false, &gc)); + } - /* deprecated callback, use a file for passing back return info */ - if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT)) - { - struct argv argv = argv_new(); - const char *dc_file = platform_create_temp_file(mi->context.options.tmp_dir, - "cc", &gc); + /* set our client's VPN endpoint for status reporting purposes */ + mi->reporting_addr = mi->context.c2.push_ifconfig_local; + mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local; - if (!dc_file) - { - cc_succeeded = false; - goto script_depr_failed; - } + /* set context-level authentication flag */ + mi->context.c2.context_auth = CAS_SUCCEEDED; - argv_printf(&argv, "%s", dc_file); - if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, &argv, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS) - { - msg(M_WARN, "WARNING: client-connect plugin call failed"); - cc_succeeded = false; - } - else - { - multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found); - ++cc_succeeded_count; - } +#ifdef ENABLE_ASYNC_PUSH + /* authentication complete, send push reply */ + if (mi->context.c2.push_request_received) + { + process_incoming_push_request(&mi->context); + } +#endif + gc_free(&gc); +} - if (!platform_unlink(dc_file)) - { - msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", - dc_file); - } -script_depr_failed: - argv_reset(&argv); - } +static void +multi_client_connect_early_setup(struct multi_context *m, + struct multi_instance *mi) +{ + ASSERT(mi->context.c1.tuntap); + /* + * lock down the common name and cert hashes so they can't change + * during future TLS renegotiations + */ + tls_lock_common_name(mi->context.c2.tls_multi); + 
tls_lock_cert_hash_set(mi->context.c2.tls_multi); - /* V2 callback, use a plugin_return struct for passing back return info */ - if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2)) - { - struct plugin_return pr; + /* generate a msg() prefix for this client instance */ + generate_prefix(mi); - plugin_return_init(&pr); + /* delete instances of previous clients with same common-name */ + if (!mi->context.options.duplicate_cn) + { + multi_delete_dup(m, mi); + } - if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, NULL, &pr, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS) - { - msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); - cc_succeeded = false; - } - else - { - multi_client_connect_post_plugin(m, mi, &pr, option_permissions_mask, &option_types_found); - ++cc_succeeded_count; - } + /* reset pool handle to null */ + mi->vaddr_handle = -1; +} - plugin_return_free(&pr); - } -#endif /* ifdef ENABLE_PLUGIN */ +/** + * Try to source a dynamic config file from the + * --client-config-dir directory. + */ +static void +multi_client_connect_source_ccd(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found) +{ + if (mi->context.options.client_config_dir) + { + struct gc_arena gc = gc_new(); + const char *ccd_file; - /* - * Run --client-connect script. 
- */ - if (mi->context.options.client_connect_script && cc_succeeded) - { - struct argv argv = argv_new(); - const char *dc_file = NULL; + ccd_file = platform_gen_path(mi->context.options.client_config_dir, + tls_common_name(mi->context.c2.tls_multi, + false), + &gc); - setenv_str(mi->context.c2.es, "script_type", "client-connect"); + /* try common-name file */ + if (platform_test_file(ccd_file)) + { + options_server_import(&mi->context.options, + ccd_file, + D_IMPORT_ERRORS|M_OPTERR, + CLIENT_CONNECT_OPT_MASK, + option_types_found, + mi->context.c2.es); + } + else /* try default file */ + { + ccd_file = platform_gen_path(mi->context.options.client_config_dir, + CCD_DEFAULT, + &gc); - dc_file = platform_create_temp_file(mi->context.options.tmp_dir, - "cc", &gc); - if (!dc_file) + if (platform_test_file(ccd_file)) { - cc_succeeded = false; - goto script_failed; + options_server_import(&mi->context.options, + ccd_file, + D_IMPORT_ERRORS|M_OPTERR, + CLIENT_CONNECT_OPT_MASK, + option_types_found, + mi->context.c2.es); } + } + gc_free(&gc); + } +} + +/* + * Called as soon as the SSL/TLS connection authenticates. 
+ * + * Instance-specific directives to be processed: + * + * iroute start-ip end-ip + * ifconfig-push local remote-netmask + * push + */ +static void +multi_connection_established(struct multi_context *m, struct multi_instance *mi) +{ + if (tls_authentication_status(mi->context.c2.tls_multi, 0) + == TLS_AUTHENTICATION_SUCCEEDED) + { + unsigned int option_types_found = 0; - argv_parse_cmd(&argv, mi->context.options.client_connect_script); - argv_printf_cat(&argv, "%s", dc_file); + int cc_succeeded = true; /* client connect script status */ + int cc_succeeded_count = 0; - if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect")) - { - multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found); - ++cc_succeeded_count; - } - else - { - cc_succeeded = false; - } + multi_client_connect_early_setup (m, mi); - if (!platform_unlink(dc_file)) - { - msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", - dc_file); - } + multi_client_connect_source_ccd (m, mi, &option_types_found); -script_failed: - argv_reset(&argv); - } + /* + * Select a virtual address from either --ifconfig-push in + * --client-config-dir file or --ifconfig-pool. 
+ */ + multi_select_virtual_addr(m, mi); + + /* do --client-connect setenvs */ + multi_client_connect_setenv(m, mi); + + multi_client_connect_call_plugin_v1 (m, mi, &option_types_found, + &cc_succeeded, + &cc_succeeded_count); + + multi_client_connect_call_plugin_v2 (m, mi, &option_types_found, + &cc_succeeded, + &cc_succeeded_count); /* * Check for client-connect script left by management interface client */ + + if (cc_succeeded) + { + multi_client_connect_call_script (m, mi, &option_types_found, + &cc_succeeded, + &cc_succeeded_count); + + } #ifdef MANAGEMENT_DEF_AUTH if (cc_succeeded && mi->cc_config) { - multi_client_connect_mda(m, mi, mi->cc_config, option_permissions_mask, &option_types_found); - ++cc_succeeded_count; + multi_client_connect_mda(m, mi, &option_types_found); + cc_succeeded_count++; } #endif 
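Review bot: in multi_client_connect_call_plugin_v1, the `if (!dc_file)` branch writes `cc_succeeded = false;`, which assigns NULL to the `int *cc_succeeded` parameter instead of clearing the caller's flag; it should read `*cc_succeeded = false;`, as the same branch in multi_client_connect_call_script does. As written, a failure to create the temporary file is never reported, so the caller still runs the --client-connect script and multi_client_connect_late_setup as if the plugin step had succeeded (the `goto cleanup` also skips the `(*cc_succeeded_count)++`, so the client would end up CAS_SUCCEEDED with no config applied from that source). Two smaller points in the same hunk: the split message strings in multi_client_connect_late_setup lose their separating space when the literals are concatenated ("remote" "--ifconfig" becomes "remote--ifconfig", "(%s)" "violates" becomes "(%s)violates", "iroute" "only works" becomes "irouteonly works"), and the comment "Check for client-connect script left by management interface client" now sits above the new `if (cc_succeeded)` call to multi_client_connect_call_script rather than above the MANAGEMENT_DEF_AUTH block it describes. Style: `const char* ifconfig_constraint_network` and the space before the parenthesis in `multi_client_connect_early_setup (m, mi)` differ from the surrounding `const char *dc_file` and `multi_client_connect_post(m, mi, ...)` forms, and the `if (cc_succeeded) { ... }` block around the script call carries a stray blank line before its closing brace.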
@@ -1991,99 +2159,21 @@ script_failed: */ if (mi->context.options.disable) { - msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to 'disable' directive"); + msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to" + "'disable' directive"); cc_succeeded = false; cc_succeeded_count = 0; } if (cc_succeeded) { - /* - * Process sourced options. - */ - do_deferred_options(&mi->context, option_types_found); - - /* - * make sure we got ifconfig settings from somewhere - */ - if (!mi->context.c2.push_ifconfig_defined) - { - msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote --ifconfig address is available for %s", - multi_instance_string(mi, false, &gc)); - } - - /* - * make sure that ifconfig settings comply with constraints - */ - if (!ifconfig_push_constraint_satisfied(&mi->context)) - { - /* JYFIXME -- this should cause the connection to fail */ - msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s)", - multi_instance_string(mi, false, &gc), - print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc), - print_in_addr_t(mi->context.options.push_ifconfig_constraint_network, 0, &gc), - print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc)); - } - - /* - * For routed tunnels, set up internal route to endpoint - * plus add all iroute routes. - */ - if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN) - { - if (mi->context.c2.push_ifconfig_defined) - { - multi_learn_in_addr_t(m, mi, mi->context.c2.push_ifconfig_local, -1, true); - msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s", - multi_instance_string(mi, false, &gc), - print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc)); - } - - if (mi->context.c2.push_ifconfig_ipv6_defined) - { - multi_learn_in6_addr(m, mi, mi->context.c2.push_ifconfig_ipv6_local, -1, true); - /* TODO: find out where addresses are "unlearned"!! 
*/ - msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s", - multi_instance_string(mi, false, &gc), - print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc)); - } - - /* add routes locally, pointing to new client, if - * --iroute options have been specified */ - multi_add_iroutes(m, mi); - - /* - * iroutes represent subnets which are "owned" by a particular - * client. Therefore, do not actually push a route to a client - * if it matches one of the client's iroutes. - */ - remove_iroutes_from_push_route_list(&mi->context.options); - } - else if (mi->context.options.iroutes) - { - msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels", - multi_instance_string(mi, false, &gc)); - } - - /* set our client's VPN endpoint for status reporting purposes */ - mi->reporting_addr = mi->context.c2.push_ifconfig_local; - mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local; - - /* set context-level authentication flag */ - mi->context.c2.context_auth = CAS_SUCCEEDED; - -#ifdef ENABLE_ASYNC_PUSH - /* authentication complete, send push reply */ - if (mi->context.c2.push_request_received) - { - process_incoming_push_request(&mi->context); - } -#endif + multi_client_connect_late_setup (m, mi, option_types_found); } else { /* set context-level authentication flag */ - mi->context.c2.context_auth = cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED; + mi->context.c2.context_auth = + cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED; } /* set flag so we don't get called again */ @@ -2097,11 +2187,11 @@ script_failed: #ifdef MANAGEMENT_DEF_AUTH if (management) { - management_connection_established(management, &mi->context.c2.mda_context, mi->context.c2.es); + management_connection_established + (management, &mi->context.c2.mda_context, mi->context.c2.es); } #endif - gc_free(&gc); } /* diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 3d3d6875..2e20d152 100644 --- a/src/openvpn/multi.h 
+++ b/src/openvpn/multi.h 
@@ -628,7 +628,9 @@ multi_process_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags return ret; } - +#define CLIENT_CONNECT_OPT_MASK (OPT_P_INSTANCE | OPT_P_INHERIT | \ + OPT_P_PUSH | OPT_P_TIMER | OPT_P_CONFIG | \ + OPT_P_ECHO | OPT_P_COMP | OPT_P_SOCKFLAGS) static inline bool multi_process_outgoing_link_dowork(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags) From patchwork Mon Nov 12 00:56:16 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 595 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id AP74HNtq6VsbZQAAIUCqbw for ; Mon, 12 Nov 2018 06:58:19 -0500 Received: from proxy11.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id GFvUHNtq6VszDgAAalYnBA ; Mon, 12 Nov 2018 06:58:19 -0500 Received: from smtp39.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy11.mail.ord1d.rsapps.net with LMTP id iEJfHNtq6Vt9RAAAgKDEHA ; Mon, 12 Nov 2018 06:58:19 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp39.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 3e7e91e6-e672-11e8-9e7b-525400a97bbc-1-1 Received: from [216.105.38.7] ([216.105.38.7:64139] helo=lists.sourceforge.net) by smtp39.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 
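Review bot: in the @@ -1991 hunk the rewrapped message `"MULTI: client has been rejected due to"` `"'disable' directive"` has no space between the two literals, so the log line reads "due to'disable' directive"; end the first literal with a trailing space (`"... due to "`). The rest of the hunk only moves the post-success block into multi_client_connect_late_setup, and the CAS_PARTIAL/CAS_FAILED assignment is unchanged apart from the line wrap.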
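Review bot: in the @@ -2097 hunk, breaking the line between `management_connection_established` and its opening parenthesis makes the call hard to grep for and does not match the rest of the file, where long calls keep the name and `(` together and wrap the argument list; wrap after the first argument instead. Dropping the trailing `gc_free(&gc)` is correct here, since `gc` no longer exists in multi_connection_established and each helper now owns its own arena.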
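Review bot: in the multi.h hunk, CLIENT_CONNECT_OPT_MASK is introduced without a comment, yet it is the permission boundary that decides which option classes a client-config-dir file, a client-connect script or plugin, or a management-interface client config may set for a connecting client; a short doc comment saying so (and noting that it replaces the inline option_permissions_mask formerly built in multi_connection_established) would help future readers. The hunk also removes the blank line that separated multi_process_outgoing_tun from the following definition, so the macro now sits directly against the closing brace; keep one blank line on each side. The eight OPT_P_* flags match the mask removed from multi.c, so behaviour is unchanged.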
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 12 Nov 2018 12:56:16 +0100
Message-Id: <20181112115627.5096-3-arne@rfc2549.org>
In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org>
References: <20181112115627.5096-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 02/13] client-connect: Refactor multi_client_connect_source_ccd

From: Fabian Knittel

Refactor multi_client_connect_source_ccd(), so that options_server_import() (or the success path in general) is only entered in one place within the function.

Signed-off-by: Fabian Knittel
Signed-off-by: Arne Schwabe
---
 src/openvpn/multi.c | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 13106fcc..282464fb 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2064,31 +2064,30 @@ multi_client_connect_source_ccd(struct multi_context *m, &gc); /* try common-name file */ - if (platform_test_file(ccd_file)) + if (!platform_test_file(ccd_file)) { - options_server_import(&mi->context.options, - ccd_file, - D_IMPORT_ERRORS|M_OPTERR, - CLIENT_CONNECT_OPT_MASK, - option_types_found, - mi->context.c2.es); + ccd_file = NULL; } - else /* try default file */ + /* try default file */ { ccd_file = platform_gen_path(mi->context.options.client_config_dir, CCD_DEFAULT, &gc); - - if (platform_test_file(ccd_file)) + if (!platform_test_file(ccd_file)) { - options_server_import(&mi->context.options, - ccd_file, - D_IMPORT_ERRORS|M_OPTERR, - CLIENT_CONNECT_OPT_MASK, - option_types_found, - mi->context.c2.es); + ccd_file = NULL; } } + + if (ccd_file) + { + options_server_import(&mi->context.options, + ccd_file, + D_IMPORT_ERRORS|M_OPTERR, + CLIENT_CONNECT_OPT_MASK, + option_types_found, + mi->context.c2.es); + } gc_free(&gc); } } From patchwork Mon Nov 12 00:56:17 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 599 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id cJnXHvNq6VuoGQAAIUCqbw for ; Mon, 12 Nov 2018 06:58:43 -0500 Received: from proxy13.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id gI2hHvNq6VsBDwAAalYnBA ; Mon, 12 Nov 2018 06:58:43 -0500 Received: from smtp7.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.ord1d.rsapps.net with LMTP id aH1RHvNq6VuyNgAAgjf6aA ; Mon, 12 Nov 2018 06:58:43 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: 
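Review bot: the `/* try default file */` block in this hunk lost its `else`, so it now runs unconditionally and replaces ccd_file with the CCD_DEFAULT path even when the common-name file was just found; the per-client file is never imported, and a per-client `disable` or `ifconfig-push` is silently superseded by DEFAULT (or by nothing at all when no DEFAULT file exists, since ccd_file is then reset to NULL). Guard the second lookup, e.g. `if (!ccd_file) { ccd_file = platform_gen_path(..., CCD_DEFAULT, &gc); ... }`, or resolve both candidate paths first and select with `if (platform_test_file(ccd_client)) ... else if (platform_test_file(ccd_default)) ...` ahead of the single options_server_import() call.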
smtp7.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 4d0de414-e672-11e8-9317-525400d28ed9-1-1 Received: from [216.105.38.7] ([216.105.38.7:10524] helo=lists.sourceforge.net) by smtp7.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 6D/A0-19774-3FA69EB5; Mon, 12 Nov 2018 06:58:43 -0500 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1gMAq7-000375-9F; Mon, 12 Nov 2018 11:57:11 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1gMApu-00035c-93 for openvpn-devel@lists.sourceforge.NET; Mon, 12 Nov 2018 11:56:58 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=QnpvceNOPh8+Xzz+ZlowToxxlkITE19x7VpGHqsNxJk=; b=WUk+5U4F3uLk4H3s8v2XpEgmYu 4bwX0mAWnrPb7Kc2c7ElfZa1tlWfaf2nO6SJDJJczgTuCyw7r69Dy/3n/f5+MlKfMt7P2WP4afPQF Ir9MjB38ICwxTBeLCLvhMM2Bk0SXrTZBkB4+3fpZP36OPpxOKrKJxolsC2RcjuL8YWjs=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To 
:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=QnpvceNOPh8+Xzz+ZlowToxxlkITE19x7VpGHqsNxJk=; b=TNAAhq9Is91XP7TVIcmPdaLreZ /jGoQEzjwIcK+whPQi6bKDWQ6GTFkIWNTtJmA6YI7boTQ8H/YOf3Fi2w2kxdM8XQgd3sbLKPR7BO9 QG747YV2HTvvcZXRscRvvxT+1FwCtmnxU08osz0SrJwgpkiFkjVQcTu5Ucg9RNa09XS0=; Received: from [192.26.174.232] (helo=mail.blinkt.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) id 1gMApf-00ExNP-1t for openvpn-devel@lists.sourceforge.NET; Mon, 12 Nov 2018 11:56:58 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.91 (FreeBSD)) (envelope-from ) id 1gMApQ-000J9w-5u; Mon, 12 Nov 2018 12:56:28 +0100 Received: (nullmailer pid 5150 invoked by uid 10006); Mon, 12 Nov 2018 11:56:28 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 12 Nov 2018 12:56:17 +0100 Message-Id: <20181112115627.5096-4-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org> References: <20181112115627.5096-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 TIME_LIMIT_EXCEEDED Exceeded time limit / deadline X-Headers-End: 1gMApf-00ExNP-1t Subject: [Openvpn-devel] [PATCH v3 03/13] client-connect: Move multi_client_connect_setenv into early_setup X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox 
From: Fabian Knittel This patch moves multi_client_connect_setenv into multi_client_connect_early_setup and makes sure that every client-connect handling function updates the virtual address selection. Background: This unifies how the client-connect handling functions work. Signed-off-by: Fabian Knittel Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 282464fb..a9925160 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2042,6 +2042,12 @@ multi_client_connect_early_setup(struct multi_context *m, /* reset pool handle to null */ mi->vaddr_handle = -1; + + /* do --client-connect setenvs */ + multi_select_virtual_addr(m, mi); + + multi_client_connect_setenv(m, mi); + } /** @@ -2087,6 +2093,13 @@ multi_client_connect_source_ccd(struct multi_context *m, CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es); + /* + * Select a virtual address from either --ifconfig-push in + * --client-config-dir file or --ifconfig-pool. + */ + multi_select_virtual_addr(m, mi); + + multi_client_connect_setenv(m, mi); } gc_free(&gc); } 
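Review bot: in the multi_client_connect_early_setup() hunk (@@ -2042) the comment `/* do --client-connect setenvs */` now sits above multi_select_virtual_addr() instead of above multi_client_connect_setenv(), and the hunk adds an empty `+` line before the closing brace that patch 04/13 of this series deletes again; move the comment down one call and drop the blank line here.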
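Review bot: the multi_client_connect_source_ccd() hunk (@@ -2087) adds a second multi_select_virtual_addr() call for the same instance immediately after the one early_setup now performs, so a client with a ccd file goes through address selection twice in one connect, the second time with mi->vaddr_handle no longer at -1. The commit message should state that multi_select_virtual_addr() is safe to re-run once a pool handle has been acquired, or the early_setup call should be skipped on the ccd path.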
@@ -2116,15 +2129,6 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) multi_client_connect_source_ccd (m, mi, &option_types_found); - /* - * Select a virtual address from either --ifconfig-push in - * --client-config-dir file or --ifconfig-pool. - */ - multi_select_virtual_addr(m, mi); - - /* do --client-connect setenvs */ - multi_client_connect_setenv(m, mi); - multi_client_connect_call_plugin_v1 (m, mi, &option_types_found, &cc_succeeded, &cc_succeeded_count); From patchwork Mon Nov 12 00:56:18 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 602 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 0CJREQ9r6VtYCQAAIUCqbw for ; Mon, 12 Nov 2018 06:59:11 -0500 Received: from proxy12.mail.ord1d.rsapps.net ([172.30.191.6]) by director10.mail.ord1d.rsapps.net with LMTP id YPUqEQ9r6VsUegAApN4f7A ; Mon, 12 Nov 2018 06:59:11 -0500 Received: from smtp36.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy12.mail.ord1d.rsapps.net with LMTP id GEv1EA9r6VvfLQAA7PHxkg ; Mon, 12 Nov 2018 06:59:11 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp36.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 5d7fe5fe-e672-11e8-baf4-525400c11307-1-1 Received: from [216.105.38.7] 
([216.105.38.7:33131] helo=lists.sourceforge.net) by smtp36.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id A9/5D-29036-E0B69EB5; Mon, 12 Nov 2018 06:59:10 -0500 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1gMAq9-0002Sr-An; Mon, 12 Nov 2018 11:57:13 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1gMAq6-0002Rg-QP for openvpn-devel@lists.sourceforge.NET; Mon, 12 Nov 2018 11:57:10 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=ZxttywUSlTxzwBY3a3H2SeK7pI5LS3u5GFOkWokVPoc=; b=lyUhWxDEpakf1KjcwjI7tj9mu4 k05/QZcxKMhXQ3rUjznSHXU5+7xD/bvjNaRlcMKU5MJ31+YrCvo4rNLCYo82pe90xafai/M/AGxpK 0/WZ0Pnyx0A37DHE17SYHvb2uPco8mZ3jhME3IMdMumidgRxSmuHijonGvdJKp/IOXsc=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ZxttywUSlTxzwBY3a3H2SeK7pI5LS3u5GFOkWokVPoc=; b=D2PsOLnkL2NgV+oImQ/MiA7hF+ th0B8+ZVzFBh5qV5r5tCdwDdCk1kU4uhVqDISO4ZaKue4Z4XN36HkwqnkYiQjDzdKNNNO4XDaSAOB KeKZGDieDaDQrb3Z+KwvhtHpgcZ9TtDTbuotK0yX8xK+DMiUAy68jRGjVM1q5GBNRRfU=; Received: from 
mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) id 1gMApo-000iof-QH for openvpn-devel@lists.sourceforge.NET; Mon, 12 Nov 2018 11:57:10 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.91 (FreeBSD)) (envelope-from ) id 1gMApQ-000J9z-8A; Mon, 12 Nov 2018 12:56:28 +0100 Received: (nullmailer pid 5153 invoked by uid 10006); Mon, 12 Nov 2018 11:56:28 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 12 Nov 2018 12:56:18 +0100 Message-Id: <20181112115627.5096-5-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org> References: <20181112115627.5096-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 TIME_LIMIT_EXCEEDED Exceeded time limit / deadline X-Headers-End: 1gMApo-000iof-QH Subject: [Openvpn-devel] [PATCH v3 04/13] client-connect: Refactor to use return values instead of modifying a passed-in flag X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Fabian Knittel This patch changes the way the client-connect helper functions communicate with the main function. Instead of updating cc_succeeded and cc_succeeded_count, they now return either CC_RET_SUCCEEDED, CC_RET_FAILED or CC_RET_SKIPPED. In addition, the client-connect helpers are now called in completely identical ways. This is in preparation of handling the helpers as simple call-backs. Signed-off-by: Fabian Knittel 
Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 138 +++++++++++++++++++++++++++----------------- src/openvpn/multi.h | 10 ++++ 2 files changed, 94 insertions(+), 54 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a9925160..1cd629c4 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1706,20 +1706,21 @@ multi_client_connect_post_plugin(struct multi_context *m, #endif /* ifdef ENABLE_PLUGIN */ -#ifdef MANAGEMENT_DEF_AUTH + /* * Called to load management-derived client-connect config */ -static void +enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found) { + enum client_connect_return ret = CC_RET_SKIPPED; +#ifdef MANAGEMENT_DEF_AUTH if (mi->cc_config) { struct buffer_entry *be; - for (be = mi->cc_config->head; be != NULL; be = be->next) { const char *opt = BSTR(&be->buf); @@ -1739,10 +1740,12 @@ multi_client_connect_mda(struct multi_context *m, */ multi_select_virtual_addr(m, mi); multi_set_virtual_addr_env(m, mi); - } -} + ret = CC_RET_SUCCEEDED; + } #endif /* ifdef MANAGEMENT_DEF_AUTH */ + return ret; +} static void multi_client_connect_setenv(struct multi_context *m, @@ -1769,19 +1772,16 @@ multi_client_connect_setenv(struct multi_context *m, gc_free(&gc); } -static void +static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found, - int *cc_succeeded, - int *cc_succeeded_count) + unsigned int *option_types_found) { + enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN - ASSERT(m); - ASSERT(mi); - ASSERT(option_types_found); - ASSERT(cc_succeeded); - ASSERT(cc_succeeded_count); + ASSERT (m); + ASSERT (mi); + ASSERT (option_types_found); /* deprecated callback, use a file for passing back return info */ if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT)) 
@@ -1793,7 +1793,7 @@ multi_client_connect_call_plugin_v1(struct multi_context *m, if (!dc_file) { - cc_succeeded = false; + ret = CC_RET_FAILED; goto cleanup; } @@ -1803,12 +1803,12 @@ multi_client_connect_call_plugin_v1(struct multi_context *m, != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: client-connect plugin call failed"); - *cc_succeeded = false; + ret=CC_RET_FAILED; } else { multi_client_connect_post(m, mi, dc_file, option_types_found); - (*cc_succeeded_count)++; + ret = CC_RET_SUCCEEDED; } if (!platform_unlink(dc_file)) @@ -1822,21 +1822,19 @@ multi_client_connect_call_plugin_v1(struct multi_context *m, gc_free(&gc); } #endif /* ifdef ENABLE_PLUGIN */ + return ret; } -static void +static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found, - int *cc_succeeded, - int *cc_succeeded_count) + unsigned int *option_types_found) { + enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN - ASSERT(m); - ASSERT(mi); - ASSERT(option_types_found); - ASSERT(cc_succeeded); - ASSERT(cc_succeeded_count); + ASSERT (m); + ASSERT (mi); + ASSERT (option_types_found); /* V2 callback, use a plugin_return struct for passing back return info */ if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2)) @@ -1850,17 +1848,18 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); - *cc_succeeded = false; + ret = CC_RET_FAILED; } else { multi_client_connect_post_plugin(m, mi, &pr, option_types_found); - (*cc_succeeded_count)++; + ret = CC_RET_SUCCEEDED; } plugin_return_free(&pr); } #endif /* ifdef ENABLE_PLUGIN */ + return ret; } 
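Review bot: multi_client_connect_mda() in the first hunk (@@ -1706) goes from `static void` to a non-static `enum client_connect_return` with no prototype added to multi.h and no caller outside multi.c; keep it `static`. The same hunk replaces the removed `#ifdef MANAGEMENT_DEF_AUTH` line with an empty `+` line, leaving two blank lines above the doc comment; drop one.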
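Review bot: the @@ -1793 hunk replaces `cc_succeeded = false;` with `ret = CC_RET_FAILED;`; the removed line assigned to the pointer parameter itself rather than to `*cc_succeeded` (compare the `*cc_succeeded = false;` lines in the neighbouring hunks), so the old dc_file-allocation failure path in multi_client_connect_call_plugin_v1() never actually rejected the client. The refactor fixes that silently; say so in the commit message, because it is a behaviour change on an error path rather than a pure refactor.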
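Review bot: the @@ -1822 hunk rewrites `ASSERT(m);` as `ASSERT (m);` (likewise the @@ -1769 hunk for plugin_v1), and the @@ -1803 hunk writes `ret=CC_RET_FAILED;` without spaces; the rest of the file uses `ASSERT(x);` and `a = b;`, so keep the original spacing instead of re-touching lines whose only change is whitespace.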
@@ -1868,13 +1867,12 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, /** * Runs the --client-connect script if one is defined. */ -static void +static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found, - int *cc_succeeded, - int *cc_succeeded_count) + unsigned int *option_types_found) { + enum client_connect_return ret = CC_RET_SKIPPED; if (mi->context.options.client_connect_script) { struct argv argv = argv_new(); @@ -1887,7 +1885,7 @@ multi_client_connect_call_script(struct multi_context *m, "cc", &gc); if (!dc_file) { - *cc_succeeded = false; + ret = CC_RET_FAILED; goto cleanup; } @@ -1897,11 +1895,11 @@ multi_client_connect_call_script(struct multi_context *m, if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect")) { multi_client_connect_post(m, mi, dc_file, option_types_found); - (*cc_succeeded_count)++; + ret = CC_RET_SUCCEEDED; } else { - *cc_succeeded = false; + ret = CC_RET_FAILED; } if (!platform_unlink(dc_file)) @@ -1913,6 +1911,7 @@ multi_client_connect_call_script(struct multi_context *m, argv_reset(&argv); gc_free(&gc); } + return ret; } static void @@ -2047,18 +2046,18 @@ multi_client_connect_early_setup(struct multi_context *m, multi_select_virtual_addr(m, mi); multi_client_connect_setenv(m, mi); - } /** * Try to source a dynamic config file from the * --client-config-dir directory. */ -static void +enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found) { + enum client_connect_return ret = CC_RET_SKIPPED; if (mi->context.options.client_config_dir) { struct gc_arena gc = gc_new(); 
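Review bot: in the @@ -2047 hunk multi_client_connect_source_ccd() changes from `static void` to a non-static `enum client_connect_return`; nothing outside multi.c calls it and multi.h gains no prototype, so it should stay `static` (the same applies to multi_client_connect_mda() earlier in this patch). Patch 06/13 of the series reinstates `static` here; do it in this patch so every intermediate commit builds cleanly.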
@@ -2100,9 +2099,35 @@ multi_client_connect_source_ccd(struct multi_context *m, multi_select_virtual_addr(m, mi); multi_client_connect_setenv(m, mi); + + ret = CC_RET_SUCCEEDED; } gc_free(&gc); } + return ret; +} + +static inline bool +cc_check_return(int* cc_succeeded_count, + enum client_connect_return ret) +{ + if (ret == CC_RET_SUCCEEDED) + { + (*cc_succeeded_count)++; + return true; + } + else if (ret == CC_RET_FAILED) + { + return false; + } + else if (ret == CC_RET_SKIPPED) + { + return true; + } + else + { + ASSERT(0); + } } /* 
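Review bot: cc_check_return() in this hunk falls off the end of a non-void function after `ASSERT(0);`, which compilers flag, and if ASSERT is not noreturn the caller reads an undefined value; restructure it as a `switch (ret)` whose `default:` does `ASSERT(0); return false;`, and write the parameter as `int *cc_succeeded_count` to match the pointer style used elsewhere in multi.c. Because a false result short-circuits every later hook, failing closed in that unreachable branch is the right default.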
@@ -2124,37 +2149,42 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) int cc_succeeded = true; /* client connect script status */ int cc_succeeded_count = 0; + enum client_connect_return ret; multi_client_connect_early_setup (m, mi); - multi_client_connect_source_ccd (m, mi, &option_types_found); + ret = multi_client_connect_source_ccd (m, mi, &option_types_found); + cc_succeeded = cc_check_return(&cc_succeeded_count, ret); - multi_client_connect_call_plugin_v1 (m, mi, &option_types_found, - &cc_succeeded, - &cc_succeeded_count); + if (cc_succeeded) + { + ret = multi_client_connect_call_plugin_v1(m, mi, + &option_types_found); + cc_succeeded = cc_check_return(&cc_succeeded_count, ret); + } + + if (cc_succeeded) + { + ret = multi_client_connect_call_plugin_v2(m, mi, + &option_types_found); + cc_succeeded = cc_check_return(&cc_succeeded_count, ret); + } - multi_client_connect_call_plugin_v2 (m, mi, &option_types_found, - &cc_succeeded, - &cc_succeeded_count); /* * Check for client-connect script left by management interface client */ - if (cc_succeeded) { - multi_client_connect_call_script (m, mi, &option_types_found, - &cc_succeeded, - &cc_succeeded_count); - + ret = multi_client_connect_call_script (m, mi, &option_types_found); + cc_succeeded = cc_check_return(&cc_succeeded_count, ret); } -#ifdef MANAGEMENT_DEF_AUTH - if (cc_succeeded && mi->cc_config) + + if (cc_succeeded) { - multi_client_connect_mda(m, mi, &option_types_found); - cc_succeeded_count++; + ret = multi_client_connect_mda(m, mi, &option_types_found); + cc_succeeded = cc_check_return(&cc_succeeded_count, ret); } -#endif /* * Check for "disable" directive in client-config-dir file diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 2e20d152..7f8d4f99 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
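Review bot: this hunk changes control flow, not just plumbing: previously multi_client_connect_call_plugin_v2() ran regardless of the plugin_v1 result, whereas now v2, the script and mda are each skipped as soon as an earlier hook returns CC_RET_FAILED; the commit message should say so (the end result, connection rejected, is unchanged, but the v2 plugin is no longer invoked for that client). Also the comment `Check for client-connect script left by management interface client` now heads the call_script block, while the management-interface config is what multi_client_connect_mda() handles; move or drop it.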
@@ -191,6 +191,16 @@ struct multi_context { struct deferred_signal_schedule_entry deferred_shutdown_signal; }; +/** + * Return values used by the client connect call-back functions. + */ +enum client_connect_return +{ + CC_RET_FAILED, + CC_RET_SUCCEEDED, + CC_RET_SKIPPED +}; + /* * Host route */ From patchwork Mon Nov 12 00:56:19 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 600 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id sKPpJgBr6VsnXAAAIUCqbw for ; Mon, 12 Nov 2018 06:58:56 -0500 Received: from proxy11.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id +GPIJgBr6VszDgAAalYnBA ; Mon, 12 Nov 2018 06:58:56 -0500 Received: from smtp18.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy11.mail.ord1d.rsapps.net with LMTP id 2AaMJgBr6VuPRAAAgKDEHA ; Mon, 12 Nov 2018 06:58:56 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp18.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 54a3c216-e672-11e8-b555-5254005167a7-1-1 Received: from [216.105.38.7] ([216.105.38.7:24310] helo=lists.sourceforge.net) by smtp18.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id DB/3F-09494-FFA69EB5; Mon, 12 Nov 2018 
06:58:56 -0500 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1gMApz-000152-3u; Mon, 12 Nov 2018 11:57:03 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1gMAps-000148-ON for openvpn-devel@lists.sourceforge.NET; Mon, 12 Nov 2018 11:56:56 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Ls5wzFOUJ99mEicqG5JugCEmFsCbq4aEgbtLTUYAlh0=; b=m/YLXscagBe+gp3+GK7TYmTyei 4nOhkU8f6SL5fZeykOYJVy8JjWrztnjb/UqlqmY982L+tFzaakjHjjs8poR+EIxG5PVk9pKyW8MXE 2CLqeuFck5bGy26D/afltVSC1nS9HmMB0uFYTacGUCDrkHSXTQ2zBo99/gDAD6EmLXvs=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Ls5wzFOUJ99mEicqG5JugCEmFsCbq4aEgbtLTUYAlh0=; b=XG8vrJoVXwJ2eBnyX2R96NulH5 yxBOrv632xASLqUXP+e9u6dLgozBBrBf47S1Xw7OYCPylKDoYB86HTep7KKNAV146v5W3kGMc55gV 3EUfgmGgoDkeeCFOgjN+AEyvcSa0km0hwaAN9sgIUEJfey2DmPbYsGDjSDIo+Hp27Zec=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) id 1gMApd-006cU0-EN for openvpn-devel@lists.sourceforge.NET; Mon, 12 Nov 2018 11:56:56 +0000 
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.91 (FreeBSD)) (envelope-from ) id 1gMApQ-000JA2-AN; Mon, 12 Nov 2018 12:56:28 +0100 Received: (nullmailer pid 5156 invoked by uid 10006); Mon, 12 Nov 2018 11:56:28 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 12 Nov 2018 12:56:19 +0100 Message-Id: <20181112115627.5096-6-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org> References: <20181112115627.5096-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 TIME_LIMIT_EXCEEDED Exceeded time limit / deadline X-Headers-End: 1gMApd-006cU0-EN Subject: [Openvpn-devel] [PATCH v3 05/13] client-connect: Refactor client-connect handling to calling a bunch of hooks in a loop X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Fabian Knittel This patch changes the calling of the client-connect functions into an array of hooks and a block of code that calls them in a loop. Signed-off-by: Fabian Knittel Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 45 ++++++++++++++++----------------------------- 1 file changed, 16 insertions(+), 29 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 1cd629c4..10a5af9a 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -2145,6 +2145,20 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) if (tls_authentication_status(mi->context.c2.tls_multi, 0) == TLS_AUTHENTICATION_SUCCEEDED) { + typedef enum client_connect_return + (*multi_client_connect_handler) + (struct multi_context *m, struct multi_instance *mi, + unsigned int *option_types_found); + + multi_client_connect_handler handlers[] = { + multi_client_connect_source_ccd, + multi_client_connect_call_plugin_v1, + multi_client_connect_call_plugin_v2, + multi_client_connect_call_script, + multi_client_connect_mda, + NULL + }; + unsigned int option_types_found = 0; int cc_succeeded = true; /* client connect script status */ 
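Review bot: the typedef and the `handlers[]` table in this hunk are rebuilt on the stack for every established connection; hoist them to file scope as `static const multi_client_connect_handler handlers[]` (all five functions are defined earlier in multi.c). The entry order is now the only thing encoding that the ccd file is imported first and the management-interface config last, so add a comment stating that the order is significant.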
@@ -2153,36 +2167,9 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) multi_client_connect_early_setup (m, mi); - ret = multi_client_connect_source_ccd (m, mi, &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); - - if (cc_succeeded) - { - ret = multi_client_connect_call_plugin_v1(m, mi, - &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); - } - - if (cc_succeeded) - { - ret = multi_client_connect_call_plugin_v2(m, mi, - &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); - } - - - /* - * Check for client-connect script left by management interface client - */ - if (cc_succeeded) - { - ret = multi_client_connect_call_script (m, mi, &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); - } - - if (cc_succeeded) + for (int i = 0;cc_succeeded && handlers[i];i++) { - ret = multi_client_connect_mda(m, mi, &option_types_found); + ret = handlers[i](m, mi, &option_types_found); cc_succeeded = cc_check_return(&cc_succeeded_count, ret); } From patchwork Mon Nov 12 00:56:20 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 594 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id sDe6HNpq6Vu5CgAAIUCqbw for ; Mon, 12 Nov 2018 06:58:18 -0500 Received: from proxy14.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id mKKUHNpq6VszDgAAalYnBA ; Mon, 12 Nov 2018 06:58:18 -0500 Received: from smtp8.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy14.mail.ord1d.rsapps.net with LMTP id CJRHHNpq6VuYcwAAtEH5vw ; Mon, 12 Nov 2018 06:58:18 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO 
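Review bot: the loop header `for (int i = 0;cc_succeeded && handlers[i];i++)` needs spaces after the semicolons to match the file's style. The removed block also deletes the only comment describing the management-interface stage; a one-line note above the loop saying that the hooks run in table order and stop at the first CC_RET_FAILED would preserve that information.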
X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp8.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 3d8c08fe-e672-11e8-949e-5254001e5a60-1-1 Received: from [216.105.38.7] ([216.105.38.7:20903] helo=lists.sourceforge.net) by smtp8.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 1E/7B-15592-9DA69EB5; Mon, 12 Nov 2018 06:58:17 -0500 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1gMAq9-0002Sh-6z; Mon, 12 Nov 2018 11:57:13 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1gMAq3-0002RI-TF for openvpn-devel@lists.sourceforge.NET; Mon, 12 Nov 2018 11:57:07 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=vY9b9i6krtdpYYbWU/c8sPxq+7D1V+jqW9dU2ErBBlY=; b=F/I12Fe4TSVT4KnfJlRM1LlOFb 3joKbLBMYZNgOosymVhfsaSrFh29mAlp47dkE3mL47Y5IUlzkIqGAm7QdL4l9SwM/VRLWsjWIsk6g LxdNrOsJZhHTDBx2UAYyrOci7u0kRFSOrhiTfILVkFUgGT5fdWVAwb7fnj8/sJrNZbuU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; 
s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=vY9b9i6krtdpYYbWU/c8sPxq+7D1V+jqW9dU2ErBBlY=; b=IjrYH4pREkGQPHlCLcKAiqiG0s wKAVoR5pFv0FNBLcTbhTbgA1vrFCtHzVzjHpyQvbXkHDlB1Q/zUmm49alnEystupxVmGle8woxUvT bK+rJSsg/KAU0GUqRFhpB69giOyGrLKJpMeMsdT2XRd1KJvfWIMMl4+B/jk4ofrqBI6g=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) id 1gMApo-000iol-Pa for openvpn-devel@lists.sourceforge.NET; Mon, 12 Nov 2018 11:57:04 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.91 (FreeBSD)) (envelope-from ) id 1gMApQ-000JA5-DA for openvpn-devel@lists.sourceforge.net; Mon, 12 Nov 2018 12:56:28 +0100 Received: (nullmailer pid 5159 invoked by uid 10006); Mon, 12 Nov 2018 11:56:28 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 12 Nov 2018 12:56:20 +0100 Message-Id: <20181112115627.5096-7-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org> References: <20181112115627.5096-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.4 AWL AWL: Adjusted score from AWL reputation of 
Subject: [Openvpn-devel] [PATCH v3 06/13] client-connect: Change connection_established_flag from bool to enum

This prepares the move from the yes/no logic to a tristate logic with deferred being the third state. This deviates from Fabian's original patch, which used a pointer being NULL or non-NULL as an implicit third state.

Signed-off-by: Arne Schwabe
--- src/openvpn/multi.c | 14 ++++++++------ src/openvpn/multi.h | 8 +++++++- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 10a5af9a..3dbfb63f 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -574,7 +574,8 @@ static void multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi) { - if ((mi->context.c2.context_auth == CAS_SUCCEEDED && mi->connection_established_flag) + if ((mi->context.c2.context_auth == CAS_SUCCEEDED && + mi->client_connect_status == CC_STATUS_ESTABLISHED) || mi->context.c2.context_auth == CAS_PARTIAL) { multi_client_disconnect_setenv(m, mi); @@ -2052,7 +2053,7 @@ multi_client_connect_early_setup(struct multi_context *m, * Try to source a dynamic config file from the * --client-config-dir directory. */ -enum client_connect_return +static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found)
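Review bot: the `-enum client_connect_return` / `+static enum client_connect_return` hunk on multi_client_connect_source_ccd is a visibility fix that has nothing to do with the bool-to-enum conversion the commit message describes; either mention it in the message or split it into its own patch so the series stays bisectable and the reviewer does not have to wonder whether anything else depended on the symbol being external.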
@@ -2197,7 +2198,7 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) } /* set flag so we don't get called again */ - mi->connection_established_flag = true; + mi->client_connect_status = CC_STATUS_ESTABLISHED; /* increment number of current authenticated clients */ ++m->n_clients; @@ -2480,7 +2481,8 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns { /* connection is "established" when SSL/TLS key negotiation succeeds * and (if specified) auth user/pass succeeds */ - if (!mi->connection_established_flag && CONNECTION_ESTABLISHED(&mi->context)) + if (mi->client_connect_status != CC_STATUS_ESTABLISHED + && CONNECTION_ESTABLISHED(&mi->context)) { multi_connection_established(m, mi); } @@ -3386,7 +3388,7 @@ management_client_auth(void *arg, { if (auth) { - if (!mi->connection_established_flag) + if (mi->client_connect_status == CC_STATUS_NOT_ESTABLISHED) { set_cc_config(mi, cc_config); cc_config_owned = false; @@ -3398,7 +3400,7 @@ management_client_auth(void *arg, { msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason)); } - if (mi->connection_established_flag) + if (mi->client_connect_status == CC_STATUS_ESTABLISHED) { send_auth_failed(&mi->context, client_reason); /* mid-session reauth failed */ multi_schedule_context_wakeup(m, mi); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 7f8d4f99..c476a67e 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -63,6 +63,12 @@ struct deferred_signal_schedule_entry struct timeval wakeup; }; +enum client_connect_status +{ + CC_STATUS_NOT_ESTABLISHED, + CC_STATUS_ESTABLISHED +}; + /** * Server-mode state structure for one single VPN tunnel. * 
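Review bot: in the two management_client_auth hunks the replacement tests are no longer complements of each other: `if (!mi->connection_established_flag)` became `== CC_STATUS_NOT_ESTABLISHED` while `if (mi->connection_established_flag)` became `== CC_STATUS_ESTABLISHED`. With only the two enum values added here that is equivalent, but the commit message says a third (deferred) state is coming, and once it exists a client in that state falls through both branches: on `auth` set_cc_config() is not applied, and on rejection neither send_auth_failed() nor multi_schedule_context_wakeup() runs. Unless that is intended, keep the first test as `!= CC_STATUS_ESTABLISHED`, as the multi_process_post hunk already does, and add a comment saying which states each branch is meant to cover.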
@@ -105,7 +111,7 @@ struct multi_instance { bool did_cid_hash; struct buffer_list *cc_config; #endif - bool connection_established_flag; + enum client_connect_status client_connect_status; bool did_iroutes; int n_clients_delta; /* added to multi_context.n_clients when instance is closed */

From patchwork Mon Nov 12 00:56:21 2018
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 590
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 12 Nov 2018 12:56:21 +0100
Message-Id: <20181112115627.5096-8-arne@rfc2549.org>
In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org>
References: <20181112115627.5096-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 07/13] client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect
From: Fabian Knittel

This patch moves the state that was previously tracked within the multi_connection_established() function into struct client_connect_state. The multi_connection_established() function can now be exited and re-entered as many times as necessary, without losing the client-connect handling state.

The patch also adds the new return value CC_RET_DEFERRED which indicates that the handler couldn't complete immediately, and needs to be called later. At that point multi_connection_established() will exit without indicating completion.

Each client-connect handler now has an (optional) additional call-back: The call-back for handling the deferred case. If the main call-back returns CC_RET_DEFERRED, the next call to the handler will be through the deferred call-back.

Signed-off-by: Fabian Knittel

Patch V3: Use a static struct in multi_instance instead of using malloc/free and use two states (deferred with and without result) instead of one to eliminate the counter that was only tested for > 0.

Signed-off-by: Arne Schwabe
--- src/openvpn/multi.c | 158 +++++++++++++++++++++++++++++++++----------- src/openvpn/multi.h | 18 ++++- 2 files changed, 136 insertions(+), 40 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 3dbfb63f..263525a7 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c
@@ -2108,28 +2108,51 @@ multi_client_connect_source_ccd(struct multi_context *m, return ret; } -static inline bool -cc_check_return(int* cc_succeeded_count, - enum client_connect_return ret) +typedef enum client_connect_return (*client_connect_handler) + (struct multi_context *m, struct multi_instance *mi, + unsigned int *option_types_found); + +struct client_connect_handlers +{ + client_connect_handler main; + client_connect_handler deferred; +}; + +static enum client_connect_return +multi_client_connect_fail (struct multi_context *m, struct multi_instance *mi, + unsigned int *option_types_found) { - if (ret == CC_RET_SUCCEEDED) + /* Called null call-back. This should never happen. */ + return CC_RET_FAILED; +} + +static const struct client_connect_handlers client_connect_handlers[] = { { - (*cc_succeeded_count)++; - return true; - } - else if (ret == CC_RET_FAILED) + .main = multi_client_connect_source_ccd, + .deferred = multi_client_connect_fail + }, { - return false; - } - else if (ret == CC_RET_SKIPPED) + .main = multi_client_connect_call_plugin_v1, + .deferred = multi_client_connect_fail + }, { - return true; - } - else + .main = multi_client_connect_call_plugin_v2, + .deferred = multi_client_connect_fail + }, + { + .main = multi_client_connect_call_script, + .deferred = multi_client_connect_fail + }, { - ASSERT(0); + .main = multi_client_connect_mda, + .deferred = multi_client_connect_fail + }, + { + .main = NULL, + .deferred = NULL + /* End of list sentinel. */ } -} +}; /* * Called as soon as the SSL/TLS connection authenticates. 
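Review bot: multi_client_connect_fail returns CC_RET_FAILED for a case its own comment calls "This should never happen", so a bug that routes a deferred call to a handler without deferred support would show up only as a silently rejected client. Use ASSERT(0) there, which is what the removed cc_check_return did for impossible return values, or at least msg() the handler index before failing, and pick a name that says what it is (a placeholder, not a failure path). Minor: the table variable `client_connect_handlers` reuses the identifier of the struct tag `struct client_connect_handlers` declared just above it; legal C, but it makes both hard to grep for, so rename one of them.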
@@ -2146,32 +2169,86 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) if (tls_authentication_status(mi->context.c2.tls_multi, 0) == TLS_AUTHENTICATION_SUCCEEDED) { - typedef enum client_connect_return - (*multi_client_connect_handler) - (struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found); + bool from_deferred; - multi_client_connect_handler handlers[] = { - multi_client_connect_source_ccd, - multi_client_connect_call_plugin_v1, - multi_client_connect_call_plugin_v2, - multi_client_connect_call_script, - multi_client_connect_mda, - NULL - }; + enum client_connect_return ret; - unsigned int option_types_found = 0; + struct client_connect_defer_state* defer_state = + &(mi->client_connect_defer_state); - int cc_succeeded = true; /* client connect script status */ - int cc_succeeded_count = 0; - enum client_connect_return ret; + /* We are called for the first time */ + if (mi->client_connect_status == CC_STATUS_NOT_ESTABLISHED) + { + defer_state->cur_handler_index = 0; + defer_state->option_types_found = 0; + /* Initially we have no handler that has returned a result */ + mi->client_connect_status = CC_STATUS_DEFERRED_NO_RESULT; + from_deferred = false; + } + else + { + from_deferred = true; + } multi_client_connect_early_setup (m, mi); - for (int i = 0;cc_succeeded && handlers[i];i++) + bool cc_succeeded=true; + + while (cc_succeeded && + client_connect_handlers[defer_state->cur_handler_index] + .main != NULL) { - ret = handlers[i](m, mi, &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); + client_connect_handler handler; + if (from_deferred) + { + handler = client_connect_handlers + [defer_state->cur_handler_index].deferred; + from_deferred = false; + } + else + { + handler = client_connect_handlers + [defer_state->cur_handler_index].main; + } + + ret = handler(m, mi, &(defer_state->option_types_found)); + if (ret == CC_RET_SUCCEEDED) + { + /* + * Remember that we 
already had at least one handler + * returning a result should go to into defered state + */ + mi->client_connect_status = CC_STATUS_DEFERRED_RESULT; + } + else if (ret == CC_RET_SKIPPED) + { + /* + * Move on with the next handler without modifying any + * other state + */ + } + else if (ret == CC_RET_DEFERRED) + { + /* + * we already set client_connect_status to DEFERRED_RESULT or + * DEFERRED_NO_RESULT and increased index. We just return + * from the function as having client_connect_status + */ + return; + } + else if (ret == CC_RET_FAILED) + { + /* + * One handler failed. We abort the chain and set the final + * result to failed + */ + cc_succeeded = false; + } + else + { + ASSERT(0); + } + (defer_state->cur_handler_index)++; } /* @@ -2183,21 +2260,24 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to" "'disable' directive"); cc_succeeded = false; - cc_succeeded_count = 0; } if (cc_succeeded) { - multi_client_connect_late_setup (m, mi, option_types_found); + multi_client_connect_late_setup (m, mi, + mi->client_connect_defer_state. + option_types_found); } else { + bool at_least_one_cc_succeeded = + (mi->client_connect_status == CC_STATUS_DEFERRED_RESULT); /* set context-level authentication flag */ mi->context.c2.context_auth = - cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED; + at_least_one_cc_succeeded ? CAS_PARTIAL : CAS_FAILED; } - /* set flag so we don't get called again */ + /* set flag so we do not get called again */ mi->client_connect_status = CC_STATUS_ESTABLISHED; /* increment number of current authenticated clients */ diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index c476a67e..ebfda357 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
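Review bot: the comment in the CC_RET_DEFERRED branch, "we already set client_connect_status to DEFERRED_RESULT or DEFERRED_NO_RESULT and increased index", is wrong about the index: the `return` happens before `(defer_state->cur_handler_index)++`, and that is exactly what makes the next call pick the same handler's `.deferred` entry, so the comment should say the index is deliberately left unchanged. Two further questions on this hunk: multi_client_connect_early_setup(m, mi) now runs on every re-entry rather than once, so either confirm it is idempotent or move it into the `CC_STATUS_NOT_ESTABLISHED` branch; and `client_connect_status` is set to CC_STATUS_DEFERRED_RESULT after the first CC_RET_SUCCEEDED even when nothing was deferred, which reads oddly for the ordinary synchronous path and deserves a sentence next to the enum explaining that "deferred" here just means "still inside the handler chain".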
@@ -63,9 +63,24 @@ struct deferred_signal_schedule_entry struct timeval wakeup; }; +/** + * Detached client connection state. This is the state that is tracked while + * the client connect hooks are executed. + */ +struct client_connect_defer_state +{ + /* Index of currently executed handler. */ + int cur_handler_index; + /* Remember which option classes where processed for delayed option + handling. */ + unsigned int option_types_found; +}; + enum client_connect_status { CC_STATUS_NOT_ESTABLISHED, + CC_STATUS_DEFERRED_NO_RESULT, + CC_STATUS_DEFERRED_RESULT, CC_STATUS_ESTABLISHED }; @@ -117,7 +132,7 @@ struct multi_instance { struct context context; /**< The context structure storing state * for this VPN tunnel. */ - + struct client_connect_defer_state client_connect_defer_state; #ifdef ENABLE_ASYNC_PUSH int inotify_watch; /* watch descriptor for acf */ #endif 
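Review bot: the commit message talks about `struct client_connect_state`, the hunk adds `struct client_connect_defer_state`, and its doc comment calls it "Detached client connection state"; please make all three agree. In the same hunk "which option classes where processed" should read "were processed", and the new values CC_STATUS_DEFERRED_NO_RESULT / CC_STATUS_DEFERRED_RESULT have no comment explaining that the only difference between them is whether some handler has already returned CC_RET_SUCCEEDED, which is all multi_connection_established uses them for when it picks CAS_PARTIAL over CAS_FAILED.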
@@ -204,6 +219,7 @@ enum client_connect_return { CC_RET_FAILED, CC_RET_SUCCEEDED, + CC_RET_DEFERRED, CC_RET_SKIPPED };

From patchwork Mon Nov 12 00:56:22 2018
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 591
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 12 Nov 2018 12:56:22 +0100
Message-Id: <20181112115627.5096-9-arne@rfc2549.org>
In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org>
References: <20181112115627.5096-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 08/13] client-connect: Add deferred support to the client-connect script handler

From: Fabian Knittel

This patch introduces the concept of a return value file for the client-connect handlers. (This is very similar to the auth value file used during deferred authentication.) The file name is stored in the client_connect_state struct. In addition, the patch also allows the storage of the client config file name in struct client_connect_state.

Both changes are used by the client-connect script handler to support deferred client-connection handling. The deferred return value file (deferred_ret_file) is passed to the actual script via the environment. If the script succeeds and writes the value for deferral into the deferred_ret_file, the handler knows to indicate deferral. Later on, the deferred handler checks whether the value of the deferred_ret_file has been updated to success or failure.

Signed-off-by: Fabian Knittel
Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 218 +++++++++++++++++++++++++++++++++++++++++--- src/openvpn/multi.h | 12 +++ 2 files changed, 215 insertions(+), 15 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 263525a7..c8546238 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -1773,6 +1773,156 @@ multi_client_connect_setenv(struct multi_context *m, gc_free(&gc); } +/** + * Delete the temporary file for the return value of client connect + * It also removes it from it from client_connect_defer_state and + * environment + */ +static void +ccs_delete_deferred_ret_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + if (ccs->deferred_ret_file) + { + setenv_del(mi->context.c2.es, "client_connect_deferred_file"); + if(!platform_unlink(ccs->deferred_ret_file)) + msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", + ccs->deferred_ret_file); + free(ccs->deferred_ret_file); + ccs->deferred_ret_file = NULL; + } +} + +/** + * Create a temporary file for the return value of client connect + * and puts it into the client_connect_defer_state and environment + * as "client_connect_deferred_file" + * + * @return boolean value if creation was successfull + */ +static bool +ccs_gen_deferred_ret_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + struct gc_arena gc = gc_new(); + const char *fn; + + if (ccs->deferred_ret_file) + ccs_delete_deferred_ret_file(mi); + + fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc); + if (!fn) + { + gc_free(&gc); + return false; + } + ccs->deferred_ret_file = string_alloc(fn, NULL); + + setenv_str(mi->context.c2.es, "client_connect_deferred_file", + ccs->deferred_ret_file); + + gc_free(&gc); + return true; +} + +/** + * Tests whether the deferred return value file exists and returns the + * contained return value. + * + * @return CC_RET_SKIPPED if the file does not exist or is empty. + * CC_RET_DEFERRED, CC_RET_SUCCEEDED or CC_RET_FAILED depending on + * the value stored in the file. 
+ */ +static enum client_connect_return +ccs_test_deferred_ret_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + enum client_connect_return ret = CC_RET_SKIPPED; + FILE *fp = fopen(ccs->deferred_ret_file, "r"); + if (fp) + { + const int c = fgetc (fp); + switch (c) + { + case '0': + ret = CC_RET_FAILED; + break; + case '1': + ret = CC_RET_SUCCEEDED; + break; + case '2': + ret = CC_RET_DEFERRED; + break; + case EOF: + if (feof(fp)) + { + ret = CC_RET_SKIPPED; + break; + } + /* Not EOF, but other error fall through to error state */ + default: + /* We received an unknown/unexpected value. Assume failure. */ + msg(M_WARN, "WARNING: Unknown/unexcepted value in deferred" + "client-connect resultfile"); + ret = CC_RET_FAILED; + } + fclose(fp); + } + return ret; +} + +/** + * Deletes the temporary file for the config directives of the client connect + * script and removes it into the client_connect_defer_state and environment + * + */ +static void +ccs_delete_config_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + if (ccs->config_file) + { + setenv_del(mi->context.c2.es, "client_connect_config_file"); + if (!platform_unlink (ccs->config_file)) + msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", + ccs->config_file); + free(ccs->config_file); + ccs->config_file = NULL; + } +} + +/** + * Create a temporary file for the config directives of the client connect + * script and puts it into the client_connect_defer_state and environment + * as "client_connect_config_file" + * + * @return boolean value if creation was successfull + */ +static bool +ccs_gen_config_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + struct gc_arena gc = gc_new (); + const char *fn; + + if (ccs->config_file) + ccs_delete_config_file (mi); + + fn = platform_create_temp_file 
(mi->context.options.tmp_dir, "cc", &gc); + if (!fn) + { + gc_free (&gc); + return false; + } + ccs->config_file = string_alloc (fn, NULL); + + setenv_str (mi->context.c2.es, "client_connect_config_file", + ccs->config_file); + + gc_free (&gc); + return true; +} + static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, @@ -1863,8 +2013,6 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, return ret; } - - /** * Runs the --client-connect script if one is defined. */ 
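Review bot: in ccs_test_deferred_ret_file the warning is built from two adjacent string literals with no separating space, `"...value in deferred" "client-connect resultfile"`, so the log line reads "deferredclient-connect"; "unexcepted" should also be "unexpected". Style in the same hunk: `if(!platform_unlink(ccs->deferred_ret_file))` and the matching check in ccs_delete_config_file have no braces around the msg() call, and `gc_new ()`, `platform_unlink (`, `platform_create_temp_file (` use space-before-paren while the surrounding file does not. The doc comment on ccs_delete_config_file says "removes it into the client_connect_defer_state"; "from" is meant. Last, the handler acts on the first byte of a file under tmp_dir that the script, and anything else able to write there, controls; the doc comment should state that tmp_dir must not be world-writable for the return-file mechanism to be trustworthy.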
@@ -1874,47 +2022,87 @@ multi_client_connect_call_script(struct multi_context *m, unsigned int *option_types_found) { enum client_connect_return ret = CC_RET_SKIPPED; + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + if (mi->context.options.client_connect_script) { struct argv argv = argv_new(); struct gc_arena gc = gc_new(); - const char *dc_file = NULL; setenv_str(mi->context.c2.es, "script_type", "client-connect"); - dc_file = platform_create_temp_file(mi->context.options.tmp_dir, - "cc", &gc); - if (!dc_file) + if (!ccs_gen_config_file (mi) || + !ccs_gen_deferred_ret_file (mi)) { ret = CC_RET_FAILED; goto cleanup; } argv_parse_cmd(&argv, mi->context.options.client_connect_script); - argv_printf_cat(&argv, "%s", dc_file); + argv_printf_cat(&argv, "%s", ccs->config_file); if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect")) { - multi_client_connect_post(m, mi, dc_file, option_types_found); - ret = CC_RET_SUCCEEDED; + if (ccs_test_deferred_ret_file(mi) == CC_RET_DEFERRED) + { + ret = CC_RET_DEFERRED; + } + else + { + multi_client_connect_post(m, mi, ccs->config_file, + option_types_found); + ret = CC_RET_SUCCEEDED; + } } else { ret = CC_RET_FAILED; } - - if (!platform_unlink(dc_file)) + cleanup: + if (ret != CC_RET_DEFERRED) { - msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", - dc_file); + ccs_delete_config_file(mi); + ccs_delete_deferred_ret_file(mi); } - cleanup: argv_reset(&argv); gc_free(&gc); } return ret; } +static enum client_connect_return +multi_client_handle_deferred(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found) +{ + ASSERT (mi); + ASSERT (option_types_found); + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + enum client_connect_return ret = CC_RET_SKIPPED; + + ret = ccs_test_deferred_ret_file(mi); + + if (ret == CC_RET_SKIPPED) + /* + * Skipped and deferred are equivalent in this context. 
+ * skipped means that the called program has not yet + * written a return status implicitly needing more time + * while deferred is the explicit notifcation that it + * needs more time + */ + ret = CC_RET_DEFERRED; + + if (ret != CC_RET_DEFERRED) + { + ccs_delete_deferred_ret_file (mi); + multi_client_connect_post (m, mi, ccs->config_file, + option_types_found); + ccs_delete_config_file (mi); + } + return ret; +} + + static void multi_client_connect_late_setup(struct multi_context *m, struct multi_instance *mi, @@ -2141,7 +2329,7 @@ static const struct client_connect_handlers client_connect_handlers[] = { }, { .main = multi_client_connect_call_script, - .deferred = multi_client_connect_fail + .deferred = multi_client_handle_deferred }, { .main = multi_client_connect_mda, diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index ebfda357..02203610 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
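Review bot: multi_client_handle_deferred calls multi_client_connect_post(m, mi, ccs->config_file, option_types_found) for every non-deferred result, including CC_RET_FAILED, so a script that later writes '0' into the return file still gets the directives in its config file applied before the client is refused; the synchronous path in multi_client_connect_call_script only calls multi_client_connect_post on success, and the deferred path should do the same (`if (ret == CC_RET_SUCCEEDED)` around the post call). The converse gap is in multi_client_connect_call_script itself: after openvpn_run_script succeeds only `== CC_RET_DEFERRED` is checked, so a script that exits 0 but writes '0' is treated as CC_RET_SUCCEEDED; either honour CC_RET_FAILED from the file there as well or document that the exit status is authoritative unless the file says '2'. Style: the `if (ret == CC_RET_SKIPPED)` in multi_client_handle_deferred has its single statement separated from the condition by a multi-line comment and no braces, which compiles but violates the project's brace rule, and `ASSERT (mi);`, `ccs_gen_config_file (mi)`, `ccs_delete_deferred_ret_file (mi)` use space-before-paren.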
@@ -74,6 +74,18 @@ struct client_connect_defer_state /* Remember which option classes where processed for delayed option handling. */ unsigned int option_types_found; + + /** + *The temporrary file name that contains the return status of the + * client-connect script if it exits with defer as status + */ + char *deferred_ret_file; + + /** + * The temporary file name that contains the config directives + * returned by the client-connect script + */ + char *config_file; }; enum client_connect_status

From patchwork Mon Nov 12 00:56:23 2018
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 597
X-Patchwork-Id: 597
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 12 Nov 2018 12:56:23 +0100
Message-Id: <20181112115627.5096-10-arne@rfc2549.org>
In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org>
References: <20181112115627.5096-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 09/13] client-connect: Move adding inotify watch into its own function

This makes the code a bit more readable and also prepares reusing the function for client-connect return files.

Signed-off-by: Arne Schwabe
---
src/openvpn/multi.c | 46 +++++++++++++++++++++++++++++---------------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index c8546238..dafc86d7 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c
@@ -2696,6 +2696,32 @@ multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi compute_wakeup_sigma(&mi->context.c2.timeval)); } +#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) +static void +add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi, + int inotify_fd, const char* file) +{ + /* watch acf file */ + long watch_descriptor = inotify_add_watch(inotify_fd, file, + IN_CLOSE_WRITE | IN_ONESHOT); + if (watch_descriptor >= 0) + { + if (mi->inotify_watch != -1) + { + hash_remove(m->inotify_watchers, + (void *) (unsigned long)mi->inotify_watch); + } + hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, + mi, true); + mi->inotify_watch = watch_descriptor; + } + else + { + msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error"); + } +} +#endif + /* * Figure instance-specific timers, convert * earliest to absolute time in mi->wakeup, 
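Review bot: the `/* watch acf file */` comment carried over into `add_inotify_file_watch` is now misleading, since the function takes an arbitrary `file` and the following patches use it for the client-connect return file as well; reword it to describe what the call does (one-shot watch for close-after-write on `file`). Two smaller points in the same hunk: `const char* file` should be `const char *file` to match the surrounding style, and since `inotify_add_watch` returns `int`, `watch_descriptor` could be declared `int` instead of `long` while the code is being moved anyway.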
@@ -2725,23 +2751,11 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns pre_select(&mi->context); #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) - if (ks && ks->auth_control_file && ks->auth_deferred && !was_authenticated) + if (ks && ks->auth_control_file && + ks->auth_deferred && !was_authenticated) { - /* watch acf file */ - long watch_descriptor = inotify_add_watch(m->top.c2.inotify_fd, ks->auth_control_file, IN_CLOSE_WRITE | IN_ONESHOT); - if (watch_descriptor >= 0) - { - if (mi->inotify_watch != -1) - { - hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch); - } - hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, mi, true); - mi->inotify_watch = watch_descriptor; - } - else - { - msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error"); - } + add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, + ks->auth_control_file); } #endif
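Review bot: the reflow of the unchanged condition `if (ks && ks->auth_control_file && ks->auth_deferred && !was_authenticated)` onto two lines is a whitespace-only change unrelated to the extraction; leaving it out keeps the hunk to the actual refactor and makes it easy to verify that the body was moved verbatim into `add_inotify_file_watch`.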
X-Patchwork-Id: 601
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 12 Nov 2018 12:56:24 +0100
Message-Id: <20181112115627.5096-11-arne@rfc2549.org>
In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org>
References: <20181112115627.5096-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 10/13] client-connect: Also use inotify for the deferred client-connect status file

As we never do client-connect and authentication at the same time, it is safe to reuse the existing fields for the client-connect return status file.

Signed-off-by: Arne Schwabe
---
src/openvpn/multi.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index dafc86d7..d515ee0d 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c
@@ -2491,8 +2491,10 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) #ifdef ENABLE_ASYNC_PUSH /* - * Called when inotify event is fired, which happens when acf file is closed or deleted. - * Continues authentication and sends push_reply. + * Called when inotify event is fired, which happens when acf + * or connect-status file is closed or deleted. + * Continues authentication and sends push_reply + * (or be deferred again by client-connect) */ void multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
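Review bot: grammar in the updated comment on `multi_process_file_closed`: `(or be deferred again by client-connect)` does not follow from `Continues authentication and sends push_reply`; `(or is deferred again by client-connect)` reads correctly. It would also help to name the file the comment means, i.e. the `deferred_ret_file` from `struct client_connect_defer_state`, rather than the generic 'connect-status file'.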
@@ -2768,7 +2770,15 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns { multi_connection_established(m, mi); } - +#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) + if (mi->client_connect_status != CC_STATUS_ESTABLISHED && + mi->client_connect_defer_state.deferred_ret_file) + { + add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, + mi->client_connect_defer_state. + deferred_ret_file); + } +#endif /* tell scheduler to wake us up at some point in the future */ multi_schedule_context_wakeup(m, mi); }
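Review bot: the new block re-arms the watch on every pass through `multi_process_post` for as long as `client_connect_status` is not `CC_STATUS_ESTABLISHED` and `deferred_ret_file` is set, and `add_inotify_file_watch` (patch 09/13) then does a `hash_remove` plus `inotify_add_watch` each time. The auth path further up guards its call with `!was_authenticated` so the watch is only added once; this path wants an equivalent guard, e.g. add the watch only right after the handler has returned `CC_RET_DEFERRED`, or skip when `mi->inotify_watch != -1` already refers to this file. Minor: the hunk also deletes the blank line between `}` and `#if`, leaving the new block squeezed against the preceding `if`.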
X-Patchwork-Id: 598
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 12 Nov 2018 12:56:25 +0100
Message-Id: <20181112115627.5096-12-arne@rfc2549.org>
In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org>
References: <20181112115627.5096-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 11/13] client-connect: Add deferred support to the client-connect plugin v1 handler

From: Fabian Knittel

Uses the infrastructure provided and used in the previous patch to provide deferral support to the v1 client-connect plugin handler as well.

Signed-off-by: Fabian Knittel

PATCH V3: Modify the API to also (optionally) call the plugin on a deferred call. This allows the plugin authors to be more flexible and makes the V1 API more similar to the V2 API.

Signed-off-by: Arne Schwabe
---
include/openvpn-plugin.h.in | 30 ++++++------ src/openvpn/multi.c | 98 ++++++++++++++++++++++++++++--------- src/openvpn/plugin.c | 3 ++ 3 files changed, 93 insertions(+), 38 deletions(-) diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in index 103844f7..38fbe097 100644 --- a/include/openvpn-plugin.h.in +++ b/include/openvpn-plugin.h.in
@@ -116,20 +116,22 @@ extern "C" { * FUNC: openvpn_plugin_client_destructor_v1 (top-level "generic" client) * FUNC: openvpn_plugin_close_v1 */ -#define OPENVPN_PLUGIN_UP 0 -#define OPENVPN_PLUGIN_DOWN 1 -#define OPENVPN_PLUGIN_ROUTE_UP 2 -#define OPENVPN_PLUGIN_IPCHANGE 3 -#define OPENVPN_PLUGIN_TLS_VERIFY 4 -#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY 5 -#define OPENVPN_PLUGIN_CLIENT_CONNECT 6 -#define OPENVPN_PLUGIN_CLIENT_DISCONNECT 7 -#define OPENVPN_PLUGIN_LEARN_ADDRESS 8 -#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2 9 -#define OPENVPN_PLUGIN_TLS_FINAL 10 -#define OPENVPN_PLUGIN_ENABLE_PF 11 -#define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 -#define OPENVPN_PLUGIN_N 13 +#define OPENVPN_PLUGIN_UP 0 +#define OPENVPN_PLUGIN_DOWN 1 +#define OPENVPN_PLUGIN_ROUTE_UP 2 +#define OPENVPN_PLUGIN_IPCHANGE 3 +#define OPENVPN_PLUGIN_TLS_VERIFY 4 +#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY 5 +#define OPENVPN_PLUGIN_CLIENT_CONNECT 6 +#define OPENVPN_PLUGIN_CLIENT_DISCONNECT 7 +#define OPENVPN_PLUGIN_LEARN_ADDRESS 8 +#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2 9 +#define OPENVPN_PLUGIN_TLS_FINAL 10 +#define OPENVPN_PLUGIN_ENABLE_PF 11 +#define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 +#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER 13 +#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 14 +#define OPENVPN_PLUGIN_N 15 /* * Build a mask out of a set of plug-in types.
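Review bot: the two new hook types `OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER` and `OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2` are added to the public header without a comment saying when they are invoked or what a plugin has to return from them; since this is the file plugin authors read, a short note next to the defines is worth having even if 13/13 adds fuller documentation. Style: re-aligning the value column of all thirteen untouched `#define`s turns a two-line addition into a hunk that replaces the whole list; keep the existing alignment (or realign in a separate whitespace-only commit) so the functional change is visible on its own.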
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index d515ee0d..f66523ec 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -1923,59 +1923,109 @@ ccs_gen_config_file(struct multi_instance *mi) return true; } + static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found) + unsigned int *option_types_found, + bool deferred) { enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN ASSERT (m); ASSERT (mi); ASSERT (option_types_found); + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); /* deprecated callback, use a file for passing back return info */ if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT)) { struct argv argv = argv_new(); - struct gc_arena gc = gc_new(); - const char *dc_file = - platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc); - - if (!dc_file) + int call; + if (!deferred) { - ret = CC_RET_FAILED; - goto cleanup; + call = OPENVPN_PLUGIN_CLIENT_CONNECT; + if (!ccs_gen_config_file (mi) || + !ccs_gen_deferred_ret_file (mi)) + { + ret = CC_RET_FAILED; + goto cleanup; + } } - - argv_printf(&argv, "%s", dc_file); - if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, - &argv, NULL, mi->context.c2.es) - != OPENVPN_PLUGIN_FUNC_SUCCESS) + else { - msg(M_WARN, "WARNING: client-connect plugin call failed"); - ret=CC_RET_FAILED; + call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER; + /* the initial call should have create these files */ + ASSERT(ccs->config_file); + ASSERT(ccs->deferred_ret_file); } - else + + argv_printf(&argv, "%s", ccs->config_file); + int plug_ret = plugin_call(mi->context.plugins, call, + &argv, NULL, mi->context.c2.es); + if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS) { - multi_client_connect_post(m, mi, dc_file, option_types_found); + multi_client_connect_post(m, mi, ccs->config_file, + option_types_found); ret = CC_RET_SUCCEEDED; } - - if (!platform_unlink(dc_file)) + else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED) { - msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: 
%s", - dc_file); + ret = CC_RET_DEFERRED; + /** + * Contrary to the plugin v2 API, we do not dmeand a working + * deferred plugin as all return can be handled by the files + * and plugin_call return success if a plugin is not defined + */ + } + else + { + msg(M_WARN, "WARNING: client-connect plugin call failed"); + ret = CC_RET_FAILED; } cleanup: + if (ret != CC_RET_SUCCEEDED) + { + ccs_delete_config_file (mi); + ccs_delete_deferred_ret_file (mi); + } argv_reset(&argv); - gc_free(&gc); + } + /** + * plugin api v1 client connect async feature has both plugin and + * file return status, so in case that the file has a code that + * demands override, we override our return code + */ + int file_ret = ccs_test_deferred_ret_file(mi); + if (file_ret == CC_RET_FAILED) + { + return CC_RET_FAILED; + } + else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED) + { + return CC_RET_DEFERRED; } #endif /* ifdef ENABLE_PLUGIN */ return ret; } +static enum client_connect_return +multi_client_connect_call_plugin_v1_initial(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found) +{ + return multi_client_connect_call_plugin_v1(m,mi, option_types_found, false); +} + +static enum client_connect_return +multi_client_connect_call_plugin_v1_deferred(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found) +{ + return multi_client_connect_call_plugin_v1(m,mi, option_types_found, true); +} + static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, @@ -2320,8 +2370,8 @@ static const struct client_connect_handlers client_connect_handlers[] = { .deferred = multi_client_connect_fail }, { - .main = multi_client_connect_call_plugin_v1, - .deferred = multi_client_connect_fail + .main = multi_client_connect_call_plugin_v1_initial, + .deferred = multi_client_connect_call_plugin_v1_deferred, }, { .main = multi_client_connect_call_plugin_v2, 
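Review bot: the `cleanup:` block in `multi_client_connect_call_plugin_v1` deletes `config_file` and `deferred_ret_file` whenever `ret != CC_RET_SUCCEEDED`, which includes `CC_RET_DEFERRED`; yet the deferred branch of the same function does `ASSERT(ccs->config_file); ASSERT(ccs->deferred_ret_file);` and relies on the files from the initial call, and 10/13 puts an inotify watch on `deferred_ret_file`. The deletion should spare the deferred case (`ret != CC_RET_DEFERRED`), and the `ccs_test_deferred_ret_file(mi)` override check then has to move before cleanup, because a `CC_RET_SUCCEEDED` call whose file says "deferred" must keep its files too. Related: that file check now runs even when no `OPENVPN_PLUGIN_CLIENT_CONNECT` plugin is defined (`ret == CC_RET_SKIPPED`, no files generated), so either `ccs_test_deferred_ret_file` must tolerate a NULL `deferred_ret_file` or the check belongs inside the `plugin_defined` block. Typos in the new comments: `should have create` -> `should have created`, `dmeand` -> `demand`, `all return can be` -> `all returns can be`; and `(m,mi,` in both wrapper functions wants a space after the comma.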
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 4d17c821..51c130c1 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c 
@@ -104,6 +104,9 @@ plugin_type_name(const int type) case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER: + return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_DISCONNECT: return "PLUGIN_CLIENT_DISCONNECT";
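Review bot: `plugin_type_name` returns the same string `"PLUGIN_CLIENT_CONNECT"` for `OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER` as the existing `OPENVPN_PLUGIN_CLIENT_CONNECT` and `_V2` cases do, so log lines cannot tell an initial call from a deferred one; returning `"PLUGIN_CLIENT_CONNECT_DEFER"` here costs nothing and makes the deferred path visible when debugging a plugin.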
X-Patchwork-Id: 589
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 12 Nov 2018 12:56:26 +0100
Message-Id: <20181112115627.5096-13-arne@rfc2549.org>
In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org>
References: <20181112115627.5096-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 12/13] client-connect: Implement deferred connect support for plugin API v2

The V2 API is simpler than the V1 API since there is no passing of data via files. This also means that with the current API the V2 API cannot support async notify via files. Adding a file just for async notify seems very hacky, and when needed we should implement a better option when async is needed for the plugin V2 API.

Signed-off-by: Arne Schwabe
---
src/openvpn/multi.c | 58 +++++++++++++++++++++++++++++++++++--------- src/openvpn/plugin.c | 3 +++ 2 files changed, 50 insertions(+), 11 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index f66523ec..ce31ef1e 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c
@@ -2029,7 +2029,8 @@ multi_client_connect_call_plugin_v1_deferred(struct multi_context *m, static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found) + unsigned int *option_types_found, + bool deferred) { enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN 
@@ -2037,32 +2038,67 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, ASSERT (mi); ASSERT (option_types_found); + int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 : + OPENVPN_PLUGIN_CLIENT_CONNECT_V2; /* V2 callback, use a plugin_return struct for passing back return info */ - if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2)) + if (plugin_defined(mi->context.plugins, call)) { struct plugin_return pr; plugin_return_init(&pr); - if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, - NULL, &pr, mi->context.c2.es) - != OPENVPN_PLUGIN_FUNC_SUCCESS) + int plug_ret = plugin_call(mi->context.plugins, call, + NULL, &pr, mi->context.c2.es); + if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS) { - msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); - ret = CC_RET_FAILED; + multi_client_connect_post_plugin(m, mi, &pr, option_types_found); + ret = CC_RET_SUCCEEDED; + } + else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED) + { + ret = CC_RET_DEFERRED; + if (!(plugin_defined(mi->context.plugins, + OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2))) + { + msg(M_WARN, "A plugin that defers from the " + "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also " + "declare support for " + "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2"); + ret = CC_RET_FAILED; + } } else { - multi_client_connect_post_plugin(m, mi, &pr, option_types_found); - ret = CC_RET_SUCCEEDED; + msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); + ret = CC_RET_FAILED; } + plugin_return_free(&pr); } #endif /* ifdef ENABLE_PLUGIN */ return ret; } + +static enum client_connect_return +multi_client_connect_call_plugin_v2_initial(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found) +{ + return multi_client_connect_call_plugin_v2(m, mi, option_types_found, + false); +} + +static enum client_connect_return +multi_client_connect_call_plugin_v2_deferred(struct multi_context *m, + struct multi_instance *mi, + unsigned int 
*option_types_found) +{ + return multi_client_connect_call_plugin_v2(m, mi, option_types_found, + true); +} + /** * Runs the --client-connect script if one is defined. */ @@ -2374,8 +2410,8 @@ static const struct client_connect_handlers client_connect_handlers[] = { .deferred = multi_client_connect_call_plugin_v1_deferred, }, { - .main = multi_client_connect_call_plugin_v2, - .deferred = multi_client_connect_fail + .main = multi_client_connect_call_plugin_v2_initial, + .deferred = multi_client_connect_call_plugin_v2_deferred, }, { .main = multi_client_connect_call_script, diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 51c130c1..347acade 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c 
@@ -107,6 +107,9 @@ plugin_type_name(const int type) case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER: return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2: + return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_DISCONNECT: return "PLUGIN_CLIENT_DISCONNECT";
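Review bot: in the `multi_client_connect_call_plugin_v2` hunk, nothing says what re-triggers the deferred V2 call: the commit message rules out a file to watch, so the `.deferred` handler `multi_client_connect_call_plugin_v2_deferred` must be driven by the periodic `multi_process_post` wakeup, i.e. the plugin is polled. State that in a comment on the `_deferred` wrapper, including whether `OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2` is called once or repeatedly until it stops returning `OPENVPN_PLUGIN_FUNC_DEFERRED`, since plugin authors need that to implement the hook. Good to see `plugin_return_free(&pr)` now runs on every path, including the new deferred and failure branches.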
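Review bot: `plugin_type_name` returns `"PLUGIN_CLIENT_CONNECT"` for `OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2`, the same string as the `_V2` and `_DEFER` cases directly above it; a distinct name such as `"PLUGIN_CLIENT_CONNECT_DEFER_V2"` lets logs show which hook was actually invoked.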
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 12 Nov 2018 12:56:27 +0100
Message-Id: <20181112115627.5096-14-arne@rfc2549.org>
In-Reply-To: <20181112115627.5096-1-arne@rfc2549.org>
References: <20181112115627.5096-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 13/13] client-connect: Add documentation for the deferred client connect feature
Signed-off-by: Arne Schwabe --- doc/openvpn.8 | 47 ++++++++++++++++++++++++++++++++++--- include/openvpn-plugin.h.in | 21 ++++++++++++----- 2 files changed, 59 insertions(+), 9 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 94b5cc4f..9377bbf5 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8
@@ -3346,6 +3346,13 @@ is significant. If .B script returns a non\-zero error status, it will cause the client to be disconnected. + +If a +.B \-\-client\-connect cmd +wants to defer the generating the configuration the script should +use the client_connect_deferred_file and client_connect_config_file +environment variables and write status acorrdingly into these files +(See the environment section below for more details). .\"********************************************************* .TP .B \-\-client\-disconnect cmd @@ -3428,12 +3435,18 @@ This directory will be used by in the following cases: * .B \-\-client\-connect -scripts to dynamically generate client\-specific -configuration files. +scripts and +.B OPENVPN_PLUGIN_CLIENT_CONNECT +plugin hook +to dynamically generate client\-specific configuration files +and return success/failure via client_connect_deferred_file +when using deferred client connect method * .B OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY -plugin hook to return success/failure via auth_control_file +and + +plugin hook to return success/failure via auth_control_file/ when using deferred auth method * 
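Review bot: in the --client-connect hunk (@@ -3346), the added paragraph carries two wording errors that would ship in the man page: "wants to defer the generating the configuration" should read "wants to defer generating the configuration", and "acorrdingly" should be "accordingly". Since this is the paragraph an operator writing a script reads first, it would also help to state the status values here (write '2' before the script exits, then '1' once the configuration file is complete, or '0' on error) rather than only pointing to the environment section.

Review bot: in the second doc/openvpn.8 hunk (@@ -3428), the edit to the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY bullet leaves a dangling "and" followed by an empty line and appends a stray "/" to the file name ("auth_control_file/"), so the rendered bullet reads ".B OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY / and / [blank] / plugin hook to return success/failure via auth_control_file/ when using deferred auth method"; the "+and", the empty "+" line and the trailing "/" look like leftovers of an unfinished edit and should be dropped so the bullet reads as before. In the --client-connect bullet, "when using deferred client connect method" wants an article ("the deferred client connect method").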
@@ -6431,6 +6444,34 @@ Set prior to execution of the script. .\"********************************************************* .TP +.B client_connect_config_file +The path to the configuration file that should be written by +the +.B \-\-client\-connect +The content of this enviroment variable is identical to the +file as a argument of the called +.B \-\-client\-connect +script. +.\"********************************************************* +.TP +.B client_connect_defferred_file +This file can be optionally written to communicate a status +code of the +.TP +.B \-\-client\-connect +script. If used for deferring, this file must be written +before the +.B \-\-client\-connect +script exits. The first character in the file is interpreted +and 1 is equal to normal script execution, 0 indicated and +error (in the same way that a non zero exit status does) and +2 indicates that the script deferred returning the config +file. When the script defers the executing it must first write 2 +during the execution of the script. A background process or similar +must then take of writing the client_connect_config_file and when +finished, write the a 1 to this file. +.\"********************************************************* +.TP .B common_name The X509 common name of an authenticated client. Set prior to execution of diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in index 38fbe097..fce59422 100644 --- a/include/openvpn-plugin.h.in +++ b/include/openvpn-plugin.h.in 
@@ -557,12 +557,21 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure * * In addition, OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by - * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY. This enables asynchronous - * authentication where the plugin (or one of its agents) may indicate - * authentication success/failure some number of seconds after the return - * of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler by writing a single - * char to the file named by auth_control_file in the environmental variable - * list (envp). + * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_CLIENT_CONNECT and + * OPENVPN_PLUGIN_CLIENT_CONNECT_V2. This enables asynchronous + * authentication or client connect where the plugin (or one of its agents) + * may indicate authentication success/failure or client configuration some + * number of seconds after the return of the function handler. + * For OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY and OPENVPN_PLUGIN_CLIENT_CONNECT + * this done by writing a single char to the file named by + * auth_control_file/client_connect_deferred_file + * in the environmental variable list (envp). + * + * In Addition the OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER and + * OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 are called when OpenVPN tries to + * get the deferred result. For V2 call implementing this function is + * required as information is not passed by files. For the normal version + * the call is optional. * * first char of auth_control_file: * '0' -- indicates auth failure
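Review bot: in the environment-variables hunk of doc/openvpn.8 (@@ -6431), the tag of the second entry is spelled `client_connect_defferred_file`, while every other place in this series (the --client-connect paragraph, the directory bullets and the openvpn-plugin.h.in comment) uses `client_connect_deferred_file`; a script author following the man page would look up a variable that is never set, so fix the spelling. The `.TP` inserted between "code of the" and ".B \-\-client\-connect" inside that entry opens a new tagged paragraph mid-sentence and will render the rest of the description as a separate "--client-connect" entry; drop it. The client_connect_config_file entry ends its first sentence at ".B \-\-client\-connect" with the noun missing ("script"), and the line "The path to the configuration file that should be written by the" needs that word to parse. Remaining typos: "enviroment", "a argument", "0 indicated and error" (should be "0 indicates an error"), "must then take of writing" ("take care of"), "write the a 1". The sequence would also be clearer as explicit steps: write '2' before the script exits; the background process writes the complete client_connect_config_file; only then write '1' (or '0' on failure), since the '1' is what tells OpenVPN the configuration file is complete.

Review bot: in the include/openvpn-plugin.h.in hunk (@@ -557), the comment now says OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by OPENVPN_PLUGIN_CLIENT_CONNECT and OPENVPN_PLUGIN_CLIENT_CONNECT_V2 and that the _DEFER / _DEFER_V2 hooks "are called when OpenVPN tries to get the deferred result", but it never states the return contract for those calls: what the DEFER_V2 handler returns when the configuration is ready, what it returns on failure, and whether it may return OPENVPN_PLUGIN_FUNC_DEFERRED again because the result is still pending. For V2 the configuration is passed back through the call rather than a file, so this header is the only place a plugin author can learn that; please spell it out. The list that follows ("first char of auth_control_file: '0' -- indicates auth failure ...") should get a parallel list for client_connect_deferred_file including the '2' (deferred) value that the man page hunk in this same patch documents but the header does not. Wording: "this done by writing" -> "this is done by writing"; "In Addition the ... are called" -> "In addition, ..."; "For V2 call implementing this function is required as information is not passed by files. For the normal version the call is optional." -> "For the V2 hook, implementing this function is required because the configuration is not passed back via files; for the non-V2 hook it is optional."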