From patchwork Fri Jul 10 23:36:42 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1236
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:42 +0200
Message-Id: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 01/14] Allow changing fallback cipher from ccd files/client-connect

This allows controlling the fallback cipher that is used when the client/server do have any common cipher on a per-client basis.

The patch is similar to Steffan's [PATCH v4] Allow changing cipher from a ccd file. Steffan's old patch also moves the cipher negotiation to multi_established_connection() which I independently discovered and implemented in Extract process_incoming_push_reply from process_incoming_push_msg (#FIXME add commitsh when committed to master)

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/options.c | 2 +-
 src/openvpn/options.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index b93fd4fe..bf2760e1 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -7892,7 +7892,7 @@ add_option(struct options *options, } else if (streq(p[0], "cipher") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_NCP); + VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE); options->ciphername = p[1]; } else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2]) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index c83a46aa..c37006d3 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
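Review bot: the commit message still carries the placeholder "(#FIXME add commitsh when commited to master)"; fill in the commit reference before this is merged. On the hunk itself, widening the check to `VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE)` makes `cipher` settable from a ccd file or a client-connect script/plugin for the first time; the --cipher manpage entry should say so, since an operator auditing which sources can influence data-channel crypto would otherwise not expect a client-connect script to be one of them.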
@@ -677,7 +677,7 @@ struct options #define OPT_P_MTU (1<<14) /* TODO */ #define OPT_P_NICE (1<<15) #define OPT_P_PUSH (1<<16) -#define OPT_P_INSTANCE (1<<17) +#define OPT_P_INSTANCE (1<<17) /**< allowed in ccd, client-connect etc*/ #define OPT_P_CONFIG (1<<18) #define OPT_P_EXPLICIT_NOTIFY (1<<19) #define OPT_P_ECHO (1<<20)

From patchwork Fri Jul 10 23:36:43 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1237
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:43 +0200
Message-Id: <20200711093655.23686-2-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
References: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 02/14] client-connect: Split multi_connection_established into separate functions

From: Fabian Knittel

This patch splits up the multi_connection_established() function. Each new helper function does a specific job. Functions that do a similar job receive a similar calling interface.

The patch tries not to reindent code, so that the real changes are as clearly visible as possible. (A follow-up patch will only do indentation changes.)
Signed-off-by: Fabian Knittel

PATCH v3: Since the code has changed enough from the time the original patch to the current master, the splitting has been redone from the current code. Also some style and minor code changes have been added doing this patch. This eliminates and the big reformatting done before eliminates the follow-up patch with indentation changes.

The original patch already replaces some instances of option_permission_mask with CLIENT_CONNECT_OPT_MASK. The V3 version does this more consistently.

Patch v4: Move config -> mi->cc_config into its own commit

Patch v5: Clean up some minor issues, add one missing check on temporary file deletion, rebase on latest master.

Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/multi.c | 588 ++++++++++++++++++++++++++------------------
 src/openvpn/multi.h |   4 +-
 2 files changed, 350 insertions(+), 242 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index a2af071a..3c4ceeb5 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1638,7 +1638,6 @@ static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, - unsigned int option_permissions_mask, unsigned int *option_types_found) { /* Did script generate a dynamic config file? */ @@ -1647,7 +1646,7 @@ multi_client_connect_post(struct multi_context *m, options_server_import(&mi->context.options, dc_file, D_IMPORT_ERRORS|M_OPTERR, - option_permissions_mask, + CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es); @@ -1671,7 +1670,6 @@ static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, - unsigned int option_permissions_mask, unsigned int *option_types_found) { struct plugin_return config;
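Review bot: dropping the option_permissions_mask parameter hardwires every import in multi_client_connect_post() and multi_client_connect_post_plugin() to CLIENT_CONNECT_OPT_MASK; a one-line doc comment on both functions naming that mask would help, because the mask is the only thing that keeps a script- or plugin-generated config from importing directives outside the permitted set. The macro itself (added to multi.h in this same patch) could carry the same comment, and its `|OPT_P_PUSH` / `|OPT_P_ECHO` spacing is inconsistent with the `OPT_P_INSTANCE | OPT_P_INHERIT` on its first line.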
@@ -1689,7 +1687,7 @@ multi_client_connect_post_plugin(struct multi_context *m, options_string_import(&mi->context.options, config.list[i]->value, D_IMPORT_ERRORS|M_OPTERR, - option_permissions_mask, + CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es); } @@ -1716,7 +1714,6 @@ multi_client_connect_post_plugin(struct multi_context *m, static void multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, - unsigned int option_permissions_mask, unsigned int *option_types_found) { if (mi->cc_config) @@ -1729,7 +1726,7 @@ multi_client_connect_mda(struct multi_context *m, options_string_import(&mi->context.options, opt, D_IMPORT_ERRORS|M_OPTERR, - option_permissions_mask, + CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es); } 
@@ -1843,160 +1840,46 @@ multi_client_set_protocol_options(struct context *c) } } -/** - * Generates the data channel keys - */ -static bool -multi_client_generate_tls_keys(struct context *c) -{ - struct frame *frame_fragment = NULL; -#ifdef ENABLE_FRAGMENT - if (c->options.ce.fragment) - { - frame_fragment = &c->c2.frame_fragment; - } -#endif - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(session, &c->options, - &c->c2.frame, frame_fragment)) - { - msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); - register_signal(c, SIGUSR1, "process-push-msg-failed"); - return false; - } - - return true; -} - -/* - * Called as soon as the SSL/TLS connection authenticates. - * - * Instance-specific directives to be processed: - * - * iroute start-ip end-ip - * ifconfig-push local remote-netmask - * push - */ static void -multi_connection_established(struct multi_context *m, struct multi_instance *mi) +multi_client_connect_call_plugin_v1(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found, + int *cc_succeeded, + int *cc_succeeded_count) { - if (tls_authentication_status(mi->context.c2.tls_multi, 0) != TLS_AUTHENTICATION_SUCCEEDED) - { - return; - } - - struct gc_arena gc = gc_new(); - unsigned int option_types_found = 0; - - const unsigned int option_permissions_mask = - OPT_P_INSTANCE - | OPT_P_INHERIT - | OPT_P_PUSH - | OPT_P_TIMER - | OPT_P_CONFIG - | OPT_P_ECHO - | OPT_P_COMP - | OPT_P_SOCKFLAGS; - - int cc_succeeded = true; /* client connect script status */ - int cc_succeeded_count = 0; - - ASSERT(mi->context.c1.tuntap); - - /* lock down the common name and cert hashes so they can't change during future TLS renegotiations */ - tls_lock_common_name(mi->context.c2.tls_multi); - tls_lock_cert_hash_set(mi->context.c2.tls_multi); - - /* generate a msg() prefix for this client instance */ - generate_prefix(mi); - - /* delete instances of previous clients with same 
common-name */ - if (!mi->context.options.duplicate_cn) - { - multi_delete_dup(m, mi); - } - - /* reset pool handle to null */ - mi->vaddr_handle = -1; - - /* - * Try to source a dynamic config file from the - * --client-config-dir directory. - */ - if (mi->context.options.client_config_dir) - { - const char *ccd_file; - - ccd_file = platform_gen_path(mi->context.options.client_config_dir, - tls_common_name(mi->context.c2.tls_multi, - false), - &gc); - - /* try common-name file */ - if (platform_test_file(ccd_file)) - { - options_server_import(&mi->context.options, - ccd_file, - D_IMPORT_ERRORS|M_OPTERR, - option_permissions_mask, - &option_types_found, - mi->context.c2.es); - } - else /* try default file */ - { - ccd_file = platform_gen_path(mi->context.options.client_config_dir, - CCD_DEFAULT, - &gc); - - if (platform_test_file(ccd_file)) - { - options_server_import(&mi->context.options, - ccd_file, - D_IMPORT_ERRORS|M_OPTERR, - option_permissions_mask, - &option_types_found, - mi->context.c2.es); - } - } - } - - /* - * Select a virtual address from either --ifconfig-push in --client-config-dir file - * or --ifconfig-pool. - */ - multi_select_virtual_addr(m, mi); - - /* do --client-connect setenvs */ - multi_client_connect_setenv(m, mi); - #ifdef ENABLE_PLUGIN - /* - * Call client-connect plug-in. 
- */ + ASSERT(m); + ASSERT(mi); + ASSERT(option_types_found); + ASSERT(cc_succeeded); + ASSERT(cc_succeeded_count); /* deprecated callback, use a file for passing back return info */ if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT)) { struct argv argv = argv_new(); - const char *dc_file = platform_create_temp_file(mi->context.options.tmp_dir, - "cc", &gc); + struct gc_arena gc = gc_new(); + const char *dc_file = + platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc); if (!dc_file) { cc_succeeded = false; - goto script_depr_failed; + goto cleanup; } argv_printf(&argv, "%s", dc_file); - if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, &argv, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS) + if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, + &argv, NULL, mi->context.c2.es) + != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: client-connect plugin call failed"); - cc_succeeded = false; + *cc_succeeded = false; } else { - multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found); - ++cc_succeeded_count; + multi_client_connect_post(m, mi, dc_file, option_types_found); + (*cc_succeeded_count)++; } if (!platform_unlink(dc_file)) @@ -2005,9 +1888,26 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) dc_file); } -script_depr_failed: +cleanup: argv_free(&argv); + gc_free(&gc); } +#endif /* ifdef ENABLE_PLUGIN */ +} + +static void +multi_client_connect_call_plugin_v2(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found, + int *cc_succeeded, + int *cc_succeeded_count) +{ +#ifdef ENABLE_PLUGIN + ASSERT(m); + ASSERT(mi); + ASSERT(option_types_found); + ASSERT(cc_succeeded); + ASSERT(cc_succeeded_count); /* V2 callback, use a plugin_return struct for passing back return info */ if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2)) 
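Review bot: in multi_client_connect_call_plugin_v1() the `if (!dc_file)` branch still reads `cc_succeeded = false;` as unchanged context, but cc_succeeded is now the `int *cc_succeeded` parameter, so this assigns a null pointer to the local instead of clearing the caller's flag; the plugin-failure path just below was correctly changed to `*cc_succeeded = false;`, and this line needs the same fix. As written, a failure to create the temporary file leaves the caller's cc_succeeded at true although the client-connect plugin never ran, so the connection proceeds to late setup without the plugin's decision, which is a fail-open.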
@@ -2016,27 +1916,42 @@ script_depr_failed: plugin_return_init(&pr); - if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, NULL, &pr, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS) + if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, + NULL, &pr, mi->context.c2.es) + != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); - cc_succeeded = false; + *cc_succeeded = false; } else { - multi_client_connect_post_plugin(m, mi, &pr, option_permissions_mask, &option_types_found); - ++cc_succeeded_count; + multi_client_connect_post_plugin(m, mi, &pr, option_types_found); + (*cc_succeeded_count)++; } plugin_return_free(&pr); } #endif /* ifdef ENABLE_PLUGIN */ +} - /* - * Run --client-connect script. - */ - if (mi->context.options.client_connect_script && cc_succeeded) + + +/** + * Runs the --client-connect script if one is defined. + */ +static void +multi_client_connect_call_script(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found, + int *cc_succeeded, + int *cc_succeeded_count) +{ + ASSERT(m); + ASSERT(mi); + if (mi->context.options.client_connect_script) { struct argv argv = argv_new(); + struct gc_arena gc = gc_new(); const char *dc_file = NULL; setenv_str(mi->context.c2.es, "script_type", "client-connect"); @@ -2045,8 +1960,8 @@ script_depr_failed: "cc", &gc); if (!dc_file) { - cc_succeeded = false; - goto script_failed; + *cc_succeeded = false; + goto cleanup; } argv_parse_cmd(&argv, mi->context.options.client_connect_script); @@ -2054,12 +1969,12 @@ script_depr_failed: if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect")) { - multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found); - ++cc_succeeded_count; + multi_client_connect_post(m, mi, dc_file, option_types_found); + (*cc_succeeded_count)++; } else { - cc_succeeded = false; + *cc_succeeded = false; } if (!platform_unlink(dc_file)) 
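Review bot: multi_client_connect_call_script() only asserts m and mi, while the two plugin helpers with the identical signature also assert option_types_found, cc_succeeded and cc_succeeded_count; make the three consistent (either all or none), and drop the two extra blank lines added before the "Runs the --client-connect script" doc comment.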
@@ -2067,130 +1982,322 @@ script_depr_failed: msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", dc_file); } - -script_failed: +cleanup: argv_free(&argv); + gc_free(&gc); } +} - /* - * Check for client-connect script left by management interface client - */ -#ifdef MANAGEMENT_DEF_AUTH - if (cc_succeeded && mi->cc_config) +/** + * Generates the data channel keys + */ +static bool +multi_client_generate_tls_keys(struct context *c) +{ + struct frame *frame_fragment = NULL; +#ifdef ENABLE_FRAGMENT + if (c->options.ce.fragment) { - multi_client_connect_mda(m, mi, option_permissions_mask, &option_types_found); - ++cc_succeeded_count; + frame_fragment = &c->c2.frame_fragment; } #endif + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + if (!tls_session_update_crypto_params(session, &c->options, + &c->c2.frame, frame_fragment)) + { + msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); + register_signal(c, SIGUSR1, "process-push-msg-failed"); + return false; + } + return true; +} + +static void +multi_client_connect_late_setup(struct multi_context *m, + struct multi_instance *mi, + const unsigned int option_types_found) +{ + ASSERT(m); + ASSERT(mi); + + struct gc_arena gc = gc_new(); /* - * Check for "disable" directive in client-config-dir file - * or config file generated by --client-connect script. + * Process sourced options. 
*/ - if (mi->context.options.disable) + do_deferred_options(&mi->context, option_types_found); + + /* + * make sure we got ifconfig settings from somewhere + */ + if (!mi->context.c2.push_ifconfig_defined) { - msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to 'disable' directive"); - cc_succeeded = false; - cc_succeeded_count = 0; + msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote" + "--ifconfig address is available for %s", + multi_instance_string(mi, false, &gc)); } - if (cc_succeeded) + /* + * make sure that ifconfig settings comply with constraints + */ + if (!ifconfig_push_constraint_satisfied(&mi->context)) { - /* - * Process sourced options. - */ - do_deferred_options(&mi->context, option_types_found); + const char *ifconfig_constraint_network = + print_in_addr_t(mi->context.options.push_ifconfig_constraint_network, 0, &gc); + const char *ifconfig_constraint_netmask = + print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc); - /* - * make sure we got ifconfig settings from somewhere - */ - if (!mi->context.c2.push_ifconfig_defined) + /* JYFIXME -- this should cause the connection to fail */ + msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s)" + "violates tunnel network/netmask constraint (%s/%s)", + multi_instance_string(mi, false, &gc), + print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc), + ifconfig_constraint_network, ifconfig_constraint_netmask); + } + + /* + * For routed tunnels, set up internal route to endpoint + * plus add all iroute routes. 
+ */ + if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN) + { + if (mi->context.c2.push_ifconfig_defined) { - msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote --ifconfig address is available for %s", - multi_instance_string(mi, false, &gc)); + multi_learn_in_addr_t(m, mi, + mi->context.c2.push_ifconfig_local, + -1, true); + msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s", + multi_instance_string(mi, false, &gc), + print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc)); } - /* - * make sure that ifconfig settings comply with constraints - */ - if (!ifconfig_push_constraint_satisfied(&mi->context)) + if (mi->context.c2.push_ifconfig_ipv6_defined) { - /* JYFIXME -- this should cause the connection to fail */ - msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s)", + multi_learn_in6_addr(m, mi, + mi->context.c2.push_ifconfig_ipv6_local, + -1, true); + /* TODO: find out where addresses are "unlearned"!! */ + const char *ifconfig_local_ipv6 = + print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc); + msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s", multi_instance_string(mi, false, &gc), - print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc), - print_in_addr_t(mi->context.options.push_ifconfig_constraint_network, 0, &gc), - print_in_addr_t(mi->context.options.push_ifconfig_constraint_netmask, 0, &gc)); + ifconfig_local_ipv6); } + /* add routes locally, pointing to new client, if + * --iroute options have been specified */ + multi_add_iroutes(m, mi); + /* - * For routed tunnels, set up internal route to endpoint - * plus add all iroute routes. + * iroutes represent subnets which are "owned" by a particular + * client. Therefore, do not actually push a route to a client + * if it matches one of the client's iroutes. 
*/ - if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN) - { - if (mi->context.c2.push_ifconfig_defined) - { - multi_learn_in_addr_t(m, mi, mi->context.c2.push_ifconfig_local, -1, true); - msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s", - multi_instance_string(mi, false, &gc), - print_in_addr_t(mi->context.c2.push_ifconfig_local, 0, &gc)); - } + remove_iroutes_from_push_route_list(&mi->context.options); + } + else if (mi->context.options.iroutes) + { + msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute" + "only works with tun-style tunnels", + multi_instance_string(mi, false, &gc)); + } - if (mi->context.c2.push_ifconfig_ipv6_defined) - { - multi_learn_in6_addr(m, mi, mi->context.c2.push_ifconfig_ipv6_local, -1, true); - /* TODO: find out where addresses are "unlearned"!! */ - msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s", - multi_instance_string(mi, false, &gc), - print_in6_addr(mi->context.c2.push_ifconfig_ipv6_local, 0, &gc)); - } + /* set our client's VPN endpoint for status reporting purposes */ + mi->reporting_addr = mi->context.c2.push_ifconfig_local; + mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local; - /* add routes locally, pointing to new client, if - * --iroute options have been specified */ - multi_add_iroutes(m, mi); + /* set context-level authentication flag */ + mi->context.c2.context_auth = CAS_SUCCEEDED; - /* - * iroutes represent subnets which are "owned" by a particular - * client. Therefore, do not actually push a route to a client - * if it matches one of the client's iroutes. 
- */ - remove_iroutes_from_push_route_list(&mi->context.options); - } - else if (mi->context.options.iroutes) - { - msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels", - multi_instance_string(mi, false, &gc)); - } + /* authentication complete, calculate dynamic client specific options */ + multi_client_set_protocol_options(&mi->context); + + /* Generate data channel keys */ + if (!multi_client_generate_tls_keys(&mi->context)) + { + mi->context.c2.context_auth = CAS_FAILED; + } - /* set our client's VPN endpoint for status reporting purposes */ - mi->reporting_addr = mi->context.c2.push_ifconfig_local; - mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local; + /* send push reply if ready */ + if (mi->context.c2.push_request_received) + { + process_incoming_push_request(&mi->context); + } - /* set context-level authentication flag */ - mi->context.c2.context_auth = CAS_SUCCEEDED; + gc_free(&gc); +} + +static void +multi_client_connect_early_setup(struct multi_context *m, + struct multi_instance *mi) +{ + ASSERT(mi->context.c1.tuntap); + /* + * lock down the common name and cert hashes so they can't change + * during future TLS renegotiations + */ + tls_lock_common_name(mi->context.c2.tls_multi); + tls_lock_cert_hash_set(mi->context.c2.tls_multi); + + /* generate a msg() prefix for this client instance */ + generate_prefix(mi); + + /* delete instances of previous clients with same common-name */ + if (!mi->context.options.duplicate_cn) + { + multi_delete_dup(m, mi); + } + + /* reset pool handle to null */ + mi->vaddr_handle = -1; +} + +/** + * Try to source a dynamic config file from the + * --client-config-dir directory. 
+ */ +static void +multi_client_connect_source_ccd(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found) +{ + if (mi->context.options.client_config_dir) + { + struct gc_arena gc = gc_new(); + const char *ccd_file; - /* authentication complete, calculate dynamic client specific options */ - multi_client_set_protocol_options(&mi->context); + ccd_file = platform_gen_path(mi->context.options.client_config_dir, + tls_common_name(mi->context.c2.tls_multi, + false), + &gc); - /* Generate data channel keys */ - if (!multi_client_generate_tls_keys(&mi->context)) + /* try common-name file */ + if (platform_test_file(ccd_file)) { - mi->context.c2.context_auth = CAS_FAILED; + options_server_import(&mi->context.options, + ccd_file, + D_IMPORT_ERRORS|M_OPTERR, + CLIENT_CONNECT_OPT_MASK, + option_types_found, + mi->context.c2.es); } - - /* send push reply if ready */ - if (mi->context.c2.push_request_received) + else /* try default file */ { - process_incoming_push_request(&mi->context); + ccd_file = platform_gen_path(mi->context.options.client_config_dir, + CCD_DEFAULT, + &gc); + + if (platform_test_file(ccd_file)) + { + options_server_import(&mi->context.options, + ccd_file, + D_IMPORT_ERRORS|M_OPTERR, + CLIENT_CONNECT_OPT_MASK, + option_types_found, + mi->context.c2.es); + } } + gc_free(&gc); + } +} + +/* + * Called as soon as the SSL/TLS connection is authenticated. + * + * Will collect the client specific configuration from the different + * sources like ccd files, connect plugins and management interface. + * + * This method starts with cas_context CAS_PENDING and will move the + * state machine to either CAS_SUCCEEDED on success or + * CAS_FAILED/CAS_PARTIAL on failure. 
+ * + * Instance-specific directives to be processed (CLIENT_CONNECT_OPT_MASK) + * include: + * + * iroute start-ip end-ip + * ifconfig-push local remote-netmask + * push + * + * + */ +static void +multi_connection_established(struct multi_context *m, struct multi_instance *mi) +{ + if (tls_authentication_status(mi->context.c2.tls_multi, 0) + != TLS_AUTHENTICATION_SUCCEEDED) + { + return; + } + unsigned int option_types_found = 0; + + int cc_succeeded = true; /* client connect script status */ + int cc_succeeded_count = 0; + + multi_client_connect_early_setup(m, mi); + + multi_client_connect_source_ccd(m, mi, &option_types_found); + + /* + * Select a virtual address from either --ifconfig-push in + * --client-config-dir file or --ifconfig-pool. + */ + multi_select_virtual_addr(m, mi); + + /* do --client-connect setenvs */ + multi_client_connect_setenv(m, mi); + + multi_client_connect_call_plugin_v1(m, mi, &option_types_found, + &cc_succeeded, + &cc_succeeded_count); + + multi_client_connect_call_plugin_v2(m, mi, &option_types_found, + &cc_succeeded, + &cc_succeeded_count); + + /* + * Check for client-connect script left by management interface client + */ + if (cc_succeeded) + { + multi_client_connect_call_script(m, mi, &option_types_found, + &cc_succeeded, + &cc_succeeded_count); + } + +#ifdef MANAGEMENT_DEF_AUTH + if (cc_succeeded && mi->cc_config) + { + multi_client_connect_mda(m, mi, &option_types_found); + ++cc_succeeded_count; + } +#endif + + /* + * Check for "disable" directive in client-config-dir file + * or config file generated by --client-connect script. + */ + if (mi->context.options.disable) + { + msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to " + " 'disable' directive"); + cc_succeeded = false; + cc_succeeded_count = 0; + } + + + + if (cc_succeeded) + { + multi_client_connect_late_setup(m, mi, option_types_found); } else { /* set context-level authentication flag */ - mi->context.c2.context_auth = cc_succeeded_count ? 
CAS_PARTIAL : CAS_FAILED; + mi->context.c2.context_auth = + cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED; } + /* increment number of current authenticated clients */ ++m->n_clients; update_mstat_n_clients(m->n_clients); @@ -2199,11 +2306,10 @@ script_failed: #ifdef MANAGEMENT_DEF_AUTH if (management) { - management_connection_established(management, &mi->context.c2.mda_context, mi->context.c2.es); + management_connection_established(management, + &mi->context.c2.mda_context, mi->context.c2.es); } #endif - - gc_free(&gc); } #ifdef ENABLE_ASYNC_PUSH diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 8c9c4609..c51107f4 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
@@ -623,7 +623,9 @@ multi_process_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags return ret; } - +#define CLIENT_CONNECT_OPT_MASK (OPT_P_INSTANCE | OPT_P_INHERIT \ + |OPT_P_PUSH | OPT_P_TIMER | OPT_P_CONFIG \ + |OPT_P_ECHO | OPT_P_COMP | OPT_P_SOCKFLAGS) static inline bool multi_process_outgoing_link_dowork(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags)
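Review bot: the multi_connection_established() hunk removes the multi_client_set_protocol_options() call, the multi_client_generate_tls_keys() failure path that set context_auth = CAS_FAILED, and the push_request_received / process_incoming_push_request() block, and nothing in the hunk re-adds them; confirm all three now live in multi_client_connect_early_setup() / multi_client_connect_late_setup(), because silently losing the CAS_FAILED on key-generation failure would admit a client that has no data-channel keys. Smaller points in the same hunk: the msg() string "MULTI: client has been rejected due to " " 'disable' directive" concatenates to a double space (patch 05/14 of this series corrects it; better to get it right here), and `int cc_succeeded = true;` wants to be a bool.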
From patchwork Fri Jul 10 23:36:44 2020 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1233
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:44 +0200
Message-Id: <20200711093655.23686-3-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
References: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 03/14] client-connect: Refactor multi_client_connect_source_ccd
From: Fabian Knittel Refactor multi_client_connect_source_ccd(), so that options_server_import() (or the success path in general) is only entered in one place within the function. Signed-off-by: Fabian Knittel Patch V5: Simplify the logic even further to make it easier to understand.
Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- src/openvpn/multi.c | 43 +++++++++++++++++++++---------------------- 1 file changed, 21 insertions(+), 22 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 3c4ceeb5..35e0bd10 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2164,15 +2164,30 @@ multi_client_connect_source_ccd(struct multi_context *m, if (mi->context.options.client_config_dir) { struct gc_arena gc = gc_new(); - const char *ccd_file; + const char *ccd_file = NULL; + + const char *ccd_client = platform_gen_path(mi->context.options.client_config_dir, + tls_common_name(mi->context.c2.tls_multi, + false), + &gc); + + const char *ccd_default = platform_gen_path(mi->context.options.client_config_dir, + CCD_DEFAULT, + &gc); - ccd_file = platform_gen_path(mi->context.options.client_config_dir, - tls_common_name(mi->context.c2.tls_multi, - false), - &gc); /* try common-name file */ - if (platform_test_file(ccd_file)) + if (platform_test_file(ccd_client)) + { + ccd_file = ccd_client; + } + /* try default file */ + else if (platform_test_file(ccd_default)) + { + ccd_file = ccd_default; + } + + if (ccd_file) { options_server_import(&mi->context.options, ccd_file, 
@@ -2181,22 +2196,6 @@ multi_client_connect_source_ccd(struct multi_context *m, option_types_found, mi->context.c2.es); } - else /* try default file */ - { - ccd_file = platform_gen_path(mi->context.options.client_config_dir, - CCD_DEFAULT, - &gc); - - if (platform_test_file(ccd_file)) - { - options_server_import(&mi->context.options, - ccd_file, - D_IMPORT_ERRORS|M_OPTERR, - CLIENT_CONNECT_OPT_MASK, - option_types_found, - mi->context.c2.es); - } - } gc_free(&gc); } }
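Review bot: in the first multi_client_connect_source_ccd() hunk, ccd_client is a filesystem path built from the peer certificate's common name via tls_common_name(), and it is handed straight to platform_test_file() and options_server_import(); nothing in the hunk shows where path separators or ".." in that name are neutralised, so the review should confirm platform_gen_path() does that (or that the common name is already sanitised at verification time) before the single-import restructuring is relied on. Minor: both candidate paths are now generated up front, so platform_gen_path() runs for CCD_DEFAULT even when the per-client file wins; harmless on a gc arena, but the previous lazy form avoided the extra work.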
From patchwork Fri Jul 10 23:36:45 2020 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1225
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:45 +0200
Message-Id: <20200711093655.23686-4-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
References: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 04/14] client-connect: Move multi_client_connect_setenv into early_setup
From: Fabian Knittel This patch moves multi_client_connect_setenv into multi_client_connect_early_setup and makes sure that every client-connect handling function updates the virtual address selection. Background: This unifies how the client-connect handling functions work.
Signed-off-by: Fabian Knittel Signed-off-by: Arne Schwabe Patch V5: Rebase on master Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/multi.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 35e0bd10..539ebfc0 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2150,6 +2150,12 @@ multi_client_connect_early_setup(struct multi_context *m, /* reset pool handle to null */ mi->vaddr_handle = -1; + + /* do --client-connect setenvs */ + multi_select_virtual_addr(m, mi); + + multi_client_connect_setenv(m, mi); + } /** @@ -2195,6 +2201,13 @@ multi_client_connect_source_ccd(struct multi_context *m, CLIENT_CONNECT_OPT_MASK, option_types_found, mi->context.c2.es); + /* + * Select a virtual address from either --ifconfig-push in + * --client-config-dir file or --ifconfig-pool. + */ + multi_select_virtual_addr(m, mi); + + multi_client_connect_setenv(m, mi); } gc_free(&gc); } 
@@ -2236,15 +2249,6 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) multi_client_connect_source_ccd(m, mi, &option_types_found); - /* - * Select a virtual address from either --ifconfig-push in - * --client-config-dir file or --ifconfig-pool. - */ - multi_select_virtual_addr(m, mi); - - /* do --client-connect setenvs */ - multi_client_connect_setenv(m, mi); - multi_client_connect_call_plugin_v1(m, mi, &option_types_found, &cc_succeeded, &cc_succeeded_count);
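Review bot: in the multi_client_connect_early_setup() hunk the comment "/* do --client-connect setenvs */" now sits above multi_select_virtual_addr() instead of the multi_client_connect_setenv() call it describes; move it down, and drop the stray blank line added before the closing brace. Behaviourally, multi_select_virtual_addr() now runs twice on the ccd path (once right after mi->vaddr_handle is reset to -1 in early_setup, again after options_server_import() in the source_ccd hunk); confirm that a pool address taken by the first call is released or reused, not leaked, when an --ifconfig-push from the ccd file overrides it on the second call.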
From patchwork Fri Jul 10 23:36:46 2020 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1227
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:46 +0200
Message-Id: <20200711093655.23686-5-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
References: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 05/14] client-connect: Refactor to use return values instead of modifying a passed-in flag
From: Fabian Knittel This patch changes the way the client-connect helper functions communicate with the main function. Instead of updating cc_succeeded and cc_succeeded_count, they now return either CC_RET_SUCCEEDED, CC_RET_FAILED or CC_RET_SKIPPED. In addition, the client-connect helpers are now called in completely identical ways. This is in preparation of handling the helpers as simple call-backs. Signed-off-by: Fabian Knittel Patch V5: Minor style fixes Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- src/openvpn/multi.c | 135 ++++++++++++++++++++++++++------------------ src/openvpn/multi.h | 10 ++++ 2 files changed, 91 insertions(+), 54 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 539ebfc0..9bb52ef7 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1706,20 +1706,21 @@ multi_client_connect_post_plugin(struct multi_context *m, #endif /* ifdef ENABLE_PLUGIN */ -#ifdef MANAGEMENT_DEF_AUTH + /* * Called to load management-derived client-connect config */ -static void +enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found) { + enum client_connect_return ret = CC_RET_SKIPPED; +#ifdef MANAGEMENT_DEF_AUTH if (mi->cc_config) { struct buffer_entry *be; - for (be = mi->cc_config->head; be != NULL; be = be->next) { const char *opt = BSTR(&be->buf); @@ -1739,10 +1740,12 @@ multi_client_connect_mda(struct multi_context *m, */ multi_select_virtual_addr(m, mi); multi_set_virtual_addr_env(mi); - } -} + ret = CC_RET_SUCCEEDED; + } #endif /* ifdef MANAGEMENT_DEF_AUTH */ + return ret; +} static void multi_client_connect_setenv(struct multi_context *m, 
@@ -1840,19 +1843,16 @@ multi_client_set_protocol_options(struct context *c) } } -static void +static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found, - int *cc_succeeded, - int *cc_succeeded_count) + unsigned int *option_types_found) { + enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN ASSERT(m); ASSERT(mi); ASSERT(option_types_found); - ASSERT(cc_succeeded); - ASSERT(cc_succeeded_count); /* deprecated callback, use a file for passing back return info */ if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT)) @@ -1864,7 +1864,7 @@ multi_client_connect_call_plugin_v1(struct multi_context *m, if (!dc_file) { - cc_succeeded = false; + ret = CC_RET_FAILED; goto cleanup; } @@ -1874,12 +1874,12 @@ multi_client_connect_call_plugin_v1(struct multi_context *m, != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: client-connect plugin call failed"); - *cc_succeeded = false; + ret = CC_RET_FAILED; } else { multi_client_connect_post(m, mi, dc_file, option_types_found); - (*cc_succeeded_count)++; + ret = CC_RET_SUCCEEDED; } if (!platform_unlink(dc_file)) @@ -1893,21 +1893,19 @@ cleanup: gc_free(&gc); } #endif /* ifdef ENABLE_PLUGIN */ + return ret; } -static void +static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found, - int *cc_succeeded, - int *cc_succeeded_count) + unsigned int *option_types_found) { + enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN ASSERT(m); ASSERT(mi); ASSERT(option_types_found); - ASSERT(cc_succeeded); - ASSERT(cc_succeeded_count); /* V2 callback, use a plugin_return struct for passing back return info */ if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2)) 
@@ -1921,17 +1919,18 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, != OPENVPN_PLUGIN_FUNC_SUCCESS) { msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); - *cc_succeeded = false; + ret = CC_RET_FAILED; } else { multi_client_connect_post_plugin(m, mi, &pr, option_types_found); - (*cc_succeeded_count)++; + ret = CC_RET_SUCCEEDED; } plugin_return_free(&pr); } #endif /* ifdef ENABLE_PLUGIN */ + return ret; } @@ -1939,15 +1938,17 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, /** * Runs the --client-connect script if one is defined. */ -static void +static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found, - int *cc_succeeded, - int *cc_succeeded_count) + unsigned int *option_types_found) { + ASSERT(m); ASSERT(mi); + + enum client_connect_return ret = CC_RET_SKIPPED; + if (mi->context.options.client_connect_script) { struct argv argv = argv_new(); @@ -1960,7 +1961,7 @@ multi_client_connect_call_script(struct multi_context *m, "cc", &gc); if (!dc_file) { - *cc_succeeded = false; + ret = CC_RET_FAILED; goto cleanup; } @@ -1970,11 +1971,11 @@ multi_client_connect_call_script(struct multi_context *m, if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect")) { multi_client_connect_post(m, mi, dc_file, option_types_found); - (*cc_succeeded_count)++; + ret = CC_RET_SUCCEEDED; } else { - *cc_succeeded = false; + ret = CC_RET_FAILED; } if (!platform_unlink(dc_file)) @@ -1986,6 +1987,7 @@ cleanup: argv_free(&argv); gc_free(&gc); } + return ret; } /** 
@@ -2155,18 +2157,18 @@ multi_client_connect_early_setup(struct multi_context *m, multi_select_virtual_addr(m, mi); multi_client_connect_setenv(m, mi); - } /** * Try to source a dynamic config file from the * --client-config-dir directory. */ -static void +enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found) { + enum client_connect_return ret = CC_RET_SKIPPED; if (mi->context.options.client_config_dir) { struct gc_arena gc = gc_new(); @@ -2208,9 +2210,35 @@ multi_client_connect_source_ccd(struct multi_context *m, multi_select_virtual_addr(m, mi); multi_client_connect_setenv(m, mi); + + ret = CC_RET_SUCCEEDED; } gc_free(&gc); } + return ret; +} + +static inline bool +cc_check_return(int *cc_succeeded_count, + enum client_connect_return ret) +{ + if (ret == CC_RET_SUCCEEDED) + { + (*cc_succeeded_count)++; + return true; + } + else if (ret == CC_RET_FAILED) + { + return false; + } + else if (ret == CC_RET_SKIPPED) + { + return true; + } + else + { + ASSERT(0); + } } /* 
@@ -2242,38 +2270,40 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) } unsigned int option_types_found = 0; - int cc_succeeded = true; /* client connect script status */ + int cc_succeeded = true; /* client connect script status */ int cc_succeeded_count = 0; + enum client_connect_return ret; multi_client_connect_early_setup(m, mi); - multi_client_connect_source_ccd(m, mi, &option_types_found); + ret = multi_client_connect_source_ccd(m, mi, &option_types_found); + cc_succeeded = cc_check_return(&cc_succeeded_count, ret); - multi_client_connect_call_plugin_v1(m, mi, &option_types_found, - &cc_succeeded, - &cc_succeeded_count); + if (cc_succeeded) + { + ret = multi_client_connect_call_plugin_v1(m, mi, &option_types_found); + cc_succeeded = cc_check_return(&cc_succeeded_count, ret); + } + + if (cc_succeeded) + { + ret = multi_client_connect_call_plugin_v2(m, mi, &option_types_found); + cc_succeeded = cc_check_return(&cc_succeeded_count, ret); + } - multi_client_connect_call_plugin_v2(m, mi, &option_types_found, - &cc_succeeded, - &cc_succeeded_count); - /* - * Check for client-connect script left by management interface client - */ if (cc_succeeded) { - multi_client_connect_call_script(m, mi, &option_types_found, - &cc_succeeded, - &cc_succeeded_count); + ret = multi_client_connect_call_script(m, mi, &option_types_found); + cc_succeeded = cc_check_return(&cc_succeeded_count, ret); } -#ifdef MANAGEMENT_DEF_AUTH - if (cc_succeeded && mi->cc_config) + if (cc_succeeded) { - multi_client_connect_mda(m, mi, &option_types_found); - ++cc_succeeded_count; + + ret = multi_client_connect_mda(m, mi, &option_types_found); + cc_succeeded = cc_check_return(&cc_succeeded_count, ret); } -#endif /* * Check for "disable" directive in client-config-dir file 
@@ -2282,13 +2312,11 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) if (mi->context.options.disable) { msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to " - " 'disable' directive"); + "'disable' directive"); cc_succeeded = false; cc_succeeded_count = 0; } - - if (cc_succeeded) { multi_client_connect_late_setup(m, mi, option_types_found); @@ -2300,7 +2328,6 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED; } - /* increment number of current authenticated clients */ ++m->n_clients; update_mstat_n_clients(m->n_clients); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index c51107f4..4fb4d0b6 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
@@ -187,6 +187,16 @@ struct multi_context { struct deferred_signal_schedule_entry deferred_shutdown_signal; }; +/** + * Return values used by the client connect call-back functions. + */ +enum client_connect_return +{ + CC_RET_FAILED, + CC_RET_SUCCEEDED, + CC_RET_SKIPPED +}; + /* * Host route */
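Review bot: in the cc_check_return() hunk the final else branch ends in ASSERT(0) with no return value, so any compiler that does not know ASSERT is noreturn will warn about control reaching the end of a non-void function; add a `return false;` after the ASSERT, or rewrite it as a switch on ret with a default case. In the same hunk multi_client_connect_source_ccd(), and earlier multi_client_connect_mda(), lose their `static` while plugin_v1/plugin_v2/script keep it, and no declaration is added to multi.h; that inconsistency invites -Wmissing-prototypes, so either restore `static` on both or export all five deliberately with prototypes in the header.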
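Review bot: the multi_connection_established() hunk changes behaviour beyond the refactor the commit message describes: before, multi_client_connect_call_plugin_v1() and _v2() were always called and only the script was gated on cc_succeeded, whereas now every helper is gated on the previous one succeeding, so a failing v1 plugin stops v2, the script and mda from running at all. That is a defensible fail-closed policy, but it should be stated in the message and the manual rather than arrive silently. Also, `int cc_succeeded = true;` is only re-indented here; since it is now assigned from cc_check_return(), make it a bool.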
-0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1juBwV-0007rd-0G; Sat, 11 Jul 2020 09:37:11 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1juBwT-0007rM-Os for openvpn-devel@lists.sourceforge.net; Sat, 11 Jul 2020 09:37:09 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Z+uNHOLwhZhfuC4Ig5QT4FjjT3SZ+4B6PdgIQZdKp4M=; b=cwgouj7XYFc87NRtoc7/uZpHAX UwiacBTNuER/Z8L+LQ5+S0F/+J3CHDysf1xSHQ4Sh7Zkr2yNuJ1BilADwdnMBkRMrRqbbQW6NGYEh riFRZvGqx6H3jNP5RvdQf+myjAGcf1SoDQ2lT29SzE4THVajsYhLXWZ0qjCotR5HOQzk=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Z+uNHOLwhZhfuC4Ig5QT4FjjT3SZ+4B6PdgIQZdKp4M=; b=NkK8VgZ8hfdmdHIOISWN4C0G+Z Z11K9SZ8q4NDtdE5JMLqMfoXj3p81dG7oIRxuXCOiG1brZAZ4UJrVwu4h4L8yacM0gMubwj7iQTh4 tn3S8uqMQy3PMGSWz2n/Z2o/R/G8QyMwPPSy7tuxcr+H43E6Gv2QGw/KtUJf7QSZdBac=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1juBwS-00Dy2Y-7c for openvpn-devel@lists.sourceforge.net; Sat, 11 Jul 2020 09:37:09 +0000 Received: 
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:47 +0200
Message-Id: <20200711093655.23686-6-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 06/14] client-connect: Refactor client-connect handling to calling a bunch of hooks in a loop

From: Fabian Knittel

This patch changes the calling of the client-connect functions into an array of hooks and a block of code that calls them in a loop.

Signed-off-by: Fabian Knittel
Signed-off-by: Arne Schwabe

Patch V5: Rebase on master.

Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/multi.c | 43 +++++++++++++++++--------------------------
 1 file changed, 17 insertions(+), 26 deletions(-)
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 9bb52ef7..83848fdc 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2241,6 +2241,10 @@ cc_check_return(int *cc_succeeded_count, } } +typedef enum client_connect_return (*multi_client_connect_handler) + (struct multi_context *m, struct multi_instance *mi, + unsigned int *option_types_found); + /* * Called as soon as the SSL/TLS connection is authenticated. * @@ -2268,7 +2272,17 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) { return; } - unsigned int option_types_found = 0; + + multi_client_connect_handler handlers[] = { + multi_client_connect_source_ccd, + multi_client_connect_call_plugin_v1, + multi_client_connect_call_plugin_v2, + multi_client_connect_call_script, + multi_client_connect_mda, + NULL + }; + + unsigned int option_types_found = 0; int cc_succeeded = true; /* client connect script status */ int cc_succeeded_count = 0; 
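Review bot: the handlers[] table in multi_connection_established() is rebuilt on the stack for every authenticated client although each element is a compile-time constant function address; declaring it `static const multi_client_connect_handler handlers[] = { ... }` (or moving it to file scope right after the new typedef) removes the per-connection initialisation and makes it obvious that this table, not the individual call sites, is now the single place where the hook order is fixed.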
@@ -2276,32 +2290,9 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) multi_client_connect_early_setup(m, mi); - ret = multi_client_connect_source_ccd(m, mi, &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); - - if (cc_succeeded) - { - ret = multi_client_connect_call_plugin_v1(m, mi, &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); - } - - if (cc_succeeded) - { - ret = multi_client_connect_call_plugin_v2(m, mi, &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); - } - - - if (cc_succeeded) + for (int i = 0; cc_succeeded && handlers[i]; i++) { - ret = multi_client_connect_call_script(m, mi, &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); - } - - if (cc_succeeded) - { - - ret = multi_client_connect_mda(m, mi, &option_types_found); + ret = handlers[i](m, mi, &option_types_found); cc_succeeded = cc_check_return(&cc_succeeded_count, ret); } From patchwork Fri Jul 10 23:36:48 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1235 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 6Jq4LXqICV+eTAAAIUCqbw for ; Sat, 11 Jul 2020 05:38:02 -0400 Received: from proxy9.mail.ord1d.rsapps.net ([172.30.191.6]) by director8.mail.ord1d.rsapps.net with LMTP id iC+OLXqICV/4JgAAfY0hYg ; Sat, 11 Jul 2020 05:38:02 -0400 Received: from smtp30.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy9.mail.ord1d.rsapps.net with LMTP id 8IVhLXqICV/OUQAA7h+8OQ ; Sat, 11 Jul 2020 05:38:02 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] 
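Review bot: the new loop `for (int i = 0; cc_succeeded && handlers[i]; i++)` preserves the early-abort semantics of the removed if-chain (each hook ran only while the previous ones had not failed), but the precedence ccd, plugin v1, plugin v2, script, management is now encoded solely by array position; add a one-line comment on the table that the order is significant so a later edit cannot reorder it without noticing. The removed block also carried a stray double blank line before the `if (cc_succeeded)` for the script hook, which the loop body replaces cleanly.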
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:48 +0200
Message-Id: <20200711093655.23686-7-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 07/14] client-connect: Change cas_context from int to enum

This deviates from Fabian's original patch that relied on the now removed connection_established bool as pointer being NULL or non-NULL as implicit third state and making connection_established a substate of (cas_context == CAS_PENDING).

Signed-off-by: Arne Schwabe

Patch V5: extend cas_context with two new states instead of adding an extra mini state machine.

Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/multi.c   |  2 +-
 src/openvpn/multi.h   |  1 +
 src/openvpn/openvpn.h | 24 +++++++++++++++++-------
 3 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 83848fdc..f9b8af80 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2163,7 +2163,7 @@ multi_client_connect_early_setup(struct multi_context *m, * Try to source a dynamic config file from the * --client-config-dir directory. */ -enum client_connect_return +static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, unsigned int *option_types_found) diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 4fb4d0b6..1d30dcc6 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -62,6 +62,7 @@ struct deferred_signal_schedule_entry struct timeval wakeup; }; + /** * Server-mode state structure for one single VPN tunnel. * diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index a1308852..7c469b01 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -210,6 +210,21 @@ struct context_1 #endif }; + +/* client authentication state, CAS_SUCCEEDED must be 0 since + * non multi code path still checks this variable but does not initialise it + * so the code depends on zero initialisation */ +enum client_connect_status { + CAS_SUCCEEDED=0, + CAS_PENDING, + CAS_FAILED, + CAS_PARTIAL, /**< Variant of CAS_FAILED: at least one + * client-connect script/plugin succeeded + * while a later one in the chain failed + * (we still need cleanup compared to FAILED) + */ +}; + /** * Level 2 %context containing state that is reset on both \c SIGHUP and * \c SIGUSR1 restarts. 
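Review bot: the multi.h hunk at -62 adds nothing but a blank line in front of the `Server-mode state structure` doc comment; that is a whitespace-only change unrelated to the int-to-enum conversion and should be dropped from this patch. In the openvpn.h hunk, the comment on `enum client_connect_status` says CAS_SUCCEEDED must stay 0 because the non-multi code path reads `context_auth` without ever initialising it and therefore depends on zero initialisation; relying on that is fragile, so either initialise the field explicitly at its setup site or at least attach the constraint as a `/**< ... */` on the CAS_SUCCEEDED enumerator itself, where anyone adding or reordering values will see it.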
@@ -444,13 +459,8 @@ struct context_2 int push_ifconfig_ipv6_netbits; struct in6_addr push_ifconfig_ipv6_remote; - /* client authentication state, CAS_SUCCEEDED must be 0 */ -#define CAS_SUCCEEDED 0 -#define CAS_PENDING 1 -#define CAS_FAILED 2 -#define CAS_PARTIAL 3 /* at least one client-connect script/plugin - * succeeded while a later one in the chain failed */ - int context_auth; + + enum client_connect_status context_auth; struct event_timeout push_request_interval; int n_sent_push_requests; From patchwork Fri Jul 10 23:36:49 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1238 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id CGEkBH2ICV+eTAAAIUCqbw for ; Sat, 11 Jul 2020 05:38:05 -0400 Received: from proxy9.mail.ord1d.rsapps.net ([172.30.191.6]) by director11.mail.ord1d.rsapps.net with LMTP id uPIABH2ICV/GEgAAvGGmqA ; Sat, 11 Jul 2020 05:38:05 -0400 Received: from smtp19.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy9.mail.ord1d.rsapps.net with LMTP id 8Ir0A32ICV/SUQAA7h+8OQ ; Sat, 11 Jul 2020 05:38:05 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp19.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 37fb186e-c35a-11ea-a536-525400d67fa8-1-1 Received: from [216.105.38.7] 
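Review bot: the hunk at -444 removes the `#define CAS_*` block with its comment but keeps the existing blank line and adds a second one (the `+` empty line) ahead of `enum client_connect_status context_auth;`, leaving two consecutive blank lines in struct context_2; drop the added one. A short `/**< client authentication state, see enum client_connect_status */` on the field would restore the explanation that was removed here and now lives only in openvpn.h.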
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:49 +0200
Message-Id: <20200711093655.23686-8-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 08/14] client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect
From: Fabian Knittel

This patch moves the state that was previously tracked within the multi_connection_established() function into struct client_connect_state. The multi_connection_established() function can now be exited and re-entered as many times as necessary, without losing the client-connect handling state.

The patch also adds the new return value CC_RET_DEFERRED which indicates that the handler couldn't complete immediately, and needs to be called later. At that point multi_connection_established() will exit without indicating completion.

Each client-connect handler now has an (optional) additional call-back: the call-back for handling the deferred case. If the main call-back returns CC_RET_DEFERRED, the next call to the handler will be through the deferred call-back.

Signed-off-by: Fabian Knittel

Patch V3: Use a static struct in multi_instance instead of using malloc/free and use two states (deferred with and without result) instead of one to eliminate the counter that was only tested for > 0.

Patch V5: Use new states in context_auth instead of the extra state that the patch series previously used.

Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/multi.c   | 171 +++++++++++++++++++++++++++++++-----------
 src/openvpn/multi.h   |  15 +++-
 src/openvpn/openvpn.h |   9 +++
 3 files changed, 150 insertions(+), 45 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index f9b8af80..ce73f8a1 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2218,32 +2218,51 @@ multi_client_connect_source_ccd(struct multi_context *m, return ret; } -static inline bool -cc_check_return(int *cc_succeeded_count, - enum client_connect_return ret) +typedef enum client_connect_return (*multi_client_connect_handler) + (struct multi_context *m, struct multi_instance *mi, + unsigned int *option_types_found); + +struct client_connect_handlers +{ + multi_client_connect_handler main; + multi_client_connect_handler deferred; +}; + +static enum client_connect_return +multi_client_connect_fail(struct multi_context *m, struct multi_instance *mi, + unsigned int *option_types_found) { - if (ret == CC_RET_SUCCEEDED) + /* Called null call-back. This should never happen. */ + return CC_RET_FAILED; +} + +static const struct client_connect_handlers client_connect_handlers[] = { { - (*cc_succeeded_count)++; - return true; - } - else if (ret == CC_RET_FAILED) + .main = multi_client_connect_source_ccd, + .deferred = multi_client_connect_fail + }, { - return false; - } - else if (ret == CC_RET_SKIPPED) + .main = multi_client_connect_call_plugin_v1, + .deferred = multi_client_connect_fail + }, { - return true; - } - else + .main = multi_client_connect_call_plugin_v2, + .deferred = multi_client_connect_fail + }, + { + .main = multi_client_connect_call_script, + .deferred = multi_client_connect_fail + }, { - ASSERT(0); + .main = multi_client_connect_mda, + .deferred = multi_client_connect_fail + }, + { + .main = NULL, + .deferred = NULL + /* End of list sentinel. */ } -} - -typedef enum client_connect_return (*multi_client_connect_handler) - (struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found); +}; /* * Called as soon as the SSL/TLS connection is authenticated. 
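Review bot: `multi_client_connect_fail()` is wired in as the `.deferred` callback of every handler that has no real deferred implementation, and its own comment says reaching it `should never happen`, yet it silently returns CC_RET_FAILED; if a `.main` ever returns CC_RET_DEFERRED while its `.deferred` slot is this stub, the client is rejected without any log line. The removed `cc_check_return()` hit `ASSERT(0)` for its impossible case; keep that visibility here with `ASSERT(0)` or at least a `msg(M_WARN, ...)` before the return. Minor: the `/* End of list sentinel. */` comment sits after the `.main = NULL, .deferred = NULL` initialisers; above the sentinel entry it reads more naturally.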
@@ -2273,27 +2292,83 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) return; } - multi_client_connect_handler handlers[] = { - multi_client_connect_source_ccd, - multi_client_connect_call_plugin_v1, - multi_client_connect_call_plugin_v2, - multi_client_connect_call_script, - multi_client_connect_mda, - NULL - }; - - unsigned int option_types_found = 0; + /* We are only called for the CAS_PENDING_x states, so we + * can ignore other states here */ + bool from_deferred = (mi->context.c2.context_auth != CAS_PENDING); - int cc_succeeded = true; /* client connect script status */ - int cc_succeeded_count = 0; enum client_connect_return ret; - multi_client_connect_early_setup(m, mi); + struct client_connect_defer_state *defer_state = + &(mi->client_connect_defer_state); - for (int i = 0; cc_succeeded && handlers[i]; i++) + /* We are called for the first time */ + if (!from_deferred) { - ret = handlers[i](m, mi, &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); + defer_state->cur_handler_index = 0; + defer_state->option_types_found = 0; + /* Initially we have no handler that has returned a result */ + mi->context.c2.context_auth = CAS_PENDING_DEFERRED; + + multi_client_connect_early_setup(m, mi); + } + + bool cc_succeeded = true; + + while (cc_succeeded + && client_connect_handlers[defer_state->cur_handler_index] + .main != NULL) + { + multi_client_connect_handler handler; + if (from_deferred) + { + handler = client_connect_handlers + [defer_state->cur_handler_index].deferred; + from_deferred = false; + } + else + { + handler = client_connect_handlers + [defer_state->cur_handler_index].main; + } + + ret = handler(m, mi, &(defer_state->option_types_found)); + if (ret == CC_RET_SUCCEEDED) + { + /* + * Remember that we already had at least one handler + * returning a result should go to into deferred state + */ + mi->context.c2.context_auth = CAS_PENDING_DEFERRED_PARTIAL; + } + else if (ret == 
CC_RET_SKIPPED) + { + /* + * Move on with the next handler without modifying any + * other state + */ + } + else if (ret == CC_RET_DEFERRED) + { + /* + * we already set client_connect_status to DEFERRED_RESULT or + * DEFERRED_NO_RESULT and increased index. We just return + * from the function as having client_connect_status + */ + return; + } + else if (ret == CC_RET_FAILED) + { + /* + * One handler failed. We abort the chain and set the final + * result to failed + */ + cc_succeeded = false; + } + else + { + ASSERT(0); + } + (defer_state->cur_handler_index)++; } /* @@ -2305,18 +2380,26 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to " "'disable' directive"); cc_succeeded = false; - cc_succeeded_count = 0; } if (cc_succeeded) { - multi_client_connect_late_setup(m, mi, option_types_found); + multi_client_connect_late_setup(m, mi, + defer_state->option_types_found); } else { - /* set context-level authentication flag */ - mi->context.c2.context_auth = - cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED; + /* set context-level authentication flag to failed but remember + * if had a handler succeed (for cleanup) */ + if (mi->context.c2.context_auth == CAS_PENDING_DEFERRED_PARTIAL) + { + mi->context.c2.context_auth = CAS_PARTIAL; + } + else + { + mi->context.c2.context_auth = CAS_FAILED; + } + } /* increment number of current authenticated clients */ @@ -2604,7 +2687,7 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns { /* connection is "established" when SSL/TLS key negotiation succeeds * and (if specified) auth user/pass succeeds */ - if (mi->context.c2.context_auth == CAS_PENDING + if (is_cas_pending(mi->context.c2.context_auth) && CONNECTION_ESTABLISHED(&mi->context)) { multi_connection_established(m, mi); 
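Review bot: the comment in the CC_RET_DEFERRED branch of the new while loop is wrong on both counts: the states it names (`DEFERRED_RESULT`/`DEFERRED_NO_RESULT`) do not exist (the code sets CAS_PENDING_DEFERRED and CAS_PENDING_DEFERRED_PARTIAL), and `cur_handler_index` is not increased before the `return`, because `(defer_state->cur_handler_index)++` sits after the if/else chain. That behaviour is the intended one (on re-entry `from_deferred` selects the `.deferred` callback of the same index), so the comment should say the index is deliberately left unchanged. The CC_RET_SUCCEEDED comment `returning a result should go to into deferred state` also needs rewording, e.g. `remember that at least one handler succeeded, so a later failure ends in CAS_PARTIAL`. `from_deferred` is derived from `context_auth != CAS_PENDING`, which is only valid because the caller enters solely for the CAS_PENDING_* states; the `is_cas_pending()` guard added in multi_process_post (hunk at -2604) is what guarantees that, so it is worth naming in the comment above `from_deferred`.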
@@ -3559,7 +3642,7 @@ management_client_auth(void *arg, { if (auth) { - if (mi->context.c2.context_auth == CAS_PENDING) + if (is_cas_pending(mi->context.c2.context_auth)) { set_cc_config(mi, cc_config); cc_config_owned = false; @@ -3571,7 +3654,7 @@ management_client_auth(void *arg, { msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason)); } - if (mi->context.c2.context_auth != CAS_PENDING) + if (!is_cas_pending(mi->context.c2.context_auth)) { send_auth_failed(&mi->context, client_reason); /* mid-session reauth failed */ multi_schedule_context_wakeup(m, mi); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 1d30dcc6..11da0209 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -62,6 +62,18 @@ struct deferred_signal_schedule_entry struct timeval wakeup; }; +/** + * Detached client connection state. This is the state that is tracked while + * the client connect hooks are executed. + */ +struct client_connect_defer_state +{ + /* Index of currently executed handler. */ + int cur_handler_index; + /* Remember which option classes where processed for delayed option + * handling. */ + unsigned int option_types_found; +}; /** * Server-mode state structure for one single VPN tunnel. @@ -108,7 +120,7 @@ struct multi_instance { struct context context; /**< The context structure storing state * for this VPN tunnel. */ - + struct client_connect_defer_state client_connect_defer_state; #ifdef ENABLE_ASYNC_PUSH int inotify_watch; /* watch descriptor for acf */ #endif @@ -195,6 +207,7 @@ enum client_connect_return { CC_RET_FAILED, CC_RET_SUCCEEDED, + CC_RET_DEFERRED, CC_RET_SKIPPED }; diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 7c469b01..ccc7f118 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h 
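Review bot: in the multi.h hunk at -108 the new `client_connect_defer_state` member replaces the blank line that separated `struct context context;` from `#ifdef ENABLE_ASYNC_PUSH`, and unlike its neighbour it carries no `/**< ... */` doc comment; keep the blank line and document the field. Two wording fixes in the `struct client_connect_defer_state` block: `Detached client connection state` should read `Deferred`, and `which option classes where processed` should be `were`. Note also that inserting CC_RET_DEFERRED before CC_RET_SKIPPED in `enum client_connect_return` renumbers CC_RET_SKIPPED; harmless as long as the enum never crosses the daemon boundary, which is worth confirming.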
@@ -217,6 +217,8 @@ struct context_1 enum client_connect_status { CAS_SUCCEEDED=0, CAS_PENDING, + CAS_PENDING_DEFERRED, + CAS_PENDING_DEFERRED_PARTIAL, /**< at least handler succeeded, no result yet*/ CAS_FAILED, CAS_PARTIAL, /**< Variant of CAS_FAILED: at least one * client-connect script/plugin succeeded 
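Review bot: the doc comment on CAS_PENDING_DEFERRED_PARTIAL, `/**< at least handler succeeded, no result yet*/`, drops a word and the space before `*/`; suggest `/**< at least one handler succeeded, no final result yet */`. CAS_PENDING_DEFERRED has no comment at all; a line saying it is the state while the handler chain is running or waiting on a deferred result with nothing succeeded yet would make its relation to CAS_PENDING (chain not started) and CAS_PARTIAL (chain finished, failed after a success) clear.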
@@ -225,6 +227,13 @@ enum client_connect_status { */ }; +static inline bool +is_cas_pending(enum client_connect_status cas) +{ + return cas == CAS_PENDING || cas == CAS_PENDING_DEFERRED + || cas == CAS_PENDING_DEFERRED_PARTIAL; +} + /** * Level 2 %context containing state that is reset on both \c SIGHUP and * \c SIGUSR1 restarts. From patchwork Fri Jul 10 23:36:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1230 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 6AQmC3KICV+AWAAAIUCqbw for ; Sat, 11 Jul 2020 05:37:54 -0400 Received: from proxy12.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id gFTkCnKICV9fZQAAalYnBA ; Sat, 11 Jul 2020 05:37:54 -0400 Received: from smtp14.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy12.mail.ord1d.rsapps.net with LMTP id SO+pCnKICV8UegAA7PHxkg ; Sat, 11 Jul 2020 05:37:54 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp14.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 314a9508-c35a-11ea-88fa-525400504bae-1-1 Received: from [216.105.38.7] ([216.105.38.7:39850] helo=lists.sourceforge.net) by smtp14.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:50 +0200
Message-Id: <20200711093655.23686-9-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 09/14] client-connect: Add deferred support to the client-connect script handler
From: Fabian Knittel

This patch introduces the concept of a return value file for the client-connect handlers. (This is very similar to the auth value file used during deferred authentication.) The file name is stored in the client_connect_state struct. In addition, the patch also allows the storage of the client config file name in struct client_connect_state.

Both changes are used by the client-connect script handler to support deferred client-connection handling. The deferred return value file (deferred_ret_file) is passed to the actual script via the environment. If the script succeeds and writes the value for deferral into the deferred_ret_file, the handler knows to indicate deferral. Later on, the deferred handler checks whether the value of the deferred_ret_file has been updated to success or failure.

Signed-off-by: Fabian Knittel
Signed-off-by: Arne Schwabe
---
 src/openvpn/multi.c | 230 +++++++++++++++++++++++++++++++++++++++++---
 src/openvpn/multi.h |  12 +++
 2 files changed, 227 insertions(+), 15 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index ce73f8a1..271d09d8 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1843,6 +1843,168 @@ multi_client_set_protocol_options(struct context *c) } } +/** + * Delete the temporary file for the return value of client connect + * It also removes it from it from client_connect_defer_state and + * environment + */ +static void +ccs_delete_deferred_ret_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + if (ccs->deferred_ret_file) + { + setenv_del(mi->context.c2.es, "client_connect_deferred_file"); + if (!platform_unlink(ccs->deferred_ret_file)) + { + msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", + ccs->deferred_ret_file); + } + free(ccs->deferred_ret_file); + ccs->deferred_ret_file = NULL; + } +} + +/** + * Create a temporary file for the return value of client connect + * and puts it into the client_connect_defer_state and environment + * as "client_connect_deferred_file" + * + * @return boolean value if creation was successfull + */ +static bool +ccs_gen_deferred_ret_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + struct gc_arena gc = gc_new(); + const char *fn; + + if (ccs->deferred_ret_file) + { + ccs_delete_deferred_ret_file(mi); + } + + fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc); + if (!fn) + { + gc_free(&gc); + return false; + } + ccs->deferred_ret_file = string_alloc(fn, NULL); + + setenv_str(mi->context.c2.es, "client_connect_deferred_file", + ccs->deferred_ret_file); + + gc_free(&gc); + return true; +} + +/** + * Tests whether the deferred return value file exists and returns the + * contained return value. + * + * @return CC_RET_SKIPPED if the file does not exist or is empty. + * CC_RET_DEFERRED, CC_RET_SUCCEEDED or CC_RET_FAILED depending on + * the value stored in the file. 
+ */ +static enum client_connect_return +ccs_test_deferred_ret_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + enum client_connect_return ret = CC_RET_SKIPPED; + FILE *fp = fopen(ccs->deferred_ret_file, "r"); + if (fp) + { + const int c = fgetc(fp); + switch (c) + { + case '0': + ret = CC_RET_FAILED; + break; + + case '1': + ret = CC_RET_SUCCEEDED; + break; + + case '2': + ret = CC_RET_DEFERRED; + break; + + case EOF: + if (feof(fp)) + { + ret = CC_RET_SKIPPED; + break; + } + + /* Not EOF, but other error fall through to error state */ + default: + /* We received an unknown/unexpected value. Assume failure. */ + msg(M_WARN, "WARNING: Unknown/unexcepted value in deferred" + "client-connect resultfile"); + ret = CC_RET_FAILED; + } + fclose(fp); + } + return ret; +} + +/** + * Deletes the temporary file for the config directives of the client connect + * script and removes it into the client_connect_defer_state and environment + * + */ +static void +ccs_delete_config_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + if (ccs->config_file) + { + setenv_del(mi->context.c2.es, "client_connect_config_file"); + if (!platform_unlink(ccs->config_file)) + { + msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", + ccs->config_file); + } + free(ccs->config_file); + ccs->config_file = NULL; + } +} + +/** + * Create a temporary file for the config directives of the client connect + * script and puts it into the client_connect_defer_state and environment + * as "client_connect_config_file" + * + * @return boolean value if creation was successfull + */ +static bool +ccs_gen_config_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + struct gc_arena gc = gc_new(); + const char *fn; + + if (ccs->config_file) + { + ccs_delete_config_file(mi); + } + + fn = 
platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc); + if (!fn) + { + gc_free(&gc); + return false; + } + ccs->config_file = string_alloc(fn, NULL); + + setenv_str(mi->context.c2.es, "client_connect_config_file", + ccs->config_file); + + gc_free(&gc); + return true; +} + static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, @@ -1933,8 +2095,6 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, return ret; } - - /** * Runs the --client-connect script if one is defined. */ 
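Review bot: in ccs_test_deferred_ret_file the default branch passes two adjacent string literals to msg(), `"WARNING: Unknown/unexcepted value in deferred"` followed by `"client-connect resultfile"`, which concatenate to "...in deferredclient-connect resultfile"; add the missing space and fix "unexcepted" to "unexpected". The Doxygen comments in the same hunk also need a pass: "removes it from it from client_connect_defer_state", "removes it into the client_connect_defer_state" (should be "from"), and "successfull" in both ccs_gen_* comments. Since the return file is created empty by platform_create_temp_file and only its path is handed to the script via `client_connect_deferred_file`, the ccs_gen_deferred_ret_file comment should say so explicitly, together with the 0/1/2 contract that ccs_test_deferred_ret_file reads, so script authors have one place to look.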
@@ -1948,48 +2108,88 @@ multi_client_connect_call_script(struct multi_context *m, ASSERT(mi); enum client_connect_return ret = CC_RET_SKIPPED; + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); if (mi->context.options.client_connect_script) { struct argv argv = argv_new(); struct gc_arena gc = gc_new(); - const char *dc_file = NULL; setenv_str(mi->context.c2.es, "script_type", "client-connect"); - dc_file = platform_create_temp_file(mi->context.options.tmp_dir, - "cc", &gc); - if (!dc_file) + if (!ccs_gen_config_file(mi) + || !ccs_gen_deferred_ret_file(mi)) { ret = CC_RET_FAILED; goto cleanup; } argv_parse_cmd(&argv, mi->context.options.client_connect_script); - argv_printf_cat(&argv, "%s", dc_file); + argv_printf_cat(&argv, "%s", ccs->config_file); if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect")) { - multi_client_connect_post(m, mi, dc_file, option_types_found); - ret = CC_RET_SUCCEEDED; + if (ccs_test_deferred_ret_file(mi) == CC_RET_DEFERRED) + { + ret = CC_RET_DEFERRED; + } + else + { + multi_client_connect_post(m, mi, ccs->config_file, + option_types_found); + ret = CC_RET_SUCCEEDED; + } } else { ret = CC_RET_FAILED; } - - if (!platform_unlink(dc_file)) +cleanup: + if (ret != CC_RET_DEFERRED) { - msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", - dc_file); + ccs_delete_config_file(mi); + ccs_delete_deferred_ret_file(mi); } -cleanup: argv_free(&argv); gc_free(&gc); } return ret; } +static enum client_connect_return +multi_client_connect_script_deferred(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found) +{ + ASSERT(mi); + ASSERT(option_types_found); + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + enum client_connect_return ret = CC_RET_SKIPPED; + + ret = ccs_test_deferred_ret_file(mi); + + if (ret == CC_RET_SKIPPED) + { + /* + * Skipped and deferred are equivalent in this context. 
+ * skipped means that the called program has not yet + * written a return status implicitly needing more time + * while deferred is the explicit notifcation that it + * needs more time + */ + ret = CC_RET_DEFERRED; + } + + if (ret != CC_RET_DEFERRED) + { + ccs_delete_deferred_ret_file(mi); + multi_client_connect_post(m, mi, ccs->config_file, + option_types_found); + ccs_delete_config_file(mi); + } + return ret; +} + /** * Generates the data channel keys */ @@ -2251,7 +2451,7 @@ static const struct client_connect_handlers client_connect_handlers[] = { }, { .main = multi_client_connect_call_script, - .deferred = multi_client_connect_fail + .deferred = multi_client_connect_script_deferred }, { .main = multi_client_connect_mda, diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 11da0209..3ebf6b9f 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
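Review bot: in multi_client_connect_script_deferred, multi_client_connect_post(m, mi, ccs->config_file, option_types_found) is called for every non-deferred result, including CC_RET_FAILED, while the initial path in multi_client_connect_call_script only applies the config file when the script succeeded; guard the call with `ret == CC_RET_SUCCEEDED` so a rejected client's directives are never parsed or applied. In the initial path the precedence goes the other way: a script that exits 0 but writes 0 to the return file is reported as CC_RET_SUCCEEDED because only `== CC_RET_DEFERRED` is checked; if the file is meant to be authoritative, treat a 0 there as failure as well. Minor: `ret` is initialised to CC_RET_SKIPPED and immediately overwritten, and the comment has "notifcation". The new script-facing interface (the `client_connect_deferred_file` and `client_connect_config_file` environment variables and the 0/1/2 values) is not documented in this patch and needs a man page entry.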
@@ -73,6 +73,18 @@ struct client_connect_defer_state /* Remember which option classes where processed for delayed option * handling. */ unsigned int option_types_found; + + /** + * The temporrary file name that contains the return status of the + * client-connect script if it exits with defer as status + */ + char *deferred_ret_file; + + /** + * The temporary file name that contains the config directives + * returned by the client-connect script + */ + char *config_file; }; /**
From patchwork Fri Jul 10 23:36:51 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1226
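The script side of the deferred return-value file protocol that patch 09/14 above introduces, as an added example that is not part of the patch series or of OpenVPN's own code. It assumes only what the patch shows: the daemon runs the --client-connect script with the config file path as its argument, exports the return file path as `client_connect_deferred_file`, and later reads the first byte of that file as 0 (failed), 1 (succeeded) or 2 (deferred). The names cc_script_main, cc_worker and cc_read_status, the `allowed-*` common-name rule and the pushed route are illustrative choices; cc_read_status mirrors ccs_test_deferred_ret_file on the daemon side so the whole exchange can be exercised without a running openvpn:

```sh
#!/bin/sh
# Added example, not code from the OpenVPN patch series: a --client-connect
# script that uses the deferred return-value file protocol from patch 09/14.
# Assumed from the patch: the daemon passes the config file path as $1 and
# exports the return-file path as $client_connect_deferred_file; the first
# byte of that file is read as 0 = failed, 1 = succeeded, 2 = deferred.

# Write a status byte in place. Writing in place (not rename-over) matters
# once the daemon watches the file with inotify IN_CLOSE_WRITE.
cc_set_status() {   # $1 = return file, $2 = status byte
    printf '%s' "$2" > "$1"
}

# Stage 1, run synchronously by openvpn. Signals deferral immediately and
# leaves the real decision to cc_worker. $1 is the client config file.
cc_script_main() {
    cfg_file="$1"
    ret_file="${client_connect_deferred_file:-}"
    if [ -z "$ret_file" ]; then
        echo "client_connect_deferred_file not set; daemon too old?" >&2
        return 1                       # exit status 1 = connection refused
    fi
    cc_set_status "$ret_file" 2        # defer before doing anything slow
    # Config directives are applied only after the daemon sees status 1.
    printf 'push "route 10.8.1.0 255.255.255.0"\n' >> "$cfg_file"
    # A real script would start the slow check in the background here:
    #   ( cc_worker "$ret_file" "$common_name" ) &
    return 0
}

# Stage 2, the slow decision. The allow rule is a stand-in for a directory
# lookup or posture check; only the final byte written matters to openvpn.
cc_worker() {       # $1 = return file, $2 = common name
    case "$2" in
        allowed-*) cc_set_status "$1" 1 ;;
        *)         cc_set_status "$1" 0 ;;
    esac
}

# Daemon-side view, mirroring ccs_test_deferred_ret_file: map the first byte
# of the return file to the client_connect_return name the patch uses.
cc_read_status() {  # $1 = return file
    if [ ! -f "$1" ]; then
        echo CC_RET_SKIPPED            # fopen() fails -> skipped
        return 0
    fi
    c=$(dd if="$1" bs=1 count=1 2>/dev/null)
    case "$c" in
        0)  echo CC_RET_FAILED ;;
        1)  echo CC_RET_SUCCEEDED ;;
        2)  echo CC_RET_DEFERRED ;;
        "") echo CC_RET_SKIPPED ;;     # empty file: script not finished
        *)  echo CC_RET_FAILED ;;      # unknown byte is treated as failure
    esac
}
```

In production the script backgrounds cc_worker and returns 0 straight after writing 2; what openvpn acts on is the byte it finds in the file at the next wakeup or inotify event. Two practical cautions that follow from the patch rather than from this example: the worker must write into the existing file (the IN_CLOSE_WRITE watch armed later in this series fires for the inode the daemon created, not for a file renamed over it), and because the file's content decides whether the client is accepted, tmp_dir must not be writable by anyone other than the user the daemon and its scripts run as.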
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:51 +0200
Message-Id: <20200711093655.23686-10-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
References: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 10/14] client-connect: Move adding inotify watch into its own function

This makes the code a bit more readable and also prepares reusing the function for client-connect return files
Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- src/openvpn/multi.c | 43 ++++++++++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 15 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 271d09d8..dafc85f1 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2828,6 +2828,32 @@ multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi compute_wakeup_sigma(&mi->context.c2.timeval)); } +#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) +static void +add_inotify_file_watch(struct multi_context *m, struct multi_instance *mi, + int inotify_fd, const char *file) +{ + /* watch acf file */ + long watch_descriptor = inotify_add_watch(inotify_fd, file, + IN_CLOSE_WRITE | IN_ONESHOT); + if (watch_descriptor >= 0) + { + if (mi->inotify_watch != -1) + { + hash_remove(m->inotify_watchers, + (void *) (unsigned long)mi->inotify_watch); + } + hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, + mi, true); + mi->inotify_watch = watch_descriptor; + } + else + { + msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error"); + } +} +#endif /* if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) */ + /* * Figure instance-specific timers, convert * earliest to absolute time in mi->wakeup, 
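Review bot: the `/* watch acf file */` comment inside add_inotify_file_watch is now misleading, since the commit message says the helper is about to be reused for the client-connect return file; make it generic. The `inotify_fd` argument is redundant: the only caller in this patch passes `m->top.c2.inotify_fd`, and `m` is already a parameter, so either read the fd from `m` or drop `m` (it is only used for `m->inotify_watchers`). Worth stating in a function comment: the watch is `IN_CLOSE_WRITE | IN_ONESHOT` on the inode the path resolves to when the watch is installed, so a writer that creates a new file and renames it over the path will never trigger the event, and the caller then only progresses at the timer wakeup.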
@@ -2865,21 +2891,8 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns if (ks && ks->auth_control_file && was_unauthenticated && (ks->authenticated == KS_AUTH_DEFERRED)) { - /* watch acf file */ - long watch_descriptor = inotify_add_watch(m->top.c2.inotify_fd, ks->auth_control_file, IN_CLOSE_WRITE | IN_ONESHOT); - if (watch_descriptor >= 0) - { - if (mi->inotify_watch != -1) - { - hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch); - } - hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, mi, true); - mi->inotify_watch = watch_descriptor; - } - else - { - msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error"); - } + add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, + ks->auth_control_file); } #endif
From patchwork Fri Jul 10 23:36:52 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1228
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:52 +0200
Message-Id: <20200711093655.23686-11-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
References: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 11/14] client-connect: Use inotify for the deferred client-connect status file

As we never do client-connect and authentication at the same time, it is safe to reuse the existing fields for the client-connect return status file Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index dafc85f1..09a25a58 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c
@@ -2618,8 +2618,10 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) #ifdef ENABLE_ASYNC_PUSH /* - * Called when inotify event is fired, which happens when acf file is closed or deleted. - * Continues authentication and sends push_reply. + * Called when inotify event is fired, which happens when acf + * or connect-status file is closed or deleted. + * Continues authentication and sends push_reply + * (or be deferred again by client-connect) */ void multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags) 
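Review bot: the rewritten comment reads "(or be deferred again by client-connect)", which does not fit the sentence; suggest "Continues authentication and sends push_reply, or stays deferred if the client-connect handler has not finished yet". It would also help to say here that the watch for the connect-status file is installed in multi_process_post rather than where the file is created, otherwise a reader of this function will not find it.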
@@ -2905,7 +2907,15 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns { multi_connection_established(m, mi); } - +#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) + if (is_cas_pending(mi->context.c2.context_auth) + && mi->client_connect_defer_state.deferred_ret_file) + { + add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, + mi->client_connect_defer_state. + deferred_ret_file); + } +#endif /* tell scheduler to wake us up at some point in the future */ multi_schedule_context_wakeup(m, mi); }
From patchwork Fri Jul 10 23:36:53 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1229
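Review bot: this block runs on every pass through multi_process_post while `is_cas_pending()` holds and `deferred_ret_file` is set, so add_inotify_file_watch() is re-issued on each wakeup, each time removing and re-adding the hash entry and allocating a new watch descriptor; install the watch only when `mi->inotify_watch == -1` (or once, right after ccs_gen_deferred_ret_file creates the file) so it is not churned until the script finishes. The commit message argues that sharing `inotify_watch` with deferred auth is safe because the two never overlap, but nothing in the code checks it; a short comment here, or an ASSERT that no auth-control watch is still pending, would make the invariant explicit to whoever next touches multi_process_post.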
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:53 +0200
Message-Id: <20200711093655.23686-12-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
References: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 12/14] client-connect: Add deferred support to the client-connect plugin v1 handler

From: Fabian Knittel Uses the infrastructure provided and used in the previous patch to provide deferral support to the v1 client-connect plugin handler as well.
Signed-off-by: Fabian Knittel PATCH V3: Modify the API to also (optionally) call the plugin on a deferred call. This allows the plugin authors to be more flexible and make the V1 API more similar to the V2 API. Signed-off-by: Arne Schwabe --- include/openvpn-plugin.h.in | 29 +++++------ src/openvpn/multi.c | 97 ++++++++++++++++++++++++++++--------- src/openvpn/plugin.c | 3 ++ 3 files changed, 93 insertions(+), 36 deletions(-) diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in index 103844f7..99aa1678 100644 --- a/include/openvpn-plugin.h.in +++ b/include/openvpn-plugin.h.in @@ -116,20 +116,21 @@ extern "C" { * FUNC: openvpn_plugin_client_destructor_v1 (top-level "generic" client) * FUNC: openvpn_plugin_close_v1 */ -#define OPENVPN_PLUGIN_UP 0 -#define OPENVPN_PLUGIN_DOWN 1 -#define OPENVPN_PLUGIN_ROUTE_UP 2 -#define OPENVPN_PLUGIN_IPCHANGE 3 -#define OPENVPN_PLUGIN_TLS_VERIFY 4 -#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY 5 -#define OPENVPN_PLUGIN_CLIENT_CONNECT 6 -#define OPENVPN_PLUGIN_CLIENT_DISCONNECT 7 -#define OPENVPN_PLUGIN_LEARN_ADDRESS 8 -#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2 9 -#define OPENVPN_PLUGIN_TLS_FINAL 10 -#define OPENVPN_PLUGIN_ENABLE_PF 11 -#define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 -#define OPENVPN_PLUGIN_N 13 +#define OPENVPN_PLUGIN_UP 0 +#define OPENVPN_PLUGIN_DOWN 1 +#define OPENVPN_PLUGIN_ROUTE_UP 2 +#define OPENVPN_PLUGIN_IPCHANGE 3 +#define OPENVPN_PLUGIN_TLS_VERIFY 4 +#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY 5 +#define OPENVPN_PLUGIN_CLIENT_CONNECT 6 +#define OPENVPN_PLUGIN_CLIENT_DISCONNECT 7 +#define OPENVPN_PLUGIN_LEARN_ADDRESS 8 +#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2 9 +#define OPENVPN_PLUGIN_TLS_FINAL 10 +#define OPENVPN_PLUGIN_ENABLE_PF 11 +#define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 +#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER 13 +#define OPENVPN_PLUGIN_N 14 /* * Build a mask out of a set of plug-in types. diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 09a25a58..08eb44ba 100644 
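Review bot: OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER is added to the public plugin header with no documentation: the FUNC:/type list in the comment block above the defines is not extended, and nothing states what a plugin receives on the deferred call (the config file path in argv and the return-file path in `client_connect_deferred_file`), which return codes are honoured, or that a 0/1/2 written to the file overrides the return code. Since this header is the plugin API, that text belongs here rather than in multi.c. Separately, the hunk re-indents every existing OPENVPN_PLUGIN_* define, which hides the two real additions in whitespace churn; keep the old alignment or split the reformat into its own commit.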
--- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -2008,56 +2008,109 @@ ccs_gen_config_file(struct multi_instance *mi) static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found) + unsigned int *option_types_found, + bool deferred) { enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN ASSERT(m); ASSERT(mi); ASSERT(option_types_found); + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); /* deprecated callback, use a file for passing back return info */ if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT)) { struct argv argv = argv_new(); - struct gc_arena gc = gc_new(); - const char *dc_file = - platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc); + int call; - if (!dc_file) + if (!deferred) { - ret = CC_RET_FAILED; - goto cleanup; + call = OPENVPN_PLUGIN_CLIENT_CONNECT; + if (!ccs_gen_config_file(mi) + || !ccs_gen_deferred_ret_file(mi)) + { + ret = CC_RET_FAILED; + goto cleanup; + } + } + else + { + call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER; + /* the initial call should have created these files */ + ASSERT(ccs->config_file); + ASSERT(ccs->deferred_ret_file); } - argv_printf(&argv, "%s", dc_file); - if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, - &argv, NULL, mi->context.c2.es) - != OPENVPN_PLUGIN_FUNC_SUCCESS) + argv_printf(&argv, "%s", ccs->config_file); + int plug_ret = plugin_call(mi->context.plugins, call, + &argv, NULL, mi->context.c2.es); + if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS) { - msg(M_WARN, "WARNING: client-connect plugin call failed"); - ret = CC_RET_FAILED; + multi_client_connect_post(m, mi, ccs->config_file, + option_types_found); + ret = CC_RET_SUCCEEDED; + } + else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED) + { + ret = CC_RET_DEFERRED; + /** + * Contrary to the plugin v2 API, we do not demand a working + * deferred plugin as all return can be handled by the files + * and plugin_call return 
success if a plugin is not defined + */ } else { - multi_client_connect_post(m, mi, dc_file, option_types_found); - ret = CC_RET_SUCCEEDED; + msg(M_WARN, "WARNING: client-connect plugin call failed"); + ret = CC_RET_FAILED; } - if (!platform_unlink(dc_file)) + + /** + * plugin api v1 client connect async feature has both plugin and + * file return status, so in case that the file has a code that + * demands override, we override our return code + */ + int file_ret = ccs_test_deferred_ret_file(mi); + + if (file_ret == CC_RET_FAILED) { - msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", - dc_file); + ret = CC_RET_FAILED; + } + else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED) + { + ret = CC_RET_DEFERRED; } - cleanup: argv_free(&argv); - gc_free(&gc); + + if (ret != CC_RET_DEFERRED) + { + ccs_delete_config_file(mi); + ccs_delete_deferred_ret_file(mi); + } } #endif /* ifdef ENABLE_PLUGIN */ return ret; } +static enum client_connect_return +multi_client_connect_call_plugin_v1_initial(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found) +{ + return multi_client_connect_call_plugin_v1(m,mi, option_types_found, false); +} + +static enum client_connect_return +multi_client_connect_call_plugin_v1_deferred(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found) +{ + return multi_client_connect_call_plugin_v1(m,mi, option_types_found, true); +} + static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, @@ -2442,8 +2495,8 @@ static const struct client_connect_handlers client_connect_handlers[] = { .deferred = multi_client_connect_fail }, { - .main = multi_client_connect_call_plugin_v1, - .deferred = multi_client_connect_fail + .main = multi_client_connect_call_plugin_v1_initial, + .deferred = multi_client_connect_call_plugin_v1_deferred, }, { .main = multi_client_connect_call_plugin_v2, 
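Review bot: in the deferred call (`deferred == true`), multi_client_connect_post() is executed as soon as plugin_call returns OPENVPN_PLUGIN_FUNC_SUCCESS, before the file-based override is evaluated; if the file still holds 2 the function then returns CC_RET_DEFERRED, so the config file has been applied once already and is applied again on the next wakeup, and if the file holds 0 the directives have been applied for a client that is then failed. Evaluate ccs_test_deferred_ret_file() first and only call multi_client_connect_post() when the combined result is CC_RET_SUCCEEDED. Related: the comment notes that plugin_call returns success when no OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER handler is defined, and a CC_RET_SKIPPED (empty) file does not override that, so a v1 plugin that returned OPENVPN_PLUGIN_FUNC_DEFERRED and has not yet written the file is accepted on the next wakeup; the script handler maps SKIPPED to CC_RET_DEFERRED and this path should do the same. Style: `multi_client_connect_call_plugin_v1(m,mi, ...)` is missing a space after the comma in both wrappers, and the `/** ... */` blocks inside the function body should be plain `/* */` comments.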
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 4de1d6b7..ea18592f 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c 
@@ -104,6 +104,9 @@ plugin_type_name(const int type) case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER: + return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_DISCONNECT: return "PLUGIN_CLIENT_DISCONNECT";
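Review bot: the new case in plugin_type_name() maps OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER to the same string "PLUGIN_CLIENT_CONNECT" that the CLIENT_CONNECT_V2 case directly above it already returns, so any log line built from plugin_type_name() cannot distinguish a failure in the initial call from one in the deferred call. If the name is meant to be distinct for operators reading logs, return "PLUGIN_CLIENT_CONNECT_DEFER" here; if sharing the name is deliberate (as it already is for V2), a one-line comment saying so would save the next reader the question.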
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:54 +0200
Message-Id: <20200711093655.23686-13-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
References: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 13/14] client-connect: Implement deferred connect support for plugin API v2

The V2 API is simpler than the V1 API since there is no passing of data via files. This also means that with the current API the V2 API cannot support async notify via files. Adding a file just for async notify seems very hacky, and when needed we should implement a better option when async is needed for the plugin V2 API.
Signed-off-by: Arne Schwabe --- include/openvpn-plugin.h.in | 3 +- src/openvpn/multi.c | 58 ++++++++++++++++++++++++++++++------- src/openvpn/plugin.c | 3 ++ 3 files changed, 52 insertions(+), 12 deletions(-) diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in index 99aa1678..38fbe097 100644 --- a/include/openvpn-plugin.h.in +++ b/include/openvpn-plugin.h.in @@ -130,7 +130,8 @@ extern "C" { #define OPENVPN_PLUGIN_ENABLE_PF 11 #define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 #define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER 13 -#define OPENVPN_PLUGIN_N 14 +#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 14 +#define OPENVPN_PLUGIN_N 15 /* * Build a mask out of a set of plug-in types. diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 08eb44ba..65169719 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2114,7 +2114,8 @@ multi_client_connect_call_plugin_v1_deferred(struct multi_context *m, static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found) + unsigned int *option_types_found, + bool deferred) { enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN 
@@ -2122,32 +2123,67 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, ASSERT(mi); ASSERT(option_types_found); + int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 : + OPENVPN_PLUGIN_CLIENT_CONNECT_V2; /* V2 callback, use a plugin_return struct for passing back return info */ - if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2)) + if (plugin_defined(mi->context.plugins, call)) { struct plugin_return pr; plugin_return_init(&pr); - if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, - NULL, &pr, mi->context.c2.es) - != OPENVPN_PLUGIN_FUNC_SUCCESS) + int plug_ret = plugin_call(mi->context.plugins, call, + NULL, &pr, mi->context.c2.es); + if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS) { - msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); - ret = CC_RET_FAILED; + multi_client_connect_post_plugin(m, mi, &pr, option_types_found); + ret = CC_RET_SUCCEEDED; + } + else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED) + { + ret = CC_RET_DEFERRED; + if (!(plugin_defined(mi->context.plugins, + OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2))) + { + msg(M_WARN, "A plugin that defers from the " + "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also " + "declare support for " + "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2"); + ret = CC_RET_FAILED; + } } else { - multi_client_connect_post_plugin(m, mi, &pr, option_types_found); - ret = CC_RET_SUCCEEDED; + msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); + ret = CC_RET_FAILED; } + plugin_return_free(&pr); } #endif /* ifdef ENABLE_PLUGIN */ return ret; } + +static enum client_connect_return +multi_client_connect_call_plugin_v2_initial(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found) +{ + return multi_client_connect_call_plugin_v2(m, mi, option_types_found, + false); +} + +static enum client_connect_return +multi_client_connect_call_plugin_v2_deferred(struct multi_context *m, + struct multi_instance *mi, + unsigned int 
*option_types_found) +{ + return multi_client_connect_call_plugin_v2(m, mi, option_types_found, + true); +} + /** * Runs the --client-connect script if one is defined. */ @@ -2499,8 +2535,8 @@ static const struct client_connect_handlers client_connect_handlers[] = { .deferred = multi_client_connect_call_plugin_v1_deferred, }, { - .main = multi_client_connect_call_plugin_v2, - .deferred = multi_client_connect_fail + .main = multi_client_connect_call_plugin_v2_initial, + .deferred = multi_client_connect_call_plugin_v2_deferred, }, { .main = multi_client_connect_call_script, diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index ea18592f..80abb730 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c 
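Review bot: in the multi.c hunk at @@ -2122 the check that a deferring plugin also defines OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 runs only after plugin_call() has already returned OPENVPN_PLUGIN_FUNC_DEFERRED, that is, after the plugin may have started its asynchronous work; the same plugin_defined() test could be made before the initial call (or once when plugins are loaded), so that a plugin missing the DEFER_V2 hook is rejected before any client-connect work is started rather than after. When deferred is true the test is also redundant, since reaching that branch already implies the DEFER_V2 hook exists. Separately, plugin_return_free(&pr) is added as a new line after the pre-existing multi_client_connect_post_plugin() call: please confirm that pr was not already freed elsewhere in the earlier code (double free) and, if it was simply never freed, mention in the commit message that this hunk also fixes that leak.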
@@ -107,6 +107,9 @@ plugin_type_name(const int type) case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER: return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2: + return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_DISCONNECT: return "PLUGIN_CLIENT_DISCONNECT";
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 11 Jul 2020 11:36:55 +0200
Message-Id: <20200711093655.23686-14-arne@rfc2549.org>
In-Reply-To: <20200711093655.23686-1-arne@rfc2549.org>
References: <20200711093655.23686-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v5 14/14] client-connect: Add documentation for the deferred client connect feature

Patch V5: Fix typos, clarify man page section about deferred client-connect script. Add section to Changes.rst

Signed-off-by: Arne Schwabe --- Changes.rst | 4 +++ doc/openvpn.8 | 55 +++++++++++++++++++++++++++++++++++-- include/openvpn-plugin.h.in | 21 ++++++++++---- 3 files changed, 71 insertions(+), 9 deletions(-) diff --git a/Changes.rst b/Changes.rst index 42f0d190..47fa6883 100644 --- a/Changes.rst +++ b/Changes.rst
@@ -3,6 +3,10 @@ Overview of changes in 2.5 New features ------------ +Deferred client-connect + client-connect and the connect plugin API allow now asynchronous/deferred + return of the configuration file in the same way as the auth-plugin. + Client-specific tls-crypt keys (``--tls-crypt-v2``) ``tls-crypt-v2`` adds the ability to supply each client with a unique tls-crypt key. This allows large organisations and VPN providers to profit diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 03ae5ac5..7a0080bf 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3422,6 +3422,13 @@ is significant. If .B script returns a non\-zero error status, it will cause the client to be disconnected. + +If a +.B \-\-client\-connect cmd +wants to defer the generating of the configuration the script, should +use the client_connect_deferred_file and client_connect_config_file +environment variables and write status accordingly into these files +(See the environment section below for more details). .\"********************************************************* .TP .B \-\-client\-disconnect cmd @@ -3505,12 +3512,18 @@ This directory will be used by in the following cases: * .B \-\-client\-connect -scripts to dynamically generate client\-specific -configuration files. +scripts and +.B OPENVPN_PLUGIN_CLIENT_CONNECT +plugin hook +to dynamically generate client\-specific configuration files +and return success/failure via client_connect_deferred_file +when using deferred client connect method * .B OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY -plugin hook to return success/failure via auth_control_file +and + +plugin hook to return success/failure via auth_control_file/ when using deferred auth method * 
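Review bot: in the Changes.rst hunk "client-connect and the connect plugin API allow now asynchronous/deferred return of the configuration file" reads awkwardly and does not say which plugin entry points changed; suggest "client-connect scripts and the OPENVPN_PLUGIN_CLIENT_CONNECT/OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin hooks can now return the client configuration asynchronously (deferred), in the same way the auth plugin hook already can", so a plugin author scanning the changelog knows which hooks to look at.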
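Review bot: in the openvpn.8 hunk at @@ -3422 the comma is misplaced: "wants to defer the generating of the configuration the script, should use" should read "wants to defer generating the configuration, the script should use". Since this is the first place a reader meets the mechanism, it would also help to state what is written, a single status character with '2' meaning deferred, instead of only "write status accordingly" and a pointer to the environment section.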
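Review bot: the second bullet of the @@ -3505 hunk looks unfinished: after ".B OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY" the added lines are a bare "and", an empty line, and "plugin hook to return success/failure via auth_control_file/ when using deferred auth method", so the rendered text has a dangling "and" and a stray trailing slash after auth_control_file. Either name the second hook that "and" was meant to introduce, or drop the "and" and the empty line and restore "auth_control_file". The first bullet's new text also ends without a full stop after "deferred client connect method".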
@@ -6654,6 +6667,42 @@ Set prior to execution of the script. .\"********************************************************* .TP +.B client_connect_config_file +The path to the configuration file that should be written by +the +.B \-\-client\-connect +script. The content of this environment variable is identical +to the file as a argument of the called +.B \-\-client\-connect +script. +.\"********************************************************* +.TP +.B client_connect_deferred_file +This file can be optionally written to communicate a status +code of the +.TP +.B \-\-client\-connect +script. If used for deferring, this file must be written +before the +.B \-\-client\-connect +script exits. The first character in the file has to be +'1' is to indicate normal script execution, '0' indicates an +error (in the same way that a non zero exit status does) and +'2' indicates that the script deferred returning the config +file. When the script defers returning the configuration, it +must also write '2' to to the file to indicate the deferral. +A background process or similar must then take care of writing the +configuration to the file indicated by the +.B +client_connect_config_file +environment variable and when finished, write the a '1' to this +file (or '0' in case of an error). + +The absence of any character in the file when the script finishes +executing is interpreted the same as '1'. This allows script that +are not written to support the defer mechanism to be used unmodified. +.\"********************************************************* +.TP .B common_name The X509 common name of an authenticated client. Set prior to execution of diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in index 38fbe097..64b20886 100644 --- a/include/openvpn-plugin.h.in +++ b/include/openvpn-plugin.h.in 
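Review bot: in the @@ -6654 hunk the client_connect_deferred_file entry is broken by a stray ".TP" between "code of the" and ".B \-\-client\-connect": .TP opens a new tagged paragraph, so the man page renders "--client-connect" as a separate entry and cuts the sentence in half. Drop that .TP (the client_connect_config_file entry just above shows the intended form). Typos in the same entry: "'1' is to indicate" should be "'1' indicates", "write '2' to to the file" has a doubled "to", "write the a '1'" should be "write a '1'", and "This allows script that are not written" should be "scripts"; in the config_file entry "as a argument" should be "as an argument". The ".B" on a line of its own before "client_connect_config_file" does work (groff bolds the next input line) but ".B client_connect_config_file" on one line matches the rest of the page.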
@@ -557,12 +557,21 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure * * In addition, OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by - * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY. This enables asynchronous - * authentication where the plugin (or one of its agents) may indicate - * authentication success/failure some number of seconds after the return - * of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler by writing a single - * char to the file named by auth_control_file in the environmental variable - * list (envp). + * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_CLIENT_CONNECT and + * OPENVPN_PLUGIN_CLIENT_CONNECT_V2. This enables asynchronous + * authentication or client connect where the plugin (or one of its agents) + * may indicate authentication success/failure or client configuration some + * number of seconds after the return of the function handler. + * For OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY and OPENVPN_PLUGIN_CLIENT_CONNECT + * this is done by writing a single char to the file named by + * auth_control_file/client_connect_deferred_file + * in the environmental variable list (envp). + * + * In addition the OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER and + * OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 are called when OpenVPN tries to + * get the deferred result. For a V2 call implementing this function is + * required as information is not passed by files. For the normal version + * the call is optional. * * first char of auth_control_file: * '0' -- indicates auth failure
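Review bot: the comment now points OPENVPN_PLUGIN_CLIENT_CONNECT implementers at client_connect_deferred_file, but the list that follows this hunk ("first char of auth_control_file: '0' -- indicates auth failure ...") still documents only auth_control_file; add the accepted values for client_connect_deferred_file there, including the '2' (deferred) value that the openvpn.8 hunk in this same patch describes, otherwise a plugin author reading only the header never learns how to signal deferral. Wording: "the OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER and OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 are called" reads better as "... hooks are called", and "environmental variable list", carried over from the old text, should be "environment variable list".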