From patchwork Thu Jul 16 03:43:10 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1267
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 16 Jul 2020 15:43:10 +0200
Message-Id: <20200716134315.17742-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v7 1/6] client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect

This patch moves the state that was previously tracked within the multi_connection_established() function into struct client_connect_state. The multi_connection_established() function can now be exited and re-entered as many times as necessary, without losing the client-connect handling state.

The patch also adds the new return value CC_RET_DEFERRED, which indicates that the handler couldn't complete immediately and needs to be called later. At that point multi_connection_established() will exit without indicating completion.

Each client-connect handler now has an (optional) additional call-back: the call-back for handling the deferred case. If the main call-back returns CC_RET_DEFERRED, the next call to the handler will be through the deferred call-back.
Signed-off-by: Fabian Knittel Patch V3: Use a static struct in multi_instance instead of using malloc/free and use two states (deffered with and without result) instead of one to eliminate the counter that was only tested for > 0. Patch V5: Use new states in context_auth instead of the extra state that the patch series previously used. Patch V6: Restructure code to make it a bit more readable, rebase on master. Patch V7: move defferred bool into client connect handler calls, switch to switch case Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- src/openvpn/multi.c | 157 +++++++++++++++++++++++++++++------------- src/openvpn/multi.h | 15 +++- src/openvpn/openvpn.h | 9 +++ 3 files changed, 132 insertions(+), 49 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 97b7df16..9128798d 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1713,8 +1713,11 @@ multi_client_connect_post_plugin(struct multi_context *m, enum client_connect_return multi_client_connect_mda(struct multi_context *m, struct multi_instance *mi, + bool deferred, unsigned int *option_types_found) { + /* We never return CC_RET_DEFERRED */ + ASSERT(!deferred); enum client_connect_return ret = CC_RET_SKIPPED; #ifdef MANAGEMENT_DEF_AUTH if (mi->cc_config) @@ -1854,8 +1857,13 @@ multi_client_set_protocol_options(struct context *c) static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, + bool deferred, unsigned int *option_types_found) { + if (deferred) + { + return CC_RET_FAILED; + } enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN ASSERT(m); @@ -1907,8 +1915,13 @@ cleanup: static enum client_connect_return multi_client_connect_call_plugin_v2(struct multi_context *m, struct multi_instance *mi, + bool deferred, unsigned int *option_types_found) { + if (deferred) + { + return CC_RET_FAILED; + } enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN ASSERT(m); 
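Review bot: in the multi_client_connect_call_plugin_v1 and _v2 hunks, `if (deferred) { return CC_RET_FAILED; }` turns a re-entry that can never legitimately happen (neither handler returns CC_RET_DEFERRED here) into a silent connection failure, whereas the multi_client_connect_mda hunk above treats the same situation as a programming error with `ASSERT(!deferred);`. Use one convention across the handlers, or add a comment at the FAILED return saying it is a placeholder until the plugin handlers gain deferred support, so nobody later mistakes it for a deliberate policy.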
@@ -1949,8 +1962,13 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, static enum client_connect_return multi_client_connect_call_script(struct multi_context *m, struct multi_instance *mi, + bool deferred, unsigned int *option_types_found) { + if (deferred) + { + return CC_RET_FAILED; + } ASSERT(m); ASSERT(mi); @@ -2173,8 +2191,12 @@ multi_client_connect_early_setup(struct multi_context *m, static enum client_connect_return multi_client_connect_source_ccd(struct multi_context *m, struct multi_instance *mi, + bool deferred, unsigned int *option_types_found) { + /* Since we never return a CC_RET_DEFERRED, this indicates a serious + * problem */ + ASSERT(!deferred); enum client_connect_return ret = CC_RET_SKIPPED; if (mi->context.options.client_config_dir) { @@ -2225,32 +2247,18 @@ multi_client_connect_source_ccd(struct multi_context *m, return ret; } -static inline bool -cc_check_return(int *cc_succeeded_count, - enum client_connect_return ret) -{ - if (ret == CC_RET_SUCCEEDED) - { - (*cc_succeeded_count)++; - return true; - } - else if (ret == CC_RET_FAILED) - { - return false; - } - else if (ret == CC_RET_SKIPPED) - { - return true; - } - else - { - ASSERT(0); - } -} - typedef enum client_connect_return (*multi_client_connect_handler) (struct multi_context *m, struct multi_instance *mi, - unsigned int *option_types_found); + bool from_deferred, unsigned int *option_types_found); + +static const multi_client_connect_handler client_connect_handlers[] = { + multi_client_connect_source_ccd, + multi_client_connect_call_plugin_v1, + multi_client_connect_call_plugin_v2, + multi_client_connect_call_script, + multi_client_connect_mda, + NULL, +}; /* * Called as soon as the SSL/TLS connection is authenticated. 
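Review bot: in the typedef hunk the new parameter is named `from_deferred`, while every handler in this patch (multi_client_connect_call_script and multi_client_connect_source_ccd above included) calls it `deferred`; pick one name so the prototype and the implementations read the same. The new `client_connect_handlers[]` array relies on its trailing NULL to stop the loop in multi_connection_established(), and `cur_handler_index` is now state that survives across calls, so a one-line comment above the array that the NULL terminator is mandatory is cheap insurance against someone appending a handler after it.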
@@ -2280,27 +2288,74 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) return; } - multi_client_connect_handler handlers[] = { - multi_client_connect_source_ccd, - multi_client_connect_call_plugin_v1, - multi_client_connect_call_plugin_v2, - multi_client_connect_call_script, - multi_client_connect_mda, - NULL - }; + /* We are only called for the CAS_PENDING_x states, so we + * can ignore other states here */ + bool from_deferred = (mi->context.c2.context_auth != CAS_PENDING); - unsigned int option_types_found = 0; + int *cur_handler_index = &mi->client_connect_defer_state.cur_handler_index; + unsigned int *option_types_found = + &mi->client_connect_defer_state.option_types_found; - int cc_succeeded = true; /* client connect script status */ - int cc_succeeded_count = 0; - enum client_connect_return ret; + /* We are called for the first time */ + if (!from_deferred) + { + *cur_handler_index = 0; + *option_types_found = 0; + /* Initially we have no handler that has returned a result */ + mi->context.c2.context_auth = CAS_PENDING_DEFERRED; - multi_client_connect_early_setup(m, mi); + multi_client_connect_early_setup(m, mi); + } - for (int i = 0; cc_succeeded && handlers[i]; i++) + bool cc_succeeded = true; + + while (cc_succeeded + && client_connect_handlers[*cur_handler_index] != NULL) { - ret = handlers[i](m, mi, &option_types_found); - cc_succeeded = cc_check_return(&cc_succeeded_count, ret); + enum client_connect_return ret; + ret = client_connect_handlers[*cur_handler_index](m, mi, from_deferred, + option_types_found); + + from_deferred = false; + + switch (ret) + { + case CC_RET_SUCCEEDED: + /* + * Remember that we already had at least one handler + * returning a result should go to into deferred state + */ + mi->context.c2.context_auth = CAS_PENDING_DEFERRED_PARTIAL; + break; + + case CC_RET_SKIPPED: + /* + * Move on with the next handler without modifying any + * other state + */ + break; + + case CC_RET_DEFERRED: + /* + * we 
already set client_connect_status to DEFERRED_RESULT or + * DEFERRED_NO_RESULT. We just return + * from the function as having client_connect_status + */ + return; + + case CC_RET_FAILED: + /* + * One handler failed. We abort the chain and set the final + * result to failed + */ + cc_succeeded = false; + break; + + default: + ASSERT(0); + } + + (*cur_handler_index)++; } /* @@ -2312,18 +2367,24 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to " "'disable' directive"); cc_succeeded = false; - cc_succeeded_count = 0; } if (cc_succeeded) { - multi_client_connect_late_setup(m, mi, option_types_found); + multi_client_connect_late_setup(m, mi, *option_types_found); } else { - /* set context-level authentication flag */ - mi->context.c2.context_auth = - cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED; + /* set context-level authentication flag to failed but remember + * if had a handler succeed (for cleanup) */ + if (mi->context.c2.context_auth == CAS_PENDING_DEFERRED_PARTIAL) + { + mi->context.c2.context_auth = CAS_PARTIAL; + } + else + { + mi->context.c2.context_auth = CAS_FAILED; + } } /* increment number of current authenticated clients */ @@ -2624,7 +2685,7 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns { /* connection is "established" when SSL/TLS key negotiation succeeds * and (if specified) auth user/pass succeeds */ - if (mi->context.c2.context_auth == CAS_PENDING + if (is_cas_pending(mi->context.c2.context_auth) && CONNECTION_ESTABLISHED(&mi->context)) { multi_connection_established(m, mi); @@ -3579,7 +3640,7 @@ management_client_auth(void *arg, { if (auth) { - if (mi->context.c2.context_auth == CAS_PENDING) + if (is_cas_pending(mi->context.c2.context_auth)) { set_cc_config(mi, cc_config); cc_config_owned = false; 
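Review bot: the comment in the `case CC_RET_DEFERRED:` branch of the multi_connection_established() hunk says client_connect_status was set to DEFERRED_RESULT or DEFERRED_NO_RESULT, but no such states exist in this patch; the states the code actually sets are CAS_PENDING_DEFERRED (in the `!from_deferred` block) and CAS_PENDING_DEFERRED_PARTIAL (in the CC_RET_SUCCEEDED case), so reword it to something like "context_auth is already CAS_PENDING_DEFERRED or CAS_PENDING_DEFERRED_PARTIAL; return and wait to be called again". The CC_RET_SUCCEEDED comment ("returning a result should go to into deferred state") is also garbled; it should say that a later failure must end in CAS_PARTIAL rather than CAS_FAILED, which is exactly what the `@@ -2312` hunk below relies on.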
@@ -3591,7 +3652,7 @@ management_client_auth(void *arg, { msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason)); } - if (mi->context.c2.context_auth != CAS_PENDING) + if (!is_cas_pending(mi->context.c2.context_auth)) { send_auth_failed(&mi->context, client_reason); /* mid-session reauth failed */ multi_schedule_context_wakeup(m, mi); diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 1d30dcc6..11da0209 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -62,6 +62,18 @@ struct deferred_signal_schedule_entry struct timeval wakeup; }; +/** + * Detached client connection state. This is the state that is tracked while + * the client connect hooks are executed. + */ +struct client_connect_defer_state +{ + /* Index of currently executed handler. */ + int cur_handler_index; + /* Remember which option classes where processed for delayed option + * handling. */ + unsigned int option_types_found; +}; /** * Server-mode state structure for one single VPN tunnel. @@ -108,7 +120,7 @@ struct multi_instance { struct context context; /**< The context structure storing state * for this VPN tunnel. */ - + struct client_connect_defer_state client_connect_defer_state; #ifdef ENABLE_ASYNC_PUSH int inotify_watch; /* watch descriptor for acf */ #endif @@ -195,6 +207,7 @@ enum client_connect_return { CC_RET_FAILED, CC_RET_SUCCEEDED, + CC_RET_DEFERRED, CC_RET_SKIPPED }; diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 7c469b01..ccc7f118 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -217,6 +217,8 @@ struct context_1 enum client_connect_status { CAS_SUCCEEDED=0, CAS_PENDING, + CAS_PENDING_DEFERRED, + CAS_PENDING_DEFERRED_PARTIAL, /**< at least handler succeeded, no result yet*/ CAS_FAILED, CAS_PARTIAL, /**< Variant of CAS_FAILED: at least one * client-connect script/plugin succeeded 
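Review bot: in the multi.h `struct client_connect_defer_state` hunk, "which option classes where processed" should read "were processed", and "Detached client connection state" does not match the struct name; "Deferred client-connect state" would. In the `@@ -108` hunk the new member replaces the blank line after `struct context context;` instead of being added below it; keep the blank line so the doxygen block stays visually attached to `context`.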
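Review bot: in the openvpn.h `enum client_connect_status` hunk the comment on CAS_PENDING_DEFERRED_PARTIAL, "at least handler succeeded, no result yet", is missing a word; "at least one handler succeeded, final result still pending" would mirror the CAS_PARTIAL wording below it. CAS_PENDING_DEFERRED itself gets no comment at all; a note that it is the state entered on the first multi_connection_established() call would tell readers why three pending states exist.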
@@ -225,6 +227,13 @@ enum client_connect_status { */ }; +static inline bool +is_cas_pending(enum client_connect_status cas) +{ + return cas == CAS_PENDING || cas == CAS_PENDING_DEFERRED + || cas == CAS_PENDING_DEFERRED_PARTIAL; +} + /** * Level 2 %context containing state that is reset on both \c SIGHUP and * \c SIGUSR1 restarts.

From patchwork Thu Jul 16 03:43:11 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1270
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 16 Jul 2020 15:43:11 +0200
Message-Id: <20200716134315.17742-2-arne@rfc2549.org>
In-Reply-To: <20200716134315.17742-1-arne@rfc2549.org>
References: <20200716134315.17742-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v7 2/6] client-connect: Add deferred support to the client-connect script handler
From: Fabian Knittel

This patch introduces the concept of a return value file for the client-connect handlers. (This is very similar to the auth value file used during deferred authentication.) The file name is stored in the client_connect_state struct.

In addition, the patch also allows the storage of the client config file name in struct client_connect_state.

Both changes are used by the client-connect script handler to support deferred client-connection handling.

The deferred return value file (deferred_ret_file) is passed to the actual script via the environment. If the script succeeds and writes the value for deferral into the deferred_ret_file, the handler knows to indicate deferral. Later on, the deferred handler checks whether the value of the deferred_ret_file has been updated to success or failure.

Signed-off-by: Fabian Knittel
Signed-off-by: Arne Schwabe
---
 src/openvpn/multi.c | 226 +++++++++++++++++++++++++++++++++++++++++---
 src/openvpn/multi.h | 12 +++
 2 files changed, 225 insertions(+), 13 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 9128798d..e26daeea 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1854,6 +1854,168 @@ multi_client_set_protocol_options(struct context *c) } } +/** + * Delete the temporary file for the return value of client connect + * It also removes it from it from client_connect_defer_state and + * environment + */ +static void +ccs_delete_deferred_ret_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + if (ccs->deferred_ret_file) + { + setenv_del(mi->context.c2.es, "client_connect_deferred_file"); + if (!platform_unlink(ccs->deferred_ret_file)) + { + msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", + ccs->deferred_ret_file); + } + free(ccs->deferred_ret_file); + ccs->deferred_ret_file = NULL; + } +} + +/** + * Create a temporary file for the return value of client connect + * and puts it into the client_connect_defer_state and environment + * as "client_connect_deferred_file" + * + * @return boolean value if creation was successfull + */ +static bool +ccs_gen_deferred_ret_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + struct gc_arena gc = gc_new(); + const char *fn; + + if (ccs->deferred_ret_file) + { + ccs_delete_deferred_ret_file(mi); + } + + fn = platform_create_temp_file(mi->context.options.tmp_dir, "ccr", &gc); + if (!fn) + { + gc_free(&gc); + return false; + } + ccs->deferred_ret_file = string_alloc(fn, NULL); + + setenv_str(mi->context.c2.es, "client_connect_deferred_file", + ccs->deferred_ret_file); + + gc_free(&gc); + return true; +} + +/** + * Tests whether the deferred return value file exists and returns the + * contained return value. + * + * @return CC_RET_SKIPPED if the file does not exist or is empty. + * CC_RET_DEFERRED, CC_RET_SUCCEEDED or CC_RET_FAILED depending on + * the value stored in the file. 
+ */ +static enum client_connect_return +ccs_test_deferred_ret_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + enum client_connect_return ret = CC_RET_SKIPPED; + FILE *fp = fopen(ccs->deferred_ret_file, "r"); + if (fp) + { + const int c = fgetc(fp); + switch (c) + { + case '0': + ret = CC_RET_FAILED; + break; + + case '1': + ret = CC_RET_SUCCEEDED; + break; + + case '2': + ret = CC_RET_DEFERRED; + break; + + case EOF: + if (feof(fp)) + { + ret = CC_RET_SKIPPED; + break; + } + + /* Not EOF, but other error fall through to error state */ + default: + /* We received an unknown/unexpected value. Assume failure. */ + msg(M_WARN, "WARNING: Unknown/unexcepted value in deferred" + "client-connect resultfile"); + ret = CC_RET_FAILED; + } + fclose(fp); + } + return ret; +} + +/** + * Deletes the temporary file for the config directives of the client connect + * script and removes it into the client_connect_defer_state and environment + * + */ +static void +ccs_delete_config_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + if (ccs->config_file) + { + setenv_del(mi->context.c2.es, "client_connect_config_file"); + if (!platform_unlink(ccs->config_file)) + { + msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", + ccs->config_file); + } + free(ccs->config_file); + ccs->config_file = NULL; + } +} + +/** + * Create a temporary file for the config directives of the client connect + * script and puts it into the client_connect_defer_state and environment + * as "client_connect_config_file" + * + * @return boolean value if creation was successfull + */ +static bool +ccs_gen_config_file(struct multi_instance *mi) +{ + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + struct gc_arena gc = gc_new(); + const char *fn; + + if (ccs->config_file) + { + ccs_delete_config_file(mi); + } + + fn = 
platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc); + if (!fn) + { + gc_free(&gc); + return false; + } + ccs->config_file = string_alloc(fn, NULL); + + setenv_str(mi->context.c2.es, "client_connect_config_file", + ccs->config_file); + + gc_free(&gc); + return true; +} + static enum client_connect_return multi_client_connect_call_plugin_v1(struct multi_context *m, struct multi_instance *mi, @@ -1954,7 +2116,39 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, return ret; } +static enum client_connect_return +multi_client_connect_script_deferred(struct multi_context *m, + struct multi_instance *mi, + unsigned int *option_types_found) +{ + ASSERT(mi); + ASSERT(option_types_found); + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); + enum client_connect_return ret = CC_RET_SKIPPED; + + ret = ccs_test_deferred_ret_file(mi); + if (ret == CC_RET_SKIPPED) + { + /* + * Skipped and deferred are equivalent in this context. + * skipped means that the called program has not yet + * written a return status implicitly needing more time + * while deferred is the explicit notification that it + * needs more time + */ + ret = CC_RET_DEFERRED; + } + + if (ret != CC_RET_DEFERRED) + { + ccs_delete_deferred_ret_file(mi); + multi_client_connect_post(m, mi, ccs->config_file, + option_types_found); + ccs_delete_config_file(mi); + } + return ret; +} /** * Runs the --client-connect script if one is defined. 
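Review bot: in ccs_test_deferred_ret_file() the warning is assembled from two adjacent string literals, `"... value in deferred"` and `"client-connect resultfile"`, so it logs "deferredclient-connect"; add the missing space and fix "unexcepted". In the same function the `case EOF:` path falls into `default:` when feof() is false, which is the right outcome for a read error, but a comment naming ferror() as the case meant would make the fall-through read as intentional. The new doc comments also need a pass: "It also removes it from it from", "removes it into the client_connect_defer_state" (should be "from"), and "successfull" twice.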
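Review bot: in multi_client_connect_script_deferred() the initializer `enum client_connect_return ret = CC_RET_SKIPPED;` is overwritten on the very next statement by the ccs_test_deferred_ret_file() result; drop it. More importantly, nothing in this hunk bounds how long an instance stays deferred when the script never writes a verdict (an empty file is mapped to CC_RET_DEFERRED on every re-entry), so either state in the commit message which existing timeout eventually tears such an instance down or add one here; otherwise a hung or crashed external check leaves half-connected clients resident indefinitely.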
@@ -1967,48 +2161,54 @@ multi_client_connect_call_script(struct multi_context *m, { if (deferred) { - return CC_RET_FAILED; + return multi_client_connect_script_deferred(m, mi, option_types_found); } ASSERT(m); ASSERT(mi); enum client_connect_return ret = CC_RET_SKIPPED; + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); if (mi->context.options.client_connect_script) { struct argv argv = argv_new(); struct gc_arena gc = gc_new(); - const char *dc_file = NULL; setenv_str(mi->context.c2.es, "script_type", "client-connect"); - dc_file = platform_create_temp_file(mi->context.options.tmp_dir, - "cc", &gc); - if (!dc_file) + if (!ccs_gen_config_file(mi) + || !ccs_gen_deferred_ret_file(mi)) { ret = CC_RET_FAILED; goto cleanup; } argv_parse_cmd(&argv, mi->context.options.client_connect_script); - argv_printf_cat(&argv, "%s", dc_file); + argv_printf_cat(&argv, "%s", ccs->config_file); if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect")) { - multi_client_connect_post(m, mi, dc_file, option_types_found); - ret = CC_RET_SUCCEEDED; + if (ccs_test_deferred_ret_file(mi) == CC_RET_DEFERRED) + { + ret = CC_RET_DEFERRED; + } + else + { + multi_client_connect_post(m, mi, ccs->config_file, + option_types_found); + ret = CC_RET_SUCCEEDED; + } } else { ret = CC_RET_FAILED; } - - if (!platform_unlink(dc_file)) +cleanup: + if (ret != CC_RET_DEFERRED) { - msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", - dc_file); + ccs_delete_config_file(mi); + ccs_delete_deferred_ret_file(mi); } -cleanup: argv_free(&argv); gc_free(&gc); } diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 11da0209..3ebf6b9f 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h 
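Review bot: on the synchronous path the status file is only checked for CC_RET_DEFERRED; a script that exits 0 but writes '0' into the deferred file is treated as CC_RET_SUCCEEDED here, while the same byte read later by multi_client_connect_script_deferred() means failure. Either honour CC_RET_FAILED from ccs_test_deferred_ret_file() on this path as well, or document that in the non-deferred case the exit status alone decides. Also, when `ret == CC_RET_DEFERRED` the two temporary files are deliberately kept, but nothing in this patch unlinks and frees `deferred_ret_file` and `config_file` if the instance is closed while still deferred; that cleanup needs to be added (or pointed to) so a disconnect mid-deferral does not leak files in tmp_dir.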
@@ -73,6 +73,18 @@ struct client_connect_defer_state /* Remember which option classes where processed for delayed option * handling. */ unsigned int option_types_found; + + /** + * The temporrary file name that contains the return status of the + * client-connect script if it exits with defer as status + */ + char *deferred_ret_file; + + /** + * The temporary file name that contains the config directives + * returned by the client-connect script + */ + char *config_file; }; /**

From patchwork Thu Jul 16 03:43:12 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1268
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 16 Jul 2020 15:43:12 +0200
Message-Id: <20200716134315.17742-3-arne@rfc2549.org>
In-Reply-To: <20200716134315.17742-1-arne@rfc2549.org>
References: <20200716134315.17742-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v7 3/6] client-connect: Use inotify for the deferred client-connect status file

As we never do client-connect and authentication at the same time, it is safe to reuse the existing fields for the client-connect return status file.
Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index e26daeea..60c2af09 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2603,8 +2603,10 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) #ifdef ENABLE_ASYNC_PUSH /* - * Called when inotify event is fired, which happens when acf file is closed or deleted. - * Continues authentication and sends push_reply. + * Called when inotify event is fired, which happens when acf + * or connect-status file is closed or deleted. + * Continues authentication and sends push_reply + * (or be deferred again by client-connect) */ void multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags) 
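Review bot: grammar in the reworded comment block: "(or be deferred again by client-connect)" should read "(or is deferred again by client-connect)", and the full stop the old version had after "sends push_reply" is lost. Since multi_process_file_closed() now resolves two different files, it would also help to say here that the "connect-status file" is the deferred_ret_file whose watch is registered in multi_process_post() (second hunk of this patch), so a reader knows where the second inotify event comes from.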
@@ -2890,7 +2892,15 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns { multi_connection_established(m, mi); } - +#if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) + if (is_cas_pending(mi->context.c2.context_auth) + && mi->client_connect_defer_state.deferred_ret_file) + { + add_inotify_file_watch(m, mi, m->top.c2.inotify_fd, + mi->client_connect_defer_state. + deferred_ret_file); + } +#endif /* tell scheduler to wake us up at some point in the future */ multi_schedule_context_wakeup(m, mi); } From patchwork Thu Jul 16 03:43:13 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1266 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id kK/JFLlZEF+1fAAAIUCqbw for ; Thu, 16 Jul 2020 09:44:25 -0400 Received: from proxy17.mail.iad3b.rsapps.net ([172.31.255.6]) by director7.mail.ord1d.rsapps.net with LMTP id WA09ErlZEF9yTgAAovjBpQ ; Thu, 16 Jul 2020 09:44:25 -0400 Received: from smtp17.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy17.mail.iad3b.rsapps.net with LMTP id eItZDLlZEF9cOQAA5ccGVQ ; Thu, 16 Jul 2020 09:44:25 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp17.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 75832d7a-c76a-11ea-95c1-52540094e46f-1-1 Received: 
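Review bot: the new block in multi_process_post() calls add_inotify_file_watch() on mi->client_connect_defer_state.deferred_ret_file every time this function is reached while is_cas_pending() holds, and nothing in the hunk prevents the same file from being registered again if multi_process_post() runs a second time before the deferral resolves; either document that add_inotify_file_watch() replaces any existing watch for this instance, or guard the call with a state check so only the first pass after the deferral adds the watch. Style: splitting the member access across two lines (`mi->client_connect_defer_state.` / `deferred_ret_file`) is hard to read; a local `struct client_connect_defer_state *ccs`, as the v1 handler in patch 4/6 of this series introduces, would keep the call on one line.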
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 16 Jul 2020 15:43:13 +0200
Message-Id: <20200716134315.17742-4-arne@rfc2549.org>
In-Reply-To: <20200716134315.17742-1-arne@rfc2549.org>
References: <20200716134315.17742-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v7 4/6] client-connect: Add deferred support to the client-connect plugin v1 handler

From: Fabian Knittel

Uses the infrastructure provided and used in the previous patch to provide deferral support to the v1 client-connect plugin handler as well.
Signed-off-by: Fabian Knittel PATCH V3: Modify the API to also (optionally) call the plugin on a deferred call. This allows the plugin authors to be more flexible and make the V1 API more similar to the V2 API. Signed-off-by: Arne Schwabe --- include/openvpn-plugin.h.in | 29 +++++++------- src/openvpn/multi.c | 78 ++++++++++++++++++++++++++----------- src/openvpn/plugin.c | 3 ++ 3 files changed, 73 insertions(+), 37 deletions(-) diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in index 103844f7..99aa1678 100644 --- a/include/openvpn-plugin.h.in +++ b/include/openvpn-plugin.h.in @@ -116,20 +116,21 @@ extern "C" { * FUNC: openvpn_plugin_client_destructor_v1 (top-level "generic" client) * FUNC: openvpn_plugin_close_v1 */ -#define OPENVPN_PLUGIN_UP 0 -#define OPENVPN_PLUGIN_DOWN 1 -#define OPENVPN_PLUGIN_ROUTE_UP 2 -#define OPENVPN_PLUGIN_IPCHANGE 3 -#define OPENVPN_PLUGIN_TLS_VERIFY 4 -#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY 5 -#define OPENVPN_PLUGIN_CLIENT_CONNECT 6 -#define OPENVPN_PLUGIN_CLIENT_DISCONNECT 7 -#define OPENVPN_PLUGIN_LEARN_ADDRESS 8 -#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2 9 -#define OPENVPN_PLUGIN_TLS_FINAL 10 -#define OPENVPN_PLUGIN_ENABLE_PF 11 -#define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 -#define OPENVPN_PLUGIN_N 13 +#define OPENVPN_PLUGIN_UP 0 +#define OPENVPN_PLUGIN_DOWN 1 +#define OPENVPN_PLUGIN_ROUTE_UP 2 +#define OPENVPN_PLUGIN_IPCHANGE 3 +#define OPENVPN_PLUGIN_TLS_VERIFY 4 +#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY 5 +#define OPENVPN_PLUGIN_CLIENT_CONNECT 6 +#define OPENVPN_PLUGIN_CLIENT_DISCONNECT 7 +#define OPENVPN_PLUGIN_LEARN_ADDRESS 8 +#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2 9 +#define OPENVPN_PLUGIN_TLS_FINAL 10 +#define OPENVPN_PLUGIN_ENABLE_PF 11 +#define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 +#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER 13 +#define OPENVPN_PLUGIN_N 14 /* * Build a mask out of a set of plug-in types. diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 60c2af09..a15e37a4 100644 
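Review bot: the whole OPENVPN_PLUGIN_* block in openvpn-plugin.h.in is rewritten only to realign the values, which buries the one functional change (OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER 13 and OPENVPN_PLUGIN_N bumped to 14) in thirteen lines of whitespace churn; keep the old alignment or move the realignment into its own cleanup commit so the ABI-relevant change stands out. The new hook also gets no entry in the FUNC list comment directly above and no description of when it is called or which return codes are expected; the header documentation only arrives in patch 6/6, so at least a one-line comment next to the define would help anyone reading the header at this intermediate commit.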
--- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -2022,53 +2022,85 @@ multi_client_connect_call_plugin_v1(struct multi_context *m, bool deferred, unsigned int *option_types_found) { - if (deferred) - { - return CC_RET_FAILED; - } enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN ASSERT(m); ASSERT(mi); ASSERT(option_types_found); + struct client_connect_defer_state *ccs = &(mi->client_connect_defer_state); /* deprecated callback, use a file for passing back return info */ if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT)) { struct argv argv = argv_new(); - struct gc_arena gc = gc_new(); - const char *dc_file = - platform_create_temp_file(mi->context.options.tmp_dir, "cc", &gc); + int call; - if (!dc_file) + if (!deferred) { - ret = CC_RET_FAILED; - goto cleanup; + call = OPENVPN_PLUGIN_CLIENT_CONNECT; + if (!ccs_gen_config_file(mi) + || !ccs_gen_deferred_ret_file(mi)) + { + ret = CC_RET_FAILED; + goto cleanup; + } + } + else + { + call = OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER; + /* the initial call should have created these files */ + ASSERT(ccs->config_file); + ASSERT(ccs->deferred_ret_file); } - argv_printf(&argv, "%s", dc_file); - if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, - &argv, NULL, mi->context.c2.es) - != OPENVPN_PLUGIN_FUNC_SUCCESS) + argv_printf(&argv, "%s", ccs->config_file); + int plug_ret = plugin_call(mi->context.plugins, call, + &argv, NULL, mi->context.c2.es); + if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS) { - msg(M_WARN, "WARNING: client-connect plugin call failed"); - ret = CC_RET_FAILED; + multi_client_connect_post(m, mi, ccs->config_file, + option_types_found); + ret = CC_RET_SUCCEEDED; + } + else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED) + { + ret = CC_RET_DEFERRED; + /** + * Contrary to the plugin v2 API, we do not demand a working + * deferred plugin as all return can be handled by the files + * and plugin_call return success if a plugin is not defined + */ } else { - multi_client_connect_post(m, mi, dc_file, 
option_types_found); - ret = CC_RET_SUCCEEDED; + msg(M_WARN, "WARNING: client-connect plugin call failed"); + ret = CC_RET_FAILED; } - if (!platform_unlink(dc_file)) + + /** + * plugin api v1 client connect async feature has both plugin and + * file return status, so in case that the file has a code that + * demands override, we override our return code + */ + int file_ret = ccs_test_deferred_ret_file(mi); + + if (file_ret == CC_RET_FAILED) { - msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s", - dc_file); + ret = CC_RET_FAILED; + } + else if (ret == CC_RET_SUCCEEDED && file_ret == CC_RET_DEFERRED) + { + ret = CC_RET_DEFERRED; } - cleanup: argv_free(&argv); - gc_free(&gc); + + if (ret != CC_RET_DEFERRED) + { + ccs_delete_config_file(mi); + ccs_delete_deferred_ret_file(mi); + } } #endif /* ifdef ENABLE_PLUGIN */ return ret; diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 4de1d6b7..ea18592f 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c 
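Review bot: in the OPENVPN_PLUGIN_FUNC_SUCCESS branch multi_client_connect_post() is called on ccs->config_file before ccs_test_deferred_ret_file() is consulted; if the plugin returns success but has written '2' into the deferred return file, ret is changed to CC_RET_DEFERRED only after the (possibly still incomplete) config file has already been applied, and the later deferred call will apply it a second time. Read the return file first and call multi_client_connect_post() only when the combined result is CC_RET_SUCCEEDED. Smaller points: the two in-function comments open with `/**`, which marks them as doxygen comments although they document no symbol, and "as all return can be handled by the files and plugin_call return success if a plugin is not defined" needs rewording, e.g. "as all results can be returned via the files, and plugin_call() returns success when no plugin is registered for the call".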
@@ -104,6 +104,9 @@ plugin_type_name(const int type) case OPENVPN_PLUGIN_CLIENT_CONNECT_V2: return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER: + return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_DISCONNECT: return "PLUGIN_CLIENT_DISCONNECT"; From patchwork Thu Jul 16 03:43:14 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1269 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id sP9WNclZEF+aRQAAIUCqbw for ; Thu, 16 Jul 2020 09:44:41 -0400 Received: from proxy10.mail.iad3b.rsapps.net ([172.31.255.6]) by director12.mail.ord1d.rsapps.net with LMTP id qBWrMslZEF8+aQAAIasKDg ; Thu, 16 Jul 2020 09:44:41 -0400 Received: from smtp34.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy10.mail.iad3b.rsapps.net with LMTP id yKvDLMlZEF+OdwAA/F5p9A ; Thu, 16 Jul 2020 09:44:41 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp34.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 7f5fdeb0-c76a-11ea-8f9e-5254005e8ddb-1-1 Received: from [216.105.38.7] ([216.105.38.7:49744] helo=lists.sourceforge.net) by smtp34.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 11/DB-19352-9C9501F5; Thu, 16 Jul 2020 09:44:41 -0400 
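Review bot: plugin_type_name() returns "PLUGIN_CLIENT_CONNECT" for OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER, the same string the adjacent OPENVPN_PLUGIN_CLIENT_CONNECT_V2 case returns, so log lines that name the plugin call cannot tell the initial call from the deferred follow-up; returning "PLUGIN_CLIENT_CONNECT_DEFER" would make the deferred path visible when debugging a plugin that never completes.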
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 16 Jul 2020 15:43:14 +0200
Message-Id: <20200716134315.17742-5-arne@rfc2549.org>
In-Reply-To: <20200716134315.17742-1-arne@rfc2549.org>
References: <20200716134315.17742-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v7 5/6] client-connect: Implement deferred connect support for plugin API v2

The V2 API is simpler than the V1 API since there is no passing of data via files. This also means that with the current API the V2 API cannot support async notify via files. Adding a file just for async notify seems very hacky and when needed we should implement a better option when async is needed for the plugin V2 API.
Signed-off-by: Arne Schwabe --- include/openvpn-plugin.h.in | 3 ++- src/openvpn/multi.c | 36 ++++++++++++++++++++++++------------ src/openvpn/plugin.c | 3 +++ 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in index 99aa1678..38fbe097 100644 --- a/include/openvpn-plugin.h.in +++ b/include/openvpn-plugin.h.in @@ -130,7 +130,8 @@ extern "C" { #define OPENVPN_PLUGIN_ENABLE_PF 11 #define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 #define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER 13 -#define OPENVPN_PLUGIN_N 14 +#define OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 14 +#define OPENVPN_PLUGIN_N 15 /* * Build a mask out of a set of plug-in types. diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a15e37a4..39878e90 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
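Review bot: OPENVPN_PLUGIN_N moves from 14 to 15 here, one patch after it moved from 13 to 14, so a plugin built against the intermediate header sees a different count than one built against either end of the series; adding both constants in one header change, or at least stating in the commit message that OPENVPN_PLUGIN_N changed, would make the ABI step easier to track. As in the previous patch the new define carries no comment, and the requirement from the commit message, that a V2 plugin which defers must implement OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2, is exactly what a plugin author expects to find next to the constant.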
@@ -2112,36 +2112,48 @@ multi_client_connect_call_plugin_v2(struct multi_context *m, bool deferred, unsigned int *option_types_found) { - if (deferred) - { - return CC_RET_FAILED; - } enum client_connect_return ret = CC_RET_SKIPPED; #ifdef ENABLE_PLUGIN ASSERT(m); ASSERT(mi); ASSERT(option_types_found); + int call = deferred ? OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 : + OPENVPN_PLUGIN_CLIENT_CONNECT_V2; /* V2 callback, use a plugin_return struct for passing back return info */ - if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2)) + if (plugin_defined(mi->context.plugins, call)) { struct plugin_return pr; plugin_return_init(&pr); - if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, - NULL, &pr, mi->context.c2.es) - != OPENVPN_PLUGIN_FUNC_SUCCESS) + int plug_ret = plugin_call(mi->context.plugins, call, + NULL, &pr, mi->context.c2.es); + if (plug_ret == OPENVPN_PLUGIN_FUNC_SUCCESS) { - msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); - ret = CC_RET_FAILED; + multi_client_connect_post_plugin(m, mi, &pr, option_types_found); + ret = CC_RET_SUCCEEDED; + } + else if (plug_ret == OPENVPN_PLUGIN_FUNC_DEFERRED) + { + ret = CC_RET_DEFERRED; + if (!(plugin_defined(mi->context.plugins, + OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2))) + { + msg(M_WARN, "A plugin that defers from the " + "OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call must also " + "declare support for " + "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2"); + ret = CC_RET_FAILED; + } } else { - multi_client_connect_post_plugin(m, mi, &pr, option_types_found); - ret = CC_RET_SUCCEEDED; + msg(M_WARN, "WARNING: client-connect-v2 plugin call failed"); + ret = CC_RET_FAILED; } + plugin_return_free(&pr); } #endif /* ifdef ENABLE_PLUGIN */ diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index ea18592f..80abb730 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c 
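Review bot: the check that an OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 handler exists runs only after plugin_call() has already returned OPENVPN_PLUGIN_FUNC_DEFERRED, i.e. after the plugin has started whatever background work it deferred to; OpenVPN then fails the connection while the plugin still believes a deferred result is awaited and is never told otherwise. Checking plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2) before the initial OPENVPN_PLUGIN_CLIENT_CONNECT_V2 call, or once at plugin load time, avoids leaving the plugin with a dangling deferred operation. Minor: the double parentheses in `if (!(plugin_defined(...)))` are redundant.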
@@ -107,6 +107,9 @@ plugin_type_name(const int type) case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER: return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2: + return "PLUGIN_CLIENT_CONNECT"; + case OPENVPN_PLUGIN_CLIENT_DISCONNECT: return "PLUGIN_CLIENT_DISCONNECT"; From patchwork Thu Jul 16 03:43:15 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1265 X-Patchwork-Delegate: davids@openvpn.net Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id yLU6C7lZEF+bEwAAIUCqbw for ; Thu, 16 Jul 2020 09:44:25 -0400 Received: from proxy18.mail.iad3b.rsapps.net ([172.31.255.6]) by director10.mail.ord1d.rsapps.net with LMTP id cNIZCLlZEF9nXgAApN4f7A ; Thu, 16 Jul 2020 09:44:25 -0400 Received: from smtp13.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy18.mail.iad3b.rsapps.net with LMTP id EDY2AblZEF/2HAAA3NpJmQ ; Thu, 16 Jul 2020 09:44:25 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp13.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 757b3d18-c76a-11ea-a42c-5254001dfc40-1-1 Received: from [216.105.38.7] ([216.105.38.7:50894] helo=lists.sourceforge.net) by smtp13.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 
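Review bot: same naming concern as for the V1 constant in the previous patch: OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 is reported as "PLUGIN_CLIENT_CONNECT", indistinguishable in the log from the V2 initial call and from the V1 hooks; a distinct string such as "PLUGIN_CLIENT_CONNECT_DEFER_V2" costs nothing and helps when tracing a deferral that never completes.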
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 16 Jul 2020 15:43:15 +0200
Message-Id: <20200716134315.17742-6-arne@rfc2549.org>
In-Reply-To: <20200716134315.17742-1-arne@rfc2549.org>
References: <20200716134315.17742-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v7 6/6] client-connect: Add documentation for the deferred client connect feature

Patch V5: Fix typos, clarify man page section about deferred client-connect script. Add section to Changes.rst.

Signed-off-by: Arne Schwabe
---
 Changes.rst                 |  4 +++
 doc/openvpn.8               | 55 +++++++++++++++++++++++++++++++++++--
 include/openvpn-plugin.h.in | 21 ++++++++++----
 3 files changed, 71 insertions(+), 9 deletions(-)
diff --git a/Changes.rst b/Changes.rst index 18b03e47..a3a8f7b7 100644 --- a/Changes.rst +++ b/Changes.rst @@ -3,6 +3,10 @@ Overview of changes in 2.5 New features ------------ +Deferred client-connect + client-connect and the connect plugin API allow now asynchronous/deferred + return of the configuration file in the same way as the auth-plugin. + Client-specific tls-crypt keys (``--tls-crypt-v2``) ``tls-crypt-v2`` adds the ability to supply each client with a unique tls-crypt key. This allows large organisations and VPN providers to profit diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 03ae5ac5..7a0080bf 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3422,6 +3422,13 @@ is significant. If .B script returns a non\-zero error status, it will cause the client to be disconnected. + +If a +.B \-\-client\-connect cmd +wants to defer the generating of the configuration the script, should +use the client_connect_deferred_file and client_connect_config_file +environment variables and write status accordingly into these files +(See the environment section below for more details). .\"********************************************************* .TP .B \-\-client\-disconnect cmd @@ -3505,12 +3512,18 @@ This directory will be used by in the following cases: * .B \-\-client\-connect -scripts to dynamically generate client\-specific -configuration files. +scripts and +.B OPENVPN_PLUGIN_CLIENT_CONNECT +plugin hook +to dynamically generate client\-specific configuration files +and return success/failure via client_connect_deferred_file +when using deferred client connect method * .B OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY -plugin hook to return success/failure via auth_control_file +and + +plugin hook to return success/failure via auth_control_file/ when using deferred auth method * 
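Review bot: the Changes.rst entry reads "client-connect and the connect plugin API allow now asynchronous/deferred return of the configuration file in the same way as the auth-plugin"; word order and naming should follow the neighbouring entries, e.g. "``--client-connect`` scripts and the client-connect plugin API now allow asynchronous/deferred return of the client configuration, in the same way as deferred authentication."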
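Review bot: the new openvpn.8 paragraph under --client-connect has a misplaced comma, "wants to defer the generating of the configuration the script, should use", which should read "wants to defer generating the configuration, the script should use ..."; and "write status accordingly into these files" leaves open which file carries what, so say that the status code goes into client_connect_deferred_file and the configuration into client_connect_config_file.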
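Review bot: the --tmp-dir hunk looks unfinished: after "OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY" it adds a bare "and" followed by an empty line, and the next line now ends in "auth_control_file/" with a trailing slash and no second file name. Either complete the sentence (name the second hook and the second control file) or drop the "and" and the slash so the man page does not render a dangling conjunction.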
@@ -6654,6 +6667,42 @@ Set prior to execution of the script. .\"********************************************************* .TP +.B client_connect_config_file +The path to the configuration file that should be written by +the +.B \-\-client\-connect +script. The content of this environment variable is identical +to the file as a argument of the called +.B \-\-client\-connect +script. +.\"********************************************************* +.TP +.B client_connect_deferred_file +This file can be optionally written to communicate a status +code of the +.TP +.B \-\-client\-connect +script. If used for deferring, this file must be written +before the +.B \-\-client\-connect +script exits. The first character in the file has to be +'1' is to indicate normal script execution, '0' indicates an +error (in the same way that a non zero exit status does) and +'2' indicates that the script deferred returning the config +file. When the script defers returning the configuration, it +must also write '2' to to the file to indicate the deferral. +A background process or similar must then take care of writing the +configuration to the file indicated by the +.B +client_connect_config_file +environment variable and when finished, write the a '1' to this +file (or '0' in case of an error). + +The absence of any character in the file when the script finishes +executing is interpreted the same as '1'. This allows script that +are not written to support the defer mechanism to be used unmodified. +.\"********************************************************* +.TP .B common_name The X509 common name of an authenticated client. Set prior to execution of diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in index 38fbe097..64b20886 100644 --- a/include/openvpn-plugin.h.in +++ b/include/openvpn-plugin.h.in 
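Review bot: the client_connect_deferred_file entry in the environment section has a stray ".TP" in the middle of the sentence "communicate a status code of the .TP .B \-\-client\-connect script"; that starts a new tagged paragraph mid-sentence and renders the option name as a separate entry, so remove it. Further wording fixes in the same hunk: "'1' is to indicate" (drop "is"), "write '2' to to the file", "write the a '1' to this file", "This allows script that are not written" (scripts), "identical to the file as a argument" (an argument), and for consistency with the surrounding entries the bare ".B" line before "client_connect_config_file" should be ".B client_connect_config_file" on one line.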
@@ -557,12 +557,21 @@ OPENVPN_PLUGIN_DEF openvpn_plugin_handle_t OPENVPN_PLUGIN_FUNC(openvpn_plugin_op * OPENVPN_PLUGIN_FUNC_SUCCESS on success, OPENVPN_PLUGIN_FUNC_ERROR on failure * * In addition, OPENVPN_PLUGIN_FUNC_DEFERRED may be returned by - * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY. This enables asynchronous - * authentication where the plugin (or one of its agents) may indicate - * authentication success/failure some number of seconds after the return - * of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler by writing a single - * char to the file named by auth_control_file in the environmental variable - * list (envp). + * OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, OPENVPN_PLUGIN_CLIENT_CONNECT and + * OPENVPN_PLUGIN_CLIENT_CONNECT_V2. This enables asynchronous + * authentication or client connect where the plugin (or one of its agents) + * may indicate authentication success/failure or client configuration some + * number of seconds after the return of the function handler. + * For OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY and OPENVPN_PLUGIN_CLIENT_CONNECT + * this is done by writing a single char to the file named by + * auth_control_file/client_connect_deferred_file + * in the environmental variable list (envp). + * + * In addition the OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER and + * OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 are called when OpenVPN tries to + * get the deferred result. For a V2 call implementing this function is + * required as information is not passed by files. For the normal version + * the call is optional. * * first char of auth_control_file: * '0' -- indicates auth failure
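Review bot: the updated comment says OPENVPN_PLUGIN_CLIENT_CONNECT reports its deferred result "by writing a single char to the file named by auth_control_file/client_connect_deferred_file", but the legend that follows ("first char of auth_control_file: '0' -- indicates auth failure", ...) is not extended, while the openvpn.8 hunk above defines a third value, '2', meaning the script or plugin deferred; add the '2' value and the client_connect_deferred_file semantics to this legend, since plugin authors read this header rather than the man page. Grammar: "In addition the OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER and OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 are called" should be "In addition, OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER and OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2 are called".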