mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 12:02:28 +02:00
Move auth deferred related members into its own struct
This structures the code a bit nicer and also prepares for deferred scripts that needs their own set of files. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20210317130312.8585-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21671.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
parent
6ea62d5072
commit
c5fec838e7
@ -993,7 +993,7 @@ key_state_free(struct key_state *ks, bool clear)
|
|||||||
|
|
||||||
packet_id_free(&ks->crypto_options.packet_id);
|
packet_id_free(&ks->crypto_options.packet_id);
|
||||||
|
|
||||||
key_state_rm_auth_control_files(ks);
|
key_state_rm_auth_control_files(&ks->plugin_auth);
|
||||||
|
|
||||||
if (clear)
|
if (clear)
|
||||||
{
|
{
|
||||||
|
@ -145,6 +145,13 @@ enum ks_auth_state {
|
|||||||
*/
|
*/
|
||||||
};
|
};
|
||||||
|
|
||||||
|
struct auth_deferred_status
|
||||||
|
{
|
||||||
|
char *auth_control_file;
|
||||||
|
char *auth_pending_file;
|
||||||
|
unsigned int auth_control_status;
|
||||||
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Security parameter state of one TLS and data channel %key session.
|
* Security parameter state of one TLS and data channel %key session.
|
||||||
* @ingroup control_processor
|
* @ingroup control_processor
|
||||||
@ -212,10 +219,9 @@ struct key_state
|
|||||||
unsigned int mda_key_id;
|
unsigned int mda_key_id;
|
||||||
unsigned int mda_status;
|
unsigned int mda_status;
|
||||||
#endif
|
#endif
|
||||||
unsigned int auth_control_status;
|
|
||||||
time_t acf_last_mod;
|
time_t acf_last_mod;
|
||||||
char *auth_control_file;
|
|
||||||
char *auth_pending_file;
|
struct auth_deferred_status plugin_auth;
|
||||||
};
|
};
|
||||||
|
|
||||||
/** Control channel wrapping (--tls-auth/--tls-crypt) context */
|
/** Control channel wrapping (--tls-auth/--tls-crypt) context */
|
||||||
|
@ -885,13 +885,13 @@ man_def_auth_test(const struct key_state *ks)
|
|||||||
* and key_state structure
|
* and key_state structure
|
||||||
*/
|
*/
|
||||||
static void
|
static void
|
||||||
key_state_rm_auth_pending_file(struct key_state *ks)
|
key_state_rm_auth_pending_file(struct auth_deferred_status *ads)
|
||||||
{
|
{
|
||||||
if (ks && ks->auth_pending_file)
|
if (ads && ads->auth_pending_file)
|
||||||
{
|
{
|
||||||
platform_unlink(ks->auth_pending_file);
|
platform_unlink(ads->auth_pending_file);
|
||||||
free(ks->auth_pending_file);
|
free(ads->auth_pending_file);
|
||||||
ks->auth_pending_file = NULL;
|
ads->auth_pending_file = NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -936,13 +936,13 @@ check_auth_pending_method(const char *peer_info, const char *method)
|
|||||||
* @returns false The file had an invlaid format or another error occured
|
* @returns false The file had an invlaid format or another error occured
|
||||||
*/
|
*/
|
||||||
static bool
|
static bool
|
||||||
key_state_check_auth_pending_file(struct key_state *ks,
|
key_state_check_auth_pending_file(struct auth_deferred_status *ads,
|
||||||
struct tls_multi *multi)
|
struct tls_multi *multi)
|
||||||
{
|
{
|
||||||
bool ret = true;
|
bool ret = true;
|
||||||
if (ks && ks->auth_pending_file)
|
if (ads->auth_pending_file)
|
||||||
{
|
{
|
||||||
struct buffer_list *lines = buffer_list_file(ks->auth_pending_file,
|
struct buffer_list *lines = buffer_list_file(ads->auth_pending_file,
|
||||||
1024);
|
1024);
|
||||||
if (lines && lines->head)
|
if (lines && lines->head)
|
||||||
{
|
{
|
||||||
@ -992,7 +992,7 @@ key_state_check_auth_pending_file(struct key_state *ks,
|
|||||||
|
|
||||||
buffer_list_free(lines);
|
buffer_list_free(lines);
|
||||||
}
|
}
|
||||||
key_state_rm_auth_pending_file(ks);
|
key_state_rm_auth_pending_file(ads);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1002,15 +1002,15 @@ key_state_check_auth_pending_file(struct key_state *ks,
|
|||||||
* and key_state structure
|
* and key_state structure
|
||||||
*/
|
*/
|
||||||
void
|
void
|
||||||
key_state_rm_auth_control_files(struct key_state *ks)
|
key_state_rm_auth_control_files(struct auth_deferred_status *ads)
|
||||||
{
|
{
|
||||||
if (ks && ks->auth_control_file)
|
if (ads->auth_control_file)
|
||||||
{
|
{
|
||||||
platform_unlink(ks->auth_control_file);
|
platform_unlink(ads->auth_control_file);
|
||||||
free(ks->auth_control_file);
|
free(ads->auth_control_file);
|
||||||
ks->auth_control_file = NULL;
|
ads->auth_control_file = NULL;
|
||||||
}
|
}
|
||||||
key_state_rm_auth_pending_file(ks);
|
key_state_rm_auth_pending_file(ads);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -1020,20 +1020,21 @@ key_state_rm_auth_control_files(struct key_state *ks)
|
|||||||
* @return true if file creation was successful
|
* @return true if file creation was successful
|
||||||
*/
|
*/
|
||||||
static bool
|
static bool
|
||||||
key_state_gen_auth_control_files(struct key_state *ks, const struct tls_options *opt)
|
key_state_gen_auth_control_files(struct auth_deferred_status *ads,
|
||||||
|
const struct tls_options *opt)
|
||||||
{
|
{
|
||||||
struct gc_arena gc = gc_new();
|
struct gc_arena gc = gc_new();
|
||||||
|
|
||||||
key_state_rm_auth_control_files(ks);
|
key_state_rm_auth_control_files(ads);
|
||||||
const char *acf = platform_create_temp_file(opt->tmp_dir, "acf", &gc);
|
const char *acf = platform_create_temp_file(opt->tmp_dir, "acf", &gc);
|
||||||
const char *apf = platform_create_temp_file(opt->tmp_dir, "apf", &gc);
|
const char *apf = platform_create_temp_file(opt->tmp_dir, "apf", &gc);
|
||||||
|
|
||||||
if (acf && apf)
|
if (acf && apf)
|
||||||
{
|
{
|
||||||
ks->auth_control_file = string_alloc(acf, NULL);
|
ads->auth_control_file = string_alloc(acf, NULL);
|
||||||
ks->auth_pending_file = string_alloc(apf, NULL);
|
ads->auth_pending_file = string_alloc(apf, NULL);
|
||||||
setenv_str(opt->es, "auth_control_file", ks->auth_control_file);
|
setenv_str(opt->es, "auth_control_file", ads->auth_control_file);
|
||||||
setenv_str(opt->es, "auth_pending_file", ks->auth_pending_file);
|
setenv_str(opt->es, "auth_pending_file", ads->auth_pending_file);
|
||||||
}
|
}
|
||||||
|
|
||||||
gc_free(&gc);
|
gc_free(&gc);
|
||||||
@ -1041,14 +1042,14 @@ key_state_gen_auth_control_files(struct key_state *ks, const struct tls_options
|
|||||||
}
|
}
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
key_state_test_auth_control_file(struct key_state *ks)
|
key_state_test_auth_control_file(struct auth_deferred_status *ads)
|
||||||
{
|
{
|
||||||
if (ks && ks->auth_control_file)
|
if (ads->auth_control_file)
|
||||||
{
|
{
|
||||||
unsigned int ret = ks->auth_control_status;
|
unsigned int ret = ads->auth_control_status;
|
||||||
if (ret == ACF_UNDEFINED)
|
if (ret == ACF_UNDEFINED)
|
||||||
{
|
{
|
||||||
FILE *fp = fopen(ks->auth_control_file, "r");
|
FILE *fp = fopen(ads->auth_control_file, "r");
|
||||||
if (fp)
|
if (fp)
|
||||||
{
|
{
|
||||||
const int c = fgetc(fp);
|
const int c = fgetc(fp);
|
||||||
@ -1061,7 +1062,7 @@ key_state_test_auth_control_file(struct key_state *ks)
|
|||||||
ret = ACF_FAILED;
|
ret = ACF_FAILED;
|
||||||
}
|
}
|
||||||
fclose(fp);
|
fclose(fp);
|
||||||
ks->auth_control_status = ret;
|
ads->auth_control_status = ret;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return ret;
|
return ret;
|
||||||
@ -1103,7 +1104,7 @@ tls_authentication_status(struct tls_multi *multi, const int latency)
|
|||||||
{
|
{
|
||||||
unsigned int s1 = ACF_DISABLED;
|
unsigned int s1 = ACF_DISABLED;
|
||||||
unsigned int s2 = ACF_DISABLED;
|
unsigned int s2 = ACF_DISABLED;
|
||||||
s1 = key_state_test_auth_control_file(ks);
|
s1 = key_state_test_auth_control_file(&ks->plugin_auth);
|
||||||
#ifdef ENABLE_MANAGEMENT
|
#ifdef ENABLE_MANAGEMENT
|
||||||
s2 = man_def_auth_test(ks);
|
s2 = man_def_auth_test(ks);
|
||||||
#endif
|
#endif
|
||||||
@ -1282,7 +1283,7 @@ verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi,
|
|||||||
setenv_str(session->opt->es, "password", up->password);
|
setenv_str(session->opt->es, "password", up->password);
|
||||||
|
|
||||||
/* generate filename for deferred auth control file */
|
/* generate filename for deferred auth control file */
|
||||||
if (!key_state_gen_auth_control_files(ks, session->opt))
|
if (!key_state_gen_auth_control_files(&ks->plugin_auth, session->opt))
|
||||||
{
|
{
|
||||||
msg(D_TLS_ERRORS, "TLS Auth Error (%s): "
|
msg(D_TLS_ERRORS, "TLS Auth Error (%s): "
|
||||||
"could not create deferred auth control file", __func__);
|
"could not create deferred auth control file", __func__);
|
||||||
@ -1296,16 +1297,16 @@ verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi,
|
|||||||
{
|
{
|
||||||
/* Check if the plugin has written the pending auth control
|
/* Check if the plugin has written the pending auth control
|
||||||
* file and send the pending auth to the client */
|
* file and send the pending auth to the client */
|
||||||
if(!key_state_check_auth_pending_file(ks, multi))
|
if(!key_state_check_auth_pending_file(&ks->plugin_auth, multi))
|
||||||
{
|
{
|
||||||
retval = OPENVPN_PLUGIN_FUNC_ERROR;
|
retval = OPENVPN_PLUGIN_FUNC_ERROR;
|
||||||
key_state_rm_auth_control_files(ks);
|
key_state_rm_auth_control_files(&ks->plugin_auth);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
/* purge auth control filename (and file itself) for non-deferred returns */
|
/* purge auth control filename (and file itself) for non-deferred returns */
|
||||||
key_state_rm_auth_control_files(ks);
|
key_state_rm_auth_control_files(&ks->plugin_auth);
|
||||||
}
|
}
|
||||||
|
|
||||||
setenv_del(session->opt->es, "password");
|
setenv_del(session->opt->es, "password");
|
||||||
|
@ -113,11 +113,12 @@ tls_authentication_status(struct tls_multi *multi, const int latency);
|
|||||||
#define TLS_AUTHENTICATED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))
|
#define TLS_AUTHENTICATED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Remove the given key state's auth control file, if it exists.
|
* Remove the given key state's auth deferred status auth control file,
|
||||||
|
* if it exists.
|
||||||
*
|
*
|
||||||
* @param ks The key state the remove the file for
|
* @param ads The key state the remove the file for
|
||||||
*/
|
*/
|
||||||
void key_state_rm_auth_control_files(struct key_state *ks);
|
void key_state_rm_auth_control_files(struct auth_deferred_status *ads);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Frees the given set of certificate hashes.
|
* Frees the given set of certificate hashes.
|
||||||
|
Loading…
Reference in New Issue
Block a user