Browse code
Extracting key_state deferred auth status update into function
This extract the update of a deferred key status into into own
function.
Patch v2: Do not ignore auth_deferred_expire. Minor format changes.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22420.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe authored on 2021/05/21 00:11:44Showing 1 changed files
| ... | ... |
@@ -1074,6 +1074,60 @@ key_state_test_auth_control_file(struct auth_deferred_status *ads, bool cached) |
| 1074 | 1074 |
} |
| 1075 | 1075 |
|
| 1076 | 1076 |
/** |
| 1077 |
+ * This method takes a key_state and if updates the state |
|
| 1078 |
+ * of the key if it is deferred. |
|
| 1079 |
+ * @param cached If auth control files should be tried to be opened or th |
|
| 1080 |
+ * cached results should be used |
|
| 1081 |
+ * @param ks The key_state to update |
|
| 1082 |
+ */ |
|
| 1083 |
+static void |
|
| 1084 |
+update_key_auth_status(bool cached, struct key_state *ks) |
|
| 1085 |
+{
|
|
| 1086 |
+ if (ks->authenticated == KS_AUTH_FALSE) |
|
| 1087 |
+ {
|
|
| 1088 |
+ return; |
|
| 1089 |
+ } |
|
| 1090 |
+ else |
|
| 1091 |
+ {
|
|
| 1092 |
+ enum auth_deferred_result auth_plugin = ACF_DISABLED; |
|
| 1093 |
+ enum auth_deferred_result auth_script = ACF_DISABLED; |
|
| 1094 |
+ enum auth_deferred_result auth_man = ACF_DISABLED; |
|
| 1095 |
+ auth_plugin = key_state_test_auth_control_file(&ks->plugin_auth, cached); |
|
| 1096 |
+ auth_script = key_state_test_auth_control_file(&ks->script_auth, cached); |
|
| 1097 |
+#ifdef ENABLE_MANAGEMENT |
|
| 1098 |
+ auth_man = man_def_auth_test(ks); |
|
| 1099 |
+#endif |
|
| 1100 |
+ ASSERT(auth_plugin < 4 && auth_script < 4 && auth_man < 4); |
|
| 1101 |
+ |
|
| 1102 |
+ if (auth_plugin == ACF_FAILED || auth_script == ACF_FAILED |
|
| 1103 |
+ || auth_man == ACF_FAILED) |
|
| 1104 |
+ {
|
|
| 1105 |
+ ks->authenticated = KS_AUTH_FALSE; |
|
| 1106 |
+ return; |
|
| 1107 |
+ } |
|
| 1108 |
+ else if (auth_plugin == ACF_PENDING || auth_script == ACF_PENDING |
|
| 1109 |
+ || auth_man == ACF_PENDING) |
|
| 1110 |
+ {
|
|
| 1111 |
+ if (now >= ks->auth_deferred_expire) |
|
| 1112 |
+ {
|
|
| 1113 |
+ /* Window to authenticate the key has expired, mark |
|
| 1114 |
+ * the key as unauthenticated */ |
|
| 1115 |
+ ks->authenticated = KS_AUTH_FALSE; |
|
| 1116 |
+ } |
|
| 1117 |
+ } |
|
| 1118 |
+ else |
|
| 1119 |
+ {
|
|
| 1120 |
+ /* all auth states (auth_plugin, auth_script, auth_man) |
|
| 1121 |
+ * are either ACF_DISABLED or ACF_SUCCEDED now, which |
|
| 1122 |
+ * translates to "not checked" or "auth succeeded" |
|
| 1123 |
+ */ |
|
| 1124 |
+ ks->authenticated = KS_AUTH_TRUE; |
|
| 1125 |
+ } |
|
| 1126 |
+ } |
|
| 1127 |
+} |
|
| 1128 |
+ |
|
| 1129 |
+ |
|
| 1130 |
+/** |
|
| 1077 | 1131 |
* The minimum times to have passed to update the cache. Older versions |
| 1078 | 1132 |
* of OpenVPN had code path that did not do any caching, so we start |
| 1079 | 1133 |
* with no caching (0) here as well to have the same super quick initial |
| ... | ... |
@@ -1115,46 +1169,19 @@ tls_authentication_status(struct tls_multi *multi) |
| 1115 | 1115 |
if (TLS_AUTHENTICATED(multi, ks)) |
| 1116 | 1116 |
{
|
| 1117 | 1117 |
active++; |
| 1118 |
+ update_key_auth_status(cached, ks); |
|
| 1119 |
+ |
|
| 1118 | 1120 |
if (ks->authenticated == KS_AUTH_FALSE) |
| 1119 | 1121 |
{
|
| 1120 | 1122 |
failed_auth = true; |
| 1121 | 1123 |
} |
| 1122 |
- else |
|
| 1124 |
+ else if (ks->authenticated == KS_AUTH_DEFERRED) |
|
| 1123 | 1125 |
{
|
| 1124 |
- enum auth_deferred_result auth_plugin = ACF_DISABLED; |
|
| 1125 |
- enum auth_deferred_result auth_script = ACF_DISABLED; |
|
| 1126 |
- enum auth_deferred_result auth_man = ACF_DISABLED; |
|
| 1127 |
- auth_plugin = key_state_test_auth_control_file(&ks->plugin_auth, cached); |
|
| 1128 |
- auth_script = key_state_test_auth_control_file(&ks->script_auth, cached); |
|
| 1129 |
-#ifdef ENABLE_MANAGEMENT |
|
| 1130 |
- auth_man = man_def_auth_test(ks); |
|
| 1131 |
-#endif |
|
| 1132 |
- ASSERT(auth_plugin < 4 && auth_script < 4 && auth_man < 4); |
|
| 1133 |
- |
|
| 1134 |
- if (auth_plugin == ACF_FAILED || auth_script == ACF_FAILED |
|
| 1135 |
- || auth_man == ACF_FAILED) |
|
| 1136 |
- {
|
|
| 1137 |
- ks->authenticated = KS_AUTH_FALSE; |
|
| 1138 |
- failed_auth = true; |
|
| 1139 |
- } |
|
| 1140 |
- else if (auth_plugin == ACF_PENDING |
|
| 1141 |
- || auth_script == ACF_PENDING |
|
| 1142 |
- || auth_man == ACF_PENDING) |
|
| 1143 |
- {
|
|
| 1144 |
- if (now < ks->auth_deferred_expire) |
|
| 1145 |
- {
|
|
| 1146 |
- deferred = true; |
|
| 1147 |
- } |
|
| 1148 |
- } |
|
| 1149 |
- else |
|
| 1150 |
- {
|
|
| 1151 |
- /* all auth states (auth_plugin, auth_script, auth_man) |
|
| 1152 |
- * are either ACF_DISABLED or ACF_SUCCEDED now, which |
|
| 1153 |
- * translates to "not checked" or "auth succeeded" |
|
| 1154 |
- */ |
|
| 1155 |
- success = true; |
|
| 1156 |
- ks->authenticated = KS_AUTH_TRUE; |
|
| 1157 |
- } |
|
| 1126 |
+ deferred = true; |
|
| 1127 |
+ } |
|
| 1128 |
+ else if (ks->authenticated == KS_AUTH_TRUE) |
|
| 1129 |
+ {
|
|
| 1130 |
+ success = true; |
|
| 1158 | 1131 |
} |
| 1159 | 1132 |
} |
| 1160 | 1133 |
} |