This extract the update of a deferred key status into into own
function.
Patch v2: Do not ignore auth_deferred_expire. Minor format changes.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22420.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -1074,6 +1074,60 @@ key_state_test_auth_control_file(struct auth_deferred_status *ads, bool cached) |
1074 | 1074 |
} |
1075 | 1075 |
|
1076 | 1076 |
/** |
1077 |
+ * This method takes a key_state and if updates the state |
|
1078 |
+ * of the key if it is deferred. |
|
1079 |
+ * @param cached If auth control files should be tried to be opened or th |
|
1080 |
+ * cached results should be used |
|
1081 |
+ * @param ks The key_state to update |
|
1082 |
+ */ |
|
1083 |
+static void |
|
1084 |
+update_key_auth_status(bool cached, struct key_state *ks) |
|
1085 |
+{ |
|
1086 |
+ if (ks->authenticated == KS_AUTH_FALSE) |
|
1087 |
+ { |
|
1088 |
+ return; |
|
1089 |
+ } |
|
1090 |
+ else |
|
1091 |
+ { |
|
1092 |
+ enum auth_deferred_result auth_plugin = ACF_DISABLED; |
|
1093 |
+ enum auth_deferred_result auth_script = ACF_DISABLED; |
|
1094 |
+ enum auth_deferred_result auth_man = ACF_DISABLED; |
|
1095 |
+ auth_plugin = key_state_test_auth_control_file(&ks->plugin_auth, cached); |
|
1096 |
+ auth_script = key_state_test_auth_control_file(&ks->script_auth, cached); |
|
1097 |
+#ifdef ENABLE_MANAGEMENT |
|
1098 |
+ auth_man = man_def_auth_test(ks); |
|
1099 |
+#endif |
|
1100 |
+ ASSERT(auth_plugin < 4 && auth_script < 4 && auth_man < 4); |
|
1101 |
+ |
|
1102 |
+ if (auth_plugin == ACF_FAILED || auth_script == ACF_FAILED |
|
1103 |
+ || auth_man == ACF_FAILED) |
|
1104 |
+ { |
|
1105 |
+ ks->authenticated = KS_AUTH_FALSE; |
|
1106 |
+ return; |
|
1107 |
+ } |
|
1108 |
+ else if (auth_plugin == ACF_PENDING || auth_script == ACF_PENDING |
|
1109 |
+ || auth_man == ACF_PENDING) |
|
1110 |
+ { |
|
1111 |
+ if (now >= ks->auth_deferred_expire) |
|
1112 |
+ { |
|
1113 |
+ /* Window to authenticate the key has expired, mark |
|
1114 |
+ * the key as unauthenticated */ |
|
1115 |
+ ks->authenticated = KS_AUTH_FALSE; |
|
1116 |
+ } |
|
1117 |
+ } |
|
1118 |
+ else |
|
1119 |
+ { |
|
1120 |
+ /* all auth states (auth_plugin, auth_script, auth_man) |
|
1121 |
+ * are either ACF_DISABLED or ACF_SUCCEDED now, which |
|
1122 |
+ * translates to "not checked" or "auth succeeded" |
|
1123 |
+ */ |
|
1124 |
+ ks->authenticated = KS_AUTH_TRUE; |
|
1125 |
+ } |
|
1126 |
+ } |
|
1127 |
+} |
|
1128 |
+ |
|
1129 |
+ |
|
1130 |
+/** |
|
1077 | 1131 |
* The minimum times to have passed to update the cache. Older versions |
1078 | 1132 |
* of OpenVPN had code path that did not do any caching, so we start |
1079 | 1133 |
* with no caching (0) here as well to have the same super quick initial |
... | ... |
@@ -1115,46 +1169,19 @@ tls_authentication_status(struct tls_multi *multi) |
1115 | 1115 |
if (TLS_AUTHENTICATED(multi, ks)) |
1116 | 1116 |
{ |
1117 | 1117 |
active++; |
1118 |
+ update_key_auth_status(cached, ks); |
|
1119 |
+ |
|
1118 | 1120 |
if (ks->authenticated == KS_AUTH_FALSE) |
1119 | 1121 |
{ |
1120 | 1122 |
failed_auth = true; |
1121 | 1123 |
} |
1122 |
- else |
|
1124 |
+ else if (ks->authenticated == KS_AUTH_DEFERRED) |
|
1123 | 1125 |
{ |
1124 |
- enum auth_deferred_result auth_plugin = ACF_DISABLED; |
|
1125 |
- enum auth_deferred_result auth_script = ACF_DISABLED; |
|
1126 |
- enum auth_deferred_result auth_man = ACF_DISABLED; |
|
1127 |
- auth_plugin = key_state_test_auth_control_file(&ks->plugin_auth, cached); |
|
1128 |
- auth_script = key_state_test_auth_control_file(&ks->script_auth, cached); |
|
1129 |
-#ifdef ENABLE_MANAGEMENT |
|
1130 |
- auth_man = man_def_auth_test(ks); |
|
1131 |
-#endif |
|
1132 |
- ASSERT(auth_plugin < 4 && auth_script < 4 && auth_man < 4); |
|
1133 |
- |
|
1134 |
- if (auth_plugin == ACF_FAILED || auth_script == ACF_FAILED |
|
1135 |
- || auth_man == ACF_FAILED) |
|
1136 |
- { |
|
1137 |
- ks->authenticated = KS_AUTH_FALSE; |
|
1138 |
- failed_auth = true; |
|
1139 |
- } |
|
1140 |
- else if (auth_plugin == ACF_PENDING |
|
1141 |
- || auth_script == ACF_PENDING |
|
1142 |
- || auth_man == ACF_PENDING) |
|
1143 |
- { |
|
1144 |
- if (now < ks->auth_deferred_expire) |
|
1145 |
- { |
|
1146 |
- deferred = true; |
|
1147 |
- } |
|
1148 |
- } |
|
1149 |
- else |
|
1150 |
- { |
|
1151 |
- /* all auth states (auth_plugin, auth_script, auth_man) |
|
1152 |
- * are either ACF_DISABLED or ACF_SUCCEDED now, which |
|
1153 |
- * translates to "not checked" or "auth succeeded" |
|
1154 |
- */ |
|
1155 |
- success = true; |
|
1156 |
- ks->authenticated = KS_AUTH_TRUE; |
|
1157 |
- } |
|
1126 |
+ deferred = true; |
|
1127 |
+ } |
|
1128 |
+ else if (ks->authenticated == KS_AUTH_TRUE) |
|
1129 |
+ { |
|
1130 |
+ success = true; |
|
1158 | 1131 |
} |
1159 | 1132 |
} |
1160 | 1133 |
} |