When evaluating authentication plugins, stop further evaluation
once the first failure is detected.

implementation note: refactoring from a switch-case to an
if-else block allows the break statement to break out of the
outer for loop without additional control variables.

v2: add check for auth plugin before breaking out of loop

Signed-off-by: Peter Nelson <petiep...@gmail.com>
---
 src/openvpn/plugin.c | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index d5704e07..02b17378 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -818,26 +818,24 @@ plugin_call_ssl(const struct plugin_list *pl,
                                                 certdepth,
                                                 current_cert
                                                 );
-            switch (status)
+            if (pr)
             {
-                case OPENVPN_PLUGIN_FUNC_SUCCESS:
-                    break;
-
-                case OPENVPN_PLUGIN_FUNC_DEFERRED:
-                    deferred = true;
-                    break;
-
-                default:
-                    error = true;
+                pr->n = i + 1;
+            }
+            if (status == OPENVPN_PLUGIN_FUNC_DEFERRED)
+            {
+                deferred = true;
+            }
+            else if (status != OPENVPN_PLUGIN_FUNC_SUCCESS)
+            {
+                error = true;
+                if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
+                {
                     break;
+                }
             }
         }

-        if (pr)
-        {
-            pr->n = i;
-        }
-
         gc_free(&gc);

         if (error)
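Review bot: in the new `if (pr)` block at the top of the hunk, `pr->n` is now assigned only inside the loop body, so when the loop runs zero iterations it is never written, whereas the removed post-loop `pr->n = i` ran unconditionally. Either set `pr->n` to 0 before the loop or confirm that callers zero the return list first, and mention the change in the commit message, since it currently describes only the early exit. On the `break` itself: it is limited to `OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` and sits only in the non-success, non-deferred branch, so `deferred` may already be true from an earlier plugin when the loop exits. The `if (error)` that follows suggests the failure still takes precedence, but a short comment at the `break` stating that remaining plugins are intentionally skipped for this call type, and that other types keep running every plugin, would make the fail-closed intent clear to later readers.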
-- 
2.17.1

On Thu, Nov 11, 2021 at 1:34 PM Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> On Thu, Nov 11, 2021 at 01:23:43PM +0000, Pete Nelson wrote:
> > Thank you, Frank.  Amended patch so it applies only to auth attempts.
> >
> > Not sure how patchwork handles this.. my intent is this amended patch
> > overwrites the patch from the OP.
> > -- Pete
>
> The best way to do that is to send the patch with "git send-email" and
> add a "-v2" switch to that - it won't overwrite the patch in PW, but
> we can see "ah, it's a v2".
>
> Please add a note to the commit message as well what is new on v2,
> like
>
>  v2: only apply shortcut logic to authentication plugin calls
>
> (if that's what is new)
>
> Please do also do "git commit -s", so we get the signed-off-by:
> line.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never doubted
>  it myself till I met a computer with a sense of humor."
>                              Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
