> Arne Schwabe <a...@rfc2549.org> hat am 20.05.2022 23:32 geschrieben:
> This is currently only possible when using the management interface
> and the client-deny functionality.
> ---
>  src/openvpn/ssl_common.h |  1 +
>  src/openvpn/ssl_verify.c | 74 ++++++++++++++++++++++++++++++++++++++--
>  2 files changed, 73 insertions(+), 2 deletions(-)
> 
[...]
> diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
> index c01841fa9..4cf772fef 100644
> --- a/src/openvpn/ssl_verify.c
> +++ b/src/openvpn/ssl_verify.c
[...]
> @@ -1184,6 +1218,20 @@ tls_authentication_status(struct tls_multi *multi)
>  #endif
>      if (failed_auth)
>      {
> +        struct gc_arena gc = gc_new();
> +        const struct key_state *ks = get_primary_key(multi);
> +        const char *plugin_message = 
> key_state_check_auth_failed_message_file(&ks->plugin_auth, multi, &gc);
> +        const char *script_message = 
> key_state_check_auth_failed_message_file(&ks->script_auth, multi, &gc);
> +
> +        if (plugin_message)
> +        {
> +            auth_set_client_reason(multi, plugin_message);
> +        }
> +        if (script_message)
> +        {
> +            auth_set_client_reason(multi, script_message);
> +        }
> +

Isn't there a gc_free missing here?

>          /* We have at least one session that failed authentication. There
>           * might be still another session with valid keys.
>           * Although our protocol allows keeping the VPN session alive
> @@ -1248,6 +1296,21 @@ tls_authenticate_key(struct tls_multi *multi, const 
> unsigned int mda_key_id, con
>   * this is the place to start.
>   *************************************************************************** 
> */
>  
> +/**
> + * Check if the script/plugin left a message in the auth failed message
> + * file and rely it to the user */

"relay"

> +static void
> +check_for_client_reason(struct tls_multi *multi,
> +                        struct auth_deferred_status *status)
> +{
> +    struct gc_arena gc = gc_new();
> +    const char *msg = key_state_check_auth_failed_message_file(status, 
> multi, &gc);
> +    if (msg)
> +    {
> +        auth_set_client_reason(multi, msg);
> +    }
> +    gc_free(&gc);
> +}
>  /*
>   * Verify the user name and password using a script
>   */
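Review bot: `check_for_client_reason` takes a non-const `struct auth_deferred_status *status` but only forwards it to key_state_check_auth_failed_message_file, which the first hunk already calls with `&ks->plugin_auth` from a `const struct key_state *`, so presumably the parameter can be `const struct auth_deferred_status *status` to document that the helper does not modify the deferred status. The doxygen block would also benefit from naming the parameters and the side effect, e.g. `@param multi   TLS session whose client reason is set` and `@param status  deferred auth status whose message file is inspected`, with the closing `*/` on its own line as the surrounding comment blocks do. The helper's closing `}` runs straight into the following `/* Verify the user name ...` comment; a blank line between them would match the file's spacing. Since this helper encapsulates exactly the gc_new / message-file check / auth_set_client_reason / gc_free sequence, the two inlined copies in the tls_authentication_status hunk duplicate it and could call the helper instead.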

Regards,
--
Frank Lichtenheld


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
