Marius Tomaschewski
9c3259ca06
- Preform deferred authentication in the background to not cause main daemon processing delays when the underlying pam mechanism (e.g. ldap) needs longer to response (bsc#959511). [+ 0001-preform-deferred-authentication-in-the-background.patch] - Added fix for possible heap overflow on read accessing getaddrinfo result (bsc#959714). [+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch] - Added a patch to fix multiple low severity issues (bsc#934237). [+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch] OBS-URL: https://build.opensuse.org/request/show/489820 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=115
164 lines
4.8 KiB
Diff
164 lines
4.8 KiB
Diff
From 8c39dbd45d3551e838310732a73e05f6d2d2e784 Mon Sep 17 00:00:00 2001
|
|
From: Nirmoy Das <ndas@suse.de>
|
|
Date: Thu, 12 May 2016 12:08:56 +0200
|
|
Subject: [PATCH] preform deferred authentication in the background to not
|
|
cause main daemon processing delays when the underlying pam mechanism (e.g.
|
|
ldap) needs longer to response.
|
|
References: bsc#959511
|
|
|
|
|
|
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
|
|
index bd71792..119fc31 100644
|
|
--- a/src/plugins/auth-pam/auth-pam.c
|
|
+++ b/src/plugins/auth-pam/auth-pam.c
|
|
@@ -55,6 +55,7 @@
|
|
/* Command codes for foreground -> background communication */
|
|
#define COMMAND_VERIFY 0
|
|
#define COMMAND_EXIT 1
|
|
+#define COMMAND_VERIFY_V2 2
|
|
|
|
/* Response codes for background -> foreground communication */
|
|
#define RESPONSE_INIT_SUCCEEDED 10
|
|
@@ -108,6 +109,7 @@ struct user_pass {
|
|
char username[128];
|
|
char password[128];
|
|
char common_name[128];
|
|
+ char auth_control_file[PATH_MAX];
|
|
|
|
const struct name_value_list *name_value_list;
|
|
};
|
|
@@ -687,6 +689,21 @@ pam_auth (const char *service, const struct user_pass *up)
|
|
return ret;
|
|
}
|
|
|
|
+static int handle_auth_control_file(char *auth_control_file, int status)
|
|
+{
|
|
+ FILE *fp = fopen(auth_control_file, "w");
|
|
+
|
|
+ if (fp) {
|
|
+ if (fprintf (fp, "%d\n", status) < 0) {
|
|
+ fclose(fp);
|
|
+ return -1;
|
|
+ }
|
|
+ fclose(fp);
|
|
+ return 0;
|
|
+ }
|
|
+ return -1;
|
|
+}
|
|
+
|
|
/*
|
|
* Background process -- runs with privilege.
|
|
*/
|
|
@@ -781,6 +798,41 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list
|
|
}
|
|
break;
|
|
|
|
+ case COMMAND_VERIFY_V2:
|
|
+ if (recv_string (fd, up.username, sizeof (up.username)) == -1
|
|
+ || recv_string (fd, up.password, sizeof (up.password)) == -1
|
|
+ || recv_string (fd, up.common_name, sizeof (up.common_name)) == -1
|
|
+ || recv_string (fd, up.auth_control_file, sizeof (up.auth_control_file)) == -1)
|
|
+ {
|
|
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n",
|
|
+ command);
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ if (DEBUG (verb))
|
|
+ {
|
|
+#if 0
|
|
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n",
|
|
+ up.username, up.password);
|
|
+#else
|
|
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username);
|
|
+#endif
|
|
+ }
|
|
+
|
|
+ if (pam_auth (service, &up)) /* Succeeded */
|
|
+ {
|
|
+ if (handle_auth_control_file(up.auth_control_file, 1) == -1) {
|
|
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n");
|
|
+ }
|
|
+ }
|
|
+ else /* Failed */
|
|
+ {
|
|
+ if (handle_auth_control_file(up.auth_control_file, 0) == -1) {
|
|
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n");
|
|
+ }
|
|
+ }
|
|
+ break;
|
|
+
|
|
case COMMAND_EXIT:
|
|
goto done;
|
|
|
|
@@ -804,3 +856,56 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list
|
|
|
|
return;
|
|
}
|
|
+
|
|
+int
|
|
+handle_auth_pass_verify_v2(struct auth_pam_context *context, const char *argv[], const char *envp[])
|
|
+{
|
|
+
|
|
+ /* get username/password from envp string array */
|
|
+ const char *username = get_env ("username", envp);
|
|
+ const char *password = get_env ("password", envp);
|
|
+ const char *common_name = get_env ("common_name", envp) ? get_env ("common_name", envp) : "";
|
|
+ const char *auth_control_file = get_env ("auth_control_file", envp);
|
|
+
|
|
+ if (!username || !*username || !password)
|
|
+ return OPENVPN_PLUGIN_FUNC_ERROR;
|
|
+
|
|
+ if (!auth_control_file || !*auth_control_file || access( auth_control_file, F_OK ) == -1)
|
|
+ return OPENVPN_PLUGIN_FUNC_ERROR;
|
|
+
|
|
+ if (send_control (context->foreground_fd, COMMAND_VERIFY_V2) == -1
|
|
+ || send_string (context->foreground_fd, username) == -1
|
|
+ || send_string (context->foreground_fd, password) == -1
|
|
+ || send_string (context->foreground_fd, common_name) == -1
|
|
+ || send_string (context->foreground_fd, auth_control_file) == -1)
|
|
+ {
|
|
+ fprintf (stderr, "AUTH-PAM: Error sending auth info to background process\n");
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
|
|
+ }
|
|
+
|
|
+ return OPENVPN_PLUGIN_FUNC_ERROR;
|
|
+}
|
|
+
|
|
+OPENVPN_EXPORT int
|
|
+openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle,
|
|
+ const int type,
|
|
+ const char *argv[],
|
|
+ const char *envp[],
|
|
+ void *per_client_context,
|
|
+ struct openvpn_plugin_string_list **return_list)
|
|
+{
|
|
+ struct auth_pam_context *context = (struct auth_pam_context *) handle;
|
|
+
|
|
+ switch (type)
|
|
+ {
|
|
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
|
|
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
|
|
+ return handle_auth_pass_verify_v2 (context, argv, envp);
|
|
+ default:
|
|
+ printf ("OPENVPN_PLUGIN_?\n");
|
|
+ return OPENVPN_PLUGIN_FUNC_ERROR;
|
|
+ }
|
|
+}
|
|
diff --git a/src/plugins/auth-pam/auth-pam.exports b/src/plugins/auth-pam/auth-pam.exports
|
|
index b07937c..11a80f1 100644
|
|
--- a/src/plugins/auth-pam/auth-pam.exports
|
|
+++ b/src/plugins/auth-pam/auth-pam.exports
|
|
@@ -1,4 +1,5 @@
|
|
openvpn_plugin_open_v1
|
|
openvpn_plugin_func_v1
|
|
+openvpn_plugin_func_v2
|
|
openvpn_plugin_close_v1
|
|
openvpn_plugin_abort_v1
|
|
--
|
|
2.6.2
|
|
|