rpm/openvpn
SHA256
1
0
Fork 0
forked from pool/openvpn
Code Pull Requests Activity
31d719f30d
openvpn/0001-preform-deferred-authentication-in-the-background.patch

164 lines
4.8 KiB
Diff
Raw Normal View History

Accepting request 489820 from home:ndas:branches:network:vpn - Preform deferred authentication in the background to not cause main daemon processing delays when the underlying pam mechanism (e.g. ldap) needs longer to response (bsc#959511). [+ 0001-preform-deferred-authentication-in-the-background.patch] - Added fix for possible heap overflow on read accessing getaddrinfo result (bsc#959714). [+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch] - Added a patch to fix multiple low severity issues (bsc#934237). [+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch] OBS-URL: https://build.opensuse.org/request/show/489820 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=115
2017-04-27 11:50:39 +02:00
From 8c39dbd45d3551e838310732a73e05f6d2d2e784 Mon Sep 17 00:00:00 2001
From: Nirmoy Das <ndas@suse.de>
Date: Thu, 12 May 2016 12:08:56 +0200
Subject: [PATCH] preform deferred authentication in the background to not
cause main daemon processing delays when the underlying pam mechanism (e.g.
ldap) needs longer to response.
References: bsc#959511
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index bd71792..119fc31 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -55,6 +55,7 @@
/* Command codes for foreground -> background communication */
#define COMMAND_VERIFY 0
#define COMMAND_EXIT 1
+#define COMMAND_VERIFY_V2 2
/* Response codes for background -> foreground communication */
#define RESPONSE_INIT_SUCCEEDED 10
@@ -108,6 +109,7 @@ struct user_pass {
char username[128];
char password[128];
char common_name[128];
+ char auth_control_file[PATH_MAX];
const struct name_value_list *name_value_list;
};
@@ -687,6 +689,21 @@ pam_auth (const char *service, const struct user_pass *up)
return ret;
}
+static int handle_auth_control_file(char *auth_control_file, int status)
+{
+ FILE *fp = fopen(auth_control_file, "w");
+
+ if (fp) {
+ if (fprintf (fp, "%d\n", status) < 0) {
+ fclose(fp);
+ return -1;
+ }
+ fclose(fp);
+ return 0;
+ }
+ return -1;
+}
+
/*
* Background process -- runs with privilege.
*/
@@ -781,6 +798,41 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list
}
break;
+ case COMMAND_VERIFY_V2:
+ if (recv_string (fd, up.username, sizeof (up.username)) == -1
+ || recv_string (fd, up.password, sizeof (up.password)) == -1
+ || recv_string (fd, up.common_name, sizeof (up.common_name)) == -1
+ || recv_string (fd, up.auth_control_file, sizeof (up.auth_control_file)) == -1)
+ {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n",
+ command);
+ goto done;
+ }
+
+ if (DEBUG (verb))
+ {
+#if 0
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n",
+ up.username, up.password);
+#else
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username);
+#endif
+ }
+
+ if (pam_auth (service, &up)) /* Succeeded */
+ {
+ if (handle_auth_control_file(up.auth_control_file, 1) == -1) {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n");
+ }
+ }
+ else /* Failed */
+ {
+ if (handle_auth_control_file(up.auth_control_file, 0) == -1) {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n");
+ }
+ }
+ break;
+
case COMMAND_EXIT:
goto done;
@@ -804,3 +856,56 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list
return;
}
+
+int
+handle_auth_pass_verify_v2(struct auth_pam_context *context, const char *argv[], const char *envp[])
+{
+
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+ const char *common_name = get_env ("common_name", envp) ? get_env ("common_name", envp) : "";
+ const char *auth_control_file = get_env ("auth_control_file", envp);
+
+ if (!username || !*username || !password)
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+
+ if (!auth_control_file || !*auth_control_file || access( auth_control_file, F_OK ) == -1)
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+
+ if (send_control (context->foreground_fd, COMMAND_VERIFY_V2) == -1
+ || send_string (context->foreground_fd, username) == -1
+ || send_string (context->foreground_fd, password) == -1
+ || send_string (context->foreground_fd, common_name) == -1
+ || send_string (context->foreground_fd, auth_control_file) == -1)
+ {
+ fprintf (stderr, "AUTH-PAM: Error sending auth info to background process\n");
+ }
+ else
+ {
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
+ }
+
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle,
+ const int type,
+ const char *argv[],
+ const char *envp[],
+ void *per_client_context,
+ struct openvpn_plugin_string_list **return_list)
+{
+ struct auth_pam_context *context = (struct auth_pam_context *) handle;
+
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ return handle_auth_pass_verify_v2 (context, argv, envp);
+ default:
+ printf ("OPENVPN_PLUGIN_?\n");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+}
diff --git a/src/plugins/auth-pam/auth-pam.exports b/src/plugins/auth-pam/auth-pam.exports
index b07937c..11a80f1 100644
--- a/src/plugins/auth-pam/auth-pam.exports
+++ b/src/plugins/auth-pam/auth-pam.exports
@@ -1,4 +1,5 @@
openvpn_plugin_open_v1
openvpn_plugin_func_v1
+openvpn_plugin_func_v2
openvpn_plugin_close_v1
openvpn_plugin_abort_v1
--
2.6.2
Copy Permalink