author | Lev Stipakov <lstipakov@gmail.com> | 2015-10-10 19:04:25 +0300 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2015-10-11 11:05:09 +0200 |
commit | 0d1a75bfe241466230c41a52c6013494135c5935 (patch) | |
tree | e432b2ffd5f0933aeca0d1a7366e273e56459896 /src/openvpn/push.c | |
parent | 9403e3f4b510fbc4187044f31be8f7dccbde1cf1 (diff) | |
download | openvpn-0d1a75bfe241466230c41a52c6013494135c5935.tar.gz openvpn-0d1a75bfe241466230c41a52c6013494135c5935.tar.xz openvpn-0d1a75bfe241466230c41a52c6013494135c5935.zip |
Send push reply right after async auth complete
v3:
* better comments
* better variable naming
* include sys/inotify.h if HAVE_SYS_INOTIFY_H is defined
v2:
More careful inotify_watchers handling
* Ensure that the same multi_instance is added only once
* Ensure that the multi_instance is always removed
v1:
This feature speeds up connection establishment in cases when the async
authentication result is not ready when the first push request arrives. At
the moment the server sends a push reply only when it receives the next push
request, which comes 5 seconds later.
Implementation overview.
Add a new configure option ENABLE_ASYNC_PUSH, which can be enabled if the
system supports inotify.
Add the inotify descriptor to the event loop. Add an inotify watch for the
authentication control file. Store the mapping between watch descriptor and
multi_instance in a dictionary. When the file is closed, inotify fires an
event and we continue with connection establishment: call client-connect
etc. and send the push reply.
The inotify watch descriptor gets automatically deleted after the file is
closed or when the file is removed. We catch that event and remove it from
the dictionary.
The feature is easily tested with the sample "defer" plugin and the following settings:
auth-user-pass-optional
setenv test_deferred_auth 3
plugin simple.so
Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Add doxygen comment
Acked-by: David Sommerseth <davids@redhat.com>
Message-Id: <1444493065-13506-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10248
Signed-off-by: David Sommerseth <davids@redhat.com>
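The inotify bookkeeping the commit message describes (the watch-descriptor to multi_instance dictionary, the v2 rules that the same instance is added once and always removed, and the watch being dropped after the file is closed), as an added example written for this page, not OpenVPN's own code. It assumes Linux inotify, an IN_ONESHOT watch as the mechanism by which the watch "gets automatically deleted" after the close, and a control file whose first byte '1' means the deferred auth accepted the client; the struct names, the action enum, the fixed /tmp path and the helper names are illustrative stand-ins, not OpenVPN identifiers.

```c
/* Added example for this page, not OpenVPN code: the wd -> client bookkeeping and
 * inotify lifecycle the commit message describes. Linux only (inotify); every name
 * here is an illustrative stand-in for the OpenVPN original. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/inotify.h>
#define MAX_WATCHERS 16

struct client_instance {            /* stand-in for multi_instance */
    const char *control_file;       /* file the deferred-auth plugin writes 0/1 to */
    bool push_request_received;     /* PUSH_REQUEST arrived before the verdict */
    bool push_reply_sent;
};
struct watcher_map {                /* the wd -> instance "dictionary" */
    int wd[MAX_WATCHERS];
    struct client_instance *inst[MAX_WATCHERS];
    int count;
};

static int watcher_index_of(const struct watcher_map *m, int wd) {
    for (int i = 0; i < m->count; i++)
        if (m->wd[i] == wd) return i;
    return -1;
}
/* v2 rule: the same instance (or wd) is registered only once; 0 ok, -1 refused. */
int watcher_add(struct watcher_map *m, int wd, struct client_instance *inst) {
    if (m->count >= MAX_WATCHERS || watcher_index_of(m, wd) >= 0) return -1;
    for (int i = 0; i < m->count; i++)
        if (m->inst[i] == inst) return -1;
    m->wd[m->count] = wd;
    m->inst[m->count] = inst;
    m->count++;
    return 0;
}
/* v2 rule: a known wd is always removed; returns its instance, NULL if unknown. */
struct client_instance *watcher_remove(struct watcher_map *m, int wd) {
    int i = watcher_index_of(m, wd);
    if (i < 0) return NULL;
    struct client_instance *inst = m->inst[i];
    m->count--;                             /* swap the last entry into the hole */
    m->wd[i] = m->wd[m->count];
    m->inst[i] = m->inst[m->count];
    return inst;
}
/* Control-file convention assumed here: first byte '1' accepts, anything else rejects;
 * -1 if the file cannot be read at all. */
int read_auth_control(const char *path) {
    char c = 0;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int n = fscanf(f, " %c", &c);
    fclose(f);
    return (n == 1 && c == '1') ? 1 : 0;
}
int write_auth_control(const char *path, bool accept) {   /* the plugin's side */
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(accept ? "1\n" : "0\n", f);
    return fclose(f) == 0 ? 0 : -1;       /* the close is what fires IN_CLOSE_WRITE */
}

enum watch_action { WATCH_NONE, WATCH_AUTH_SUCCEEDED, WATCH_AUTH_FAILED, WATCH_DROPPED };
/* Event-loop callback. IN_CLOSE_WRITE: the verdict is ready, so a client whose
 * PUSH_REQUEST is already pending is answered now instead of on its next request.
 * IN_IGNORED: the kernel dropped the watch (one-shot fired or file removed), so the
 * mapping is dropped too; until then the entry stays in the table. */
enum watch_action handle_inotify_event(struct watcher_map *m, const struct inotify_event *ev) {
    if (ev->mask & IN_IGNORED)
        return watcher_remove(m, ev->wd) ? WATCH_DROPPED : WATCH_NONE;
    int i = (ev->mask & IN_CLOSE_WRITE) ? watcher_index_of(m, ev->wd) : -1;
    if (i < 0) return WATCH_NONE;
    struct client_instance *inst = m->inst[i];
    if (read_auth_control(inst->control_file) != 1)
        return WATCH_AUTH_FAILED;           /* real code: send_auth_failed() */
    if (inst->push_request_received)
        inst->push_reply_sent = true;       /* real code: send_push_reply() */
    return WATCH_AUTH_SUCCEEDED;
}

int main(void) {
    const char *path = "/tmp/auth_control.example";   /* illustrative fixed path */
    FILE *f = fopen(path, "w");             /* server pre-creates the control file */
    if (!f) { perror("fopen"); return 1; }
    fclose(f);
    int ifd = inotify_init();
    /* IN_ONESHOT (assumed here) makes the kernel delete the watch after its first
     * event and report that as IN_IGNORED, i.e. the auto-deletion the message relies on. */
    int wd = inotify_add_watch(ifd, path, IN_CLOSE_WRITE | IN_ONESHOT);
    struct watcher_map map = {0};
    struct client_instance client = { path, true, false };   /* PUSH_REQUEST pending */
    watcher_add(&map, wd, &client);
    write_auth_control(path, true);         /* the plugin finishes */
    char buf[4096] __attribute__((aligned(8)));
    ssize_t len = read(ifd, buf, sizeof buf);   /* both queued events in one read */
    for (char *p = buf; len > 0 && p < buf + len; ) {
        const struct inotify_event *ev = (const struct inotify_event *)p;
        int act = handle_inotify_event(&map, ev);
        printf("wd=%d mask=0x%x -> action %d, push_reply_sent=%d\n",
               ev->wd, (unsigned)ev->mask, act, client.push_reply_sent);
        p += sizeof *ev + ev->len;
    }
    printf("watchers left: %d\n", map.count);
    close(ifd);
    unlink(path);
    return 0;
}
```

Run on Linux, the loop sees IN_CLOSE_WRITE first (the verdict is '1' and a PUSH_REQUEST was already pending, so the reply is marked sent at once) and then IN_IGNORED for the one-shot watch, after which the table is empty; a control file that cannot be read, or whose first byte is not '1', takes the WATCH_AUTH_FAILED branch and sends no push reply.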
Diffstat (limited to 'src/openvpn/push.c')
-rw-r--r-- | src/openvpn/push.c | 69 |
1 file changed, 41 insertions, 28 deletions
diff --git a/src/openvpn/push.c b/src/openvpn/push.c index b9d0c4c..704818d 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -411,6 +411,46 @@ push_reset (struct options *o) #endif int +process_incoming_push_request (struct context *c) +{ + int ret = PUSH_MSG_ERROR; + +#ifdef ENABLE_ASYNC_PUSH + c->c2.push_request_received = true; +#endif + if (tls_authentication_status (c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED || c->c2.context_auth == CAS_FAILED) + { + const char *client_reason = tls_client_reason (c->c2.tls_multi); + send_auth_failed (c, client_reason); + ret = PUSH_MSG_AUTH_FAILURE; + } + else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED) + { + time_t now; + + openvpn_time (&now); + if (c->c2.sent_push_reply_expiry > now) + { + ret = PUSH_MSG_ALREADY_REPLIED; + } + else + { + if (send_push_reply (c)) + { + ret = PUSH_MSG_REQUEST; + c->c2.sent_push_reply_expiry = now + 30; + } + } + } + else + { + ret = PUSH_MSG_REQUEST_DEFERRED; + } + + return ret; +} + +int process_incoming_push_msg (struct context *c, const struct buffer *buffer, bool honor_received_options, @@ -423,34 +463,7 @@ process_incoming_push_msg (struct context *c, #if P2MP_SERVER if (buf_string_compare_advance (&buf, "PUSH_REQUEST")) { - if (tls_authentication_status (c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED || c->c2.context_auth == CAS_FAILED) - { - const char *client_reason = tls_client_reason (c->c2.tls_multi); - send_auth_failed (c, client_reason); - ret = PUSH_MSG_AUTH_FAILURE; - } - else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED) - { - time_t now; - - openvpn_time(&now); - if (c->c2.sent_push_reply_expiry > now) - { - ret = PUSH_MSG_ALREADY_REPLIED; - } - else - { - if (send_push_reply (c)) - { - ret = PUSH_MSG_REQUEST; - c->c2.sent_push_reply_expiry = now + 30; - } - } - } - else - { - ret = PUSH_MSG_REQUEST_DEFERRED; - } + ret = process_incoming_push_request(c); } else #endif |
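Review bot: in the first hunk (@@ -411,6 +411,46 @@) the new process_incoming_push_request() lands without any comment above it, even though the message log claims "Add doxygen comment"; since the commit message makes this function the entry point for two paths (the PUSH_REQUEST branch of process_incoming_push_msg and the inotify-driven completion of a deferred auth), a doxygen block should say that it can run when no PUSH_REQUEST is being parsed, list the PUSH_MSG_* values it returns, and note that under ENABLE_ASYNC_PUSH it sets `c->c2.push_request_received = true;` unconditionally before the auth-status checks. While the block is being moved, `c->c2.sent_push_reply_expiry = now + 30;` is also the moment to give the 30-second "already replied" window a name instead of carrying the bare literal into the new function.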
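Review bot: in the second hunk (@@ -423,34 +463,7 @@) the replacement line `ret = process_incoming_push_request(c);` has no space before the parenthesis, while the lines it replaces and the rest of this file use the GNU style with one (`send_auth_failed (c, client_reason)`, `openvpn_time(&now)` aside, `send_push_reply (c)`); match the file's convention. Otherwise the hunk is a straight extraction: every removed line reappears unchanged in the new function, so the PUSH_REQUEST path (auth-failure reply, already-replied window, deferred result) behaves as before.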