Thank you, Frank. Amended patch so it applies only to auth attempts. Not sure how patchwork handles this. My intent is that this amended patch overwrites the patch from the OP.

-- Pete
--- src/openvpn/plugin.c | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index d5704e07..02b17378 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -818,26 +818,24 @@ plugin_call_ssl(const struct plugin_list *pl, certdepth, current_cert ); - switch (status) + if (pr) { - case OPENVPN_PLUGIN_FUNC_SUCCESS: - break; - - case OPENVPN_PLUGIN_FUNC_DEFERRED: - deferred = true; - break; - - default: - error = true; + pr->n = i + 1; + } + if (status == OPENVPN_PLUGIN_FUNC_DEFERRED) + { + deferred = true; + } + else if (status != OPENVPN_PLUGIN_FUNC_SUCCESS) + { + error = true; + if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) + { break; + } } } - if (pr) - { - pr->n = i; - } - gc_free(&gc); if (error) -- 2.17.1 On Wed, Nov 10, 2021 at 11:36 AM Frank Lichtenheld <fr...@lichtenheld.com> wrote: > > Pete Nelson <petiep...@gmail.com> hat am 09.11.2021 20:47 geschrieben: > > > When evaluating authentication plugins, stop further evaluation > once the first failure is detected. > > Since plugin_call is only a thin wrapper around plugin_call_ssl I think > this would short-circuit ALL plugin calls. Doesn't sound like you intended > that. > > Regards, > Frank > > -- > Frank Lichtenheld > >
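Review bot: with the assignment moved into the loop body as `pr->n = i + 1;`, `pr->n` is no longer written at all when the body never executes, whereas the removed `pr->n = i;` after the loop ran whenever `pr` was set. Please confirm that callers initialise the return list before the call, or keep an assignment ahead of the loop so the count is always defined. The new `break` under `type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` also needs a short comment explaining why only this hook type stops at the first failure. The removed `switch` had a `break` in its `default:` arm that only left the switch, so the loop previously continued after an error, and a reader comparing the two versions can easily miss that the control flow has changed. The commit message should state the consequence as well: for this hook type, plugins listed after the first failing one are no longer called, so any plugin that relies on seeing every authentication attempt (for logging or accounting, for example) will not see attempts rejected by an earlier plugin.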
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel