From 2f9cfb036f219df589c20ad9271e15c92722390b Mon Sep 17 00:00:00 2001
From: Aaron Goodman
Date: Mon, 20 Jul 2020 10:43:32 -0400
Subject: [PATCH] openfortivpn: block restart after authentication failure

Block restart of the interface if the openfortivpn fails to authenticate.
Without this check, with a bad password, netifd will continually hit the VPN endpoint with connection attempts

Signed-off-by: Aaron Goodman
---
 net/openfortivpn/files/openfortivpn-wrapper | 38 ++++++++++++++++++---
 net/openfortivpn/files/openfortivpn.sh | 2 +-
 2 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/net/openfortivpn/files/openfortivpn-wrapper b/net/openfortivpn/files/openfortivpn-wrapper
index a64d94d83..cbfe64557 100755
--- a/net/openfortivpn/files/openfortivpn-wrapper
+++ b/net/openfortivpn/files/openfortivpn-wrapper
@@ -4,10 +4,40 @@
 # file from cmd and to daemonize
 # $1 password file
-# $2... are passed to openconnect
+# $2 is the config name
+# $3... are passed to openconnect
 test -z "$1" && exit 1
-pwfile=$1
-shift
-exec /usr/sbin/openfortivpn "$@" < $pwfile
\ No newline at end of file
+pwfile=$1; shift
+config=$1; shift
+killed=0
+
+trap_with_arg() {
+ func="$1" ; shift
+ for sig ; do
+ trap "$func $sig" "$sig"
+ done
+}
+
+func_trap() {
+ logger "openfortivpn-wrapper[$$]" "sending signal ${1}"
+ killed=1
+ kill -${1} $child 2>/dev/null
+}
+
+trap_with_arg func_trap INT TERM KILL
+
+
+start_time=$(date '+%s')
+/usr/sbin/openfortivpn "$@" < $pwfile 2>/dev/null &
+child=$!
+wait $child || {
+ [ "$killed" = 1 ] && exit 0
+ current_time=$(date '+%s')
+ elapsed=$(($current_time-$start_time))
+ . /lib/netifd/netifd-proto.sh
+ proto_notify_error "$config" "Failed to connect after $elapsed seconds."
+ proto_block_restart "$config"
+ exit 1
+}
diff --git a/net/openfortivpn/files/openfortivpn.sh b/net/openfortivpn/files/openfortivpn.sh
index 7ddbc7b75..3e6d4cd91 100755
--- a/net/openfortivpn/files/openfortivpn.sh
+++ b/net/openfortivpn/files/openfortivpn.sh
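Review bot: The failure branch at `wait $child || {` blocks the interface on any non-zero exit of openfortivpn, not only on the authentication failure named in the subject, and because stderr is discarded with `2>/dev/null` the wrapper has no way to tell a rejected password from a transient DNS, TLS or routing error; a failure at boot before the uplink is up would therefore leave the interface blocked until someone restarts it by hand. Capture stderr to a `mktemp` file instead, forward it to `logger` after `wait` so the reason is visible in the system log, and call `proto_block_restart` only when that output shows the credential rejection, letting netifd retry otherwise. Two smaller points on the same hunk: `KILL` in `trap_with_arg func_trap INT TERM KILL` can never be delivered to a handler, so it should be dropped from the list, and the password-file path is unquoted on the new side, `/usr/sbin/openfortivpn "$@" < "$pwfile" 2>/dev/null &`.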
@@ -137,7 +137,7 @@ mru 1354" > $callfile
 proto_export INTERFACE="$ifname"
 logger -p 6 -t openfortivpn "$config: executing 'openfortivpn $cmdline'"
- eval "proto_run_command '$config' /usr/sbin/openfortivpn-wrapper '$pwfile' $cmdline"
+ eval "proto_run_command '$config' /usr/sbin/openfortivpn-wrapper '$pwfile' '$config' $cmdline"
 }
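Review bot: The added `'$config'` is spliced into a string that is then `eval`ed, so correctness relies on the section name containing no single quote, `$` or backtick; that presumably holds for UCI section names but nothing here checks it, and each further value appended to this line widens the same surface. Since the line above already hands state to the child with `proto_export INTERFACE="$ifname"`, exporting the config name the same way and reading it from the environment in the wrapper would avoid extending the eval'd string at all. The enclosing function ends at the `}` in this hunk but starts outside it.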