From patchwork Thu May 20 05:11:40 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1828 X-Patchwork-Delegate: a@unstable.cc Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 0Kq9F3N8pmAIbwAAIUCqbw (envelope-from ) for ; Thu, 20 May 2021 11:12:51 -0400 Received: from proxy2.mail.ord1d.rsapps.net ([172.30.191.6]) by director8.mail.ord1d.rsapps.net with LMTP id SNWJF3N8pmAHdgAAfY0hYg (envelope-from ) for ; Thu, 20 May 2021 11:12:51 -0400 Received: from smtp16.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy2.mail.ord1d.rsapps.net with LMTPS id SKooF3N8pmBpUgAAfawv4w (envelope-from ) for ; Thu, 20 May 2021 11:12:51 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp16.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: d7aa5c8e-b97d-11eb-95ee-bc305bf036a4-1-1 Received: from [216.105.38.7] ([216.105.38.7:47758] helo=lists.sourceforge.net) by smtp16.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 09/1A-17694-27C76A06; Thu, 20 May 2021 11:12:51 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1ljkLF-00065H-Mh; Thu, 20 May 2021 15:12:05 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ljkLC-00064N-Ea for openvpn-devel@lists.sourceforge.net; Thu, 20 May 2021 15:12:02 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=rQKYSB8EFjYRMuJtOFYs/sDWAG1T2PWwyGImsQWwlbE=; b=iJSixp9ZTp8VGhZyPvhdLiW83x OpISHn7JNP1j1kRFdNIn/nQRwWHA8Ojn6kGSufq9Z8FcfAN7FeTYdotdEoJYUN0/2uNEoLosfBXZI VoZbOgODGSXGnZSGeDQAiAxICovgAGHznCVQRuo/S29+x1i1Q+UdH9dE6EOWPowuLND4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=rQKYSB8EFjYRMuJtOFYs/sDWAG1T2PWwyGImsQWwlbE=; b=f RT+kxodhJ0bPlEvdGmEbv8AWXcnytY51ePeDJNUKKwDneUsrVUdi7DotmvN5oyyHq9Hv5dKFfiYkB sCUtRvMio4ZC1odkav7TGE2g1P+bvJ7CPoWqowrwkKPsPCGBrm1JqOCj/39j+Vag4fwdd3aOnGT+6 Yn2uliQmeI6dDIVM=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1ljkL4-0008Ik-AI for openvpn-devel@lists.sourceforge.net; Thu, 20 May 2021 15:12:03 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1ljkKy-000C2E-7W for openvpn-devel@lists.sourceforge.net; Thu, 20 May 2021 17:11:48 +0200 Received: (nullmailer pid 2565625 invoked by uid 10006); Thu, 20 May 2021 15:11:48 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Thu, 20 May 2021 17:11:40 +0200 Message-Id: <20210520151148.2565578-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1ljkL4-0008Ik-AI Subject: [Openvpn-devel] [PATCH v2 1/9] Move auth_token_state from multi to key_state X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox The auth-token check is tied to the username/password that is coming via a specific SSL session, so keep the state also in the key_state structure. This also ensures the auth_token_state is always set to 0 on a new session since we clear the key_state object at the start of a new SSL session. This is a prerequisite patch to fix 2020-15078 in the following two commits. This also applies the changes to the auth_token_test.c. The change of tls_session to a pointer is necessary since before that we had tls_session not tied to the multi and had two tls_session used in the test. One implicitly in tls_multi and one explicit one. Merge these to one. Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- src/openvpn/auth_token.c | 12 +-- src/openvpn/ssl_common.h | 4 +- src/openvpn/ssl_verify.c | 8 +- tests/unit_tests/openvpn/test_auth_token.c | 91 +++++++++++----------- 4 files changed, 60 insertions(+), 55 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index d571b686e..0ea6d1832 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -57,6 +57,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi, return; } + int auth_token_state_flags = session->key[KS_PRIMARY].auth_token_state_flags; const char *state; @@ -64,9 +65,9 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi, { state = "Initial"; } - else if (multi->auth_token_state_flags & AUTH_TOKEN_HMAC_OK) + else if (auth_token_state_flags & AUTH_TOKEN_HMAC_OK) { - switch (multi->auth_token_state_flags & (AUTH_TOKEN_VALID_EMPTYUSER|AUTH_TOKEN_EXPIRED)) + switch (auth_token_state_flags & (AUTH_TOKEN_VALID_EMPTYUSER|AUTH_TOKEN_EXPIRED)) { case 0: state = "Authenticated"; @@ -98,8 +99,8 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi, /* We had a valid session id before */ const char *session_id_source; - if (multi->auth_token_state_flags & AUTH_TOKEN_HMAC_OK - && !(multi->auth_token_state_flags & AUTH_TOKEN_EXPIRED)) + if (auth_token_state_flags & AUTH_TOKEN_HMAC_OK + && !(auth_token_state_flags & AUTH_TOKEN_EXPIRED)) { session_id_source = up->password; } @@ -236,7 +237,8 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi) * a new token with the empty username since we do not want to loose * the information that the username cannot be trusted */ - if (multi->auth_token_state_flags & AUTH_TOKEN_VALID_EMPTYUSER) + struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY]; + if (ks->auth_token_state_flags & AUTH_TOKEN_VALID_EMPTYUSER) { hmac_ctx_update(ctx, (const uint8_t *) "", 0); } diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 61cae7419..53325e556 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -182,6 +182,8 @@ enum auth_deferred_result { struct key_state { int state; + /** The state of the auth-token sent from the client */ + int auth_token_state_flags; /** * Key id for this key_state, inherited from struct tls_session. @@ -598,8 +600,6 @@ struct tls_multi * OpenVPN 3 clients sometimes wipes or replaces the username with a * username hint from their config. */ - int auth_token_state_flags; - /**< The state of the auth-token sent from the client last time */ /* For P_DATA_V2 */ uint32_t peer_id; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 0b41eea2d..7992a6eb9 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1484,7 +1484,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, */ if (session->opt->auth_token_generate && is_auth_token(up->password)) { - multi->auth_token_state_flags = verify_auth_token(up, multi, session); + ks->auth_token_state_flags = verify_auth_token(up, multi, session); if (session->opt->auth_token_call_auth) { /* @@ -1493,7 +1493,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, * decide what to do with the result */ } - else if (multi->auth_token_state_flags == AUTH_TOKEN_HMAC_OK) + else if (ks->auth_token_state_flags == AUTH_TOKEN_HMAC_OK) { /* * We do not want the EXPIRED or EMPTY USER flags here so check @@ -1592,8 +1592,8 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, * the initial timestamp and session id can be extracted from it */ if (!multi->auth_token - && (multi->auth_token_state_flags & AUTH_TOKEN_HMAC_OK) - && !(multi->auth_token_state_flags & AUTH_TOKEN_EXPIRED)) + && (ks->auth_token_state_flags & AUTH_TOKEN_HMAC_OK) + && !(ks->auth_token_state_flags & AUTH_TOKEN_EXPIRED)) { multi->auth_token = strdup(up->password); } diff --git a/tests/unit_tests/openvpn/test_auth_token.c b/tests/unit_tests/openvpn/test_auth_token.c index dbde86318..69fc1f8c9 100644 --- a/tests/unit_tests/openvpn/test_auth_token.c +++ b/tests/unit_tests/openvpn/test_auth_token.c @@ -45,7 +45,7 @@ struct test_context { struct tls_multi multi; struct key_type kt; struct user_pass up; - struct tls_session session; + struct tls_session *session; }; /* Dummy functions that do nothing to mock the functionality */ @@ -100,10 +100,11 @@ setup(void **state) } ctx->multi.opt.auth_token_generate = true; ctx->multi.opt.auth_token_lifetime = 3000; + ctx->session = &ctx->multi.session[TM_ACTIVE]; - ctx->session.opt = calloc(1, sizeof(struct tls_options)); - ctx->session.opt->renegotiate_seconds = 120; - ctx->session.opt->auth_token_lifetime = 3000; + ctx->session->opt = calloc(1, sizeof(struct tls_options)); + ctx->session->opt->renegotiate_seconds = 120; + ctx->session->opt->auth_token_lifetime = 3000; strcpy(ctx->up.username, "test user name"); strcpy(ctx->up.password, "ignored"); @@ -122,7 +123,7 @@ teardown(void **state) free_key_ctx(&ctx->multi.opt.auth_token_key); wipe_auth_token(&ctx->multi); - free(ctx->session.opt); + free(ctx->session->opt); free(ctx); return 0; @@ -135,7 +136,7 @@ auth_token_basic_test(void **state) generate_auth_token(&ctx->up, &ctx->multi); strcpy(ctx->up.password, ctx->multi.auth_token); - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); } @@ -146,7 +147,7 @@ auth_token_fail_invalid_key(void **state) generate_auth_token(&ctx->up, &ctx->multi); strcpy(ctx->up.password, ctx->multi.auth_token); - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); /* Change auth-token key */ @@ -155,13 +156,13 @@ auth_token_fail_invalid_key(void **state) free_key_ctx(&ctx->multi.opt.auth_token_key); init_key_ctx(&ctx->multi.opt.auth_token_key, &key, &ctx->kt, false, "TEST"); - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), 0); + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), 0); /* Load original test key again */ memset(&key, 0, sizeof(key)); free_key_ctx(&ctx->multi.opt.auth_token_key); init_key_ctx(&ctx->multi.opt.auth_token_key, &key, &ctx->kt, false, "TEST"); - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); } @@ -176,32 +177,32 @@ auth_token_test_timeout(void **state) strcpy(ctx->up.password, ctx->multi.auth_token); /* No time has passed */ - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); /* Token before validity, should be rejected */ now = 100000 - 100; - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED); /* Token still in validity, should be accepted */ - now = 100000 + 2*ctx->session.opt->renegotiate_seconds - 20; - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + now = 100000 + 2*ctx->session->opt->renegotiate_seconds - 20; + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); /* Token past validity, should be rejected */ - now = 100000 + 2*ctx->session.opt->renegotiate_seconds + 20; - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + now = 100000 + 2*ctx->session->opt->renegotiate_seconds + 20; + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED); /* Check if the mode for a client that never updates its token works */ ctx->multi.auth_token_initial = strdup(ctx->up.password); - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); /* But not when we reached our timeout */ - now = 100000 + ctx->session.opt->auth_token_lifetime + 1; - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + now = 100000 + ctx->session->opt->auth_token_lifetime + 1; + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED); free(ctx->multi.auth_token_initial); @@ -209,22 +210,22 @@ auth_token_test_timeout(void **state) /* regenerate the token util it hits the expiry */ now = 100000; - while (now < 100000 + ctx->session.opt->auth_token_lifetime + 1) + while (now < 100000 + ctx->session->opt->auth_token_lifetime + 1) { - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); generate_auth_token(&ctx->up, &ctx->multi); strcpy(ctx->up.password, ctx->multi.auth_token); - now += ctx->session.opt->renegotiate_seconds; + now += ctx->session->opt->renegotiate_seconds; } - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED); ctx->multi.opt.auth_token_lifetime = 0; /* Non expiring token should be fine */ - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); } @@ -253,7 +254,7 @@ auth_token_test_known_keys(void **state) assert_string_equal(now0key0, ctx->multi.auth_token); strcpy(ctx->up.password, ctx->multi.auth_token); - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); } @@ -277,25 +278,25 @@ auth_token_test_empty_user(void **state) generate_auth_token(&ctx->up, &ctx->multi); strcpy(ctx->up.password, ctx->multi.auth_token); - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK); now = 100000; - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED); strcpy(ctx->up.username, "test user name"); now = 0; - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_VALID_EMPTYUSER); strcpy(ctx->up.username, "test user name"); now = 100000; - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED|AUTH_TOKEN_VALID_EMPTYUSER); zerohmac(ctx->up.password); - assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session), + assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), 0); } @@ -304,30 +305,32 @@ auth_token_test_env(void **state) { struct test_context *ctx = (struct test_context *) *state; - ctx->multi.auth_token_state_flags = 0; + struct key_state *ks = &ctx->multi.session[TM_ACTIVE].key[KS_PRIMARY]; + + ks->auth_token_state_flags = 0; ctx->multi.auth_token = NULL; - add_session_token_env(&ctx->session, &ctx->multi, &ctx->up); + add_session_token_env(ctx->session, &ctx->multi, &ctx->up); assert_string_equal(lastsesion_statevalue, "Initial"); - ctx->multi.auth_token_state_flags = 0; + ks->auth_token_state_flags = 0; strcpy(ctx->up.password, now0key0); - add_session_token_env(&ctx->session, &ctx->multi, &ctx->up); + add_session_token_env(ctx->session, &ctx->multi, &ctx->up); assert_string_equal(lastsesion_statevalue, "Invalid"); - ctx->multi.auth_token_state_flags = AUTH_TOKEN_HMAC_OK; - add_session_token_env(&ctx->session, &ctx->multi, &ctx->up); + ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK; + add_session_token_env(ctx->session, &ctx->multi, &ctx->up); assert_string_equal(lastsesion_statevalue, "Authenticated"); - ctx->multi.auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED; - add_session_token_env(&ctx->session, &ctx->multi, &ctx->up); + ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED; + add_session_token_env(ctx->session, &ctx->multi, &ctx->up); assert_string_equal(lastsesion_statevalue, "Expired"); - ctx->multi.auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_VALID_EMPTYUSER; - add_session_token_env(&ctx->session, &ctx->multi, &ctx->up); + ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_VALID_EMPTYUSER; + add_session_token_env(ctx->session, &ctx->multi, &ctx->up); assert_string_equal(lastsesion_statevalue, "AuthenticatedEmptyUser"); - ctx->multi.auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED|AUTH_TOKEN_VALID_EMPTYUSER; - add_session_token_env(&ctx->session, &ctx->multi, &ctx->up); + ks->auth_token_state_flags = AUTH_TOKEN_HMAC_OK|AUTH_TOKEN_EXPIRED|AUTH_TOKEN_VALID_EMPTYUSER; + add_session_token_env(ctx->session, &ctx->multi, &ctx->up); assert_string_equal(lastsesion_statevalue, "ExpiredEmptyUser"); } @@ -351,7 +354,7 @@ auth_token_test_random_keys(void **state) assert_string_equal(random_token, ctx->multi.auth_token); strcpy(ctx->up.password, ctx->multi.auth_token); - assert_true(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session)); + assert_true(verify_auth_token(&ctx->up, &ctx->multi, ctx->session)); } @@ -363,11 +366,11 @@ auth_token_test_key_load(void **state) free_key_ctx(&ctx->multi.opt.auth_token_key); auth_token_init_secret(&ctx->multi.opt.auth_token_key, zeroinline, true); strcpy(ctx->up.password, now0key0); - assert_true(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session)); + assert_true(verify_auth_token(&ctx->up, &ctx->multi, ctx->session)); free_key_ctx(&ctx->multi.opt.auth_token_key); auth_token_init_secret(&ctx->multi.opt.auth_token_key, allx01inline, true); - assert_false(verify_auth_token(&ctx->up, &ctx->multi, &ctx->session)); + assert_false(verify_auth_token(&ctx->up, &ctx->multi, ctx->session)); } int