From patchwork Thu Feb 17 07:22:34 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2303
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 17 Feb 2022 19:22:34 +0100
Message-Id: <20220217182234.33850-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3] Fix OpenVPN querying user/password if auth-token with user expires

The problematic behaviour happens when starting a profile without auth-user-pass and connecting to a server that pushes auth-token. When the auth token expires, OpenVPN asks for auth user and password again.

The problem is that auth_user_pass_setup sets auth_user_pass_enabled = true. This function is called from two places. In ssl.c it is only called with an auth-token present or that variable already set.
The other one is init_query_passwords. Move setting auth_user_pass_enabled to the second place to ensure it is only set if we really want passwords.

Patch v2: Remove unrelated code change
Patch v3: Rebase to master

Signed-off-by: Arne Schwabe
Acked-By: David Sommerseth
Acked-by: Heiko Hund

--- src/openvpn/init.c | 1 + src/openvpn/ssl.c | 7 ++++++- src/openvpn/ssl.h | 3 +++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 21adc3cf..e5fba621 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -590,6 +590,7 @@ init_query_passwords(const struct context *c) /* Auth user/pass input */ if (c->options.auth_user_pass_file) { + enable_auth_user_pass(); #ifdef ENABLE_MANAGEMENT auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info); #else diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 14a943a7..b68708b0 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -398,9 +398,14 @@ static char *auth_challenge; /* GLOBAL */ #endif void -auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci) +enable_auth_user_pass() { auth_user_pass_enabled = true; +} + +void +auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci) +{ if (!auth_user_pass.defined && !auth_token.defined) { #ifdef ENABLE_MANAGEMENT diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index cf754ad2..76d8a7dc 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -436,6 +436,9 @@ void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf); */ void pem_password_setup(const char *auth_file); +/* Enables the use of user/password authentication */ +void enable_auth_user_pass(); + /* * Setup authentication username and password. If auth_file is given, use the * credentials stored in the file.
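Review bot: in the init.c hunk, the new enable_auth_user_pass() call is the only remaining place that sets the flag, yet nothing at the call site records that auth_user_pass_setup() directly below it no longer does so; a one-line comment there (placing the call before the #ifdef ENABLE_MANAGEMENT so both builds get it is correct) would keep a future caller of auth_user_pass_setup() from relying on the old side effect.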
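Review bot: in the ssl.c hunk, enable_auth_user_pass() is defined with an empty parameter list, which in C is an old-style declaration rather than a prototype; write `enable_auth_user_pass(void)` here (and match it in ssl.h) so the compiler can check call sites and -Wstrict-prototypes stays quiet.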
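Review bot: in the ssl.h hunk, the comment "Enables the use of user/password authentication" should also state that this must be called by whoever wants credentials to be queried, because auth_user_pass_setup() no longer sets auth_user_pass_enabled itself; the prototype should read `void enable_auth_user_pass(void);` for the same reason given for ssl.c.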
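The sequence the commit message describes, as an added and deliberately miniature model (not OpenVPN's code): a profile without --auth-user-pass receives a pushed auth-token, the token expires, and the old placement of `auth_user_pass_enabled = true` inside setup turns that into a credential prompt while the patched placement does not. The globals and function names mirror the patch but are constructed stand-ins.

```c
#include <stdbool.h>

/* Constructed model of the globals involved; not OpenVPN's real code. */
static bool auth_user_pass_enabled; /* profile uses user/password auth */
static bool auth_user_pass_defined; /* credentials currently held */
static bool auth_token_defined;     /* pushed auth-token currently held */
static int prompts;                 /* how often the user was asked */

/* Stand-in for the interactive username/password query. */
static void query_user_pass(void) { prompts++; auth_user_pass_defined = true; }

/* Before the patch: setup itself flips the enable flag. */
static void auth_user_pass_setup_before(void)
{
    auth_user_pass_enabled = true;
    if (!auth_user_pass_defined && !auth_token_defined) query_user_pass();
}

/* After the patch: the flag is set only by enable_auth_user_pass() in
 * init_query_passwords(), i.e. for profiles with --auth-user-pass. */
static void auth_user_pass_setup_after(void)
{
    if (!auth_user_pass_defined && !auth_token_defined) query_user_pass();
}

/* One renegotiation as in ssl.c: setup runs only when user/pass auth is
 * enabled or a token is held. */
static void renegotiate(void (*setup)(void))
{
    if (auth_user_pass_enabled || auth_token_defined) setup();
}

/* Profile without --auth-user-pass, server pushes a token, token expires.
 * Returns how often the user was prompted. */
int prompts_after_token_expiry(bool patched)
{
    void (*setup)(void) = patched ? auth_user_pass_setup_after
                                  : auth_user_pass_setup_before;
    auth_user_pass_enabled = auth_user_pass_defined = false;
    prompts = 0;
    auth_token_defined = true;  /* server pushed auth-token */
    renegotiate(setup);         /* token still valid: no prompt */
    auth_token_defined = false; /* token expired */
    renegotiate(setup);         /* before the fix: flag is set, so prompt */
    return prompts;
}
```

With the pre-patch setup the second renegotiation prompts once; with the patched setup it does not, because the flag was never set for a profile that lacks --auth-user-pass.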