From patchwork Sun Oct 9 02:08:05 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2806
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 9 Oct 2022 15:08:05 +0200
Message-Id: <20221009130805.1556517-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20220217182234.33850-1-arne@rfc2549.org>
References: <20220217182234.33850-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4] Fix OpenVPN querying user/password if auth-token with user expires

The problematic behaviour happens when starting a profile without auth-user-pass and connecting to a server that pushes auth-token. When the auth token expires, OpenVPN asks for auth user and password again.

The problem is that auth_user_pass_setup sets auth_user_pass_enabled = true. This function is called from two places.
In ssl.c it is only called with an auth-token present or that variable already set. The other one is init_query_passwords. Move setting auth_user_pass_enabled to the second place to ensure it is only set if we really want passwords.

Patch v2: Remove unrelated code change
Patch v3: Rebase to master
Patch v4: Rebase to master

Signed-off-by: Arne Schwabe
--- src/openvpn/init.c | 1 + src/openvpn/ssl.c | 7 ++++++- src/openvpn/ssl.h | 3 +++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 80b077653..5141a35c2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -595,6 +595,7 @@ init_query_passwords(const struct context *c) /* Auth user/pass input */ if (c->options.auth_user_pass_file) { + enable_auth_user_pass(); #ifdef ENABLE_MANAGEMENT auth_user_pass_setup(c->options.auth_user_pass_file, c->options.auth_user_pass_file_inline, diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 4f28eb568..5ed71f0c5 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -394,6 +394,12 @@ static struct user_pass auth_token; /* GLOBAL */ static char *auth_challenge; /* GLOBAL */ #endif +void +enable_auth_user_pass() +{ + auth_user_pass_enabled = true; +} + void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci) @@ -405,7 +411,6 @@ auth_user_pass_setup(const char *auth_file, bool is_inline, flags |= GET_USER_PASS_INLINE_CREDS; } - auth_user_pass_enabled = true; if (!auth_user_pass.defined && !auth_token.defined) { #ifdef ENABLE_MANAGEMENT diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index f8c30762e..9ae6ae8fc 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h 
@@ -371,6 +371,9 @@ void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf); */ void pem_password_setup(const char *auth_file); +/* Enables the use of user/password authentication */ +void enable_auth_user_pass(); + /* * Setup authentication username and password. If auth_file is given, use the * credentials stored in the file, however, if is_inline is true then auth_file
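Review bot: in the init.c hunk the new enable_auth_user_pass() call is placed inside `if (c->options.auth_user_pass_file)` but ahead of `#ifdef ENABLE_MANAGEMENT`, so both build variants set the flag; that is the right spot, but the ordering (enable first, then auth_user_pass_setup()) is now a contract that nothing in the code states, so a one-line comment above the call such as "must precede auth_user_pass_setup(), which no longer enables user/pass itself" would keep a later refactor from swapping them.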
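Review bot: in the first ssl.c hunk `void enable_auth_user_pass()` is defined with an empty parameter list, which in C is an old-style declaration with unspecified arguments rather than a prototype; make it `enable_auth_user_pass(void)` so it builds clean under -Wstrict-prototypes. The function also writes the file-scope auth_user_pass_enabled, so it deserves the same `/* GLOBAL */` remark the neighbouring auth_token and auth_challenge lines carry, or at least a short comment mirroring the one added in ssl.h.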
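Review bot: in the second ssl.c hunk, dropping `auth_user_pass_enabled = true;` means auth_user_pass_setup() no longer enables user/password auth as a side effect, so every caller that actually wants credentials must now call enable_auth_user_pass() beforehand; the commit message accounts for the ssl.c caller (auth-token present or flag already set) and for init_query_passwords(), but it should state explicitly that these are the only in-tree callers, because a missed caller would silently stop prompting for credentials rather than fail loudly.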
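Review bot: in the ssl.h hunk the declaration `void enable_auth_user_pass();` should read `void enable_auth_user_pass(void);` to match a proper prototype, and the comment "Enables the use of user/password authentication" would be more useful if it also said when to call it, e.g. "call before auth_user_pass_setup() when the profile really wants user/password credentials", since that ordering is exactly what this patch relies on to stop the spurious prompt after auth-token expiry.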