From patchwork Tue Mar 12 17:16:21 2024
X-Patchwork-Submitter: Gianmarco De Gregori
X-Patchwork-Id: 3644
From: gianmarco@mandelbit.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 12 Mar 2024 18:16:21 +0100
Message-Id: <20240312171621.22629-1-gianmarco@mandelbit.com>
Subject: [Openvpn-devel] [PATCH v8] Http-proxy: fix bug preventing proxy credentials caching
From: Gianmarco De Gregori Caching proxy credentials was not working due to the lack of handling already defined creds in get_user_pass(), which prevented the caching from working properly. Fix this issue by getting the value of c->first_time, that indicates if we're at the first iteration of the main loop and use it as second argument of the get_user_pass_http(). Otherwise, on SIGUSR1 or SIGHUP upon instance context restart credentials would be erased every time. The nocache member has been added to the struct http_proxy_options and also a getter method to retrieve that option from ssl has been added, by doing this we're able to erase previous queried user credentials to ensure correct operation. Fixes: Trac #1187 Signed-off-by: Gianmarco De Gregori Acked-by: Frank Lichtenheld Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/523 This mail reflects revision 8 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index f8a0f48..1fb17f7 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -19,9 +19,6 @@ When using ``--auth-nocache`` in combination with a user/password file and ``--chroot`` or ``--daemon``, make sure to use an absolute path. - This directive does not affect the ``--http-proxy`` username/password. - It is always cached. - --cd dir Change directory to ``dir`` prior to reading any files such as configuration files, key files, scripts, etc. ``dir`` should be an diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 52b3931..fdee199 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -697,6 +697,8 @@ if (c->options.ce.http_proxy_options) { + c->options.ce.http_proxy_options->first_time = c->first_time; + /* Possible HTTP proxy user/pass input */ c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options); if (c->c1.http_proxy) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 94a88f9..d276a1a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1650,6 +1650,7 @@ SHOW_STR(auth_file); SHOW_STR(auth_file_up); SHOW_BOOL(inline_creds); + SHOW_BOOL(nocache); SHOW_STR(http_version); SHOW_STR(user_agent); for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++) @@ -3151,6 +3152,11 @@ ce->flags |= CE_DISABLED; } + if (ce->http_proxy_options) + { + ce->http_proxy_options->nocache = ssl_get_auth_nocache(); + } + /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not) * so fall back to IPv4-only (trac #1221) */ diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index eeb3989..4570fbc 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -276,7 +276,7 @@ { auth_file = p->options.auth_file_up; } - if (p->queried_creds) + if (p->queried_creds && !static_proxy_user_pass.nocache) { flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; } @@ -288,9 +288,14 @@ auth_file, UP_TYPE_PROXY, flags); - p->queried_creds = true; - p->up = static_proxy_user_pass; + static_proxy_user_pass.nocache = p->options.nocache; } + + /* + * Using cached credentials + */ + p->queried_creds = true; + p->up = static_proxy_user_pass; } #if 0 @@ -542,7 +547,7 @@ * we know whether we need any. */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2) { - get_user_pass_http(p, true); + get_user_pass_http(p, p->options.first_time); } #if !NTLM @@ -656,6 +661,11 @@ || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, false); + + if (p->up.nocache) + { + clear_user_pass_http(); + } } /* are we being called again after getting the digest server nonce in the previous transaction? */ 
@@ -1031,13 +1041,6 @@ } goto error; } - - /* clear state */ - if (p->options.auth_retry) - { - clear_user_pass_http(); - } - store_proxy_authenticate(p, NULL); } /* check return code, success = 200 */ diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h index 4e78772..474cfc9 100644 --- a/src/openvpn/proxy.h +++ b/src/openvpn/proxy.h @@ -57,6 +57,8 @@ const char *user_agent; struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]; bool inline_creds; /* auth_file_up is inline credentials */ + bool first_time; /* indicates if we need to wipe user creds at the first iteration of the main loop */ + bool nocache; }; struct http_proxy_options_simple { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 33c8670..d174dad 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -335,6 +335,15 @@ } /* + * Get the password caching + */ +bool +ssl_get_auth_nocache() +{ + return passbuf.nocache; +} + +/* * Set an authentication token */ void diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 71b99db..dd6538c 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -397,6 +397,11 @@ void ssl_set_auth_nocache(void); /* + * Getter method for retrieving the auth-nocache option. + */ +bool ssl_get_auth_nocache(); + +/* * Purge any stored authentication information, both for key files and tunnel * authentication. If PCKS #11 is enabled, purge authentication for that too. * Note that auth_token is not cleared.
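Review bot: dropping the paragraph in generic-options.rst ("This directive does not affect the ``--http-proxy`` username/password. It is always cached.") is right now that the behaviour changes, but nothing replaces it; add one sentence under ``--auth-nocache`` stating that it now also applies to the ``--http-proxy`` username/password, so users relying on the old always-cached behaviour see the change in the manual.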
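Review bot: in the options.c hunk around line 3152, `ce->http_proxy_options->nocache = ssl_get_auth_nocache();` copies state out of ssl.c's static password buffer during option post-processing, so it is only correct if `--auth-nocache` has already been parsed and `ssl_set_auth_nocache()` already called by the time this runs for every connection entry; a comment stating that ordering dependency, or taking the value from the options struct rather than the ssl layer, would make the coupling explicit.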
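Review bot: the new guard `if (p->queried_creds && !static_proxy_user_pass.nocache)` in proxy.c only does what the commit message intends if `clear_user_pass_http()` leaves the `nocache` member intact; if it purges the whole struct, `nocache` reads false on the retry path and `GET_USER_PASS_PREVIOUS_CREDS_FAILED` is set even though the credentials were deliberately discarded rather than rejected, so please confirm which it is. The moved `p->up = static_proxy_user_pass;` also means `p->up` holds a second copy of the password; the later `clear_user_pass_http()` call in the `p->up.nocache` branch needs to purge that copy too, otherwise nocache leaves the plaintext in `p->up`.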
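Review bot: removing the `if (p->options.auth_retry) { clear_user_pass_http(); }` block at proxy.c line 1041 changes behaviour for `auth-retry` users independently of `--auth-nocache`, and the commit message does not mention it; either explain in the message why the retry path no longer needs to wipe the cached credentials (presumably because `GET_USER_PASS_PREVIOUS_CREDS_FAILED` now drives the re-prompt) or keep the block.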
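Review bot: in proxy.h, `bool nocache;` has no comment while its sibling `first_time` does; a short note that it mirrors `--auth-nocache` for the proxy credentials would help, and the `first_time` comment runs well past the usual line length, so wrap it.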
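Review bot: `bool ssl_get_auth_nocache()` in both ssl.c and ssl.h declares an unprototyped function (empty parentheses mean unspecified parameters in C before C23); use `bool ssl_get_auth_nocache(void)` to match the adjacent `void ssl_set_auth_nocache(void);`. The ssl.c comment `Get the password caching` should also say what is returned, e.g. `Return true if --auth-nocache is set`.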