From patchwork Thu Feb 15 10:01:31 2024
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3617
From: "its_Giaan (Code Review)"
X-Google-Original-From: "its_Giaan (Code Review)"
X-Gerrit-PatchSet: 1
Date: Thu, 15 Feb 2024 10:01:31 +0000
To: plaisthos, flichtenheld
Auto-Submitted: auto-generated
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
X-Gerrit-Change-Number: 523
X-Gerrit-Project: openvpn
X-Gerrit-Commit: f08955c33218a3ab0aee7215199c595202ac9f71
Message-ID: <10eb2954e1a1f458c3f7b920ca2b395e0dccddbd-HTML@gerrit.openvpn.net>
MIME-Version: 1.0
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [M] Change in openvpn[master]: Http-proxy: Fix bug preventing proxy credentials caching.
Reply-To: gianmarco@mandelbit.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/523?usp=email to review the following change.
Change subject: Http-proxy: Fix bug preventing proxy credentials caching.
......................................................................

Http-proxy: Fix bug preventing proxy credentials caching.

Previously, the caching of proxy credentials was not working due to the missing handling of already defined creds in get_user_pass_http(), which prevented the caching from working correctly.

This issue has been solved by rewriting get_user_pass_http(). This method now sets the appropriate flags based on whether credentials are defined, have been queried before, or are inline. It then calls get_user_pass() to retrieve the credentials and store them in a static variable, 'static_proxy_user_pass', which will be used for subsequent requests. If credentials were not previously defined, or caching is not allowed, creds are queried again.

Fixes: Trac #1187
Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
Signed-off-by: Gianmarco De Gregori
---
M src/openvpn/options.c
M src/openvpn/proxy.c
M src/openvpn/proxy.h
3 files changed, 31 insertions(+), 27 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/23/523/1

diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2c79a1e..3f5301f 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1858,6 +1858,7 @@ SHOW_BOOL(persist_local_ip); SHOW_BOOL(persist_remote_ip); SHOW_BOOL(persist_key); + SHOW_BOOL(ce.http_proxy_options->nocache); #if PASSTOS_CAPABILITY SHOW_BOOL(passtos); @@ -8978,6 +8979,7 @@ { VERIFY_PERMISSION(OPT_P_GENERAL); ssl_set_auth_nocache(); + options->ce.http_proxy_options->nocache = true; } else if (streq(p[0], "auth-token") && p[1] && !p[2]) { diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index eeb3989..a4af720 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c 
@@ -257,40 +257,41 @@ } static void -get_user_pass_http(struct http_proxy_info *p, const bool force) +get_user_pass_http(struct http_proxy_info *p) { - /* - * in case of forced (re)load, make sure the static storage is set as - * undefined, otherwise get_user_pass() won't try to load any credential - */ - if (force) + static bool is_first_time = true; + unsigned int flags = GET_USER_PASS_MANAGEMENT; + + if (p->queried_creds && !p->options.nocache) { - clear_user_pass_http(); + flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; } - if (!static_proxy_user_pass.defined) + if (p->options.inline_creds) { - unsigned int flags = GET_USER_PASS_MANAGEMENT; - const char *auth_file = p->options.auth_file; - if (p->options.auth_file_up) - { - auth_file = p->options.auth_file_up; - } - if (p->queried_creds) - { - flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; - } - if (p->options.inline_creds) - { - flags |= GET_USER_PASS_INLINE_CREDS; - } + flags |= GET_USER_PASS_INLINE_CREDS; + } + + if (!static_proxy_user_pass.defined || (is_first_time && !p->options.nocache) ) + { get_user_pass(&static_proxy_user_pass, - auth_file, + p->options.auth_file, UP_TYPE_PROXY, flags); - p->queried_creds = true; - p->up = static_proxy_user_pass; + is_first_time = false; } + + else + { + get_user_pass(&static_proxy_user_pass, + p->options.auth_file, + UP_TYPE_PROXY, + flags); + static_proxy_user_pass.defined = !p->options.nocache; + } + + p->queried_creds = true; + p->up = static_proxy_user_pass; } #if 0 @@ -542,7 +543,7 @@ * we know whether we need any. */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2) { - get_user_pass_http(p, true); + get_user_pass_http(p); } #if !NTLM @@ -655,7 +656,7 @@ || p->auth_method == HTTP_AUTH_DIGEST || p->auth_method == HTTP_AUTH_NTLM2) { - get_user_pass_http(p, false); + get_user_pass_http(p); } /* are we being called again after getting the digest server nonce in the previous transaction? */ 
diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h index 4e78772..b8b4ca9 100644 --- a/src/openvpn/proxy.h +++ b/src/openvpn/proxy.h @@ -57,6 +57,7 @@ const char *user_agent; struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]; bool inline_creds; /* auth_file_up is inline credentials */ + bool nocache; }; struct http_proxy_options_simple {
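Review bot: in the options.c hunk at @@ -1858 (show_settings), `SHOW_BOOL(ce.http_proxy_options->nocache);` dereferences ce.http_proxy_options unconditionally. That member is a pointer (hence the `->`), and as far as I can see it stays NULL until an --http-proxy option allocates it, so a configuration with no proxy and a verbosity high enough to dump settings would crash on this line. Guard it, e.g. `if (o->ce.http_proxy_options) SHOW_BOOL(ce.http_proxy_options->nocache);`, or print the flag from the existing http-proxy-options dump where the pointer is already known to be valid.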
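Review bot: in the options.c hunk at @@ -8978 (the --auth-nocache handler), `options->ce.http_proxy_options->nocache = true;` has the same unguarded dereference, and here it is also order-dependent: --auth-nocache listed before --http-proxy, or with no proxy at all, writes through a NULL pointer, and whether the flag reaches per-<connection> proxy settings depends on where in the file the option appears. Allocate the struct first with the same allocate-if-missing helper the --http-proxy handlers use (init_http_proxy_options_once(), if I recall the name correctly), or keep the flag in struct options and copy it into every connection entry's proxy options during post-processing, which removes the ordering problem as well.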
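Review bot: the proxy.c hunk at @@ -257 drops the auth_file_up fallback. The removed lines selected `auth_file = p->options.auth_file_up;` when that field is set, which per the proxy.h comment (`auth_file_up is inline credentials`) is where inline proxy credentials live, but both new get_user_pass() calls pass `p->options.auth_file` while still setting GET_USER_PASS_INLINE_CREDS, so inline credentials now point get_user_pass() at the wrong field; please restore the selection. Two smaller points in the same hunk: the if and else branches make an identical get_user_pass() call, so the call can be hoisted above the branch and only the `is_first_time = false;` / `static_proxy_user_pass.defined = !p->options.nocache;` bookkeeping kept conditional; and for the nocache case the old code called clear_user_pass_http(), which the removed comment describes as resetting the static storage, whereas the new code only flips `defined` to false and leaves the username and password sitting in the static struct, so --auth-nocache no longer removes the secret from memory. Finally, `static bool is_first_time` is process-wide state inside a function that otherwise operates on a per-proxy `p`, which will misbehave as soon as more than one proxy is used in a session.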
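Review bot: in the proxy.c hunk at @@ -542, the removed `force` argument at this pre-connect call site was the only thing that ever reset static_proxy_user_pass; with it gone, nothing in the patch invalidates cached credentials once the proxy rejects them. A mistyped password at the first prompt is stored with `defined` set and, since the removed comment notes that get_user_pass() does not load anything while `defined` is true, is reused on every later connect without another prompt. Consider clearing the static storage on the 407 / authentication-failure path so the next call re-queries, and only then with GET_USER_PASS_PREVIOUS_CREDS_FAILED.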
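Review bot: the proxy.c hunk at @@ -655 is the call site reached after a proxy challenge, yet the flag it depends on is computed earlier as `p->queried_creds && !p->options.nocache`, which is the opposite of what a re-prompt needs: with --auth-nocache the user is asked again on every connection but never told the previous credentials failed, and with caching enabled the flag is set while `defined` is still true, so get_user_pass() never acts on it. Either drop the `!p->options.nocache` condition or tie the flag to an actually rejected attempt rather than to "queried before".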
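Review bot: in the proxy.h hunk, `bool nocache;` lands next to a commented field (`inline_creds; /* auth_file_up is inline credentials */`) with no comment of its own. Say what it mirrors (--auth-nocache, set from options.c) and that it governs proxy credentials only, since this line is the only documentation a reader of proxy.c gets; it is also worth noting that the struct must be allocated before any option handler writes this field.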