From patchwork Sun Jun 23 20:05:51 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3747
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 23 Jun 2024 22:05:51 +0200
Subject: [Openvpn-devel] [PATCH v10] Http-proxy: fix bug preventing proxy credentials caching
Message-ID: <20240623200551.20092-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.44.1
From: Gianmarco De Gregori Caching proxy credentials was not working due to the lack of handling already defined creds in get_user_pass(), which prevented the caching from working properly. Fix this issue by getting the value of c->first_time, that indicates if we're at the first iteration of the main loop and use it as second argument of the get_user_pass_http(). Otherwise, on SIGUSR1 or SIGHUP upon instance context restart credentials would be erased every time. The nocache member has been added to the struct http_proxy_options and also a getter method to retrieve that option from ssl has been added, by doing this we're able to erase previous queried user credentials to ensure correct operation. Fixes: Trac #1187 Signed-off-by: Gianmarco De Gregori Acked-by: Gert Doering Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/523 This mail reflects revision 10 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index eb9cf28..ba9376b 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -19,9 +19,6 @@ When using ``--auth-nocache`` in combination with a user/password file and ``--chroot`` or ``--daemon``, make sure to use an absolute path. - This directive does not affect the ``--http-proxy`` username/password. - It is always cached. - --cd dir Change directory to ``dir`` prior to reading any files such as configuration files, key files, scripts, etc. ``dir`` should be an diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b081b2f..a49e563 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -691,6 +691,8 @@ if (c->options.ce.http_proxy_options) { + c->options.ce.http_proxy_options->first_time = c->first_time; + /* Possible HTTP proxy user/pass input */ c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options); if (c->c1.http_proxy) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f2c7536..dbe1425 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1650,6 +1650,7 @@ SHOW_STR(auth_file); SHOW_STR(auth_file_up); SHOW_BOOL(inline_creds); + SHOW_BOOL(nocache); SHOW_STR(http_version); SHOW_STR(user_agent); for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++) @@ -3151,6 +3152,11 @@ ce->flags |= CE_DISABLED; } + if (ce->http_proxy_options) + { + ce->http_proxy_options->nocache = ssl_get_auth_nocache(); + } + /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not) * so fall back to IPv4-only (trac #1221) */ diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index ba3d87c..5de0da4 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -276,7 +276,7 @@ { auth_file = p->options.auth_file_up; } - if (p->queried_creds) + if (p->queried_creds && !static_proxy_user_pass.nocache) { flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; } @@ -288,9 +288,14 @@ auth_file, UP_TYPE_PROXY, flags); - p->queried_creds = true; - p->up = static_proxy_user_pass; + static_proxy_user_pass.nocache = p->options.nocache; } + + /* + * Using cached credentials + */ + p->queried_creds = true; + p->up = static_proxy_user_pass; } #if 0 @@ -542,7 +547,7 @@ * we know whether we need any. */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2) { - get_user_pass_http(p, true); + get_user_pass_http(p, p->options.first_time); } #if !NTLM @@ -656,6 +661,11 @@ || p->auth_method == HTTP_AUTH_NTLM2) { get_user_pass_http(p, false); + + if (p->up.nocache) + { + clear_user_pass_http(); + } } /* are we being called again after getting the digest server nonce in the previous transaction? */ 
@@ -1036,13 +1046,6 @@ } goto error; } - - /* clear state */ - if (p->options.auth_retry) - { - clear_user_pass_http(); - } - store_proxy_authenticate(p, NULL); } /* check return code, success = 200 */ diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h index a502c9d..d9e598c 100644 --- a/src/openvpn/proxy.h +++ b/src/openvpn/proxy.h @@ -57,6 +57,8 @@ const char *user_agent; struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]; bool inline_creds; /* auth_file_up is inline credentials */ + bool first_time; /* indicates if we need to wipe user creds at the first iteration of the main loop */ + bool nocache; }; struct http_proxy_options_simple { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 2054eb4..7dd687b 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -335,6 +335,15 @@ } /* + * Get the password caching + */ +bool +ssl_get_auth_nocache(void) +{ + return passbuf.nocache; +} + +/* * Set an authentication token */ void diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 98e59e8..11ca20d 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -397,6 +397,11 @@ void ssl_set_auth_nocache(void); /* + * Getter method for retrieving the auth-nocache option. + */ +bool ssl_get_auth_nocache(void); + +/* * Purge any stored authentication information, both for key files and tunnel * authentication. If PCKS #11 is enabled, purge authentication for that too. * Note that auth_token is not cleared.
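Review bot: the two sentences removed from doc/man-sections/generic-options.rst ("This directive does not affect the ``--http-proxy`` username/password. It is always cached.") were the only place the man page told users how --auth-nocache interacts with the proxy password, and nothing replaces them, so the new behaviour is undocumented. Suggest a replacement sentence stating that --auth-nocache now also applies to the --http-proxy username/password, and a matching note in the --http-proxy option text.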
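Review bot: in the init.c hunk, `c->options.ce.http_proxy_options->first_time = c->first_time;` writes run-time context state into the parsed options struct, which is otherwise only filled during option parsing and post-processing. It works because the assignment sits directly before `http_proxy_new(c->options.ce.http_proxy_options)`, but it ties the field's meaning to when this init code runs; passing the flag as an argument to http_proxy_new() would keep struct http_proxy_options a description of configuration only.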
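Review bot: in the options.c hunk at @@ -3151, `ce->http_proxy_options->nocache = ssl_get_auth_nocache();` reads a static in ssl.c, so it is only correct if the --auth-nocache directive (which calls ssl_set_auth_nocache()) has already been handled when this connection-entry post-processing runs. That is an ordering dependency between the option parser and another module's static state that nothing enforces; at least a comment stating the dependency is needed, and carrying the flag in struct options and copying it from there would remove it altogether.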
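Review bot: in the proxy.c hunk at @@ -276, the new condition `p->queried_creds && !static_proxy_user_pass.nocache` tests the nocache flag of the static copy, but that flag is only assigned further down in the same function (`static_proxy_user_pass.nocache = p->options.nocache;` in the @@ -288 hunk) after the query, and the @@ -656 hunk wipes the static copy with clear_user_pass_http() once credentials have been used. The check therefore sees whatever an earlier call or the last purge left in the flag, not the configured value. Since p->options.nocache is already available here, testing that instead makes the GET_USER_PASS_PREVIOUS_CREDS_FAILED decision independent of the cache's history.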
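Review bot: in the proxy.c hunk at @@ -288, the comment `/* Using cached credentials */` now sits above code that runs on both paths, directly after a fresh get_user_pass() as well as when the static copy is reused, so it misdescribes the code; something like "copy the (possibly just queried) static credentials into p->up" would match. Moving `p->queried_creds = true;` out of the query branch also means the flag is set even when the user was never asked, which changes what GET_USER_PASS_PREVIOUS_CREDS_FAILED in the hunk above keys on; please confirm that is intended and say so in the commit message.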
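Review bot: in the proxy.c hunk at @@ -542, replacing `get_user_pass_http(p, true)` with `get_user_pass_http(p, p->options.first_time)` means that, once typed, proxy credentials stay in static_proxy_user_pass for the lifetime of the process unless --auth-nocache is set. That is the intended fix, but the commit message should state it explicitly, since --auth-nocache becomes the only way to get the previous "ask again after SIGUSR1/SIGHUP" behaviour.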
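Review bot: in the proxy.c hunk at @@ -656, `clear_user_pass_http();` wipes the static copy, but the preceding `get_user_pass_http(p, false);` has just stored a second copy of the username and password in p->up via `p->up = static_proxy_user_pass;`, and nothing in this patch purges that copy. If the point of honouring --auth-nocache for the proxy is to keep the password out of long-lived memory, p->up needs the same treatment once the proxy handshake no longer needs it; note that after such a purge `p->up.nocache` is no longer usable as the trigger, so keep the decision in a local.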
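Review bot: in the proxy.c hunk at @@ -1036, dropping `if (p->options.auth_retry) { clear_user_pass_http(); }` from this retry block means that, without --auth-nocache, credentials the proxy rejected stay defined in static_proxy_user_pass; the next get_user_pass_http(p, false) then copies them into p->up again instead of prompting, and the GET_USER_PASS_PREVIOUS_CREDS_FAILED hint in the @@ -276 hunk is only reached when a new query actually happens. Please confirm that a failed Basic/NTLM attempt with auth_retry set still re-prompts, or keep this clear for the auth_retry case.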
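Review bot: in the proxy.h hunk, `bool nocache;` is added without a comment while every neighbouring field has one; add e.g. `/* mirror of --auth-nocache, see ssl_get_auth_nocache() */`. The `first_time` comment describes what the caller does with the flag ("wipe user creds") rather than what it means; "true during the first iteration of the main loop, copied from c->first_time in init.c" is what a reader of this header needs.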
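Review bot: in the ssl.c hunk, the comment `/* Get the password caching */` above ssl_get_auth_nocache() does not describe the function; it returns whether --auth-nocache is in effect, so say that (the ssl.h comment "Getter method for retrieving the auth-nocache option" is closer). Exposing passbuf.nocache through a getter also makes proxy.c depend on ssl.c's static state; if more consumers appear, the flag belongs in struct options rather than behind a getter.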
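To make the caching behaviour described in the commit message concrete, here is an added model of the restructured credential cache. It is example code written for this review, not OpenVPN code: the struct names and the first_time, nocache, queried_creds and static_proxy_user_pass names follow the patch, but the structs are cut down, get_user_pass() is replaced by a stand-in that fills in constructed credentials instead of prompting, and proxy_handshake() is an assumed call order (fetch on setup, fetch again when the proxy asks, clear under nocache), not the real handshake. It simulates one connection followed by a SIGUSR1/SIGHUP-style restart and reports how often the user was prompted and where a password is still held afterwards.

```c
/* Added example, not OpenVPN code: a cut-down model of the proxy credential
 * cache as restructured by the patch. get_user_pass() is a stand-in that
 * fills in constructed credentials, and proxy_handshake() is an assumed
 * call order, not the real handshake. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct user_pass {
    bool defined;
    bool nocache;
    char password[64];
};

struct http_proxy_options {
    bool first_time;  /* first iteration of the main loop (c->first_time) */
    bool nocache;     /* --auth-nocache, what ssl_get_auth_nocache() returns */
};

struct http_proxy_info {
    struct http_proxy_options options;
    bool queried_creds;
    struct user_pass up;
};

struct outcome {
    int prompts;                /* how often the "user" had to type credentials */
    bool static_cache_defined;  /* static_proxy_user_pass still holds a password */
    bool proxy_copy_defined;    /* the last p->up still holds a password */
};

/* process-wide storage, the role static_proxy_user_pass plays in proxy.c */
static struct user_pass static_proxy_user_pass;
static int prompt_count;

/* zero the whole record, nocache flag included */
static void purge_user_pass(struct user_pass *up) { memset(up, 0, sizeof(*up)); }

/* stand-in for get_user_pass(): no terminal prompt, constructed sample values */
static void get_user_pass(struct user_pass *up, bool previous_failed)
{
    prompt_count++;
    snprintf(up->password, sizeof(up->password), "%s",
             previous_failed ? "constructed-retry-pw" : "constructed-pw");
    up->defined = true;
}

/* get_user_pass_http() with the patch applied */
static void get_user_pass_http(struct http_proxy_info *p, bool force)
{
    if (force) purge_user_pass(&static_proxy_user_pass);
    if (!static_proxy_user_pass.defined) {
        bool previous_failed = p->queried_creds && !static_proxy_user_pass.nocache;
        get_user_pass(&static_proxy_user_pass, previous_failed);
        static_proxy_user_pass.nocache = p->options.nocache;
    }
    p->queried_creds = true;            /* now set on the cached path as well */
    p->up = static_proxy_user_pass;     /* a second copy of the secret lives in p */
}

static void clear_user_pass_http(void) { purge_user_pass(&static_proxy_user_pass); }

/* assumed Basic-auth call order: fetch when the proxy object is created, fetch
 * again when the proxy asks, then drop the static copy under --auth-nocache */
static void proxy_handshake(struct http_proxy_info *p)
{
    get_user_pass_http(p, p->options.first_time);
    get_user_pass_http(p, false);
    if (p->up.nocache) clear_user_pass_http();
}

/* one connection, then a SIGUSR1/SIGHUP-style restart that gets a fresh
 * http_proxy_info the way http_proxy_new() would create one */
struct outcome simulate_restart(bool nocache)
{
    struct http_proxy_info first = {0}, restarted = {0};
    struct outcome out;

    purge_user_pass(&static_proxy_user_pass);
    prompt_count = 0;

    first.options.nocache = nocache;
    first.options.first_time = true;       /* c->first_time on the first loop pass */
    proxy_handshake(&first);

    restarted.options.nocache = nocache;
    restarted.options.first_time = false;  /* what the patch passes instead of true */
    proxy_handshake(&restarted);

    out.prompts = prompt_count;
    out.static_cache_defined = static_proxy_user_pass.defined;
    out.proxy_copy_defined = restarted.up.defined;
    return out;
}

int main(void)
{
    struct outcome cached = simulate_restart(false), wiped = simulate_restart(true);
    printf("cached:  prompts=%d static=%d copy=%d\n", cached.prompts,
           cached.static_cache_defined, cached.proxy_copy_defined);
    printf("nocache: prompts=%d static=%d copy=%d\n", wiped.prompts,
           wiped.static_cache_defined, wiped.proxy_copy_defined);
    return 0;
}
```

With nocache off, the model prompts once and the static copy survives the restart, which is the caching the patch restores. With nocache on, the static copy is wiped after each use and the restart prompts again, but the copy in the proxy object's up field is still defined at the end of both runs; that is the retention the @@ -656 hunk leaves in place.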