From patchwork Mon Jul 6 06:35:15 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1203
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 6 Jul 2020 18:35:15 +0200
Message-Id: <20200706163516.11390-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/2] Remember if we have seen a push request without async push

The logic for whether we have already seen a push request is still correct/useful without async push. I am not entirely sure if deferred management authentication can also trigger this code path, but it should be able to. The other benefit is removing a number of ifdefs.

Signed-off-by: Arne Schwabe
---
 src/openvpn/multi.c   | 4 +---
 src/openvpn/openvpn.h | 2 --
 src/openvpn/push.c    | 2 --
 3 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index f1ced9b7..f6be6618 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -824,8 +824,8 @@ multi_create_instance(struct multi_context *m, const struct mroute_addr *real) mi->did_cid_hash = true; #endif -#ifdef ENABLE_ASYNC_PUSH mi->context.c2.push_request_received = false; +#ifdef ENABLE_ASYNC_PUSH mi->inotify_watch = -1; #endif
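Review bot: with the ifdef gone, this initialisation in multi_create_instance is the only place in the patch where push_request_received is cleared; it is set to true in process_incoming_push_request and consumed at the CAS_SUCCEEDED transition in multi.c. Once a reply has been sent on the normal path the flag stays true for the life of the instance, so please confirm (and record in the commit message) that the CAS_SUCCEEDED path cannot be reached a second time for the same instance, otherwise a duplicate push reply would be generated; if it can, clear the flag once process_incoming_push_request has run from that path.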
@@ -2074,13 +2074,11 @@ script_failed: /* set context-level authentication flag */ mi->context.c2.context_auth = CAS_SUCCEEDED; -#ifdef ENABLE_ASYNC_PUSH /* authentication complete, send push reply */ if (mi->context.c2.push_request_received) { process_incoming_push_request(&mi->context); } -#endif } else { diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 4609af3e..a1308852 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -432,9 +432,7 @@ struct context_2 #if P2MP /* --ifconfig endpoints to be pushed to client */ -#ifdef ENABLE_ASYNC_PUSH bool push_request_received; -#endif bool push_ifconfig_defined; time_t sent_push_reply_expiry; in_addr_t push_ifconfig_local; diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 56d652a3..e7c3c08c 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
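Review bot: the commit message hedges on whether deferred management authentication reaches this call ("I am not entirely sure ... but it should be able to"); since the multi.c hunk at 2074 now runs process_incoming_push_request on every CAS_SUCCEEDED transition in all builds, not only with ENABLE_ASYNC_PUSH, that question should be settled before merge and the answer recorded in the message (which deferred-auth sources, plugin and/or management, set context_auth = CAS_SUCCEEDED at this point).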
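Review bot: in the struct context_2 hunk, `bool push_request_received;` now sits directly under `/* --ifconfig endpoints to be pushed to client */`, a comment that describes push_ifconfig_defined and the fields after it, not this flag. Give the field its own comment (it records that a PUSH_REQUEST arrived before authentication completed, so multi.c can answer it later) or move it below the ifconfig block so the existing comment stays attached to the fields it documents.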
@@ -794,9 +794,7 @@ process_incoming_push_request(struct context *c) { int ret = PUSH_MSG_ERROR; -#ifdef ENABLE_ASYNC_PUSH c->c2.push_request_received = true; -#endif if (tls_authentication_status(c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED || c->c2.context_auth == CAS_FAILED) { const char *client_reason = tls_client_reason(c->c2.tls_multi);

From patchwork Mon Jul 6 06:35:16 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1204
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 6 Jul 2020 18:35:16 +0200
Message-Id: <20200706163516.11390-2-arne@rfc2549.org>
In-Reply-To: <20200706163516.11390-1-arne@rfc2549.org>
References: <20200706163516.11390-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/2] merge key_state->authenticated and key_state->auth_deferred

Both are tightly coupled; often both are checked at the same time. Merging them into one state makes the code simpler and also brings us closer in the direction of a state machine.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/ssl.c        | 29 ++++++++++++-----------------
 src/openvpn/ssl_common.h |  9 +++++++--
 src/openvpn/ssl_verify.c | 27 ++++++++++++++-------------
 3 files changed, 33 insertions(+), 32 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 1cf8e44f..9df7552d 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c
@@ -1930,7 +1930,7 @@ tls_session_generate_data_channel_keys(struct tls_session *session) const struct session_id *server_sid = !session->opt->server ? &ks->session_id_remote : &session->session_id; - if (!ks->authenticated) + if (ks->authenticated == KS_AUTH_FALSE) { msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated"); goto cleanup; @@ -2466,7 +2466,7 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) if (session->opt->server && !(session->opt->ncp_enabled && session->opt->mode == MODE_SERVER && ks->key_id <= 0)) { - if (ks->authenticated) + if (ks->authenticated != KS_AUTH_FALSE) { if (!tls_session_generate_data_channel_keys(session)) { @@ -2536,7 +2536,7 @@ key_method_1_read(struct buffer *buf, struct tls_session *session) &session->opt->key_type, OPENVPN_OP_DECRYPT, "Data Channel Decrypt"); secure_memzero(&key, sizeof(key)); - ks->authenticated = true; + ks->authenticated = KS_AUTH_TRUE; return true; error: @@ -2594,7 +2594,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio goto error; } - ks->authenticated = false; + ks->authenticated = KS_AUTH_FALSE; /* always extract username + password fields from buf, even if not * authenticating for it, because otherwise we can't get at the @@ -2652,14 +2652,14 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio "TLS Error: Certificate verification failed (key-method 2)"); goto error; } - ks->authenticated = true; + ks->authenticated = KS_AUTH_TRUE; } /* clear username and password from memory */ secure_memzero(up, sizeof(*up)); /* Perform final authentication checks */ - if (ks->authenticated) + if (ks->authenticated != KS_AUTH_FALSE) { verify_final_auth_checks(multi, session); } 
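Review bot: in the key_method_2_write hunk, `if (ks->authenticated != KS_AUTH_FALSE)` deliberately generates data-channel keys in the KS_AUTH_DEFERRED state as well, preserving the old behaviour where `authenticated` was true while `auth_deferred` was set; the gate that actually keeps a deferred peer off the data channel is the `== KS_AUTH_TRUE` test in tls_pre_decrypt/tls_pre_encrypt. Add a one-line comment here saying so: nothing in this patch regenerates keys when tls_authentication_status later promotes DEFERRED to TRUE, so a reader who "tightens" this to `== KS_AUTH_TRUE` would leave deferred peers without data-channel keys. The same reasoning applies to the `!= KS_AUTH_FALSE` test in front of verify_final_auth_checks() in key_method_2_read, where the CN, cert-hash and CCD checks must run for deferred states too.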
@@ -2673,7 +2673,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio if (session->opt->ssl_flags & SSLF_OPT_VERIFY) { msg(D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify"); - ks->authenticated = false; + ks->authenticated = KS_AUTH_FALSE; } } #endif @@ -2684,13 +2684,14 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final * veto opportunity over authentication decision. */ - if (ks->authenticated && plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL)) + if ((ks->authenticated != KS_AUTH_FALSE) + && plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL)) { key_state_export_keying_material(&ks->ks_ssl, session); if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { - ks->authenticated = false; + ks->authenticated = KS_AUTH_FALSE; } setenv_del(session->opt->es, "exported_keying_material"); @@ -3394,10 +3395,7 @@ tls_pre_decrypt(struct tls_multi *multi, */ if (DECRYPT_KEY_ENABLED(multi, ks) && key_id == ks->key_id - && ks->authenticated -#ifdef ENABLE_DEF_AUTH - && !ks->auth_deferred -#endif + && (ks->authenticated == KS_AUTH_TRUE) && (floated || link_socket_actual_match(from, &ks->remote_addr))) { if (!ks->crypto_options.key_ctx_bi.initialized) @@ -3946,11 +3944,8 @@ tls_pre_encrypt(struct tls_multi *multi, { struct key_state *ks = multi->key_scan[i]; if (ks->state >= S_ACTIVE - && ks->authenticated + && (ks->authenticated == KS_AUTH_TRUE) && ks->crypto_options.key_ctx_bi.initialized -#ifdef ENABLE_DEF_AUTH - && !ks->auth_deferred -#endif ) { if (!ks_select) diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index fe523362..fdf589b5 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
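Review bot: the tls_pre_decrypt and tls_pre_encrypt hunks replace `ks->authenticated && !ks->auth_deferred` (the second operand only under ENABLE_DEF_AUTH) with `ks->authenticated == KS_AUTH_TRUE` in all builds. This is the security-relevant gate, since data-channel packets are only accepted or sent for a fully authenticated key state, and KS_AUTH_DEFERRED now fails it even in builds without deferred auth. That is equivalent to the old code because KS_AUTH_DEFERRED is only ever assigned under PLUGIN_DEF_AUTH / MANAGEMENT_DEF_AUTH in verify_user_pass, but the commit message should say so explicitly, and the enum in ssl_common.h should carry a comment that KS_AUTH_DEFERRED must never satisfy the data-channel check.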
@@ -127,6 +127,12 @@ struct key_source2 { struct key_source server; /**< Random provided by server. */ }; +enum ks_auth_state { + KS_AUTH_FALSE, + KS_AUTH_TRUE, + KS_AUTH_DEFERRED +}; + /** * Security parameter state of one TLS and data channel %key session. * @ingroup control_processor @@ -185,12 +191,11 @@ struct key_state /* * If bad username/password, TLS connection will come up but 'authenticated' will be false. */ - bool authenticated; + enum ks_auth_state authenticated; time_t auth_deferred_expire; #ifdef ENABLE_DEF_AUTH /* If auth_deferred is true, authentication is being deferred */ - bool auth_deferred; #ifdef MANAGEMENT_DEF_AUTH unsigned int mda_key_id; unsigned int mda_status; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 68c39c6f..e28f1f3a 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -78,7 +78,7 @@ tls_deauthenticate(struct tls_multi *multi) { for (int j = 0; j < KS_SIZE; ++j) { - multi->session[i].key[j].authenticated = false; + multi->session[i].key[j].authenticated = KS_AUTH_FALSE; } } } @@ -950,7 +950,7 @@ tls_authentication_status(struct tls_multi *multi, const int latency) if (DECRYPT_KEY_ENABLED(multi, ks)) { active = true; - if (ks->authenticated) + if (ks->authenticated != KS_AUTH_FALSE) { #ifdef ENABLE_DEF_AUTH unsigned int s1 = ACF_DISABLED; @@ -967,7 +967,7 @@ tls_authentication_status(struct tls_multi *multi, const int latency) case ACF_SUCCEEDED: case ACF_DISABLED: success = true; - ks->auth_deferred = false; + ks->authenticated = KS_AUTH_TRUE; break; case ACF_UNDEFINED: @@ -978,7 +978,7 @@ tls_authentication_status(struct tls_multi *multi, const int latency) break; case ACF_FAILED: - ks->authenticated = false; + ks->authenticated = KS_AUTH_FALSE; break; default: 
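Review bot: the ssl_common.h hunk leaves two stale comments and adds an undocumented enum. `/* If bad username/password, TLS connection will come up but 'authenticated' will be false. */` should now name KS_AUTH_FALSE and describe the three states; `/* If auth_deferred is true, authentication is being deferred */` documents the `bool auth_deferred;` that this hunk removes and should go with it; and `enum ks_auth_state` should get a doxygen comment (the file already uses `/** ... */`) explaining that KS_AUTH_DEFERRED means the TLS and credential checks passed but an external plugin or management decision is still pending, so the state must not be treated as authenticated for data-channel traffic.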
@@ -1308,7 +1308,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, else { wipe_auth_token(multi); - ks->authenticated = false; + ks->authenticated = KS_AUTH_FALSE; msg(M_WARN, "TLS: Username/auth-token authentication " "failed for username '%s'", up->username); return; @@ -1354,17 +1354,17 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, #endif && tls_lock_username(multi, up->username)) { - ks->authenticated = true; + ks->authenticated = KS_AUTH_TRUE; #ifdef PLUGIN_DEF_AUTH if (s1 == OPENVPN_PLUGIN_FUNC_DEFERRED) { - ks->auth_deferred = true; + ks->authenticated = KS_AUTH_DEFERRED; } #endif #ifdef MANAGEMENT_DEF_AUTH if (man_def_auth != KMDA_UNDEF) { - ks->auth_deferred = true; + ks->authenticated = KS_AUTH_DEFERRED; } #endif if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)) @@ -1416,7 +1416,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, } #ifdef ENABLE_DEF_AUTH msg(D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s", - ks->auth_deferred ? "deferred" : "succeeded", + (ks->authenticated == KS_AUTH_DEFERRED) ? "deferred" : "succeeded", up->username, (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); #else @@ -1428,6 +1428,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, } else { + ks->authenticated = KS_AUTH_FALSE; msg(D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer"); } } @@ -1444,7 +1445,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) } /* Don't allow the CN to change once it's been locked */ - if (ks->authenticated && multi->locked_cn) + if (ks->authenticated != KS_AUTH_FALSE && multi->locked_cn) { const char *cn = session->common_name; if (cn && strcmp(cn, multi->locked_cn)) 
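Review bot: the `+ ks->authenticated = KS_AUTH_FALSE;` added in the failure branch of verify_user_pass (hunk at 1428) is a behavioural addition, not a pure rename, and the commit message does not mention it. It looks harmless because key_method_2_read already resets the state to KS_AUTH_FALSE at its top (hunk at 2594) before verification runs, and it makes the function's contract explicit, but say so in the message so the next reader does not wonder whether a path that previously left `authenticated` untouched on failure has been closed.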
@@ -1460,7 +1461,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) } /* Don't allow the cert hashes to change once they have been locked */ - if (ks->authenticated && multi->locked_cert_hash_set) + if (ks->authenticated != KS_AUTH_FALSE && multi->locked_cert_hash_set) { const struct cert_hash_set *chs = session->cert_hash_set; if (chs && !cert_hash_compare(chs, multi->locked_cert_hash_set)) @@ -1474,7 +1475,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) } /* verify --client-config-dir based authentication */ - if (ks->authenticated && session->opt->client_config_dir_exclusive) + if (ks->authenticated != KS_AUTH_FALSE && session->opt->client_config_dir_exclusive) { struct gc_arena gc = gc_new(); @@ -1483,7 +1484,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) cn, &gc); if (!cn || !strcmp(cn, CCD_DEFAULT) || !platform_test_file(path)) { - ks->authenticated = false; + ks->authenticated = KS_AUTH_FALSE; wipe_auth_token(multi); msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'", session->common_name,
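Review bot: the three verify_final_auth_checks hunks (locked CN, locked cert hashes, --client-config-dir) each spell the "not rejected" condition as `ks->authenticated != KS_AUTH_FALSE`, and the same idiom appears in key_method_2_write, key_method_2_read and tls_authentication_status. Because the negative form silently admits every value other than FALSE, a future fourth enum member would pass all of these checks by default. Consider a small inline helper or a positive comparison that names the intent, so that each call site states whether it means "TRUE or DEFERRED" or "TRUE only".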