Hi,

On Mon, Jul 06, 2020 at 06:35:15PM +0200, Arne Schwabe wrote:
> The logic if we already have seen a push request is still
> correct/useful without async push. I am not entirely sure if also
> deferred management authentication can trigger this code path but
> it should be able to. The other benefit is removing a number of
> ifdefs.

NAK.

In combination with async-auth (plugin) this triggers some sort of key inconsistency - the client does get the proper PUSH_REPLY, but key state is kaput ...

Jul 6 20:41:30 gentoo openvpn[32657]: PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'Password:'] = 'PASSWORD'
Jul 6 20:41:30 gentoo openvpn[32657]: PLUGIN AUTH-PAM: BACKGROUND: fbsd-tc-master: deferred auth: PAM succeeded
Jul 6 20:41:32 gentoo tun-udp-p2mp-global-authpam[31884]: MULTI_sva: pool returned IPv4=194.97.145.74, IPv6=2001:608:3:814::1000
Jul 6 20:41:32 gentoo tun-udp-p2mp-global-authpam[31884]: OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_6f7cfcfda4cb5ecf1366685a7270c804.tmp
Jul 6 20:41:32 gentoo tun-udp-p2mp-global-authpam[31884]: SENT CONTROL [cron2-freebsd-tc-amd64]: 'PUSH_REPLY,route 10.204.0.0 255.255.0.0,route-ipv6 fd00:abcd:204::/48,tun-ipv6,route-gateway 194.97.145.73,topology subnet,ping 10,ping-restart 30,compress lz4,ifconfig-ipv6 2001:608:3:814::1000/64 2001:608:3:814::1,ifconfig 194.97.145.74 255.255.255.248,peer-id 0,cipher AES-256-GCM' (status=1)
Jul 6 20:41:32 gentoo tun-udp-p2mp-global-authpam[31884]: cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 PUSH: Received control message: 'PUSH_REQUEST'
Jul 6 20:41:32 gentoo tun-udp-p2mp-global-authpam[31884]: cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 Key [AF_INET6]2001:608:0:814::f000:21:51780 [0] not initialized (yet), dropping packet.

"I was about to ACK-and-merge this"... but it's reproducible, async auth (without --async-push) is broken with this patch.

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel