> /*
> * Send restart message from server to client.
> */
> diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
> index 96897e48..b5cc9dc9 100644
> --- a/src/openvpn/ssl_common.h
> +++ b/src/openvpn/ssl_common.h
> @@ -576,6 +576,7 @@ struct tls_multi
>
> char *remote_ciphername; /**< cipher specified in peer's config file
> */
>
> + bool connection_established; /** Notifies future auth calls this is a
> reneg */
> /*
> * Our session objects.
> */
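Review bot: The doc comment on the new `connection_established` member is written as a leading `/** ... */` placed after the declaration, while the neighbouring `remote_ciphername` uses the trailing `/**< ... */` form; Doxygen attaches a plain `/**` block to the member that follows it, so this text would end up documenting the next field rather than this one. Suggest `bool connection_established; /**< set once the first auth completed; later auth calls treat the connection as a renegotiation */`. The hunks in this patch only read the flag (in ssl_verify.c); where it is set to true is not visible here, so the comment should name that point once it is known.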
> diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
> index 97ccb93b..8d8531c7 100644
> --- a/src/openvpn/ssl_verify.c
> +++ b/src/openvpn/ssl_verify.c
> @@ -1318,6 +1318,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi
> *multi,
> }
> else
> {
> + send_push_reply_auth_failed(multi, "SESSION:Auth-token expired");
> wipe_auth_token(multi);
> ks->authenticated = KS_AUTH_FALSE;
> msg(M_WARN, "TLS: Username/auth-token authentication "
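Review bot: The `send_push_reply_auth_failed()` call added at the top of this else branch is unconditional, whereas the same call in the second hunk of this file is guarded by `multi->connection_established`; if the expired-token path can only be reached on a renegotiation the asymmetry is fine but deserves a one-line comment, e.g. `/* an auth-token only exists after a successful first auth, so this is always a reneg */`, otherwise the same guard belongs here too. The call's result is also ignored; if the helper can report a failed send, the failure should at least be logged next to the existing `msg(M_WARN, ...)`. verify_user_pass's body continues outside the hunk.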
> @@ -1432,6 +1433,12 @@ verify_user_pass(struct user_pass *up, struct
> tls_multi *multi,
> }
> else
> {
> + if (multi->connection_established)
> + {
> + /* Notify the client */
> + send_push_reply_auth_failed(multi, "SESSION:Auth failed");
> +
> + }
> ks->authenticated = KS_AUTH_FALSE;
> msg(D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password
> verification failed for peer");
> }
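Review bot: The `/* Notify the client */` comment states what the call does but not why it is restricted to `multi->connection_established`; from the hunk alone a reader cannot tell why an auth failure on the initial connection is not pushed the same way, which is the whole point of the guard. Suggest `/* Only push the failure on a renegotiation; an initial-handshake auth failure is reported on its own path (confirm) */`, and dropping the stray blank line between the call and the closing brace. verify_user_pass's body continues outside the hunk.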
> Here comes a late NACK to the patch. I am currently looking into this problem in detail, and this patch fails for deferred authentication. The patch will only send the AUTH_FAILED message if the result of the user/password authentication is already known in verify_user_pass. If it is deferred, this patch does not send the AUTH_FAILED. Arne
