Attention is currently required from: flichtenheld, plaisthos.
Hello plaisthos, flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/523?usp=email
to review the following change.
Change subject: Http-proxy: Fix bug preventing proxy credentials caching.
......................................................................
Http-proxy: Fix bug preventing proxy credentials caching.
Previously, the caching of proxy credentials was not working
due to the missing of handling already defined creds in
get_user_pass_http(), which prevented the caching from working correctly.
This issue has been solved by rewriting the get_user_pass_http().
This method now sets the appropriate flags based on whether
credentials are defined, have been queried before, or are inline.
It then calls the get_user_pass() to retrieve the credentials
and store them in a static variable, 'static_proxy_user_pass',
which will be used for subsequent requests. If credentials
were not previously defined, or caching is not allowed, creds
are queried again.
Fixes: Trac #1187
Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
Signed-off-by: Gianmarco De Gregori <gianma...@mandelbit.com>
---
M src/openvpn/options.c
M src/openvpn/proxy.c
M src/openvpn/proxy.h
3 files changed, 31 insertions(+), 27 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/23/523/1
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2c79a1e..3f5301f 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1858,6 +1858,7 @@
SHOW_BOOL(persist_local_ip);
SHOW_BOOL(persist_remote_ip);
SHOW_BOOL(persist_key);
+ SHOW_BOOL(ce.http_proxy_options->nocache);
#if PASSTOS_CAPABILITY
SHOW_BOOL(passtos);
@@ -8978,6 +8979,7 @@
{
VERIFY_PERMISSION(OPT_P_GENERAL);
ssl_set_auth_nocache();
+ options->ce.http_proxy_options->nocache = true;
}
else if (streq(p[0], "auth-token") && p[1] && !p[2])
{
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index eeb3989..a4af720 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -257,40 +257,41 @@
}
static void
-get_user_pass_http(struct http_proxy_info *p, const bool force)
+get_user_pass_http(struct http_proxy_info *p)
{
- /*
- * in case of forced (re)load, make sure the static storage is set as
- * undefined, otherwise get_user_pass() won't try to load any credential
- */
- if (force)
+ static bool is_first_time = true;
+ unsigned int flags = GET_USER_PASS_MANAGEMENT;
+
+ if (p->queried_creds && !p->options.nocache)
{
- clear_user_pass_http();
+ flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED;
}
- if (!static_proxy_user_pass.defined)
+ if (p->options.inline_creds)
{
- unsigned int flags = GET_USER_PASS_MANAGEMENT;
- const char *auth_file = p->options.auth_file;
- if (p->options.auth_file_up)
- {
- auth_file = p->options.auth_file_up;
- }
- if (p->queried_creds)
- {
- flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED;
- }
- if (p->options.inline_creds)
- {
- flags |= GET_USER_PASS_INLINE_CREDS;
- }
+ flags |= GET_USER_PASS_INLINE_CREDS;
+ }
+
+ if (!static_proxy_user_pass.defined || (is_first_time &&
!p->options.nocache) )
+ {
get_user_pass(&static_proxy_user_pass,
- auth_file,
+ p->options.auth_file,
UP_TYPE_PROXY,
flags);
- p->queried_creds = true;
- p->up = static_proxy_user_pass;
+ is_first_time = false;
}
+
+ else
+ {
+ get_user_pass(&static_proxy_user_pass,
+ p->options.auth_file,
+ UP_TYPE_PROXY,
+ flags);
+ static_proxy_user_pass.defined = !p->options.nocache;
+ }
+
+ p->queried_creds = true;
+ p->up = static_proxy_user_pass;
}
#if 0
@@ -542,7 +543,7 @@
* we know whether we need any. */
if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2)
{
- get_user_pass_http(p, true);
+ get_user_pass_http(p);
}
#if !NTLM
@@ -655,7 +656,7 @@
|| p->auth_method == HTTP_AUTH_DIGEST
|| p->auth_method == HTTP_AUTH_NTLM2)
{
- get_user_pass_http(p, false);
+ get_user_pass_http(p);
}
/* are we being called again after getting the digest server nonce in the
previous transaction? */
diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h
index 4e78772..b8b4ca9 100644
--- a/src/openvpn/proxy.h
+++ b/src/openvpn/proxy.h
@@ -57,6 +57,7 @@
const char *user_agent;
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER];
bool inline_creds; /* auth_file_up is inline credentials */
+ bool nocache;
};
struct http_proxy_options_simple {
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/523?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
Gerrit-Change-Number: 523
Gerrit-PatchSet: 1
Gerrit-Owner: its_Giaan <gianma...@mandelbit.com>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: plaisthos <arne-open...@rfc2549.org>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-MessageType: newchange
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
