Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld,
I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/523?usp=email to review the following change. Change subject: Http-proxy: Fix bug preventing proxy credentials caching. ...................................................................... Http-proxy: Fix bug preventing proxy credentials caching. Previously, the caching of proxy credentials was not working due to the missing of handling already defined creds in get_user_pass_http(), which prevented the caching from working correctly. This issue has been solved by rewriting the get_user_pass_http(). This method now sets the appropriate flags based on whether credentials are defined, have been queried before, or are inline. It then calls the get_user_pass() to retrieve the credentials and store them in a static variable, 'static_proxy_user_pass', which will be used for subsequent requests. If credentials were not previously defined, or caching is not allowed, creds are queried again. Fixes: Trac #1187 Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a Signed-off-by: Gianmarco De Gregori <gianma...@mandelbit.com> --- M src/openvpn/options.c M src/openvpn/proxy.c M src/openvpn/proxy.h 3 files changed, 31 insertions(+), 27 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/23/523/1 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2c79a1e..3f5301f 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1858,6 +1858,7 @@ SHOW_BOOL(persist_local_ip); SHOW_BOOL(persist_remote_ip); SHOW_BOOL(persist_key); + SHOW_BOOL(ce.http_proxy_options->nocache); #if PASSTOS_CAPABILITY SHOW_BOOL(passtos); @@ -8978,6 +8979,7 @@ { VERIFY_PERMISSION(OPT_P_GENERAL); ssl_set_auth_nocache(); + options->ce.http_proxy_options->nocache = true; } else if (streq(p[0], "auth-token") && p[1] && !p[2]) { diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index eeb3989..a4af720 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -257,40 +257,41 @@ } static void -get_user_pass_http(struct http_proxy_info *p, const bool force) +get_user_pass_http(struct http_proxy_info *p) { - /* - * in case of forced (re)load, make sure the static storage is set as - * undefined, otherwise get_user_pass() won't try to load any credential - */ - if (force) + static bool is_first_time = true; + unsigned int flags = GET_USER_PASS_MANAGEMENT; + + if (p->queried_creds && !p->options.nocache) { - clear_user_pass_http(); + flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; } - if (!static_proxy_user_pass.defined) + if (p->options.inline_creds) { - unsigned int flags = GET_USER_PASS_MANAGEMENT; - const char *auth_file = p->options.auth_file; - if (p->options.auth_file_up) - { - auth_file = p->options.auth_file_up; - } - if (p->queried_creds) - { - flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED; - } - if (p->options.inline_creds) - { - flags |= GET_USER_PASS_INLINE_CREDS; - } + flags |= GET_USER_PASS_INLINE_CREDS; + } + + if (!static_proxy_user_pass.defined || (is_first_time && !p->options.nocache) ) + { get_user_pass(&static_proxy_user_pass, - auth_file, + p->options.auth_file, UP_TYPE_PROXY, flags); - p->queried_creds = true; - p->up = static_proxy_user_pass; + is_first_time = false; } + + else + { + get_user_pass(&static_proxy_user_pass, + p->options.auth_file, + UP_TYPE_PROXY, + flags); + static_proxy_user_pass.defined = !p->options.nocache; + } + + p->queried_creds = true; + p->up = static_proxy_user_pass; } #if 0 @@ -542,7 +543,7 @@ * we know whether we need any. */ if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2) { - get_user_pass_http(p, true); + get_user_pass_http(p); } #if !NTLM @@ -655,7 +656,7 @@ || p->auth_method == HTTP_AUTH_DIGEST || p->auth_method == HTTP_AUTH_NTLM2) { - get_user_pass_http(p, false); + get_user_pass_http(p); } /* are we being called again after getting the digest server nonce in the previous transaction? */ diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h index 4e78772..b8b4ca9 100644 --- a/src/openvpn/proxy.h +++ b/src/openvpn/proxy.h @@ -57,6 +57,7 @@ const char *user_agent; struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]; bool inline_creds; /* auth_file_up is inline credentials */ + bool nocache; }; struct http_proxy_options_simple { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/523?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a Gerrit-Change-Number: 523 Gerrit-PatchSet: 1 Gerrit-Owner: its_Giaan <gianma...@mandelbit.com> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-Attention: plaisthos <arne-open...@rfc2549.org> Gerrit-Attention: flichtenheld <fr...@lichtenheld.com> Gerrit-MessageType: newchange
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel