Attention is currently required from: cron2, flichtenheld, its_Giaan, plaisthos.
Hello cron2, flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/523?usp=email
to look at the new patch set (#9).
The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld, Code-Review-1 by cron2
The change is no longer submittable: Code-Review and checks~ChecksSubmitRule
are unsatisfied now.
Change subject: Http-proxy: fix bug preventing proxy credentials caching
......................................................................
Http-proxy: fix bug preventing proxy credentials caching
Caching proxy credentials was not working due to the
lack of handling already defined creds in get_user_pass(),
which prevented the caching from working properly.
Fix this issue by getting the value of c->first_time,
which indicates if we're at the first iteration
of the main loop, and use it as the second argument of
get_user_pass_http(). Otherwise, on SIGUSR1 or SIGHUP
upon instance context restart credentials would be erased
every time.
The nocache member has been added to the struct
http_proxy_options and also a getter method to retrieve
that option from ssl has been added. By doing this
we're able to erase previously queried user credentials
to ensure correct operation.
Fixes: Trac #1187
Signed-off-by: Gianmarco De Gregori <[email protected]>
Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
---
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/proxy.c
M src/openvpn/proxy.h
M src/openvpn/ssl.c
M src/openvpn/ssl.h
6 files changed, 38 insertions(+), 2 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/23/523/9
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b081b2f..a49e563 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -691,6 +691,8 @@
if (c->options.ce.http_proxy_options)
{
+ c->options.ce.http_proxy_options->first_time = c->first_time;
+
/* Possible HTTP proxy user/pass input */
c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
if (c->c1.http_proxy)
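Review bot: c->first_time is per-context runtime state, and copying it into c->options.ce.http_proxy_options (a struct that otherwise only holds parsed options) means that struct now changes between main-loop iterations; a one-line comment at the assignment saying that it is refreshed before every http_proxy_new() so that get_user_pass_http() forces a fresh prompt only on the first pass would help the next reader. If http_proxy_new() can be reached from any path that does not go through this block, first_time would be stale or uninitialised there, so it is worth checking that this is the only call site.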
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f2c7536..0d52750 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3121,6 +3121,10 @@
if (ce->proto == PROTO_TCP)
{
ce->proto = PROTO_TCP_CLIENT;
+ if (ce->http_proxy_options)
+ {
+ ce->http_proxy_options->nocache = ssl_get_auth_nocache();
+ }
}
}
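Review bot: the assignment ce->http_proxy_options->nocache = ssl_get_auth_nocache() sits inside the `if (ce->proto == PROTO_TCP)` branch, so a connection entry that is already PROTO_TCP_CLIENT (for example configured with `--proto tcp-client`) never gets nocache set and keeps caching proxy credentials even when --auth-nocache is given; the assignment does not depend on the proto rewrite and should be moved out of that branch. It also assumes --auth-nocache has already been parsed when this post-processing runs; a short comment stating that ordering would make the dependency visible.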
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index ba3d87c..ade8a26 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -276,7 +276,7 @@
{
auth_file = p->options.auth_file_up;
}
- if (p->queried_creds)
+ if (p->queried_creds && !static_proxy_user_pass.nocache)
{
flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED;
}
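Review bot: with nocache set, the added `&& !static_proxy_user_pass.nocache` means GET_USER_PASS_PREVIOUS_CREDS_FAILED is never added to flags, so a user whose proxy credentials were just rejected is re-prompted without the "previous credentials failed" indication even though p->queried_creds is true. If the intent is only to avoid reusing wiped credentials rather than to drop the failure hint, keep setting the flag whenever p->queried_creds is true and handle nocache in the cached-credentials path instead.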
@@ -288,6 +288,16 @@
auth_file,
UP_TYPE_PROXY,
flags);
+ static_proxy_user_pass.nocache = p->options.nocache;
+ p->queried_creds = true;
+ p->up = static_proxy_user_pass;
+ }
+
+ /*
+ * Using cached credentials
+ */
+ else if (!static_proxy_user_pass.nocache)
+ {
p->queried_creds = true;
p->up = static_proxy_user_pass;
}
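Review bot: when nocache is set and the query branch is not taken, the new `else if (!static_proxy_user_pass.nocache)` skips both `p->queried_creds = true;` and `p->up = static_proxy_user_pass;`, so the caller continues with whatever p->up held before and queried_creds is left stale; the comment should state what p->up is expected to contain in that case, or the code should query again. Both branches end with the same two assignments, so hoisting them out of the if/else and guarding only the get_user_pass() call would be shorter. Placing the `/* Using cached credentials */` comment between the closing brace and `else if` is also unusual for this file; it reads better inside the branch.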
@@ -542,7 +552,7 @@
* we know whether we need any. */
if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2)
{
- get_user_pass_http(p, true);
+ get_user_pass_http(p, p->options.first_time);
}
#if !NTLM
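Review bot: replacing `true` with p->options.first_time ties the forced re-query to the first main-loop iteration, which is the whole fix, but nothing at the call site says so; a short comment such as `/* force a fresh prompt only on the first pass; reuse cached creds after SIGUSR1/SIGHUP restarts */` would explain why the unconditional `true` was wrong, and the second parameter of get_user_pass_http() should be named so that this semantics is visible in the prototype.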
@@ -656,6 +666,10 @@
|| p->auth_method == HTTP_AUTH_NTLM2)
{
get_user_pass_http(p, false);
+ if (p->up.nocache)
+ {
+ clear_user_pass_http();
+ }
}
/* are we being called again after getting the digest server nonce in the
previous transaction? */
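Review bot: clear_user_pass_http() is called after the retry when p->up.nocache is set, but p->up is a by-value copy of static_proxy_user_pass taken in get_user_pass_http(), so unless clear_user_pass_http() also wipes p->up the plaintext password survives in the http_proxy_info struct; please confirm it clears both copies. Note also that p->up.nocache is only meaningful if p->up was (re)assigned in the preceding get_user_pass_http(p, false) call; in the nocache path of the earlier hunk that assignment is skipped, so this check reads the flag of the previous copy.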
diff --git a/src/openvpn/proxy.h b/src/openvpn/proxy.h
index a502c9d..d9e598c 100644
--- a/src/openvpn/proxy.h
+++ b/src/openvpn/proxy.h
@@ -57,6 +57,8 @@
const char *user_agent;
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER];
bool inline_creds; /* auth_file_up is inline credentials */
+ bool first_time; /* indicates if we need to wipe user creds at the first
iteration of the main loop */
+ bool nocache;
};
struct http_proxy_options_simple {
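Review bot: `bool nocache;` lands without a comment while its neighbours inline_creds and first_time each document their meaning; add e.g. `/* --auth-nocache given: wipe proxy creds after use instead of caching */`. The first_time comment talks about wiping credentials, but the field itself only records whether this is the first main-loop iteration; describing it as the loop state it carries avoids confusing it with nocache. Both fields are runtime state rather than parsed options, which deserves a note since everything else in http_proxy_options comes from option parsing.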
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 2054eb4..7dd687b 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -335,6 +335,15 @@
}
/*
+ * Get the password caching
+ */
+bool
+ssl_get_auth_nocache(void)
+{
+ return passbuf.nocache;
+}
+
+/*
* Set an authentication token
*/
void
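Review bot: the comment `Get the password caching` does not say what the return value means; since the getter returns passbuf.nocache, something like `Return true if --auth-nocache is set (credentials are wiped after use)` would match its sibling ssl_set_auth_nocache() and the description added in ssl.h.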
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 98e59e8..11ca20d 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -397,6 +397,11 @@
void ssl_set_auth_nocache(void);
/*
+ * Getter method for retrieving the auth-nocache option.
+ */
+bool ssl_get_auth_nocache(void);
+
+/*
* Purge any stored authentication information, both for key files and tunnel
* authentication. If PCKS #11 is enabled, purge authentication for that too.
* Note that auth_token is not cleared.
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/523?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
Gerrit-Change-Number: 523
Gerrit-PatchSet: 9
Gerrit-Owner: its_Giaan <[email protected]>
Gerrit-Reviewer: cron2 <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: cron2 <[email protected]>
Gerrit-Attention: its_Giaan <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
Gerrit-MessageType: newpatchset
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel