Hi,
On Wed, Oct 19, 2022 at 4:56 PM Gert Doering wrote:
> Hi,
>
> On Wed, Oct 19, 2022 at 02:33:27PM -0400, Selva Nair wrote:
> > Using --auth-user-pass, --auth-nocache and --reneg-sec, no
> > auth-tokens in use, I see that username/password is prompted on the first
> > connection attempt and at first renegotiation. After that reneg completes
> > without prompting for user/pass.
>
> It's possible we broke that by trying to repair all the corner cases
> with either pushing tokens from the server, or *not* using auth-nocache.
>
> I assume you tested with master?
>
> (Unfortunately my automated tests all use "username + passwords are
> coming from a file", which means "send the same one as before" and
> "go read the file again" both produce the same effect... having
> a management-interface driven client test would help here... no
> time yet to write one)
This is broken for a while now -- since commit
dfd624b52bce7ddd0eeaab516df9848e432f3242
(*2.4 and 2.5 are also affected*)
That commit changed the earlier delayed purge logic to
-if (!auth_user_pass.wait_for_push)
+if (!session->opt->pull)
{
purge_user_pass(_user_pass, false);
}
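Review bot: with the `+if (!session->opt->pull)` condition, the `purge_user_pass(...)` call inside the block can no longer run for a client that pulls, because the pull option holds for the whole session; the replaced `-if (!auth_user_pass.wait_for_push)` test flipped once the first negotiation completed and so allowed the purge at that point. Consider keying the check on per-session state that changes after the first negotiation rather than on the static pull option.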
In clients that pull, "wait_push" used to be set to false on completing the first negotiation, but after this change we are not purging user/pass at all at this point.
Purging still happens on first negotiation in "set_auth_token()" as before,
but that will not get called during renegs unless auth-token is in use and
a new token gets pushed after expiry.
Not clearing the username has been rejected in the past although, somehow,
retaining it with the token has been found acceptable. Instead, we went for
a convoluted logic that has proven itself to be hard to get right.
A compromise is to continue to clear the username in the auth_user_pass struct for appearances' sake (for the nocache contract), but always retain it in the auth_token struct. That would considerably simplify the logic as well (see e.g., https://github.com/selvanair/openvpn/commit/e9bf3c8227e365099deaadc11d31ac8a0c7668d7).
Selva
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel