Re: [Openvpn-devel] Is auth-nocache broken?

2022-10-20 Thread Selva Nair
Hi,

On Wed, Oct 19, 2022 at 4:56 PM Gert Doering  wrote:

> Hi,
>
> On Wed, Oct 19, 2022 at 02:33:27PM -0400, Selva Nair wrote:
> > Using --auth-user-pass, --auth-nocache and --reneg-sec , no
> > auth-tokens in use, I see that username/password is prompted on the first
> > connection attempt and at first renegotiation. After that reneg completes
> > without prompting for user/pass.
>
> It's possible we broke that by trying to repair all the corner cases
> with either pushing tokens from the server, or *not* using auth-nocache.
>
> I assume you tested with master?
>
> (Unfortunately my automated tests all use "username + passwords are
> coming from a file", which means "send the same one as before" and
> "go read the file again" both produce the same effect... having
> a management-interface driven client test would help here... no
> time yet to write one)


This has been broken for a while now -- since commit
dfd624b52bce7ddd0eeaab516df9848e432f3242
(*2.4 and 2.5 are also affected*).
That commit changed the earlier delayed purge logic to

-if (!auth_user_pass.wait_for_push)
+if (!session->opt->pull)
 {
 purge_user_pass(_user_pass, false);
 }
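Review bot: the replacement condition `!session->opt->pull` turns a per-negotiation state check (`wait_for_push`) into a static configuration check, so on a client that pulls the branch is never taken and `purge_user_pass(_user_pass, false)` is no longer reached when a renegotiation completes; with --auth-nocache set, the password then stays resident in memory. Gate the purge on negotiation state (whether the first negotiation has completed and the pushed options have arrived) rather than on the pull option itself.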

In clients that pull, "wait_push" used to be set to false on completing the
first negotiation, but after this change we are not purging user/pass at all
at this point.
Purging still happens on first negotiation in "set_auth_token()" as before,
but that will not get called during renegs unless auth-token is in use and
a new token gets pushed after expiry.

Not clearing the username has been rejected in the past although, somehow,
retaining it with the token has been found acceptable. Instead, we went for
a convoluted logic that has proven itself to be hard to get right.

A compromise is to continue to clear username in the auth_user_pass struct
for appearances' sake (for the nocache contract), but always retain it in
the auth_token struct. That would considerably simplify the logic as well
(see e.g.,
https://github.com/selvanair/openvpn/commit/e9bf3c8227e365099deaadc11d31ac8a0c7668d7
)

Selva
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
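As an added illustration of the purge behaviour Selva describes (a constructed model, not OpenVPN's code: `struct creds`, `on_negotiation_done` and `prompts_for` are made-up names), the following simulates how often a client is prompted for its password over the first connection and three renegotiations under the old `wait_for_push` gate and the new `pull` gate.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the client credential lifetime under --auth-nocache.
 * This is not OpenVPN code: struct and function names are made up. */
struct creds {
    char username[32];
    char password[32];
    bool wait_for_push;   /* old gate: cleared once a pulling client's first negotiation completes */
};

enum purge_rule { RULE_OLD, RULE_NEW };

static void purge_password(struct creds *c)
{
    memset(c->password, 0, sizeof c->password);
}

/* Runs when a (re)negotiation completes. `pull` models session->opt->pull,
 * `first` marks the initial negotiation, where set_auth_token() also purges. */
static void on_negotiation_done(struct creds *c, enum purge_rule rule, bool pull, bool first)
{
    if (first && pull) {
        purge_password(c);                       /* the set_auth_token() purge */
    }
    bool do_purge = (rule == RULE_OLD) ? !c->wait_for_push : !pull;
    if (do_purge) {
        purge_password(c);                       /* the delayed purge from the hunk above */
    }
    c->wait_for_push = false;
}

/* Count how often the user is prompted over the first connection plus
 * `renegs` renegotiations; a prompt happens only when no password is cached. */
int prompts_for(enum purge_rule rule, bool pull, int renegs)
{
    struct creds c = { "alice", "", pull };      /* constructed sample credentials */
    int prompts = 0;
    for (int i = 0; i <= renegs; i++) {
        if (c.password[0] == '\0') {
            strcpy(c.password, "hunter2");       /* user enters the password */
            prompts++;
        }
        on_negotiation_done(&c, rule, pull, i == 0);
    }
    return prompts;
}
```

For a pulling client the old rule prompts at every negotiation (4 prompts over 3 renegs), while the new rule prompts only at the first connection and the first renegotiation (2 prompts), matching the symptom reported at the top of the thread.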


Re: [Openvpn-devel] Is auth-nocache broken?

2022-10-19 Thread Gert Doering
Hi,

On Wed, Oct 19, 2022 at 02:33:27PM -0400, Selva Nair wrote:
> Using --auth-user-pass, --auth-nocache and --reneg-sec , no
> auth-tokens in use, I see that username/password is prompted on the first
> connection attempt and at first renegotiation. After that reneg completes
> without prompting for user/pass.

It's possible we broke that by trying to repair all the corner cases
with either pushing tokens from the server, or *not* using auth-nocache.

I assume you tested with master?

(Unfortunately my automated tests all use "username + passwords are
coming from a file", which means "send the same one as before" and
"go read the file again" both produce the same effect... having
a management-interface driven client test would help here... no
time yet to write one)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] Is auth-nocache broken?

2022-10-19 Thread Selva Nair
>
> After reneg, the client progresses beyond AUTH state (as reported on Trac
> #1471 ( https://community.openvpn.net/openvpn/ticket/1471)  which may be
> related. Unless it has been like this all along.
>

Please ignore that comment -- Trac #1471 is a special case and may not be
related at all. In this case there is no stuck-at-AUTH state issue -- just
that the password does not get purged.

Selva
