diff options
| author | Arne Schwabe | 2020-12-02 12:59:28 +0100 |
|---|---|---|
| committer | Gert Doering | 2020-12-02 14:38:20 +0100 |
| commit | 607dfa9648e9967f89d2ce5bf949e90503011522 (patch) | |
| tree | 67db2dabce967d131ad0f56a21ab458a8f94dc12 | |
| parent | f9b73042892c14b906772e72b3116d809457c721 (diff) | |
| download | openvpn-607dfa9648e9967f89d2ce5bf949e90503011522.zip openvpn-607dfa9648e9967f89d2ce5bf949e90503011522.tar.gz | |
Remove auth_user_pass.wait_for_push variable
This variable was first introduce in earlier attempt to fix the
auth-token problems with auth-nocache before user_password and
auth_token were split into two variables. The idea of the variable it
is being set if --pull is in use. However the variable was not always
set correctly, especially if username/password are queried after an
expired auth-token. Instead using that variable use session->opt->pull
directly.
Patch V2: rename delayed_auth_pass_purge to ssl_clean_user_pass to give
a more fitting name since this function is not only used in
the delayed code path and also the new name aligns with
ssl_clean_auth_token. Also fix a leftover wait_for_push
in that function
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201202115928.16615-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21297.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dfd624b52bce7ddd0eeaab516df9848e432f3242)
| -rw-r--r-- | src/openvpn/init.c | 2 | ||||
| -rw-r--r-- | src/openvpn/manage.c | 1 | ||||
| -rw-r--r-- | src/openvpn/misc.h | 1 | ||||
| -rw-r--r-- | src/openvpn/ssl.c | 10 | ||||
| -rw-r--r-- | src/openvpn/ssl.h | 5 |
5 files changed, 9 insertions, 10 deletions
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index f35bf9c..34d830a 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1538,7 +1538,7 @@ initialization_sequence_completed(struct context *c, const unsigned int flags) */ if (c->options.mode == MODE_POINT_TO_POINT) { - delayed_auth_pass_purge(); + ssl_clean_user_pass(); } #endif /* ENABLE_CRYPTO */ diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 61d61ef..6d1bdc1 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -3503,7 +3503,6 @@ management_query_user_pass(struct management *man, { /* preserve caller's settings */ man->connection.up_query.nocache = up->nocache; - man->connection.up_query.wait_for_push = up->wait_for_push; *up = man->connection.up_query; } secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query)); diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 59c8ae2..51ca4ed 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -178,7 +178,6 @@ struct user_pass { bool defined; bool nocache; - bool wait_for_push; /* true if this object is waiting for a push-reply */ /* max length of username/password */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index c93beea..f98799e 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -452,8 +452,6 @@ ssl_set_auth_nocache(void) { passbuf.nocache = true; auth_user_pass.nocache = true; - /* wait for push-reply, because auth-token may still need the username */ - auth_user_pass.wait_for_push = true; } /* @@ -2441,14 +2439,15 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) } /* if auth-nocache was specified, the auth_user_pass object reaches * a "complete" state only after having received the push-reply - * message. + * message. The push message might contain an auth-token that needs + * the username of auth_user_pass. * * For this reason, skip the purge operation here if no push-reply * message has been received yet. * * This normally happens upon first negotiation only. */ - if (!auth_user_pass.wait_for_push) + if (!session->opt->pull) { purge_user_pass(&auth_user_pass, false); } @@ -4322,9 +4321,8 @@ done: } void -delayed_auth_pass_purge(void) +ssl_clean_user_pass(void) { - auth_user_pass.wait_for_push = false; purge_user_pass(&auth_user_pass, false); } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 703de99..8cf0378 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -627,7 +627,10 @@ void extract_x509_field_test(void); */ bool is_hard_reset(int op, int key_method); -void delayed_auth_pass_purge(void); +/** + * Cleans the saved user/password unless auth-nocache is in use. + */ +void ssl_clean_user_pass(void); /* |