From ddbe6a6fc26586d09f5a9105f13124c479b4d993 Mon Sep 17 00:00:00 2001 From: Selva Nair Date: Sun, 3 Jul 2022 22:58:40 -0400 Subject: Fix auth-token usage with management-def-auth When auth-token verify succeeds during a reauth, other auth methods (plugin, script, management) are skipped unless external-auth is in effect (skip_auth gets set to true). However, in this case, the status of management-def-auth (ks->mda_status) stays at its default value of ACF_PENDING and will never change. This causes TLS keys to go out of sync and an eventual client disconnect. Further, a message saying username/password authentication is "deferred" gets logged which is misleading. For example: test/127.0.0.1:35874 TLS: Username/auth-token authentication succeeded for username 'test' followed by test/127.0.0.1:35874 TLS: Username/Password authentication deferred for username 'test' [CN SET] Fix by setting ks->mda_status to ACF_DISABLED, and do not set ks->authenticated = KS_AUTH_DEFERRED when skip_auth is true. Also log a warning message when token is marked as expired on missing the reneg window. Reported by: Connor Edwards Signed-off-by: Selva Nair Acked-by: Arne Schwabe Message-Id: <20220704025840.2558-1-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24627.html Signed-off-by: Gert Doering --- src/openvpn/ssl_verify.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'src/openvpn/ssl_verify.c') diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index c01841f..45eaf8e 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1599,7 +1599,14 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, #ifdef ENABLE_MANAGEMENT if (man_def_auth != KMDA_UNDEF) { - ks->authenticated = KS_AUTH_DEFERRED; + if (skip_auth) + { + ks->mda_status = ACF_DISABLED; + } + else + { + ks->authenticated = KS_AUTH_DEFERRED; + } } #endif if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)) -- cgit v1.1