Caching of proxy credentials was not working because
get_user_pass() did not handle already defined creds,
which prevented the caching from working properly.
Fix this by fetching the value of c->first_time,
which indicates whether we are in the first iteration
of the main loop, and using it as the second argument of
get_user_pass_http(). Otherwise, on SIGUSR1 or SIGHUP,
credentials would be erased on every instance context
restart.
The nocache member has been added to struct
http_proxy_options, and a getter to retrieve that
option from ssl has been added as well; with these
we are able to erase previously queried user credentials
to ensure correct operation.
Fixes: Trac #1187
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <
20240623200551.20092-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28835.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When using ``--auth-nocache`` in combination with a user/password file
and ``--chroot`` or ``--daemon``, make sure to use an absolute path.
- This directive does not affect the ``--http-proxy`` username/password.
- It is always cached.
-
--cd dir
Change directory to ``dir`` prior to reading any files such as
configuration files, key files, scripts, etc. ``dir`` should be an
if (c->options.ce.http_proxy_options)
{
+ c->options.ce.http_proxy_options->first_time = c->first_time;
+
/* Possible HTTP proxy user/pass input */
c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
if (c->c1.http_proxy)
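Review bot: The added line stores per-iteration runtime state (`c->first_time`) into `c->options.ce.http_proxy_options`, which otherwise holds parsed configuration, and nothing at the assignment says why. A one-line comment such as `/* http_proxy_new() needs to know whether cached proxy creds may be reused (not on the first pass) */` would make the coupling visible to the next reader; passing the flag as an argument to http_proxy_new() would avoid mutating the options struct altogether, if its signature can be changed. The enclosing function starts and ends outside the hunk.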
SHOW_STR(auth_file);
SHOW_STR(auth_file_up);
SHOW_BOOL(inline_creds);
+ SHOW_BOOL(nocache);
SHOW_STR(http_version);
SHOW_STR(user_agent);
for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
ce->flags |= CE_DISABLED;
}
+ if (ce->http_proxy_options)
+ {
+ ce->http_proxy_options->nocache = ssl_get_auth_nocache();
+ }
+
/* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
* so fall back to IPv4-only (trac #1221)
*/
{
auth_file = p->options.auth_file_up;
}
- if (p->queried_creds)
+ if (p->queried_creds && !static_proxy_user_pass.nocache)
{
flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED;
}
auth_file,
UP_TYPE_PROXY,
flags);
- p->queried_creds = true;
- p->up = static_proxy_user_pass;
+ static_proxy_user_pass.nocache = p->options.nocache;
}
+
+ /*
+ * Using cached credentials
+ */
+ p->queried_creds = true;
+ p->up = static_proxy_user_pass;
}
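Review bot: The condition `if (p->queried_creds && !static_proxy_user_pass.nocache)` tests a flag that is only assigned after get_user_pass() returns, so it always sees the value from the previous query, and that value is presumably lost when clear_user_pass_http() wipes the static struct — in which case a later call would set GET_USER_PASS_PREVIOUS_CREDS_FAILED for credentials that never failed. Testing the option directly, `if (p->queried_creds && !p->options.nocache)`, does not depend on the cached copy. Separately, `p->up = static_proxy_user_pass;` leaves a second copy of the password in `p->up` (the same copy whose `nocache` flag later triggers clear_user_pass_http()); verify that the wipe path covers `p->up` as well, otherwise --auth-nocache removes only one of two copies. The comment `/* Using cached credentials */` sits where freshly queried credentials are copied too; `/* hand the (fresh or cached) credentials to the caller */` is more accurate. The enclosing function starts and ends outside the hunk.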
#if 0
* we know whether we need any. */
if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM2)
{
- get_user_pass_http(p, true);
+ get_user_pass_http(p, p->options.first_time);
}
#if !NTLM
|| p->auth_method == HTTP_AUTH_NTLM2)
{
get_user_pass_http(p, false);
+
+ if (p->up.nocache)
+ {
+ clear_user_pass_http();
+ }
}
/* are we being called again after getting the digest server nonce in the previous transaction? */
}
goto error;
}
-
- /* clear state */
- if (p->options.auth_retry)
- {
- clear_user_pass_http();
- }
- store_proxy_authenticate(p, NULL);
}
/* check return code, success = 200 */
const char *user_agent;
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER];
bool inline_creds; /* auth_file_up is inline credentials */
+ bool first_time; /* indicates if we need to wipe user creds at the first iteration of the main loop */
+ bool nocache;
};
struct http_proxy_options_simple {
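Review bot: The new `bool nocache;` member is the only field in this struct without a trailing comment, while `inline_creds` and the new `first_time` both carry one. Suggest `bool nocache; /* mirror of --auth-nocache: wipe proxy creds once they have been used */` so the relation to the global option is visible at the declaration. The struct definition starts outside the hunk.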
auth_user_pass.nocache = true;
}
+/*
+ * Get the password caching
+ */
+bool
+ssl_get_auth_nocache(void)
+{
+ return passbuf.nocache;
+}
+
/*
* Set an authentication token
*/
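Review bot: The new getter returns `passbuf.nocache`, whereas the only visible line of ssl_set_auth_nocache() just above writes `auth_user_pass.nocache = true;`. If the setter also assigns `passbuf.nocache` on a line outside the hunk this is fine, but reading the same member the visible write touches, `return auth_user_pass.nocache;`, would make the pair self-evidently consistent. The header comment `/* Get the password caching */` is vague; suggest `/* Return true when --auth-nocache was given, i.e. cached credentials must be wiped after use. */`.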
*/
void ssl_set_auth_nocache(void);
+/*
+ * Getter method for retrieving the auth-nocache option.
+ */
+bool ssl_get_auth_nocache(void);
+
/*
* Purge any stored authentication information, both for key files and tunnel
* authentication. If PCKS #11 is enabled, purge authentication for that too.