Remove auth_user_pass.wait_for_push variable
authorArne Schwabe <arne@rfc2549.org>
Wed, 2 Dec 2020 11:59:28 +0000 (12:59 +0100)
committerGert Doering <gert@greenie.muc.de>
Wed, 2 Dec 2020 13:38:20 +0000 (14:38 +0100)
This variable was first introduced in an earlier attempt to fix the
auth-token problems with auth-nocache, before user_password and
auth_token were split into two variables. The idea of the variable was
that it is set if --pull is in use. However, the variable was not always
set correctly, especially if username/password are queried after an
expired auth-token. Instead of using that variable, use session->opt->pull
directly.

Patch V2: rename delayed_auth_pass_purge to ssl_clean_user_pass to give
          a more fitting name since this function is not only used in
          the delayed code path and also the new name aligns with
          ssl_clean_auth_token. Also fix a leftover wait_for_push
          in that function

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201202115928.16615-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21297.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit dfd624b52bce7ddd0eeaab516df9848e432f3242)

src/openvpn/init.c
src/openvpn/manage.c
src/openvpn/misc.h
src/openvpn/ssl.c
src/openvpn/ssl.h

index f35bf9c2b8d5a1513dc2c3bf913a044bb54ccd91..34d830a3c56854a62268ae4793ba8c9c6d8e3dee 100644 (file)
@@ -1538,7 +1538,7 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)
      */
     if (c->options.mode == MODE_POINT_TO_POINT)
     {
-        delayed_auth_pass_purge();
+        ssl_clean_user_pass();
     }
 #endif /* ENABLE_CRYPTO */
 
index 61d61ef20f33b43104ce74334a146dd6910e287b..6d1bdc10f8e4869dbf96344fb5aaaa4887f95177 100644 (file)
@@ -3503,7 +3503,6 @@ management_query_user_pass(struct management *man,
         {
             /* preserve caller's settings */
             man->connection.up_query.nocache = up->nocache;
-            man->connection.up_query.wait_for_push = up->wait_for_push;
             *up = man->connection.up_query;
         }
         secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));
index 59c8ae2342cf6241690533eca0ac920a106a5624..51ca4ed9fb58c48bd2f0c73911e3d6ef5b3fab3f 100644 (file)
@@ -178,7 +178,6 @@ struct user_pass
 {
     bool defined;
     bool nocache;
-    bool wait_for_push; /* true if this object is waiting for a push-reply */
 
 /* max length of username/password */
 #ifdef ENABLE_PKCS11
index c93beea6730be4fcabc6fe2ec3040d24f9cb97c2..f98799ed0e5207efa1d5618b970311d1c6feb2b3 100644 (file)
@@ -452,8 +452,6 @@ ssl_set_auth_nocache(void)
 {
     passbuf.nocache = true;
     auth_user_pass.nocache = true;
-    /* wait for push-reply, because auth-token may still need the username */
-    auth_user_pass.wait_for_push = true;
 }
 
 /*
@@ -2441,14 +2439,15 @@ key_method_2_write(struct buffer *buf, struct tls_session *session)
         }
         /* if auth-nocache was specified, the auth_user_pass object reaches
          * a "complete" state only after having received the push-reply
-         * message.
+         * message. The push message might contain an auth-token that needs
+         * the username of auth_user_pass.
          *
          * For this reason, skip the purge operation here if no push-reply
          * message has been received yet.
          *
          * This normally happens upon first negotiation only.
          */
-        if (!auth_user_pass.wait_for_push)
+        if (!session->opt->pull)
         {
             purge_user_pass(&auth_user_pass, false);
         }
@@ -4322,9 +4321,8 @@ done:
 }
 
 void
-delayed_auth_pass_purge(void)
+ssl_clean_user_pass(void)
 {
-    auth_user_pass.wait_for_push = false;
     purge_user_pass(&auth_user_pass, false);
 }
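Review bot: The comment block above the new condition in key_method_2_write still describes the old check — it says the purge is skipped "if no push-reply message has been received yet" and that "this normally happens upon first negotiation only", but `!session->opt->pull` skips the purge on every negotiation whenever --pull is configured, whether or not a push-reply has arrived. Suggest replacing those two sentences with something like `/* With --pull the purge is deferred to ssl_clean_user_pass(), which runs once the push-reply has been processed, because an auth-token in that message may still need the username. */`. Note that with --pull the credentials now remain in auth_user_pass until ssl_clean_user_pass() runs; if the push-reply never arrives, nothing in this hunk clears them, so it is worth confirming that the connection-teardown path purges them as well. key_method_2_write's body begins and ends outside the hunk.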
 
index 703de99bdcdc92b0efbb28dd4d563b4eb48213c4..8cf037891b9eecf35f803ce87b16eb2ed3aca149 100644 (file)
@@ -627,7 +627,10 @@ void extract_x509_field_test(void);
  */
 bool is_hard_reset(int op, int key_method);
 
-void delayed_auth_pass_purge(void);
+/**
+ * Cleans the saved user/password unless auth-nocache is in use.
+ */
+void ssl_clean_user_pass(void);
 
 
 /*
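Review bot: The new doc comment says ssl_clean_user_pass() cleans the saved user/password "unless auth-nocache is in use", which reads inverted: auth-nocache is the option that asks for credentials not to be retained, and the definition in ssl.c simply calls `purge_user_pass(&auth_user_pass, false)`, whose nocache handling is not visible in this diff. If purge_user_pass() only clears the object when nocache is set (or force is true), the header should say the opposite, e.g. `/** Purges the saved username/password from memory when auth-nocache is in use (delegates to purge_user_pass() without force). */`. Please confirm against purge_user_pass() before wording it either way, since header comments are what callers read.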