Fixed an issue where AUTH_FAILED was not being properly delivered
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>
Sat, 16 Jan 2010 03:24:07 +0000 (03:24 +0000)
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>
Sat, 16 Jan 2010 03:24:07 +0000 (03:24 +0000)
to the client when a bad password is given for mid-session reauth.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5369 e7ae566f-a301-0410-adde-c780ea21d3b5

multi.c
ssl.c

diff --git a/multi.c b/multi.c
index 7ea64b43d5cd48bde50994d2912281e00f2e016b..342871a79337f2bc4a49ce8dbc24ea841defade7 100644 (file)
--- a/multi.c
+++ b/multi.c
@@ -1843,6 +1843,20 @@ compute_wakeup_sigma (const struct timeval *delta)
     }
 }
 
+static void
+multi_schedule_context_wakeup (struct multi_context *m, struct multi_instance *mi)
+{
+  /* calculate an absolute wakeup time */
+  ASSERT (!openvpn_gettimeofday (&mi->wakeup, NULL));
+  tv_add (&mi->wakeup, &mi->context.c2.timeval);
+
+  /* tell scheduler to wake us up at some point in the future */
+  schedule_add_entry (m->schedule,
+                     (struct schedule_entry *) mi,
+                     &mi->wakeup,
+                     compute_wakeup_sigma (&mi->context.c2.timeval));
+}
+
 /*
  * Figure instance-specific timers, convert
  * earliest to absolute time in mi->wakeup,
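Review bot: The new multi_schedule_context_wakeup has no header comment, and it depends on `mi->context.c2.timeval` already holding a current relative timeout, which nothing in the function states. The original call site in multi_process_post presumably satisfies that, but the new caller in management_client_auth (third hunk) invokes the helper right after send_auth_failed with no visible refresh of that field, so the wakeup may be computed from a stale interval; this should be confirmed. I would add `/* Schedule mi to wake at now + mi->context.c2.timeval; the caller must have brought c2.timeval up to date first. */` above the definition. The openvpn_gettimeofday call also sits inside `ASSERT`, which is only safe as long as ASSERT is never compiled out.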
@@ -1863,15 +1877,8 @@ multi_process_post (struct multi_context *m, struct multi_instance *mi, const un
 
       if (!IS_SIG (&mi->context))
        {
-         /* calculate an absolute wakeup time */
-         ASSERT (!openvpn_gettimeofday (&mi->wakeup, NULL));
-         tv_add (&mi->wakeup, &mi->context.c2.timeval);
-
          /* tell scheduler to wake us up at some point in the future */
-         schedule_add_entry (m->schedule,
-                             (struct schedule_entry *) mi,
-                             &mi->wakeup,
-                             compute_wakeup_sigma (&mi->context.c2.timeval));
+         multi_schedule_context_wakeup(m, mi);
 
          /* connection is "established" when SSL/TLS key negotiation succeeds
             and (if specified) auth user/pass succeeds */
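Review bot: The new call `multi_schedule_context_wakeup(m, mi);` omits the space before the parenthesis that every other call in these hunks uses; write `multi_schedule_context_wakeup (m, mi);` here and at the second call site in management_client_auth. The retained comment "tell scheduler to wake us up at some point in the future" now repeats the comment inside the helper and could be dropped. multi_process_post starts and ends outside this hunk.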
@@ -2566,13 +2573,24 @@ management_client_auth (void *arg,
       ret = tls_authenticate_key (mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
       if (ret)
        {
-         if (auth && !mi->connection_established_flag)
+         if (auth)
            {
-             set_cc_config (mi, cc_config);
-             cc_config_owned = false;
+             if (!mi->connection_established_flag)
+               {
+                 set_cc_config (mi, cc_config);
+                 cc_config_owned = false;
+               }
+           }
+         else
+           {
+             if (reason)
+               msg (D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
+             if (mi->connection_established_flag)
+               {
+                 send_auth_failed (&mi->context, client_reason); /* mid-session reauth failed */
+                 multi_schedule_context_wakeup(m, mi);
+               }
            }
-         if (!auth && reason)
-           msg (D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
        }
     }
   if (cc_config_owned && cc_config)
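Review bot: `client_reason` is passed unguarded to `send_auth_failed` in the new else branch, while the log line just above wraps the same pointer in `np()`, which suggests it can be NULL. send_auth_failed is not visible here, so confirm it tolerates a NULL reason before relying on this path. The "connection rejected" message is also the only log record of a failed mid-session reauth, and only when `reason` is set; a distinct line inside the `connection_established_flag` branch, such as `msg (D_MULTI_LOW, "MULTI: mid-session reauth failed, CLI:%s", np(client_reason));`, would make that event easier to find and alert on. management_client_auth starts and ends outside this hunk.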
diff --git a/ssl.c b/ssl.c
index e6953db42a9b9af74004187c743452d06510bc2f..82e04a3b9b71e016383b20cf9813069c9ce95de1 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -1228,6 +1228,10 @@ tls_authentication_status (struct tls_multi *multi, const int latency)
 }
 
 #ifdef MANAGEMENT_DEF_AUTH
+/*
+ * For deferred auth, this is where the management interface calls (on server)
+ * to indicate auth failure/success.
+ */
 bool
 tls_authenticate_key (struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
 {