From: james
Date: Sat, 16 Jan 2010 03:24:07 +0000 (+0000)
Subject: Fixed an issue where AUTH_FAILED was not being properly delivered
X-Git-Tag: v2.2-beta1~34
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a345b41ebae094971f60bb9d144dbc56182a2a7c;p=thirdparty%2Fopenvpn.git

Fixed an issue where AUTH_FAILED was not being properly delivered
to the client when a bad password is given for mid-session reauth.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5369 e7ae566f-a301-0410-adde-c780ea21d3b5
---

diff --git a/multi.c b/multi.c
index 7ea64b43d..342871a79 100644
--- a/multi.c
+++ b/multi.c
@@ -1843,6 +1843,20 @@ compute_wakeup_sigma (const struct timeval *delta)
 }
 }
 
+static void
+multi_schedule_context_wakeup (struct multi_context *m, struct multi_instance *mi)
+{
+ /* calculate an absolute wakeup time */
+ ASSERT (!openvpn_gettimeofday (&mi->wakeup, NULL));
+ tv_add (&mi->wakeup, &mi->context.c2.timeval);
+
+ /* tell scheduler to wake us up at some point in the future */
+ schedule_add_entry (m->schedule,
+ (struct schedule_entry *) mi,
+ &mi->wakeup,
+ compute_wakeup_sigma (&mi->context.c2.timeval));
+}
+
 /*
 * Figure instance-specific timers, convert
 * earliest to absolute time in mi->wakeup,
@@ -1863,15 +1877,8 @@ multi_process_post (struct multi_context *m, struct multi_instance *mi, const un
 
 if (!IS_SIG (&mi->context))
 {
- /* calculate an absolute wakeup time */
- ASSERT (!openvpn_gettimeofday (&mi->wakeup, NULL));
- tv_add (&mi->wakeup, &mi->context.c2.timeval);
-
 /* tell scheduler to wake us up at some point in the future */
- schedule_add_entry (m->schedule,
- (struct schedule_entry *) mi,
- &mi->wakeup,
- compute_wakeup_sigma (&mi->context.c2.timeval));
+ multi_schedule_context_wakeup(m, mi);
 
 /* connection is "established" when SSL/TLS key negotiation succeeds and (if specified) auth user/pass succeeds */
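Review bot: multi_schedule_context_wakeup has no comment saying that it relies on mi->context.c2.timeval already holding a current relative timeout, and this commit adds a second caller in management_client_auth where no timer computation is visible before the call. I would put above the helper `/* Caller must have refreshed mi->context.c2.timeval; a stale value schedules the wakeup late. */` and confirm that send_auth_failed updates that field, since otherwise the AUTH_FAILED message could wait for an older, longer timeout. The time read also stays inside `ASSERT (!openvpn_gettimeofday (&mi->wakeup, NULL));`; if ASSERT can be compiled out in any build of this tree, mi->wakeup would be used unset, so an explicit check of the return value would be safer.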
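Review bot: The new call `multi_schedule_context_wakeup(m, mi);` in multi_process_post drops the space before the argument list that the surrounding calls use (`schedule_add_entry (...)`, `tv_add (...)`). Write `multi_schedule_context_wakeup (m, mi);` here and at the call added in management_client_auth. multi_process_post starts and ends outside the hunk.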
@@ -2566,13 +2573,24 @@ management_client_auth (void *arg,
 ret = tls_authenticate_key (mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
 if (ret)
 {
- if (auth && !mi->connection_established_flag)
+ if (auth)
 {
- set_cc_config (mi, cc_config);
- cc_config_owned = false;
+ if (!mi->connection_established_flag)
+ {
+ set_cc_config (mi, cc_config);
+ cc_config_owned = false;
+ }
+ }
+ else
+ {
+ if (reason)
+ msg (D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
+ if (mi->connection_established_flag)
+ {
+ send_auth_failed (&mi->context, client_reason); /* mid-session reauth failed */
+ multi_schedule_context_wakeup(m, mi);
+ }
 }
- if (!auth && reason)
- msg (D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
 }
 }
 if (cc_config_owned && cc_config)
diff --git a/ssl.c b/ssl.c
index e6953db42..82e04a3b9 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1228,6 +1228,10 @@ tls_authentication_status (struct tls_multi *multi, const int latency)
 }
 
 #ifdef MANAGEMENT_DEF_AUTH
+/*
+ * For deferred auth, this is where the management interface calls (on server)
+ * to indicate auth failure/success.
+ */
 bool
 tls_authenticate_key (struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason)
 {
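Review bot: `send_auth_failed (&mi->context, client_reason);` in the new else branch of management_client_auth passes client_reason unguarded, while the log call just above wraps it in `np(client_reason)`, which suggests it can be NULL. send_auth_failed is not visible here, so confirm it accepts a NULL reason or guard the argument, and record the answer in a comment on that line. The whole branch also sits under `if (ret)`, so a denial for which tls_authenticate_key returns false is neither logged nor answered with AUTH_FAILED as far as this hunk shows; a `msg` call for that case would make a dropped reauth rejection visible to the operator. The function begins and ends outside the hunk.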
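Review bot: The comment added above tls_authenticate_key says who calls it but not what the bool result means, although management_client_auth in multi.c makes both the success path and the new AUTH_FAILED path conditional on that result. Add a sentence stating when the function returns false (presumably when no key state matches mda_key_id; confirm against the body, which lies outside this hunk) and whether client_reason may be NULL. With that in place a reader can tell that a false return means the management decision was not applied to any key.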