From: Arne Schwabe Date: Thu, 17 Feb 2022 18:22:34 +0000 (+0100) Subject: Fix OpenVPN querying user/password if auth-token with user expires X-Git-Tag: v2.5.8~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=af546d798213587285b225cd0031944a81e8e26c;p=thirdparty%2Fopenvpn.git Fix OpenVPN querying user/password if auth-token with user expires The problematic behaviour happens when starting a profile without auth-user-pass and then connecting to a server that pushes auth-token. When the auth token expires OpenVPN asks for auth User and password again (but it shouldn't). The problem is that the auth_user_pass_setup sets auth_user_pass_enabled = true; This function is called from two places. In ssl.c it is only called with an auth-token present or that variable already set. The other one is init_query_passwords. Move setting auth_user_pass_enabled to the second place to ensure it is only set if we really want passwords. Signed-off-by: Arne Schwabe Acked-by: David Sommerseth Acked-by: Heiko Hund Message-Id: <20221009130805.1556517-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25367.html Signed-off-by: Gert Doering (cherry-picked from commit 7d291e10bccd1d6b9e584307fb5fe3ebfb114ec9) --- diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b1b7b350f..7990e8459 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -596,6 +596,7 @@ init_query_passwords(const struct context *c) /* Auth user/pass input */ if (c->options.auth_user_pass_file) { + enable_auth_user_pass(); #ifdef ENABLE_MANAGEMENT auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info); #else diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 841a649ab..3de4cc398 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -393,9 +393,14 @@ static char *auth_challenge; /* GLOBAL */ #endif void -auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci) +enable_auth_user_pass() { auth_user_pass_enabled = true; +} + +void +auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci) +{ if (!auth_user_pass.defined && !auth_token.defined) { #ifdef ENABLE_MANAGEMENT diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 4fe8004a0..6b5ae8a96 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -419,6 +419,9 @@ void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf); */ void pem_password_setup(const char *auth_file); +/* Enables the use of user/password authentication */ +void enable_auth_user_pass(); + /* * Setup authentication username and password. If auth_file is given, use the * credentials stored in the file.
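Review bot: in the src/openvpn/init.c hunk (@@ -596,6 +596,7 @@), the new enable_auth_user_pass() call carries no comment, yet after this patch it is the only line in the diff that sets auth_user_pass_enabled. A one-line comment above the call would help, stating that auth_user_pass_setup() no longer sets the flag and that it is set here so that a pushed auth-token alone does not turn on user/password prompting. That keeps a later refactor from moving the call back into the setup path.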
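Review bot: in the src/openvpn/ssl.c hunk (@@ -393,9 +393,14 @@), enable_auth_user_pass() is defined with an empty parameter list, which in C (before C23) leaves the parameters unspecified instead of declaring that the function takes none. Suggest "enable_auth_user_pass(void)" here and in the matching declaration in ssl.h, so that a call that passes arguments by mistake is rejected at compile time and the code builds cleanly under -Wstrict-prototypes.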
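Review bot: in the src/openvpn/ssl.h hunk (@@ -419,6 +419,9 @@), the new comment "Enables the use of user/password authentication" does not say when the function has to be called, and the existing comment on auth_user_pass_setup() just below is left unchanged although that function no longer sets auth_user_pass_enabled. Suggest extending both comments: note on enable_auth_user_pass() that it is meant to be called only when the configuration actually requests user/password authentication, and note on auth_user_pass_setup() that it now leaves the enabled flag untouched, so that callers relying on the old side effect are caught in review.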