From: Antonio Quartulli <a@unstable.cc>
Date: Mon, 4 Dec 2017 04:49:07 +0000 (+0800)
Subject: reload HTTP proxy credentials when moving to the next connection profile
X-Git-Tag: v2.4.5~43
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fbc50963b9f8a4bac4362d472366730fed23aae9;p=thirdparty%2Fopenvpn.git

reload HTTP proxy credentials when moving to the next connection profile

The HTTP proxy credentials are stored in a static variable that is
possibly initialized before each connection attempt.

However, the variable is never "released" therefore get_user_pass()
refuses to overwrite its content and leaves it as it is.
Consequently, if the user config contains multiple connection profiles
with different http-proxy, each having its own credentials, only the
first user/pass couple is loaded and the others are all ignored.
This leads to connection failures because the proper credentials are
not associated with the right proxy server.

The root of the misbehaviour seems to be located in the fact that,
despite the argument force passed to get_user_pass_http() being true,
no action is taken to release the static object containing the
credentials.

Fix the misbehaviour by releasing the http-proxy credential object
when the reload is "forced".

Trac: #836
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Steffan Karger <steffan@karger.me>
Tested-by: David Sommerseth <davids@openvpn.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20171204044907.32261-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16007.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 86b58ceb29cf1cc3acf32e2ff370d9a4af68c051)
---

diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 2e8150396..4badadbee 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -252,10 +252,25 @@ username_password_as_base64(const struct http_proxy_info *p,
     return (const char *)make_base64_string((const uint8_t *)BSTR(&out), gc);
 }
 
+static void
+clear_user_pass_http(void)
+{
+    purge_user_pass(&static_proxy_user_pass, true);
+}
+
 static void
 get_user_pass_http(struct http_proxy_info *p, const bool force)
 {
-    if (!static_proxy_user_pass.defined || force)
+    /*
+     * in case of forced (re)load, make sure the static storage is set as
+     * undefined, otherwise get_user_pass() won't try to load any credential
+     */
+    if (force)
+    {
+        clear_user_pass_http();
+    }
+
+    if (!static_proxy_user_pass.defined)
     {
         unsigned int flags = GET_USER_PASS_MANAGEMENT;
         if (p->queried_creds)
@@ -274,11 +289,6 @@ get_user_pass_http(struct http_proxy_info *p, const bool force)
         p->up = static_proxy_user_pass;
     }
 }
-static void
-clear_user_pass_http(void)
-{
-    purge_user_pass(&static_proxy_user_pass, true);
-}
 
 #if 0
 /* function only used in #if 0 debug statement */