git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Selva Nair <selva.nair@gmail.com>
	Mon, 4 Jul 2022 02:58:40 +0000 (22:58 -0400)
committer	Gert Doering <gert@greenie.muc.de>
	Fri, 19 Aug 2022 12:54:14 +0000 (14:54 +0200)
commit	5b178f591c882a6600414104a77a9240f7a29331
tree	bd6c1e0fafbc4835a4d3d1f8934373c3a57ca3e6	tree
parent	e3c397b0edd86158b8c417f6d396920a7e2eae68	commit \| diff

Fix auth-token usage with management-def-auth

When auth-token verify succeeds during a reauth, other auth
methods (plugin, script, management) are skipped unless
external-auth is in effect (skip_auth gets set to true).

However, in this case, the status of management-def-auth
(ks->mda_status) stays at its default value of ACF_PENDING
and will never change. This causes TLS keys to go out of sync
and an eventual client disconnect.

Further, a message saying username/password authentication is
"deferred" gets logged which is misleading.
For example:

test/127.0.0.1:35874 TLS: Username/auth-token authentication
succeeded for username 'test'

followed by

test/127.0.0.1:35874 TLS: Username/Password authentication
deferred for username 'test' [CN SET]

Fix by setting ks->mda_status to ACF_DISABLED, and do not
set ks->authenticated = KS_AUTH_DEFERRED when skip_auth is true.

Also log a warning message when token is marked as expired on
missing the reneg window.

Reported by: Connor Edwards <connor.edwards@b2c2.com>

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220704025840.2558-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24627.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ddbe6a6fc26586d09f5a9105f13124c479b4d993)

src/openvpn/auth_token.c		diff \| blob \| blame \| history
src/openvpn/ssl_verify.c		diff \| blob \| blame \| history