GitList

Browse code

Http-proxy: fix bug preventing proxy credentials caching

Caching proxy credentials was not working due to the
lack of handling already defined creds in get_user_pass(),
which prevented the caching from working properly.

Fix this issue by getting the value of c->first_time,
that indicates if we're at the first iteration
of the main loop and use it as second argument of the
get_user_pass_http(). Otherwise, on SIGUSR1 or SIGHUP
upon instance context restart credentials would be erased
every time.

The nocache member has been added to the struct
http_proxy_options and also a getter method to retrieve
that option from ssl has been added, by doing this
we're able to erase previous queried user credentials
to ensure correct operation.

Fixes: Trac #1187
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240623200551.20092-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28835.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3cfd6f961d5c92bec283ac3616e1633b4e16760c)

Gianmarco De Gregori authored on 2024/06/24 05:05:51
Showing 7 changed files

doc/man-sections/generic-options.rst index 4579486..f805d13 100644
src/openvpn/init.c index 7e231ec..103aa3c 100644
src/openvpn/options.c index c0a2606..9d33dad 100644
src/openvpn/proxy.c index f88a1f7..f6475fb 100644
src/openvpn/proxy.h index 04ab13a..3448e7d 100644
src/openvpn/ssl.c index 162a862..e37ebc1 100644
src/openvpn/ssl.h index 47a170f..1e15e26 100644

doc/man-sections/generic-options.rst

History View file @ ad0c2c0

@@ -19,9 +19,6 @@ which mode OpenVPN is configured as.
                        When using ``--auth-nocache`` in combination with a user/password file
                        and ``--chroot`` or ``--daemon``, make sure to use an absolute path.
                     -  This directive does not affect the ``--http-proxy`` username/password.
                     -  It is always cached.
+                    -
                      --cd dir
                        Change directory to ``dir`` prior to reading any files such as
                        configuration files, key files, scripts, etc. ``dir`` should be an

src/openvpn/init.c

History View file @ ad0c2c0

@@ -691,6 +691,8 @@ init_proxy_dowork(struct context *c)
                          if (c->options.ce.http_proxy_options)
+                         {
                     +        c->options.ce.http_proxy_options->first_time = c->first_time;
+                    +
                              /* Possible HTTP proxy user/pass input */
                              c->c1.http_proxy = http_proxy_new(c->options.ce.http_proxy_options);
                              if (c->c1.http_proxy)

src/openvpn/options.c

History View file @ ad0c2c0

@@ -1653,6 +1653,7 @@ show_http_proxy_options(const struct http_proxy_options *o)
                          SHOW_STR(auth_file);
                          SHOW_STR(auth_file_up);
                          SHOW_BOOL(inline_creds);
                     +    SHOW_BOOL(nocache);
                          SHOW_STR(http_version);
                          SHOW_STR(user_agent);
                          for  (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
@@ -3156,6 +3157,11 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
                              ce->flags |= CE_DISABLED;
+                         }
                     +    if (ce->http_proxy_options)
                     +    {
                     +        ce->http_proxy_options->nocache = ssl_get_auth_nocache();
                     +    }
+                    +
                          /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
                           * so fall back to IPv4-only (trac #1221)
                           */

src/openvpn/proxy.c

History View file @ ad0c2c0

@@ -276,7 +276,7 @@ get_user_pass_http(struct http_proxy_info *p, const bool force)
         {
             auth_file = p->options.auth_file_up;
         }
-        if (p->queried_creds)
+        if (p->queried_creds && !static_proxy_user_pass.nocache)
         {
             flags |= GET_USER_PASS_PREVIOUS_CREDS_FAILED;
         }
@@ -288,9 +288,14 @@ get_user_pass_http(struct http_proxy_info *p, const bool force)
                       auth_file,
                       UP_TYPE_PROXY,
                       flags);
-        p->queried_creds = true;
-        p->up = static_proxy_user_pass;
+        static_proxy_user_pass.nocache = p->options.nocache;
     }
+
+    /*
+     * Using cached credentials
+     */
+    p->queried_creds = true;
+    p->up = static_proxy_user_pass;
 }
 
 #if 0
@@ -541,7 +546,7 @@ http_proxy_new(const struct http_proxy_options *o)
     /* only basic and NTLM/NTLMv2 authentication supported so far */
     if (p->auth_method == HTTP_AUTH_BASIC || p->auth_method == HTTP_AUTH_NTLM || p->auth_method == HTTP_AUTH_NTLM2)
     {
-        get_user_pass_http(p, true);
+        get_user_pass_http(p, p->options.first_time);
     }
 
 #if !NTLM
@@ -656,6 +661,11 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
         || p->auth_method == HTTP_AUTH_NTLM)
     {
         get_user_pass_http(p, false);
+
+        if (p->up.nocache)
+        {
+            clear_user_pass_http();
+        }
     }
 
     /* are we being called again after getting the digest server nonce in the previous transaction? */
@@ -1031,13 +1041,6 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
             }
             goto error;
         }
-
-        /* clear state */
-        if (p->options.auth_retry)
-        {
-            clear_user_pass_http();
-        }
-        store_proxy_authenticate(p, NULL);
     }
 
     /* check return code, success = 200 */

src/openvpn/proxy.h

History View file @ ad0c2c0

@@ -57,6 +57,8 @@ struct http_proxy_options {
                          const char *user_agent;
                          struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER];
                          bool inline_creds; /* auth_file_up is inline credentials */
                     +    bool first_time; /* indicates if we need to wipe user creds at the first iteration of the main loop */
                     +    bool nocache;
                      };
                      struct http_proxy_options_simple {

src/openvpn/ssl.c

History View file @ ad0c2c0

@@ -499,6 +499,15 @@ ssl_set_auth_nocache(void)
+                     }
                      /*
                     + * Get the password caching
                     + */
                     +bool
                     +ssl_get_auth_nocache(void)
                     +{
                     +    return passbuf.nocache;
                     +}
+                    +
                     +/*
                       * Set an authentication token
                       */
                      void

src/openvpn/ssl.h

History View file @ ad0c2c0

@@ -397,6 +397,11 @@ void auth_user_pass_setup(const char *auth_file, bool is_inline,
                      void ssl_set_auth_nocache(void);
                      /*
                     + * Getter method for retrieving the auth-nocache option.
                     + */
                     +bool ssl_get_auth_nocache(void);
+                    +
                     +/*
                       * Purge any stored authentication information, both for key files and tunnel
                       * authentication. If PCKS #11 is enabled, purge authentication for that too.
                       * Note that auth_token is not cleared.

...	...	@@ -276,7 +276,7 @@ get_user_pass_http(struct http_proxy_info *p, const bool force)
276	276	{
277	277	auth_file = p->options.auth_file_up;
278	278	}
279		- if (p->queried_creds)
	279	+ if (p->queried_creds && !static_proxy_user_pass.nocache)
280	280	{
281	281	flags \|= GET_USER_PASS_PREVIOUS_CREDS_FAILED;
282	282	}
...	...	@@ -288,9 +288,14 @@ get_user_pass_http(struct http_proxy_info *p, const bool force)
288	288	auth_file,
289	289	UP_TYPE_PROXY,
290	290	flags);
291		- p->queried_creds = true;
292		- p->up = static_proxy_user_pass;
	291	+ static_proxy_user_pass.nocache = p->options.nocache;
293	292	}
	293	+
	294	+ /*
	295	+ * Using cached credentials
	296	+ */
	297	+ p->queried_creds = true;
	298	+ p->up = static_proxy_user_pass;
294	299	}
295	300
296	301	#if 0
...	...	@@ -541,7 +546,7 @@ http_proxy_new(const struct http_proxy_options *o)
541	541	/* only basic and NTLM/NTLMv2 authentication supported so far */
542	542	if (p->auth_method == HTTP_AUTH_BASIC \|\| p->auth_method == HTTP_AUTH_NTLM \|\| p->auth_method == HTTP_AUTH_NTLM2)
543	543	{
544		- get_user_pass_http(p, true);
	544	+ get_user_pass_http(p, p->options.first_time);
545	545	}
546	546
547	547	#if !NTLM
...	...	@@ -656,6 +661,11 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
656	656	\|\| p->auth_method == HTTP_AUTH_NTLM)
657	657	{
658	658	get_user_pass_http(p, false);
	659	+
	660	+ if (p->up.nocache)
	661	+ {
	662	+ clear_user_pass_http();
	663	+ }
659	664	}
660	665
661	666	/* are we being called again after getting the digest server nonce in the previous transaction? */
...	...	@@ -1031,13 +1041,6 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
1031	1031	}
1032	1032	goto error;
1033	1033	}
1034		-
1035		- /* clear state */
1036		- if (p->options.auth_retry)
1037		- {
1038		- clear_user_pass_http();
1039		- }
1040		- store_proxy_authenticate(p, NULL);
1041	1034	}
1042	1035
1043	1036	/* check return code, success = 200 */