On 04.07.22 at 04:58, selva.n...@gmail.com wrote:
From: Selva Nair <selva.n...@gmail.com>
When auth-token verify succeeds during a reauth, other auth
methods (plugin, script, management) are skipped unless
external-auth is in effect (skip_auth gets set to true).
However, in this case, the status of management-def-auth
(ks->mda_status) stays at its default value of ACF_PENDING
and will never change. This causes TLS keys to go out of sync
and an eventual client disconnect.
Further, a message saying username/password authentication is
"deferred" gets logged which is misleading.
For example:
test/127.0.0.1:35874 TLS: Username/auth-token authentication
succeeded for username 'test'
followed by
test/127.0.0.1:35874 TLS: Username/Password authentication
deferred for username 'test' [CN SET]
Fix by setting ks->mda_status to ACF_DISABLED, and do not
set ks->authenticated = KS_AUTH_DEFERRED when skip_auth is true.
Also log a warning message when the token is marked as expired on
missing the reneg window.
Reported by: Connor Edwards <connor.edwa...@b2c2.com>
Acked-By: Arne Schwabe <a...@rfc2549.org>
Note that you need to have management enabled for this bug to trigger. If
you go through all the effort to talk to management like this, you
probably want to use external-auth anyway.
Basically, currently AS is the only management+server mode application
that active developers use, so bugs like this tend to slip.
Arne
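To make the failure mode in the patch description concrete, here is a small C model of the reauth bookkeeping it talks about. This is an added example, not OpenVPN source: the enum and field names (ks->mda_status, ACF_PENDING, ACF_DISABLED, KS_AUTH_DEFERRED, skip_auth) are taken from the commit message, but the struct layout and the functions finish_reauth, management_answer, effective_auth and the *_verdict helpers are hypothetical simplifications. It shows why leaving mda_status at ACF_PENDING on the auth-token path makes the key state stay "deferred" forever when no management answer is ever going to arrive, and how setting ACF_DISABLED resolves it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of OpenVPN's per-key-state auth bookkeeping
 * (added example; names mirror the commit message, structure does not). */
enum auth_control_status { ACF_PENDING, ACF_SUCCEEDED, ACF_FAILED, ACF_DISABLED };
enum ks_auth { KS_AUTH_FALSE, KS_AUTH_DEFERRED, KS_AUTH_TRUE };

struct key_state {
    enum ks_auth authenticated;              /* verdict of the auth methods run so far */
    enum auth_control_status mda_status;     /* management-def-auth result */
};

/* Model of the reauth path. skip_auth mirrors the flag set when the
 * auth-token check succeeds and external-auth is not in effect.
 * 'fixed' selects the patched behaviour. */
static void finish_reauth(struct key_state *ks, bool skip_auth, bool fixed)
{
    if (skip_auth) {
        /* Token already verified; management is not consulted at all. */
        ks->authenticated = KS_AUTH_TRUE;
        if (fixed) {
            ks->mda_status = ACF_DISABLED;   /* patched: no answer expected */
        }
        /* unpatched: mda_status stays ACF_PENDING and nothing updates it */
        return;
    }
    /* Normal path: ask management, answer arrives asynchronously. */
    ks->authenticated = KS_AUTH_DEFERRED;
    ks->mda_status = ACF_PENDING;
}

/* The management interface answers the deferred auth request. */
static void management_answer(struct key_state *ks, bool ok)
{
    ks->mda_status = ok ? ACF_SUCCEEDED : ACF_FAILED;
}

/* Model of how the partial results combine: any ACF_PENDING result keeps
 * the whole key state deferred, which is what desynchronises the keys. */
static enum ks_auth effective_auth(const struct key_state *ks)
{
    if (ks->authenticated == KS_AUTH_FALSE || ks->mda_status == ACF_FAILED) {
        return KS_AUTH_FALSE;
    }
    if (ks->mda_status == ACF_PENDING) {
        return KS_AUTH_DEFERRED;
    }
    /* ACF_SUCCEEDED or ACF_DISABLED: the deferred verdict resolves to true */
    return KS_AUTH_TRUE;
}

/* Auth-token reauth where management never answers (because it was never
 * asked). Unpatched this stays DEFERRED for good; patched it is TRUE. */
enum ks_auth token_reauth_verdict(bool fixed)
{
    struct key_state ks = { KS_AUTH_FALSE, ACF_PENDING };
    finish_reauth(&ks, true, fixed);
    return effective_auth(&ks);
}

/* Normal management-def-auth reauth, resolved by the management answer. */
enum ks_auth normal_reauth_verdict(bool management_ok)
{
    struct key_state ks = { KS_AUTH_FALSE, ACF_PENDING };
    finish_reauth(&ks, false, true);
    management_answer(&ks, management_ok);
    return effective_auth(&ks);
}

int main(void)
{
    static const char *names[] = { "FALSE", "DEFERRED", "TRUE" };
    printf("token reauth, unpatched: %s\n", names[token_reauth_verdict(false)]);
    printf("token reauth, patched:   %s\n", names[token_reauth_verdict(true)]);
    printf("management ok:           %s\n", names[normal_reauth_verdict(true)]);
    printf("management denied:       %s\n", names[normal_reauth_verdict(false)]);
    return 0;
}
```

The same DEFERRED value is what produces the misleading "authentication deferred" log line from the report: the unpatched path sets ks->authenticated to KS_AUTH_DEFERRED even though the token check already succeeded, so not assigning KS_AUTH_DEFERRED when skip_auth is true removes both the stuck state and the wrong message.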
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel