auth-gen-token: Push generated auth-tokens to the client

If --auth-gen-token has been enabled and a token has been generated,
ensure this token is pushed to the client using the 'auth-token' option.

This patch will also remove the logging of auth-token values being
pushed, unless --verb level is 7 or higher.

  v2 - Don't exceed 80 chars line length
     - Clarify the magic in sanitize_control_message()
     - Relocate auth_token_sent struct member slightly

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1477684124-26083-5-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12824.html

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 225f0bfbefb864d77ff0c2c8dcb4edf886a2d7be..b06d446b7027a7cb6375e8e3b40261958339db80 100644 (file)
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -2073,6 +2073,15 @@ sanitize_control_message(const char *src, struct gc_arena *gc)
          skip = 4;
          redact = true;
        }
+      else if (!check_debug_level(D_SHOW_KEYS)
+               && (c == 'a' && !strncmp(src, "auth-token ", 11)))
+       {
+          /* Unless --verb is 7 or higher (D_SHOW_KEYS), hide
+           * the auth-token value coming in the src string
+           */
+         skip = 10;
+         redact = true;
+       }
 
       if (c == ',') /* end of redacted item? */
        {

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 4f24b581d3d37975e0523b695ace1b51aad4f2be..f86bdd37613c494cdb2ffbbd3bcbf343365bbad7 100644 (file)
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -309,7 +309,7 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
                    struct push_list *push_list)
 {
   const char *optstr = NULL;
-  const struct tls_multi *tls_multi = c->c2.tls_multi;
+  struct tls_multi *tls_multi = c->c2.tls_multi;
   const char * const peer_info = tls_multi->peer_info;
   struct options *o = &c->options;
 
@@ -371,6 +371,16 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
          push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
        }
     }
+
+  /* If server uses --auth-gen-token and we have an auth token
+   * to send to the client
+   */
+  if (false == tls_multi->auth_token_sent && NULL != tls_multi->auth_token)
+    {
+      push_option_fmt(gc, push_list, M_USAGE,
+                      "auth-token %s", tls_multi->auth_token);
+      tls_multi->auth_token_sent = true;
+    }
   return true;
 }
 

diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 9b63a1293ebff212c602e865c698a07ac6e5553f..b04a24c3dc141dca168bd5e4ab36f7211c9b4b08 100644 (file)
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -533,6 +533,8 @@ struct tls_multi
                           *   user/pass authentications in this session.
                           */
   time_t auth_token_tstamp; /**< timestamp of the generated token */
+  bool auth_token_sent;  /**< If server uses --auth-gen-token and
+                          *   token has been sent to client */
   /*
    * Our session objects.
    */