git.ipfire.org Git - thirdparty/openvpn.git/commit

author	David Sommerseth <davids@openvpn.net>
	Fri, 28 Oct 2016 19:48:44 +0000 (21:48 +0200)
committer	David Sommerseth <davids@openvpn.net>
	Mon, 31 Oct 2016 11:06:38 +0000 (12:06 +0100)
commit	703c9784f4dcd4f77166201074c21c6ea4aeb033
tree	66911175fd1ef8333014af2eb11d8b87c9b6f019	tree
parent	2c0403ac359097bbcb1e97b777120e218e29014f	commit \| diff

auth-gen-token: Authenticate generated auth-tokens when client re-authenticates

On a server with --auth-gen-token enabled, the server will have created
a random token and pushed it to the client.  When the client needs to
renegotiate the connection or otherwise reconnect, it will at this point
use the auth-token as password.

Here we check if we have a token generated and that it has been pushed
to the client, if so, then we check if the token matches the locally
stored token.  If everything matches, we're done and the connection
is still authenticated.

If the auth-token authentication fails, we delete our local copy of
the token and changes the connection to not being authenticated.  From
this moment of, the client needs to do a full reconnect providing
the users password again.

This token authentication also considers the token lifetime, if that
have been set via --auth-gen-token.  If the token have expired, the
client is rejected and needs to do a full reconnect with a new
authentication using the users password.

  v2 - Rename auth_generate_token to auth_token_generate
     - Wrap lines exceeding 80 chars
     - Improved several comments (rephrasing, grammar)

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1477684124-26083-6-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12822.html