From: David Sommerseth Date: Fri, 28 Oct 2016 19:48:44 +0000 (+0200) Subject: auth-gen-token: Authenticate generated auth-tokens when client re-authenticates X-Git-Tag: v2.4_beta1~47 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=703c9784f4dcd4f77166201074c21c6ea4aeb033;p=thirdparty%2Fopenvpn.git auth-gen-token: Authenticate generated auth-tokens when client re-authenticates On a server with --auth-gen-token enabled, the server will have created a random token and pushed it to the client. When the client needs to renegotiate the connection or otherwise reconnect, it will at this point use the auth-token as password. Here we check if we have a token generated and that it has been pushed to the client, if so, then we check if the token matches the locally stored token. If everything matches, we're done and the connection is still authenticated. If the auth-token authentication fails, we delete our local copy of the token and changes the connection to not being authenticated. From this moment of, the client needs to do a full reconnect providing the users password again. This token authentication also considers the token lifetime, if that have been set via --auth-gen-token. If the token have expired, the client is rejected and needs to do a full reconnect with a new authentication using the users password. v2 - Rename auth_generate_token to auth_token_generate - Wrap lines exceeding 80 chars - Improved several comments (rephrasing, grammar) Signed-off-by: David Sommerseth Acked-by: Steffan Karger Message-Id: <1477684124-26083-6-git-send-email-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12822.html --- diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 0ac5689fb..99a2f70ec 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1139,6 +1139,63 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, string_mod_remap_name (up->username, COMMON_NAME_CHAR_CLASS); string_mod (up->password, CC_PRINT, CC_CRLF, '_'); + /* If server is configured with --auth-gen-token and we have an + * authentication token for this client, this authentication + * round will be done internally using the token instead of + * calling any external authentication modules. + */ + if (session->opt->auth_token_generate && multi->auth_token_sent + && NULL != multi->auth_token) + { + unsigned int ssl_flags = session->opt->ssl_flags; + + /* Ensure that the username has not changed */ + if (!tls_lock_username(multi, up->username)) + { + ks->authenticated = false; + goto done; + } + + /* If auth-token lifetime has been enabled, + * ensure the token has not expired + */ + if (session->opt->auth_token_lifetime > 0 + && (multi->auth_token_tstamp + session->opt->auth_token_lifetime) < now) + { + msg (D_HANDSHAKE, "Auth-token for client expired\n"); + ks->authenticated = false; + goto done; + } + + /* The core authentication of the token itself */ + if (memcmp_constant_time(multi->auth_token, up->password, + strlen(multi->auth_token)) != 0) + { + memset (multi->auth_token, 0, AUTH_TOKEN_SIZE); + free (multi->auth_token); + multi->auth_token = NULL; + multi->auth_token_sent = false; + ks->authenticated = false; + tls_deauthenticate (multi); + + msg (D_TLS_ERRORS, "TLS Auth Error: Auth-token verification " + "failed for username '%s' %s", up->username, + (ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); + } + else + { + ks->authenticated = true; + + if (ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) + set_common_name (session, up->username); + msg (D_HANDSHAKE, "TLS: Username/auth-token authentication " + "succeeded for username '%s' %s", + up->username, + (ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); + } + goto done; + } + /* call plugin(s) and/or script */ #ifdef MANAGEMENT_DEF_AUTH if (man_def_auth == KMDA_DEF) @@ -1232,6 +1289,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, msg (D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer"); } + done: gc_free (&gc); }