author | Arne Schwabe | 2022-10-17 11:51:45 +0200 |
---|---|---|
committer | Gert Doering | 2022-10-17 13:30:12 +0200 |
commit | 9a5161704173e31f2510d3f5c29361f76e275d0f (patch) | |
tree | 4a0dd06c52bb176a0fe188aa395893e8dc11276a /src/openvpn/auth_token.c | |
parent | d468dff7bdfd79059818c190ddf41b125bb658de (diff) | |
Allow Authtoken lifetime to be short than renegotiation time
Currently the life time of the auth-token is tied to the renegotiation
time. While this is fine for many setups, some setups prefer a user
to be no longer authenticated when the user disconnects from the VPN
for a certain amount of time.
This commit allows shortening the renewal time of the auth-token and
ensures that the server resends the auth-token often enough over the
existing control channel. This way of updating the auth token is a lot
more lightweight than the alternative (frequent renegotiations).
Patch v2: fix grammar mistakes (thanks Gert), fix unit tests
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221017095145.2580186-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25407.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/auth_token.c')
-rw-r--r-- | src/openvpn/auth_token.c | 50 |
1 files changed, 43 insertions, 7 deletions
diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index b5f9f6d..7b963a9 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -174,7 +174,7 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
     if (multi->auth_token_initial)
     {
-        /* Just enough space to fit 8 bytes+ 1 extra to decode a non padded
+        /* Just enough space to fit 8 bytes+ 1 extra to decode a non-padded
          * base64 string (multiple of 3 bytes). 9 bytes => 12 bytes base64
          * bytes */
@@ -349,11 +349,11 @@ verify_auth_token(struct user_pass *up, struct tls_multi *multi,
     /* Accept session tokens only if their timestamp is in the acceptable range
      * for renegotiations */
     bool in_renegotiation_time = now >= timestamp
-                                 && now < timestamp + 2 * session->opt->renegotiate_seconds;
+                                 && now < timestamp + 2 * session->opt->auth_token_renewal;
     if (!in_renegotiation_time)
     {
-        msg(M_WARN, "Timestamp (%" PRIu64 ") of auth-token is out of the renegotiation window",
+        msg(M_WARN, "Timestamp (%" PRIu64 ") of auth-token is out of the renewal window",
             timestamp);
         ret |= AUTH_TOKEN_EXPIRED;
     }
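Review bot: The context comment just above the new condition still describes the window as the acceptable range `for renegotiations`, while the bound is now `2 * session->opt->auth_token_renewal`; change it to `* for auth-token renewal */` so the comment matches the check. Whether this commit can only ever shorten token lifetime depends on auth_token_renewal being validated against renegotiate_seconds at option-parse time, which this hunk does not show; if the option code does not cap it, a renewal interval larger than reneg-sec widens the acceptance window instead of narrowing it, which is worth confirming before merging. verify_auth_token continues outside the hunk.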
@@ -417,6 +417,44 @@ wipe_auth_token(struct tls_multi *multi)
 }
 
 void
+check_send_auth_token(struct context *c)
+{
+    struct tls_multi *multi = c->c2.tls_multi;
+    struct tls_session *session = &multi->session[TM_ACTIVE];
+
+    if (get_primary_key(multi)->state < S_GENERATED_KEYS
+        || get_primary_key(multi)->authenticated != KS_AUTH_TRUE)
+    {
+        /* the currently active session is still in renegotiation or another
+         * not fully authorized state. We are either very close to a
+         * renegotiation or have deauthorized the client. In both cases
+         * we just ignore the request to send another token
+         */
+        return;
+    }
+
+    if (!multi->auth_token_initial)
+    {
+        msg(D_SHOW_KEYS, "initial auth-token not generated yet, skipping "
+            "auth-token renewal.");
+        return;
+    }
+
+    if (!multi->locked_username)
+    {
+        msg(D_SHOW_KEYS, "username not locked, skipping auth-token renewal.");
+        return;
+    }
+
+    struct user_pass up;
+    strncpynt(up.username, multi->locked_username, sizeof(up.username));
+
+    generate_auth_token(&up, multi);
+
+    resend_auth_token_renegotiation(multi, session);
+}
+
+void
 resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session)
 {
     /*
@@ -424,12 +462,10 @@ resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *ses
      * The initial auth-token is sent as part of the push message, for this
      * update we need to schedule an extra push message.
      *
-     * Otherwise the auth-token get pushed out as part of the "normal"
+     * Otherwise, the auth-token get pushed out as part of the "normal"
      * push-reply
      */
-    bool is_renegotiation = session->key[KS_PRIMARY].key_id != 0;
-
-    if (multi->auth_token_initial && is_renegotiation)
+    if (multi->auth_token_initial)
     {
         /*
          * We do not explicitly reschedule the sending of the |
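Review bot: `struct user_pass up;` in check_send_auth_token is given only a username before being handed to generate_auth_token(), so every other field of the struct holds indeterminate stack bytes; unless generate_auth_token() is known to read nothing but `up->username`, initialise it with `struct user_pass up = { 0 };` so nothing stale can reach the token path. The early return on `get_primary_key(multi)` is the security-relevant part of this function, since a client that is mid-renegotiation or has been deauthenticated must not be handed a fresh token, and the new non-static function carries no header comment saying so; a short comment above `check_send_auth_token` stating that it regenerates and re-pushes the auth-token for the active session only while the primary key is fully authenticated would make that contract explicit. The strncpynt() copy also assumes `multi->locked_username` fits `up.username`; if the two buffers differ in size a silently truncated username would be baked into the token, which is worth a comment or an assert.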
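Review bot: The rewritten comment line in resend_auth_token_renegotiation keeps the agreement error of the old one; it should read `* Otherwise, the auth-token gets pushed out as part of the "normal"`. With the `is_renegotiation` gate dropped, the extra push is now scheduled whenever `multi->auth_token_initial` is set, including on the initial session (key_id 0) if a token was already generated before this is reached; if that path exists, the comment above should say the extra push is scheduled for every renewal rather than only during renegotiation. resend_auth_token_renegotiation continues outside the hunk.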