author | Selva Nair | 2022-07-03 22:58:40 -0400
---|---|---
committer | Gert Doering | 2022-08-19 13:07:41 +0200
commit | ddbe6a6fc26586d09f5a9105f13124c479b4d993 (patch) |
tree | 3ea43811cc09af71160853e1f33181eb18b8501e /src |
parent | 8c3b7c11d1212a6521e84a1d423abe75b974741e (diff) |
Fix auth-token usage with management-def-auth
When auth-token verify succeeds during a reauth, other auth
methods (plugin, script, management) are skipped unless
external-auth is in effect (skip_auth gets set to true).
However, in this case, the status of management-def-auth
(ks->mda_status) stays at its default value of ACF_PENDING
and will never change. This causes TLS keys to go out of sync
and an eventual client disconnect.
Further, a message saying username/password authentication is
"deferred" gets logged which is misleading.
For example:
test/127.0.0.1:35874 TLS: Username/auth-token authentication
succeeded for username 'test'
followed by
test/127.0.0.1:35874 TLS: Username/Password authentication
deferred for username 'test' [CN SET]
Fix by setting ks->mda_status to ACF_DISABLED, and do not
set ks->authenticated = KS_AUTH_DEFERRED when skip_auth is true.
Also log a warning message when token is marked as expired on
missing the reneg window.
Reported by: Connor Edwards <connor.edwards@b2c2.com>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220704025840.2558-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24627.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src')
-rw-r--r-- | src/openvpn/auth_token.c | 8
-rw-r--r-- | src/openvpn/ssl_verify.c | 9
2 files changed, 13 insertions, 4 deletions
diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 096edc7..b5f9f6d 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -346,20 +346,22 @@ verify_auth_token(struct user_pass *up, struct tls_multi *multi, return 0; } - /* Accept session tokens that not expired are in the acceptable range - * for renogiations */ + /* Accept session tokens only if their timestamp is in the acceptable range + * for renegotiations */ bool in_renegotiation_time = now >= timestamp && now < timestamp + 2 * session->opt->renegotiate_seconds; if (!in_renegotiation_time) { + msg(M_WARN, "Timestamp (%" PRIu64 ") of auth-token is out of the renegotiation window", + timestamp); ret |= AUTH_TOKEN_EXPIRED; } /* Sanity check the initial timestamp */ if (timestamp < timestamp_initial) { - msg(M_WARN, "Initial timestamp (%" PRIu64 " in token from client earlier than " + msg(M_WARN, "Initial timestamp (%" PRIu64 ") in token from client earlier than " "current timestamp %" PRIu64 ". Broken/unsynchronised clock?", timestamp_initial, timestamp); ret |= AUTH_TOKEN_EXPIRED; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index c01841f..45eaf8e 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1599,7 +1599,14 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, #ifdef ENABLE_MANAGEMENT if (man_def_auth != KMDA_UNDEF) { - ks->authenticated = KS_AUTH_DEFERRED; + if (skip_auth) + { + ks->mda_status = ACF_DISABLED; + } + else + { + ks->authenticated = KS_AUTH_DEFERRED; + } } #endif if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)) |
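Review bot: the new M_WARN in the `!in_renegotiation_time` branch of `verify_auth_token` prints only `timestamp`, so an operator reading the log cannot tell whether the token was too old or too new, or by how much, because neither `now` nor the upper bound `timestamp + 2 * session->opt->renegotiate_seconds` that the condition compares against is shown; consider extending the message to something like "Timestamp (%" PRIu64 ") of auth-token is out of the renegotiation window [now %" PRIu64 ", limit %" PRIu64 "]" so that clock-skew problems can be diagnosed from the log alone. A second point in the same hunk: the corrected "Initial timestamp (...) in token from client earlier than current timestamp" message is guarded by `timestamp < timestamp_initial`, which is the opposite ordering (the initial timestamp is later than the current one); since the format string is being touched anyway to add the missing ")", the wording could be fixed in the same change.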
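Review bot: the new `skip_auth` branch in `verify_user_pass` sets `ks->mda_status = ACF_DISABLED` without a comment, and nothing in this block tells a reader why a successful auth-token check should mark management-def-auth as disabled for this key state instead of leaving it pending or setting KS_AUTH_DEFERRED; a one-line comment such as `/* auth-token already verified: management-def-auth is not consulted for this reauth, so mark it disabled rather than leaving ACF_PENDING */` would carry the rationale from the commit message into the code, where the next person to touch this block will actually see it. It is also worth confirming in review that `ks->authenticated` has already been set by the auth-token path before this point, since the branch now deliberately skips the KS_AUTH_DEFERRED assignment and relies on that earlier value.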