If --auth-gen-token has been enabled and a token has been generated,
ensure this token is pushed to the client using the 'auth-token' option.
This patch will also remove the logging of auth-token values being
pushed, unless --verb level is 7 or higher.
v2 - Don't exceed 80 chars line length
- Clarify the magic in sanitize_control_message()
- Relocate auth_token_sent struct member slightly
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1477684124-26083-5-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12824.html
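--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -2073,6 +2073,15 @@ sanitize_control_message(const char *src, struct gc_arena *gc)
           skip = 4;
           redact = true;
         }
+      else if (!check_debug_level(D_SHOW_KEYS)
+               && (c == 'a' && !strncmp(src, "auth-token ", 11)))
+        {
+          /* Unless --verb is 7 or higher (D_SHOW_KEYS), hide
+           * the auth-token value coming in the src string
+           */
+          skip = 10;
+          redact = true;
+        }
 
       if (c == ',') /* end of redacted item? */
         {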
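Review bot: The new branch couples three literals that must agree — the prefix `"auth-token "`, the compare length `11`, and `skip = 10` — and nothing states that skip is one less than the prefix length because the first character has already been consumed as `c`; the existing `skip = 4` case has the same hidden coupling, so this extends it rather than introducing it. Deriving both from one definition keeps them in step: `#define AUTH_TOKEN_PREFIX "auth-token "`, `!strncmp(src, AUTH_TOKEN_PREFIX, strlen(AUTH_TOKEN_PREFIX))` and `skip = strlen(AUTH_TOKEN_PREFIX) - 1; /* first char already copied */`. The comment could also say plainly what the condition implies for operators: at `--verb 7` or higher the token is written to the log unredacted, so such logs have to be handled as credential material. sanitize_control_message starts and ends outside this hunk.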
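--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -309,7 +309,7 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
                     struct push_list *push_list)
 {
   const char *optstr = NULL;
-  const struct tls_multi *tls_multi = c->c2.tls_multi;
+  struct tls_multi *tls_multi = c->c2.tls_multi;
   const char * const peer_info = tls_multi->peer_info;
   struct options *o = &c->options;
 
@@ -371,6 +371,16 @@ prepare_push_reply (struct context *c, struct gc_arena *gc,
           push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
         }
     }
+
+  /* If server uses --auth-gen-token and we have an auth token
+   * to send to the client
+   */
+  if (false == tls_multi->auth_token_sent && NULL != tls_multi->auth_token)
+    {
+      push_option_fmt(gc, push_list, M_USAGE,
+                      "auth-token %s", tls_multi->auth_token);
+      tls_multi->auth_token_sent = true;
+    }
   return true;
 }
 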
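--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -533,6 +533,8 @@ struct tls_multi
    * user/pass authentications in this session.
    */
   time_t auth_token_tstamp;     /**< timestamp of the generated token */
+  bool auth_token_sent;         /**< If server uses --auth-gen-token and
+                                 *   token has been sent to client */
   /*
    * Our session objects.
    */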
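Review bot: The doc comment on the new `auth_token_sent` member says when the flag matters but not its lifecycle — what sets it, what must clear it, and what value it starts with — whereas `auth_token_tstamp` just above at least names the event it records. Suggest `/**< true once the generated auth-token has been pushed to the client in a PUSH_REPLY; must be reset to false whenever auth_token is replaced */`, which documents the invariant the push code relies on. struct tls_multi begins and ends outside this hunk.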