Browse code
auth-gen-token: Push generated auth-tokens to the client
If --auth-gen-token has been enabled and a token has been generated,
ensure this token is pushed to the client using the 'auth-token' option.
This patch will also remove the logging of auth-token values being
pushed, unless --verb level is 7 or higher.
v2 - Don't exceed 80 chars line length
- Clarify the magic in sanitize_control_message()
- Relocate auth_token_sent struct member slightly
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1477684124-26083-5-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12824.html
David Sommerseth authored on 2016/10/29 04:48:43Showing 3 changed files
| ... | ... |
@@ -2073,6 +2073,15 @@ sanitize_control_message(const char *src, struct gc_arena *gc) |
| 2073 | 2073 |
skip = 4; |
| 2074 | 2074 |
redact = true; |
| 2075 | 2075 |
} |
| 2076 |
+ else if (!check_debug_level(D_SHOW_KEYS) |
|
| 2077 |
+ && (c == 'a' && !strncmp(src, "auth-token ", 11))) |
|
| 2078 |
+ {
|
|
| 2079 |
+ /* Unless --verb is 7 or higher (D_SHOW_KEYS), hide |
|
| 2080 |
+ * the auth-token value coming in the src string |
|
| 2081 |
+ */ |
|
| 2082 |
+ skip = 10; |
|
| 2083 |
+ redact = true; |
|
| 2084 |
+ } |
|
| 2076 | 2085 |
|
| 2077 | 2086 |
if (c == ',') /* end of redacted item? */ |
| 2078 | 2087 |
{
|
| ... | ... |
@@ -309,7 +309,7 @@ prepare_push_reply (struct context *c, struct gc_arena *gc, |
| 309 | 309 |
struct push_list *push_list) |
| 310 | 310 |
{
|
| 311 | 311 |
const char *optstr = NULL; |
| 312 |
- const struct tls_multi *tls_multi = c->c2.tls_multi; |
|
| 312 |
+ struct tls_multi *tls_multi = c->c2.tls_multi; |
|
| 313 | 313 |
const char * const peer_info = tls_multi->peer_info; |
| 314 | 314 |
struct options *o = &c->options; |
| 315 | 315 |
|
| ... | ... |
@@ -371,6 +371,16 @@ prepare_push_reply (struct context *c, struct gc_arena *gc, |
| 371 | 371 |
push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); |
| 372 | 372 |
} |
| 373 | 373 |
} |
| 374 |
+ |
|
| 375 |
+ /* If server uses --auth-gen-token and we have an auth token |
|
| 376 |
+ * to send to the client |
|
| 377 |
+ */ |
|
| 378 |
+ if (false == tls_multi->auth_token_sent && NULL != tls_multi->auth_token) |
|
| 379 |
+ {
|
|
| 380 |
+ push_option_fmt(gc, push_list, M_USAGE, |
|
| 381 |
+ "auth-token %s", tls_multi->auth_token); |
|
| 382 |
+ tls_multi->auth_token_sent = true; |
|
| 383 |
+ } |
|
| 374 | 384 |
return true; |
| 375 | 385 |
} |
| 376 | 386 |
|
| ... | ... |
@@ -533,6 +533,8 @@ struct tls_multi |
| 533 | 533 |
* user/pass authentications in this session. |
| 534 | 534 |
*/ |
| 535 | 535 |
time_t auth_token_tstamp; /**< timestamp of the generated token */ |
| 536 |
+ bool auth_token_sent; /**< If server uses --auth-gen-token and |
|
| 537 |
+ * token has been sent to client */ |
|
| 536 | 538 |
/* |
| 537 | 539 |
* Our session objects. |
| 538 | 540 |
*/ |