On 28 October 2016 at 21:48, David Sommerseth <[email protected]> wrote: > If --auth-gen-token has been enabled and a token has been generated, > ensure this token is pushed to the client using the 'auth-token' option. > > This patch will also remove the logging of auth-token values being > pushed, unless --verb level is 7 or higher. > > v2 - Don't exceed 80 chars line length > - Clarify the magic in sanitize_control_message() > - Relocate auth_token_sent struct member slightly > > Signed-off-by: David Sommerseth <[email protected]> > --- > src/openvpn/misc.c | 9 +++++++++ > src/openvpn/push.c | 12 +++++++++++- > src/openvpn/ssl_common.h | 2 ++ > 3 files changed, 22 insertions(+), 1 deletion(-) > > diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c > index 225f0bf..b06d446 100644 > --- a/src/openvpn/misc.c > +++ b/src/openvpn/misc.c > @@ -2073,6 +2073,15 @@ sanitize_control_message(const char *src, struct > gc_arena *gc) > skip = 4; > redact = true; > } > + else if (!check_debug_level(D_SHOW_KEYS) > + && (c == 'a' && !strncmp(src, "auth-token ", 11))) > + { > + /* Unless --verb is 7 or higher (D_SHOW_KEYS), hide > + * the auth-token value coming in the src string > + */ > + skip = 10; > + redact = true; > + } > > if (c == ',') /* end of redacted item? */ > { > diff --git a/src/openvpn/push.c b/src/openvpn/push.c > index 4f24b58..f86bdd3 100644 > --- a/src/openvpn/push.c > +++ b/src/openvpn/push.c > @@ -309,7 +309,7 @@ prepare_push_reply (struct context *c, struct gc_arena > *gc, > struct push_list *push_list) > { > const char *optstr = NULL; > - const struct tls_multi *tls_multi = c->c2.tls_multi; > + struct tls_multi *tls_multi = c->c2.tls_multi; > const char * const peer_info = tls_multi->peer_info; > struct options *o = &c->options; 
> > @@ -371,6 +371,16 @@ prepare_push_reply (struct context *c, struct gc_arena > *gc, > push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); > } > } > + > + /* If server uses --auth-gen-token and we have an auth token > + * to send to the client > + */ > + if (false == tls_multi->auth_token_sent && NULL != tls_multi->auth_token) > + { > + push_option_fmt(gc, push_list, M_USAGE, > + "auth-token %s", tls_multi->auth_token); > + tls_multi->auth_token_sent = true; > + } > return true; > } > > diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h > index 9b63a12..b04a24c 100644 > --- a/src/openvpn/ssl_common.h > +++ b/src/openvpn/ssl_common.h > @@ -533,6 +533,8 @@ struct tls_multi > * user/pass authentications in this session. > */ > time_t auth_token_tstamp; /**< timestamp of the generated token */ > + bool auth_token_sent; /**< If server uses --auth-gen-token and > + * token has been sent to client */ > /* > * Our session objects. > */ > --
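Review bot: in the new `else if` branch of sanitize_control_message(), the lengths 11 (the strncmp length of "auth-token ") and 10 (the skip count that keeps "auth-token" but drops the value) are hard-coded and must stay in step with the literal; deriving both from the string, e.g. `strlen("auth-token ")` or a `sizeof`-based constant, removes that coupling. Also, `!check_debug_level(D_SHOW_KEYS)` is evaluated before the cheap `c == 'a'` test, so the function call runs for every character of every sanitized control message; putting the character test first keeps the common path cheap.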
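Review bot: dropping `const` from `tls_multi` in the prepare_push_reply() signature is required because the function now writes `auth_token_sent`, but it also makes the whole struct writable for the rest of the function; a short note in the commit message explaining why the const was removed would help later readers, since the v2 list only mentions relocating the struct member.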
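Review bot: in the push.c block, `auth_token_sent` is set to true as soon as the option is appended to push_list, not when the reply is actually delivered, and nothing in this patch ever clears it again; given that the token carries a generation timestamp (`auth_token_tstamp`), please confirm that a token regenerated later in the same session still gets pushed, or document that a single push per session is intended. Style: the Yoda comparisons in `if (false == tls_multi->auth_token_sent && NULL != tls_multi->auth_token)` read more naturally as `if (!tls_multi->auth_token_sent && tls_multi->auth_token)`.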
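Review bot: the new `bool auth_token_sent` member in struct tls_multi gets no explicit initialiser in this patch, so the push logic depends on the struct being zero-initialised at allocation; if that holds, say so in the doc comment, which currently reads as two conditions ("If server uses --auth-gen-token and token has been sent to client") rather than describing one flag. Suggest: `/**< true once the --auth-gen-token token has been pushed to the client */`.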
ACK - all my previous nagging points are resolved now.

-Steffan

_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
