Hi All,
This patch relies on Arne's "Add send_control_channel_string_dowork
variant" patch.
This patch modifies auth so that on a renegotiation the client is
informed of a SESSION re-auth failure during a renegotiation if either
their auth-token has expired, or they enter a wrong password in the case
of auth-nocache for example.
This also addresses my previous patch for supporting a client reason
being rejected.
Regards,
Eric
--
--
Eric Thorpe
SparkLabs Developer
https://www.sparklabs.com
https://twitter.com/sparklabs
supp...@sparklabs.com
From bb0fada899a43e48e2ca38358912f92447422f53 Mon Sep 17 00:00:00 2001
From: Eric Thorpe <eric+...@sparklabs.com>
Date: Wed, 10 Apr 2019 19:06:16 +1000
Subject: [PATCH] Send auth failed message to client on renegotiation failure
via user-pass or auth-token expiry
---
src/openvpn/multi.c | 1 +
src/openvpn/push.c | 30 ++++++++++++++++++++++++++++++
src/openvpn/ssl_common.h | 1 +
src/openvpn/ssl_verify.c | 7 +++++++
4 files changed, 39 insertions(+)
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 28c3b8867..a883faa79 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2085,6 +2085,7 @@ multi_connection_established(struct multi_context *m,
struct multi_instance *mi)
/* set flag so we don't get called again */
mi->connection_established_flag = true;
+ mi->context.c2.tls_multi->connection_established = true;
/* increment number of current authenticated clients */
++m->n_clients;
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index dd5bd4163..327ae0891 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -233,6 +233,36 @@ send_auth_failed(struct context *c, const char
*client_reason)
gc_free(&gc);
}
+/*
+ * Send auth failed message from server to client without scheduling.
+ * Main use for queuing a message during renegotiation
+ */
+void
+send_push_reply_auth_failed(struct tls_multi *multi, const char *client_reason)
+{
+ struct gc_arena gc = gc_new();
+ static const char auth_failed[] = "AUTH_FAILED";
+ size_t len;
+
+ len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
+ if (len > PUSH_BUNDLE_SIZE)
+ {
+ len = PUSH_BUNDLE_SIZE;
+ }
+
+ {
+ struct buffer buf = alloc_buf_gc(len, &gc);
+ buf_printf(&buf, auth_failed);
+ if (client_reason)
+ {
+ buf_printf(&buf, ",%s", client_reason);
+ }
+ send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH);
+ }
+
+ gc_free(&gc);
+}
+
/*
* Send restart message from server to client.
*/
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index ac25ffa78..b82a014a0 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -547,6 +547,7 @@ struct tls_multi
time_t auth_token_tstamp; /**< timestamp of the generated token */
bool auth_token_sent; /**< If server uses --auth-gen-token and
* token has been sent to client */
+ bool connection_established ; /** Notifies future auth calls this is a
reneg */
/*
* Our session objects.
*/
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index c7e595e46..fd83cde85 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1336,6 +1336,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi
*multi,
&& (multi->auth_token_tstamp + session->opt->auth_token_lifetime)
< now)
{
msg(D_HANDSHAKE, "Auth-token for client expired\n");
+ send_push_reply_auth_failed(multi, "SESSION:Auth-token expired");
wipe_auth_token(multi);
ks->authenticated = false;
goto done;
@@ -1458,6 +1459,12 @@ verify_user_pass(struct user_pass *up, struct tls_multi
*multi,
}
else
{
+ if (multi->connection_established)
+ {
+ /* Notify the client */
+ send_push_reply_auth_failed(multi, "SESSION:Auth failed");
+
+ }
msg(D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification
failed for peer");
}
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
