The previous auth-token implementation had a serious problem, especially when
paired with an unpatched OpenVPN client that keeps trying the auth-token
(commit e61b401a).
The auth-token-gen implementation forgot the auth-token on reconnect, this
lead to reconnect with auth-token never working.
This new implementation implements the auth-token in a stateles variant. By
using HMAC to sign the auth-token the server can verify if a token has been
authenticated and by checking the embedded timestamp in the token it can
also verify that the auth-token is still valid.
Using the new config directive auth-gen-token-secret instead of
extending auth-gen-token (--auth-gen-token [lifetime] [secret-key]) was
chosen to allow inlinening the secret key.
Patch V2: cleaned up code, use refactored read_pem_key_file function
Patch V3: clarify some design decision in the commit message
Patch V4: Use ephermal_generate_key
Patch V5: Use C99 PRIu64 instead of %lld int printf like statement,
fix strict aliasing
Patch V6: Rebase on master
Patch V7: fix compiling with --disable-server
---
doc/openvpn.8| 25
src/openvpn/Makefile.am | 1 +
src/openvpn/auth_token.c | 273 +++
src/openvpn/auth_token.h | 116 +
src/openvpn/init.c | 34 -
src/openvpn/openvpn.h| 1 +
src/openvpn/options.c| 22 +++-
src/openvpn/options.h| 4 +
src/openvpn/push.c | 70 --
src/openvpn/push.h | 8 ++
src/openvpn/ssl.c| 7 +-
src/openvpn/ssl_common.h | 36 --
src/openvpn/ssl_verify.c | 184 --
13 files changed, 646 insertions(+), 135 deletions(-)
create mode 100644 src/openvpn/auth_token.c
create mode 100644 src/openvpn/auth_token.h
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 4185ffed..a50d67d4 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3720,6 +3720,9 @@ the token authentication internally and it will NOT do any
additional authentications against configured external
user/password authentication mechanisms.
+The tokens implemented by this mechanism include a initial timestamp
+and a renew timestamp and are secured by HMAC.
+
The
.B lifetime
argument defines how long the generated token is valid. The
@@ -3730,6 +3733,16 @@ This feature is useful for environments which is
configured
to use One Time Passwords (OTP) as part of the user/password
authentications and that authentication mechanism does not
implement any auth\-token support.
+.\"*
+.TP
+.B \-\-auth\-gen\-token\-secret [file]
+Specifies a file that hold a secret for the HMAC used in
+.B \-\-auth\-gen\-token
+If not present OpenVPN will generate a random secret on startup. This file
+should be used if auth-token should valid after restarting a server or if
+client should be able to roam between multiple OpenVPN server with their
+auth\-token.
+
.\"*
.TP
.B \-\-opt\-verify
@@ -5775,6 +5788,17 @@ Servers can use
.B \-\-tls\-crypt\-v2\-verify
to specify a metadata verification command.
.\"*
+.TP
+.B \-\-genkey auth\-token [keyfile]
+Generate a new secret that can be used
+with
+.B \-\-auth\-gen\-token\-secret
+
+.B Note:
+this file should be kept secret to the server as anyone
+that access to this file will be to generate auth tokens
+that the OpenVPN server will accept as valid.
+.\"*
.SS TUN/TAP persistent tunnel config mode:
Available with Linux 2.4.7+. These options comprise a standalone mode
of OpenVPN which can be used to create and delete persistent tunnels.
@@ -6986,6 +7010,7 @@ X509_1_C=KG
OpenVPN allows including files in the main configuration for the
.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret,
.B \-\-crl\-verify, \-\-http\-proxy\-user\-pass, \-\-tls\-auth,
+.B \-\-auth\-gen\-token\-secret
.B \-\-tls\-crypt,
and
.B \-\-tls\-crypt-v2
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 30caa01f..3754fd95 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -39,6 +39,7 @@ sbin_PROGRAMS = openvpn
openvpn_SOURCES = \
argv.c argv.h \
+ auth_token.c auth_token.h \
base64.c base64.h \
basic.h \
buffer.c buffer.h \
diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
new file mode 100644
index ..a6158d2a
--- /dev/null
+++ b/src/openvpn/auth_token.c
@@ -0,0 +1,273 @@
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#elif defined(_MSC_VER)
+#include "config-msvc.h"
+#endif
+
+#include "syshead.h"
+
+#include "base64.h"
+#include "buffer.h"
+#include "crypto.h"
+#include "openvpn.h"
+#include "ssl_common.h"
+#include "auth_token.h"
+#include "push.h"
+#include "integer.h"
+#include "ssl.h"
+#include
+
+const char *auth_token_pem_name = "OpenVPN auth-