From patchwork Tue May 12 02:43:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1110 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id KJYRNUeaul5rZgAAIUCqbw for ; Tue, 12 May 2020 08:44:55 -0400 Received: from proxy7.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id 0LjdNEeaul5kAwAAalYnBA ; Tue, 12 May 2020 08:44:55 -0400 Received: from smtp24.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy7.mail.ord1d.rsapps.net with LMTP id 0BhRNEeaul4xUQAAMe1Fpw ; Tue, 12 May 2020 08:44:55 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp24.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 60fe0c8e-944e-11ea-a275-b8ca3a674470-1-1 Received: from [216.105.38.7] ([216.105.38.7:35306] helo=lists.sourceforge.net) by smtp24.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 02/3A-22545-64A9ABE5; Tue, 12 May 2020 08:44:55 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jYUGN-0007qo-En; Tue, 12 May 2020 12:43:59 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jYUGM-0007qg-O6 for openvpn-devel@lists.sourceforge.net; Tue, 12 May 2020 12:43:58 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=FgYvgNSn6cyFvGD7BcpQKeH09Ple//ZdSuBKgut/gI0=; b=h3m9lHs9UonUf5N7P7ywMqUMNX DINVdK1PymRwvfMQr1/TItQ02aU32gbER27Gb4jVwehx7EPSZZjm4OXTVLW1hanyPCVKsp2QS4ZuM PhpTbP10dnIuo+/ATB8uZ18AXOd2yyJrD4OHC3M7JnaZaTjKZwGSaAmE4UT6fwaVs4oo=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=FgYvgNSn6cyFvGD7BcpQKeH09Ple//ZdSuBKgut/gI0=; b=cR3sKmZ4VfpT1LV6V+Pcv52LvU uvDHzF/l2GJ4kP8sB+tSPtYHxepnWoC7PKRBuGKcj1N4WyWkCmv4eubOuvK6egg0ove017EXnjQJ1 /BVuE6+sUL1O1RIOEYt5yqljI4hDThopSTgAg7EnNdZ4E1CeUhqGH7k5ecAv076U8tUc=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jYUGK-0068HQ-Ie for openvpn-devel@lists.sourceforge.net; Tue, 12 May 2020 12:43:58 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.92.3 (FreeBSD)) (envelope-from ) id 1jYUG8-000DKt-Ps for openvpn-devel@lists.sourceforge.net; Tue, 12 May 2020 14:43:44 +0200 Received: (nullmailer pid 15976 invoked by uid 10006); Tue, 12 May 2020 12:43:44 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 12 May 2020 14:43:44 +0200 Message-Id: <20200512124344.15929-1-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200326172332.2356-1-arne@rfc2549.org> References: <20200326172332.2356-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1jYUGK-0068HQ-Ie Subject: [Openvpn-devel] [PATCH v2 1/3] [Auth-token] Fix session id and initial timestamp not begin preserved X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox In the initial state of checking whether an auth-token has been validated, the check check if multi->auth_token is already set and only then sets the value. This defeats the purpose and lead to always a new auth-token with new session id and lifetime being generated when the server restarts or the client reconnect to another server. Patch V2: Only set multi->auth_token when NULL to avoid leaking memory. Improve comments and documentation of auth-token. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/auth_token.h | 17 +++++++++++------ src/openvpn/ssl_verify.c | 9 ++++++--- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/src/openvpn/auth_token.h b/src/openvpn/auth_token.h index 6f34b760..d5694898 100644 --- a/src/openvpn/auth_token.h +++ b/src/openvpn/auth_token.h @@ -34,8 +34,8 @@ * * Format of the auth-token (before base64 encode) * - * session id(12 bytes)|uint64 timestamp (4 bytes)| - * uint64 timestamp (4 bytes)|sha256-hmac(32 bytes) + * session id(12 bytes)|uint64 timestamp (8 bytes)| + * uint64 timestamp (8 bytes)|sha256-hmac(32 bytes) * * The first timestamp is the time the token was initially created and is used to * determine the maximum renewable time of the token. We always include this even @@ -45,14 +45,19 @@ * to determine if this token has been renewed in the acceptable time range * (2 * renogiation timeout) * - * The session is a random string of 12 byte (or 16 in base64) that is not used by - * OpenVPN itself but kept intact so that external logging/managment can track the - * session multiple reconnects/servers + * The session id is a random string of 12 byte (or 16 in base64) that is not + * used by OpenVPN itself but kept intact so that external logging/managment + * can track the session multiple reconnects/servers. It is delibrately chosen + * be a multiple of 3 bytes to have a base64 encoding without padding. * * The hmac is calculated over the username contactinated with the * raw auth-token bytes to include authentication of the username in the token * - * we prepend the session id with SESS_ID_ before sending it to the client + * We encode the auth-token with base64 and then it with SESS_ID_ before + * sending it to the client. + * + * This function will free() an existing multi->auth_token and keep the existing + * initial timestamp and session id contained in that token. */ void generate_auth_token(const struct user_pass *up, struct tls_multi *multi); diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index e66d81e1..ddaef6d7 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -1380,15 +1380,15 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, * to store the auth-token in multi->auth_token, so * the initial timestamp and session id can be extracted from it */ - if (multi->auth_token && (multi->auth_token_state_flags & AUTH_TOKEN_HMAC_OK) + if (!multi->auth_token && (multi->auth_token_state_flags & AUTH_TOKEN_HMAC_OK) && !(multi->auth_token_state_flags & AUTH_TOKEN_EXPIRED)) { multi->auth_token = strdup(up->password); } /* - * Server is configured with --auth-gen-token but no token has yet - * been generated for this client. Generate one and save it. + * Server is configured with --auth-gen-token. Generate or renew + * the token. */ generate_auth_token(up, multi); } @@ -1396,6 +1396,9 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, * Auth token already sent to client, update auth-token on client. * The initial auth-token is sent as part of the push message, for this * update we need to schedule an extra push message. + * + * Otherwise the auth-token get pushed out as part of the "normal" + * push-reply */ if (multi->auth_token_initial) {