mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 12:02:28 +02:00
d75e0736b4
This changes that auth_token_initial is set when the token is
initially generated instead when pushing the token. Even I do not
know anymore why I did it in this way in the first place. Also use
multi->auth_token_initial as source for the sesssion ID since it should
now always be available. Also set auth_token_initial directly to
up->password once we verified that we have gotten a valid token from
a client. This cleans ups the logic in generating the environment and
makes the code flow clearer.
Since the change makes auth_token_initial always available we need to add
a check to only send a PUSH reply to update the token on renegotiations.
The old code relied on multi->auth_token not being set in this case.
This commit also removes the workaround for old OpenVPN clients. These
were only available as commercial OpenVPN Connect client and not in use
anymore.
Furthermore, introduce a check if the session ID has changed during a
session. Even though this is still a valid authentication changing to
a different auth token mid session is highly irregular and should never
occur naturally.
Patch V2: rebase.
Patch V3: fix formatting, clarifying commit message, remove initial
token workaround for old v3.
Patch v4: move sending the auth-token for renegotiations to a sane place
and trigger it when the TLS session reaches its fully authenticated
state.
Patch v5: Move also setting auth_token_inital from up->password to a more
logical place, general cleanups, add session id mismatch check
Patch v6: Rework some comments and general cleanup of small things
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210719133132.128783-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22645.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
||
|---|---|---|
| .. | ||
| unit_tests | ||
| Makefile.am | ||
| t_client.rc-sample | ||
| t_client.sh.in | ||
| t_cltsrv-down.sh | ||
| t_cltsrv.sh | ||
| t_lpback.sh | ||
| t_net.sh | ||
| update_t_client_ips.sh | ||