mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 12:02:28 +02:00
d75e0736b4
This changes that auth_token_initial is set when the token is initially generated instead when pushing the token. Even I do not know anymore why I did it in this way in the first place. Also use multi->auth_token_initial as source for the sesssion ID since it should now always be available. Also set auth_token_initial directly to up->password once we verified that we have gotten a valid token from a client. This cleans ups the logic in generating the environment and makes the code flow clearer. Since the change makes auth_token_initial always available we need to add a check to only send a PUSH reply to update the token on renegotiations. The old code relied on multi->auth_token not being set in this case. This commit also removes the workaround for old OpenVPN clients. These were only available as commercial OpenVPN Connect client and not in use anymore. Furthermore, introduce a check if the session ID has changed during a session. Even though this is still a valid authentication changing to a different auth token mid session is highly irregular and should never occur naturally. Patch V2: rebase. Patch V3: fix formatting, clarifying commit message, remove initial token workaround for old v3. Patch v4: move sending the auth-token for renegotiations to a sane place and trigger it when the TLS session reaches its fully authenticated state. Patch v5: Move also setting auth_token_inital from up->password to a more logical place, general cleanups, add session id mismatch check Patch v6: Rework some comments and general cleanup of small things Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net> Message-Id: <20210719133132.128783-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22645.html Signed-off-by: Gert Doering <gert@greenie.muc.de> |
||
---|---|---|
.. | ||
doxygen | ||
man-sections | ||
android.txt | ||
gui-notes.txt | ||
interactive-service-notes.rst | ||
keying-material-exporter.txt | ||
Makefile.am | ||
management-notes.txt | ||
openvpn-examples.5.rst | ||
openvpn.8.rst | ||
README.man | ||
README.plugins | ||
tls-crypt-v2.txt |
OpenVPN Plugins --------------- Starting with OpenVPN 2.0-beta17, compiled plugin modules are supported on any *nix OS which includes libdl or on Windows. One or more modules may be loaded into OpenVPN using the --plugin directive, and each plugin module is capable of intercepting any of the script callbacks which OpenVPN supports: (1) up (2) down (3) route-up (4) ipchange (5) tls-verify (6) auth-user-pass-verify (7) client-connect (8) client-disconnect (9) learn-address See the openvpn-plugin.h file in the top-level directory of the OpenVPN source distribution for more detailed information on the plugin interface. Included Plugins ---------------- auth-pam -- Authenticate using PAM and a split privilege execution model which functions even if root privileges or the execution environment have been altered with --user/--group/--chroot. Tested on Linux only. down-root -- Enable the running of down scripts with root privileges even if --user/--group/--chroot have been used to drop root privileges or change the execution environment. Not applicable on Windows. examples -- A simple example that demonstrates a portable plugin, i.e. one which can be built for *nix or Windows from the same source. Building Plugins ---------------- cd to the top-level directory of a plugin, and use the "make" command to build it. The examples plugin is built using a build script, not a makefile.