openvpn/auth__token_8h_source.html

/*

 *  OpenVPN -- An application to securely tunnel IP networks

 *             over a single TCP/UDP port, with support for SSL/TLS-based

 *             session authentication and key exchange,

 *             packet encryption, packet authentication, and

 *             packet compression.

 *

 *  Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>

 *

 *  This program is free software; you can redistribute it and/or modify

 *  it under the terms of the GNU General Public License version 2

 *  as published by the Free Software Foundation.

 *

 *  This program is distributed in the hope that it will be useful,

 *  but WITHOUT ANY WARRANTY; without even the implied warranty of

 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 *  GNU General Public License for more details.

 *

 *  You should have received a copy of the GNU General Public License along

 *  with this program; if not, write to the Free Software Foundation, Inc.,

 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

 */

#ifndef AUTH_TOKEN_H

#define AUTH_TOKEN_H


void

generate_auth_token(const struct user_pass *up, struct tls_multi *multi);


unsigned

verify_auth_token(struct user_pass *up, struct tls_multi *multi,

                  struct tls_session *session);


void

auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file,

                       bool key_inline);


void auth_token_write_server_key_file(const char *filename);


void add_session_token_env(struct tls_session *session, struct tls_multi *multi,

                           const struct user_pass *up);


void wipe_auth_token(struct tls_multi *multi);


#define SESSION_ID_PREFIX "SESS_ID_AT_"


static inline bool


is_auth_token(const char *password)

{

    return (memcmp_constant_time(SESSION_ID_PREFIX, password,

                                 strlen(SESSION_ID_PREFIX)) == 0);

}


void

resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session);


void

check_send_auth_token(struct context *c);


#endif /* AUTH_TOKEN_H */

verify_auth_token
unsigned verify_auth_token(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Verifies the auth token to be in the format that generate_auth_token create and checks if the token i...
Definition auth_token.c:294

auth_token_write_server_key_file
void auth_token_write_server_key_file(const char *filename)
Generate a auth-token server secret key, and write to file.
Definition auth_token.c:118

is_auth_token
static bool is_auth_token(const char *password)
Return if the password string has the format of a password.
Definition auth_token.h:127

auth_token_init_secret
void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
Loads an HMAC secret from a file or if no file is present generates a epheremal secret for the run ti...
Definition auth_token.c:124

generate_auth_token
void generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
Generate an auth token based on username and timestamp.
Definition auth_token.c:164

add_session_token_env
void add_session_token_env(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
Put the session id, and auth token status into the environment if auth-token is enabled.
Definition auth_token.c:38

SESSION_ID_PREFIX
#define SESSION_ID_PREFIX
The prefix given to auth tokens start with, this prefix is special cased to not show up in log files ...
Definition auth_token.h:115

check_send_auth_token
void check_send_auth_token(struct context *c)
Checks if the timer to resend the auth-token has expired and if a new auth-token should be send to th...
Definition auth_token.c:422

wipe_auth_token
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags.
Definition auth_token.c:401

resend_auth_token_renegotiation
void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session)
Checks if a client should be sent a new auth token to update its current auth-token.
Definition auth_token.c:461

memcmp_constant_time
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
Definition crypto_openssl.c:1346

context
Contains all state information for one tunnel.
Definition openvpn.h:474

key_ctx
Container for one set of cipher and/or HMAC contexts.
Definition crypto.h:201

session
Definition keyingmaterialexporter.c:56

tls_multi
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:597

tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:480

user_pass
Definition misc.h:57