OpenVPN
test_auth_token.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2016-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#include <stdio.h>
30#include <stdlib.h>
31#include <stdarg.h>
32#include <string.h>
33#include <setjmp.h>
34#include <cmocka.h>
35
36#include "auth_token.c"
37#include "test_common.h"
38
40{
42 struct key_type kt;
43 struct user_pass up;
45};
46
47/* Dummy functions that do nothing to mock the functionality */
48void
52
53void
54auth_set_client_reason(struct tls_multi *multi, const char *reason)
55{
56}
57
58static const char *now0key0 =
59 "SESS_ID_AT_0123456789abcdefAAAAAAAAAAAAAAAAAAAAAE5JsQJOVfo8jnI3RL3tBaR5NkE4yPfcylFUHmHSc5Bu";
60
61static const char *zeroinline = "-----BEGIN OpenVPN auth-token server key-----\n"
62 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
63 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
64 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
65 "-----END OpenVPN auth-token server key-----";
66
67static const char *allx01inline =
68 "-----BEGIN OpenVPN auth-token server key-----\n"
69 "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB\n"
70 "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB\n"
71 "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=\n"
72 "-----END OpenVPN auth-token server key-----";
73
74static const char *random_key =
75 "-----BEGIN OpenVPN auth-token server key-----\n"
76 "+mmmf7IQ5cymtMVjKYTWk8IOcYanRlpQmV9Tb3EjkHYxueBVDg3yqRgzeBlVGzNLD//rAPiOVhau\n"
77 "3NDBjNOQB8951bfs7Cc2mYfay92Bh2gRJ5XEM/DMfzCWN+7uU6NWoTTHr4FuojnIQtjtqVAj/JS9\n"
78 "w+dTSp/vYHl+c7uHd19uVRu/qLqV85+rm4tUGIjO7FfYuwyPqwmhuIsi3hs9QkSimh888FmBpoKY\n"
79 "/tbKVTJZmSERKti9KEwtV2eVAR0znN5KW7lCB3mHVAhN7bUpcoDjfCzYIFARxwswTFu9gFkwqUMY\n"
80 "I1KUOgIsVNs4llACioeXplYekWETR+YkJwDc/A==\n"
81 "-----END OpenVPN auth-token server key-----";
82
83static const char *random_token =
84 "SESS_ID_AT_ThhRItzOKNKrh3dfAAAAAFwzHpwAAAAAXDMenDdrq0RoH3dkA1f7O3wO+7kZcx2DusVZrRmFlWQM9HOb";
85
86
87static int
88setup(void **state)
89{
90 struct test_context *ctx = calloc(1, sizeof(*ctx));
91 *state = ctx;
92
93 struct key_parameters key = { 0 };
94 key.hmac_size = MAX_HMAC_KEY_LENGTH; /* 64 byte of 0 */
95
96 ctx->kt = auth_token_kt();
97 if (!ctx->kt.digest)
98 {
99 return 0;
100 }
101 ctx->multi.opt.auth_token_generate = true;
102 ctx->multi.opt.auth_token_lifetime = 3000;
103 ctx->session = &ctx->multi.session[TM_ACTIVE];
104
105 ctx->session->opt = calloc(1, sizeof(struct tls_options));
106 ctx->session->opt->renegotiate_seconds = 240;
107 ctx->session->opt->auth_token_renewal = 120;
108 ctx->session->opt->auth_token_lifetime = 3000;
109
110 strcpy(ctx->up.username, "test user name");
111 strcpy(ctx->up.password, "ignored");
112
113 init_key_ctx(&ctx->multi.opt.auth_token_key, &key, &ctx->kt, false, "TEST");
114
115 now = 0;
116 return 0;
117}
118
119static int
120teardown(void **state)
121{
122 struct test_context *ctx = (struct test_context *)*state;
123
125 wipe_auth_token(&ctx->multi);
126
127 free(ctx->session->opt);
128 free(ctx);
129
130 return 0;
131}
132
133static void
135{
136 struct test_context *ctx = (struct test_context *)*state;
137
138 generate_auth_token(&ctx->up, &ctx->multi);
139 strcpy(ctx->up.password, ctx->multi.auth_token);
140 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
141}
142
143static void
145{
146 struct test_context *ctx = (struct test_context *)*state;
147
148 generate_auth_token(&ctx->up, &ctx->multi);
149 strcpy(ctx->up.password, ctx->multi.auth_token);
150 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
151
152 /* Change auth-token key */
153 struct key_parameters key;
154 memset(key.hmac, '1', sizeof(key.hmac));
155 key.hmac_size = MAX_HMAC_KEY_LENGTH;
156
158 init_key_ctx(&ctx->multi.opt.auth_token_key, &key, &ctx->kt, false, "TEST");
159
160 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), 0);
161
162 /* Load original test key again */
163 memset(&key.hmac, 0, sizeof(key.hmac));
165 init_key_ctx(&ctx->multi.opt.auth_token_key, &key, &ctx->kt, false, "TEST");
166 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
167}
168
169static void
171{
172 struct test_context *ctx = (struct test_context *)*state;
173
174 now = 100000;
175 generate_auth_token(&ctx->up, &ctx->multi);
176
177 strcpy(ctx->up.password, ctx->multi.auth_token);
178 free(ctx->multi.auth_token_initial);
179 ctx->multi.auth_token_initial = NULL;
180
181 /* No time has passed */
182 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
183
184 /* Token before validity, should be rejected */
185 now = 100000 - 100;
186 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
188
189 /* Token no valid for renegotiate_seconds but still for renewal_time */
190 now = 100000 + 2 * ctx->session->opt->renegotiate_seconds - 20;
191 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
193
194
195 now = 100000 + 2 * ctx->session->opt->auth_token_renewal - 20;
196 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
197
198 /* Token past validity, should be rejected */
199 now = 100000 + 2 * ctx->session->opt->renegotiate_seconds + 20;
200 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
202
203 /* But not when we reached our timeout */
204 now = 100000 + ctx->session->opt->auth_token_lifetime + 1;
205 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
207
208 free(ctx->multi.auth_token_initial);
209 ctx->multi.auth_token_initial = NULL;
210
211 /* regenerate the token util it hits the expiry */
212 now = 100000;
213 while (now < 100000 + ctx->session->opt->auth_token_lifetime + 1)
214 {
215 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
217 generate_auth_token(&ctx->up, &ctx->multi);
218 strcpy(ctx->up.password, ctx->multi.auth_token);
220 }
221
222
223 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
226
227 /* Non expiring token should be fine */
228 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
229}
230
231static void
232zerohmac(char *token)
233{
234 char *hmacstart =
235 token + AUTH_TOKEN_SESSION_ID_LEN + strlen(SESSION_ID_PREFIX) + 2 * sizeof(uint64_t);
236 memset(hmacstart, 0x8d, strlen(hmacstart));
237}
238
239static void
241{
242 struct test_context *ctx = (struct test_context *)*state;
243
244 now = 0;
245 /* Preload the session id so the same session id is used here */
246 ctx->multi.auth_token_initial = strdup(now0key0);
247 assert_non_null(ctx->multi.auth_token_initial);
248
249 /* Zero the hmac part to ensure we have a newly generated token */
251
252 generate_auth_token(&ctx->up, &ctx->multi);
253
254 assert_string_equal(now0key0, ctx->multi.auth_token);
255
256 strcpy(ctx->up.password, ctx->multi.auth_token);
257 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
258}
259
260static const char *lastsesion_statevalue;
261void
262setenv_str(struct env_set *es, const char *name, const char *value)
263{
264 if (streq(name, "session_state"))
265 {
266 lastsesion_statevalue = value;
267 }
268}
269
270void
272{
273 struct test_context *ctx = (struct test_context *)*state;
274
275 /* Generate first auth token and check it is correct */
276 generate_auth_token(&ctx->up, &ctx->multi);
277 strcpy(ctx->up.password, ctx->multi.auth_token);
278 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
279
280 char *token_sessiona = strdup(ctx->multi.auth_token);
281
282 /* Generate second token */
283 wipe_auth_token(&ctx->multi);
284
285 generate_auth_token(&ctx->up, &ctx->multi);
286 strcpy(ctx->up.password, ctx->multi.auth_token);
287 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
288
289 assert_int_not_equal(0, memcmp(ctx->multi.auth_token_initial + strlen(SESSION_ID_PREFIX),
290 token_sessiona + strlen(SESSION_ID_PREFIX),
292
293 /* The first token is valid but should trigger the invalid response since
294 * the session id is not the same */
295 strcpy(ctx->up.password, token_sessiona);
296 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), 0);
297 free(token_sessiona);
298}
299
300static void
302{
303 struct test_context *ctx = (struct test_context *)*state;
304
305 CLEAR(ctx->up.username);
306 now = 0;
307
308 generate_auth_token(&ctx->up, &ctx->multi);
309 strcpy(ctx->up.password, ctx->multi.auth_token);
310 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), AUTH_TOKEN_HMAC_OK);
311
312 now = 100000;
313 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
315 strcpy(ctx->up.username, "test user name");
316
317 now = 0;
318 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
320
321 strcpy(ctx->up.username, "test user name");
322 now = 100000;
323 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
325
326 zerohmac(ctx->up.password);
327 assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), 0);
328}
329
330static void
332{
333 struct test_context *ctx = (struct test_context *)*state;
334
335 struct key_state *ks = &ctx->multi.session[TM_ACTIVE].key[KS_PRIMARY];
336
338 ctx->multi.auth_token = NULL;
339 add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
340 assert_string_equal(lastsesion_statevalue, "Initial");
341
343 strcpy(ctx->up.password, now0key0);
344 add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
345 assert_string_equal(lastsesion_statevalue, "Invalid");
346
348 add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
349 assert_string_equal(lastsesion_statevalue, "Authenticated");
350
352 add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
353 assert_string_equal(lastsesion_statevalue, "Expired");
354
356 add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
357 assert_string_equal(lastsesion_statevalue, "AuthenticatedEmptyUser");
358
361 add_session_token_env(ctx->session, &ctx->multi, &ctx->up);
362 assert_string_equal(lastsesion_statevalue, "ExpiredEmptyUser");
363}
364
365static void
367{
368 struct test_context *ctx = (struct test_context *)*state;
369
370 now = 0x5c331e9c;
371 /* Preload the session id so the same session id is used here */
373 assert_non_null(ctx->multi.auth_token_initial);
374
377
378 /* Zero the hmac part to ensure we have a newly generated token */
380
381 generate_auth_token(&ctx->up, &ctx->multi);
382
383 assert_string_equal(random_token, ctx->multi.auth_token);
384
385 strcpy(ctx->up.password, ctx->multi.auth_token);
386 assert_true(verify_auth_token(&ctx->up, &ctx->multi, ctx->session));
387}
388
389
390static void
392{
393 struct test_context *ctx = (struct test_context *)*state;
394
397 strcpy(ctx->up.password, now0key0);
398 assert_true(verify_auth_token(&ctx->up, &ctx->multi, ctx->session));
399
402 assert_false(verify_auth_token(&ctx->up, &ctx->multi, ctx->session));
403}
404
405int
406main(void)
407{
409 const struct CMUnitTest tests[] = {
410 cmocka_unit_test_setup_teardown(auth_token_basic_test, setup, teardown),
411 cmocka_unit_test_setup_teardown(auth_token_fail_invalid_key, setup, teardown),
412 cmocka_unit_test_setup_teardown(auth_token_test_known_keys, setup, teardown),
413 cmocka_unit_test_setup_teardown(auth_token_test_empty_user, setup, teardown),
414 cmocka_unit_test_setup_teardown(auth_token_test_env, setup, teardown),
415 cmocka_unit_test_setup_teardown(auth_token_test_random_keys, setup, teardown),
416 cmocka_unit_test_setup_teardown(auth_token_test_key_load, setup, teardown),
417 cmocka_unit_test_setup_teardown(auth_token_test_timeout, setup, teardown),
418 cmocka_unit_test_setup_teardown(auth_token_test_session_mismatch, setup, teardown)
419 };
420
421#if defined(ENABLE_CRYPTO_OPENSSL)
422 OpenSSL_add_all_algorithms();
423#endif
424
425 int ret = cmocka_run_group_tests_name("auth-token tests", tests, NULL, NULL);
426
427 return ret;
428}
void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
Loads an HMAC secret from a file or if no file is present generates a epheremal secret for the run ti...
Definition auth_token.c:124
void generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
Generate an auth token based on username and timestamp.
Definition auth_token.c:161
#define AUTH_TOKEN_SESSION_ID_LEN
Definition auth_token.c:21
unsigned int verify_auth_token(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Verifies the auth token to be in the format that generate_auth_token create and checks if the token i...
Definition auth_token.c:291
static struct key_type auth_token_kt(void)
Definition auth_token.c:32
#define AUTH_TOKEN_SESSION_ID_BASE64_LEN
Definition auth_token.c:22
void add_session_token_env(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
Put the session id, and auth token status into the environment if auth-token is enabled.
Definition auth_token.c:38
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags.
Definition auth_token.c:395
#define SESSION_ID_PREFIX
The prefix given to auth tokens start with, this prefix is special cased to not show up in log files ...
Definition auth_token.h:109
void init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, const struct key_type *kt, int enc, const char *prefix)
Definition crypto.c:990
void free_key_ctx(struct key_ctx *ctx)
Definition crypto.c:1075
#define MAX_HMAC_KEY_LENGTH
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:465
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
#define CLEAR(x)
Definition basic.h:32
#define streq(x, y)
Definition options.h:727
time_t now
Definition otime.c:33
#define AUTH_TOKEN_HMAC_OK
Auth-token sent from client has valid hmac.
Definition ssl_common.h:687
#define AUTH_TOKEN_EXPIRED
Auth-token sent from client has expired.
Definition ssl_common.h:689
#define AUTH_TOKEN_VALID_EMPTYUSER
Auth-token is only valid for an empty username and not the username actually supplied from the client...
Definition ssl_common.h:697
internal structure similar to struct key that holds key information but is not represented on wire an...
Definition crypto.h:163
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
unsigned int auth_token_state_flags
The state of the auth-token sent from the client.
Definition ssl_common.h:211
const char * digest
Message digest static parameters.
Definition crypto.h:143
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:155
struct user_pass up
struct tls_multi multi
struct tls_session * session
struct key_type kt
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:612
char * auth_token_initial
The first auth-token we sent to a client.
Definition ssl_common.h:684
struct tls_options opt
Definition ssl_common.h:617
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
char * auth_token
If server sends a generated auth-token, this is the token to use for future user/pass authentications...
Definition ssl_common.h:679
struct key_ctx auth_token_key
Definition ssl_common.h:408
unsigned int auth_token_renewal
Definition ssl_common.h:406
unsigned int auth_token_lifetime
Definition ssl_common.h:405
interval_t renegotiate_seconds
Definition ssl_common.h:348
bool auth_token_generate
Generate auth-tokens on successful user/pass auth,seet via options->auth_token_generate.
Definition ssl_common.h:401
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
struct key_state key[KS_SIZE]
Definition ssl_common.h:525
struct tls_options * opt
Definition ssl_common.h:492
char password[USER_PASS_LEN]
Definition misc.h:68
char username[USER_PASS_LEN]
Definition misc.h:67
static void auth_token_test_env(void **state)
static int teardown(void **state)
void auth_set_client_reason(struct tls_multi *multi, const char *reason)
Sets the reason why authentication of a client failed.
static void auth_token_test_known_keys(void **state)
static const char * zeroinline
static void auth_token_test_key_load(void **state)
static const char * random_token
static const char * now0key0
static void auth_token_test_timeout(void **state)
static void auth_token_test_random_keys(void **state)
void auth_token_test_session_mismatch(void **state)
static void auth_token_test_empty_user(void **state)
int main(void)
void setenv_str(struct env_set *es, const char *name, const char *value)
static void auth_token_fail_invalid_key(void **state)
static const char * random_key
static int setup(void **state)
static const char * lastsesion_statevalue
static void auth_token_basic_test(void **state)
static const char * allx01inline
static void zerohmac(char *token)
void send_push_reply_auth_token(struct tls_multi *multi)
Sends a push reply message only containin the auth-token to update the auth-token on the client.
static void openvpn_unit_test_setup(void)
Sets up the environment for unit tests like making both stderr and stdout non-buffered to avoid messa...
Definition test_common.h:35
struct env_set * es