OpenVPN
auth_token.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 #ifndef AUTH_TOKEN_H
24 #define AUTH_TOKEN_H
25 
62 void
63 generate_auth_token(const struct user_pass *up, struct tls_multi *multi);
64 
70 unsigned
71 verify_auth_token(struct user_pass *up, struct tls_multi *multi,
72  struct tls_session *session);
73 
74 
75 
80 void
81 auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file,
82  bool key_inline);
83 
84 
90 void auth_token_write_server_key_file(const char *filename);
91 
92 
98 void add_session_token_env(struct tls_session *session, struct tls_multi *multi,
99  const struct user_pass *up);
100 
107 void wipe_auth_token(struct tls_multi *multi);
108 
115 #define SESSION_ID_PREFIX "SESS_ID_AT_"
116 
126 static inline bool
127 is_auth_token(const char *password)
128 {
129  return (memcmp_constant_time(SESSION_ID_PREFIX, password,
130  strlen(SESSION_ID_PREFIX)) == 0);
131 }
132 #endif /* AUTH_TOKEN_H */
void add_session_token_env(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
Put the session id, and auth token status into the environment if auth-token is enabled.
Definition: auth_token.c:52
void generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
Generate an auth token based on username and timestamp.
Definition: auth_token.c:174
#define SESSION_ID_PREFIX
The prefix given to auth tokens start with, this prefix is special cased to not show up in log files ...
Definition: auth_token.h:115
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:533
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags...
Definition: auth_token.c:390
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:425
Definition: misc.h:56
void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline)
Loads an HMAC secret from a file or if no file is present generates a epheremal secret for the run ti...
Definition: auth_token.c:137
void auth_token_write_server_key_file(const char *filename)
Generate a auth-token server secret key, and write to file.
Definition: auth_token.c:131
unsigned verify_auth_token(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Verifies the auth token to be in the format that generate_auth_token create and checks if the token i...
Definition: auth_token.c:299
static bool is_auth_token(const char *password)
Return if the password string has the format of a password.
Definition: auth_token.h:127