Hi,

On Wed, Jul 18, 2018 at 7:46 PM, Jonathan K. Bullard
<jkbull...@gmail.com> wrote:
> I'm trying to implement dynamic challenge/response in Tunnelblick and
> have some questions. I've been using the management-interface
> documentation [1] as my guide.
>
> 1. Is what the management interface sends something like (all on one line):
>
> >PASSWORD:Verification Failed: 'Auth' 
> >['CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN:']
>
> and not just the challenge all by itself?

There are two messages involved:

1. First comes the fake auth failure message which contains the
challenge string. The format of this is as you have quoted above. The
single quoted string between the square brackets is what is actually
sent by the server. This should be parsed as

CRV1:flags:state_id:base64_username:challenge
(note that there is no colon at the end)

So in the above example
flags = R,E
state_id = Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l
base64_username = Y3Ix
challenge = Please enter token PIN:

In this case the last colon is a part of the challenge, as it's not a
part of the protocol.

As the daemon thinks auth failed, this will trigger a restart. On
restart the client openvpn daemon will prompt for username and password
as usual. So:

2. The usual auth prompt comes as

>PASSWORD:Need 'Auth' username
>PASSWORD:Need 'Auth' password

The GUI should remember that this prompt follows the
verification-failure message that contained a CRV1 challenge and be
ready to respond accordingly. It should be responded to in the same
format as the usual user-auth response, but this time with the decoded
username as the username and the specially formatted challenge response
(see below) as the password.

> 2. Is the final ":" in the above part of the prompt to be shown to the
> user, or is it a delimiter showing the end of the prompt?

Yes

>
>
> 3. Is the response back to the management interface really like this:
>
> Username: cr1 ("Y3Ix" base64 decoded)
> Password: CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::8675309

No, the management-notes.txt is a bit less explicit here. It's only
indicating what username and password should be returned, not the
format of the reply. The response is in reply to the usual "Auth" username
and password prompts, so it should be formatted as

username "Auth" cr1
password "Auth" CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::8675309

where 8675309 is the response to the challenge provided by the user.

>
> I ask because the syntax for the username/password for a
> NON-challenge/response response back to the management interface is
>
> username "Auth" THE_USERNAME
> password "Auth" THE_PASSWORD
>
> which has "username" and "password" in lower-case and without the ":"s.

That description in management-notes.txt means that the text following
Username: should be passed back as the username and the text following
Password: as the password. That it should be returned in the above format
is assumed to be understood, but, yes, that text could be made more explicit.

>
>
> 4. Can the Username and Password fields sent to the OpenVPN management
> interface be quoted (and must double-quotes within the fields be
> escaped), as with the NON-challenge/response response?

Internally, the username and password are parsed by openvpn the same
way whether it's a simple user/password, user/password/challenge or
user/dynamic-challenge-response. That's why in all cases the format is
"username type THE_USERNAME" and "password type THE_PASSWORD". So,
quoting rules are the same in all three cases. The only difference is
that THE_PASSWORD is a specially formatted string in the case of static and
dynamic challenge responses.

The verification scripts on the server side will pick the password apart to
isolate the challenge response, but openvpn treats it as an opaque string. As
with everything received from the management interface, it does, however,
pass through the config parser, which does quote processing and unescaping.

OpenVPN-GUI for Windows uses this template for the format string to
construct the CRV1 "password" reply:

template = "password \"Auth\" \"CRV1::%s::%s\""

and passes the result through an escape processor before writing to the
management socket. Alternatively you can use single quotes to enclose
the 'THE_PASSWORD'.

Selva
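The whole client-side exchange described in the reply above, as an added example that is not code from the thread, from Tunnelblick or from OpenVPN-GUI: it parses the fake `Verification Failed` line, splits the CRV1 string into flags / state_id / base64_username / challenge (keeping the trailing colon in the prompt), remembers that a CRV1 challenge preceded the post-restart `Need 'Auth'` prompt, and builds the two reply lines with the `CRV1::state_id::response` password. The sample lines are constructed from the values quoted in the thread, the names `Crv1Challenge`, `CrvResponder`, `mgmt_quote` and `build_crv1_reply` are hypothetical, and the quoting rule (backslash-escape `\` and `"` inside a double-quoted argument) is an assumption about what the GUIs' escape processor does, not something the thread spells out.

```python
"""Client-side handling of OpenVPN dynamic challenge/response (CRV1)
over the management interface. Added example, not project code."""

import base64
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Line shapes as quoted in the thread.
_FAILURE_RE = re.compile(
    r"^>PASSWORD:Verification Failed: '(?P<type>[^']+)' \['(?P<payload>.*)'\]$"
)
_NEED_RE = re.compile(r"^>PASSWORD:Need '(?P<type>[^']+)' (?P<what>\S+)$")


@dataclass
class Crv1Challenge:
    flags: List[str]    # per management-notes.txt: "R" = response required, "E" = echo
    state_id: str       # opaque token the server uses to correlate the reply
    username: str       # decoded from the base64 field
    challenge: str      # prompt text to show the user, colons and all


def parse_crv1(payload: str) -> Crv1Challenge:
    """Parse 'CRV1:flags:state_id:base64_username:challenge'.

    maxsplit=4 keeps any colon inside the challenge text (including the
    trailing one in 'Please enter token PIN:') as part of the prompt.
    """
    parts = payload.split(":", 4)
    if len(parts) != 5 or parts[0] != "CRV1":
        raise ValueError("not a CRV1 challenge: %r" % payload)
    _, flags, state_id, b64_user, challenge = parts
    username = base64.b64decode(b64_user, validate=True).decode("utf-8")
    return Crv1Challenge(
        flags=flags.split(",") if flags else [],
        state_id=state_id,
        username=username,
        challenge=challenge,
    )


def mgmt_quote(value: str) -> str:
    """Double-quote a management-interface argument, escaping '\\' and '"'.

    Assumption: this mirrors the escape processing the GUIs apply before
    writing to the socket, so a PIN or username containing a quote cannot
    break the command framing.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_crv1_reply(ch: Crv1Challenge, response: str, auth_type: str = "Auth") -> List[str]:
    """The two lines to write back when the post-restart auth prompt arrives."""
    password = "CRV1::%s::%s" % (ch.state_id, response)
    return [
        "username %s %s" % (mgmt_quote(auth_type), mgmt_quote(ch.username)),
        "password %s %s" % (mgmt_quote(auth_type), mgmt_quote(password)),
    ]


@dataclass
class CrvResponder:
    """Feed management-interface lines in; get commands to send back out.

    Remembering that a CRV1 failure preceded the next 'Need' prompt is what
    distinguishes a challenge round from an ordinary login.
    """
    ask_user: Callable[[str], str]      # shows the challenge, returns the answer
    pending: Optional[Crv1Challenge] = None

    def feed(self, line: str) -> List[str]:
        m = _FAILURE_RE.match(line)
        if m:
            try:
                self.pending = parse_crv1(m.group("payload"))
            except ValueError:
                self.pending = None     # a real auth failure, not a challenge
            return []
        m = _NEED_RE.match(line)
        if m and self.pending is not None:
            ch, self.pending = self.pending, None   # answer once, on the first prompt
            return build_crv1_reply(ch, self.ask_user(ch.challenge), m.group("type"))
        return []                       # later 'password' prompt, or normal login


# Constructed sample exchange using the values quoted in the thread.
SAMPLE_LINES = [
    ">PASSWORD:Verification Failed: 'Auth' "
    "['CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN:']",
    ">PASSWORD:Need 'Auth' username",
    ">PASSWORD:Need 'Auth' password",
]


def run_sample(pin: str = "8675309") -> List[str]:
    responder = CrvResponder(ask_user=lambda prompt: pin)
    out: List[str] = []
    for line in SAMPLE_LINES:
        out.extend(responder.feed(line))
    return out


if __name__ == "__main__":
    for cmd in run_sample():
        print(cmd)
```

Running it prints `username "Auth" "cr1"` followed by `password "Auth" "CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::8675309"`, which is the quoted form of the reply shown in the thread. Quoting every argument, rather than only the CRV1 password, keeps the same code path for plain logins, matching the point that openvpn parses all three auth variants the same way.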

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel