Attention is currently required from: flichtenheld, selvanair.
Hello flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/665?usp=email
to look at the new patch set (#2).
Change subject: Static-challenge concatenation option
......................................................................
Static-challenge concatenation option
Extend "--static-challenge" option to take a third
argument (= scrv1 or concat) to specify that the password and
response should be concatenated instead of using the
SCRV1 protocol. If unspecified, it defaults to "scrv1"
meaning that the SCRV1 protocol should be used.
v2: use scrv1|concat instead of 0|1 as option argument
fix typos
Change-Id: I59a90446bfe73d8856516025a58a6f62cc98ab0d
---
M doc/man-sections/client-options.rst
M doc/management-notes.txt
M src/openvpn/manage.c
M src/openvpn/misc.c
M src/openvpn/misc.h
M src/openvpn/options.c
M src/openvpn/ssl.c
7 files changed, 68 insertions(+), 20 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/65/665/2
diff --git a/doc/man-sections/client-options.rst
b/doc/man-sections/client-options.rst
index b75fe5b..a06948e 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -541,12 +541,15 @@
Valid syntax:
::
- static-challenge text echo
+ static-challenge text echo [format]
The ``text`` challenge text is presented to the user which describes what
information is requested. The ``echo`` flag indicates if the user's
input should be echoed on the screen. Valid ``echo`` values are
- :code:`0` or :code:`1`.
+ :code:`0` or :code:`1`. The optional ``format`` indicates whether
+ the password and response should be combined using the SCRV1 protocol
+ (``format`` = :code:`scrv1`) or simply concatenated (``format`` =
:code:`concat`).
+ :code:`scrv1` is the default.
See management-notes.txt in the OpenVPN distribution for a description of
the OpenVPN challenge/response protocol.
diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index b9947fa..06ffa72 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -1320,14 +1320,19 @@
OpenVPN's --static-challenge option is used to provide the
challenge text to OpenVPN and indicate whether or not the response
-should be echoed.
+should be echoed and how the response should be combined with the
+password.
When credentials are needed and the --static-challenge option is
used, the management interface will send:
- >PASSWORD:Need 'Auth' username/password SC:<ECHO>,<TEXT>
+ >PASSWORD:Need 'Auth' username/password SC:<flags>,<TEXT>
- ECHO: "1" if response should be echoed, "0" to not echo
+ flags: a bit field describing the ECHO and FORMAT flags
+ ECHO = bit 1 = 1 if response should be echoed, 0 to not echo
+ FORMAT = bit 2 = 1 if response should be concatenated with password
+ as plain text, 0 if response and password should be encoded
+ as described below
TEXT: challenge text that should be shown to the user to
facilitate their response
@@ -1342,8 +1347,8 @@
The management interface client in this case should add the static
challenge text to the auth dialog followed by a field for the user to
-enter a response. Then the management interface client should pack the
-password and response together into an encoded password and send:
+enter a response. If FORMAT=0, the management interface client should
+pack the password and response together into an encoded password and send:
username "Auth" <username>
password "Auth" "SCRV1:<password_base64>:<response_base64>"
@@ -1354,6 +1359,12 @@
the user. The <password_base64> and/or the <response_base64> can be
empty strings.
+If FORMAT=1, the client should simply concatenate password and response
+with no separator and send:
+
+ username "Auth" <username>
+ password "Auth" "SCRV1:<password><response>"
+
(As in all username/password responses described in the "COMMAND --
password and username" section above, the username can be in quotes,
and special characters such as double quotes or backslashes must be
@@ -1361,10 +1372,15 @@
For example, if user "foo" entered "bar" as the password and 8675309
as the PIN, the following management interface commands should be
-issued:
+issued if FORMAT = 0:
username "Auth" foo
password "Auth" "SCRV1:YmFy:ODY3NTMwOQ=="
("YmFy" is the base 64 encoding of "bar" and "ODY3NTMwOQ==" is the
base 64 encoding of "8675309".)
+
+or, if FORMAT = 1:
+
+ username "Auth" foo
+ password "Auth" "bar8675309"
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 24f3121..05b5a1a 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -3544,7 +3544,8 @@
if (sc)
{
buf_printf(&alert_msg, " SC:%d,%s",
- BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO),
+ BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO)
+ |(BOOL_CAST(flags &
GET_USER_PASS_STATIC_CHALLENGE_CONCAT) << 1),
sc);
}
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 598fbae..516b1ed 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -438,17 +438,28 @@
{
msg(M_FATAL, "ERROR: could not retrieve static
challenge response");
}
- if (openvpn_base64_encode(up->password,
strlen(up->password), &pw64) == -1
- || openvpn_base64_encode(response, strlen(response),
&resp64) == -1)
+ if (!(flags & GET_USER_PASS_STATIC_CHALLENGE_CONCAT))
{
- msg(M_FATAL, "ERROR: could not base64-encode
password/static_response");
+ if (openvpn_base64_encode(up->password,
strlen(up->password), &pw64) == -1
+ || openvpn_base64_encode(response,
strlen(response), &resp64) == -1)
+ {
+ msg(M_FATAL, "ERROR: could not base64-encode
password/static_response");
+ }
+ buf_set_write(&packed_resp, (uint8_t *)up->password,
USER_PASS_LEN);
+ buf_printf(&packed_resp, "SCRV1:%s:%s", pw64, resp64);
+ string_clear(pw64);
+ free(pw64);
+ string_clear(resp64);
+ free(resp64);
}
- buf_set_write(&packed_resp, (uint8_t *)up->password,
USER_PASS_LEN);
- buf_printf(&packed_resp, "SCRV1:%s:%s", pw64, resp64);
- string_clear(pw64);
- free(pw64);
- string_clear(resp64);
- free(resp64);
+ else
+ {
+ if (strlen(up->password) + strlen(response) >=
USER_PASS_LEN)
+ {
+ msg(M_FATAL, "ERROR: could not concatenate
password/static_response: string too long");
+ }
+ strncat(up->password, response, USER_PASS_LEN -
strlen(up->password) - 1);
+ }
}
#endif /* ifdef ENABLE_MANAGEMENT */
}
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 963f3e6..f3b824e 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -91,6 +91,7 @@
*/
struct static_challenge_info {
#define SC_ECHO (1<<0) /* echo response when typed by user */
+#define SC_CONCAT (1<<1) /* concatenate password and response and do not
base64 encode */
unsigned int flags;
const char *challenge_text;
@@ -117,6 +118,7 @@
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /* SCRV1 protocol -- echo
response */
#define GET_USER_PASS_INLINE_CREDS (1<<10) /* indicates that auth_file is
actually inline creds */
+#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT (1<<11) /* indicates password
and response should be concatenated */
/**
* Retrieves the user credentials from various sources depending on the flags.
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index abcde89..eb19010 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -518,8 +518,10 @@
" Add domains to DNS domain search list\n"
"--auth-retry t : How to handle auth failures. Set t to\n"
" none (default), interact, or nointeract.\n"
- "--static-challenge t e : Enable static challenge/response protocol
using\n"
+ "--static-challenge t e [<scrv1|concat>]: Enable static challenge/response
protocol using\n"
" challenge text t, with e indicating echo flag (0|1)\n"
+ " and optional argument scrv1 or concat to use SCRV1
protocol or"
+ " concatenate response with password. Default is scrv1.\n"
"--connect-timeout n : when polling possible remote servers to connect
to\n"
" in a round-robin fashion, spend no more than n
seconds\n"
" waiting for a response before trying the next server.\n"
@@ -7926,7 +7928,7 @@
auth_retry_set(msglevel, p[1]);
}
#ifdef ENABLE_MANAGEMENT
- else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3])
+ else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[4])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
options->sc_info.challenge_text = p[1];
@@ -7934,6 +7936,15 @@
{
options->sc_info.flags |= SC_ECHO;
}
+ if (p[3] && streq(p[3], "concat"))
+ {
+ options->sc_info.flags |= SC_CONCAT;
+ }
+ else if (p[3] && !streq(p[3], "scrv1"))
+ {
+ msg(msglevel, "--static-challenge: unknown format indicator '%s'",
p[3]);
+ goto err;
+ }
}
#endif
else if (streq(p[0], "msg-channel") && p[1])
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 2054eb4..faf83a9 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -312,6 +312,10 @@
{
flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO;
}
+ if (sci->flags & SC_CONCAT)
+ {
+ flags |= GET_USER_PASS_STATIC_CHALLENGE_CONCAT;
+ }
get_user_pass_cr(&auth_user_pass,
auth_file,
UP_TYPE_AUTH,
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/665?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I59a90446bfe73d8856516025a58a6f62cc98ab0d
Gerrit-Change-Number: 665
Gerrit-PatchSet: 2
Gerrit-Owner: selvanair <selva.n...@gmail.com>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-Attention: selvanair <selva.n...@gmail.com>
Gerrit-MessageType: newpatchset
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
