Hi All,

This patch allows an auth plugin to return a client reason, which is then sent to the connecting client when authentication fails. The change is backwards compatible with existing plugins and has not caused issues with existing plugins, such as the included PAM plugin, in our testing. The main purpose of this change is to support dynamic challenge/response from plugins; currently this is only possible via the management interface.

Example usage for this change can be found in a new plugin here modified from the included PAM plugin - https://github.com/thesparklabs/openvpn-two-factor-extensions/tree/master/yubikey-u2f-pam-plugin

Regards,
Eric

--
--
Eric Thorpe
SparkLabs Developer
https://www.sparklabs.com
https://twitter.com/sparklabs
supp...@sparklabs.com

From 0970f16c27c2b90df04ad148bea84a9bfd3ad4a0 Mon Sep 17 00:00:00 2001
From: ethorpe <e...@sparklabs.com>
Date: Wed, 18 Apr 2018 19:05:54 +1000
Subject: [PATCH] Modify verify_user_pass_plugin to support returning a
 client_reason when

auth is rejected. This is backwards compatible with existing plugins.
---
 src/openvpn/ssl_verify.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 25395b2..6266fb3 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1167,7 +1167,7 @@ done:
  * Verify the username and password using a plugin
  */
 static int
-verify_user_pass_plugin(struct tls_session *session, const struct user_pass 
*up, const char *raw_username)
+verify_user_pass_plugin(struct tls_session *session, struct tls_multi *multi, 
const struct user_pass *up, const char *raw_username)
 {
     int retval = OPENVPN_PLUGIN_FUNC_ERROR;
 #ifdef PLUGIN_DEF_AUTH
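Review bot: The new `multi` parameter changes what verify_user_pass_plugin does, yet the comment above the signature (whose opening line is outside the hunk) still only says the username and password are verified using a plugin. Suggest extending it with ` * If the plugin returns a "client_reason" value, it is stored on multi` so a reader of the prototype knows the function now has a side effect on the session. The function is also called with a `multi` that is dereferenced unconditionally further down; if any caller can pass NULL, that should be stated in the comment or guarded.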
@@ -1177,6 +1177,9 @@ verify_user_pass_plugin(struct tls_session *session, 
const struct user_pass *up,
     /* Is username defined? */
     if ((session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) || 
strlen(up->username))
     {
+        struct plugin_return pr, prfetch;
+        plugin_return_init(&pr);
+
         /* set username/password in private env space */
         setenv_str(session->opt->es, "username", (raw_username ? raw_username 
: up->username));
         setenv_str(session->opt->es, "password", up->password);
@@ -1198,7 +1201,23 @@ verify_user_pass_plugin(struct tls_session *session, 
const struct user_pass *up,
 #endif
 
         /* call command */
-        retval = plugin_call(session->opt->plugins, 
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, NULL, session->opt->es);
+        retval = plugin_call(session->opt->plugins, 
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, &pr, session->opt->es);
+
+        /* Fetch client reason */
+        plugin_return_get_column(&pr, &prfetch, "client_reason");
+        if (plugin_return_defined(&prfetch))
+        {
+            int i;
+            for (i = 0; i < prfetch.n; ++i)
+            {
+                if (prfetch.list[i] && prfetch.list[i]->value)
+                {
+                    man_def_auth_set_client_reason(multi, 
prfetch.list[i]->value);
+                }
+            }
+        }
+
+        plugin_return_free(&pr);
 
 #ifdef PLUGIN_DEF_AUTH
         /* purge auth control filename (and file itself) for non-deferred 
returns */
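Review bot: The loop at `for (i = 0; i < prfetch.n; ++i)` calls `man_def_auth_set_client_reason` once per returned value, so if the setter replaces the stored reason (as its name suggests) only the last value survives and the earlier ones are silently dropped; either select one value explicitly or add a comment stating that the last "client_reason" value wins. The reason is also stored regardless of `retval`, so a plugin that returns success together with a client_reason leaves that string attached to `multi`; if the reason is only meaningful on rejection, guard the block with `if (retval != OPENVPN_PLUGIN_FUNC_SUCCESS)` — confirm against how client_reason is consumed. Since the value is plugin-supplied and, per the cover letter, is forwarded to the remote client on auth failure, a short comment that plugins are expected to return a single printable line here would document the trust boundary. The function body continues outside the hunk, so any early return between `plugin_return_init(&pr)` and `plugin_return_free(&pr)` would leak `pr`; none is visible in this hunk.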
@@ -1378,7 +1397,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
 #endif
     if (plugin_defined(session->opt->plugins, 
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY))
     {
-        s1 = verify_user_pass_plugin(session, up, raw_username);
+        s1 = verify_user_pass_plugin(session, multi, up, raw_username);
     }
     if (session->opt->auth_user_pass_verify_script)
     {
-- 
2.7.4
