On 25/01/2021 13:56, Arne Schwabe wrote:
This patch also refactors the if condition that checks the result of the authentication since that has become quite unreadable. It renames s1/s2 and extracts some parts of the condition into individual variables to make the condition better understandable.

Patch V2: add refactoring of the if condition

Signed-off-by: Arne Schwabe <a...@rfc2549.org>
--- Changes.rst | 12 ++++ doc/man-sections/script-options.rst | 14 ++++- src/openvpn/ssl.c | 2 - src/openvpn/ssl_verify.c | 86 +++++++++++++++++++++-------- 4 files changed, 89 insertions(+), 25 deletions(-) diff --git a/Changes.rst b/Changes.rst index 2a2829e7..188bd8ab 100644 --- a/Changes.rst +++ b/Changes.rst @@ -9,6 +9,18 @@ Keying Material Exporters (RFC 5705) based key generation the RFC5705 based key material generation to the current custom OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.+Deferred auth support for scripts+ The ``--auth-user-pass-verify`` script supports now deferred authentication. + +Pending auth support for plugins and scripts + Both auth plugin and script can now signal pending authentication to + the client when using deferred authentication. The new ``client-crresponse`` + script option and ``OPENVPN_PLUGIN_CLIENT_CRRESPONSE`` plugin function can + be used to parse a client response to a ``CR_TEXT`` two factor challenge. + + See ``sample/sample-scripts/totpauth.py`` for an example.
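Review bot: the new Changes.rst entry points readers at ``sample/sample-scripts/totpauth.py``, but that file is not part of this patch (the diffstat lists only Changes.rst, script-options.rst, ssl.c and ssl_verify.c); either reference the patch that adds the script or drop the sentence until the script lands, so the changelog never names a file that does not exist in the tree. Minor wording: "supports now deferred authentication" reads better as "now supports deferred authentication".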
This sample script is not yet added, but I don't think it matters much at this stage and in this file.
+ + Overview of changes in 2.5 ==========================diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rstindex 03b3dd77..50edd986 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -90,7 +90,19 @@ SCRIPT HOOKSThe script should examine the username and password, returning a successexit code (:code:`0`) if the client's authentication request is to be - accepted, or a failure code (:code:`1`) to reject the client. + accepted, a failure code (:code:`1`) to reject the client, or a that + the authentication is deferred (:code:`2`). If the authentication is + deferred, the script must fork/start a background or another non-blocking + operation to continue the authentication in the background. When finshing + the authentication, a :code:`1` or :code:`0` must be written to the + file specified by the :code:`auth_control_file`. + + When deferred authentication is in use, the script can also request + pending authentication by writing to the file specified by the + :code:`auth_pending_file`. The first line must be the timeout in + seconds and the second line the EXTRA as documented in the + ``client-pending-auth`` section of `doc/management.txt`.
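Review bot: the replacement sentence "accepted, a failure code (:code:`1`) to reject the client, or a that the authentication is deferred (:code:`2`)" is missing a word; suggest "or :code:`2` to signal that the authentication is deferred". The same paragraph says "a :code:`1` or :code:`0` must be written to the file specified by the :code:`auth_control_file`" without stating which value means accept and which means reject; since the exit-code convention just above uses :code:`0` for success, the control-file semantics need to be spelled out explicitly. Typos: "finshing" should be "finishing", and "must fork/start a background or another non-blocking operation" would read more cleanly as "must start a background process or other non-blocking operation".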
Doesn't the auth_pending_file need to be 3 lines?

--------
$timeout
$method
$extra
-------

This is what the plug-in is required to write to the file, which the write_auth_pending() Python function in the totp example in patch 11/11 also does.
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index b9647c1a..fc9f1d2e 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c
[...snip...]
@@ -1223,25 +1223,61 @@ verify_user_pass_script(struct tls_session *session, struct tls_multi *multi,
[...snip...]+#ifdef ENABLE_DEF_AUTH + if (retval == OPENVPN_PLUGIN_FUNC_DEFERRED) + {

Didn't you kill ENABLE_DEF_AUTH in commit 99d217b20064e7fef9 ? I had to remove this #ifdef to be able to test it with the totpauth.py script in patch 11/11 (with patch 10/11 applied as well).
Otherwise looking good and works when removing this #ifdef. But needs a bit more polish.
--
kind regards,

David Sommerseth
OpenVPN Inc
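The file protocol discussed in this thread (exit code 2 to defer, a pending-auth file for a CR_TEXT challenge, and a final verdict in the auth_control_file) as an added example. This is not OpenVPN's totpauth.py and not part of the patch; it assumes the auth_control_file and auth_pending_file paths arrive in environment variables of the same name, uses the three-line layout (timeout, method, extra) from the review comment rather than the two-line layout in the documentation hunk, and the method name "crtext" and the extra string "CR_TEXT:R,E:Enter one-time code" are assumed sample values. check_second_factor() is a hypothetical placeholder for the real out-of-band check.

```python
#!/usr/bin/env python3
"""Deferred / pending auth helper for an --auth-user-pass-verify script.

Added example (not OpenVPN's sample script). Assumptions, as labelled in
the lead-in: paths come from the auth_control_file / auth_pending_file
environment variables; the pending file is three lines: timeout, method,
extra; "crtext" and the CR_TEXT extra string are sample values.
"""
import os
import sys
import tempfile


def _atomic_write(path, data):
    # Write to a temp file in the same directory and rename it into place,
    # so OpenVPN never reads a half-written pending or control file.
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise


def write_auth_pending(path, timeout_seconds, method, extra):
    """Request pending authentication: timeout, method and extra, one per line.

    Rejects non-positive timeouts and embedded newlines, since each field
    must occupy exactly one line for the server to parse it.
    Returns the text written.
    """
    if int(timeout_seconds) <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    for name, value in (("method", method), ("extra", extra)):
        if "\n" in value or "\r" in value:
            raise ValueError(f"{name} must be a single line")
    data = f"{int(timeout_seconds)}\n{method}\n{extra}\n"
    _atomic_write(path, data)
    return data


def parse_auth_pending(path):
    """Read a pending file back as (timeout, method, extra); used for self-checks."""
    with open(path) as f:
        lines = f.read().splitlines()
    if len(lines) != 3:
        raise ValueError(f"expected 3 lines in pending file, got {len(lines)}")
    return int(lines[0]), lines[1], lines[2]


def write_auth_control(path, success):
    """Deliver the final verdict: "1" accepts the client, "0" rejects it.

    Note the inversion relative to the script exit code, where 0 means accept.
    Returns the text written.
    """
    data = "1\n" if success else "0\n"
    _atomic_write(path, data)
    return data


def check_second_factor():
    # Hypothetical placeholder for the real out-of-band check (for example
    # waiting for the client-crresponse hook). Fails closed by default.
    return False


if __name__ == "__main__":
    control = os.environ.get("auth_control_file")
    pending = os.environ.get("auth_pending_file")
    if not control or not pending:
        # No deferred channel available: reject rather than accept blindly.
        sys.exit(1)
    write_auth_pending(pending, 60, "crtext", "CR_TEXT:R,E:Enter one-time code")
    pid = os.fork()
    if pid == 0:
        # Child continues the authentication in the background.
        os.setsid()
        write_auth_control(control, check_second_factor())
        os._exit(0)
    # Parent returns immediately: exit code 2 tells OpenVPN the result is deferred.
    sys.exit(2)
```

The atomic rename matters because OpenVPN polls these files; a verdict file that is momentarily empty or truncated would otherwise be read as malformed or, worse, parsed before the final byte lands. The placeholder check fails closed so that a missing second-factor path can never accept a client by accident.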
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel