upstream/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2026-04-26 00:27:43 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote branch SVN 2.1 into the git tree

Browse source 
Hopefully the last SVN merge we need to do, as these merges are getting
more and more difficult.  Most of the files had minor changes, but due to
the CRLF unification patch (commit 6b2883a637) we got an increased
number of conflicts.  In addition inclusion of IPv6 support makes the
creates a lot of merge issues in route.c and socket.c

This merge also reverts commit 7c18c63539 which merged
add_bypass_address() into add_host_route_if_nonlocal().  However the SVN
tree began to use add_bypass_address() another place, where at first glance
it did not be appropriate to use add_host_route_if_nonlocal().

This merge has gone through a 'make check' without any errors, but have
not been tested more thoroughly yet.

Conflicts:
	ChangeLog
	INSTALL
	INSTALL-win32.txt
	Makefile.am
	acinclude.m4
	base64.c
	buffer.c
	buffer.h
	common.h
	configure.ac
	contrib/pull-resolv-conf/client.down
	contrib/pull-resolv-conf/client.up
	crypto.c
	cryptoapi.c
	easy-rsa/2.0/Makefile
	easy-rsa/2.0/README
	easy-rsa/2.0/build-ca
	easy-rsa/2.0/build-dh
	easy-rsa/2.0/build-inter
	easy-rsa/2.0/build-key
	easy-rsa/2.0/build-key-pass
	easy-rsa/2.0/build-key-pkcs12
	easy-rsa/2.0/build-key-server
	easy-rsa/2.0/build-req
	easy-rsa/2.0/build-req-pass
	easy-rsa/2.0/clean-all
	easy-rsa/2.0/inherit-inter
	easy-rsa/2.0/list-crl
	easy-rsa/2.0/pkitool
	easy-rsa/2.0/revoke-full
	easy-rsa/2.0/sign-req
	easy-rsa/2.0/vars
	easy-rsa/2.0/whichopensslcnf
	easy-rsa/Windows/build-ca-pass.bat
	easy-rsa/Windows/build-key-pass.bat
	easy-rsa/Windows/build-key-server-pass.bat
	easy-rsa/Windows/init-config.bat
	easy-rsa/Windows/vars.bat.sample
	error.c
	error.h
	forward.c
	helper.c
	httpdigest.c
	httpdigest.h
	ieproxy.c
	init.c
	init.h
	install-win32/Makefile.am
	install-win32/makeopenvpn
	install-win32/openssl/openssl097.patch
	install-win32/openssl/openssl098.patch
	install-win32/openvpn.nsi
	list.c
	list.h
	manage.c
	manage.h
	management/management-notes.txt
	mbuf.c
	mbuf.h
	misc.c
	misc.h
	mroute.c
	mroute.h
	msvc/autodefs.h.in
	msvc/config.py
	msvc/msvc.mak
	mtcp.c
	mudp.c
	multi.c
	multi.h
	occ.c
	openvpn-plugin.h
	openvpn.8
	openvpn.h
	options.c
	options.h
	otime.c
	otime.h
	perf.c
	pf.c
	ping.c
	pkcs11.c
	plugin.c
	plugin.h
	plugin/auth-pam/README
	plugin/auth-pam/auth-pam.c
	pool.c
	pool.h
	proto.h
	proxy.c
	ps.c
	push.c
	reliable.c
	route.c
	route.h
	sample-config-files/firewall.sh
	sample-scripts/bridge-start
	sample-scripts/bridge-stop
	sample-scripts/openvpn.init
	sample-scripts/verify-cn
	schedule.c
	schedule.h
	service-win32/openvpnserv.c
	sig.c
	socket.c
	socket.h
	socks.c
	socks.h
	ssl.c
	ssl.h
	status.c
	syshead.h
	tap-win32/SOURCES.in
	tap-win32/common.h
	tap-win32/proto.h
	tap-win32/tapdrvr.c
	tap-win32/types.h
	tun.c
	tun.h
	version.m4
	win/autodefs.h.in
	win/build.py
	win/build_all.py
	win/build_ddk.py
	win/build_exe.py
	win/config.py
	win/config_all.py
	win/config_tap.py
	win/config_ti.py
	win/js.py
	win/make_dist.py
	win/msvc.mak.in
	win/settings.in
	win/show.py
	win/sign.py
	win/tap_span.py
	win/wb.py
	win32.c
	win32.h

Signed-off-by: David Sommerseth <davids@redhat.com>
Reviewed-by: Gert Doering <gert@greenie.muc.de>
Reviewed-by: James Yonan <james@openvpn.net>
Reviewed-by: Adriaan de Jong <dejong@fox-it.com>
This commit is contained in:
David Sommerseth 2011-07-25 01:44:27 +02:00
commit 576dc96ca1
18 changed files with 1370 additions and 712 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
base64.c
View file

@ -41,7 +41,11 @@
static char base64_chars[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/*
* base64 encode input data of length size to malloced
* buffer which is returned as *str. Returns string
* length of *str.
*/
int
base64_encode(const void *data, int size, char **str)
{
@ -115,7 +119,11 @@ token_decode(const char *token)
return DECODE_ERROR;
return (marker << 24) | val;
}
/*
* Decode base64 str, outputting data to buffer
* at data of length size. Return length of
* decoded data written or -1 on error or overflow.
*/
int
base64_decode(const char *str, void *data, int size)
{

4
forward.c
View file

@ -1006,7 +1006,7 @@ process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf)
if (!c->options.passtos)
flags &= ~PIPV4_PASSTOS;
#endif
if (!c->options.route_gateway_via_dhcp || !route_list_default_gateway_needed (c->c1.route_list))
if (!c->options.route_gateway_via_dhcp || !route_list_vpn_gateway_needed (c->c1.route_list))
flags &= ~PIPV4_EXTRACT_DHCP_ROUTER;
if (buf->len > 0)
@ -1047,7 +1047,7 @@ process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf)
{
const in_addr_t dhcp_router = dhcp_extract_router_msg (&ipbuf);
if (dhcp_router)
route_list_add_default_gateway (c->c1.route_list, c->c2.es, dhcp_router);
route_list_add_vpn_gateway (c->c1.route_list, c->c2.es, dhcp_router);
}
}
}

128
init.c
View file

@ -199,6 +199,90 @@ management_callback_http_proxy_fallback_cmd (void *arg, const char *server, cons
#endif
#if MANAGEMENT_QUERY_REMOTE
static bool
management_callback_remote_cmd (void *arg, const char **p)
{
struct context *c = (struct context *) arg;
struct connection_entry *ce = &c->options.ce;
int ret = false;
if (p[1] && ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT)&CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
{
int flags = 0;
if (!strcmp(p[1], "ACCEPT"))
{
flags = CE_MAN_QUERY_REMOTE_ACCEPT;
ret = true;
}
else if (!strcmp(p[1], "SKIP"))
{
flags = CE_MAN_QUERY_REMOTE_SKIP;
ret = true;
}
else if (!strcmp(p[1], "MOD") && p[2] && p[3])
{
const int port = atoi(p[3]);
if (strlen(p[2]) < RH_HOST_LEN && legal_ipv4_port(port))
{
struct remote_host_store *rhs = c->options.rh_store;
if (!rhs)
{
ALLOC_OBJ_CLEAR_GC (rhs, struct remote_host_store, &c->options.gc);
c->options.rh_store = rhs;
}
strncpynt(rhs->host, p[2], RH_HOST_LEN);
ce->remote = rhs->host;
ce->remote_port = port;
flags = CE_MAN_QUERY_REMOTE_MOD;
ret = true;
}
}
if (ret)
{
ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
ce->flags |= ((flags&CE_MAN_QUERY_REMOTE_MASK)<<CE_MAN_QUERY_REMOTE_SHIFT);
}
}
return ret;
}
static bool
ce_management_query_remote (struct context *c, const char *remote_ip_hint)
{
struct gc_arena gc = gc_new ();
volatile struct connection_entry *ce = &c->options.ce;
int ret = true;
update_time();
if (management)
{
struct buffer out = alloc_buf_gc (256, &gc);
buf_printf (&out, ">REMOTE:%s,%d,%s", np(ce->remote), ce->remote_port, proto2ascii(ce->proto, false));
management_notify_generic(management, BSTR (&out));
ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK<<CE_MAN_QUERY_REMOTE_SHIFT);
ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY<<CE_MAN_QUERY_REMOTE_SHIFT);
while (((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK) == CE_MAN_QUERY_REMOTE_QUERY)
{
management_event_loop_n_seconds (management, 1);
if (IS_SIG (c))
{
ret = false;
break;
}
}
}
{
const int flags = ((ce->flags>>CE_MAN_QUERY_REMOTE_SHIFT) & CE_MAN_QUERY_REMOTE_MASK);
if (flags == CE_MAN_QUERY_REMOTE_ACCEPT && remote_ip_hint)
ce->remote = remote_ip_hint;
ret = (flags != CE_MAN_QUERY_REMOTE_SKIP);
}
gc_free (&gc);
return ret;
}
#endif
/*
* Initialize and possibly randomize connection list.
*/
@ -313,6 +397,15 @@ next_connection_entry (struct context *c)
c->options.ce = *ce;
#if MANAGEMENT_QUERY_REMOTE
if (ce_defined && management && management_query_remote_enabled(management))
{
/* allow management interface to override connection entry details */
ce_defined = ce_management_query_remote(c, remote_ip_hint);
if (IS_SIG (c))
break;
} else
#endif
if (remote_ip_hint)
c->options.ce.remote = remote_ip_hint;
@ -343,7 +436,13 @@ init_query_passwords (struct context *c)
#if P2MP
/* Auth user/pass input */
if (c->options.auth_user_pass_file)
auth_user_pass_setup (c->options.auth_user_pass_file);
{
#ifdef ENABLE_CLIENT_CR
auth_user_pass_setup (c->options.auth_user_pass_file, &c->options.sc_info);
#else
auth_user_pass_setup (c->options.auth_user_pass_file, NULL);
#endif
}
#endif
}
@ -598,21 +697,9 @@ init_static (void)
#ifdef TEST_GET_DEFAULT_GATEWAY
{
struct gc_arena gc = gc_new ();
in_addr_t addr;
char macaddr[6];
if (get_default_gateway(&addr, NULL))
msg (M_INFO, "GW %s", print_in_addr_t(addr, 0, &gc));
else
msg (M_INFO, "GDG ERROR");
if (get_default_gateway_mac_addr(macaddr))
msg (M_INFO, "MAC %s", format_hex_ex (macaddr, 6, 0, 1, ":", &gc));
else
msg (M_INFO, "GDGMA ERROR");
gc_free (&gc);
struct route_gateway_info rgi;
get_default_gateway(&rgi);
print_default_gateway(M_INFO, &rgi);
return false;
}
#endif
@ -1241,7 +1328,7 @@ do_route (const struct options *options,
if (!options->route_noexec && ( route_list || route_ipv6_list ) )
{
add_routes (route_list, route_ipv6_list, tt, ROUTE_OPTION_FLAGS (options), es);
setenv_int (es, "redirect_gateway", route_list->did_redirect_default_gateway);
setenv_int (es, "redirect_gateway", route_did_redirect_default_gateway(route_list));
}
#ifdef ENABLE_MANAGEMENT
if (management)
@ -2154,6 +2241,10 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
to.x509_track = options->x509_track;
#endif
#ifdef ENABLE_CLIENT_CR
to.sci = &options->sc_info;
#endif
/* TLS handshake authentication (--tls-auth) */
if (options->tls_auth_file)
{
@ -3045,6 +3136,9 @@ init_management_callback_p2p (struct context *c)
cb.show_net = management_show_net_callback;
#if HTTP_PROXY_FALLBACK
cb.http_proxy_fallback_cmd = management_callback_http_proxy_fallback_cmd;
#endif
#if MANAGEMENT_QUERY_REMOTE
cb.remote_cmd = management_callback_remote_cmd;
#endif
management_set_callback (management, &cb);
}

88
manage.c
View file

@ -86,6 +86,9 @@ man_help ()
msg (M_CLIENT, " where action is reply string.");
msg (M_CLIENT, "net : (Windows only) Show network info and routing table.");
msg (M_CLIENT, "password type p : Enter password p for a queried OpenVPN password.");
#if MANAGEMENT_QUERY_REMOTE
msg (M_CLIENT, "remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.");
#endif
msg (M_CLIENT, "pid : Show process ID of the current OpenVPN process.");
#ifdef ENABLE_PKCS11
msg (M_CLIENT, "pkcs11-id-count : Get number of available PKCS#11 identities.");
@ -606,25 +609,19 @@ man_up_finalize (struct management *man)
{
switch (man->connection.up_query_mode)
{
case UP_QUERY_DISABLED:
man->connection.up_query.defined = false;
break;
case UP_QUERY_USER_PASS:
if (strlen (man->connection.up_query.username) && strlen (man->connection.up_query.password))
man->connection.up_query.defined = true;
break;
if (!strlen (man->connection.up_query.username))
break;
/* fall through */
case UP_QUERY_PASS:
if (strlen (man->connection.up_query.password))
man->connection.up_query.defined = true;
break;
case UP_QUERY_NEED_OK:
if (strlen (man->connection.up_query.password))
man->connection.up_query.defined = true;
break;
case UP_QUERY_NEED_STR:
if (strlen (man->connection.up_query.password))
man->connection.up_query.defined = true;
break;
case UP_QUERY_DISABLED:
man->connection.up_query.defined = false;
break;
default:
ASSERT (0);
}
@ -665,16 +662,17 @@ man_query_user_pass (struct management *man,
static void
man_query_username (struct management *man, const char *type, const char *string)
{
const bool needed = (man->connection.up_query_mode == UP_QUERY_USER_PASS && man->connection.up_query_type);
const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS
) && man->connection.up_query_type);
man_query_user_pass (man, type, string, needed, "username", man->connection.up_query.username, USER_PASS_LEN);
}
static void
man_query_password (struct management *man, const char *type, const char *string)
{
const bool needed = ((man->connection.up_query_mode == UP_QUERY_USER_PASS
|| man->connection.up_query_mode == UP_QUERY_PASS)
&& man->connection.up_query_type);
const bool needed = ((man->connection.up_query_mode == UP_QUERY_PASS
|| man->connection.up_query_mode == UP_QUERY_USER_PASS
) && man->connection.up_query_type);
if (!string[0]) /* allow blank passwords to be passed through using the blank_up tag */
string = blank_up;
man_query_user_pass (man, type, string, needed, "password", man->connection.up_query.password, USER_PASS_LEN);
@ -1090,6 +1088,31 @@ man_http_proxy_fallback (struct management *man, const char *server, const char
#endif
#if MANAGEMENT_QUERY_REMOTE
static void
man_remote (struct management *man, const char **p)
{
if (man->persist.callback.remote_cmd)
{
const bool status = (*man->persist.callback.remote_cmd)(man->persist.callback.arg, p);
if (status)
{
msg (M_CLIENT, "SUCCESS: remote command succeeded");
}
else
{
msg (M_CLIENT, "ERROR: remote command failed");
}
}
else
{
msg (M_CLIENT, "ERROR: The remote command is not supported by the current daemon mode");
}
}
#endif
static void
man_dispatch_command (struct management *man, struct status_output *so, const char **p, const int nparms)
{
@ -1319,6 +1342,13 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch
man_http_proxy_fallback (man, NULL, NULL, NULL);
}
#endif
#if MANAGEMENT_QUERY_REMOTE
else if (streq (p[0], "remote"))
{
if (man_need (man, p, 1, MN_AT_LEAST))
man_remote (man, p);
}
#endif
#if 1
else if (streq (p[0], "test"))
{
@ -2339,6 +2369,12 @@ management_notify(struct management *man, const char *severity, const char *type
msg (M_CLIENT, ">NOTIFY:%s,%s,%s", severity, type, text);
}
void
management_notify_generic (struct management *man, const char *str)
{
msg (M_CLIENT, "%s", str);
}
#ifdef MANAGEMENT_DEF_AUTH
static bool
@ -2843,7 +2879,8 @@ bool
management_query_user_pass (struct management *man,
struct user_pass *up,
const char *type,
const unsigned int flags)
const unsigned int flags,
const char *static_challenge)
{
struct gc_arena gc = gc_new ();
bool ret = false;
@ -2856,7 +2893,9 @@ management_query_user_pass (struct management *man,
const char *alert_type = NULL;
const char *prefix = NULL;
unsigned int up_query_mode = 0;
#ifdef ENABLE_CLIENT_CR
const char *sc = NULL;
#endif
ret = true;
man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
man->persist.special_state_msg = NULL;
@ -2886,6 +2925,10 @@ management_query_user_pass (struct management *man,
up_query_mode = UP_QUERY_USER_PASS;
prefix = "PASSWORD";
alert_type = "username/password";
#ifdef ENABLE_CLIENT_CR
if (static_challenge)
sc = static_challenge;
#endif
}
buf_printf (&alert_msg, ">%s:Need '%s' %s",
prefix,
@ -2895,6 +2938,13 @@ management_query_user_pass (struct management *man,
if (flags & (GET_USER_PASS_NEED_OK | GET_USER_PASS_NEED_STR))
buf_printf (&alert_msg, " MSG:%s", up->username);
#ifdef ENABLE_CLIENT_CR
if (sc)
buf_printf (&alert_msg, " SC:%d,%s",
BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO),
sc);
#endif
man_wait_for_client_connection (man, &signal_received, 0, MWCC_PASSWORD_WAIT);
if (signal_received)
ret = false;
@ -2908,7 +2958,7 @@ management_query_user_pass (struct management *man,
man->connection.up_query_mode = up_query_mode;
man->connection.up_query_type = type;
/* run command processing event loop until we get our username/password */
/* run command processing event loop until we get our username/password/response */
do
{
man_standalone_event_loop (man, &signal_received, 0);

22
manage.h
View file

@ -174,6 +174,9 @@ struct management_callback
#if HTTP_PROXY_FALLBACK
bool (*http_proxy_fallback_cmd) (void *arg, const char *server, const char *port, const char *flags);
#endif
#if MANAGEMENT_QUERY_REMOTE
bool (*remote_cmd) (void *arg, const char **p);
#endif
};
/*
@ -333,6 +336,9 @@ struct management *management_init (void);
# define MF_EXTERNAL_KEY (1<<9)
#endif
#define MF_UP_DOWN (1<<10)
#if MANAGEMENT_QUERY_REMOTE
#define MF_QUERY_REMOTE (1<<11)
#endif
bool management_open (struct management *man,
const char *addr,
@ -365,7 +371,11 @@ void management_set_callback (struct management *man,
void management_clear_callback (struct management *man);
bool management_query_user_pass (struct management *man, struct user_pass *up, const char *type, const unsigned int flags);
bool management_query_user_pass (struct management *man,
struct user_pass *up,
const char *type,
const unsigned int flags,
const char *static_challenge);
bool management_should_daemonize (struct management *man);
bool management_would_hold (struct management *man);
@ -377,6 +387,8 @@ void management_up_down(struct management *man, const char *updown, const struct
void management_notify(struct management *man, const char *severity, const char *type, const char *text);
void management_notify_generic (struct management *man, const char *str);
#ifdef MANAGEMENT_DEF_AUTH
void management_notify_client_needing_auth (struct management *management,
const unsigned int auth_id,
@ -415,6 +427,14 @@ management_query_user_pass_enabled (const struct management *man)
return BOOL_CAST(man->settings.flags & MF_QUERY_PASSWORDS);
}
#if MANAGEMENT_QUERY_REMOTE
static inline bool
management_query_remote_enabled (const struct management *man)
{
return BOOL_CAST(man->settings.flags & MF_QUERY_REMOTE);
}
#endif
#ifdef MANAGEMENT_PF
static inline bool
management_enable_pf (const struct management *man)

142
management/management-notes.txt
View file

@ -687,6 +687,38 @@ the 10.0.0.0/8 netblock is allowed: 10.10.0.1. Also, the client
may not interact with external IP addresses using an "unknown"
protocol (i.e. one that is not IPv4 or ARP).
COMMAND -- remote (OpenVPN AS 2.1.5/OpenVPN 2.3 or higher)
--------------------------------------------
Provide remote host/port in response to a >REMOTE notification
(client only). Requires that the --management-query-remote
directive is used.
remote ACTION [HOST PORT]
The "remote" command should only be given in response to a >REMOTE
notification. For example, the following >REMOTE notification
indicates that the client config file would ordinarily connect
to vpn.example.com port 1194 (UDP):
>REMOTE:vpn.example.com,1194,udp
Now, suppose we want to override the host and port, connecting
instead to vpn.otherexample.com port 1234. After receiving
the above notification, use this command:
remote MOD vpn.otherexample.com 1234
To accept the same host and port as the client would ordinarily
have connected to, use this command:
remote ACCEPT
To skip the current connection entry and advance to the next one,
use this command:
remote SKIP
OUTPUT FORMAT
-------------
@ -836,3 +868,113 @@ mappings, when not in single quotations:
interpret it as enclosing a parameter.
\[SPACE] Pass a literal space or tab character, don't
interpret it as a parameter delimiter.
Challenge/Response Protocol
---------------------------
The OpenVPN Challenge/Response Protocol allows an OpenVPN server to
generate challenge questions that are shown to the user, and to see
the user's responses to those challenges. Based on the responses, the
server can allow or deny access.
In this way, the OpenVPN Challenge/Response Protocol can be used
to implement multi-factor authentication. Two different
variations on the challenge/response protocol are supported: the
"Dynamic" and "Static" protocols.
The basic idea of Challenge/Response is that the user must enter an
additional piece of information, in addition to the username and
password, to successfully authenticate. Normally, this information
is used to prove that the user posesses a certain key-like device
such as cryptographic token or a particular mobile phone.
Dynamic protocol:
The OpenVPN dynamic challenge/response protocol works by returning
a specially formatted error message after initial successful
authentication. This error message contains the challenge question,
and is formatted as such:
CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>
flags: a series of optional, comma-separated flags:
E : echo the response when the user types it
R : a response is required
state_id: an opaque string that should be returned to the server
along with the response.
username_base64 : the username formatted as base64
challenge_text : the challenge text to be shown to the user
Example challenge:
CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN
After showing the challenge_text and getting a response from the user
(if R flag is specified), the client should submit the following
auth creds back to the OpenVPN server:
Username: [username decoded from username_base64]
Password: CRV1::<state_id>::<response_text>
Where state_id is taken from the challenge request and response_text
is what the user entered in response to the challenge_text.
If the R flag is not present, response_text may be the empty
string.
Example response (suppose the user enters "8675309" for the token PIN):
Username: cr1 ("Y3Ix" base64 decoded)
Password: CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::8675309
Static protocol:
The static protocol differs from the dynamic protocol in that the
challenge question and response field is given to the user in the
initial username/password dialog, and the username, password, and
response are delivered back to the server in a single transaction.
The "static-challenge" directive is used to give the challenge text
to OpenVPN and indicate whether or not the response should be echoed.
When the "static-challenge" directive is used, the management
interface will respond as such when credentials are needed:
>PASSWORD:Need 'Auth' username/password SC:<ECHO>,<TEXT>
ECHO: "1" if response should be echoed, "0" to not echo
TEXT: challenge text that should be shown to the user to
facilitate their response
For example:
>PASSWORD:Need 'Auth' username/password SC:1,Please enter token PIN
The above notification indicates that OpenVPN needs a --auth-user-pass
password plus a response to a static challenge ("Please enter token PIN").
The "1" after the "SC:" indicates that the response should be echoed.
The management interface client in this case should add the static
challenge text to the auth dialog followed by a field for the user to
enter a response. Then the client should pack the password and response
together into an encoded password:
username "Auth" foo
password "Auth" "SCRV1:<BASE64_PASSWORD>:<BASE64_RESPONSE>"
For example, if the user entered "bar" as the password and 8675309
as the PIN, the following management interface commands should be
issued:
username "Auth" foo
password "Auth" "SCRV1:Zm9v:ODY3NTMwOQ=="
Client-side support for challenge/response protocol:
Currently, the Access Server client and standalone OpenVPN
client support both static and dynamic challenge/response
protocols. However, any OpenVPN client UI that drives OpenVPN
via the management interface needs to add explicit support
for the challenge/response protocol.

72
misc.c
View file

@ -1403,10 +1403,16 @@ get_user_pass_cr (struct user_pass *up,
&& ((auth_file && streq (auth_file, "management")) || (from_stdin && (flags & GET_USER_PASS_MANAGEMENT)))
&& management_query_user_pass_enabled (management))
{
const char *sc = NULL;
if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
management_auth_failure (management, prefix, "previous auth credentials failed");
if (!management_query_user_pass (management, up, prefix, flags))
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE))
sc = auth_challenge;
#endif
if (!management_query_user_pass (management, up, prefix, flags, sc))
{
if ((flags & GET_USER_PASS_NOFATAL) != 0)
return false;
@ -1438,7 +1444,7 @@ get_user_pass_cr (struct user_pass *up,
else if (from_stdin)
{
#ifdef ENABLE_CLIENT_CR
if (auth_challenge)
if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
{
struct auth_challenge_info *ac = get_auth_challenge (auth_challenge, &gc);
if (ac)
@ -1447,7 +1453,7 @@ get_user_pass_cr (struct user_pass *up,
struct buffer packed_resp;
buf_set_write (&packed_resp, (uint8_t*)up->password, USER_PASS_LEN);
msg (M_INFO, "CHALLENGE: %s", ac->challenge_text);
msg (M_INFO|M_NOPREFIX, "CHALLENGE: %s", ac->challenge_text);
if (!get_console_input ("Response:", BOOL_CAST(ac->flags&CR_ECHO), response, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not read challenge response from stdin");
strncpynt (up->username, ac->user, USER_PASS_LEN);
@ -1477,6 +1483,28 @@ get_user_pass_cr (struct user_pass *up,
if (!get_console_input (BSTR (&pass_prompt), false, up->password, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not not read %s password from stdin", prefix);
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE))
{
char *response = (char *) gc_malloc (USER_PASS_LEN, false, &gc);
struct buffer packed_resp;
char *pw64=NULL, *resp64=NULL;
msg (M_INFO|M_NOPREFIX, "CHALLENGE: %s", auth_challenge);
if (!get_console_input ("Response:", BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO), response, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not read static challenge response from stdin");
if (base64_encode(up->password, strlen(up->password), &pw64) == -1
|| base64_encode(response, strlen(response), &resp64) == -1)
msg (M_FATAL, "ERROR: could not base64-encode password/static_response");
buf_set_write (&packed_resp, (uint8_t*)up->password, USER_PASS_LEN);
buf_printf (&packed_resp, "SCRV1:%s:%s", pw64, resp64);
string_clear(pw64);
free(pw64);
string_clear(resp64);
free(resp64);
}
#endif
}
}
else
@ -1544,42 +1572,8 @@ get_user_pass_cr (struct user_pass *up,
#ifdef ENABLE_CLIENT_CR
/*
* Parse a challenge message returned along with AUTH_FAILED.
* The message is formatted as such:
*
* CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>
*
* flags: a series of optional, comma-separated flags:
* E : echo the response when the user types it
* R : a response is required
*
* state_id: an opaque string that should be returned to the server
* along with the response.
*
* username_base64 : the username formatted as base64
*
* challenge_text : the challenge text to be shown to the user
*
* Example challenge:
*
* CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN
*
* After showing the challenge_text and getting a response from the user
* (if R flag is specified), the client should submit the following
* auth creds back to the OpenVPN server:
*
* Username: [username decoded from username_base64]
* Password: CRV1::<state_id>::<response_text>
*
* Where state_id is taken from the challenge request and response_text
* is what the user entered in response to the challenge_text.
* If the R flag is not present, response_text may be the empty
* string.
*
* Example response (suppose the user enters "8675309" for the token PIN):
*
* Username: cr1 ("Y3Ix" base64 decoded)
* Password: CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::8675309
* See management/management-notes.txt for more info on the
* the dynamic challenge/response protocol implemented here.
*/
struct auth_challenge_info *
get_auth_challenge (const char *auth_challenge, struct gc_arena *gc)

15
misc.h
View file

@ -278,8 +278,19 @@ struct auth_challenge_info {
struct auth_challenge_info *get_auth_challenge (const char *auth_challenge, struct gc_arena *gc);
/*
* Challenge response info on client as pushed by server.
*/
struct static_challenge_info {
# define SC_ECHO (1<<0) /* echo response when typed by user */
unsigned int flags;
const char *challenge_text;
};
#else
struct auth_challenge_info {};
struct static_challenge_info {};
#endif
bool get_console_input (const char *prompt, const bool echo, char *input, const int capacity);
@ -295,6 +306,10 @@ bool get_console_input (const char *prompt, const bool echo, char *input, const
#define GET_USER_PASS_NEED_STR (1<<5)
#define GET_USER_PASS_PREVIOUS_CREDS_FAILED (1<<6)
#define GET_USER_PASS_DYNAMIC_CHALLENGE (1<<7) /* CRV1 protocol -- dynamic challenge */
#define GET_USER_PASS_STATIC_CHALLENGE (1<<8) /* SCRV1 protocol -- static challenge */
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /* SCRV1 protocol -- echo response */
bool get_user_pass_cr (struct user_pass *up,
const char *auth_file,
const char *prefix,

5
mtcp.c
View file

@ -150,11 +150,6 @@ multi_tcp_instance_specific_init (struct multi_context *m, struct multi_instance
ASSERT (mi->context.c2.link_socket);
ASSERT (mi->context.c2.link_socket->info.lsa);
ASSERT (mi->context.c2.link_socket->mode == LS_MODE_TCP_ACCEPT_FROM);
ASSERT (mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == AF_INET
#ifdef USE_PF_INET6
|| mi->context.c2.link_socket->info.lsa->actual.dest.addr.sa.sa_family == AF_INET6
#endif
);
if (!mroute_extract_openvpn_sockaddr (&mi->real, &mi->context.c2.link_socket->info.lsa->actual.dest, true))
{
msg (D_MULTI_ERRORS, "MULTI TCP: TCP client address is undefined");

47
openvpn.8
View file

@ -1114,8 +1114,8 @@ addresses in packets.
.\"*********************************************************
.TP
.B \-\-redirect-gateway flags...
(Experimental) Automatically execute routing commands to cause all outgoing IP traffic
to be redirected over the VPN.
Automatically execute routing commands to cause all outgoing IP traffic
to be redirected over the VPN. This is a client-side option.
This option performs three steps:
@ -1154,6 +1154,11 @@ flag will cause step
.B 1
above to be omitted.
.B autolocal \-\-
Try to automatically determine whether to enable
.B local
flag above.
.B def1 \-\-
Use this flag to override
the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
@ -1172,12 +1177,10 @@ bypasses the tunnel
(Available on Windows clients, may not be available
on non-Windows clients).
Using the def1 flag is highly recommended.
.\"*********************************************************
.TP
.B \-\-redirect-private [flags]
Like \-\-redirect-gateway, but omit actually changing the default
gateway. Useful when pushing private subnets.
.B block-local \-\-
Block access to local LAN when the tunnel is active, except for
the LAN gateway itself. This is accomplished by routing the local
LAN (except for the LAN gateway address) into the tunnel.
.\"*********************************************************
.TP
.B \-\-link-mtu n
@ -1185,6 +1188,12 @@ Sets an upper bound on the size of UDP packets which are sent
between OpenVPN peers. It's best not to set this parameter unless
you know what you're doing.
.\"*********************************************************
.\"*********************************************************
.TP
.B \-\-redirect-private [flags]
Like \-\-redirect-gateway, but omit actually changing the default
gateway. Useful when pushing private subnets.
.\"*********************************************************
.TP
.B \-\-tun-mtu n
Take the TUN device MTU to be
@ -2406,6 +2415,12 @@ for inputs which ordinarily would have been queried from the
console.
.\"*********************************************************
.TP
.B \-\-management-query-remote
Allow management interface to override
.B \-\-remote
directives (client-only).
.\"*********************************************************
.TP
.B \-\-management-forget-disconnect
Make OpenVPN forget passwords when management session
disconnects.
@ -3425,6 +3440,21 @@ Note that while this option cannot be pushed, it can be controlled
from the management interface.
.\"*********************************************************
.TP
.B \-\-static\-challenge t e
Enable static challenge/response protocol using challenge text
.B t,
with
echo flag given by
.B e
(0|1).
The echo flag indicates whether or not the user's response
to the challenge should be echoed.
See management\-notes.txt in the OpenVPN distribution for a
description of the OpenVPN challenge/response protocol.
.\"*********************************************************
.TP
.B \-\-server-poll-timeout n
when polling possible remote servers to connect to
in a round-robin fashion, spend no more than
@ -5532,6 +5562,7 @@ script being run. It can be one of the following:
.B client-connect, client-disconnect,
or
.B learn-address.
Set prior to execution of any script.
.\"*********************************************************
.TP
.B signal

34
options.c
View file

@ -358,6 +358,9 @@ static const char usage_message[] =
" ip/port rather than listen as a TCP server.\n"
"--management-query-passwords : Query management channel for private key\n"
" and auth-user-pass passwords.\n"
#if MANAGEMENT_QUERY_REMOTE
"--management-query-remote : Query management channel for --remote directive.\n"
#endif
"--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
" of the management interface explicitly starts it.\n"
"--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
@ -469,6 +472,8 @@ static const char usage_message[] =
" when connecting to a '--mode server' remote host.\n"
"--auth-retry t : How to handle auth failures. Set t to\n"
" none (default), interact, or nointeract.\n"
"--static-challenge t e : Enable static challenge/response protocol using\n"
" challenge text t, with e indicating echo flag (0|1)\n"
"--server-poll-timeout n : when polling possible remote servers to connect to\n"
" in a round-robin fashion, spend no more than n seconds\n"
" waiting for a response before trying the next server.\n"
@ -701,6 +706,9 @@ static const char usage_message[] =
"--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
" --verb option can be added *BEFORE* this.\n"
#endif /* ENABLE_PKCS11 */
"\n"
"General Standalone Options:\n"
"--show-gateway : Show info about default gateway.\n"
;
#endif /* !ENABLE_SMALL */
@ -3845,6 +3853,14 @@ add_option (struct options *options,
read_config_file (options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
}
else if (streq (p[0], "show-gateway"))
{
struct route_gateway_info rgi;
VERIFY_PERMISSION (OPT_P_GENERAL);
get_default_gateway(&rgi);
print_default_gateway(M_INFO, &rgi);
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
#if 0
else if (streq (p[0], "foreign-option") && p[1])
{
@ -3928,6 +3944,13 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_QUERY_PASSWORDS;
}
#if MANAGEMENT_QUERY_REMOTE
else if (streq (p[0], "management-query-remote"))
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_QUERY_REMOTE;
}
#endif
else if (streq (p[0], "management-hold"))
{
VERIFY_PERMISSION (OPT_P_GENERAL);
@ -5031,6 +5054,8 @@ add_option (struct options *options,
options->routes->flags |= RG_BYPASS_DHCP;
else if (streq (p[j], "bypass-dns"))
options->routes->flags |= RG_BYPASS_DNS;
else if (streq (p[j], "block-local"))
options->routes->flags |= RG_BLOCK_LOCAL;
else
{
msg (msglevel, "unknown --%s flag: %s", p[0], p[j]);
@ -5611,6 +5636,15 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_GENERAL);
auth_retry_set (msglevel, p[1]);
}
#ifdef ENABLE_CLIENT_CR
else if (streq (p[0], "static-challenge") && p[1] && p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->sc_info.challenge_text = p[1];
if (atoi(p[2]))
options->sc_info.flags |= SC_ECHO;
}
#endif
#endif
#ifdef WIN32
else if (streq (p[0], "win-sys") && p[1])

25
options.h
View file

@ -110,7 +110,15 @@ struct connection_entry
# define CE_HTTP_PROXY_FALLBACK (1<<1)
time_t ce_http_proxy_fallback_timestamp; /* time when fallback http_proxy_options was last updated */
#endif
#if MANAGEMENT_QUERY_REMOTE
# define CE_MAN_QUERY_REMOTE_UNDEF 0
# define CE_MAN_QUERY_REMOTE_QUERY 1
# define CE_MAN_QUERY_REMOTE_ACCEPT 2
# define CE_MAN_QUERY_REMOTE_MOD 3
# define CE_MAN_QUERY_REMOTE_SKIP 4
# define CE_MAN_QUERY_REMOTE_MASK (0x07)
# define CE_MAN_QUERY_REMOTE_SHIFT (2)
#endif
unsigned int flags;
};
@ -150,6 +158,14 @@ struct hpo_store
};
#endif
#if MANAGEMENT_QUERY_REMOTE
struct remote_host_store
{
# define RH_HOST_LEN 80
char host[RH_HOST_LEN];
};
#endif
/* Command line options */
struct options
{
@ -202,6 +218,10 @@ struct options
struct hpo_store *hpo_store; /* used to store dynamic proxy info given by management interface */
#endif
#if MANAGEMENT_QUERY_REMOTE
struct remote_host_store *rh_store;
#endif
bool remote_random;
const char *ipchange;
const char *dev;
@ -457,6 +477,9 @@ struct options
int scheduled_exit_interval;
#ifdef ENABLE_CLIENT_CR
struct static_challenge_info sc_info;
#endif
#endif
#ifdef USE_CRYPTO

1301
route.c
View file

File diff suppressed because it is too large Load diff

116
route.h
View file

@ -29,6 +29,7 @@
#ifndef ROUTE_H
#define ROUTE_H
#include "basic.h"
#include "tun.h"
#include "misc.h"
@ -58,15 +59,17 @@ struct route_bypass
struct route_special_addr
{
/* bits indicating which members below are defined */
# define RTSA_REMOTE_ENDPOINT (1<<0)
# define RTSA_REMOTE_HOST (1<<1)
# define RTSA_DEFAULT_METRIC (1<<2)
unsigned int flags;
in_addr_t remote_endpoint;
bool remote_endpoint_defined;
in_addr_t net_gateway;
bool net_gateway_defined;
in_addr_t remote_host;
bool remote_host_defined;
int remote_host_local; /* TLA_x value */
struct route_bypass bypass;
int default_metric;
bool default_metric_defined;
};
struct route_option {
@ -84,9 +87,10 @@ struct route_option {
#define RG_BYPASS_DNS (1<<4)
#define RG_REROUTE_GW (1<<5)
#define RG_AUTO_LOCAL (1<<6)
#define RG_BLOCK_LOCAL (1<<7)
struct route_option_list {
unsigned int flags;
unsigned int flags; /* RG_x flags */
int capacity;
int n;
struct route_option routes[EMPTY_ARRAY_SIZE];
@ -106,26 +110,17 @@ struct route_ipv6_option_list {
};
struct route {
bool defined;
# define RT_DEFINED (1<<0)
# define RT_ADDED (1<<1)
# define RT_METRIC_DEFINED (1<<2)
unsigned int flags;
const struct route_option *option;
in_addr_t network;
in_addr_t netmask;
in_addr_t gateway;
bool metric_defined;
int metric;
};
struct route_list {
bool routes_added;
struct route_special_addr spec;
unsigned int flags;
bool did_redirect_default_gateway;
bool did_local;
int capacity;
int n;
struct route routes[EMPTY_ARRAY_SIZE];
};
struct route_ipv6 {
bool defined;
const struct route_ipv6_option *option;
@ -151,6 +146,52 @@ struct route_ipv6_list {
};
struct route_gateway_address {
in_addr_t addr;
in_addr_t netmask;
};
struct route_gateway_info {
# define RGI_ADDR_DEFINED (1<<0) /* set if gateway.addr defined */
# define RGI_NETMASK_DEFINED (1<<1) /* set if gateway.netmask defined */
# define RGI_HWADDR_DEFINED (1<<2) /* set if hwaddr is defined */
# define RGI_IFACE_DEFINED (1<<3) /* set if iface is defined */
# define RGI_OVERFLOW (1<<4) /* set if more interface addresses than will fit in addrs */
unsigned int flags;
/* gateway interface */
# ifdef WIN32
DWORD adapter_index; /* interface or ~0 if undefined */
#else
char iface[16]; /* interface name (null terminated), may be empty */
#endif
/* gateway interface hardware address */
uint8_t hwaddr[6];
/* gateway/router address */
struct route_gateway_address gateway;
/* address/netmask pairs bound to interface */
# define RGI_N_ADDRESSES 8
int n_addrs; /* len of addrs, may be 0 */
struct route_gateway_address addrs[RGI_N_ADDRESSES]; /* local addresses attached to iface */
};
struct route_list {
# define RL_DID_REDIRECT_DEFAULT_GATEWAY (1<<0)
# define RL_DID_LOCAL (1<<1)
# define RL_ROUTES_ADDED (1<<2)
unsigned int iflags;
struct route_special_addr spec;
struct route_gateway_info rgi;
unsigned int flags; /* RG_x flags */
int capacity;
int n;
struct route routes[EMPTY_ARRAY_SIZE];
};
#if P2MP
/* internal OpenVPN route */
struct iroute {
@ -168,16 +209,22 @@ struct iroute_ipv6 {
struct route_option_list *new_route_option_list (const int max_routes, struct gc_arena *a);
struct route_ipv6_option_list *new_route_ipv6_option_list (const int max_routes, struct gc_arena *a);
struct route_option_list *clone_route_option_list (const struct route_option_list *src, struct gc_arena *a);
void copy_route_option_list (struct route_option_list *dest, const struct route_option_list *src);
struct route_list *new_route_list (const int max_routes, struct gc_arena *a);
struct route_ipv6_list *new_route_ipv6_list (const int max_routes, struct gc_arena *a);
void add_route (struct route *r, const struct tuntap *tt, unsigned int flags, const struct env_set *es);
void add_route_ipv6 (struct route_ipv6 *r, const struct tuntap *tt, unsigned int flags, const struct env_set *es);
void delete_route_ipv6 (const struct route_ipv6 *r, const struct tuntap *tt, unsigned int flags, const struct env_set *es);
void add_route (struct route *r,
const struct tuntap *tt,
unsigned int flags,
const struct route_gateway_info *rgi,
const struct env_set *es);
void add_route_to_option_list (struct route_option_list *l,
const char *network,
const char *netmask,
@ -202,9 +249,9 @@ bool init_route_ipv6_list (struct route_ipv6_list *rl6,
int default_metric,
struct env_set *es);
void route_list_add_default_gateway (struct route_list *rl,
struct env_set *es,
const in_addr_t addr);
void route_list_add_vpn_gateway (struct route_list *rl,
struct env_set *es,
const in_addr_t addr);
void add_routes (struct route_list *rl,
struct route_ipv6_list *rl6,
@ -221,9 +268,12 @@ void delete_routes (struct route_list *rl,
void setenv_routes (struct env_set *es, const struct route_list *rl);
void setenv_routes_ipv6 (struct env_set *es, const struct route_ipv6_list *rl6);
bool is_special_addr (const char *addr_str);
bool get_default_gateway (in_addr_t *ip, in_addr_t *netmask);
void get_default_gateway (struct route_gateway_info *rgi);
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi);
/*
* Test if addr is reachable via a local interface (return ILA_LOCAL),
@ -234,11 +284,7 @@ bool get_default_gateway (in_addr_t *ip, in_addr_t *netmask);
#define TLA_NOT_IMPLEMENTED 0
#define TLA_NONLOCAL 1
#define TLA_LOCAL 2
int test_local_addr (const in_addr_t addr);
#if AUTO_USERID || defined(ENABLE_PUSH_PEER_INFO)
bool get_default_gateway_mac_addr (unsigned char *macaddr);
#endif
int test_local_addr (const in_addr_t addr, const struct route_gateway_info *rgi);
#ifdef ENABLE_DEBUG
void print_route_options (const struct route_option_list *rol,
@ -251,7 +297,7 @@ void print_routes (const struct route_list *rl, int level);
void show_routes (int msglev);
bool test_routes (const struct route_list *rl, const struct tuntap *tt);
bool add_route_ipapi (const struct route *r, const struct tuntap *tt);
bool add_route_ipapi (const struct route *r, const struct tuntap *tt, DWORD adapter_index);
bool del_route_ipapi (const struct route *r, const struct tuntap *tt);
#else
@ -271,12 +317,18 @@ netbits_to_netmask (const int netbits)
}
static inline bool
route_list_default_gateway_needed (const struct route_list *rl)
route_list_vpn_gateway_needed (const struct route_list *rl)
{
if (!rl)
return false;
else
return !rl->spec.remote_endpoint_defined;
return !(rl->spec.flags & RTSA_REMOTE_ENDPOINT);
}
static inline int
route_did_redirect_default_gateway(const struct route_list *rl)
{
return BOOL_CAST(rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY);
}
#endif

41
ssl.c
View file

@ -52,6 +52,7 @@
#include "pkcs11.h"
#include "list.h"
#include "base64.h"
#include "route.h"
#ifdef WIN32
#include "cryptoapi.h"
@ -295,17 +296,35 @@ static char *auth_challenge; /* GLOBAL */
#endif
void
auth_user_pass_setup (const char *auth_file)
auth_user_pass_setup (const char *auth_file, const struct static_challenge_info *sci)
{
auth_user_pass_enabled = true;
if (!auth_user_pass.defined)
{
#if AUTO_USERID
get_user_pass_auto_userid (&auth_user_pass, auth_file);
#elif defined(ENABLE_CLIENT_CR)
get_user_pass_cr (&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE, auth_challenge);
#else
get_user_pass (&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE);
# ifdef ENABLE_CLIENT_CR
if (auth_challenge) /* dynamic challenge/response */
get_user_pass_cr (&auth_user_pass,
auth_file,
UP_TYPE_AUTH,
GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE|GET_USER_PASS_DYNAMIC_CHALLENGE,
auth_challenge);
else if (sci) /* static challenge response */
{
int flags = GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE|GET_USER_PASS_STATIC_CHALLENGE;
if (sci->flags & SC_ECHO)
flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO;
get_user_pass_cr (&auth_user_pass,
auth_file,
UP_TYPE_AUTH,
flags,
sci->challenge_text);
}
else
# endif
get_user_pass (&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE);
#endif
}
}
@ -4033,10 +4052,10 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
/* push mac addr */
{
bool get_default_gateway_mac_addr (unsigned char *macaddr);
uint8_t macaddr[6];
get_default_gateway_mac_addr (macaddr);
buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (macaddr, 6, 0, 1, ":", &gc));
struct route_gateway_info rgi;
get_default_gateway (&rgi);
if (rgi.flags & RGI_HWADDR_DEFINED)
buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
}
/* push LZO status */
@ -4097,7 +4116,11 @@ key_method_2_write (struct buffer *buf, struct tls_session *session)
/* write username/password if specified */
if (auth_user_pass_enabled)
{
auth_user_pass_setup (NULL);
#ifdef ENABLE_CLIENT_CR
auth_user_pass_setup (NULL, session->opt->sci);
#else
auth_user_pass_setup (NULL, NULL);
#endif
if (!write_string (buf, auth_user_pass.username, -1))
goto error;
if (!write_string (buf, auth_user_pass.password, -1))

6
ssl.h
View file

@ -519,6 +519,10 @@ struct tls_options
const struct x509_track *x509_track;
#endif
#ifdef ENABLE_CLIENT_CR
const struct static_challenge_info *sci;
#endif
/* --gremlin bits */
int gremlin;
};
@ -723,7 +727,7 @@ void get_highest_preference_tls_cipher (char *buf, int size);
void pem_password_setup (const char *auth_file);
int pem_password_callback (char *buf, int size, int rwflag, void *u);
void auth_user_pass_setup (const char *auth_file);
void auth_user_pass_setup (const char *auth_file, const struct static_challenge_info *sc_info);
void ssl_set_auth_nocache (void);
void ssl_set_auth_token (const char *token);
void ssl_purge_auth (const bool auth_user_pass_only);

11
syshead.h
View file

@ -651,6 +651,15 @@ socket_defined (const socket_descriptor_t sd)
#define HTTP_PROXY_FALLBACK 0
#endif
/*
* Should we include --management-query-remote functionality
*/
#if defined(ENABLE_CONNECTION) && defined(ENABLE_MANAGEMENT)
#define MANAGEMENT_QUERY_REMOTE 1
#else
#define MANAGEMENT_QUERY_REMOTE 0
#endif
/*
* Reduce sensitivity to system clock instability
* and backtracks.
@ -674,7 +683,7 @@ socket_defined (const socket_descriptor_t sd)
#endif
/*
* Do we support challenge/response authentication, as a console-based client?
* Do we support challenge/response authentication as client?
*/
#define ENABLE_CLIENT_CR

13
tun.c
View file

@ -248,11 +248,12 @@ check_subnet_conflict (const in_addr_t ip,
const in_addr_t netmask,
const char *prefix)
{
#if 0 /* too many false positives */
struct gc_arena gc = gc_new ();
in_addr_t lan_gw = 0;
in_addr_t lan_netmask = 0;
if (get_default_gateway (&lan_gw, &lan_netmask))
if (get_default_gateway (&lan_gw, &lan_netmask) && lan_netmask)
{
const in_addr_t lan_network = lan_gw & lan_netmask;
const in_addr_t network = ip & netmask;
@ -270,18 +271,20 @@ check_subnet_conflict (const in_addr_t ip,
}
}
gc_free (&gc);
#endif
}
void
warn_on_use_of_common_subnets (void)
{
struct gc_arena gc = gc_new ();
in_addr_t lan_gw = 0;
in_addr_t lan_netmask = 0;
struct route_gateway_info rgi;
const int needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
if (get_default_gateway (&lan_gw, &lan_netmask))
get_default_gateway (&rgi);
if ((rgi.flags & needed) == needed)
{
const in_addr_t lan_network = lan_gw & lan_netmask;
const in_addr_t lan_network = rgi.gateway.addr & rgi.gateway.netmask;
if (lan_network == 0xC0A80000 || lan_network == 0xC0A80100)
msg (M_WARN, "NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.");
}