From 3cf9dd88fd84108eccfcce0ebf44e00f9481cd82 Mon Sep 17 00:00:00 2001
From: James Yonan
Date: Sun, 24 Oct 2010 09:12:47 +0000
Subject: Implement challenge/response authentication support in client mode, where credentials are entered from stdin. This capability is compiled when ENABLE_CLIENT_CR is defined in syshead.h (enabled by default). Challenge/response support was previously implemented for creds that are queried via the management interface. In this case, the challenge message will be returned as a custom client-reason-text string (see management-notes.txt for more info) on auth failure. Also, see the comments in misc.c above get_auth_challenge() for info on the OpenVPN challenge/response protocol.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6568 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 misc.h | 38 ++++++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-) (limited to 'misc.h')
diff --git a/misc.h b/misc.h
index 328107d..3cd7d9e 100644
--- a/misc.h
+++ b/misc.h
@@ -252,6 +252,26 @@ struct user_pass
 char password[USER_PASS_LEN];
 };
 
+#ifdef ENABLE_CLIENT_CR
+/*
+ * Challenge response info on client as pushed by server.
+ */
+struct auth_challenge_info {
+# define CR_ECHO (1<<0) /* echo response when typed by user */
+# define CR_RESPONSE (1<<1) /* response needed */
+ unsigned int flags;
+
+ const char *user;
+ const char *state_id;
+ const char *challenge_text;
+};
+
+struct auth_challenge_info *get_auth_challenge (const char *auth_challenge, struct gc_arena *gc);
+
+#else
+struct auth_challenge_info {};
+#endif
+
 bool get_console_input (const char *prompt, const bool echo, char *input, const int capacity);
 
 /*
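Review bot: The `#else` fallback `struct auth_challenge_info {};` declares a struct with no members, which is a GCC extension rather than ISO C (C11 requires at least one named member), so a `-pedantic` or non-GCC build with ENABLE_CLIENT_CR undefined will reject this header. If the non-CR build only ever handles this type by pointer, a forward declaration `struct auth_challenge_info;` in the `#else` branch is portable and sufficient; otherwise a single dummy member is needed. Separately, the `get_auth_challenge` prototype carries no comment on the result's lifetime (presumably the `gc` arena, given the parameter) or on what is returned for a malformed string — misc.c is outside this diff, so a caller reading only the header cannot tell whether NULL must be checked. Since the struct comment already says the data is "pushed by server", it is worth adding that `challenge_text` is server-controlled and should be treated as untrusted text by whatever prints it to the console, e.g. `/* all string fields are server-supplied; do not treat as a trusted prompt */`.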
@@ -265,10 +285,20 @@ bool get_console_input (const char *prompt, const bool echo, char *input, const
 #define GET_USER_PASS_NEED_STR (1<<5)
 #define GET_USER_PASS_PREVIOUS_CREDS_FAILED (1<<6)
 
-bool get_user_pass (struct user_pass *up,
- const char *auth_file,
- const char *prefix,
- const unsigned int flags);
+bool get_user_pass_cr (struct user_pass *up,
+ const char *auth_file,
+ const char *prefix,
+ const unsigned int flags,
+ const char *auth_challenge);
+
+static inline bool
+get_user_pass (struct user_pass *up,
+ const char *auth_file,
+ const char *prefix,
+ const unsigned int flags)
+{
+ return get_user_pass_cr (up, auth_file, prefix, flags, NULL);
+}
 
 void fail_user_pass (const char *prefix,
 const unsigned int flags,
-- cgit
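Review bot: The new `get_user_pass_cr` prototype does not document its `auth_challenge` parameter — from the first hunk it is the server-pushed challenge string — nor that NULL means "no challenge", which is the contract the inline `get_user_pass` wrapper silently relies on. A comment above the prototype such as `/* auth_challenge: server-pushed CR string, or NULL for plain username/password; see get_auth_challenge() in misc.c */` makes that explicit for callers of either entry point. The prototype is unconditional while `get_auth_challenge` exists only under ENABLE_CLIENT_CR, so the comment should also say what a non-NULL `auth_challenge` does in a non-CR build (misc.c is outside this diff, so I cannot tell). Because the wrapper is `static inline` in the header, every translation unit gets its own copy; fine for a one-line forward, but any later change to the no-challenge default has to be made here rather than in misc.c.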