From 3cf9dd88fd84108eccfcce0ebf44e00f9481cd82 Mon Sep 17 00:00:00 2001
From: James Yonan <james@openvpn.net>
Date: Sun, 24 Oct 2010 09:12:47 +0000
Subject: Implement challenge/response authentication support in client mode,
 where credentials are entered from stdin.  This capability is compiled when
 ENABLE_CLIENT_CR is defined in syshead.h (enabled by default).

Challenge/response support was previously implemented for creds
that are queried via the management interface.  In this case,
the challenge message will be returned as a custom
client-reason-text string (see management-notes.txt for more
info) on auth failure.

Also, see the comments in misc.c above get_auth_challenge()
for info on the OpenVPN challenge/response protocol.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6568 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 ssl.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

(limited to 'ssl.c')

diff --git a/ssl.c b/ssl.c
index a1268ac..dffe882 100644
--- a/ssl.c
+++ b/ssl.c
@@ -286,6 +286,10 @@ pem_password_callback (char *buf, int size, int rwflag, void *u)
 static bool auth_user_pass_enabled;     /* GLOBAL */
 static struct user_pass auth_user_pass; /* GLOBAL */
 
+#ifdef ENABLE_CLIENT_CR
+static char *auth_challenge; /* GLOBAL */
+#endif
+
 void
 auth_user_pass_setup (const char *auth_file)
 {
@@ -294,6 +298,8 @@ auth_user_pass_setup (const char *auth_file)
     {
 #if AUTO_USERID
       get_user_pass_auto_userid (&auth_user_pass, auth_file);
+#elif defined(ENABLE_CLIENT_CR)
+      get_user_pass_cr (&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE, auth_challenge);
 #else
       get_user_pass (&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE);
 #endif
@@ -321,8 +327,29 @@ ssl_purge_auth (void)
 #endif
   purge_user_pass (&passbuf, true);
   purge_user_pass (&auth_user_pass, true);
+#ifdef ENABLE_CLIENT_CR
+  ssl_purge_auth_challenge();
+#endif
+}
+
+#ifdef ENABLE_CLIENT_CR
+
+void
+ssl_purge_auth_challenge (void)
+{
+  free (auth_challenge);
+  auth_challenge = NULL;
 }
 
+void
+ssl_put_auth_challenge (const char *cr_str)
+{
+  ssl_purge_auth_challenge();
+  auth_challenge = string_alloc(cr_str, NULL);
+}
+
+#endif
+
 /*
  * OpenSSL callback to get a temporary RSA key, mostly
  * used for export ciphers.
-- 
cgit