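diff -Naur openvpn-2.4.5/src/openvpn/console.h openvpn-2.4.5_bug-538/src/openvpn/console.h
--- a/src/openvpn/console.h
+++ b/src/openvpn/console.h
@@ -116,4 +116,22 @@
 return query_user_exec();
 }
 
+/**
+* A plain "make Gert happy" wrapper over built-in user querying method.
+* Same arguments as @query_user_add
+*
+* Allows to use built-in method for PKCS11 PIN prompt regardless of
+* the systemd support status and presence,
+* see https://community.openvpn.net/openvpn/ticket/538 for details.
+*/
+static inline bool
+query_user_builtin_SINGLE(char *prompt, size_t prompt_len,
+char *resp, size_t resp_len,
+bool echo)
+{
+query_user_clear();
+query_user_add(prompt, prompt_len, resp, resp_len, echo);
+return query_user_exec_builtin();
+}
+
 #endif /* ifndef CONSOLE_H */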
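Review bot: The doc comment on `query_user_builtin_SINGLE` (new lines 119-126) copies the "make Gert happy" prelude instead of stating what distinguishes this wrapper from the one whose `return query_user_exec();` is visible at line 116; I'd replace it with `/** Like query_user_SINGLE(), but always prompts through the built-in reader (query_user_exec_builtin()), never through the systemd ask-password path; the result of query_user_exec_builtin() is returned unchanged, and callers treat false as "no response read" and must not use resp then. See ticket 538. */`. The body appears to be the same three calls as the existing wrapper with only the exec call swapped, so a later change to one is likely to miss the other; a shared static inline taking the exec function as a `bool (*exec)(void)` parameter would keep them in step. The body also relies on `query_user_exec_builtin()` being declared above this point in the header, which the hunk does not show — worth confirming.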
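diff -Naur openvpn-2.4.5/src/openvpn/misc.c openvpn-2.4.5_bug-538/src/openvpn/misc.c
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -930,10 +930,19 @@
 struct buffer user_prompt = alloc_buf_gc(128, &gc);
 
 buf_printf(&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
-if (!query_user_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt),
-up->password, USER_PASS_LEN, false))
-{
-msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
+if (flags & GET_USER_PASS_FORCE_BUILTIN) {
+if (!query_user_builtin_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt),
+up->password, USER_PASS_LEN, false))
+{
+msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
+}
+}
+else {
+if (!query_user_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt),
+up->password, USER_PASS_LEN, false))
+{
+msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
+}
 }
 
 if (!strlen(up->password))
@@ -941,7 +950,7 @@
 strcpy(up->password, "ok");
 }
 }
-else if (flags & GET_USER_PASS_INLINE_CREDS)
+else if (flags & GET_USER_PASS_NEED_OK)
 {
 struct buffer buf;
 buf_set_read(&buf, (uint8_t *) auth_file, strlen(auth_file) + 1);
@@ -1030,10 +1039,19 @@
 buf_printf(&challenge, "CHALLENGE: %s", ac->challenge_text);
 buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN);
 
-if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
-response, USER_PASS_LEN, BOOL_CAST(ac->flags&CR_ECHO)))
-{
-msg(M_FATAL, "ERROR: could not read challenge response from stdin");
+if (flags & GET_USER_PASS_FORCE_BUILTIN) {
+if (!query_user_builtin_SINGLE(BSTR(&challenge), BLEN(&challenge),
+response, USER_PASS_LEN, BOOL_CAST(ac->flags&CR_ECHO)))
+{
+msg(M_FATAL, "ERROR: could not read challenge response from stdin");
+}
+}
+else {
+if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
+response, USER_PASS_LEN, BOOL_CAST(ac->flags&CR_ECHO)))
+{
+msg(M_FATAL, "ERROR: could not read challenge response from stdin");
+}
 }
 strncpynt(up->username, ac->user, USER_PASS_LEN);
 buf_printf(&packed_resp, "CRV1::%s::%s", ac->state_id, response);
@@ -1065,9 +1083,17 @@
 up->password, USER_PASS_LEN, false);
 }
 
-if (!query_user_exec() )
-{
-msg(M_FATAL, "ERROR: Failed retrieving username or password");
+if (flags & GET_USER_PASS_FORCE_BUILTIN) {
+if (!query_user_exec_builtin() )
+{
+msg(M_FATAL, "ERROR: Failed retrieving username or password");
+}
+}
+else {
+if (!query_user_exec() )
+{
+msg(M_FATAL, "ERROR: Failed retrieving username or password");
+}
 }
 
 if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
@@ -1088,11 +1114,21 @@
 challenge = alloc_buf_gc(14+strlen(auth_challenge), &gc);
 buf_printf(&challenge, "CHALLENGE: %s", auth_challenge);
 
-if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
-response, USER_PASS_LEN,
-BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO)))
-{
-msg(M_FATAL, "ERROR: could not retrieve static challenge response");
+if (flags & GET_USER_PASS_FORCE_BUILTIN) {
+if (!query_user_builtin_SINGLE(BSTR(&challenge), BLEN(&challenge),
+response, USER_PASS_LEN,
+BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO)))
+{
+msg(M_FATAL, "ERROR: could not retrieve static challenge response");
+}
+}
+else {
+if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
+response, USER_PASS_LEN,
+BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO)))
+{
+msg(M_FATAL, "ERROR: could not retrieve static challenge response");
+}
 }
 if (openvpn_base64_encode(up->password, strlen(up->password), &pw64) == -1
 || openvpn_base64_encode(response, strlen(response), &resp64) == -1)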
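Review bot: The `else if` at new line 953 changes the branch condition from `GET_USER_PASS_INLINE_CREDS` to `GET_USER_PASS_NEED_OK`, which nothing in the ticket-538 change explains; the branch body still reads `auth_file` as inline credentials (`buf_set_read(&buf, (uint8_t *) auth_file, ...)`), and the preceding branch, which prints a `NEED-OK|...` prompt, appears to be the NEED_OK branch already, so the inline-credentials path would become unreachable. Unless that is intended, restore `else if (flags & GET_USER_PASS_INLINE_CREDS)`. The `if (flags & GET_USER_PASS_FORCE_BUILTIN)` / `else` pairs at new lines 933, 1042, 1086 and 1117 repeat each prompt call and its `msg(M_FATAL, ...)` verbatim; choosing the reader once, e.g. `bool ok = (flags & GET_USER_PASS_FORCE_BUILTIN) ? query_user_builtin_SINGLE(...) : query_user_SINGLE(...);` followed by a single `if (!ok) { msg(M_FATAL, ...); }`, keeps the four sites from drifting apart. The enclosing function starts and ends outside these hunks.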
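diff -Naur openvpn-2.4.5/src/openvpn/misc.h openvpn-2.4.5_bug-538/src/openvpn/misc.h
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -232,7 +232,9 @@
 #define GET_USER_PASS_STATIC_CHALLENGE (1<<8) /* SCRV1 protocol -- static challenge */
 #define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /* SCRV1 protocol -- echo response */
 
-#define GET_USER_PASS_INLINE_CREDS (1<<10) /* indicates that auth_file is actually inline creds */
+#define GET_USER_PASS_INLINE_CREDS (1<<10)
+
+#define GET_USER_PASS_FORCE_BUILTIN (1<<11) /* force builtin prompt to work around 538 */
 
 bool get_user_pass_cr(struct user_pass *up,
 const char *auth_file,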
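Review bot: New line 235 drops the comment `/* indicates that auth_file is actually inline creds */` from `GET_USER_PASS_INLINE_CREDS` without replacing it, and the change does not need that edit; keep the original line and only add the new define below it. The comment on `GET_USER_PASS_FORCE_BUILTIN` names a bare number; `/* always prompt via the built-in stdin reader, never via systemd-ask-password; see https://community.openvpn.net/openvpn/ticket/538 */` tells the next reader where to look. A note that the flag only affects the interactive prompt paths in misc.c would also help, since that is not visible from the header.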
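diff -Naur openvpn-2.4.5/src/openvpn/pkcs11.c openvpn-2.4.5_bug-538/src/openvpn/pkcs11.c
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -257,7 +257,7 @@
 &token_pass,
 NULL,
 prompt,
-GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
+GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL|GET_USER_PASS_FORCE_BUILTIN
 )
 )
 {
@@ -813,7 +813,7 @@
 ASSERT(token!=NULL);
 
 buf_printf(&pass_prompt, "Please enter '%s' token PIN or 'cancel': ", token->display);
-if (!query_user_SINGLE(BSTR(&pass_prompt), BLEN(&pass_prompt),
+if (!query_user_builtin_SINGLE(BSTR(&pass_prompt), BLEN(&pass_prompt),
 pin, pin_max, false))
 {
 msg(M_FATAL, "Could not retrieve the PIN");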
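Review bot: The call at new line 816 switches the PIN prompt to `query_user_builtin_SINGLE` unconditionally, while every other site in this change is gated on `GET_USER_PASS_FORCE_BUILTIN`, and nothing at the call site says why; add `/* Always use the built-in prompt for the token PIN, see ticket 538 */` above it so the asymmetry is not "corrected" back later. In the hunk at new line 260 the flag is OR'd into a mask that also carries `GET_USER_PASS_MANAGEMENT`; whether the management interface still gets the first chance to supply the password before the forced built-in prompt is decided inside get_user_pass, outside this diff, and is worth confirming. Both enclosing functions start before their hunks.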