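#!/usr/bin/perl
############################################################################
#                                                                          #
# This file is part of the IPFire Firewall.                                #
#                                                                          #
# IPFire is free software; you can redistribute it and/or modify           #
# it under the terms of the GNU General Public License as published by     #
# the Free Software Foundation; either version 2 of the License, or        #
# (at your option) any later version.                                      #
#                                                                          #
# IPFire is distributed in the hope that it will be useful,                #
# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
# GNU General Public License for more details.                             #
#                                                                          #
# You should have received a copy of the GNU General Public License        #
# along with IPFire; if not, write to the Free Software                    #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA  #
#                                                                          #
# Copyright (C) 2022 IPFire Team <info@ipfire.org>.                        #
#                                                                          #
############################################################################

use strict;
use warnings;

use MIME::Base64;

require '/var/ipfire/general-functions.pl';

# OpenVPN OTP verification helper.
#
# Reads the credentials handed over by OpenVPN (the file named in @ARGV,
# or STDIN when no file is given) in this format:
#   line 1: <COMMON NAME>
#   line 2: <CREDENTIALS> e.g.: SCRV1:cGFzc3dvcmQ=:ODg2MTM2
# and looks the connection up in ovpnconfig.  Exit status 0 accepts the
# connection, 1 rejects it.

my $cn;
my $prefix;
my $password;
my $otp;

#&General::log("otp-verify DEBUG: ENV:common_name: $ENV{'common_name'}");

while (my $line = <>) {
	#&General::log("otp-verify DEBUG: line: $line");
	chomp $line;

	if ($line =~ /^SCRV[[:digit:]]:.+/) {
		# Static-challenge response: password and OTP are base64 encoded.
		($prefix, $password, $otp) = split /:/, $line;
		$password = decode_base64($password);
		$otp = decode_base64($otp);
	} elsif ($line =~ /^(?!SCRV[[:digit:]]).+/) {
		$cn = $line;
	}
}

# The first line of the credentials file is supplied by the client.  Prefer
# the common name OpenVPN exports from the verified client certificate, so
# the client cannot pick another connection's OTP settings (e.g. one with
# OTP switched off); only fall back to the client-supplied name when the
# variable is absent.
if (defined $ENV{'common_name'}) {
	#&General::log("otp-verify DEBUG: using CN from ENV.");
	$cn = $ENV{'common_name'};
}

#&General::log("otp-verify DEBUG: CN: \"$cn\"\n");
#&General::log("otp-verify DEBUG: PW: \"$password\"\n");
#&General::log("otp-verify DEBUG: OTP: \"$otp\"\n");
#&General::log("otp-verify DEBUG: ----\n");

my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig";

# Reject when the connection database cannot be found.
exit 1 unless (-f $ovpnconfig);

my %confighash = ();
&General::readhasharray($ovpnconfig, \%confighash);

foreach my $key (keys %confighash) {
	my $conn = $confighash{$key};

	# Only the connection whose CN matches the client's is of interest.
	next unless (defined $cn and defined $conn->[2] and $cn eq $conn->[2]);

	# Exit successfully for non-roadwarrior connections.
	exit 0 unless ($conn->[3] eq "host");

	# Exit successfully for disabled otp connections.
	exit 0 unless (defined $conn->[43] and $conn->[43] eq "on");

	# Exit with failure if required otp config is missing.
	exit 1 if (not defined $conn->[42]);
	exit 1 if (not defined $conn->[44]);

	#&General::log("otp-verify DEBUG: connection key: $key\n");
	#&General::log("otp-verify DEBUG: connection type: $conn->[3]\n");
	#&General::log("otp-verify DEBUG: CN: $conn->[2]\n");
	#&General::log("otp-verify DEBUG: otp Type: $conn->[42]\n");
	#&General::log("otp-verify DEBUG: otp State: $conn->[43]\n");
	#&General::log("otp-verify DEBUG: otp Secret: $conn->[44]\n");

	# OTP is required from here on: reject before calling oathtool when the
	# client sent nothing usable.  TOTP codes are digit strings, so anything
	# else can never match.
	exit 1 unless (defined $otp);
	$otp =~ s/^\s+|\s+$//g;
	exit 1 unless ($otp =~ /^[[:digit:]]+$/);

	# Get valid OTPs for the current window.
	# NOTE(review): the TOTP secret is passed to oathtool as a command-line
	# argument and may be visible to other local processes while it runs;
	# confirm this is acceptable on this host.
	my @valid_otps = &General::system_output("/usr/bin/oathtool", "--totp", "-w", "3", "$conn->[44]");
	foreach my $candidate (@valid_otps) {
		# Compare as strings: a numeric compare would drop leading zeros
		# and treat non-numeric input as 0, which matches a code of 000000.
		$candidate =~ s/^\s+|\s+$//g;

		# Exit successfully if OTP is correct.
		exit 0 if ($candidate eq $otp);
	}

	# Exit with failure if no matching OTP was found.
	exit 1;
}

# No connection with this CN exists in ovpnconfig.  Accepted, as before
# ("no auth-user-pass data received"); the certificate itself was already
# verified by OpenVPN.  Whether this should fail closed instead is a policy
# decision for the project.
exit 0;

# vim: ts=3 sts=3 sw=3 et nu list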