[ipfire-2.x.git] / config / ovpn / otp-verify

#!/usr/bin/perl
############################################################################
#                                                                          #
# This file is part of the IPFire Firewall.                                #
#                                                                          #
# IPFire is free software; you can redistribute it and/or modify           #
# it under the terms of the GNU General Public License as published by     #
# the Free Software Foundation; either version 2 of the License, or        #
# (at your option) any later version.                                      #
#                                                                          #
# IPFire is distributed in the hope that it will be useful,                #
# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
# GNU General Public License for more details.                             #
#                                                                          #
# You should have received a copy of the GNU General Public License        #
# along with IPFire; if not, write to the Free Software                    #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
#                                                                          #
# Copyright (C) 2022 IPFire Team <info@ipfire.org>.                        #
#                                                                          #
############################################################################

use strict;
use warnings;

use MIME::Base64;

require '/var/ipfire/general-functions.pl';

my $cn;
my $prefix;
my $password;
my $otp;
my @valid_otps;

#&General::log("otp-verify DEBUG: ENV:common_name: $ENV{'common_name'}");

# line 1: <COMMON NAME>
# line 2: <CREDENTIALS> e.g.: SCRV1:cGFzc3dvcmQ=:ODg2MTM2
while(<>) {
   #&General::log("otp-verify DEBUG: line: $_");
   if ($_ =~ /^(?!SCRV[[:digit:]]).+/) {
      chomp;
      $cn = $_;
      #$cn =~ s/\s*$//g;
   }
   if ($_ =~ /^SCRV[[:digit:]]:.+/) {
      ($prefix, $password, $otp) = split /:/;
      $password = decode_base64($password);
      $otp = decode_base64($otp);
   }
}

if ($cn == "") {
   #&General::log("otp-verify DEBUG: no credentials provided by client, setting CN from ENV.");
   $cn = $ENV{'common_name'};
}

#&General::log("otp-verify DEBUG: CN: \"$cn\"\n");
#&General::log("otp-verify DEBUG: PW: \"$password\"\n");
#&General::log("otp-verify DEBUG: OTP: \"$otp\"\n");
#&General::log("otp-verify DEBUG: ----\n");

my %confighash = ();
if (-f "${General::swroot}/ovpn/ovpnconfig") {
   &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
   foreach my $key (keys %confighash){
      if ($cn eq $confighash{$key}[2]) {
         # Exit successfully for non-roadwarrior connections.
         exit 0 unless ($confighash{$key}[3] eq "host");

         # Exit successfully for disabled otp connections.
         exit 0 unless (defined $confighash{$key}[43] and $confighash{$key}[43] eq "on");

         # Exit with failure if required otp config is missing.
         exit 1 if (not defined $confighash{$key}[42]);
         exit 1 if (not defined $confighash{$key}[44]);

         #&General::log("otp-verify DEBUG: connection key: $key\n");
         #&General::log("otp-verify DEBUG: connection type: $confighash{$key}[3]\n");
         #&General::log("otp-verify DEBUG: CN: $confighash{$key}[2]\n");
         #&General::log("otp-verify DEBUG: otp Type: $confighash{$key}[42]\n");
         #&General::log("otp-verify DEBUG: otp State: $confighash{$key}[43]\n");
         #&General::log("otp-verify DEBUG: otp Secret: $confighash{$key}[44]\n");

         # Get valid OTPs.
         my @valid_otps = &General::system_output("/usr/bin/oathtool", "--totp", "-w", "3", "$confighash{$key}[44]");
         foreach (@valid_otps) {
            # Exit successfully if OTP is correct.
            exit 0 if ($otp == $_)
         }

         # Exit with failure if no matching OTP was found.
         exit 1;
      }
   }
} else {
   # Return an error if ovpnconfig could not be found.
   exit 1;
}

# Exit successfully if no auth-user-pass data received.
exit 0;

# vim: ts=3 sts=3 sw=3 et nu list
Commit	Line	Data
e1e10515 TE	1	#!/usr/bin/perl
	2	############################################################################
	3	# #
	4	# This file is part of the IPFire Firewall. #
	5	# #
	6	# IPFire is free software; you can redistribute it and/or modify #
	7	# it under the terms of the GNU General Public License as published by #
	8	# the Free Software Foundation; either version 2 of the License, or #
	9	# (at your option) any later version. #
	10	# #
	11	# IPFire is distributed in the hope that it will be useful, #
	12	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	13	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	14	# GNU General Public License for more details. #
	15	# #
	16	# You should have received a copy of the GNU General Public License #
	17	# along with IPFire; if not, write to the Free Software #
	18	# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
	19	# #
	20	# Copyright (C) 2022 IPFire Team <info@ipfire.org>. #
	21	# #
	22	############################################################################
	23
	24	use strict;
	25	use warnings;
	26
	27	use MIME::Base64;
	28
	29	require '/var/ipfire/general-functions.pl';
	30
	31	my $cn;
	32	my $prefix;
	33	my $password;
	34	my $otp;
	35	my @valid_otps;
	36
	37	#&General::log("otp-verify DEBUG: ENV:common_name: $ENV{'common_name'}");
	38
	39	# line 1: <COMMON NAME>
	40	# line 2: <CREDENTIALS> e.g.: SCRV1:cGFzc3dvcmQ=:ODg2MTM2
	41	while(<>) {
	42	#&General::log("otp-verify DEBUG: line: $_");
	43	if ($_ =~ /^(?!SCRV[[:digit:]]).+/) {
	44	chomp;
	45	$cn = $_;
	46	#$cn =~ s/\s*$//g;
	47	}
	48	if ($_ =~ /^SCRV[[:digit:]]:.+/) {
	49	($prefix, $password, $otp) = split /:/;
	50	$password = decode_base64($password);
	51	$otp = decode_base64($otp);
	52	}
	53	}
	54
	55	if ($cn == "") {
	56	#&General::log("otp-verify DEBUG: no credentials provided by client, setting CN from ENV.");
	57	$cn = $ENV{'common_name'};
	58	}
	59
	60	#&General::log("otp-verify DEBUG: CN: \"$cn\"\n");
	61	#&General::log("otp-verify DEBUG: PW: \"$password\"\n");
	62	#&General::log("otp-verify DEBUG: OTP: \"$otp\"\n");
	63	#&General::log("otp-verify DEBUG: ----\n");
	64
65	my %confighash = ();
66	if (-f "${General::swroot}/ovpn/ovpnconfig") {
67	&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
68	foreach my $key (keys %confighash){
69	if ($cn eq $confighash{$key}[2]) {
70	# Exit successfully for non-roadwarrior connections.
71	exit 0 unless ($confighash{$key}[3] eq "host");
72
73	# Exit successfully for disabled otp connections.
74	exit 0 unless (defined $confighash{$key}[43] and $confighash{$key}[43] eq "on");
75
76	# Exit with failure if required otp config is missing.
77	exit 1 if (not defined $confighash{$key}[42]);
78	exit 1 if (not defined $confighash{$key}[44]);
79
80	#&General::log("otp-verify DEBUG: connection key: $key\n");
81	#&General::log("otp-verify DEBUG: connection type: $confighash{$key}[3]\n");
82	#&General::log("otp-verify DEBUG: CN: $confighash{$key}[2]\n");
83	#&General::log("otp-verify DEBUG: otp Type: $confighash{$key}[42]\n");
84	#&General::log("otp-verify DEBUG: otp State: $confighash{$key}[43]\n");
85	#&General::log("otp-verify DEBUG: otp Secret: $confighash{$key}[44]\n");
86
87	# Get valid OTPs.
88	my @valid_otps = &General::system_output("/usr/bin/oathtool", "--totp", "-w", "3", "$confighash{$key}[44]");
89	foreach (@valid_otps) {
90	# Exit successfully if OTP is correct.
91	exit 0 if ($otp == $_)
92	}
93
94	# Exit with failure if no matching OTP was found.
95	exit 1;
96	}
97	}
98	} else {
99	# Return an error if ovpnconfig could not be found.
100	exit 1;
101	}
102
103	# Exit successfully if no auth-user-pass data received.
104	exit 0;
105
106	# vim: ts=3 sts=3 sw=3 et nu list