]>
git.ipfire.org Git - ipfire-2.x.git/blob - config/ovpn/otp-verify
2 ############################################################################
4 # This file is part of the IPFire Firewall. #
6 # IPFire is free software; you can redistribute it and/or modify #
7 # it under the terms of the GNU General Public License as published by #
8 # the Free Software Foundation; either version 2 of the License, or #
9 # (at your option) any later version. #
11 # IPFire is distributed in the hope that it will be useful, #
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
14 # GNU General Public License for more details. #
16 # You should have received a copy of the GNU General Public License #
17 # along with IPFire; if not, write to the Free Software #
18 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
20 # Copyright (C) 2022 IPFire Team <info@ipfire.org>. #
22 ############################################################################
29 require '/var/ipfire/general-functions.pl';
37 #&General::log("otp-verify DEBUG: ENV:common_name: $ENV{'common_name'}");
39 # line 1: <COMMON NAME>
40 # line 2: <CREDENTIALS> e.g.: SCRV1:cGFzc3dvcmQ=:ODg2MTM2
42 #&General::log("otp-verify DEBUG: line: $_");
43 if ($_ =~ /^(?!SCRV[[:digit:]]).+/) {
48 if ($_ =~ /^SCRV[[:digit:]]:.+/) {
49 ($prefix, $password, $otp) = split /:/;
50 $password = decode_base64
($password);
51 $otp = decode_base64
($otp);
56 #&General::log("otp-verify DEBUG: no credentials provided by client, setting CN from ENV.");
57 $cn = $ENV{'common_name'};
60 #&General::log("otp-verify DEBUG: CN: \"$cn\"\n");
61 #&General::log("otp-verify DEBUG: PW: \"$password\"\n");
62 #&General::log("otp-verify DEBUG: OTP: \"$otp\"\n");
63 #&General::log("otp-verify DEBUG: ----\n");
66 if (-f
"${General::swroot}/ovpn/ovpnconfig") {
67 &General
::readhasharray
("${General::swroot}/ovpn/ovpnconfig", \
%confighash);
68 foreach my $key (keys %confighash){
69 if ($cn eq $confighash{$key}[2]) {
70 # Exit successfully for non-roadwarrior connections.
71 exit 0 unless ($confighash{$key}[3] eq "host");
73 # Exit successfully for disabled otp connections.
74 exit 0 unless (defined $confighash{$key}[43] and $confighash{$key}[43] eq "on");
76 # Exit with failure if required otp config is missing.
77 exit 1 if (not defined $confighash{$key}[42]);
78 exit 1 if (not defined $confighash{$key}[44]);
80 #&General::log("otp-verify DEBUG: connection key: $key\n");
81 #&General::log("otp-verify DEBUG: connection type: $confighash{$key}[3]\n");
82 #&General::log("otp-verify DEBUG: CN: $confighash{$key}[2]\n");
83 #&General::log("otp-verify DEBUG: otp Type: $confighash{$key}[42]\n");
84 #&General::log("otp-verify DEBUG: otp State: $confighash{$key}[43]\n");
85 #&General::log("otp-verify DEBUG: otp Secret: $confighash{$key}[44]\n");
88 my @valid_otps = &General
::system_output
("/usr/bin/oathtool", "--totp", "-w", "3", "$confighash{$key}[44]");
89 foreach (@valid_otps) {
90 # Exit successfully if OTP is correct.
91 exit 0 if ($otp == $_)
94 # Exit with failure if no matching OTP was found.
99 # Return an error if ovpnconfig could not be found.
103 # Exit successfully if no auth-user-pass data received.
106 # vim: ts=3 sts=3 sw=3 et nu list