]> git.ipfire.org Git - ipfire-2.x.git/blob - config/ovpn/otp-verify
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
openvpn-2fa: Import a prototype of an authenticator
[ipfire-2.x.git] / config / ovpn / otp-verify
1 #!/usr/bin/perl
2 ############################################################################
3 # #
4 # This file is part of the IPFire Firewall. #
5 # #
6 # IPFire is free software; you can redistribute it and/or modify #
7 # it under the terms of the GNU General Public License as published by #
8 # the Free Software Foundation; either version 2 of the License, or #
9 # (at your option) any later version. #
10 # #
11 # IPFire is distributed in the hope that it will be useful, #
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
14 # GNU General Public License for more details. #
15 # #
16 # You should have received a copy of the GNU General Public License #
17 # along with IPFire; if not, write to the Free Software #
18 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
19 # #
20 # Copyright (C) 2022 IPFire Team <info@ipfire.org>. #
21 # #
22 ############################################################################
23
24 use strict;
25 use warnings;
26
27 use MIME::Base64;
28
29 require '/var/ipfire/general-functions.pl';
30
31 my $cn;
32 my $prefix;
33 my $password;
34 my $otp;
35 my @valid_otps;
36
37 #&General::log("otp-verify DEBUG: ENV:common_name: $ENV{'common_name'}");
38
39 # line 1: <COMMON NAME>
40 # line 2: <CREDENTIALS> e.g.: SCRV1:cGFzc3dvcmQ=:ODg2MTM2
41 while(<>) {
42 #&General::log("otp-verify DEBUG: line: $_");
43 if ($_ =~ /^(?!SCRV[[:digit:]]).+/) {
44 chomp;
45 $cn = $_;
46 #$cn =~ s/\s*$//g;
47 }
48 if ($_ =~ /^SCRV[[:digit:]]:.+/) {
49 ($prefix, $password, $otp) = split /:/;
50 $password = decode_base64($password);
51 $otp = decode_base64($otp);
52 }
53 }
54
55 if ($cn == "") {
56 #&General::log("otp-verify DEBUG: no credentials provided by client, setting CN from ENV.");
57 $cn = $ENV{'common_name'};
58 }
59
60 #&General::log("otp-verify DEBUG: CN: \"$cn\"\n");
61 #&General::log("otp-verify DEBUG: PW: \"$password\"\n");
62 #&General::log("otp-verify DEBUG: OTP: \"$otp\"\n");
63 #&General::log("otp-verify DEBUG: ----\n");
64
65 my %confighash = ();
66 if (-f "${General::swroot}/ovpn/ovpnconfig") {
67 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
68 foreach my $key (keys %confighash){
69 if ($cn eq $confighash{$key}[2]) {
70 # Exit successfully for non-roadwarrior connections.
71 exit 0 unless ($confighash{$key}[3] eq "host");
72
73 # Exit successfully for disabled otp connections.
74 exit 0 unless (defined $confighash{$key}[43] and $confighash{$key}[43] eq "on");
75
76 # Exit with failure if required otp config is missing.
77 exit 1 if (not defined $confighash{$key}[42]);
78 exit 1 if (not defined $confighash{$key}[44]);
79
80 #&General::log("otp-verify DEBUG: connection key: $key\n");
81 #&General::log("otp-verify DEBUG: connection type: $confighash{$key}[3]\n");
82 #&General::log("otp-verify DEBUG: CN: $confighash{$key}[2]\n");
83 #&General::log("otp-verify DEBUG: otp Type: $confighash{$key}[42]\n");
84 #&General::log("otp-verify DEBUG: otp State: $confighash{$key}[43]\n");
85 #&General::log("otp-verify DEBUG: otp Secret: $confighash{$key}[44]\n");
86
87 # Get valid OTPs.
88 my @valid_otps = &General::system_output("/usr/bin/oathtool", "--totp", "-w", "3", "$confighash{$key}[44]");
89 foreach (@valid_otps) {
90 # Exit successfully if OTP is correct.
91 exit 0 if ($otp == $_)
92 }
93
94 # Exit with failure if no matching OTP was found.
95 exit 1;
96 }
97 }
98 } else {
99 # Return an error if ovpnconfig could not be found.
100 exit 1;
101 }
102
103 # Exit successfully if no auth-user-pass data received.
104 exit 0;
105
106 # vim: ts=3 sts=3 sw=3 et nu list
IPFire 2.x development tree