From: Antonio Quartulli
Date: Sat, 17 Sep 2022 13:48:32 +0000 (+0200)
Subject: auth-user-pass: add support for inline credentials
X-Git-Tag: v2.6_beta1~54
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7d48d31b8226d5e3a5638e2369876381038bf5e2;p=thirdparty%2Fopenvpn.git

auth-user-pass: add support for inline credentials

--auth-user-pass is probably the only option expecting a filename as argument that cannot be inline'd as of today. This patch allows specifying username and password inline in the config file within the tag. This logic was already implemented for --http-proxy-user-pass, therefore it was just about applying it to this specific option as well. Note that the current logic expects username and password to always be specified when inline. Therefore omitting the password will result in storing an empty password. A later patch will change this behaviour to make it consistent with the classic case (username writte in file), where the password is requested via stdin when missing. While a it, add an empty line between prototypes in init.c to make uncrustify happy.

Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
Message-Id: <20220917134832.16359-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25236.html
Signed-off-by: Gert Doering
---
diff --git a/Changes.rst b/Changes.rst
index 25325b22b..5a80dc0db 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -93,6 +93,10 @@ Session timeout using ``--session-timeout``. This option can be configured on the server, on the client or can also be pushed.
+Inline auth username and password Username and password can now be specified inline in the configuration file within the tags.
+
 Deprecated features
 -------------------
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d87923665..80b077653 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -71,6 +71,7 @@ static const char *saved_pid_file_name; /* GLOBAL */
 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2)
 static void do_init_first_time(struct context *c);
+
 static bool do_deferred_p2p_ncp(struct context *c);
 void
@@ -595,9 +596,12 @@ init_query_passwords(const struct context *c)
 if (c->options.auth_user_pass_file)
 {
 #ifdef ENABLE_MANAGEMENT
- auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info);
+ auth_user_pass_setup(c->options.auth_user_pass_file,
+ c->options.auth_user_pass_file_inline,
+ &c->options.sc_info);
 #else
- auth_user_pass_setup(c->options.auth_user_pass_file, NULL);
+ auth_user_pass_setup(c->options.auth_user_pass_file,
+ c->options.auth_user_pass_file_inline, NULL);
 #endif
 }
 }
@@ -3080,6 +3084,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
 to.client_config_dir_exclusive = options->client_config_dir;
 }
 to.auth_user_pass_file = options->auth_user_pass_file;
+ to.auth_user_pass_file_inline = options->auth_user_pass_file_inline;
 to.auth_token_generate = options->auth_token_generate;
 to.auth_token_lifetime = options->auth_token_lifetime;
 to.auth_token_call_auth = options->auth_token_call_auth;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 01117d982..52b861abc 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1562,7 +1562,7 @@ show_p2mp_parms(const struct options *o)
 SHOW_BOOL(client);
 SHOW_BOOL(pull);
- SHOW_STR(auth_user_pass_file);
+ SHOW_STR_INLINE(auth_user_pass_file);
 gc_free(&gc);
 }
@@ -4046,9 +4046,10 @@ options_postprocess_filechecks(struct options *options)
 options->management_user_pass, R_OK, "--management user/password file");
 #endif /* ENABLE_MANAGEMENT */
- errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
- options->auth_user_pass_file, R_OK,
- "--auth-user-pass");
+ errs |= check_file_access_inline(options->auth_user_pass_file_inline,
+ CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
+ options->auth_user_pass_file, R_OK,
+ "--auth-user-pass");
 /* ** System related ** */
 errs |= check_file_access(CHKACC_FILE, options->chroot_dir, R_OK|X_OK, "--chroot directory");
@@ -7727,10 +7728,11 @@ add_option(struct options *options,
 }
 else if (streq(p[0], "auth-user-pass") && !p[2])
 {
- VERIFY_PERMISSION(OPT_P_GENERAL);
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
 if (p[1])
 {
 options->auth_user_pass_file = p[1];
+ options->auth_user_pass_file_inline = is_inline;
 }
 else
 {
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 7e0ed7792..3d1d37d05 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -532,6 +532,7 @@ struct options
 int push_continuation;
 unsigned int push_option_types_found;
 const char *auth_user_pass_file;
+ bool auth_user_pass_file_inline;
 struct options_pre_connect *pre_connect;
 int scheduled_exit_interval;
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 672cd9c84..4f28eb568 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
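Review bot: Switching this call to check_file_access_inline() means the CHKACC_PRIVATE permission check is no longer evaluated for the inline case, assuming it returns early when its first argument is true, as its name suggests; a world-readable config file that now carries the username/password in an inline block gets no warning, whereas a world-readable external --auth-user-pass file still does. If the config file's own mode cannot be checked at this point, at least record the gap next to the call: `/* With inline credentials the secret lives in the config file itself, which the CHKACC_PRIVATE check below does not cover. */`. options_postprocess_filechecks' body extends on both sides of this hunk.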
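Review bot: The new `auth_user_pass_file_inline` field in struct options is added without a comment, and its meaning is only spelled out in ssl.h: when it is true, `auth_user_pass_file` holds the credential text rather than a path. Because the two fields are coupled, document that on the field itself, e.g. `bool auth_user_pass_file_inline; /* true: auth_user_pass_file holds the credentials, not a path */`. The matching field added to struct tls_options in ssl_common.h would benefit from the same one-line comment.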
@@ -395,23 +395,32 @@ static char *auth_challenge; /* GLOBAL */
 #endif
 void
-auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci)
+auth_user_pass_setup(const char *auth_file, bool is_inline,
+ const struct static_challenge_info *sci)
 {
+ unsigned int flags = GET_USER_PASS_MANAGEMENT;
+
+ if (is_inline)
+ {
+ flags |= GET_USER_PASS_INLINE_CREDS;
+ }
+
 auth_user_pass_enabled = true;
 if (!auth_user_pass.defined && !auth_token.defined)
 {
 #ifdef ENABLE_MANAGEMENT
 if (auth_challenge) /* dynamic challenge/response */
 {
+ flags |= GET_USER_PASS_DYNAMIC_CHALLENGE;
 get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH,
- GET_USER_PASS_MANAGEMENT|GET_USER_PASS_DYNAMIC_CHALLENGE,
+ flags,
 auth_challenge);
 }
 else if (sci) /* static challenge response */
 {
- int flags = GET_USER_PASS_MANAGEMENT|GET_USER_PASS_STATIC_CHALLENGE;
+ flags |= GET_USER_PASS_STATIC_CHALLENGE;
 if (sci->flags & SC_ECHO)
 {
 flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO;
@@ -424,7 +433,7 @@ auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *
 }
 else
 #endif /* ifdef ENABLE_MANAGEMENT */
- get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT);
+ get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags);
 }
 }
@@ -2139,9 +2148,12 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_sessi
 if (auth_user_pass_enabled || (auth_token.token_defined && auth_token.defined))
 {
 #ifdef ENABLE_MANAGEMENT
- auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci);
+ auth_user_pass_setup(session->opt->auth_user_pass_file,
+ session->opt->auth_user_pass_file_inline,
+ session->opt->sci);
 #else
- auth_user_pass_setup(session->opt->auth_user_pass_file, NULL);
+ auth_user_pass_setup(session->opt->auth_user_pass_file,
+ session->opt->auth_user_pass_file_inline, NULL);
 #endif
 struct user_pass *up = &auth_user_pass;
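Review bot: Once is_inline is set, the `auth_file` parameter no longer names a file but carries the credential text itself, and nothing in the body of auth_user_pass_setup says so; a reader of the `get_user_pass_cr()` and `get_user_pass()` calls will assume a path is being handed down. A one-line comment where `flags` is assembled would make the dual meaning visible: `/* with is_inline, auth_file is the inline block's contents, not a path */`. The description also notes that an inline block without a password line is accepted as an empty password until a follow-up changes it; a short `/* TODO: an inline block with no password line yields an empty password */` at the `GET_USER_PASS_INLINE_CREDS` line would keep that from being lost. auth_user_pass_setup's body continues in the next hunk.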
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 8ca4c4aa8..f8c30762e 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -373,9 +373,11 @@ void pem_password_setup(const char *auth_file);
 /*
 * Setup authentication username and password. If auth_file is given, use the
- * credentials stored in the file.
+ * credentials stored in the file, however, if is_inline is true then auth_file
+ * contains the username/password inline.
 */
-void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sc_info);
+void auth_user_pass_setup(const char *auth_file, bool is_inline,
+ const struct static_challenge_info *sc_info);
 /*
 * Ensure that no caching is performed on authentication information
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index f1cade2ef..9aa28f1e5 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -367,6 +367,7 @@ struct tls_options
 bool auth_user_pass_verify_script_via_file;
 const char *tmp_dir;
 const char *auth_user_pass_file;
+ bool auth_user_pass_file_inline;
 bool auth_token_generate; /**< Generate auth-tokens on successful
 * user/pass auth,seet via