Support concatenating response with password

Static challenge response and password are optionally
concatenated and submitted instead of using the SCRV1
protocol. The code is activated in the next commit.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
pull/677/merge
Selva Nair 2024-06-09 20:15:44 -04:00 committed by Gert Doering
parent 2a68580dd9
commit 927953021a
2 changed files with 14 additions and 3 deletions


@ -589,7 +589,7 @@ UserAuthDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
if (RecallAuthPass(param->c->config_name, password))
{
SetDlgItemTextW(hwndDlg, ID_EDT_AUTH_PASS, password);
if (username[0] != L'\0' && !(param->flags & FLAG_CR_TYPE_SCRV1)
if (username[0] != L'\0' && !(param->flags & (FLAG_CR_TYPE_SCRV1|FLAG_CR_TYPE_CONCAT))
&& password[0] != L'\0' && param->c->failed_auth_attempts == 0)
{
/* user/pass available and no challenge response needed: skip dialog
@ -605,7 +605,7 @@ UserAuthDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
SendMessage(GetDlgItem(hwndDlg, ID_EDT_AUTH_PASS), EM_SETSEL, 0, MAKELONG(0, -1));
}
else if (param->flags & FLAG_CR_TYPE_SCRV1)
else if (param->flags & (FLAG_CR_TYPE_SCRV1|FLAG_CR_TYPE_CONCAT))
{
SetFocus(GetDlgItem(hwndDlg, ID_EDT_AUTH_CHALLENGE));
}
@ -662,7 +662,7 @@ UserAuthDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
/* enable OK button only if username and either password or response are filled */
BOOL enableOK = GetWindowTextLength(GetDlgItem(hwndDlg, ID_EDT_AUTH_USER))
&& (GetWindowTextLength(GetDlgItem(hwndDlg, ID_EDT_AUTH_PASS))
|| ((param->flags & FLAG_CR_TYPE_SCRV1)
|| ((param->flags & (FLAG_CR_TYPE_SCRV1|FLAG_CR_TYPE_CONCAT))
&& GetWindowTextLength(GetDlgItem(hwndDlg, ID_EDT_AUTH_CHALLENGE)))
);
EnableWindow(GetDlgItem(hwndDlg, IDOK), enableOK);
@ -706,9 +706,19 @@ UserAuthDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
SaveAuthPass(param->c->config_name, password);
}
if (param->flags & FLAG_CR_TYPE_CONCAT)
{
GetDlgItemTextW(hwndDlg, ID_EDT_AUTH_CHALLENGE, password + wcslen(password), _countof(password)-wcslen(password));
SetDlgItemTextW(hwndDlg, ID_EDT_AUTH_PASS, password);
/* erase potentially secret contents in the response text box */
memset(password, L'x', wcslen(password));
SetDlgItemTextW(hwndDlg, ID_EDT_AUTH_CHALLENGE, password);
}
SecureZeroMemory(password, sizeof(password));
}
ManagementCommandFromInput(param->c, "username \"Auth\" \"%s\"", hwndDlg, ID_EDT_AUTH_USER);
if (param->flags & FLAG_CR_TYPE_SCRV1)
{
ManagementCommandFromTwoInputsBase64(param->c, "password \"Auth\" \"SCRV1:%s:%s\"", hwndDlg, ID_EDT_AUTH_PASS, ID_EDT_AUTH_CHALLENGE);
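Review bot: The erase step in the new FLAG_CR_TYPE_CONCAT branch, `memset(password, L'x', wcslen(password));`, takes a byte count, while `password` appears to be a WCHAR buffer (it is passed to GetDlgItemTextW and sized with `_countof`). With 2-byte WCHARs only about the first half of the characters are overwritten, so the following `SetDlgItemTextW(hwndDlg, ID_EDT_AUTH_CHALLENGE, password)` copies the tail of the concatenated password and response into the response text box instead of erasing it. Filling by character fixes this: `wmemset(password, L'x', wcslen(password));`. Separately, the appending GetDlgItemTextW call truncates the response without any signal when password plus response exceed the buffer, which would show up later as an unexplained authentication failure; a length check before submitting would make that visible. The enclosing handler starts and ends outside the hunk, and the hunk as rendered looks shorter than its header counts, so the declaration of `password` should be confirmed against the full file.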


@ -94,6 +94,7 @@ void WriteStatusLog(connection_t *c, const WCHAR *prefix, const WCHAR *line, BOO
#define FLAG_STRING_PKCS11 0x20 /* PKCS11 id needed */
#define FLAG_PASS_PKEY 0x40 /* Private key password needed */
#define FLAG_CR_TYPE_CRTEXT 0x80 /* crtext */
#define FLAG_CR_TYPE_CONCAT 0x100 /* concatenate otp with password */
typedef struct {
connection_t *c;