From 927953021af90cf96466effa7ecf798b4d54726f Mon Sep 17 00:00:00 2001
From: Selva Nair
Date: Sun, 9 Jun 2024 20:15:44 -0400
Subject: [PATCH] Support concatenating response with password

Static challenge response and password are optionally concatenated and submitted instead of using the SCRV1 protocol. The code is activated in the next commit.

Signed-off-by: Selva Nair
---
 openvpn.c | 16 +++++++++++++---
 openvpn.h | 1 +
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/openvpn.c b/openvpn.c
index 8debf90..8a6338b 100644
--- a/openvpn.c
+++ b/openvpn.c
@@ -589,7 +589,7 @@ UserAuthDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
 if (RecallAuthPass(param->c->config_name, password))
 {
 SetDlgItemTextW(hwndDlg, ID_EDT_AUTH_PASS, password);
- if (username[0] != L'\0' && !(param->flags & FLAG_CR_TYPE_SCRV1)
+ if (username[0] != L'\0' && !(param->flags & (FLAG_CR_TYPE_SCRV1|FLAG_CR_TYPE_CONCAT))
 && password[0] != L'\0' && param->c->failed_auth_attempts == 0)
 {
 /* user/pass available and no challenge response needed: skip dialog
@@ -605,7 +605,7 @@ UserAuthDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
 {
 SendMessage(GetDlgItem(hwndDlg, ID_EDT_AUTH_PASS), EM_SETSEL, 0, MAKELONG(0, -1));
 }
- else if (param->flags & FLAG_CR_TYPE_SCRV1)
+ else if (param->flags & (FLAG_CR_TYPE_SCRV1|FLAG_CR_TYPE_CONCAT))
 {
 SetFocus(GetDlgItem(hwndDlg, ID_EDT_AUTH_CHALLENGE));
 }
@@ -662,7 +662,7 @@ UserAuthDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
 /* enable OK button only if username and either password or response are filled */
 BOOL enableOK = GetWindowTextLength(GetDlgItem(hwndDlg, ID_EDT_AUTH_USER))
 && (GetWindowTextLength(GetDlgItem(hwndDlg, ID_EDT_AUTH_PASS))
- || ((param->flags & FLAG_CR_TYPE_SCRV1)
+ || ((param->flags & (FLAG_CR_TYPE_SCRV1|FLAG_CR_TYPE_CONCAT))
 && GetWindowTextLength(GetDlgItem(hwndDlg, ID_EDT_AUTH_CHALLENGE)))
 );
 EnableWindow(GetDlgItem(hwndDlg, IDOK), enableOK);
@@ -706,9 +706,19 @@ UserAuthDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam) { SaveAuthPass(param->c->config_name, password); } + if (param->flags & FLAG_CR_TYPE_CONCAT) + { + GetDlgItemTextW(hwndDlg, ID_EDT_AUTH_CHALLENGE, password + wcslen(password), _countof(password)-wcslen(password)); + SetDlgItemTextW(hwndDlg, ID_EDT_AUTH_PASS, password); + /* erase potentially secret contents in the response text box */ + memset(password, L'x', wcslen(password)); + SetDlgItemTextW(hwndDlg, ID_EDT_AUTH_CHALLENGE, password); + } + SecureZeroMemory(password, sizeof(password)); } ManagementCommandFromInput(param->c, "username \"Auth\" \"%s\"", hwndDlg, ID_EDT_AUTH_USER); + if (param->flags & FLAG_CR_TYPE_SCRV1) { ManagementCommandFromTwoInputsBase64(param->c, "password \"Auth\" \"SCRV1:%s:%s\"", hwndDlg, ID_EDT_AUTH_PASS, ID_EDT_AUTH_CHALLENGE); diff --git a/openvpn.h b/openvpn.h index e529cea..123ab27 100644 --- a/openvpn.h +++ b/openvpn.h @@ -94,6 +94,7 @@ void WriteStatusLog(connection_t *c, const WCHAR *prefix, const WCHAR *line, BOO #define FLAG_STRING_PKCS11 0x20 /* PKCS11 id needed */ #define FLAG_PASS_PKEY 0x40 /* Private key password needed */ #define FLAG_CR_TYPE_CRTEXT 0x80 /* crtext */ +#define FLAG_CR_TYPE_CONCAT 0x100 /* concatenate otp with password */ typedef struct { connection_t *c;
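Review bot: `memset(password, L'x', wcslen(password));` in the new FLAG_CR_TYPE_CONCAT block fills bytes rather than wide characters, and since `password` is handled with GetDlgItemTextW/wcslen/_countof it is a wide-character buffer, so only the first wcslen(password)/sizeof(WCHAR) characters are overwritten (with 0x7878, not 'x') and the tail of the concatenated password+response is left in place. The following `SetDlgItemTextW(hwndDlg, ID_EDT_AUTH_CHALLENGE, password)` then writes that leftover secret into the response control, which is exactly what the comment says it is erasing; SecureZeroMemory clears the local buffer afterwards but not the control's copy. The fix is `wmemset(password, L'x', wcslen(password));` so the whole string is masked before it is pushed to the control. Separately, `_countof(password)-wcslen(password)` makes GetDlgItemTextW truncate the response silently when the combined string no longer fits the buffer; checking that the combined length fits, or at least logging the truncation, would make that failure visible instead of submitting a mangled credential. UserAuthDialogFunc begins and ends outside the hunk.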