Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support static-challenge "concat" option #701

Merged
merged 2 commits into from
Sep 10, 2024
Merged

Support static-challenge "concat" option #701

merged 2 commits into from
Sep 10, 2024

Conversation

selvanair
Copy link
Collaborator

No description provided.

@selvanair
Support concatenating response with password
0ed9eba 
Static challenge response and password are optionally
concatenated and submitted instead of using the SCRV1
protocol. The code is activated in the next commit.

Signed-off-by: Selva Nair <[email protected]>
@selvanair
Parse new static-challenge format option from management interface
d1dd944 
Parse the flag in SC:<flag>,TEXT directive for static-challenge,
and enable the option to concatenate password and response
if indicated in flag.

Signed-off-by: Selva Nair <[email protected]>
@selvanair selvanair mentioned this pull request Sep 9, 2024
Merged
cron2
cron2 reviewed Sep 10, 2024
View reviewed changes
openvpn.c
SetDlgItemTextW(hwndDlg, ID_EDT_AUTH_PASS, password);
/* erase potentially secret contents in the response text box */
memset(password, L'x', wcslen(password));
SetDlgItemTextW(hwndDlg, ID_EDT_AUTH_CHALLENGE, password);
Copy link
Contributor

@cron2 cron2 Sep 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure I understand this code here - the GetDlgItemTextW() seems clear to me ("if we have CONCAT, read the text field from the window and put it after the existing content in password = concat).

What I'm unclear on is the SetDlgItemTextW() part - so we put the concatenated password into the
ID_EDT_AUTH_PASS field of the window, and a full set of x (of length password+challenge) into the ID_EDT_AUTH_CHALLENGE field?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess that's because later in ManagementCommandFromInput() we get the value of password+auth_challenge from ID_EDT_AUTH_PASS field - so we need that field to contain those concatenated values. And we do erase the content in ID_EDT_AUTH_CHALLENGE because ManagementCommandFromInput() does it only for ID_EDT_AUTH_PASS.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, as lev said. This allows one to reuse the password submission code by re-writing the password filed with password+OTP. A less "hacky" way would be to add a new function "ManagementComamndFromTwoInputs()" duplicating most of "ManagementCommandFromInput()"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, thanks. I only half-understood this - I saw "ok, it's appending the CR to the password, to be used later down" and then totally overlooked that password[] is actually x-ed out right after :-) - makes sense.

LGTM.

@lstipakov
Copy link
Member

I didn't test it but the code looks reasonable. Let's get all build checks passed.

@cron2 cron2 merged commit 5494ebb into OpenVPN:master Sep 10, 2024
10 checks passed
@selvanair selvanair mentioned this pull request Sep 21, 2024
Closed
@selvanair selvanair mentioned this pull request Nov 27, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cron2 cron2 cron2 left review comments

@lstipakov lstipakov lstipakov left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@selvanair @lstipakov @cron2