[Openvpn-devel,2/2] Accept empty password and/or response in auth-pam plugin

Message ID 1533696271-21799-2-git-send-email-selva.nair@gmail.com
State Accepted
Headers show
Series [Openvpn-devel,1/2] Bump version of openvpn plugin argument structs to 5 | expand

Commit Message

Selva Nair Aug. 7, 2018, 4:44 p.m. UTC
From: Selva Nair <selva.nair@gmail.com>

In the auth-pam plugin correctly parse the static challenge string
even when password or challenge response is empty.

Whether an empty user input is an error is determined by the PAM
conversation function depending on whether the PAM module queries
for it or not.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
 src/plugins/auth-pam/auth-pam.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


Gert Doering Aug. 7, 2018, 9:41 p.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Looks good and passes my use case ("PIN set, OTP empty").  So it was
not a bug in the openvpn client at all, I just misread the logs.

Since I join PIN+OTP into one string passed to PAM anyway, I also tested
"PIN empty, OTP set" and that works just as well.  Thanks.

Your patch has been applied to the master branch.

commit 7a8109023f4c345fe12f23421c5fa7e88e1ea85b
Author: Selva Nair
Date:   Tue Aug 7 22:44:31 2018 -0400

     Accept empty password and/or response in auth-pam plugin

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <1533696271-21799-2-git-send-email-selva.nair@gmail.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17382.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>

kind regards,

Gert Doering

Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 1324307..88b5320 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -310,11 +310,11 @@  split_scrv1_password(struct user_pass *up)
     *resp++ = '\0';
     int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
-    if (n > 0)
+    if (n >= 0)
         up->password[n] = '\0';
         n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
-        if (n > 0)
+        if (n >= 0)
             up->response[n] = '\0';
             if (DEBUG(up->verb))