From patchwork Sat Jun 15 02:24:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "plaisthos (Code Review)" X-Patchwork-Id: 3732 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:a68e:b0:57d:b2cb:6cf with SMTP id hn14csp556393mab; Fri, 14 Jun 2024 19:25:37 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUKQq44kaD0OFxP9UMy6Qb1d5lO82miLnTLy5w2NtM/y5JiOTU3Cwr83fJjtV2zkbd091LKUsrSwFrjEm5UGeaZc4RhQec= X-Google-Smtp-Source: AGHT+IH7aRKqLxuRZJcghcug2lmp1XReqJtkywTb5JQH/nugfDQD8dm5LRqWXzvPSIa/u7gIuXqk X-Received: by 2002:a05:6a20:da9d:b0:1b5:ae2c:c730 with SMTP id adf61e73a8af0-1bae8001712mr5089911637.3.1718418337555; Fri, 14 Jun 2024 19:25:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1718418337; cv=none; d=google.com; s=arc-20160816; b=lAdRc4wwHPzfw2NLa/Q/V3UMTc/zvYtpBjkpc5VAq4swZIQfFeOv0M+nxO7zedU2Fi YjYASMIYmAPIKiEBUH9dXs6fVSyGXElogfN8yDHD8yqH0Xa2jLaLqAE2jP2ThcRipSAJ jU/QI5m8eU3tnHCBzQ36I+JcnPV3EaWr466XTqntGfDTdCi7I/yd3d6uZ307rWEBNXwP Nd3G/c4YiXD+WUCWlxZj2J2cPLBz8veozR5ZJdhsZQz50/NVK3mfibg70TTc4wFp4Xin Ck3t9Rv95RtqqTV50bkMs8cgtwGCiKJHDaoG0+uRZJr8URhlWcgIZuTaO0cK/RaMHY/D 1gpA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=uzmtoKg737PepCw5oBakqWj891q9f5JyszxNdHLWkx4=; fh=U7wEyxtwz2o5+UdevFSA47vNeG9knhWH0KV//QhD5a0=; b=SbTyt5nFkfQs+RHeKcS7rMpgaGgB0H+vdhijFZ0DsmOPkpKCzkAbUd/4fnwlhUfpKr J2LhkRVbc9274zIZVramBu2zzEv3NdwXMWLDynAYxEgIO5io9Sgrp9a+0mND5w4Jwp5n NapwyycOf8rjbWaMQ4+BmTqCOvv9XIHH44oRjD1WdL9+1gpr0RPSxBIQcvimBoL7HhVH k8/flUQ9PTF3UkjI68jeTzvprP5x+OkG6m+MO9JA2wsqoSk0KLLkeCXDAdARKf07Vhe5 KemN+ygCsHtGkwye5dyC1bZ8zfydtEroU/nvO9vEMMMggxNgnp0MRrOYlZxug7w0DJjs J8EQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=FtgZXMd7; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=eDpwnE29; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=bSngX2dG; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 98e67ed59e1d1-2c4d5e799c4si3568306a91.173.2024.06.14.19.25.37 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 14 Jun 2024 19:25:37 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=FtgZXMd7; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=eDpwnE29; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=bSngX2dG; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1sIJ6J-00071g-80; Sat, 15 Jun 2024 02:25:08 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1sIJ6H-00071X-Gx for openvpn-devel@lists.sourceforge.net; Sat, 15 Jun 2024 02:25:06 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=CuRH774l9D1PCogvYh5nUIoU60ZorgvoOAOfTfXOErg=; b=FtgZXMd7KpcF8xJVNrXL19VWtW P42c0LLXz3fAjcoId9P6toaSQiYmC27EUDLXmOY6HUV3e0f3XBiLdIlvkXJWFA9HgOytVs9zydwGH 3uGwGX8CDhsTTa/O+fGxViu/ICDNPQosog/ILbE0OIXR5hkMBrW7rRZ4ZP0wf1wFXKnE=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=CuRH774l9D1PCogvYh5nUIoU60ZorgvoOAOfTfXOErg=; b=e DpwnE29qpJAxulfxqlFhR/PjC09ROFvmBwV9Z4NB+BIzR1A2j+P+JcB9yabpgDn6gfXSF2kQQr6YL HXbggas3zmcLRF5+PJhL540w7d6OgjTLVcl+SrJnvSRm1FblXXvkfEas4rI84NP6jyKKa35wi9SQh LY2iFsTWUhiKn6ac=; Received: from mail-wm1-f46.google.com ([209.85.128.46]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1sIJ6H-0000FX-T6 for openvpn-devel@lists.sourceforge.net; Sat, 15 Jun 2024 02:25:06 +0000 Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-4230366ad7bso22845145e9.1 for ; Fri, 14 Jun 2024 19:25:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1718418293; x=1719023093; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=CuRH774l9D1PCogvYh5nUIoU60ZorgvoOAOfTfXOErg=; b=bSngX2dGGuwwweMABEwLeUza0i9p3XEbTq/V4+tg+FJ1f+pNoSy3b/Ue26zjk9A2yc ED6cq78YExMZENjfJWspY44klTMJ52wWAHjN+1zevPI9uSaJOX8M+CG/7BSjHynDVJJP 4HfnuZu2lALZUGUfEj1t8B6oTmdN9CqQ31Q1rgnoHowdx6Xkh9IdsQEhL1ptBp0MkJg1 DCgG0WnITavlwBCbI6I3pJeKmXhc3bOpgNL34k/SPcTNzzCX1AfhwwdP0IZnYFiTTwCc XxNm//14ezdiI2CV2ojdkMfvS/bwUtpC657pUQo5LempSCaJiBDpCzZtgOYrHIzBI62A cXOA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718418293; x=1719023093; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=CuRH774l9D1PCogvYh5nUIoU60ZorgvoOAOfTfXOErg=; b=eDpCSRaIop3zruBb7FyfkLYE6joqusyBrQPE4Dism1ybLgs6MH0AUjTMTA4nwBHXQ8 67x5fqV2+29p08ICxidsZglK7OgvTPqZDNDUVFOc0/yCLs6rps7hpsZ6T5VxkLBtJzG1 N5ItkVvix/DdiEz2AjFaqY77eA077ZMRiU1wzMvQTkd04bFxnAUFd5QsyUYgCTr7x6g+ lN408D2aMGcJz01AlosVIoVT9ZXkrxbLb8pbvtb8VEP5n1oDz0ibjM2tCYaeYd75dRTB DBG0TxCoquGN1twFaXh+zZtfJtKIdt1gD6B7x8qoTEe/fhOps3ufffAStlhfMk1bU6gL cecw== X-Gm-Message-State: AOJu0YywUxf4qZeWLEA6kJuGegm8RQXoPJ55zC7iXHHfJL7YZ2RrcexT MLnr0cwLlyMmjL0nUkxkJehF9ZBUSm9m1D/k82mwNt9c2Bi3rTfZa+GgBZDfA3SPZPHbu/lKIIZ n X-Received: by 2002:a05:600c:1c1c:b0:422:aca:f87e with SMTP id 5b1f17b1804b1-423056f04a4mr38421405e9.19.1718418293524; Fri, 14 Jun 2024 19:24:53 -0700 (PDT) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-42286fe9230sm116900225e9.17.2024.06.14.19.24.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 14 Jun 2024 19:24:53 -0700 (PDT) From: "selvanair (Code Review)" X-Google-Original-From: "selvanair (Code Review)" X-Gerrit-PatchSet: 1 Date: Sat, 15 Jun 2024 02:24:52 +0000 To: plaisthos , flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: I59a90446bfe73d8856516025a58a6f62cc98ab0d X-Gerrit-Change-Number: 665 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: 765ec88e549b142f64ea179f7d06e2d82b121123 References: Message-ID: <5840c33081c0940d5d60533dbdcab60c317d7ff6-HTML@gerrit.openvpn.net> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: openvpn.net] 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [209.85.128.46 listed in bl.score.senderscore.com] 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [209.85.128.46 listed in sa-accredit.habeas.com] 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [209.85.128.46 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.46 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.0 T_SCC_BODY_TEXT_LINE No description available. 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1sIJ6H-0000FX-T6 Subject: [Openvpn-devel] [M] Change in openvpn[master]: Static-challenge concatentation option X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: selva.nair@gmail.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1801892226530768958?= X-GMAIL-MSGID: =?utf-8?q?1801892226530768958?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/665?usp=email to review the following change. Change subject: Static-challenge concatentation option ...................................................................... Static-challenge concatentation option Extend "--static-challenge" option to take a third argument (=0 or 1) to specify that the password and response should be concatenated instead of using the SCRV1 protocol. If unspecified, it defaults to "0" meaning that the SCRV1 protocol should be used. Change-Id: I59a90446bfe73d8856516025a58a6f62cc98ab0d --- M doc/man-sections/client-options.rst M doc/management-notes.txt M src/openvpn/manage.c M src/openvpn/misc.c M src/openvpn/misc.h M src/openvpn/options.c M src/openvpn/ssl.c 7 files changed, 63 insertions(+), 21 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/65/665/1 diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index b75fe5b..ca4ccff 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -541,12 +541,15 @@ Valid syntax: :: - static-challenge text echo + static-challenge text echo [format] The ``text`` challenge text is presented to the user which describes what information is requested. The ``echo`` flag indicates if the user's input should be echoed on the screen. Valid ``echo`` values are - :code:`0` or :code:`1`. + :code:`0` or :code:`1`. The optional ``format`` flag indicates whether + the password and response should be combined using the SCRV1 protocol + (``format`` = :code: `0`) or simply concatenated (``format`` = :code: `1`). + :code: `0` is the default. See management-notes.txt in the OpenVPN distribution for a description of the OpenVPN challenge/response protocol. diff --git a/doc/management-notes.txt b/doc/management-notes.txt index b9947fa..f568a36 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -1320,14 +1320,19 @@ OpenVPN's --static-challenge option is used to provide the challenge text to OpenVPN and indicate whether or not the response -should be echoed. +should be echoed and how the response should be combined with the +password. When credentials are needed and the --static-challenge option is used, the management interface will send: - >PASSWORD:Need 'Auth' username/password SC:, + >PASSWORD:Need 'Auth' username/password SC:, - ECHO: "1" if response should be echoed, "0" to not echo + flags: bitwise OR of ECHO and CONCAT flags + ECHO = 1 if response should be echoed, 0 to not echo + FORMAT = 1 if response should be concatenated with password + as plain text, 0 if response and password should be + encoded as described below TEXT: challenge text that should be shown to the user to facilitate their response @@ -1342,8 +1347,8 @@ The management interface client in this case should add the static challenge text to the auth dialog followed by a field for the user to -enter a response. Then the management interface client should pack the -password and response together into an encoded password and send: +enter a response. If FORMAT=0, the management interface client should +pack the password and response together into an encoded password and send: username "Auth" password "Auth" "SCRV1::" @@ -1354,6 +1359,12 @@ the user. The and/or the can be empty strings. +If FORMAT=1, the client should simply concatenate password and response +with no separator and send: + + username "Auth" + password "Auth" "SCRV1:" + (As in all username/password responses described in the "COMMAND -- password and username" section above, the username can be in quotes, and special characters such as double quotes or backslashes must be @@ -1361,10 +1372,15 @@ For example, if user "foo" entered "bar" as the password and 8675309 as the PIN, the following management interface commands should be -issued: +issued if FROMAT = 0: username "Auth" foo password "Auth" "SCRV1:YmFy:ODY3NTMwOQ==" ("YmFy" is the base 64 encoding of "bar" and "ODY3NTMwOQ==" is the base 64 encoding of "8675309".) + +or, if FORMAT = 1: + + username "Auth" foo + password "Auth" "bar8675309" diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 24f3121..05b5a1a 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -3544,7 +3544,8 @@ if (sc) { buf_printf(&alert_msg, " SC:%d,%s", - BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO), + BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO) + |(BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_CONCAT) << 1), sc); } diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 598fbae..516b1ed 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -438,17 +438,28 @@ { msg(M_FATAL, "ERROR: could not retrieve static challenge response"); } - if (openvpn_base64_encode(up->password, strlen(up->password), &pw64) == -1 - || openvpn_base64_encode(response, strlen(response), &resp64) == -1) + if (!(flags & GET_USER_PASS_STATIC_CHALLENGE_CONCAT)) { - msg(M_FATAL, "ERROR: could not base64-encode password/static_response"); + if (openvpn_base64_encode(up->password, strlen(up->password), &pw64) == -1 + || openvpn_base64_encode(response, strlen(response), &resp64) == -1) + { + msg(M_FATAL, "ERROR: could not base64-encode password/static_response"); + } + buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN); + buf_printf(&packed_resp, "SCRV1:%s:%s", pw64, resp64); + string_clear(pw64); + free(pw64); + string_clear(resp64); + free(resp64); } - buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN); - buf_printf(&packed_resp, "SCRV1:%s:%s", pw64, resp64); - string_clear(pw64); - free(pw64); - string_clear(resp64); - free(resp64); + else + { + if (strlen(up->password) + strlen(response) >= USER_PASS_LEN) + { + msg(M_FATAL, "ERROR: could not concatenate password/static_response: string too long"); + } + strncat(up->password, response, USER_PASS_LEN - strlen(up->password) - 1); + } } #endif /* ifdef ENABLE_MANAGEMENT */ } diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 963f3e6..1e0cb16 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -91,6 +91,7 @@ */ struct static_challenge_info { #define SC_ECHO (1<<0) /* echo response when typed by user */ +#define SC_CONCAT (1<<1) /* concatenate password and response and do not base64 endode */ unsigned int flags; const char *challenge_text; @@ -117,6 +118,7 @@ #define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /* SCRV1 protocol -- echo response */ #define GET_USER_PASS_INLINE_CREDS (1<<10) /* indicates that auth_file is actually inline creds */ +#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT (1<<11) /* indicates password and response should be concatenated */ /** * Retrieves the user credentials from various sources depending on the flags. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index abcde89..270d0c9 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -518,8 +518,9 @@ " Add domains to DNS domain search list\n" "--auth-retry t : How to handle auth failures. Set t to\n" " none (default), interact, or nointeract.\n" - "--static-challenge t e : Enable static challenge/response protocol using\n" - " challenge text t, with e indicating echo flag (0|1)\n" + "--static-challenge t e [p]: Enable static challenge/response protocol using\n" + " challenge text t, with f indicating echo flag (0|1)\n" + " p indicating SCRV1 protocol or concatenate response with password (0/1)\n" "--connect-timeout n : when polling possible remote servers to connect to\n" " in a round-robin fashion, spend no more than n seconds\n" " waiting for a response before trying the next server.\n" @@ -7926,7 +7927,7 @@ auth_retry_set(msglevel, p[1]); } #ifdef ENABLE_MANAGEMENT - else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3]) + else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[4]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->sc_info.challenge_text = p[1]; @@ -7934,6 +7935,10 @@ { options->sc_info.flags |= SC_ECHO; } + if (p[3] && atoi(p[3])) + { + options->sc_info.flags |= SC_CONCAT; + } } #endif else if (streq(p[0], "msg-channel") && p[1]) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 2054eb4..faf83a9 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -312,6 +312,10 @@ { flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO; } + if (sci->flags & SC_CONCAT) + { + flags |= GET_USER_PASS_STATIC_CHALLENGE_CONCAT; + } get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH,