From patchwork Tue Apr 14 05:58:54 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4890
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Apr 2026 07:58:54 +0200
Message-ID: <20260414055900.17132-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] Inlined credentials: read missing password from management interface

From: Selva Nair

When commit 39619b7fab added support for inlining username only, fallback for password was from console. This is not ideal when graphical UI is in use as there is no console. Instead, query the management interface when possible.

This patch just extends a similar fix when username is read from a file and password is missing.

As before, any username read from file or inlined is not preserved as we currently have no way of locking the username in the management interface prompt.

Change-Id: Ieeb2f980330d485739dbf3d722f107c1dbf704fc
Signed-off-by: Selva Nair
Acked-by: Arne Schwabe
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1599
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1599
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index c00a3ce..979293f 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -305,24 +305,6 @@ { strncpy(up->password, password_buf, USER_PASS_LEN); } - /* The auth-file does not have the password: get both username - * and password from the management interface if possible. - * Otherwise set to read password from console. - */ -#if defined(ENABLE_MANAGEMENT) - else if (management && (flags & GET_USER_PASS_MANAGEMENT) - && management_query_user_pass_enabled(management)) - { - msg(D_LOW, - "No password found in %s authfile '%s'. Querying the management interface", - prefix, auth_file); - if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge)) - { - fclose(fp); - return false; - } - } -#endif else { password_from_stdin = 1;
@@ -348,7 +330,23 @@ if (username_from_stdin || password_from_stdin || response_from_stdin) { #ifdef ENABLE_MANAGEMENT - if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && response_from_stdin) + /* If management-query-passwords is true, we could be here because + * of no password present in auth-file or inline. In that case + * query via the management interface instead of stdin/console. + */ + if (management && (flags & GET_USER_PASS_MANAGEMENT) + && management_query_user_pass_enabled(management) + && !(flags & GET_USER_PASS_USERNAME_ONLY)) + { + msg(D_LOW, + "No '%s' password found in authfile or inline. Querying the management interface", + prefix); + if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge)) + { + return false; + } + } + else if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && response_from_stdin) { struct auth_challenge_info *ac = parse_auth_challenge(auth_challenge, &gc); if (ac)
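
Review bot: In the first misc.c hunk (@@ -305), the surviving `else { password_from_stdin = 1;` loses the only comment that explained what happens when the auth-file has no password, and after this change that flag also stands for "ask the management interface if enabled". A short comment on the `else` stating that the flag may lead to a management query, and that the username read from the file is discarded in that case, would keep the auth-file code readable on its own. The removed message also named the file through `auth_file`, while the replacement message does not, so the log no longer tells which file lacked the password.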
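
Review bot: In the second misc.c hunk (@@ -348), the new management condition does not test `password_from_stdin`, so it is also taken when the enclosing `if` was entered only because of `username_from_stdin` or `response_from_stdin`, and it now sits ahead of the dynamic-challenge case, which became `else if (auth_challenge && ... && response_from_stdin)`. If that precedence is intended, the comment should say so and the message "No '%s' password found in authfile or inline" should not be logged for those cases; otherwise add `&& password_from_stdin` to the condition. The added `return false;` also leaves the function from inside a block that uses `&gc`, so it is worth confirming that the arena needs no `gc_free()` on this path.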