pool/openvpn
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6c81d3760a
openvpn/0001-preform-deferred-authentication-in-the-background.patch
Reinhard Max 5126890df2 - Update to 2.5.3: 
* Removal of BF-CBC support in default configuration
    *** POSSIBLE INCOMPATIBILITY ***
    See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
  * Connections setup is now much faster
  * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
  * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
  * Client-specific tls-crypt keys (--tls-crypt-v2)
  * Improved Data channel cipher negotiation
  * HMAC based auth-token support for seamless reconnects to
    standalone servers or a group of servers
  * Asynchronous (deferred) authentication support for auth-pam
    plugin
  * Asynchronous (deferred) support for client-connect scripts and
    plugins
  * Support IPv4 configs with /31 netmasks
  * 802.1q VLAN support on TAP servers
  * Support IPv6-only tunnels
  * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
  * Support Virtual Routing and Forwarding (VRF)
  * Netlink integration (OpenVPN no longer needs to execute
    ifconfig/route or ip commands)
  * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
- bsc#1062157: The fix for bsc#934237 causes problems with the
  crypto self-test of newer openvpn versions.
  Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .

OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=165
2021-08-05 14:32:44 +00:00

157 lines
4.4 KiB
Diff
Raw Blame History

--- src/plugins/auth-pam/auth-pam.c.orig
+++ src/plugins/auth-pam/auth-pam.c
@@ -43,6 +43,7 @@
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
+#include <linux/limits.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
@@ -56,6 +57,7 @@
/* Command codes for foreground -> background communication */
#define COMMAND_VERIFY 0
#define COMMAND_EXIT 1
+#define COMMAND_VERIFY_V2 2
/* Response codes for background -> foreground communication */
#define RESPONSE_INIT_SUCCEEDED 10
@@ -120,6 +122,7 @@ struct user_pass {
char password[128];
char common_name[128];
char response[128];
+ char auth_control_file[PATH_MAX];
const struct name_value_list *name_value_list;
};
@@ -884,6 +887,21 @@ do_deferred_pam_auth(int fd, const char
exit(0);
}
+static int handle_auth_control_file(char *auth_control_file, int status)
+{
+ FILE *fp = fopen(auth_control_file, "w");
+
+ if (fp) {
+ if (fprintf (fp, "%d\n", status) < 0) {
+ fclose(fp);
+ return -1;
+ }
+ fclose(fp);
+ return 0;
+ }
+ return -1;
+}
+
/*
* Background process -- runs with privilege.
*/
@@ -1002,6 +1020,42 @@ pam_server(int fd, const char *service,
plugin_secure_memzero(up.password, sizeof(up.password));
break;
+ case COMMAND_VERIFY_V2:
+ if (recv_string (fd, up.username, sizeof (up.username)) == -1
+ || recv_string (fd, up.password, sizeof (up.password)) == -1
+ || recv_string (fd, up.common_name, sizeof (up.common_name)) == -1
+ || recv_string (fd, up.auth_control_file, sizeof (up.auth_control_file)) == -1)
+ {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n",
+ command);
+ goto done;
+ }
+
+ if (DEBUG (verb))
+ {
+#if 0
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n",
+ up.username, up.password);
+#else
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username);
+#endif
+ }
+
+ if (pam_auth (service, &up)) /* Succeeded */
+ {
+ if (handle_auth_control_file(up.auth_control_file, 1) == -1) {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n");
+ }
+ }
+ else /* Failed */
+ {
+ if (handle_auth_control_file(up.auth_control_file, 0) == -1) {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n");
+ }
+ }
+ break;
+
+
case COMMAND_EXIT:
goto done;
@@ -1029,3 +1083,56 @@ done:
return;
}
+
+int
+handle_auth_pass_verify_v2(struct auth_pam_context *context, const char *argv[], const char *envp[])
+{
+
+ /* get username/password from envp string array */
+ const char *username = get_env ("username", envp);
+ const char *password = get_env ("password", envp);
+ const char *common_name = get_env ("common_name", envp) ? get_env ("common_name", envp) : "";
+ const char *auth_control_file = get_env ("auth_control_file", envp);
+
+ if (!username || !*username || !password)
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+
+ if (!auth_control_file || !*auth_control_file || access( auth_control_file, F_OK ) == -1)
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+
+ if (send_control (context->foreground_fd, COMMAND_VERIFY_V2) == -1
+ || send_string (context->foreground_fd, username) == -1
+ || send_string (context->foreground_fd, password) == -1
+ || send_string (context->foreground_fd, common_name) == -1
+ || send_string (context->foreground_fd, auth_control_file) == -1)
+ {
+ fprintf (stderr, "AUTH-PAM: Error sending auth info to background process\n");
+ }
+ else
+ {
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
+ }
+
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle,
+ const int type,
+ const char *argv[],
+ const char *envp[],
+ void *per_client_context,
+ struct openvpn_plugin_string_list **return_list)
+{
+ struct auth_pam_context *context = (struct auth_pam_context *) handle;
+
+ switch (type)
+ {
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
+ return handle_auth_pass_verify_v2 (context, argv, envp);
+ default:
+ printf ("OPENVPN_PLUGIN_?\n");
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+}
--- src/plugins/auth-pam/auth-pam.exports.orig
+++ src/plugins/auth-pam/auth-pam.exports
@@ -1,4 +1,5 @@
openvpn_plugin_open_v3
openvpn_plugin_func_v1
+openvpn_plugin_func_v2
openvpn_plugin_close_v1
openvpn_plugin_abort_v1
Reference in New Issue View Git Blame Copy Permalink