OTP support

2019-08-18 16:29:37 +02:00
parent 07b37e9bc4
commit e9f6a04864
7 changed files with 118 additions and 32 deletions
--- a/openvpn.go
+++ b/openvpn.go
@@ -2,6 +2,7 @@ package main

 import (
 	"bufio"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"net"
@@ -14,6 +15,7 @@ import (
 type OpenVpnPassword struct {
 	User string
 	Pass string
+	OTP  string
 }

 type OpenVpnSrv struct {
@@ -21,6 +23,7 @@ type OpenVpnSrv struct {
 	Status     string `json:"status"`
 	Provider   string `json:"provider"`
 	Identifier string `json:"identifier"`
+	Message    string `json:"message"`
 	chanHold   chan bool
 	chanPass   chan OpenVpnPassword
 	m          sync.RWMutex
@@ -28,6 +31,7 @@ type OpenVpnSrv struct {
 	buf        *bufio.ReadWriter
 	mgt        *OpenVpnMgt
 	hold       bool
+	authWait   bool
 	authCache  *OpenVpnPassword
 }

@@ -47,12 +51,21 @@ func NewOpenVpnSrv(conn net.Conn, mgt *OpenVpnMgt) *OpenVpnSrv {
 		ret:        make(chan []string),
 		mgt:        mgt,
 		hold:       false,
+		authWait:   false,
 		Status:     "Starting",
 		Identifier: "Unknown",
 		Provider:   "Unknown",
 	}
 }

+func (v *OpenVpnSrv) B64OTP() string {
+	return base64.StdEncoding.EncodeToString([]byte(v.authCache.OTP))
+}
+
+func (v *OpenVpnSrv) B64Pass() string {
+	return base64.StdEncoding.EncodeToString([]byte(v.authCache.Pass))
+}
+
 // send a command to the server. Set the channel to receive the response
 func (v *OpenVpnSrv) sendCommand(msg []string) (error, []string) {
 	v.Lock()
@@ -149,7 +162,9 @@ func (v *OpenVpnSrv) GetLine() (string, error) {
 }

 func (v *OpenVpnSrv) ValidRemote(server, port, proto string) {
-	v.Status = "Connected"
+	if !v.authWait {
+		v.Status = "Connected"
+	}
 	if v.Remote != "" {
 		v.sendCommand([]string{fmt.Sprintf("remote MOD %s %s %s", v.Remote, port, proto)})
 		return
@@ -182,12 +197,31 @@ func (v *OpenVpnSrv) SetRemote(server string) error {
 }

 func (v *OpenVpnSrv) NeedPassword(line string) {
+	if v.authWait {
+		return
+	}
+	v.authWait = true
 	v.mgt.Debug(line)
 	v.Status = "Need Password"
-	switch line {
-	case ">PASSWORD:Need 'Auth' username/password":
+	v.Message = ""
+	backup := v.authCache
+
+	OtpPassRegexp := rcache.Get("^>PASSWORD:Need 'Auth' username/password SC:([01]),(.*)$")
+	OtpPassMatch := OtpPassRegexp.FindStringSubmatch(line)
+
+	CRV1Regexep := rcache.Get(">PASSWORD:Verification Failed: 'Auth' \\['CRV1:([R,E]*):(.*):(.*):(.*)'\\]")
+	CRV1Match := CRV1Regexep.FindStringSubmatch(line)
+	switch {
+	case len(CRV1Match) > 1:
+		v.Status = "Need OTP"
+		v.Message = CRV1Match[4]
+		v.authCache = nil
+	case len(OtpPassMatch) > 1:
+		v.Status = "Need Password and OTP"
+		v.Message = OtpPassMatch[2]
+	case line == ">PASSWORD:Need 'Auth' username/password":
 		v.Status = "Need Password"
-	case ">PASSWORD:Verification Failed: 'Auth'":
+	case line == ">PASSWORD:Verification Failed: 'Auth'":
 		v.authCache = nil
 		v.Status = "Auth Failed"
 		return
@@ -196,20 +230,55 @@ func (v *OpenVpnSrv) NeedPassword(line string) {
 		ident := <-v.chanPass
 		v.authCache = &ident
 	}
-	switch line {
-	case ">PASSWORD:Need 'Auth' username/password":
-		v.sendCommand([]string{fmt.Sprintf("username \"Auth\" %s", v.authCache.User)})
-		v.sendCommand([]string{fmt.Sprintf("password \"Auth\" %s", v.authCache.Pass)})
+	var cmd []string
+	switch {
+	case len(CRV1Match) > 1:
+		cmd = []string{
+			fmt.Sprintf("username \"Auth\" %s", B64decode(CRV1Match[3])),
+			fmt.Sprintf("password \"Auth\" CRV1::%s::%s", CRV1Match[2], v.authCache.OTP),
+		}
+		// restore auth backup
+		v.authCache = backup
+
+	case len(OtpPassMatch) > 1:
+		cmd = []string{
+			fmt.Sprintf("username \"Auth\" %s", v.authCache.User),
+			fmt.Sprintf("password \"Auth\" SCRV1:%s:%s", v.B64Pass(), v.B64OTP()),
+		}
+	case line == ">PASSWORD:Need 'Auth' username/password":
+		cmd = []string{
+			fmt.Sprintf("username \"Auth\" %s", v.authCache.User),
+			fmt.Sprintf("password \"Auth\" %s", v.authCache.Pass),
+		}
 	}
+	for _, c := range cmd {
+		v.sendCommand([]string{c})
+	}
+	v.authWait = false
+	v.Message = ""
+	v.Status = "Connected"
 }

-func (v *OpenVpnSrv) AuthUserPass(user, pass string) {
-	auth := OpenVpnPassword{user, pass}
-	v.authCache = &auth
-	if v.Status == "Need Password" {
-		v.Status = "Authenticate"
-		v.chanPass <- auth
+func (v *OpenVpnSrv) AuthUserPass(user, pass, otp string) {
+	auth := OpenVpnPassword{user, pass, otp}
+	if v.authCache == nil {
+		v.authCache = &auth
 	}
+	switch v.Status {
+	case "Need Password and OTP":
+		v.authCache.User = user
+		v.authCache.Pass = pass
+		v.authCache.OTP = otp
+	case "Need OTP":
+		v.authCache.OTP = otp
+	case "Need Password":
+		v.authCache.User = user
+		v.authCache.Pass = pass
+	default:
+		return
+	}
+	v.chanPass <- auth
+	v.Status = "Check Password"
 }

 func (v *OpenVpnSrv) waitForRelase() {