void
set_auth_token (struct user_pass *up, const char *token)
{
if (token && strlen(token) && up && up->defined && !up->nocache)
{
CLEAR (up->password);
strncpynt (up->password, token, USER_PASS_LEN);
}
}
/*
* write a string to the end of a buffer that was
* truncated by buf_printf
*/
void
buf_catrunc (struct buffer *buf, const char *str)
{
if (buf_forward_capacity (buf) <= 1)
{
int len = (int) strlen (str) + 1;
if (len < buf_forward_capacity_total (buf))
{
strncpynt ((char *)(buf->data + buf->capacity - len), str, len);
}
}
}
static
bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
{
bool retval = false;
X509_EXTENSION *pExt;
char *buf = 0;
int length = 0;
GENERAL_NAMES *extensions;
int nid = OBJ_txt2nid(fieldname);
extensions = (GENERAL_NAMES *)X509_get_ext_d2i(cert, nid, NULL, NULL);
if ( extensions )
{
int numalts;
int i;
/* get amount of alternatives,
* RFC2459 claims there MUST be at least
* one, but we don't depend on it...
*/
numalts = sk_GENERAL_NAME_num(extensions);
/* loop through all alternatives */
for (i=0; i<numalts; i++)
{
/* get a handle to alternative name number i */
const GENERAL_NAME *name = sk_GENERAL_NAME_value (extensions, i );
switch (name->type)
{
case GEN_EMAIL:
ASN1_STRING_to_UTF8((unsigned char**)&buf, name->d.ia5);
if ( strlen (buf) != name->d.ia5->length )
{
msg (D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");
OPENSSL_free (buf);
} else {
strncpynt(out, buf, size);
OPENSSL_free(buf);
retval = true;
}
break;
default:
msg (D_TLS_ERRORS, "ASN1 ERROR: can not handle field type %i",
name->type);
break;
}
}
sk_GENERAL_NAME_free (extensions);
}
return retval;
}
static
PKCS11H_BOOL
_pkcs11_openvpn_pin_prompt(
void *const global_data,
void *const user_data,
const pkcs11h_token_id_t token,
const unsigned retry,
char *const pin,
const size_t pin_max
) {
struct user_pass token_pass;
char prompt[1024];
(void)global_data;
(void)user_data;
(void)retry;
ASSERT(token!=NULL);
openvpn_snprintf(prompt, sizeof(prompt), "%s token", token->label);
token_pass.defined = false;
token_pass.nocache = true;
if (
!get_user_pass(
&token_pass,
NULL,
prompt,
GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
)
)
{
return false;
}
else
{
strncpynt(pin, token_pass.password, pin_max);
purge_user_pass(&token_pass, true);
if (strlen(pin) == 0)
{
return false;
}
else
{
return true;
}
}
}
bool
buf_puts(struct buffer *buf, const char *str)
{
int ret = false;
uint8_t *ptr = BEND (buf);
int cap = buf_forward_capacity (buf);
if (cap > 0)
{
strncpynt ((char *)ptr,str, cap);
*(buf->data + buf->capacity - 1) = 0; /* windows vsnprintf needs this */
buf->len += (int) strlen ((char *)ptr);
ret = true;
}
return ret;
}
static
bool
_pkcs11_openvpn_pin_prompt (
IN const void *pData,
IN const pkcs11h_token_id_t token,
IN const unsigned retry,
OUT char * const szPIN,
IN const size_t nMaxPIN
) {
static struct user_pass token_pass;
char szPrompt[1024];
(void)retry;
ASSERT (token!=NULL);
openvpn_snprintf (szPrompt, sizeof (szPrompt), "%s token", token->label);
token_pass.defined = false;
token_pass.nocache = true;
if (
!get_user_pass (
&token_pass,
NULL,
szPrompt,
GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
)
) {
return false;
}
else {
strncpynt (szPIN, token_pass.password, nMaxPIN);
purge_user_pass (&token_pass, true);
if (strlen (szPIN) == 0) {
return false;
}
else {
return true;
}
}
}
void
get_highest_preference_tls_cipher (char *buf, int size)
{
SSL_CTX *ctx;
SSL *ssl;
const char *cipher_name;
ctx = SSL_CTX_new (TLSv1_method ());
if (!ctx)
msg (M_SSLERR, "Cannot create SSL_CTX object");
ssl = SSL_new (ctx);
if (!ssl)
msg (M_SSLERR, "Cannot create SSL object");
cipher_name = SSL_get_cipher_list (ssl, 0);
strncpynt (buf, cipher_name, size);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
/* * Extract a field from an X509 subject name. * * Example: * * /C=US/ST=CO/L=Denver/O=ORG/CN=First-CN/CN=Test-CA/[email protected] * * The common name is 'Test-CA' * * Return true on success, false on error (insufficient buffer size in 'out' * to contain result is grounds for error). */ static result_t extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, int size) { int lastpos = -1; int tmp = -1; X509_NAME_ENTRY *x509ne = 0; ASN1_STRING *asn1 = 0; unsigned char *buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ int nid = OBJ_txt2nid((char *)field_name); ASSERT (size > 0); *out = '\0'; do { lastpos = tmp; tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos); } while (tmp > -1); /* Nothing found */ if (lastpos == -1) return FAILURE; x509ne = X509_NAME_get_entry(x509, lastpos); if (!x509ne) return FAILURE; asn1 = X509_NAME_ENTRY_get_data(x509ne); if (!asn1) return FAILURE; tmp = ASN1_STRING_to_UTF8(&buf, asn1); if (tmp <= 0) return FAILURE; strncpynt(out, (char *)buf, size); { const result_t ret = (strlen ((char *)buf) < size) ? SUCCESS: FAILURE; OPENSSL_free (buf); return ret; } }
/*
* Get input from console
*/
bool
get_console_input (const char *prompt, const bool echo, char *input, const int capacity)
{
bool ret = false;
ASSERT (prompt);
ASSERT (input);
ASSERT (capacity > 0);
input[0] = '\0';
#ifdef ENABLE_SYSTEMD
if (check_systemd_running ())
return get_console_input_systemd (prompt, echo, input, capacity);
#endif
#if defined(WIN32)
return get_console_input_win32 (prompt, echo, input, capacity);
#elif defined(HAVE_GETPASS)
/* did we --daemon'ize before asking for passwords?
* (in which case neither stdin or stderr are connected to a tty and
* /dev/tty can not be open()ed anymore)
*/
if ( !isatty(0) && !isatty(2) )
{
int fd = open( "/dev/tty", O_RDWR );
if ( fd < 0 )
{ msg(M_FATAL, "neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for '%s'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.", prompt ); }
close(fd);
}
if (echo)
{
FILE *fp;
fp = open_tty (true);
fprintf (fp, "%s", prompt);
fflush (fp);
close_tty (fp);
fp = open_tty (false);
if (fgets (input, capacity, fp) != NULL)
{
chomp (input);
ret = true;
}
close_tty (fp);
}
else
{
char *gp = getpass (prompt);
if (gp)
{
strncpynt (input, gp, capacity);
memset (gp, 0, strlen (gp));
ret = true;
}
}
#else
msg (M_FATAL, "Sorry, but I can't get console input on this OS (%s)", prompt);
#endif
return ret;
}
bool
get_user_pass_cr (struct user_pass *up,
const char *auth_file,
const char *prefix,
const unsigned int flags,
const char *auth_challenge)
{
struct gc_arena gc = gc_new ();
if (!up->defined)
{
const bool from_stdin = (!auth_file || !strcmp (auth_file, "stdin"));
if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
msg (M_WARN, "Note: previous '%s' credentials failed", prefix);
#ifdef ENABLE_MANAGEMENT
/*
* Get username/password from management interface?
*/
if (management
&& ((auth_file && streq (auth_file, "management")) || (from_stdin && (flags & GET_USER_PASS_MANAGEMENT)))
&& management_query_user_pass_enabled (management))
{
const char *sc = NULL;
if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
management_auth_failure (management, prefix, "previous auth credentials failed");
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE))
sc = auth_challenge;
#endif
if (!management_query_user_pass (management, up, prefix, flags, sc))
{
if ((flags & GET_USER_PASS_NOFATAL) != 0)
return false;
else
msg (M_FATAL, "ERROR: could not read %s username/password/ok/string from management interface", prefix);
}
}
else
#endif
/*
* Get NEED_OK confirmation from the console
*/
if (flags & GET_USER_PASS_NEED_OK)
{
struct buffer user_prompt = alloc_buf_gc (128, &gc);
buf_printf (&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
if (!get_console_input (BSTR (&user_prompt), true, up->password, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
if (!strlen (up->password))
strcpy (up->password, "ok");
}
/*
* Get username/password from standard input?
*/
else if (from_stdin)
{
#ifndef WIN32
/* did we --daemon'ize before asking for passwords? */
if ( !isatty(0) && !isatty(2) )
{ msg(M_FATAL, "neither stdin nor stderr are a tty device, can't ask for %s password. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.", prefix ); }
#endif
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
{
struct auth_challenge_info *ac = get_auth_challenge (auth_challenge, &gc);
if (ac)
{
char *response = (char *) gc_malloc (USER_PASS_LEN, false, &gc);
struct buffer packed_resp;
buf_set_write (&packed_resp, (uint8_t*)up->password, USER_PASS_LEN);
msg (M_INFO|M_NOPREFIX, "CHALLENGE: %s", ac->challenge_text);
if (!get_console_input ("Response:", BOOL_CAST(ac->flags&CR_ECHO), response, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not read challenge response from stdin");
strncpynt (up->username, ac->user, USER_PASS_LEN);
buf_printf (&packed_resp, "CRV1::%s::%s", ac->state_id, response);
}
else
{
msg (M_FATAL, "ERROR: received malformed challenge request from server");
}
}
else
#endif
{
struct buffer user_prompt = alloc_buf_gc (128, &gc);
struct buffer pass_prompt = alloc_buf_gc (128, &gc);
buf_printf (&user_prompt, "Enter %s Username:"******"Enter %s Password:"******"ERROR: could not read %s username from stdin", prefix);
if (strlen (up->username) == 0)
msg (M_FATAL, "ERROR: %s username is empty", prefix);
}
if (!get_console_input (BSTR (&pass_prompt), false, up->password, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not not read %s password from stdin", prefix);
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE))
{
char *response = (char *) gc_malloc (USER_PASS_LEN, false, &gc);
struct buffer packed_resp;
char *pw64=NULL, *resp64=NULL;
msg (M_INFO|M_NOPREFIX, "CHALLENGE: %s", auth_challenge);
if (!get_console_input ("Response:", BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO), response, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not read static challenge response from stdin");
if (openvpn_base64_encode(up->password, strlen(up->password), &pw64) == -1
|| openvpn_base64_encode(response, strlen(response), &resp64) == -1)
msg (M_FATAL, "ERROR: could not base64-encode password/static_response");
buf_set_write (&packed_resp, (uint8_t*)up->password, USER_PASS_LEN);
buf_printf (&packed_resp, "SCRV1:%s:%s", pw64, resp64);
string_clear(pw64);
free(pw64);
string_clear(resp64);
free(resp64);
}
#endif
}
}
else
{
/*
* Get username/password from a file.
*/
FILE *fp;
#ifndef ENABLE_PASSWORD_SAVE
/*
* Unless ENABLE_PASSWORD_SAVE is defined, don't allow sensitive passwords
* to be read from a file.
*/
if (flags & GET_USER_PASS_SENSITIVE)
msg (M_FATAL, "Sorry, '%s' password cannot be read from a file", prefix);
#endif
warn_if_group_others_accessible (auth_file);
fp = platform_fopen (auth_file, "r");
if (!fp)
msg (M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file);
if (flags & GET_USER_PASS_PASSWORD_ONLY)
{
if (fgets (up->password, USER_PASS_LEN, fp) == NULL)
msg (M_FATAL, "Error reading password from %s authfile: %s",
prefix,
auth_file);
}
else
{
if (fgets (up->username, USER_PASS_LEN, fp) == NULL
|| fgets (up->password, USER_PASS_LEN, fp) == NULL)
msg (M_FATAL, "Error reading username and password (must be on two consecutive lines) from %s authfile: %s",
prefix,
auth_file);
}
fclose (fp);
chomp (up->username);
chomp (up->password);
if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen (up->username) == 0)
msg (M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix, auth_file);
}
string_mod (up->username, CC_PRINT, CC_CRLF, 0);
string_mod (up->password, CC_PRINT, CC_CRLF, 0);
up->defined = true;
}
#if 0
msg (M_INFO, "GET_USER_PASS %s u='%s' p='%s'", prefix, up->username, up->password);
#endif
gc_free (&gc);
return true;
}
static struct pf_set *
pf_init(const struct buffer_list *bl, const char *prefix, const bool allow_kill)
{
#define MODE_UNDEF 0
#define MODE_CLIENTS 1
#define MODE_SUBNETS 2
int mode = MODE_UNDEF;
int line_num = 0;
int n_clients = 0;
int n_subnets = 0;
int n_errors = 0;
struct pf_set *pfs = NULL;
char line[PF_MAX_LINE_LEN];
ALLOC_OBJ_CLEAR(pfs, struct pf_set);
if (bl)
{
struct pf_cn_elem **cl = &pfs->cns.list;
struct pf_subnet **sl = &pfs->sns.list;
struct buffer_entry *be;
for (be = bl->head; be != NULL; be = be->next)
{
++line_num;
strncpynt(line, BSTR(&be->buf), sizeof(line));
rm_trailing_chars(line, "\r\n\t ");
if (line[0] == '\0' || line[0] == '#')
{
}
else if (line[0] == '+' || line[0] == '-')
{
bool exclude = (line[0] == '-');
if (line[1] =='\0')
{
msg(D_PF_INFO, "PF: %s/%d: no data after +/-: '%s'", prefix, line_num, line);
++n_errors;
}
else if (mode == MODE_CLIENTS)
{
if (add_client(&line[1], prefix, line_num, &cl, exclude))
{
++n_clients;
}
else
{
++n_errors;
}
}
else if (mode == MODE_SUBNETS)
{
if (add_subnet(&line[1], prefix, line_num, &sl, exclude))
{
++n_subnets;
}
else
{
++n_errors;
}
}
else if (mode == MODE_UNDEF)
{
}
else
{
ASSERT(0);
}
}
else if (line[0] == '[')
{
if (!strcasecmp(line, "[clients accept]"))
{
mode = MODE_CLIENTS;
pfs->cns.default_allow = true;
}
else if (!strcasecmp(line, "[clients drop]"))
{
mode = MODE_CLIENTS;
pfs->cns.default_allow = false;
}
else if (!strcasecmp(line, "[subnets accept]"))
{
mode = MODE_SUBNETS;
pfs->sns.default_allow = true;
}
else if (!strcasecmp(line, "[subnets drop]"))
{
mode = MODE_SUBNETS;
pfs->sns.default_allow = false;
}
else if (!strcasecmp(line, "[end]"))
{
goto done;
}
else if (allow_kill && !strcasecmp(line, "[kill]"))
{
goto kill;
}
else
{
mode = MODE_UNDEF;
msg(D_PF_INFO, "PF: %s/%d unknown tag: '%s'", prefix, line_num, line);
++n_errors;
}
}
else
{
msg(D_PF_INFO, "PF: %s/%d line must begin with '+', '-', or '[' : '%s'", prefix, line_num, line);
++n_errors;
}
}
++n_errors;
msg(D_PF_INFO, "PF: %s: missing [end]", prefix);
}
else
{
msg(D_PF_INFO, "PF: %s: cannot open", prefix);
++n_errors;
}
done:
if (bl)
{
if (!n_errors)
{
if (!genhash(&pfs->cns, prefix, n_clients))
{
++n_errors;
}
}
if (n_errors)
{
msg(D_PF_INFO, "PF: %s rejected due to %d error(s)", prefix, n_errors);
}
}
if (n_errors)
{
pf_destroy(pfs);
pfs = NULL;
}
return pfs;
kill:
pf_destroy(pfs);
ALLOC_OBJ_CLEAR(pfs, struct pf_set);
pfs->kill = true;
return pfs;
}
bool
get_user_pass_cr(struct user_pass *up,
const char *auth_file,
const char *prefix,
const unsigned int flags,
const char *auth_challenge)
{
struct gc_arena gc = gc_new();
if (!up->defined)
{
bool from_authfile = (auth_file && !streq(auth_file, "stdin"));
bool username_from_stdin = false;
bool password_from_stdin = false;
bool response_from_stdin = true;
if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
{
msg(M_WARN, "Note: previous '%s' credentials failed", prefix);
}
#ifdef ENABLE_MANAGEMENT
/*
* Get username/password from management interface?
*/
if (management
&& (!from_authfile && (flags & GET_USER_PASS_MANAGEMENT))
&& management_query_user_pass_enabled(management))
{
const char *sc = NULL;
response_from_stdin = false;
if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
{
management_auth_failure(management, prefix, "previous auth credentials failed");
}
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE))
{
sc = auth_challenge;
}
#endif
if (!management_query_user_pass(management, up, prefix, flags, sc))
{
if ((flags & GET_USER_PASS_NOFATAL) != 0)
{
return false;
}
else
{
msg(M_FATAL, "ERROR: could not read %s username/password/ok/string from management interface", prefix);
}
}
}
else
#endif /* ifdef ENABLE_MANAGEMENT */
/*
* Get NEED_OK confirmation from the console
*/
if (flags & GET_USER_PASS_NEED_OK)
{
struct buffer user_prompt = alloc_buf_gc(128, &gc);
buf_printf(&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
if (!query_user_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt),
up->password, USER_PASS_LEN, false))
{
msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
}
if (!strlen(up->password))
{
strcpy(up->password, "ok");
}
}
else if (flags & GET_USER_PASS_INLINE_CREDS)
{
struct buffer buf;
buf_set_read(&buf, (uint8_t *) auth_file, strlen(auth_file) + 1);
if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
{
buf_parse(&buf, '\n', up->username, USER_PASS_LEN);
}
buf_parse(&buf, '\n', up->password, USER_PASS_LEN);
}
/*
* Read from auth file unless this is a dynamic challenge request.
*/
else if (from_authfile && !(flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
{
/*
* Try to get username/password from a file.
*/
FILE *fp;
char password_buf[USER_PASS_LEN] = { '\0' };
fp = platform_fopen(auth_file, "r");
if (!fp)
{
msg(M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file);
}
if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0)
{
/* Read username first */
if (fgets(up->username, USER_PASS_LEN, fp) == NULL)
{
msg(M_FATAL, "Error reading username from %s authfile: %s",
prefix,
auth_file);
}
}
chomp(up->username);
if (fgets(password_buf, USER_PASS_LEN, fp) != NULL)
{
chomp(password_buf);
}
if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0])
{
msg(M_FATAL, "Error reading password from %s authfile: %s", prefix, auth_file);
}
if (password_buf[0])
{
strncpy(up->password, password_buf, USER_PASS_LEN);
}
else
{
password_from_stdin = 1;
}
fclose(fp);
if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen(up->username) == 0)
{
msg(M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix, auth_file);
}
}
else
{
username_from_stdin = true;
password_from_stdin = true;
}
/*
* Get username/password from standard input?
*/
if (username_from_stdin || password_from_stdin || response_from_stdin)
{
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && response_from_stdin)
{
struct auth_challenge_info *ac = get_auth_challenge(auth_challenge, &gc);
if (ac)
{
char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc);
struct buffer packed_resp, challenge;
challenge = alloc_buf_gc(14+strlen(ac->challenge_text), &gc);
buf_printf(&challenge, "CHALLENGE: %s", ac->challenge_text);
buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN);
if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
response, USER_PASS_LEN, BOOL_CAST(ac->flags&CR_ECHO)))
{
msg(M_FATAL, "ERROR: could not read challenge response from stdin");
}
strncpynt(up->username, ac->user, USER_PASS_LEN);
buf_printf(&packed_resp, "CRV1::%s::%s", ac->state_id, response);
}
else
{
msg(M_FATAL, "ERROR: received malformed challenge request from server");
}
}
else
#endif /* ifdef ENABLE_CLIENT_CR */
{
struct buffer user_prompt = alloc_buf_gc(128, &gc);
struct buffer pass_prompt = alloc_buf_gc(128, &gc);
query_user_clear();
buf_printf(&user_prompt, "Enter %s Username:"******"Enter %s Password:"******"ERROR: Failed retrieving username or password");
}
if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
{
if (strlen(up->username) == 0)
{
msg(M_FATAL, "ERROR: %s username is empty", prefix);
}
}
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE) && response_from_stdin)
{
char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc);
struct buffer packed_resp, challenge;
char *pw64 = NULL, *resp64 = NULL;
challenge = alloc_buf_gc(14+strlen(auth_challenge), &gc);
buf_printf(&challenge, "CHALLENGE: %s", auth_challenge);
if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
response, USER_PASS_LEN,
BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO)))
{
msg(M_FATAL, "ERROR: could not retrieve static challenge response");
}
if (openvpn_base64_encode(up->password, strlen(up->password), &pw64) == -1
|| openvpn_base64_encode(response, strlen(response), &resp64) == -1)
{
msg(M_FATAL, "ERROR: could not base64-encode password/static_response");
}
buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN);
buf_printf(&packed_resp, "SCRV1:%s:%s", pw64, resp64);
string_clear(pw64);
free(pw64);
string_clear(resp64);
free(resp64);
}
#endif /* ifdef ENABLE_CLIENT_CR */
}
}
string_mod(up->username, CC_PRINT, CC_CRLF, 0);
string_mod(up->password, CC_PRINT, CC_CRLF, 0);
up->defined = true;
}
#if 0
msg(M_INFO, "GET_USER_PASS %s u='%s' p='%s'", prefix, up->username, up->password);
#endif
gc_free(&gc);
return true;
}
