static const char *
parse_windows_proxy_setting (const char *str, struct auto_proxy_info_entry *e, struct gc_arena *gc)
{
char buf[128];
const char *ret = NULL;
struct buffer in;
CLEAR (*e);
buf_set_read (&in, (const uint8_t *)str, strlen (str));
if (strchr (str, '=') != NULL)
{
if (buf_parse (&in, '=', buf, sizeof (buf)))
ret = string_alloc (buf, gc);
}
if (buf_parse (&in, ':', buf, sizeof (buf)))
e->server = string_alloc (buf, gc);
if (e->server && buf_parse (&in, '\0', buf, sizeof (buf)))
e->port = atoi (buf);
return ret;
}
bool
key_des_check (uint8_t *key, int key_len, int ndc)
{
int i;
struct buffer b;
buf_set_read (&b, key, key_len);
for (i = 0; i < ndc; ++i)
{
DES_cblock *dc = (DES_cblock*) buf_read_alloc (&b, sizeof (DES_cblock));
if (!dc)
{
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material");
goto err;
}
if (DES_is_weak_key(dc))
{
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected");
goto err;
}
if (!DES_check_key_parity (dc))
{
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected");
goto err;
}
}
return true;
err:
ERR_clear_error ();
return false;
}
bool
key_des_check (uint8_t *key, int key_len, int ndc)
{
int i;
struct buffer b;
buf_set_read (&b, key, key_len);
for (i = 0; i < ndc; ++i)
{
unsigned char *key = buf_read_alloc(&b, DES_KEY_SIZE);
if (!key)
{
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material");
goto err;
}
if (0 != des_key_check_weak(key))
{
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected");
goto err;
}
if (0 != des_key_check_key_parity(key))
{
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected");
goto err;
}
}
return true;
err:
return false;
}
const char *
mroute_addr_print_ex (const struct mroute_addr *ma,
const unsigned int flags,
struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc (64, gc);
if (ma)
{
struct mroute_addr maddr = *ma;
switch (maddr.type & MR_ADDR_MASK)
{
case MR_ADDR_ETHER:
buf_printf (&out, "%s", format_hex_ex (ma->addr, 6, 0, 1, ":", gc));
break;
case MR_ADDR_IPV4:
{
struct buffer buf;
in_addr_t addr;
int port;
bool status;
buf_set_read (&buf, maddr.addr, maddr.len);
addr = buf_read_u32 (&buf, &status);
if (status)
{
if ((flags & MAPF_SHOW_ARP) && (maddr.type & MR_ARP))
buf_printf (&out, "ARP/");
buf_printf (&out, "%s", print_in_addr_t (addr, (flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0, gc));
if (maddr.type & MR_WITH_NETBITS)
{
if (flags & MAPF_SUBNET)
{
const in_addr_t netmask = netbits_to_netmask (maddr.netbits);
buf_printf (&out, "/%s", print_in_addr_t (netmask, 0, gc));
}
else
buf_printf (&out, "/%d", maddr.netbits);
}
}
if (maddr.type & MR_WITH_PORT)
{
port = buf_read_u16 (&buf);
if (port >= 0)
buf_printf (&out, ":%d", port);
}
}
break;
case MR_ADDR_IPV6:
buf_printf (&out, "IPV6");
break;
default:
buf_printf (&out, "UNKNOWN");
break;
}
return BSTR (&out);
}
else
return "[NULL]";
}
string_alloc_buf (const char *str, struct gc_arena *gc)
#endif
{
struct buffer buf;
ASSERT (str);
#ifdef DMALLOC
buf_set_read (&buf, (uint8_t*) string_alloc_debug (str, gc, file, line), strlen (str) + 1);
#else
buf_set_read (&buf, (uint8_t*) string_alloc (str, gc), strlen (str) + 1);
#endif
if (buf.len > 0) /* Don't count trailing '\0' as part of length */
--buf.len;
return buf;
}
void
ipv4_packet_size_verify(const uint8_t *data,
const int size,
const int tunnel_type,
const char *prefix,
counter_type *errors)
{
if (size > 0)
{
struct buffer buf;
buf_set_read(&buf, data, size);
if (is_ipv4(tunnel_type, &buf))
{
const struct openvpn_iphdr *pip;
int hlen;
int totlen;
const char *msgstr = "PACKET SIZE INFO";
unsigned int msglevel = D_PACKET_TRUNC_DEBUG;
if (BLEN(&buf) < (int) sizeof(struct openvpn_iphdr))
{
return;
}
verify_align_4(&buf);
pip = (struct openvpn_iphdr *) BPTR(&buf);
hlen = OPENVPN_IPH_GET_LEN(pip->version_len);
totlen = ntohs(pip->tot_len);
if (BLEN(&buf) != totlen)
{
msgstr = "PACKET TRUNCATION ERROR";
msglevel = D_PACKET_TRUNC_ERR;
if (errors)
{
++(*errors);
}
}
msg(msglevel, "%s %s: size=%d totlen=%d hlen=%d errcount=" counter_format,
msgstr,
prefix,
BLEN(&buf),
totlen,
hlen,
errors ? *errors : (counter_type)0);
}
}
}
/*
* See management/management-notes.txt for more info on the
* the dynamic challenge/response protocol implemented here.
*/
struct auth_challenge_info *
get_auth_challenge (const char *auth_challenge, struct gc_arena *gc)
{
if (auth_challenge)
{
struct auth_challenge_info *ac;
const int len = strlen (auth_challenge);
char *work = (char *) gc_malloc (len+1, false, gc);
char *cp;
struct buffer b;
buf_set_read (&b, (const uint8_t *)auth_challenge, len);
ALLOC_OBJ_CLEAR_GC (ac, struct auth_challenge_info, gc);
/* parse prefix */
if (!buf_parse(&b, ':', work, len))
return NULL;
if (strcmp(work, "CRV1"))
return NULL;
/* parse flags */
if (!buf_parse(&b, ':', work, len))
return NULL;
for (cp = work; *cp != '\0'; ++cp)
{
const char c = *cp;
if (c == 'E')
ac->flags |= CR_ECHO;
else if (c == 'R')
ac->flags |= CR_RESPONSE;
}
/* parse state ID */
if (!buf_parse(&b, ':', work, len))
return NULL;
ac->state_id = string_alloc(work, gc);
/* parse user name */
if (!buf_parse(&b, ':', work, len))
return NULL;
ac->user = (char *) gc_malloc (strlen(work)+1, true, gc);
openvpn_base64_decode(work, (void*)ac->user, -1);
/* parse challenge text */
ac->challenge_text = string_alloc(BSTR(&b), gc);
return ac;
}
else
return NULL;
}
void
key_des_fixup (uint8_t *key, int key_len, int ndc)
{
int i;
struct buffer b;
buf_set_read (&b, key, key_len);
for (i = 0; i < ndc; ++i)
{
unsigned char *key = buf_read_alloc(&b, DES_KEY_SIZE);
if (!key)
{
msg (D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material");
return;
}
des_key_set_parity(key);
}
}
void
key_des_fixup (uint8_t *key, int key_len, int ndc)
{
int i;
struct buffer b;
buf_set_read (&b, key, key_len);
for (i = 0; i < ndc; ++i)
{
DES_cblock *dc = (DES_cblock*) buf_read_alloc(&b, sizeof(DES_cblock));
if (!dc)
{
msg (D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material");
ERR_clear_error ();
return;
}
DES_set_odd_parity (dc);
}
}
static void
parse_windows_proxy_setting_list (const char *str, const char *type, struct auto_proxy_info_entry *e, struct gc_arena *gc)
{
struct gc_arena gc_local = gc_new ();
struct auto_proxy_info_entry el;
CLEAR (*e);
if (type)
{
char buf[128];
struct buffer in;
buf_set_read (&in, (const uint8_t *)str, strlen (str));
if (strchr (str, '=') != NULL)
{
while (buf_parse (&in, ' ', buf, sizeof (buf)))
{
const char *t = parse_windows_proxy_setting (buf, &el, &gc_local);
if (t && !strcmp (t, type))
goto found;
}
}
}
else
{
if (!parse_windows_proxy_setting (str, &el, &gc_local))
goto found;
}
goto done;
found:
if (el.server && el.port > 0)
{
e->server = string_alloc (el.server, gc);
e->port = el.port;
}
done:
gc_free (&gc_local);
}
void
read_key_file (struct key2 *key2, const char *file, const unsigned int flags)
{
struct gc_arena gc = gc_new ();
struct buffer in;
int fd, size;
uint8_t hex_byte[3] = {0, 0, 0};
const char *error_filename = file;
/* parse info */
const unsigned char *cp;
int hb_index = 0;
int line_num = 1;
int line_index = 0;
int match = 0;
/* output */
uint8_t* out = (uint8_t*) &key2->keys;
const int keylen = sizeof (key2->keys);
int count = 0;
/* parse states */
# define PARSE_INITIAL 0
# define PARSE_HEAD 1
# define PARSE_DATA 2
# define PARSE_DATA_COMPLETE 3
# define PARSE_FOOT 4
# define PARSE_FINISHED 5
int state = PARSE_INITIAL;
/* constants */
const int hlen = strlen (static_key_head);
const int flen = strlen (static_key_foot);
const int onekeylen = sizeof (key2->keys[0]);
CLEAR (*key2);
/*
* Key can be provided as a filename in 'file' or if RKF_INLINE
* is set, the actual key data itself in ascii form.
*/
if (flags & RKF_INLINE) /* 'file' is a string containing ascii representation of key */
{
size = strlen (file) + 1;
buf_set_read (&in, (const uint8_t *)file, size);
error_filename = INLINE_FILE_TAG;
}
else /* 'file' is a filename which refers to a file containing the ascii key */
{
in = alloc_buf_gc (2048, &gc);
fd = platform_open (file, O_RDONLY, 0);
if (fd == -1)
msg (M_ERR, "Cannot open file key file '%s'", file);
size = read (fd, in.data, in.capacity);
if (size < 0)
msg (M_FATAL, "Read error on key file ('%s')", file);
if (size == in.capacity)
msg (M_FATAL, "Key file ('%s') can be a maximum of %d bytes", file, (int)in.capacity);
close (fd);
}
cp = (unsigned char *)in.data;
while (size > 0)
{
const unsigned char c = *cp;
#if 0
msg (M_INFO, "char='%c'[%d] s=%d ln=%d li=%d m=%d c=%d",
c, (int)c, state, line_num, line_index, match, count);
#endif
if (c == '\n')
{
line_index = match = 0;
++line_num;
}
else
{
/* first char of new line */
if (!line_index)
{
/* first char of line after header line? */
if (state == PARSE_HEAD)
state = PARSE_DATA;
/* first char of footer */
if ((state == PARSE_DATA || state == PARSE_DATA_COMPLETE) && c == '-')
state = PARSE_FOOT;
}
/* compare read chars with header line */
if (state == PARSE_INITIAL)
{
if (line_index < hlen && c == static_key_head[line_index])
{
if (++match == hlen)
state = PARSE_HEAD;
}
}
/* compare read chars with footer line */
if (state == PARSE_FOOT)
{
if (line_index < flen && c == static_key_foot[line_index])
{
if (++match == flen)
state = PARSE_FINISHED;
}
}
/* reading key */
if (state == PARSE_DATA)
{
if (isxdigit(c))
{
ASSERT (hb_index >= 0 && hb_index < 2);
hex_byte[hb_index++] = c;
if (hb_index == 2)
{
unsigned int u;
ASSERT(sscanf((const char *)hex_byte, "%x", &u) == 1);
*out++ = u;
hb_index = 0;
if (++count == keylen)
state = PARSE_DATA_COMPLETE;
}
}
else if (isspace(c))
;
else
{
msg (M_FATAL,
(isprint (c) ? printable_char_fmt : unprintable_char_fmt),
c, line_num, error_filename, count, onekeylen, keylen);
}
}
++line_index;
}
++cp;
--size;
}
/*
* Normally we will read either 1 or 2 keys from file.
*/
key2->n = count / onekeylen;
ASSERT (key2->n >= 0 && key2->n <= (int) SIZE (key2->keys));
if (flags & RKF_MUST_SUCCEED)
{
if (!key2->n)
msg (M_FATAL, "Insufficient key material or header text not found in file '%s' (%d/%d/%d bytes found/min/max)",
error_filename, count, onekeylen, keylen);
if (state != PARSE_FINISHED)
msg (M_FATAL, "Footer text not found in file '%s' (%d/%d/%d bytes found/min/max)",
error_filename, count, onekeylen, keylen);
}
/* zero file read buffer if not an inline file */
if (!(flags & RKF_INLINE))
ovpn_buf_clear (&in);
if (key2->n)
warn_if_group_others_accessible (error_filename);
#if 0
/* DEBUGGING */
{
int i;
printf ("KEY READ, n=%d\n", key2->n);
for (i = 0; i < (int) SIZE (key2->keys); ++i)
{
/* format key as ascii */
const char *fmt = format_hex_ex ((const uint8_t*)&key2->keys[i],
sizeof (key2->keys[i]),
0,
16,
"\n",
&gc);
printf ("[%d]\n%s\n\n", i, fmt);
}
}
#endif
/* pop our garbage collection level */
gc_free (&gc);
}
/*
* If (opt->flags & CO_USE_IV) is not NULL, we will read an IV from the packet.
*
* Set buf->len to 0 and return false on decrypt error.
*
* On success, buf is set to point to plaintext, true
* is returned.
*/
bool
openvpn_decrypt (struct buffer *buf, struct buffer work,
const struct crypto_options *opt,
const struct frame* frame)
{
static const char error_prefix[] = "Authenticate/Decrypt packet error";
struct gc_arena gc;
gc_init (&gc);
if (buf->len > 0 && opt->key_ctx_bi)
{
struct key_ctx *ctx = &opt->key_ctx_bi->decrypt;
struct packet_id_net pin;
bool have_pin = false;
/* Verify the HMAC */
if (ctx->hmac)
{
int hmac_len;
uint8_t local_hmac[MAX_HMAC_KEY_LENGTH]; /* HMAC of ciphertext computed locally */
hmac_ctx_reset(ctx->hmac);
/* Assume the length of the input HMAC */
hmac_len = hmac_ctx_size (ctx->hmac);
/* Authentication fails if insufficient data in packet for HMAC */
if (buf->len < hmac_len)
CRYPT_ERROR ("missing authentication info");
hmac_ctx_update (ctx->hmac, BPTR (buf) + hmac_len, BLEN (buf) - hmac_len);
hmac_ctx_final (ctx->hmac, local_hmac);
/* Compare locally computed HMAC with packet HMAC */
if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
CRYPT_ERROR ("packet HMAC authentication failed");
ASSERT (buf_advance (buf, hmac_len));
}
/* Decrypt packet ID + payload */
if (ctx->cipher)
{
const int iv_size = cipher_ctx_iv_length (ctx->cipher);
const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher);
uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH];
int outlen;
/* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
ASSERT (buf_init (&work, FRAME_HEADROOM_ADJ (frame, FRAME_HEADROOM_MARKER_DECRYPT)));
/* use IV if user requested it */
CLEAR (iv_buf);
if (opt->flags & CO_USE_IV)
{
if (buf->len < iv_size)
CRYPT_ERROR ("missing IV info");
memcpy (iv_buf, BPTR (buf), iv_size);
ASSERT (buf_advance (buf, iv_size));
}
/* show the IV's initial state */
if (opt->flags & CO_USE_IV)
dmsg (D_PACKET_CONTENT, "DECRYPT IV: %s", format_hex (iv_buf, iv_size, 0, &gc));
if (buf->len < 1)
CRYPT_ERROR ("missing payload");
/* ctx->cipher was already initialized with key & keylen */
if (!cipher_ctx_reset (ctx->cipher, iv_buf))
CRYPT_ERROR ("cipher init failed");
/* Buffer overflow check (should never happen) */
if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
CRYPT_ERROR ("potential buffer overflow");
/* Decrypt packet ID, payload */
if (!cipher_ctx_update (ctx->cipher, BPTR (&work), &outlen, BPTR (buf), BLEN (buf)))
CRYPT_ERROR ("cipher update failed");
ASSERT (buf_inc_len(&work, outlen));
/* Flush the decryption buffer */
if (!cipher_ctx_final (ctx->cipher, BPTR (&work) + outlen, &outlen))
CRYPT_ERROR ("cipher final failed");
ASSERT (buf_inc_len(&work, outlen));
dmsg (D_PACKET_CONTENT, "DECRYPT TO: %s",
format_hex (BPTR (&work), BLEN (&work), 80, &gc));
/* Get packet ID from plaintext buffer or IV, depending on cipher mode */
{
if (cipher_kt_mode_cbc(cipher_kt))
{
if (opt->packet_id)
{
if (!packet_id_read (&pin, &work, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM)))
CRYPT_ERROR ("error reading CBC packet-id");
have_pin = true;
}
}
else if (cipher_kt_mode_ofb_cfb(cipher_kt))
{
struct buffer b;
ASSERT (opt->flags & CO_USE_IV); /* IV and packet-ID required */
ASSERT (opt->packet_id); /* for this mode. */
buf_set_read (&b, iv_buf, iv_size);
if (!packet_id_read (&pin, &b, true))
CRYPT_ERROR ("error reading CFB/OFB packet-id");
have_pin = true;
}
else /* We only support CBC, CFB, or OFB modes right now */
{
ASSERT (0);
}
}
}
else
{
work = *buf;
if (opt->packet_id)
{
if (!packet_id_read (&pin, &work, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM)))
CRYPT_ERROR ("error reading packet-id");
have_pin = !BOOL_CAST (opt->flags & CO_IGNORE_PACKET_ID);
}
}
if (have_pin)
{
packet_id_reap_test (&opt->packet_id->rec);
if (packet_id_test (&opt->packet_id->rec, &pin))
{
packet_id_add (&opt->packet_id->rec, &pin);
if (opt->pid_persist && (opt->flags & CO_PACKET_ID_LONG_FORM))
packet_id_persist_save_obj (opt->pid_persist, opt->packet_id);
}
else
{
if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS))
msg (D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings",
error_prefix, packet_id_net_print (&pin, true, &gc));
goto error_exit;
}
}
*buf = work;
}
gc_free (&gc);
return true;
error_exit:
crypto_clear_error();
buf->len = 0;
gc_free (&gc);
return false;
}
bool
get_user_pass_cr(struct user_pass *up,
const char *auth_file,
const char *prefix,
const unsigned int flags,
const char *auth_challenge)
{
struct gc_arena gc = gc_new();
if (!up->defined)
{
bool from_authfile = (auth_file && !streq(auth_file, "stdin"));
bool username_from_stdin = false;
bool password_from_stdin = false;
bool response_from_stdin = true;
if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
{
msg(M_WARN, "Note: previous '%s' credentials failed", prefix);
}
#ifdef ENABLE_MANAGEMENT
/*
* Get username/password from management interface?
*/
if (management
&& (!from_authfile && (flags & GET_USER_PASS_MANAGEMENT))
&& management_query_user_pass_enabled(management))
{
const char *sc = NULL;
response_from_stdin = false;
if (flags & GET_USER_PASS_PREVIOUS_CREDS_FAILED)
{
management_auth_failure(management, prefix, "previous auth credentials failed");
}
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE))
{
sc = auth_challenge;
}
#endif
if (!management_query_user_pass(management, up, prefix, flags, sc))
{
if ((flags & GET_USER_PASS_NOFATAL) != 0)
{
return false;
}
else
{
msg(M_FATAL, "ERROR: could not read %s username/password/ok/string from management interface", prefix);
}
}
}
else
#endif /* ifdef ENABLE_MANAGEMENT */
/*
* Get NEED_OK confirmation from the console
*/
if (flags & GET_USER_PASS_NEED_OK)
{
struct buffer user_prompt = alloc_buf_gc(128, &gc);
buf_printf(&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
if (!query_user_SINGLE(BSTR(&user_prompt), BLEN(&user_prompt),
up->password, USER_PASS_LEN, false))
{
msg(M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
}
if (!strlen(up->password))
{
strcpy(up->password, "ok");
}
}
else if (flags & GET_USER_PASS_INLINE_CREDS)
{
struct buffer buf;
buf_set_read(&buf, (uint8_t *) auth_file, strlen(auth_file) + 1);
if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
{
buf_parse(&buf, '\n', up->username, USER_PASS_LEN);
}
buf_parse(&buf, '\n', up->password, USER_PASS_LEN);
}
/*
* Read from auth file unless this is a dynamic challenge request.
*/
else if (from_authfile && !(flags & GET_USER_PASS_DYNAMIC_CHALLENGE))
{
/*
* Try to get username/password from a file.
*/
FILE *fp;
char password_buf[USER_PASS_LEN] = { '\0' };
fp = platform_fopen(auth_file, "r");
if (!fp)
{
msg(M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file);
}
if ((flags & GET_USER_PASS_PASSWORD_ONLY) == 0)
{
/* Read username first */
if (fgets(up->username, USER_PASS_LEN, fp) == NULL)
{
msg(M_FATAL, "Error reading username from %s authfile: %s",
prefix,
auth_file);
}
}
chomp(up->username);
if (fgets(password_buf, USER_PASS_LEN, fp) != NULL)
{
chomp(password_buf);
}
if (flags & GET_USER_PASS_PASSWORD_ONLY && !password_buf[0])
{
msg(M_FATAL, "Error reading password from %s authfile: %s", prefix, auth_file);
}
if (password_buf[0])
{
strncpy(up->password, password_buf, USER_PASS_LEN);
}
else
{
password_from_stdin = 1;
}
fclose(fp);
if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen(up->username) == 0)
{
msg(M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix, auth_file);
}
}
else
{
username_from_stdin = true;
password_from_stdin = true;
}
/*
* Get username/password from standard input?
*/
if (username_from_stdin || password_from_stdin || response_from_stdin)
{
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && response_from_stdin)
{
struct auth_challenge_info *ac = get_auth_challenge(auth_challenge, &gc);
if (ac)
{
char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc);
struct buffer packed_resp, challenge;
challenge = alloc_buf_gc(14+strlen(ac->challenge_text), &gc);
buf_printf(&challenge, "CHALLENGE: %s", ac->challenge_text);
buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN);
if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
response, USER_PASS_LEN, BOOL_CAST(ac->flags&CR_ECHO)))
{
msg(M_FATAL, "ERROR: could not read challenge response from stdin");
}
strncpynt(up->username, ac->user, USER_PASS_LEN);
buf_printf(&packed_resp, "CRV1::%s::%s", ac->state_id, response);
}
else
{
msg(M_FATAL, "ERROR: received malformed challenge request from server");
}
}
else
#endif /* ifdef ENABLE_CLIENT_CR */
{
struct buffer user_prompt = alloc_buf_gc(128, &gc);
struct buffer pass_prompt = alloc_buf_gc(128, &gc);
query_user_clear();
buf_printf(&user_prompt, "Enter %s Username:"******"Enter %s Password:"******"ERROR: Failed retrieving username or password");
}
if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
{
if (strlen(up->username) == 0)
{
msg(M_FATAL, "ERROR: %s username is empty", prefix);
}
}
#ifdef ENABLE_CLIENT_CR
if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE) && response_from_stdin)
{
char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc);
struct buffer packed_resp, challenge;
char *pw64 = NULL, *resp64 = NULL;
challenge = alloc_buf_gc(14+strlen(auth_challenge), &gc);
buf_printf(&challenge, "CHALLENGE: %s", auth_challenge);
if (!query_user_SINGLE(BSTR(&challenge), BLEN(&challenge),
response, USER_PASS_LEN,
BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO)))
{
msg(M_FATAL, "ERROR: could not retrieve static challenge response");
}
if (openvpn_base64_encode(up->password, strlen(up->password), &pw64) == -1
|| openvpn_base64_encode(response, strlen(response), &resp64) == -1)
{
msg(M_FATAL, "ERROR: could not base64-encode password/static_response");
}
buf_set_write(&packed_resp, (uint8_t *)up->password, USER_PASS_LEN);
buf_printf(&packed_resp, "SCRV1:%s:%s", pw64, resp64);
string_clear(pw64);
free(pw64);
string_clear(resp64);
free(resp64);
}
#endif /* ifdef ENABLE_CLIENT_CR */
}
}
string_mod(up->username, CC_PRINT, CC_CRLF, 0);
string_mod(up->password, CC_PRINT, CC_CRLF, 0);
up->defined = true;
}
#if 0
msg(M_INFO, "GET_USER_PASS %s u='%s' p='%s'", prefix, up->username, up->password);
#endif
gc_free(&gc);
return true;
}
const char *
mroute_addr_print_ex (const struct mroute_addr *ma,
const unsigned int flags,
struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc (64, gc);
if (ma)
{
struct mroute_addr maddr = *ma;
switch (maddr.type & MR_ADDR_MASK)
{
case MR_ADDR_ETHER:
buf_printf (&out, "%s", format_hex_ex (ma->addr, 6, 0, 1, ":", gc));
break;
case MR_ADDR_IPV4:
{
struct buffer buf;
in_addr_t addr;
int port;
bool status;
buf_set_read (&buf, maddr.addr, maddr.len);
addr = buf_read_u32 (&buf, &status);
if (status)
{
if ((flags & MAPF_SHOW_ARP) && (maddr.type & MR_ARP))
buf_printf (&out, "ARP/");
buf_printf (&out, "%s", print_in_addr_t (addr, (flags & MAPF_IA_EMPTY_IF_UNDEF) ? IA_EMPTY_IF_UNDEF : 0, gc));
if (maddr.type & MR_WITH_NETBITS)
{
if (flags & MAPF_SUBNET)
{
const in_addr_t netmask = netbits_to_netmask (maddr.netbits);
buf_printf (&out, "/%s", print_in_addr_t (netmask, 0, gc));
}
else
buf_printf (&out, "/%d", maddr.netbits);
}
}
if (maddr.type & MR_WITH_PORT)
{
port = buf_read_u16 (&buf);
if (port >= 0)
buf_printf (&out, ":%d", port);
}
}
break;
case MR_ADDR_IPV6:
#ifdef USE_PF_INET6
{
struct buffer buf;
struct sockaddr_in6 sin6;
int port;
char buf6[INET6_ADDRSTRLEN] = "";
CLEAR(sin6);
sin6.sin6_family = AF_INET6;
buf_set_read (&buf, maddr.addr, maddr.len);
if (buf_read(&buf, &sin6.sin6_addr, sizeof (sin6.sin6_addr)))
{
if (getnameinfo((struct sockaddr *)&sin6, sizeof (struct sockaddr_in6),
buf6, sizeof (buf6), NULL, 0, NI_NUMERICHOST) != 0)
{
buf_printf (&out, "MR_ADDR_IPV6 getnameinfo() err");
break;
}
buf_puts (&out, buf6);
if (maddr.type & MR_WITH_NETBITS)
buf_printf (&out, "/%d", maddr.netbits);
if (maddr.type & MR_WITH_PORT)
{
port = buf_read_u16 (&buf);
if (port >= 0)
buf_printf (&out, ":%d", port);
}
}
}
#else /* old, pre USE_PF_INET6 code */
buf_printf (&out, "IPV6");
#endif
break;
default:
buf_printf (&out, "UNKNOWN");
break;
}
return BSTR (&out);
}
else
return "[NULL]";
}
