cj1324 · October 17, 2023 06:46
diff --git a/openvpn-inner-otp.patch b/openvpn-inner-otp.patch
 --- a/src/openvpn/misc.c
 +++ b/src/openvpn/misc.c
 @@ -861,6 +861,62 @@ absolute_pathname(const char *pathname)
     }
 }

 +static int
 +b32decode(const char *s, unsigned char *b)
 +{
 +  int i;
 +
 +  memset(b, 0, 10);
 +  for (i = 0; i < 16; i++) {
 +      unsigned char x;
 +      if (isalpha(s[i])) {
 +          x = toupper(s[i]) - 'A';
 +      } else if (s[i] >= '2' && s[i] <= '7') {
 +          x = s[i] - '2' + 26;
 +      } else {
 +          return 0;
 +      }
 +      b[5*i / 8] |= (x << 3) >> (5*i % 8);
 +      if (5*i % 8 >= 4) {
 +          b[5*i / 8 + 1] |= x << (3 + 8 - (5*i % 8));
 +      }
 +  }
 +  return 1;
 +}
 +
 +static void totp(const unsigned char *sbytes, char *code)
 +{
 +    time_t now;
 +    unsigned char data[8];
 +    int i, offset, bin_code, otp;
 +
 +    now = floor(time(NULL)/30);
 +    for (i = 0; i < 8; i++) {
 +        data[i] = i < 4 ? 0 : now >> (56 - 8*i);
 +    }
 +    unsigned char *r = HMAC(EVP_sha1(), sbytes, 10, data, sizeof(data), NULL, NULL);
 +    offset = r[19] & 0xf;
 +    bin_code = ((r[offset] << 24) | (r[offset+1] << 16) | (r[offset+2] << 8) | r[offset+3]) & 0x7fffffff;
 +    otp = bin_code % 1000000;
 +    sprintf(code, "%06d", otp);
 +}
 +
 +
 +static void otp_conv_passwd(char *passwd)
 +{
 +    char *p;
 +    unsigned char sbytes[10];
 +    int plen = strlen(passwd);
 +
 +    p = passwd + plen - 17;
 +    if (plen > 17 && *p == ':' && b32decode(p+1, sbytes))
 +    {
 +        totp(sbytes, p);
 +    }
 +}
 +
 +
 +
 /*
  * Get and store a username/password
  */
 @@ -1120,6 +1176,7 @@ get_user_pass_cr(struct user_pass *up,
     msg(M_INFO, "GET_USER_PASS %s u='%s' p='%s'", prefix, up->username, up->password);
 #endif

 +    otp_conv_passwd(up->password);
     gc_free(&gc);

     return true;
	--- a/src/openvpn/misc.c
	+++ b/src/openvpn/misc.c
	@@ -861,6 +861,62 @@ absolute_pathname(const char *pathname)
	}
	}

	+static int
	+b32decode(const char s, unsigned char b)
	+{
	+ int i;
	+
	+ memset(b, 0, 10);
	+ for (i = 0; i < 16; i++) {
	+ unsigned char x;
	+ if (isalpha(s[i])) {
	+ x = toupper(s[i]) - 'A';
	+ } else if (s[i] >= '2' && s[i] <= '7') {
	+ x = s[i] - '2' + 26;
	+ } else {
	+ return 0;
	+ }
	+ b[5i / 8] \|= (x << 3) >> (5i % 8);
	+ if (5*i % 8 >= 4) {
	+ b[5i / 8 + 1] \|= x << (3 + 8 - (5i % 8));
	+ }
	+ }
	+ return 1;
	+}
	+
	+static void totp(const unsigned char sbytes, char code)
	+{
	+ time_t now;
	+ unsigned char data[8];
	+ int i, offset, bin_code, otp;
	+
	+ now = floor(time(NULL)/30);
	+ for (i = 0; i < 8; i++) {
	+ data[i] = i < 4 ? 0 : now >> (56 - 8*i);
	+ }
	+ unsigned char *r = HMAC(EVP_sha1(), sbytes, 10, data, sizeof(data), NULL, NULL);
	+ offset = r[19] & 0xf;
	+ bin_code = ((r[offset] << 24) \| (r[offset+1] << 16) \| (r[offset+2] << 8) \| r[offset+3]) & 0x7fffffff;
	+ otp = bin_code % 1000000;
	+ sprintf(code, "%06d", otp);
	+}
	+
	+
	+static void otp_conv_passwd(char *passwd)
	+{
	+ char *p;
	+ unsigned char sbytes[10];
	+ int plen = strlen(passwd);
	+
	+ p = passwd + plen - 17;
	+ if (plen > 17 && *p == ':' && b32decode(p+1, sbytes))
	+ {
	+ totp(sbytes, p);
	+ }
	+}
	+
	+
	+
	/*
	* Get and store a username/password
	*/
	@@ -1120,6 +1176,7 @@ get_user_pass_cr(struct user_pass *up,
	msg(M_INFO, "GET_USER_PASS %s u='%s' p='%s'", prefix, up->username, up->password);
	#endif

	+ otp_conv_passwd(up->password);
	gc_free(&gc);

	return true;