WIP: Add a global option to always prompt for OTP

This adds a checkbox to the general settings menu to always prompt for OTP when prompting for pasword even if no static-challenge request is received from the core. The prompt text may be localized. The response and password are concatenated to a single string and send in plain to the management interface. This is suggested as an alternative to OpenVPN core supporting an extension to the static-challenge format. The latter is preferred over this approach. Signed-off-by: Selva Nair <[email protected]>
selvanair · Jun 15, 2024 · 85729d7 · 85729d7
1 parent ae69dfe
commit 85729d7
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 2 deletions.
diff --git a/localization.c b/localization.c
@@ -640,6 +640,10 @@ GeneralSettingsDlgProc(HWND hwndDlg, UINT msg, UNUSED WPARAM wParam, LPARAM lPar
             {
                 Button_SetCheck(GetDlgItem(hwndDlg, ID_CHK_AUTO_RESTART), BST_CHECKED);
             }
+            if (o.auth_pass_concat_otp)
+            {
+                Button_SetCheck(GetDlgItem(hwndDlg, ID_CHK_CONCAT_OTP), BST_CHECKED);
+            }
 
             break;
 
@@ -704,7 +708,8 @@ GeneralSettingsDlgProc(HWND hwndDlg, UINT msg, UNUSED WPARAM wParam, LPARAM lPar
                     (Button_GetCheck(GetDlgItem(hwndDlg, ID_CHK_SHOW_SCRIPT_WIN)) == BST_CHECKED);
                 o.enable_auto_restart =
                     (Button_GetCheck(GetDlgItem(hwndDlg, ID_CHK_AUTO_RESTART)) == BST_CHECKED);
-
+                o.auth_pass_concat_otp =
+                    (Button_GetCheck(GetDlgItem(hwndDlg, ID_CHK_CONCAT_OTP)) == BST_CHECKED);
 
                 SaveRegistryKeys();
 

diff --git a/openvpn-gui-res.h b/openvpn-gui-res.h
@@ -166,6 +166,10 @@
 #define ID_LVW_PKCS11                    451
 #define ID_TXT_PKCS11                    452
 
+/* General settings contd.. */
+
+#define ID_CHK_CONCAT_OTP                470
+
 /*
  * String Table Resources
  */
@@ -263,6 +267,7 @@
 #define IDS_NFO_CONN_CANCELLED          1264
 #define IDS_NFO_STATE_ROUTE_ERROR       1265
 #define IDS_NFO_NOTIFY_ROUTE_ERROR      1266
+#define IDS_NFO_OTP_PROMPT              1267
 
 /* Program Startup Related */
 #define IDS_ERR_OPEN_DEBUG_FILE         1301

diff --git a/openvpn.c b/openvpn.c
@@ -580,6 +580,10 @@ UserAuthDialogFunc(HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam)
                 }
 
             }
+            else if (param->flags & FLAG_CR_TYPE_CONCAT)
+            {
+                SetDlgItemTextW(hwndDlg, ID_TXT_AUTH_CHALLENGE, LoadLocalizedString(IDS_NFO_OTP_PROMPT));
+            }
             if (RecallUsername(param->c->config_name, username))
             {
                 SetDlgItemTextW(hwndDlg, ID_EDT_AUTH_USER, username);
@@ -1426,6 +1430,11 @@ OnPassword(connection_t *c, char *msg)
             param->str = strdup(chstr + 5);
             LocalizedDialogBoxParamEx(ID_DLG_AUTH_CHALLENGE, c->hwndStatus, UserAuthDialogFunc, (LPARAM) param);
         }
+        else if (o.auth_pass_concat_otp)
+        {
+            param->flags |= FLAG_CR_ECHO | FLAG_CR_TYPE_CONCAT;
+            LocalizedDialogBoxParamEx(ID_DLG_AUTH_CHALLENGE, c->hwndStatus, UserAuthDialogFunc, (LPARAM) param);
+        }
         else
         {
             LocalizedDialogBoxParamEx(ID_DLG_AUTH, c->hwndStatus, UserAuthDialogFunc, (LPARAM) param);

diff --git a/options.h b/options.h
@@ -206,6 +206,7 @@ typedef struct {
     TCHAR priority_string[64];
     TCHAR ovpn_admin_group[MAX_NAME];
     DWORD disable_save_passwords;
+    DWORD auth_pass_concat_otp;
     /* HKCU registry values */
     TCHAR config_dir[MAX_PATH];
     TCHAR ext_string[16];

diff --git a/registry.c b/registry.c
@@ -67,6 +67,7 @@ struct regkey_int {
     {L"management_port_offset", &o.mgmt_port_offset, 25340},
     {L"enable_peristent_connections", &o.enable_persistent, 2},
     {L"enable_auto_restart", &o.enable_auto_restart, 1},
+    {L"auth_pass_concat_otp", &o.auth_pass_concat_otp, 0},
     {L"ovpn_engine", &o.ovpn_engine, OPENVPN_ENGINE_OVPN2}
 };
 

diff --git a/res/openvpn-gui-res-en.rc b/res/openvpn-gui-res-en.rc
@@ -178,7 +178,7 @@ BEGIN
     GROUPBOX "Startup", 202, 6, 47, 235, 30
     AUTOCHECKBOX "Launch on User &Logon", ID_CHK_STARTUP, 17, 59, 100, 12
 
-    GROUPBOX "Preferences", ID_GROUPBOX3, 6, 82, 235, 165
+    GROUPBOX "Preferences", ID_GROUPBOX3, 6, 82, 235, 180
     AUTOCHECKBOX "A&ppend to log", ID_CHK_LOG_APPEND, 17, 95, 60, 10
     AUTOCHECKBOX "Show script &window", ID_CHK_SHOW_SCRIPT_WIN, 17, 110, 200, 10
     AUTOCHECKBOX "S&ilent connection", ID_CHK_SILENT, 17, 125, 200, 10
@@ -193,6 +193,7 @@ BEGIN
     AUTORADIOBUTTON "&Disable", ID_RB_BALLOON5, 181, 200, 40, 10
     AUTOCHECKBOX "Enable Pre-Logon A&ccess Provider (requires admin access)", ID_CHK_PLAP_REG, 17, 215, 200, 10
     AUTOCHECKBOX "Enable auto restart of active connections", ID_CHK_AUTO_RESTART, 17, 230, 200, 10
+    AUTOCHECKBOX "Prompt for &OTP and combine with password", ID_CHK_CONCAT_OTP, 17, 245, 200, 10
 END
 
 /* Advanced Dialog */
@@ -576,6 +577,7 @@ once as Administrator to update the registry."
     IDS_NFO_AUTO_CONNECT    "Connecting automatically in %u seconds…"
     IDS_NFO_CLICK_HERE_TO_START "OpenVPN GUI is already running. Right click on the tray icon to start."
     IDS_NFO_BYTECOUNT "Bytes in: %ls  out: %ls"
+    IDS_NFO_OTP_PROMPT "Input OTP or passcode"
 
     /* AS profile import */
     IDS_ERR_URL_IMPORT_PROFILE "Error fetching profile from URL: [%d] %ls"