| author | Adam Goodman <akgood@duosecurity.com> | 2012-01-25 12:00:44 -0500 |
|---|---|---|
| committer | Adam Goodman <akgood@duosecurity.com> | 2012-01-25 12:02:49 -0500 |
| commit | 7d09203598664809f6372141cee594f7c22b9ff6 (patch) | |
| tree | 3c23bb5ea2e8806bd34f03a6e62703467202ff1d | |
| parent | 9847008070022cf19a2fb5db33e36cc11c8aec45 (diff) | |
fixes for perl script; add compile options to select between perl and python
| -rw-r--r-- | Makefile | 12 | ||||
| -rw-r--r-- | duo_openvpn.c | 11 | ||||
| -rwxr-xr-x[-rw-r--r--] | duo_openvpn.pl | 30 |
3 files changed, 35 insertions, 18 deletions
@@ -1,8 +1,14 @@ +ifdef USE_PERL +CFLAGS=-DUSE_PERL +SCRIPT_NAME=duo_openvpn.pl +else +SCRIPT_NAME=duo_openvpn.py +endif all: duo_openvpn.so duo_openvpn.o: duo_openvpn.c - gcc -fPIC -c duo_openvpn.c + gcc $(CFLAGS) -fPIC -c duo_openvpn.c duo_openvpn.so: duo_openvpn.o gcc -fPIC -shared -Wl,-soname,duo_openvpn.so -o duo_openvpn.so duo_openvpn.o -lc @@ -10,9 +16,9 @@ duo_openvpn.so: duo_openvpn.o install: duo_openvpn.so mkdir -p /opt/duo cp duo_openvpn.so /opt/duo - cp duo_openvpn.py /opt/duo + cp $(SCRIPT_NAME) /opt/duo chmod 755 /opt/duo/duo_openvpn.so - chmod 755 /opt/duo/duo_openvpn.py + chmod 755 /opt/duo/$(SCRIPT_NAME) uninstall: rm -rf /opt/duo diff --git a/duo_openvpn.c b/duo_openvpn.c index 0486765..8437907 100644 --- a/duo_openvpn.c +++ b/duo_openvpn.c @@ -7,8 +7,13 @@ #include "openvpn-plugin.h" -#define PYTHON "python" -#define DUO_PATH "/opt/duo/duo_openvpn.py" +#ifndef USE_PERL +#define INTERPRETER "python" +#define DUO_SCRIPT_PATH "/opt/duo/duo_openvpn.py" +#else +#define INTERPRETER "perl" +#define DUO_SCRIPT_PATH "/opt/duo/duo_openvpn.pl" +#endif struct context { char *ikey; @@ -41,7 +46,7 @@ auth_user_pass_verify(struct context *ctx, const char *args[], const char *envp[ { int pid; const char *control, *username, *password, *ipaddr; - char *argv[] = { PYTHON, DUO_PATH, NULL }; + char *argv[] = { INTERPRETER, DUO_SCRIPT_PATH, NULL }; control = get_env("auth_control_file", envp); username = get_env("common_name", envp); diff --git a/duo_openvpn.pl b/duo_openvpn.pl index 9998fcd..08a0524 100644..100755 --- a/duo_openvpn.pl +++ b/duo_openvpn.pl @@ -54,14 +54,15 @@ sub canonicalize { my $uri = shift; my $params = shift; - my @canon = ('POST', lc $host, $uri); my @args = (); - foreach my $key (keys %{$params}) { + foreach my $key (sort (keys %{$params})) { push @args, (uri_escape($key) . '=' . uri_escape($params->{$key})); } - return join '&', @canon, @args; + my @canon = ('POST', lc $host, $uri, (join '&', @args)); + + return join "\n", @canon; } 
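Review bot: `CFLAGS=-DUSE_PERL` in the first Makefile hunk replaces any CFLAGS taken from the environment instead of extending them, so hardening or warning flags set there are dropped whenever USE_PERL is defined; `CFLAGS += -DUSE_PERL` keeps them. The script path compiled into duo_openvpn.so and the script copied by `install` (second hunk) are also chosen independently at each make invocation, and nothing visible forces duo_openvpn.o to be rebuilt when USE_PERL changes. A stale object built for Python followed by `make USE_PERL=1 install` would therefore install duo_openvpn.pl while the plugin still executes /opt/duo/duo_openvpn.py. A short comment next to the `ifdef` stating that a clean rebuild is required when switching would at least document this.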
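Review bot: `INTERPRETER` is defined as a bare program name (`"perl"` or `"python"`), so if the exec call, which is outside these hunks, searches PATH, the binary that runs the authentication script depends on the environment of the OpenVPN process. For a plugin that decides whether a login succeeds, an absolute interpreter path is safer, for example `#define INTERPRETER "/usr/bin/perl"` (sample path), ideally overridable at build time. The same value is what the `argv[]` initializer in the second hunk of this file passes along; auth_user_pass_verify continues outside that hunk.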
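Review bot: canonicalize in duo_openvpn.pl has no comment describing the string it builds, and that layout is exactly what this hunk corrects. Since the HMAC in sign only verifies if the server builds the identical bytes, I would add a header comment such as `# Canonical request: method, lowercased host, path, then the sorted URI-escaped key=value pairs joined by '&'; the four fields are joined by "\n".` The start of the sub is outside the hunk, so the comment would go above `sub canonicalize`.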
@@ -70,7 +71,7 @@ sub sign { my $sig = hmac_sha1_hex(canonicalize($host, $path, $args), $skey); my $auth = "$ikey:$sig"; - return 'Basic ' . encode_base64($auth); + return 'Basic ' . encode_base64($auth, ''); } @@ -111,22 +112,17 @@ sub api { failure(); } - if (not defined $data->{response}) { + if (not defined $data->{'response'}) { logger("Received bad response: $json"); failure(); } if (not defined $data->{'response'}{'result'}) { - logger("invalid API response: $json"); + logger("invalid API response: " . $data->{'response'}); failure(); } - if (not defined $data->{'response'}{'status'}) { - logger("invalid API response: $json"); - failure(); - } - - return $data->{response}; + return $data->{'response'}; } @@ -145,6 +141,11 @@ sub auth { my $result = $response->{'result'}; my $status = $response->{'status'}; + if (not defined $status) { + logger("invalid API response: $response"); + failure(); + } + if ($result =~ $API_RESULT_ALLOW) { logger("auth success for $username: $status"); success(); @@ -176,6 +177,11 @@ sub preauth { return; } + if (not defined $status) { + logger("invalid API response: $response"); + failure(); + } + if ($result =~ $API_RESULT_ENROLL) { logger("user $username is not enrolled: $status"); failure(); |
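Review bot: In the api hunk the new call `logger("invalid API response: " . $data->{'response'})` concatenates a value that the same test dereferences as a hash, so the log will normally show `HASH(0x...)` rather than the reply; the line it replaces logged `$json`, which was more useful for diagnosing a bad response. The added `logger("invalid API response: $response")` lines in the auth and preauth hunks have the same problem. I would keep `$json` in api and name the missing field in the callers, e.g. `logger("API response for $username has no status");`. Separately, nothing visible confirms that `$data->{'response'}` is a hash reference before `->{'result'}` is applied; adding `or ref $data->{'response'} ne 'HASH'` to the first test would route a malformed reply through failure() (assuming strict refs is on, which this hunk does not show).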
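Review bot: The allow decision in the auth hunk, `if ($result =~ $API_RESULT_ALLOW)`, is a pattern match, so unless `$API_RESULT_ALLOW` is an anchored pattern (its definition is outside the hunk) any result string that merely contains the allow value is treated as success. If the constant is a plain string, `if ($result eq $API_RESULT_ALLOW)` states the intent exactly; if it is a compiled pattern, it should be anchored with `\A` and `\z`. The `$result =~ $API_RESULT_ENROLL` test in the preauth hunk follows the same form and would benefit from the same treatment. Both subs start and end outside their hunks.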
