From 830701a11730a1de814c1f5d9cf297802c7320c6 Mon Sep 17 00:00:00 2001
From: Fabian van der Veen
Date: Tue, 16 Jun 2020 12:58:59 +0200
Subject: [PATCH] Add command-line option to skip FTM push authentication

---
 doc/openfortivpn.1.in | 7 +++++++
 src/config.c | 3 +++
 src/config.h | 1 +
 src/http.c | 4 +++-
 src/main.c | 3 +++
 5 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/doc/openfortivpn.1.in b/doc/openfortivpn.1.in
index a2346440..1ba0fb21 100644
--- a/doc/openfortivpn.1.in
+++ b/doc/openfortivpn.1.in
@@ -11,6 +11,7 @@ openfortivpn \- Client for PPP+SSL VPN tunnel services
 [\fB\-\-otp=\fI\fR]
 [\fB\-\-otp\-prompt=\fI\fR]
 [\fB\-\-otp\-delay=\fI\fR]
+[\fB\-\-no\-ftm\-push\fR]
 [\fB\-\-realm=\fI\fR]
 [\fB\-\-set\-routes=\fR]
 [\fB\-\-no\-routes\fR]
@@ -79,6 +80,12 @@ Set the amount of time to wait before sending the One-Time-Password.
 The delay time must be specified in seconds, where 0 means no wait (this is
 the default).
 .TP
+\fB\-\-no\-ftm\-push\fR
+Do not use FTM push if the server provides the option.
+The server may be configured to allow two factor authentication through a
+push notification to the mobile application. If this option is provided,
+authentication based on OTP will be used instead.
+.TP
 \fB\-\-realm=\fI\fR
 Connect to the specified authentication realm. Defaults to empty, which is
 usually what you want.
diff --git a/src/config.c b/src/config.c
index 95b66e12..3036f9d5 100644
--- a/src/config.c
+++ b/src/config.c
@@ -48,6 +48,7 @@ const struct vpn_config invalid_cfg = {
 .otp = {'\0'},
 .otp_prompt = NULL,
 .otp_delay = -1,
+ .no_ftm_push = -1,
 .pinentry = NULL,
 .realm = {'\0'},
 .set_routes = -1,
@@ -484,6 +485,8 @@ void merge_config(struct vpn_config *dst, struct vpn_config *src)
 strcpy(dst->otp, src->otp);
 if (src->otp_delay != invalid_cfg.otp_delay)
 dst->otp_delay = src->otp_delay;
+ if (src->no_ftm_push != invalid_cfg.no_ftm_push)
+ dst->no_ftm_push = src->no_ftm_push;
 if (src->pinentry) {
 free(dst->pinentry);
 dst->pinentry = src->pinentry;
diff --git a/src/config.h b/src/config.h
index c41a9534..676812fc 100644
--- a/src/config.h
+++ b/src/config.h
@@ -85,6 +85,7 @@ struct vpn_config {
 char otp[FIELD_SIZE + 1];
 char *otp_prompt;
 unsigned int otp_delay;
+ int no_ftm_push;
 char *pinentry;
 char realm[FIELD_SIZE + 1];
diff --git a/src/http.c b/src/http.c
index 6a0e2580..46dddfb9 100644
--- a/src/http.c
+++ b/src/http.c
@@ -672,7 +672,9 @@ int auth_log_in(struct tunnel *tunnel)
 get_value_from_response(res, "reqid=", reqid, 32);
 get_value_from_response(res, "polid=", polid, 32);
- if (cfg->otp[0] == '\0' && strncmp(token, "ftm_push", 8) == 0) {
+ if (cfg->otp[0] == '\0'
+ && strncmp(token, "ftm_push", 8) == 0
+ && cfg->no_ftm_push == 0) {
 /*
 * The server supports FTM push if `tokeninfo` is `ftm_push`,
 * but only try this if the OTP is not provided by the config
diff --git a/src/main.c b/src/main.c
index 1c4b949e..3870a377 100644
--- a/src/main.c
+++ b/src/main.c
@@ -117,6 +117,7 @@ PPPD_USAGE \
 " -o , --otp= One-Time-Password.\n" \
 " --otp-prompt= Search for the OTP prompt starting with this string\n" \
 " --otp-delay= Wait seconds before sending the OTP.\n" \
+" --no-ftm-push Do not use FTM push if the server provides the option.\n" \
 " --pinentry= Use the program to supply a secret instead of asking for it\n" \
 " --realm= Use specified authentication realm.\n" \
 " --set-routes=[01] Set if openfortivpn should configure routes\n" \
@@ -197,6 +198,7 @@ int main(int argc, char **argv)
 .otp = {'\0'},
 .otp_prompt = NULL,
 .otp_delay = 0,
+ .no_ftm_push = 0,
 .pinentry = NULL,
 .realm = {'\0'},
 .set_routes = 1,
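Review bot: merge_config now carries no_ftm_push from the command-line config into the effective config, but the diffstat for src/config.c shows only these three insertions, so the configuration-file parser is not taught a matching key and the sentinel value -1 can only be replaced by a value set on the command line. Either add a `no-ftm-push` key to the config-file parser next to `otp-delay` so the merge code added here has a second source to merge from, or state in the man page entry and the usage text that this option is accepted on the command line only. merge_config's body continues outside the hunk, so the surrounding merge order is not visible here.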
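Review bot: The comment that opens just below the rewritten condition in auth_log_in still explains only the first two operands ("The server supports FTM push if `tokeninfo` is `ftm_push`, but only try this if the OTP is not provided by the config"), so the third operand `cfg->no_ftm_push == 0` is undocumented at the one place a reader will look for it. Add a line to that comment, for example ` * and the user has not opted out of FTM push with --no-ftm-push.`, so the reason the OTP path is taken instead is visible next to the test. The `== 0` comparison also silently relies on the merged config never holding the -1 sentinel from invalid_cfg; that holds because cli_cfg initialises the field to 0 in main.c, and a short note to that effect, or testing `!cfg->no_ftm_push` like the other flag checks in this file presumably do, would make the intent clearer. The if body and the rest of auth_log_in continue outside the hunk.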
@@ -245,6 +247,7 @@ int main(int argc, char **argv)
 {"otp", required_argument, NULL, 'o'},
 {"otp-prompt", required_argument, NULL, 0},
 {"otp-delay", required_argument, NULL, 0},
+ {"no-ftm-push", no_argument, &cli_cfg.no_ftm_push, 1},
 {"set-routes", required_argument, NULL, 0},
 {"no-routes", no_argument, &cli_cfg.set_routes, 0},
 {"half-internet-routes", required_argument, NULL, 0},