New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vici prompt #201
base: master
Are you sure you want to change the base?
Vici prompt #201
Conversation
Eh, well, I didn't touch libptls or others, so there's still work to be done. |
Did you miss |
No, because |
Not sure what you are referring to. The callback receives the same information that's passed to the |
Well, okay, I did not know about the type. At the very least, to get the peer's text message to the callback, it needs to be passed to the credentials manager, so some code change in libcharon is needed anyway. Would it be acceptable to rewrite the code to make use of |
Can't the message be determined before and passed to the callback as data? Or could it be generated as needed in the callback (e.g. based on the passed data and maybe context information that could be retrieved via |
No, the message is dynamically generated by the server. E.g. eap-gtc supports that. And so does XAUTH (but IKEv1 is deprecated anyway). The message is part of the challenge, so it's available at the time the challenge is processed. The context and language should be evident from the message sent by the other peer, so that's no issue. I think we can safely assume only UTF-8 or ASCII is part of the message, no UTF-16. We only need to make sure no weird formatting characters are in there, or NULL bytes. At the moment, the message is simply not processed by strongSwan and strongSwan itself sends out a static message. See https://tools.ietf.org/html/rfc3748#section-5.6:
For XAUTH, this is relevant https://tools.ietf.org/html/draft-beaulieu-ike-xauth-02#section-5.2 and https://tools.ietf.org/html/draft-beaulieu-ike-xauth-02#section-6.2, specifically the XAUTH-MESSAGE attribute. Generally, other authentication methods might need user visible messages, too. |
This allows plugins to provide a message that could be displayed to users when prompting for passwords.
Yeah, I saw that we print the XAuth message to the log (after running it through |
Quick'n dirty implementation of a callback for VICI in credential_manager_t so VICI clients can provide shared credentials, e.g. PINs and passwords via VICI. Useful and necessary for implementing a desktop client that supports TOTP.