adds a Makefile, updates README.md

.gitignore

@@ -1,69 +1,37 @@
-# Created by https://www.toptal.com/developers/gitignore/api/visualstudiocode,go,macos
-# Edit at https://www.toptal.com/developers/gitignore?templates=visualstudiocode,go,macos
-
-### Go ###
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-### Go Patch ###
-/vendor/
-/Godeps/
-
-### macOS ###
-# General
-.DS_Store
-.AppleDouble
-.LSOverride
-
-# Icon must end with two \r
-Icon
-
-# Thumbnails
 ._*
-
-# Files that might appear in the root of a volume
+.apdisk
+.AppleDB
+.AppleDesktop
+.AppleDouble
+.com.apple.timemachine.donotpresent
 .DocumentRevisions-V100
+.DS_Store
 .fseventsd
+.history
+.history/
+.ionide
+.LSOverride
 .Spotlight-V100
 .TemporaryItems
 .Trashes
 .VolumeIcon.icns
-.com.apple.timemachine.donotpresent
-
-# Directories potentially created on remote AFP share
-.AppleDB
-.AppleDesktop
+.vscode/*
+*.code-workspace
+*.dll
+*.dylib
+*.exe
+*.exe~
+*.out
+*.so
+*.test
+build
+Godeps
+Icon
 Network Trash Folder
 Temporary Items
-.apdisk
+vendor
 
-### VisualStudioCode ###
-.vscode/*
+!.vscode/extensions.json
+!.vscode/launch.json
 !.vscode/settings.json
 !.vscode/tasks.json
-!.vscode/launch.json
-!.vscode/extensions.json
-*.code-workspace
-
-# Local History for Visual Studio Code
-.history/
-
-### VisualStudioCode Patch ###
-# Ignore all local history of files
-.history
-.ionide
-
-# End of https://www.toptal.com/developers/gitignore/api/visualstudiocode,go,macos

Makefile

@@ -0,0 +1,32 @@
+VERSION=$(shell git describe --tags --always --dirty)
+
+.PHONY: build-mac build-linux install-dependencies-mac install-dependencies-linux
+
+build-mac:
+	mkdir -p build
+	CGO_ENABLED=1 CGO_CFLAGS="-I/usr/local/include" CGO_LDFLAGS="-L/usr/local/lib" \
+		go build -o build/ovpn-auth-darwin-x64-$(VERSION) .
+
+build-linux:
+	mkdir -p build
+	CGO_ENABLED=1 go build -o build/ovpn-auth-linux-x64-$(VERSION) .
+
+install-dependencies-mac:
+	cd "$$(mktemp -d)" && \
+		pwd -P && \
+		curl -sSLo 20190702.tar.gz https://github.com/P-H-C/phc-winner-argon2/archive/refs/tags/20190702.tar.gz && \
+		tar -xvf 20190702.tar.gz && \
+		cd phc-winner-argon2-20190702 && \
+		sudo make install PREFIX=/usr/local
+	brew install oath-toolkit
+	pip install qrcode
+
+install-dependencies-linux:
+	cd "$$(mktemp -d)" && \
+		pwd -P && \
+		wget -sSLo 20190702.tar.gz https://github.com/P-H-C/phc-winner-argon2/archive/refs/tags/20190702.tar.gz && \
+		tar -xvf 20190702.tar.gz && \
+		cd phc-winner-argon2-20190702 && \
+		sudo make install
+	apt install oathtool
+	pip install qrcode

README.md

@@ -1,15 +1,7 @@
-2021.07.03
-
 # ovpn-auth
 
 ovpn-auth is a multi-factor authentication solution for OpenVPN that supports both password and time based one-time-pasword (otp, e.g. Google Authenticator) nonces. It stores passwords after processing them with the state-of-the-art key derivation function Argon2. It is written in Go and has a setup assistance shell script to start using quickly as possible.
 
-## Caution
-
-> Solutions in this repository may not be safe or secure to use. Review it before use. Take your own risk. If you find an issue, create an issue in GitHub.
->
-> Software is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the LICENSE file.
-
 ## Objectives of the project
 
 If you find the project doesn't meet any of those requirements, create an issue or PR.
@@ -18,48 +10,26 @@ If you find the project doesn't meet any of those requirements, create an issue
 -   Prevent injection
 -   Similar time of completion for both valid & invalid requests (one of the possible measures against brute-force & timing attacks)
 
-## Usage requirements
-
-### Requirements for using ovpn-auth
-
--   **OpenVPN**
--   **Argon2 (libargon2)**
-
-    ```sh
-    $ wget https://github.com/P-H-C/phc-winner-argon2/archive/refs/tags/20190702.tar.gz
-    $ tar -xvf 20190702.tar.gz
-    $ cd phc-winner-argon2-20190702
-    $ sudo make install
-    ```
+## Read before use
 
-### Requirements for using setup_assistance.sh
+-   Solutions in this repository may not be safe or secure to use. Review it before use. Take your own risk. If you find an issue, create an issue in GitHub.
 
--   **oathtool**
+-   Software is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the LICENSE file.
 
-    ```sh
-    # ubuntu
-    $ apt install oathtool
-    # macos
-    $ brew install oath-toolkit
-    # centos
-    $ yum install oathtool
-    # fedora
-    $ dnf install oathtool
-    ```
-
--   **qr**
-
-    Optional. Install this only if you want to get the qr code of the Authenticator link and have a monitor connected to the system that runs the script.
+-   Password derivation function takes 32 MiB of space in memory for each login request. So, adjust firewall in a way it will deny abusive amount of requests may originate by attackers from different IPs to take one of the measures against Denial-of-Service attacks.
 
-    ```sh
-    $ pip install qrcode
-    ```
+-   Since, OpenVPN daemon starts the `ovpn-auth` script as the user `nobody`, `secrets.yml` file should be accessible by `nobody`. That means username, password, and otp secret will be able to seen by anyone in the server. While it is not a big problem for argon2 hashes, you should mind the exposure of otp secret.
 
-### [IMPORTANT] Further requirements:
+## Dependencies
 
--   Password derivation function takes 32 MiB of space in memory for each login request. So, adjust firewall in a way it will deny abusive amount of requests may originate by attackers from different IPs to take one of the measures against Denial-of-Service attacks.
+Run `make install-dependencies-mac` or `make install-dependencies-linux` to get dependencies.
 
--   Since, OpenVPN daemon starts the `ovpn-auth` script as the user `nobody`, `secrets.yml` file should be accessible by `nobody`. That means username, password, and otp secret will be able to seen by anyone in the server. While it is not a big problem for argon2 hashes, you should mind the exposure of otp secret.
+-   Dependencies of ovpn-auth:
+    -   OpenVPN (not included in Makefile)
+    -   Argon2 (libargon2)
+-   Dependencies of setup assistance:
+    -   oathtool (brew/apt)
+    -   qr (pip)
 
 ## How to use
 

go.mod

@@ -3,8 +3,8 @@ module main
 go 1.16
 
 require (
-	github.com/pquerna/otp v1.3.0
+	github.com/boombuler/barcode v1.0.1 // indirect
+	github.com/pquerna/otp v1.4.0
 	github.com/tvdburgt/go-argon2 v0.0.0-20181109175329-49d0f0e5973c
-	gopkg.in/yaml.v2 v2.4.0
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
+	gopkg.in/yaml.v3 v3.0.1
 )

go.sum

@@ -1,19 +1,19 @@
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
+github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=
+github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pquerna/otp v1.3.0 h1:oJV/SkzR33anKXwQU3Of42rL4wbrffP4uvUf1SvS5Xs=
-github.com/pquerna/otp v1.3.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
+github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
+github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/tvdburgt/go-argon2 v0.0.0-20181109175329-49d0f0e5973c h1:ZUBYitup1fOHz1sXBG4gVpTrSDOCQ1TAJgg6ANJDWc8=
 github.com/tvdburgt/go-argon2 v0.0.0-20181109175329-49d0f0e5973c/go.mod h1:vF0GTqOQNLQNidMrh6zrEDpGczXEgBpZ6iuZvtisD5s=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

validate/main_test.go

@@ -9,7 +9,7 @@ import (
 	"testing"
 	"time"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 // internal use for tests
@@ -177,10 +177,10 @@ func Test_Final_TimingAttack_InvalidPassword(test *testing.T) {
 	compare_datasets_on_final_method(stored_secret_dataset, user_inputs_invalid, user_inputs_valid, test)
 }
 
-func Test_Final_TimingAttack_EmptyOTP(test *testing.T) {
-	test.Log("Test is not implemented yet.")
+func Test_Final_TimingAttack_EmptyOTP(t *testing.T) {
+	t.Fatal("Test is not implemented yet.")
 }
 
-func Test_Final_TimingAttack_InvalidOTP(test *testing.T) {
-	test.Log("Test is not implemented yet.")
+func Test_Final_TimingAttack_InvalidOTP(t *testing.T) {
+	t.Fatal("Test is not implemented yet.")
 }