Implement deferred auth for scripts

This patch also refactors the if condition that checks the result of
the authentication since that has become quite unreadable. It renames
s1/s2 and extracts some parts of the condition into individual variables
to make the condition better understandle

Patch v2: add refactoring of the if condition
Patch v4: fix documentation not mentioning method as 2nd line
Patch v5: fix deferred auth used by both plugin and script not working
Patch v6: Add missing async inotify for script deferred auth

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Tested-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210407154951.13330-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22072.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

1 files changed, 10 insertions, 0 deletions

diff --git a/Changes.rst b/Changes.rst
index 457dfc0..9185b55 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -30,6 +30,16 @@ TLS mode with self-signed certificates
     become optional. This allows for small OpenVPN setups without setting up
     a PKI with Easy-RSA or similar software.
 
+Deferred auth support for scripts
+    The ``--auth-user-pass-verify`` script supports now deferred authentication.
+
+Pending auth support for plugins and scripts
+    Both auth plugin and script can now signal pending authentication to
+    the client when using deferred authentication. The new ``client-crresponse``
+    script option and ``OPENVPN_PLUGIN_CLIENT_CRRESPONSE`` plugin function can
+    be used to parse a client response to a ``CR_TEXT`` two factor challenge.
+
+    See ``sample/sample-scripts/totpauth.py`` for an example.
 
 Deprecated features
 -------------------