author | Selva Nair | 2022-10-23 15:51:05 -0400 |
committer | Gert Doering | 2022-10-26 21:31:11 +0200 |
commit | 5ad4b4b374f072459ab2436ed372c92d3a42d65d (patch) | |
tree | fa483a04abdbfb01bf89041d58b378575053194c | |
parent | af546d798213587285b225cd0031944a81e8e26c (diff) | |
Ensure --auth-nocache is handled during renegotiation
Currently, clearing auth_user_pass struct is delayed until
push-reply processing to support auth-token. This results in
username/password not purged after renegotiations that may
not accompany any pushed tokens -- say, when auth-token is not
in use.
Fix by always clearing auth_user_pass soon after it is used,
instead of delaying the purge as in pre-token days. But, when
"pull" is true, retain the username in auth_token in anticipation
of a token that may or may not arrive later.
Remove ssl_clean_user_pass() as there is no delayed purge any
longer -- auth-nocache handling is now done immediately after
writing username/password to the send-buffer.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20221023195105.31714-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25452.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3a4fb17d103be37599d72d072bbee42cc121a39d)
-rw-r--r-- | src/openvpn/init.c | 13 | ||||
-rw-r--r-- | src/openvpn/misc.c | 10 | ||||
-rw-r--r-- | src/openvpn/ssl.c | 23 | ||||
-rw-r--r-- | src/openvpn/ssl.h | 6 |
4 files changed, 7 insertions, 45 deletions
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 7990e84..be8ff80 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1597,19 +1597,6 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)
 
 /* If we delayed UID/GID downgrade or chroot, do it now */
 do_uid_gid_chroot(c, true);
-
- /*
- * In some cases (i.e. when receiving auth-token via
- * push-reply) the auth-nocache option configured on the
- * client is overridden; for this reason we have to wait
- * for the push-reply message before attempting to wipe
- * the user/pass entered by the user
- */
- if (c->options.mode == MODE_POINT_TO_POINT)
- {
- ssl_clean_user_pass();
- }
-
 /* Test if errors */
 if (flags & ISC_ERRORS)
 {
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index dceccd2..40b3bf5 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -519,19 +519,13 @@ set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token)
 * --auth-token has no username, so it needs the username
 * either already set or copied from up, or later set by
 * --auth-token-user
- *
- * Do not overwrite the username if already set to avoid
- * overwriting an username set by --auth-token-user
+ * If already set, tk is fully defined.
 */
- if (up->defined && !tk->defined)
+ if (strlen(tk->username))
 {
- strncpynt(tk->username, up->username, USER_PASS_LEN);
 tk->defined = true;
 }
 }
-
- /* Cleans user/pass for nocache */
- purge_user_pass(up, false);
 }
 
 void
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 3de4cc3..aa8266d 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
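Review bot: The comment kept above the new `if (strlen(tk->username))` in set_auth_token still says the username is "either already set or copied from up", but this hunk removes the only copy from `up` in this function, so the middle clause now describes code that no longer exists and the reader will look for a copy that moved to the caller. I would reword the retained lines to `* --auth-token has no username, so it needs the username` / `* already present in tk (saved by the caller before the` / `* token arrived) or later set by --auth-token-user.` and keep the new `* If already set, tk is fully defined.` line. With the `up->defined && !tk->defined` guard gone, `up` appears unused in the visible part of the function; if the part before the hunk does not read it either, the parameter is now dead and a short comment on why it is kept (API stability) would help. set_auth_token starts before this hunk.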
@@ -2391,20 +2391,13 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi,
 {
 goto error;
 }
- /* if auth-nocache was specified, the auth_user_pass object reaches
- * a "complete" state only after having received the push-reply
- * message. The push message might contain an auth-token that needs
- * the username of auth_user_pass.
- *
- * For this reason, skip the purge operation here if no push-reply
- * message has been received yet.
- *
- * This normally happens upon first negotiation only.
- */
- if (!session->opt->pull)
+ /* save username for auth-token which may get pushed later */
+ if (session->opt->pull)
 {
- purge_user_pass(&auth_user_pass, false);
+ strncpynt(auth_token.username, up->username, USER_PASS_LEN);
 }
+ /* respect auth-nocache */
+ purge_user_pass(&auth_user_pass, false);
 }
 else
 {
@@ -4143,9 +4136,3 @@ print_data:
 done:
 return BSTR(&out);
 }
-
-void
-ssl_clean_user_pass(void)
-{
- purge_user_pass(&auth_user_pass, false);
-}
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 6b5ae8a..5dabcdf 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -603,12 +603,6 @@ void extract_x509_field_test(void);
 */
 bool is_hard_reset_method2(int op);
 
-/**
- * Cleans the saved user/password unless auth-nocache is in use.
- */
-void ssl_clean_user_pass(void);
-
-
 /*
 * Show the TLS ciphers that are available for us to use in the SSL
 * library with headers hinting their usage and warnings about usage. |
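Review bot: The new `strncpynt(auth_token.username, up->username, USER_PASS_LEN)` in key_method_2_write runs unconditionally whenever pull is set, so it overwrites whatever auth_token.username already holds; the `up->defined && !tk->defined` guard this same commit removes from set_auth_token existed precisely to keep a username preset by --auth-token-user from being clobbered, and no equivalent check reappears here. If `up` can itself point at auth_token (its assignment is before the hunk, so I cannot see it), the call is also a copy of a buffer onto itself, which is not defined for strncpy-based helpers if that is what strncpynt wraps. A guard along the lines of `if (session->opt->pull && up != &auth_token && !auth_token.username[0])` would preserve the old protection; please confirm against how --auth-token-user populates auth_token before choosing the condition. The comment `/* respect auth-nocache */` would say more as `/* --auth-nocache: purge the password now; only the username is kept in auth_token for a token that may be pushed later */`, since the retained username is the one part of the credentials deliberately exempt from the purge. key_method_2_write starts and ends outside the hunk.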