author | David Sommerseth | 2017-03-28 22:53:46 +0200 |
committer | David Sommerseth | 2017-03-29 12:04:19 +0200 |
commit | daab0a9fa8ff4f40e8a34707db0ac156d49fbfcb (patch) | |
tree | f421a9756b8f650cf0022c6989b4ff43376775c6 /src/openvpn/ssl_verify.c | |
parent | 363af65178b8bbb482df958d6570c8763aee5d1d (diff) | |
auth-token: Ensure tokens are always wiped on de-auth
If tls_deauthenticate() was called, it could in some scenarios leave the
authentication token for a session in memory. This change just ensures
auth-tokens are always wiped as soon as a TLS session is considered
broken.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20170328205346.18844-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14344.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Diffstat (limited to 'src/openvpn/ssl_verify.c')
-rw-r--r-- | src/openvpn/ssl_verify.c | 47 |
1 files changed, 27 insertions, 20 deletions
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index a6e9be3..ac1e110 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -80,6 +80,28 @@ setenv_untrusted(struct tls_session *session)
 setenv_link_socket_actual(session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);
 }
+
+/**
+ * Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
+ *
+ * @param multi Pointer to a multi object holding the auth_token variables
+ */
+static void
+wipe_auth_token(struct tls_multi *multi)
+{
+ if(multi)
+ {
+ if (multi->auth_token)
+ {
+ secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
+ free(multi->auth_token);
+ }
+ multi->auth_token = NULL;
+ multi->auth_token_sent = false;
+ }
+}
+
+
 /*
 * Remove authenticated state from all sessions in the given tunnel
 */
@@ -88,10 +110,10 @@ tls_deauthenticate(struct tls_multi *multi)
 {
 if (multi)
 {
- int i, j;
- for (i = 0; i < TM_SIZE; ++i)
+ wipe_auth_token(multi);
+ for (int i = 0; i < TM_SIZE; ++i)
 {
- for (j = 0; j < KS_SIZE; ++j)
+ for (int j = 0; j < KS_SIZE; ++j)
 {
 multi->session[i].key[j].authenticated = false;
 }
@@ -1219,21 +1241,6 @@ verify_user_pass_management(struct tls_session *session, const struct user_pass
 }
 #endif /* ifdef MANAGEMENT_DEF_AUTH */
-/**
- * Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
- *
- * @param multi Pointer to a multi object holding the auth_token variables
- */
-static void
-wipe_auth_token(struct tls_multi *multi)
-{
- secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
- free(multi->auth_token);
- multi->auth_token = NULL;
- multi->auth_token_sent = false;
-}
-
-
 /*
 * Main username/password verification entry point
 */
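Review bot: `if(multi)` in the new wipe_auth_token() drops the space before the parenthesis that the very next line (`if (multi->auth_token)`) and the `if (multi)` in tls_deauthenticate() use; write it `if (multi)` so the file stays uniform. The Doxygen comment was carried over unchanged and does not state the contract this hunk adds, namely that a NULL multi or a multi with no token is now a no-op, which is what the unconditional call from tls_deauthenticate() relies on. I would extend the parameter line to ` * @param multi Pointer to a multi object holding the auth_token variables; may be NULL, and a NULL auth_token is a no-op`. The secure_memzero() length is the fixed AUTH_TOKEN_SIZE, so the function presumably assumes every auth_token allocation is exactly that size; if so, that assumption belongs in the comment too.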
@@ -1285,7 +1292,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
 /* Ensure that the username has not changed */
 if (!tls_lock_username(multi, up->username))
 {
- wipe_auth_token(multi);
+ /* auth-token cleared in tls_lock_username() on failure */
 ks->authenticated = false;
 goto done;
 }
@@ -1306,7 +1313,6 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
 if (memcmp_constant_time(multi->auth_token, up->password, strlen(multi->auth_token)) != 0)
 {
- wipe_auth_token(multi);
 ks->authenticated = false;
 tls_deauthenticate(multi);
@@ -1478,6 +1484,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
 if (!cn || !strcmp(cn, CCD_DEFAULT) || !test_file(path))
 {
 ks->authenticated = false;
+ wipe_auth_token(multi);
 msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'", session->common_name, path ? path : "UNDEF");
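Review bot: The replacement comment `/* auth-token cleared in tls_lock_username() on failure */` documents behaviour that lives outside this diff; nothing in the visible hunks shows tls_lock_username() clearing the token, only that tls_deauthenticate() now does. If tls_lock_username() reaches the wipe by calling tls_deauthenticate(), say so, e.g. `/* tls_lock_username() calls tls_deauthenticate() on failure, which wipes the auth-token */`, so a later refactor of that function cannot silently reintroduce the leak this commit fixes. verify_user_pass() starts and ends outside the hunk.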
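Review bot: The surviving check on the context line compares only `strlen(multi->auth_token)` bytes of up->password, so a supplied password that is longer than the token but starts with it still matches; the removed wipe_auth_token() call is covered by the tls_deauthenticate() below, but this prefix comparison is not addressed by the commit. The impact is low because the caller must already hold the token, yet an exact-length check is cheap: `if (strlen(up->password) != strlen(multi->auth_token) || memcmp_constant_time(multi->auth_token, up->password, strlen(multi->auth_token)) != 0)`, keeping the constant-time compare for the byte test. Whether up->password can be shorter than the token is not visible here; if it is a fixed-size NUL-terminated buffer, the length test also keeps memcmp_constant_time() from reading past its terminator. verify_user_pass() begins and ends outside the hunk.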