[Openvpn-devel] [PATCH] auth-gen-token: Hardening memory cleanup on auth-token failuers

Wed, 14 Dec 2016 07:15:41 -0800 

Further improve the memory management when a clients --auth-token
fails the server side token authentication enabled via --auth-gen-token.

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 src/openvpn/ssl_verify.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 4328828..1effdf5 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -1108,6 +1108,21 @@ verify_user_pass_management (struct tls_session 
*session, const struct user_pass
 }
 #endif
 
+/**
+ *  Wipes the authentication token out of the memory, frees and cleans up 
related buffers and flags
+ *
+ *  @param multi  Pointer to a multi object holding the auth_token variables
+ */
+static void
+wipe_auth_token(struct tls_multi *multi)
+{
+  secure_memzero (multi->auth_token, AUTH_TOKEN_SIZE);
+  free (multi->auth_token);
+  multi->auth_token = NULL;
+  multi->auth_token_sent = false;
+}
+
+
 /*
  * Main username/password verification entry point
  */
@@ -1157,6 +1172,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
       /* Ensure that the username has not changed */
       if (!tls_lock_username(multi, up->username))
         {
+          wipe_auth_token(multi);
           ks->authenticated = false;
           goto done;
         }
@@ -1168,6 +1184,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
           && (multi->auth_token_tstamp + session->opt->auth_token_lifetime) < 
now)
         {
           msg (D_HANDSHAKE, "Auth-token for client expired\n");
+          wipe_auth_token(multi);
           ks->authenticated = false;
           goto done;
         }
@@ -1176,10 +1193,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi 
*multi,
       if (memcmp_constant_time(multi->auth_token, up->password,
                  strlen(multi->auth_token)) != 0)
         {
-          secure_memzero (multi->auth_token, AUTH_TOKEN_SIZE);
-          free (multi->auth_token);
-          multi->auth_token = NULL;
-          multi->auth_token_sent = false;
+          wipe_auth_token(multi);
           ks->authenticated = false;
           tls_deauthenticate (multi);
 
-- 
1.8.3.1


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to