On 28/03/17 22:24, Steffan Karger wrote:
> Hi,
> 
> On 28-03-17 21:19, David Sommerseth wrote:
>> If tls_deauthenticate() was called, it could in some scenarios leave the
>> authentication token for a session in memory.  This change just ensures
>> auth-tokens are always wiped as soon as a TLS session is considered
>> broken.
>>
>> Signed-off-by: David Sommerseth <dav...@openvpn.net>
>>
>> ---
>>
>> The wipe_auth_token() function is otherwise moved to be declared before
>> tls_deauthenticate() and the latter function is also slightly modified to
>> make use of the C99 feature of inline declaration - mostly to have a more
>> reasonable coding style when adding the wipe_auth_token() call.
>> ---
>>  src/openvpn/ssl_verify.c | 44 ++++++++++++++++++++++++--------------------
>>  1 file changed, 24 insertions(+), 20 deletions(-)
>>
[...snip...]
>> +
>> +/**
>> + *  Wipes the authentication token out of the memory, frees and cleans up 
>> related buffers and flags
>> + *
>> + *  @param multi  Pointer to a multi object holding the auth_token variables
>> + */
>> +static void
>> +wipe_auth_token(struct tls_multi *multi)
>> +{
>> +    if( multi ) {
>> +    if (multi->auth_token ) {
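Review bot: the two checks at the end of the hunk, `if( multi ) {` and `if (multi->auth_token ) {`, mix spacing styles and put the opening brace on the `if` line, while the function header just above them puts `{` on its own line; the inner check is also not indented deeper than the outer one, which hides the nesting. Suggest `if (multi)` and `if (multi->auth_token)` with braces placed as the rest of the hunk does, or a single `if (multi && multi->auth_token)` if nothing else lives in the outer block.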
> 
> The spaces in these lines look a bit odd.

Sigh ... seems my Emacs config has re-decided on tabs vs spaces :/  Fixed!

[...snip...]
> 
> Shouldn't we also clear the token if the ccd authentication check in
> verify_final_auth_checks() fails?

Thanks!  I didn't consider that so much, as in my mind this check
happened before the user/password auth ... but it seems it actually
happens afterwards.  So you're right, as this is really happening after
we have generated a token, this should be wiped here too.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
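To illustrate the two call sites discussed in this thread (the wipe on tls_deauthenticate() and the wipe when the ccd check in verify_final_auth_checks() fails), here is an added, self-contained example; it is not OpenVPN's code. The struct tls_multi, the auth_token_sent flag, the ccd_ok parameter and the function signatures are simplified stand-ins, and the token values are constructed.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the parts of struct tls_multi this patch touches
 * (hypothetical layout, not OpenVPN's real definition). */
struct tls_multi {
    char *auth_token;      /* heap-allocated, NUL-terminated token */
    bool  auth_token_sent; /* flag that is reset together with the token */
};

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * stores as dead code right before free(). */
static void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Wipe the auth token out of memory, free it and reset related state. */
static void wipe_auth_token(struct tls_multi *multi)
{
    if (multi && multi->auth_token) {
        secure_zero(multi->auth_token, strlen(multi->auth_token));
        free(multi->auth_token);
        multi->auth_token = NULL;
    }
    if (multi) {
        multi->auth_token_sent = false;
    }
}

/* A TLS session considered broken must never keep its token around. */
static void tls_deauthenticate(struct tls_multi *multi)
{
    wipe_auth_token(multi);
}

/* The point raised in the thread: the ccd check runs after a token has been
 * generated, so a failure here must wipe it as well. */
static bool verify_final_auth_checks(struct tls_multi *multi, bool ccd_ok)
{
    if (!ccd_ok) {
        wipe_auth_token(multi);
        return false;
    }
    return true;
}

/* Demo helper: issue a copy of a constructed token to the session. */
static void set_auth_token(struct tls_multi *multi, const char *tok)
{
    size_t n = strlen(tok) + 1;
    multi->auth_token = malloc(n);
    memcpy(multi->auth_token, tok, n);
    multi->auth_token_sent = true;
}
```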



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
