From patchwork Wed Oct 19 22:46:42 2022
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 2825
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 19 Oct 2022 18:46:42 -0400
Message-Id: <20221019224642.11178-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.30.2
Subject: [Openvpn-devel] [PATCH for 2.5/2.6] Purge auth-token as well while purging passwords
From: Selva Nair

Starting from commit e61b401a auth-token is saved in a separate struct from auth-user-pass and is not cleared when ssl_purge_auth() is called. This makes "forget-passwords" sent to the management interface or the "--management-forget-disconnect" option not work as expected. Purging caused by --auth-nocache is not affected (auth-token is retained in that case as it should be).

Use case: For Pre-Logon access and persistent connections on Windows, use of "forget-passwords" before disconnect is probably the only way to ensure that no credentials are left behind. Note that openvpn.exe continues to run after disconnect in these cases.

Also, the original intent of "forget-passwords" appears to be to clear all "passwords" that can be used to reconnect.

Signed-off-by: Selva Nair
Acked-By: Arne Schwabe
---
 src/openvpn/ssl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index d9b21819..4c0d78a1 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -492,6 +492,7 @@ ssl_purge_auth(const bool auth_user_pass_only) purge_user_pass(&passbuf, true); } purge_user_pass(&auth_user_pass, true); + purge_user_pass(&auth_token, true); #ifdef ENABLE_MANAGEMENT ssl_purge_auth_challenge(); #endif
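Review bot: the new `purge_user_pass(&auth_token, true);` is placed after the closing brace of the `auth_user_pass_only` branch, next to the unconditional `purge_user_pass(&auth_user_pass, true);`, so every caller of `ssl_purge_auth()` now drops the token, including any that pass `auth_user_pass_only == true`. The commit message states that the `--auth-nocache` purge keeps the token, but nothing in the hunk shows which path that purge takes, so it is worth confirming the `auth_user_pass_only == true` callers in both the 2.5 and 2.6 trees and adding a one-line comment beside the new call saying the token is intentionally purged together with the user/password pair.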
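As an added illustration of the defect and the fix, not code from OpenVPN or from this patch: a toy C model of the two separate credential stores the commit message describes, with assumed struct fields and a stand-in for secure_memzero(), showing that a forget-passwords purge left the token in place before the patch and clears it after.

```c
#include <stdbool.h>
#include <string.h>

/* Toy model of the two credential stores the patch talks about. Field names
 * and sizes are assumptions for this example, not OpenVPN's own definitions. */
struct user_pass {
    bool nocache;       /* would be set by --auth-nocache */
    char password[64];
};
static struct user_pass auth_user_pass; /* --auth-user-pass credentials */
static struct user_pass auth_token;     /* server-pushed token, separate store */

/* Wipe one store unless it is cached and not forced; the volatile loop stands in
 * for secure_memzero() so the compiler cannot drop the zeroing as a dead store. */
static void purge_user_pass(struct user_pass *up, bool force)
{
    if (!up->nocache && !force)
        return;
    volatile unsigned char *p = (volatile unsigned char *)up;
    for (size_t i = 0; i < sizeof *up; i++)
        p[i] = 0;
}

/* Before the patch only the user/password store was wiped; after it, the token too. */
static void ssl_purge_auth_before(void) { purge_user_pass(&auth_user_pass, true); }
static void ssl_purge_auth_after(void)
{
    purge_user_pass(&auth_user_pass, true);
    purge_user_pass(&auth_token, true);
}

static void load(struct user_pass *up, const char *secret)
{
    memset(up, 0, sizeof *up);
    strcpy(up->password, secret);
}

/* Stores still holding a reusable secret; forget-passwords must leave this at zero. */
static int secrets_remaining(void)
{
    return (auth_user_pass.password[0] != '\0') + (auth_token.password[0] != '\0');
}

/* Run forget-passwords on constructed credentials; returns 1 before the fix, 0 after. */
static int secrets_left_after_forget(bool patched)
{
    load(&auth_user_pass, "hunter2");           /* constructed sample */
    load(&auth_token, "SESS_ID_example_token"); /* constructed sample */
    if (patched) { ssl_purge_auth_after(); } else { ssl_purge_auth_before(); }
    return secrets_remaining();
}
```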