From patchwork Sun Oct 23 08:51:05 2022
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 2830
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 23 Oct 2022 15:51:05 -0400
Message-Id: <20221023195105.31714-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.30.2
Subject: [Openvpn-devel] [PATCH] Ensure --auth-nocache is handled during renegotiation
From: Selva Nair Currently, clearing auth_user_pass struct is delayed until push-reply processing to support auth-token. This results in username/password not purged after renegotiations that may not accompany any pushed tokens -- say, when auth-token is not in use. Fix by always clearing auth_user_pass soon after it is used, instead of delaying the purge as in pre-token days. But, when "pull" is true, retain the username in auth_token in anticipation of a token that may or may not arrive later. Remove ssl_clean_user_pass() as there is no delayed purge any longer -- auth-nocache handling is now done immediately after writing username/password to the send-buffer. Signed-off-by: Selva Nair Acked-By: Arne Schwabe options.mode == MODE_POINT_TO_POINT) - { - ssl_clean_user_pass(); - } - /* Test if errors */ if (flags & ISC_ERRORS) { diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 50f7f975..d78106cd 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -504,19 +504,13 @@ set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token) * --auth-token has no username, so it needs the username * either already set or copied from up, or later set by * --auth-token-user - * - * Do not overwrite the username if already set to avoid - * overwriting an username set by --auth-token-user + * If already set, tk is fully defined. */ - if (up->defined && !tk->defined) + if (strlen(tk->username)) { - strncpynt(tk->username, up->username, USER_PASS_LEN); tk->defined = true; } } - - /* Cleans user/pass for nocache */ - purge_user_pass(up, false); } void diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 4c0d78a1..765861b1 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -2180,20 +2180,13 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_sessi { goto error; } - /* if auth-nocache was specified, the auth_user_pass object reaches - * a "complete" state only after having received the push-reply - * message. The push message might contain an auth-token that needs - * the username of auth_user_pass. - * - * For this reason, skip the purge operation here if no push-reply - * message has been received yet. - * - * This normally happens upon first negotiation only. - */ - if (!session->opt->pull) + /* save username for auth-token which may get pushed later */ + if (session->opt->pull) { - purge_user_pass(&auth_user_pass, false); + strncpynt(auth_token.username, up->username, USER_PASS_LEN); } + /* respect auth-nocache */ + purge_user_pass(&auth_user_pass, false); } else { @@ -4092,9 +4085,3 @@ print_data: done: return BSTR(&out); } - -void -ssl_clean_user_pass(void) -{ - purge_user_pass(&auth_user_pass, false); -} diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 9ae6ae8f..96de9ccc 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -538,12 +538,6 @@ void extract_x509_field_test(void); */ bool is_hard_reset_method2(int op); -/** - * Cleans the saved user/password unless auth-nocache is in use. - */ -void ssl_clean_user_pass(void); - - /* * Show the TLS ciphers that are available for us to use in the SSL * library with headers hinting their usage and warnings about usage.
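Review bot: the first hunk (the one deleting the `options.mode == MODE_POINT_TO_POINT` block around `ssl_clean_user_pass()`) has lost its `diff --git` header and `@@` line in this copy of the mail, so the file it touches cannot be checked here; before applying, run `git grep ssl_clean_user_pass` to confirm this was the only remaining caller, because the function body and its prototype are removed later in the same patch and any caller left behind fails to link.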
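Review bot: in the misc.c hunk the retained comment above the new test still says the username is "either already set or copied from up", but the `strncpynt(tk->username, up->username, USER_PASS_LEN)` that did the copying is deleted; reword it to say the caller now stores the username in `tk` before any token arrives. Nothing left in the hunk reads `up`: if the rest of `set_auth_token()` does not use it either, drop the parameter (or mark it unused) instead of keeping a dead argument, and update the prototype and doc comment in misc.h to say the function neither copies the username nor purges `up` any more. As a style point, `if (strlen(tk->username))` reads better as `if (tk->username[0])`.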
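Review bot: in the key_method_2_write hunk, `up` is declared outside the shown lines; if it can point at `auth_token` once a token is in use (a token is sent in place of the real credentials on later renegotiations), then `strncpynt(auth_token.username, up->username, USER_PASS_LEN)` copies `auth_token.username` onto itself, which is pointless and passes the same object as both `restrict` arguments of `strncpy`. Guard it, for example `if (session->opt->pull && up == &auth_user_pass)`, or copy from `auth_user_pass.username` explicitly. The ordering is right otherwise: the username is saved before `purge_user_pass(&auth_user_pass, false)` wipes the struct, and with `force` false the purge still only acts under --auth-nocache, as the `/* respect auth-nocache */` comment says. One consequence worth a sentence in the --auth-nocache documentation: on every --pull connection the username now survives in `auth_token` for the life of the process even when no token is ever pushed, whereas the old delayed purge cleared it too.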
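Review bot: deleting the `ssl_clean_user_pass()` body in ssl.c is consistent with the new unconditional purge in `key_method_2_write()`, but its one-line body `purge_user_pass(&auth_user_pass, false)` was the entry point other files used to reach `auth_user_pass`; grep the tree for any remaining caller in the same series, since the only removed call site visible in this mail is the one in the header-less first hunk.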
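Review bot: the ssl.h hunk deletes a doc comment, "Cleans the saved user/password unless auth-nocache is in use", that stated the opposite polarity of what `purge_user_pass(&auth_user_pass, false)` does (it purges only when --auth-nocache is set, which is why the commit message calls this "auth-nocache handling"); removing it is fine, but since it was the only description of the nocache purge in the public headers, check that the doc comment on `purge_user_pass()` in misc.h states the polarity correctly.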
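The purge ordering the commit message describes, played out as an added example in C. This is not OpenVPN's code: the struct, the purge, prompt, send and push-reply functions are simplified stand-ins that borrow OpenVPN's names, the credentials and the token are constructed values, and the `up == &auth_user_pass` guard in the patched branch is the example's own addition. It runs both the pre-patch delayed purge and the patched immediate purge through one --pull, --auth-nocache connection (first handshake, optional pushed token, then a renegotiation that carries no push-reply) and reports whether the password is still resident afterwards.

```c
/* Added example, not OpenVPN's code: toy model of the purge ordering the
 * patch changes. Names mirror OpenVPN's, bodies are simplified, and all
 * credential and token values are constructed test data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_PASS_LEN 128

struct user_pass {
    bool defined;
    bool nocache;                 /* --auth-nocache applies to this struct */
    char username[USER_PASS_LEN];
    char password[USER_PASS_LEN];
};

enum purge_policy {
    PURGE_DELAYED,   /* pre-patch: purge only during push-reply processing */
    PURGE_IMMEDIATE  /* patched: purge right after the credentials are sent */
};

static struct user_pass auth_user_pass;
static struct user_pass auth_token;

/* Volatile wipe so the compiler cannot drop the stores. */
static void secure_memzero(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) { *v++ = 0; }
}

/* Like purge_user_pass(up, force): wipe the whole struct when --auth-nocache
 * is set (or force is true), keeping only the nocache flag itself. */
static void purge_user_pass(struct user_pass *up, bool force)
{
    bool nocache = up->nocache;
    if (nocache || force) {
        secure_memzero(up, sizeof(*up));
        up->nocache = nocache;
    }
}

/* Stand-in for the console/management prompt: asks again only when neither
 * the credentials nor a token are defined. Values are constructed. */
static void auth_user_pass_setup(void)
{
    if (!auth_user_pass.defined && !auth_token.defined) {
        strncpy(auth_user_pass.username, "alice", USER_PASS_LEN - 1);
        strncpy(auth_user_pass.password, "s3cret-password", USER_PASS_LEN - 1);
        auth_user_pass.defined = true;
    }
}

/* Toy key_method_2_write: put the credentials (or the token) into the send
 * buffer, then apply the purge policy under test. */
static void key_method_2_write(char *sendbuf, size_t buflen, bool pull,
                               enum purge_policy policy)
{
    auth_user_pass_setup();
    const struct user_pass *up = auth_token.defined ? &auth_token : &auth_user_pass;
    snprintf(sendbuf, buflen, "%s:%s", up->username, up->password);

    if (policy == PURGE_IMMEDIATE) {
        /* Patched ordering: keep the username for a token that may be pushed
         * later, then honour --auth-nocache at once. The aliasing guard is
         * this example's own addition. */
        if (pull && up == &auth_user_pass) {
            strncpy(auth_token.username, up->username, USER_PASS_LEN - 1);
        }
        purge_user_pass(&auth_user_pass, false);
    } else if (!pull) {
        /* Pre-patch ordering: with --pull the purge is left to push-reply
         * processing, which a plain renegotiation never triggers. */
        purge_user_pass(&auth_user_pass, false);
    }
}

/* Toy push-reply handling of a pushed auth-token. */
static void set_auth_token(const char *token, enum purge_policy policy)
{
    strncpy(auth_token.password, token, USER_PASS_LEN - 1);
    if (policy == PURGE_DELAYED) {
        if (auth_user_pass.defined && !auth_token.defined) {
            strncpy(auth_token.username, auth_user_pass.username, USER_PASS_LEN - 1);
            auth_token.defined = true;
        }
        purge_user_pass(&auth_user_pass, false);  /* the delayed nocache purge */
    } else if (auth_token.username[0] != '\0') {
        auth_token.defined = true;                /* username saved at send time */
    }
}

/* One --pull, --auth-nocache connection: first handshake, optional pushed
 * token, then a renegotiation with no push-reply. Returns true if the
 * password is still resident; last_sent receives what the reneg sent. */
static bool run_connection(enum purge_policy policy, bool token_pushed,
                           char *last_sent, size_t n)
{
    memset(&auth_user_pass, 0, sizeof(auth_user_pass));
    memset(&auth_token, 0, sizeof(auth_token));
    auth_user_pass.nocache = true;

    key_method_2_write(last_sent, n, true, policy);
    if (token_pushed) {
        set_auth_token("constructed-session-token", policy);
    } else if (policy == PURGE_DELAYED) {
        purge_user_pass(&auth_user_pass, false);  /* pre-patch purge at push-reply time */
    }
    key_method_2_write(last_sent, n, true, policy);
    return auth_user_pass.password[0] != '\0';
}

bool password_resident_after_reneg(enum purge_policy policy, bool token_pushed)
{
    char buf[2 * USER_PASS_LEN + 2];
    return run_connection(policy, token_pushed, buf, sizeof(buf));
}

/* With a pushed token, the renegotiation must send the token, not the password. */
bool token_sent_on_reneg(enum purge_policy policy)
{
    char buf[2 * USER_PASS_LEN + 2];
    run_connection(policy, true, buf, sizeof(buf));
    return strcmp(buf, "alice:constructed-session-token") == 0;
}

int main(void)
{
    printf("pre-patch, no token pushed: password resident after reneg = %d\n",
           password_resident_after_reneg(PURGE_DELAYED, false));
    printf("patched,   no token pushed: password resident after reneg = %d\n",
           password_resident_after_reneg(PURGE_IMMEDIATE, false));
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. Under the pre-patch policy the renegotiation re-prompts for credentials, no push-reply follows, and the password stays in memory (the commit message's bug); under the patched policy it is wiped right after being sent. When a token is pushed, both policies send the token on the renegotiation, which is what the saved username in `auth_token` is for.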