From patchwork Wed Oct 26 07:55:43 2022
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 2832
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 26 Oct 2022 14:55:43 -0400
Message-Id: <20221026185543.5378-1-selva.nair@gmail.com>
In-Reply-To: <20221019224642.11178-1-selva.nair@gmail.com>
References: <20221019224642.11178-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v2 for 2.5/2.6] Purge auth-token as well while purging passwords
From: Selva Nair

Starting from commit e61b401a auth-token is saved in a separate struct from auth-user-pass and is not cleared when ssl_purge_auth() is called. This makes "forget-passwords" sent to the management interface or the "--management-forget-disconnect" option not work as expected. Purging caused by --auth-nocache is not affected (auth-token is retained in that case as it should be).

Use case: For Pre-Logon access and persistent connections on Windows, use of "forget-passwords" before disconnect is probably the only way to ensure that no credentials are left behind. Note that openvpn.exe continues to run after disconnect in these cases. Also, the original intent of "forget-passwords" appears to be to clear all "passwords" that can be used to reconnect.

v2:
- call ssl_clean_auth_token() directly from manage.c instead of amending ssl_purge_auth()
- Add a comment that ssl_purge_auth() does not clear auth-token

Signed-off-by: Selva Nair
Acked-by: Gert Doering
---
 src/openvpn/manage.c | 2 ++
 src/openvpn/ssl.h    | 1 +
 2 files changed, 3 insertions(+)

diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 5670e594..5b288eab 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -762,6 +762,7 @@ static void man_forget_passwords(struct management *man) { ssl_purge_auth(false); + (void)ssl_clean_auth_token(); msg(M_CLIENT, "SUCCESS: Passwords were forgotten"); } @@ -1922,6 +1923,7 @@ man_reset_client_socket(struct management *man, const bool exiting) if (man->settings.flags & MF_FORGET_DISCONNECT) { ssl_purge_auth(false); + (void)ssl_clean_auth_token(); } if (man->settings.flags & MF_SIGNAL) diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 9ae6ae8f..94137b23 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h 
@@ -390,6 +390,7 @@ void ssl_set_auth_nocache(void); /* * Purge any stored authentication information, both for key files and tunnel * authentication. If PCKS #11 is enabled, purge authentication for that too. + * Note that auth_token is not cleared. */ void ssl_purge_auth(const bool auth_user_pass_only);
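Review bot: in the `man_forget_passwords` hunk (`@@ -762,6 +762,7 @@`) the `(void)` cast discards the return value of `ssl_clean_auth_token()`, so `msg(M_CLIENT, "SUCCESS: Passwords were forgotten");` is emitted whether or not a token was actually held. If that return value reports whether a token was present, consider surfacing it in a debug-verbosity message so an operator driving the management interface can confirm that the reconnect token, and not only the user/pass pair, was wiped.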
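Review bot: the `ssl_purge_auth(false);` / `+ (void)ssl_clean_auth_token();` pair in the `MF_FORGET_DISCONNECT` branch of `man_reset_client_socket` (`@@ -1922,6 +1923,7 @@`) duplicates the sequence added to `man_forget_passwords`, and the commit message says v2 deliberately avoids changing `ssl_purge_auth()` itself. A small static helper in manage.c wrapping both calls would keep the two management-driven purge paths from drifting apart if another credential store is added later, while leaving the --auth-nocache path, which must retain the token, untouched.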
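Review bot: the added ssl.h comment line `+ * Note that auth_token is not cleared.` tells callers what `ssl_purge_auth()` skips but not what to do about it; suggest naming the companion call (`ssl_clean_auth_token()`) and the reason the token is retained here (a purge triggered by --auth-nocache keeps the token for reconnects, as the commit message explains), so future callers needing a full wipe do not repeat the omission this patch fixes. The context line `If PCKS #11 is enabled` also carries a pre-existing `PCKS`/`PKCS` typo that could be corrected while this comment block is being edited.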
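As an added illustration of the failure mode the commit message describes (this is not OpenVPN's own code; the struct and function names `purge_user_pass`, `clean_auth_token`, `forget_passwords_before`, `forget_passwords_after` and `reconnect_material_left` are hypothetical stand-ins for `ssl_purge_auth()`, `ssl_clean_auth_token()` and the management "forget-passwords" path): a client that keeps the user/pass pair and the auth-token in separate structs, a purge routine that wipes only the former, and the corrected path that wipes both. The check function models what an operator actually cares about after a forget-passwords: whether anything usable for reconnection is still in memory.

```c
/*
 * Added example, not OpenVPN code. Models a long-running client that stores
 * the user/pass pair and the session auth-token in two separate structs and
 * shows why a purge routine that covers only one of them leaves reconnect
 * material behind. All names here are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRED_LEN 128

struct user_pass {
    bool defined;
    char username[CRED_LEN];
    char password[CRED_LEN];
};

struct auth_token_state {
    bool defined;
    char token[CRED_LEN];
};

/* Simulated process-global state, as a persistent client would hold it. */
static struct user_pass g_auth_user_pass;
static struct auth_token_state g_auth_token;

/* Wipe through a volatile pointer so the compiler cannot elide the stores
 * as dead writes (the usual secure-memzero idiom). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Constructed sample credentials (not real values). */
void load_sample_credentials(void)
{
    g_auth_user_pass.defined = true;
    strcpy(g_auth_user_pass.username, "alice");
    strcpy(g_auth_user_pass.password, "hunter2");
    g_auth_token.defined = true;
    strcpy(g_auth_token.token, "SESS_ID_constructed_token_value");
}

/* Wipes user/pass only, mirroring what the commit message says
 * ssl_purge_auth() does: the token is intentionally left so that an
 * --auth-nocache purge can still reconnect with it. */
void purge_user_pass(void)
{
    secure_wipe(&g_auth_user_pass, sizeof g_auth_user_pass);
}

/* Wipes the token and reports whether one was actually held. */
bool clean_auth_token(void)
{
    bool had_token = g_auth_token.defined;
    secure_wipe(&g_auth_token, sizeof g_auth_token);
    return had_token;
}

/* Before the patch: forget-passwords only purges user/pass. */
void forget_passwords_before(void)
{
    purge_user_pass();
}

/* After the patch: both stores are wiped. */
void forget_passwords_after(void)
{
    purge_user_pass();
    (void)clean_auth_token();
}

/* True if any credential that could be used to reconnect is still held. */
bool reconnect_material_left(void)
{
    return g_auth_user_pass.defined || g_auth_token.defined;
}

int main(void)
{
    load_sample_credentials();
    forget_passwords_before();
    printf("before patch: reconnect material left = %d\n",
           reconnect_material_left());

    load_sample_credentials();
    forget_passwords_after();
    printf("after patch:  reconnect material left = %d\n",
           reconnect_material_left());
    return 0;
}
```

The `clean_auth_token()` return value is what the patch's `(void)` cast discards; keeping it available lets a purge path report whether the token store was actually populated, which is the check an operator wants after issuing forget-passwords on a machine that keeps running.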