| Message ID | 20251031100819.24855-1-gert@greenie.muc.de |
|---|---|
| State | Accepted |
| Series | [Openvpn-devel,v2] Zeroize tls-crypt-v2 client keys |
Commit Message
Gert Doering
Oct. 31, 2025, 10:08 a.m. UTC
From: Max Fillinger <max@max-fillinger.net>

Joshua Rogers sent in a bug report generated with ZeroPath that the tls-crypt-v2 client key is loaded before running the verify script. If the verify script fails, the key is not zeroized.

While investigating this report, I found that free_tls_pre_decrypt_state never zeroizes tls_wrap_tmp.original_wrap_keydata. So also when the check is successful, key data will remain in memory when it is no longer needed.

This commit moves the tls-crypt-v2-verify check before loading the key. If it fails, original_wrap_keydata is zeroized. Also, in free_tls_pre_decrypt_state, if a key has been loaded, original_wrap_keydata is zeroized.

Reported-By: Joshua Rogers <contact@joshua.hu>
Found-By: Zeropath
Change-Id: Icfcbf8ee20c1c0016eb98b570f24b9325b157c5c
Signed-off-by: Max Fillinger <max@max-fillinger.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1315
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1315
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-openvpn@rfc2549.org>
Comments
I did not test this, and when reviewing, felt it's above my paygrade - but
since Arne is happy, and he really understands that code, perfect :-)
BB is happy as well!

(I *do* have tested this on the t_server testbed which has tls-crypt[-v2]
using instances, and it still works, so confidence level is high ;-)).

Your patch has been applied to the master branch.

commit 9f71f906ea95331fd9b269502e92c42d1812dd9e
Author: Max Fillinger
Date: Fri Oct 31 11:08:04 2025 +0100

Zeroize tls-crypt-v2 client keys

Signed-off-by: Max Fillinger <max@max-fillinger.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1315
Message-Id: <20251031100819.24855-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34103.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c index 825719c..d7f7ac3 100644 --- a/src/openvpn/ssl_pkt.c +++ b/src/openvpn/ssl_pkt.c @@ -280,6 +280,7 @@ if (state->tls_wrap_tmp.cleanup_key_ctx) { free_key_ctx_bi(&state->tls_wrap_tmp.opt.key_ctx_bi); + secure_memzero(&state->tls_wrap_tmp.original_wrap_keydata, sizeof(state->tls_wrap_tmp.original_wrap_keydata)); } } diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 51b4eb3..a808de3 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -642,6 +642,12 @@ return false; } + if (opt && opt->tls_crypt_v2_verify_script && !tls_crypt_v2_verify_metadata(ctx, opt)) + { + secure_memzero(&ctx->original_wrap_keydata, sizeof(ctx->original_wrap_keydata)); + return false; + } + /* Load the decrypted key */ ctx->mode = TLS_WRAP_CRYPT; ctx->cleanup_key_ctx = true; @@ -652,11 +658,6 @@ /* Remove client key from buffer so tls-crypt code can unwrap message */ ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key)))); - if (opt && opt->tls_crypt_v2_verify_script) - { - return tls_crypt_v2_verify_metadata(ctx, opt); - } - return true; }
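
Review bot: In the src/openvpn/ssl_pkt.c hunk (@@ -280), the new secure_memzero() sits inside the `if (state->tls_wrap_tmp.cleanup_key_ctx)` block, so original_wrap_keydata is wiped only when that flag is set. The tls_crypt.c change in this same patch returns before `ctx->cleanup_key_ctx = true` on verify failure and has to carry its own wipe for exactly that reason; any other early return that leaves key data in the buffer would be missed the same way. Consider moving the secure_memzero() call outside the conditional so the free function clears the buffer unconditionally, rather than relying on every failure path to remember it.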
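
Review bot: In the second src/openvpn/tls_crypt.c hunk (@@ -652), removing the trailing verify block changes the state of `buf` on the failure path, which the commit message does not mention. Previously a failed verify returned false after `ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))))` had already trimmed the wrapped client key; with the check moved up, a failed verify returns with `buf` still carrying it. Please confirm that callers discard the buffer whenever this function returns false, and note the behaviour change in the commit message or a comment.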