| Message ID | ea76bd73ca4ffff1607e4082e054ca8087a5cf74-HTML@gerrit.openvpn.net |
|---|---|
| State | Superseded |
| Headers | show
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7000:77d2:b0:5a1:d4fc:4ac6 with SMTP id
r18csp1162525mau;
Wed, 14 Aug 2024 20:20:22 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
AJvYcCXLcisTAzltRnw03jbD/bQ6qlNvPouNbfCCCFcsLNmFesWlhhxzF5jFkI3VcloBG+d5+ipjZezMn30rM2DoUGB3tVe2Tjc=
X-Google-Smtp-Source:
AGHT+IET+udhZ/FRfCHeuHKabdAPagPZXGM3hw3B5WxXLewtTJeQ0hVDHcplt3BDSLBmb9io/uIS
X-Received: by 2002:a05:6a20:432b:b0:1c0:e263:77dd with SMTP id
adf61e73a8af0-1c8f9f65503mr899035637.1.1723692022121;
Wed, 14 Aug 2024 20:20:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1723692022; cv=none;
d=google.com; s=arc-20160816;
b=H3KSHY7L0qKt2nwjjeV1x+u/kyFwczj3HjLE66sM5Vlhe9Rim6nx2bKZVpKDOw0Zu3
qF8fbuWUMdhc/9ZlFEPlbrLTMA+zKeRb0P9/BMIIYd3BcyDcSdusIMSZrM6onwVMw0wW
IvrKkzzQREYa8+5RvaIXBUNeyOCFBhyBm0DwUB+GG6aA+4k1ozB44xAJf7Vn10Jgscn6
4cF9mdSx25/O5LdSZ0XGN4ZAiVuBrSVlxyehAXZuhHKMy5LqVMzj39iR39Ij6R/gQn3w
/WXe30cXM9OTwruFshJwS5RGHzCopm/S2h+YVS/mZVpOA9Wk8HKxj3L9MEfPKkLag7Im
RFLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=errors-to:cc:reply-to:list-subscribe:list-help:list-post
:list-archive:list-unsubscribe:list-id:precedence:subject:user-agent
:mime-version:message-id:references:auto-submitted:to:date:from
:dkim-signature:dkim-signature:dkim-signature;
bh=UQavfsbfuUO41WhT4pgxCoIkIlm6oufx0OcT2zS94vU=;
fh=U7wEyxtwz2o5+UdevFSA47vNeG9knhWH0KV//QhD5a0=;
b=g7vK0uJ84vbHykFSny/Hx8k/wl6v/JbxEIa3iJeUMA3CCdeYcpM5KhsDh6FIA4r9l2
pY9jLA4Xr6xLO3/JuOs7aSklVLVzLm8Y5TvxYTPKm92FGoJDVYB+2ZAlYZ954Gj9e33r
VGForBsKcLFtbwRXhLPCUwlsb1GXzzp2Hxx52HC4Qc9PZf2LWEnFx+MQHpOJv+dqGh92
RnHEyIdd+tboZewOqqpGCxxxRKNaWfGxayy/C8QUendSPHR2BnI9wecEOu0P6PDxkwgY
34EugA0g6jFFje/19k1ysYtu/6d41vAT+LH/qg078rtMD4PL8r+oE3z3snMJdX629fkU
552Q==;
dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
dkim=neutral (body hash did not verify) header.i=@sourceforge.net
header.s=x header.b=XONWNuu6;
dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
header.b=aGzex3xc;
dkim=neutral (body hash did not verify) header.i=@openvpn.net
header.s=google header.b=EXB7tc02;
spf=pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net;
dara=fail header.i=@openvpn.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
by mx.google.com with ESMTPS id
41be03b00d2f7-7c6b638b90bsi518980a12.633.2024.08.14.20.20.21
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Wed, 14 Aug 2024 20:20:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
dkim=neutral (body hash did not verify) header.i=@sourceforge.net
header.s=x header.b=XONWNuu6;
dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
header.b=aGzex3xc;
dkim=neutral (body hash did not verify) header.i=@openvpn.net
header.s=google header.b=EXB7tc02;
spf=pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net;
dara=fail header.i=@openvpn.net
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95)
(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
id 1seR1h-0007B0-7n;
Thu, 15 Aug 2024 03:19:49 +0000
Received: from [172.30.29.66] (helo=mx.sourceforge.net)
by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
(envelope-from <gerrit@openvpn.net>) id 1seR1Y-0007AK-78
for openvpn-devel@lists.sourceforge.net;
Thu, 15 Aug 2024 03:19:40 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version
:Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:
From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From:
Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=xwogmrqCVeTT9W+XUrwHnjLXmefxfblJNrCRWWw1zCs=; b=XONWNuu6lT5udlLlT8AJOMfgwn
mdBwkepcMUhmYt1zYeAAglq6vIlC1AXiCloICieyNKJ0YhH1YXDWSMHOS0VQyvpxjWn9vPPl0k2Ej
jkBRbly7/kVd6C+mMq/mqCQRve+KH9ZcQ3ntx32JHdC+GNaLG+T7pMf0VyJ9sYKonmXM=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
;
h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To:
References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID
:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:
Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post:
List-Owner:List-Archive; bh=xwogmrqCVeTT9W+XUrwHnjLXmefxfblJNrCRWWw1zCs=; b=a
Gzex3xccyu4tKU0HmOGiDP9/C7fpb72Rsn5VzDj/FlkuTETz9B6u7fe9qt2+jso2VvTdUuzkFnyTA
GmAI8Tgf3eIFg0HU0qKv9ywxy+yWnl6POgYdTyyIfzHG5wxPIhLjdJYso4T6J5Ko2x59NRYrWUMTz
CtOXtgDaaTYFGdVk=;
Received: from mail-wr1-f41.google.com ([209.85.221.41])
by sfi-mx-2.v28.lw.sourceforge.com with esmtps
(TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95)
id 1seR1X-0000ao-7B for openvpn-devel@lists.sourceforge.net;
Thu, 15 Aug 2024 03:19:40 +0000
Received: by mail-wr1-f41.google.com with SMTP id
ffacd0b85a97d-36ba3b06186so284789f8f.2
for <openvpn-devel@lists.sourceforge.net>;
Wed, 14 Aug 2024 20:19:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=openvpn.net; s=google; t=1723691972; x=1724296772;
darn=lists.sourceforge.net;
h=user-agent:content-disposition:content-transfer-encoding
:mime-version:message-id:reply-to:references:subject
:list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc
:subject:date:message-id:reply-to;
bh=xwogmrqCVeTT9W+XUrwHnjLXmefxfblJNrCRWWw1zCs=;
b=EXB7tc020yS1J+wxY520xS+1Gsbs2CT1krIxiFVVZr3/3AvPk7t5AzkqwMviYpp93b
hzGTBo/6gOFx4NRHvTrLojmv7X+9pXd21pJeMMLSeeTPurJJPif6FitNGEyCh52Z580O
EQK8n9Kt6gE8T7XqRz678DDCcb/QjZ338jo5tKevSKnoqzfJ2HdXkyTg691r5U6hhAJQ
cPfvdgpxltnHSC+EguO2Rfhj+/KXQ+ZeWnNseH2/8Ga+H3Fz5aXNescsbokRQwmVG5PM
TRLkZo0uqCrt5fLiY7f+lhkaf+v4ak844S615qxpYj7SBRpZHCGzxATdjX/dwFUTcalg
RQRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1723691972; x=1724296772;
h=user-agent:content-disposition:content-transfer-encoding
:mime-version:message-id:reply-to:references:subject
:list-unsubscribe:list-id:auto-submitted:cc:to:date:from
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=xwogmrqCVeTT9W+XUrwHnjLXmefxfblJNrCRWWw1zCs=;
b=qcK/Le/dSXllCS5BE3zEDABLSnOjVELJIGG4E6N5zKuJ9K48ApwXLI50FNFZIc6tQA
zRrCIyDjb0ue1rDvhGObn3jvptdvu4NykELdCSF48Zfw1YZ2zzo8nzae0EWMpIIhfQna
5CE1fUjsopZ8ZsCneNFoetLnnLtIANUMKzsR1CZdr3Vj08/5bRvHYesX+DExVFQufKbG
TYCamwzkCLQptbwb6Xmng8PjRoReCJF6GRA3wgUKkw5Fx6jIRUaaO6AWS9vbjYLGsfUC
mxU/nYtwX6U7sgCPd9nCcmwmWeCcooqGmxBU8hhXAy2MFu4Mo/i7oFIclj4O6ujTcRgQ
RHzg==
X-Gm-Message-State: AOJu0Yx/tARDBa/nPp4ITOB2UZbRTN2FEpcWFJjUUtmRW75zD01MJsSL
dRg/jvhvIObIuhApluQBLCrJ5PONUAWFQvSnDcw5lH0tLyiFWe0Oy8VyYXteMRk=
X-Received: by 2002:a5d:5847:0:b0:371:8a74:4170 with SMTP id
ffacd0b85a97d-3718a744330mr448263f8f.24.1723691972343;
Wed, 14 Aug 2024 20:19:32 -0700 (PDT)
Received: from gerrit.openvpn.in
(ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78])
by smtp.gmail.com with ESMTPSA id
5b1f17b1804b1-429ded720eesm35934225e9.33.2024.08.14.20.19.31
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 14 Aug 2024 20:19:31 -0700 (PDT)
From: "selvanair (Code Review)" <gerrit@openvpn.net>
X-Google-Original-From: "selvanair (Code Review)" <gerrit@gerrit.openvpn.in>
X-Gerrit-PatchSet: 1
Date: Thu, 15 Aug 2024 03:19:31 +0000
To: plaisthos <arne-openvpn@rfc2549.org>, flichtenheld <frank@lichtenheld.com>
Auto-Submitted: auto-generated
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ic6d63a319d272a56ac0e278f1356bc5241b56a34
X-Gerrit-Change-Number: 727
X-Gerrit-Project: openvpn
X-Gerrit-ChangeURL: <http://gerrit.openvpn.net/c/openvpn/+/727?usp=email>
X-Gerrit-Commit: ec298dd973b197dbb8aa31c51c9e41fc055e270a
References:
<gerrit.1723691967000.Ic6d63a319d272a56ac0e278f1356bc5241b56a34@gerrit.openvpn.net>
Message-ID: <ea76bd73ca4ffff1607e4082e054ca8087a5cf74-HTML@gerrit.openvpn.net>
MIME-Version: 1.0
User-Agent: Gerrit/3.8.2
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
running on the system "util-spamd-2.v13.lw.sourceforge.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Attention is currently required from: flichtenheld,
plaisthos.
Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit
Content analysis details: (-0.2 points, 6.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
The query to Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243
for more information.
[209.85.221.41 listed in sa-trusted.bondedsender.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information. [URIs: openvpn.net]
-0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
[209.85.221.41 listed in wl.mailspike.net]
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP
0.0 HTML_MESSAGE BODY: HTML included in message
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily
valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted
Colors in HTML
-0.0 T_SCC_BODY_TEXT_LINE No description available.
X-Headers-End: 1seR1X-0000ao-7B
Subject: [Openvpn-devel] [S] Change in openvpn[master]: proxy.c: Clear
sensitive data after use
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
<mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive:
<http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
<mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Reply-To: selva.nair@gmail.com, arne-openvpn@rfc2549.org,
openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Content-Type: multipart/mixed; boundary="===============5749110026228691338=="
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1807422085484541088?=
X-GMAIL-MSGID: =?utf-8?q?1807422085484541088?=
X-getmail-filter-classifier: gerrit message type newchange
|
| Series |
[Openvpn-devel,S] Change in openvpn[master]: proxy.c: Clear sensitive data after use
|
expand
|
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index 5de0da4..eddacc9 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -247,7 +247,9 @@ struct buffer out = alloc_buf_gc(strlen(p->up.username) + strlen(p->up.password) + 2, gc); ASSERT(strlen(p->up.username) > 0); buf_printf(&out, "%s:%s", p->up.username, p->up.password); - return (const char *)make_base64_string((const uint8_t *)BSTR(&out), gc); + char *ret = (char *)make_base64_string((const uint8_t *)BSTR(&out), gc); + secure_memzero(BSTR(&out), out.len); + return ret; } static void @@ -736,6 +738,9 @@ ASSERT(0); } + /* clear any sensitive content in buf */ + secure_memzero(buf, sizeof(buf)); + /* send empty CR, LF */ if (!send_crlf(sd)) { @@ -983,6 +988,8 @@ { goto error; } + /* clear any sensitive content in buf */ + secure_memzero(buf, sizeof(buf)); /* receive reply from proxy */ if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) @@ -1086,10 +1093,12 @@ #endif done: + purge_user_pass(&p->up, true); gc_free(&gc); return ret; error: + purge_user_pass(&p->up, true); register_signal(sig_info, SIGUSR1, "HTTP proxy error"); /* SOFT-SIGUSR1 -- HTTP proxy error */ gc_free(&gc); return ret;
Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/727?usp=email to review the following change. Change subject: proxy.c: Clear sensitive data after use ...................................................................... proxy.c: Clear sensitive data after use Usage of credentials is a bit odd in this file. Actually the copy of "struct user_pass" kept in p->up is not required at all. It just defeats the purpose of auth-nocahe as it never gets cleared. Removing it is beyond the scope of this patch -- we just ensure it's purged after use. Change-Id: Ic6d63a319d272a56ac0e278f1356bc5241b56a34 --- M src/openvpn/proxy.c 1 file changed, 10 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/27/727/1