From patchwork Fri Mar 19 05:45:18 2021
X-Patchwork-Submitter: Kristof Provost via Openvpn-devel
X-Patchwork-Id: 1638
To: "openvpn-devel@lists.sourceforge.net"
Thread-Topic: [Patch] Wipe Socks5 credentials after use
Date: Fri, 19 Mar 2021 16:45:18 +0000
Subject: [Openvpn-devel] [Patch] Wipe Socks5 credentials after use
From: Kristof Provost via Openvpn-devel
X-Patchwork-Original-From: Maximilian Fillinger via Openvpn-devel
Reply-To: Maximilian Fillinger

Socks5 plaintext authentication is not exactly high security, but we might as well memzero the credentials before leaving the function.

--- src/openvpn/socks.c | 23 ++++++++++++++--- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c index 36df7470..add7a6d4 100644 --- a/src/openvpn/socks.c +++ b/src/openvpn/socks.c @@ -104,12 +104,13 @@ socks_username_password_auth(struct socks_proxy_info *p, const int timeout_sec = 5; struct user_pass creds; ssize_t size; + bool ret = false; creds.defined = 0; if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT)) { msg(M_NONFATAL, "SOCKS failed to get username/password."); - return false; + goto cleanup; } if ( (strlen(creds.username) > 255) || (strlen(creds.password) > 255) ) 
@@ -117,7 +118,7 @@ socks_username_password_auth(struct socks_proxy_info *p, msg(M_NONFATAL, "SOCKS username and/or password exceeds 255 characters. " "Authentication not possible."); - return false; + goto cleanup; } openvpn_snprintf(to_send, sizeof(to_send), "\x01%c%s%c%s", (int) strlen(creds.username), creds.username, (int) strlen(creds.password), creds.password); @@ -126,7 +127,7 @@ socks_username_password_auth(struct socks_proxy_info *p, if (size != strlen(to_send)) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port write failed on send()"); - return false; + goto cleanup; } while (len < 2) @@ -147,21 +148,21 @@ socks_username_password_auth(struct socks_proxy_info *p, get_signal(signal_received); if (*signal_received) { - return false; + goto cleanup; } /* timeout? */ if (status == 0) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read timeout expired"); - return false; + goto cleanup; } /* error */ if (status < 0) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on select()"); - return false; + goto cleanup; } /* read single char */ @@ -171,7 +172,7 @@ socks_username_password_auth(struct socks_proxy_info *p, if (size != 1) { msg(D_LINK_ERRORS | M_ERRNO, "socks_username_password_auth: TCP port read failed on recv()"); - return false; + goto cleanup; } /* store char in buffer */ @@ -182,10 +183,14 @@ socks_username_password_auth(struct socks_proxy_info *p, if (buf[0] != 5 && buf[1] != 0) { msg(D_LINK_ERRORS, "socks_username_password_auth: server refused the authentication"); - return false; + goto cleanup; } - return true; + ret = true; +cleanup: + secure_memzero(&creds, sizeof(creds)); + secure_memzero(to_send, sizeof(to_send)); + return ret; } static bool
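Review bot: in the first hunk (@@ -104,12) creds is only partially initialised ("creds.defined = 0;") before get_user_pass() runs, so on the early "goto cleanup" the later secure_memzero(&creds, sizeof(creds)) zeroes whatever get_user_pass() may have filled in plus uninitialised stack. That is harmless, but zeroing the whole struct up front instead of only the defined field would make the secret's lifetime explicit and match the wipe at the end. It would also help if the commit message said that both creds and the wire buffer to_send are wiped, since the latter is the less obvious copy.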
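Review bot: the 255-character guard kept in context in the second hunk (@@ -117,7) bounds what openvpn_snprintf() writes into to_send at 1 + 1 + 255 + 1 + 255 = 513 bytes plus the terminating NUL, but the declaration of to_send is outside the diff. Because the new cleanup path does secure_memzero(to_send, sizeof(to_send)), please confirm to_send is a fixed-size array in this scope and not a pointer; with a pointer sizeof would wipe only the pointer width and leave the credentials in the buffer.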
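Review bot: the refusal test kept in context in the last hunk (@@ -182,10), "if (buf[0] != 5 && buf[1] != 0)", only refuses when both bytes are wrong. RFC 1929 defines the server reply as VER=0x01 followed by STATUS, so the first comparison is always true and the check effectively reduces to buf[1] != 0; it should read "if (buf[0] != 1 || buf[1] != 0)". That is a pre-existing defect rather than something this patch introduces, but it sits next to the changed lines and deserves a follow-up. The cleanup block itself looks right: with the success path now falling through "ret = true;" into cleanup, every exit from the function wipes both creds and to_send before returning.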