From patchwork Thu Oct 27 11:32:01 2022
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 2834
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 27 Oct 2022 18:32:01 -0400
Message-Id: <20221027223201.24480-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <202210270607.29R67xBm021921@chekov.greenie.muc.de>
References: <202210270607.29R67xBm021921@chekov.greenie.muc.de>
Subject: [Openvpn-devel] [PATCH for 2.4] Ensure --auth-nocache is handled during renegotiation
From: Selva Nair

Currently, clearing auth_user_pass struct is delayed until push-reply processing to support auth-token. This results in username/password not purged after renegotiations that may not accompany any pushed tokens -- say, when auth-token is not in use.

Fix by always clearing auth_user_pass soon after it is used, instead of delaying the purge as in pre-token days. But, when "pull" is true, retain the username in auth_token in anticipation of a token that may or may not arrive later.

Remove ssl_clean_user_pass() as there is no delayed purge any longer -- auth-nocache handling is now done immediately after writing username/password to the send-buffer.

Same as commit ecad4839caf4c2fab9c6627ceeca9b9cb32e8929 on master, except:
  dest != src checked before copying username.
  minor edits to match the context in release/2.4 (no code changes).

Note: In 2.4 auth_token was set as defined even if there is no username. This patch changes that to set tk->defined only if username is available, matching with 2.5 and 2.6.

Signed-off-by: Selva Nair
---
 src/openvpn/init.c | 15 ---------------
 src/openvpn/misc.c | 13 +++++--------
 src/openvpn/ssl.c  | 23 +++++------------------
 src/openvpn/ssl.h  |  6 ------
 4 files changed, 10 insertions(+), 47 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 0c2fd03b..4909debf 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1527,21 +1527,6 @@ initialization_sequence_completed(struct context *c, const unsigned int flags) /* If we delayed UID/GID downgrade or chroot, do it now */ do_uid_gid_chroot(c, true); - -#ifdef ENABLE_CRYPTO - /* - * In some cases (i.e. when receiving auth-token via - * push-reply) the auth-nocache option configured on the - * client is overridden; for this reason we have to wait - * for the push-reply message before attempting to wipe - * the user/pass entered by the user - */ - if (c->options.mode == MODE_POINT_TO_POINT) - { - ssl_clean_user_pass(); - } -#endif /* ENABLE_CRYPTO */ - /* Test if errors */ if (flags & ISC_ERRORS) { diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index e3a2ef31..ec769e95 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -1326,18 +1326,15 @@ set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token) if (strlen(token) && (up->defined || tk->defined)) { - /* auth-token has no password, so it needs the username - * either already set or copied from up */ strncpynt(tk->password, token, USER_PASS_LEN); - if (up->defined) + /* auth-token has no username, so it needs the username + * either already set or copied from up. If set, tk is defined. + */ + if (strlen(tk->username)) { - strncpynt(tk->username, up->username, USER_PASS_LEN); + tk->defined = true; } - tk->defined = true; } - - /* Cleans user/pass for nocache */ - purge_user_pass(up, false); } /* diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index f98799ed..1c3bac4a 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -2437,20 +2437,13 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) { goto error; } - /* if auth-nocache was specified, the auth_user_pass object reaches - * a "complete" state only after having received the push-reply - * message. The push message might contain an auth-token that needs - * the username of auth_user_pass. - * - * For this reason, skip the purge operation here if no push-reply - * message has been received yet. - * - * This normally happens upon first negotiation only. - */ - if (!session->opt->pull) + /* save username for auth-token which may get pushed later */ + if (session->opt->pull && up != &auth_token) { - purge_user_pass(&auth_user_pass, false); + strncpynt(auth_token.username, up->username, USER_PASS_LEN); } + /* respect auth-nocache */ + purge_user_pass(&auth_user_pass, false); } else { @@ -4320,12 +4313,6 @@ done: return BSTR(&out); } -void -ssl_clean_user_pass(void) -{ - purge_user_pass(&auth_user_pass, false); -} - char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) { diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 8cf03789..2cda6c72 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -627,12 +627,6 @@ void extract_x509_field_test(void); */ bool is_hard_reset(int op, int key_method); -/** - * Cleans the saved user/password unless auth-nocache is in use. - */ -void ssl_clean_user_pass(void); - - /* * Show the TLS ciphers that are available for us to use in the SSL * library with headers hinting their usage and warnings about usage.
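Review bot: in the init.c hunk, dropping the deferred call also drops the `c->options.mode == MODE_POINT_TO_POINT` condition, so the purge that replaces it in key_method_2_write is no longer tied to any mode. That is harmless because only a client writes auth_user_pass on that path, but the commit message should say so, since a reader comparing the two call sites will otherwise look for where the mode check went.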
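Review bot: in the misc.c hunk the guard `if (strlen(token) && (up->defined || tk->defined))` is kept unchanged, but the ssl.c hunk now runs `purge_user_pass(&auth_user_pass, false)` right after the credentials are written, so with --auth-nocache `up->defined` is already false by the time the first push-reply arrives, and `tk->defined` is only set inside this very block. Please confirm that a first-time token is still stored on that path; if it is not, the `up->defined || tk->defined` part can go, since `tk->defined` is now derived from `strlen(tk->username)` anyway. The new comment also still says the username is "copied from up", but no copy happens in this function any more (it moved to key_method_2_write); "already saved by key_method_2_write" would match the code.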
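Review bot: in the key_method_2_write hunk the `up != &auth_token` test is the "dest != src" difference from master named in the commit message and deserves a comment of its own: when a token is being resent, `up` already points at `auth_token`, and `strncpynt(auth_token.username, up->username, USER_PASS_LEN)` would copy the buffer onto itself, which strncpy does not allow for overlapping objects. Note also that with --auth-nocache the username now stays in `auth_token.username` whenever `pull` is set, even if no token is ever pushed; that is what the commit message intends, but "save username for auth-token which may get pushed later" could state that this copy is deliberately exempt from the purge on the next line.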
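As an added illustration, not OpenVPN's code and not part of this patch, the following constructed C model shows why deferring the purge to push-reply processing leaves the plaintext password resident after a renegotiation (which carries no push-reply), and how purging right after the write while keeping the username in auth_token fixes it. The names user_pass, purge_user_pass, auth_user_pass_setup, key_method_2_write and auth_token are borrowed from the patch; their bodies, the client struct, the push_reply helper, the purge_immediately switch and the sample credentials "alice"/"hunter2" and token "tok-1234" are assumptions made for the model.

```c
/* Constructed model of the credential lifetime this patch changes. Names follow
 * the patch (user_pass, purge_user_pass, key_method_2_write, auth_token) but every
 * body is a simplified stand-in, not OpenVPN's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_PASS_LEN 128

struct user_pass {
    bool defined;
    bool nocache;                 /* --auth-nocache in effect */
    char username[USER_PASS_LEN];
    char password[USER_PASS_LEN];
};

struct client {
    struct user_pass auth_user_pass;  /* credentials entered by the user */
    struct user_pass auth_token;      /* server-pushed token, if any */
    bool pull;                        /* client pulls options from the server */
    bool purge_immediately;           /* true: behaviour after the patch */
    char send_buf[2 * USER_PASS_LEN]; /* stand-in for the control-channel buffer */
};

/* Bounded copy that always NUL-terminates. */
static void strncpynt(char *dest, const char *src, size_t maxlen)
{
    strncpy(dest, src, maxlen);
    if (maxlen > 0) { dest[maxlen - 1] = '\0'; }
}

/* Wipes the struct only when --auth-nocache is set (or when forced); the volatile
 * write loop stands in for OpenVPN's secure_memzero(). */
static void purge_user_pass(struct user_pass *up, bool force)
{
    const bool nocache = up->nocache;
    if (nocache || force) {
        volatile unsigned char *v = (volatile unsigned char *)up;
        for (size_t i = 0; i < sizeof(*up); i++) { v[i] = 0; }
        up->nocache = nocache;
    }
}

/* Credentials are (re-)entered only when neither a cached copy nor a token exists. */
static void auth_user_pass_setup(struct client *c, const char *user, const char *pass)
{
    if (c->auth_user_pass.defined || c->auth_token.defined) { return; }
    strncpynt(c->auth_user_pass.username, user, USER_PASS_LEN);
    strncpynt(c->auth_user_pass.password, pass, USER_PASS_LEN);
    c->auth_user_pass.defined = true;
}

/* Model of key_method_2_write(): runs on the first handshake and on every renegotiation. */
static void key_method_2_write(struct client *c, const char *user, const char *pass)
{
    auth_user_pass_setup(c, user, pass);
    struct user_pass *up = c->auth_token.defined ? &c->auth_token : &c->auth_user_pass;
    snprintf(c->send_buf, sizeof(c->send_buf), "%s:%s", up->username, up->password);
    if (c->purge_immediately) {
        /* after the patch: keep the username for a token that may be pushed later
         * (never copying auth_token onto itself), then honour --auth-nocache now */
        if (c->pull && up != &c->auth_token) {
            strncpynt(c->auth_token.username, up->username, USER_PASS_LEN);
        }
        purge_user_pass(&c->auth_user_pass, false);
    }
    /* before the patch nothing is purged here; that waited for push-reply processing */
}

/* Push-reply handling: set_auth_token(), plus the deferred purge the patch removes. */
static void push_reply(struct client *c, const char *token)
{
    struct user_pass *tk = &c->auth_token;
    if (token != NULL && strlen(token) > 0) {
        strncpynt(tk->password, token, USER_PASS_LEN);
        if (!c->purge_immediately) {   /* old code copied the username only here */
            strncpynt(tk->username, c->auth_user_pass.username, USER_PASS_LEN);
        }
        if (strlen(tk->username) > 0) { tk->defined = true; }
    }
    if (!c->purge_immediately) {
        purge_user_pass(&c->auth_user_pass, false); /* the removed ssl_clean_user_pass() path */
    }
}

/* True if the plaintext password is still in memory after a renegotiation, which
 * (unlike the first handshake) is not followed by a push-reply. */
static bool password_resident_after_renegotiation(bool purge_immediately, bool nocache, bool token_pushed)
{
    struct client c;
    memset(&c, 0, sizeof(c));
    c.pull = true;
    c.purge_immediately = purge_immediately;
    c.auth_user_pass.nocache = nocache;
    key_method_2_write(&c, "alice", "hunter2");        /* constructed sample credentials */
    push_reply(&c, token_pushed ? "tok-1234" : NULL);  /* constructed sample token */
    key_method_2_write(&c, "alice", "hunter2");        /* renegotiation */
    return c.auth_user_pass.password[0] != '\0';
}
```

With purge_immediately false, --auth-nocache set and no token pushed, password_resident_after_renegotiation returns true: the password was wiped after the first push-reply, re-entered for the renegotiation, and then never wiped again, which is the defect the commit message describes. With purge_immediately true the same call returns false, and it stays false when a token is pushed because the renegotiation then sends the token whose username was saved before the purge. Without --auth-nocache both models keep the password cached by design, so the new purge only changes behaviour for users who asked for it.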