From patchwork Fri Oct 31 10:08:04 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gert Doering <gert@greenie.muc.de>
X-Patchwork-Id: 4557
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7001:2f13:b0:72f:f16c:e055 with SMTP id
 sa19csp1493053mab;
        Fri, 31 Oct 2025 03:08:32 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AJvYcCUblzIemzgHJukBOm+jd29yEIAppEQoVZhDQofFz8Vt1Uw2qsYDcy0Gic2zwgbHaisdZ0SFaJLDTiM=@openvpn.net
X-Google-Smtp-Source: 
 AGHT+IEqe6RT1IoqFlurwEep4wchE5qOYqpeKnfcaF5FrDjNvq9opLQvhv1bu+S45Slp4rEymGj2
X-Received: by 2002:a05:6e02:1542:b0:42f:880a:cff7 with SMTP id
 e9e14a558f8ab-4330d138fbfmr51930945ab.13.1761905312392;
        Fri, 31 Oct 2025 03:08:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1761905312; cv=none;
        d=google.com; s=arc-20240605;
        b=jaCHSS9r7tCLUOYMUyE0kr1tOsFkKvEa60RQhKfwoM8bmL37/9JEJ3JVFDIp3emA0S
         lNOdFbfNUDxplDONAb+xcKYeQMXV4pY57g8uCsLYf0acwtyMK1qh95ZpLbDv06ydWHh6
         csI154h01KAJu17NVLKZs8w3tvsAXTmKPHOdprSqnAybhDdptPJfwAn3Ab0A3KRYZGKD
         MaJjDcB1voEaJ+D1ZkoE1C2AJkPMv7HQAlFjAUGlxoETyON7VdtPd/oHdpOQAcCE2lay
         ZJdZv0RE33uuWbEiR050bNHpUfU8z/twlUovy0BnWfhQwoWOPTAQ4j0XCj2yMO/E3V3J
         3X8w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=errors-to:content-transfer-encoding:list-subscribe:list-help
         :list-post:list-archive:list-unsubscribe:list-id:precedence:subject
         :mime-version:references:in-reply-to:message-id:date:to:from
         :dkim-signature:dkim-signature:dkim-signature;
        bh=DM0LJxbHTMh6MFk7WZUZiMV5EU5qW6iQrI3mXpv3c6Q=;
        fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=;
        b=KVTB29VmzqQv1+3KBBg2iCl/D2sWV4y4DIlPaEUiqs7317LdRe54P55QP+6kHN116n
         2Qs0YgTbr8EmlNgHtsvcoyz1cnYt025xfWo5FWrHH/PKJnejv/xl0a7gPXL0n7xWZvqa
         opTwPpjCNrlm8is89dx3PpgJnqvOggkAJ0k1S05G5wNGxkHVA9qfsEAQ8YNVYU+c4chJ
         rKKa736VwLQ37riTgOYnn2Njrspa91IP2oZiCE9n4y/xDboWxgZjfvDDrDVrwYzIG3hV
         n8iME0HFx6Vi/RW1BYqYGHVrW0pvBYkxfjRvKPlQYkfnaewgEDOOIkiUyBN8pRovCkFl
         9A1w==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=ljt2iou+;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=BIi5hF9B;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=Lh8RExO1;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 e9e14a558f8ab-433103449d8si9660905ab.88.2025.10.31.03.08.32
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 31 Oct 2025 03:08:32 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lists.sourceforge.net header.s=beta
 header.b=ljt2iou+;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=BIi5hF9B;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=Lh8RExO1;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:
	List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:
	Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender:
	Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	bh=DM0LJxbHTMh6MFk7WZUZiMV5EU5qW6iQrI3mXpv3c6Q=; b=ljt2iou+kPRSt+4WkuFzFAqeeI
	W1kHZ1vmoIdi799IBJ4wEXKjk8XoroFPyHHrbt5ryWANNj1E7IBb0sqALHEdfTUy/YjQqjAe4O4Ml
	No3kO1f0BMIU9FGnmRTDaqHXaNYAJiNPpwCtn/44Pvzwu6ejdVxGZRad8hflAAiFh5+Q=;
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
	by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1vEm3Z-0007fx-Lm;
	Fri, 31 Oct 2025 10:08:30 +0000
Received: from [172.30.29.66] (helo=mx.sourceforge.net)
 by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <gert@blue4.greenie.muc.de>) id 1vEm3X-0007ff-E6
 for openvpn-devel@lists.sourceforge.net;
 Fri, 31 Oct 2025 10:08:28 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=6yfv27RTI9gK1UKVHGJ2lOSCcnh4itjpKqHxYx00lOk=; b=BIi5hF9BtNWRlMzD3W/LreI3UO
 1QXFv6BSFtTxRtRaFrmspPae2IrK88RVNhh6EZ5COUsYgwjWqr2fqRM5B+T1xmbH/nMY8a6mJMby5
 zaAk1eTwqR6RQYVICP3Io+B1DYeb+BHikPQvLehgcSDKbnc9BVtgyA0CJZx1I9u9tREk=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:
 Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=6yfv27RTI9gK1UKVHGJ2lOSCcnh4itjpKqHxYx00lOk=; b=Lh8RExO14x+VWTDVn09yXrktZV
 OlzB4PI0ASWX+lA1CsrnfyMXZL/ZWxRUqbR1tr2f7eBufN0PPv+l8vjvuPZ5B14ER45KAg0O/IixH
 pka28ISCP3F/eNqYOMpJphLEbWdgMuWuSRbNOf3MLNxgahbRfMtxXYMpsb8qPDndbcuc=;
Received: from [193.149.48.134] (helo=blue.greenie.muc.de)
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
 id 1vEm3X-0001Gw-3H for openvpn-devel@lists.sourceforge.net;
 Fri, 31 Oct 2025 10:08:27 +0000
Received: from blue.greenie.muc.de (localhost [127.0.0.1])
 by blue.greenie.muc.de (8.18.1/8.18.1) with ESMTP id 59VA8KMr024883
 for <openvpn-devel@lists.sourceforge.net>; Fri, 31 Oct 2025 11:08:20 +0100
Received: (from gert@localhost)
 by blue.greenie.muc.de (8.18.1/8.18.1/Submit) id 59VA8K5M024882
 for openvpn-devel@lists.sourceforge.net; Fri, 31 Oct 2025 11:08:20 +0100
From: Gert Doering <gert@greenie.muc.de>
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 31 Oct 2025 11:08:04 +0100
Message-ID: <20251031100819.24855-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
In-Reply-To: 
 <gerrit.1761580588000.Icfcbf8ee20c1c0016eb98b570f24b9325b157c5c@gerrit.openvpn.net>
References: 
 <gerrit.1761580588000.Icfcbf8ee20c1c0016eb98b570f24b9325b157c5c@gerrit.openvpn.net>
MIME-Version: 1.0
X-Spam-Score: 1.3 (+)
X-Spam-Report: Spam detection software,
 running on the system "sfi-spamd-2.hosts.colo.sdot.me",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  From: Max Fillinger <max@max-fillinger.net> Joshua Rogers
 sent in a bug report generated with ZeroPath that the tls-crypt-v2 client
 key is loaded before running the verify script. If the verify script fails,
 the key is not zeroized.
 Content analysis details:   (1.3 points, 5.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
X-Headers-End: 1vEm3X-0001Gw-3H
Subject: [Openvpn-devel] [PATCH v2] Zeroize tls-crypt-v2 client keys
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1847491624931677163?=
X-GMAIL-MSGID: =?utf-8?q?1847491624931677163?=

From: Max Fillinger <max@max-fillinger.net>

Joshua Rogers sent in a bug report generated with ZeroPath that the
tls-crypt-v2 client key is loaded before running the verify script. If
the verify script fails, the key is not zeroized.

While investigating this report, I found that free_tls_pre_decrypt_state
never zeroizes tls_wrap_tmp.original_wrap_keydata. So also when the
check is successful, key data will remain in memory when it is no longer
needed.

This commit moves the tls-crypt-v2-verify check before loading the key.
If it fails, original_wrap_keydata is zeroized. Also, in
free_tls_pre_decrypt_state, if a key has been loaded,
original_wrap_keydata is zeroized.

Reported-By: Joshua Rogers <contact@joshua.hu>
Found-By: Zeropath

Change-Id: Icfcbf8ee20c1c0016eb98b570f24b9325b157c5c
Signed-off-by: Max Fillinger <max@max-fillinger.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1315
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1315
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe <arne-openvpn@rfc2549.org>

diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c
index 825719c..d7f7ac3 100644
--- a/src/openvpn/ssl_pkt.c
+++ b/src/openvpn/ssl_pkt.c
@@ -280,6 +280,7 @@
     if (state->tls_wrap_tmp.cleanup_key_ctx)
     {
         free_key_ctx_bi(&state->tls_wrap_tmp.opt.key_ctx_bi);
+        secure_memzero(&state->tls_wrap_tmp.original_wrap_keydata, sizeof(state->tls_wrap_tmp.original_wrap_keydata));
     }
 }
 
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 51b4eb3..a808de3 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -642,6 +642,12 @@
         return false;
     }
 
+    if (opt && opt->tls_crypt_v2_verify_script && !tls_crypt_v2_verify_metadata(ctx, opt))
+    {
+        secure_memzero(&ctx->original_wrap_keydata, sizeof(ctx->original_wrap_keydata));
+        return false;
+    }
+
     /* Load the decrypted key */
     ctx->mode = TLS_WRAP_CRYPT;
     ctx->cleanup_key_ctx = true;
@@ -652,11 +658,6 @@
     /* Remove client key from buffer so tls-crypt code can unwrap message */
     ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))));
 
-    if (opt && opt->tls_crypt_v2_verify_script)
-    {
-        return tls_crypt_v2_verify_metadata(ctx, opt);
-    }
-
     return true;
 }