auth-token: Ensure tokens are always wiped on de-auth

If tls_deauthenticate() was called, it could in some scenarios leave the authentication token for a session in memory. This change just ensures auth-tokens are always wiped as soon as a TLS session is considered broken. Signed-off-by: David Sommerseth <davids@openvpn.net> Acked-by: Steffan Karger <steffan@karger.me> Message-Id: <20170328205346.18844-1-davids@openvpn.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14344.html Signed-off-by: David Sommerseth <davids@openvpn.net>
2026-06-08 16:35:26 -04:00 · 2017-03-28 22:53:46 +02:00 · 2017-03-28 22:53:46 +02:00 · daab0a9fa8
commit daab0a9fa8
parent 363af65178
1 changed files with 27 additions and 20 deletions
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@ -80,6 +80,28 @@ setenv_untrusted(struct tls_session *session)
    setenv_link_socket_actual(session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);
 }

+
+/**
+ *  Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
+ *
+ *  @param multi  Pointer to a multi object holding the auth_token variables
+ */
+static void
+wipe_auth_token(struct tls_multi *multi)
+{
+    if(multi)
+    {
+        if (multi->auth_token)
+        {
+            secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
+            free(multi->auth_token);
+        }
+        multi->auth_token = NULL;
+        multi->auth_token_sent = false;
+    }
+}
+
+
 /*
 * Remove authenticated state from all sessions in the given tunnel
 */
@ -88,10 +110,10 @@ tls_deauthenticate(struct tls_multi *multi)
 {
    if (multi)
    {
-        int i, j;
-        for (i = 0; i < TM_SIZE; ++i)
+        wipe_auth_token(multi);
+        for (int i = 0; i < TM_SIZE; ++i)
        {
-            for (j = 0; j < KS_SIZE; ++j)
+            for (int j = 0; j < KS_SIZE; ++j)
            {
                multi->session[i].key[j].authenticated = false;
            }
@ -1219,21 +1241,6 @@ verify_user_pass_management(struct tls_session *session, const struct user_pass
 }
 #endif /* ifdef MANAGEMENT_DEF_AUTH */

-/**
- *  Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
- *
- *  @param multi  Pointer to a multi object holding the auth_token variables
- */
-static void
-wipe_auth_token(struct tls_multi *multi)
-{
-    secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
-    free(multi->auth_token);
-    multi->auth_token = NULL;
-    multi->auth_token_sent = false;
-}
-
-
 /*
 * Main username/password verification entry point
 */
@ -1285,7 +1292,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
        /* Ensure that the username has not changed */
        if (!tls_lock_username(multi, up->username))
        {
-            wipe_auth_token(multi);
+            /* auth-token cleared in tls_lock_username() on failure */
            ks->authenticated = false;
            goto done;
        }
@ -1306,7 +1313,6 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
        if (memcmp_constant_time(multi->auth_token, up->password,
                                 strlen(multi->auth_token)) != 0)
        {
-            wipe_auth_token(multi);
            ks->authenticated = false;
            tls_deauthenticate(multi);

@ -1478,6 +1484,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
        if (!cn || !strcmp(cn, CCD_DEFAULT) || !test_file(path))
        {
            ks->authenticated = false;
+            wipe_auth_token(multi);
            msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
                session->common_name,
                path ? path : "UNDEF");