On 25/02/17 10:19, Gert Doering wrote: > Hi, > > On Sat, Feb 25, 2017 at 08:40:14AM +0800, Antonio Quartulli wrote: >> When the auth-token option is pushed from the server to the client, >> the latter has to ignore the auth-nocache directive (if specified). >> >> The password will now be substituted by the unique token, therefore >> it can't be wiped out, otherwise the next renegotiation will fail. > > Without looking at the patch itself - is this suitable material for > inclusion in 2.3? We do have quite a few "slow adopters" - and this > is a very useful feature to mitigate SWEET32 in 2FA environments...
The code paths involved shouldn't be very differ too much between v2.3 and v2.4. So I would say this should go into v2.3 as well. Attached is a very preliminary (and only compile and 'make check' tested) patch of a backport to v2.3. This needs to get a thorough test as well before we'll send an official patch to this ML. Btw. since I have worked closely with Antonio on this patch, testing and debugging and discussing it for some time, I think it would be good if someone else than me does the final code review and ACK/NAK it. I'm not able to be objective on this patch. -- kind regards, David Sommerseth OpenVPN Technologies, Inc
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index dc63475..3603c36 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1253,6 +1253,18 @@ initialization_sequence_completed (struct context *c, const unsigned int flags)
/* If we delayed UID/GID downgrade or chroot, do it now */
do_uid_gid_chroot (c, true);
+ /*
+ * In some cases (i.e. when receiving auth-token via
+ * push-reply) the auth-nocache option configured on the
+ * client is overridden; for this reason we have to wait
+ * for the push-reply message before attempting to wipe
+ * the user/pass entered by the user
+ */
+ if (c->options.mode == MODE_POINT_TO_POINT)
+ {
+ delayed_auth_pass_purge();
+ }
+
/* Test if errors */
if (flags & ISC_ERRORS)
{
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 39aa936..546d87b 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -1343,7 +1343,11 @@ purge_user_pass (struct user_pass *up, const bool force)
CLEAR (*up);
up->nocache = nocache;
}
- else if (!warn_shown)
+ /*
+ * don't show warning if the pass has been replaced by a token: this is an
+ * artificial "auth-nocache"
+ */
+ else if (!warn_shown && (!up->tokenized))
{
msg (M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this");
warn_shown = true;
@@ -1357,6 +1361,7 @@ set_auth_token (struct user_pass *up, const char *token)
{
CLEAR (up->password);
strncpynt (up->password, token, USER_PASS_LEN);
+ up->tokenized = true;
}
}
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 2fc281d..43d6b6c 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -196,6 +196,8 @@ struct user_pass
{
bool defined;
bool nocache;
+ bool tokenized; /* true if password has been substituted by a token */
+ bool wait_for_push; /* true if this object is waiting for a push-reply */
/* max length of username/password */
# ifdef ENABLE_PKCS11
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 32d0b6b..831b003 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -430,6 +430,8 @@ ssl_set_auth_nocache (void)
{
passbuf.nocache = true;
auth_user_pass.nocache = true;
+ /* wait for push-reply, because auth-token may invert nocache */
+ auth_user_pass.wait_for_push = true;
}
/*
@@ -438,6 +440,13 @@ ssl_set_auth_nocache (void)
void
ssl_set_auth_token (const char *token)
{
+ if (auth_user_pass.nocache)
+ {
+ msg(M_INFO,
+ "auth-token received, disabling auth-nocache for the "
+ "authentication token");
+ auth_user_pass.nocache = false;
+ }
set_auth_token (&auth_user_pass, token);
}
@@ -1944,7 +1953,21 @@ key_method_2_write (struct buffer *buf, struct tls_session *session)
goto error;
if (!write_string (buf, auth_user_pass.password, -1))
goto error;
- purge_user_pass (&auth_user_pass, false);
+ /* if auth-nocache was specified, the auth_user_pass object reaches
+ * a "complete" state only after having received the push-reply
+ * message.
+ * This is the case because auth-token statement in a push-reply would
+ * invert its nocache.
+ *
+ * For this reason, skip the purge operation here if no push-reply
+ * message has been received yet.
+ *
+ * This normally happens upon first negotiation only.
+ */
+ if (!auth_user_pass.wait_for_push)
+ {
+ purge_user_pass(&auth_user_pass, false);
+ }
}
else
{
@@ -3620,6 +3643,13 @@ done:
return BSTR (&out);
}
+void
+delayed_auth_pass_purge(void)
+{
+ auth_user_pass.wait_for_push = false;
+ purge_user_pass(&auth_user_pass, false);
+}
+
#else
static void dummy(void) {}
#endif /* ENABLE_CRYPTO && ENABLE_SSL*/
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index c3d32c7..136ad75 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -503,6 +503,8 @@ void show_tls_performance_stats(void);
/*#define EXTRACT_X509_FIELD_TEST*/
void extract_x509_field_test (void);
+void delayed_auth_pass_purge(void);
+
#endif /* ENABLE_CRYPTO && ENABLE_SSL */
#endif
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
