On 05/05/17 20:28, Gert Doering wrote: > Hi, > > On Fri, May 05, 2017 at 02:24:01PM -0400, [email protected] wrote: >> From: Selva Nair <[email protected]> >> >> This adds a minimal secure_memzero() >> >> Signed-off-by: Selva Nair <[email protected]> > > Feature-ACK, Code-NAK, but just because David is planning to export > secure_memzero() to plugins from OpenVPN proper - mentioned just today > on IRC > > 17:09 <@dazo> syzzer: just thinking aloud (remembered our discussion on > wiping > passwords securely in plug-ins) ... what do you think about > exposing secure_memzero() to plug-ins, similar to what we do > with > plugin_{log,vlog}()? > 17:09 <@dazo> to avoid each plug-in needing to re-implement this > 17:09 <@syzzer> yeah, sounds useful > 17:10 <@dazo> I'll send a patch doing that too (should be quick to solve) > > > So I'd postpone this until David's patch plus instructions for plugin > authors show up. > > Good timing :-)
Indeed :)
So the patch exporting secure_memzero() is on the way to the mailing
list now.
To use this, you need to switch the openvpn_plugin_open_v1() to
openvpn_plugin_open_v3(). The API on this function is quite different,
but you shouldn't need to tweak too much. All the pointers are
available in the new struct pointers the _v3 function uses.
Then you basically can declare a global variable like this:
plugin_secure_memzero_t ovpn_secure_memzero = NULL;
And in the the openvpn_plugin_open_v3() function, you should add an API
check:
if (v3structver < 4)
{
/* printf() some noise to the log */
return OPENVPN_PLUGIN_FUNC_ERROR;
}
This ensures that the OpenVPN version is new enough to export the
secure_memzero() function.
Then you just assign the ovpn_secure_memzero pointer:
/* Hook into exported plug-in functions */
ovpn_secure_memzero = args->callbacks->plugin_secure_memzero;
From this point of, you can now do:
ovpn_secure_memzero(buf, strlen(buf));
There exists much more features in the _v3 API, such as improved log
functions (plugin_log() and plugin_vlog()). Which might be interesting
to move over to as well. The approach is identical to what I've
described here.
There exists also a _v3 version of openvpn_plugin_func_v1() auth-pam
implements. That should not need to be changed at all; all the API
versions uses the same pointers the buffers under the hood in OpenVPN.
--
kind regards,
David Sommerseth
OpenVPN Technologies, Inc
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
