On 05/05/17 20:28, Gert Doering wrote:
> Hi,
>
> On Fri, May 05, 2017 at 02:24:01PM -0400, selva.n...@gmail.com wrote:
>> From: Selva Nair <selva.n...@gmail.com>
>>
>> This adds a minimal secure_memzero()
>>
>> Signed-off-by: Selva Nair <selva.n...@gmail.com>
>
> Feature-ACK, Code-NAK, but just because David is planning to export
> secure_memzero() to plugins from OpenVPN proper - mentioned just today
> on IRC
>
> 17:09 <@dazo> syzzer: just thinking aloud (remembered our discussion on
> wiping
> passwords securely in plug-ins) ... what do you think about
> exposing secure_memzero() to plug-ins, similar to what we do
> with
> plugin_{log,vlog}()?
> 17:09 <@dazo> to avoid each plug-in needing to re-implement this
> 17:09 <@syzzer> yeah, sounds useful
> 17:10 <@dazo> I'll send a patch doing that too (should be quick to solve)
>
>
> So I'd postpone this until David's patch plus instructions for plugin
> authors show up.
>
> Good timing :-)
Indeed :)
So the patch exporting secure_memzero() is on the way to the mailing
list now.
To use this, you need to switch the openvpn_plugin_open_v1() to
openvpn_plugin_open_v3(). The API on this function is quite different,
but you shouldn't need to tweak too much. All the pointers are
available in the new struct pointers the _v3 function uses.
Then you basically can declare a global variable like this:
plugin_secure_memzero_t ovpn_secure_memzero = NULL;
And in the the openvpn_plugin_open_v3() function, you should add an API
check:
if (v3structver < 4)
{
/* printf() some noise to the log */
return OPENVPN_PLUGIN_FUNC_ERROR;
}
This ensures that the OpenVPN version is new enough to export the
secure_memzero() function.
Then you just assign the ovpn_secure_memzero pointer:
/* Hook into exported plug-in functions */
ovpn_secure_memzero = args->callbacks->plugin_secure_memzero;
From this point of, you can now do:
ovpn_secure_memzero(buf, strlen(buf));
There exists much more features in the _v3 API, such as improved log
functions (plugin_log() and plugin_vlog()). Which might be interesting
to move over to as well. The approach is identical to what I've
described here.
There exists also a _v3 version of openvpn_plugin_func_v1() auth-pam
implements. That should not need to be changed at all; all the API
versions uses the same pointers the buffers under the hood in OpenVPN.
--
kind regards,
David Sommerseth
OpenVPN Technologies, Inc
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
