On Fri, May 5, 2017 at 3:01 PM, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:

> On 05/05/17 20:28, Gert Doering wrote:
> > Hi,
> >
> > On Fri, May 05, 2017 at 02:24:01PM -0400, selva.n...@gmail.com wrote:
> >> From: Selva Nair <selva.n...@gmail.com>
> >>
> >> This adds a minimal secure_memzero()
> >>
> >> Signed-off-by: Selva Nair <selva.n...@gmail.com>
> >
> > Feature-ACK, Code-NAK, but just because David is planning to export
> > secure_memzero() to plugins from OpenVPN proper - mentioned just today
> > on IRC
> >
> > 17:09 <@dazo> syzzer: just thinking aloud (remembered our discussion on wiping
> >               passwords securely in plug-ins) ... what do you think about
> >               exposing secure_memzero() to plug-ins, similar to what we do with
> >               plugin_{log,vlog}()?
> > 17:09 <@dazo> to avoid each plug-in needing to re-implement this
> > 17:09 <@syzzer> yeah, sounds useful
> > 17:10 <@dazo> I'll send a patch doing that too (should be quick to solve)
> >
> >
> > So I'd postpone this until David's patch plus instructions for plugin
> > authors show up.
> >
> > Good timing :-)
>
> Indeed :)
>

Good to know. This happened to be a dependency for the second patch I sent
(parsing static challenge in auth-pam).


>
> So the patch exporting secure_memzero() is on the way to the mailing
> list now.
>
> To use this, you need to switch the openvpn_plugin_open_v1() to
> openvpn_plugin_open_v3().  The API on this function is quite different,
> but you shouldn't need to tweak too much.  All the pointers are
> available in the new struct pointers the _v3 function uses.
>
> Then you basically can declare a global variable like this:
>
>   plugin_secure_memzero_t ovpn_secure_memzero = NULL;


OK, I'll change this to use v3.

For the static-challenge patch I call openvpn_base64_decode() by compiling
base64.c into the plugin. Instead, can we also get base64_encode/decode
available as callbacks?

Selva
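
The global callback pointer discussed in this thread, shown with a local fallback for when the host has not supplied one. This is an added example, not code from the thread or from OpenVPN. The typedef's signature is an assumption standing in for the real header, and `fallback_secure_memzero`, `plugin_wipe`, `fake_host_memzero` and `residue_after_wipe` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed signature; a real plugin takes this type from openvpn-plugin.h. */
typedef void (*plugin_secure_memzero_t)(void *data, size_t len);
/* Global from the quoted message: NULL until the host supplies a pointer. */
plugin_secure_memzero_t ovpn_secure_memzero = NULL;

/* Hypothetical fallback: volatile stores are not elided like a dead memset(). */
static void fallback_secure_memzero(void *data, size_t len)
{
    volatile unsigned char *p = data;
    while (len--)
        *p++ = 0;
}

/* Hypothetical helper: use the host's routine when set, else the fallback. */
void plugin_wipe(void *data, size_t len)
{
    plugin_secure_memzero_t wipe =
        ovpn_secure_memzero ? ovpn_secure_memzero : fallback_secure_memzero;
    if (data != NULL && len > 0)
        wipe(data, len);
}

/* Constructed stand-in for the host's routine, counting its calls. */
int host_calls = 0;
void fake_host_memzero(void *data, size_t len)
{
    host_calls++;
    fallback_secure_memzero(data, len);
}

/* Copies a constructed secret into a buffer, wipes it, counts bytes left. */
size_t residue_after_wipe(const char *secret)
{
    char buf[64];
    size_t left = 0, i;
    snprintf(buf, sizeof(buf), "%s", secret);
    plugin_wipe(buf, sizeof(buf));
    for (i = 0; i < sizeof(buf); i++)
        left += (buf[i] != 0);
    return left;
}
int main(void)
{
    printf("residue after wipe: %zu\n", residue_after_wipe("constructed-pw"));
    return 0;
}
```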