Re: [Openvpn-devel] [PATCH] Always clear username/password from memory on error

2017-05-09 Thread Steffan Karger
On 09-05-17 19:47, David Sommerseth wrote:
> On 09/05/17 12:50, Steffan Karger wrote:
>> This issue was found by Quarkslab during the OSTIF-founded security audit
>> (issue 5.4), we agree with their analysis:
>>
>> "There’s a special case where the client username and password are not
>> erased whe

Re: [Openvpn-devel] [PATCH] Always clear username/password from memory on error

2017-05-09 Thread David Sommerseth
On 09/05/17 20:08, Selva Nair wrote:
> Hi,
>
> On Tue, May 9, 2017 at 1:47 PM, David Sommerseth
> > wrote:
>
> That said, I think we should fix secure_memzero() to just return if the
> input pointer is NULL. And even though most compilers do ini

Re: [Openvpn-devel] [PATCH] Always clear username/password from memory on error

2017-05-09 Thread Selva Nair
Hi,

On Tue, May 9, 2017 at 1:47 PM, David Sommerseth wrote:
> That said, I think we should fix secure_memzero() to just return if the
> input pointer is NULL. And even though most compilers do initialize
> variables, I think it's good to be defensive here and initialize `up` too.
>

No, compile

Re: [Openvpn-devel] [PATCH] Always clear username/password from memory on error

2017-05-09 Thread David Sommerseth
On 09/05/17 12:50, Steffan Karger wrote:
> This issue was found by Quarkslab during the OSTIF-founded security audit
> (issue 5.4), we agree with their analysis:
>
> "There’s a special case where the client username and password are not
> erased when the server is launched without an external scri

[Openvpn-devel] [PATCH] Always clear username/password from memory on error

2017-05-09 Thread Steffan Karger
This issue was found by Quarkslab during the OSTIF-founded security audit (issue 5.4), we agree with their analysis:

"There’s a special case where the client username and password are not erased when the server is launched without an external script or authentication plugin. While being invalid, t