Refresh patches for 2.4.3

author: Alberto Gonzalez Iniesta <agi@inittab.org> 2017-06-22 13:19:58 +0200
committer: Alberto Gonzalez Iniesta <agi@inittab.org> 2017-06-22 13:19:58 +0200
commit: 3505b0888ab94c90468bd6f41f82770d46677342 (patch)
tree: a937d2b6832d4291b181bd1f89da3c148c254ae0 /debian/patches/wipe_tokens_on_de-auth.patch
parent: 766cdd4b4d1fcb31addf6727dbcfd3d99e390456 (diff)
1 files changed, 0 insertions, 118 deletions
diff --git a/debian/patches/wipe_tokens_on_de-auth.patch b/debian/patches/wipe_tokens_on_de-auth.patch
deleted file mode 100644
index 8db560f..0000000
--- a/debian/patches/wipe_tokens_on_de-auth.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From daab0a9fa8ff4f40e8a34707db0ac156d49fbfcb Mon Sep 17 00:00:00 2001
-From: David Sommerseth <davids@openvpn.net>
-Date: Tue, 28 Mar 2017 22:53:46 +0200
-Subject: [PATCH] auth-token: Ensure tokens are always wiped on de-auth
-
-If tls_deauthenticate() was called, it could in some scenarios leave the
-authentication token for a session in memory.  This change just ensures
-auth-tokens are always wiped as soon as a TLS session is considered
-broken.
-
-Signed-off-by: David Sommerseth <davids@openvpn.net>
-
-Acked-by: Steffan Karger <steffan@karger.me>
-Message-Id: <20170328205346.18844-1-davids@openvpn.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14344.html
-Signed-off-by: David Sommerseth <davids@openvpn.net>
----
- src/openvpn/ssl_verify.c | 47 +++++++++++++++++++++++++++--------------------
- 1 file changed, 27 insertions(+), 20 deletions(-)
-
-Index: openvpn-2.4.0/src/openvpn/ssl_verify.c
-===================================================================
---- openvpn-2.4.0.orig/src/openvpn/ssl_verify.c
-+++ openvpn-2.4.0/src/openvpn/ssl_verify.c
-@@ -80,6 +80,28 @@ setenv_untrusted(struct tls_session *ses
-     setenv_link_socket_actual(session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);
- }
- 
-+
-+/**
-+ *  Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
-+ *
-+ *  @param multi  Pointer to a multi object holding the auth_token variables
-+ */
-+static void
-+wipe_auth_token(struct tls_multi *multi)
-+{
-+    if(multi)
-+    {
-+        if (multi->auth_token)
-+        {
-+            secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
-+            free(multi->auth_token);
-+        }
-+        multi->auth_token = NULL;
-+        multi->auth_token_sent = false;
-+    }
-+}
-+
-+
- /*
-  * Remove authenticated state from all sessions in the given tunnel
-  */
-@@ -88,10 +110,14 @@ tls_deauthenticate(struct tls_multi *mul
- {
-     if (multi)
-     {
--        int i, j;
--        for (i = 0; i < TM_SIZE; ++i)
--            for (j = 0; j < KS_SIZE; ++j)
-+        wipe_auth_token(multi);
-+        for (int i = 0; i < TM_SIZE; ++i)
-+        {
-+            for (int j = 0; j < KS_SIZE; ++j)
-+            {
-                 multi->session[i].key[j].authenticated = false;
-+            }
-+        }
-     }
- }
- 
-@@ -1213,21 +1239,6 @@ verify_user_pass_management(struct tls_s
- }
- #endif /* ifdef MANAGEMENT_DEF_AUTH */
- 
--/**
-- *  Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
-- *
-- *  @param multi  Pointer to a multi object holding the auth_token variables
-- */
--static void
--wipe_auth_token(struct tls_multi *multi)
--{
--    secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
--    free(multi->auth_token);
--    multi->auth_token = NULL;
--    multi->auth_token_sent = false;
--}
--
--
- /*
-  * Main username/password verification entry point
-  */
-@@ -1279,7 +1290,7 @@ verify_user_pass(struct user_pass *up, s
-         /* Ensure that the username has not changed */
-         if (!tls_lock_username(multi, up->username))
-         {
--            wipe_auth_token(multi);
-+            /* auth-token cleared in tls_lock_username() on failure */
-             ks->authenticated = false;
-             goto done;
-         }
-@@ -1300,7 +1311,6 @@ verify_user_pass(struct user_pass *up, s
-         if (memcmp_constant_time(multi->auth_token, up->password,
-                                  strlen(multi->auth_token)) != 0)
-         {
--            wipe_auth_token(multi);
-             ks->authenticated = false;
-             tls_deauthenticate(multi);
- 
-@@ -1472,6 +1482,7 @@ verify_final_auth_checks(struct tls_mult
-         if (!cn || !strcmp(cn, CCD_DEFAULT) || !test_file(path))
-         {
-             ks->authenticated = false;
-+            wipe_auth_token(multi);
-             msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
-                 session->common_name,
-                 path ? path : "UNDEF");
author	Alberto Gonzalez Iniesta <agi@inittab.org>	2017-06-22 13:19:58 +0200
committer	Alberto Gonzalez Iniesta <agi@inittab.org>	2017-06-22 13:19:58 +0200
commit	3505b0888ab94c90468bd6f41f82770d46677342 (patch)
tree	a937d2b6832d4291b181bd1f89da3c148c254ae0 /debian/patches/wipe_tokens_on_de-auth.patch
parent	766cdd4b4d1fcb31addf6727dbcfd3d99e390456 (diff)