1 files changed, 20 insertions, 31 deletions

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index c553484..334eb29 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -80,28 +80,6 @@ setenv_untrusted(struct tls_session *session)
     setenv_link_socket_actual(session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);
 }
 
-
-/**
- *  Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
- *
- *  @param multi  Pointer to a multi object holding the auth_token variables
- */
-static void
-wipe_auth_token(struct tls_multi *multi)
-{
-    if(multi)
-    {
-        if (multi->auth_token)
-        {
-            secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
-            free(multi->auth_token);
-        }
-        multi->auth_token = NULL;
-        multi->auth_token_sent = false;
-    }
-}
-
-
 /*
  * Remove authenticated state from all sessions in the given tunnel
  */
@@ -110,14 +88,10 @@ tls_deauthenticate(struct tls_multi *multi)
 {
     if (multi)
     {
-        wipe_auth_token(multi);
-        for (int i = 0; i < TM_SIZE; ++i)
-        {
-            for (int j = 0; j < KS_SIZE; ++j)
-            {
+        int i, j;
+        for (i = 0; i < TM_SIZE; ++i)
+            for (j = 0; j < KS_SIZE; ++j)
                 multi->session[i].key[j].authenticated = false;
-            }
-        }
     }
 }
 
@@ -1239,6 +1213,21 @@ verify_user_pass_management(struct tls_session *session, const struct user_pass
 }
 #endif /* ifdef MANAGEMENT_DEF_AUTH */
 
+/**
+ *  Wipes the authentication token out of the memory, frees and cleans up related buffers and flags
+ *
+ *  @param multi  Pointer to a multi object holding the auth_token variables
+ */
+static void
+wipe_auth_token(struct tls_multi *multi)
+{
+    secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);
+    free(multi->auth_token);
+    multi->auth_token = NULL;
+    multi->auth_token_sent = false;
+}
+
+
 /*
  * Main username/password verification entry point
  */
@@ -1290,7 +1279,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
         /* Ensure that the username has not changed */
         if (!tls_lock_username(multi, up->username))
         {
-            /* auth-token cleared in tls_lock_username() on failure */
+            wipe_auth_token(multi);
             ks->authenticated = false;
             goto done;
         }
@@ -1311,6 +1300,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
         if (memcmp_constant_time(multi->auth_token, up->password,
                                  strlen(multi->auth_token)) != 0)
         {
+            wipe_auth_token(multi);
             ks->authenticated = false;
             tls_deauthenticate(multi);
 
@@ -1482,7 +1472,6 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
         if (!cn || !strcmp(cn, CCD_DEFAULT) || !test_file(path))
         {
             ks->authenticated = false;
-            wipe_auth_token(multi);
             msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
                 session->common_name,
                 path ? path : "UNDEF");