From 87c2fd4310e5b345102d7a4915dc5e3a65052305 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sun, 14 Oct 2018 22:51:08 +0200 Subject: Revert "Merge branch 'stretch' of ssh://git.debian.org/git/collab-maint/openvpn into stretch" This reverts commit 3804bc2606a92e2f2f4b3a2b043af0d77d92b386, reversing changes made to 678cfd249add7ca758e4c41933c7b730132c99f4. --- src/openvpn/ssl_verify.c | 51 +++++++++++++++++++----------------------------- 1 file changed, 20 insertions(+), 31 deletions(-) (limited to 'src/openvpn/ssl_verify.c') diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index c553484..334eb29 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -80,28 +80,6 @@ setenv_untrusted(struct tls_session *session) setenv_link_socket_actual(session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT); } - -/** - * Wipes the authentication token out of the memory, frees and cleans up related buffers and flags - * - * @param multi Pointer to a multi object holding the auth_token variables - */ -static void -wipe_auth_token(struct tls_multi *multi) -{ - if(multi) - { - if (multi->auth_token) - { - secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE); - free(multi->auth_token); - } - multi->auth_token = NULL; - multi->auth_token_sent = false; - } -} - - /* * Remove authenticated state from all sessions in the given tunnel */ @@ -110,14 +88,10 @@ tls_deauthenticate(struct tls_multi *multi) { if (multi) { - wipe_auth_token(multi); - for (int i = 0; i < TM_SIZE; ++i) - { - for (int j = 0; j < KS_SIZE; ++j) - { + int i, j; + for (i = 0; i < TM_SIZE; ++i) + for (j = 0; j < KS_SIZE; ++j) multi->session[i].key[j].authenticated = false; - } - } } } @@ -1239,6 +1213,21 @@ verify_user_pass_management(struct tls_session *session, const struct user_pass } #endif /* ifdef MANAGEMENT_DEF_AUTH */ +/** + * Wipes the authentication token out of the memory, frees and cleans up related buffers and flags + * + * @param multi Pointer to a multi object holding the auth_token variables + */ +static void +wipe_auth_token(struct tls_multi *multi) +{ + secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE); + free(multi->auth_token); + multi->auth_token = NULL; + multi->auth_token_sent = false; +} + + /* * Main username/password verification entry point */ @@ -1290,7 +1279,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, /* Ensure that the username has not changed */ if (!tls_lock_username(multi, up->username)) { - /* auth-token cleared in tls_lock_username() on failure */ + wipe_auth_token(multi); ks->authenticated = false; goto done; } @@ -1311,6 +1300,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, if (memcmp_constant_time(multi->auth_token, up->password, strlen(multi->auth_token)) != 0) { + wipe_auth_token(multi); ks->authenticated = false; tls_deauthenticate(multi); @@ -1482,7 +1472,6 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) if (!cn || !strcmp(cn, CCD_DEFAULT) || !test_file(path)) { ks->authenticated = false; - wipe_auth_token(multi); msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'", session->common_name, path ? path : "UNDEF"); -- cgit v1.2.3