mirror/openvpn
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-20 03:52:28 +02:00
Code

Purge auth-token as well while purging passwords

Browse Source 
Starting from commit e61b401a auth-token is saved in a separate struct
from auth-user-pass and is not cleared when ssl_purge_auth() is called.
This makes "forget-passwords" sent to the management
interface or "--management-forget-disconnect" option not to work
as expected.

Purging caused by --auth-nocache is not affected
(auth-token is retained in that case as it should be).

Use case:
For Pre-Logon access and persistent connections on Windows, use of
"forget-passwords" before disconnect is probably the only way to
ensure that no credentials are left behind. Note that openvpn.exe
continues to run after disconnect in these cases.

Also, the original intent of "forget-passwords" appears to be to
clear all "passwords" that can be used to reconnect.

v2:
- call ssl_clean_auth_token() directly from manage.c instead
  of amending ssl_purge_auth()
- Add a comment that ssl_purge_auth() does not clear auth-token

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221026185543.5378-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25460.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Selva Nair 2022-10-26 14:55:43 -04:00 committed by Gert Doering
parent 3a4fb17d10
commit ecad4839ca
2 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/openvpn/manage.c
View File

@ -762,6 +762,7 @@ static void
man_forget_passwords(struct management *man)
{
ssl_purge_auth(false);
(void)ssl_clean_auth_token();
msg(M_CLIENT, "SUCCESS: Passwords were forgotten");
}
@ -1922,6 +1923,7 @@ man_reset_client_socket(struct management *man, const bool exiting)
if (man->settings.flags & MF_FORGET_DISCONNECT)
{
ssl_purge_auth(false);
(void)ssl_clean_auth_token();
}
if (man->settings.flags & MF_SIGNAL)

1
src/openvpn/ssl.h
View File

@ -390,6 +390,7 @@ void ssl_set_auth_nocache(void);
/*
* Purge any stored authentication information, both for key files and tunnel
* authentication. If PCKS #11 is enabled, purge authentication for that too.
* Note that auth_token is not cleared.
*/
void ssl_purge_auth(const bool auth_user_pass_only);