git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Selva Nair <selva.nair@gmail.com>
	Fri, 6 Sep 2024 11:29:08 +0000 (13:29 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Sun, 8 Sep 2024 16:17:48 +0000 (18:17 +0200)
commit	9e1598de43383ac655fd71bd34021026ac105f23
tree	ad00451ccfe88fc2684fa4815fac951300c8f600	tree \| snapshot
parent	534609a2a7f0dcd56c8eab764c9c9c99834dcc6f	commit \| diff

Protect cached username, password and token on client

Keep the memory segment containing username and password in
"struct user_pass" encrypted. Works only on Windows.

Username and auth-token cached by the server are not covered
here.

v2: Encrypt username and password separately as it looks more
robust. We continue to depend on the username and password buffer
sizes to be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE = 16,
which is the case now. An error is logged if this is not the case.

v3: move up ASSERT in auth_token.c

Change-Id: I42e17e09a02f01aedadc2b03f9527967f6e1e8ff
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906112908.1009-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29079.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 12a9c357b6a7b55bea929eb5d9669e6386ab0d0e)

src/openvpn/auth_token.c		diff \| blob \| blame \| history
src/openvpn/misc.c		diff \| blob \| blame \| history
src/openvpn/misc.h		diff \| blob \| blame \| history
src/openvpn/proxy.c		diff \| blob \| blame \| history
src/openvpn/ssl.c		diff \| blob \| blame \| history
src/openvpn/ssl_verify.c		diff \| blob \| blame \| history
src/openvpn/win32.c		diff \| blob \| blame \| history
src/openvpn/win32.h		diff \| blob \| blame \| history