git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Selva Nair <selva.nair@gmail.com>
	Fri, 6 Sep 2024 11:29:08 +0000 (13:29 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Sun, 8 Sep 2024 13:10:32 +0000 (15:10 +0200)
commit	12a9c357b6a7b55bea929eb5d9669e6386ab0d0e
tree	568e3e1fbaa066e15397bbd511800579e0c3ac79	tree \| snapshot
parent	dbe7e456954bf001420c4552c2b6e184ec6e068c	commit \| diff

Protect cached username, password and token on client

Keep the memory segment containing username and password in
"struct user_pass" encrypted. Works only on Windows.

Username and auth-token cached by the server are not covered
here.

v2: Encrypt username and password separately as it looks more
robust. We continue to depend on the username and password buffer
sizes to be a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE = 16,
which is the case now. An error is logged if this is not the case.

v3: move up ASSERT in auth_token.c

Change-Id: I42e17e09a02f01aedadc2b03f9527967f6e1e8ff
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906112908.1009-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29079.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

src/openvpn/auth_token.c		diff \| blob \| blame \| history
src/openvpn/misc.c		diff \| blob \| blame \| history
src/openvpn/misc.h		diff \| blob \| blame \| history
src/openvpn/proxy.c		diff \| blob \| blame \| history
src/openvpn/ssl.c		diff \| blob \| blame \| history
src/openvpn/ssl_verify.c		diff \| blob \| blame \| history
src/openvpn/win32.c		diff \| blob \| blame \| history
src/openvpn/win32.h		diff \| blob \| blame \| history
tests/unit_tests/openvpn/test_user_pass.c		diff \| blob \| blame \| history