backport: Ignore auth-nocache for auth-user-pass if auth-token is pushed

This is a backport to release/2.3 of the following commit:

commit 571165360db0392fa83ec8e6f8de145f623c53fe
Author: Antonio Quartulli <a@unstable.cc>
Date:   Sat Feb 25 08:40:14 2017 +0800

    When the auth-token option is pushed from the server to the client,
    the latter has to ignore the auth-nocache directive (if specified).

    The password will now be substituted by the unique token, therefore
    it can't be wiped out, otherwise the next renegotiation will fail.

    Trac: #840
    Cc: David Sommerseth <openvpn@sf.lists.topphemmelig.net>
    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20170225004014.28638-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14194.html
    Signed-off-by: David Sommerseth <davids@openvpn.net>
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-By: Arne Schwabe <arne@rfc2549.org>
Message-Id: <f7ac719e-0b28-4c4d-5e8a-2932827789b6@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14201.html
Signed-off-by: David Sommerseth <davids@openvpn.net>

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 42380b7826f718338d40f54a69415c7d0002d093..ae1f65da2044450a19a38dbc24022631d3b5476e 100644 (file)
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1253,6 +1253,18 @@ initialization_sequence_completed (struct context *c, const unsigned int flags)
   /* If we delayed UID/GID downgrade or chroot, do it now */
   do_uid_gid_chroot (c, true);
 
+  /*
+   * In some cases (i.e. when receiving auth-token via
+   * push-reply) the auth-nocache option configured on the
+   * client is overridden; for this reason we have to wait
+   * for the push-reply message before attempting to wipe
+   * the user/pass entered by the user
+   */
+   if (c->options.mode == MODE_POINT_TO_POINT)
+     {
+       delayed_auth_pass_purge();
+     }
+
   /* Test if errors */
   if (flags & ISC_ERRORS)
     {

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index dc650c66bd5be1efe62b2dda85544a49bf9155e9..c0bef5a0da9ccd7371fba6801921420045a47dbc 100644 (file)
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -1343,7 +1343,11 @@ purge_user_pass (struct user_pass *up, const bool force)
       secure_memzero (up, sizeof(*up));
       up->nocache = nocache;
     }
-  else if (!warn_shown)
+  /*
+   * don't show warning if the pass has been replaced by a token: this is an
+   * artificial "auth-nocache"
+   */
+  else if (!warn_shown && (!up->tokenized))
     {
       msg (M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this");
       warn_shown = true;
@@ -1357,6 +1361,7 @@ set_auth_token (struct user_pass *up, const char *token)
     {
       CLEAR (up->password);
       strncpynt (up->password, token, USER_PASS_LEN);
+      up->tokenized = true;
     }
 }
 

diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 2fc281d973f8924c9996ea7195e0ce507d11abb8..43d6b6cf5a6bb8bfee916455ad23d88a2de887c3 100644 (file)
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -196,6 +196,8 @@ struct user_pass
 {
   bool defined;
   bool nocache;
+  bool tokenized; /* true if password has been substituted by a token */
+  bool wait_for_push; /* true if this object is waiting for a push-reply */
 
 /* max length of username/password */
 # ifdef ENABLE_PKCS11

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index e704b73e0b23069f34dc72df029414c74e37a46e..d25edfc08127d1b92f822c9306c0991b2cd44a6c 100644 (file)
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -430,6 +430,8 @@ ssl_set_auth_nocache (void)
 {
   passbuf.nocache = true;
   auth_user_pass.nocache = true;
+  /* wait for push-reply, because auth-token may invert nocache */
+  auth_user_pass.wait_for_push = true;
 }
 
 /*
@@ -438,6 +440,13 @@ ssl_set_auth_nocache (void)
 void
 ssl_set_auth_token (const char *token)
 {
+  if (auth_user_pass.nocache)
+    {
+      msg(M_INFO,
+          "auth-token received, disabling auth-nocache for the "
+          "authentication token");
+      auth_user_pass.nocache = false;
+    }
   set_auth_token (&auth_user_pass, token);
 }
 
@@ -1941,7 +1950,21 @@ key_method_2_write (struct buffer *buf, struct tls_session *session)
        goto error;
       if (!write_string (buf, auth_user_pass.password, -1))
        goto error;
-      purge_user_pass (&auth_user_pass, false);
+      /* if auth-nocache was specified, the auth_user_pass object reaches
+       * a "complete" state only after having received the push-reply
+       * message.
+       * This is the case because auth-token statement in a push-reply would
+       * invert its nocache.
+       *
+       * For this reason, skip the purge operation here if no push-reply
+       * message has been received yet.
+       *
+       * This normally happens upon first negotiation only.
+       */
+      if (!auth_user_pass.wait_for_push)
+        {
+          purge_user_pass(&auth_user_pass, false);
+        }
     }
   else
     {
@@ -3622,6 +3645,13 @@ done:
   return BSTR (&out);
 }
 
+void
+delayed_auth_pass_purge(void)
+{
+    auth_user_pass.wait_for_push = false;
+    purge_user_pass(&auth_user_pass, false);
+}
+
 #else
 static void dummy(void) {}
 #endif /* ENABLE_CRYPTO && ENABLE_SSL*/

diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index c3d32c71cfade1c1ac40716eb8865778c7d48c83..136ad75c41077b1c5de21d551cb42d6a59ca3388 100644 (file)
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -503,6 +503,8 @@ void show_tls_performance_stats(void);
 /*#define EXTRACT_X509_FIELD_TEST*/
 void extract_x509_field_test (void);
 
+void delayed_auth_pass_purge(void);
+
 #endif /* ENABLE_CRYPTO && ENABLE_SSL */
 
 #endif