From: David Sommerseth <davids@openvpn.net>
Date: Sat, 25 Feb 2017 13:10:29 +0000 (+0100)
Subject: backport: Ignore auth-nocache for auth-user-pass if auth-token is pushed
X-Git-Tag: v2.3.17~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=199ef1321c77c43ca5151119bef65c7a3d8b716f;p=thirdparty%2Fopenvpn.git

backport: Ignore auth-nocache for auth-user-pass if auth-token is pushed

This is a backport to release/2.3 of the following commit:

commit 571165360db0392fa83ec8e6f8de145f623c53fe
Author: Antonio Quartulli <a@unstable.cc>
Date:   Sat Feb 25 08:40:14 2017 +0800

    When the auth-token option is pushed from the server to the client,
    the latter has to ignore the auth-nocache directive (if specified).

    The password will now be substituted by the unique token, therefore
    it can't be wiped out, otherwise the next renegotiation will fail.

    Trac: #840
    Cc: David Sommerseth <openvpn@sf.lists.topphemmelig.net>
    Signed-off-by: Antonio Quartulli <a@unstable.cc>
    Acked-by: Arne Schwabe <arne@rfc2549.org>
    Message-Id: <20170225004014.28638-1-a@unstable.cc>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14194.html
    Signed-off-by: David Sommerseth <davids@openvpn.net>

Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-By: Arne Schwabe <arne@rfc2549.org>
Message-Id: <f7ac719e-0b28-4c4d-5e8a-2932827789b6@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14201.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
---

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 42380b782..ae1f65da2 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1253,6 +1253,18 @@ initialization_sequence_completed (struct context *c, const unsigned int flags)
   /* If we delayed UID/GID downgrade or chroot, do it now */
   do_uid_gid_chroot (c, true);
 
+  /*
+   * In some cases (i.e. when receiving auth-token via
+   * push-reply) the auth-nocache option configured on the
+   * client is overridden; for this reason we have to wait
+   * for the push-reply message before attempting to wipe
+   * the user/pass entered by the user
+   */
+   if (c->options.mode == MODE_POINT_TO_POINT)
+     {
+       delayed_auth_pass_purge();
+     }
+
   /* Test if errors */
   if (flags & ISC_ERRORS)
     {
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index dc650c66b..c0bef5a0d 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -1343,7 +1343,11 @@ purge_user_pass (struct user_pass *up, const bool force)
       secure_memzero (up, sizeof(*up));
       up->nocache = nocache;
     }
-  else if (!warn_shown)
+  /*
+   * don't show warning if the pass has been replaced by a token: this is an
+   * artificial "auth-nocache"
+   */
+  else if (!warn_shown && (!up->tokenized))
     {
       msg (M_WARN, "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this");
       warn_shown = true;
@@ -1357,6 +1361,7 @@ set_auth_token (struct user_pass *up, const char *token)
     {
       CLEAR (up->password);
       strncpynt (up->password, token, USER_PASS_LEN);
+      up->tokenized = true;
     }
 }
 
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index 2fc281d97..43d6b6cf5 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -196,6 +196,8 @@ struct user_pass
 {
   bool defined;
   bool nocache;
+  bool tokenized; /* true if password has been substituted by a token */
+  bool wait_for_push; /* true if this object is waiting for a push-reply */
 
 /* max length of username/password */
 # ifdef ENABLE_PKCS11
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index e704b73e0..d25edfc08 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -430,6 +430,8 @@ ssl_set_auth_nocache (void)
 {
   passbuf.nocache = true;
   auth_user_pass.nocache = true;
+  /* wait for push-reply, because auth-token may invert nocache */
+  auth_user_pass.wait_for_push = true;
 }
 
 /*
@@ -438,6 +440,13 @@ ssl_set_auth_nocache (void)
 void
 ssl_set_auth_token (const char *token)
 {
+  if (auth_user_pass.nocache)
+    {
+      msg(M_INFO,
+          "auth-token received, disabling auth-nocache for the "
+          "authentication token");
+      auth_user_pass.nocache = false;
+    }
   set_auth_token (&auth_user_pass, token);
 }
 
@@ -1941,7 +1950,21 @@ key_method_2_write (struct buffer *buf, struct tls_session *session)
 	goto error;
       if (!write_string (buf, auth_user_pass.password, -1))
 	goto error;
-      purge_user_pass (&auth_user_pass, false);
+      /* if auth-nocache was specified, the auth_user_pass object reaches
+       * a "complete" state only after having received the push-reply
+       * message.
+       * This is the case because auth-token statement in a push-reply would
+       * invert its nocache.
+       *
+       * For this reason, skip the purge operation here if no push-reply
+       * message has been received yet.
+       *
+       * This normally happens upon first negotiation only.
+       */
+      if (!auth_user_pass.wait_for_push)
+        {
+          purge_user_pass(&auth_user_pass, false);
+        }
     }
   else
     {
@@ -3622,6 +3645,13 @@ done:
   return BSTR (&out);
 }
 
+void
+delayed_auth_pass_purge(void)
+{
+    auth_user_pass.wait_for_push = false;
+    purge_user_pass(&auth_user_pass, false);
+}
+
 #else
 static void dummy(void) {}
 #endif /* ENABLE_CRYPTO && ENABLE_SSL*/
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index c3d32c71c..136ad75c4 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -503,6 +503,8 @@ void show_tls_performance_stats(void);
 /*#define EXTRACT_X509_FIELD_TEST*/
 void extract_x509_field_test (void);
 
+void delayed_auth_pass_purge(void);
+
 #endif /* ENABLE_CRYPTO && ENABLE_SSL */
 
 #endif