@@ -80,6 +80,28 @@ setenv_untrusted(struct tls_session *session)

     setenv_link_socket_actual(session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);

 }

+

+/**

+ *  Wipes the authentication token out of the memory, frees and cleans up related buffers and flags

+ *

+ *  @param multi  Pointer to a multi object holding the auth_token variables

+ */

+static void

+wipe_auth_token(struct tls_multi *multi)

+{

+    if(multi)

+    {

+        if (multi->auth_token)

+        {

+            secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);

+            free(multi->auth_token);

+        }

+        multi->auth_token = NULL;

+        multi->auth_token_sent = false;

+    }

+}

+

+

 /*

  * Remove authenticated state from all sessions in the given tunnel

  */

@@ -88,10 +110,10 @@ tls_deauthenticate(struct tls_multi *multi)

 {

     if (multi)

     {

-        int i, j;

-        for (i = 0; i < TM_SIZE; ++i)

+        wipe_auth_token(multi);

+        for (int i = 0; i < TM_SIZE; ++i)

         {

-            for (j = 0; j < KS_SIZE; ++j)

+            for (int j = 0; j < KS_SIZE; ++j)

             {

                 multi->session[i].key[j].authenticated = false;

             }

@@ -1219,21 +1241,6 @@ verify_user_pass_management(struct tls_session *session, const struct user_pass

 }

 #endif /* ifdef MANAGEMENT_DEF_AUTH */

-/**

- *  Wipes the authentication token out of the memory, frees and cleans up related buffers and flags

- *

- *  @param multi  Pointer to a multi object holding the auth_token variables

- */

-static void

-wipe_auth_token(struct tls_multi *multi)

-{

-    secure_memzero(multi->auth_token, AUTH_TOKEN_SIZE);

-    free(multi->auth_token);

-    multi->auth_token = NULL;

-    multi->auth_token_sent = false;

-}

-

-

 /*

  * Main username/password verification entry point

  */

@@ -1285,7 +1292,7 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,

         /* Ensure that the username has not changed */

         if (!tls_lock_username(multi, up->username))

         {

-            wipe_auth_token(multi);

+            /* auth-token cleared in tls_lock_username() on failure */

             ks->authenticated = false;

             goto done;

         }

@@ -1306,7 +1313,6 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,

         if (memcmp_constant_time(multi->auth_token, up->password,

                                  strlen(multi->auth_token)) != 0)

         {

-            wipe_auth_token(multi);

             ks->authenticated = false;

             tls_deauthenticate(multi);

@@ -1478,6 +1484,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)

         if (!cn || !strcmp(cn, CCD_DEFAULT) || !test_file(path))

         {

             ks->authenticated = false;

+            wipe_auth_token(multi);

             msg(D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",

                 session->common_name,

                 path ? path : "UNDEF");