Internal change

PiperOrigin-RevId: 477302086
Change-Id: Ib268dfbcfb9b4fc229a18dad3fb9633cb6c2642a
diff --git a/patches/remove_session_opt_pull_check.patch b/patches/remove_session_opt_pull_check.patch
new file mode 100644
index 0000000..8e4d3b6
--- /dev/null
+++ b/patches/remove_session_opt_pull_check.patch
@@ -0,0 +1,30 @@
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -2386,20 +2386,15 @@ key_method_2_write(struct buffer *buf, s
+         {
+             goto error;
+         }
+-        /* if auth-nocache was specified, the auth_user_pass object reaches
+-         * a "complete" state only after having received the push-reply
+-         * message. The push message might contain an auth-token that needs
+-         * the username of auth_user_pass.
++        /* purge username/password after writing them to the buffer for
++         * authentication.
+          *
+-         * For this reason, skip the purge operation here if no push-reply
+-         * message has been received yet.
+-         *
+-         * This normally happens upon first negotiation only.
++         * We don't wait for the server push-reply message, which might contain
++         * an auth-token that needs the username of auth_user_pass. It means
++         * auth-token may not work properly if username and password are purged
++         * too early.
+          */
+-        if (!session->opt->pull)
+-        {
+-            purge_user_pass(&auth_user_pass, false);
+-        }
++        purge_user_pass(&auth_user_pass, false);
+     }
+     else
+     {
diff --git a/patches/series b/patches/series
index c79e662..16c07cc 100644
--- a/patches/series
+++ b/patches/series
@@ -2,3 +2,4 @@
 add_missing_licenses.patch
 fix_long_password.patch
 cleanup_makefiles.patch
+remove_session_opt_pull_check.patch
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 841a649..94ab142 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2386,20 +2386,15 @@
         {
             goto error;
         }
-        /* if auth-nocache was specified, the auth_user_pass object reaches
-         * a "complete" state only after having received the push-reply
-         * message. The push message might contain an auth-token that needs
-         * the username of auth_user_pass.
+        /* purge username/password after writing them to the buffer for
+         * authentication.
          *
-         * For this reason, skip the purge operation here if no push-reply
-         * message has been received yet.
-         *
-         * This normally happens upon first negotiation only.
+         * We don't wait for the server push-reply message, which might contain
+         * an auth-token that needs the username of auth_user_pass. It means
+         * auth-token may not work properly if username and password are purged
+         * too early.
          */
-        if (!session->opt->pull)
-        {
-            purge_user_pass(&auth_user_pass, false);
-        }
+        purge_user_pass(&auth_user_pass, false);
     }
     else
     {
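Review bot: The replacement comment above the now-unconditional `purge_user_pass(&auth_user_pass, false);` admits that auth-token "may not work properly", but it gives no reason for accepting that and does not say what failure a user would see; it also drops the old comment's mention of auth-nocache. Because the call still passes `false` as the second argument, the wipe presumably stays conditional on auth-nocache inside purge_user_pass (not visible here), so "purge username/password" may overstate what happens. If it matches the intent, suggest wording such as `/* With auth-nocache, wipe the credentials as soon as they are in the buffer to shorten their lifetime in memory; a pushed auth-token then has no username to pair with, so a pull client may be asked for credentials again on renegotiation. */`. A pull client with auth-nocache and a server-pushed auth-token is worth a regression test, since that is the path the removed `if (!session->opt->pull)` guard protected. The same text is carried in patches/remove_session_opt_pull_check.patch, and the enclosing key_method_2_write body starts and ends outside the hunk.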