| --- a/src/openvpn/ssl.c |
| +++ b/src/openvpn/ssl.c |
| @@ -2386,20 +2386,15 @@ key_method_2_write(struct buffer *buf, s |
| { |
| goto error; |
| } |
| - /* if auth-nocache was specified, the auth_user_pass object reaches |
| - * a "complete" state only after having received the push-reply |
| - * message. The push message might contain an auth-token that needs |
| - * the username of auth_user_pass. |
| + /* purge username/password after writing them to the buffer for |
| + * authentication. |
| * |
| - * For this reason, skip the purge operation here if no push-reply |
| - * message has been received yet. |
| - * |
| - * This normally happens upon first negotiation only. |
| + * We don't wait for the server push-reply message, which might contain |
| + * an auth-token that needs the username of auth_user_pass. It means |
| + * auth-token may not work properly if username and password are purged |
| + * too early. |
| */ |
| - if (!session->opt->pull) |
| - { |
| - purge_user_pass(&auth_user_pass, false); |
| - } |
| + purge_user_pass(&auth_user_pass, false); |
| } |
| else |
| { |
