[Openvpn-devel] Fail on odd number of hex digits in key files

Message ID ab19d7c6-302f-3056-d83e-0433f889e490@gmail.com
State New
Series [Openvpn-devel] Fail on odd number of hex digits in key files

Commit Message

Reynir Dec. 8, 2023, 1:05 p.m. UTC
Dear openvpn-devel,

Please find attached a patch that addresses the following bug: when a key file has an odd number of hex digits, the last digit is silently ignored. This can easily be tested by adding an extra hex digit at the line before the footer; openvpn does not notice and will use the key as if the file was not modified.

Best,
Reynir Björnsson
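As an added illustration (not OpenVPN's code and not part of this patch), here is a minimal hex key decoder that keeps the same half-byte bookkeeping the patch relies on: a counter that is 0 once a full byte has been consumed and 1 while the high nibble of the next byte is pending. The names (`decode_hex_key`, `hb_index`, the `strict` flag, the status enum) are hypothetical; `strict == 0` reproduces the pre-patch behaviour described in the commit message, where a trailing nibble is dropped and the key decodes exactly as the unmodified file would, and `strict != 0` applies the patch's rule and reports the odd digit count instead.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not OpenVPN code. A minimal hex key decoder that keeps
 * the same half-byte bookkeeping the patch relies on: hb_index is 0 while a
 * full byte has been consumed and 1 while the high nibble of the next byte is
 * pending. All names here are hypothetical. */

enum hex_key_status {
    HEX_KEY_OK = 0,
    HEX_KEY_BAD_CHAR = 1,    /* a non-hex, non-whitespace character */
    HEX_KEY_ODD_DIGITS = 2,  /* a trailing nibble with no partner */
    HEX_KEY_TOO_LONG = 3     /* output buffer exhausted */
};

static int hex_nibble(int c)
{
    if (c >= '0' && c <= '9') { return c - '0'; }
    if (c >= 'a' && c <= 'f') { return c - 'a' + 10; }
    if (c >= 'A' && c <= 'F') { return c - 'A' + 10; }
    return -1;
}

/* Decode the hex text of a key body into out[]. Whitespace is skipped.
 * strict == 0 reproduces the pre-patch behaviour: a leftover nibble is
 * silently dropped and the key is accepted as if the file were unmodified.
 * strict != 0 applies the patch's rule: leftover nibble -> HEX_KEY_ODD_DIGITS. */
enum hex_key_status decode_hex_key(const char *text, unsigned char *out,
                                   size_t out_cap, size_t *out_len, int strict)
{
    size_t n = 0;
    int hb_index = 0;        /* 0 = expecting high nibble, 1 = expecting low nibble */
    unsigned char cur = 0;

    for (const char *p = text; *p != '\0'; ++p) {
        int v;
        if (isspace((unsigned char)*p)) { continue; }
        v = hex_nibble((unsigned char)*p);
        if (v < 0) { *out_len = n; return HEX_KEY_BAD_CHAR; }
        if (hb_index == 0) {
            cur = (unsigned char)(v << 4);
            hb_index = 1;
        } else {
            if (n >= out_cap) { *out_len = n; return HEX_KEY_TOO_LONG; }
            out[n++] = (unsigned char)(cur | v);
            hb_index = 0;
        }
    }
    *out_len = n;
    /* The patch's check: a pending high nibble means the text was not fully
     * consumed, so the key had an odd number of hex digits. */
    if (strict && hb_index != 0) { return HEX_KEY_ODD_DIGITS; }
    return HEX_KEY_OK;
}

/* Scratch-buffer wrappers so callers (and the stand-alone main below) can
 * inspect the decoded bytes without managing their own buffer. */
static unsigned char scratch[32];
static size_t scratch_len;

enum hex_key_status decode_scratch(const char *text, int strict)
{
    return decode_hex_key(text, scratch, sizeof scratch, &scratch_len, strict);
}

size_t decoded_len(void) { return scratch_len; }

int decoded_byte(size_t i) { return i < scratch_len ? (int)scratch[i] : -1; }

int main(void)
{
    /* Constructed sample: a 4-byte key body, then the same body with one
     * extra digit appended before the end, as the bug report describes. */
    const char *good = "0011\n2233\n";
    const char *odd  = "0011\n22334\n";

    printf("unmodified, strict  : status %d, %zu bytes\n",
           (int)decode_scratch(good, 1), decoded_len());
    printf("extra digit, lenient: status %d, %zu bytes (key unchanged)\n",
           (int)decode_scratch(odd, 0), decoded_len());
    printf("extra digit, strict : status %d, %zu bytes\n",
           (int)decode_scratch(odd, 1), decoded_len());
    return 0;
}
```

The lenient path is what makes the bug hard to notice operationally: the modified file yields byte-for-byte the same key, so nothing downstream (tunnel setup, logs) changes. The strict path turns the same input into a hard error at load time, which is the only place the extra digit is still visible.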

Comments

Reynir Dec. 8, 2023, 1:26 p.m. UTC | #1
Dear openvpn-devel,

Please find an updated version that doesn't hide away the format string in a variable and is instead a string literal.

Best,
Reynir Björnsson

Patch

From fff3e26a90a4e373baa03ed207f67d561ed9ace5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?= <reynir@reynir.dk>
Date: Fri, 8 Dec 2023 13:58:33 +0100
Subject: [PATCH] read_key_file: Fail on odd number of hex digits

When reading a key file we must ensure we have processed all the data.
If there is an odd number of hex digits we should not silently ignore
the last digit but instead fail.
---
 src/openvpn/crypto.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index e4452d7a..ee5afe1b 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1139,6 +1139,9 @@  static const char printable_char_fmt[] =
 static const char unprintable_char_fmt[] =
     "Non-Hex, unprintable character (0x%02x) found at line %d in key file '%s' (%d/%d/%d bytes found/min/max)";
 
+static const char odd_hex_digits_fmt[] =
+    "Odd number of hex digits found in key file '%s'";
+
 /* read key from file */
 
 void
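Review bot: the new `odd_hex_digits_fmt` reports only the file name, whereas the neighbouring `unprintable_char_fmt` carries `at line %d` and `(%d/%d/%d bytes found/min/max)`; someone who hand-edited a key file would locate the stray digit much faster if the odd-digit message took the same line and byte-count arguments. Note also that the #1 follow-up says the format string is now a string literal at the call site, so this hunk (the static array) is superseded by that revision and should not be applied as-is.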
@@ -1292,6 +1295,14 @@  read_key_file(struct key2 *key2, const char *file, const unsigned int flags)
         --size;
     }
 
+    /* fail on odd number of hex digits */
+    if (hb_index > 0)
+    {
+        msg(M_FATAL,
+            odd_hex_digits_fmt,
+            print_key_filename(file, flags & RKF_INLINE));
+    }
+
     /*
      * Normally we will read either 1 or 2 keys from file.
      */
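Review bot: the test `hb_index > 0` is correct only if the read loop resets `hb_index` to 0 after every completed byte, so that a nonzero value after the loop means exactly one unpaired nibble; that invariant is not visible in the shown context, so the comment above the check should state it. `M_FATAL` is consistent with the other key-file errors in this function. Since the commit message says the bug is easy to reproduce by appending one hex digit before the footer, a regression test with such a key file would keep this check from silently regressing.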
-- 
2.30.2