From patchwork Mon Apr 6 03:00:01 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1075
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 6 Apr 2020 15:00:01 +0200
Message-Id: <20200406130001.6860-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH] Do not write extra 0 byte for --gen-key with auth-token/tls-crypt-v2

crypto_pem_encode puts a nul-terminated string into the buffer. This is
useful for printf but should not be written into the file.

Also for static keys, we were missing the nul termination when printing it
to stdout, but since the buffer was cleared before, there was always a NULL
byte in the right place. Make it explicit instead.

Signed-off-by: Arne Schwabe
Tested-by: Richard Bonhomme
---
 src/openvpn/crypto.c    | 11 +++++++++--
 src/openvpn/tls_crypt.c | 10 ++++++++--
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 453cb20a..7af48df0 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1477,6 +1477,7 @@ write_key_file(const int nkeys, const char *filename) /* write key file to stdout if no filename given */ if (!filename || strcmp(filename, "")==0) { + buf_null_terminate(&out); printf("%s\n", BPTR(&out)); } /* write key file, now formatted in out, to file */ @@ -1888,9 +1889,15 @@ write_pem_key_file(const char *filename, const char *pem_name) { printf("%s\n", BPTR(&server_key_pem)); } - else if (!buffer_write_file(filename, &server_key_pem)) + else { - msg(M_ERR, "ERROR: could not write key file"); + /* crypto_pem_encode null terminates the buffer, do + * not write this to the file */ + buf_inc_len(&server_key_pem, -1); + if (!buffer_write_file(filename, &server_key_pem)) + { + msg(M_ERR, "ERROR: could not write key file"); + } goto cleanup; } diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index e9f9cc2a..85f2862b 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -706,9 +706,15 @@ tls_crypt_v2_write_client_key_file(const char *filename, client_filename = INLINE_FILE_TAG; client_inline = (const char *)BPTR(&client_key_pem); } - else if (!buffer_write_file(filename, &client_key_pem)) + else { - msg(M_FATAL, "ERROR: could not write client key file"); + /* crypto_pem_encode null terminates the buffer, do + * not write this to the file */ + buf_inc_len(&client_key_pem, -1); + if (!buffer_write_file(filename, &client_key_pem)) + { + msg(M_FATAL, "ERROR: could not write client key file"); + } goto cleanup; }
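Review bot: In the write_key_file hunk, the added buf_null_terminate(&out) before the printf relies on the out buffer having a spare byte for the terminator, and nothing in the hunk shows how out was sized; the commit message says correctness so far depended only on the buffer having been cleared beforehand. Suggest a short comment at the call site (or an assertion) stating that out is allocated with room for the terminator, so a later change to the buffer size does not silently reintroduce the reliance on zeroed memory.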
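Review bot: In the write_pem_key_file hunk, buf_inc_len(&server_key_pem, -1) shrinks the buffer unconditionally, trusting that the final byte really is the terminator crypto_pem_encode appended; if that function ever stops terminating, or hands back an empty buffer, this silently drops the last byte of PEM data from the written file. Suggest checking before shrinking that the buffer is non-empty and its last byte is '\0' (an ASSERT on BPTR(&server_key_pem)[len - 1] would do). Also note the restructured else block now reaches "goto cleanup;" after a successful write as well as after a failure, where the old else-if only jumped on failure; harmless if the cleanup label follows directly, but that is outside the hunk and worth confirming.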
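Review bot: The tls_crypt_v2_write_client_key_file hunk duplicates the crypto.c change line for line (same comment, same unconditional buf_inc_len(&client_key_pem, -1), same unconditional "goto cleanup;" on success); whatever guard is chosen for the crypto.c site should be applied here too, and a small shared helper that strips a trailing terminator only when one is present would keep the two sites from drifting apart. As in crypto.c, the stdout/inline path keeps the terminator (BPTR(&client_key_pem) is used as a C string) while the file path removes it, so the comment should say the buffer is no longer nul-terminated after this point.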