[Openvpn-devel,1/6] Fix loading inline tls-crypt-v2 keys with mbed TLS

Message ID 20190114154819.6064-1-arne@rfc2549.org
State Accepted
Headers show
Series
  • [Openvpn-devel,1/6] Fix loading inline tls-crypt-v2 keys with mbed TLS
Related show

Commit Message

Arne Schwabe Jan. 14, 2019, 3:48 p.m.
From: Arne Schwabe <arne@openvpn.net>

Using a tls-crypt-v2 key with mbed TLS inline results in

PEM decode error: source buffer not null-terminated

This is because the mbed TLS decode PEM function excepts the last byte
in the buffer to be 0x00. When constructing the buffer we only made as
big as strlen, which does not include the 0x00 byte of a string. Add an
extra byte to ensure also the null byte is included in the buffer.
---
 src/openvpn/tls_crypt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Steffan Karger Jan. 16, 2019, 1:33 p.m. | #1
Hi,

On 14-01-19 16:48, Arne Schwabe wrote:
> From: Arne Schwabe <arne@openvpn.net>
> 
> Using a tls-crypt-v2 key with mbed TLS inline results in
> 
> PEM decode error: source buffer not null-terminated
> 
> This is because the mbed TLS decode PEM function excepts the last byte
> in the buffer to be 0x00. When constructing the buffer we only made as
> big as strlen, which does not include the 0x00 byte of a string. Add an
> extra byte to ensure also the null byte is included in the buffer.
> ---
>  src/openvpn/tls_crypt.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
> index 85495d7f..6bc2b7f8 100644
> --- a/src/openvpn/tls_crypt.c
> +++ b/src/openvpn/tls_crypt.c
> @@ -298,7 +298,7 @@ tls_crypt_v2_read_keyfile(struct buffer *key, const char *pem_name,
>      }
>      else
>      {
> -        buf_set_read(&key_pem, (const void *)key_inline, strlen(key_inline));
> +        buf_set_read(&key_pem, (const void *)key_inline, strlen(key_inline) + 1);
>      }
>  
>      if (!crypto_pem_decode(pem_name, key, &key_pem))
> 

Change makes sense. Thanks for fixing my bugs.

I think we should try to add regression tests for bugs we encounter (if
reasonably doable), but let's not postpone merging the bugfix for that.
I'll sent a patch with a regression test later on.

Acked-by: Steffan Karger <steffan.karger@fox-it.com>

-Steffan
Gert Doering Jan. 16, 2019, 6:42 p.m. | #2
Your patch has been applied to the master branch.

commit 92a5ec31363e76e64748c4fc9aa144eefad17323
Author: Arne Schwabe
Date:   Mon Jan 14 16:48:14 2019 +0100

     Fix loading inline tls-crypt-v2 keys with mbed TLS

     Acked-by: Steffan Karger <steffan.karger@fox-it.com>
     Message-Id: <20190114154819.6064-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18091.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 85495d7f..6bc2b7f8 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -298,7 +298,7 @@  tls_crypt_v2_read_keyfile(struct buffer *key, const char *pem_name,
     }
     else
     {
-        buf_set_read(&key_pem, (const void *)key_inline, strlen(key_inline));
+        buf_set_read(&key_pem, (const void *)key_inline, strlen(key_inline) + 1);
     }
 
     if (!crypto_pem_decode(pem_name, key, &key_pem))