From patchwork Mon Apr 20 02:06:02 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1094
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 20 Apr 2020 14:06:02 +0200
Message-Id: <20200420120602.15711-1-arne@rfc2549.org>
In-Reply-To: <20200406130001.6860-1-arne@rfc2549.org>
References: <20200406130001.6860-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2] Do not write extra 0 byte for --gen-key with auth-token/tls-crypt-v2

Change crypto_pem_encode to not put a nul-terminated string into the buffer. This was useful for printf but should not be written into the file. Instead do not assume that the buffer is null terminated and print only the number of bytes in the buffer.

Also fix a similar case in printing static key where the 0 byte was never added to the buffer.

Patch V2: make pem_encode behave more like other similar functions in OpenVPN and do not null terminate.
Signed-off-by: Arne Schwabe --- src/openvpn/crypto.c | 4 ++-- src/openvpn/crypto_mbedtls.c | 4 +++- src/openvpn/crypto_openssl.c | 3 +-- src/openvpn/tls_crypt.c | 2 +- tests/unit_tests/openvpn/test_tls_crypt.c | 6 ++++-- 5 files changed, 11 insertions(+), 8 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 1678cba8..b05262e1 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1478,7 +1478,7 @@ write_key_file(const int nkeys, const char *filename) /* write key file to stdout if no filename given */ if (!filename || strcmp(filename, "")==0) { - printf("%s\n", BPTR(&out)); + printf("%.*s\n", BLEN(&out), BPTR(&out)); } /* write key file, now formatted in out, to file */ else if (!buffer_write_file(filename, &out)) @@ -1887,7 +1887,7 @@ write_pem_key_file(const char *filename, const char *pem_name) if (!filename || strcmp(filename, "")==0) { - printf("%s\n", BPTR(&server_key_pem)); + printf("%.*s", BLEN(&server_key_pem), BPTR(&server_key_pem)); } else if (!buffer_write_file(filename, &server_key_pem)) { diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 3e77fa9e..14a528af 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -239,10 +239,12 @@ crypto_pem_encode(const char *name, struct buffer *dst, return false; } + /* We set the size buf to out_len-1 to NOT include the 0 byte that + * mbedtls_pem_write_buffer in its length calculation */ *dst = alloc_buf_gc(out_len, gc); if (!mbed_ok(mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src), BPTR(dst), BCAP(dst), &out_len)) - || !buf_inc_len(dst, out_len)) + || !buf_inc_len(dst, out_len-1)) { CLEAR(*dst); return false; diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index a81dcfd8..4fa65ba8 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c 
@@ -400,9 +400,8 @@ crypto_pem_encode(const char *name, struct buffer *dst, BUF_MEM *bptr; BIO_get_mem_ptr(bio, &bptr); - *dst = alloc_buf_gc(bptr->length + 1, gc); + *dst = alloc_buf_gc(bptr->length, gc); ASSERT(buf_write(dst, bptr->data, bptr->length)); - buf_null_terminate(dst); ret = true; cleanup: diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index e9f9cc2a..3018c18e 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -702,7 +702,7 @@ tls_crypt_v2_write_client_key_file(const char *filename, if (!filename || streq(filename, "")) { - printf("%s\n", BPTR(&client_key_pem)); + printf("%.*s\n", BLEN(&client_key_pem), BPTR(&client_key_pem)); client_filename = INLINE_FILE_TAG; client_inline = (const char *)BPTR(&client_key_pem); } diff --git a/tests/unit_tests/openvpn/test_tls_crypt.c b/tests/unit_tests/openvpn/test_tls_crypt.c index b9e3a7a6..54fc917d 100644 --- a/tests/unit_tests/openvpn/test_tls_crypt.c +++ b/tests/unit_tests/openvpn/test_tls_crypt.c @@ -512,7 +512,8 @@ test_tls_crypt_v2_write_server_key_file(void **state) { const char *filename = "testfilename.key"; expect_string(__wrap_buffer_write_file, filename, filename); - expect_string(__wrap_buffer_write_file, pem, test_server_key); + expect_memory(__wrap_buffer_write_file, pem, test_server_key, + strlen(test_server_key)); will_return(__wrap_buffer_write_file, true); tls_crypt_v2_write_server_key_file(filename); @@ -524,7 +525,8 @@ test_tls_crypt_v2_write_client_key_file(void **state) { /* Test writing the client key */ expect_string(__wrap_buffer_write_file, filename, filename); - expect_string(__wrap_buffer_write_file, pem, test_client_key); + expect_memory(__wrap_buffer_write_file, pem, test_client_key, + strlen(test_client_key)); will_return(__wrap_buffer_write_file, true); /* Key generation re-reads the created file as a sanity check */
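Review bot: the stdout path in write_pem_key_file drops the trailing "\n" (`printf("%.*s", BLEN(&server_key_pem), BPTR(&server_key_pem));`) while the tls_crypt.c hunk keeps it for the equally PEM-formatted client key (`printf("%.*s\n", BLEN(&client_key_pem), BPTR(&client_key_pem));`). Since the PEM footer produced by crypto_pem_encode already ends in a newline, the two sites should agree: either drop the "\n" in tls_crypt.c as well or keep it here, and say in the commit message which output is intended.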
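Review bot: the new comment in crypto_mbedtls.c is missing its verb and sits above the wrong statement: it is placed before `*dst = alloc_buf_gc(out_len, gc);` but describes the `buf_inc_len(dst, out_len-1)` change below it. Suggest moving it next to the buf_inc_len call and rewording along the lines of "pass out_len-1 to buf_inc_len so the buffer length does NOT include the 0 byte that mbedtls_pem_write_buffer counts in out_len". Keeping the allocation at out_len is correct, since mbedtls still writes that terminator into the buffer.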
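Review bot: with `*dst = alloc_buf_gc(bptr->length, gc);` and the `buf_null_terminate(dst);` removed, the OpenSSL crypto_pem_encode now returns a buffer with BLEN == BCAP that is no longer a C string, so any caller still reading BPTR(dst) via strlen or a plain "%s" over-reads; the printf sites in this patch are converted, but the contract change of crypto_pem_encode deserves a sentence in the commit message. Note also that the mbedtls variant still leaves a NUL in memory (it allocates out_len and sets the length to out_len-1), so the two backends now differ in whether a terminator follows the data; consider making them match.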
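Review bot: in the tls_crypt.c hunk, the unchanged `client_inline = (const char *)BPTR(&client_key_pem);` hands the buffer on as a C string, but after the crypto_openssl.c change client_key_pem is not NUL-terminated and has no spare capacity, so whatever later parses client_inline (the test comment says key generation re-reads the created key as a sanity check) can read past the end of the PEM data with the OpenSSL backend. Either allocate one extra byte and terminate in memory while still writing only BLEN bytes to the file, or pass the length alongside the pointer.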
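Review bot: `expect_memory(__wrap_buffer_write_file, pem, test_server_key, strlen(test_server_key));` only checks that the first strlen(test_server_key) bytes match, so a stray trailing 0 byte, which is exactly the bug this patch fixes, would still pass the test. Have the wrapper also assert that the buffer length passed to buffer_write_file equals strlen(test_server_key); the same applies to the client key hunk that follows.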