From patchwork Fri Dec 8 13:05:58 2023
X-Patchwork-Submitter: Reynir
X-Patchwork-Id: 3508
Date: Fri, 8 Dec 2023 14:05:58 +0100
To: openvpn-devel
From: Reynir
Subject: [Openvpn-devel] Fail on odd number of hex digits in key files

Dear openvpn-devel,

Please find attached a patch that addresses the following bug: When a key file has an odd number of hex digits the last digit is silently ignored. This can easily be tested by adding an extra hex digit at the line before the footer; openvpn does not notice and will use the key as if the file was not modified.

Best,
Reynir Björnsson

From fff3e26a90a4e373baa03ed207f67d561ed9ace5 Mon Sep 17 00:00:00 2001
From: Reynir Björnsson
Date: Fri, 8 Dec 2023 13:58:33 +0100
Subject: [PATCH] read_key_file: Fail on odd number of hex digits

When reading a key file we must ensure we have processed all the data. If there is an odd number of hex digits we should not silently ignore the last digit but instead fail.
---
 src/openvpn/crypto.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index e4452d7a..ee5afe1b 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1139,6 +1139,9 @@ static const char printable_char_fmt[] = static const char unprintable_char_fmt[] = "Non-Hex, unprintable character (0x%02x) found at line %d in key file '%s' (%d/%d/%d bytes found/min/max)"; +static const char odd_hex_digits_fmt[] = + "Odd number of hex digits found in key file '%s'"; + /* read key from file */ void
@@ -1292,6 +1295,14 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags) --size; } + /* fail on odd number of hex digits */ + if (hb_index > 0) + { + msg(M_FATAL, + odd_hex_digits_fmt, + print_key_filename(file, flags & RKF_INLINE)); + } + /* * Normally we will read either 1 or 2 keys from file. */ -- 2.30.2
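Review bot: in the first hunk (the `@@ -1139,6 +1139,9 @@` one), the new `odd_hex_digits_fmt` reports only the file name, while the neighbouring `unprintable_char_fmt` visible in the same hunk also carries the line number and the `(%d/%d/%d bytes found/min/max)` counts; consider giving the new message the same detail, for example `"Odd number of hex digits found in key file '%s' (%d/%d/%d bytes found/min/max)"` with the matching arguments passed at the call site, so an operator can locate the stray digit instead of only learning which file is wrong.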
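Review bot: in the second hunk (`@@ -1292,6 +1295,14 @@`), the guard `if (hb_index > 0)` depends on `hb_index` still holding the count of pending nibbles once the parsing loop has finished, and the hunk does not show where `hb_index` is reset; a one-line comment stating the invariant (`hb_index` is 1 when a hex digit has been read without its partner) would make the check self-explanatory, and the manual test from the cover letter (an extra hex digit on the line before the footer) should become a unit test so that the `M_FATAL` path is exercised in CI rather than only by hand.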
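The silent truncation the cover letter describes, as an added stand-alone C illustration (not OpenVPN's code): a lenient hex decoder that drops a trailing unpaired digit beside a strict one that rejects it. The two key texts and all function names are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>

/* Constructed sample key files; the second has an extra hex digit on its last line. */
static const char SAMPLE_KEY_EVEN[] = "0a1b2c3d\n4e5f6071\n";
static const char SAMPLE_KEY_ODD[]  = "0a1b2c3d\n4e5f60717\n";

static int hex_val(int c)                   /* hex digit value, or -1 for anything else */
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? 10 + c - 'a' : -1;
}

/* Shared loop: pairs hex digits into bytes, skipping non-hex characters such as
 * newlines. Returns bytes written; *pending is left at 1 when the last digit had
 * no partner (the role hb_index plays in the patch). Digits past outlen are left unconsumed. */
static size_t decode_pairs(const char *text, unsigned char *out, size_t outlen, int *pending)
{
    size_t n = 0;
    unsigned char cur = 0;
    *pending = 0;
    for (; *text != '\0'; text++) {
        int v = hex_val((unsigned char)*text);
        if (v < 0) continue;
        if (*pending == 0) {                /* high nibble */
            cur = (unsigned char)(v << 4);
            *pending = 1;
        } else if (n < outlen) {            /* low nibble completes a byte */
            out[n++] = (unsigned char)(cur | v);
            *pending = 0;
        }
    }
    return n;
}

/* Lenient decoder (pre-patch behaviour): a trailing unpaired digit is silently dropped. */
long decode_hex_lenient(const char *text, unsigned char *out, size_t outlen)
{
    int pending;
    return (long)decode_pairs(text, out, outlen, &pending);
}

/* Strict decoder (patched behaviour): an odd digit count is rejected with -1. */
long decode_hex_strict(const char *text, unsigned char *out, size_t outlen)
{
    int pending;
    long n = (long)decode_pairs(text, out, outlen, &pending);
    return pending ? -1 : n;
}
```

Both decoders return the same 8 bytes for the modified key text; only the strict one reports that a digit was left over.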