From patchwork Tue Jun 9 10:24:01 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 5015
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 9 Jun 2026 12:24:01 +0200
Message-ID: <20260609102407.32590-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] Null-terminate tls-crypt client keys when testing

From: Max Fillinger

After generating a tls-crypt-v2 client key, OpenVPN will try to load the generated key to verify that it was generated correctly. If the client key is not written to disk but printed out on the command line, the PEM encoded key is stored in memory and read_pem_key_file is called with key_file_inline = true. However, this key is not a null-terminated string, so we end up calling strlen on a buffer that isn't null-terminated.

This commit adds a null-byte at the end of the key.

Change-Id: I2ca8bf90a796f2b757c2fde0ae24468ef3abc3b5
Signed-off-by: Max Fillinger
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1701
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1701
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index e91f80c..8c3d722 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -758,9 +758,10 @@ if (!filename || streq(filename, "")) { - printf("%.*s\n", BLEN(&client_key_pem), BPTR(&client_key_pem)); + buf_null_terminate(&client_key_pem); client_file = (const char *)BPTR(&client_key_pem); client_inline = true; + printf("%s\n", client_file); } else if (!buffer_write_file(filename, &client_key_pem)) {
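
Review bot: the added buf_null_terminate(&client_key_pem) call carries no comment saying why the terminator is needed, so a later cleanup could drop it without noticing that the inline path of read_pem_key_file treats client_file as a C string. A one-line comment above the call stating that requirement would help. Two things to confirm before merge: that client_key_pem has a spare byte at this point, so the terminator is appended rather than taking the place of the last character of the PEM text, and that nothing after this branch uses BLEN(&client_key_pem) as the length of the key text, since the length may now include the terminator. The change from the length-bounded "%.*s" to "%s" is safe only because the printf now comes after the termination, so that ordering should be kept if these lines are rearranged.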