Dear openvpn-devel,

Please find attached a patch that addresses the following bug:
When a key file has an odd number of hex digits, the last digit is silently ignored. This can easily be tested by adding an extra hex digit at the line before the footer; openvpn does not notice and will use the key as if the file was not modified.

Best,
Reynir Björnsson
From fff3e26a90a4e373baa03ed207f67d561ed9ace5 Mon Sep 17 00:00:00 2001
From: Reynir Björnsson <rey...@reynir.dk>
Date: Fri, 8 Dec 2023 13:58:33 +0100
Subject: [PATCH] read_key_file: Fail on odd number of hex digits

When reading a key file we must ensure we have processed all the data.
If there is an odd number of hex digits we should not silently ignore
the last digit but instead fail.
---
 src/openvpn/crypto.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index e4452d7a..ee5afe1b 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1139,6 +1139,9 @@ static const char printable_char_fmt[] =
 static const char unprintable_char_fmt[] =
     "Non-Hex, unprintable character (0x%02x) found at line %d in key file '%s' (%d/%d/%d bytes found/min/max)";
 
+static const char odd_hex_digits_fmt[] =
+    "Odd number of hex digits found in key file '%s'";
+
 /* read key from file */
 
 void
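Review bot: the new odd_hex_digits_fmt carries only the file name, while the neighbouring unprintable_char_fmt also reports the line number and the found/min/max byte counts; consider at least including the line number, e.g. "Odd number of hex digits found at line %d in key file '%s'", and passing the reader's line counter at the call site, so a user can locate the stray digit instead of having to diff the whole key body.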
@@ -1292,6 +1295,14 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags)
         --size;
     }
 
+    /* fail on odd number of hex digits */
+    if (hb_index > 0)
+    {
+        msg(M_FATAL,
+            odd_hex_digits_fmt,
+            print_key_filename(file, flags & RKF_INLINE));
+    }
+
     /*
      * Normally we will read either 1 or 2 keys from file.
      */
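Review bot: the condition `hb_index > 0` is only correct if hb_index is reset to 0 after every completed byte in the loop above, which is outside this hunk's context; a one-line comment stating that invariant (hb_index > 0 here means a dangling half byte) would make the check self-explanatory. A regression test feeding a key body with one extra trailing hex digit, the repro from the cover letter, would also be worth adding alongside the change so the new failure mode stays covered.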
-- 
2.30.2

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
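The bug described in the cover letter, as an added illustration and not OpenVPN's own code: a minimal hex key-body decoder that keeps the same half-byte state (hb_index) as the OpenVPN reader, where strict == 0 reproduces the silent drop of a trailing digit and strict != 0 applies the check the patch adds. The names decode_hex_key, decoded_len and hexkey_status are assumptions for this example.

```c
#include <ctype.h>
#include <stddef.h>

enum hexkey_status { HEXKEY_OK = 0, HEXKEY_BAD_CHAR, HEXKEY_TOO_LONG, HEXKEY_ODD_DIGITS };

static int hex_nibble(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode hex text into out[], two digits per byte, tracking the same half-byte
 * state (hb_index) the OpenVPN reader uses. Whitespace is skipped; any other
 * non-hex character is an error. strict == 0 reproduces the pre-patch behaviour
 * (a trailing unpaired digit is dropped); strict != 0 reports HEXKEY_ODD_DIGITS. */
enum hexkey_status decode_hex_key(const char *text, int strict,
                                  unsigned char *out, size_t outcap, size_t *outlen)
{
    int hb_index = 0;  /* 0: waiting for high nibble, 1: waiting for low nibble */
    unsigned char cur = 0;
    size_t n = 0;
    for (const char *p = text; *p; ++p)
    {
        int v = hex_nibble((unsigned char)*p);
        if (v < 0)
        {
            if (isspace((unsigned char)*p)) continue;
            return HEXKEY_BAD_CHAR;
        }
        if (hb_index == 0) { cur = (unsigned char)(v << 4); hb_index = 1; continue; }
        if (n >= outcap) return HEXKEY_TOO_LONG;
        out[n++] = cur | (unsigned char)v;
        hb_index = 0;
    }
    if (strict && hb_index > 0) return HEXKEY_ODD_DIGITS;  /* the check the patch adds */
    *outlen = n;
    return HEXKEY_OK;
}

/* Convenience wrapper (assumed helper): decoded byte count on success, -status on failure. */
int decoded_len(const char *text, int strict)
{
    unsigned char buf[256];
    size_t len = 0;
    enum hexkey_status st = decode_hex_key(text, strict, buf, sizeof buf, &len);
    return st == HEXKEY_OK ? (int)len : -(int)st;
}
```

With strict == 0 the constructed input "deadbeef\na" decodes to the same four bytes as "deadbeef", which is exactly the undetected modification the cover letter describes.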
