Opened 5 months ago

Closed 3 months ago

#1260 closed Bug / Defect (fixed)

Generated TLS crypt V2 keys have control code appended

Reported by: tincantech Owned by: plaisthos
Priority: major Milestone: release 2.5
Component: Generic / unclassified Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: genkey tls-crypt-v2
Cc:

Description (last modified by tincantech)

Both TLS crypt v2 server & client have \00 appended to the key file, examples below. (Tested on git/master, cloned and built today)

Server:

To replicate: openvpn --genkey tls-crypt-v2-server $out_file

-----BEGIN OpenVPN tls-crypt-v2 server key-----
8R+N2YzMWHMET9ZUDj0HpEgwyBAuwJqDjKHNELV/e0F1P/5T8DKk58XyydlXc/9T
tgB5EX4MS9AnT1Q2K7SI+pWN4+a7/HB6kTMEkU28gFonDAizD1hPphONt4CEwEty
Wik0Dq1UNYWynxtAsjev8LcLfmRbqwuedcjLyHTAZ+8=
-----END OpenVPN tls-crypt-v2 server key-----
\00

Client:

To replicate: openvpn --tls-crypt-v2 $in_file --genkey tls-crypt-v2-client $out_file

-----BEGIN OpenVPN tls-crypt-v2 client key-----
[...]
-----END OpenVPN tls-crypt-v2 client key-----
\00

Change History (6)

comment:1 Changed 5 months ago by tincantech

Adding comment for email notifications.

comment:2 Changed 5 months ago by tincantech

Description: modified

comment:3 Changed 5 months ago by Gert Döring

Milestone: release 2.5
Owner: set to plaisthos
Status: new → assigned

comment:4 Changed 5 months ago by David Sommerseth

Confirmed. Just checked with gdb

$ gdb ./src/openvpn/openvpn --args ./src/openvpn/openvpn --genkey tls-crypt-v2-server testkey
[...]
Breakpoint 1, buffer_write_file (filename=filename@entry=0x7fffffffe121 "testkey", buf=buf@entry=0x7fffffffcb10) at buffer.c:383
383	    const int size = write(fd, BPTR(buf), BLEN(buf));
(gdb) print *buf
$2 = {capacity = 270, offset = 0, len = 270, 
  data = 0x703d88 "-----BEGIN OpenVPN tls-crypt-v2 server key-----\nBTZqluaYuxB6SI9GYG0BpBimReejU3q4QC9YwbyQfhIQDLYwy/NCPaP2XqzXYsni\n5P9zs5YWCmfaVUZgtB2+bAHA5ky8iSEhaakGsZbIyPMOi2dh8u+eLOkiLsU/c1uY\n41vIEUVuKmPnRn1CY8LPjM"...}
(gdb) print (*buf)->data
$3 = (uint8_t *) 0x703d88 "-----BEGIN OpenVPN tls-crypt-v2 server key-----\nBTZqluaYuxB6SI9GYG0BpBimReejU3q4QC9YwbyQfhIQDLYwy/NCPaP2XqzXYsni\n5P9zs5YWCmfaVUZgtB2+bAHA5ky8iSEhaakGsZbIyPMOi2dh8u+eLOkiLsU/c1uY\n41vIEUVuKmPnRn1CY8LPjM"...
(gdb) print strlen((*buf)->data)
$4 = 269
(gdb) quit

Since buffer_write_file() uses write(2) with buf->len and the last byte of buf->data is 0, it does append the extra byte.

On a quick glance it looks like crypto_pem_encode() in crypto_openssl.c might be worth further investigation. I see the crypto_mbedtls.c implementation is quite different, but I have not tested it.

Last edited 5 months ago by David Sommerseth
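To make the mechanism in comment:4 concrete, here is an added example (not OpenVPN's code; the struct buffer and the BPTR/BLEN helpers are a simplified model based only on the gdb output above, and the PEM text in the test is constructed). It builds a buffer whose len counts the PEM terminator, writes it the same way buffer_write_file() does, shows the len-only fix, and includes a check you can run against an already generated key file to see whether it carries the stray trailing byte:

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Simplified model of OpenVPN's struct buffer (assumption: only the fields
 * and the BPTR/BLEN semantics visible in the gdb session are reproduced). */
struct buffer { int capacity; int offset; int len; uint8_t *data; };
#define BPTR(b) ((b)->data + (b)->offset)
#define BLEN(b) ((b)->len)

/* Models the defect: the PEM text is copied with its terminating '\0' and
 * len counts it (270 in the ticket while strlen() reports 269).
 * 'store' must hold strlen(pem) + 1 bytes. */
void pem_into_buffer_buggy(const char *pem, struct buffer *buf, uint8_t *store)
{
    int n = (int)strlen(pem) + 1;   /* +1: the terminator is counted */
    memcpy(store, pem, (size_t)n);
    buf->data = store; buf->capacity = n; buf->offset = 0; buf->len = n;
}

/* write(2) emits exactly BLEN bytes, so a NUL in the last slot reaches the disk. */
int buffer_has_trailing_nul(const struct buffer *buf)
{
    return BLEN(buf) > 0 && BPTR(buf)[BLEN(buf) - 1] == '\0';
}

/* Buffer-side fix: stop counting the terminator, the bytes themselves stay. */
void buffer_trim_trailing_nul(struct buffer *buf)
{
    while (buffer_has_trailing_nul(buf)) buf->len--;
}

/* Same pattern as buffer_write_file(): write(fd, BPTR(buf), BLEN(buf)).
 * Returns bytes written or -1. */
int write_key_file(const char *path, const struct buffer *buf)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int n = (int)write(fd, BPTR(buf), (size_t)BLEN(buf));
    close(fd);
    return n;
}

/* Check for an existing key file: 1 if its last byte is '\0', 0 if not, -1 on error. */
int key_file_has_trailing_nul(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    int last = EOF, c;
    while ((c = fgetc(f)) != EOF) last = c;   /* remember the final byte */
    fclose(f);
    return last == EOF ? -1 : (last == 0);
}
```

Running key_file_has_trailing_nul() on a key produced by an affected build returns 1; after the fix (or after the buffer no longer counts the terminator) it returns 0.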

comment:6 Changed 3 months ago by tincantech

Resolution: fixed
Status: assigned → closed