Opened 4 years ago

Closed 4 years ago

#1260 closed Bug / Defect (fixed)

Generated TLS crypt V2 keys have control code appended

Reported by: tct Owned by: plaisthos
Priority: major Milestone: release 2.5
Component: Generic / unclassified Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: genkey tls-crypt-v2
Cc:

Description (last modified by tct)

Both TLS crypt v2 server & client have \00 appended to the key file, examples below. (Tested on git/master, cloned and built today)

Server:

To replicate openvpn --genkey tls-crypt-v2-server $out_file

-----BEGIN OpenVPN tls-crypt-v2 server key-----
8R+N2YzMWHMET9ZUDj0HpEgwyBAuwJqDjKHNELV/e0F1P/5T8DKk58XyydlXc/9T
tgB5EX4MS9AnT1Q2K7SI+pWN4+a7/HB6kTMEkU28gFonDAizD1hPphONt4CEwEty
Wik0Dq1UNYWynxtAsjev8LcLfmRbqwuedcjLyHTAZ+8=
-----END OpenVPN tls-crypt-v2 server key-----
\00

Client:

To replicate openvpn --tls-crypt-v2 $in_file --genkey tls-crypt-v2-client $out_file

-----BEGIN OpenVPN tls-crypt-v2 client key-----
[...]
-----END OpenVPN tls-crypt-v2 client key-----
\00

Change History (6)

comment:1 Changed 4 years ago by tct

Adding comment for email notifications.

comment:2 Changed 4 years ago by tct

Description: modified (diff)

comment:3 Changed 4 years ago by Gert Döring

Milestone: release 2.5
Owner: set to plaisthos
Status: new → assigned

comment:4 Changed 4 years ago by David Sommerseth

Confirmed. Just checked with gdb

$ gdb ./src/openvpn/openvpn --args ./src/openvpn/openvpn --genkey tls-crypt-v2-server testkey
[...]
Breakpoint 1, buffer_write_file (filename=filename@entry=0x7fffffffe121 "testkey", buf=buf@entry=0x7fffffffcb10) at buffer.c:383
383	    const int size = write(fd, BPTR(buf), BLEN(buf));
Missing separate debuginfos, use: debuginfo-install bzip2-libs-1.0.6-13.el7.x86_64 elfutils-libelf-0.176-2.el7.x86_64 elfutils-libs-0.176-2.el7.x86_64 glibc-2.17-292.el7.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-37.el7_7.2.x86_64 libattr-2.4.46-13.el7.x86_64 libcap-2.22-10.el7.x86_64 libcom_err-1.42.9-16.el7.x86_64 libgcc-4.8.5-39.el7.x86_64 libgcrypt-1.5.3-14.el7.x86_64 libgpg-error-1.12-3.el7.x86_64 lz4-1.7.5-3.el7.x86_64 lzo-2.06-8.el7.x86_64 openssl-libs-1.0.2k-19.el7.x86_64 pkcs11-helper-1.11-3.el7.x86_64 systemd-libs-219-67.el7_7.3.x86_64 xz-libs-5.2.2-1.el7.x86_64
(gdb) print buf
$1 = (const struct buffer *) 0x7fffffffcb10
(gdb) print *buf
$2 = {capacity = 270, offset = 0, len = 270, 
  data = 0x703d88 "-----BEGIN OpenVPN tls-crypt-v2 server key-----\nBTZqluaYuxB6SI9GYG0BpBimReejU3q4QC9YwbyQfhIQDLYwy/NCPaP2XqzXYsni\n5P9zs5YWCmfaVUZgtB2+bAHA5ky8iSEhaakGsZbIyPMOi2dh8u+eLOkiLsU/c1uY\n41vIEUVuKmPnRn1CY8LPjM"...}
(gdb) print (*buf)->data
$3 = (uint8_t *) 0x703d88 "-----BEGIN OpenVPN tls-crypt-v2 server key-----\nBTZqluaYuxB6SI9GYG0BpBimReejU3q4QC9YwbyQfhIQDLYwy/NCPaP2XqzXYsni\n5P9zs5YWCmfaVUZgtB2+bAHA5ky8iSEhaakGsZbIyPMOi2dh8u+eLOkiLsU/c1uY\n41vIEUVuKmPnRn1CY8LPjM"...
(gdb) print strlen((*buf)->data)
$4 = 269
(gdb) quit

Since buffer_write_file() uses write(2) using buf->len and the last byte of buf->data is 0, it does append the extra byte.

On a quick glance it looks like crypto_pem_encode() in crypto_openssl.c might be worthy of further investigation. I see the crypto_mbedtls.c implementation is quite different, but I have not tested it.

Version 0, edited 4 years ago by David Sommerseth
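The following is an added example written for this page, not OpenVPN code. It models the defect as the description and comment:4 lay it out: the PEM text lands in a buffer whose len counts the C string terminator (gdb shows len = 270 against strlen = 269), and a writer that trusts len emits that NUL after the END line. The struct kbuf, the two encoder stand-ins and the check functions are hypothetical simplifications; the PEM payload is constructed filler, not a real key. It also adds the check a practitioner wants before and after writing: does the buffer, or the file already on disk, end in a NUL byte?

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical stand-in for the fields of OpenVPN's struct buffer that matter
 * here (not the project's definition): a writer modelled on buffer_write_file()
 * emits exactly `len` bytes starting at `data`.
 */
struct kbuf {
    size_t len;
    uint8_t *data;
};

/* Constructed sample in the layout the ticket shows; base64 payload is filler. */
static const char SAMPLE_PEM[] =
    "-----BEGIN OpenVPN tls-crypt-v2 server key-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2\n"
    "d3h5ejAxMjM0NTY3ODk=\n"
    "-----END OpenVPN tls-crypt-v2 server key-----\n";

/* Buggy behaviour as reported: the string terminator is counted as payload. */
static struct kbuf pem_to_buf_buggy(const char *pem)
{
    struct kbuf b = {0, NULL};
    size_t n = strlen(pem);
    b.data = malloc(n + 1);
    if (!b.data) return b;
    memcpy(b.data, pem, n + 1);   /* copies the NUL too */
    b.len = n + 1;                /* ...and counts it, so write() emits it */
    return b;
}

/* Corrected behaviour: len covers only the PEM text; the NUL never reaches the file. */
static struct kbuf pem_to_buf_fixed(const char *pem)
{
    struct kbuf b = {0, NULL};
    size_t n = strlen(pem);
    b.data = malloc(n + 1);
    if (!b.data) return b;
    memcpy(b.data, pem, n + 1);
    b.len = n;
    return b;
}

/* Pre-write check: a PEM block must end in '\n', never in a NUL byte. */
static int buf_has_trailing_nul(const struct kbuf *b)
{
    return b->len > 0 && b->data[b->len - 1] == '\0';
}

/* General form of the same check: how many trailing NULs would be written. */
static size_t buf_count_trailing_nuls(const struct kbuf *b)
{
    size_t n = 0;
    while (n < b->len && b->data[b->len - 1 - n] == '\0') n++;
    return n;
}

/* Build the sample with either encoder and report whether a NUL would be emitted. */
static int sample_trailing_nul(int use_buggy)
{
    struct kbuf b = use_buggy ? pem_to_buf_buggy(SAMPLE_PEM)
                              : pem_to_buf_fixed(SAMPLE_PEM);
    int r = buf_has_trailing_nul(&b);
    free(b.data);
    return r;
}

/* Post-write audit of an existing key file: 1 if the last byte is NUL, 0 if
   not, -1 on I/O error or an empty file. */
static int file_has_trailing_nul(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fseek(f, -1L, SEEK_END) != 0) { fclose(f); return -1; }
    int c = fgetc(f);
    fclose(f);
    if (c == EOF) return -1;
    return c == 0;
}

/* Mirrors buffer_write_file(): emits exactly len bytes, trusting the caller. */
static int write_buf_file(const char *path, const struct kbuf *b)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(b->data, 1, b->len, f);
    fclose(f);
    return w == b->len ? 0 : -1;
}

int main(void)
{
    struct kbuf buggy = pem_to_buf_buggy(SAMPLE_PEM);
    struct kbuf fixed = pem_to_buf_fixed(SAMPLE_PEM);
    printf("strlen=%zu buggy.len=%zu fixed.len=%zu\n",
           strlen(SAMPLE_PEM), buggy.len, fixed.len);
    printf("trailing NUL: buggy=%d fixed=%d\n",
           buf_has_trailing_nul(&buggy), buf_has_trailing_nul(&fixed));

    const char *path = "tls-crypt-v2-demo.key";   /* written to the cwd */
    if (write_buf_file(path, &buggy) == 0)
        printf("%s ends with NUL: %d\n", path, file_has_trailing_nul(path));

    free(buggy.data);
    free(fixed.data);
    return 0;
}
```

To audit keys already generated by an affected build without this program, the same check is `tail -c 1 server.key | od -c`, which prints `\0` for an affected file and `\n` for a clean one. The model writer above is the point: write(2) or fwrite(3) cannot know where the text ends, so the length has to be fixed where the PEM is encoded, not where it is written.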

comment:6 Changed 4 years ago by tct

Resolution: fixed
Status: assigned → closed