From: Steffan Karger Date: Wed, 28 Sep 2016 10:40:51 +0000 (+0200) Subject: Make sure options->ciphername and options->authname are always defined X-Git-Tag: v2.4_alpha1~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=348c416face9a025b618ebcae9d3a74c5a4a242b;p=thirdparty%2Fopenvpn.git Make sure options->ciphername and options->authname are always defined The NCP code does a strcmp(options->ciphername, ...) without first checking whether options->ciphername is NULL. This could cause a crash when using "--cipher none". This patch fixes that problem by ensuring that options->ciphername (and options->authname) are never NULL. Ensuring that options->ciphername is never null prevents us from having to write null checks everywhere. Signed-off-by: Steffan Karger Acked-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <1475055231-1778-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12576.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 6f578419a..4ea0082c4 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -759,8 +759,11 @@ init_key_type (struct key_type *kt, const char *ciphername, { bool aead_cipher = false; + ASSERT(ciphername); + ASSERT(authname); + CLEAR (*kt); - if (ciphername) + if (strcmp (ciphername, "none") != 0) { kt->cipher = cipher_kt_get (translate_cipher_name_from_openvpn(ciphername)); kt->cipher_length = cipher_kt_key_size (kt->cipher); @@ -785,7 +788,7 @@ init_key_type (struct key_type *kt, const char *ciphername, if (warn) msg (M_WARN, "******* WARNING *******: null cipher specified, no encryption will be used"); } - if (authname) + if (strcmp (authname, "none") != 0) { if (!aead_cipher) { /* Ignore auth for AEAD ciphers */ kt->digest = md_kt_get (authname); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 45ce025ee..e3206b05e 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
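Review bot: In init_key_type (crypto.c) a NULL ciphername or authname used to mean "disabled" and now trips the added `ASSERT(ciphername);` / `ASSERT(authname);`, so any caller outside this diff that still passes NULL will abort at run time instead of selecting no cipher or digest. The new contract deserves a comment above the function, for example `/* ciphername and authname must be non-NULL; the string "none" disables the cipher or digest */`. The same sentinel test is written as `strcmp (ciphername, "none") != 0` here and in the authname hunk at -785, while init.c in this patch uses `!streq (...)`; writing `if (!streq (ciphername, "none"))` and `if (!streq (authname, "none"))` would keep the check uniform. The function body starts and ends outside both hunks.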
@@ -2266,7 +2266,7 @@ do_init_crypto_tls_c1 (struct context *c) /* Initialize key_type for tls-auth with auth only */ CLEAR (c->c1.ks.tls_auth_key_type); - if (options->authname) + if (!streq (options->authname, "none")) { c->c1.ks.tls_auth_key_type.digest = md_kt_get (options->authname); c->c1.ks.tls_auth_key_type.hmac_length = diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4b7203d9b..9f6099c20 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -6659,19 +6659,11 @@ add_option (struct options *options, { VERIFY_PERMISSION (OPT_P_GENERAL); options->authname = p[1]; - if (streq (options->authname, "none")) - { - options->authname = NULL; - } } else if (streq (p[0], "cipher") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_NCP); options->ciphername = p[1]; - if (streq (options->ciphername, "none")) - { - options->ciphername = NULL; - } } else if (streq (p[0], "ncp-ciphers") && p[1] && !p[2]) {
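Review bot: The new condition in do_init_crypto_tls_c1 (init.c) passes options->authname to `streq` with no local NULL guard, unlike init_key_type, which asserts its arguments first; adding `ASSERT (options->authname);` before the `if` would make a broken invariant fail loudly at this site too. Because the options.c hunk no longer maps "none" to NULL, any remaining `if (options->authname)` or `if (options->ciphername)` test elsewhere in the tree (not visible here) would now be true for "none" and should be converted to the same string comparison. Nothing in the visible hunks sets the non-NULL defaults the commit message relies on, so presumably that happens in option initialisation; a comment on the two struct fields, such as `/* never NULL; "none" means disabled */`, would record it. The enclosing block continues past the end of the hunk, so what happens to the cleared tls_auth_key_type when authname is "none" cannot be judged from here.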