This part of the function is not used by any part of our source code. It looks also broken if called with kt!=NULL The function cipher_kt_key_size expects its argument to be not NULL and would break. So remove the unused code instead of fixing it.
Found by Coverity. Change-Id: Id56628cfb3dfd2f306bd9bdcca2e567ac0ca9ab2 Signed-off-by: Arne Schwabe <a...@rfc2549.org> --- src/openvpn/crypto.c | 38 +++++++++++--------------------------- src/openvpn/crypto.h | 2 -- 2 files changed, 11 insertions(+), 29 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index b5ae17ec8..930f15a42 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -957,41 +957,25 @@ check_replay_consistency(const struct key_type *kt, bool packet_id) } /* - * Generate a random key. If key_type is provided, make - * sure generated key is valid for key_type. + * Generate a random key. */ -void -generate_key_random(struct key *key, const struct key_type *kt) +static void +generate_key_random(struct key *key) { int cipher_len = MAX_CIPHER_KEY_LENGTH; int hmac_len = MAX_HMAC_KEY_LENGTH; struct gc_arena gc = gc_new(); - do + CLEAR(*key); + if (!rand_bytes(key->cipher, cipher_len) + || !rand_bytes(key->hmac, hmac_len)) { - CLEAR(*key); - if (kt) - { - cipher_len = cipher_kt_key_size(kt->cipher); - - int kt_hmac_length = md_kt_size(kt->digest); - - if (kt->digest && kt_hmac_length > 0 && kt_hmac_length <= hmac_len) - { - hmac_len = kt_hmac_length; - } - } - if (!rand_bytes(key->cipher, cipher_len) - || !rand_bytes(key->hmac, hmac_len)) - { - msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation"); - } - - dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex(key->cipher, cipher_len, 0, &gc)); - dmsg(D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex(key->hmac, hmac_len, 0, &gc)); + msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation"); + } - } while (kt && !check_key(key, kt)); + dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex(key->cipher, cipher_len, 0, &gc)); + dmsg(D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex(key->hmac, hmac_len, 0, &gc)); gc_free(&gc); } @@ -1398,7 +1382,7 @@ write_key_file(const int nkeys, const char *filename) char *fmt; /* generate random bits */ - generate_key_random(&key, NULL); + generate_key_random(&key); /* format key as ascii */ fmt = format_hex_ex((const uint8_t *)&key, diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 229a4eb1c..88f8f4472 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -304,8 +304,6 @@ void read_key_file(struct key2 *key2, const char *file, const unsigned int flags */ int write_key_file(const int nkeys, const char *filename); -void generate_key_random(struct key *key, const struct key_type *kt); - void check_replay_consistency(const struct key_type *kt, bool packet_id); bool check_key(struct key *key, const struct key_type *kt); -- 2.39.2 (Apple Git-143) _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel