@@ -957,41 +957,25 @@ check_replay_consistency(const struct key_type *kt, bool packet_id)
}
/*
- * Generate a random key. If key_type is provided, make
- * sure generated key is valid for key_type.
+ * Generate a random key.
*/
-void
-generate_key_random(struct key *key, const struct key_type *kt)
+static void
+generate_key_random(struct key *key)
{
int cipher_len = MAX_CIPHER_KEY_LENGTH;
int hmac_len = MAX_HMAC_KEY_LENGTH;
struct gc_arena gc = gc_new();
- do
+ CLEAR(*key);
+ if (!rand_bytes(key->cipher, cipher_len)
+ || !rand_bytes(key->hmac, hmac_len))
{
- CLEAR(*key);
- if (kt)
- {
- cipher_len = cipher_kt_key_size(kt->cipher);
-
- int kt_hmac_length = md_kt_size(kt->digest);
-
- if (kt->digest && kt_hmac_length > 0 && kt_hmac_length <= hmac_len)
- {
- hmac_len = kt_hmac_length;
- }
- }
- if (!rand_bytes(key->cipher, cipher_len)
- || !rand_bytes(key->hmac, hmac_len))
- {
- msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation");
- }
-
- dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex(key->cipher, cipher_len, 0, &gc));
- dmsg(D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex(key->hmac, hmac_len, 0, &gc));
+ msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation");
+ }
- } while (kt && !check_key(key, kt));
+ dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex(key->cipher, cipher_len, 0, &gc));
+ dmsg(D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex(key->hmac, hmac_len, 0, &gc));
gc_free(&gc);
}
@@ -1398,7 +1382,7 @@ write_key_file(const int nkeys, const char *filename)
char *fmt;
/* generate random bits */
- generate_key_random(&key, NULL);
+ generate_key_random(&key);
/* format key as ascii */
fmt = format_hex_ex((const uint8_t *)&key,
@@ -304,8 +304,6 @@ void read_key_file(struct key2 *key2, const char *file, const unsigned int flags
*/
int write_key_file(const int nkeys, const char *filename);
-void generate_key_random(struct key *key, const struct key_type *kt);
-
void check_replay_consistency(const struct key_type *kt, bool packet_id);
bool check_key(struct key *key, const struct key_type *kt);
This part of the function is not used by any part of our source code. It looks also broken if called with kt!=NULL The function cipher_kt_key_size expects its argument to be not NULL and would break. So remove the unused code instead of fixing it. Found by Coverity. Change-Id: Id56628cfb3dfd2f306bd9bdcca2e567ac0ca9ab2 Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/crypto.c | 38 +++++++++++--------------------------- src/openvpn/crypto.h | 2 -- 2 files changed, 11 insertions(+), 29 deletions(-)