From patchwork Thu Jun 1 10:25:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 3243 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:7b9a:b0:c3:1364:a2a2 with SMTP id j26csp321173dyk; Thu, 1 Jun 2023 03:25:46 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6hY53iBBTMTTZ2JMV+lfeMkqcONaJA/B+BJl3cinYrPVMQaKMxp0hkDh7KW44aUEOWR3pV X-Received: by 2002:a05:6870:7406:b0:183:f806:29e1 with SMTP id x6-20020a056870740600b00183f80629e1mr6932807oam.19.1685615146370; Thu, 01 Jun 2023 03:25:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685615146; cv=none; d=google.com; s=arc-20160816; b=t8ZxAQTXt4ge25QKXT0IyFpqaLgboMR0DSQfGl1EUsMCQdfi5BE/sjkPlKdRaI2XC/ fUU+YGMGOgvHZWJkjsn6dhEXnTJm2binmGgahkjjwmi+1VsC2XUDVfQq5avXLTtT6YXC btCTigV/3WAM7vd3MBqki3tqJr1DOfYSPFk+QEjVeheMdk6ZTm8osaL7L/STN+U0WFB2 +ryZc8O5MLd7ih0Vf11d8HpIldMsBu+A8dnmXATmVSLHA+lZiLxeiFTBY9ZnhKU51b5i /m3Ok5/QIX93wZXARDjn7SnLe6Un4l4+q9AZSJzE4rq68Z9EoZuCyaUVxWit2CvoBbSf Yv9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:dkim-signature; bh=ydgqlzxw+WMSphCGpvOhWfkmjH/TXZHS4SuylMoUx+k=; b=gczEAvvvobcWwPEfU4u/bARL2hD/1Wulbm04+vY0U/mzpyvJ4osxl0r4pKJQqK8nY/ wXkFK35QV1Tuy/N/wskt+idmipck9c/DWcIfp4nI3XqsjscRI9elDpPPFPvX3g+vy35u LBK4oKID92rSqNYdGk4G2FovKcGh1rBeFw7sUZsRukr4SFSdk/Zf+/p2alKeqHEWmf+/ +7NoRZJNx6yd/aOfbD3KXe2XycbnSVgAchr31VjpKIw1q2CjYMVFGcUnN0TpUhJgMco2 SpGbhBcmMiY40+wx9AW2LHOOgNKpKttSAAdWT/R+Y0rhqSdg4kcdZjmyqnXJeJLQFwci mF1A== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=aPyx9LuE; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=djRo3nuJ; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id s8-20020a025108000000b00418a1db1420si2983661jaa.115.2023.06.01.03.25.45 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 01 Jun 2023 03:25:46 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=aPyx9LuE; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=djRo3nuJ; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1q4fUd-0003O7-2H; Thu, 01 Jun 2023 10:25:19 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1q4fUY-0003O1-Tl for openvpn-devel@lists.sourceforge.net; Thu, 01 Jun 2023 10:25:15 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Mo2KORMIDfd3fhyEuHOFq2NdkRsKIBZjAu/k6GTD5WY=; b=aPyx9LuEMfUfTgOgsFqUx6Iw+o R9XJO3Z7EsXlo2N1IHdW/wdbTfA0fH0qmFBSWR+BTpLbenqhY1Anv4xfHaqEWeC8fvk4yEjbiMJwy 28bUfuvotHuL08iamUje/6vZd60XCT9YO36SG9TpidoZ3XqSVg1rEJEHlBLrwjcy9mIM=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=Mo2KORMIDfd3fhyEuHOFq2NdkRsKIBZjAu/k6GTD5WY=; b=d jRo3nuJ4c2VCI3Pcl8bsnRfiq5D1G/mgDl0ZFrAg6wad4MO0T9aSzGVtZt9SN6OkqL1/xJL1T/HZx SlmKJgUMbSUk805upqyvNHvJnppLr4Pjum36vCKjw3SYzwduk6adErXr+Q5sOuDaWEzEZjJzMUUro xvewlmyb04FwykUE=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1q4fUX-0004fv-JV for openvpn-devel@lists.sourceforge.net; Thu, 01 Jun 2023 10:25:15 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1q4fUR-000IJe-0O for openvpn-devel@lists.sourceforge.net; Thu, 01 Jun 2023 12:25:07 +0200 Received: (nullmailer pid 4068231 invoked by uid 10006); Thu, 01 Jun 2023 10:25:06 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Thu, 1 Jun 2023 12:25:06 +0200 Message-Id: <20230601102506.4068185-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Score: 0.3 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This part of the function is not used by any part of our source code. It looks also broken if called with kt!=NULL The function cipher_kt_key_size expects its argument to be not NULL and would break. [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1q4fUX-0004fv-JV Subject: [Openvpn-devel] [PATCH] Remove key_type argument from generate_key_random X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1767495587566765711?= X-GMAIL-MSGID: =?utf-8?q?1767495587566765711?= This part of the function is not used by any part of our source code. It looks also broken if called with kt!=NULL The function cipher_kt_key_size expects its argument to be not NULL and would break. So remove the unused code instead of fixing it. Found by Coverity. Change-Id: Id56628cfb3dfd2f306bd9bdcca2e567ac0ca9ab2 Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/crypto.c | 38 +++++++++++--------------------------- src/openvpn/crypto.h | 2 -- 2 files changed, 11 insertions(+), 29 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index b5ae17ec8..930f15a42 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -957,41 +957,25 @@ check_replay_consistency(const struct key_type *kt, bool packet_id) } /* - * Generate a random key. If key_type is provided, make - * sure generated key is valid for key_type. + * Generate a random key. */ -void -generate_key_random(struct key *key, const struct key_type *kt) +static void +generate_key_random(struct key *key) { int cipher_len = MAX_CIPHER_KEY_LENGTH; int hmac_len = MAX_HMAC_KEY_LENGTH; struct gc_arena gc = gc_new(); - do + CLEAR(*key); + if (!rand_bytes(key->cipher, cipher_len) + || !rand_bytes(key->hmac, hmac_len)) { - CLEAR(*key); - if (kt) - { - cipher_len = cipher_kt_key_size(kt->cipher); - - int kt_hmac_length = md_kt_size(kt->digest); - - if (kt->digest && kt_hmac_length > 0 && kt_hmac_length <= hmac_len) - { - hmac_len = kt_hmac_length; - } - } - if (!rand_bytes(key->cipher, cipher_len) - || !rand_bytes(key->hmac, hmac_len)) - { - msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation"); - } - - dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex(key->cipher, cipher_len, 0, &gc)); - dmsg(D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex(key->hmac, hmac_len, 0, &gc)); + msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation"); + } - } while (kt && !check_key(key, kt)); + dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex(key->cipher, cipher_len, 0, &gc)); + dmsg(D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex(key->hmac, hmac_len, 0, &gc)); gc_free(&gc); } @@ -1398,7 +1382,7 @@ write_key_file(const int nkeys, const char *filename) char *fmt; /* generate random bits */ - generate_key_random(&key, NULL); + generate_key_random(&key); /* format key as ascii */ fmt = format_hex_ex((const uint8_t *)&key, diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 229a4eb1c..88f8f4472 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -304,8 +304,6 @@ void read_key_file(struct key2 *key2, const char *file, const unsigned int flags */ int write_key_file(const int nkeys, const char *filename); -void generate_key_random(struct key *key, const struct key_type *kt); - void check_replay_consistency(const struct key_type *kt, bool packet_id); bool check_key(struct key *key, const struct key_type *kt);