This function potentially allocates memory, and can therefore not be run
again on an initialized key_ctx_bi.  Make this explicit by adding an error
if someone tries to do this anyway.

While touching the function, clean it up a bit to make up for the added
lines of code.

Signed-off-by: Steffan Karger <stef...@karger.me>
---
 src/openvpn/ssl.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 3c137d8..fe6493e 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1622,13 +1622,15 @@ generate_key_expansion (struct key_ctx_bi *key,
                        const struct session_id *server_sid,
                        bool server)
 {
-  uint8_t master[48];
-  struct key2 key2;
+  uint8_t master[48] = { 0 };
+  struct key2 key2 = { 0 };
   bool ret = false;
-  int i;
 
-  CLEAR (master);
-  CLEAR (key2);
+  if (key->initialized)
+    {
+      msg (D_TLS_ERRORS, "TLS Error: key already initialized");
+      goto exit;
+    }
 
   /* debugging print of source key material */
   key_source2_print (key_src);
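Review bot: The new `key->initialized` check at the top of generate_key_expansion turns "key must not be initialized yet" into a hard precondition, but nothing in the hunk documents it for callers. I would add a comment above the check, for example `/* key must not be initialized yet: this function may allocate, so the caller has to free key before calling again */`. The guard is only as reliable as the flag: it presumably depends on `initialized` being zero for a fresh key_ctx_bi and being cleared whenever the contexts are freed, which is worth confirming since that code is not visible here. The early `goto exit` runs before any key material is derived, so `master` and `key2` are still all-zero on that path; the function body and the `exit` label lie outside the hunk.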
@@ -1664,7 +1666,7 @@ generate_key_expansion (struct key_ctx_bi *key,
   key2_print (&key2, key_type, "Master Encrypt", "Master Decrypt");
 
   /* check for weak keys */
-  for (i = 0; i < 2; ++i)
+  for (int i = 0; i < 2; ++i)
     {
       fixup_key (&key2.keys[i], key_type);
       if (!check_key (&key2.keys[i], key_type))
-- 
2.7.4

