From 48d41413c4b181e00769cdb83ccfe179299ad8e4 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Tue, 22 Nov 2016 21:09:26 +0100
Subject: [PATCH] generate_key_expansion: make assumption explicit, use C99
 features

This function potentially allocates memory, and can therefor not be run
again on an initialized key_ctx_bi.  Make this explicit by adding an error
if someone tries do to this anyway.

While touching the function, cleanup it up a bit to make up for the added
lines of code.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479845366-15774-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13202.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 src/openvpn/ssl.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 97e9aaba..16b9cb7b 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1620,13 +1620,15 @@ generate_key_expansion (struct key_ctx_bi *key,
 			const struct session_id *server_sid,
 			bool server)
 {
-  uint8_t master[48];
-  struct key2 key2;
+  uint8_t master[48] = { 0 };
+  struct key2 key2 = { 0 };
   bool ret = false;
-  int i;
 
-  CLEAR (master);
-  CLEAR (key2);
+  if (key->initialized)
+    {
+      msg (D_TLS_ERRORS, "TLS Error: key already initialized");
+      goto exit;
+    }
 
   /* debugging print of source key material */
   key_source2_print (key_src);
@@ -1662,7 +1664,7 @@ generate_key_expansion (struct key_ctx_bi *key,
   key2_print (&key2, key_type, "Master Encrypt", "Master Decrypt");
 
   /* check for weak keys */
-  for (i = 0; i < 2; ++i)
+  for (int i = 0; i < 2; ++i)
     {
       fixup_key (&key2.keys[i], key_type);
       if (!check_key (&key2.keys[i], key_type))