Use the private RNG for data that is not public
authorKurt Roeckx <kurt@roeckx.be>
Fri, 3 Nov 2017 19:59:16 +0000 (20:59 +0100)
committerKurt Roeckx <kurt@roeckx.be>
Mon, 2 Apr 2018 20:22:43 +0000 (22:22 +0200)
Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Fixes: #4641
GH: #4665

14 files changed:
crypto/bio/bf_nbio.c
crypto/bn/bn_blind.c
crypto/bn/bn_prime.c
crypto/bn/bn_rand.c
crypto/bn/bn_sqrt.c
crypto/des/rand_key.c
crypto/evp/e_des.c
crypto/evp/e_des3.c
crypto/evp/evp_enc.c
crypto/rand/randfile.c
crypto/srp/srp_vfy.c
ssl/ssl_lib.c
ssl/statem/statem_srvr.c
ssl/tls_srp.c

index c41b5d58dc5abd695125078265e039572ce65410..1acb717743aa873910c462ad1620ca3ff0a12b46 100644 (file)
@@ -89,7 +89,7 @@ static int nbiof_read(BIO *b, char *out, int outl)
         return 0;
 
     BIO_clear_retry_flags(b);
-    if (RAND_bytes(&n, 1) <= 0)
+    if (RAND_priv_bytes(&n, 1) <= 0)
         return -1;
     num = (n & 0x07);
 
@@ -126,7 +126,7 @@ static int nbiof_write(BIO *b, const char *in, int inl)
         num = nt->lwn;
         nt->lwn = 0;
     } else {
-        if (RAND_bytes(&n, 1) <= 0)
+        if (RAND_priv_bytes(&n, 1) <= 0)
             return -1;
         num = (n & 7);
     }
index 985d3ef32bb66a190647f6ba456b8168310fbcdd..1ee902cb21927370bb609cc2a12b3199becdb680 100644 (file)
@@ -250,7 +250,7 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
 
     do {
         int rv;
-        if (!BN_rand_range(ret->A, ret->mod))
+        if (!BN_priv_rand_range(ret->A, ret->mod))
             goto err;
         if (!int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv)) {
             /*
index 36d6e88478438bf211dff6c5a90f03ab2120f309..4e7908682eacba8a369a258cbc7b75090feb8f11 100644 (file)
@@ -279,6 +279,7 @@ static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods)
     char is_single_word = bits <= BN_BITS2;
 
  again:
+    /* TODO: Not all primes are private */
     if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD))
         return 0;
     /* we now have a random number 'rnd' to test. */
@@ -363,7 +364,7 @@ int bn_probable_prime_dh(BIGNUM *rnd, int bits,
     if ((t1 = BN_CTX_get(ctx)) == NULL)
         goto err;
 
-    if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+    if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
         goto err;
 
     /* we need ((rnd-rem) % add) == 0 */
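Review bot: The switch from `BN_priv_rand` to `BN_rand` here, and again in `probable_prime_dh_safe` in the next hunk, runs opposite to the commit title and carries no comment explaining why. If these helpers are reached only when generating public DH parameters, the public DRBG is the right choice. If a caller can also reach them while generating a secret prime (the callers are not visible on this page), the candidate would be drawn from the public instance. A comment at both call sites, e.g. `/* candidate for public parameters; secret primes must not take this path */`, would record the assumption next to the TODO added in `probable_prime`. Both function bodies extend beyond their hunks.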
@@ -419,7 +420,7 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
     if (!BN_rshift1(qadd, padd))
         goto err;
 
-    if (!BN_priv_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
+    if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD))
         goto err;
 
     /* we need ((rnd-rem) % add) == 0 */
index 604b6bf6cf5c39dc15b043c1afc361af7a4eb290..c0d1a32292bace170ad817964b3497a158e1d964 100644 (file)
@@ -239,7 +239,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
     memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
 
     for (done = 0; done < num_k_bytes;) {
-        if (RAND_bytes(random_bytes, sizeof(random_bytes)) != 1)
+        if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1)
             goto err;
         SHA512_Init(&sha);
         SHA512_Update(&sha, &done, sizeof(done));
index 37cdaf87d58bd791475ef801dbdd260720b29264..be8bd1238b621723f2e98ef93b440223b3936b31 100644 (file)
@@ -179,7 +179,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
             if (!BN_set_word(y, i))
                 goto end;
         } else {
-            if (!BN_rand(y, BN_num_bits(p), 0, 0))
+            if (!BN_priv_rand(y, BN_num_bits(p), 0, 0))
                 goto end;
             if (BN_ucmp(y, p) >= 0) {
                 if (!(p->neg ? BN_add : BN_sub) (y, y, p))
index 09d7e4cf1420b9055d6ef2c0ba22bb49d14caaac..b49ce6f17b8f87582293b36c41bba16ba2e64d6d 100644 (file)
@@ -13,7 +13,7 @@
 int DES_random_key(DES_cblock *ret)
 {
     do {
-        if (RAND_bytes((unsigned char *)ret, sizeof(DES_cblock)) != 1)
+        if (RAND_priv_bytes((unsigned char *)ret, sizeof(DES_cblock)) != 1)
             return 0;
     } while (DES_is_weak_key(ret));
     DES_set_odd_parity(ret);
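Review bot: The weak-key test in the `do … while` loop runs on the raw random bytes, and `DES_set_odd_parity(ret)` is applied only after the loop exits, so the key handed back is not the one that was checked. If `DES_is_weak_key` compares against parity-adjusted table entries (its body is not shown here), the check will almost never match and a weak key could still result once parity is fixed. Moving `DES_set_odd_parity(ret);` inside the loop, directly before `} while (DES_is_weak_key(ret));`, would test the final key. The function's tail lies outside the hunk.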
index 9b2facfecfce98bf421892f0bde536bd4d5e5f2b..3b886263da43d05523bace0ad3b569948a5e1d67 100644 (file)
@@ -229,7 +229,7 @@ static int des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 
     switch (type) {
     case EVP_CTRL_RAND_KEY:
-        if (RAND_bytes(ptr, 8) <= 0)
+        if (RAND_priv_bytes(ptr, 8) <= 0)
             return 0;
         DES_set_odd_parity((DES_cblock *)ptr);
         return 1;
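Review bot: The `EVP_CTRL_RAND_KEY` case fills the key using a literal `8` and sets parity but never rejects weak keys, unlike `DES_random_key` in crypto/des/rand_key.c, which loops on `DES_is_weak_key`. Replacing the three lines with `return DES_random_key((DES_cblock *)ptr);` would keep one key-generation policy and remove the magic number. The `des3_ctrl` hunk in crypto/evp/e_des3.c has the same gap for each sub-key. The rest of the `switch` is outside the hunk.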
index da77936c969cbf7b6f751023cc86f8042f803ddc..7a2c12dbb740b86565c6688180f7ff510b905419 100644 (file)
@@ -283,7 +283,7 @@ static int des3_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 
     switch (type) {
     case EVP_CTRL_RAND_KEY:
-        if (RAND_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0)
+        if (RAND_priv_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0)
             return 0;
         DES_set_odd_parity(deskey);
         if (EVP_CIPHER_CTX_key_length(ctx) >= 16)
index 0297d2eea7c64e569b430d65356157067aae7e31..38633410cd1ab4bb6fd4164cac60d75e929b19e6 100644 (file)
@@ -602,7 +602,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
 {
     if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
         return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
-    if (RAND_bytes(key, ctx->key_len) <= 0)
+    if (RAND_priv_bytes(key, ctx->key_len) <= 0)
         return 0;
     return 1;
 }
index 99a3f1424c0162ad11102a4dcece50c414d3f1f6..7cac8e9eb5499879783634ebada51b56635d4a82 100644 (file)
@@ -166,7 +166,7 @@ int RAND_write_file(const char *file)
 #endif
 
     /* Collect enough random data. */
-    if (RAND_bytes(buf, (int)sizeof(buf)) != 1)
+    if (RAND_priv_bytes(buf, (int)sizeof(buf)) != 1)
         return  -1;
 
 #if defined(O_CREAT) && !defined(OPENSSL_NO_POSIX_IO) && \
index 56ae94b19608bc25c59e2de4fe6159b0fb958990..b85033b3058d6ccf61f8b4cbba0697265d11515a 100644 (file)
@@ -422,7 +422,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username)
     if (!SRP_user_pwd_set_ids(user, username, NULL))
         goto err;
 
-    if (RAND_bytes(digv, SHA_DIGEST_LENGTH) <= 0)
+    if (RAND_priv_bytes(digv, SHA_DIGEST_LENGTH) <= 0)
         goto err;
     ctxt = EVP_MD_CTX_new();
     if (ctxt == NULL
index 9d4c4d48998066e41cd866d610a70071ba30af32..1509423020b4a24dff4514bc8c1f702f63da5f4e 100644 (file)
@@ -3047,13 +3047,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     /* Setup RFC5077 ticket keys */
     if ((RAND_bytes(ret->ext.tick_key_name,
                     sizeof(ret->ext.tick_key_name)) <= 0)
-        || (RAND_bytes(ret->ext.secure->tick_hmac_key,
+        || (RAND_priv_bytes(ret->ext.secure->tick_hmac_key,
                        sizeof(ret->ext.secure->tick_hmac_key)) <= 0)
-        || (RAND_bytes(ret->ext.secure->tick_aes_key,
+        || (RAND_priv_bytes(ret->ext.secure->tick_aes_key,
                        sizeof(ret->ext.secure->tick_aes_key)) <= 0))
         ret->options |= SSL_OP_NO_TICKET;
 
-    if (RAND_bytes(ret->ext.cookie_hmac_key,
+    if (RAND_priv_bytes(ret->ext.cookie_hmac_key,
                    sizeof(ret->ext.cookie_hmac_key)) <= 0)
         goto err;
 
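Review bot: `tick_key_name` stays on `RAND_bytes` while the two ticket keys beside it move to `RAND_priv_bytes`, and a reader cannot tell whether that was deliberate or an omission. A one-line comment above the condition, e.g. `/* the key name is sent in the clear; the HMAC and AES keys are secret */`, would record the intent. The continuation lines after the renamed calls, here and in `tls_process_cke_rsa` in ssl/statem/statem_srvr.c, are still aligned to the shorter `RAND_bytes(` and should be indented five more columns. `SSL_CTX_new` extends beyond the hunk.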
index 876b6a79e3e45bb23234e318a567b542a4d7b940..60e0bc73734bd8db429e6203a030456dc8721281 100644 (file)
@@ -2936,7 +2936,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
      * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
      */
 
-    if (RAND_bytes(rand_premaster_secret,
+    if (RAND_priv_bytes(rand_premaster_secret,
                       sizeof(rand_premaster_secret)) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                  ERR_R_INTERNAL_ERROR);
index 87614cb00363be8d0141376e33428c30b59b182b..f94e46b4e872c0c0b5585ee9847205ea9aa8f652 100644 (file)
@@ -157,7 +157,7 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad)
         (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
         return SSL3_AL_FATAL;
 
-    if (RAND_bytes(b, sizeof(b)) <= 0)
+    if (RAND_priv_bytes(b, sizeof(b)) <= 0)
         return SSL3_AL_FATAL;
     s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
     OPENSSL_cleanse(b, sizeof(b));
@@ -369,7 +369,7 @@ int SRP_Calc_A_param(SSL *s)
 {
     unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
 
-    if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
+    if (RAND_priv_bytes(rnd, sizeof(rnd)) <= 0)
         return 0;
     s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
     OPENSSL_cleanse(rnd, sizeof(rnd));