From 16cfc2c90d9e7776965db07c1f31bbec2f6c41e3 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Thu, 8 Mar 2018 22:30:28 +0100 Subject: [PATCH] Don't use a ssl specific DRBG anymore Since the public and private DRBG are per thread we don't need one per ssl object anymore. It could also try to get entropy from a DRBG that's really from an other thread because the SSL object moved to an other thread. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/5547) --- crypto/evp/e_aes.c | 22 ++++-------------- crypto/evp/e_aes_cbc_hmac_sha1.c | 15 +++--------- crypto/evp/e_aes_cbc_hmac_sha256.c | 15 +++--------- crypto/evp/e_aria.c | 11 +++------ crypto/evp/e_des.c | 8 +------ crypto/evp/e_des3.c | 13 ++--------- crypto/evp/evp_enc.c | 14 +---------- crypto/evp/evp_locl.h | 1 - crypto/evp/p_seal.c | 13 +++-------- doc/man3/EVP_EncryptInit.pod | 14 ----------- include/openssl/evp.h | 2 -- ssl/record/ssl3_record.c | 2 +- ssl/s3_enc.c | 1 - ssl/s3_lib.c | 6 ++--- ssl/ssl_lib.c | 37 ------------------------------ ssl/ssl_locl.h | 2 -- ssl/ssl_sess.c | 2 +- ssl/statem/statem_clnt.c | 7 +++--- ssl/statem/statem_srvr.c | 9 ++++---- ssl/t1_enc.c | 1 - ssl/tls13_enc.c | 1 - ssl/tls_srp.c | 4 ++-- 22 files changed, 35 insertions(+), 165 deletions(-) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 2421385425..1d5007acf8 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -17,7 +17,6 @@ #include "internal/evp_int.h" #include "modes_lcl.h" #include -#include #include "evp_locl.h" typedef struct { @@ -1405,14 +1404,8 @@ static int s390x_aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) memcpy(gctx->iv, ptr, arg); enc = EVP_CIPHER_CTX_encrypting(c); - if (enc) { - if (c->drbg != NULL) { - if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0) - return 0; - } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) { - return 0; - } - } + if (enc && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) + return 0; gctx->iv_gen = 1; return 1; @@ -2639,14 +2632,9 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) return 0; if (arg) memcpy(gctx->iv, ptr, arg); - if (EVP_CIPHER_CTX_encrypting(c)) { - if (c->drbg != NULL) { - if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0) - return 0; - } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) { - return 0; - } - } + if (EVP_CIPHER_CTX_encrypting(c) + && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) + return 0; gctx->iv_gen = 1; return 1; diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index ac564a20f8..09d24dc3d0 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -17,11 +17,9 @@ #include #include #include -#include #include "modes_lcl.h" #include "internal/evp_int.h" #include "internal/constant_time_locl.h" -#include "evp_locl.h" typedef struct { AES_KEY ks; @@ -156,8 +154,7 @@ void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int); static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, unsigned char *out, const unsigned char *inp, - size_t inp_len, int n4x, - RAND_DRBG *drbg) + size_t inp_len, int n4x) { /* n4x is 1 or 2 */ HASH_DESC hash_d[8], edges[8]; CIPH_DESC ciph_d[8]; @@ -177,13 +174,8 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA1 *key, # endif /* ask for IVs in bulk */ - IVs = blocks[0].c; - if (drbg != NULL) { - if (RAND_DRBG_bytes(drbg, IVs, 16 * x4) == 0) - return 0; - } else if (RAND_bytes(IVs, 16 * x4) <= 0) { + if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0) return 0; - } ctx = (SHA1_MB_CTX *) (storage + 32 - ((size_t)storage % 32)); /* align */ @@ -901,8 +893,7 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, return (int)tls1_1_multi_block_encrypt(key, param->out, param->inp, param->len, - param->interleave / 4, - ctx->drbg); + param->interleave / 4); } case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT: # endif diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c index e752d304b6..caac0c9d3d 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha256.c +++ b/crypto/evp/e_aes_cbc_hmac_sha256.c @@ -18,11 +18,9 @@ #include #include #include -#include #include "modes_lcl.h" #include "internal/constant_time_locl.h" #include "internal/evp_int.h" -#include "evp_locl.h" typedef struct { AES_KEY ks; @@ -152,8 +150,7 @@ void aesni_multi_cbc_encrypt(CIPH_DESC *, void *, int); static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, unsigned char *out, const unsigned char *inp, - size_t inp_len, int n4x, - RAND_DRBG *drbg) + size_t inp_len, int n4x) { /* n4x is 1 or 2 */ HASH_DESC hash_d[8], edges[8]; CIPH_DESC ciph_d[8]; @@ -173,13 +170,8 @@ static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key, # endif /* ask for IVs in bulk */ - IVs = blocks[0].c; - if (drbg != NULL) { - if (RAND_DRBG_bytes(drbg, IVs, 16 * x4) == 0) - return 0; - } else if (RAND_bytes(IVs, 16 * x4) <= 0) { + if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0) return 0; - } /* align */ ctx = (SHA256_MB_CTX *) (storage + 32 - ((size_t)storage % 32)); @@ -885,8 +877,7 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, return (int)tls1_1_multi_block_encrypt(key, param->out, param->inp, param->len, - param->interleave / 4, - ctx->drbg); + param->interleave / 4); } case EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT: # endif diff --git a/crypto/evp/e_aria.c b/crypto/evp/e_aria.c index 9c1036b4bd..ffd9530d57 100644 --- a/crypto/evp/e_aria.c +++ b/crypto/evp/e_aria.c @@ -302,14 +302,9 @@ static int aria_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) return 0; if (arg) memcpy(gctx->iv, ptr, arg); - if (EVP_CIPHER_CTX_encrypting(c)) { - if (c->drbg != NULL) { - if (RAND_DRBG_bytes(c->drbg, gctx->iv + arg, gctx->ivlen - arg) == 0) - return 0; - } else if (RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) { - return 0; - } - } + if (EVP_CIPHER_CTX_encrypting(c) + && RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) + return 0; gctx->iv_gen = 1; return 1; diff --git a/crypto/evp/e_des.c b/crypto/evp/e_des.c index 3b4b714e38..9b2facfecf 100644 --- a/crypto/evp/e_des.c +++ b/crypto/evp/e_des.c @@ -15,8 +15,6 @@ # include "internal/evp_int.h" # include # include -# include -# include "evp_locl.h" typedef struct { union { @@ -231,12 +229,8 @@ static int des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) switch (type) { case EVP_CTRL_RAND_KEY: - if (c->drbg != NULL) { - if (RAND_DRBG_bytes(c->drbg, ptr, 8) == 0) - return 0; - } else if (RAND_bytes(ptr, 8) <= 0) { + if (RAND_bytes(ptr, 8) <= 0) return 0; - } DES_set_odd_parity((DES_cblock *)ptr); return 1; diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index b8fe42cb96..da77936c96 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -15,7 +15,6 @@ # include "internal/evp_int.h" # include # include -# include # include "evp_locl.h" typedef struct { @@ -284,12 +283,8 @@ static int des3_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) switch (type) { case EVP_CTRL_RAND_KEY: - if (ctx->drbg != NULL) { - if (RAND_DRBG_bytes(ctx->drbg, ptr, EVP_CIPHER_CTX_key_length(ctx)) == 0) - return 0; - } else if (RAND_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) { + if (RAND_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) return 0; - } DES_set_odd_parity(deskey); if (EVP_CIPHER_CTX_key_length(ctx) >= 16) DES_set_odd_parity(deskey + 1); @@ -377,12 +372,8 @@ static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out, memcpy(out + inl + 8, sha1tmp, 8); OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH); /* Generate random IV */ - if (ctx->drbg != NULL) { - if (RAND_DRBG_bytes(ctx->drbg, EVP_CIPHER_CTX_iv_noconst(ctx), 8) == 0) - return -1; - } else if (RAND_bytes(EVP_CIPHER_CTX_iv_noconst(ctx), 8) <= 0) { + if (RAND_bytes(EVP_CIPHER_CTX_iv_noconst(ctx), 8) <= 0) return -1; - } memcpy(out, EVP_CIPHER_CTX_iv_noconst(ctx), 8); /* Encrypt everything after IV in place */ des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8); diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 9832e562b2..cc710435e7 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -579,14 +579,6 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) { int ret; - if (type == EVP_CTRL_GET_DRBG) { - *(RAND_DRBG **)ptr = ctx->drbg; - return 1; - } - if (type == EVP_CTRL_SET_DRBG) { - ctx->drbg = ptr; - return 1; - } if (!ctx->cipher) { EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET); return 0; @@ -610,12 +602,8 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) { if (ctx->cipher->flags & EVP_CIPH_RAND_KEY) return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key); - if (ctx->drbg) { - if (RAND_DRBG_bytes(ctx->drbg, key, ctx->key_len) == 0) - return 0; - } else if (RAND_bytes(key, ctx->key_len) <= 0) { + if (RAND_bytes(key, ctx->key_len) <= 0) return 0; - } return 1; } diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h index 82b9433f75..209577b7c2 100644 --- a/crypto/evp/evp_locl.h +++ b/crypto/evp/evp_locl.h @@ -39,7 +39,6 @@ struct evp_cipher_ctx_st { int final_used; int block_mask; unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ - RAND_DRBG *drbg; } /* EVP_CIPHER_CTX */ ; int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c index 731879330b..50ea60235a 100644 --- a/crypto/evp/p_seal.c +++ b/crypto/evp/p_seal.c @@ -14,8 +14,6 @@ #include #include #include -#include -#include "evp_locl.h" int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek, int *ekl, unsigned char *iv, @@ -33,14 +31,9 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, return 1; if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) return 0; - if (EVP_CIPHER_CTX_iv_length(ctx)) { - if (ctx->drbg) { - if (RAND_DRBG_bytes(ctx->drbg, iv, EVP_CIPHER_CTX_iv_length(ctx)) == 0) - return 0; - } else if (RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) { - return 0; - } - } + if (EVP_CIPHER_CTX_iv_length(ctx) + && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) + return 0; if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) return 0; diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index b1b51cb3a0..030b010898 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -457,20 +457,6 @@ This call is only valid when decrypting data. =back -=head1 Random numbers - -The following can be used to select the DRBG that is used to generate the random -numbers: - -EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, drbg) - -The following can be used to get the DRBG: - -EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_DRBG, 0, &drbg) - -By default it's set to NULL which results in RAND_bytes() being used. - - =head1 NOTES Where possible the B interface to symmetric ciphers should be used in diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 29fd3e28fa..328587d6bb 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -347,8 +347,6 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *, # define EVP_CTRL_SET_PIPELINE_INPUT_BUFS 0x23 /* Set the input buffer lengths to use for a pipelined operation */ # define EVP_CTRL_SET_PIPELINE_INPUT_LENS 0x24 -# define EVP_CTRL_GET_DRBG 0x25 -# define EVP_CTRL_SET_DRBG 0x26 /* Padding modes */ #define EVP_PADDING_PKCS7 1 diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index fa902f30fb..c21a478a71 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -972,7 +972,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending) SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); return -1; - } else if (ssl_randbytes(s, recs[ctr].input, ivlen) <= 0) { + } else if (RAND_bytes(recs[ctr].input, ivlen) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_ENC, ERR_R_INTERNAL_ERROR); return -1; diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 966d498e61..d6a08de5a6 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -168,7 +168,6 @@ int ssl3_change_cipher_state(SSL *s, int which) */ EVP_CIPHER_CTX_reset(s->enc_write_ctx); } - EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); dd = s->enc_write_ctx; if (ssl_replace_hash(&s->write_hash, m) == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index f230b5ff46..bbf49a205d 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4524,12 +4524,12 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, unsigned char *p = result; l2n(Time, p); - ret = ssl_randbytes(s, p, len - 4); + ret = RAND_bytes(p, len - 4); } else { - ret = ssl_randbytes(s, result, len); + ret = RAND_bytes(result, len); } #ifndef OPENSSL_NO_TLS13DOWNGRADE - if (ret) { + if (ret > 0) { if (!ossl_assert(sizeof(tls11downgrade) < len) || !ossl_assert(sizeof(tls12downgrade) < len)) return 0; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index cd972ae63f..e42333160b 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -690,20 +690,6 @@ SSL *SSL_new(SSL_CTX *ctx) goto err; } - /* - * If not using the standard RAND (say for fuzzing), then don't use a - * chained DRBG. - */ - if (RAND_get_rand_method() == RAND_OpenSSL()) { - s->drbg = - RAND_DRBG_new(0, 0, RAND_DRBG_get0_public()); - if (s->drbg == NULL - || RAND_DRBG_instantiate(s->drbg, - (const unsigned char *) SSL_version_str, - sizeof(SSL_version_str) - 1) == 0) - goto err; - } - RECORD_LAYER_init(&s->rlayer, s); s->options = ctx->options; @@ -1220,7 +1206,6 @@ void SSL_free(SSL *s) sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); #endif - RAND_DRBG_free(s->drbg); CRYPTO_THREAD_lock_free(s->lock); OPENSSL_free(s); @@ -5397,28 +5382,6 @@ uint32_t SSL_get_max_early_data(const SSL *s) return s->max_early_data; } -int ssl_randbytes(SSL *s, unsigned char *rnd, size_t size) -{ - if (s->drbg != NULL) { - /* - * Currently, it's the duty of the caller to serialize the generate - * requests to the DRBG. So formally we have to check whether - * s->drbg->lock != NULL and take the lock if this is the case. - * However, this DRBG is unique to a given SSL object, and we already - * require that SSL objects are only accessed by a single thread at - * a given time. Also, SSL DRBGs have no child DRBG, so there is - * no risk that this DRBG is accessed by a child DRBG in parallel - * for reseeding. As such, we can rely on the application's - * serialization of SSL accesses for the needed concurrency protection - * here. - */ - return RAND_DRBG_bytes(s->drbg, rnd, size); - } - if (size > INT_MAX) - return 0; - return RAND_bytes(rnd, size); -} - __owur unsigned int ssl_get_max_send_fragment(const SSL *ssl) { /* Return any active Max Fragment Len extension */ diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 4b8482aeb7..83a033445d 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1407,7 +1407,6 @@ struct ssl_st { size_t block_padding; CRYPTO_RWLOCK *lock; - RAND_DRBG *drbg; }; /* @@ -2238,7 +2237,6 @@ __owur int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags); __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref); -__owur int ssl_randbytes(SSL *s, unsigned char *buf, size_t num); __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other); __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 6513bf84cc..2dd54566ef 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -295,7 +295,7 @@ static int def_generate_session_id(SSL *ssl, unsigned char *id, { unsigned int retry = 0; do - if (ssl_randbytes(ssl, id, *id_len) <= 0) + if (RAND_bytes(id, *id_len) <= 0) return 0; while (SSL_has_matching_session_id(ssl, id, *id_len) && (++retry < MAX_SESS_ID_ATTEMPTS)) ; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index d770706a6e..86cf5b6ab2 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1188,8 +1188,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) s->tmp_session_id_len = sess_id_len; session_id = s->tmp_session_id; if (s->hello_retry_request == SSL_HRR_NONE - && ssl_randbytes(s, s->tmp_session_id, - sess_id_len) <= 0) { + && RAND_bytes(s->tmp_session_id, sess_id_len) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); @@ -2925,7 +2924,7 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt) pms[0] = s->client_version >> 8; pms[1] = s->client_version & 0xff; /* TODO(size_t): Convert this function */ - if (ssl_randbytes(s, pms + 2, (int)(pmslen - 2)) <= 0) { + if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_MALLOC_FAILURE); goto err; @@ -3146,7 +3145,7 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) /* Generate session key * TODO(size_t): Convert this function */ - || ssl_randbytes(s, pms, (int)pmslen) <= 0) { + || RAND_bytes(pms, (int)pmslen) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR); goto err; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index c198aa7246..8826b7f00f 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2737,7 +2737,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) OPENSSL_free(s->pha_context); s->pha_context_len = 32; if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL - || ssl_randbytes(s, s->pha_context, s->pha_context_len) <= 0 + || RAND_bytes(s->pha_context, s->pha_context_len) <= 0 || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, @@ -2926,7 +2926,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt) * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */ - if (ssl_randbytes(s, rand_premaster_secret, + if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR); @@ -3692,7 +3692,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) /* SSLfatal() already called */ goto err; } - if (ssl_randbytes(s, age_add_u.age_add_c, sizeof(age_add_u)) <= 0) { + if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); @@ -3758,7 +3758,6 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); goto err; } - EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); p = senc; if (!i2d_SSL_SESSION(s->session, &p)) { @@ -3830,7 +3829,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) const EVP_CIPHER *cipher = EVP_aes_256_cbc(); iv_len = EVP_CIPHER_iv_length(cipher); - if (ssl_randbytes(s, iv, iv_len) <= 0 + if (RAND_bytes(iv, iv_len) <= 0 || !EVP_EncryptInit_ex(ctx, cipher, NULL, tctx->ext.tick_aes_key, iv) || !HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key, diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index a138b60633..58d5e25361 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -171,7 +171,6 @@ int tls1_change_cipher_state(SSL *s, int which) ERR_R_MALLOC_FAILURE); goto err; } - EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); dd = s->enc_write_ctx; if (SSL_IS_DTLS(s)) { mac_ctx = EVP_MD_CTX_new(); diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 7f4395843a..a793e0c8af 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -407,7 +407,6 @@ int tls13_change_cipher_state(SSL *s, int which) SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); goto err; } - EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg); } ciph_ctx = s->enc_write_ctx; iv = s->write_iv; diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c index d7323289ac..87614cb003 100644 --- a/ssl/tls_srp.c +++ b/ssl/tls_srp.c @@ -157,7 +157,7 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad) (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL)) return SSL3_AL_FATAL; - if (ssl_randbytes(s, b, sizeof(b)) <= 0) + if (RAND_bytes(b, sizeof(b)) <= 0) return SSL3_AL_FATAL; s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL); OPENSSL_cleanse(b, sizeof(b)); @@ -369,7 +369,7 @@ int SRP_Calc_A_param(SSL *s) { unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; - if (ssl_randbytes(s, rnd, sizeof(rnd)) <= 0) + if (RAND_bytes(rnd, sizeof(rnd)) <= 0) return 0; s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); OPENSSL_cleanse(rnd, sizeof(rnd)); -- 2.25.1