From 266483d2f56b0764849797f31866bfd84f9c3aa8 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 26 Feb 2015 11:57:37 +0000 Subject: [PATCH] RAND_bytes updates Ensure RAND_bytes return value is checked correctly, and that we no longer use RAND_pseudo_bytes. Reviewed-by: Richard Levitte --- apps/enc.c | 2 +- apps/passwd.c | 4 ++-- apps/s_cb.c | 2 +- apps/s_server.c | 3 ++- apps/speed.c | 4 ++-- crypto/asn1/asn_mime.c | 3 ++- crypto/asn1/p5_pbe.c | 2 +- crypto/asn1/p5_pbev2.c | 4 ++-- crypto/bio/bf_nbio.c | 6 ++++-- crypto/bn/bn_lcl.h | 2 +- crypto/bn/bn_rand.c | 5 +++-- crypto/cms/cms_enc.c | 2 +- crypto/cms/cms_ess.c | 3 +-- crypto/cms/cms_pwri.c | 7 ++++--- crypto/des/enc_writ.c | 3 ++- crypto/dsa/dsa_gen.c | 4 ++-- crypto/ecdsa/ecdsatest.c | 3 +-- crypto/evp/bio_ok.c | 3 ++- crypto/evp/e_des3.c | 3 ++- crypto/evp/p_seal.c | 5 +++-- crypto/ocsp/ocsp_ext.c | 4 ++-- crypto/pem/pem_lib.c | 2 +- crypto/pkcs12/p12_mutl.c | 2 +- crypto/pkcs7/pk7_doit.c | 2 +- crypto/rand/randtest.c | 4 ++-- crypto/srp/srp_vfy.c | 9 ++++++--- crypto/srp/srptest.c | 4 ++-- demos/easy_tls/easy-tls.c | 3 ++- ssl/d1_both.c | 18 ++++++++++++++---- ssl/s23_clnt.c | 5 +++-- ssl/s3_clnt.c | 7 ++++++- ssl/s3_srvr.c | 5 +---- ssl/ssl_lib.c | 2 +- ssl/ssl_sess.c | 2 +- ssl/t1_lib.c | 19 ++++++++++++++----- test/igetest.c | 8 ++++---- 36 files changed, 100 insertions(+), 66 deletions(-) diff --git a/apps/enc.c b/apps/enc.c index 3bf4a6eb04..1739b7ec23 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -505,7 +505,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "invalid hex salt value\n"); goto end; } - } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0) + } else if (RAND_bytes(salt, sizeof salt) <= 0) goto end; /* * If -P option then don't bother writing diff --git a/apps/passwd.c b/apps/passwd.c index 5ff53b5743..798a6d5936 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -416,7 +416,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, if (*salt_malloc_p == NULL) goto err; } - if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0) + if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0) goto err; (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */ (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */ @@ -437,7 +437,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, if (*salt_malloc_p == NULL) goto err; } - if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0) + if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0) goto err; for (i = 0; i < 8; i++) diff --git a/apps/s_cb.c b/apps/s_cb.c index 8bc4b81710..ea7d35c700 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -949,7 +949,7 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, /* Initialize a random secret */ if (!cookie_initialized) { - if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) { + if (RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH) <= 0) { BIO_printf(bio_err, "error setting random cookie secret\n"); return 0; } diff --git a/apps/s_server.c b/apps/s_server.c index 97aa23da19..c3884d26ab 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -3199,7 +3199,8 @@ static int generate_session_id(const SSL *ssl, unsigned char *id, { unsigned int count = 0; do { - RAND_pseudo_bytes(id, *id_len); + if (RAND_bytes(id, *id_len) <= 0) + return 0; /* * Prefix the session_id with the required prefix. NB: If our prefix * is too long, clip it - but there will be worse effects anyway, eg. diff --git a/apps/speed.c b/apps/speed.c index b023f2877f..d2034a4898 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -1967,7 +1967,7 @@ int MAIN(int argc, char **argv) } #ifndef OPENSSL_SYS_WIN32 #endif - RAND_pseudo_bytes(buf, 36); + RAND_bytes(buf, 36); #ifndef OPENSSL_NO_RSA for (j = 0; j < RSA_NUM; j++) { int ret; @@ -2039,7 +2039,7 @@ int MAIN(int argc, char **argv) } #endif - RAND_pseudo_bytes(buf, 20); + RAND_bytes(buf, 20); #ifndef OPENSSL_NO_DSA if (RAND_status() != 1) { RAND_seed(rnd_seed, sizeof rnd_seed); diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c index 28622f2815..e96fb02094 100644 --- a/crypto/asn1/asn_mime.c +++ b/crypto/asn1/asn_mime.c @@ -286,7 +286,8 @@ int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags, if ((flags & SMIME_DETACHED) && data) { /* We want multipart/signed */ /* Generate a random boundary */ - RAND_pseudo_bytes((unsigned char *)bound, 32); + if (RAND_bytes((unsigned char *)bound, 32) <= 0) + return 0; for (i = 0; i < 32; i++) { c = bound[i] & 0xf; if (c < 10) diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c index d54b0943fe..a65b659452 100644 --- a/crypto/asn1/p5_pbe.c +++ b/crypto/asn1/p5_pbe.c @@ -101,7 +101,7 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, sstr = ASN1_STRING_data(pbe->salt); if (salt) memcpy(sstr, salt, saltlen); - else if (RAND_pseudo_bytes(sstr, saltlen) < 0) + else if (RAND_bytes(sstr, saltlen) <= 0) goto err; if (!ASN1_item_pack(pbe, ASN1_ITEM_rptr(PBEPARAM), &pbe_str)) { diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index c56d850a74..60abbe2649 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -120,7 +120,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, if (EVP_CIPHER_iv_length(cipher)) { if (aiv) memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher)); - else if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0) + else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0) goto err; } @@ -225,7 +225,7 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, if (salt) memcpy(osalt->data, salt, saltlen); - else if (RAND_pseudo_bytes(osalt->data, saltlen) < 0) + else if (RAND_bytes(osalt->data, saltlen) <= 0) goto merr; if (iter <= 0) diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c index 3af58bd38f..0ba6055e07 100644 --- a/crypto/bio/bf_nbio.c +++ b/crypto/bio/bf_nbio.c @@ -136,7 +136,8 @@ static int nbiof_read(BIO *b, char *out, int outl) return (0); BIO_clear_retry_flags(b); - RAND_pseudo_bytes(&n, 1); + if (RAND_bytes(&n, 1) <= 0) + return -1; num = (n & 0x07); if (outl > num) @@ -172,7 +173,8 @@ static int nbiof_write(BIO *b, const char *in, int inl) num = nt->lwn; nt->lwn = 0; } else { - RAND_pseudo_bytes(&n, 1); + if (RAND_bytes(&n, 1) <= 0) + return -1; num = (n & 7); } diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h index ba22f3a125..a24ae7fdc9 100644 --- a/crypto/bn/bn_lcl.h +++ b/crypto/bn/bn_lcl.h @@ -168,7 +168,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num); * wouldn't be constructed with top!=dmax. */ \ BN_ULONG *_not_const; \ memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \ - RAND_pseudo_bytes(&_tmp_char, 1); \ + RAND_bytes(&_tmp_char, 1); /* Debug only - safe to ignore error return */\ memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \ (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \ } \ diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 9488454c12..be58a5ab2f 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -142,7 +142,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) RAND_add(&tim, sizeof(tim), 0.0); if (pseudorand) { - if (RAND_pseudo_bytes(buf, bytes) == -1) + if (RAND_bytes(buf, bytes) <= 0) goto err; } else { if (RAND_bytes(buf, bytes) <= 0) @@ -157,7 +157,8 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) unsigned char c; for (i = 0; i < bytes; i++) { - RAND_pseudo_bytes(&c, 1); + if (RAND_bytes(&c, 1) <= 0) + goto err; if (c >= 128 && i > 0) buf[i] = buf[i - 1]; else if (c < 42) diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c index 85ae928a49..ffa85fc0dd 100644 --- a/crypto/cms/cms_enc.c +++ b/crypto/cms/cms_enc.c @@ -119,7 +119,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) /* Generate a random IV if we need one */ ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { - if (RAND_pseudo_bytes(iv, ivlen) <= 0) + if (RAND_bytes(iv, ivlen) <= 0) goto err; piv = iv; } diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index 8631a2eb2b..8212560628 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -107,8 +107,7 @@ CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen, else { if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32)) goto merr; - if (RAND_pseudo_bytes(rr->signedContentIdentifier->data, 32) - <= 0) + if (RAND_bytes(rr->signedContentIdentifier->data, 32) <= 0) goto err; } diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index dd5f636145..83a65d2f59 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -131,7 +131,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, ivlen = EVP_CIPHER_CTX_iv_length(&ctx); if (ivlen > 0) { - if (RAND_pseudo_bytes(iv, ivlen) <= 0) + if (RAND_bytes(iv, ivlen) <= 0) goto err; if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) { CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB); @@ -299,8 +299,9 @@ static int kek_wrap_key(unsigned char *out, size_t *outlen, out[3] = in[2] ^ 0xFF; memcpy(out + 4, in, inlen); /* Add random padding to end */ - if (olen > inlen + 4) - RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen); + if (olen > inlen + 4 + && RAND_bytes(out + 4 + inlen, olen - 4 - inlen) <= 0) + return 0; /* Encrypt twice */ if (!EVP_EncryptUpdate(ctx, out, &dummy, out, olen) || !EVP_EncryptUpdate(ctx, out, &dummy, out, olen)) diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c index b4eecc3812..55cc7fcb41 100644 --- a/crypto/des/enc_writ.c +++ b/crypto/des/enc_writ.c @@ -132,7 +132,8 @@ int DES_enc_write(int fd, const void *_buf, int len, if (len < 8) { cp = shortbuf; memcpy(shortbuf, buf, len); - RAND_pseudo_bytes(shortbuf + len, 8 - len); + if (RAND_bytes(shortbuf + len, 8 - len) <= 0) + return -1; rnum = 8; } else { cp = buf; diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index 37b23c9f41..3506bc3dd1 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -173,7 +173,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, goto err; if (!seed_len) { - if (RAND_pseudo_bytes(seed, qsize) < 0) + if (RAND_bytes(seed, qsize) <= 0) goto err; seed_is_random = 1; } else { @@ -448,7 +448,7 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, goto err; if (!seed_in) { - if (RAND_pseudo_bytes(seed, seed_len) < 0) + if (RAND_bytes(seed, seed_len) <= 0) goto err; } /* step 2 */ diff --git a/crypto/ecdsa/ecdsatest.c b/crypto/ecdsa/ecdsatest.c index 31d9c84e99..c2132da882 100644 --- a/crypto/ecdsa/ecdsatest.c +++ b/crypto/ecdsa/ecdsatest.c @@ -311,8 +311,7 @@ int test_builtin(BIO *out) int nid, ret = 0; /* fill digest values with some random data */ - if (!RAND_pseudo_bytes(digest, 20) || - !RAND_pseudo_bytes(wrong_digest, 20)) { + if (RAND_bytes(digest, 20) <= 0 || RAND_bytes(wrong_digest, 20) <= 0) { BIO_printf(out, "ERROR: unable to get random data\n"); goto builtin_err; } diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c index b097a4d57b..ffdde6cf79 100644 --- a/crypto/evp/bio_ok.c +++ b/crypto/evp/bio_ok.c @@ -491,7 +491,8 @@ static int sig_out(BIO *b) * FIXME: there's absolutely no guarantee this makes any sense at all, * particularly now EVP_MD_CTX has been restructured. */ - RAND_pseudo_bytes(md->md_data, md->digest->md_size); + if (RAND_bytes(md->md_data, md->digest->md_size) <= 0) + goto berr; memcpy(&(ctx->buf[ctx->buf_len]), md->md_data, md->digest->md_size); longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size); ctx->buf_len += md->digest->md_size; diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 73d792304f..c720242af7 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -439,7 +439,8 @@ static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out, memcpy(out + inl + 8, sha1tmp, 8); OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH); /* Generate random IV */ - RAND_bytes(ctx->iv, 8); + if (RAND_bytes(ctx->iv, 8) <= 0) + return -1; memcpy(out, ctx->iv, 8); /* Encrypt everything after IV in place */ des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8); diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c index caabbf406f..ba9dfff215 100644 --- a/crypto/evp/p_seal.c +++ b/crypto/evp/p_seal.c @@ -82,8 +82,9 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, return 1; if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) return 0; - if (EVP_CIPHER_CTX_iv_length(ctx)) - RAND_pseudo_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)); + if (EVP_CIPHER_CTX_iv_length(ctx) + && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) + return 0; if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) return 0; diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c index 4c6edb1f2c..b564259134 100644 --- a/crypto/ocsp/ocsp_ext.c +++ b/crypto/ocsp/ocsp_ext.c @@ -319,8 +319,8 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL); if (val) memcpy(tmpval, val, len); - else - RAND_pseudo_bytes(tmpval, len); + else if (RAND_bytes(tmpval, len) <= 0) + goto err; if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, X509V3_ADD_REPLACE)) goto err; diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index 410c2b2b95..70e6a70772 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -387,7 +387,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, } RAND_add(data, i, 0); /* put in the RSA key. */ OPENSSL_assert(enc->iv_len <= (int)sizeof(iv)); - if (RAND_pseudo_bytes(iv, enc->iv_len) < 0) /* Generate a salt */ + if (RAND_bytes(iv, enc->iv_len) <= 0) /* Generate a salt */ goto err; /* * The 'iv' is used as the iv and as a salt. It is NOT taken from diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index d5eb8ffe74..252aca0021 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -177,7 +177,7 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, return 0; } if (!salt) { - if (RAND_pseudo_bytes(p12->mac->salt->data, saltlen) < 0) + if (RAND_bytes(p12->mac->salt->data, saltlen) <= 0) return 0; } else memcpy(p12->mac->salt->data, salt, saltlen); diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 0200b3b91f..f77326b883 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -340,7 +340,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) ivlen = EVP_CIPHER_iv_length(evp_cipher); xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); if (ivlen > 0) - if (RAND_pseudo_bytes(iv, ivlen) <= 0) + if (RAND_bytes(iv, ivlen) <= 0) goto err; if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1) <= 0) goto err; diff --git a/crypto/rand/randtest.c b/crypto/rand/randtest.c index 267752e4f5..67acf700ee 100644 --- a/crypto/rand/randtest.c +++ b/crypto/rand/randtest.c @@ -77,8 +77,8 @@ int main(int argc, char **argv) */ long d; - i = RAND_pseudo_bytes(buf, 2500); - if (i < 0) { + i = RAND_bytes(buf, 2500); + if (i <= 0) { printf("init failed, the rand method is not properly installed\n"); err++; goto err; diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 4aed5b4ba5..9d83a8f606 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -498,7 +498,8 @@ SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username) if (!SRP_user_pwd_set_ids(user, username, NULL)) goto err; - RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH); + if (RAND_bytes(digv, SHA_DIGEST_LENGTH) <= 0) + goto err; EVP_MD_CTX_init(&ctxt); EVP_DigestInit_ex(&ctxt, EVP_sha1(), NULL); EVP_DigestUpdate(&ctxt, vb->seed_key, strlen(vb->seed_key)); @@ -550,7 +551,8 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, } if (*salt == NULL) { - RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN); + if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0) + goto err; s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); } else { @@ -608,7 +610,8 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, goto err; if (*salt == NULL) { - RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN); + if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0) + goto err; *salt = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); } diff --git a/crypto/srp/srptest.c b/crypto/srp/srptest.c index 17a8256f86..1d463cd782 100644 --- a/crypto/srp/srptest.c +++ b/crypto/srp/srptest.c @@ -59,7 +59,7 @@ static int run_srp(const char *username, const char *client_pass, showbn("Verifier", v); /* Server random */ - RAND_pseudo_bytes(rand_tmp, sizeof(rand_tmp)); + RAND_bytes(rand_tmp, sizeof(rand_tmp)); b = BN_bin2bn(rand_tmp, sizeof(rand_tmp), NULL); /* TODO - check b != 0 */ showbn("b", b); @@ -74,7 +74,7 @@ static int run_srp(const char *username, const char *client_pass, } /* Client random */ - RAND_pseudo_bytes(rand_tmp, sizeof(rand_tmp)); + RAND_bytes(rand_tmp, sizeof(rand_tmp)); a = BN_bin2bn(rand_tmp, sizeof(rand_tmp), NULL); /* TODO - check a != 0 */ showbn("a", a); diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c index 33303cc117..3475551d6a 100644 --- a/demos/easy_tls/easy-tls.c +++ b/demos/easy_tls/easy-tls.c @@ -760,7 +760,8 @@ SSL_CTX *tls_create_ctx(struct tls_create_ctx_args a, void *apparg) if (tls_dhe1024 == NULL) { int i; - RAND_bytes((unsigned char *)&i, sizeof i); + if (RAND_bytes((unsigned char *)&i, sizeof i) <= 0) + goto err_return; /* * make sure that i is non-negative -- pick one of the provided * seeds diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 22626f1f0b..8d15f70a4f 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -1396,7 +1396,10 @@ int dtls1_process_heartbeat(SSL *s) memcpy(bp, pl, payload); bp += payload; /* Random padding */ - RAND_pseudo_bytes(bp, padding); + if (RAND_bytes(bp, padding) <= 0) { + OPENSSL_free(buffer); + return -1; + } r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); @@ -1430,7 +1433,7 @@ int dtls1_process_heartbeat(SSL *s) int dtls1_heartbeat(SSL *s) { unsigned char *buf, *p; - int ret; + int ret = -1; unsigned int payload = 18; /* Sequence number + random bytes */ unsigned int padding = 16; /* Use minimum padding */ @@ -1482,10 +1485,16 @@ int dtls1_heartbeat(SSL *s) /* Sequence number */ s2n(s->tlsext_hb_seq, p); /* 16 random bytes */ - RAND_pseudo_bytes(p, 16); + if (RAND_bytes(p, 16) <= 0) { + SSLerr(SSL_F_DTLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); + goto err; + } p += 16; /* Random padding */ - RAND_pseudo_bytes(p, padding); + if (RAND_bytes(p, padding) <= 0) { + SSLerr(SSL_F_DTLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); + goto err; + } ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); if (ret >= 0) { @@ -1498,6 +1507,7 @@ int dtls1_heartbeat(SSL *s) s->tlsext_hb_pending = 1; } + err: OPENSSL_free(buf); return ret; diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 21a32bce70..3451b7c1ef 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -263,6 +263,7 @@ int ssl23_connect(SSL *s) int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) { int send_time = 0; + if (len < 4) return 0; if (server) @@ -273,9 +274,9 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) unsigned long Time = (unsigned long)time(NULL); unsigned char *p = result; l2n(Time, p); - return RAND_pseudo_bytes(p, len - 4); + return RAND_bytes(p, len - 4); } else - return RAND_pseudo_bytes(result, len); + return RAND_bytes(result, len); } static int ssl23_client_hello(SSL *s) diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 27f03d4937..bab95f3200 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -2810,7 +2810,12 @@ int ssl3_send_client_key_exchange(SSL *s) EVP_PKEY_encrypt_init(pkey_ctx); /* Generate session key */ - RAND_bytes(pms, pmslen); + if (RAND_bytes(pms, pmslen) <= 0) { + EVP_PKEY_CTX_free(pkey_ctx); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto err; + }; /* * If we have client certificate, use its secret as peer key */ diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index ce52854e0d..05dc439c2d 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -2168,10 +2168,7 @@ int ssl3_get_client_key_exchange(SSL *s) * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */ - /* - * should be RAND_bytes, but we cannot work around a failure. - */ - if (RAND_pseudo_bytes(rand_premaster_secret, + if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0) goto err; decrypt_len = diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 54974df17e..29bbc03e4c 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1957,7 +1957,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->tlsext_servername_callback = 0; ret->tlsext_servername_arg = NULL; /* Setup RFC4507 ticket keys */ - if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0) + if ((RAND_bytes(ret->tlsext_tick_key_name, 16) <= 0) || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0) || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0)) ret->options |= SSL_OP_NO_TICKET; diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 22d2e661b9..9273eb6c48 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -257,7 +257,7 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id, { unsigned int retry = 0; do - if (RAND_pseudo_bytes(id, *id_len) <= 0) + if (RAND_bytes(id, *id_len) <= 0) return 0; while (SSL_has_matching_session_id(ssl, id, *id_len) && (++retry < MAX_SESS_ID_ATTEMPTS)) ; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index dd28cd6ed8..b5eb4bfadc 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3634,7 +3634,10 @@ int tls1_process_heartbeat(SSL *s) memcpy(bp, pl, payload); bp += payload; /* Random padding */ - RAND_pseudo_bytes(bp, padding); + if (RAND_bytes(bp, padding) <= 0) { + OPENSSL_free(buffer); + return -1; + } r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); @@ -3669,7 +3672,7 @@ int tls1_process_heartbeat(SSL *s) int tls1_heartbeat(SSL *s) { unsigned char *buf, *p; - int ret; + int ret = -1; unsigned int payload = 18; /* Sequence number + random bytes */ unsigned int padding = 16; /* Use minimum padding */ @@ -3721,10 +3724,16 @@ int tls1_heartbeat(SSL *s) /* Sequence number */ s2n(s->tlsext_hb_seq, p); /* 16 random bytes */ - RAND_pseudo_bytes(p, 16); + if (RAND_bytes(p, 16) <= 0) { + SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); + goto err; + } p += 16; /* Random padding */ - RAND_pseudo_bytes(p, padding); + if (RAND_bytes(p, padding) <= 0) { + SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); + goto err; + } ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); if (ret >= 0) { @@ -3736,8 +3745,8 @@ int tls1_heartbeat(SSL *s) s->tlsext_hb_pending = 1; } + err: OPENSSL_free(buf); - return ret; } # endif diff --git a/test/igetest.c b/test/igetest.c index f3d10a975d..96e98845e6 100644 --- a/test/igetest.c +++ b/test/igetest.c @@ -289,9 +289,9 @@ int main(int argc, char **argv) assert(BIG_TEST_SIZE >= TEST_SIZE); - RAND_pseudo_bytes(rkey, sizeof rkey); - RAND_pseudo_bytes(plaintext, sizeof plaintext); - RAND_pseudo_bytes(iv, sizeof iv); + RAND_bytes(rkey, sizeof rkey); + RAND_bytes(plaintext, sizeof plaintext); + RAND_bytes(iv, sizeof iv); memcpy(saved_iv, iv, sizeof saved_iv); /* Forward IGE only... */ @@ -390,7 +390,7 @@ int main(int argc, char **argv) */ /* possible with biIGE, so the IV is not updated. */ - RAND_pseudo_bytes(rkey2, sizeof rkey2); + RAND_bytes(rkey2, sizeof rkey2); /* Straight encrypt/decrypt */ AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key); -- 2.25.1