From 4cffafe96786558f66e1900ac462f9ccba921132 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Fri, 3 Nov 2017 20:59:16 +0100 Subject: [PATCH] Use the private RNG for data that is not public Reviewed-by: Dr. Matthias St. Pierre Reviewed-by: Rich Salz Fixes: #4641 GH: #4665 --- crypto/bio/bf_nbio.c | 4 ++-- crypto/bn/bn_blind.c | 2 +- crypto/bn/bn_prime.c | 5 +++-- crypto/bn/bn_rand.c | 2 +- crypto/bn/bn_sqrt.c | 2 +- crypto/des/rand_key.c | 2 +- crypto/evp/e_des.c | 2 +- crypto/evp/e_des3.c | 2 +- crypto/evp/evp_enc.c | 2 +- crypto/rand/randfile.c | 2 +- crypto/srp/srp_vfy.c | 2 +- ssl/ssl_lib.c | 6 +++--- ssl/statem/statem_srvr.c | 2 +- ssl/tls_srp.c | 4 ++-- 14 files changed, 20 insertions(+), 19 deletions(-) diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c index c41b5d58dc..1acb717743 100644 --- a/crypto/bio/bf_nbio.c +++ b/crypto/bio/bf_nbio.c @@ -89,7 +89,7 @@ static int nbiof_read(BIO *b, char *out, int outl) return 0; BIO_clear_retry_flags(b); - if (RAND_bytes(&n, 1) <= 0) + if (RAND_priv_bytes(&n, 1) <= 0) return -1; num = (n & 0x07); @@ -126,7 +126,7 @@ static int nbiof_write(BIO *b, const char *in, int inl) num = nt->lwn; nt->lwn = 0; } else { - if (RAND_bytes(&n, 1) <= 0) + if (RAND_priv_bytes(&n, 1) <= 0) return -1; num = (n & 7); } diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 985d3ef32b..1ee902cb21 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -250,7 +250,7 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, do { int rv; - if (!BN_rand_range(ret->A, ret->mod)) + if (!BN_priv_rand_range(ret->A, ret->mod)) goto err; if (!int_bn_mod_inverse(ret->Ai, ret->A, ret->mod, ctx, &rv)) { /* diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index 36d6e88478..4e7908682e 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -279,6 +279,7 @@ static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods) char is_single_word = bits <= BN_BITS2; again: + /* TODO: Not all primes are private */ if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD)) return 0; /* we now have a random number 'rnd' to test. */ @@ -363,7 +364,7 @@ int bn_probable_prime_dh(BIGNUM *rnd, int bits, if ((t1 = BN_CTX_get(ctx)) == NULL) goto err; - if (!BN_priv_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) + if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) goto err; /* we need ((rnd-rem) % add) == 0 */ @@ -419,7 +420,7 @@ static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd, if (!BN_rshift1(qadd, padd)) goto err; - if (!BN_priv_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) + if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) goto err; /* we need ((rnd-rem) % add) == 0 */ diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 604b6bf6cf..c0d1a32292 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -239,7 +239,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, memset(private_bytes + todo, 0, sizeof(private_bytes) - todo); for (done = 0; done < num_k_bytes;) { - if (RAND_bytes(random_bytes, sizeof(random_bytes)) != 1) + if (RAND_priv_bytes(random_bytes, sizeof(random_bytes)) != 1) goto err; SHA512_Init(&sha); SHA512_Update(&sha, &done, sizeof(done)); diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c index 37cdaf87d5..be8bd1238b 100644 --- a/crypto/bn/bn_sqrt.c +++ b/crypto/bn/bn_sqrt.c @@ -179,7 +179,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) if (!BN_set_word(y, i)) goto end; } else { - if (!BN_rand(y, BN_num_bits(p), 0, 0)) + if (!BN_priv_rand(y, BN_num_bits(p), 0, 0)) goto end; if (BN_ucmp(y, p) >= 0) { if (!(p->neg ? BN_add : BN_sub) (y, y, p)) diff --git a/crypto/des/rand_key.c b/crypto/des/rand_key.c index 09d7e4cf14..b49ce6f17b 100644 --- a/crypto/des/rand_key.c +++ b/crypto/des/rand_key.c @@ -13,7 +13,7 @@ int DES_random_key(DES_cblock *ret) { do { - if (RAND_bytes((unsigned char *)ret, sizeof(DES_cblock)) != 1) + if (RAND_priv_bytes((unsigned char *)ret, sizeof(DES_cblock)) != 1) return 0; } while (DES_is_weak_key(ret)); DES_set_odd_parity(ret); diff --git a/crypto/evp/e_des.c b/crypto/evp/e_des.c index 9b2facfecf..3b886263da 100644 --- a/crypto/evp/e_des.c +++ b/crypto/evp/e_des.c @@ -229,7 +229,7 @@ static int des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) switch (type) { case EVP_CTRL_RAND_KEY: - if (RAND_bytes(ptr, 8) <= 0) + if (RAND_priv_bytes(ptr, 8) <= 0) return 0; DES_set_odd_parity((DES_cblock *)ptr); return 1; diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index da77936c96..7a2c12dbb7 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -283,7 +283,7 @@ static int des3_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) switch (type) { case EVP_CTRL_RAND_KEY: - if (RAND_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) + if (RAND_priv_bytes(ptr, EVP_CIPHER_CTX_key_length(ctx)) <= 0) return 0; DES_set_odd_parity(deskey); if (EVP_CIPHER_CTX_key_length(ctx) >= 16) diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 0297d2eea7..38633410cd 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -602,7 +602,7 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) { if (ctx->cipher->flags & EVP_CIPH_RAND_KEY) return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key); - if (RAND_bytes(key, ctx->key_len) <= 0) + if (RAND_priv_bytes(key, ctx->key_len) <= 0) return 0; return 1; } diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index 99a3f1424c..7cac8e9eb5 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -166,7 +166,7 @@ int RAND_write_file(const char *file) #endif /* Collect enough random data. */ - if (RAND_bytes(buf, (int)sizeof(buf)) != 1) + if (RAND_priv_bytes(buf, (int)sizeof(buf)) != 1) return -1; #if defined(O_CREAT) && !defined(OPENSSL_NO_POSIX_IO) && \ diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 56ae94b196..b85033b305 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -422,7 +422,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username) if (!SRP_user_pwd_set_ids(user, username, NULL)) goto err; - if (RAND_bytes(digv, SHA_DIGEST_LENGTH) <= 0) + if (RAND_priv_bytes(digv, SHA_DIGEST_LENGTH) <= 0) goto err; ctxt = EVP_MD_CTX_new(); if (ctxt == NULL diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 9d4c4d4899..1509423020 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3047,13 +3047,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) /* Setup RFC5077 ticket keys */ if ((RAND_bytes(ret->ext.tick_key_name, sizeof(ret->ext.tick_key_name)) <= 0) - || (RAND_bytes(ret->ext.secure->tick_hmac_key, + || (RAND_priv_bytes(ret->ext.secure->tick_hmac_key, sizeof(ret->ext.secure->tick_hmac_key)) <= 0) - || (RAND_bytes(ret->ext.secure->tick_aes_key, + || (RAND_priv_bytes(ret->ext.secure->tick_aes_key, sizeof(ret->ext.secure->tick_aes_key)) <= 0)) ret->options |= SSL_OP_NO_TICKET; - if (RAND_bytes(ret->ext.cookie_hmac_key, + if (RAND_priv_bytes(ret->ext.cookie_hmac_key, sizeof(ret->ext.cookie_hmac_key)) <= 0) goto err; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 876b6a79e3..60e0bc7373 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2936,7 +2936,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt) * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */ - if (RAND_bytes(rand_premaster_secret, + if (RAND_priv_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR); diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c index 87614cb003..f94e46b4e8 100644 --- a/ssl/tls_srp.c +++ b/ssl/tls_srp.c @@ -157,7 +157,7 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad) (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL)) return SSL3_AL_FATAL; - if (RAND_bytes(b, sizeof(b)) <= 0) + if (RAND_priv_bytes(b, sizeof(b)) <= 0) return SSL3_AL_FATAL; s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL); OPENSSL_cleanse(b, sizeof(b)); @@ -369,7 +369,7 @@ int SRP_Calc_A_param(SSL *s) { unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; - if (RAND_bytes(rnd, sizeof(rnd)) <= 0) + if (RAND_priv_bytes(rnd, sizeof(rnd)) <= 0) return 0; s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); OPENSSL_cleanse(rnd, sizeof(rnd)); -- 2.25.1