[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Wed Mar 25 12:40:25 UTC 2015
The branch master has been updated
via 302d38e3f73d5fd2ba2fd30bb7798778cb9f18dd (commit)
via 266483d2f56b0764849797f31866bfd84f9c3aa8 (commit)
from 8817e2e0c998757d3bd036d7f45fe8d0a49fbe2d (commit)
- Log -----------------------------------------------------------------
commit 302d38e3f73d5fd2ba2fd30bb7798778cb9f18dd
Author: Matt Caswell <matt at openssl.org>
Date: Thu Feb 26 13:52:30 2015 +0000
Deprecate RAND_pseudo_bytes
The justification for RAND_pseudo_bytes is somewhat dubious, and the reality
is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in
the default implementation both end up calling ssleay_rand_bytes. Both may
return -1 in an error condition. If there is insufficient entropy then
both will return 0, but RAND_bytes will additionally add an error to the
error queue. They both return 1 on success.
Therefore the fundamental difference between the two is that one will add an
error to the error queue with insufficient entory whilst the other will not.
Frequently there are constructions of this form:
if(RAND_pseudo_bytes(...) <= 1)
goto err;
In the above form insufficient entropy is treated as an error anyway, so
RAND_bytes is probably the better form to use.
This form is also seen:
if(!RAND_pseudo_bytes(...))
goto err;
This is technically not correct at all since a -1 return value is
incorrectly handled - but this form will also treat insufficient entropy as
an error.
Within libssl it is required that you have correctly seeded your entropy
pool and so there seems little benefit in using RAND_pseudo_bytes.
Similarly in libcrypto many operations also require a correctly seeded
entropy pool and so in most interesting cases you would be better off
using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes
being incorrectly used in scenarios where security can be compromised by
insufficient entropy.
If you are not using the default implementation, then most engines use the
same function to implement RAND_bytes and RAND_pseudo_bytes in any case.
Given its misuse, limited benefit, and potential to compromise security,
RAND_pseudo_bytes has been deprecated.
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 266483d2f56b0764849797f31866bfd84f9c3aa8
Author: Matt Caswell <matt at openssl.org>
Date: Thu Feb 26 11:57:37 2015 +0000
RAND_bytes updates
Ensure RAND_bytes return value is checked correctly, and that we no longer
use RAND_pseudo_bytes.
Reviewed-by: Richard Levitte <levitte at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 2 ++
apps/enc.c | 2 +-
apps/passwd.c | 4 ++--
apps/s_cb.c | 2 +-
apps/s_server.c | 3 ++-
apps/speed.c | 4 ++--
crypto/asn1/asn_mime.c | 3 ++-
crypto/asn1/p5_pbe.c | 2 +-
crypto/asn1/p5_pbev2.c | 4 ++--
crypto/bio/bf_nbio.c | 6 ++++--
crypto/bn/bn_lcl.h | 2 +-
crypto/bn/bn_rand.c | 5 +++--
crypto/cms/cms_enc.c | 2 +-
crypto/cms/cms_ess.c | 3 +--
crypto/cms/cms_pwri.c | 7 ++++---
crypto/des/enc_writ.c | 3 ++-
crypto/dsa/dsa_gen.c | 4 ++--
crypto/ecdsa/ecdsatest.c | 3 +--
crypto/evp/bio_ok.c | 3 ++-
crypto/evp/e_des3.c | 3 ++-
crypto/evp/p_seal.c | 5 +++--
crypto/ocsp/ocsp_ext.c | 4 ++--
crypto/pem/pem_lib.c | 2 +-
crypto/pkcs12/p12_mutl.c | 2 +-
crypto/pkcs7/pk7_doit.c | 2 +-
crypto/rand/md_rand.c | 8 ++++++++
crypto/rand/rand.h | 4 +++-
crypto/rand/rand_lib.c | 2 ++
crypto/rand/randtest.c | 4 ++--
crypto/srp/srp_vfy.c | 9 ++++++---
crypto/srp/srptest.c | 4 ++--
demos/easy_tls/easy-tls.c | 3 ++-
doc/crypto/RAND_bytes.pod | 3 +++
ssl/d1_both.c | 18 ++++++++++++++----
ssl/s23_clnt.c | 5 +++--
ssl/s3_clnt.c | 7 ++++++-
ssl/s3_srvr.c | 5 +----
ssl/ssl_lib.c | 2 +-
ssl/ssl_sess.c | 2 +-
ssl/t1_lib.c | 19 ++++++++++++++-----
test/igetest.c | 8 ++++----
41 files changed, 118 insertions(+), 67 deletions(-)
diff --git a/CHANGES b/CHANGES
index ab5b482..7c57410 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,8 @@
Changes between 1.0.2 and 1.1.0 [xx XXX xxxx]
+ *) RAND_pseudo_bytes has been deprecated. Users should use RAND bytes instead.
+
*) Added support for TLS extended master secret from
draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
initial patch which was a great help during development.
diff --git a/apps/enc.c b/apps/enc.c
index 3bf4a6e..1739b7e 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -505,7 +505,7 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "invalid hex salt value\n");
goto end;
}
- } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
+ } else if (RAND_bytes(salt, sizeof salt) <= 0)
goto end;
/*
* If -P option then don't bother writing
diff --git a/apps/passwd.c b/apps/passwd.c
index 5ff53b5..798a6d5 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -416,7 +416,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
if (*salt_malloc_p == NULL)
goto err;
}
- if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
+ if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0)
goto err;
(*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
(*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
@@ -437,7 +437,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
if (*salt_malloc_p == NULL)
goto err;
}
- if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
+ if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0)
goto err;
for (i = 0; i < 8; i++)
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 8bc4b81..ea7d35c 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -949,7 +949,7 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
/* Initialize a random secret */
if (!cookie_initialized) {
- if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) {
+ if (RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH) <= 0) {
BIO_printf(bio_err, "error setting random cookie secret\n");
return 0;
}
diff --git a/apps/s_server.c b/apps/s_server.c
index 97aa23d..c3884d2 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -3199,7 +3199,8 @@ static int generate_session_id(const SSL *ssl, unsigned char *id,
{
unsigned int count = 0;
do {
- RAND_pseudo_bytes(id, *id_len);
+ if (RAND_bytes(id, *id_len) <= 0)
+ return 0;
/*
* Prefix the session_id with the required prefix. NB: If our prefix
* is too long, clip it - but there will be worse effects anyway, eg.
diff --git a/apps/speed.c b/apps/speed.c
index b023f28..d2034a4 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -1967,7 +1967,7 @@ int MAIN(int argc, char **argv)
}
#ifndef OPENSSL_SYS_WIN32
#endif
- RAND_pseudo_bytes(buf, 36);
+ RAND_bytes(buf, 36);
#ifndef OPENSSL_NO_RSA
for (j = 0; j < RSA_NUM; j++) {
int ret;
@@ -2039,7 +2039,7 @@ int MAIN(int argc, char **argv)
}
#endif
- RAND_pseudo_bytes(buf, 20);
+ RAND_bytes(buf, 20);
#ifndef OPENSSL_NO_DSA
if (RAND_status() != 1) {
RAND_seed(rnd_seed, sizeof rnd_seed);
diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c
index 28622f2..e96fb02 100644
--- a/crypto/asn1/asn_mime.c
+++ b/crypto/asn1/asn_mime.c
@@ -286,7 +286,8 @@ int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags,
if ((flags & SMIME_DETACHED) && data) {
/* We want multipart/signed */
/* Generate a random boundary */
- RAND_pseudo_bytes((unsigned char *)bound, 32);
+ if (RAND_bytes((unsigned char *)bound, 32) <= 0)
+ return 0;
for (i = 0; i < 32; i++) {
c = bound[i] & 0xf;
if (c < 10)
diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c
index d54b094..a65b659 100644
--- a/crypto/asn1/p5_pbe.c
+++ b/crypto/asn1/p5_pbe.c
@@ -101,7 +101,7 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
sstr = ASN1_STRING_data(pbe->salt);
if (salt)
memcpy(sstr, salt, saltlen);
- else if (RAND_pseudo_bytes(sstr, saltlen) < 0)
+ else if (RAND_bytes(sstr, saltlen) <= 0)
goto err;
if (!ASN1_item_pack(pbe, ASN1_ITEM_rptr(PBEPARAM), &pbe_str)) {
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index c56d850..60abbe2 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -120,7 +120,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
if (EVP_CIPHER_iv_length(cipher)) {
if (aiv)
memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher));
- else if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
+ else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0)
goto err;
}
@@ -225,7 +225,7 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
if (salt)
memcpy(osalt->data, salt, saltlen);
- else if (RAND_pseudo_bytes(osalt->data, saltlen) < 0)
+ else if (RAND_bytes(osalt->data, saltlen) <= 0)
goto merr;
if (iter <= 0)
diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c
index 3af58bd..0ba6055 100644
--- a/crypto/bio/bf_nbio.c
+++ b/crypto/bio/bf_nbio.c
@@ -136,7 +136,8 @@ static int nbiof_read(BIO *b, char *out, int outl)
return (0);
BIO_clear_retry_flags(b);
- RAND_pseudo_bytes(&n, 1);
+ if (RAND_bytes(&n, 1) <= 0)
+ return -1;
num = (n & 0x07);
if (outl > num)
@@ -172,7 +173,8 @@ static int nbiof_write(BIO *b, const char *in, int inl)
num = nt->lwn;
nt->lwn = 0;
} else {
- RAND_pseudo_bytes(&n, 1);
+ if (RAND_bytes(&n, 1) <= 0)
+ return -1;
num = (n & 7);
}
diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index ba22f3a..a24ae7f 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -168,7 +168,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
* wouldn't be constructed with top!=dmax. */ \
BN_ULONG *_not_const; \
memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
- RAND_pseudo_bytes(&_tmp_char, 1); \
+ RAND_bytes(&_tmp_char, 1); /* Debug only - safe to ignore error return */\
memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
(_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
} \
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index 9488454..be58a5a 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -142,7 +142,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
RAND_add(&tim, sizeof(tim), 0.0);
if (pseudorand) {
- if (RAND_pseudo_bytes(buf, bytes) == -1)
+ if (RAND_bytes(buf, bytes) <= 0)
goto err;
} else {
if (RAND_bytes(buf, bytes) <= 0)
@@ -157,7 +157,8 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
unsigned char c;
for (i = 0; i < bytes; i++) {
- RAND_pseudo_bytes(&c, 1);
+ if (RAND_bytes(&c, 1) <= 0)
+ goto err;
if (c >= 128 && i > 0)
buf[i] = buf[i - 1];
else if (c < 42)
diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index 85ae928..ffa85fc 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -119,7 +119,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
/* Generate a random IV if we need one */
ivlen = EVP_CIPHER_CTX_iv_length(ctx);
if (ivlen > 0) {
- if (RAND_pseudo_bytes(iv, ivlen) <= 0)
+ if (RAND_bytes(iv, ivlen) <= 0)
goto err;
piv = iv;
}
diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c
index 8631a2e..8212560 100644
--- a/crypto/cms/cms_ess.c
+++ b/crypto/cms/cms_ess.c
@@ -107,8 +107,7 @@ CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen,
else {
if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32))
goto merr;
- if (RAND_pseudo_bytes(rr->signedContentIdentifier->data, 32)
- <= 0)
+ if (RAND_bytes(rr->signedContentIdentifier->data, 32) <= 0)
goto err;
}
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index dd5f636..83a65d2 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -131,7 +131,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
ivlen = EVP_CIPHER_CTX_iv_length(&ctx);
if (ivlen > 0) {
- if (RAND_pseudo_bytes(iv, ivlen) <= 0)
+ if (RAND_bytes(iv, ivlen) <= 0)
goto err;
if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) {
CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB);
@@ -299,8 +299,9 @@ static int kek_wrap_key(unsigned char *out, size_t *outlen,
out[3] = in[2] ^ 0xFF;
memcpy(out + 4, in, inlen);
/* Add random padding to end */
- if (olen > inlen + 4)
- RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen);
+ if (olen > inlen + 4
+ && RAND_bytes(out + 4 + inlen, olen - 4 - inlen) <= 0)
+ return 0;
/* Encrypt twice */
if (!EVP_EncryptUpdate(ctx, out, &dummy, out, olen)
|| !EVP_EncryptUpdate(ctx, out, &dummy, out, olen))
diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c
index b4eecc3..55cc7fc 100644
--- a/crypto/des/enc_writ.c
+++ b/crypto/des/enc_writ.c
@@ -132,7 +132,8 @@ int DES_enc_write(int fd, const void *_buf, int len,
if (len < 8) {
cp = shortbuf;
memcpy(shortbuf, buf, len);
- RAND_pseudo_bytes(shortbuf + len, 8 - len);
+ if (RAND_bytes(shortbuf + len, 8 - len) <= 0)
+ return -1;
rnum = 8;
} else {
cp = buf;
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 37b23c9..3506bc3 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -173,7 +173,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
goto err;
if (!seed_len) {
- if (RAND_pseudo_bytes(seed, qsize) < 0)
+ if (RAND_bytes(seed, qsize) <= 0)
goto err;
seed_is_random = 1;
} else {
@@ -448,7 +448,7 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
goto err;
if (!seed_in) {
- if (RAND_pseudo_bytes(seed, seed_len) < 0)
+ if (RAND_bytes(seed, seed_len) <= 0)
goto err;
}
/* step 2 */
diff --git a/crypto/ecdsa/ecdsatest.c b/crypto/ecdsa/ecdsatest.c
index 31d9c84..c2132da 100644
--- a/crypto/ecdsa/ecdsatest.c
+++ b/crypto/ecdsa/ecdsatest.c
@@ -311,8 +311,7 @@ int test_builtin(BIO *out)
int nid, ret = 0;
/* fill digest values with some random data */
- if (!RAND_pseudo_bytes(digest, 20) ||
- !RAND_pseudo_bytes(wrong_digest, 20)) {
+ if (RAND_bytes(digest, 20) <= 0 || RAND_bytes(wrong_digest, 20) <= 0) {
BIO_printf(out, "ERROR: unable to get random data\n");
goto builtin_err;
}
diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c
index b097a4d..ffdde6c 100644
--- a/crypto/evp/bio_ok.c
+++ b/crypto/evp/bio_ok.c
@@ -491,7 +491,8 @@ static int sig_out(BIO *b)
* FIXME: there's absolutely no guarantee this makes any sense at all,
* particularly now EVP_MD_CTX has been restructured.
*/
- RAND_pseudo_bytes(md->md_data, md->digest->md_size);
+ if (RAND_bytes(md->md_data, md->digest->md_size) <= 0)
+ goto berr;
memcpy(&(ctx->buf[ctx->buf_len]), md->md_data, md->digest->md_size);
longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
ctx->buf_len += md->digest->md_size;
diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c
index 73d7923..c720242 100644
--- a/crypto/evp/e_des3.c
+++ b/crypto/evp/e_des3.c
@@ -439,7 +439,8 @@ static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
memcpy(out + inl + 8, sha1tmp, 8);
OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
/* Generate random IV */
- RAND_bytes(ctx->iv, 8);
+ if (RAND_bytes(ctx->iv, 8) <= 0)
+ return -1;
memcpy(out, ctx->iv, 8);
/* Encrypt everything after IV in place */
des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8);
diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c
index caabbf4..ba9dfff 100644
--- a/crypto/evp/p_seal.c
+++ b/crypto/evp/p_seal.c
@@ -82,8 +82,9 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
return 1;
if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
return 0;
- if (EVP_CIPHER_CTX_iv_length(ctx))
- RAND_pseudo_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx));
+ if (EVP_CIPHER_CTX_iv_length(ctx)
+ && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0)
+ return 0;
if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
return 0;
diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c
index 4c6edb1..b564259 100644
--- a/crypto/ocsp/ocsp_ext.c
+++ b/crypto/ocsp/ocsp_ext.c
@@ -319,8 +319,8 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
if (val)
memcpy(tmpval, val, len);
- else
- RAND_pseudo_bytes(tmpval, len);
+ else if (RAND_bytes(tmpval, len) <= 0)
+ goto err;
if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
&os, 0, X509V3_ADD_REPLACE))
goto err;
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 410c2b2..70e6a70 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -387,7 +387,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
}
RAND_add(data, i, 0); /* put in the RSA key. */
OPENSSL_assert(enc->iv_len <= (int)sizeof(iv));
- if (RAND_pseudo_bytes(iv, enc->iv_len) < 0) /* Generate a salt */
+ if (RAND_bytes(iv, enc->iv_len) <= 0) /* Generate a salt */
goto err;
/*
* The 'iv' is used as the iv and as a salt. It is NOT taken from
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index d5eb8ff..252aca0 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -177,7 +177,7 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
return 0;
}
if (!salt) {
- if (RAND_pseudo_bytes(p12->mac->salt->data, saltlen) < 0)
+ if (RAND_bytes(p12->mac->salt->data, saltlen) <= 0)
return 0;
} else
memcpy(p12->mac->salt->data, salt, saltlen);
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 0200b3b..f77326b 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -340,7 +340,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
ivlen = EVP_CIPHER_iv_length(evp_cipher);
xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
if (ivlen > 0)
- if (RAND_pseudo_bytes(iv, ivlen) <= 0)
+ if (RAND_bytes(iv, ivlen) <= 0)
goto err;
if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1) <= 0)
goto err;
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index ef43966..27e785d 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -173,7 +173,9 @@ static int ssleay_rand_seed(const void *buf, int num);
static int ssleay_rand_add(const void *buf, int num, double add_entropy);
static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo);
static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num);
+#ifndef OPENSSL_NO_DEPRECATED
static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
+#endif
static int ssleay_rand_status(void);
static RAND_METHOD rand_ssleay_meth = {
@@ -181,7 +183,11 @@ static RAND_METHOD rand_ssleay_meth = {
ssleay_rand_nopseudo_bytes,
ssleay_rand_cleanup,
ssleay_rand_add,
+#ifndef OPENSSL_NO_DEPRECATED
ssleay_rand_pseudo_bytes,
+#else
+ NULL,
+#endif
ssleay_rand_status
};
@@ -601,6 +607,7 @@ static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num)
return ssleay_rand_bytes(buf, num, 0);
}
+#ifndef OPENSSL_NO_DEPRECATED
/*
* pseudo-random bytes that are guaranteed to be unique but not unpredictable
*/
@@ -608,6 +615,7 @@ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num)
{
return ssleay_rand_bytes(buf, num, 1);
}
+#endif
static int ssleay_rand_status(void)
{
diff --git a/crypto/rand/rand.h b/crypto/rand/rand.h
index 145edb2..14b4793 100644
--- a/crypto/rand/rand.h
+++ b/crypto/rand/rand.h
@@ -95,7 +95,9 @@ int RAND_set_rand_engine(ENGINE *engine);
RAND_METHOD *RAND_SSLeay(void);
void RAND_cleanup(void);
int RAND_bytes(unsigned char *buf, int num);
-int RAND_pseudo_bytes(unsigned char *buf, int num);
+#ifdef OPENSSL_USE_DEPRECATED
+DECLARE_DEPRECATED(int RAND_pseudo_bytes(unsigned char *buf, int num));
+#endif
void RAND_seed(const void *buf, int num);
void RAND_add(const void *buf, int num, double entropy);
int RAND_load_file(const char *file, long max_bytes);
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index 2f4dc09..0bbaf67 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -159,6 +159,7 @@ int RAND_bytes(unsigned char *buf, int num)
return (-1);
}
+#ifndef OPENSSL_NO_DEPRECATED
int RAND_pseudo_bytes(unsigned char *buf, int num)
{
const RAND_METHOD *meth = RAND_get_rand_method();
@@ -166,6 +167,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num)
return meth->pseudorand(buf, num);
return (-1);
}
+#endif
int RAND_status(void)
{
diff --git a/crypto/rand/randtest.c b/crypto/rand/randtest.c
index 267752e..67acf70 100644
--- a/crypto/rand/randtest.c
+++ b/crypto/rand/randtest.c
@@ -77,8 +77,8 @@ int main(int argc, char **argv)
*/
long d;
- i = RAND_pseudo_bytes(buf, 2500);
- if (i < 0) {
+ i = RAND_bytes(buf, 2500);
+ if (i <= 0) {
printf("init failed, the rand method is not properly installed\n");
err++;
goto err;
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 4aed5b4..9d83a8f 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -498,7 +498,8 @@ SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username)
if (!SRP_user_pwd_set_ids(user, username, NULL))
goto err;
- RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH);
+ if (RAND_bytes(digv, SHA_DIGEST_LENGTH) <= 0)
+ goto err;
EVP_MD_CTX_init(&ctxt);
EVP_DigestInit_ex(&ctxt, EVP_sha1(), NULL);
EVP_DigestUpdate(&ctxt, vb->seed_key, strlen(vb->seed_key));
@@ -550,7 +551,8 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
}
if (*salt == NULL) {
- RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN);
+ if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0)
+ goto err;
s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
} else {
@@ -608,7 +610,8 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
goto err;
if (*salt == NULL) {
- RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN);
+ if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0)
+ goto err;
*salt = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
}
diff --git a/crypto/srp/srptest.c b/crypto/srp/srptest.c
index 17a8256..1d463cd 100644
--- a/crypto/srp/srptest.c
+++ b/crypto/srp/srptest.c
@@ -59,7 +59,7 @@ static int run_srp(const char *username, const char *client_pass,
showbn("Verifier", v);
/* Server random */
- RAND_pseudo_bytes(rand_tmp, sizeof(rand_tmp));
+ RAND_bytes(rand_tmp, sizeof(rand_tmp));
b = BN_bin2bn(rand_tmp, sizeof(rand_tmp), NULL);
/* TODO - check b != 0 */
showbn("b", b);
@@ -74,7 +74,7 @@ static int run_srp(const char *username, const char *client_pass,
}
/* Client random */
- RAND_pseudo_bytes(rand_tmp, sizeof(rand_tmp));
+ RAND_bytes(rand_tmp, sizeof(rand_tmp));
a = BN_bin2bn(rand_tmp, sizeof(rand_tmp), NULL);
/* TODO - check a != 0 */
showbn("a", a);
diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c
index 33303cc..3475551 100644
--- a/demos/easy_tls/easy-tls.c
+++ b/demos/easy_tls/easy-tls.c
@@ -760,7 +760,8 @@ SSL_CTX *tls_create_ctx(struct tls_create_ctx_args a, void *apparg)
if (tls_dhe1024 == NULL) {
int i;
- RAND_bytes((unsigned char *)&i, sizeof i);
+ if (RAND_bytes((unsigned char *)&i, sizeof i) <= 0)
+ goto err_return;
/*
* make sure that i is non-negative -- pick one of the provided
* seeds
diff --git a/doc/crypto/RAND_bytes.pod b/doc/crypto/RAND_bytes.pod
index 1a9b91e..f3a5ed2 100644
--- a/doc/crypto/RAND_bytes.pod
+++ b/doc/crypto/RAND_bytes.pod
@@ -10,6 +10,8 @@ RAND_bytes, RAND_pseudo_bytes - generate random data
int RAND_bytes(unsigned char *buf, int num);
+Deprecated:
+
int RAND_pseudo_bytes(unsigned char *buf, int num);
=head1 DESCRIPTION
@@ -18,6 +20,7 @@ RAND_bytes() puts B<num> cryptographically strong pseudo-random bytes
into B<buf>. An error occurs if the PRNG has not been seeded with
enough randomness to ensure an unpredictable byte sequence.
+RAND_pseudo_bytes() has been deprecated. Users should use RAND_bytes() instead.
RAND_pseudo_bytes() puts B<num> pseudo-random bytes into B<buf>.
Pseudo-random byte sequences generated by RAND_pseudo_bytes() will be
unique if they are of sufficient length, but are not necessarily
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 22626f1..8d15f70 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1396,7 +1396,10 @@ int dtls1_process_heartbeat(SSL *s)
memcpy(bp, pl, payload);
bp += payload;
/* Random padding */
- RAND_pseudo_bytes(bp, padding);
+ if (RAND_bytes(bp, padding) <= 0) {
+ OPENSSL_free(buffer);
+ return -1;
+ }
r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
@@ -1430,7 +1433,7 @@ int dtls1_process_heartbeat(SSL *s)
int dtls1_heartbeat(SSL *s)
{
unsigned char *buf, *p;
- int ret;
+ int ret = -1;
unsigned int payload = 18; /* Sequence number + random bytes */
unsigned int padding = 16; /* Use minimum padding */
@@ -1482,10 +1485,16 @@ int dtls1_heartbeat(SSL *s)
/* Sequence number */
s2n(s->tlsext_hb_seq, p);
/* 16 random bytes */
- RAND_pseudo_bytes(p, 16);
+ if (RAND_bytes(p, 16) <= 0) {
+ SSLerr(SSL_F_DTLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
p += 16;
/* Random padding */
- RAND_pseudo_bytes(p, padding);
+ if (RAND_bytes(p, padding) <= 0) {
+ SSLerr(SSL_F_DTLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
if (ret >= 0) {
@@ -1498,6 +1507,7 @@ int dtls1_heartbeat(SSL *s)
s->tlsext_hb_pending = 1;
}
+ err:
OPENSSL_free(buf);
return ret;
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 21a32bc..3451b7c 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -263,6 +263,7 @@ int ssl23_connect(SSL *s)
int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
{
int send_time = 0;
+
if (len < 4)
return 0;
if (server)
@@ -273,9 +274,9 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
unsigned long Time = (unsigned long)time(NULL);
unsigned char *p = result;
l2n(Time, p);
- return RAND_pseudo_bytes(p, len - 4);
+ return RAND_bytes(p, len - 4);
} else
- return RAND_pseudo_bytes(result, len);
+ return RAND_bytes(result, len);
}
static int ssl23_client_hello(SSL *s)
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 27f03d4..bab95f3 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2810,7 +2810,12 @@ int ssl3_send_client_key_exchange(SSL *s)
EVP_PKEY_encrypt_init(pkey_ctx);
/* Generate session key */
- RAND_bytes(pms, pmslen);
+ if (RAND_bytes(pms, pmslen) <= 0) {
+ EVP_PKEY_CTX_free(pkey_ctx);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto err;
+ };
/*
* If we have client certificate, use its secret as peer key
*/
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index ce52854..05dc439 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2168,10 +2168,7 @@ int ssl3_get_client_key_exchange(SSL *s)
* fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
*/
- /*
- * should be RAND_bytes, but we cannot work around a failure.
- */
- if (RAND_pseudo_bytes(rand_premaster_secret,
+ if (RAND_bytes(rand_premaster_secret,
sizeof(rand_premaster_secret)) <= 0)
goto err;
decrypt_len =
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 54974df..29bbc03 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1957,7 +1957,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->tlsext_servername_callback = 0;
ret->tlsext_servername_arg = NULL;
/* Setup RFC4507 ticket keys */
- if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
+ if ((RAND_bytes(ret->tlsext_tick_key_name, 16) <= 0)
|| (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
|| (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
ret->options |= SSL_OP_NO_TICKET;
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 22d2e66..9273eb6 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -257,7 +257,7 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id,
{
unsigned int retry = 0;
do
- if (RAND_pseudo_bytes(id, *id_len) <= 0)
+ if (RAND_bytes(id, *id_len) <= 0)
return 0;
while (SSL_has_matching_session_id(ssl, id, *id_len) &&
(++retry < MAX_SESS_ID_ATTEMPTS)) ;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index dd28cd6..b5eb4bf 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3634,7 +3634,10 @@ int tls1_process_heartbeat(SSL *s)
memcpy(bp, pl, payload);
bp += payload;
/* Random padding */
- RAND_pseudo_bytes(bp, padding);
+ if (RAND_bytes(bp, padding) <= 0) {
+ OPENSSL_free(buffer);
+ return -1;
+ }
r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3 + payload + padding);
@@ -3669,7 +3672,7 @@ int tls1_process_heartbeat(SSL *s)
int tls1_heartbeat(SSL *s)
{
unsigned char *buf, *p;
- int ret;
+ int ret = -1;
unsigned int payload = 18; /* Sequence number + random bytes */
unsigned int padding = 16; /* Use minimum padding */
@@ -3721,10 +3724,16 @@ int tls1_heartbeat(SSL *s)
/* Sequence number */
s2n(s->tlsext_hb_seq, p);
/* 16 random bytes */
- RAND_pseudo_bytes(p, 16);
+ if (RAND_bytes(p, 16) <= 0) {
+ SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
p += 16;
/* Random padding */
- RAND_pseudo_bytes(p, padding);
+ if (RAND_bytes(p, padding) <= 0) {
+ SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
if (ret >= 0) {
@@ -3736,8 +3745,8 @@ int tls1_heartbeat(SSL *s)
s->tlsext_hb_pending = 1;
}
+ err:
OPENSSL_free(buf);
-
return ret;
}
# endif
diff --git a/test/igetest.c b/test/igetest.c
index f3d10a9..96e9884 100644
--- a/test/igetest.c
+++ b/test/igetest.c
@@ -289,9 +289,9 @@ int main(int argc, char **argv)
assert(BIG_TEST_SIZE >= TEST_SIZE);
- RAND_pseudo_bytes(rkey, sizeof rkey);
- RAND_pseudo_bytes(plaintext, sizeof plaintext);
- RAND_pseudo_bytes(iv, sizeof iv);
+ RAND_bytes(rkey, sizeof rkey);
+ RAND_bytes(plaintext, sizeof plaintext);
+ RAND_bytes(iv, sizeof iv);
memcpy(saved_iv, iv, sizeof saved_iv);
/* Forward IGE only... */
@@ -390,7 +390,7 @@ int main(int argc, char **argv)
*/
/* possible with biIGE, so the IV is not updated. */
- RAND_pseudo_bytes(rkey2, sizeof rkey2);
+ RAND_bytes(rkey2, sizeof rkey2);
/* Straight encrypt/decrypt */
AES_set_encrypt_key(rkey, 8 * sizeof rkey, &key);
More information about the openssl-commits
mailing list