Check RAND_bytes() return value or use RAND_pseudo_bytes().
authorUlf Möller <ulf@openssl.org>
Fri, 21 Jan 2000 01:15:56 +0000 (01:15 +0000)
committerUlf Möller <ulf@openssl.org>
Fri, 21 Jan 2000 01:15:56 +0000 (01:15 +0000)
20 files changed:
CHANGES
apps/enc.c
crypto/asn1/p5_pbe.c
crypto/asn1/p5_pbev2.c
crypto/bio/bf_nbio.c
crypto/des/des.c
crypto/des/enc_writ.c
crypto/dsa/dsa_gen.c
crypto/evp/bio_ok.c
crypto/evp/p_seal.c
crypto/pem/pem_lib.c
crypto/pkcs12/p12_mutl.c
crypto/pkcs7/pk7_doit.c
crypto/rand/randfile.c
ssl/s23_clnt.c
ssl/s2_clnt.c
ssl/s2_srvr.c
ssl/s3_clnt.c
ssl/s3_srvr.c
ssl/ssl_sess.c

diff --git a/CHANGES b/CHANGES
index ff4dfc3..9d96037 100644 (file)
--- a/CHANGES
+++ b/CHANGES
      (1 = ok, 0 = not seeded).  Also an error is recorded on the thread's
      error queue. New function RAND_pseudo_bytes() generates output that is
      guaranteed to be unique but not unpredictable.
-     (TO DO: always check the result of RAND_bytes when it is used in the
-     library, or use RAND_pseudo_bytes instead, because leaving the
-     error in the error queue but reporting success in a function that
-     uses RAND_bytes could confuse things considerably.)
      [Ulf Möller]
 
   *) Do more iterations of Rabin-Miller probable prime test (specifically,
index e584241..ca30276 100644 (file)
@@ -448,7 +448,11 @@ bad:
                                                                "invalid hex salt value\n");
                                                        goto end;
                                                }
-                                       } else RAND_bytes(salt, PKCS5_SALT_LEN);
+                                       } else if (RAND_bytes(salt, PKCS5_SALT_LEN) <= 0) {
+                                               BIO_printf(bio_err,
+                                                       "prng not seeded\n");
+                                               goto end;
+                                       }
                                        /* If -P option then don't bother writing */
                                        if((printkey != 2)
                                           && (BIO_write(wbio,magic,
index adb92e5..8cda4f6 100644 (file)
@@ -129,7 +129,8 @@ X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
        }
        pbe->salt->length = saltlen;
        if (salt) memcpy (pbe->salt->data, salt, saltlen);
-       else RAND_bytes (pbe->salt->data, saltlen);
+       else if (RAND_bytes (pbe->salt->data, saltlen) <= 0)
+               return NULL;
 
        if (!(astype = ASN1_TYPE_new())) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
index 502a8c3..44d5b5b 100644 (file)
@@ -194,7 +194,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
        if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;
 
        /* Create random IV */
-       RAND_bytes(iv, EVP_CIPHER_iv_length(cipher));
+       RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher));
 
        /* Dummy cipherinit to just setup the IV */
        EVP_CipherInit(&ctx, cipher, NULL, iv, 0);
@@ -212,7 +212,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
        if (!(osalt->data = Malloc (saltlen))) goto merr;
        osalt->length = saltlen;
        if (salt) memcpy (osalt->data, salt, saltlen);
-       else RAND_bytes (osalt->data, saltlen);
+       else if (RAND_bytes (osalt->data, saltlen) <= 0) goto merr;
 
        if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
        if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr;
index cbec2ba..a525e79 100644 (file)
@@ -137,7 +137,7 @@ static int nbiof_read(BIO *b, char *out, int outl)
 
        BIO_clear_retry_flags(b);
 #if 0
-       RAND_bytes(&n,1);
+       RAND_pseudo_bytes(&n,1);
        num=(n&0x07);
 
        if (outl > num) outl=num;
@@ -178,7 +178,7 @@ static int nbiof_write(BIO *b, char *in, int inl)
                }
        else
                {
-               RAND_bytes(&n,1);
+               RAND_pseudo_bytes(&n,1);
                num=(n&7);
                }
 
index 5cd3373..aabd01c 100644 (file)
@@ -484,7 +484,7 @@ void doencryption(void)
                        if (feof(DES_IN))
                                {
                                for (i=7-rem; i>0; i--)
-                                       RAND_bytes(buf + l++, 1);
+                                       RAND_pseudo_bytes(buf + l++, 1);
                                buf[l++]=rem;
                                ex=1;
                                len+=rem;
index 8ded146..892f15e 100644 (file)
@@ -130,7 +130,7 @@ int des_enc_write(int fd, const void *_buf, int len,
                {
                cp=shortbuf;
                memcpy(shortbuf,buf,len);
-               RAND_bytes(shortbuf+len, 8-len);
+               RAND_pseudo_bytes(shortbuf+len, 8-len);
                rnum=8;
                }
        else
index b5e5ec0..57435a9 100644 (file)
@@ -121,7 +121,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
                        if (callback != NULL) callback(0,m++,cb_arg);
 
                        if (!seed_len)
-                               RAND_bytes(seed,SHA_DIGEST_LENGTH);
+                               RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH);
                        else
                                seed_len=0;
 
index 101275d..a54384a 100644 (file)
@@ -451,7 +451,7 @@ static void sig_out(BIO* b)
        if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return;
 
        EVP_DigestInit(md, md->digest);
-       RAND_bytes(&(md->md.base[0]), md->digest->md_size);
+       RAND_pseudo_bytes(&(md->md.base[0]), md->digest->md_size);
        memcpy(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]), md->digest->md_size);
        longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
        ctx->buf_len+= md->digest->md_size;
index e372f13..d449e89 100644 (file)
@@ -73,9 +73,10 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
        int i;
        
        if (npubk <= 0) return(0);
-       if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0) return(0);
+       if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0)
+               return(0);
        if (type->iv_len > 0)
-               RAND_bytes(iv,type->iv_len);
+               RAND_pseudo_bytes(iv,type->iv_len);
 
        EVP_CIPHER_CTX_init(ctx);
        EVP_EncryptInit(ctx,type,key,iv);
index 449a1fe..49aeb62 100644 (file)
@@ -379,7 +379,8 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
                        kstr=(unsigned char *)buf;
                        }
                RAND_add(data,i,0);/* put in the RSA key. */
-               RAND_bytes(iv,8);       /* Generate a salt */
+               if (RAND_bytes(iv,8) <= 0)      /* Generate a salt */
+                       goto err;
                /* The 'iv' is used as the iv and as a salt.  It is
                 * NOT taken from the BytesToKey function */
                EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
index 3cb782f..f1094b3 100644 (file)
@@ -156,7 +156,10 @@ int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
                PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
                return 0;
        }
-       if (!salt) RAND_bytes (p12->mac->salt->data, saltlen);
+       if (!salt) {
+               if (RAND_bytes (p12->mac->salt->data, saltlen) <= 0)
+                       return 0;
+       }
        else memcpy (p12->mac->salt->data, salt, saltlen);
        p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
        if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {
index 78355c9..1403ff5 100644 (file)
@@ -164,7 +164,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                if (RAND_bytes(key,keylen) <= 0)
                        goto err;
                xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
-               if (ivlen > 0) RAND_bytes(iv,ivlen);
+               if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen);
                EVP_CipherInit(ctx, evp_cipher, key, iv, 1);
 
                if (ivlen > 0) {
index 97c3ece..f95ecb0 100644 (file)
@@ -118,7 +118,7 @@ err:
 int RAND_write_file(const char *file)
        {
        unsigned char buf[BUFSIZE];
-       int i,ret=0;
+       int i,ret=0,err=0;
        FILE *out = NULL;
        int n;
 
@@ -156,7 +156,8 @@ int RAND_write_file(const char *file)
                {
                i=(n > BUFSIZE)?BUFSIZE:n;
                n-=BUFSIZE;
-               RAND_bytes(buf,i);
+               if (RAND_bytes(buf,i) <= 0)
+                       err=1;
                i=fwrite(buf,1,i,out);
                if (i <= 0)
                        {
@@ -169,7 +170,7 @@ int RAND_write_file(const char *file)
        fclose(out);
        memset(buf,0,BUFSIZE);
 err:
-       return(ret);
+       return(err ? -1 : ret);
        }
 
 char *RAND_file_name(char *buf, int size)
index 067216b..aaedf6a 100644 (file)
@@ -224,7 +224,7 @@ static int ssl23_client_hello(SSL *s)
 #endif
 
                p=s->s3->client_random;
-               RAND_bytes(p,SSL3_RANDOM_SIZE);
+               RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE);
 
                /* Do the message type and length last */
                d= &(buf[2]);
@@ -285,7 +285,7 @@ static int ssl23_client_hello(SSL *s)
                        i=ch_len;
                s2n(i,d);
                memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
-               RAND_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+               RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
                memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
                p+=i;
 
index f05b76a..f813c50 100644 (file)
@@ -515,7 +515,7 @@ static int client_hello(SSL *s)
                s->s2->challenge_length=SSL2_CHALLENGE_LENGTH;
                s2n(SSL2_CHALLENGE_LENGTH,p);           /* challenge length */
                /*challenge id data*/
-               RAND_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH);
+               RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH);
                memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH);
                d+=SSL2_CHALLENGE_LENGTH;
 
@@ -557,12 +557,19 @@ static int client_master_key(SSL *s)
                /* make key_arg data */
                i=EVP_CIPHER_iv_length(c);
                sess->key_arg_length=i;
-               if (i > 0) RAND_bytes(sess->key_arg,i);
+               if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
 
                /* make a master key */
                i=EVP_CIPHER_key_length(c);
                sess->master_key_length=i;
-               if (i > 0) RAND_bytes(sess->master_key,i);
+               if (i > 0)
+                       {
+                       if (RAND_bytes(sess->master_key,i) <= 0)
+                               {
+                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+                               goto err;
+                               }
+                       }
 
                if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
                        enc=8;
index 811daa2..af300ba 100644 (file)
@@ -415,7 +415,7 @@ static int get_client_master_key(SSL *s)
                        i=ek;
                else
                        i=EVP_CIPHER_key_length(c);
-               RAND_bytes(p,i);
+               RAND_pseudo_bytes(p,i);
                }
 #else
        if (i < 0)
@@ -680,7 +680,7 @@ static int server_hello(SSL *s)
                /* make and send conn_id */
                s2n(SSL2_CONNECTION_ID_LENGTH,p);       /* add conn_id length */
                s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
-               RAND_bytes(s->s2->conn_id,(int)s->s2->conn_id_length);
+               RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length);
                memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
                d+=SSL2_CONNECTION_ID_LENGTH;
 
@@ -798,7 +798,7 @@ static int request_certificate(SSL *s)
                p=(unsigned char *)s->init_buf->data;
                *(p++)=SSL2_MT_REQUEST_CERTIFICATE;
                *(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
-               RAND_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+               RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
                memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
 
                s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
index 9d85ba4..cec0e3b 100644 (file)
@@ -466,7 +466,7 @@ static int ssl3_client_hello(SSL *s)
                p=s->s3->client_random;
                Time=time(NULL);                        /* Time */
                l2n(Time,p);
-               RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+               RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
 
                /* Do the message type and length last */
                d=p= &(buf[4]);
@@ -1341,7 +1341,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                
                        tmp_buf[0]=s->client_version>>8;
                        tmp_buf[1]=s->client_version&0xff;
-                       RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+                       if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
+                                       goto err;
 
                        s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
 
index c6cc4f7..fd20f80 100644 (file)
@@ -816,7 +816,7 @@ static int ssl3_send_server_hello(SSL *s)
                p=s->s3->server_random;
                Time=time(NULL);                        /* Time */
                l2n(Time,p);
-               RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+               RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
                /* Do the message type and length last */
                d=p= &(buf[4]);
 
@@ -1292,7 +1292,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                                {
                                p[0]=(s->version>>8);
                                p[1]=(s->version & 0xff);
-                               RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+                               RAND_pseudo_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
                                i=SSL_MAX_MASTER_KEY_LENGTH;
                                }
                        /* else, an SSLeay bug, ssl only server, tls client */
index d675580..0573f2c 100644 (file)
@@ -184,7 +184,7 @@ int ssl_get_new_session(SSL *s, int session)
                        {
                        SSL_SESSION *r;
 
-                       RAND_bytes(ss->session_id,ss->session_id_length);
+                       RAND_pseudo_bytes(ss->session_id,ss->session_id_length);
                        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
                        r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,
                                (char *)ss);