From e7f97e2d22e386df60c8da63277727a931bf22b7 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Ulf=20M=C3=B6ller?= Date: Fri, 21 Jan 2000 01:15:56 +0000 Subject: [PATCH] Check RAND_bytes() return value or use RAND_pseudo_bytes(). --- CHANGES | 4 ---- apps/enc.c | 6 +++++- crypto/asn1/p5_pbe.c | 3 ++- crypto/asn1/p5_pbev2.c | 4 ++-- crypto/bio/bf_nbio.c | 4 ++-- crypto/des/des.c | 2 +- crypto/des/enc_writ.c | 2 +- crypto/dsa/dsa_gen.c | 2 +- crypto/evp/bio_ok.c | 2 +- crypto/evp/p_seal.c | 5 +++-- crypto/pem/pem_lib.c | 3 ++- crypto/pkcs12/p12_mutl.c | 5 ++++- crypto/pkcs7/pk7_doit.c | 2 +- crypto/rand/randfile.c | 7 ++++--- ssl/s23_clnt.c | 4 ++-- ssl/s2_clnt.c | 13 ++++++++++--- ssl/s2_srvr.c | 6 +++--- ssl/s3_clnt.c | 5 +++-- ssl/s3_srvr.c | 4 ++-- ssl/ssl_sess.c | 2 +- 20 files changed, 50 insertions(+), 35 deletions(-) diff --git a/CHANGES b/CHANGES index ff4dfc3620..9d96037cd4 100644 --- a/CHANGES +++ b/CHANGES @@ -31,10 +31,6 @@ (1 = ok, 0 = not seeded). Also an error is recorded on the thread's error queue. New function RAND_pseudo_bytes() generates output that is guaranteed to be unique but not unpredictable. - (TO DO: always check the result of RAND_bytes when it is used in the - library, or use RAND_pseudo_bytes instead, because leaving the - error in the error queue but reporting success in a function that - uses RAND_bytes could confuse things considerably.) [Ulf Möller] *) Do more iterations of Rabin-Miller probable prime test (specifically, diff --git a/apps/enc.c b/apps/enc.c index e584241bf1..ca30276d29 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -448,7 +448,11 @@ bad: "invalid hex salt value\n"); goto end; } - } else RAND_bytes(salt, PKCS5_SALT_LEN); + } else if (RAND_bytes(salt, PKCS5_SALT_LEN) <= 0) { + BIO_printf(bio_err, + "prng not seeded\n"); + goto end; + } /* If -P option then don't bother writing */ if((printkey != 2) && (BIO_write(wbio,magic, diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c index adb92e5fd0..8cda4f609a 100644 
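Review bot: The new failure branch in apps/enc.c prints only `prng not seeded` and discards the diagnostics the failing call left on the error queue (this patch's own CHANGES entry says RAND_bytes records one there), so the user never learns why seeding failed. Add `ERR_print_errors(bio_err);` after the BIO_printf and before `goto end`. Note also that `<= 0` catches any negative return as well as 0, so a fixed "not seeded" text may be wrong for a RAND method that reports a different failure; `RAND_bytes() failed` would be accurate in every case.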
--- a/crypto/asn1/p5_pbe.c +++ b/crypto/asn1/p5_pbe.c @@ -129,7 +129,8 @@ X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt, } pbe->salt->length = saltlen; if (salt) memcpy (pbe->salt->data, salt, saltlen); - else RAND_bytes (pbe->salt->data, saltlen); + else if (RAND_bytes (pbe->salt->data, saltlen) <= 0) + return NULL; if (!(astype = ASN1_TYPE_new())) { ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE); diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index 502a8c399d..44d5b5bc6e 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -194,7 +194,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, if(!(scheme->parameter = ASN1_TYPE_new())) goto merr; /* Create random IV */ - RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)); + RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)); /* Dummy cipherinit to just setup the IV */ EVP_CipherInit(&ctx, cipher, NULL, iv, 0); @@ -212,7 +212,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, if (!(osalt->data = Malloc (saltlen))) goto merr; osalt->length = saltlen; if (salt) memcpy (osalt->data, salt, saltlen); - else RAND_bytes (osalt->data, saltlen); + else if (RAND_bytes (osalt->data, saltlen) <= 0) goto merr; if(iter <= 0) iter = PKCS5_DEFAULT_ITER; if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr; diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c index cbec2bae29..a525e79d4f 100644 --- a/crypto/bio/bf_nbio.c +++ b/crypto/bio/bf_nbio.c @@ -137,7 +137,7 @@ static int nbiof_read(BIO *b, char *out, int outl) BIO_clear_retry_flags(b); #if 0 - RAND_bytes(&n,1); + RAND_pseudo_bytes(&n,1); num=(n&0x07); if (outl > num) outl=num; @@ -178,7 +178,7 @@ static int nbiof_write(BIO *b, char *in, int inl) } else { - RAND_bytes(&n,1); + RAND_pseudo_bytes(&n,1); num=(n&7); } diff --git a/crypto/des/des.c b/crypto/des/des.c index 5cd337301a..aabd01cc8a 100644 --- a/crypto/des/des.c +++ b/crypto/des/des.c 
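Review bot: The new `return NULL` in PKCS5_pbe_set exits without releasing `pbe`, whose salt buffer has just been sized and filled on the lines above, so a PRNG failure now leaks the partially built structure. The sibling fix in crypto/asn1/p5_pbev2.c routes the same failure through `goto merr`; this function should likewise jump to its cleanup path if it has one (the hunk does not show it), or free `pbe` explicitly before returning. The enclosing function starts and ends outside the hunk.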
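Review bot: Sending a RAND_bytes failure to `merr` in PKCS5_pbe2_set is likely to misreport the cause: judging by its name and its use on the neighbouring `Malloc` and `ASN1_TYPE_new` failures, that label records a malloc-failure reason, which would be stacked on top of the not-seeded error RAND_bytes already queued. Prefer a cleanup target that frees the same objects without adding an ASN1err, so the error queue names the real problem. The label itself and the rest of the function lie outside the hunk, so please confirm what `merr` does.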
@@ -484,7 +484,7 @@ void doencryption(void) if (feof(DES_IN)) { for (i=7-rem; i>0; i--) - RAND_bytes(buf + l++, 1); + RAND_pseudo_bytes(buf + l++, 1); buf[l++]=rem; ex=1; len+=rem; diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c index 8ded146f8b..892f15e2d7 100644 --- a/crypto/des/enc_writ.c +++ b/crypto/des/enc_writ.c @@ -130,7 +130,7 @@ int des_enc_write(int fd, const void *_buf, int len, { cp=shortbuf; memcpy(shortbuf,buf,len); - RAND_bytes(shortbuf+len, 8-len); + RAND_pseudo_bytes(shortbuf+len, 8-len); rnum=8; } else diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index b5e5ec06e5..57435a9be2 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -121,7 +121,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, if (callback != NULL) callback(0,m++,cb_arg); if (!seed_len) - RAND_bytes(seed,SHA_DIGEST_LENGTH); + RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH); else seed_len=0; diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c index 101275d648..a54384a71c 100644 --- a/crypto/evp/bio_ok.c +++ b/crypto/evp/bio_ok.c @@ -451,7 +451,7 @@ static void sig_out(BIO* b) if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return; EVP_DigestInit(md, md->digest); - RAND_bytes(&(md->md.base[0]), md->digest->md_size); + RAND_pseudo_bytes(&(md->md.base[0]), md->digest->md_size); memcpy(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]), md->digest->md_size); longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size); ctx->buf_len+= md->digest->md_size; diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c index e372f138c7..d449e892bf 100644 --- a/crypto/evp/p_seal.c +++ b/crypto/evp/p_seal.c 
@@ -73,9 +73,10 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek, int i; if (npubk <= 0) return(0); - if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0) return(0); + if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0) + return(0); if (type->iv_len > 0) - RAND_bytes(iv,type->iv_len); + RAND_pseudo_bytes(iv,type->iv_len); EVP_CIPHER_CTX_init(ctx); EVP_EncryptInit(ctx,type,key,iv); diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index 449a1fe984..49aeb62bde 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -379,7 +379,8 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x, kstr=(unsigned char *)buf; } RAND_add(data,i,0);/* put in the RSA key. */ - RAND_bytes(iv,8); /* Generate a salt */ + if (RAND_bytes(iv,8) <= 0) /* Generate a salt */ + goto err; /* The 'iv' is used as the iv and as a salt. It is * NOT taken from the BytesToKey function */ EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL); diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index 3cb782fa60..f1094b3840 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -156,7 +156,10 @@ int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen, PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE); return 0; } - if (!salt) RAND_bytes (p12->mac->salt->data, saltlen); + if (!salt) { + if (RAND_bytes (p12->mac->salt->data, saltlen) <= 0) + return 0; + } else memcpy (p12->mac->salt->data, salt, saltlen); p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type)); if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) { diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 78355c9387..1403ff591d 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c 
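Review bot: The new early exit `if (RAND_bytes(iv,8) <= 0) goto err;` in PEM_ASN1_write_bio fires after the passphrase has been placed in `buf`/`kstr` and after `data` holds the encoded private key, so `err:` must now scrub both before freeing them; the label is outside the hunk, so please confirm it wipes rather than just frees. Separately, the line above it, `RAND_add(data,i,0); /* put in the RSA key. */`, stirs the private key into the PRNG pool with a zero entropy estimate; that is harmless as written, but a comment saying the estimate must stay 0 would stop someone later "improving" it.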
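Review bot: On a RAND_bytes failure PKCS12_setup_mac now returns 0 while leaving `p12->mac` attached with a salt buffer of `saltlen` uninitialised bytes, so a caller that ignores the return value would go on to MAC and serialise with garbage salt. If this function allocated `p12->mac` itself (not visible in the hunk), free it and reset the pointer before `return 0;`, and consider the same for the malloc-failure path just above. The rest of the function is outside the hunk.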
@@ -164,7 +164,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) if (RAND_bytes(key,keylen) <= 0) goto err; xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); - if (ivlen > 0) RAND_bytes(iv,ivlen); + if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen); EVP_CipherInit(ctx, evp_cipher, key, iv, 1); if (ivlen > 0) { diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index 97c3ece535..f95ecb0e00 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -118,7 +118,7 @@ err: int RAND_write_file(const char *file) { unsigned char buf[BUFSIZE]; - int i,ret=0; + int i,ret=0,err=0; FILE *out = NULL; int n; @@ -156,7 +156,8 @@ int RAND_write_file(const char *file) { i=(n > BUFSIZE)?BUFSIZE:n; n-=BUFSIZE; - RAND_bytes(buf,i); + if (RAND_bytes(buf,i) <= 0) + err=1; i=fwrite(buf,1,i,out); if (i <= 0) { @@ -169,7 +170,7 @@ int RAND_write_file(const char *file) fclose(out); memset(buf,0,BUFSIZE); err: - return(ret); + return(err ? -1 : ret); } char *RAND_file_name(char *buf, int size) diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 067216b1a2..aaedf6a9bb 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -224,7 +224,7 @@ static int ssl23_client_hello(SSL *s) #endif p=s->s3->client_random; - RAND_bytes(p,SSL3_RANDOM_SIZE); + RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE); /* Do the message type and length last */ d= &(buf[2]); @@ -285,7 +285,7 @@ static int ssl23_client_hello(SSL *s) i=ch_len; s2n(i,d); memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE); - RAND_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); + RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); p+=i; diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index f05b76a66a..f813c504fe 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c 
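Review bot: In RAND_write_file the loop keeps writing after `RAND_bytes(buf,i)` fails, so the seed file is populated with whatever `buf` held - unseeded PRNG output or stale stack contents - and will later be consumed as seed material; setting `err=1` only changes the return code. Stop instead: `if (RAND_bytes(buf,i) <= 0) { err=1; break; }`, or better, do not write anything at all in that case. Note too that `memset(buf,0,BUFSIZE)` sits before the `err:` label, so any path that jumps there skips scrubbing the buffer; moving the memset after the label closes that gap.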
@@ -515,7 +515,7 @@ static int client_hello(SSL *s) s->s2->challenge_length=SSL2_CHALLENGE_LENGTH; s2n(SSL2_CHALLENGE_LENGTH,p); /* challenge length */ /*challenge id data*/ - RAND_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH); + RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH); memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH); d+=SSL2_CHALLENGE_LENGTH; @@ -557,12 +557,19 @@ static int client_master_key(SSL *s) /* make key_arg data */ i=EVP_CIPHER_iv_length(c); sess->key_arg_length=i; - if (i > 0) RAND_bytes(sess->key_arg,i); + if (i > 0) RAND_pseudo_bytes(sess->key_arg,i); /* make a master key */ i=EVP_CIPHER_key_length(c); sess->master_key_length=i; - if (i > 0) RAND_bytes(sess->master_key,i); + if (i > 0) + { + if (RAND_bytes(sess->master_key,i) <= 0) + { + ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); + goto err; + } + } if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) enc=8; diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 811daa2e2c..af300bab8d 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -415,7 +415,7 @@ static int get_client_master_key(SSL *s) i=ek; else i=EVP_CIPHER_key_length(c); - RAND_bytes(p,i); + RAND_pseudo_bytes(p,i); } #else if (i < 0) @@ -680,7 +680,7 @@ static int server_hello(SSL *s) /* make and send conn_id */ s2n(SSL2_CONNECTION_ID_LENGTH,p); /* add conn_id length */ s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH; - RAND_bytes(s->s2->conn_id,(int)s->s2->conn_id_length); + RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length); memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH); d+=SSL2_CONNECTION_ID_LENGTH; @@ -798,7 +798,7 @@ static int request_certificate(SSL *s) p=(unsigned char *)s->init_buf->data; *(p++)=SSL2_MT_REQUEST_CERTIFICATE; *(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION; - RAND_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); + RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B; 
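Review bot: The switch to `RAND_pseudo_bytes(p,i)` in get_client_master_key appears to land on the path that substitutes a random master key when the RSA-decrypted one is unusable (the `#else` branch opens with `if (i < 0)`, and the key length is being recomputed here); that substitute must be unpredictable, because if an attacker can guess it, whether the handshake succeeds reveals that decryption failed - the very oracle the substitution exists to hide. If that reading is right, keep `RAND_bytes` here and abort the handshake when it fails rather than continue with weak bytes. The `#if` condition and the surrounding function are outside the hunk, so please confirm which branch is compiled.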
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 9d85ba4fd9..cec0e3b35a 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -466,7 +466,7 @@ static int ssl3_client_hello(SSL *s) p=s->s3->client_random; Time=time(NULL); /* Time */ l2n(Time,p); - RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); + RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); /* Do the message type and length last */ d=p= &(buf[4]); @@ -1341,7 +1341,8 @@ static int ssl3_send_client_key_exchange(SSL *s) tmp_buf[0]=s->client_version>>8; tmp_buf[1]=s->client_version&0xff; - RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2); + if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0) + goto err; s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH; diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index c6cc4f73a9..fd20f8004a 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -816,7 +816,7 @@ static int ssl3_send_server_hello(SSL *s) p=s->s3->server_random; Time=time(NULL); /* Time */ l2n(Time,p); - RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); + RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); /* Do the message type and length last */ d=p= &(buf[4]); @@ -1292,7 +1292,7 @@ static int ssl3_get_client_key_exchange(SSL *s) { p[0]=(s->version>>8); p[1]=(s->version & 0xff); - RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2); + RAND_pseudo_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2); i=SSL_MAX_MASTER_KEY_LENGTH; } /* else, an SSLeay bug, ssl only server, tls client */ diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index d6755801cc..0573f2c836 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -184,7 +184,7 @@ int ssl_get_new_session(SSL *s, int session) { SSL_SESSION *r; - RAND_bytes(ss->session_id,ss->session_id_length); + RAND_pseudo_bytes(ss->session_id,ss->session_id_length); CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions, (char *)ss); -- 2.34.1
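Review bot: The new `goto err` in ssl3_send_client_key_exchange records no SSL-level reason for the failed premaster-secret generation, whereas the matching fix in ssl/s2_clnt.c calls `ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR)` before bailing out; a caller will see only the RAND error on the queue and no indication of which handshake step failed. Add an `SSLerr(...)` with this function's code before the jump, as its other failure paths presumably do. Also confirm that `err:` clears `tmp_buf`, which now holds the version bytes plus whatever partial output RAND_bytes produced; the function continues outside the hunk.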
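Review bot: The premaster secret fabricated in ssl3_get_client_key_exchange - version bytes followed by `RAND_pseudo_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2)` - is, judging by the comment that follows, the stand-in used when the client's RSA-encrypted value cannot be accepted as-is; for that to be safe it must be indistinguishable from a genuine secret, yet the CHANGES entry in this same patch describes RAND_pseudo_bytes output as "not unpredictable". Keep `RAND_bytes` on this line and treat its failure as a fatal handshake error, as the client side now does in ssl/s3_clnt.c. The branch condition and the rest of the function are outside the hunk.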