Change usage of RAND_pseudo_bytes to RAND_bytes
authorMatt Caswell <matt@openssl.org>
Mon, 25 Apr 2016 16:06:56 +0000 (17:06 +0100)
committerMatt Caswell <matt@openssl.org>
Mon, 27 Jun 2016 14:00:08 +0000 (15:00 +0100)
RAND_pseudo_bytes() allows random data to be returned even in low entropy
conditions. Sometimes this is ok. Many times it is not. For the avoidance
of any doubt, replace existing usage of RAND_pseudo_bytes() with
RAND_bytes().

Reviewed-by: Rich Salz <rsalz@openssl.org>
28 files changed:
apps/enc.c
apps/passwd.c
apps/s_server.c
crypto/asn1/asn_mime.c
crypto/asn1/p5_pbe.c
crypto/asn1/p5_pbev2.c
crypto/bio/bf_nbio.c
crypto/bn/bn_rand.c
crypto/cms/cms_enc.c
crypto/cms/cms_ess.c
crypto/cms/cms_pwri.c
crypto/des/des.c
crypto/des/enc_writ.c
crypto/dsa/dsa_gen.c
crypto/evp/bio_ok.c
crypto/ocsp/ocsp_ext.c
crypto/pem/pem_lib.c
crypto/pkcs12/p12_mutl.c
crypto/pkcs7/pk7_doit.c
crypto/srp/srp_vfy.c
ssl/d1_both.c
ssl/s23_clnt.c
ssl/s2_clnt.c
ssl/s2_srvr.c
ssl/s3_srvr.c
ssl/ssl_lib.c
ssl/ssl_sess.c
ssl/t1_lib.c

index 7b7c70b..8e2ef27 100644 (file)
@@ -509,7 +509,7 @@ int MAIN(int argc, char **argv)
                             BIO_printf(bio_err, "invalid hex salt value\n");
                             goto end;
                         }
-                    } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
+                    } else if (RAND_bytes(salt, sizeof salt) <= 0)
                         goto end;
                     /*
                      * If -P option then don't bother writing
index 5ff53b5..798a6d5 100644 (file)
@@ -416,7 +416,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
                 if (*salt_malloc_p == NULL)
                     goto err;
             }
-            if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
+            if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0)
                 goto err;
             (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
             (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
@@ -437,7 +437,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
                 if (*salt_malloc_p == NULL)
                     goto err;
             }
-            if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
+            if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0)
                 goto err;
 
             for (i = 0; i < 8; i++)
index d6c53d9..2c1e5ee 100644 (file)
@@ -3364,7 +3364,7 @@ static int generate_session_id(const SSL *ssl, unsigned char *id,
 {
     unsigned int count = 0;
     do {
-        if (RAND_pseudo_bytes(id, *id_len) < 0)
+        if (RAND_bytes(id, *id_len) <= 0)
             return 0;
         /*
          * Prefix the session_id with the required prefix. NB: If our prefix
index 96110c5..9fd5bef 100644 (file)
@@ -289,7 +289,7 @@ int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags,
     if ((flags & SMIME_DETACHED) && data) {
         /* We want multipart/signed */
         /* Generate a random boundary */
-        if (RAND_pseudo_bytes((unsigned char *)bound, 32) < 0)
+        if (RAND_bytes((unsigned char *)bound, 32) <= 0)
             return 0;
         for (i = 0; i < 32; i++) {
             c = bound[i] & 0xf;
index bdbfdcd..e2a1def 100644 (file)
@@ -101,7 +101,7 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
     sstr = ASN1_STRING_data(pbe->salt);
     if (salt)
         memcpy(sstr, salt, saltlen);
-    else if (RAND_pseudo_bytes(sstr, saltlen) < 0)
+    else if (RAND_bytes(sstr, saltlen) <= 0)
         goto err;
 
     if (!ASN1_item_pack(pbe, ASN1_ITEM_rptr(PBEPARAM), &pbe_str)) {
index 73ba4a3..388053e 100644 (file)
@@ -120,7 +120,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
     if (EVP_CIPHER_iv_length(cipher)) {
         if (aiv)
             memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher));
-        else if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
+        else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0)
             goto err;
     }
 
@@ -225,7 +225,7 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
 
     if (salt)
         memcpy(osalt->data, salt, saltlen);
-    else if (RAND_pseudo_bytes(osalt->data, saltlen) < 0)
+    else if (RAND_bytes(osalt->data, saltlen) <= 0)
         goto merr;
 
     if (iter <= 0)
index a04f32a..4842bb4 100644 (file)
@@ -139,7 +139,7 @@ static int nbiof_read(BIO *b, char *out, int outl)
 
     BIO_clear_retry_flags(b);
 #if 1
-    if (RAND_pseudo_bytes(&n, 1) < 0)
+    if (RAND_bytes(&n, 1) <= 0)
         return -1;
     num = (n & 0x07);
 
@@ -179,7 +179,7 @@ static int nbiof_write(BIO *b, const char *in, int inl)
         num = nt->lwn;
         nt->lwn = 0;
     } else {
-        if (RAND_pseudo_bytes(&n, 1) < 0)
+        if (RAND_bytes(&n, 1) <= 0)
             return -1;
         num = (n & 7);
     }
index f9fb2e9..2266d22 100644 (file)
@@ -145,13 +145,9 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
     time(&tim);
     RAND_add(&tim, sizeof(tim), 0.0);
 
-    if (pseudorand) {
-        if (RAND_pseudo_bytes(buf, bytes) == -1)
-            goto err;
-    } else {
-        if (RAND_bytes(buf, bytes) <= 0)
-            goto err;
-    }
+    /* We ignore the value of pseudorand and always call RAND_bytes */
+    if (RAND_bytes(buf, bytes) <= 0)
+        goto err;
 
 #if 1
     if (pseudorand == 2) {
index e282c9d..90b1fcc 100644 (file)
@@ -119,7 +119,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
         /* Generate a random IV if we need one */
         ivlen = EVP_CIPHER_CTX_iv_length(ctx);
         if (ivlen > 0) {
-            if (RAND_pseudo_bytes(iv, ivlen) <= 0)
+            if (RAND_bytes(iv, ivlen) <= 0)
                 goto err;
             piv = iv;
         }
index 8631a2e..8212560 100644 (file)
@@ -107,8 +107,7 @@ CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen,
     else {
         if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32))
             goto merr;
-        if (RAND_pseudo_bytes(rr->signedContentIdentifier->data, 32)
-            <= 0)
+        if (RAND_bytes(rr->signedContentIdentifier->data, 32) <= 0)
             goto err;
     }
 
index b91c016..5c817ca 100644 (file)
@@ -134,7 +134,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
     ivlen = EVP_CIPHER_CTX_iv_length(&ctx);
 
     if (ivlen > 0) {
-        if (RAND_pseudo_bytes(iv, ivlen) <= 0)
+        if (RAND_bytes(iv, ivlen) <= 0)
             goto err;
         if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) {
             CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB);
@@ -301,7 +301,7 @@ static int kek_wrap_key(unsigned char *out, size_t *outlen,
         memcpy(out + 4, in, inlen);
         /* Add random padding to end */
         if (olen > inlen + 4
-            && RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen) < 0)
+            && RAND_bytes(out + 4 + inlen, olen - 4 - inlen) <= 0)
             return 0;
         /* Encrypt twice */
         EVP_EncryptUpdate(ctx, out, &dummy, out, olen);
index 586aed7..d737438 100644 (file)
@@ -456,7 +456,7 @@ void doencryption(void)
             len = l - rem;
             if (feof(DES_IN)) {
                 for (i = 7 - rem; i > 0; i--) {
-                    if (RAND_pseudo_bytes(buf + l++, 1) < 0)
+                    if (RAND_bytes(buf + l++, 1) <= 0)
                         goto problems;
                 }
                 buf[l++] = rem;
index bfaabde..c2aaa8e 100644 (file)
@@ -135,7 +135,7 @@ int DES_enc_write(int fd, const void *_buf, int len,
     if (len < 8) {
         cp = shortbuf;
         memcpy(shortbuf, buf, len);
-        if (RAND_pseudo_bytes(shortbuf + len, 8 - len) < 0) {
+        if (RAND_bytes(shortbuf + len, 8 - len) <= 0) {
             return -1;
         }
         rnum = 8;
index 15f3bb4..f6de684 100644 (file)
@@ -197,7 +197,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
                 goto err;
 
             if (!seed_len || !seed_in) {
-                if (RAND_pseudo_bytes(seed, qsize) < 0)
+                if (RAND_bytes(seed, qsize) <= 0)
                     goto err;
                 seed_is_random = 1;
             } else {
@@ -491,7 +491,7 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
                 goto err;
 
             if (!seed_in) {
-                if (RAND_pseudo_bytes(seed, seed_len) < 0)
+                if (RAND_bytes(seed, seed_len) <= 0)
                     goto err;
             }
             /* step 2 */
index 5c32e35..16e151f 100644 (file)
@@ -491,7 +491,7 @@ static int sig_out(BIO *b)
      * FIXME: there's absolutely no guarantee this makes any sense at all,
      * particularly now EVP_MD_CTX has been restructured.
      */
-    if (RAND_pseudo_bytes(md->md_data, md->digest->md_size) < 0)
+    if (RAND_bytes(md->md_data, md->digest->md_size) <= 0)
         goto berr;
     memcpy(&(ctx->buf[ctx->buf_len]), md->md_data, md->digest->md_size);
     longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
index c19648c..55af31b 100644 (file)
@@ -361,7 +361,7 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
     ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
     if (val)
         memcpy(tmpval, val, len);
-    else if (RAND_pseudo_bytes(tmpval, len) < 0)
+    else if (RAND_bytes(tmpval, len) <= 0)
         goto err;
     if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
                          &os, 0, X509V3_ADD_REPLACE))
index ac4faae..c82b3c0 100644 (file)
@@ -393,7 +393,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
         }
         RAND_add(data, i, 0);   /* put in the RSA key. */
         OPENSSL_assert(enc->iv_len <= (int)sizeof(iv));
-        if (RAND_pseudo_bytes(iv, enc->iv_len) < 0) /* Generate a salt */
+        if (RAND_bytes(iv, enc->iv_len) <= 0) /* Generate a salt */
             goto err;
         /*
          * The 'iv' is used as the iv and as a salt.  It is NOT taken from
index a927782..cbf34da 100644 (file)
@@ -179,7 +179,7 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
     }
     p12->mac->salt->length = saltlen;
     if (!salt) {
-        if (RAND_pseudo_bytes(p12->mac->salt->data, saltlen) < 0)
+        if (RAND_bytes(p12->mac->salt->data, saltlen) <= 0)
             return 0;
     } else
         memcpy(p12->mac->salt->data, salt, saltlen);
index 946aaa6..1ab6d5a 100644 (file)
@@ -340,7 +340,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
         ivlen = EVP_CIPHER_iv_length(evp_cipher);
         xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
         if (ivlen > 0)
-            if (RAND_pseudo_bytes(iv, ivlen) <= 0)
+            if (RAND_bytes(iv, ivlen) <= 0)
                 goto err;
         if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1) <= 0)
             goto err;
index 26ad3e0..986babf 100644 (file)
@@ -544,7 +544,7 @@ SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username)
     if (!SRP_user_pwd_set_ids(user, username, NULL))
         goto err;
 
-    if (RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH) < 0)
+    if (RAND_bytes(digv, SHA_DIGEST_LENGTH) <= 0)
         goto err;
     EVP_MD_CTX_init(&ctxt);
     EVP_DigestInit_ex(&ctxt, EVP_sha1(), NULL);
@@ -597,7 +597,7 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
     }
 
     if (*salt == NULL) {
-        if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0)
+        if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0)
             goto err;
 
         s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
@@ -670,7 +670,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
     srp_bn_print(g);
 
     if (*salt == NULL) {
-        if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0)
+        if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0)
             goto err;
 
         salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
index 5d26c94..b5900de 100644 (file)
@@ -1469,7 +1469,7 @@ int dtls1_process_heartbeat(SSL *s)
         memcpy(bp, pl, payload);
         bp += payload;
         /* Random padding */
-        if (RAND_pseudo_bytes(bp, padding) < 0) {
+        if (RAND_bytes(bp, padding) <= 0) {
             OPENSSL_free(buffer);
             return -1;
         }
@@ -1554,11 +1554,11 @@ int dtls1_heartbeat(SSL *s)
     /* Sequence number */
     s2n(s->tlsext_hb_seq, p);
     /* 16 random bytes */
-    if (RAND_pseudo_bytes(p, 16) < 0)
+    if (RAND_bytes(p, 16) <= 0)
         goto err;
     p += 16;
     /* Random padding */
-    if (RAND_pseudo_bytes(p, padding) < 0)
+    if (RAND_bytes(p, padding) <= 0)
         goto err;
 
     ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
index f782010..6850dc0 100644 (file)
@@ -289,9 +289,9 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
         unsigned long Time = (unsigned long)time(NULL);
         unsigned char *p = result;
         l2n(Time, p);
-        return RAND_pseudo_bytes(p, len - 4);
+        return RAND_bytes(p, len - 4);
     } else
-        return RAND_pseudo_bytes(result, len);
+        return RAND_bytes(result, len);
 }
 
 static int ssl23_client_hello(SSL *s)
@@ -466,8 +466,8 @@ static int ssl23_client_hello(SSL *s)
                 i = ch_len;
             s2n(i, d);
             memset(&(s->s3->client_random[0]), 0, SSL3_RANDOM_SIZE);
-            if (RAND_pseudo_bytes
-                (&(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i) <= 0)
+            if (RAND_bytes (&(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i)
+                    <= 0)
                 return -1;
 
             memcpy(p, &(s->s3->client_random[SSL3_RANDOM_SIZE - i]), i);
index 69da6b1..20de1a8 100644 (file)
@@ -581,7 +581,7 @@ static int client_hello(SSL *s)
         /*
          * challenge id data
          */
-        if (RAND_pseudo_bytes(s->s2->challenge, SSL2_CHALLENGE_LENGTH) <= 0)
+        if (RAND_bytes(s->s2->challenge, SSL2_CHALLENGE_LENGTH) <= 0)
             return -1;
         memcpy(d, s->s2->challenge, SSL2_CHALLENGE_LENGTH);
         d += SSL2_CHALLENGE_LENGTH;
@@ -629,7 +629,7 @@ static int client_master_key(SSL *s)
             return -1;
         }
         if (i > 0)
-            if (RAND_pseudo_bytes(sess->key_arg, i) <= 0)
+            if (RAND_bytes(sess->key_arg, i) <= 0)
                 return -1;
 
         /* make a master key */
index 07e9df8..d3b243c 100644 (file)
@@ -526,11 +526,8 @@ static int get_client_master_key(SSL *s)
      * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
      */
 
-    /*
-     * should be RAND_bytes, but we cannot work around a failure.
-     */
-    if (RAND_pseudo_bytes(rand_premaster_secret,
-                          (int)num_encrypted_key_bytes) <= 0)
+    if (RAND_bytes(rand_premaster_secret,
+                  (int)num_encrypted_key_bytes) <= 0)
         return 0;
 
     i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
@@ -822,8 +819,7 @@ static int server_hello(SSL *s)
         /* make and send conn_id */
         s2n(SSL2_CONNECTION_ID_LENGTH, p); /* add conn_id length */
         s->s2->conn_id_length = SSL2_CONNECTION_ID_LENGTH;
-        if (RAND_pseudo_bytes(s->s2->conn_id, (int)s->s2->conn_id_length) <=
-            0)
+        if (RAND_bytes(s->s2->conn_id, (int)s->s2->conn_id_length) <= 0)
             return -1;
         memcpy(d, s->s2->conn_id, SSL2_CONNECTION_ID_LENGTH);
         d += SSL2_CONNECTION_ID_LENGTH;
@@ -962,7 +958,7 @@ static int request_certificate(SSL *s)
         p = (unsigned char *)s->init_buf->data;
         *(p++) = SSL2_MT_REQUEST_CERTIFICATE;
         *(p++) = SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
-        if (RAND_pseudo_bytes(ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
+        if (RAND_bytes(ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
             return -1;
         memcpy(p, ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH);
 
index ab7f690..0c43c49 100644 (file)
@@ -2229,11 +2229,8 @@ int ssl3_get_client_key_exchange(SSL *s)
          * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
          */
 
-        /*
-         * should be RAND_bytes, but we cannot work around a failure.
-         */
-        if (RAND_pseudo_bytes(rand_premaster_secret,
-                              sizeof(rand_premaster_secret)) <= 0)
+        if (RAND_bytes(rand_premaster_secret,
+                       sizeof(rand_premaster_secret)) <= 0)
             goto err;
         decrypt_len =
             RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
index 714a31e..a707612 100644 (file)
@@ -2000,7 +2000,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     ret->tlsext_servername_callback = 0;
     ret->tlsext_servername_arg = NULL;
     /* Setup RFC4507 ticket keys */
-    if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
+    if ((RAND_bytes(ret->tlsext_tick_key_name, 16) <= 0)
         || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
         || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
         ret->options |= SSL_OP_NO_TICKET;
index 54ee783..ba5737f 100644 (file)
@@ -382,7 +382,7 @@ static int def_generate_session_id(const SSL *ssl, unsigned char *id,
 {
     unsigned int retry = 0;
     do
-        if (RAND_pseudo_bytes(id, *id_len) <= 0)
+        if (RAND_bytes(id, *id_len) <= 0)
             return 0;
     while (SSL_has_matching_session_id(ssl, id, *id_len) &&
            (++retry < MAX_SESS_ID_ATTEMPTS)) ;
index cdac011..8071b4a 100644 (file)
@@ -3906,7 +3906,7 @@ int tls1_process_heartbeat(SSL *s)
         memcpy(bp, pl, payload);
         bp += payload;
         /* Random padding */
-        if (RAND_pseudo_bytes(bp, padding) < 0) {
+        if (RAND_bytes(bp, padding) <= 0) {
             OPENSSL_free(buffer);
             return -1;
         }
@@ -3992,13 +3992,13 @@ int tls1_heartbeat(SSL *s)
     /* Sequence number */
     s2n(s->tlsext_hb_seq, p);
     /* 16 random bytes */
-    if (RAND_pseudo_bytes(p, 16) < 0) {
+    if (RAND_bytes(p, 16) <= 0) {
         SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
         goto err;
     }
     p += 16;
     /* Random padding */
-    if (RAND_pseudo_bytes(p, padding) < 0) {
+    if (RAND_bytes(p, padding) <= 0) {
         SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
         goto err;
     }