Check RAND_bytes() return value or use RAND_pseudo_bytes().

diff --git a/CHANGES b/CHANGES
index ff4dfc3620df9cd7b96afc82c7a26742efe981c5..9d96037cd4d164a80de2964a2aaf3d70c42a50d7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -31,10 +31,6 @@
      (1 = ok, 0 = not seeded).  Also an error is recorded on the thread's
      error queue. New function RAND_pseudo_bytes() generates output that is
      guaranteed to be unique but not unpredictable.
-     (TO DO: always check the result of RAND_bytes when it is used in the
-     library, or use RAND_pseudo_bytes instead, because leaving the
-     error in the error queue but reporting success in a function that
-     uses RAND_bytes could confuse things considerably.)
      [Ulf Möller]
 
   *) Do more iterations of Rabin-Miller probable prime test (specifically,

diff --git a/apps/enc.c b/apps/enc.c
index e584241bf1d2cf6c2caa61a41338bfeed3ff5f2e..ca30276d29d05a168ca5d7789b8cff0026505451 100644 (file)
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -448,7 +448,11 @@ bad:
                                                                "invalid hex salt value\n");
                                                        goto end;
                                                }
-                                       } else RAND_bytes(salt, PKCS5_SALT_LEN);
+                                       } else if (RAND_bytes(salt, PKCS5_SALT_LEN) <= 0) {
+                                               BIO_printf(bio_err,
+                                                       "prng not seeded\n");
+                                               goto end;
+                                       }
                                        /* If -P option then don't bother writing */
                                        if((printkey != 2)
                                           && (BIO_write(wbio,magic,

diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c
index adb92e5fd057cb0e74968dd743f1b18a5918e716..8cda4f609a5762717b625834834e2dcf74716845 100644 (file)
--- a/crypto/asn1/p5_pbe.c
+++ b/crypto/asn1/p5_pbe.c
@@ -129,7 +129,8 @@ X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
        }
        pbe->salt->length = saltlen;
        if (salt) memcpy (pbe->salt->data, salt, saltlen);
-       else RAND_bytes (pbe->salt->data, saltlen);
+       else if (RAND_bytes (pbe->salt->data, saltlen) <= 0)
+               return NULL;
 
        if (!(astype = ASN1_TYPE_new())) {
                ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);

diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index 502a8c399d190570e68edafb8a77407c28f89d3a..44d5b5bc6eca621481ee97c02b7951ee35f143ed 100644 (file)
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -194,7 +194,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
        if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;
 
        /* Create random IV */
-       RAND_bytes(iv, EVP_CIPHER_iv_length(cipher));
+       RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher));
 
        /* Dummy cipherinit to just setup the IV */
        EVP_CipherInit(&ctx, cipher, NULL, iv, 0);
@@ -212,7 +212,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
        if (!(osalt->data = Malloc (saltlen))) goto merr;
        osalt->length = saltlen;
        if (salt) memcpy (osalt->data, salt, saltlen);
-       else RAND_bytes (osalt->data, saltlen);
+       else if (RAND_bytes (osalt->data, saltlen) <= 0) goto merr;
 
        if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
        if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr;

diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c
index cbec2bae29a8887c751e3de2217bc9654dc8eab7..a525e79d4fb28f68b82b62a094176da52c048cfd 100644 (file)
--- a/crypto/bio/bf_nbio.c
+++ b/crypto/bio/bf_nbio.c
@@ -137,7 +137,7 @@ static int nbiof_read(BIO *b, char *out, int outl)
 
        BIO_clear_retry_flags(b);
 #if 0
-       RAND_bytes(&n,1);
+       RAND_pseudo_bytes(&n,1);
        num=(n&0x07);
 
        if (outl > num) outl=num;
@@ -178,7 +178,7 @@ static int nbiof_write(BIO *b, char *in, int inl)
                }
        else
                {
-               RAND_bytes(&n,1);
+               RAND_pseudo_bytes(&n,1);
                num=(n&7);
                }
 

diff --git a/crypto/des/des.c b/crypto/des/des.c
index 5cd337301a399c81e0793180119437fff885fce5..aabd01cc8a6aa8e79ffff50ede81ae5770776819 100644 (file)
--- a/crypto/des/des.c
+++ b/crypto/des/des.c
@@ -484,7 +484,7 @@ void doencryption(void)
                        if (feof(DES_IN))
                                {
                                for (i=7-rem; i>0; i--)
-                                       RAND_bytes(buf + l++, 1);
+                                       RAND_pseudo_bytes(buf + l++, 1);
                                buf[l++]=rem;
                                ex=1;
                                len+=rem;

diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c
index 8ded146f8b432d1ad33cd051e6d68364ec7cc5ea..892f15e2d709706a08fe4492af868986e9f532ac 100644 (file)
--- a/crypto/des/enc_writ.c
+++ b/crypto/des/enc_writ.c
@@ -130,7 +130,7 @@ int des_enc_write(int fd, const void *_buf, int len,
                {
                cp=shortbuf;
                memcpy(shortbuf,buf,len);
-               RAND_bytes(shortbuf+len, 8-len);
+               RAND_pseudo_bytes(shortbuf+len, 8-len);
                rnum=8;
                }
        else

diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index b5e5ec06e5e49750cc233b5b5580826a32af195d..57435a9be2c397776506e4ada1f35eaf6ec94455 100644 (file)
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -121,7 +121,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
                        if (callback != NULL) callback(0,m++,cb_arg);
 
                        if (!seed_len)
-                               RAND_bytes(seed,SHA_DIGEST_LENGTH);
+                               RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH);
                        else
                                seed_len=0;
 

diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c
index 101275d6487085c8e48f902ea604b3a8189b74de..a54384a71c8bf1e370b0adce1d0664a2a4198514 100644 (file)
--- a/crypto/evp/bio_ok.c
+++ b/crypto/evp/bio_ok.c
@@ -451,7 +451,7 @@ static void sig_out(BIO* b)
        if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return;
 
        EVP_DigestInit(md, md->digest);
-       RAND_bytes(&(md->md.base[0]), md->digest->md_size);
+       RAND_pseudo_bytes(&(md->md.base[0]), md->digest->md_size);
        memcpy(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]), md->digest->md_size);
        longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
        ctx->buf_len+= md->digest->md_size;

diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c
index e372f138c70d508f0cb18bb68e0ebd5a95dce38c..d449e892bf7f7899f91e9621c06c674af86d1744 100644 (file)
--- a/crypto/evp/p_seal.c
+++ b/crypto/evp/p_seal.c
@@ -73,9 +73,10 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
        int i;
        
        if (npubk <= 0) return(0);
-       if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0) return(0);
+       if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0)
+               return(0);
        if (type->iv_len > 0)
-               RAND_bytes(iv,type->iv_len);
+               RAND_pseudo_bytes(iv,type->iv_len);
 
        EVP_CIPHER_CTX_init(ctx);
        EVP_EncryptInit(ctx,type,key,iv);

diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 449a1fe9849c9aaa2381f1880de784ad938b9c61..49aeb62bde52b17f805b24c29edadcd0726443e9 100644 (file)
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -379,7 +379,8 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
                        kstr=(unsigned char *)buf;
                        }
                RAND_add(data,i,0);/* put in the RSA key. */
-               RAND_bytes(iv,8);       /* Generate a salt */
+               if (RAND_bytes(iv,8) <= 0)      /* Generate a salt */
+                       goto err;
                /* The 'iv' is used as the iv and as a salt.  It is
                 * NOT taken from the BytesToKey function */
                EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);

diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index 3cb782fa6092c05a90766a969c48da69a358bae8..f1094b3840edcbc90dbac6daf615bfd950416f68 100644 (file)
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -156,7 +156,10 @@ int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
                PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
                return 0;
        }
-       if (!salt) RAND_bytes (p12->mac->salt->data, saltlen);
+       if (!salt) {
+               if (RAND_bytes (p12->mac->salt->data, saltlen) <= 0)
+                       return 0;
+       }
        else memcpy (p12->mac->salt->data, salt, saltlen);
        p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
        if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {

diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 78355c9387fed46b575418a2943f4cfbef679a4d..1403ff591d359970ac9385328a67d89762195c53 100644 (file)
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -164,7 +164,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                if (RAND_bytes(key,keylen) <= 0)
                        goto err;
                xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
-               if (ivlen > 0) RAND_bytes(iv,ivlen);
+               if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen);
                EVP_CipherInit(ctx, evp_cipher, key, iv, 1);
 
                if (ivlen > 0) {

diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c
index 97c3ece53565bf353ae8407e8fc54e858799bb6e..f95ecb0e00b4cb59c16d2e5277187a4721ba2d93 100644 (file)
--- a/crypto/rand/randfile.c
+++ b/crypto/rand/randfile.c
@@ -118,7 +118,7 @@ err:
 int RAND_write_file(const char *file)
        {
        unsigned char buf[BUFSIZE];
-       int i,ret=0;
+       int i,ret=0,err=0;
        FILE *out = NULL;
        int n;
 
@@ -156,7 +156,8 @@ int RAND_write_file(const char *file)
                {
                i=(n > BUFSIZE)?BUFSIZE:n;
                n-=BUFSIZE;
-               RAND_bytes(buf,i);
+               if (RAND_bytes(buf,i) <= 0)
+                       err=1;
                i=fwrite(buf,1,i,out);
                if (i <= 0)
                        {
@@ -169,7 +170,7 @@ int RAND_write_file(const char *file)
        fclose(out);
        memset(buf,0,BUFSIZE);
 err:
-       return(ret);
+       return(err ? -1 : ret);
        }
 
 char *RAND_file_name(char *buf, int size)

diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 067216b1a229cdc6b1527f91d136510da6e357cc..aaedf6a9bbcb4f42a7822be91123c530dab79679 100644 (file)
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -224,7 +224,7 @@ static int ssl23_client_hello(SSL *s)
 #endif
 
                p=s->s3->client_random;
-               RAND_bytes(p,SSL3_RANDOM_SIZE);
+               RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE);
 
                /* Do the message type and length last */
                d= &(buf[2]);
@@ -285,7 +285,7 @@ static int ssl23_client_hello(SSL *s)
                        i=ch_len;
                s2n(i,d);
                memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
-               RAND_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+               RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
                memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
                p+=i;
 

diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
index f05b76a66af85c0297485eea7e1f9e545570538c..f813c504fed215947174a0094781f8747fdc6e77 100644 (file)
--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -515,7 +515,7 @@ static int client_hello(SSL *s)
                s->s2->challenge_length=SSL2_CHALLENGE_LENGTH;
                s2n(SSL2_CHALLENGE_LENGTH,p);           /* challenge length */
                /*challenge id data*/
-               RAND_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH);
+               RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH);
                memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH);
                d+=SSL2_CHALLENGE_LENGTH;
 
@@ -557,12 +557,19 @@ static int client_master_key(SSL *s)
                /* make key_arg data */
                i=EVP_CIPHER_iv_length(c);
                sess->key_arg_length=i;
-               if (i > 0) RAND_bytes(sess->key_arg,i);
+               if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
 
                /* make a master key */
                i=EVP_CIPHER_key_length(c);
                sess->master_key_length=i;
-               if (i > 0) RAND_bytes(sess->master_key,i);
+               if (i > 0)
+                       {
+                       if (RAND_bytes(sess->master_key,i) <= 0)
+                               {
+                               ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+                               goto err;
+                               }
+                       }
 
                if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
                        enc=8;

diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index 811daa2e2cb8bc342ffd9bd135d22c655ffc39b1..af300bab8d2825f451cae52b8c8d4d2c5c5b1002 100644 (file)
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -415,7 +415,7 @@ static int get_client_master_key(SSL *s)
                        i=ek;
                else
                        i=EVP_CIPHER_key_length(c);
-               RAND_bytes(p,i);
+               RAND_pseudo_bytes(p,i);
                }
 #else
        if (i < 0)
@@ -680,7 +680,7 @@ static int server_hello(SSL *s)
                /* make and send conn_id */
                s2n(SSL2_CONNECTION_ID_LENGTH,p);       /* add conn_id length */
                s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
-               RAND_bytes(s->s2->conn_id,(int)s->s2->conn_id_length);
+               RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length);
                memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
                d+=SSL2_CONNECTION_ID_LENGTH;
 
@@ -798,7 +798,7 @@ static int request_certificate(SSL *s)
                p=(unsigned char *)s->init_buf->data;
                *(p++)=SSL2_MT_REQUEST_CERTIFICATE;
                *(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
-               RAND_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+               RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
                memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
 
                s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 9d85ba4fd9cd0a7a0f61b8f73f4667af840e90c7..cec0e3b35ae5e7b27649e444e9924aef3e077119 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -466,7 +466,7 @@ static int ssl3_client_hello(SSL *s)
                p=s->s3->client_random;
                Time=time(NULL);                        /* Time */
                l2n(Time,p);
-               RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+               RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
 
                /* Do the message type and length last */
                d=p= &(buf[4]);
@@ -1341,7 +1341,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                
                        tmp_buf[0]=s->client_version>>8;
                        tmp_buf[1]=s->client_version&0xff;
-                       RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+                       if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
+                                       goto err;
 
                        s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
 

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index c6cc4f73a9b65228bcb032c5b85955b73a6fa719..fd20f8004aff6a0df0dc14b211fbcf80e67ccd2e 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -816,7 +816,7 @@ static int ssl3_send_server_hello(SSL *s)
                p=s->s3->server_random;
                Time=time(NULL);                        /* Time */
                l2n(Time,p);
-               RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+               RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
                /* Do the message type and length last */
                d=p= &(buf[4]);
 
@@ -1292,7 +1292,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                                {
                                p[0]=(s->version>>8);
                                p[1]=(s->version & 0xff);
-                               RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+                               RAND_pseudo_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
                                i=SSL_MAX_MASTER_KEY_LENGTH;
                                }
                        /* else, an SSLeay bug, ssl only server, tls client */

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index d6755801cc6540443fecd25eac4c0bd8f20bb2bd..0573f2c836e05b4a9eaa854341a67bbca83fb536 100644 (file)
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -184,7 +184,7 @@ int ssl_get_new_session(SSL *s, int session)
                        {
                        SSL_SESSION *r;
 
-                       RAND_bytes(ss->session_id,ss->session_id_length);
+                       RAND_pseudo_bytes(ss->session_id,ss->session_id_length);
                        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
                        r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,
                                (char *)ss);