Deprecate RAND_pseudo_bytes

The justification for RAND_pseudo_bytes is somewhat dubious, and the reality is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in the default implementation both end up calling ssleay_rand_bytes. Both may return -1 in an error condition. If there is insufficient entropy then both will return 0, but RAND_bytes will additionally add an error to the error queue. They both return 1 on success. Therefore the fundamental difference between the two is that one will add an error to the error queue with insufficient entory whilst the other will not. Frequently there are constructions of this form: if(RAND_pseudo_bytes(...) <= 1) goto err; In the above form insufficient entropy is treated as an error anyway, so RAND_bytes is probably the better form to use. This form is also seen: if(!RAND_pseudo_bytes(...)) goto err; This is technically not correct at all since a -1 return value is incorrectly handled - but this form will also treat insufficient entropy as an error. Within libssl it is required that you have correctly seeded your entropy pool and so there seems little benefit in using RAND_pseudo_bytes. Similarly in libcrypto many operations also require a correctly seeded entropy pool and so in most interesting cases you would be better off using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes being incorrectly used in scenarios where security can be compromised by insufficient entropy. If you are not using the default implementation, then most engines use the same function to implement RAND_bytes and RAND_pseudo_bytes in any case. Given its misuse, limited benefit, and potential to compromise security, RAND_pseudo_bytes has been deprecated. Reviewed-by: N Richard Levitte <levitte@openssl.org>

Deprecate RAND_pseudo_bytes
The justification for RAND_pseudo_bytes is somewhat dubious, and the reality is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in the default implementation both end up calling ssleay_rand_bytes. Both may return -1 in an error condition. If there is insufficient entropy then both will return 0, but RAND_bytes will additionally add an error to the error queue. They both return 1 on success. Therefore the fundamental difference between the two is that one will add an error to the error queue with insufficient entory whilst the other will not. Frequently there are constructions of this form: if(RAND_pseudo_bytes(...) <= 1) goto err; In the above form insufficient entropy is treated as an error anyway, so RAND_bytes is probably the better form to use. This form is also seen: if(!RAND_pseudo_bytes(...)) goto err; This is technically not correct at all since a -1 return value is incorrectly handled - but this form will also treat insufficient entropy as an error. Within libssl it is required that you have correctly seeded your entropy pool and so there seems little benefit in using RAND_pseudo_bytes. Similarly in libcrypto many operations also require a correctly seeded entropy pool and so in most interesting cases you would be better off using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes being incorrectly used in scenarios where security can be compromised by insufficient entropy. If you are not using the default implementation, then most engines use the same function to implement RAND_bytes and RAND_pseudo_bytes in any case. Given its misuse, limited benefit, and potential to compromise security, RAND_pseudo_bytes has been deprecated. Reviewed-by: N Richard Levitte <levitte@openssl.org>
302d38e3 · Matt Caswell · 266483d2 · 302d38e3 · 302d38e3 · 302d38e3
5 changed file
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,8 @@

 Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]

+  *) RAND_pseudo_bytes has been deprecated. Users should use RAND bytes instead.
+
  *) Added support for TLS extended master secret from
     draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
     initial patch which was a great help during development.

--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -173,7 +173,9 @@ static int ssleay_rand_seed(const void *buf, int num);
 static int ssleay_rand_add(const void *buf, int num, double add_entropy);
 static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo);
 static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num);
+#ifndef OPENSSL_NO_DEPRECATED
 static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
+#endif
 static int ssleay_rand_status(void);

 static RAND_METHOD rand_ssleay_meth = {
@@ -181,7 +183,11 @@ static RAND_METHOD rand_ssleay_meth = {
    ssleay_rand_nopseudo_bytes,
    ssleay_rand_cleanup,
    ssleay_rand_add,
+#ifndef OPENSSL_NO_DEPRECATED
    ssleay_rand_pseudo_bytes,
+#else
+    NULL,
+#endif
    ssleay_rand_status
 };

@@ -601,6 +607,7 @@ static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num)
    return ssleay_rand_bytes(buf, num, 0);
 }

+#ifndef OPENSSL_NO_DEPRECATED
 /*
 * pseudo-random bytes that are guaranteed to be unique but not unpredictable
 */
@@ -608,6 +615,7 @@ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num)
 {
    return ssleay_rand_bytes(buf, num, 1);
 }
+#endif

 static int ssleay_rand_status(void)
 {

--- a/crypto/rand/rand.h
+++ b/crypto/rand/rand.h
@@ -95,7 +95,9 @@ int RAND_set_rand_engine(ENGINE *engine);
 RAND_METHOD *RAND_SSLeay(void);
 void RAND_cleanup(void);
 int RAND_bytes(unsigned char *buf, int num);
-int RAND_pseudo_bytes(unsigned char *buf, int num);
+#ifdef OPENSSL_USE_DEPRECATED
+DECLARE_DEPRECATED(int RAND_pseudo_bytes(unsigned char *buf, int num));
+#endif
 void RAND_seed(const void *buf, int num);
 void RAND_add(const void *buf, int num, double entropy);
 int RAND_load_file(const char *file, long max_bytes);

--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -159,6 +159,7 @@ int RAND_bytes(unsigned char *buf, int num)
    return (-1);
 }

+#ifndef OPENSSL_NO_DEPRECATED
 int RAND_pseudo_bytes(unsigned char *buf, int num)
 {
    const RAND_METHOD *meth = RAND_get_rand_method();
@@ -166,6 +167,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num)
        return meth->pseudorand(buf, num);
    return (-1);
 }
+#endif

 int RAND_status(void)
 {

--- a/doc/crypto/RAND_bytes.pod
+++ b/doc/crypto/RAND_bytes.pod
@@ -10,6 +10,8 @@ RAND_bytes, RAND_pseudo_bytes - generate random data

 int RAND_bytes(unsigned char *buf, int num);

+Deprecated:
+
 int RAND_pseudo_bytes(unsigned char *buf, int num);

 =head1 DESCRIPTION
@@ -18,6 +20,7 @@ RAND_bytes() puts B<num> cryptographically strong pseudo-random bytes
 into B<buf>. An error occurs if the PRNG has not been seeded with
 enough randomness to ensure an unpredictable byte sequence.

+RAND_pseudo_bytes() has been deprecated. Users should use RAND_bytes() instead.
 RAND_pseudo_bytes() puts B<num> pseudo-random bytes into B<buf>.
 Pseudo-random byte sequences generated by RAND_pseudo_bytes() will be
 unique if they are of sufficient length, but are not necessarily