Check RAND_bytes() return value or use RAND_pseudo_bytes().

CHANGES

@@ -31,10 +31,6 @@
      (1 = ok, 0 = not seeded).  Also an error is recorded on the thread's
      error queue. New function RAND_pseudo_bytes() generates output that is
      guaranteed to be unique but not unpredictable.
-     (TO DO: always check the result of RAND_bytes when it is used in the
-     library, or use RAND_pseudo_bytes instead, because leaving the
-     error in the error queue but reporting success in a function that
-     uses RAND_bytes could confuse things considerably.)
      [Ulf Möller]
 
   *) Do more iterations of Rabin-Miller probable prime test (specifically,

apps/enc.c

@@ -448,7 +448,11 @@ bad:
 								"invalid hex salt value\n");
 							goto end;
 						}
-					} else RAND_bytes(salt, PKCS5_SALT_LEN);
+					} else if (RAND_bytes(salt, PKCS5_SALT_LEN) <= 0) {
+						BIO_printf(bio_err,
+							"prng not seeded\n");
+						goto end;
+					}
 					/* If -P option then don't bother writing */
 					if((printkey != 2)
 					   && (BIO_write(wbio,magic,

crypto/asn1/p5_pbe.c

@@ -129,7 +129,8 @@ X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
 	}
 	pbe->salt->length = saltlen;
 	if (salt) memcpy (pbe->salt->data, salt, saltlen);
-	else RAND_bytes (pbe->salt->data, saltlen);
+	else if (RAND_bytes (pbe->salt->data, saltlen) <= 0)
+		return NULL;
 
 	if (!(astype = ASN1_TYPE_new())) {
 		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);

crypto/asn1/p5_pbev2.c

@@ -194,7 +194,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;
 
 	/* Create random IV */
-	RAND_bytes(iv, EVP_CIPHER_iv_length(cipher));
+	RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher));
 
 	/* Dummy cipherinit to just setup the IV */
 	EVP_CipherInit(&ctx, cipher, NULL, iv, 0);
@@ -212,7 +212,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	if (!(osalt->data = Malloc (saltlen))) goto merr;
 	osalt->length = saltlen;
 	if (salt) memcpy (osalt->data, salt, saltlen);
-	else RAND_bytes (osalt->data, saltlen);
+	else if (RAND_bytes (osalt->data, saltlen) <= 0) goto merr;
 
 	if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
 	if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr;

crypto/bio/bf_nbio.c

@@ -137,7 +137,7 @@ static int nbiof_read(BIO *b, char *out, int outl)
 
 	BIO_clear_retry_flags(b);
 #if 0
-	RAND_bytes(&n,1);
+	RAND_pseudo_bytes(&n,1);
 	num=(n&0x07);
 
 	if (outl > num) outl=num;
@@ -178,7 +178,7 @@ static int nbiof_write(BIO *b, char *in, int inl)
 		}
 	else
 		{
-		RAND_bytes(&n,1);
+		RAND_pseudo_bytes(&n,1);
 		num=(n&7);
 		}
 

crypto/des/des.c

@@ -484,7 +484,7 @@ void doencryption(void)
 			if (feof(DES_IN))
 				{
 				for (i=7-rem; i>0; i--)
-					RAND_bytes(buf + l++, 1);
+					RAND_pseudo_bytes(buf + l++, 1);
 				buf[l++]=rem;
 				ex=1;
 				len+=rem;

crypto/des/enc_writ.c

@@ -130,7 +130,7 @@ int des_enc_write(int fd, const void *_buf, int len,
 		{
 		cp=shortbuf;
 		memcpy(shortbuf,buf,len);
-		RAND_bytes(shortbuf+len, 8-len);
+		RAND_pseudo_bytes(shortbuf+len, 8-len);
 		rnum=8;
 		}
 	else

crypto/dsa/dsa_gen.c

@@ -121,7 +121,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
 			if (callback != NULL) callback(0,m++,cb_arg);
 
 			if (!seed_len)
-				RAND_bytes(seed,SHA_DIGEST_LENGTH);
+				RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH);
 			else
 				seed_len=0;
 

crypto/evp/bio_ok.c

@@ -451,7 +451,7 @@ static void sig_out(BIO* b)
 	if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return;
 
 	EVP_DigestInit(md, md->digest);
-	RAND_bytes(&(md->md.base[0]), md->digest->md_size);
+	RAND_pseudo_bytes(&(md->md.base[0]), md->digest->md_size);
 	memcpy(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]), md->digest->md_size);
 	longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
 	ctx->buf_len+= md->digest->md_size;

crypto/evp/p_seal.c

@@ -73,9 +73,10 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
 	int i;
 	
 	if (npubk <= 0) return(0);
-	if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0) return(0);
+	if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0)
+		return(0);
 	if (type->iv_len > 0)
-		RAND_bytes(iv,type->iv_len);
+		RAND_pseudo_bytes(iv,type->iv_len);
 
 	EVP_CIPHER_CTX_init(ctx);
 	EVP_EncryptInit(ctx,type,key,iv);

crypto/pem/pem_lib.c

@@ -379,7 +379,8 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
 			kstr=(unsigned char *)buf;
 			}
 		RAND_add(data,i,0);/* put in the RSA key. */
-		RAND_bytes(iv,8);	/* Generate a salt */
+		if (RAND_bytes(iv,8) <= 0)	/* Generate a salt */
+			goto err;
 		/* The 'iv' is used as the iv and as a salt.  It is
 		 * NOT taken from the BytesToKey function */
 		EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);

crypto/pkcs12/p12_mutl.c

@@ -156,7 +156,10 @@ int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
 		PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
-	if (!salt) RAND_bytes (p12->mac->salt->data, saltlen);
+	if (!salt) {
+		if (RAND_bytes (p12->mac->salt->data, saltlen) <= 0)
+			return 0;
+	}
 	else memcpy (p12->mac->salt->data, salt, saltlen);
 	p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
 	if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {

crypto/pkcs7/pk7_doit.c

@@ -164,7 +164,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 		if (RAND_bytes(key,keylen) <= 0)
 			goto err;
 		xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
-		if (ivlen > 0) RAND_bytes(iv,ivlen);
+		if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen);
 		EVP_CipherInit(ctx, evp_cipher, key, iv, 1);
 
 		if (ivlen > 0) {

crypto/rand/randfile.c

@@ -118,7 +118,7 @@ err:
 int RAND_write_file(const char *file)
 	{
 	unsigned char buf[BUFSIZE];
-	int i,ret=0;
+	int i,ret=0,err=0;
 	FILE *out = NULL;
 	int n;
 
@@ -156,7 +156,8 @@ int RAND_write_file(const char *file)
 		{
 		i=(n > BUFSIZE)?BUFSIZE:n;
 		n-=BUFSIZE;
-		RAND_bytes(buf,i);
+		if (RAND_bytes(buf,i) <= 0)
+			err=1;
 		i=fwrite(buf,1,i,out);
 		if (i <= 0)
 			{
@@ -169,7 +170,7 @@ int RAND_write_file(const char *file)
 	fclose(out);
 	memset(buf,0,BUFSIZE);
 err:
-	return(ret);
+	return(err ? -1 : ret);
 	}
 
 char *RAND_file_name(char *buf, int size)

ssl/s23_clnt.c

@@ -224,7 +224,7 @@ static int ssl23_client_hello(SSL *s)
 #endif
 
 		p=s->s3->client_random;
-		RAND_bytes(p,SSL3_RANDOM_SIZE);
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE);
 
 		/* Do the message type and length last */
 		d= &(buf[2]);
@@ -285,7 +285,7 @@ static int ssl23_client_hello(SSL *s)
 			i=ch_len;
 		s2n(i,d);
 		memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
-		RAND_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+		RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
 		memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
 		p+=i;
 

ssl/s2_clnt.c

@@ -515,7 +515,7 @@ static int client_hello(SSL *s)
 		s->s2->challenge_length=SSL2_CHALLENGE_LENGTH;
 		s2n(SSL2_CHALLENGE_LENGTH,p);		/* challenge length */
 		/*challenge id data*/
-		RAND_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH);
+		RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH);
 		memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH);
 		d+=SSL2_CHALLENGE_LENGTH;
 
@@ -557,12 +557,19 @@ static int client_master_key(SSL *s)
 		/* make key_arg data */
 		i=EVP_CIPHER_iv_length(c);
 		sess->key_arg_length=i;
-		if (i > 0) RAND_bytes(sess->key_arg,i);
+		if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
 
 		/* make a master key */
 		i=EVP_CIPHER_key_length(c);
 		sess->master_key_length=i;
-		if (i > 0) RAND_bytes(sess->master_key,i);
+		if (i > 0)
+			{
+			if (RAND_bytes(sess->master_key,i) <= 0)
+				{
+				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+				goto err;
+				}
+			}
 
 		if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
 			enc=8;

ssl/s2_srvr.c

@@ -415,7 +415,7 @@ static int get_client_master_key(SSL *s)
 			i=ek;
 		else
 			i=EVP_CIPHER_key_length(c);
-		RAND_bytes(p,i);
+		RAND_pseudo_bytes(p,i);
 		}
 #else
 	if (i < 0)
@@ -680,7 +680,7 @@ static int server_hello(SSL *s)
 		/* make and send conn_id */
 		s2n(SSL2_CONNECTION_ID_LENGTH,p);	/* add conn_id length */
 		s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
-		RAND_bytes(s->s2->conn_id,(int)s->s2->conn_id_length);
+		RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length);
 		memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
 		d+=SSL2_CONNECTION_ID_LENGTH;
 
@@ -798,7 +798,7 @@ static int request_certificate(SSL *s)
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_REQUEST_CERTIFICATE;
 		*(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
-		RAND_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+		RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
 		memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
 
 		s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;

ssl/s3_clnt.c

@@ -466,7 +466,7 @@ static int ssl3_client_hello(SSL *s)
 		p=s->s3->client_random;
 		Time=time(NULL);			/* Time */
 		l2n(Time,p);
-		RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
 
 		/* Do the message type and length last */
 		d=p= &(buf[4]);
@@ -1341,7 +1341,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
 				
 			tmp_buf[0]=s->client_version>>8;
 			tmp_buf[1]=s->client_version&0xff;
-			RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+			if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
+					goto err;
 
 			s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
 

ssl/s3_srvr.c

@@ -816,7 +816,7 @@ static int ssl3_send_server_hello(SSL *s)
 		p=s->s3->server_random;
 		Time=time(NULL);			/* Time */
 		l2n(Time,p);
-		RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
 		/* Do the message type and length last */
 		d=p= &(buf[4]);
 
@@ -1292,7 +1292,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 				{
 				p[0]=(s->version>>8);
 				p[1]=(s->version & 0xff);
-				RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+				RAND_pseudo_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
 				i=SSL_MAX_MASTER_KEY_LENGTH;
 				}
 			/* else, an SSLeay bug, ssl only server, tls client */

ssl/ssl_sess.c

@@ -184,7 +184,7 @@ int ssl_get_new_session(SSL *s, int session)
 			{
 			SSL_SESSION *r;
 
-			RAND_bytes(ss->session_id,ss->session_id_length);
+			RAND_pseudo_bytes(ss->session_id,ss->session_id_length);
 			CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
 			r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,
 				(char *)ss);