Consistently use RAND_bytes and check for failure.

RAND_pseudo_bytes just calls RAND_bytes now and only returns 0 or 1. Switch all
callers within the library to call RAND_bytes directly and use the simpler failure check.
This fixes a few error checks that no longer work (< 0) and some missing ones.

Change-Id: Id51c79deec80075949f73fa1fbd7b76aac5570c6
Reviewed-on: https://boringssl-review.googlesource.com/2621
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/bn/random.c b/crypto/bn/random.c
index 924aad7..85fd447 100644
--- a/crypto/bn/random.c
+++ b/crypto/bn/random.c
@@ -136,9 +136,10 @@
     goto err;
   }
 
-  /* make a random number and set the top and bottom bits */
-  if (RAND_pseudo_bytes(buf, bytes) <= 0)
+  /* Make a random number and set the top and bottom bits. */
+  if (!RAND_bytes(buf, bytes)) {
     goto err;
+  }
 
   if (top != -1) {
     if (top) {
@@ -286,7 +287,7 @@
 
   for (attempt = 0;; attempt++) {
     for (done = 0; done < num_k_bytes;) {
-      if (RAND_pseudo_bytes(random_bytes, sizeof(random_bytes)) != 1) {
+      if (!RAND_bytes(random_bytes, sizeof(random_bytes))) {
         goto err;
       }
       SHA512_Init(&sha);
diff --git a/crypto/cipher/e_aes.c b/crypto/cipher/e_aes.c
index 64a0ee8..e4d3b8a 100644
--- a/crypto/cipher/e_aes.c
+++ b/crypto/cipher/e_aes.c
@@ -448,8 +448,7 @@
       if (arg) {
         memcpy(gctx->iv, ptr, arg);
       }
-      if (c->encrypt &&
-          RAND_pseudo_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0) {
+      if (c->encrypt && !RAND_bytes(gctx->iv + arg, gctx->ivlen - arg)) {
         return 0;
       }
       gctx->iv_gen = 1;
diff --git a/crypto/dsa/dsa_impl.c b/crypto/dsa/dsa_impl.c
index 27232bb..d7463d5 100644
--- a/crypto/dsa/dsa_impl.c
+++ b/crypto/dsa/dsa_impl.c
@@ -530,7 +530,9 @@
         goto err;
 
       if (!seed_len) {
-        RAND_pseudo_bytes(seed, qsize);
+        if (!RAND_bytes(seed, qsize)) {
+          goto err;
+        }
         seed_is_random = 1;
       } else {
         seed_is_random = 0;
diff --git a/crypto/ecdsa/ecdsa_test.c b/crypto/ecdsa/ecdsa_test.c
index 127d76f..d48f9c3 100644
--- a/crypto/ecdsa/ecdsa_test.c
+++ b/crypto/ecdsa/ecdsa_test.c
@@ -77,7 +77,7 @@
   int nid, ret = 0;
 
   /* fill digest values with some random data */
-  if (!RAND_pseudo_bytes(digest, 20) || !RAND_pseudo_bytes(wrong_digest, 20)) {
+  if (!RAND_bytes(digest, 20) || !RAND_bytes(wrong_digest, 20)) {
     BIO_printf(out, "ERROR: unable to get random data\n");
     goto builtin_err;
   }
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index e16256e..0876008 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -340,7 +340,7 @@
 			kstr=(unsigned char *)buf;
 			}
 		assert(iv_len <= (int)sizeof(iv));
-		if (RAND_pseudo_bytes(iv,iv_len) < 0) /* Generate a salt */
+		if (!RAND_bytes(iv, iv_len)) /* Generate a salt */
 			goto err;
 		/* The 'iv' is used as the iv and as a salt.  It is
 		 * NOT taken from the BytesToKey function */
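Review bot: The new `RAND_bytes(iv, iv_len)` write on the `+` line is bounded only by the `assert(iv_len <= (int)sizeof(iv))` two lines above, and asserts are compiled out under NDEBUG, so release builds carry no bounds check at all on this write. If iv_len is taken from EVP_CIPHER_iv_length it presumably cannot exceed the buffer, but a runtime guard costs nothing here and keeps the salt generation safe if a caller ever passes an unexpected cipher: `if (iv_len < 0 || (size_t)iv_len > sizeof(iv)) goto err;` placed before the RAND_bytes call (keep or drop the assert as the file prefers). The enclosing function starts and ends outside this hunk.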
diff --git a/crypto/pkcs8/p5_pbe.c b/crypto/pkcs8/p5_pbe.c
index 9cdff4c..7b18b6f 100644
--- a/crypto/pkcs8/p5_pbe.c
+++ b/crypto/pkcs8/p5_pbe.c
@@ -104,7 +104,7 @@
 	sstr = ASN1_STRING_data(pbe->salt);
 	if (salt)
 		memcpy(sstr, salt, saltlen);
-	else if (RAND_pseudo_bytes(sstr, saltlen) < 0)
+	else if (!RAND_bytes(sstr, saltlen))
 		goto err;
 
 	if(!ASN1_item_pack(pbe, ASN1_ITEM_rptr(PBEPARAM), &pbe_str))
diff --git a/crypto/pkcs8/p5_pbev2.c b/crypto/pkcs8/p5_pbev2.c
index 85170a4..1af2af2 100644
--- a/crypto/pkcs8/p5_pbev2.c
+++ b/crypto/pkcs8/p5_pbev2.c
@@ -141,7 +141,7 @@
 		{
 		if (aiv)
 			memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher));
-		else if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
+		else if (!RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)))
   			goto err;
 		}
 
@@ -243,7 +243,7 @@
 
 	if (salt)
 		memcpy (osalt->data, salt, saltlen);
-	else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0)
+	else if (!RAND_bytes(osalt->data, saltlen))
 		goto merr;
 
 	if(iter <= 0)
diff --git a/crypto/rsa/padding.c b/crypto/rsa/padding.c
index 4d29b07..70dafb2 100644
--- a/crypto/rsa/padding.c
+++ b/crypto/rsa/padding.c
@@ -181,13 +181,13 @@
   /* pad out with non-zero random data */
   j = tlen - 3 - flen;
 
-  if (RAND_pseudo_bytes(p, j) <= 0) {
+  if (!RAND_bytes(p, j)) {
     return 0;
   }
 
   for (i = 0; i < j; i++) {
     while (*p == 0) {
-      if (RAND_pseudo_bytes(p, 1) <= 0) {
+      if (!RAND_bytes(p, 1)) {
         return 0;
       }
     }
@@ -411,7 +411,7 @@
   memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1);
   db[emlen - flen - mdlen - 1] = 0x01;
   memcpy(db + emlen - flen - mdlen, from, flen);
-  if (RAND_pseudo_bytes(seed, mdlen) <= 0) {
+  if (!RAND_bytes(seed, mdlen)) {
     return 0;
   }
 
@@ -718,7 +718,7 @@
                         ERR_R_MALLOC_FAILURE);
       goto err;
     }
-    if (RAND_pseudo_bytes(salt, sLen) <= 0) {
+    if (!RAND_bytes(salt, sLen)) {
       goto err;
     }
   }
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index c200084..c2f2291 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1826,8 +1826,8 @@
 				
 			pms[0]=s->client_version>>8;
 			pms[1]=s->client_version&0xff;
-			if (RAND_bytes(&pms[2],SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
-					goto err;
+			if (!RAND_bytes(&pms[2], SSL_MAX_MASTER_KEY_LENGTH - 2))
+				goto err;
 
 			s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
 
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index e980cdc..d675fe6 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -797,13 +797,7 @@
 
 	wr->input=p;
 	wr->data=p;
-
-	if (eivlen)
-		{
-	/*	if (RAND_pseudo_bytes(p, eivlen) <= 0)
-			goto err; */
-		wr->length += eivlen;
-		}
+	wr->length += eivlen;
 
 	if (s->enc_method->enc(s, 1) < 1)
 		goto err;
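Review bot: After this hunk the explicit-IV bytes covered by `wr->length += eivlen` are left uninitialized in the record buffer with no indication of who fills them, which reads as a bug now that the commented-out RAND_pseudo_bytes call is gone. The t1_enc.c hunk in this same commit appears to be where they are populated (`RAND_bytes(rec->input, ivlen)` inside the enc method), so a one-line comment would save the next reader the search: `/* The explicit IV is generated by s->enc_method->enc below, not here. */`. The enclosing function starts and ends outside this hunk.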
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index c45cf71..170777b 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2057,8 +2057,8 @@
 		 * the TLS RFC and generates a random premaster secret for the
 		 * case that the decrypt fails. See
 		 * https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */
-		if (RAND_pseudo_bytes(rand_premaster_secret,
-				      sizeof(rand_premaster_secret)) <= 0)
+		if (!RAND_bytes(rand_premaster_secret,
+				sizeof(rand_premaster_secret)))
 			goto err;
 
 		/* Allocate a buffer large enough for an RSA decryption. */
@@ -2737,9 +2737,9 @@
 			}
 		else
 			{
-			RAND_pseudo_bytes(iv, 16);
-			if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, iv) ||
-			    !HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, tlsext_tick_md(), NULL))
+			if (!RAND_bytes(iv, 16) ||
+				!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, iv) ||
+				!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, tlsext_tick_md(), NULL))
 				{
 				OPENSSL_free(session);
 				EVP_CIPHER_CTX_cleanup(&ctx);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 47c91fc..877b874 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1922,9 +1922,9 @@
 	ret->tlsext_servername_callback = 0;
 	ret->tlsext_servername_arg = NULL;
 	/* Setup RFC4507 ticket keys */
-	if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
-		|| (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
-		|| (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
+	if (!RAND_bytes(ret->tlsext_tick_key_name, 16) ||
+		!RAND_bytes(ret->tlsext_tick_hmac_key, 16) ||
+		!RAND_bytes(ret->tlsext_tick_aes_key, 16))
 		ret->options |= SSL_OP_NO_TICKET;
 
 	ret->tlsext_status_cb = 0;
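Review bot: The failure branch on the new condition still silently downgrades to `SSL_OP_NO_TICKET` instead of treating the RAND_bytes failure as an error, which is inconsistent with every other site in this commit (they `goto err` or return 0) and masks a broken CSPRNG behind a feature toggle. If the intent is that SSL_CTX_new should not fail for this, a comment stating so would stop it from being "fixed" later: `/* Intentional: a RAND failure disables tickets rather than failing SSL_CTX_new. */`; otherwise the branch should fail the constructor (e.g. `goto err;` if this function has such a label — its start and end are outside the hunk). Note also that on failure the three key buffers may be left partially filled, so nothing should later read them while the option is set.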
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index fd340d9..cbfdb9a 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -237,8 +237,10 @@
 {
 	unsigned int retry = 0;
 	do
-		if (RAND_pseudo_bytes(id, *id_len) <= 0)
+		{
+		if (!RAND_bytes(id, *id_len))
 			return 0;
+		}
 	while(SSL_has_matching_session_id(ssl, id, *id_len) &&
 		(++retry < MAX_SESS_ID_ATTEMPTS));
 	if(retry < MAX_SESS_ID_ATTEMPTS)
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index f5a4b9f..28405b7 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -895,7 +895,7 @@
 					fprintf(stderr,
 						"%s:%d: rec->data != rec->input\n",
 						__FILE__, __LINE__);
-				else if (RAND_bytes(rec->input, ivlen) <= 0)
+				else if (!RAND_bytes(rec->input, ivlen))
 					return -1;
 				}
 			}