Use arc4random_buf() instead of RAND(_pseudo)?_bytes().

ok bcook@

8 files changed, 19 insertions, 36 deletions

diff --git a/src/usr.bin/openssl/enc.c b/src/usr.bin/openssl/enc.c
index 1a3b8f21b3..b5aaab9842 100644
--- a/src/usr.bin/openssl/enc.c
+++ b/src/usr.bin/openssl/enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: enc.c,v 1.2 2014/09/01 20:54:37 doug Exp $ */
+/* $OpenBSD: enc.c,v 1.3 2014/10/22 13:54:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -69,7 +69,6 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 int set_hex(char *in, unsigned char *out, int size);
@@ -461,8 +460,9 @@ enc_main(int argc, char **argv)
                                                             "invalid hex salt value\n");
                                                         goto end;
                                                 }
-                                        } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
-                                                goto end;
+                                        } else
+                                                arc4random_buf(salt,
+                                                    sizeof(salt));
                                         /*
                                          * If -P option then don't bother
                                          * writing
diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c
index bcb9b56b74..76e1644f59 100644
--- a/src/usr.bin/openssl/openssl.c
+++ b/src/usr.bin/openssl/openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: openssl.c,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
+/* $OpenBSD: openssl.c,v 1.2 2014/10/22 13:54:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -123,7 +123,6 @@
 #include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 
@@ -233,7 +232,6 @@ openssl_shutdown(void)
 
         CRYPTO_cleanup_all_ex_data();
         ERR_remove_thread_state(NULL);
-        RAND_cleanup();
         ERR_free_strings();
 }
 
diff --git a/src/usr.bin/openssl/passwd.c b/src/usr.bin/openssl/passwd.c
index fd5d062f57..c29cccf6cf 100644
--- a/src/usr.bin/openssl/passwd.c
+++ b/src/usr.bin/openssl/passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: passwd.c,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
+/* $OpenBSD: passwd.c,v 1.2 2014/10/22 13:54:03 jsing Exp $ */
 
 #if defined OPENSSL_NO_MD5
 #define NO_MD5CRYPT_1
@@ -14,7 +14,6 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/rand.h>
 
 #ifndef OPENSSL_NO_DES
 #include <openssl/des.h>
@@ -384,8 +383,7 @@ do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
                                 if (*salt_malloc_p == NULL)
                                         goto err;
                         }
-                        if (RAND_pseudo_bytes((unsigned char *) *salt_p, 2) < 0)
-                                goto err;
+                        arc4random_buf(*salt_p, 2);
                         (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f];  /* 6 bits */
                         (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f];  /* 6 bits */
                         (*salt_p)[2] = 0;
@@ -401,8 +399,7 @@ do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
                                 if (*salt_malloc_p == NULL)
                                         goto err;
                         }
-                        if (RAND_pseudo_bytes((unsigned char *) *salt_p, 8) < 0)
-                                goto err;
+                        arc4random_buf(*salt_p, 8);
 
                         for (i = 0; i < 8; i++)
                                 (*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f];  /* 6 bits */
diff --git a/src/usr.bin/openssl/rand.c b/src/usr.bin/openssl/rand.c
index dcc99e7392..6de2208b42 100644
--- a/src/usr.bin/openssl/rand.c
+++ b/src/usr.bin/openssl/rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rand.c,v 1.4 2014/10/13 02:46:14 bcook Exp $ */
+/* $OpenBSD: rand.c,v 1.5 2014/10/22 13:54:03 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
@@ -61,7 +61,6 @@
 
 #include <openssl/bio.h>
 #include <openssl/err.h>
-#include <openssl/rand.h>
 
 struct {
         int base64;
@@ -171,9 +170,7 @@ rand_main(int argc, char **argv)
                 chunk = num;
                 if (chunk > (int) sizeof(buf))
                         chunk = sizeof(buf);
-                r = RAND_bytes(buf, chunk);
-                if (r <= 0)
-                        goto err;
+                arc4random_buf(buf, chunk);
                 if (rand_config.hex) {
                         for (i = 0; i < chunk; i++)
                                 BIO_printf(out, "%02x", buf[i]);
diff --git a/src/usr.bin/openssl/s_cb.c b/src/usr.bin/openssl/s_cb.c
index 2e00abe7f1..f7d8a323a6 100644
--- a/src/usr.bin/openssl/s_cb.c
+++ b/src/usr.bin/openssl/s_cb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_cb.c,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
+/* $OpenBSD: s_cb.c,v 1.2 2014/10/22 13:54:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -121,7 +121,6 @@
 #include "apps.h"
 
 #include <openssl/err.h>
-#include <openssl/rand.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 
@@ -728,11 +727,7 @@ generate_cookie_callback(SSL * ssl, unsigned char *cookie,
 
         /* Initialize a random secret */
         if (!cookie_initialized) {
-                if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) {
-                        BIO_printf(bio_err,
-                            "error setting random cookie secret\n");
-                        return 0;
-                }
+                arc4random_buf(cookie_secret, COOKIE_SECRET_LENGTH);
                 cookie_initialized = 1;
         }
         /* Read peer information */
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 9ca13dd335..6f87819d1e 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.2 2014/10/13 02:39:09 bcook Exp $ */
+/* $OpenBSD: s_server.c,v 1.3 2014/10/22 13:54:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -166,7 +166,6 @@
 #include <openssl/lhash.h>
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 
@@ -2130,7 +2129,7 @@ generate_session_id(const SSL * ssl, unsigned char *id,
 {
         unsigned int count = 0;
         do {
-                RAND_pseudo_bytes(id, *id_len);
+                arc4random_buf(id, *id_len);
                 /*
                  * Prefix the session_id with the required prefix. NB: If our
                  * prefix is too long, clip it - but there will be worse
diff --git a/src/usr.bin/openssl/speed.c b/src/usr.bin/openssl/speed.c
index 82a0f90f05..ccaef15f68 100644
--- a/src/usr.bin/openssl/speed.c
+++ b/src/usr.bin/openssl/speed.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: speed.c,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
+/* $OpenBSD: speed.c,v 1.2 2014/10/22 13:54:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -98,7 +98,6 @@
 #include <openssl/evp.h>
 #include <openssl/modes.h>
 #include <openssl/objects.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 #ifndef OPENSSL_NO_AES
@@ -1471,7 +1470,7 @@ speed_main(int argc, char **argv)
                         print_result(D_EVP, j, count, d);
                 }
         }
-        RAND_pseudo_bytes(buf, 36);
+        arc4random_buf(buf, 36);
         for (j = 0; j < RSA_NUM; j++) {
                 int ret;
                 if (!rsa_doit[j])
@@ -1543,7 +1542,7 @@ speed_main(int argc, char **argv)
                 }
         }
 
-        RAND_pseudo_bytes(buf, 20);
+        arc4random_buf(buf, 20);
         for (j = 0; j < DSA_NUM; j++) {
                 unsigned int kk;
                 int ret;
diff --git a/src/usr.bin/openssl/ts.c b/src/usr.bin/openssl/ts.c
index c765465c45..cd7d9cc81e 100644
--- a/src/usr.bin/openssl/ts.c
+++ b/src/usr.bin/openssl/ts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.c,v 1.2 2014/08/28 14:23:52 jsing Exp $ */
+/* $OpenBSD: ts.c,v 1.3 2014/10/22 13:54:03 jsing Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -66,7 +66,6 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 #include <openssl/ts.h>
 
 /* Length of the nonce of the request in bits (must be a multiple of 8). */
@@ -593,8 +592,7 @@ create_nonce(int bits)
         /* Generating random byte sequence. */
         if (len > (int) sizeof(buf))
                 goto err;
-        if (RAND_bytes(buf, len) <= 0)
-                goto err;
+        arc4random_buf(buf, len);
 
         /* Find the first non-zero byte and creating ASN1_INTEGER object. */
         for (i = 0; i < len && !buf[i]; ++i)