author | jsing <> | 2014-10-18 16:13:16 +0000 |
---|---|---|
committer | jsing <> | 2014-10-18 16:13:16 +0000 |
commit | c7ab256a26b40c83b42c202488c01636a208c01c (patch) | |
tree | 0ec0407532b236ff11b9134f214f8db715d84e63 | |
parent | dd127b6b5a62ebd88f0cbb2e6d7d749d20363a16 (diff) | |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).
ok beck@ deraadt@ miod@
34 files changed, 76 insertions, 130 deletions
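--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.28 2014/08/08 05:06:56 guenther Exp $ */
+/* $OpenBSD: d1_both.c,v 1.29 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -118,7 +118,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>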
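--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.35 2014/09/07 12:16:23 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.36 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -116,7 +116,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -779,7 +778,7 @@ dtls1_client_hello(SSL *s)
 for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)
 ;
 if (i == sizeof(s->s3->client_random))
-RAND_pseudo_bytes(p, sizeof(s->s3->client_random));
+arc4random_buf(p, sizeof(s->s3->client_random));
 
 /* Do the message type and length last */
 d = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
@@ -954,8 +953,7 @@ dtls1_send_client_key_exchange(SSL *s)
 
 tmp_buf[0] = s->client_version >> 8;
 tmp_buf[1] = s->client_version&0xff;
-if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
-goto err;
+arc4random_buf(&tmp_buf[2], sizeof(tmp_buf) - 2);
 
 s->session->master_key_length = sizeof tmp_buf;
 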
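Review bot: In the dtls1_client_hello hunk the all-zero scan `for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)` tests `p[i]` before the bound, so when every byte is zero it reads `p[sizeof(s->s3->client_random)]`, one byte past the array, before the loop stops. Swapping the operands, `for (i = 0; i < sizeof(s->s3->client_random) && p[i] == '\0'; i++)`, keeps the read in bounds; the commit leaves this context line as it was. The function starts and ends outside the hunk, so what `p` points at is inferred from the `sizeof` operand. The same hunk appears in the src/lib/libssl/src/ssl/d1_clnt.c section.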
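--- a/src/lib/libssl/d1_enc.c
+++ b/src/lib/libssl/d1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.6 2014/07/10 08:51:14 tedu Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.7 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -118,7 +118,6 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
-#include <openssl/rand.h>
 
 /* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
 *
@@ -154,8 +153,8 @@ dtls1_enc(SSL *s, int send)
 fprintf(stderr, "%s:%d: rec->data != rec->input\n",
 __FILE__, __LINE__);
 else if (EVP_CIPHER_block_size(ds->cipher) > 1) {
-if (RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher)) <= 0)
-return -1;
+arc4random_buf(rec->input,
+EVP_CIPHER_block_size(ds->cipher));
 }
 }
 } else {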
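Review bot: `EVP_CIPHER_block_size(ds->cipher)` is evaluated once in the `> 1` guard and again as the length handed to `arc4random_buf()`, where its `int` result is converted to `size_t`. Reading it once into a local and using that for both, i.e. `else if (blocksize > 1)` and `arc4random_buf(rec->input, blocksize);`, makes it visible that the length written is the value that was checked. The write into `rec->input` also has no comment in the visible lines; if it is the random block placed ahead of each CBC record, which is inferred since the rest of dtls1_enc is outside the hunk, a one-line comment saying so would help. The same hunk appears in the src/lib/libssl/src/ssl/d1_enc.c section.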
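--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.34 2014/08/07 20:02:23 miod Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.35 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -119,7 +119,6 @@
 #include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 
 #include "pqueue.h"
 
@@ -1380,7 +1379,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 /* ssl3_enc can only have an error on read */
 if (bs) /* bs != 0 in case of CBC */
 {
-RAND_pseudo_bytes(p, bs);
+arc4random_buf(p, bs);
 /* master IV and last CBC residue stand for
 * the rest of randomness */
 wr->length += bs;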
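Review bot: The comment kept directly under the new call, `/* master IV and last CBC residue stand for the rest of randomness */`, no longer describes the code, because `arc4random_buf(p, bs)` fills all `bs` bytes from the system CSPRNG and nothing else has to stand in for randomness. It reads as a leftover from when `RAND_pseudo_bytes()` could return weaker output, and a reader may conclude the block is only partly random. Replacing it with something like `/* random block prepended to each CBC record */` would match the new behaviour; the purpose of `p` is inferred from `wr->length += bs` and the `bs != 0 in case of CBC` comment, since do_dtls1_write continues outside the hunk. The same hunk appears in the src/lib/libssl/src/ssl/d1_pkt.c section.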
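--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.39 2014/09/27 11:03:43 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.40 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -116,7 +116,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
@@ -902,8 +901,7 @@ dtls1_send_server_hello(SSL *s)
 
 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
 buf = (unsigned char *)s->init_buf->data;
-p = s->s3->server_random;
-RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
+arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
 
 /* Do the message type and length last */
 d = p= &(buf[DTLS1_HM_HEADER_LENGTH]);
@@ -1513,7 +1511,7 @@ dtls1_send_newsession_ticket(SSL *s)
 return -1;
 }
 } else {
-RAND_pseudo_bytes(iv, 16);
+arc4random_buf(iv, 16);
 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
 tctx->tlsext_tick_aes_key, iv);
 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,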
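Review bot: In dtls1_send_newsession_ticket the IV length is the bare literal `16` in `arc4random_buf(iv, 16)`, and the same literal serves as the HMAC key length two lines below; if `iv` is an array in this function (its declaration is outside the hunk), `arc4random_buf(iv, sizeof(iv));` ties the fill to the buffer. The commit message calls out unchecked RAND_*() returns, yet the adjacent `EVP_EncryptInit_ex()` and `HMAC_Init_ex()` calls are still used as bare statements in the visible lines, so a failed cipher or MAC setup would go unnoticed while the ticket is built. The identical lines appear in ssl3_send_newsession_ticket in the s3_srvr.c section and in the src/lib/libssl/src/ssl/d1_srvr.c copy.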
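--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.32 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.33 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,7 +112,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 
@@ -317,8 +316,7 @@ ssl23_client_hello(SSL *s)
 
 buf = (unsigned char *)s->init_buf->data;
 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
-p = s->s3->client_random;
-RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
+arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 
 if (version == TLS1_2_VERSION) {
 version_major = TLS1_2_VERSION_MAJOR;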
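Review bot: ssl23_client_hello fills `s->s3->client_random` with the length `SSL3_RANDOM_SIZE`, while dtls1_client_hello in the d1_clnt.c section uses `sizeof(s->s3->client_random)` for the same field. Writing `arc4random_buf(s->s3->client_random, sizeof(s->s3->client_random));` here, and likewise for the `server_random` and `client_random` fills in d1_srvr.c, s3_clnt.c and s3_srvr.c, keeps the length tied to the buffer if either ever changes. Dropping `p = s->s3->client_random;` also changes what `p` holds after this point, and unlike the s3_clnt.c and d1_srvr.c hunks this one does not show the next assignment to `p`, so that is worth confirming against the rest of the function.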
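--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.34 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.35 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,7 +112,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 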
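--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.30 2014/09/22 13:18:50 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.31 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -119,7 +119,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>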
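--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.91 2014/09/27 11:01:05 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.92 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -151,7 +151,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -657,8 +656,7 @@ ssl3_client_hello(SSL *s)
 }
 /* else use the pre-loaded session */
 
-p = s->s3->client_random;
-RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
+arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 
 /* Do the message type and length last */
 d = p = &buf[4];
@@ -1990,8 +1988,7 @@ ssl3_send_client_key_exchange(SSL *s)
 
 tmp_buf[0] = s->client_version >> 8;
 tmp_buf[1] = s->client_version & 0xff;
-if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
-goto err;
+arc4random_buf(&tmp_buf[2], sizeof(tmp_buf) - 2);
 
 s->session->master_key_length = sizeof tmp_buf;
 
@@ -2303,7 +2300,7 @@ ssl3_send_client_key_exchange(SSL *s)
 
 EVP_PKEY_encrypt_init(pkey_ctx);
 /* Generate session key. */
-RAND_bytes(premaster_secret, 32);
+arc4random_buf(premaster_secret, 32);
 /*
 * If we have client certificate, use its secret
 * as peer key.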
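Review bot: In the last hunk of ssl3_send_client_key_exchange, `arc4random_buf(premaster_secret, 32);` uses a bare length and the result of the preceding `EVP_PKEY_encrypt_init(pkey_ctx);` is ignored. If `premaster_secret` is a local array (its declaration is outside the hunk), `arc4random_buf(premaster_secret, sizeof(premaster_secret));` removes the magic number, and the init call should be checked, e.g. `if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0) goto err;`, using the `err` label that the removed `goto err` in the previous hunk shows to exist. Both `tmp_buf` and `premaster_secret` hold key material, so the exit paths, which are not visible here, should wipe them with explicit_bzero() or OPENSSL_cleanse() rather than a plain memset().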
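--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.50 2014/07/12 13:11:53 jsing Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.51 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -114,7 +114,6 @@
 #include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 
 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 unsigned int len, int create_empty_fragment);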
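--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.86 2014/10/03 13:58:18 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -154,7 +154,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
@@ -1106,11 +1105,7 @@ ssl3_get_client_hello(SSL *s)
 * server_random before calling tls_session_secret_cb in order to allow
 * SessionTicket processing to use it in key derivation.
 */
-{
-unsigned char *pos;
-pos = s->s3->server_random;
-RAND_pseudo_bytes(pos, SSL3_RANDOM_SIZE);
-}
+arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
 
 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
 SSL_CIPHER *pref_cipher = NULL;
@@ -1961,7 +1956,7 @@ ssl3_get_client_key_exchange(SSL *s)
 i = SSL_MAX_MASTER_KEY_LENGTH;
 p[0] = s->client_version >> 8;
 p[1] = s->client_version & 0xff;
-RAND_bytes(p+2, i-2);
+arc4random_buf(p + 2, i - 2);
 }
 
 s->session->master_key_length =
@@ -2774,7 +2769,7 @@ ssl3_send_newsession_ticket(SSL *s)
 return (-1);
 }
 } else {
-RAND_pseudo_bytes(iv, 16);
+arc4random_buf(iv, 16);
 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
 tctx->tlsext_tick_aes_key, iv);
 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,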
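Review bot: In ssl3_get_client_key_exchange the block that overwrites `p` with the client version and then calls `arc4random_buf(p + 2, i - 2)` has no comment in the visible lines saying why a premaster secret is being replaced with random bytes. It looks like the fallback taken when decryption or the version check fails (the condition is above the hunk), in which case a comment such as `/* decryption failed: continue with a random premaster so failure is not observable */` belongs here. If that reading is right, doing the random fill only on the failure path also leaves a small timing difference between the two outcomes; generating the random value unconditionally before the check and selecting afterwards would remove it. `i - 2` is presumably an `int` expression converted to `size_t`, and it is safe only because `i` is set to `SSL_MAX_MASTER_KEY_LENGTH` three lines above.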
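--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.28 2014/08/08 05:06:56 guenther Exp $ */
+/* $OpenBSD: d1_both.c,v 1.29 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -118,7 +118,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>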
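--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.35 2014/09/07 12:16:23 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.36 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -116,7 +116,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -779,7 +778,7 @@ dtls1_client_hello(SSL *s)
 for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)
 ;
 if (i == sizeof(s->s3->client_random))
-RAND_pseudo_bytes(p, sizeof(s->s3->client_random));
+arc4random_buf(p, sizeof(s->s3->client_random));
 
 /* Do the message type and length last */
 d = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
@@ -954,8 +953,7 @@ dtls1_send_client_key_exchange(SSL *s)
 
 tmp_buf[0] = s->client_version >> 8;
 tmp_buf[1] = s->client_version&0xff;
-if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
-goto err;
+arc4random_buf(&tmp_buf[2], sizeof(tmp_buf) - 2);
 
 s->session->master_key_length = sizeof tmp_buf;
 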
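--- a/src/lib/libssl/src/ssl/d1_enc.c
+++ b/src/lib/libssl/src/ssl/d1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.6 2014/07/10 08:51:14 tedu Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.7 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -118,7 +118,6 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
-#include <openssl/rand.h>
 
 /* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
 *
@@ -154,8 +153,8 @@ dtls1_enc(SSL *s, int send)
 fprintf(stderr, "%s:%d: rec->data != rec->input\n",
 __FILE__, __LINE__);
 else if (EVP_CIPHER_block_size(ds->cipher) > 1) {
-if (RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher)) <= 0)
-return -1;
+arc4random_buf(rec->input,
+EVP_CIPHER_block_size(ds->cipher));
 }
 }
 } else {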
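--- a/src/lib/libssl/src/ssl/d1_pkt.c
+++ b/src/lib/libssl/src/ssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.34 2014/08/07 20:02:23 miod Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.35 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -119,7 +119,6 @@
 #include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 
 #include "pqueue.h"
 
@@ -1380,7 +1379,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 /* ssl3_enc can only have an error on read */
 if (bs) /* bs != 0 in case of CBC */
 {
-RAND_pseudo_bytes(p, bs);
+arc4random_buf(p, bs);
 /* master IV and last CBC residue stand for
 * the rest of randomness */
 wr->length += bs;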
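--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.39 2014/09/27 11:03:43 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.40 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -116,7 +116,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
@@ -902,8 +901,7 @@ dtls1_send_server_hello(SSL *s)
 
 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
 buf = (unsigned char *)s->init_buf->data;
-p = s->s3->server_random;
-RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
+arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
 
 /* Do the message type and length last */
 d = p= &(buf[DTLS1_HM_HEADER_LENGTH]);
@@ -1513,7 +1511,7 @@ dtls1_send_newsession_ticket(SSL *s)
 return -1;
 }
 } else {
-RAND_pseudo_bytes(iv, 16);
+arc4random_buf(iv, 16);
 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
 tctx->tlsext_tick_aes_key, iv);
 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,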
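--- a/src/lib/libssl/src/ssl/s23_clnt.c
+++ b/src/lib/libssl/src/ssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.32 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.33 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,7 +112,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 
@@ -317,8 +316,7 @@ ssl23_client_hello(SSL *s)
 
 buf = (unsigned char *)s->init_buf->data;
 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
-p = s->s3->client_random;
-RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
+arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 
 if (version == TLS1_2_VERSION) {
 version_major = TLS1_2_VERSION_MAJOR;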
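--- a/src/lib/libssl/src/ssl/s23_srvr.c
+++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.34 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.35 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,7 +112,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 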
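--- a/src/lib/libssl/src/ssl/s3_both.c
+++ b/src/lib/libssl/src/ssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.30 2014/09/22 13:18:50 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.31 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -119,7 +119,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>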
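--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.91 2014/09/27 11:01:05 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.92 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -151,7 +151,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -657,8 +656,7 @@ ssl3_client_hello(SSL *s)
 }
 /* else use the pre-loaded session */
 
-p = s->s3->client_random;
-RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
+arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 
 /* Do the message type and length last */
 d = p = &buf[4];
@@ -1990,8 +1988,7 @@ ssl3_send_client_key_exchange(SSL *s)
 
 tmp_buf[0] = s->client_version >> 8;
 tmp_buf[1] = s->client_version & 0xff;
-if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
-goto err;
+arc4random_buf(&tmp_buf[2], sizeof(tmp_buf) - 2);
 
 s->session->master_key_length = sizeof tmp_buf;
 
@@ -2303,7 +2300,7 @@ ssl3_send_client_key_exchange(SSL *s)
 
 EVP_PKEY_encrypt_init(pkey_ctx);
 /* Generate session key. */
-RAND_bytes(premaster_secret, 32);
+arc4random_buf(premaster_secret, 32);
 /*
 * If we have client certificate, use its secret
 * as peer key.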
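Review bot: The length in `arc4random_buf(premaster_secret, 32);` (last hunk, ssl3_send_client_key_exchange) is a bare literal that has to be kept in step with the buffer's declaration, which lies outside the hunk. If premaster_secret is a local array, as it appears to be, `arc4random_buf(premaster_secret, sizeof(premaster_secret));` ties the two together the way the tmp_buf call in the previous hunk already does. The same applies to the 16-byte literals in ssl3_send_newsession_ticket (s3_srvr.c) and in SSL_CTX_new (both copies of ssl_lib.c). Since arc4random_buf() returns nothing, a length that drifts from the buffer size would leave key material partly unfilled without any signal.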
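--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.50 2014/07/12 13:11:53 jsing Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.51 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -114,7 +114,6 @@
 #include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 
 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 unsigned int len, int create_empty_fragment);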
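--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.86 2014/10/03 13:58:18 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -154,7 +154,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
@@ -1106,11 +1105,7 @@ ssl3_get_client_hello(SSL *s)
 * server_random before calling tls_session_secret_cb in order to allow
 * SessionTicket processing to use it in key derivation.
 */
-{
-unsigned char *pos;
-pos = s->s3->server_random;
-RAND_pseudo_bytes(pos, SSL3_RANDOM_SIZE);
-}
+arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
 
 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
 SSL_CIPHER *pref_cipher = NULL;
@@ -1961,7 +1956,7 @@ ssl3_get_client_key_exchange(SSL *s)
 i = SSL_MAX_MASTER_KEY_LENGTH;
 p[0] = s->client_version >> 8;
 p[1] = s->client_version & 0xff;
-RAND_bytes(p+2, i-2);
+arc4random_buf(p + 2, i - 2);
 }
 
 s->session->master_key_length =
@@ -2774,7 +2769,7 @@ ssl3_send_newsession_ticket(SSL *s)
 return (-1);
 }
 } else {
-RAND_pseudo_bytes(iv, 16);
+arc4random_buf(iv, 16);
 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
 tctx->tlsext_tick_aes_key, iv);
 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,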
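Review bot: In ssl3_send_newsession_ticket (last hunk) the return values of `EVP_EncryptInit_ex()` and `HMAC_Init_ex()`, on the lines right after the new `arc4random_buf(iv, 16);`, are still ignored, so a failed cipher or HMAC setup would presumably go on to build a ticket from an uninitialised context. The commit message singles out unchecked RAND_* results, and these two calls deserve the same treatment, e.g. `if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, iv)) return (-1);` and likewise for `HMAC_Init_ex`. The function starts and ends outside the hunk, so whatever cleanup of ctx, hctx and any allocated buffer the existing error returns perform would have to be repeated on these paths.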
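--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.86 2014/10/15 17:39:34 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -145,7 +145,6 @@
 #include <openssl/objects.h>
 #include <openssl/lhash.h>
 #include <openssl/x509v3.h>
-#include <openssl/rand.h>
 #include <openssl/ocsp.h>
 #include <openssl/dh.h>
 #ifndef OPENSSL_NO_ENGINE
@@ -1786,11 +1785,11 @@ SSL_CTX_new(const SSL_METHOD *meth)
 
 ret->tlsext_servername_callback = 0;
 ret->tlsext_servername_arg = NULL;
+
 /* Setup RFC4507 ticket keys */
-if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
-|| (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
-|| (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
-ret->options |= SSL_OP_NO_TICKET;
+arc4random_buf(ret->tlsext_tick_key_name, 16);
+arc4random_buf(ret->tlsext_tick_hmac_key, 16);
+arc4random_buf(ret->tlsext_tick_aes_key, 16);
 
 ret->tlsext_status_cb = 0;
 ret->tlsext_status_arg = NULL;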
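Review bot: The comment `/* Setup RFC4507 ticket keys */` in SSL_CTX_new no longer explains why there is no failure path: the removed code switched tickets off with SSL_OP_NO_TICKET when the RNG failed, while the new code relies on arc4random_buf() not failing. I would expand it to `/* Set up RFC 5077 (formerly RFC 4507) ticket keys; arc4random_buf() cannot fail, so tickets are never disabled here. */`. The same section appears again for src/lib/libssl/ssl_lib.c further down. SSL_CTX_new starts and ends outside the hunk.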
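--- a/src/lib/libssl/src/ssl/ssl_sess.c
+++ b/src/lib/libssl/src/ssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.41 2014/09/22 14:26:22 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.42 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -136,7 +136,6 @@
 */
 
 #include <openssl/lhash.h>
-#include <openssl/rand.h>
 
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -258,8 +257,7 @@ def_generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len)
 unsigned int retry = 0;
 
 do {
-if (RAND_pseudo_bytes(id, *id_len) <= 0)
-return 0;
+arc4random_buf(id, *id_len);
 } while (SSL_has_matching_session_id(ssl, id, *id_len) &&
 (++retry < MAX_SESS_ID_ATTEMPTS));
 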
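--- a/src/lib/libssl/src/ssl/t1_clnt.c
+++ b/src/lib/libssl/src/ssl/t1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_clnt.c,v 1.14 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: t1_clnt.c,v 1.15 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 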
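--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.70 2014/10/18 03:04:28 doug Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.71 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -140,7 +140,6 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
-#include <openssl/rand.h>
 
 /* seed1 through seed5 are virtually concatenated */
 static int
@@ -810,8 +809,8 @@ tls1_enc(SSL *s, int send)
 fprintf(stderr,
 "%s:%d: rec->data != rec->input\n",
 __FILE__, __LINE__);
-else if (RAND_bytes(rec->input, ivlen) <= 0)
-return -1;
+else
+arc4random_buf(rec->input, ivlen);
 }
 }
 } else {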
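Review bot: In tls1_enc, the branch that prints `rec->data != rec->input` only writes to stderr and carries on, so on that path the explicit IV is never filled with random bytes and the record is apparently encrypted with whatever was already in the buffer. A library should not report this on stderr, and with the RNG failure return gone this is the one condition left to handle. I would fail the record instead: `if (rec->data != rec->input) return -1;` followed by an unconditional `arc4random_buf(rec->input, ivlen);`. The enclosing conditions and the rest of tls1_enc are outside the hunk, so how callers treat -1 should be confirmed, although the removed line returned -1 from this same spot. The same section is repeated for src/lib/libssl/t1_enc.c.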
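--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.64 2014/10/15 14:02:16 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.65 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -115,7 +115,6 @@
 #include <openssl/hmac.h>
 #include <openssl/objects.h>
 #include <openssl/ocsp.h>
-#include <openssl/rand.h>
 
 #include "ssl_locl.h"
 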
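--- a/src/lib/libssl/src/ssl/t1_srvr.c
+++ b/src/lib/libssl/src/ssl/t1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_srvr.c,v 1.14 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: t1_srvr.c,v 1.15 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>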
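--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.86 2014/10/15 17:39:34 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -145,7 +145,6 @@
 #include <openssl/objects.h>
 #include <openssl/lhash.h>
 #include <openssl/x509v3.h>
-#include <openssl/rand.h>
 #include <openssl/ocsp.h>
 #include <openssl/dh.h>
 #ifndef OPENSSL_NO_ENGINE
@@ -1786,11 +1785,11 @@ SSL_CTX_new(const SSL_METHOD *meth)
 
 ret->tlsext_servername_callback = 0;
 ret->tlsext_servername_arg = NULL;
+
 /* Setup RFC4507 ticket keys */
-if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
-|| (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
-|| (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
-ret->options |= SSL_OP_NO_TICKET;
+arc4random_buf(ret->tlsext_tick_key_name, 16);
+arc4random_buf(ret->tlsext_tick_hmac_key, 16);
+arc4random_buf(ret->tlsext_tick_aes_key, 16);
 
 ret->tlsext_status_cb = 0;
 ret->tlsext_status_arg = NULL;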
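--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.41 2014/09/22 14:26:22 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.42 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -136,7 +136,6 @@
 */
 
 #include <openssl/lhash.h>
-#include <openssl/rand.h>
 
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -258,8 +257,7 @@ def_generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len)
 unsigned int retry = 0;
 
 do {
-if (RAND_pseudo_bytes(id, *id_len) <= 0)
-return 0;
+arc4random_buf(id, *id_len);
 } while (SSL_has_matching_session_id(ssl, id, *id_len) &&
 (++retry < MAX_SESS_ID_ATTEMPTS));
 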
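--- a/src/lib/libssl/t1_clnt.c
+++ b/src/lib/libssl/t1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_clnt.c,v 1.14 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: t1_clnt.c,v 1.15 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 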
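--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.70 2014/10/18 03:04:28 doug Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.71 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -140,7 +140,6 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
-#include <openssl/rand.h>
 
 /* seed1 through seed5 are virtually concatenated */
 static int
@@ -810,8 +809,8 @@ tls1_enc(SSL *s, int send)
 fprintf(stderr,
 "%s:%d: rec->data != rec->input\n",
 __FILE__, __LINE__);
-else if (RAND_bytes(rec->input, ivlen) <= 0)
-return -1;
+else
+arc4random_buf(rec->input, ivlen);
 }
 }
 } else {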
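--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.64 2014/10/15 14:02:16 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.65 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -115,7 +115,6 @@
 #include <openssl/hmac.h>
 #include <openssl/objects.h>
 #include <openssl/ocsp.h>
-#include <openssl/rand.h>
 
 #include "ssl_locl.h"
 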
diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c index 99712b6fb6..ba579dd110 100644 --- a/src/lib/libssl/t1_srvr.c +++ b/src/lib/libssl/t1_srvr.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: t1_srvr.c,v 1.14 2014/08/10 14:42:56 jsing Exp $ */ | 1 | /* $OpenBSD: t1_srvr.c,v 1.15 2014/10/18 16:13:16 jsing Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. | 3 | * All rights reserved. |
4 | * | 4 | * |
@@ -59,7 +59,6 @@ | |||
59 | #include <stdio.h> | 59 | #include <stdio.h> |
60 | #include "ssl_locl.h" | 60 | #include "ssl_locl.h" |
61 | #include <openssl/buffer.h> | 61 | #include <openssl/buffer.h> |
62 | #include <openssl/rand.h> | ||
63 | #include <openssl/objects.h> | 62 | #include <openssl/objects.h> |
64 | #include <openssl/evp.h> | 63 | #include <openssl/evp.h> |
65 | #include <openssl/x509.h> | 64 | #include <openssl/x509.h> |