Use arc4random_buf() instead of RAND_bytes().

This also removes return checks since arc4random_buf() does not fail.

3 files changed, 8 insertions, 12 deletions

diff --git a/src/lib/libcrypto/cms/cms_enc.c b/src/lib/libcrypto/cms/cms_enc.c
index 09a0d155b4..cce6e95b5e 100644
--- a/src/lib/libcrypto/cms/cms_enc.c
+++ b/src/lib/libcrypto/cms/cms_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_enc.c,v 1.18 2019/08/11 10:50:23 jsing Exp $ */
+/* $OpenBSD: cms_enc.c,v 1.19 2019/08/11 10:54:11 jsing Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -119,8 +119,7 @@ cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
                 /* Generate a random IV if we need one */
                 ivlen = EVP_CIPHER_CTX_iv_length(ctx);
                 if (ivlen > 0) {
-                        if (RAND_bytes(iv, ivlen) <= 0)
-                            goto err;
+                        arc4random_buf(iv, ivlen);
                         piv = iv;
                 }
         } else if (EVP_CIPHER_asn1_to_param(ctx, calg->parameter) <= 0) {
diff --git a/src/lib/libcrypto/cms/cms_ess.c b/src/lib/libcrypto/cms/cms_ess.c
index c460ba86e2..223612ca43 100644
--- a/src/lib/libcrypto/cms/cms_ess.c
+++ b/src/lib/libcrypto/cms/cms_ess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_ess.c,v 1.18 2019/08/11 10:50:23 jsing Exp $ */
+/* $OpenBSD: cms_ess.c,v 1.19 2019/08/11 10:54:11 jsing Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -129,8 +129,7 @@ CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst,
         else {
                 if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32))
                         goto merr;
-                if (RAND_bytes(rr->signedContentIdentifier->data, 32) <= 0)
-                        goto err;
+                arc4random_buf(rr->signedContentIdentifier->data, 32);
         }
 
         sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free);
diff --git a/src/lib/libcrypto/cms/cms_pwri.c b/src/lib/libcrypto/cms/cms_pwri.c
index 6120cee4c9..6423ddeaf9 100644
--- a/src/lib/libcrypto/cms/cms_pwri.c
+++ b/src/lib/libcrypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.23 2019/08/11 10:50:23 jsing Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.24 2019/08/11 10:54:11 jsing Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -136,8 +136,7 @@ CMS_add0_recipient_password(CMS_ContentInfo *cms, int iter, int wrap_nid,
         ivlen = EVP_CIPHER_CTX_iv_length(ctx);
 
         if (ivlen > 0) {
-                if (RAND_bytes(iv, ivlen) <= 0)
-                        goto err;
+                arc4random_buf(iv, ivlen);
                 if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0) {
                         CMSerror(ERR_R_EVP_LIB);
                         goto err;
@@ -305,9 +304,8 @@ kek_wrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
                 out[3] = in[2] ^ 0xFF;
                 memcpy(out + 4, in, inlen);
                 /* Add random padding to end */
-                if (olen > inlen + 4 &&
-                    RAND_bytes(out + 4 + inlen, olen - 4 - inlen) <= 0)
-                        return 0;
+                if (olen > inlen + 4)
+                        arc4random_buf(out + 4 + inlen, olen - 4 - inlen);
                 /* Encrypt twice */
                 if (!EVP_EncryptUpdate(ctx, out, &dummy, out, olen) ||
                     !EVP_EncryptUpdate(ctx, out, &dummy, out, olen))