From fa457604779ff38b511fdfdae3c6a78664281c22 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Wed, 22 Oct 2014 13:02:04 +0000 Subject: Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes(). arc4random_buf() is guaranteed to always succeed - it is worth noting that a number of the replaced function calls were already missing return value checks. ok deraadt@ --- src/lib/libcrypto/cms/cms_enc.c | 8 ++++---- src/lib/libcrypto/cms/cms_ess.c | 9 ++++----- src/lib/libcrypto/cms/cms_pwri.c | 10 +++++----- 3 files changed, 13 insertions(+), 14 deletions(-) (limited to 'src/lib/libcrypto/cms') diff --git a/src/lib/libcrypto/cms/cms_enc.c b/src/lib/libcrypto/cms/cms_enc.c index efe19a3131..f97e4d5f34 100644 --- a/src/lib/libcrypto/cms/cms_enc.c +++ b/src/lib/libcrypto/cms/cms_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_enc.c,v 1.5 2014/07/11 08:44:48 jsing Exp $ */ +/* $OpenBSD: cms_enc.c,v 1.6 2014/10/22 13:02:04 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -51,11 +51,12 @@ * ==================================================================== */ +#include + #include #include #include #include -#include #include #include "cms_lcl.h" @@ -119,8 +120,7 @@ cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) /* Generate a random IV if we need one */ ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { - if (RAND_pseudo_bytes(iv, ivlen) <= 0) - goto err; + arc4random_buf(iv, ivlen); piv = iv; } } else if (EVP_CIPHER_asn1_to_param(ctx, calg->parameter) <= 0) { diff --git a/src/lib/libcrypto/cms/cms_ess.c b/src/lib/libcrypto/cms/cms_ess.c index e3b7e7da4c..fca62e0627 100644 --- a/src/lib/libcrypto/cms/cms_ess.c +++ b/src/lib/libcrypto/cms/cms_ess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_ess.c,v 1.6 2014/07/11 08:44:48 jsing Exp $ */ +/* $OpenBSD: cms_ess.c,v 1.7 2014/10/22 13:02:04 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -51,11 +51,12 @@ * ==================================================================== */ +#include + #include #include #include #include -#include #include #include "cms_lcl.h" @@ -105,9 +106,7 @@ CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst, else { if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32)) goto merr; - if (RAND_pseudo_bytes(rr->signedContentIdentifier->data, 32) - <= 0) - goto err; + arc4random_buf(rr->signedContentIdentifier->data, 32); } sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free); diff --git a/src/lib/libcrypto/cms/cms_pwri.c b/src/lib/libcrypto/cms/cms_pwri.c index b7c3038027..89f7925938 100644 --- a/src/lib/libcrypto/cms/cms_pwri.c +++ b/src/lib/libcrypto/cms/cms_pwri.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_pwri.c,v 1.7 2014/07/11 15:42:34 miod Exp $ */ +/* $OpenBSD: cms_pwri.c,v 1.8 2014/10/22 13:02:04 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -51,12 +51,13 @@ * ==================================================================== */ +#include + #include #include #include #include #include -#include #include #include "asn1_locl.h" @@ -130,8 +131,7 @@ CMS_add0_recipient_password(CMS_ContentInfo *cms, int iter, int wrap_nid, ivlen = EVP_CIPHER_CTX_iv_length(&ctx); if (ivlen > 0) { - if (RAND_pseudo_bytes(iv, ivlen) <= 0) - goto err; + arc4random_buf(iv, ivlen); if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) { CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB); @@ -297,7 +297,7 @@ kek_wrap_key(unsigned char *out, size_t *outlen, const unsigned char *in, memcpy(out + 4, in, inlen); /* Add random padding to end */ if (olen > inlen + 4) - RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen); + arc4random_buf(out + 4 + inlen, olen - 4 - inlen); /* Encrypt twice */ EVP_EncryptUpdate(ctx, out, &dummy, out, olen); EVP_EncryptUpdate(ctx, out, &dummy, out, olen); -- cgit v1.2.3-55-g6feb