From fa457604779ff38b511fdfdae3c6a78664281c22 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 22 Oct 2014 13:02:04 +0000
Subject: Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random_buf() is guaranteed to always succeed - it is worth noting
that a number of the replaced function calls were already missing return
value checks.

ok deraadt@
---
 src/lib/libcrypto/pem/pem_lib.c | 7 +++----
 src/lib/libcrypto/pem/pvkfmt.c  | 7 +++----
 2 files changed, 6 insertions(+), 8 deletions(-)

(limited to 'src/lib/libcrypto/pem')

diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 26b1876f36..1ebae53e74 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_lib.c,v 1.34 2014/07/23 20:43:56 miod Exp $ */
+/* $OpenBSD: pem_lib.c,v 1.35 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,6 +58,7 @@
 
 #include <ctype.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -67,7 +68,6 @@
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 #ifndef OPENSSL_NO_DES
@@ -390,8 +390,7 @@ PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
 			kstr = (unsigned char *)buf;
 		}
 		OPENSSL_assert(enc->iv_len <= (int)sizeof(iv));
-		if (RAND_pseudo_bytes(iv, enc->iv_len) < 0) /* Generate a salt */
-			goto err;
+		arc4random_buf(iv, enc->iv_len); /* Generate a salt */
 		/* The 'iv' is used as the iv and as a salt.  It is
 		 * NOT taken from the BytesToKey function */
 		if (!EVP_BytesToKey(enc, EVP_md5(), iv, kstr, klen, 1,
diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c
index ca7e908c29..2009c9db80 100644
--- a/src/lib/libcrypto/pem/pvkfmt.c
+++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.11 2014/07/12 16:03:37 miod Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.12 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -60,6 +60,7 @@
  * and PRIVATEKEYBLOB).
  */
 
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -67,7 +68,6 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 
 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
 #include <openssl/dsa.h>
@@ -869,8 +869,7 @@ i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb,
 	write_ledword(&p, enclevel ? PVK_SALTLEN : 0);
 	write_ledword(&p, pklen);
 	if (enclevel) {
-		if (RAND_bytes(p, PVK_SALTLEN) <= 0)
-			goto error;
+		arc4random_buf(p, PVK_SALTLEN);
 		salt = p;
 		p += PVK_SALTLEN;
 	}
-- 
cgit v1.2.3-55-g6feb