I don't think we want to do this yet. RAND_bytes and
RAND_pseudo_bytes will not be going away.
On Mon, Apr 21, 2014 at 9:24 PM, Jean-Philippe Ouellet
<jean-phili...@ouellet.biz> wrote:
> Here's another pass.
>
> This replaces RAND_{,pseudo_}bytes() calls with equivelant arc4random_buf(3)
> calls for apps/ and ssl/ (crypto/ still has a bunch).
>
> There was one that was commented out (in ssl/s3_pkt.c) which I wasn't sure
> about, so I made the accoring transformation and left it commented out.
>
> Feedback appreciated
>
>
> Index: apps/enc.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/apps/enc.c,v
> retrieving revision 1.25
> diff -u -p -r1.25 enc.c
> --- apps/enc.c 19 Apr 2014 16:18:22 -0000 1.25
> +++ apps/enc.c 22 Apr 2014 03:19:29 -0000
> @@ -476,8 +476,8 @@ enc_main(int argc, char **argv)
> "invalid hex salt
> value\n");
> goto end;
> }
> - } else if (RAND_pseudo_bytes(salt,
> sizeof salt) < 0)
> - goto end;
> + } else
> + arc4random_buf(salt, sizeof
> salt);
> /*
> * If -P option then don't bother
> * writing
> Index: apps/passwd.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/apps/passwd.c,v
> retrieving revision 1.14
> diff -u -p -r1.14 passwd.c
> --- apps/passwd.c 18 Apr 2014 04:17:16 -0000 1.14
> +++ apps/passwd.c 22 Apr 2014 03:19:29 -0000
> @@ -7,6 +7,7 @@
> #if !defined(OPENSSL_NO_DES) || !defined(NO_MD5CRYPT_1)
>
> #include <assert.h>
> +#include <stdlib.h>
> #include <string.h>
>
> #include "apps.h"
> @@ -399,8 +400,7 @@ do_passwd(int passed_salt, char **salt_p
> if (*salt_malloc_p == NULL)
> goto err;
> }
> - if (RAND_pseudo_bytes((unsigned char *) *salt_p, 2) <
> 0)
> - goto err;
> + arc4random_buf(*salt_p, 2);
> (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6
> bits */
> (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6
> bits */
> (*salt_p)[2] = 0;
> @@ -416,8 +416,7 @@ do_passwd(int passed_salt, char **salt_p
> if (*salt_malloc_p == NULL)
> goto err;
> }
> - if (RAND_pseudo_bytes((unsigned char *) *salt_p, 8) <
> 0)
> - goto err;
> + arc4random_buf(*salt_p, 8);
>
> for (i = 0; i < 8; i++)
> (*salt_p)[i] = cov_2char[(*salt_p)[i] &
> 0x3f]; /* 6 bits */
> Index: apps/rand.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/apps/rand.c,v
> retrieving revision 1.14
> diff -u -p -r1.14 rand.c
> --- apps/rand.c 18 Apr 2014 19:54:57 -0000 1.14
> +++ apps/rand.c 22 Apr 2014 03:19:29 -0000
> @@ -57,6 +57,7 @@
>
> #include <ctype.h>
> #include <stdio.h>
> +#include <stdlib.h>
> #include <string.h>
>
> #include <openssl/bio.h>
> @@ -186,9 +187,7 @@ rand_main(int argc, char **argv)
> chunk = num;
> if (chunk > (int) sizeof(buf))
> chunk = sizeof buf;
> - r = RAND_bytes(buf, chunk);
> - if (r <= 0)
> - goto err;
> + arc4random_buf(buf, chunk);
> if (!hex)
> BIO_write(out, buf, chunk);
> else {
> Index: apps/s_cb.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/apps/s_cb.c,v
> retrieving revision 1.16
> diff -u -p -r1.16 s_cb.c
> --- apps/s_cb.c 18 Apr 2014 14:37:41 -0000 1.16
> +++ apps/s_cb.c 22 Apr 2014 03:19:30 -0000
> @@ -730,11 +730,7 @@ generate_cookie_callback(SSL * ssl, unsi
>
> /* Initialize a random secret */
> if (!cookie_initialized) {
> - if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) {
> - BIO_printf(bio_err,
> - "error setting random cookie secret\n");
> - return 0;
> - }
> + arc4random_buf(cookie_secret, COOKIE_SECRET_LENGTH);
> cookie_initialized = 1;
> }
> /* Read peer information */
> Index: apps/s_server.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/apps/s_server.c,v
> retrieving revision 1.36
> diff -u -p -r1.36 s_server.c
> --- apps/s_server.c 19 Apr 2014 16:46:08 -0000 1.36
> +++ apps/s_server.c 22 Apr 2014 03:19:30 -0000
> @@ -2556,7 +2556,7 @@ generate_session_id(const SSL * ssl, uns
> {
> unsigned int count = 0;
> do {
> - RAND_pseudo_bytes(id, *id_len);
> + arc4random_buf(id, *id_len);
> /*
> * Prefix the session_id with the required prefix. NB: If our
> * prefix is too long, clip it - but there will be worse
> Index: apps/speed.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/apps/speed.c,v
> retrieving revision 1.33
> diff -u -p -r1.33 speed.c
> --- apps/speed.c 18 Apr 2014 18:01:06 -0000 1.33
> +++ apps/speed.c 22 Apr 2014 03:19:30 -0000
> @@ -1877,7 +1877,7 @@ speed_main(int argc, char **argv)
> print_result(D_EVP, j, count, d);
> }
> }
> - RAND_pseudo_bytes(buf, 36);
> + arc4random_buf(buf, 36);
> #ifndef OPENSSL_NO_RSA
> for (j = 0; j < RSA_NUM; j++) {
> int ret;
> @@ -1951,7 +1951,7 @@ speed_main(int argc, char **argv)
> }
> #endif
>
> - RAND_pseudo_bytes(buf, 20);
> + arc4random_buf(buf, 20);
> #ifndef OPENSSL_NO_DSA
> for (j = 0; j < DSA_NUM; j++) {
> unsigned int kk;
> Index: apps/ts.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/apps/ts.c,v
> retrieving revision 1.9
> diff -u -p -r1.9 ts.c
> --- apps/ts.c 18 Apr 2014 19:54:57 -0000 1.9
> +++ apps/ts.c 22 Apr 2014 03:19:30 -0000
> @@ -610,8 +610,7 @@ create_nonce(int bits)
> /* Generating random byte sequence. */
> if (len > (int) sizeof(buf))
> goto err;
> - if (RAND_bytes(buf, len) <= 0)
> - goto err;
> + arc4random_buf(buf, len);
>
> /* Find the first non-zero byte and creating ASN1_INTEGER object. */
> for (i = 0; i < len && !buf[i]; ++i);
> Index: ssl/d1_clnt.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/d1_clnt.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 d1_clnt.c
> --- ssl/d1_clnt.c 21 Apr 2014 16:34:43 -0000 1.15
> +++ ssl/d1_clnt.c 22 Apr 2014 03:19:59 -0000
> @@ -114,6 +114,8 @@
> */
>
> #include <stdio.h>
> +#include <stdlib.h>
> +
> #include "ssl_locl.h"
> #ifndef OPENSSL_NO_KRB5
> #include "kssl_lcl.h"
> @@ -964,8 +966,7 @@ dtls1_send_client_key_exchange(SSL *s)
>
> tmp_buf[0] = s->client_version >> 8;
> tmp_buf[1] = s->client_version&0xff;
> - if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <=
> 0)
> - goto err;
> + arc4random_buf(&(tmp_buf[2]), sizeof tmp_buf - 2);
>
> s->session->master_key_length = sizeof tmp_buf;
>
> @@ -1087,8 +1088,7 @@ dtls1_send_client_key_exchange(SSL *s)
> n += 2;
> }
>
> - if (RAND_bytes(tmp_buf, sizeof tmp_buf) <= 0)
> - goto err;
> + arc4random_buf(tmp_buf, sizeof tmp_buf);
>
> /* 20010420 VRS. Tried it this way; failed.
> ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
> Index: ssl/d1_enc.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/d1_enc.c,v
> retrieving revision 1.3
> diff -u -p -r1.3 d1_enc.c
> --- ssl/d1_enc.c 14 Apr 2014 14:16:33 -0000 1.3
> +++ ssl/d1_enc.c 22 Apr 2014 03:19:59 -0000
> @@ -114,6 +114,8 @@
> */
>
> #include <stdio.h>
> +#include <stdlib.h>
> +
> #include "ssl_locl.h"
> #ifndef OPENSSL_NO_COMP
> #include <openssl/comp.h>
> @@ -159,10 +161,9 @@ dtls1_enc(SSL *s, int send)
> /* we can't write into the input stream */
> fprintf(stderr, "%s:%d: rec->data !=
> rec->input\n",
> __FILE__, __LINE__);
> - else if (EVP_CIPHER_block_size(ds->cipher) > 1) {
> - if (RAND_bytes(rec->input,
> EVP_CIPHER_block_size(ds->cipher)) <= 0)
> - return -1;
> - }
> + else if (EVP_CIPHER_block_size(ds->cipher) > 1)
> + arc4random_buf(rec->input,
> + EVP_CIPHER_block_size(ds->cipher));
> }
> } else {
> if (EVP_MD_CTX_md(s->read_hash)) {
> Index: ssl/d1_pkt.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/d1_pkt.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 d1_pkt.c
> --- ssl/d1_pkt.c 17 Apr 2014 23:35:40 -0000 1.15
> +++ ssl/d1_pkt.c 22 Apr 2014 03:19:59 -0000
> @@ -114,6 +114,7 @@
> */
>
> #include <stdio.h>
> +#include <stdlib.h>
> #include <errno.h>
> #include "ssl_locl.h"
> #include <openssl/evp.h>
> @@ -1522,7 +1523,7 @@ do_dtls1_write(SSL *s, int type, const u
> /* ssl3_enc can only have an error on read */
> if (bs) /* bs != 0 in case of CBC */
> {
> - RAND_pseudo_bytes(p, bs);
> + arc4random_buf(p, bs);
> /* master IV and last CBC residue stand for
> * the rest of randomness */
> wr->length += bs;
> Index: ssl/d1_srvr.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/d1_srvr.c,v
> retrieving revision 1.17
> diff -u -p -r1.17 d1_srvr.c
> --- ssl/d1_srvr.c 21 Apr 2014 16:34:43 -0000 1.17
> +++ ssl/d1_srvr.c 22 Apr 2014 03:19:59 -0000
> @@ -114,6 +114,8 @@
> */
>
> #include <stdio.h>
> +#include <stdlib.h>
> +
> #include "ssl_locl.h"
> #include <openssl/buffer.h>
> #include <openssl/rand.h>
> @@ -1574,7 +1576,7 @@ dtls1_send_newsession_ticket(SSL *s)
> return -1;
> }
> } else {
> - RAND_pseudo_bytes(iv, 16);
> + arc4random_buf(iv, 16);
> EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
> tctx->tlsext_tick_aes_key, iv);
> HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
> Index: ssl/s23_clnt.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/s23_clnt.c,v
> retrieving revision 1.23
> diff -u -p -r1.23 s23_clnt.c
> --- ssl/s23_clnt.c 19 Apr 2014 17:07:35 -0000 1.23
> +++ ssl/s23_clnt.c 22 Apr 2014 03:19:59 -0000
> @@ -110,6 +110,8 @@
> */
>
> #include <stdio.h>
> +#include <stdlib.h>
> +
> #include "ssl_locl.h"
> #include <openssl/buffer.h>
> #include <openssl/rand.h>
> @@ -268,9 +270,10 @@ ssl_fill_hello_random(SSL *s, int server
> unsigned long Time = (unsigned long)time(NULL);
> unsigned char *p = result;
> l2n(Time, p);
> - return RAND_pseudo_bytes(p, len - 4);
> + arc4random_buf(p, len - 4);
> } else
> - return RAND_pseudo_bytes(result, len);
> + arc4random_buf(result, len);
> + return 1;
> }
>
> static int
> Index: ssl/s3_clnt.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/s3_clnt.c,v
> retrieving revision 1.41
> diff -u -p -r1.41 s3_clnt.c
> --- ssl/s3_clnt.c 21 Apr 2014 16:34:43 -0000 1.41
> +++ ssl/s3_clnt.c 22 Apr 2014 03:19:59 -0000
> @@ -149,6 +149,8 @@
> */
>
> #include <stdio.h>
> +#include <stdlib.h>
> +
> #include "ssl_locl.h"
> #include "kssl_lcl.h"
> #include <openssl/buffer.h>
> @@ -2035,8 +2037,7 @@ ssl3_send_client_key_exchange(SSL *s)
>
> tmp_buf[0] = s->client_version >> 8;
> tmp_buf[1] = s->client_version & 0xff;
> - if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <=
> 0)
> - goto err;
> + arc4random_buf(&(tmp_buf[2]), sizeof tmp_buf - 2);
>
> s->session->master_key_length = sizeof tmp_buf;
>
> @@ -2160,8 +2161,7 @@ ssl3_send_client_key_exchange(SSL *s)
>
> tmp_buf[0] = s->client_version >> 8;
> tmp_buf[1] = s->client_version&0xff;
> - if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <=
> 0)
> - goto err;
> + arc4random_buf(&(tmp_buf[2]), sizeof tmp_buf - 2);
>
> /* 20010420 VRS. Tried it this way; failed.
> ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
> @@ -2457,7 +2457,7 @@ ssl3_send_client_key_exchange(SSL *s)
>
> EVP_PKEY_encrypt_init(pkey_ctx);
> /* Generate session key */
> - RAND_bytes(premaster_secret, 32);
> + arc4random_buf(premaster_secret, 32);
> /* If we have client certificate, use its secret as
> peer key */
> if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
> if (EVP_PKEY_derive_set_peer(pkey_ctx,
> s->cert->key->privatekey) <=0) {
> Index: ssl/s3_pkt.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/s3_pkt.c,v
> retrieving revision 1.32
> diff -u -p -r1.32 s3_pkt.c
> --- ssl/s3_pkt.c 19 Apr 2014 19:40:11 -0000 1.32
> +++ ssl/s3_pkt.c 22 Apr 2014 03:19:59 -0000
> @@ -109,8 +109,10 @@
> *
> */
>
> -#include <stdio.h>
> #include <errno.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +
> #include "ssl_locl.h"
> #include <openssl/evp.h>
> #include <openssl/buffer.h>
> @@ -756,9 +758,8 @@ do_ssl3_write(SSL *s, int type, const un
> wr->data = p;
>
> if (eivlen) {
> - /* if (RAND_pseudo_bytes(p, eivlen) <= 0)
> - goto err;
> - */
> + /* XXX why was this commented out? */
> + /* arc4random_buf(p, eivlen); */
> wr->length += eivlen;
> }
>
> Index: ssl/s3_srvr.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/s3_srvr.c,v
> retrieving revision 1.44
> diff -u -p -r1.44 s3_srvr.c
> --- ssl/s3_srvr.c 21 Apr 2014 16:34:43 -0000 1.44
> +++ ssl/s3_srvr.c 22 Apr 2014 03:19:59 -0000
> @@ -152,6 +152,8 @@
> #define NETSCAPE_HANG_BUG
>
> #include <stdio.h>
> +#include <stdlib.h>
> +
> #include "ssl_locl.h"
> #include "kssl_lcl.h"
> #include <openssl/buffer.h>
> @@ -2216,12 +2218,7 @@ ssl3_get_client_key_exchange(SSL *s)
> i = SSL_MAX_MASTER_KEY_LENGTH;
> p[0] = s->client_version >> 8;
> p[1] = s->client_version & 0xff;
> - /*
> - * Should be RAND_bytes, but we cannot work around a
> - * failure.
> - */
> - if (RAND_pseudo_bytes(p+2, i-2) <= 0)
> - goto err;
> + arc4random_buf(p + 2, i - 2);
> }
>
> s->session->master_key_length =
> @@ -3340,7 +3337,7 @@ ssl3_send_newsession_ticket(SSL *s)
> return -1;
> }
> } else {
> - RAND_pseudo_bytes(iv, 16);
> + arc4random_buf(iv, 16);
> EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
> tctx->tlsext_tick_aes_key, iv);
> HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
> Index: ssl/ssl_lib.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/ssl_lib.c,v
> retrieving revision 1.39
> diff -u -p -r1.39 ssl_lib.c
> --- ssl/ssl_lib.c 21 Apr 2014 16:34:43 -0000 1.39
> +++ ssl/ssl_lib.c 22 Apr 2014 03:19:59 -0000
> @@ -143,6 +143,8 @@
> */
>
> #include <stdio.h>
> +#include <stdlib.h>
> +
> #include "ssl_locl.h"
> #include "kssl_lcl.h"
> #include <openssl/objects.h>
> @@ -1781,10 +1783,9 @@ SSL_CTX_new(const SSL_METHOD *meth)
> ret->tlsext_servername_callback = 0;
> ret->tlsext_servername_arg = NULL;
> /* Setup RFC4507 ticket keys */
> - if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
> - || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
> - || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
> - ret->options |= SSL_OP_NO_TICKET;
> + arc4random_buf(ret->tlsext_tick_key_name, 16);
> + arc4random_buf(ret->tlsext_tick_hmac_key, 16);
> + arc4random_buf(ret->tlsext_tick_aes_key, 16);
>
> ret->tlsext_status_cb = 0;
> ret->tlsext_status_arg = NULL;
> Index: ssl/ssl_sess.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/ssl_sess.c,v
> retrieving revision 1.25
> diff -u -p -r1.25 ssl_sess.c
> --- ssl/ssl_sess.c 21 Apr 2014 16:34:43 -0000 1.25
> +++ ssl/ssl_sess.c 22 Apr 2014 03:19:59 -0000
> @@ -136,6 +136,8 @@
> */
>
> #include <stdio.h>
> +#include <stdlib.h>
> +
> #include <openssl/lhash.h>
> #include <openssl/rand.h>
> #ifndef OPENSSL_NO_ENGINE
> @@ -258,11 +260,10 @@ def_generate_session_id(const SSL *ssl,
> unsigned int *id_len)
> {
> unsigned int retry = 0;
> - do
> - if (RAND_pseudo_bytes(id, *id_len) <= 0)
> - return 0;
> - while (SSL_has_matching_session_id(ssl, id, *id_len) &&
> - (++retry < MAX_SESS_ID_ATTEMPTS));
> + do {
> + arc4random_buf(id, *id_len);
> + } while (SSL_has_matching_session_id(ssl, id, *id_len) &&
> + (++retry < MAX_SESS_ID_ATTEMPTS));
> if (retry < MAX_SESS_ID_ATTEMPTS)
> return 1;
> /* else - woops a session_id match */
> Index: ssl/t1_enc.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/t1_enc.c,v
> retrieving revision 1.26
> diff -u -p -r1.26 t1_enc.c
> --- ssl/t1_enc.c 21 Apr 2014 16:34:43 -0000 1.26
> +++ ssl/t1_enc.c 22 Apr 2014 03:19:59 -0000
> @@ -136,6 +136,8 @@
> */
>
> #include <stdio.h>
> +#include <stdlib.h>
> +
> #include "ssl_locl.h"
> #ifndef OPENSSL_NO_COMP
> #include <openssl/comp.h>
> @@ -692,8 +694,8 @@ tls1_enc(SSL *s, int send)
> fprintf(stderr,
> "%s:%d: rec->data !=
> rec->input\n",
> __FILE__, __LINE__);
> - else if (RAND_bytes(rec->input, ivlen) <= 0)
> - return -1;
> + else
> + arc4random_buf(rec->input, ivlen);
> }
> }
> } else {
> Index: ssl/tls_srp.c
> ===================================================================
> RCS file: /cvs/src/lib/libssl/src/ssl/tls_srp.c,v
> retrieving revision 1.7
> diff -u -p -r1.7 tls_srp.c
> --- ssl/tls_srp.c 19 Apr 2014 17:05:00 -0000 1.7
> +++ ssl/tls_srp.c 22 Apr 2014 03:19:59 -0000
> @@ -56,6 +56,9 @@
> * Hudson (t...@cryptsoft.com).
> *
> */
> +
> +#include <stdlib.h>
> +
> #include "ssl_locl.h"
> #ifndef OPENSSL_NO_SRP
>
> @@ -244,8 +247,7 @@ SSL_srp_server_param_with_username(SSL *
> (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
> return SSL3_AL_FATAL;
>
> - if (RAND_bytes(b, sizeof(b)) <= 0)
> - return SSL3_AL_FATAL;
> + arc4random_buf(b, sizeof(b));
> s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
> OPENSSL_cleanse(b, sizeof(b));
>
> @@ -415,7 +417,7 @@ SRP_Calc_A_param(SSL *s)
> !SRP_check_known_gN_param(s->srp_ctx.g, s->srp_ctx.N))
> return -1;
>
> - RAND_bytes(rnd, sizeof(rnd));
> + arc4random_buf(rnd, sizeof(rnd));
> s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
> OPENSSL_cleanse(rnd, sizeof(rnd));
>
>
