authorJoel Sing <jsing@cvs.openbsd.org>2014-10-22 13:54:04 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-10-22 13:54:04 +0000
commitc38c395aed42f76a24fd0d13a380531369e63ac6 (patch)
tree6cf2ab4c9612170895636525533c724b4c73463c /usr.bin
parent31102cadd2fec7f895991a93c6b34a1059e0fbae (diff)
Use arc4random_buf() instead of RAND(_pseudo)?_bytes().
ok bcook@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/openssl/enc.c8
-rw-r--r--usr.bin/openssl/openssl.c4
-rw-r--r--usr.bin/openssl/passwd.c9
-rw-r--r--usr.bin/openssl/rand.c7
-rw-r--r--usr.bin/openssl/s_cb.c9
-rw-r--r--usr.bin/openssl/s_server.c5
-rw-r--r--usr.bin/openssl/speed.c7
-rw-r--r--usr.bin/openssl/ts.c6
8 files changed, 19 insertions, 36 deletions
diff --git a/usr.bin/openssl/enc.c b/usr.bin/openssl/enc.c
index 1a3b8f21b33..b5aaab9842d 100644
--- a/usr.bin/openssl/enc.c
+++ b/usr.bin/openssl/enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: enc.c,v 1.2 2014/09/01 20:54:37 doug Exp $ */
+/* $OpenBSD: enc.c,v 1.3 2014/10/22 13:54:03 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -69,7 +69,6 @@
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/pem.h>
-#include <openssl/rand.h>
#include <openssl/x509.h>
int set_hex(char *in, unsigned char *out, int size);
@@ -461,8 +460,9 @@ enc_main(int argc, char **argv)
"invalid hex salt value\n");
goto end;
}
- } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
- goto end;
+ } else
+ arc4random_buf(salt,
+ sizeof(salt));
/*
* If -P option then don't bother
* writing
diff --git a/usr.bin/openssl/openssl.c b/usr.bin/openssl/openssl.c
index bcb9b56b744..76e1644f592 100644
--- a/usr.bin/openssl/openssl.c
+++ b/usr.bin/openssl/openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: openssl.c,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
+/* $OpenBSD: openssl.c,v 1.2 2014/10/22 13:54:03 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -123,7 +123,6 @@
#include <openssl/err.h>
#include <openssl/lhash.h>
#include <openssl/pem.h>
-#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
@@ -233,7 +232,6 @@ openssl_shutdown(void)
CRYPTO_cleanup_all_ex_data();
ERR_remove_thread_state(NULL);
- RAND_cleanup();
ERR_free_strings();
}
diff --git a/usr.bin/openssl/passwd.c b/usr.bin/openssl/passwd.c
index fd5d062f57d..c29cccf6cf8 100644
--- a/usr.bin/openssl/passwd.c
+++ b/usr.bin/openssl/passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: passwd.c,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
+/* $OpenBSD: passwd.c,v 1.2 2014/10/22 13:54:03 jsing Exp $ */
#if defined OPENSSL_NO_MD5
#define NO_MD5CRYPT_1
@@ -14,7 +14,6 @@
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/evp.h>
-#include <openssl/rand.h>
#ifndef OPENSSL_NO_DES
#include <openssl/des.h>
@@ -384,8 +383,7 @@ do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
if (*salt_malloc_p == NULL)
goto err;
}
- if (RAND_pseudo_bytes((unsigned char *) *salt_p, 2) < 0)
- goto err;
+ arc4random_buf(*salt_p, 2);
(*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
(*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
(*salt_p)[2] = 0;
@@ -401,8 +399,7 @@ do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
if (*salt_malloc_p == NULL)
goto err;
}
- if (RAND_pseudo_bytes((unsigned char *) *salt_p, 8) < 0)
- goto err;
+ arc4random_buf(*salt_p, 8);
for (i = 0; i < 8; i++)
(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
diff --git a/usr.bin/openssl/rand.c b/usr.bin/openssl/rand.c
index dcc99e73921..6de2208b425 100644
--- a/usr.bin/openssl/rand.c
+++ b/usr.bin/openssl/rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rand.c,v 1.4 2014/10/13 02:46:14 bcook Exp $ */
+/* $OpenBSD: rand.c,v 1.5 2014/10/22 13:54:03 jsing Exp $ */
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
@@ -61,7 +61,6 @@
#include <openssl/bio.h>
#include <openssl/err.h>
-#include <openssl/rand.h>
struct {
int base64;
@@ -171,9 +170,7 @@ rand_main(int argc, char **argv)
chunk = num;
if (chunk > (int) sizeof(buf))
chunk = sizeof(buf);
- r = RAND_bytes(buf, chunk);
- if (r <= 0)
- goto err;
+ arc4random_buf(buf, chunk);
if (rand_config.hex) {
for (i = 0; i < chunk; i++)
BIO_printf(out, "%02x", buf[i]);
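Review bot: `arc4random_buf()` takes a `size_t` length, so the signed `chunk` in `arc4random_buf(buf, chunk);` is now converted to unsigned, and the visible clamp `if (chunk > (int) sizeof(buf))` bounds it only from above. `RAND_bytes()` took an `int`, so a non-positive value was never reinterpreted as a very large count; whether `num` can arrive here as zero or negative depends on the loop condition in `rand_main`, which is outside the hunk. A lower-bound check on `chunk` before the call would keep the invariant next to the write into `buf`. The `create_nonce` hunk in ts.c has the same shape, with `len` compared only against `sizeof(buf)`; there the guard could read `if (len <= 0 || len > (int) sizeof(buf)) goto err;`. Separately, the diffstat count for rand.c is fully accounted for by the visible lines, so the declaration of `r` is untouched and may now be unused.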
diff --git a/usr.bin/openssl/s_cb.c b/usr.bin/openssl/s_cb.c
index 2e00abe7f15..f7d8a323a61 100644
--- a/usr.bin/openssl/s_cb.c
+++ b/usr.bin/openssl/s_cb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_cb.c,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
+/* $OpenBSD: s_cb.c,v 1.2 2014/10/22 13:54:03 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -121,7 +121,6 @@
#include "apps.h"
#include <openssl/err.h>
-#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
@@ -728,11 +727,7 @@ generate_cookie_callback(SSL * ssl, unsigned char *cookie,
/* Initialize a random secret */
if (!cookie_initialized) {
- if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) {
- BIO_printf(bio_err,
- "error setting random cookie secret\n");
- return 0;
- }
+ arc4random_buf(cookie_secret, COOKIE_SECRET_LENGTH);
cookie_initialized = 1;
}
/* Read peer information */
diff --git a/usr.bin/openssl/s_server.c b/usr.bin/openssl/s_server.c
index 9ca13dd3354..6f87819d1eb 100644
--- a/usr.bin/openssl/s_server.c
+++ b/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.2 2014/10/13 02:39:09 bcook Exp $ */
+/* $OpenBSD: s_server.c,v 1.3 2014/10/22 13:54:03 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -166,7 +166,6 @@
#include <openssl/lhash.h>
#include <openssl/ocsp.h>
#include <openssl/pem.h>
-#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
@@ -2130,7 +2129,7 @@ generate_session_id(const SSL * ssl, unsigned char *id,
{
unsigned int count = 0;
do {
- RAND_pseudo_bytes(id, *id_len);
+ arc4random_buf(id, *id_len);
/*
* Prefix the session_id with the required prefix. NB: If our
* prefix is too long, clip it - but there will be worse
diff --git a/usr.bin/openssl/speed.c b/usr.bin/openssl/speed.c
index 82a0f90f054..ccaef15f682 100644
--- a/usr.bin/openssl/speed.c
+++ b/usr.bin/openssl/speed.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: speed.c,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
+/* $OpenBSD: speed.c,v 1.2 2014/10/22 13:54:03 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -98,7 +98,6 @@
#include <openssl/evp.h>
#include <openssl/modes.h>
#include <openssl/objects.h>
-#include <openssl/rand.h>
#include <openssl/x509.h>
#ifndef OPENSSL_NO_AES
@@ -1471,7 +1470,7 @@ speed_main(int argc, char **argv)
print_result(D_EVP, j, count, d);
}
}
- RAND_pseudo_bytes(buf, 36);
+ arc4random_buf(buf, 36);
for (j = 0; j < RSA_NUM; j++) {
int ret;
if (!rsa_doit[j])
@@ -1543,7 +1542,7 @@ speed_main(int argc, char **argv)
}
}
- RAND_pseudo_bytes(buf, 20);
+ arc4random_buf(buf, 20);
for (j = 0; j < DSA_NUM; j++) {
unsigned int kk;
int ret;
diff --git a/usr.bin/openssl/ts.c b/usr.bin/openssl/ts.c
index c765465c452..cd7d9cc81e0 100644
--- a/usr.bin/openssl/ts.c
+++ b/usr.bin/openssl/ts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.c,v 1.2 2014/08/28 14:23:52 jsing Exp $ */
+/* $OpenBSD: ts.c,v 1.3 2014/10/22 13:54:03 jsing Exp $ */
/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
* project 2002.
*/
@@ -66,7 +66,6 @@
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/pem.h>
-#include <openssl/rand.h>
#include <openssl/ts.h>
/* Length of the nonce of the request in bits (must be a multiple of 8). */
@@ -593,8 +592,7 @@ create_nonce(int bits)
/* Generating random byte sequence. */
if (len > (int) sizeof(buf))
goto err;
- if (RAND_bytes(buf, len) <= 0)
- goto err;
+ arc4random_buf(buf, len);
/* Find the first non-zero byte and creating ASN1_INTEGER object. */
for (i = 0; i < len && !buf[i]; ++i)