-rw-r--r-- | lib/libssl/d1_both.c | 3 | ||||
-rw-r--r-- | lib/libssl/d1_clnt.c | 8 | ||||
-rw-r--r-- | lib/libssl/d1_enc.c | 7 | ||||
-rw-r--r-- | lib/libssl/d1_pkt.c | 5 | ||||
-rw-r--r-- | lib/libssl/d1_srvr.c | 8 | ||||
-rw-r--r-- | lib/libssl/s23_clnt.c | 6 | ||||
-rw-r--r-- | lib/libssl/s23_srvr.c | 3 | ||||
-rw-r--r-- | lib/libssl/s3_both.c | 3 | ||||
-rw-r--r-- | lib/libssl/s3_clnt.c | 11 | ||||
-rw-r--r-- | lib/libssl/s3_pkt.c | 3 | ||||
-rw-r--r-- | lib/libssl/s3_srvr.c | 13 | ||||
-rw-r--r-- | lib/libssl/ssl_lib.c | 11 | ||||
-rw-r--r-- | lib/libssl/ssl_sess.c | 6 | ||||
-rw-r--r-- | lib/libssl/t1_clnt.c | 3 | ||||
-rw-r--r-- | lib/libssl/t1_enc.c | 7 | ||||
-rw-r--r-- | lib/libssl/t1_lib.c | 3 | ||||
-rw-r--r-- | lib/libssl/t1_srvr.c | 3 |
17 files changed, 38 insertions, 65 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index 1eda4aef726..10659a51366 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.28 2014/08/08 05:06:56 guenther Exp $ */
+/* $OpenBSD: d1_both.c,v 1.29 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -118,7 +118,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c
index 0cc4016d114..4b71f01a6ca 100644
--- a/lib/libssl/d1_clnt.c
+++ b/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.35 2014/09/07 12:16:23 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.36 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -116,7 +116,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -779,7 +778,7 @@ dtls1_client_hello(SSL *s)
 for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++) ;
 if (i == sizeof(s->s3->client_random))
- RAND_pseudo_bytes(p, sizeof(s->s3->client_random));
+ arc4random_buf(p, sizeof(s->s3->client_random));
 /* Do the message type and length last */
 d = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
@@ -954,8 +953,7 @@ dtls1_send_client_key_exchange(SSL *s)
 tmp_buf[0] = s->client_version >> 8;
 tmp_buf[1] = s->client_version&0xff;
- if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
- goto err;
+ arc4random_buf(&tmp_buf[2], sizeof(tmp_buf) - 2);
 s->session->master_key_length = sizeof tmp_buf;
diff --git a/lib/libssl/d1_enc.c b/lib/libssl/d1_enc.c
index fe8df15a94b..32fcd333f61 100644
--- a/lib/libssl/d1_enc.c
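Review bot: The all-zero scan just above the changed line in dtls1_client_hello, `for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)`, tests `p[i]` before the bound, so when every byte is zero it reads one byte past the array before the loop stops. Swapping the operands fixes it: `for (i = 0; i < sizeof(s->s3->client_random) && p[i] == '\0'; i++)`. This assumes `p` points at `s->s3->client_random`, which is set outside the hunk; the function body also starts and ends outside it.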
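Review bot: The new `arc4random_buf(&tmp_buf[2], sizeof(tmp_buf) - 2);` in dtls1_send_client_key_exchange arrives while this file's `#include <openssl/rand.h>` is removed and no `#include <stdlib.h>` is added in any visible hunk. If "ssl_locl.h" does not already pull in `<stdlib.h>` (not visible here), the call is implicitly declared, so it is worth confirming with a `-Wimplicit-function-declaration` build or adding the include explicitly. The same applies to the other files that now call arc4random_buf(): d1_enc.c, d1_pkt.c, d1_srvr.c, s23_clnt.c, s3_clnt.c, s3_srvr.c, ssl_lib.c, ssl_sess.c and t1_enc.c.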
+++ b/lib/libssl/d1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.6 2014/07/10 08:51:14 tedu Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.7 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -118,7 +118,6 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
-#include <openssl/rand.h>
 /* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
 *
@@ -154,8 +153,8 @@ dtls1_enc(SSL *s, int send)
 fprintf(stderr, "%s:%d: rec->data != rec->input\n", __FILE__, __LINE__);
 else if (EVP_CIPHER_block_size(ds->cipher) > 1) {
- if (RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher)) <= 0)
- return -1;
+ arc4random_buf(rec->input,
+ EVP_CIPHER_block_size(ds->cipher));
 }
 }
 } else {
diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c
index 7b0d67bf151..6f3ee262175 100644
--- a/lib/libssl/d1_pkt.c
+++ b/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_pkt.c,v 1.34 2014/08/07 20:02:23 miod Exp $ */
+/* $OpenBSD: d1_pkt.c,v 1.35 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -119,7 +119,6 @@
 #include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include "pqueue.h"
@@ -1380,7 +1379,7 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 /* ssl3_enc can only have an error on read */
 if (bs) /* bs != 0 in case of CBC */ {
- RAND_pseudo_bytes(p, bs);
+ arc4random_buf(p, bs);
 /* master IV and last CBC residue stand for
 * the rest of randomness */
 wr->length += bs;
diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c
index 68441fa63a4..a85715753ca 100644
--- a/lib/libssl/d1_srvr.c
+++ b/lib/libssl/d1_srvr.c
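Review bot: In dtls1_enc the arm that prints "rec->data != rec->input" only writes to stderr and then falls through, so on that path the record's IV bytes are never filled and processing appears to continue (the enclosing `if` is outside the hunk, so the condition is read from the message text). With `return -1` gone from the `else` arm there is no failure exit left in this block. Failing closed would be safer, e.g. replacing the `fprintf` with `return -1;`. tls1_enc in t1_enc.c has the same shape.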
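Review bot: The comment that follows `arc4random_buf(p, bs);` in do_dtls1_write, "master IV and last CBC residue stand for the rest of randomness", justified the old RAND_pseudo_bytes() call and no longer describes the code. Since `bs` is nonzero only for CBC per the comment on the `if`, `p` looks like the per-record IV slot, so something like `/* per-record CBC IV, filled from the CSPRNG */` would be accurate. The function body continues outside the hunk.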
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.39 2014/09/27 11:03:43 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.40 2014/10/18 16:13:16 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -116,7 +116,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
@@ -902,8 +901,7 @@ dtls1_send_server_hello(SSL *s)
 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
 buf = (unsigned char *)s->init_buf->data;
- p = s->s3->server_random;
- RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
+ arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
 /* Do the message type and length last */
 d = p= &(buf[DTLS1_HM_HEADER_LENGTH]);
@@ -1513,7 +1511,7 @@ dtls1_send_newsession_ticket(SSL *s)
 return -1;
 }
 } else {
- RAND_pseudo_bytes(iv, 16);
+ arc4random_buf(iv, 16);
 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, iv);
 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
diff --git a/lib/libssl/s23_clnt.c b/lib/libssl/s23_clnt.c
index 81683e59490..7967344e2ae 100644
--- a/lib/libssl/s23_clnt.c
+++ b/lib/libssl/s23_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_clnt.c,v 1.32 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: s23_clnt.c,v 1.33 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,7 +112,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
@@ -317,8 +316,7 @@ ssl23_client_hello(SSL *s)
 buf = (unsigned char *)s->init_buf->data;
 if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
- p = s->s3->client_random;
- RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
+ arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 if (version == TLS1_2_VERSION) {
 version_major = TLS1_2_VERSION_MAJOR;
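Review bot: `arc4random_buf(iv, 16);` in dtls1_send_newsession_ticket hard-codes the IV length, and the same literal is reused as the HMAC key length two lines later. Tying the length to the cipher, e.g. `arc4random_buf(iv, EVP_CIPHER_iv_length(EVP_aes_128_cbc()));`, or to a named constant shared with the ticket key sizes, keeps the fill correct if either changes; the declaration of `iv` is outside the hunk. ssl3_send_newsession_ticket in s3_srvr.c repeats the literal, as do the three 16-byte fills in SSL_CTX_new in ssl_lib.c, where `sizeof(ret->tlsext_tick_key_name)` and friends would work if those members are arrays.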
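Review bot: ssl23_client_hello no longer assigns `p` in this branch, and the next assignment to `p` is not visible in the hunk. In dtls1_send_server_hello and ssl3_client_hello the following context shows `d = p = ...`, so the dropped assignment is clearly dead there, but here that has to be taken on trust. Please confirm that nothing later in the function reads `p` before it is set again; the body continues outside the hunk.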
diff --git a/lib/libssl/s23_srvr.c b/lib/libssl/s23_srvr.c
index 4733fc40a58..a278fe923be 100644
--- a/lib/libssl/s23_srvr.c
+++ b/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.34 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.35 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,7 +112,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
diff --git a/lib/libssl/s3_both.c b/lib/libssl/s3_both.c
index 6d108c295bb..cd0a4b8013a 100644
--- a/lib/libssl/s3_both.c
+++ b/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.30 2014/09/22 13:18:50 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.31 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -119,7 +119,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index 9aa599a1c6c..179e9400d4f 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.91 2014/09/27 11:01:05 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.92 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -151,7 +151,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -657,8 +656,7 @@ ssl3_client_hello(SSL *s)
 }
 /* else use the pre-loaded session */
- p = s->s3->client_random;
- RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
+ arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 /* Do the message type and length last */
 d = p = &buf[4];
@@ -1990,8 +1988,7 @@ ssl3_send_client_key_exchange(SSL *s)
 tmp_buf[0] = s->client_version >> 8;
 tmp_buf[1] = s->client_version & 0xff;
- if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
- goto err;
+ arc4random_buf(&tmp_buf[2], sizeof(tmp_buf) - 2);
 s->session->master_key_length = sizeof tmp_buf;
@@ -2303,7 +2300,7 @@ ssl3_send_client_key_exchange(SSL *s)
 EVP_PKEY_encrypt_init(pkey_ctx);
 /* Generate session key. */
- RAND_bytes(premaster_secret, 32);
+ arc4random_buf(premaster_secret, 32);
 /*
 * If we have client certificate, use its secret
 * as peer key.
diff --git a/lib/libssl/s3_pkt.c b/lib/libssl/s3_pkt.c
index cbd35ff7e3e..62fc6fbce24 100644
--- a/lib/libssl/s3_pkt.c
+++ b/lib/libssl/s3_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_pkt.c,v 1.50 2014/07/12 13:11:53 jsing Exp $ */
+/* $OpenBSD: s3_pkt.c,v 1.51 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -114,7 +114,6 @@
 #include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment);
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index c4a8442a3e0..719b4c56c1d 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.86 2014/10/03 13:58:18 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -154,7 +154,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
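Review bot: `arc4random_buf(premaster_secret, 32);` in the second ssl3_send_client_key_exchange hunk hard-codes the secret length. If `premaster_secret` is a local array (its declaration is outside the hunk), `arc4random_buf(premaster_secret, sizeof(premaster_secret));` keeps the fill in step with the buffer. Neither this hunk nor the `tmp_buf` one above shows the secret being wiped after use, so it is worth checking that every exit path, including the `err` label the removed line jumped to, clears both buffers, for example with OPENSSL_cleanse().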
@@ -1106,11 +1105,7 @@ ssl3_get_client_hello(SSL *s)
 * server_random before calling tls_session_secret_cb in order to allow
 * SessionTicket processing to use it in key derivation.
 */
- {
- unsigned char *pos;
- pos = s->s3->server_random;
- RAND_pseudo_bytes(pos, SSL3_RANDOM_SIZE);
- }
+ arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
 if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
 SSL_CIPHER *pref_cipher = NULL;
@@ -1961,7 +1956,7 @@ ssl3_get_client_key_exchange(SSL *s)
 i = SSL_MAX_MASTER_KEY_LENGTH;
 p[0] = s->client_version >> 8;
 p[1] = s->client_version & 0xff;
- RAND_bytes(p+2, i-2);
+ arc4random_buf(p + 2, i - 2);
 }
 s->session->master_key_length =
@@ -2774,7 +2769,7 @@ ssl3_send_newsession_ticket(SSL *s)
 return (-1);
 }
 } else {
- RAND_pseudo_bytes(iv, 16);
+ arc4random_buf(iv, 16);
 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, iv);
 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index d3108f2663d..3fa8f5039f8 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.86 2014/10/15 17:39:34 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.87 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -145,7 +145,6 @@
 #include <openssl/objects.h>
 #include <openssl/lhash.h>
 #include <openssl/x509v3.h>
-#include <openssl/rand.h>
 #include <openssl/ocsp.h>
 #include <openssl/dh.h>
 #ifndef OPENSSL_NO_ENGINE
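Review bot: In ssl3_get_client_key_exchange the substitute premaster secret is generated only inside what appears to be the decrypt-failure branch (its condition is outside the hunk), so the rejected path does work that the accepted path does not. That is the kind of observable difference padding-oracle countermeasures try to remove; consider filling a scratch buffer with arc4random_buf() unconditionally before the decrypt and selecting it on failure, so both paths make the same calls. Separately, `i - 2` converts an int to size_t, which is safe only because `i` is assigned three lines earlier; a short comment such as `/* i == SSL_MAX_MASTER_KEY_LENGTH here, so i - 2 is positive */` would record that.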
@@ -1786,11 +1785,11 @@ SSL_CTX_new(const SSL_METHOD *meth)
 ret->tlsext_servername_callback = 0;
 ret->tlsext_servername_arg = NULL;
+ /* Setup RFC4507 ticket keys */
- if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0)
- || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0)
- || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0))
- ret->options |= SSL_OP_NO_TICKET;
+ arc4random_buf(ret->tlsext_tick_key_name, 16);
+ arc4random_buf(ret->tlsext_tick_hmac_key, 16);
+ arc4random_buf(ret->tlsext_tick_aes_key, 16);
 ret->tlsext_status_cb = 0;
 ret->tlsext_status_arg = NULL;
diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index 3ffd7078a52..d76fb8b9c85 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.41 2014/09/22 14:26:22 jsing Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.42 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -136,7 +136,6 @@
 */
 #include <openssl/lhash.h>
-#include <openssl/rand.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -258,8 +257,7 @@ def_generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len)
 unsigned int retry = 0;
 do {
- if (RAND_pseudo_bytes(id, *id_len) <= 0)
- return 0;
+ arc4random_buf(id, *id_len);
 } while (SSL_has_matching_session_id(ssl, id, *id_len) && (++retry < MAX_SESS_ID_ATTEMPTS));
diff --git a/lib/libssl/t1_clnt.c b/lib/libssl/t1_clnt.c
index 3781063eb66..cb5f26a07c8 100644
--- a/lib/libssl/t1_clnt.c
+++ b/lib/libssl/t1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_clnt.c,v 1.14 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: t1_clnt.c,v 1.15 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index a62d7a939c8..ea5df0bf632 100644
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.70 2014/10/18 03:04:28 doug Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.71 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -140,7 +140,6 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
-#include <openssl/rand.h>
 /* seed1 through seed5 are virtually concatenated */
 static int
@@ -810,8 +809,8 @@ tls1_enc(SSL *s, int send)
 fprintf(stderr, "%s:%d: rec->data != rec->input\n", __FILE__, __LINE__);
- else if (RAND_bytes(rec->input, ivlen) <= 0)
- return -1;
+ else
+ arc4random_buf(rec->input, ivlen);
 }
 }
 } else {
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 22e84fe1223..604187f2feb 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.64 2014/10/15 14:02:16 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.65 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -115,7 +115,6 @@
 #include <openssl/hmac.h>
 #include <openssl/objects.h>
 #include <openssl/ocsp.h>
-#include <openssl/rand.h>
 #include "ssl_locl.h"
diff --git a/lib/libssl/t1_srvr.c b/lib/libssl/t1_srvr.c
index 99712b6fb69..ba579dd110a 100644
--- a/lib/libssl/t1_srvr.c
+++ b/lib/libssl/t1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_srvr.c,v 1.14 2014/08/10 14:42:56 jsing Exp $ */
+/* $OpenBSD: t1_srvr.c,v 1.15 2014/10/18 16:13:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
 #include <openssl/buffer.h>
-#include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
|