author | Pauli <pauli@openssl.org> | 2021-05-28 14:45:57 +1000 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2021-05-29 17:17:12 +1000 |
commit | 0f8815aace625f869a42cfc5c254c08d5a668077 (patch) | |
tree | 3bbf7b2aaec23023be2232920f5b0011744e4126 /ssl | |
parent | 23e97567be012ff1b5082bf149810c72816c29bd (diff) |
ssl: add zero strenght arguments to BN and RAND RNG calls
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15513)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/record/ssl3_record.c | 2 | ||||
-rw-r--r-- | ssl/record/tls_pad.c | 2 | ||||
-rw-r--r-- | ssl/s3_lib.c | 4 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 8 | ||||
-rw-r--r-- | ssl/ssl_sess.c | 2 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 8 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 6 | ||||
-rw-r--r-- | ssl/tls_srp.c | 4 |
8 files changed, 18 insertions, 18 deletions
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index ec7d448d39..8788d49e4c 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -997,7 +997,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } else if (RAND_bytes_ex(s->ctx->libctx, recs[ctr].input, - ivlen) <= 0) { + ivlen, 0) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } diff --git a/ssl/record/tls_pad.c b/ssl/record/tls_pad.c index 8383ce8d1c..54ff9cdf36 100644 --- a/ssl/record/tls_pad.c +++ b/ssl/record/tls_pad.c @@ -253,7 +253,7 @@ static int ssl3_cbc_copy_mac(size_t *reclen, } /* Create the random MAC we will emit if padding is bad */ - if (!RAND_bytes_ex(libctx, randmac, mac_size)) + if (!RAND_bytes_ex(libctx, randmac, mac_size, 0)) return 0; if (!ossl_assert(mac != NULL && alloced != NULL)) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 7839a4d318..348d02d8bd 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4552,9 +4552,9 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len, unsigned char *p = result; l2n(Time, p); - ret = RAND_bytes_ex(s->ctx->libctx, p, len - 4); + ret = RAND_bytes_ex(s->ctx->libctx, p, len - 4, 0); } else { - ret = RAND_bytes_ex(s->ctx->libctx, result, len); + ret = RAND_bytes_ex(s->ctx->libctx, result, len, 0); } if (ret > 0) { diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index f35eaf07c5..af95f2e056 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
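Review bot: In ssl/record/tls_pad.c, ssl3_cbc_copy_mac tests the RNG result with `!RAND_bytes_ex(...)`, while every other call site in this commit compares with `<= 0`. RAND_bytes_ex is documented to return -1 when the active RAND method does not support the operation, and -1 passes the `!` test, so `randmac` would be used without having been filled. That buffer is the substitute MAC emitted when padding is bad, so I would change the line to `if (RAND_bytes_ex(libctx, randmac, mac_size, 0) <= 0)`. The function body starts and ends outside the hunk.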
@@ -3284,15 +3284,15 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, /* Setup RFC5077 ticket keys */ if ((RAND_bytes_ex(libctx, ret->ext.tick_key_name, - sizeof(ret->ext.tick_key_name)) <= 0) + sizeof(ret->ext.tick_key_name), 0) <= 0) || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_hmac_key, - sizeof(ret->ext.secure->tick_hmac_key)) <= 0) + sizeof(ret->ext.secure->tick_hmac_key), 0) <= 0) || (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_aes_key, - sizeof(ret->ext.secure->tick_aes_key)) <= 0)) + sizeof(ret->ext.secure->tick_aes_key), 0) <= 0)) ret->options |= SSL_OP_NO_TICKET; if (RAND_priv_bytes_ex(libctx, ret->ext.cookie_hmac_key, - sizeof(ret->ext.cookie_hmac_key)) <= 0) + sizeof(ret->ext.cookie_hmac_key), 0) <= 0) goto err; #ifndef OPENSSL_NO_SRP diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 88bdd14dc8..3409795628 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -264,7 +264,7 @@ static int def_generate_session_id(SSL *ssl, unsigned char *id, { unsigned int retry = 0; do - if (RAND_bytes_ex(ssl->ctx->libctx, id, *id_len) <= 0) + if (RAND_bytes_ex(ssl->ctx->libctx, id, *id_len, 0) <= 0) return 0; while (SSL_has_matching_session_id(ssl, id, *id_len) && (++retry < MAX_SESS_ID_ATTEMPTS)) ; diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index ad1d0e7e05..c10a1e46b2 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1191,7 +1191,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) session_id = s->tmp_session_id; if (s->hello_retry_request == SSL_HRR_NONE && RAND_bytes_ex(s->ctx->libctx, s->tmp_session_id, - sess_id_len) <= 0) { + sess_id_len, 0) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } 
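Review bot: In ssl/ssl_lib.c, SSL_CTX_new_ex now passes a literal `0` strength when generating the ticket HMAC and AES keys and the cookie HMAC key, and nothing at the call sites says what 0 means. As I understand the new parameter, it is the minimum security strength in bits requested from the generator, with 0 asking for no particular minimum; please confirm against the RAND_bytes_ex documentation. A short comment above the block such as `/* strength 0: accept the DRBG's configured strength */` would record the intent. If a floor is wanted for long-lived secrets, it should be passed explicitly here. The same question applies to the SRP private values in the two ssl/tls_srp.c hunks and to the premaster secret in tls_construct_cke_rsa.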
@@ -2853,7 +2853,7 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt) pms[0] = s->client_version >> 8; pms[1] = s->client_version & 0xff; /* TODO(size_t): Convert this function */ - if (RAND_bytes_ex(s->ctx->libctx, pms + 2, (int)(pmslen - 2)) <= 0) { + if (RAND_bytes_ex(s->ctx->libctx, pms + 2, (int)(pmslen - 2), 0) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); goto err; } @@ -3060,7 +3060,7 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) /* Generate session key * TODO(size_t): Convert this function */ - || RAND_bytes_ex(s->ctx->libctx, pms, (int)pmslen) <= 0) { + || RAND_bytes_ex(s->ctx->libctx, pms, (int)pmslen, 0) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; }; @@ -3185,7 +3185,7 @@ static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt) goto err; } - if (RAND_bytes_ex(s->ctx->libctx, pms, (int)pmslen) <= 0) { + if (RAND_bytes_ex(s->ctx->libctx, pms, (int)pmslen, 0) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 56d4b4591a..bf4a486a8d 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2738,7 +2738,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) return 0; } if (RAND_bytes_ex(s->ctx->libctx, s->pha_context, - s->pha_context_len) <= 0 + s->pha_context_len, 0) <= 0 || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -3778,7 +3778,7 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, } iv_len = EVP_CIPHER_iv_length(cipher); - if (RAND_bytes_ex(s->ctx->libctx, iv, iv_len) <= 0 + if (RAND_bytes_ex(s->ctx->libctx, iv, iv_len, 0) <= 0 || !EVP_EncryptInit_ex(ctx, cipher, NULL, tctx->ext.secure->tick_aes_key, iv) || !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, 
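Review bot: In ssl/statem/statem_clnt.c, tls_construct_cke_rsa reports a failed random draw as `ERR_R_MALLOC_FAILURE`, whereas the other call sites touched by this commit report `ERR_R_INTERNAL_ERROR`. An RNG failure while building the premaster secret is not an allocation failure, and the error queue entry will mislead whoever triages it; I would change it to `SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);`. The `(int)(pmslen - 2)` cast here, and `(int)pmslen` in the two GOST hunks that follow, can probably be dropped if the length parameter is `size_t` after this change; the prototype is not visible in this diff, so verify before removing them. The function continues outside the hunk.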
@@ -3905,7 +3905,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) goto err; } if (RAND_bytes_ex(s->ctx->libctx, age_add_u.age_add_c, - sizeof(age_add_u)) <= 0) { + sizeof(age_add_u), 0) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c index 430cd7dae8..0ce3290dc4 100644 --- a/ssl/tls_srp.c +++ b/ssl/tls_srp.c @@ -203,7 +203,7 @@ int ssl_srp_server_param_with_username_intern(SSL *s, int *ad) (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL)) return SSL3_AL_FATAL; - if (RAND_priv_bytes_ex(s->ctx->libctx, b, sizeof(b)) <= 0) + if (RAND_priv_bytes_ex(s->ctx->libctx, b, sizeof(b), 0) <= 0) return SSL3_AL_FATAL; s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL); OPENSSL_cleanse(b, sizeof(b)); @@ -420,7 +420,7 @@ int ssl_srp_calc_a_param_intern(SSL *s) { unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; - if (RAND_priv_bytes_ex(s->ctx->libctx, rnd, sizeof(rnd)) <= 0) + if (RAND_priv_bytes_ex(s->ctx->libctx, rnd, sizeof(rnd), 0) <= 0) return 0; s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); OPENSSL_cleanse(rnd, sizeof(rnd)); |
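Review bot: In ssl/statem/statem_srvr.c, tls_construct_new_session_ticket writes into `age_add_u.age_add_c` but sizes the request with `sizeof(age_add_u)`. That is only correct while the enclosing object (presumably a union; its declaration is outside the hunk) is exactly as large as that member. Tying the length to the buffer actually written, `sizeof(age_add_u.age_add_c)`, keeps the call in bounds if the declaration ever changes.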