From 266483d2f56b0764849797f31866bfd84f9c3aa8 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Thu, 26 Feb 2015 11:57:37 +0000
Subject: RAND_bytes updates
Ensure RAND_bytes return value is checked correctly, and that we no longer use RAND_pseudo_bytes.
Reviewed-by: Richard Levitte
---
 crypto/cms/cms_enc.c | 2 +-
 crypto/cms/cms_ess.c | 3 +--
 crypto/cms/cms_pwri.c | 7 ++++---
 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'crypto/cms')
diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index 85ae928a49..ffa85fc0dd 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -119,7 +119,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
 /* Generate a random IV if we need one */
 ivlen = EVP_CIPHER_CTX_iv_length(ctx);
 if (ivlen > 0) {
- if (RAND_pseudo_bytes(iv, ivlen) <= 0)
+ if (RAND_bytes(iv, ivlen) <= 0)
 goto err;
 piv = iv;
 }
diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c
index 8631a2eb2b..8212560628 100644
--- a/crypto/cms/cms_ess.c
+++ b/crypto/cms/cms_ess.c
@@ -107,8 +107,7 @@ CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen,
 else {
 if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32))
 goto merr;
- if (RAND_pseudo_bytes(rr->signedContentIdentifier->data, 32)
- <= 0)
+ if (RAND_bytes(rr->signedContentIdentifier->data, 32) <= 0)
 goto err;
 }
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index dd5f636145..83a65d2f59 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -131,7 +131,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
 ivlen = EVP_CIPHER_CTX_iv_length(&ctx);
 if (ivlen > 0) {
- if (RAND_pseudo_bytes(iv, ivlen) <= 0)
+ if (RAND_bytes(iv, ivlen) <= 0)
 goto err;
 if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) {
 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB);
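Review bot: The `goto err` taken when `RAND_bytes(iv, ivlen) <= 0` in cms_EncryptedContent_init_bio records no CMS-level error, so a caller that sees the failure has only whatever the RAND layer may have queued to tell an RNG failure from any other. The cms_pwri.c hunk shows the convention on the very next failure, `CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB);`, which suggests the `err` labels do not raise an error themselves; they lie outside the hunks, so this is inferred. I would add a `CMSerr(...)` with the function's own code and a reason that identifies the RNG failure before each of the three `goto err` lines, here and in the CMS_ReceiptRequest_create0 and CMS_add0_recipient_password hunks. A short comment such as `/* IV must be unpredictable: fail rather than continue with weak randomness */` would also record why the failure is fatal.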
@@ -299,8 +299,9 @@ static int kek_wrap_key(unsigned char *out, size_t *outlen,
 out[3] = in[2] ^ 0xFF;
 memcpy(out + 4, in, inlen);
 /* Add random padding to end */
- if (olen > inlen + 4)
- RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen);
+ if (olen > inlen + 4
+ && RAND_bytes(out + 4 + inlen, olen - 4 - inlen) <= 0)
+ return 0;
 /* Encrypt twice */
 if (!EVP_EncryptUpdate(ctx, out, &dummy, out, olen)
 || !EVP_EncryptUpdate(ctx, out, &dummy, out, olen))
-- cgit v1.2.3
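Review bot: The new `return 0` on RAND_bytes failure in kek_wrap_key leaves `out` holding the unencrypted key bytes that `memcpy(out + 4, in, inlen)` copied a few lines earlier, because the two `EVP_EncryptUpdate` passes have not run yet. Whether the caller wipes that buffer on failure is not visible here, so the function should clear it itself: brace the body and put `OPENSSL_cleanse(out, olen);` before `return 0;`. The same consideration presumably applies to the failure branch of the `EVP_EncryptUpdate` check that follows, whose body is outside the hunk. kek_wrap_key starts and ends outside this hunk.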