ssl: add zero strenght arguments to BN and RAND RNG calls
Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15513)
parent
23e97567be
commit
0f8815aace
@ -997,7 +997,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
} else if (RAND_bytes_ex(s->ctx->libctx, recs[ctr].input,
|
||||
ivlen) <= 0) {
|
||||
ivlen, 0) <= 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
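Review bot: The bare `0` added as the last argument of `RAND_bytes_ex()` in `tls1_enc` gives a reader no hint that it is the requested security strength, and the same literal is repeated at every call this commit touches. As far as I can tell from the API, a strength of 0 requests no minimum, so the call accepts whatever strength the configured DRBG provides. That looks harmless for what appears to be an explicit IV here, but it should be a deliberate decision where the output is key material: the ticket keys in `SSL_CTX_new_ex`, the `pms` buffers in the `tls_construct_cke_*` hunks, and the SRP private values. I would add a short comment such as `/* strength 0: no minimum requested, rely on the DRBG's configured strength */` or a named constant, and follow up with real strength values for the key-generating calls. The body of `tls1_enc` extends beyond the hunk.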
@ -253,7 +253,7 @@ static int ssl3_cbc_copy_mac(size_t *reclen,
|
||||
}
|
||||
|
||||
/* Create the random MAC we will emit if padding is bad */
|
||||
if (!RAND_bytes_ex(libctx, randmac, mac_size))
|
||||
if (!RAND_bytes_ex(libctx, randmac, mac_size, 0))
|
||||
return 0;
|
||||
|
||||
if (!ossl_assert(mac != NULL && alloced != NULL))
|
||||
|
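Review bot: The random-MAC call in `ssl3_cbc_copy_mac` is checked with `!RAND_bytes_ex(...)`, which treats only a return of 0 as failure, while every other call in this commit tests `<= 0`. If the function can return a negative value on failure, as those other checks anticipate, execution continues with `randmac` not filled by the RNG, and per the comment that buffer is what gets emitted when padding is bad. Since the line is being edited anyway, I would change it to `if (RAND_bytes_ex(libctx, randmac, mac_size, 0) <= 0)`. The function starts and ends outside the hunk, so how `randmac` is otherwise initialised is not visible here.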
@ -4552,9 +4552,9 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len,
|
||||
unsigned char *p = result;
|
||||
|
||||
l2n(Time, p);
|
||||
ret = RAND_bytes_ex(s->ctx->libctx, p, len - 4);
|
||||
ret = RAND_bytes_ex(s->ctx->libctx, p, len - 4, 0);
|
||||
} else {
|
||||
ret = RAND_bytes_ex(s->ctx->libctx, result, len);
|
||||
ret = RAND_bytes_ex(s->ctx->libctx, result, len, 0);
|
||||
}
|
||||
|
||||
if (ret > 0) {
|
||||
|
@ -3284,15 +3284,15 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
|
||||
|
||||
/* Setup RFC5077 ticket keys */
|
||||
if ((RAND_bytes_ex(libctx, ret->ext.tick_key_name,
|
||||
sizeof(ret->ext.tick_key_name)) <= 0)
|
||||
sizeof(ret->ext.tick_key_name), 0) <= 0)
|
||||
|| (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_hmac_key,
|
||||
sizeof(ret->ext.secure->tick_hmac_key)) <= 0)
|
||||
sizeof(ret->ext.secure->tick_hmac_key), 0) <= 0)
|
||||
|| (RAND_priv_bytes_ex(libctx, ret->ext.secure->tick_aes_key,
|
||||
sizeof(ret->ext.secure->tick_aes_key)) <= 0))
|
||||
sizeof(ret->ext.secure->tick_aes_key), 0) <= 0))
|
||||
ret->options |= SSL_OP_NO_TICKET;
|
||||
|
||||
if (RAND_priv_bytes_ex(libctx, ret->ext.cookie_hmac_key,
|
||||
sizeof(ret->ext.cookie_hmac_key)) <= 0)
|
||||
sizeof(ret->ext.cookie_hmac_key), 0) <= 0)
|
||||
goto err;
|
||||
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
|
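Review bot: In the ticket-key setup of `SSL_CTX_new_ex`, a failure of any of the three RNG calls only sets `SSL_OP_NO_TICKET` and carries on, whereas the next call, for `cookie_hmac_key`, does `goto err`. An RNG that cannot produce ticket keys is unlikely to be healthy for anything else, so the quiet downgrade hides a condition an operator would want surfaced. If the best-effort behaviour is intended, say so in a comment, e.g. `/* RNG failure is non-fatal here: tickets are disabled, context stays usable */`; otherwise route this branch through `goto err` as well. The rest of the function is outside the hunk.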
@ -264,7 +264,7 @@ static int def_generate_session_id(SSL *ssl, unsigned char *id,
|
||||
{
|
||||
unsigned int retry = 0;
|
||||
do
|
||||
if (RAND_bytes_ex(ssl->ctx->libctx, id, *id_len) <= 0)
|
||||
if (RAND_bytes_ex(ssl->ctx->libctx, id, *id_len, 0) <= 0)
|
||||
return 0;
|
||||
while (SSL_has_matching_session_id(ssl, id, *id_len) &&
|
||||
(++retry < MAX_SESS_ID_ATTEMPTS)) ;
|
||||
|
@ -1191,7 +1191,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
|
||||
session_id = s->tmp_session_id;
|
||||
if (s->hello_retry_request == SSL_HRR_NONE
|
||||
&& RAND_bytes_ex(s->ctx->libctx, s->tmp_session_id,
|
||||
sess_id_len) <= 0) {
|
||||
sess_id_len, 0) <= 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
@ -2853,7 +2853,7 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt)
|
||||
pms[0] = s->client_version >> 8;
|
||||
pms[1] = s->client_version & 0xff;
|
||||
/* TODO(size_t): Convert this function */
|
||||
if (RAND_bytes_ex(s->ctx->libctx, pms + 2, (int)(pmslen - 2)) <= 0) {
|
||||
if (RAND_bytes_ex(s->ctx->libctx, pms + 2, (int)(pmslen - 2), 0) <= 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
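Review bot: The RNG failure branch in `tls_construct_cke_rsa` reports `ERR_R_MALLOC_FAILURE`, which will mislead anyone triaging a failed handshake; `SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);`, as used by the other RNG checks in this commit, fits better. Separately, the bytes written to `pms + 2` look like the premaster secret, yet they come from `RAND_bytes_ex` rather than `RAND_priv_bytes_ex`, which this commit uses for other secret values (ticket and cookie HMAC keys, SRP). The same applies to `pms` in the `tls_construct_cke_gost` and `tls_construct_cke_gost18` hunks. The `(int)` cast under the `TODO(size_t)` comment is also worth revisiting while the line is open, assuming the length parameter is `size_t`. The function body continues outside the hunk.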
@ -3060,7 +3060,7 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt)
|
||||
/* Generate session key
|
||||
* TODO(size_t): Convert this function
|
||||
*/
|
||||
|| RAND_bytes_ex(s->ctx->libctx, pms, (int)pmslen) <= 0) {
|
||||
|| RAND_bytes_ex(s->ctx->libctx, pms, (int)pmslen, 0) <= 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
};
|
||||
@ -3185,7 +3185,7 @@ static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt)
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (RAND_bytes_ex(s->ctx->libctx, pms, (int)pmslen) <= 0) {
|
||||
if (RAND_bytes_ex(s->ctx->libctx, pms, (int)pmslen, 0) <= 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
}
|
||||
|
@ -2738,7 +2738,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
|
||||
return 0;
|
||||
}
|
||||
if (RAND_bytes_ex(s->ctx->libctx, s->pha_context,
|
||||
s->pha_context_len) <= 0
|
||||
s->pha_context_len, 0) <= 0
|
||||
|| !WPACKET_sub_memcpy_u8(pkt, s->pha_context,
|
||||
s->pha_context_len)) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
@ -3778,7 +3778,7 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
|
||||
}
|
||||
|
||||
iv_len = EVP_CIPHER_iv_length(cipher);
|
||||
if (RAND_bytes_ex(s->ctx->libctx, iv, iv_len) <= 0
|
||||
if (RAND_bytes_ex(s->ctx->libctx, iv, iv_len, 0) <= 0
|
||||
|| !EVP_EncryptInit_ex(ctx, cipher, NULL,
|
||||
tctx->ext.secure->tick_aes_key, iv)
|
||||
|| !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key,
|
||||
@ -3905,7 +3905,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
|
||||
goto err;
|
||||
}
|
||||
if (RAND_bytes_ex(s->ctx->libctx, age_add_u.age_add_c,
|
||||
sizeof(age_add_u)) <= 0) {
|
||||
sizeof(age_add_u), 0) <= 0) {
|
||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
}
|
||||
|
@ -203,7 +203,7 @@ int ssl_srp_server_param_with_username_intern(SSL *s, int *ad)
|
||||
(s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
|
||||
return SSL3_AL_FATAL;
|
||||
|
||||
if (RAND_priv_bytes_ex(s->ctx->libctx, b, sizeof(b)) <= 0)
|
||||
if (RAND_priv_bytes_ex(s->ctx->libctx, b, sizeof(b), 0) <= 0)
|
||||
return SSL3_AL_FATAL;
|
||||
s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
|
||||
OPENSSL_cleanse(b, sizeof(b));
|
||||
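Review bot: `s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);` allocates a fresh BIGNUM and overwrites the pointer, while the matching client-side line in `ssl_srp_calc_a_param_intern` passes the existing `s->srp_ctx.a` for reuse. If `srp_ctx.b` can already be set when this runs, the previous private value is leaked without being cleared; releasing it first with `BN_clear_free(s->srp_ctx.b);` would avoid that. Neither SRP hunk shows the `BN_bin2bn` result being checked for NULL, though that may happen in the lines after the hunk, which are not visible here.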
@ -420,7 +420,7 @@ int ssl_srp_calc_a_param_intern(SSL *s)
|
||||
{
|
||||
unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
|
||||
|
||||
if (RAND_priv_bytes_ex(s->ctx->libctx, rnd, sizeof(rnd)) <= 0)
|
||||
if (RAND_priv_bytes_ex(s->ctx->libctx, rnd, sizeof(rnd), 0) <= 0)
|
||||
return 0;
|
||||
s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
|
||||
OPENSSL_cleanse(rnd, sizeof(rnd));
|
||||
|