From 3ad6030948ac999de165f6185116459d74644e8d Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
Date: Sat, 3 Apr 2021 12:53:51 +0200
Subject: [PATCH] APPS: make apps strict on app_RAND_load() and
 app_RAND_write() failure

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14840)
---
 apps/ca.c           |  3 ++-
 apps/cmp.c          |  2 ++
 apps/cms.c          |  4 +++-
 apps/dgst.c         |  4 +++-
 apps/dhparam.c      |  4 ++--
 apps/dsaparam.c     |  3 ++-
 apps/ecparam.c      |  4 +++-
 apps/enc.c          |  3 ++-
 apps/gendsa.c       |  4 +++-
 apps/genrsa.c       |  4 +++-
 apps/include/apps.h |  2 +-
 apps/include/opt.h  |  2 +-
 apps/lib/app_rand.c | 11 ++++++-----
 apps/openssl.c      |  3 ++-
 apps/passwd.c       |  4 +++-
 apps/pkcs12.c       |  4 +++-
 apps/pkcs8.c        |  4 +++-
 apps/pkeyutl.c      |  3 ++-
 apps/rand.c         |  4 +++-
 apps/req.c          |  4 +++-
 apps/rsautl.c       |  4 +++-
 apps/s_client.c     |  3 ++-
 apps/s_server.c     |  4 +++-
 apps/smime.c        |  4 +++-
 apps/speed.c        |  4 +++-
 apps/srp.c          |  4 +++-
 apps/ts.c           |  4 +++-
 apps/x509.c         |  4 +++-
 28 files changed, 75 insertions(+), 32 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index 268bd76912..cec5c8f1ac 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -521,7 +521,8 @@ end_of_options:
         goto end;
 
     app_RAND_load_conf(conf, BASE_SECTION);
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
 
     f = NCONF_get_string(conf, section, STRING_MASK);
     if (f == NULL)
diff --git a/apps/cmp.c b/apps/cmp.c
index 8a996f6dce..135c509831 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2603,6 +2603,8 @@ int cmp_main(int argc, char **argv)
     if (ret <= 0)
         goto err;
     ret = 0;
+    if (!app_RAND_load())
+        goto err;
 
     if (opt_batch)
         set_base_ui_method(UI_null());
diff --git a/apps/cms.c b/apps/cms.c
index b03e981a56..56f0b37bbf 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -697,7 +697,9 @@ int cms_main(int argc, char **argv)
             break;
         }
     }
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (digestname != NULL) {
         if (!opt_md(digestname, &sign_md))
             goto end;
diff --git a/apps/dgst.c b/apps/dgst.c
index 891cf79279..20626c2b32 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -225,7 +225,9 @@ int dgst_main(int argc, char **argv)
         BIO_printf(bio_err, "%s: Can only sign or verify one file.\n", prog);
         goto end;
     }
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (digestname != NULL) {
         if (!opt_md(digestname, &md))
             goto opthelp;
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 136dbcff64..b43935eb7f 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -158,8 +158,8 @@ int dhparam_main(int argc, char **argv)
     } else if (argc != 0) {
         goto opthelp;
     }
-    app_RAND_load();
-
+    if (!app_RAND_load())
+        goto end;
 
     if (g && !num)
         num = DEFBITS;
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index c83d1fff41..a38dceb255 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -135,7 +135,8 @@ int dsaparam_main(int argc, char **argv)
     } else if (argc != 0) {
         goto opthelp;
     }
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
 
     /* generate a key */
     numbits = num;
diff --git a/apps/ecparam.c b/apps/ecparam.c
index fc19ab6bf9..c99b8cc909 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -190,7 +190,9 @@ int ecparam_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     private = genkey ? 1 : 0;
 
     in = bio_open_default(infile, 'r', informat);
diff --git a/apps/enc.c b/apps/enc.c
index 498d0d500b..3647a1ce61 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -293,7 +293,8 @@ int enc_main(int argc, char **argv)
     argc = opt_num_rest();
     if (argc != 0)
         goto opthelp;
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
 
     /* Get the cipher name, either from progname (if set) or flag. */
     if (ciphername != NULL) {
diff --git a/apps/gendsa.c b/apps/gendsa.c
index 482191d8bf..97904d2c82 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -107,7 +107,9 @@ int gendsa_main(int argc, char **argv)
         goto opthelp;
     dsaparams = argv[0];
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (ciphername != NULL) {
         if (!opt_cipher(ciphername, &enc))
             goto end;
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 469b0a0b2f..ab991d2385 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -163,7 +163,9 @@ opthelp:
         goto opthelp;
     }
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     private = 1;
     if (ciphername != NULL) {
         if (!opt_cipher(ciphername, &enc))
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 96b37ef95c..2709b0ccaf 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -46,7 +46,7 @@
 # define _UC(c) ((unsigned char)(c))
 
 void app_RAND_load_conf(CONF *c, const char *section);
-void app_RAND_write(void);
+int app_RAND_write(void);
 int app_RAND_load(void);
 
 extern char *default_config_file; /* may be "" */
diff --git a/apps/include/opt.h b/apps/include/opt.h
index d23bf262fc..3d79224d04 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -258,7 +258,7 @@
 
 # define OPT_R_OPTIONS \
     OPT_SECTION("Random state"), \
-    {"rand", OPT_R_RAND, 's', "Load the file(s) into the random number generator"}, \
+    {"rand", OPT_R_RAND, 's', "Load the given file(s) into the random number generator"}, \
     {"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file"}
 
 # define OPT_R_CASES \
diff --git a/apps/lib/app_rand.c b/apps/lib/app_rand.c
index c521979570..e38d3a72fc 100644
--- a/apps/lib/app_rand.c
+++ b/apps/lib/app_rand.c
@@ -63,9 +63,6 @@ int app_RAND_load(void)
     char *p;
     int i, ret = 1;
 
-    if (randfiles == NULL)
-        return 1;
-
     for (i = 0; i < sk_OPENSSL_STRING_num(randfiles); i++) {
         p = sk_OPENSSL_STRING_value(randfiles, i);
         if (!loadfiles(p))
@@ -75,16 +72,20 @@ int app_RAND_load(void)
     return ret;
 }
 
-void app_RAND_write(void)
+int app_RAND_write(void)
 {
+    int ret = 1;
+
     if (save_rand_file == NULL)
-        return;
+        return 1;
     if (RAND_write_file(save_rand_file) == -1) {
         BIO_printf(bio_err, "Cannot write random bytes:\n");
         ERR_print_errors(bio_err);
+        ret = 0;
     }
     OPENSSL_free(save_rand_file);
     save_rand_file =  NULL;
+    return ret;
 }
 
 
diff --git a/apps/openssl.c b/apps/openssl.c
index 6ef7d0ace1..30e1e755e0 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -298,7 +298,8 @@ int main(int argc, char *argv[])
     OPENSSL_free(default_config_file);
     lh_FUNCTION_free(prog);
     OPENSSL_free(arg.argv);
-    app_RAND_write();
+    if (!app_RAND_write())
+        ret = EXIT_FAILURE;
 
     BIO_free(bio_in);
     BIO_free_all(bio_out);
diff --git a/apps/passwd.c b/apps/passwd.c
index 6e58112363..1203b7443e 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -195,7 +195,9 @@ int passwd_main(int argc, char **argv)
         passwds = argv;
     }
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (mode == passwd_unset) {
         /* use default */
         mode = passwd_md5;
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 0a88140880..8c515870de 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -345,7 +345,9 @@ int pkcs12_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (ciphername != NULL) {
         if (!opt_cipher(ciphername, &enc))
             goto opthelp;
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index b8b56f1c80..cfcb341787 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -199,7 +199,9 @@ int pkcs8_main(int argc, char **argv)
         goto opthelp;
 
     private = 1;
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (ciphername != NULL) {
         if (!opt_cipher(ciphername, &cipher))
             goto opthelp;
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index 27ade9f079..fd1cdf8f4b 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -255,7 +255,8 @@ int pkeyutl_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
 
     if (rawin && pkey_op != EVP_PKEY_OP_SIGN && pkey_op != EVP_PKEY_OP_VERIFY) {
         BIO_printf(bio_err,
diff --git a/apps/rand.c b/apps/rand.c
index b439216886..24f8c64d43 100644
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -99,7 +99,9 @@ int rand_main(int argc, char **argv)
         goto opthelp;
     }
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     out = bio_open_default(outfile, 'w', format);
     if (out == NULL)
         goto end;
diff --git a/apps/req.c b/apps/req.c
index 04774db399..1b17adb6f4 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -478,7 +478,9 @@ int req_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (digestname != NULL) {
         if (!opt_md(digestname, &md_alg))
             goto opthelp;
diff --git a/apps/rsautl.c b/apps/rsautl.c
index 05b2b189af..57a3f8b4fc 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -173,7 +173,9 @@ int rsautl_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (need_priv && (key_type != KEY_PRIVKEY)) {
         BIO_printf(bio_err, "A private key is needed for this operation\n");
         goto end;
diff --git a/apps/s_client.c b/apps/s_client.c
index ac744ccbd5..7b3cf87620 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1475,7 +1475,8 @@ int s_client_main(int argc, char **argv)
     } else if (argc != 0) {
         goto opthelp;
     }
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
 
     if (count4or6 >= 2) {
         BIO_printf(bio_err, "%s: Can't use both -4 and -6\n", prog);
diff --git a/apps/s_server.c b/apps/s_server.c
index 34b28736a1..b00303630f 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1610,7 +1610,9 @@ int s_server_main(int argc, char *argv[])
     if (argc != 0)
         goto opthelp;
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
 #ifndef OPENSSL_NO_NEXTPROTONEG
     if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
         BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
diff --git a/apps/smime.c b/apps/smime.c
index dcef6b3b49..98a2f32b4a 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -359,7 +359,9 @@ int smime_main(int argc, char **argv)
     argc = opt_num_rest();
     argv = opt_rest();
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (digestname != NULL) {
         if (!opt_md(digestname, &sign_md))
             goto opthelp;
diff --git a/apps/speed.c b/apps/speed.c
index 56c896c31e..d867e87e45 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -1648,7 +1648,9 @@ int speed_main(int argc, char **argv)
     argc = opt_num_rest();
     argv = opt_rest();
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     for (; *argv; argv++) {
         const char *algo = *argv;
 
diff --git a/apps/srp.c b/apps/srp.c
index 375ae1327c..af62e7e200 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -309,7 +309,9 @@ int srp_main(int argc, char **argv)
     argc = opt_num_rest();
     argv = opt_rest();
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (srpvfile != NULL && configfile != NULL) {
         BIO_printf(bio_err,
                    "-srpvfile and -configfile cannot be specified together.\n");
diff --git a/apps/ts.c b/apps/ts.c
index cc69a7de72..b4a5e85fea 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -292,7 +292,9 @@ int ts_main(int argc, char **argv)
     if (argc != 0 || mode == OPT_ERR)
         goto opthelp;
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (digestname != NULL) {
         if (!opt_md(digestname, &md))
             goto opthelp;
diff --git a/apps/x509.c b/apps/x509.c
index abbffe37ab..18c0ce90d8 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -578,7 +578,9 @@ int x509_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
     if (digestname != NULL) {
         if (!opt_md(digestname, &digest))
             goto opthelp;
-- 
2.39.2