Assert on _all_ failures from RAND_bytes().

Previously, we would detect errors from a missing RNG
implementation, but not failures from the RNG code itself.

Fortunately, it appears those failures do not happen in practice
when Tor is using OpenSSL's default RNG implementation.  Fixes bug
40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.

diff --git a/changes/ticket40390 b/changes/ticket40390
new file mode 100644 (file)
index 0000000..b56fa4d
--- /dev/null
+++ b/changes/ticket40390
@@ -0,0 +1,8 @@
+  o Major bugfixes (security, defense-in-depth):
+    - Detect a wider variety of failure conditions from the OpenSSL RNG
+      code. Previously, we would detect errors from a missing RNG
+      implementation, but not failures from the RNG code itself.
+      Fortunately, it appears those failures do not happen in practice
+      when Tor is using OpenSSL's default RNG implementation.
+      Fixes bug 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
+      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.

diff --git a/src/lib/crypt_ops/crypto_rand.c b/src/lib/crypt_ops/crypto_rand.c
index 915fe0870ded01d6765c35a98ee4af3cee26bbba..206929d6b380ac8f1a677cd8daab224a53c9ef87 100644 (file)
--- a/src/lib/crypt_ops/crypto_rand.c
+++ b/src/lib/crypt_ops/crypto_rand.c
@@ -525,7 +525,7 @@ crypto_rand_unmocked(char *to, size_t n)
   /* We consider a PRNG failure non-survivable. Let's assert so that we get a
    * stack trace about where it happened.
    */
-  tor_assert(r >= 0);
+  tor_assert(r == 1);
 #endif
 }