Assert on _all_ failures from RAND_bytes().

Previously, we would detect errors from a missing RNG implementation, but not failures from the RNG code itself. Fortunately, it appears those failures do not happen in practice when Tor is using OpenSSL's default RNG implementation. Fixes bug 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.

Assert on _all_ failures from RAND_bytes().
c0aa9e0a · Nick Mathewson · e2c1ac21 · c0aa9e0a · c0aa9e0a
Commit c0aa9e0a authored 3 years ago by Nick Mathewson
--- a/changes/ticket40390
+++ b/changes/ticket40390
+  o Major bugfixes (security, defense-in-depth):
+    - Detect a wider variety of failure conditions from the OpenSSL RNG
+      code. Previously, we would detect errors from a missing RNG
+      implementation, but not failures from the RNG code itself.
+      Fortunately, it appears those failures do not happen in practice
+      when Tor is using OpenSSL's default RNG implementation.
+      Fixes bug 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
+      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
--- a/src/lib/crypt_ops/crypto_rand.c
+++ b/src/lib/crypt_ops/crypto_rand.c
@@ -525,7 +525,7 @@ crypto_rand_unmocked(char *to, size_t n)
  /* We consider a PRNG failure non-survivable. Let's assert so that we get a
   * stack trace about where it happened.
   */
-  tor_assert(r >= 0);
+  tor_assert(r == 1);
 #endif
 }