Use NSS for random number generation

2 files changed, 19 insertions, 11 deletions

diff --git a/lib/ncrypto_local.c b/lib/ncrypto_local.c
index c4af43a..07823e3 100644
--- a/lib/ncrypto_local.c
+++ b/lib/ncrypto_local.c
@@ -33,7 +33,6 @@ Red Hat author: Miloslav Trmač <mitr@redhat.com> */
 #include <glib.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
-#include <openssl/rand.h>
 
 #include <ncrypto/ncrypto.h>
 
@@ -48,16 +47,6 @@ ckr_openssl (void)
   return CKR_GENERAL_ERROR;
 }
 
- /* Random numbers */
-
-CK_RV
-ncr_get_random_bytes (void *dest, size_t size)
-{
-  /* This is not strong enough, we need cryptographically strong random
-     numbers! */
-  return RAND_pseudo_bytes (dest, size) != 0 ? CKR_OK : ckr_openssl ();
-}
-
  /* Symmetric keys */
 
 CK_RV
diff --git a/lib/ncrypto_nss.c b/lib/ncrypto_nss.c
index a430c3f..46716ea 100644
--- a/lib/ncrypto_nss.c
+++ b/lib/ncrypto_nss.c
@@ -114,6 +114,25 @@ ncr_close (void)
   return res;
 }
 
+ /* Random numbers */
+
+CK_RV
+ncr_get_random_bytes (void *dest, size_t size)
+{
+  CK_RV res;
+
+  g_return_val_if_fail (dest != NULL, CKR_ARGUMENTS_BAD);
+  g_return_val_if_fail (size <= INT_MAX, CKR_ARGUMENTS_BAD);
+
+  res = ensure_ncr_is_open ();
+  if (res != CKR_OK)
+    return res;
+
+  if (PK11_GenerateRandom (dest, size) != SECSuccess)
+    return CKR_GENERAL_ERROR;
+  return CKR_OK;
+}
+
  /* Asymmetric keys */
 
 struct ncr_public_key