authorTheo de Raadt <deraadt@cvs.openbsd.org>2014-06-07 22:23:13 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2014-06-07 22:23:13 +0000
commit03f954672632bb6771359fe14ed9755dde86ddd7 (patch)
tree2cf253324935eed59659b3ace469ab7be9cdd0ec
parentdb37dd011c635f593b39c0ba38da3ad4656aa372 (diff)
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2016265dfbab162ec30718b5e7480add42598158
Don't know the full story, but it looks like a "can't do random perfectly, so do it god awful" problem was found in 2013, and replaced with "only do it badly if a flag is set". New flags (SSL_MODE_SEND_CLIENTHELLO_TIME and SSL_MODE_SEND_SERVERHELLO_TIME) were added [Ben Laurie?] to support the old scheme of "use time_t for first 4 bytes of the random buffer". Nothing uses these flags [ecosystem scan by sthen]. Fully discourage use of these flags in the future by removing support & definition of them. The buflen < 4 check is also interesting, because no entropy would be returned. No callers passed such small buffers. ok miod sthen
-rw-r--r--lib/libssl/src/ssl/d1_clnt.c3
-rw-r--r--lib/libssl/src/ssl/d1_srvr.c3
-rw-r--r--lib/libssl/src/ssl/s23_clnt.c27
-rw-r--r--lib/libssl/src/ssl/s3_clnt.c4
-rw-r--r--lib/libssl/src/ssl/s3_srvr.c5
-rw-r--r--lib/libssl/src/ssl/ssl.h6
-rw-r--r--lib/libssl/src/ssl/ssl_locl.h1
7 files changed, 6 insertions, 43 deletions
diff --git a/lib/libssl/src/ssl/d1_clnt.c b/lib/libssl/src/ssl/d1_clnt.c
index 8ff4d8e3694..976b753a87f 100644
--- a/lib/libssl/src/ssl/d1_clnt.c
+++ b/lib/libssl/src/ssl/d1_clnt.c
@@ -791,8 +791,7 @@ dtls1_client_hello(SSL *s)
for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)
;
if (i == sizeof(s->s3->client_random))
- ssl_fill_hello_random(s, 0, p,
- sizeof(s->s3->client_random));
+ RAND_pseudo_bytes(p, sizeof(s->s3->client_random));
/* Do the message type and length last */
d = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
diff --git a/lib/libssl/src/ssl/d1_srvr.c b/lib/libssl/src/ssl/d1_srvr.c
index 24f0a2e86ea..a118e8e82f8 100644
--- a/lib/libssl/src/ssl/d1_srvr.c
+++ b/lib/libssl/src/ssl/d1_srvr.c
@@ -909,7 +909,8 @@ dtls1_send_server_hello(SSL *s)
if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
buf = (unsigned char *)s->init_buf->data;
p = s->s3->server_random;
- ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE);
+ RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
+
/* Do the message type and length last */
d = p= &(buf[DTLS1_HM_HEADER_LENGTH]);
diff --git a/lib/libssl/src/ssl/s23_clnt.c b/lib/libssl/src/ssl/s23_clnt.c
index 16c30c083ab..1bc582364bd 100644
--- a/lib/libssl/src/ssl/s23_clnt.c
+++ b/lib/libssl/src/ssl/s23_clnt.c
@@ -285,30 +285,6 @@ end:
return (ret);
}
-/*
- * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0
- * on failure, 1 on success.
- */
-int
-ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
-{
- int send_time = 0;
-
- if (len < 4)
- return 0;
- if (server)
- send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
- else
- send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
- if (send_time) {
- unsigned long Time = (unsigned long)time(NULL);
- unsigned char *p = result;
- l2n(Time, p);
- return RAND_pseudo_bytes(p, len - 4);
- } else
- return RAND_pseudo_bytes(result, len);
-}
-
static int
ssl23_client_hello(SSL *s)
{
@@ -352,8 +328,7 @@ ssl23_client_hello(SSL *s)
buf = (unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
p = s->s3->client_random;
- if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
- return -1;
+ RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
if (version == TLS1_2_VERSION) {
version_major = TLS1_2_VERSION_MAJOR;
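Review bot: The return value of RAND_pseudo_bytes() on the replacement line is discarded, whereas the removed code returned -1 when ssl_fill_hello_random() reported failure; the same check disappears in s3_clnt.c (the `goto err`) and s3_srvr.c (the SSL_AD_INTERNAL_ERROR alert). If this tree's RAND_pseudo_bytes() cannot fail that is fine, but nothing in the hunk says so, and on a failure path client_random would be sent with whatever the buffer already held. Either keep the check, `if (RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE) <= 0) return -1;`, or add a one-line comment at each call site stating that the RNG cannot fail here. ssl23_client_hello's body continues outside the hunk.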
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c
index f2c7dd24421..45dfb64f927 100644
--- a/lib/libssl/src/ssl/s3_clnt.c
+++ b/lib/libssl/src/ssl/s3_clnt.c
@@ -674,9 +674,7 @@ ssl3_client_hello(SSL *s)
/* else use the pre-loaded session */
p = s->s3->client_random;
-
- if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
- goto err;
+ RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);
/* Do the message type and length last */
d = p = &(buf[4]);
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c
index bd22569ef0a..c948045ae40 100644
--- a/lib/libssl/src/ssl/s3_srvr.c
+++ b/lib/libssl/src/ssl/s3_srvr.c
@@ -1130,10 +1130,7 @@ ssl3_get_client_hello(SSL *s)
{
unsigned char *pos;
pos = s->s3->server_random;
- if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
- al = SSL_AD_INTERNAL_ERROR;
- goto f_err;
- }
+ RAND_pseudo_bytes(pos, SSL3_RANDOM_SIZE);
}
if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index fd01ac98064..0c5d76bc238 100644
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -611,12 +611,6 @@ struct ssl_session_st {
* TLS only.) "Released" buffers are put onto a free-list in the context
* or just freed (depending on the context's setting for freelist_max_len). */
#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
-/* Send the current time in the Random fields of the ClientHello and
- * ServerHello records for compatibility with hypothetical implementations
- * that require it.
- */
-#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
-#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
* they cannot be used to clear bits. */
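Review bot: Removing the two SSL_MODE_* definitions leaves bits 0x20 and 0x40 of the mode word unmarked in a public header, so a later flag could reuse a bit that binaries built against the old header may still set via SSL_set_mode(). A reservation comment in place of the deleted lines would prevent that, e.g. `/* 0x00000020L and 0x00000040L were SSL_MODE_SEND_{CLIENT,SERVER}HELLO_TIME; do not reuse. */`. This is presumably also an API break for any out-of-tree caller naming the macros, which the commit message says a scan found none of.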
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index 4aa2911da70..a96402ec5cd 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -621,7 +621,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
int ssl_verify_alarm_type(long type);
void ssl_load_ciphers(void);
-int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len);
const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);