diff options
| author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2014-06-07 22:23:13 +0000 |
|---|---|---|
| committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2014-06-07 22:23:13 +0000 |
| commit | 9ce3a7d021f0e0f96a9805e9582e2809aec597f0 (patch) | |
| tree | dd7004eec69aae747096015ecf9ab313333ce39e /lib | |
| parent | a2cfdec3a1bfecda7ad4862563f61969598f3c47 (diff) | |
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2016265dfbab162ec30718b5e7480add42598158
Don't know the full story, but it looks like a "can't do random
perfectly, so do it god awful" problem was found in 2013, and
replaced with "only do it badly if a flag is set". New flags
(SSL_MODE_SEND_SERVERHELLO_TIME and SSL_MODE_SEND_SERVERHELLO_TIME)
were added [Ben Laurie?] to support the old scheme of "use time_t
for first 4 bytes of the random buffer".
Nothing uses these flags [ecosystem scan by sthen]
Fully discourage use of these flags in the future by removing
support & definition of them. The buflen < 4 check is also interesting,
because no entropy would be returned. No callers passed such small
buffers.
ok miod sthen
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libssl/d1_clnt.c | 3 | ||||
| -rw-r--r-- | lib/libssl/d1_srvr.c | 3 | ||||
| -rw-r--r-- | lib/libssl/s23_clnt.c | 27 | ||||
| -rw-r--r-- | lib/libssl/s3_clnt.c | 4 | ||||
| -rw-r--r-- | lib/libssl/s3_srvr.c | 5 | ||||
| -rw-r--r-- | lib/libssl/ssl.h | 6 | ||||
| -rw-r--r-- | lib/libssl/ssl_locl.h | 1 |
7 files changed, 6 insertions, 43 deletions
diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c index 8ff4d8e3694..976b753a87f 100644 --- a/lib/libssl/d1_clnt.c +++ b/lib/libssl/d1_clnt.c @@ -791,8 +791,7 @@ dtls1_client_hello(SSL *s) for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++) ; if (i == sizeof(s->s3->client_random)) - ssl_fill_hello_random(s, 0, p, - sizeof(s->s3->client_random)); + RAND_pseudo_bytes(p, sizeof(s->s3->client_random)); /* Do the message type and length last */ d = p = &(buf[DTLS1_HM_HEADER_LENGTH]); diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c index 24f0a2e86ea..a118e8e82f8 100644 --- a/lib/libssl/d1_srvr.c +++ b/lib/libssl/d1_srvr.c @@ -909,7 +909,8 @@ dtls1_send_server_hello(SSL *s) if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf = (unsigned char *)s->init_buf->data; p = s->s3->server_random; - ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE); + RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE); + /* Do the message type and length last */ d = p= &(buf[DTLS1_HM_HEADER_LENGTH]); diff --git a/lib/libssl/s23_clnt.c b/lib/libssl/s23_clnt.c index 16c30c083ab..1bc582364bd 100644 --- a/lib/libssl/s23_clnt.c +++ b/lib/libssl/s23_clnt.c @@ -285,30 +285,6 @@ end: return (ret); } -/* - * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 - * on failure, 1 on success. - */ -int -ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) -{ - int send_time = 0; - - if (len < 4) - return 0; - if (server) - send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0; - else - send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0; - if (send_time) { - unsigned long Time = (unsigned long)time(NULL); - unsigned char *p = result; - l2n(Time, p); - return RAND_pseudo_bytes(p, len - 4); - } else - return RAND_pseudo_bytes(result, len); -} - static int ssl23_client_hello(SSL *s) { @@ -352,8 +328,7 @@ ssl23_client_hello(SSL *s) buf = (unsigned char *)s->init_buf->data; if (s->state == SSL23_ST_CW_CLNT_HELLO_A) { p = s->s3->client_random; - if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) - return -1; + RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE); if (version == TLS1_2_VERSION) { version_major = TLS1_2_VERSION_MAJOR; diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c index f2c7dd24421..45dfb64f927 100644 --- a/lib/libssl/s3_clnt.c +++ b/lib/libssl/s3_clnt.c @@ -674,9 +674,7 @@ ssl3_client_hello(SSL *s) /* else use the pre-loaded session */ p = s->s3->client_random; - - if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) - goto err; + RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE); /* Do the message type and length last */ d = p = &(buf[4]); diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index bd22569ef0a..c948045ae40 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -1130,10 +1130,7 @@ ssl3_get_client_hello(SSL *s) { unsigned char *pos; pos = s->s3->server_random; - if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } + RAND_pseudo_bytes(pos, SSL3_RANDOM_SIZE); } if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) { diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index fd01ac98064..0c5d76bc238 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -611,12 +611,6 @@ struct ssl_session_st { * TLS only.) "Released" buffers are put onto a free-list in the context * or just freed (depending on the context's setting for freelist_max_len). */ #define SSL_MODE_RELEASE_BUFFERS 0x00000010L -/* Send the current time in the Random fields of the ClientHello and - * ServerHello records for compatibility with hypothetical implementations - * that require it. - */ -#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L -#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 4aa2911da70..a96402ec5cd 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -621,7 +621,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); int ssl_verify_alarm_type(long type); void ssl_load_ciphers(void); -int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len); const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); |