From fbbc137e481f092be7bdc3fedb505f5c2d89eba0 Mon Sep 17 00:00:00 2001 From: deraadt <> Date: Mon, 14 Apr 2014 17:45:38 +0000 Subject: So the OpenSSL codebase does "get the time, add it as a random seed" in a bunch of places inside the TLS engine, to try to keep entropy high. I wonder if their moto is "If you can't solve a problem, at least try to do it badly". ok miod --- src/lib/libcrypto/bn/bn_rand.c | 3 --- src/lib/libssl/d1_clnt.c | 2 -- src/lib/libssl/d1_srvr.c | 2 -- src/lib/libssl/s23_clnt.c | 2 -- src/lib/libssl/s23_srvr.c | 2 -- src/lib/libssl/s3_clnt.c | 2 -- src/lib/libssl/s3_srvr.c | 3 +-- src/lib/libssl/src/crypto/bn/bn_rand.c | 3 --- src/lib/libssl/src/ssl/d1_clnt.c | 2 -- src/lib/libssl/src/ssl/d1_srvr.c | 2 -- src/lib/libssl/src/ssl/s23_clnt.c | 2 -- src/lib/libssl/src/ssl/s23_srvr.c | 2 -- src/lib/libssl/src/ssl/s2_clnt.c | 2 -- src/lib/libssl/src/ssl/s2_srvr.c | 2 -- src/lib/libssl/src/ssl/s3_clnt.c | 2 -- src/lib/libssl/src/ssl/s3_srvr.c | 3 +-- 16 files changed, 2 insertions(+), 34 deletions(-) diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c index b376c28ff3..5cbb1f33c1 100644 --- a/src/lib/libcrypto/bn/bn_rand.c +++ b/src/lib/libcrypto/bn/bn_rand.c @@ -119,7 +119,6 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) { unsigned char *buf=NULL; int ret=0,bit,bytes,mask; - time_t tim; if (bits == 0) { @@ -139,8 +138,6 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) } /* make a random number and set the top and bottom bits */ - time(&tim); - RAND_add(&tim,sizeof(tim),0.0); if (pseudorand) { diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c index 15c4bca58c..4c6aac7536 100644 --- a/src/lib/libssl/d1_clnt.c +++ b/src/lib/libssl/d1_clnt.c @@ -147,7 +147,6 @@ int dtls1_connect(SSL *s) { BUF_MEM *buf = NULL; - unsigned long Time = (unsigned long)time(NULL); void (*cb)(const SSL *ssl, int type, int val) = NULL; int ret = -1; int new_state, state, skip = 0; @@ -156,7 +155,6 @@ dtls1_connect(SSL *s) char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; #endif - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index 95dffe9484..164fcfbf1f 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c @@ -145,7 +145,6 @@ int dtls1_accept(SSL *s) { BUF_MEM *buf; - unsigned long Time = (unsigned long)time(NULL); void (*cb)(const SSL *ssl, int type, int val) = NULL; unsigned long alg_k; int ret = -1; @@ -156,7 +155,6 @@ dtls1_accept(SSL *s) char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; #endif - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index 0fd388a05a..8ed79c3d55 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c @@ -145,12 +145,10 @@ int ssl23_connect(SSL *s) { BUF_MEM *buf = NULL; - unsigned long Time = (unsigned long)time(NULL); void (*cb)(const SSL *ssl, int type, int val) = NULL; int ret = -1; int new_state, state; - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index 35db7b4992..2aad21e93c 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c @@ -147,12 +147,10 @@ int ssl23_accept(SSL *s) { BUF_MEM *buf; - unsigned long Time = (unsigned long)time(NULL); void (*cb)(const SSL *ssl, int type, int val) = NULL; int ret = -1; int new_state, state; - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index b9ca6b6f9b..4ad8d3943e 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -186,12 +186,10 @@ int ssl3_connect(SSL *s) { BUF_MEM *buf = NULL; - unsigned long Time = (unsigned long)time(NULL); void (*cb)(const SSL *ssl, int type, int val) = NULL; int ret = -1; int new_state, state, skip = 0; - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index eeadb160d1..14066031ca 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -210,12 +210,11 @@ int ssl3_accept(SSL *s) { BUF_MEM *buf; - unsigned long alg_k, Time = (unsigned long)time(NULL); + unsigned long alg_k; void (*cb)(const SSL *ssl, int type, int val) = NULL; int ret = -1; int new_state, state, skip = 0; - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/src/crypto/bn/bn_rand.c b/src/lib/libssl/src/crypto/bn/bn_rand.c index b376c28ff3..5cbb1f33c1 100644 --- a/src/lib/libssl/src/crypto/bn/bn_rand.c +++ b/src/lib/libssl/src/crypto/bn/bn_rand.c @@ -119,7 +119,6 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) { unsigned char *buf=NULL; int ret=0,bit,bytes,mask; - time_t tim; if (bits == 0) { @@ -139,8 +138,6 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) } /* make a random number and set the top and bottom bits */ - time(&tim); - RAND_add(&tim,sizeof(tim),0.0); if (pseudorand) { diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c index 15c4bca58c..4c6aac7536 100644 --- a/src/lib/libssl/src/ssl/d1_clnt.c +++ b/src/lib/libssl/src/ssl/d1_clnt.c @@ -147,7 +147,6 @@ int dtls1_connect(SSL *s) { BUF_MEM *buf = NULL; - unsigned long Time = (unsigned long)time(NULL); void (*cb)(const SSL *ssl, int type, int val) = NULL; int ret = -1; int new_state, state, skip = 0; @@ -156,7 +155,6 @@ dtls1_connect(SSL *s) char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; #endif - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c index 95dffe9484..164fcfbf1f 100644 --- a/src/lib/libssl/src/ssl/d1_srvr.c +++ b/src/lib/libssl/src/ssl/d1_srvr.c @@ -145,7 +145,6 @@ int dtls1_accept(SSL *s) { BUF_MEM *buf; - unsigned long Time = (unsigned long)time(NULL); void (*cb)(const SSL *ssl, int type, int val) = NULL; unsigned long alg_k; int ret = -1; @@ -156,7 +155,6 @@ dtls1_accept(SSL *s) char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; #endif - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c index 0fd388a05a..8ed79c3d55 100644 --- a/src/lib/libssl/src/ssl/s23_clnt.c +++ b/src/lib/libssl/src/ssl/s23_clnt.c @@ -145,12 +145,10 @@ int ssl23_connect(SSL *s) { BUF_MEM *buf = NULL; - unsigned long Time = (unsigned long)time(NULL); void (*cb)(const SSL *ssl, int type, int val) = NULL; int ret = -1; int new_state, state; - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c index 35db7b4992..2aad21e93c 100644 --- a/src/lib/libssl/src/ssl/s23_srvr.c +++ b/src/lib/libssl/src/ssl/s23_srvr.c @@ -147,12 +147,10 @@ int ssl23_accept(SSL *s) { BUF_MEM *buf; - unsigned long Time = (unsigned long)time(NULL); void (*cb)(const SSL *ssl, int type, int val) = NULL; int ret = -1; int new_state, state; - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/src/ssl/s2_clnt.c b/src/lib/libssl/src/ssl/s2_clnt.c index a1cfab6f2d..6c48c25064 100644 --- a/src/lib/libssl/src/ssl/s2_clnt.c +++ b/src/lib/libssl/src/ssl/s2_clnt.c @@ -146,13 +146,11 @@ IMPLEMENT_ssl2_meth_func(SSLv2_client_method, int ssl2_connect(SSL *s) { - unsigned long l = (unsigned long)time(NULL); BUF_MEM *buf = NULL; int ret = -1; void (*cb)(const SSL *ssl, int type, int val) = NULL; int new_state, state; - RAND_add(&l, sizeof(l), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/src/ssl/s2_srvr.c b/src/lib/libssl/src/ssl/s2_srvr.c index aa63fe85ba..8023243e9a 100644 --- a/src/lib/libssl/src/ssl/s2_srvr.c +++ b/src/lib/libssl/src/ssl/s2_srvr.c @@ -146,14 +146,12 @@ IMPLEMENT_ssl2_meth_func(SSLv2_server_method, int ssl2_accept(SSL *s) { - unsigned long l = (unsigned long)time(NULL); BUF_MEM *buf = NULL; int ret = -1; long num1; void (*cb)(const SSL *ssl, int type, int val) = NULL; int new_state, state; - RAND_add(&l, sizeof(l), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index b9ca6b6f9b..4ad8d3943e 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c @@ -186,12 +186,10 @@ int ssl3_connect(SSL *s) { BUF_MEM *buf = NULL; - unsigned long Time = (unsigned long)time(NULL); void (*cb)(const SSL *ssl, int type, int val) = NULL; int ret = -1; int new_state, state, skip = 0; - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index eeadb160d1..14066031ca 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c @@ -210,12 +210,11 @@ int ssl3_accept(SSL *s) { BUF_MEM *buf; - unsigned long alg_k, Time = (unsigned long)time(NULL); + unsigned long alg_k; void (*cb)(const SSL *ssl, int type, int val) = NULL; int ret = -1; int new_state, state, skip = 0; - RAND_add(&Time, sizeof(Time), 0); ERR_clear_error(); errno = 0; -- cgit v1.2.3-55-g6feb