From de48c77a08514ed654e05e710444452ffab6d0aa Mon Sep 17 00:00:00 2001 From: deraadt <> Date: Sat, 7 Jun 2014 22:23:12 +0000 Subject: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2016265dfbab162ec30718b5e7480add42598158 Don't know the full story, but it looks like a "can't do random perfectly, so do it god awful" problem was found in 2013, and replaced with "only do it badly if a flag is set". New flags (SSL_MODE_SEND_CLIENTHELLO_TIME and SSL_MODE_SEND_SERVERHELLO_TIME) were added [Ben Laurie?] to support the old scheme of "use time_t for first 4 bytes of the random buffer". Nothing uses these flags [ecosystem scan by sthen] Fully discourage use of these flags in the future by removing support & definition of them. The buflen < 4 check is also interesting, because no entropy would be returned. No callers passed such small buffers. ok miod sthen --- src/lib/libssl/d1_clnt.c | 3 +-- src/lib/libssl/d1_srvr.c | 3 ++- src/lib/libssl/s23_clnt.c | 27 +-------------------------- src/lib/libssl/s3_clnt.c | 4 +--- src/lib/libssl/s3_srvr.c | 5 +---- src/lib/libssl/src/ssl/d1_clnt.c | 3 +-- src/lib/libssl/src/ssl/d1_srvr.c | 3 ++- src/lib/libssl/src/ssl/s23_clnt.c | 27 +-------------------------- src/lib/libssl/src/ssl/s3_clnt.c | 4 +--- src/lib/libssl/src/ssl/s3_srvr.c | 5 +---- src/lib/libssl/src/ssl/ssl.h | 6 ------ src/lib/libssl/src/ssl/ssl_locl.h | 1 - src/lib/libssl/ssl.h | 6 ------ src/lib/libssl/ssl_locl.h | 1 - 14 files changed, 12 insertions(+), 86 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c index 8ff4d8e369..976b753a87 100644 --- a/src/lib/libssl/d1_clnt.c +++ b/src/lib/libssl/d1_clnt.c 
@@ -791,8 +791,7 @@ dtls1_client_hello(SSL *s) for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++) ; if (i == sizeof(s->s3->client_random)) - ssl_fill_hello_random(s, 0, p, - sizeof(s->s3->client_random)); + RAND_pseudo_bytes(p, sizeof(s->s3->client_random)); /* Do the message type and length last */ d = p = &(buf[DTLS1_HM_HEADER_LENGTH]); diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index 24f0a2e86e..a118e8e82f 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c @@ -909,7 +909,8 @@ dtls1_send_server_hello(SSL *s) if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf = (unsigned char *)s->init_buf->data; p = s->s3->server_random; - ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE); + RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE); + /* Do the message type and length last */ d = p= &(buf[DTLS1_HM_HEADER_LENGTH]); diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index 16c30c083a..1bc582364b 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c @@ -285,30 +285,6 @@ end: return (ret); } -/* - * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 - * on failure, 1 on success. - */ -int -ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) -{ - int send_time = 0; - - if (len < 4) - return 0; - if (server) - send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0; - else - send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0; - if (send_time) { - unsigned long Time = (unsigned long)time(NULL); - unsigned char *p = result; - l2n(Time, p); - return RAND_pseudo_bytes(p, len - 4); - } else - return RAND_pseudo_bytes(result, len); -} - static int ssl23_client_hello(SSL *s) { 
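Review bot: The all-zero test on the context line `for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)` dereferences `p[i]` before it bounds-checks `i`, so when every byte of client_random is zero the loop reads one byte past the end of the array before the second operand stops it; this predates the commit, but the hunk rewrites the very next statement and is the natural place to fix it. Swapping the operands keeps the "only regenerate an untouched random" behaviour intact: `for (i = 0; i < sizeof(s->s3->client_random) && p[i] == '\0'; i++)`. The over-read presumably lands in a neighbouring field of `s->s3` rather than unmapped memory, but it is still out of bounds for the array. Note also that the new `RAND_pseudo_bytes(p, sizeof(s->s3->client_random));` discards its return value just as the old call did, so if this tree's RAND_pseudo_bytes can still report failure the DTLS ClientHello would go out with an all-zero random; if it is an infallible wrapper here, a one-line comment saying so would make that intentional. dtls1_client_hello starts and ends outside this hunk, and the mirrored hunk for src/lib/libssl/src/ssl/d1_clnt.c has the identical loop.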
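Review bot: The hunk inserts an extra empty line after `RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);` (the `@@ -909,7 +909,8 @@` header and the `3 ++-` diffstat entry both show the net +1), leaving a blank line between the call and the `/* Do the message type and length last */` comment that the old code did not have; it reads as accidental and should be dropped. Separately, the server_random nonce is now filled by a call whose result is ignored, as the old `ssl_fill_hello_random` call's was; OpenSSL's RAND_pseudo_bytes documents a 0 return for output that is not cryptographically strong, so unless this tree's implementation cannot fail, the hello should use the strong variant and bail on error, e.g. `if (RAND_bytes(p, SSL3_RANDOM_SIZE) <= 0) return -1;` (or whatever error return dtls1_send_server_hello uses; its body starts and ends outside the hunk). The same applies to the mirrored hunk for src/lib/libssl/src/ssl/d1_srvr.c.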
@@ -352,8 +328,7 @@ ssl23_client_hello(SSL *s) buf = (unsigned char *)s->init_buf->data; if (s->state == SSL23_ST_CW_CLNT_HELLO_A) { p = s->s3->client_random; - if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) - return -1; + RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE); if (version == TLS1_2_VERSION) { version_major = TLS1_2_VERSION_MAJOR; diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index f2c7dd2442..45dfb64f92 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -674,9 +674,7 @@ ssl3_client_hello(SSL *s) /* else use the pre-loaded session */ p = s->s3->client_random; - - if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) - goto err; + RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE); /* Do the message type and length last */ d = p = &(buf[4]); diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index bd22569ef0..c948045ae4 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -1130,10 +1130,7 @@ ssl3_get_client_hello(SSL *s) { unsigned char *pos; pos = s->s3->server_random; - if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } + RAND_pseudo_bytes(pos, SSL3_RANDOM_SIZE); } if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) { diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c index 8ff4d8e369..976b753a87 100644 --- a/src/lib/libssl/src/ssl/d1_clnt.c +++ b/src/lib/libssl/src/ssl/d1_clnt.c @@ -791,8 +791,7 @@ dtls1_client_hello(SSL *s) for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++) ; if (i == sizeof(s->s3->client_random)) - ssl_fill_hello_random(s, 0, p, - sizeof(s->s3->client_random)); + RAND_pseudo_bytes(p, sizeof(s->s3->client_random)); /* Do the message type and length last */ d = p = &(buf[DTLS1_HM_HEADER_LENGTH]); diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c index 24f0a2e86e..a118e8e82f 100644 
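Review bot: Replacing the checked `ssl_fill_hello_random` call with a bare `RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);` drops the `return -1` error path, so a failed or non-strong RNG result is no longer reported and ssl23_client_hello proceeds to build the hello around whatever is in client_random. If RAND_pseudo_bytes in this tree can still return 0 or -1, keep the check and prefer the strong variant for a handshake nonce: `if (RAND_bytes(p, SSL3_RANDOM_SIZE) <= 0) return -1;`. If it is an always-successful arc4random wrapper in LibreSSL, a one-line comment to that effect next to the call would document why the error path was removed on purpose. ssl23_client_hello starts and ends outside this hunk, and the mirrored hunk for src/lib/libssl/src/ssl/s23_clnt.c needs the same treatment.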
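Review bot: The new `RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE);` in ssl3_client_hello loses the `goto err` that the replaced check provided, so an RNG failure silently continues into the ClientHello construction instead of failing the handshake. Unless RAND_pseudo_bytes cannot fail in this tree, the check should stay, ideally on the strong variant: `if (RAND_bytes(p, SSL3_RANDOM_SIZE) <= 0) goto err;`. If it genuinely cannot fail here, say so in a short comment so the missing error path does not look like an oversight. ssl3_client_hello starts and ends outside this hunk; the mirrored hunk for src/lib/libssl/src/ssl/s3_clnt.c makes the same change.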
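Review bot: The server-side replacement `RAND_pseudo_bytes(pos, SSL3_RANDOM_SIZE);` removes the `al = SSL_AD_INTERNAL_ERROR; goto f_err;` path, so a failure to fill server_random no longer aborts the handshake with an alert and ssl3_get_client_hello continues with an unfilled or weak nonce. If RAND_pseudo_bytes can still fail in this tree, keep the alert path on the strong variant: `if (RAND_bytes(pos, SSL3_RANDOM_SIZE) <= 0) { al = SSL_AD_INTERNAL_ERROR; goto f_err; }`. If it is an infallible wrapper here, a one-line comment at the call site would justify dropping the only remaining error check in this block. ssl3_get_client_hello starts and ends outside this hunk; the mirrored hunk for src/lib/libssl/src/ssl/s3_srvr.c is identical.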
--- a/src/lib/libssl/src/ssl/d1_srvr.c +++ b/src/lib/libssl/src/ssl/d1_srvr.c @@ -909,7 +909,8 @@ dtls1_send_server_hello(SSL *s) if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf = (unsigned char *)s->init_buf->data; p = s->s3->server_random; - ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE); + RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE); + /* Do the message type and length last */ d = p= &(buf[DTLS1_HM_HEADER_LENGTH]); diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c index 16c30c083a..1bc582364b 100644 --- a/src/lib/libssl/src/ssl/s23_clnt.c +++ b/src/lib/libssl/src/ssl/s23_clnt.c @@ -285,30 +285,6 @@ end: return (ret); } -/* - * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 - * on failure, 1 on success. - */ -int -ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) -{ - int send_time = 0; - - if (len < 4) - return 0; - if (server) - send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0; - else - send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0; - if (send_time) { - unsigned long Time = (unsigned long)time(NULL); - unsigned char *p = result; - l2n(Time, p); - return RAND_pseudo_bytes(p, len - 4); - } else - return RAND_pseudo_bytes(result, len); -} - static int ssl23_client_hello(SSL *s) { @@ -352,8 +328,7 @@ ssl23_client_hello(SSL *s) buf = (unsigned char *)s->init_buf->data; if (s->state == SSL23_ST_CW_CLNT_HELLO_A) { p = s->s3->client_random; - if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) - return -1; + RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE); if (version == TLS1_2_VERSION) { version_major = TLS1_2_VERSION_MAJOR; diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index f2c7dd2442..45dfb64f92 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c 
@@ -674,9 +674,7 @@ ssl3_client_hello(SSL *s) /* else use the pre-loaded session */ p = s->s3->client_random; - - if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) - goto err; + RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE); /* Do the message type and length last */ d = p = &(buf[4]); diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index bd22569ef0..c948045ae4 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c @@ -1130,10 +1130,7 @@ ssl3_get_client_hello(SSL *s) { unsigned char *pos; pos = s->s3->server_random; - if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } + RAND_pseudo_bytes(pos, SSL3_RANDOM_SIZE); } if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) { diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h index fd01ac9806..0c5d76bc23 100644 --- a/src/lib/libssl/src/ssl/ssl.h +++ b/src/lib/libssl/src/ssl/ssl.h @@ -611,12 +611,6 @@ struct ssl_session_st { * TLS only.) "Released" buffers are put onto a free-list in the context * or just freed (depending on the context's setting for freelist_max_len). */ #define SSL_MODE_RELEASE_BUFFERS 0x00000010L -/* Send the current time in the Random fields of the ClientHello and - * ServerHello records for compatibility with hypothetical implementations - * that require it. - */ -#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L -#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h index 4aa2911da7..a96402ec5c 100644 --- a/src/lib/libssl/src/ssl/ssl_locl.h +++ b/src/lib/libssl/src/ssl/ssl_locl.h 
@@ -621,7 +621,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); int ssl_verify_alarm_type(long type); void ssl_load_ciphers(void); -int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len); const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index fd01ac9806..0c5d76bc23 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -611,12 +611,6 @@ struct ssl_session_st { * TLS only.) "Released" buffers are put onto a free-list in the context * or just freed (depending on the context's setting for freelist_max_len). */ #define SSL_MODE_RELEASE_BUFFERS 0x00000010L -/* Send the current time in the Random fields of the ClientHello and - * ServerHello records for compatibility with hypothetical implementations - * that require it. - */ -#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L -#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 4aa2911da7..a96402ec5c 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -621,7 +621,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); int ssl_verify_alarm_type(long type); void ssl_load_ciphers(void); -int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len); const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); -- cgit v1.2.3-55-g6feb