Do not include a timestamp in the ClientHello Random field.

Instead, send random bytes. While the gmt_unix_time record was added in an ostensible attempt to mitigate the dangers of a bad RNG, its presence leaks the host's view of the current time in the clear. This minor leak can help fingerprint TLS instances across networks and protocols... and what's worse, it's doubtful thet the gmt_unix_time record does any good at all for its intended purpose, since: * It's quite possible to open two TLS connections in one second. * If the PRNG output is prone to repeat itself, ephemeral * handshakes (and who knows what else besides) are broken.
author: Nick Mathewson <nickm@torproject.org> 2013-09-07 20:40:59 -0400
committer: Nick Mathewson <nickm@torproject.org> 2013-09-16 13:44:10 -0400
commit: 4af793036f6ef4f0a1078e5d7155426a98d50e37 (patch)
tree: 610acd22f68d760448939691b2603fb8c5e8a082 /ssl/s23_clnt.c
parent: 46ebd9e3bb623d3c15ef2203038956f3f7213620 (diff)
1 files changed, 2 insertions, 4 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 47673e740a..c9ef0f5cfc 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -274,7 +274,7 @@ static int ssl23_client_hello(SSL *s)
 	unsigned char *buf;
 	unsigned char *p,*d;
 	int i,ch_len;
-	unsigned long Time,l;
+	unsigned long l;
 	int ssl2_compat;
 	int version = 0, version_major, version_minor;
 #ifndef OPENSSL_NO_COMP
@@ -355,9 +355,7 @@ static int ssl23_client_hello(SSL *s)
 #endif
 
 		p=s->s3->client_random;
-		Time=(unsigned long)time(NULL);		/* Time */
-		l2n(Time,p);
-		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
 			return -1;
 
 		if (version == TLS1_2_VERSION)
author	Nick Mathewson <nickm@torproject.org>	2013-09-07 20:40:59 -0400
committer	Nick Mathewson <nickm@torproject.org>	2013-09-16 13:44:10 -0400
commit	4af793036f6ef4f0a1078e5d7155426a98d50e37 (patch)
tree	610acd22f68d760448939691b2603fb8c5e8a082 /ssl/s23_clnt.c
parent	46ebd9e3bb623d3c15ef2203038956f3f7213620 (diff)