diff options
author | Nick Mathewson <nickm@torproject.org> | 2013-10-20 15:03:24 -0700 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2013-10-20 15:03:24 -0700 |
commit | d757097bbca11f677dd8204b6364db3764cfe17c (patch) | |
tree | ef6cddb163147d95e5075b5b6b20c360e666dd5a /ssl/s3_srvr.c | |
parent | 7b112c2766a1e12c9f95ac70f1b3ed90649827ee (diff) |
Do not include a timestamp in the Client/ServerHello Random field.
Instead, send random bytes, unless SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
is set.
This is a forward-port of commits:
4af793036f6ef4f0a1078e5d7155426a98d50e37
f4c93b46edb51da71f09eda99e83eaf193a33c08
3da721dac9382c48812c8eba455528fd59af2eef
2583270191a8b27eed303c03ece1da97b9b69fd3
While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear. This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:
* It's quite possible to open two TLS connections in one second.
* If the PRNG output is prone to repeat itself, ephemeral
handshakes (and who knows what else besides) are broken.
Diffstat (limited to 'ssl/s3_srvr.c')
-rw-r--r-- | ssl/s3_srvr.c | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 09af9ae1cf..06e90dcd52 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1236,12 +1236,9 @@ int ssl3_get_client_hello(SSL *s) * server_random before calling tls_session_secret_cb in order to allow * SessionTicket processing to use it in key derivation. */ { - unsigned long Time; unsigned char *pos; - Time=(unsigned long)time(NULL); /* Time */ pos=s->s3->server_random; - l2n(Time,pos); - if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) + if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) { goto f_err; } |