Do not include a timestamp in the Client/ServerHello Random field.

Instead, send random bytes, unless SSL_SEND_{CLIENT,SERVER}RANDOM_MODE is set. This is a forward-port of commits: 4af793036f f4c93b46ed 3da721dac9 2583270191 While the gmt_unix_time record was added in an ostensible attempt to mitigate the dangers of a bad RNG, its presence leaks the host's view of the current time in the clear. This minor leak can help fingerprint TLS instances across networks and protocols... and what's worse, it's doubtful thet the gmt_unix_time record does any good at all for its intended purpose, since: * It's quite possible to open two TLS connections in one second. * If the PRNG output is prone to repeat itself, ephemeral handshakes (and who knows what else besides) are broken.
2013-10-20 15:03:24 -07:00
parent 7b112c2766
commit d757097bbc
5 changed files with 34 additions and 14 deletions
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -269,6 +269,28 @@ static int ssl23_no_ssl2_ciphers(SSL *s)
 	return 1;
 	}

+/* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0
+ * on failure, 1 on success. */
+int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
+	{
+		int send_time = 0;
+		if (len < 4)
+			return 0;
+		if (server)
+			send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
+		else
+			send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
+		if (send_time)
+			{
+			unsigned long Time = time(NULL);
+			unsigned char *p = result;
+			l2n(Time, p);
+			return RAND_pseudo_bytes(p, len-4);
+			}
+		else
+			return RAND_pseudo_bytes(result, len);
+	}
+
 static int ssl23_client_hello(SSL *s)
 	{
 	unsigned char *buf;
@@ -359,9 +381,7 @@ static int ssl23_client_hello(SSL *s)
 #endif

 		p=s->s3->client_random;
-		Time=(unsigned long)time(NULL);		/* Time */
-		l2n(Time,p);
-		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+		if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
 			return -1;

 		if (version == TLS1_2_VERSION)