Skip to content

Commit

Permalink
Prevent handshake with unseeded PRNG
Browse files Browse the repository at this point in the history
Fix security issue where under certain conditions a client can complete a
handshake with an unseeded PRNG. The conditions are:
- Client is on a platform where the PRNG has not been seeded, and the
user has not seeded manually
- A protocol specific client method version has been used (i.e. not
SSL_client_methodv23)
- A ciphersuite is used that does not require additional random data
from the PRNG beyond the initial ClientHello client random
(e.g. PSK-RC4-SHA)

If the handshake succeeds then the client random that has been used will
have been generated from a PRNG with insufficient entropy and therefore
the output may be predictable.

For example using the following command with an unseeded openssl will
succeed on an unpatched platform:

openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA

CVE-2015-0285

Reviewed-by: Richard Levitte <levitte@openssl.org>
  • Loading branch information
mattcaswell committed Mar 10, 2015
1 parent 0b142f0 commit e1b568d
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions ssl/s3_clnt.c
Original file line number Diff line number Diff line change
Expand Up @@ -719,8 +719,9 @@ int ssl3_client_hello(SSL *s)
} else
i = 1;

if (i)
ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random));
if (i && ssl_fill_hello_random(s, 0, p,
sizeof(s->s3->client_random)) <= 0)
goto err;

/* Do the message type and length last */
d = p = ssl_handshake_start(s);
Expand Down

0 comments on commit e1b568d

Please sign in to comment.