Skip to content

Commit e1b568d

Browse files
committed
Prevent handshake with unseeded PRNG
Fix security issue where under certain conditions a client can complete a handshake with an unseeded PRNG. The conditions are: - Client is on a platform where the PRNG has not been seeded, and the user has not seeded manually - A protocol specific client method version has been used (i.e. not SSL_client_methodv23) - A ciphersuite is used that does not require additional random data from the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA) If the handshake succeeds then the client random that has been used will have been generated from a PRNG with insufficient entropy and therefore the output may be predictable. For example using the following command with an unseeded openssl will succeed on an unpatched platform: openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA CVE-2015-0285 Reviewed-by: Richard Levitte <levitte@openssl.org>
1 parent 0b142f0 commit e1b568d

File tree

1 file changed

+3
-2
lines changed

1 file changed

+3
-2
lines changed

Diff for: ssl/s3_clnt.c

+3-2
Original file line numberDiff line numberDiff line change
@@ -719,8 +719,9 @@ int ssl3_client_hello(SSL *s)
719719
} else
720720
i = 1;
721721

722-
if (i)
723-
ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random));
722+
if (i && ssl_fill_hello_random(s, 0, p,
723+
sizeof(s->s3->client_random)) <= 0)
724+
goto err;
724725

725726
/* Do the message type and length last */
726727
d = p = ssl_handshake_start(s);

0 commit comments

Comments
 (0)