diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 0af45996..4fb4dd9f 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -429,13 +429,6 @@ OPENSSL_EXPORT uint32_t SSL_get_options(const SSL *ssl); * TODO(davidben): Remove this behavior. https://crbug.com/486295. */ #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L -/* SSL_MODE_SEND_CLIENTHELLO_TIME and SSL_MODE_SEND_SERVERHELLO_TIME send the - * current time in the random fields of the ClientHello and ServerHello records, - * respectively, for compatibility with hypothetical implementations that - * require it. */ -#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L -#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L - /* SSL_MODE_ENABLE_FALSE_START allows clients to send application data before * receipt of CCS and Finished. This mode enables full-handshakes to 'complete' * in one RTT. See draft-bmoeller-tls-falsestart-01. */ @@ -470,6 +463,8 @@ OPENSSL_EXPORT uint32_t SSL_get_options(const SSL *ssl); * compile code with BoringSSL. */ #define SSL_MODE_AUTO_RETRY 0 #define SSL_MODE_RELEASE_BUFFERS 0 +#define SSL_MODE_SEND_CLIENTHELLO_TIME 0 +#define SSL_MODE_SEND_SERVERHELLO_TIME 0 /* SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more * of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a bitmask diff --git a/ssl/internal.h b/ssl/internal.h index 0c0ecc32..4ca36f33 100644 --- a/ssl/internal.h +++ b/ssl/internal.h @@ -855,7 +855,10 @@ void ssl_get_compatible_server_ciphers(SSL *s, uint32_t *out_mask_k, STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); int ssl_verify_alarm_type(long type); -int ssl_fill_hello_random(SSL *s, int server, uint8_t *field, size_t len); + +/* ssl_fill_hello_random fills a client_random or server_random field of length + * |len|. It returns one on success and zero on failure. */ +int ssl_fill_hello_random(uint8_t *out, size_t len, int is_server); const SSL_CIPHER *ssl3_get_cipher_by_value(uint16_t value); uint16_t ssl3_get_cipher_value(const SSL_CIPHER *c); diff --git a/ssl/s3_both.c b/ssl/s3_both.c index b78f6d39..2222c06c 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -667,20 +667,10 @@ int ssl3_release_read_buffer(SSL *s) { return 1; } -/* ssl_fill_hello_random fills a client_random or server_random field of length - * |len|. Returns 0 on failure or 1 on success. */ -int ssl_fill_hello_random(SSL *s, int server, uint8_t *result, size_t len) { - int send_time = 0; - - if (server) { - send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0; - } else { - send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0; - } - - if (send_time) { +int ssl_fill_hello_random(uint8_t *out, size_t len, int is_server) { + if (is_server) { const uint32_t current_time = time(NULL); - uint8_t *p = result; + uint8_t *p = out; if (len < 4) { return 0; @@ -691,6 +681,6 @@ int ssl_fill_hello_random(SSL *s, int server, uint8_t *result, size_t len) { p[3] = current_time; return RAND_bytes(p + 4, len - 4); } else { - return RAND_bytes(result, len); + return RAND_bytes(out, len); } } diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 662077bd..789abbdb 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -610,7 +610,8 @@ int ssl3_send_client_hello(SSL *s) { /* If resending the ClientHello in DTLS after a HelloVerifyRequest, don't * renegerate the client_random. The random must be reused. */ if ((!SSL_IS_DTLS(s) || !s->d1->send_cookie) && - !ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random))) { + !ssl_fill_hello_random(p, sizeof(s->s3->client_random), + 0 /* client */)) { goto err; } diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 9ce889a8..d543874e 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1144,7 +1144,8 @@ int ssl3_send_server_hello(SSL *s) { *(p++) = s->version & 0xff; /* Random stuff */ - if (!ssl_fill_hello_random(s, 1, s->s3->server_random, SSL3_RANDOM_SIZE)) { + if (!ssl_fill_hello_random(s->s3->server_random, SSL3_RANDOM_SIZE, + 1 /* server */)) { OPENSSL_PUT_ERROR(SSL, ssl3_send_server_hello, ERR_R_INTERNAL_ERROR); return -1; }