From 4af793036f6ef4f0a1078e5d7155426a98d50e37 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Sat, 7 Sep 2013 20:40:59 -0400
Subject: [PATCH] Do not include a timestamp in the ClientHello Random field.

Instead, send random bytes.

While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear.  This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:

    * It's quite possible to open two TLS connections in one second.
    * If the PRNG output is prone to repeat itself, ephemeral
    * handshakes (and who knows what else besides) are broken.
---
 ssl/d1_clnt.c  | 6 ++----
 ssl/s23_clnt.c | 6 ++----
 ssl/s3_clnt.c  | 6 ++----
 3 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index a6ed09c51d..bfde14e09f 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -773,7 +773,7 @@ int dtls1_client_hello(SSL *s)
 	unsigned char *buf;
 	unsigned char *p,*d;
 	unsigned int i,j;
-	unsigned long Time,l;
+	unsigned long l;
 	SSL_COMP *comp;
 
 	buf=(unsigned char *)s->init_buf->data;
@@ -801,9 +801,7 @@ int dtls1_client_hello(SSL *s)
 		for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ;
 		if (i==sizeof(s->s3->client_random))
 			{
-			Time=(unsigned long)time(NULL);	/* Time */
-			l2n(Time,p);
-			RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4);
+			RAND_pseudo_bytes(p,sizeof(s->s3->client_random));
 			}
 
 		/* Do the message type and length last */
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 47673e740a..c9ef0f5cfc 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -274,7 +274,7 @@ static int ssl23_client_hello(SSL *s)
 	unsigned char *buf;
 	unsigned char *p,*d;
 	int i,ch_len;
-	unsigned long Time,l;
+	unsigned long l;
 	int ssl2_compat;
 	int version = 0, version_major, version_minor;
 #ifndef OPENSSL_NO_COMP
@@ -355,9 +355,7 @@ static int ssl23_client_hello(SSL *s)
 #endif
 
 		p=s->s3->client_random;
-		Time=(unsigned long)time(NULL);		/* Time */
-		l2n(Time,p);
-		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
 			return -1;
 
 		if (version == TLS1_2_VERSION)
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 344e2eb1af..1b54011252 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -655,7 +655,7 @@ int ssl3_client_hello(SSL *s)
 	unsigned char *buf;
 	unsigned char *p,*d;
 	int i;
-	unsigned long Time,l;
+	unsigned long l;
 #ifndef OPENSSL_NO_COMP
 	int j;
 	SSL_COMP *comp;
@@ -680,9 +680,7 @@ int ssl3_client_hello(SSL *s)
 		/* else use the pre-loaded session */
 
 		p=s->s3->client_random;
-		Time=(unsigned long)time(NULL);			/* Time */
-		l2n(Time,p);
-		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE) <= 0)
 			goto err;
 
 		/* Do the message type and length last */
-- 
2.34.1