From 61823b6a7421acf982ddf540e2f0a479a3f852af Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 22 Mar 2005 14:10:32 +0000
Subject: [PATCH] Ensure (SSL_RANDOM_BYTES - 4) of pseudo random data is used
 for server and client random values.

---
 CHANGES       | 24 +++++++++++++++++++++++-
 ssl/s3_clnt.c |  2 +-
 ssl/s3_srvr.c |  2 +-
 3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index e8222c200c..33e1911fcb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,29 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.7e and 0.9.7f  [XX xxx XXXX]
+ Changes between 0.9.7Ae and 0.9.7f  [XX xxx XXXX]
+
+  *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
+     server and client random values. Previously
+     (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
+     less random data when sizeof(time_t) > 4 (some 64 bit platforms).
+
+     This change has negligible security impact because:
+
+     1. Server and client random values still have 24 bytes of pseudo random
+        data.
+
+     2. Server and client random values are sent in the clear in the initial
+        handshake.
+
+     3. The master secret is derived using the premaster secret (48 bytes in
+        size for static RSA ciphersuites) as well as client server and random
+        values.
+
+     The OpenSSL team would like to thank the UK NISCC for bringing this issue
+     to our attention. 
+
+     [Stephen Henson, reported by UK NISCC]
 
   *) Use Windows randomness collection on Cygwin.
      [Ulf Möller]
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index a475033f01..0969476b25 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -535,7 +535,7 @@ static int ssl3_client_hello(SSL *s)
 		p=s->s3->client_random;
 		Time=time(NULL);			/* Time */
 		l2n(Time,p);
-		if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)) <= 0)
+		if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
 		    goto err;
 
 		/* Do the message type and length last */
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 0a573c6a48..5f3aada1d6 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -956,7 +956,7 @@ static int ssl3_send_server_hello(SSL *s)
 		p=s->s3->server_random;
 		Time=time(NULL);			/* Time */
 		l2n(Time,p);
-		if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)) <= 0)
+		if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
 			return -1;
 		/* Do the message type and length last */
 		d=p= &(buf[4]);
-- 
2.25.1