| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri Sep 23 13:24:25 2005
From: jas at extundo.com (Simon Josefsson)
Subject: SecureW2 TLS security problem
Hi everyone! I was looking at the code for a TLS implementation, an
open source implementation "SecureW2" by Alfa & Ariss, see:
http://www.securew2.com/uk/index.htm
I found that it uses weak random numbers when generating the
pre-master-secret. The code is in "./Components/Common/release
3/version 0/source/CommonTLS.c" and quoted below.
It appear to be using the weak srand/rand functions seeded by the
milliseconds field from the system clock. That doesn't provide you
with 48 bytes of strong randomness, you are lucky to get even a few
bytes.
Regards,
Simon
//
// Name: TLSGenPMS
// Description: Generate the 48 random bytes for the PMS (Pre Master Secret)
// Author: Tom Rixom
// Created: 17 December 2002
//
DWORD
TLSGenPMS( IN OUT BYTE pbPMS[TLS_PMS_SIZE] )
{
int i = 0;
SYSTEMTIME SystemTime;
DWORD dwRet;
dwRet = NO_ERROR;
AA_TRACE( ( TEXT( "TLSGenPMS" ) ) );
pbPMS[0] = 0x03;
pbPMS[1] = 0x01;
//
// Time (DWORD)
//
GetLocalTime( &SystemTime );
srand( ( unsigned int ) SystemTime.wMilliseconds );
//srand( ( unsigned )time( NULL ) );
//
// Random bytes
//
for( i=2; i < TLS_PMS_SIZE; i++ )
pbPMS[i] = ( BYTE ) ( rand() % 255 );
AA_TRACE( ( TEXT( "TLSGenPMS::random bytes: %s" ), AA_ByteToHex( pbPMS, TLS_PMS_SIZE ) ) );
return dwRet;
}
Powered by blists - more mailing lists