Check return value of time() when getting additional data for the DRBG (60595292) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

crypto/rand/rand_lib.c

+12 −4

Original line number	Diff line number	Diff line
		@@ -229,9 +229,11 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
		}

		/*
		* Find a suitable system time. Start with the highest resolution source
		* Find a suitable source of time. Start with the highest resolution source
		* and work down to the slower ones. This is added as additional data and
		* isn't counted as randomness, so any result is acceptable.
		*
		* Returns 0 when we weren't able to find any time source
		*/
		static uint64_t get_timer_bits(void)
		{
		@@ -286,7 +288,12 @@ static uint64_t get_timer_bits(void)
		return TWO32TO64(tv.tv_sec, tv.tv_usec);
		}
		# endif
		return time(NULL);
		{
		time_t t = time(NULL);
		if (t == (time_t)-1)
		return 0;
		return t;
		}
		#endif
		}

		@@ -329,6 +336,7 @@ size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len)
		RAND_POOL_add(pool, (unsigned char *)&thread_id, sizeof(thread_id), 0);

		tbits = get_timer_bits();
		if (tbits != 0)
		RAND_POOL_add(pool, (unsigned char *)&tbits, sizeof(tbits), 0);

		/* TODO: Use RDSEED? */