From 9443f7a2a78125ad3f806efbd6cbcf6ae02b4008 Mon Sep 17 00:00:00 2001 From: Dexter Gerig Date: Tue, 24 Feb 2026 09:33:39 +0000 Subject: [PATCH] [tls] Remove current time from client random bytes TLS versions 1.2 and earlier define a 4-byte gmt_unix_time field as part of the 32-byte ClientHello random data block, as a (minimal) form of protection against a broken random number generator. iPXE has never set this field to a correct value. Early versions had only relative timers and so set this field to zero. Commit 5da7123 ("[tls] Include current time within the client random bytes") did set this field to the current time, but neglected to use the correct byte ordering. TLS version 1.3 (defined in RFC 8446) omits the gmt_unix_time field completely and just defines the whole 32-byte value as random data. Simplify the code by using the approach defined in RFC 8446. Modified-by: Michael Brown Signed-off-by: Michael Brown --- src/include/ipxe/tls.h | 4 +--- src/net/tls.c | 2 -- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h index b4a92a044..6985ae63f 100644 --- a/src/include/ipxe/tls.h +++ b/src/include/ipxe/tls.h @@ -309,10 +309,8 @@ struct tls_signature_hash_algorithm { /** TLS client random data */ struct tls_client_random { - /** GMT Unix time */ - uint32_t gmt_unix_time; /** Random data */ - uint8_t random[28]; + uint8_t random[32]; } __attribute__ (( packed )); /** An MD5+SHA1 context */ diff --git a/src/net/tls.c b/src/net/tls.c index 4f8ea2692..73d470221 100644 --- a/src/net/tls.c +++ b/src/net/tls.c @@ -30,7 +30,6 @@ FILE_SECBOOT ( PERMITTED ); #include #include #include -#include #include #include #include @@ -3986,7 +3985,6 @@ int add_tls ( struct interface *xfer, const char *name, tls_clear_cipher ( tls, &tls->rx.cipherspec.active ); tls_clear_cipher ( tls, &tls->rx.cipherspec.pending ); tls_clear_handshake ( tls ); - tls->client.random.gmt_unix_time = time ( NULL ); iob_populate ( &tls->rx.iobuf, &tls->rx.header, 0, sizeof ( tls->rx.header ) ); INIT_LIST_HEAD ( &tls->rx.data );