Protect setting of hello_random flag

The handshake flag records whether the handshake hello.random
has been set, and can be checked later to decide whether we have
the correct keys.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index a1d2e19..6b95cfa 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -687,7 +687,7 @@
 #if defined(MBEDTLS_HAVE_TIME)
     mbedtls_time_t t;
 #endif
-
+    ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
     /*
      * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
      */
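Review bot: Resetting `hello_random_set` to UNSET as the first statement also affects the DTLS path described by the comment right below it, where the existing random must be reused. That branch is outside the hunk, but if it returns success without reaching the new `MBEDTLS_SSL_FI_FLAG_SET` assignment, the flag stays UNSET after a HelloVerifyRequest retry. A later check of the flag would then reject a legitimate handshake. Consider moving the reset to just after the reuse branch, so that it covers only the path that regenerates the random.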
@@ -713,13 +713,19 @@
     p += 4;
 #endif /* MBEDTLS_HAVE_TIME */
 
-    if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
-          ( mbedtls_ssl_conf_get_prng( ssl->conf ), p, 28 ) ) != 0 )
+    ret = mbedtls_ssl_conf_get_frng( ssl->conf )
+            ( mbedtls_ssl_conf_get_prng( ssl->conf ), p, 28 );
+    if( ret == 0 )
     {
-        return( ret );
+        mbedtls_platform_enforce_volatile_reads();
+        if( ret == 0 )
+        {
+            ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+            return( 0 );
+        }
     }
 
-    return( 0 );
+    return( ret );
 }
 
 /**
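Review bot: The nested `if( ret == 0 )` repeats the outer condition, so it only works as a fault-injection countermeasure if the compiler cannot fold it away. `ret` is declared above the hunk, so please confirm it is `volatile` or that `mbedtls_platform_enforce_volatile_reads()` forces a fresh read of it; otherwise the inner check is dead code. A short comment on the inner test, e.g. `/* Deliberate second check of ret (fault-injection hardening) - do not simplify */`, would also keep a later cleanup from removing it.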
@@ -1719,8 +1725,15 @@
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
         (unsigned long)mbedtls_platform_get_uint32_be( &buf[2] ) ) );
 
+    ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
+
     mbedtls_platform_memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
 
+    if( mbedtls_platform_memcmp( ssl->handshake->randbytes + 32, buf + 2, 32 ) == 0 )
+    {
+        ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+    }
+
     n = buf[34];
 
     MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, random bytes", buf + 2, 32 );
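Review bot: The reset / copy / compare / set sequence added around the `mbedtls_platform_memcpy` here is written out again in three hunks of library/ssl_srv.c, so one copy can easily drift; a compare whose offset or length differs from the copy would set the flag wrongly. A single internal helper taking destination, source and length would keep the copy and its verification in step; the name below is only a suggestion, and the helper must live where both files can see it. Note also that a compare mismatch falls through silently and nothing in this diff reads the flag, so the protection depends on a consumer elsewhere. The enclosing function starts and ends outside the hunk.

```c
/* Proposed shared helper (name is a suggestion; place it in a header that
 * both ssl_cli.c and ssl_srv.c include): copy a hello random and mark it
 * as set only if the copy reads back identical to the source. */
static inline void ssl_store_hello_random( mbedtls_ssl_context *ssl,
                                           unsigned char *dst,
                                           const unsigned char *src,
                                           size_t len )
{
    ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
    mbedtls_platform_memcpy( dst, src, len );
    if( mbedtls_platform_memcmp( dst, src, len ) == 0 )
    {
        ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
    }
}

    /* ... unchanged: "server hello, current time" debug message ... */
    ssl_store_hello_random( ssl, ssl->handshake->randbytes + 32, buf + 2, 32 );

    n = buf[34];
```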
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 8d14374..e349ed8 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1223,8 +1223,14 @@
     mbedtls_platform_memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
 
     p += sess_len;
+
+    ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
     memset( ssl->handshake->randbytes, 0, 64 );
     mbedtls_platform_memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
+    if( mbedtls_platform_memcmp( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ) == 0 )
+    {
+        ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+    }
 
     /*
      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
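Review bot: The compare added after the copy covers only the `chal_len` bytes of the challenge, so `MBEDTLS_SSL_FI_FLAG_SET` here vouches for less than the full 32-byte client random. The leading `32 - chal_len` bytes come from the plain `memset` on the context line above, which is not the platform variant used for the copy and is never read back. If the flag is meant to attest to the whole random, verify the zero padding as well. Otherwise add a comment stating the limit, e.g. `/* flag covers the chal_len challenge bytes only; padding is zeroed above */`.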
@@ -1717,10 +1723,14 @@
     /*
      * Save client random (inc. Unix time)
      */
+    ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
 
     mbedtls_platform_memcpy( ssl->handshake->randbytes, buf + 2, 32 );
-
+    if( mbedtls_platform_memcmp( ssl->handshake->randbytes, buf + 2, 32 ) == 0 )
+    {
+        ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+    }
     /*
      * Check the session ID length and save session ID
      */
@@ -2814,8 +2824,12 @@
     }
 
     p += 28;
-
+    ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
     mbedtls_platform_memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
+    if( mbedtls_platform_memcmp( ssl->handshake->randbytes + 32, buf + 6, 32 ) == 0 )
+    {
+        ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+    }
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );