ssl: Disallow modification of hello.random by export

Make client_random and server_random const in
mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged
from modifying the client/server hello.

Update examples and tests use const for hello.random as well, to ensure
that the export callbacks are of the proper type.

Fixes #2759
This commit is contained in:
Jaeden Amero 2019-09-12 10:09:57 +01:00
parent 37600837d3
commit 63d813d258
3 changed files with 12 additions and 11 deletions

View file

@ -970,7 +970,8 @@ struct mbedtls_ssl_config
* tls_prf and random bytes. Should replace f_export_keys */
int (*f_export_keys_ext)( void *, const unsigned char *,
const unsigned char *, size_t, size_t, size_t,
unsigned char[32], unsigned char[32], mbedtls_tls_prf_types );
const unsigned char[32], const unsigned char[32],
mbedtls_tls_prf_types );
void *p_export_keys; /*!< context for key export callback */
#endif
@ -1925,8 +1926,8 @@ typedef int mbedtls_ssl_export_keys_ext_t( void *p_expkey,
size_t maclen,
size_t keylen,
size_t ivlen,
unsigned char client_random[32],
unsigned char server_random[32],
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type );
#endif /* MBEDTLS_SSL_EXPORT_KEYS */

View file

@ -526,8 +526,8 @@ static int eap_tls_key_derivation ( void *p_expkey,
size_t maclen,
size_t keylen,
size_t ivlen,
unsigned char client_random[32],
unsigned char server_random[32],
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
eap_tls_keys *keys = (eap_tls_keys *)p_expkey;
@ -553,8 +553,8 @@ static int nss_keylog_export( void *p_expkey,
size_t maclen,
size_t keylen,
size_t ivlen,
unsigned char client_random[32],
unsigned char server_random[32],
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
char nss_keylog_line[ 200 ];

View file

@ -637,8 +637,8 @@ static int eap_tls_key_derivation ( void *p_expkey,
size_t maclen,
size_t keylen,
size_t ivlen,
unsigned char client_random[32],
unsigned char server_random[32],
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
eap_tls_keys *keys = (eap_tls_keys *)p_expkey;
@ -664,8 +664,8 @@ static int nss_keylog_export( void *p_expkey,
size_t maclen,
size_t keylen,
size_t ivlen,
unsigned char client_random[32],
unsigned char server_random[32],
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
char nss_keylog_line[ 200 ];