
ssl: Disallow modification of hello.random by export

Make client_random and server_random const in
mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged
from modifying the client/server hello.

Update examples and tests to use const for hello.random as well, to ensure
that the export callbacks are of the proper type.

Fixes #2759
Jaeden Amero
2019-09-12 10:09:57 +01:00
parent 37600837d3
commit 63d813d258
3 changed files with 12 additions and 11 deletions


@@ -637,8 +637,8 @@ static int eap_tls_key_derivation ( void *p_expkey,
size_t maclen,
size_t keylen,
size_t ivlen,
unsigned char client_random[32],
unsigned char server_random[32],
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
eap_tls_keys *keys = (eap_tls_keys *)p_expkey;
@@ -664,8 +664,8 @@ static int nss_keylog_export( void *p_expkey,
size_t maclen,
size_t keylen,
size_t ivlen,
unsigned char client_random[32],
unsigned char server_random[32],
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type )
{
char nss_keylog_line[ 200 ];
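Review bot: The read-only, 32-byte contract on `client_random` and `server_random` in `eap_tls_key_derivation` and `nss_keylog_export` is carried only by the parameter declaration, which the compiler adjusts to `const unsigned char *`. The `[32]` bound is therefore not checked at call sites, and `sizeof client_random` inside the body yields the pointer size rather than 32. A short comment above each callback would state this, e.g. `/* client_random, server_random: read-only, 32 bytes each; copy with an explicit length, never sizeof on the parameter. */`. Both function bodies continue outside the hunks shown, so whether they already copy with a fixed length cannot be confirmed from here.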