Protect setting of hello_random flag

The handshake flag tells when the handshake hello.random
is set and can be used later to decide if we have the correct
keys.

library/ssl_cli.c

@@ -687,7 +687,7 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_HAVE_TIME)
     mbedtls_time_t t;
 #endif
-
+    ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
     /*
      * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
      */
@@ -713,13 +713,19 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
     p += 4;
 #endif /* MBEDTLS_HAVE_TIME */
 
-    if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
+    ret = mbedtls_ssl_conf_get_frng( ssl->conf )
-          ( mbedtls_ssl_conf_get_prng( ssl->conf ), p, 28 ) ) != 0 )
+            ( mbedtls_ssl_conf_get_prng( ssl->conf ), p, 28 );
+    if( ret == 0 )
     {
-        return( ret );
+        mbedtls_platform_enforce_volatile_reads();
+        if( ret == 0 )
+        {
+            ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+            return( 0 );
+        }
     }
 
-    return( 0 );
+    return( ret );
 }
 
 /**
@@ -1719,8 +1725,15 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
         (unsigned long)mbedtls_platform_get_uint32_be( &buf[2] ) ) );
 
+    ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
+
     mbedtls_platform_memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
 
+    if( mbedtls_platform_memcmp( ssl->handshake->randbytes + 32, buf + 2, 32 ) == 0 )
+    {
+        ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+    }
+
     n = buf[34];
 
     MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, random bytes", buf + 2, 32 );

library/ssl_srv.c

@@ -1223,8 +1223,14 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
     mbedtls_platform_memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
 
     p += sess_len;
+
+    ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
     memset( ssl->handshake->randbytes, 0, 64 );
     mbedtls_platform_memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
+    if( mbedtls_platform_memcmp( ssl->handshake->randbytes + 32 - chal_len, p, chal_len ) == 0 )
+    {
+        ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+    }
 
     /*
      * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
@@ -1717,10 +1723,14 @@ read_record_header:
     /*
      * Save client random (inc. Unix time)
      */
+    ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
 
     mbedtls_platform_memcpy( ssl->handshake->randbytes, buf + 2, 32 );
-
+    if( mbedtls_platform_memcmp( ssl->handshake->randbytes, buf + 2, 32 ) == 0 )
+    {
+        ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+    }
     /*
      * Check the session ID length and save session ID
      */
@@ -2814,8 +2824,12 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
     }
 
     p += 28;
-
+    ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_UNSET;
     mbedtls_platform_memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
+    if( mbedtls_platform_memcmp( ssl->handshake->randbytes + 32, buf + 6, 32 ) == 0 )
+    {
+        ssl->handshake->hello_random_set = MBEDTLS_SSL_FI_FLAG_SET;
+    }
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );