From 8c4887c166bb0b13ded2de6c838c30da1fc656e6 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 22 Apr 2022 15:54:04 +0200 Subject: [PATCH 1/3] Free session in `wolfSSL_clear` - Define `NO_SESSION_CACHE_REF` in wpa build --- configure.ac | 1 + src/ssl.c | 9 ++++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 9f5198f25..7d551e816 100644 --- a/configure.ac +++ b/configure.ac @@ -1393,6 +1393,7 @@ then AM_CFLAGS="$AM_CFLAGS -DKEEP_OUR_CERT" AM_CFLAGS="$AM_CFLAGS -DKEEP_PEER_CERT" AM_CFLAGS="$AM_CFLAGS -DHAVE_KEYING_MATERIAL" + AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF" fi if test "$ENABLED_FORTRESS" = "yes" diff --git a/src/ssl.c b/src/ssl.c index 1282c36e6..1e0a51c99 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17989,14 +17989,17 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, if (ssl->hsHashes) (void)InitHandshakeHashes(ssl); -#ifdef SESSION_CERTS - ssl->session->chain.count = 0; -#endif #ifdef KEEP_PEER_CERT FreeX509(&ssl->peerCert); InitX509(&ssl->peerCert, 0, ssl->heap); #endif + wolfSSL_SESSION_free(ssl->session); + ssl->session = wolfSSL_NewSession(ssl->heap); + if (ssl->session == NULL) { + return WOLFSSL_FAILURE; + } + return WOLFSSL_SUCCESS; } From 4013f83e4fca08cf7b504c83781a1d05722c703a Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 25 Apr 2022 15:59:07 +0200 Subject: [PATCH 2/3] Add some missing logs and implement WOLFSSL_MSG_EX() WOLFSSL_MSG_EX() uses XVSNPRINTF to allow for formatted strings to be printed. It uses a 100 byte internal stack buffer to format the log message. --- src/internal.c | 6 ++++++ src/ssl.c | 6 ++++++ wolfcrypt/src/logging.c | 21 +++++++++++++++++++++ wolfssl/wolfcrypt/logging.h | 7 ++++++- 4 files changed, 39 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 8c1efa770..cf3e5eb15 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12114,6 +12114,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, args->exts[args->totalCerts].buffer = input + args->idx; args->idx += extSz; listSz -= extSz + OPAQUE16_LEN; + WOLFSSL_MSG_EX("\tParsing %d bytes of cert extensions", + args->exts[args->totalCerts].length); ret = TLSX_Parse(ssl, args->exts[args->totalCerts].buffer, (word16)args->exts[args->totalCerts].length, certificate, NULL); @@ -12601,12 +12603,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (args->fatal == 0 && ret == 0) { int doLookup = 1; + WOLFSSL_MSG("Checking if ocsp needed"); + if (ssl->options.side == WOLFSSL_CLIENT_END) { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->status_request) { args->fatal = (TLSX_CSR_InitRequest(ssl->extensions, args->dCert, ssl->heap) != 0); doLookup = 0; + WOLFSSL_MSG("\tHave status request"); #if defined(WOLFSSL_TLS13) if (ssl->options.tls1_3) { TLSX* ext = TLSX_Find(ssl->extensions, @@ -12635,6 +12640,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, args->fatal = (TLSX_CSR2_InitRequests(ssl->extensions, args->dCert, 1, ssl->heap) != 0); doLookup = 0; + WOLFSSL_MSG("\tHave status request v2"); } #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ } diff --git a/src/ssl.c b/src/ssl.c index 1e0a51c99..c159b283b 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2709,6 +2709,8 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, byte status_type, byte options) { + WOLFSSL_ENTER("wolfSSL_UseOCSPStapling"); + if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END) return BAD_FUNC_ARG; @@ -2720,6 +2722,8 @@ int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, byte status_type, byte options) int wolfSSL_CTX_UseOCSPStapling(WOLFSSL_CTX* ctx, byte status_type, byte options) { + WOLFSSL_ENTER("wolfSSL_CTX_UseOCSPStapling"); + if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) return BAD_FUNC_ARG; @@ -17966,6 +17970,8 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) int wolfSSL_clear(WOLFSSL* ssl) { + WOLFSSL_ENTER("wolfSSL_clear"); + if (ssl == NULL) { return WOLFSSL_FAILURE; } diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index 0d1874c8e..905509fa0 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -364,6 +364,27 @@ static void wolfssl_log(const int logLevel, const char *const logMessage) } #ifndef WOLFSSL_DEBUG_ERRORS_ONLY +#ifdef __clang__ +/* tell clang argument 1 is format */ +__attribute__((__format__ (__printf__, 1, 0))) +#endif +#if !defined(_WIN32) && defined(XVSNPRINTF) +#include /* for var args */ +void WOLFSSL_MSG_EX(const char* fmt, ...) +{ + if (loggingEnabled) { + char msg[100]; + int written; + va_list args; + va_start(args, fmt); + written = XVSNPRINTF(msg, sizeof(msg), fmt, args); + va_end(args); + if (written > 0) + wolfssl_log(INFO_LOG , msg); + } +} +#endif + void WOLFSSL_MSG(const char* msg) { if (loggingEnabled) diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h index fbf772139..547c58683 100644 --- a/wolfssl/wolfcrypt/logging.h +++ b/wolfssl/wolfcrypt/logging.h @@ -162,7 +162,11 @@ WOLFSSL_API void wolfSSL_Debugging_OFF(void); #define WOLFSSL_STUB(m) \ WOLFSSL_MSG(WOLFSSL_LOG_CAT(wolfSSL Stub, m, not implemented)) WOLFSSL_API int WOLFSSL_IS_DEBUG_ON(void); - +#if !defined(_WIN32) && defined(XVSNPRINTF) + WOLFSSL_API void WOLFSSL_MSG_EX(const char* fmt, ...); +#else + #define WOLFSSL_MSG_EX(m, ...) +#endif WOLFSSL_API void WOLFSSL_MSG(const char* msg); WOLFSSL_API void WOLFSSL_BUFFER(const byte* buffer, word32 length); @@ -173,6 +177,7 @@ WOLFSSL_API void wolfSSL_Debugging_OFF(void); #define WOLFSSL_STUB(m) #define WOLFSSL_IS_DEBUG_ON() 0 + #define WOLFSSL_MSG_EX(m, ...) #define WOLFSSL_MSG(m) #define WOLFSSL_BUFFER(b, l) From 7e9896d162eb5e284a172c57f3c6c6ddcc09fd1f Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 27 Apr 2022 22:04:32 +0200 Subject: [PATCH 3/3] Only clear session when we didn't complete a handshake - Allow overriding buffer size with `WOLFSSL_MSG_EX_BUF_SZ` - Allow disabling `WOLFSSL_MSG_EX` by defining `NO_WOLFSSL_MSG_EX` --- src/ssl.c | 15 +++++++++------ wolfcrypt/src/logging.c | 10 +++++++--- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index c159b283b..563a14168 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17976,6 +17976,15 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return WOLFSSL_FAILURE; } + if (!ssl->options.handShakeDone) { + /* Only reset the session if we didn't complete a handshake */ + wolfSSL_SESSION_free(ssl->session); + ssl->session = wolfSSL_NewSession(ssl->heap); + if (ssl->session == NULL) { + return WOLFSSL_FAILURE; + } + } + ssl->options.isClosed = 0; ssl->options.connReset = 0; ssl->options.sentNotify = 0; @@ -18000,12 +18009,6 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, InitX509(&ssl->peerCert, 0, ssl->heap); #endif - wolfSSL_SESSION_free(ssl->session); - ssl->session = wolfSSL_NewSession(ssl->heap); - if (ssl->session == NULL) { - return WOLFSSL_FAILURE; - } - return WOLFSSL_SUCCESS; } diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index 905509fa0..ec4173653 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -364,16 +364,20 @@ static void wolfssl_log(const int logLevel, const char *const logMessage) } #ifndef WOLFSSL_DEBUG_ERRORS_ONLY + +#if !defined(_WIN32) && defined(XVSNPRINTF) && !defined(NO_WOLFSSL_MSG_EX) +#include /* for var args */ +#ifndef WOLFSSL_MSG_EX_BUF_SZ +#define WOLFSSL_MSG_EX_BUF_SZ 100 +#endif #ifdef __clang__ /* tell clang argument 1 is format */ __attribute__((__format__ (__printf__, 1, 0))) #endif -#if !defined(_WIN32) && defined(XVSNPRINTF) -#include /* for var args */ void WOLFSSL_MSG_EX(const char* fmt, ...) { if (loggingEnabled) { - char msg[100]; + char msg[WOLFSSL_MSG_EX_BUF_SZ]; int written; va_list args; va_start(args, fmt);