forked from wolfSSL/wolfssl
Merge pull request #4532 from embhorn/zd13139
Fix mem leak in HandleTlsResumption
This commit is contained in:
@ -29131,25 +29131,31 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
* Session tickets are checked for validity based on the time each ticket
|
* Session tickets are checked for validity based on the time each ticket
|
||||||
* was created, timeout value and the current time. If the tickets are
|
* was created, timeout value and the current time. If the tickets are
|
||||||
* judged expired, falls back to full-handshake. If you want disable this
|
* judged expired, falls back to full-handshake. If you want disable this
|
||||||
* sessin ticket validation check in TLS1.2 and below, define
|
* session ticket validation check in TLS1.2 and below, define
|
||||||
* WOLFSSL_NO_TICKET_EXPRE.
|
* WOLFSSL_NO_TICKET_EXPRE.
|
||||||
*/
|
*/
|
||||||
int HandleTlsResumption(WOLFSSL* ssl, int bogusID, Suites* clSuites)
|
int HandleTlsResumption(WOLFSSL* ssl, int bogusID, Suites* clSuites)
|
||||||
{
|
{
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
WOLFSSL_SESSION* session;
|
WOLFSSL_SESSION* session;
|
||||||
|
#ifdef HAVE_EXT_CACHE
|
||||||
|
byte gotSess = 0;
|
||||||
|
#endif
|
||||||
(void)bogusID;
|
(void)bogusID;
|
||||||
|
#ifdef HAVE_SESSION_TICKET
|
||||||
session = GetSession(ssl, ssl->arrays->masterSecret, 1);
|
if (ssl->options.useTicket == 1) {
|
||||||
#ifdef HAVE_SESSION_TICKET
|
session = &ssl->session;
|
||||||
if (ssl->options.useTicket == 1) {
|
} else if (bogusID == 1 && ssl->options.rejectTicket == 0) {
|
||||||
session = &ssl->session;
|
WOLFSSL_MSG("Bogus session ID without session ticket");
|
||||||
} else if (bogusID == 1 && ssl->options.rejectTicket == 0) {
|
return BUFFER_ERROR;
|
||||||
WOLFSSL_MSG("Bogus session ID without session ticket");
|
} else
|
||||||
return BUFFER_ERROR;
|
#endif
|
||||||
}
|
{
|
||||||
|
session = GetSession(ssl, ssl->arrays->masterSecret, 1);
|
||||||
|
#ifdef HAVE_EXT_CACHE
|
||||||
|
gotSess = 1;
|
||||||
#endif
|
#endif
|
||||||
|
}
|
||||||
if (!session) {
|
if (!session) {
|
||||||
WOLFSSL_MSG("Session lookup for resume failed");
|
WOLFSSL_MSG("Session lookup for resume failed");
|
||||||
ssl->options.resuming = 0;
|
ssl->options.resuming = 0;
|
||||||
@ -29180,14 +29186,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
#ifdef WOLFSSL_EXTRA_ALERTS
|
#ifdef WOLFSSL_EXTRA_ALERTS
|
||||||
SendAlert(ssl, alert_fatal, handshake_failure);
|
SendAlert(ssl, alert_fatal, handshake_failure);
|
||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_EXT_CACHE
|
ret = EXT_MASTER_SECRET_NEEDED_E;
|
||||||
wolfSSL_SESSION_free(session);
|
|
||||||
#endif
|
|
||||||
return EXT_MASTER_SECRET_NEEDED_E;
|
|
||||||
}
|
}
|
||||||
#ifdef HAVE_EXT_CACHE
|
|
||||||
wolfSSL_SESSION_free(session);
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
#ifndef NO_RESUME_SUITE_CHECK
|
#ifndef NO_RESUME_SUITE_CHECK
|
||||||
@ -29205,36 +29205,41 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
#ifdef WOLFSSL_EXTRA_ALERTS
|
#ifdef WOLFSSL_EXTRA_ALERTS
|
||||||
SendAlert(ssl, alert_fatal, illegal_parameter);
|
SendAlert(ssl, alert_fatal, illegal_parameter);
|
||||||
#endif
|
#endif
|
||||||
return UNSUPPORTED_SUITE;
|
ret = UNSUPPORTED_SUITE;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef HAVE_EXT_CACHE
|
if (ret == 0) {
|
||||||
wolfSSL_SESSION_free(session);
|
if (MatchSuite(ssl, clSuites) < 0) {
|
||||||
#endif
|
WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
|
||||||
if (MatchSuite(ssl, clSuites) < 0) {
|
ret = UNSUPPORTED_SUITE;
|
||||||
WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
|
}
|
||||||
return UNSUPPORTED_SUITE;
|
|
||||||
}
|
}
|
||||||
|
if (ret == 0) {
|
||||||
ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom,
|
ret = wc_RNG_GenerateBlock(ssl->rng,
|
||||||
RAN_LEN);
|
ssl->arrays->serverRandom, RAN_LEN);
|
||||||
if (ret != 0)
|
}
|
||||||
return ret;
|
if (ret == 0) {
|
||||||
|
#ifdef NO_OLD_TLS
|
||||||
#ifdef NO_OLD_TLS
|
ret = DeriveTlsKeys(ssl);
|
||||||
ret = DeriveTlsKeys(ssl);
|
#else
|
||||||
#else
|
#ifndef NO_TLS
|
||||||
#ifndef NO_TLS
|
if (ssl->options.tls)
|
||||||
if (ssl->options.tls)
|
ret = DeriveTlsKeys(ssl);
|
||||||
ret = DeriveTlsKeys(ssl);
|
#endif
|
||||||
|
if (!ssl->options.tls)
|
||||||
|
ret = DeriveKeys(ssl);
|
||||||
#endif
|
#endif
|
||||||
if (!ssl->options.tls)
|
ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
|
||||||
ret = DeriveKeys(ssl);
|
}
|
||||||
#endif
|
|
||||||
ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_EXT_CACHE
|
||||||
|
if (gotSess) {
|
||||||
|
wolfSSL_SESSION_free(session);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Reference in New Issue
Block a user