diff --git a/configure.ac b/configure.ac index c2da7e6d6..ce331a967 100644 --- a/configure.ac +++ b/configure.ac @@ -2794,6 +2794,10 @@ then AM_CFLAGS="-DWOLFSSL_EARLY_DATA $AM_CFLAGS" fi +if test "$ENABLED_TLSV12" = "no" && test "$ENABLED_TLS13" = "yes" && test "x$ENABLED_SESSION_TICKET" = "xno" +then + AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE" +fi # PKCS7 AC_ARG_ENABLE([pkcs7], diff --git a/examples/client/client.c b/examples/client/client.c index 391d6fce6..4635e49d6 100644 --- a/examples/client/client.c +++ b/examples/client/client.c 
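Review bot: The new `if` block in configure.ac carries no comment saying why `NO_SESSION_CACHE` is forced for a TLS 1.3-only build without session tickets, and its quoting mixes two styles (`"$ENABLED_TLSV12" = "no"` next to `"x$ENABLED_SESSION_TICKET" = "xno"`). Presumably the cache is dropped because nothing can be resumed in that configuration, so a line such as `# TLS 1.3 only and no session tickets: nothing can be resumed, so the session cache is dead weight` above the test would record the intent, and using the `x`-prefix form for all three tests (or none) keeps the block uniform. The appended form `AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE"` also differs from the prepend used by the block just above it, which is harmless but worth aligning.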
@@ -721,6 +721,56 @@ static void ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead) } } +#ifdef WOLFSSL_EARLY_DATA +static void EarlyData(WOLFSSL_CTX* ctx, WOLFSSL* ssl, char* msg, int msgSz, + char* buffer) +{ + int err; + int ret; + + do { + err = 0; /* reset error */ + ret = wolfSSL_write_early_data(ssl, msg, msgSz, &msgSz); + if (ret <= 0) { + err = wolfSSL_get_error(ssl, 0); + #ifdef WOLFSSL_ASYNC_CRYPT + if (err == WC_PENDING_E) { + ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); + if (ret < 0) break; + } + #endif + } + } while (err == WC_PENDING_E); + if (ret != msgSz) { + printf("SSL_write_early_data msg error %d, %s\n", err, + wolfSSL_ERR_error_string(err, buffer)); + wolfSSL_free(ssl); ssl = NULL; + wolfSSL_CTX_free(ctx); ctx = NULL; + err_sys("SSL_write_early_data failed"); + } + do { + err = 0; /* reset error */ + ret = wolfSSL_write_early_data(ssl, msg, msgSz, &msgSz); + if (ret <= 0) { + err = wolfSSL_get_error(ssl, 0); + #ifdef WOLFSSL_ASYNC_CRYPT + if (err == WC_PENDING_E) { + ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); + if (ret < 0) break; + } + #endif + } + } while (err == WC_PENDING_E); + if (ret != msgSz) { + printf("SSL_write_early_data msg error %d, %s\n", err, + wolfSSL_ERR_error_string(err, buffer)); + wolfSSL_free(ssl); ssl = NULL; + wolfSSL_CTX_free(ctx); ctx = NULL; + err_sys("SSL_write_early_data failed"); + } +} +#endif + static void Usage(void) { printf("wolfSSL client " LIBWOLFSSL_VERSION_STRING @@ -2139,6 +2189,16 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) ret = NonBlockingSSL_Connect(ssl); } else { +#ifdef WOLFSSL_EARLY_DATA + #ifndef HAVE_SESSION_TICKET + if (!usePsk) { + } + else + #endif + if (earlyData) { + EarlyData(ctx, ssl, msg, msgSz, buffer); + } +#endif do { err = 0; /* reset error */ ret = wolfSSL_connect(ssl); 
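Review bot: In EarlyData's two error paths `ssl = NULL;` and `ctx = NULL;` now only clear the helper's own parameter copies — the caller's `ssl`/`ctx` keep pointing at the freed objects — so they are dead stores that suggest a safety the code does not provide; dropping them (and relying on err_sys() not returning, which the hunk does not show) makes the contract honest. The two back-to-back do/while blocks are identical apart from the `msgSz` the first write may have updated through its out-parameter, so a two-iteration loop expresses the deliberate double send without the copy. The helper also lacks a header comment; since it writes 0-RTT data, the comment should say the message is sent twice and that early data is replayable, so only idempotent data belongs in it.
```c
/* Send msg twice as TLS 1.3 early (0-RTT) data on ssl, for the example only.
 * Early data can be replayed by an on-path attacker, so only idempotent
 * data belongs here.  On failure the message is printed, ssl and ctx are
 * freed and err_sys() is called; the caller's pointers are not updated. */
static void EarlyData(WOLFSSL_CTX* ctx, WOLFSSL* ssl, char* msg, int msgSz,
                      char* buffer)
{
    int err;
    int ret;
    int i;

    for (i = 0; i < 2; i++) {
        do {
            err = 0; /* reset error */
            ret = wolfSSL_write_early_data(ssl, msg, msgSz, &msgSz);
            if (ret <= 0) {
                err = wolfSSL_get_error(ssl, 0);
            #ifdef WOLFSSL_ASYNC_CRYPT
                if (err == WC_PENDING_E) {
                    ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW);
                    if (ret < 0) break;
                }
            #endif
            }
        } while (err == WC_PENDING_E);
        if (ret != msgSz) {
            printf("SSL_write_early_data msg error %d, %s\n", err,
                   wolfSSL_ERR_error_string(err, buffer));
            wolfSSL_free(ssl);
            wolfSSL_CTX_free(ctx);
            err_sys("SSL_write_early_data failed");
        }
    }
}
```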
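Review bot: The `#ifndef HAVE_SESSION_TICKET` / `if (!usePsk) { } else` construction added ahead of the wolfSSL_connect() loop chains an empty `if` body into the `if (earlyData)` that follows, which reads like a leftover rather than a guard; `if (earlyData && usePsk)` under `#ifndef HAVE_SESSION_TICKET` with a plain `if (earlyData)` in the `#else` branch states the same condition directly. The same shape already exists in the resumption block later in client_test, so changing both keeps them consistent. On this first, non-resumed connection the only PSK that 0-RTT can bind to is an externally configured one, so a one-line comment saying that early data is attempted here only with PSK (when tickets are not compiled in) would help; client_test starts and ends outside the hunk.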
@@ -2403,50 +2463,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) else #endif if (earlyData) { - do { - err = 0; /* reset error */ - ret = wolfSSL_write_early_data(sslResume, msg, msgSz, - &msgSz); - if (ret <= 0) { - err = wolfSSL_get_error(sslResume, 0); - #ifdef WOLFSSL_ASYNC_CRYPT - if (err == WC_PENDING_E) { - ret = wolfSSL_AsyncPoll(sslResume, - WOLF_POLL_FLAG_CHECK_HW); - if (ret < 0) break; - } - #endif - } - } while (err == WC_PENDING_E); - if (ret != msgSz) { - printf("SSL_write_early_data msg error %d, %s\n", err, - wolfSSL_ERR_error_string(err, buffer)); - wolfSSL_free(sslResume); sslResume = NULL; - wolfSSL_CTX_free(ctx); ctx = NULL; - err_sys("SSL_write_early_data failed"); - } - do { - err = 0; /* reset error */ - ret = wolfSSL_write_early_data(sslResume, msg, msgSz, - &msgSz); - if (ret <= 0) { - err = wolfSSL_get_error(sslResume, 0); - #ifdef WOLFSSL_ASYNC_CRYPT - if (err == WC_PENDING_E) { - ret = wolfSSL_AsyncPoll(sslResume, - WOLF_POLL_FLAG_CHECK_HW); - if (ret < 0) break; - } - #endif - } - } while (err == WC_PENDING_E); - if (ret != msgSz) { - printf("SSL_write_early_data msg error %d, %s\n", err, - wolfSSL_ERR_error_string(err, buffer)); - wolfSSL_free(sslResume); sslResume = NULL; - wolfSSL_CTX_free(ctx); ctx = NULL; - err_sys("SSL_write_early_data failed"); - } + EarlyData(ctx, sslResume, msg, msgSz, buffer); } #endif do { diff --git a/scripts/external.test b/scripts/external.test index 9681677d9..9557a0b43 100755 --- a/scripts/external.test +++ b/scripts/external.test 
@@ -7,22 +7,28 @@ ca=./certs/wolfssl-website-ca.pem [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 -# cloudflare seems to change CAs quickly, disabled by default -if test -n "$WOLFSSL_EXTERNAL_TEST"; then - echo "WOLFSSL_EXTERNAL_TEST set, running test..." -else - echo "WOLFSSL_EXTERNAL_TEST NOT set, won't run" - exit 0 +# www.wolfssl.com isn't using RFC 8446 yet but the draft instead. +./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' +if [ $? -ne 0 ]; then + + # cloudflare seems to change CAs quickly, disabled by default + if test -n "$WOLFSSL_EXTERNAL_TEST"; then + echo "WOLFSSL_EXTERNAL_TEST set, running test..." + else + echo "WOLFSSL_EXTERNAL_TEST NOT set, won't run" + exit 0 + fi + + # is our desired server there? + ./scripts/ping.test $server 2 + RESULT=$? + [ $RESULT -ne 0 ] && exit 0 + + # client test against the server + ./examples/client/client -X -C -h $server -p 443 -g -A $ca + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + fi -# is our desired server there? -./scripts/ping.test $server 2 -RESULT=$? -[ $RESULT -ne 0 ] && exit 0 - -# client test against the server -./examples/client/client -X -C -h $server -p 443 -g -A $ca -RESULT=$? -[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 - exit 0 diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test index a043ba809..963f01849 100755 --- a/scripts/ocsp-stapling-with-ca-as-responder.test +++ b/scripts/ocsp-stapling-with-ca-as-responder.test @@ -1,6 +1,15 @@ #!/bin/bash # ocsp-stapling.test + +./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' +if [ $? -eq 0 ]; then + echo "TLS 1.2 or lower required" + echo "Skipped" + exit 0 +fi + + WORKSPACE=`pwd` CERT_DIR="./certs/ocsp" resume_port=0 diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index 7d7b93cab..1652ae713 100755 --- a/scripts/ocsp-stapling.test 
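Review bot: When the probe finds 'Bad SSL version' this script falls through to the final `exit 0` without saying so, whereas the ocsp-stapling*.test and ocsp.test hunks in the same commit print "TLS 1.2 or lower required" / "Skipped" before exiting; wrapping the whole body in `if [ $? -ne 0 ]` also re-indents the existing test for no gain. Placing the same early-exit guard those scripts use at the top keeps the behaviour uniform and leaves the original lines untouched. `grep -q` would additionally keep the matched client line out of the test log, though the sibling scripts do not use it either.
```shell
# www.wolfssl.com isn't using RFC 8446 yet but the draft instead.
./examples/client/client -v 3 2>&1 | grep -q -- 'Bad SSL version'
if [ $? -eq 0 ]; then
    echo "TLS 1.2 or lower required"
    echo "Skipped"
    exit 0
fi

# … unchanged: WOLFSSL_EXTERNAL_TEST check, ping, client run, exit 0 …
```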
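Review bot: The version probe added at the top of ocsp-stapling-with-ca-as-responder.test — run the client with `-v 3`, grep for 'Bad SSL version' — is pasted verbatim into ocsp-stapling.test, ocsp-stapling2.test and ocsp.test as well, and ties all four scripts to one exact client error string; if that message is ever reworded the scripts silently start running on TLS 1.3-only builds and fail for the wrong reason. A shared helper next to the existing ./scripts/ping.test, or at least a comment naming the dependency such as `# skip when the client was built without TLS 1.2: "-v 3" must be rejected with 'Bad SSL version'`, would make the coupling visible. Note also that `$?` after the pipeline is grep's status, so a client that fails to start for any other reason is treated as "TLS 1.2 available" and the test proceeds.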
+++ b/scripts/ocsp-stapling.test @@ -2,6 +2,15 @@ # ocsp-stapling.test + +./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' +if [ $? -eq 0 ]; then + echo "TLS 1.2 or lower required" + echo "Skipped" + exit 0 +fi + + # create a unique ready file ending in PID for the script instance ($$) to take # advantage of port zero solution WORKSPACE=`pwd` diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index 7fa4b1092..f0d9d2a58 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test @@ -1,6 +1,15 @@ #!/bin/bash # ocsp-stapling.test + +./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' +if [ $? -eq 0 ]; then + echo "TLS 1.2 or lower required" + echo "Skipped" + exit 0 +fi + + WORKSPACE=`pwd` CERT_DIR="certs/ocsp" diff --git a/scripts/ocsp.test b/scripts/ocsp.test index 09c98546e..e16aa8f22 100755 --- a/scripts/ocsp.test +++ b/scripts/ocsp.test @@ -8,6 +8,13 @@ ca=certs/external/ca-globalsign-root.pem [ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \ && exit 1 +./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' +if [ $? -eq 0 ]; then + echo "TLS 1.2 or lower required" + echo "Skipped" + exit 0 +fi + # is our desired server there? ./scripts/ping.test $server 2 RESULT=$? diff --git a/scripts/resume.test b/scripts/resume.test index c4bd80f1e..cbae7ebbb 100755 --- a/scripts/resume.test +++ b/scripts/resume.test @@ -119,6 +119,11 @@ if [ $? -ne 0 ]; then fi fi +./examples/client/client -? 2>&1 | grep -- 'Resume session' +if [ $? -ne 0 ]; then + RUN_TEST="Y" +fi + if [ "$RUN_TEST" = "Y" ]; then do_test diff --git a/src/internal.c b/src/internal.c index ee24ce84f..52701667a 100644 --- a/src/internal.c +++ b/src/internal.c 
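Review bot: The probe added to resume.test sets `RUN_TEST="Y"` when the client's usage text does not contain 'Resume session', i.e. it turns the test on precisely when the binary appears to lack session resumption, which is the opposite sense of the probes in the sibling scripts of this commit; if that is intentional (do_test exercising the no-resumption path, perhaps), a comment such as `# no 'Resume session' option: client built without a session cache, still run the non-resume path` would keep the next reader from inverting it. do_test and the earlier RUN_TEST assignments sit outside the hunk, so the intent cannot be confirmed from here.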
@@ -6539,7 +6539,8 @@ static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl } -#if !defined(WOLFSSL_NO_TLS12) || defined(HAVE_SESSION_TICKET) +#if !defined(WOLFSSL_NO_TLS12) || (defined(HAVE_SESSION_TICKET) && \ + !defined(NO_WOLFSSL_SERVER)) /* add handshake header for message */ static void AddHandShakeHeader(byte* output, word32 length, word32 fragOffset, word32 fragLength, @@ -6586,7 +6587,7 @@ static void AddHeaders(byte* output, word32 length, byte type, WOLFSSL* ssl) AddRecordHeader(output, length + lengthAdj, handshake, ssl); AddHandShakeHeader(output + outputAdj, length, 0, length, type, ssl); } -#endif /* !WOLFSSL_NO_TLS12 || HAVE_SESSION_TICKET */ +#endif /* !WOLFSSL_NO_TLS12 || (HAVE_SESSION_TICKET && !NO_WOLFSSL_SERVER) */ #ifndef WOLFSSL_NO_TLS12
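Review bot: The widened `#if` around AddHandShakeHeader and AddHeaders now also removes them from client-only builds that have session tickets, but nothing in the hunk says why NO_WOLFSSL_SERVER matters; a one-line comment above the guard, e.g. `/* TLS 1.3-only builds need these only for the server-side session-ticket path */`, would record the reasoning, which I infer from the condition rather than from code shown here. The second hunk keeps the matching `#endif` comment in step, which is good. Any remaining caller on a client-only, TLS 1.3-only path would now fail to build, so that combination is the one a build matrix should cover.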