From 487c60df78d2302ad85f5193912d5653954546dc Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Tue, 28 Aug 2018 15:37:15 +1000 Subject: [PATCH] Fixes to work when compiled with TLS 1.3 only TLS 1.3 Early Data can be used with PSK and not session tickets. If only TLS 1.3 and no session tickets then no resumption. External sites don't support TLS 1.3 yet. --- configure.ac | 4 + examples/client/client.c | 105 ++++++++++-------- scripts/external.test | 38 ++++--- .../ocsp-stapling-with-ca-as-responder.test | 9 ++ scripts/ocsp-stapling.test | 9 ++ scripts/ocsp-stapling2.test | 9 ++ scripts/ocsp.test | 7 ++ scripts/resume.test | 5 + src/internal.c | 5 +- 9 files changed, 129 insertions(+), 62 deletions(-) diff --git a/configure.ac b/configure.ac index c2da7e6d6..ce331a967 100644 --- a/configure.ac +++ b/configure.ac @@ -2794,6 +2794,10 @@ then AM_CFLAGS="-DWOLFSSL_EARLY_DATA $AM_CFLAGS" fi +if test "$ENABLED_TLSV12" = "no" && test "$ENABLED_TLS13" = "yes" && test "x$ENABLED_SESSION_TICKET" = "xno" +then + AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE" +fi # PKCS7 AC_ARG_ENABLE([pkcs7], diff --git a/examples/client/client.c b/examples/client/client.c index 391d6fce6..4635e49d6 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -721,6 +721,56 @@ static void ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead) } } +#ifdef WOLFSSL_EARLY_DATA +static void EarlyData(WOLFSSL_CTX* ctx, WOLFSSL* ssl, char* msg, int msgSz, + char* buffer) +{ + int err; + int ret; + + do { + err = 0; /* reset error */ + ret = wolfSSL_write_early_data(ssl, msg, msgSz, &msgSz); + if (ret <= 0) { + err = wolfSSL_get_error(ssl, 0); + #ifdef WOLFSSL_ASYNC_CRYPT + if (err == WC_PENDING_E) { + ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); + if (ret < 0) break; + } + #endif + } + } while (err == WC_PENDING_E); + if (ret != msgSz) { + printf("SSL_write_early_data msg error %d, %s\n", err, + wolfSSL_ERR_error_string(err, buffer)); + wolfSSL_free(ssl); ssl = NULL; + wolfSSL_CTX_free(ctx); ctx = NULL; + err_sys("SSL_write_early_data failed"); + } + do { + err = 0; /* reset error */ + ret = wolfSSL_write_early_data(ssl, msg, msgSz, &msgSz); + if (ret <= 0) { + err = wolfSSL_get_error(ssl, 0); + #ifdef WOLFSSL_ASYNC_CRYPT + if (err == WC_PENDING_E) { + ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); + if (ret < 0) break; + } + #endif + } + } while (err == WC_PENDING_E); + if (ret != msgSz) { + printf("SSL_write_early_data msg error %d, %s\n", err, + wolfSSL_ERR_error_string(err, buffer)); + wolfSSL_free(ssl); ssl = NULL; + wolfSSL_CTX_free(ctx); ctx = NULL; + err_sys("SSL_write_early_data failed"); + } +} +#endif + static void Usage(void) { printf("wolfSSL client " LIBWOLFSSL_VERSION_STRING @@ -2139,6 +2189,16 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) ret = NonBlockingSSL_Connect(ssl); } else { +#ifdef WOLFSSL_EARLY_DATA + #ifndef HAVE_SESSION_TICKET + if (!usePsk) { + } + else + #endif + if (earlyData) { + EarlyData(ctx, ssl, msg, msgSz, buffer); + } +#endif do { err = 0; /* reset error */ ret = wolfSSL_connect(ssl); @@ -2403,50 +2463,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) else #endif if (earlyData) { - do { - err = 0; /* reset error */ - ret = wolfSSL_write_early_data(sslResume, msg, msgSz, - &msgSz); - if (ret <= 0) { - err = wolfSSL_get_error(sslResume, 0); - #ifdef WOLFSSL_ASYNC_CRYPT - if (err == WC_PENDING_E) { - ret = wolfSSL_AsyncPoll(sslResume, - WOLF_POLL_FLAG_CHECK_HW); - if (ret < 0) break; - } - #endif - } - } while (err == WC_PENDING_E); - if (ret != msgSz) { - printf("SSL_write_early_data msg error %d, %s\n", err, - wolfSSL_ERR_error_string(err, buffer)); - wolfSSL_free(sslResume); sslResume = NULL; - wolfSSL_CTX_free(ctx); ctx = NULL; - err_sys("SSL_write_early_data failed"); - } - do { - err = 0; /* reset error */ - ret = wolfSSL_write_early_data(sslResume, msg, msgSz, - &msgSz); - if (ret <= 0) { - err = wolfSSL_get_error(sslResume, 0); - #ifdef WOLFSSL_ASYNC_CRYPT - if (err == WC_PENDING_E) { - ret = wolfSSL_AsyncPoll(sslResume, - WOLF_POLL_FLAG_CHECK_HW); - if (ret < 0) break; - } - #endif - } - } while (err == WC_PENDING_E); - if (ret != msgSz) { - printf("SSL_write_early_data msg error %d, %s\n", err, - wolfSSL_ERR_error_string(err, buffer)); - wolfSSL_free(sslResume); sslResume = NULL; - wolfSSL_CTX_free(ctx); ctx = NULL; - err_sys("SSL_write_early_data failed"); - } + EarlyData(ctx, sslResume, msg, msgSz, buffer); } #endif do { diff --git a/scripts/external.test b/scripts/external.test index 9681677d9..9557a0b43 100755 --- a/scripts/external.test +++ b/scripts/external.test @@ -7,22 +7,28 @@ ca=./certs/wolfssl-website-ca.pem [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 -# cloudflare seems to change CAs quickly, disabled by default -if test -n "$WOLFSSL_EXTERNAL_TEST"; then - echo "WOLFSSL_EXTERNAL_TEST set, running test..." -else - echo "WOLFSSL_EXTERNAL_TEST NOT set, won't run" - exit 0 +# www.wolfssl.com isn't using RFC 8446 yet but the draft instead. +./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' +if [ $? -ne 0 ]; then + + # cloudflare seems to change CAs quickly, disabled by default + if test -n "$WOLFSSL_EXTERNAL_TEST"; then + echo "WOLFSSL_EXTERNAL_TEST set, running test..." + else + echo "WOLFSSL_EXTERNAL_TEST NOT set, won't run" + exit 0 + fi + + # is our desired server there? + ./scripts/ping.test $server 2 + RESULT=$? + [ $RESULT -ne 0 ] && exit 0 + + # client test against the server + ./examples/client/client -X -C -h $server -p 443 -g -A $ca + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + fi -# is our desired server there? -./scripts/ping.test $server 2 -RESULT=$? -[ $RESULT -ne 0 ] && exit 0 - -# client test against the server -./examples/client/client -X -C -h $server -p 443 -g -A $ca -RESULT=$? -[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 - exit 0 diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test index a043ba809..963f01849 100755 --- a/scripts/ocsp-stapling-with-ca-as-responder.test +++ b/scripts/ocsp-stapling-with-ca-as-responder.test @@ -1,6 +1,15 @@ #!/bin/bash # ocsp-stapling.test + +./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' +if [ $? -eq 0 ]; then + echo "TLS 1.2 or lower required" + echo "Skipped" + exit 0 +fi + + WORKSPACE=`pwd` CERT_DIR="./certs/ocsp" resume_port=0 diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index 7d7b93cab..1652ae713 100755 --- a/scripts/ocsp-stapling.test +++ b/scripts/ocsp-stapling.test @@ -2,6 +2,15 @@ # ocsp-stapling.test + +./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' +if [ $? -eq 0 ]; then + echo "TLS 1.2 or lower required" + echo "Skipped" + exit 0 +fi + + # create a unique ready file ending in PID for the script instance ($$) to take # advantage of port zero solution WORKSPACE=`pwd` diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index 7fa4b1092..f0d9d2a58 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test @@ -1,6 +1,15 @@ #!/bin/bash # ocsp-stapling.test + +./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' +if [ $? -eq 0 ]; then + echo "TLS 1.2 or lower required" + echo "Skipped" + exit 0 +fi + + WORKSPACE=`pwd` CERT_DIR="certs/ocsp" diff --git a/scripts/ocsp.test b/scripts/ocsp.test index 09c98546e..e16aa8f22 100755 --- a/scripts/ocsp.test +++ b/scripts/ocsp.test @@ -8,6 +8,13 @@ ca=certs/external/ca-globalsign-root.pem [ ! -x ./examples/client/client ] && printf '\n\n%s\n' "Client doesn't exist" \ && exit 1 +./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' +if [ $? -eq 0 ]; then + echo "TLS 1.2 or lower required" + echo "Skipped" + exit 0 +fi + # is our desired server there? ./scripts/ping.test $server 2 RESULT=$? diff --git a/scripts/resume.test b/scripts/resume.test index c4bd80f1e..cbae7ebbb 100755 --- a/scripts/resume.test +++ b/scripts/resume.test @@ -119,6 +119,11 @@ if [ $? -ne 0 ]; then fi fi +./examples/client/client -? 2>&1 | grep -- 'Resume session' +if [ $? -ne 0 ]; then + RUN_TEST="Y" +fi + if [ "$RUN_TEST" = "Y" ]; then do_test diff --git a/src/internal.c b/src/internal.c index ee24ce84f..52701667a 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6539,7 +6539,8 @@ static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl } -#if !defined(WOLFSSL_NO_TLS12) || defined(HAVE_SESSION_TICKET) +#if !defined(WOLFSSL_NO_TLS12) || (defined(HAVE_SESSION_TICKET) && \ + !defined(NO_WOLFSSL_SERVER)) /* add handshake header for message */ static void AddHandShakeHeader(byte* output, word32 length, word32 fragOffset, word32 fragLength, @@ -6586,7 +6587,7 @@ static void AddHeaders(byte* output, word32 length, byte type, WOLFSSL* ssl) AddRecordHeader(output, length + lengthAdj, handshake, ssl); AddHandShakeHeader(output + outputAdj, length, 0, length, type, ssl); } -#endif /* !WOLFSSL_NO_TLS12 || HAVE_SESSION_TICKET */ +#endif /* !WOLFSSL_NO_TLS12 || (HAVE_SESSION_TICKET && !NO_WOLFSSL_SERVER) */ #ifndef WOLFSSL_NO_TLS12