From 68f71d0d968e4a26d7a2af63a2c5a59fa22bb3b7 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Wed, 17 Aug 2022 18:19:28 +0200
Subject: [PATCH] Remove WOLFSSL_SESSION_TYPE_REF buffers from WOLFSSL_SESSION
---
 src/internal.c | 4 ++--
 src/ssl.c | 46 +++++++++++++++++-----------------------------
 wolfssl/internal.h | 23 ++++-------------------
 3 files changed, 23 insertions(+), 50 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 1add79966..f620fb22a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -29497,11 +29497,11 @@ int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length)
 /* Free old dynamic ticket if we already had one */
 if (ssl->session->ticketLenAlloc > 0) {
 XFREE(ssl->session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
- ssl->session->ticket = ssl->session->_staticTicket;
+ ssl->session->ticket = ssl->session->staticTicket;
 ssl->session->ticketLenAlloc = 0;
 }
- if (length > sizeof(ssl->session->_staticTicket)) {
+ if (length > sizeof(ssl->session->staticTicket)) {
 byte* sessionTicket = (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
 if (sessionTicket == NULL)
diff --git a/src/ssl.c b/src/ssl.c
index dc629deed..870383023 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -3418,7 +3418,7 @@ WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf,
 XFREE(ssl->session->ticket, ssl->session->heap, DYNAMIC_TYPE_SESSION_TICK);
 ssl->session->ticketLenAlloc = 0;
- ssl->session->ticket = ssl->session->_staticTicket;
+ ssl->session->ticket = ssl->session->staticTicket;
 }
 } else { /* Ticket requires dynamic ticket storage */
@@ -3430,7 +3430,7 @@ WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf,
 ssl->session->ticket = (byte*)XMALLOC(bufSz, ssl->session->heap, DYNAMIC_TYPE_SESSION_TICK);
 if(ssl->session->ticket == NULL) {
- ssl->session->ticket = ssl->session->_staticTicket;
+ ssl->session->ticket = ssl->session->staticTicket;
 ssl->session->ticketLenAlloc = 0;
 return MEMORY_ERROR;
 }
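Review bot: In the `@@ -3430` hunk of wolfSSL_set_SessionTicket, the XMALLOC failure path points `ticket` back at `staticTicket` and clears `ticketLenAlloc` but, in the visible lines, leaves `ticketLen` untouched, whereas the equivalent failure path in wolfSSL_GetSessionFromCache also sets `ticketLen = 0`. If `ticketLen` still holds the previous ticket's length, a later reader could trust a length that exceeds the inline buffer, and with `staticTicket` now placed mid-struct the excess would fall on the neighbouring session fields. Adding `ssl->session->ticketLen = 0;` before `return MEMORY_ERROR;` would keep pointer, length and allocation size consistent. The function starts and ends outside the hunk, so confirm that no earlier statement already resets the length.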
@@ -13599,7 +13599,7 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
 WOLFSSL_MSG("Session cache row lock failure");
 #ifdef HAVE_SESSION_TICKET
 if (tmpBufSet) {
- output->ticket = output->_staticTicket;
+ output->ticket = output->staticTicket;
 output->ticketLenAlloc = 0;
 }
 #ifdef WOLFSSL_SMALL_STACK
@@ -13672,18 +13672,18 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
 DYNAMIC_TYPE_SESSION_TICK);
 if (output->ticket == NULL) {
 error = WOLFSSL_FAILURE;
- output->ticket = output->_staticTicket;
+ output->ticket = output->staticTicket;
 output->ticketLenAlloc = 0;
 output->ticketLen = 0;
 }
 }
 else {
- output->ticket = output->_staticTicket;
+ output->ticket = output->staticTicket;
 output->ticketLenAlloc = 0;
 }
 }
 else {
- output->ticket = output->_staticTicket;
+ output->ticket = output->staticTicket;
 output->ticketLenAlloc = 0;
 output->ticketLen = 0;
 }
@@ -14101,7 +14101,9 @@ int AddSessionToCache(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* addSession,
 * ticBuff at all making it a very cheap malloc/free. The page on a modern
 * OS will most likely not even be allocated to the process. */
 if (ticBuff != NULL && cacheSession->ticketLenAlloc < ticLen) {
- cacheTicBuff = cacheSession->ticket;
+ /* Save pointer only if separately allocated */
+ if (cacheSession->ticket != cacheSession->staticTicket)
+ cacheTicBuff = cacheSession->ticket;
 ticBuffUsed = 1;
 cacheSession->ticket = ticBuff;
 cacheSession->ticketLenAlloc = (word16) ticLen;
@@ -14143,7 +14145,7 @@ int AddSessionToCache(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* addSession,
 #ifdef HAVE_SESSION_TICKET
 else if (ticBuffUsed) {
 /* Error occured. Need to clean up the ticket buffer. */
- cacheSession->ticket = cacheSession->_staticTicket;
+ cacheSession->ticket = cacheSession->staticTicket;
 cacheSession->ticketLenAlloc = 0;
 cacheSession->ticketLen = 0;
 }
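Review bot: The new guard in AddSessionToCache (`@@ -14101`) recognises a heap ticket by pointer (`ticket != staticTicket`), while SetTicket in this same patch recognises one by `ticketLenAlloc > 0`; the two tests agree only while every writer keeps `ticket` and `ticketLenAlloc` in step. What `cacheTicBuff` is used for afterwards lies outside the hunk, but if it is released, a row whose `ticket` holds some other non-heap address (for instance one carried over by a raw struct copy) would still pass the pointer test. I would state the invariant in the comment, e.g. `/* invariant: ticket == staticTicket exactly when ticketLenAlloc == 0 */`, and put braces around the two-line `if` so the assignment cannot drift away from its condition.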
@@ -19902,19 +19904,12 @@ WOLFSSL_SESSION* wolfSSL_NewSession(void* heap)
 #endif
 ret->type = WOLFSSL_SESSION_TYPE_HEAP;
 ret->heap = heap;
- ret->masterSecret = ret->_masterSecret;
 #ifdef WOLFSSL_CHECK_MEM_ZERO
 wc_MemZero_Add("SESSION master secret", ret->masterSecret, SECRET_LEN);
 wc_MemZero_Add("SESSION id", ret->sessionID, ID_LEN);
 #endif
- #ifndef NO_CLIENT_CACHE
- ret->serverID = ret->_serverID;
- #endif
- #ifdef OPENSSL_EXTRA
- ret->sessionCtx = ret->_sessionCtx;
- #endif
 #ifdef HAVE_SESSION_TICKET
- ret->ticket = ret->_staticTicket;
+ ret->ticket = ret->staticTicket;
 #endif
 #ifdef HAVE_STUNNEL
 /* stunnel has this funny mechanism of storing the "is_authenticated"
@@ -20001,7 +19996,7 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output,
 }
 #ifdef HAVE_SESSION_TICKET
- if (output->ticket != output->_staticTicket) {
+ if (output->ticket != output->staticTicket) {
 ticBuff = output->ticket;
 ticLenAlloc = output->ticketLenAlloc;
 }
@@ -20022,8 +20017,8 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output,
 sizeof(WOLFSSL_SESSION) - copyOffset);
 /* Set sane values for copy */
- if (output->type != WOLFSSL_SESSION_TYPE_CACHE)
 #ifndef NO_SESSION_CACHE
+ if (output->type != WOLFSSL_SESSION_TYPE_CACHE)
 output->cacheRow = INVALID_SESSION_ROW;
 #endif
 #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
@@ -20038,13 +20033,6 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output,
 else
 /* output->peer is not that important to copy */
 output->peer = NULL;
-#endif
- output->masterSecret = output->_masterSecret;
-#ifndef NO_CLIENT_CACHE
- output->serverID = output->_serverID;
-#endif
-#ifdef OPENSSL_EXTRA
- output->sessionCtx = output->_sessionCtx;
 #endif
 #ifdef HAVE_SESSION_TICKET
 if (input->ticketLen > SESSION_TICKET_LEN) {
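Review bot: The relocated `if (output->type != WOLFSSL_SESSION_TYPE_CACHE)` in the `@@ -20022` hunk is still braceless, with only an `#endif` between its single statement and the next `#if` block. The old placement, outside `#ifndef NO_SESSION_CACHE`, shows how such an `if` ends up governing whatever follows once the guarded line is compiled out. Bracing it makes the scope explicit and robust against further preprocessor edits: `if (output->type != WOLFSSL_SESSION_TYPE_CACHE) { output->cacheRow = INVALID_SESSION_ROW; }`. wolfSSL_DupSession starts and ends outside the hunk.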
@@ -20090,7 +20078,7 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output,
 * the static buffer. */
 if (ticBuff != NULL) {
 if (ticLenAlloc >= input->ticketLen) {
- output->ticket = output->_staticTicket;
+ output->ticket = output->staticTicket;
 output->ticketLenAlloc = 0;
 }
 else {
@@ -20103,14 +20091,14 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output,
 }
 }
 else {
- output->ticket = output->_staticTicket;
+ output->ticket = output->staticTicket;
 output->ticketLenAlloc = 0;
 }
 }
 else {
 if (ticBuff != NULL)
 XFREE(ticBuff, output->heap, DYNAMIC_TYPE_SESSION_TICK);
- output->ticket = output->_staticTicket;
+ output->ticket = output->staticTicket;
 output->ticketLenAlloc = 0;
 }
 if (input->ticketLenAlloc > 0 && ret == WOLFSSL_SUCCESS) {
@@ -25763,7 +25751,7 @@ WOLFSSL_SESSION* wolfSSL_d2i_SSL_SESSION(WOLFSSL_SESSION** sess,
 XFREE(s->ticket, NULL, DYNAMIC_TYPE_SESSION_TICK);
 }
 if (s->ticketLen <= SESSION_TICKET_LEN)
- s->ticket = s->_staticTicket;
+ s->ticket = s->staticTicket;
 else {
 s->ticket = (byte*)XMALLOC(s->ticketLen, NULL, DYNAMIC_TYPE_SESSION_TICK);
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 39744f996..6af978e48 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3585,7 +3585,7 @@ struct WOLFSSL_SESSION {
 * ID for TLS 1.3 */
 byte sessionIDSz;
- byte* masterSecret; /* stored secret */
+ byte masterSecret[SECRET_LEN]; /* stored secret */
 word16 haveEMS; /* ext master secret flag */
 #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
 WOLFSSL_X509* peer; /* peer cert */
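Review bot: In the `@@ -25763` hunk of wolfSSL_d2i_SSL_SESSION, the branch that falls back to the inline buffer sets only `s->ticket = s->staticTicket;`, whereas the fallback paths in SetTicket, wolfSSL_GetSessionFromCache and wolfSSL_DupSession also write `ticketLenAlloc = 0`. If the XFREE just above ran because `ticketLenAlloc` was non-zero, that stale value would remain, and SetTicket, which frees whenever `ticketLenAlloc > 0`, could later hand the inline buffer to XFREE. Consider bracing the branch and adding `s->ticketLenAlloc = 0;` next to the assignment. The condition guarding the XFREE and the rest of the function are outside the hunk, so the reset may already happen elsewhere.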
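Review bot: Turning `masterSecret` here, and `serverID` and `sessionCtx` in the `@@ -3601` hunk, from `byte*` into inline arrays keeps the field names, so existing uses still compile while their meaning shifts: `sizeof(session->masterSecret)` now yields SECRET_LEN rather than a pointer size, and any `!= NULL` test on these fields becomes always true. No such use is visible in this diff, but code outside it that sizes a copy or gates on the pointer deserves a search before merging. A short note on each member, e.g. `/* stored secret (inline array, never NULL) */`, would make the new contract explicit.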
@@ -3601,11 +3601,11 @@ struct WOLFSSL_SESSION {
 #endif
 #ifndef NO_CLIENT_CACHE
 word16 idLen; /* serverID length */
- byte* serverID; /* for easier client lookup */
+ byte serverID[SERVER_ID_LEN]; /* for easier client lookup */
 #endif
 #ifdef OPENSSL_EXTRA
 byte sessionCtxSz; /* sessionCtx length */
- byte* sessionCtx; /* app specific context id */
+ byte sessionCtx[ID_LEN]; /* app specific context id */
 #endif /* OPENSSL_EXTRA */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 byte peerVerifyRet; /* cert verify error */
@@ -3624,6 +3624,7 @@ struct WOLFSSL_SESSION {
 #endif
 #endif
 #ifdef HAVE_SESSION_TICKET
+ byte staticTicket[SESSION_TICKET_LEN];
 byte* ticket;
 word16 ticketLen;
 word16 ticketLenAlloc; /* is dynamic */
@@ -3638,22 +3639,6 @@ struct WOLFSSL_SESSION {
 #ifdef HAVE_EX_DATA
 WOLFSSL_CRYPTO_EX_DATA ex_data;
 #endif
-
- /* Below buffers are not allocated for the WOLFSSL_SESSION_TYPE_REF, instead
- * the above pointers reference the session cache for backwards
- * compatibility. For all other session types the above pointers reference
- * these buffers directly. Keep these buffers at the end so that they don't
- * get copied into the WOLFSSL_SESSION_TYPE_REF object. */
- byte _masterSecret[SECRET_LEN];
-#ifndef NO_CLIENT_CACHE
- byte _serverID[SERVER_ID_LEN];
-#endif
-#ifdef HAVE_SESSION_TICKET
- byte _staticTicket[SESSION_TICKET_LEN];
-#endif
-#ifdef OPENSSL_EXTRA
- byte _sessionCtx[ID_LEN];
-#endif
 };
 WOLFSSL_LOCAL int wolfSSL_RAND_Init(void);
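Review bot: The `staticTicket` member added in the `@@ -3624` hunk carries no comment, and the `@@ -3638` hunk deletes the only text that described how the inline buffers relate to the pointers. Among the fields this patch touches, `ticket` is the one that can still point into its own struct, so after a raw copy of a session it refers to the source object until it is re-aimed, which the wolfSSL_DupSession hunks do by hand. I would document that on the member, e.g. `byte staticTicket[SESSION_TICKET_LEN]; /* inline storage; ticket points here when ticketLenAlloc == 0 */`, so code that copies or caches sessions knows it must fix up `ticket`.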