diff --git a/src/crl.c b/src/crl.c index 9e980e97e..76a7a67f2 100644 --- a/src/crl.c +++ b/src/crl.c @@ -1446,7 +1446,7 @@ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) pathLen = (word32)XSTRLEN(path); pathBuf = (char*)XMALLOC(pathLen+1, crl->heap,DYNAMIC_TYPE_CRL_MONITOR); if (pathBuf) { - XSTRNCPY(pathBuf, path, pathLen+1); + XMEMCPY(pathBuf, path, pathLen+1); if (type == WOLFSSL_FILETYPE_PEM) { /* free old path before setting a new one */ diff --git a/src/dtls.c b/src/dtls.c index 7341b967f..dfb3ece12 100644 --- a/src/dtls.c +++ b/src/dtls.c @@ -492,7 +492,7 @@ static void FindPskSuiteFromExt(const WOLFSSL* ssl, TLSX* extensions, break; } if (ret == WOLFSSL_TICKET_RET_OK) { - if (DoClientTicketCheck(current, ssl->timeout, + if (DoClientTicketCheck(ssl, current, ssl->timeout, suites->suites + i) != 0) { continue; } diff --git a/src/internal.c b/src/internal.c index 67ca31535..c0e98e45c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6691,6 +6691,8 @@ int ReinitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) (void)ctx; ssl->options.shutdownDone = 0; + if (ssl->session != NULL) + ssl->session->side = (byte)ssl->options.side; return ret; } @@ -34652,8 +34654,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } /* Return 0 when check successful. <0 on failure. */ - int DoClientTicketCheck(const PreSharedKey* psk, sword64 timeout, - const byte* suite) + int DoClientTicketCheck(const WOLFSSL* ssl, const PreSharedKey* psk, + sword64 timeout, const byte* suite) { word32 ticketAdd; #ifdef WOLFSSL_32BIT_MILLI_TIME 
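Review bot: In the src/crl.c hunk (LoadCRL), the new `XMEMCPY(pathBuf, path, pathLen+1)` is only correct because `pathLen` is `XSTRLEN(path)` from two lines up and the buffer was allocated as `pathLen+1`, and nothing at the copy says so. I would add `/* pathLen + 1 also copies the terminating NUL */` above it so that a later change to the length computation is not made without revisiting the copy. LoadCRL starts and ends outside the hunk, so the handling of a NULL `path` is not visible here.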
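Review bot: In the ReinitSSL hunk of src/internal.c, the two added lines carry no comment saying why the session's `side` has to be re-synchronised at this point, and the `if` is unbraced. A comment such as `/* keep the session's side in step with the SSL object's after re-initialisation */` plus braces around `ssl->session->side = (byte)ssl->options.side;` would make the intent reviewable. The actual reason is not visible in the hunk and should come from the author. The function body starts outside the hunk.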
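Review bot: The one-line comment above DoClientTicketCheck (second src/internal.c hunk, and the matching prototype in wolfssl/internal.h) still reads `Return 0 when check successful. <0 on failure.` and does not describe the new `ssl` parameter. Going by the later hunk in the same function, `ssl` is read only when WOLFSSL_PSK_ONE_ID or WOLFSSL_PRIORITIZE_PSK is defined and `suite` only otherwise, so every build ignores one of the two arguments. I would extend the comment with one line per parameter stating that, so callers do not assume the `suite` they pass is always enforced. The function body continues past the end of the hunk.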
@@ -34702,13 +34704,15 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (diff < -1000 || diff - MAX_TICKET_AGE_DIFF * 1000 > 1000) return -1; -#ifndef WOLFSSL_PSK_ONE_ID +#if !defined(WOLFSSL_PSK_ONE_ID) && !defined(WOLFSSL_PRIORITIZE_PSK) /* Check whether resumption is possible based on suites in SSL and * ciphersuite in ticket. */ + (void)ssl; if (XMEMCMP(suite, psk->it->suite, SUITE_LEN) != 0) return -1; #else + (void)suite; if (!FindSuiteSSL(ssl, psk->it->suite)) return -1; #endif diff --git a/src/ssl.c b/src/ssl.c index adc3c1eb4..3a5e7d98a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -15035,8 +15035,8 @@ int wolfSSL_SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session) } else { #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_ERROR_CODE_OPENSSL) - WOLFSSL_MSG("Session is expired but return success for \ - OpenSSL compatibility"); + WOLFSSL_MSG("Session is expired but return success for " + "OpenSSL compatibility"); ret = WOLFSSL_SUCCESS; #else ret = WOLFSSL_FAILURE; /* session timed out */ diff --git a/src/tls13.c b/src/tls13.c index e5747e933..c05421701 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -3242,14 +3242,14 @@ exit_buildmsg: #if !defined(NO_WOLFSSL_CLIENT) || (!defined(NO_WOLFSSL_SERVER) && \ (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \ - defined(WOLFSSL_PSK_ONE_ID)) \ + (defined(WOLFSSL_PSK_ONE_ID) || defined(WOLFSSL_PRIORITIZE_PSK))) /* Find the cipher suite in the suites set in the SSL. * * ssl SSL/TLS object. * suite Cipher suite to look for. * returns 1 when suite is found in SSL/TLS object's list and 0 otherwise. */ -static int FindSuiteSSL(const WOLFSSL* ssl, byte* suite) +int FindSuiteSSL(const WOLFSSL* ssl, byte* suite) { word16 i; const Suites* suites = WOLFSSL_SUITES(ssl); 
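Review bot: In the `#else` branch of DoClientTicketCheck, which this hunk now also selects for WOLFSSL_PRIORITIZE_PSK, the caller's `suite` is discarded (`(void)suite;`) and the ticket is accepted whenever its suite appears anywhere in the SSL object's list. That leaves it to the callers to switch the handshake to `psk->it->suite` afterwards. The dtls.c call in FindPskSuiteFromExt passes `suites->suites + i` and the tls13.c call in DoPreSharedKeys passes `suite`, and neither hunk shows what happens to that value once the check passes. Please confirm both paths adopt the ticket's suite under WOLFSSL_PRIORITIZE_PSK, and consider a comment in the branch such as `/* suite is not compared here; caller must negotiate psk->it->suite */`. The function starts and ends outside the hunk.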
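Review bot: FindSuiteSSL is now called from DoClientTicketCheck in src/internal.c, but its definition in src/tls13.c stays inside the `#if !defined(NO_WOLFSSL_CLIENT) || (...)` guard while the new prototype in wolfssl/internal.h is added without any guard. If DoClientTicketCheck can be compiled in a configuration where this guard is false or tls13.c is not built, the `#else` branch would fail at link time; whether such a configuration exists is not visible in the diff. I would either wrap the prototype in the same condition or note beside it where the definition lives. Since the function is no longer `static`, `byte* suite` could also become `const byte* suite` if the body, which continues outside the hunk, only reads it.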
@@ -5676,10 +5676,8 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz, #endif if (ret == WOLFSSL_TICKET_RET_OK) { - if (DoClientTicketCheck(current, ssl->timeout, suite) != 0) { - current = current->next; + if (DoClientTicketCheck(ssl, current, ssl->timeout, suite) != 0) continue; - } DoClientTicketFinalize(ssl, current->it); diff --git a/tests/api.c b/tests/api.c index 0911ba943..c4182ccbf 100644 --- a/tests/api.c +++ b/tests/api.c @@ -62845,7 +62845,8 @@ static int test_wolfSSL_CRL_CERT_REVOKED_alert(void) #if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) \ && defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_AESGCM) && \ !defined(NO_SHA256) && defined(WOLFSSL_AES_128) && \ - defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256) + defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256) && \ + !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) static WOLFSSL_CTX* test_TLS_13_ticket_different_ciphers_ctx = NULL; static WOLFSSL_SESSION* test_TLS_13_ticket_different_ciphers_session = NULL; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ba27555cd..8482b55ab 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -5651,8 +5651,8 @@ WOLFSSL_LOCAL int SendTicket(WOLFSSL* ssl); WOLFSSL_LOCAL int DoDecryptTicket(const WOLFSSL* ssl, const byte* input, word32 len, InternalTicket **it); /* Return 0 when check successful. <0 on failure. */ -WOLFSSL_LOCAL int DoClientTicketCheck(const PreSharedKey* psk, sword64 timeout, - const byte* suite); +WOLFSSL_LOCAL int DoClientTicketCheck(const WOLFSSL* ssl, + const PreSharedKey* psk, sword64 timeout, const byte* suite); WOLFSSL_LOCAL void DoClientTicketFinalize(WOLFSSL* ssl, InternalTicket* it); WOLFSSL_LOCAL void CleanupClientTickets(PreSharedKey* psk); WOLFSSL_LOCAL int DoClientTicket(WOLFSSL* ssl, const byte* input, word32 len); 
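Review bot: Removing `current = current->next;` before `continue` in DoPreSharedKeys (src/tls13.c) is only safe if the enclosing loop advances `current` in its own header, and that header is outside the hunk. If the loop is a `for` whose step is `current = current->next`, the old code skipped the identity after a rejected ticket and this is the fix. If it is a `while` that advances at the bottom, a ClientHello carrying one ticket that fails the check would keep the server on the same entry indefinitely. Please confirm which it is; I would also keep the braces around the `continue` and add `/* loop header advances to the next identity */` beside it.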
@@ -5892,10 +5892,11 @@ WOLFSSL_LOCAL int cipherExtraData(WOLFSSL* ssl); WOLFSSL_LOCAL sword64 TimeNowInMilliseconds(void); #endif - WOLFSSL_LOCAL int FindSuiteMac(WOLFSSL* ssl, byte* suite); #endif WOLFSSL_LOCAL word32 LowResTimer(void); +WOLFSSL_LOCAL int FindSuiteSSL(const WOLFSSL* ssl, byte* suite); + #ifndef NO_CERTS WOLFSSL_LOCAL void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag, void* heap);