diff --git a/scripts/include.am b/scripts/include.am
index 0e1bffe52..1701ad97e 100644
--- a/scripts/include.am
+++ b/scripts/include.am
@@ -53,7 +53,7 @@ if BUILD_EXAMPLE_CLIENTS
 if !BUILD_IPV6
 dist_noinst_SCRIPTS+= scripts/external.test
 dist_noinst_SCRIPTS+= scripts/google.test
-#dist_noinst_SCRIPTS+= scripts/openssl.test
+dist_noinst_SCRIPTS+= scripts/openssl.test
 endif
 endif
diff --git a/scripts/openssl.test b/scripts/openssl.test
index 8f068309c..c457c1281 100755
--- a/scripts/openssl.test
+++ b/scripts/openssl.test
@@ -3,7 +3,15 @@
 #openssl.test
 # need a unique port since may run the same time as testsuite
-openssl_port=11114
+generate_port() {
+ openssl_port=`tr -cd 0-9 /dev/null
+ then
+ echo "s_server started successfully on port $openssl_port"
+ found_free_port=1
+ break
+ else
+ #port already started, try a different port
+ counter=$((counter+ 1))
+ generate_port
+ fi
+done
+
+if [ $found_free_port = 0 ]
+then
+ echo -e "Couldn't find free port for server"
+ do_cleanup
+ exit 1
+fi
 # get wolfssl ciphers
 wolf_ciphers=`./examples/client/client -e`
@@ -99,7 +130,7 @@ if [ $server_ready = 0 ]
 then
 echo -e "Couldn't verify openssl server is running, timeout error"
 do_cleanup
- exit -1
+ exit 1
 fi
 OIFS=$IFS # store old seperator to reset
diff --git a/src/internal.c b/src/internal.c
index 06fa29237..4bfe3ffbc 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -2648,6 +2648,10 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 #if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)
 FreeX509(&ssl->peerCert);
 #endif
+#ifdef HAVE_SESSION_TICKET
+ if (ssl->session.dynTicket)
+ XFREE(ssl->session.dynTicket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
+#endif
 }
 #ifdef WOLFSSL_TI_HASH
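Review bot: The new `XFREE(ssl->session.dynTicket, ...)` in SSL_ResourceFree assumes `ssl->session` is the sole owner of the heap ticket, but the `WOLFSSL_SESSION` struct (internal.h hunk) now carries a bare pointer with no copy routine, so any path that copies a session by value — restoring a cached session into `ssl->session`, which this diff does not show — would alias the buffer and leave the other copy dangling after this free. Either the restore path needs a deep copy or the ownership rule should be stated on the struct field; I cannot confirm from the hunk which callers copy the struct. It would also be safer to clear the state after the free, `ssl->session.dynTicket = NULL; ssl->session.isDynamic = 0;`, so a stale pointer cannot survive if the session memory is reused. SSL_ResourceFree's body starts outside this hunk.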
@@ -11349,9 +11353,14 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
 #ifdef HAVE_SESSION_TICKET
 if (ssl->options.resuming && ssl->session.ticketLen > 0) {
 SessionTicket* ticket;
+ byte* ticketData;
+
+ ticketData = ssl->session.isDynamic ?
+ ssl->session.dynTicket :
+ ssl->session.ticket;
 ticket = TLSX_SessionTicket_Create(0,
- ssl->session.ticket, ssl->session.ticketLen);
+ ticketData, ssl->session.ticketLen);
 if (ticket == NULL) return MEMORY_E;
 ret = TLSX_UseSessionTicket(&ssl->extensions, ticket);
@@ -14285,8 +14294,16 @@ int DoSessionTicket(WOLFSSL* ssl,
 ato16(input + *inOutIdx, &length);
 *inOutIdx += OPAQUE16_LEN;
- if (length > sizeof(ssl->session.ticket))
- return SESSION_TICKET_LEN_E;
+ if (length > sizeof(ssl->session.ticket)) {
+ ssl->session.isDynamic = 1;
+
+ ssl->session.dynTicket = (byte*)XMALLOC(
+ length, ssl->heap,
+ DYNAMIC_TYPE_SESSION_TICK);
+ if (ssl->session.dynTicket == NULL) {
+ return MEMORY_E;
+ }
+ }
 if ((*inOutIdx - begin) + length > size)
 return BUFFER_ERROR;
@@ -14294,7 +14311,11 @@ int DoSessionTicket(WOLFSSL* ssl,
 /* If the received ticket including its length is greater than
 * a length value, the save it. Otherwise, don't save it. */
 if (length > 0) {
- XMEMCPY(ssl->session.ticket, input + *inOutIdx, length);
+ if (ssl->session.isDynamic)
+ XMEMCPY(ssl->session.dynTicket, input + *inOutIdx, length);
+ else
+ XMEMCPY(ssl->session.ticket, input + *inOutIdx, length);
+
 *inOutIdx += length;
 ssl->session.ticketLen = length;
 ssl->timeout = lifetime;
@@ -14305,7 +14326,12 @@ int DoSessionTicket(WOLFSSL* ssl,
 }
 /* Create a fake sessionID based on the ticket, this will
 * supercede the existing session cache info. */
- ssl->options.haveSessionId = 1;
+ ssl->options.haveSessionId = 1;
+
+ if (ssl->session.isDynamic)
+ XMEMCPY(ssl->arrays->sessionID,
+ ssl->session.dynTicket + length - ID_LEN, ID_LEN);
+ else
 XMEMCPY(ssl->arrays->sessionID,
 ssl->session.ticket + length - ID_LEN, ID_LEN);
 #ifndef NO_SESSION_CACHE
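Review bot: In the `if (length > sizeof(ssl->session.ticket))` branch of DoSessionTicket the heap buffer is allocated with the peer-supplied `length` before the `(*inOutIdx - begin) + length > size` check that follows it, so a malformed NewSessionTicket costs an allocation of up to 64 KiB per message before it is rejected, and the assignment to `ssl->session.dynTicket` overwrites whatever a previous (renewed) ticket already stored there, leaking it. The static path also never clears `isDynamic`, so once a session has held a large ticket every later ticket keeps going to the heap buffer even when it would fit `ticket[]`. Moving the allocation after the bounds check, freeing any existing buffer first and resetting the flag on the static path covers all three; DoSessionTicket begins and ends outside this hunk.
```c
    if ((*inOutIdx - begin) + length > size)
        return BUFFER_ERROR;

    if (length > sizeof(ssl->session.ticket)) {
        /* release the buffer left by an earlier (renewed) ticket */
        if (ssl->session.dynTicket != NULL)
            XFREE(ssl->session.dynTicket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
        ssl->session.dynTicket = (byte*)XMALLOC(length, ssl->heap,
                                                DYNAMIC_TYPE_SESSION_TICK);
        if (ssl->session.dynTicket == NULL)
            return MEMORY_E;
        ssl->session.isDynamic = 1;
    }
    else {
        ssl->session.isDynamic = 0;
    }
    /* ... unchanged: copy of the ticket bytes and session ID ... */
```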
@@ -16618,7 +16644,9 @@ int DoSessionTicket(WOLFSSL* ssl,
 static int CreateTicket(WOLFSSL* ssl)
 {
 InternalTicket it;
- ExternalTicket* et = (ExternalTicket*)ssl->session.ticket;
+ ExternalTicket* et = ssl->session.isDynamic ?
+ (ExternalTicket*)ssl->session.dynTicket :
+ (ExternalTicket*)ssl->session.ticket;
 int encLen;
 int ret;
 byte zeros[WOLFSSL_TICKET_MAC_SZ]; /* biggest cmp size */
diff --git a/src/ssl.c b/src/ssl.c
index 1dab84730..8f6ade691 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1251,7 +1251,10 @@ WOLFSSL_API int wolfSSL_get_SessionTicket(WOLFSSL* ssl,
 return BAD_FUNC_ARG;
 if (ssl->session.ticketLen <= *bufSz) {
- XMEMCPY(buf, ssl->session.ticket, ssl->session.ticketLen);
+ if (ssl->session.isDynamic)
+ XMEMCPY(buf, ssl->session.dynTicket, ssl->session.ticketLen);
+ else
+ XMEMCPY(buf, ssl->session.ticket, ssl->session.ticketLen);
 *bufSz = ssl->session.ticketLen;
 }
 else
@@ -1262,12 +1265,17 @@ WOLFSSL_API int wolfSSL_get_SessionTicket(WOLFSSL* ssl,
 WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, byte* buf, word32 bufSz)
 {
- if (ssl == NULL || (buf == NULL && bufSz > 0))
+ if (ssl == NULL || (buf == NULL && bufSz > 0) || bufSz > SESSION_TICKET_LEN)
 return BAD_FUNC_ARG;
 if (bufSz > 0)
 XMEMCPY(ssl->session.ticket, buf, bufSz);
 ssl->session.ticketLen = (word16)bufSz;
+ /* session ticket should only be size of static buffer. Delete dynamic buffer*/
+ if (ssl->session.isDynamic) {
+ XFREE(ssl->session.dynTicket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
+ ssl->session.isDynamic = 0;
+ }
 return SSL_SUCCESS;
 }
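Review bot: The `et = ssl->session.isDynamic ? ... : ...` selection in CreateTicket is the fourth copy of the same ternary in this diff (SendClientHello, DoSessionTicket, wolfSSL_get_SessionTicket), and any other reader of `ssl->session.ticket` that this diff does not touch will silently operate on the wrong buffer. A single helper, `static byte* SessionTicketData(WOLFSSL_SESSION* s) { return s->isDynamic ? s->dynTicket : s->ticket; }`, would make a missed site easy to spot. CreateTicket's body continues outside the hunk and writes a new ticket through `et`; since `dynTicket` is only ever sized to a received ticket's length, a comment on `et` should state that the dynamic buffer is assumed large enough for an `ExternalTicket` when that path is taken.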
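Review bot: After `XFREE(ssl->session.dynTicket, ...)` in wolfSSL_set_SessionTicket the pointer is left in the struct, and SSL_ResourceFree (internal.c hunk) frees `dynTicket` whenever it is non-NULL, so a session whose large ticket was replaced through this API is freed twice at teardown. Add `ssl->session.dynTicket = NULL;` inside the `if (ssl->session.isDynamic)` block. The new `bufSz > SESSION_TICKET_LEN` guard is the right bound for the static array, but it means this setter rejects tickets the parser now accepts; the function's doc comment should say so rather than the trailing "should only be size of static buffer" remark.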
@@ -7067,9 +7075,29 @@ int AddSession(WOLFSSL* ssl)
 SessionCache[row].Sessions[idx].bornOn = LowResTimer();
 #ifdef HAVE_SESSION_TICKET
- SessionCache[row].Sessions[idx].ticketLen = ssl->session.ticketLen;
- XMEMCPY(SessionCache[row].Sessions[idx].ticket,
+ if (ssl->session.isDynamic) {
+ if (!SessionCache[row].Sessions[idx].dynTicket) {
+ SessionCache[row].Sessions[idx].dynTicket = XMALLOC(
+ ssl->session.ticketLen, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
+ if (!SessionCache[row].Sessions[idx].dynTicket)
+ return MEMORY_E;
+ } else if (SessionCache[row].Sessions[idx].ticketLen < ssl->session.ticketLen) {
+ XFREE(SessionCache[row].Sessions[idx].dynTicket,
+ ssl->heap, DYNAMIC_TYPE_SESS_TICK);
+ SessionCache[row].Sessions[idx].dynTicket = XMALLOC(
+ ssl->session.ticketLen, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
+ if (!SessionCache[row].Sessions[idx].dynTicket)
+ return MEMORY_E;
+ }
+ XMEMCPY(SessionCache[row].Sessions[idx].dynTicket,
+ ssl->session.dynTicket, ssl->session.ticketLen);
+ SessionCache[row].Sessions[idx].isDynamic = 1;
+ }
+ else {
+ XMEMCPY(SessionCache[row].Sessions[idx].ticket,
 ssl->session.ticket, ssl->session.ticketLen);
+ }
+ SessionCache[row].Sessions[idx].ticketLen = ssl->session.ticketLen;
 #endif
 #ifdef SESSION_CERTS
diff --git a/src/tls.c b/src/tls.c
index 3b6e0a879..482c8f58d 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -3212,9 +3212,11 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket)
 #define STK_GET_SIZE TLSX_SessionTicket_GetSize
 #define STK_WRITE TLSX_SessionTicket_Write
 #define STK_PARSE TLSX_SessionTicket_Parse
+#define STK_FREE(stk) TLSX_SessionTicket_Free((SessionTicket*)stk)
 #else
+#define STK_FREE(a)
 #define STK_VALIDATE_REQUEST(a)
 #define STK_GET_SIZE(a, b) 0
 #define STK_WRITE(a, b, c) 0
@@ -3865,6 +3867,7 @@ void TLSX_FreeAll(TLSX* list)
 case TLSX_SESSION_TICKET:
 /* Nothing to do. */
+ STK_FREE(extension->data);
 break;
 case TLSX_QUANTUM_SAFE_HYBRID:
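Review bot: The `XFREE(..., DYNAMIC_TYPE_SESS_TICK)` in AddSession's resize branch names an identifier the types.h hunk does not add (it adds `DYNAMIC_TYPE_SESSION_TICK`, which the XMALLOC two lines later uses), so unless it is defined elsewhere this path will not compile. The two new `return MEMORY_E` exits leave the middle of AddSession; if the function holds the session-cache mutex here, as the rest of its body (outside the hunk) would suggest, they return with it locked. The `else` branch never resets `isDynamic`, so a slot that once held a large ticket keeps reporting a heap ticket after a small one overwrites it, and the cache entry's buffer is allocated against `ssl->heap` even though the static cache outlives any one `WOLFSSL`; if heap hints are honoured, the later free may pass a different session's heap. The rewritten branch below folds the two allocation paths together and fixes the identifier and the flag; the unlock on the error path still has to be added against the surrounding code.
```c
        if (ssl->session.isDynamic) {
            /* drop a buffer too small for the new ticket; NULL means (re)allocate */
            if (SessionCache[row].Sessions[idx].dynTicket != NULL &&
                SessionCache[row].Sessions[idx].ticketLen < ssl->session.ticketLen) {
                XFREE(SessionCache[row].Sessions[idx].dynTicket, NULL,
                      DYNAMIC_TYPE_SESSION_TICK);
                SessionCache[row].Sessions[idx].dynTicket = NULL;
            }
            if (SessionCache[row].Sessions[idx].dynTicket == NULL) {
                SessionCache[row].Sessions[idx].dynTicket = (byte*)XMALLOC(
                    ssl->session.ticketLen, NULL, DYNAMIC_TYPE_SESSION_TICK);
                if (SessionCache[row].Sessions[idx].dynTicket == NULL)
                    return MEMORY_E; /* NOTE(review): release the cache lock first if AddSession holds it here */
            }
            XMEMCPY(SessionCache[row].Sessions[idx].dynTicket,
                    ssl->session.dynTicket, ssl->session.ticketLen);
            SessionCache[row].Sessions[idx].isDynamic = 1;
        }
        else {
            XMEMCPY(SessionCache[row].Sessions[idx].ticket,
                    ssl->session.ticket, ssl->session.ticketLen);
            SessionCache[row].Sessions[idx].isDynamic = 0;
        }
        SessionCache[row].Sessions[idx].ticketLen = ssl->session.ticketLen;
```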
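Review bot: `STK_FREE(extension->data)` in TLSX_FreeAll now runs for every TLSX_SESSION_TICKET entry, and this diff does not show that every such entry carries a non-NULL `SessionTicket` (a peer that merely signals ticket support is likely registered with no data), so `TLSX_SessionTicket_Free` must tolerate NULL or the macro should guard it: `#define STK_FREE(stk) do { if (stk) TLSX_SessionTicket_Free((SessionTicket*)(stk)); } while (0)`. The argument should also be parenthesised in the cast as in the other STK_ macros. The `/* Nothing to do. */` comment directly above the new call is now wrong and should be removed.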
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index eea8b2908..ca473bede 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2181,6 +2181,8 @@ struct WOLFSSL_SESSION {
 #endif
 #ifdef HAVE_SESSION_TICKET
 word16 ticketLen;
+ byte *dynTicket;
+ byte isDynamic;
 byte ticket[SESSION_TICKET_LEN];
 #endif
 #ifdef HAVE_STUNNEL
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index db9897a1d..b8237d6ec 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -302,7 +302,8 @@
 DYNAMIC_TYPE_X509_CTX = 53,
 DYNAMIC_TYPE_URL = 54,
 DYNAMIC_TYPE_DTLS_FRAG = 55,
- DYNAMIC_TYPE_DTLS_BUFFER = 56
+ DYNAMIC_TYPE_DTLS_BUFFER = 56,
+ DYNAMIC_TYPE_SESSION_TICK = 57
 };
 /* max error buffer string size */
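Review bot: The new `dynTicket` and `isDynamic` fields in `struct WOLFSSL_SESSION` carry no comment about ownership or about the invariant every other hunk in this diff relies on (`isDynamic` selects which buffer the `ticketLen` bytes live in; whoever holds the struct frees `dynTicket`). Suggest `byte *dynTicket;  /* heap ticket when ticketLen > SESSION_TICKET_LEN; owned by this struct, released in SSL_ResourceFree */` and `byte  isDynamic;  /* nonzero: ticket bytes are in dynTicket, else in ticket[] */`. Because the same struct is what the session cache stores, stating here that a by-value copy must not share `dynTicket` would warn the next maintainer before an aliasing bug appears. The struct definition continues outside this hunk.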