diff --git a/examples/server/server.c b/examples/server/server.c index 535fbf7f8..64e30f4e8 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -802,7 +802,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519, /* 4. add the same message into Japanese section */ /* (will be translated later) */ /* 5. add printf() into suitable position of Usage() */ -static const char* server_usage_msg[][60] = { +static const char* server_usage_msg[][63] = { /* English */ { " NOTE: All files relative to wolfSSL home dir\n", /* 0 */ diff --git a/src/internal.c b/src/internal.c index 8ba08423e..ba8291d76 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8974,7 +8974,8 @@ retry: return -1; case WOLFSSL_CBIO_ERR_WANT_READ: /* want read, would block */ - if (ssl->ctx->autoRetry && !ssl->options.handShakeDone) + if (ssl->ctx->autoRetry && !ssl->options.handShakeDone && + !ssl->options.dtls) goto retry; return WANT_READ; @@ -12498,13 +12499,18 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_MSG("Failed to verify Peer's cert"); #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) if (ssl->peerVerifyRet == 0) { /* Return first cert error here */ - if (ret == ASN_BEFORE_DATE_E) - ssl->peerVerifyRet = X509_V_ERR_CERT_NOT_YET_VALID; - else if (ret == ASN_AFTER_DATE_E) - ssl->peerVerifyRet = X509_V_ERR_CERT_HAS_EXPIRED; + if (ret == ASN_BEFORE_DATE_E) { + ssl->peerVerifyRet = + (unsigned long)X509_V_ERR_CERT_NOT_YET_VALID; + } + else if (ret == ASN_AFTER_DATE_E) { + ssl->peerVerifyRet = + (unsigned long)X509_V_ERR_CERT_HAS_EXPIRED; + } else { ssl->peerVerifyRet = - X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; + (unsigned long) + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; } } #endif @@ -29188,7 +29194,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->arrays->masterSecret, 1); #ifdef HAVE_SESSION_TICKET if (ssl->options.useTicket == 1) { - session = &ssl->session; + session = ssl->session; } #endif @@ -30605,24 +30611,44 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #ifdef WOLFSSL_TICKET_HAVE_ID { const byte* id = NULL; - if (ssl->session->haveAltSessionID) + byte idSz = 0; + if (ssl->session->haveAltSessionID) { id = ssl->session->altSessionID; - else if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) + idSz = ID_LEN; + } + else if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) { id = ssl->arrays->sessionID; - else + idSz = ssl->arrays->sessionIDSz; + } + else { id = ssl->session->sessionID; + idSz = ssl->session->sessionIDSz; + } + if (idSz == 0) { + ret = wc_RNG_GenerateBlock(ssl->rng, ssl->session->altSessionID, + ID_LEN); + if (ret != 0) + return ret; + ssl->session->haveAltSessionID = 1; + id = ssl->session->altSessionID; + idSz = ID_LEN; + } XMEMCPY(it.id, id, ID_LEN); } #endif /* encrypt */ encLen = WOLFSSL_TICKET_ENC_SZ; /* max size user can use */ - if (ssl->ctx->ticketEncCb == NULL || + if (ssl->ctx->ticketEncCb == NULL +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL) + || /* SSL_OP_NO_TICKET turns off tickets in < 1.2. Forces * "stateful" tickets for 1.3 so just use the regular * stateless ones. */ (!IsAtLeastTLSv1_3(ssl->version) && - (ssl->options.mask & SSL_OP_NO_TICKET) != 0)) { + (ssl->options.mask & SSL_OP_NO_TICKET) != 0) +#endif + ) { ret = WOLFSSL_TICKET_RET_FATAL; } else { @@ -30717,12 +30743,16 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } outLen = inLen; /* may be reduced by user padding */ - if (ssl->ctx->ticketEncCb == NULL || + if (ssl->ctx->ticketEncCb == NULL +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL) + || /* SSL_OP_NO_TICKET turns off tickets in < 1.2. Forces * "stateful" tickets for 1.3 so just use the regular * stateless ones. */ (!IsAtLeastTLSv1_3(ssl->version) && - (ssl->options.mask & SSL_OP_NO_TICKET) != 0)) { + (ssl->options.mask & SSL_OP_NO_TICKET) != 0) +#endif + ) { ret = WOLFSSL_TICKET_RET_FATAL; } else { diff --git a/src/ssl.c b/src/ssl.c index a14e27af0..208877007 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -4398,8 +4398,12 @@ void wolfSSL_ERR_print_errors_cb (int (*cb)(const char *str, size_t len, #endif #endif +/* + * TODO This ssl parameter needs to be changed to const once our ABI checker + * stops flagging qualifier additions as ABI breaking. + */ WOLFSSL_ABI -int wolfSSL_pending(const WOLFSSL* ssl) +int wolfSSL_pending(WOLFSSL* ssl) { WOLFSSL_ENTER("SSL_pending"); if (ssl == NULL) @@ -6130,13 +6134,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, } #ifdef WOLFSSL_TRUST_PEER_CERT else if (type == TRUSTED_PEER_TYPE) { - if (ctx == NULL) { - WOLFSSL_MSG("Need context for trusted peer cert load"); - FreeDer(&der); - return BAD_FUNC_ARG; - } /* add trusted peer cert. der is freed within */ - ret = AddTrustedPeer(ctx->cm, &der, !ctx->verifyNone); + if (ctx != NULL) + ret = AddTrustedPeer(ctx->cm, &der, !ctx->verifyNone); + else + ret = AddTrustedPeer(SSL_CM(ssl), &der, !ssl->options.verifyNone); if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error adding trusted peer"); } @@ -6322,9 +6324,12 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, } #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \ - defined(HAVE_PQC) + defined(HAVE_PQC) || !defined(NO_RSA) if (ssl) { + #if defined(HAVE_ECC) || defined(HAVE_ED25519) || \ + (defined(HAVE_CURVE448) && defined(HAVE_ED448)) ssl->pkCurveOID = cert->pkCurveOID; + #endif #ifndef WC_STRICT_SIG if (cert->keyOID == ECDSAk) { ssl->options.haveECC = 1; @@ -6355,7 +6360,9 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, #endif } else if (ctx) { + #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) ctx->pkCurveOID = cert->pkCurveOID; + #endif #ifndef WC_STRICT_SIG if (cert->keyOID == ECDSAk) { ctx->haveECC = 1; @@ -7620,6 +7627,18 @@ int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int type) return ProcessFile(ctx, file, type, TRUSTED_PEER_TYPE, NULL, 0, NULL, GET_VERIFY_SETTING_CTX(ctx)); } + +int wolfSSL_trust_peer_cert(WOLFSSL* ssl, const char* file, int type) +{ + WOLFSSL_ENTER("wolfSSL_trust_peer_cert"); + + if (ssl == NULL || file == NULL) { + return WOLFSSL_FAILURE; + } + + return ProcessFile(NULL, file, type, TRUSTED_PEER_TYPE, ssl, 0, NULL, + GET_VERIFY_SETTING_SSL(ssl)); +} #endif /* WOLFSSL_TRUST_PEER_CERT */ @@ -15769,7 +15788,7 @@ int AddSessionToClientCache(int side, int row, int idx, byte* serverID, } #endif -int AddSessionToCache(WOLFSSL_SESSION* addSession, const byte* id, +int AddSessionToCache(WOLFSSL_SESSION* addSession, const byte* id, byte idSz, int* sessionIndex, int side, word16 useTicket) { WOLFSSL_SESSION* cacheSession = NULL; @@ -15790,8 +15809,10 @@ int AddSessionToCache(WOLFSSL_SESSION* addSession, const byte* id, (void)sessionIndex; (void)useTicket; - if (addSession == NULL) + if (addSession == NULL || idSz == 0) { + WOLFSSL_MSG("addSession NULL or idSz == 0"); return BAD_FUNC_ARG; + } /* Find a position for the new session in cache and use that */ #ifdef HAVE_SESSION_TICKET @@ -15916,6 +15937,7 @@ int AddSession(WOLFSSL* ssl) { int error = 0; const byte* id = NULL; + byte idSz = 0; WOLFSSL_SESSION* session = ssl->session; #ifdef HAVE_EXT_CACHE int cbRet = 0; @@ -15941,8 +15963,10 @@ int AddSession(WOLFSSL* ssl) } #endif - if (session->haveAltSessionID) + if (session->haveAltSessionID) { id = session->altSessionID; + idSz = ID_LEN; + } else { if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) { /* Make sure the session ID is available when the user calls any @@ -15951,15 +15975,9 @@ int AddSession(WOLFSSL* ssl) session->sessionIDSz = ssl->arrays->sessionIDSz; } id = session->sessionID; + idSz = session->sessionIDSz; } - - if (id == NULL) { - WOLFSSL_MSG("No Session ID"); - return BAD_FUNC_ARG; - } - - /* Setup the ssl->session object */ session->timeout = ssl->timeout; session->side = (byte)ssl->options.side; if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) @@ -15993,7 +16011,7 @@ int AddSession(WOLFSSL* ssl) if (!ssl->options.internalCacheOff) #endif { - error = AddSessionToCache(session, id, + error = AddSessionToCache(session, id, idSz, #ifdef SESSION_INDEX &ssl->sessionIndex, #else @@ -17203,6 +17221,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return wolfSSL_CertManagerUnload_trust_peers(ctx->cm); } + +#ifdef WOLFSSL_LOCAL_X509_STORE + int wolfSSL_Unload_trust_peers(WOLFSSL* ssl) + { + WOLFSSL_ENTER("wolfSSL_CTX_Unload_trust_peers"); + + if (ssl == NULL) + return BAD_FUNC_ARG; + + return wolfSSL_CertManagerUnload_trust_peers(SSL_CM(ssl)); + } +#endif /* WOLFSSL_LOCAL_X509_STORE */ #endif /* WOLFSSL_TRUST_PEER_CERT */ /* old NO_FILESYSTEM end */ #endif /* !NO_CERTS */ @@ -23670,7 +23700,9 @@ WOLFSSL_SESSION* wolfSSL_NewSession(void* heap) } #endif ret->refCount = 1; +#ifndef NO_SESSION_CACHE ret->cacheRow = INVALID_SESSION_ROW; /* not in cache */ +#endif ret->type = WOLFSSL_SESSION_TYPE_HEAP; ret->heap = heap; ret->masterSecret = ret->_masterSecret; @@ -23782,7 +23814,9 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output, /* Set sane values for copy */ if (output->type != WOLFSSL_SESSION_TYPE_CACHE) +#ifndef NO_SESSION_CACHE output->cacheRow = INVALID_SESSION_ROW; +#endif #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) if (input->peer != NULL && input->peer->dynamicMemory) { if (wolfSSL_X509_up_ref(input->peer) != WOLFSSL_SUCCESS) { @@ -23971,10 +24005,12 @@ void wolfSSL_SESSION_free(WOLFSSL_SESSION* session) wolfSSL_FreeSession(session); } +#ifndef NO_SESSION_CACHE int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session) { int error = 0; const byte* id = NULL; + byte idSz = 0; WOLFSSL_ENTER("wolfSSL_CTX_add_session"); @@ -23985,10 +24021,13 @@ int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session) (void)ctx; id = session->sessionID; - if (session->haveAltSessionID) + idSz = session->sessionIDSz; + if (session->haveAltSessionID) { id = session->altSessionID; + idSz = ID_LEN; + } - error = AddSessionToCache(session, id, + error = AddSessionToCache(session, id, idSz, NULL, session->side, #ifdef HAVE_SESSION_TICKET session->ticketLen > 0 @@ -23999,6 +24038,7 @@ int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session) return error == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; } +#endif #if defined(OPENSSL_EXTRA) || defined(HAVE_EXT_CACHE) @@ -32484,6 +32524,7 @@ WOLFSSL_SESSION* wolfSSL_d2i_SSL_SESSION(WOLFSSL_SESSION** sess, (void)p; (void)i; (void)ret; + (void)sess; #ifdef HAVE_EXT_CACHE if (p == NULL || *p == NULL) @@ -34467,11 +34508,16 @@ int wolfSSL_DH_set0_pqg(WOLFSSL_DH *dh, WOLFSSL_BIGNUM *p, /* free existing internal DH structure and recreate with new p / g */ if (dh->inSet) { +#ifndef HAVE_SELFTEST ret = wc_FreeDhKey((DhKey*)dh->internal); if (ret != 0) { WOLFSSL_MSG("Unable to free internal DH key"); return WOLFSSL_FAILURE; } +#else + /* Selftest code has this API with a void return type */ + wc_FreeDhKey((DhKey*)dh->internal); +#endif } wolfSSL_BN_free(dh->p); @@ -40498,7 +40544,6 @@ int wolfSSL_i2d_ECDSA_SIG(const WOLFSSL_ECDSA_SIG *sig, unsigned char **pp) } /* End ECDSA_SIG */ - /* Remove this prototype when code is reorganized. */ static int wolfSSL_RAND_Init(void); @@ -45760,16 +45805,20 @@ err: #ifdef WOLFSSL_HAVE_ERROR_QUEUE unsigned long err; CLEAR_ASN_NO_PEM_HEADER_ERROR(err); + if (ERR_GET_LIB(err) != ERR_LIB_PEM || + ERR_GET_REASON(err) != PEM_R_NO_START_LINE) { + ret = WOLFSSL_FAILURE; + } #else if (wolfSSL_sk_X509_INFO_num(localSk) > 0) { WOLFSSL_MSG("At least one X509_INFO object on stack." "Assuming error means EOF or no more PEM" "headers found."); } -#endif else { ret = WOLFSSL_FAILURE; } +#endif break; } } @@ -48708,6 +48757,7 @@ void wolfSSL_sk_X509_NAME_ENTRY_free(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk) (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB))) +#ifdef HAVE_EX_DATA int wolfSSL_SESSION_get_ex_new_index(long idx, void* data, void* cb1, void* cb2, CRYPTO_free_func* cb3) { @@ -48719,6 +48769,7 @@ int wolfSSL_SESSION_get_ex_new_index(long idx, void* data, void* cb1, (void)data; return get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION); } +#endif #if defined(USE_WOLFSSL_MEMORY) && !defined(WOLFSSL_DEBUG_MEMORY) static wolfSSL_OSSL_Malloc_cb ossl_malloc = NULL; @@ -51914,7 +51965,8 @@ int wolfSSL_sk_WOLFSSL_STRING_num(WOLF_STACK_OF(WOLFSSL_STRING)* strings) #endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */ -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \ + defined(KEEP_PEER_CERT) WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x) { WOLFSSL_ENTER("wolfSSL_X509_dup"); @@ -63779,7 +63831,7 @@ WC_PKCS12* wolfSSL_d2i_PKCS12_bio(WOLFSSL_BIO* bio, WC_PKCS12** pkcs12) if (mem != NULL && localPkcs12 != NULL) { if (wolfSSL_BIO_read(bio, mem, (int)memSz) == memSz) { - ret = wc_d2i_PKCS12(mem, memSz, localPkcs12); + ret = wc_d2i_PKCS12(mem, (word32)memSz, localPkcs12); if (ret < 0) { WOLFSSL_MSG("Failed to get PKCS12 sequence"); } diff --git a/tests/api.c b/tests/api.c index 7053ba89f..e47cf6352 100644 --- a/tests/api.c +++ b/tests/api.c @@ -914,47 +914,66 @@ static void test_wolfSSL_CTX_trust_peer_cert(void) #if !defined(NO_CERTS) && defined(WOLFSSL_TRUST_PEER_CERT) && \ !defined(NO_WOLFSSL_CLIENT) WOLFSSL_CTX *ctx; + WOLFSSL* ssl; AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + AssertNotNull(ssl = wolfSSL_new(ctx)); #if !defined(NO_FILESYSTEM) /* invalid file */ - assert(wolfSSL_CTX_trust_peer_cert(ctx, NULL, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS); - assert(wolfSSL_CTX_trust_peer_cert(ctx, bogusFile, - WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS); - assert(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile, - WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS); + AssertIntNE(wolfSSL_CTX_trust_peer_cert(ctx, NULL, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); + AssertIntNE(wolfSSL_CTX_trust_peer_cert(ctx, bogusFile, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); + AssertIntNE(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); /* success */ - assert(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile, WOLFSSL_FILETYPE_PEM) - == WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); /* unload cert */ - assert(wolfSSL_CTX_Unload_trust_peers(NULL) != WOLFSSL_SUCCESS); - assert(wolfSSL_CTX_Unload_trust_peers(ctx) == WOLFSSL_SUCCESS); + AssertIntNE(wolfSSL_CTX_Unload_trust_peers(NULL), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_Unload_trust_peers(ctx), WOLFSSL_SUCCESS); + + /* invalid file */ + AssertIntNE(wolfSSL_trust_peer_cert(ssl, NULL, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); + AssertIntNE(wolfSSL_trust_peer_cert(ssl, bogusFile, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); + AssertIntNE(wolfSSL_trust_peer_cert(ssl, cliCertFile, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + + /* success */ + AssertIntEQ(wolfSSL_trust_peer_cert(ssl, cliCertFile, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); + + /* unload cert */ + AssertIntNE(wolfSSL_Unload_trust_peers(NULL), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_Unload_trust_peers(ssl), WOLFSSL_SUCCESS); #endif /* Test of loading certs from buffers */ /* invalid buffer */ - assert(wolfSSL_CTX_trust_peer_buffer(ctx, NULL, -1, - WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS); + AssertIntNE(wolfSSL_CTX_trust_peer_buffer(ctx, NULL, -1, + WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); /* success */ #ifdef USE_CERT_BUFFERS_1024 - assert(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_1024, - sizeof_client_cert_der_1024, WOLFSSL_FILETYPE_ASN1) == WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_1024, + sizeof_client_cert_der_1024, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); #endif #ifdef USE_CERT_BUFFERS_2048 - assert(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_2048, - sizeof_client_cert_der_2048, WOLFSSL_FILETYPE_ASN1) == WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_2048, + sizeof_client_cert_der_2048, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); #endif /* unload cert */ - assert(wolfSSL_CTX_Unload_trust_peers(NULL) != WOLFSSL_SUCCESS); - assert(wolfSSL_CTX_Unload_trust_peers(ctx) == WOLFSSL_SUCCESS); + AssertIntNE(wolfSSL_CTX_Unload_trust_peers(NULL), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_Unload_trust_peers(ctx), WOLFSSL_SUCCESS); + wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); #endif } @@ -4488,7 +4507,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) goto done; } - if (cbf != NULL && !cbf->ticNoInit) { + if (cbf == NULL || !cbf->ticNoInit) { #if defined(HAVE_SESSION_TICKET) && \ ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) #if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) @@ -4693,7 +4712,7 @@ done: wc_ecc_fp_free(); /* free per thread cache */ #endif - if (cbf != NULL && !cbf->ticNoInit) { + if (cbf == NULL || !cbf->ticNoInit) { #if defined(HAVE_SESSION_TICKET) && \ ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) #if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC) @@ -6238,9 +6257,16 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl) if (*sess == NULL) { AssertNotNull(*sess = wolfSSL_get1_session(ssl)); /* Now save the session in the internal store to make it available - * for lookup */ - AssertIntEQ(wolfSSL_CTX_add_session(wolfSSL_get_SSL_CTX(ssl), *sess), - WOLFSSL_SUCCESS); + * for lookup. For TLS 1.3, we can't save the session without + * WOLFSSL_TICKET_HAVE_ID because there is no way to retrieve the + * session from cache. */ + if (wolfSSL_is_server(ssl) +#ifndef WOLFSSL_TICKET_HAVE_ID + && wolfSSL_version(ssl) != TLS1_3_VERSION +#endif + ) + AssertIntEQ(wolfSSL_CTX_add_session(wolfSSL_get_SSL_CTX(ssl), + *sess), WOLFSSL_SUCCESS); } else { /* If we have a session retrieved then remaining connections should be @@ -6292,7 +6318,10 @@ static void test_wolfSSL_CTX_add_session(void) callback_functions client_cb; callback_functions server_cb; method_provider methods[][2] = { -#ifndef NO_OLD_TLS +#if !defined(NO_OLD_TLS) && ((!defined(NO_AES) && !defined(NO_AES_CBC)) || \ + !defined(NO_DES3)) + /* Without AES there are almost no ciphersuites available. This leads + * to no ciphersuites being available and an error. */ { wolfTLSv1_1_client_method, wolfTLSv1_1_server_method }, #endif #ifndef WOLFSSL_NO_TLS12 @@ -50000,13 +50029,13 @@ static void test_wolfSSL_CTX_LoadCRL(void) FAIL_T1(wolfSSL_CTX_LoadCRL, ctx, validPath, pemType, monitor); - #ifndef NO_WOLFSSL_CLIENT +#ifndef NO_WOLFSSL_CLIENT AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - #elif !defined(NO_WOLFSSL_SERVER) +#elif !defined(NO_WOLFSSL_SERVER) AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - #else +#else return; - #endif +#endif SUCC_T (wolfSSL_CTX_LoadCRL, ctx, validPath, pemType, monitor); SUCC_T (wolfSSL_CTX_LoadCRL, ctx, badPath, pemType, monitor); @@ -50014,13 +50043,25 @@ static void test_wolfSSL_CTX_LoadCRL(void) wolfSSL_CTX_free(ctx); - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method())); +#ifndef NO_WOLFSSL_CLIENT + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#elif !defined(NO_WOLFSSL_SERVER) + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#else + return; +#endif AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL), WOLFSSL_SUCCESS); AssertIntEQ(wolfSSL_CTX_LoadCRLFile(ctx, validFilePath, pemType), WOLFSSL_SUCCESS); wolfSSL_CTX_free(ctx); - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method())); +#ifndef NO_WOLFSSL_CLIENT + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#elif !defined(NO_WOLFSSL_SERVER) + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#else + return; +#endif AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL), WOLFSSL_SUCCESS); AssertNotNull(ssl = wolfSSL_new(ctx)); @@ -52326,8 +52367,8 @@ void ApiTest(void) #endif #ifdef HAVE_IO_TESTS_DEPENDENCIES test_wolfSSL_get_finished(); -#endif test_wolfSSL_CTX_add_session(); +#endif test_SSL_CIPHER_get_xxx(); test_wolfSSL_ERR_strings(); test_wolfSSL_EVP_shake128(); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 76f9162b3..41df10959 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3314,7 +3314,9 @@ struct WOLFSSL_SESSION { /* WARNING Do not add fields here. They will be ignored in * wolfSSL_DupSession. */ WOLFSSL_SESSION_TYPE type; +#ifndef NO_SESSION_CACHE int cacheRow; /* row in session cache */ +#endif int refCount; /* reference count */ #ifndef SINGLE_THREADED wolfSSL_Mutex refMutex; /* ref count mutex */ @@ -4767,7 +4769,7 @@ WOLFSSL_LOCAL int MakeMasterSecret(WOLFSSL* ssl); WOLFSSL_LOCAL int AddSession(WOLFSSL* ssl); WOLFSSL_LOCAL int AddSessionToCache(WOLFSSL_SESSION* addSession, const byte* id, - int* sessionIndex, int side, word16 useTicket); + byte idSz, int* sessionIndex, int side, word16 useTicket); WOLFSSL_LOCAL int AddSessionToClientCache(int side, int row, int idx, byte* serverID, word16 idLen, word16 useTicket); WOLFSSL_LOCAL int DeriveKeys(WOLFSSL* ssl); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index bad886e80..e78a2134b 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -970,6 +970,8 @@ WOLFSSL_ABI WOLFSSL_API int wolfSSL_CTX_load_verify_locations( #ifdef WOLFSSL_TRUST_PEER_CERT WOLFSSL_API int wolfSSL_CTX_trust_peer_cert( WOLFSSL_CTX* ctx, const char* file, int type); +WOLFSSL_API int wolfSSL_trust_peer_cert( + WOLFSSL* ssl, const char* file, int type); #endif WOLFSSL_ABI WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_file( WOLFSSL_CTX* ctx, const char* file); @@ -1193,7 +1195,7 @@ WOLFSSL_API int wolfSSL_set_post_handshake_auth(WOLFSSL* ssl, int val); WOLFSSL_API void wolfSSL_SetCertCbCtx(WOLFSSL* ssl, void* ctx); -WOLFSSL_ABI WOLFSSL_API int wolfSSL_pending(const WOLFSSL* ssl); +WOLFSSL_ABI WOLFSSL_API int wolfSSL_pending(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_has_pending(const WOLFSSL* ssl); WOLFSSL_API void wolfSSL_load_error_strings(void); @@ -1509,6 +1511,7 @@ WOLFSSL_API void wolfSSL_sk_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk); WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl); WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new(void); +WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x); #if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA) WOLFSSL_API int wolfSSL_RSA_up_ref(WOLFSSL_RSA* rsa); WOLFSSL_API int wolfSSL_X509_up_ref(WOLFSSL_X509* x509); @@ -2837,6 +2840,9 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* key, unsigned int len, WOLFSSL_API int wolfSSL_CTX_UnloadCAs(WOLFSSL_CTX* ctx); #ifdef WOLFSSL_TRUST_PEER_CERT WOLFSSL_API int wolfSSL_CTX_Unload_trust_peers(WOLFSSL_CTX* ctx); +#ifdef WOLFSSL_LOCAL_X509_STORE + WOLFSSL_API int wolfSSL_Unload_trust_peers(WOLFSSL* ssl); +#endif WOLFSSL_API int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX* ctx, const unsigned char*, long, int); #endif @@ -4011,7 +4017,6 @@ WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_delete_entry( WOLFSSL_API int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME* x, const WOLFSSL_X509_NAME* y); WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_NAME_new(void); -WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x); WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_NAME_dup(WOLFSSL_X509_NAME* name); WOLFSSL_API int wolfSSL_X509_NAME_copy(WOLFSSL_X509_NAME* from, WOLFSSL_X509_NAME* to); WOLFSSL_API int wolfSSL_check_private_key(const WOLFSSL* ssl);