mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-07-30 02:37:28 +02:00
Merge pull request #4807 from julek-wolfssl/stunnel-5.61
stunnel 5.61 support
This commit is contained in:
David Garske
GitHub
13
configure.ac
13
configure.ac
@ -5224,6 +5224,7 @@ then
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_STUNNEL -DWOLFSSL_ALWAYS_VERIFY_CB"
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI -DHAVE_EX_DATA"
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB -DWOLFSSL_SIGNER_DER_CERT"
|
||||
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_COMPATIBLE_DEFAULTS -DWOLFSSL_TICKET_HAVE_ID"
|
||||
fi
|
||||
|
||||
# curl Support
|
||||
@ -6841,6 +6842,16 @@ AC_ARG_ENABLE([optflags],
|
||||
AS_CASE(["$CFLAGS $CPPFLAGS"],[*'WOLFSSL_TRUST_PEER_CERT'*],[ENABLED_TRUSTED_PEER_CERT=yes])
|
||||
|
||||
|
||||
AS_CASE(["$CFLAGS $CPPFLAGS $AM_CFLAGS"],[*'OPENSSL_COMPATIBLE_DEFAULTS'*],
|
||||
[ENABLED_OPENSSL_COMPATIBLE_DEFAULTS=yes])
|
||||
if test "x$ENABLED_OPENSSL_COMPATIBLE_DEFAULTS" = "xyes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRUST_PEER_CERT"
|
||||
AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF"
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE"
|
||||
ENABLED_TRUSTED_PEER_CERT=yes
|
||||
fi
|
||||
|
||||
# dertermine if we have key validation mechanism
|
||||
if test "x$ENABLED_ECC" != "xno" || test "x$ENABLED_RSA" = "xyes"
|
||||
then
|
||||
@ -7122,7 +7133,7 @@ then
|
||||
fi
|
||||
|
||||
AS_IF([test "x$ENABLED_OPENSSLALL" = "xyes"],
|
||||
[AM_CFLAGS="$AM_CFLAGS -DOPENSSL_ALL -DWOLFSSL_EITHER_SIDE -DWC_RSA_NO_PADDING -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT"])
|
||||
[AM_CFLAGS="$AM_CFLAGS -DOPENSSL_ALL -DWOLFSSL_EITHER_SIDE -DWC_RSA_NO_PADDING -DWC_RSA_PSS -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_TICKET_HAVE_ID"])
|
||||
|
||||
AS_IF([test "x$ENABLED_AESSIV" = "xyes"], [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_SIV"])
|
||||
|
||||
|
||||
@ -11166,7 +11166,7 @@ WOLFSSL_API int wolfSSL_CTX_UseSessionTicket(WOLFSSL_CTX* ctx);
|
||||
if(wolfSSL_get_SessionTicket(ssl, buf, bufSz) <= 0){
|
||||
// Nothing was written to the buffer
|
||||
} else {
|
||||
// the buffer holds the content from ssl->session.ticket
|
||||
// the buffer holds the content from ssl->session->ticket
|
||||
}
|
||||
\endcode
|
||||
|
||||
|
||||
@ -802,7 +802,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
|
||||
/* 4. add the same message into Japanese section */
|
||||
/* (will be translated later) */
|
||||
/* 5. add printf() into suitable position of Usage() */
|
||||
static const char* server_usage_msg[][60] = {
|
||||
static const char* server_usage_msg[][63] = {
|
||||
/* English */
|
||||
{
|
||||
" NOTE: All files relative to wolfSSL home dir\n", /* 0 */
|
||||
|
||||
338
src/internal.c
338
src/internal.c
@ -5952,6 +5952,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
|
||||
ssl->options.downgrade = ctx->method->downgrade;
|
||||
ssl->options.minDowngrade = ctx->minDowngrade;
|
||||
|
||||
ssl->options.haveRSA = ctx->haveRSA;
|
||||
ssl->options.haveDH = ctx->haveDH;
|
||||
ssl->options.haveECDSAsig = ctx->haveECDSAsig;
|
||||
ssl->options.haveECC = ctx->haveECC;
|
||||
@ -5998,6 +5999,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
|
||||
ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff;
|
||||
#ifdef HAVE_EXT_CACHE
|
||||
ssl->options.internalCacheOff = ctx->internalCacheOff;
|
||||
ssl->options.internalCacheLookupOff = ctx->internalCacheLookupOff;
|
||||
#endif
|
||||
|
||||
ssl->options.verifyPeer = ctx->verifyPeer;
|
||||
@ -6627,16 +6629,14 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
|
||||
}
|
||||
#endif /*OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */
|
||||
|
||||
ssl->session.masterSecret = ssl->session._masterSecret;
|
||||
#ifndef NO_CLIENT_CACHE
|
||||
ssl->session.serverID = ssl->session._serverID;
|
||||
#endif
|
||||
#ifdef OPENSSL_EXTRA
|
||||
ssl->session.sessionCtx = ssl->session._sessionCtx;
|
||||
#endif
|
||||
ssl->session = wolfSSL_NewSession(ssl->heap);
|
||||
if (ssl->session == NULL) {
|
||||
WOLFSSL_MSG("SSL Session Memory error");
|
||||
return MEMORY_E;
|
||||
}
|
||||
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
ssl->options.noTicketTls12 = ctx->noTicketTls12;
|
||||
ssl->session.ticket = ssl->session._staticTicket;
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_MULTICAST
|
||||
@ -6683,10 +6683,10 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
|
||||
void FreeArrays(WOLFSSL* ssl, int keep)
|
||||
{
|
||||
if (ssl->arrays) {
|
||||
if (keep) {
|
||||
if (keep && !IsAtLeastTLSv1_3(ssl->version)) {
|
||||
/* keeps session id for user retrieval */
|
||||
XMEMCPY(ssl->session.sessionID, ssl->arrays->sessionID, ID_LEN);
|
||||
ssl->session.sessionIDSz = ssl->arrays->sessionIDSz;
|
||||
XMEMCPY(ssl->session->sessionID, ssl->arrays->sessionID, ID_LEN);
|
||||
ssl->session->sessionIDSz = ssl->arrays->sessionIDSz;
|
||||
}
|
||||
if (ssl->arrays->preMasterSecret) {
|
||||
XFREE(ssl->arrays->preMasterSecret, ssl->heap, DYNAMIC_TYPE_SECRET);
|
||||
@ -7014,6 +7014,13 @@ void SSL_ResourceFree(WOLFSSL* ssl)
|
||||
* example with the RNG, it isn't used beyond the handshake except when
|
||||
* using stream ciphers where it is retained. */
|
||||
|
||||
if (ssl->options.side == WOLFSSL_SERVER_END) {
|
||||
WOLFSSL_MSG("Free'ing server ssl");
|
||||
}
|
||||
else {
|
||||
WOLFSSL_MSG("Free'ing client ssl");
|
||||
}
|
||||
|
||||
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
|
||||
wolfSSL_CRYPTO_cleanup_ex_data(&ssl->ex_data);
|
||||
#endif
|
||||
@ -7213,17 +7220,8 @@ void SSL_ResourceFree(WOLFSSL* ssl)
|
||||
FreeX509(&ssl->peerCert);
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
if (ssl->session.ticketLenAlloc > 0) {
|
||||
XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
|
||||
ssl->session.ticket = ssl->session._staticTicket;
|
||||
ssl->session.ticketLenAlloc = 0;
|
||||
ssl->session.ticketLen = 0;
|
||||
}
|
||||
#endif
|
||||
#ifdef HAVE_EXT_CACHE
|
||||
wolfSSL_SESSION_free(ssl->extSession);
|
||||
#endif
|
||||
if (ssl->session != NULL)
|
||||
wolfSSL_FreeSession(ssl->session);
|
||||
#ifdef HAVE_WRITE_DUP
|
||||
if (ssl->dupWrite) {
|
||||
FreeWriteDup(ssl);
|
||||
@ -7490,15 +7488,6 @@ void FreeHandshakeResources(WOLFSSL* ssl)
|
||||
}
|
||||
#endif /* HAVE_PK_CALLBACKS */
|
||||
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
if (ssl->session.ticketLenAlloc > 0) {
|
||||
XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
|
||||
ssl->session.ticket = ssl->session._staticTicket;
|
||||
ssl->session.ticketLenAlloc = 0;
|
||||
ssl->session.ticketLen = 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_TLS_EXTENSIONS) && !defined(HAVE_SNI) && \
|
||||
!defined(HAVE_ALPN) && !defined(WOLFSSL_POST_HANDSHAKE_AUTH)
|
||||
/* Some extensions need to be kept for post-handshake querying. */
|
||||
@ -8960,6 +8949,7 @@ static int SendHandshakeMsg(WOLFSSL* ssl, byte* input, word32 inputSz,
|
||||
static int wolfSSLReceive(WOLFSSL* ssl, byte* buf, word32 sz)
|
||||
{
|
||||
int recvd;
|
||||
int retryLimit = WOLFSSL_MODE_AUTO_RETRY_ATTEMPTS;
|
||||
|
||||
if (ssl->CBIORecv == NULL) {
|
||||
WOLFSSL_MSG("Your IO Recv callback is null, please set");
|
||||
@ -8985,8 +8975,11 @@ retry:
|
||||
return -1;
|
||||
|
||||
case WOLFSSL_CBIO_ERR_WANT_READ: /* want read, would block */
|
||||
if (ssl->ctx->autoRetry)
|
||||
if (retryLimit > 0 && ssl->ctx->autoRetry &&
|
||||
!ssl->options.handShakeDone && !ssl->options.dtls) {
|
||||
retryLimit--;
|
||||
goto retry;
|
||||
}
|
||||
return WANT_READ;
|
||||
|
||||
case WOLFSSL_CBIO_ERR_CONN_RST: /* connection reset */
|
||||
@ -11358,7 +11351,7 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
|
||||
}
|
||||
#endif
|
||||
#ifdef SESSION_CERTS
|
||||
store->sesChain = &ssl->session.chain;
|
||||
store->sesChain = &ssl->session->chain;
|
||||
#endif
|
||||
}
|
||||
#ifndef NO_WOLFSSL_CM_VERIFY
|
||||
@ -11428,9 +11421,9 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
|
||||
#ifdef SESSION_CERTS
|
||||
if ((ssl != NULL) && (store->discardSessionCerts)) {
|
||||
WOLFSSL_MSG("Verify callback requested discard sess certs");
|
||||
ssl->session.chain.count = 0;
|
||||
ssl->session->chain.count = 0;
|
||||
#ifdef WOLFSSL_ALT_CERT_CHAINS
|
||||
ssl->session.altChain.count = 0;
|
||||
ssl->session->altChain.count = 0;
|
||||
#endif
|
||||
}
|
||||
#endif /* SESSION_CERTS */
|
||||
@ -12070,7 +12063,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
args->certs[args->totalCerts].buffer = input + args->idx;
|
||||
|
||||
#ifdef SESSION_CERTS
|
||||
AddSessionCertToChain(&ssl->session.chain,
|
||||
AddSessionCertToChain(&ssl->session->chain,
|
||||
input + args->idx, certSz);
|
||||
#endif /* SESSION_CERTS */
|
||||
|
||||
@ -12155,7 +12148,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
if (args->certIdx == 0) {
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
TrustedPeerCert* tp;
|
||||
int matchType = WC_MATCH_NAME;
|
||||
#endif
|
||||
|
||||
ret = ProcessPeerCertParse(ssl, args, CERT_TYPE, NO_VERIFY,
|
||||
@ -12172,11 +12164,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
#ifndef NO_SKID
|
||||
if (args->dCert->extAuthKeyIdSet)
|
||||
matchType = WC_MATCH_SKID;
|
||||
#endif
|
||||
tp = GetTrustedPeer(SSL_CM(ssl), subjectHash, matchType);
|
||||
tp = GetTrustedPeer(SSL_CM(ssl), args->dCert);
|
||||
WOLFSSL_MSG("Checking for trusted peer cert");
|
||||
|
||||
if (tp && MatchTrustedPeer(tp, args->dCert)) {
|
||||
@ -12370,7 +12358,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
#if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
|
||||
/* if using alternate chain, store the cert used */
|
||||
if (ssl->options.usingAltCertChain) {
|
||||
AddSessionCertToChain(&ssl->session.altChain,
|
||||
AddSessionCertToChain(&ssl->session->altChain,
|
||||
cert->buffer, cert->length);
|
||||
}
|
||||
#endif /* SESSION_CERTS && WOLFSSL_ALT_CERT_CHAINS */
|
||||
@ -12466,7 +12454,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
/* if using alternate chain, store the cert used */
|
||||
if (ssl->options.usingAltCertChain) {
|
||||
buffer* cert = &args->certs[args->certIdx];
|
||||
AddSessionCertToChain(&ssl->session.altChain,
|
||||
AddSessionCertToChain(&ssl->session->altChain,
|
||||
cert->buffer, cert->length);
|
||||
}
|
||||
#endif /* SESSION_CERTS && WOLFSSL_ALT_CERT_CHAINS */
|
||||
@ -12512,13 +12500,18 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
WOLFSSL_MSG("Failed to verify Peer's cert");
|
||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
||||
if (ssl->peerVerifyRet == 0) { /* Return first cert error here */
|
||||
if (ret == ASN_BEFORE_DATE_E)
|
||||
ssl->peerVerifyRet = X509_V_ERR_CERT_NOT_YET_VALID;
|
||||
else if (ret == ASN_AFTER_DATE_E)
|
||||
ssl->peerVerifyRet = X509_V_ERR_CERT_HAS_EXPIRED;
|
||||
if (ret == ASN_BEFORE_DATE_E) {
|
||||
ssl->peerVerifyRet =
|
||||
(unsigned long)X509_V_ERR_CERT_NOT_YET_VALID;
|
||||
}
|
||||
else if (ret == ASN_AFTER_DATE_E) {
|
||||
ssl->peerVerifyRet =
|
||||
(unsigned long)X509_V_ERR_CERT_HAS_EXPIRED;
|
||||
}
|
||||
else {
|
||||
ssl->peerVerifyRet =
|
||||
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
|
||||
(unsigned long)
|
||||
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@ -13263,9 +13256,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
|
||||
#ifdef SESSION_CERTS
|
||||
/* Reset the session cert chain count in case the session resume failed. */
|
||||
ssl->session.chain.count = 0;
|
||||
ssl->session->chain.count = 0;
|
||||
#ifdef WOLFSSL_ALT_CERT_CHAINS
|
||||
ssl->session.altChain.count = 0;
|
||||
ssl->session->altChain.count = 0;
|
||||
#endif
|
||||
#endif /* SESSION_CERTS */
|
||||
|
||||
@ -18872,8 +18865,10 @@ int SendCertificate(WOLFSSL* ssl)
|
||||
WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND);
|
||||
WOLFSSL_ENTER("SendCertificate");
|
||||
|
||||
if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher)
|
||||
if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher) {
|
||||
WOLFSSL_MSG("Not sending certificate msg. Using PSK or ANON cipher.");
|
||||
return 0; /* not needed */
|
||||
}
|
||||
|
||||
if (ssl->options.sendVerify == SEND_BLANK_CERT) {
|
||||
#ifdef OPENSSL_EXTRA
|
||||
@ -20212,8 +20207,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
|
||||
case SIDE_ERROR :
|
||||
return "wrong client/server type";
|
||||
|
||||
case NO_PEER_CERT :
|
||||
return "peer didn't send cert";
|
||||
case NO_PEER_CERT : /* OpenSSL compatibility expects this exact text */
|
||||
return "peer did not return a certificate";
|
||||
|
||||
case UNKNOWN_HANDSHAKE_TYPE :
|
||||
return "weird handshake type";
|
||||
@ -20527,8 +20522,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
|
||||
case MISSING_HANDSHAKE_DATA:
|
||||
return "The handshake message is missing required data";
|
||||
|
||||
case BAD_BINDER:
|
||||
return "Binder value does not match value server calculated";
|
||||
case BAD_BINDER: /* OpenSSL compatibility expects this exact text */
|
||||
return "binder does not verify";
|
||||
|
||||
case EXT_NOT_ALLOWED:
|
||||
return "Extension type not allowed in handshake message type";
|
||||
@ -22743,7 +22738,7 @@ exit_dpk:
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
idSz = ssl->options.resuming ? ssl->session.sessionIDSz : 0;
|
||||
idSz = ssl->options.resuming ? ssl->session->sessionIDSz : 0;
|
||||
|
||||
#ifdef WOLFSSL_TLS13
|
||||
if (IsAtLeastTLSv1_3(ssl->version))
|
||||
@ -22759,11 +22754,11 @@ exit_dpk:
|
||||
}
|
||||
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
if (ssl->options.resuming && ssl->session.ticketLen > 0) {
|
||||
if (ssl->options.resuming && ssl->session->ticketLen > 0) {
|
||||
SessionTicket* ticket;
|
||||
|
||||
ticket = TLSX_SessionTicket_Create(0, ssl->session.ticket,
|
||||
ssl->session.ticketLen, ssl->heap);
|
||||
ticket = TLSX_SessionTicket_Create(0, ssl->session->ticket,
|
||||
ssl->session->ticketLen, ssl->heap);
|
||||
if (ticket == NULL) return MEMORY_E;
|
||||
|
||||
ret = TLSX_UseSessionTicket(&ssl->extensions, ticket, ssl->heap);
|
||||
@ -22852,9 +22847,9 @@ exit_dpk:
|
||||
/* then session id */
|
||||
output[idx++] = (byte)idSz;
|
||||
if (idSz) {
|
||||
XMEMCPY(output + idx, ssl->session.sessionID,
|
||||
ssl->session.sessionIDSz);
|
||||
idx += ssl->session.sessionIDSz;
|
||||
XMEMCPY(output + idx, ssl->session->sessionID,
|
||||
ssl->session->sessionIDSz);
|
||||
idx += ssl->session->sessionIDSz;
|
||||
}
|
||||
|
||||
/* then DTLS cookie */
|
||||
@ -23051,12 +23046,12 @@ exit_dpk:
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
/* server may send blank ticket which may not be expected to indicate
|
||||
* existing one ok but will also be sending a new one */
|
||||
ret = ret || (ssl->session.ticketLen > 0);
|
||||
ret = ret || (ssl->session->ticketLen > 0);
|
||||
#endif
|
||||
|
||||
ret = ret ||
|
||||
(ssl->options.haveSessionId && XMEMCMP(ssl->arrays->sessionID,
|
||||
ssl->session.sessionID, ID_LEN) == 0);
|
||||
ssl->session->sessionID, ID_LEN) == 0);
|
||||
|
||||
return ret;
|
||||
}
|
||||
@ -23394,7 +23389,7 @@ exit_dpk:
|
||||
#ifdef HAVE_SECRET_CALLBACK
|
||||
if (ssl->sessionSecretCb != NULL) {
|
||||
int secretSz = SECRET_LEN;
|
||||
ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret,
|
||||
ret = ssl->sessionSecretCb(ssl, ssl->session->masterSecret,
|
||||
&secretSz, ssl->sessionSecretCtx);
|
||||
if (ret != 0 || secretSz != SECRET_LEN)
|
||||
return SESSION_SECRET_CB_E;
|
||||
@ -23452,7 +23447,7 @@ exit_dpk:
|
||||
if (SetCipherSpecs(ssl) == 0) {
|
||||
|
||||
XMEMCPY(ssl->arrays->masterSecret,
|
||||
ssl->session.masterSecret, SECRET_LEN);
|
||||
ssl->session->masterSecret, SECRET_LEN);
|
||||
#ifdef NO_OLD_TLS
|
||||
ret = DeriveTlsKeys(ssl);
|
||||
#else
|
||||
@ -26724,27 +26719,27 @@ exit_scv:
|
||||
int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length)
|
||||
{
|
||||
/* Free old dynamic ticket if we already had one */
|
||||
if (ssl->session.ticketLenAlloc > 0) {
|
||||
XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
|
||||
ssl->session.ticket = ssl->session._staticTicket;
|
||||
ssl->session.ticketLenAlloc = 0;
|
||||
if (ssl->session->ticketLenAlloc > 0) {
|
||||
XFREE(ssl->session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
|
||||
ssl->session->ticket = ssl->session->_staticTicket;
|
||||
ssl->session->ticketLenAlloc = 0;
|
||||
}
|
||||
|
||||
if (length > sizeof(ssl->session._staticTicket)) {
|
||||
if (length > sizeof(ssl->session->_staticTicket)) {
|
||||
byte* sessionTicket =
|
||||
(byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
|
||||
if (sessionTicket == NULL)
|
||||
return MEMORY_E;
|
||||
ssl->session.ticket = sessionTicket;
|
||||
ssl->session.ticketLenAlloc = (word16)length;
|
||||
ssl->session->ticket = sessionTicket;
|
||||
ssl->session->ticketLenAlloc = (word16)length;
|
||||
}
|
||||
ssl->session.ticketLen = (word16)length;
|
||||
ssl->session->ticketLen = (word16)length;
|
||||
|
||||
if (length > 0) {
|
||||
XMEMCPY(ssl->session.ticket, ticket, length);
|
||||
XMEMCPY(ssl->session->ticket, ticket, length);
|
||||
if (ssl->session_ticket_cb != NULL) {
|
||||
ssl->session_ticket_cb(ssl,
|
||||
ssl->session.ticket, ssl->session.ticketLen,
|
||||
ssl->session->ticket, ssl->session->ticketLen,
|
||||
ssl->session_ticket_ctx);
|
||||
}
|
||||
/* Create a fake sessionID based on the ticket, this will
|
||||
@ -26752,13 +26747,13 @@ int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length)
|
||||
ssl->options.haveSessionId = 1;
|
||||
#ifdef WOLFSSL_TLS13
|
||||
if (ssl->options.tls1_3) {
|
||||
XMEMCPY(ssl->session.sessionID,
|
||||
ssl->session.ticket + length - ID_LEN, ID_LEN);
|
||||
XMEMCPY(ssl->session->sessionID,
|
||||
ssl->session->ticket + length - ID_LEN, ID_LEN);
|
||||
}
|
||||
else
|
||||
#endif
|
||||
XMEMCPY(ssl->arrays->sessionID,
|
||||
ssl->session.ticket + length - ID_LEN, ID_LEN);
|
||||
ssl->session->ticket + length - ID_LEN, ID_LEN);
|
||||
}
|
||||
|
||||
return 0;
|
||||
@ -28841,7 +28836,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
*/
|
||||
static int VerifyServerSuite(WOLFSSL* ssl, word16 idx)
|
||||
{
|
||||
int haveRSA = !ssl->options.haveStaticECC;
|
||||
#ifndef NO_PSK
|
||||
int havePSK = ssl->options.havePSK;
|
||||
#endif
|
||||
@ -28860,7 +28854,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
|
||||
if (CipherRequires(first, second, REQUIRES_RSA)) {
|
||||
WOLFSSL_MSG("Requires RSA");
|
||||
if (haveRSA == 0) {
|
||||
if (ssl->options.haveRSA == 0) {
|
||||
WOLFSSL_MSG("Don't have RSA");
|
||||
return 0;
|
||||
}
|
||||
@ -29193,7 +29187,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
ssl->arrays->masterSecret, 1);
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
if (ssl->options.useTicket == 1) {
|
||||
session = &ssl->session;
|
||||
session = ssl->session;
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -29251,13 +29245,10 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
{
|
||||
int ret = 0;
|
||||
WOLFSSL_SESSION* session;
|
||||
#ifdef HAVE_EXT_CACHE
|
||||
byte gotSess = 0;
|
||||
#endif
|
||||
(void)bogusID;
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
if (ssl->options.useTicket == 1) {
|
||||
session = &ssl->session;
|
||||
session = ssl->session;
|
||||
} else if (bogusID == 1 && ssl->options.rejectTicket == 0) {
|
||||
WOLFSSL_MSG("Bogus session ID without session ticket");
|
||||
return BUFFER_ERROR;
|
||||
@ -29265,9 +29256,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
#endif
|
||||
{
|
||||
session = wolfSSL_GetSession(ssl, ssl->arrays->masterSecret, 1);
|
||||
#ifdef HAVE_EXT_CACHE
|
||||
gotSess = 1;
|
||||
#endif
|
||||
}
|
||||
if (!session) {
|
||||
WOLFSSL_MSG("Session lookup for resume failed");
|
||||
@ -29357,12 +29345,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef HAVE_EXT_CACHE
|
||||
if (gotSess) {
|
||||
wolfSSL_SESSION_free(session);
|
||||
}
|
||||
#endif
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -29966,7 +29948,14 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
#endif
|
||||
#endif
|
||||
|
||||
ret = MatchSuite(ssl, &clSuites);
|
||||
#ifdef OPENSSL_EXTRA
|
||||
/* Give user last chance to provide a cert for cipher selection */
|
||||
if (ret == 0 && ssl->ctx->certSetupCb != NULL)
|
||||
ret = CertSetupCbWrapper(ssl);
|
||||
#endif
|
||||
if (ret == 0)
|
||||
ret = MatchSuite(ssl, &clSuites);
|
||||
|
||||
#ifdef WOLFSSL_EXTRA_ALERTS
|
||||
if (ret == BUFFER_ERROR)
|
||||
SendAlert(ssl, alert_fatal, decode_error);
|
||||
@ -29994,11 +29983,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
wc_HmacFree(&cookieHmac);
|
||||
#endif
|
||||
|
||||
#ifdef OPENSSL_EXTRA
|
||||
if (ret == 0)
|
||||
ret = CertSetupCbWrapper(ssl);
|
||||
#endif
|
||||
|
||||
WOLFSSL_LEAVE("DoClientHello", ret);
|
||||
WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
|
||||
|
||||
@ -30511,20 +30495,25 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
WOLFSSL_TICKET_IV_SZ + WOLFSSL_TICKET_MAC_SZ + LENGTH_SZ)
|
||||
#define WOLFSSL_TICKET_ENC_SZ (SESSION_TICKET_LEN - WOLFSSL_TICKET_FIXED_SZ)
|
||||
|
||||
/* our ticket format */
|
||||
/* Our ticket format. All members need to be a byte or array of byte to
|
||||
* avoid alignment issues */
|
||||
typedef struct InternalTicket {
|
||||
ProtocolVersion pv; /* version when ticket created */
|
||||
byte suite[SUITE_LEN]; /* cipher suite when created */
|
||||
byte msecret[SECRET_LEN]; /* master secret */
|
||||
word32 timestamp; /* born on */
|
||||
word16 haveEMS; /* have extended master secret */
|
||||
byte timestamp[TIMESTAMP_LEN]; /* born on */
|
||||
byte haveEMS; /* have extended master secret */
|
||||
#ifdef WOLFSSL_TLS13
|
||||
word32 ageAdd; /* Obfuscation of age */
|
||||
word16 namedGroup; /* Named group used */
|
||||
byte ageAdd[AGEADD_LEN]; /* Obfuscation of age */
|
||||
byte namedGroup[NAMEDGREOUP_LEN]; /* Named group used */
|
||||
TicketNonce ticketNonce; /* Ticket nonce */
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
word32 maxEarlyDataSz; /* Max size of early data */
|
||||
byte maxEarlyDataSz[MAXEARLYDATASZ_LEN]; /* Max size of
|
||||
* early data */
|
||||
#endif
|
||||
#endif
|
||||
#ifdef WOLFSSL_TICKET_HAVE_ID
|
||||
byte id[ID_LEN];
|
||||
#endif
|
||||
} InternalTicket;
|
||||
|
||||
@ -30570,7 +30559,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
int CreateTicket(WOLFSSL* ssl)
|
||||
{
|
||||
InternalTicket it;
|
||||
ExternalTicket* et = (ExternalTicket*)ssl->session.ticket;
|
||||
ExternalTicket* et = (ExternalTicket*)ssl->session->ticket;
|
||||
int encLen;
|
||||
int ret;
|
||||
byte zeros[WOLFSSL_TICKET_MAC_SZ]; /* biggest cmp size */
|
||||
@ -30585,7 +30574,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
it.suite[1] = ssl->options.cipherSuite;
|
||||
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
it.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
|
||||
c32toa(ssl->options.maxEarlyDataSz, it.maxEarlyDataSz);
|
||||
#endif
|
||||
|
||||
if (!ssl->options.tls1_3) {
|
||||
@ -30602,19 +30591,57 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
sizeof(it.ageAdd));
|
||||
if (ret != 0)
|
||||
return BAD_TICKET_ENCRYPT;
|
||||
ssl->session.ticketAdd = it.ageAdd;
|
||||
it.namedGroup = ssl->session.namedGroup;
|
||||
it.timestamp = TimeNowInMilliseconds();
|
||||
ato32(it.ageAdd, &ssl->session->ticketAdd);
|
||||
c16toa(ssl->session->namedGroup, it.namedGroup);
|
||||
c32toa(TimeNowInMilliseconds(), it.timestamp);
|
||||
/* Resumption master secret. */
|
||||
XMEMCPY(it.msecret, ssl->session.masterSecret, SECRET_LEN);
|
||||
XMEMCPY(&it.ticketNonce, &ssl->session.ticketNonce,
|
||||
XMEMCPY(it.msecret, ssl->session->masterSecret, SECRET_LEN);
|
||||
XMEMCPY(&it.ticketNonce, &ssl->session->ticketNonce,
|
||||
sizeof(TicketNonce));
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_TICKET_HAVE_ID
|
||||
{
|
||||
const byte* id = NULL;
|
||||
byte idSz = 0;
|
||||
if (ssl->session->haveAltSessionID) {
|
||||
id = ssl->session->altSessionID;
|
||||
idSz = ID_LEN;
|
||||
}
|
||||
else if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) {
|
||||
id = ssl->arrays->sessionID;
|
||||
idSz = ssl->arrays->sessionIDSz;
|
||||
}
|
||||
else {
|
||||
id = ssl->session->sessionID;
|
||||
idSz = ssl->session->sessionIDSz;
|
||||
}
|
||||
if (idSz == 0) {
|
||||
ret = wc_RNG_GenerateBlock(ssl->rng, ssl->session->altSessionID,
|
||||
ID_LEN);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
ssl->session->haveAltSessionID = 1;
|
||||
id = ssl->session->altSessionID;
|
||||
idSz = ID_LEN;
|
||||
}
|
||||
XMEMCPY(it.id, id, ID_LEN);
|
||||
}
|
||||
#endif
|
||||
|
||||
/* encrypt */
|
||||
encLen = WOLFSSL_TICKET_ENC_SZ; /* max size user can use */
|
||||
if (ssl->ctx->ticketEncCb == NULL) {
|
||||
if (ssl->ctx->ticketEncCb == NULL
|
||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
|
||||
||
|
||||
/* SSL_OP_NO_TICKET turns off tickets in < 1.2. Forces
|
||||
* "stateful" tickets for 1.3 so just use the regular
|
||||
* stateless ones. */
|
||||
(!IsAtLeastTLSv1_3(ssl->version) &&
|
||||
(ssl->options.mask & SSL_OP_NO_TICKET) != 0)
|
||||
#endif
|
||||
) {
|
||||
ret = WOLFSSL_TICKET_RET_FATAL;
|
||||
}
|
||||
else {
|
||||
@ -30672,7 +30699,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
|
||||
/* set size */
|
||||
c16toa((word16)encLen, et->enc_len);
|
||||
ssl->session.ticketLen = (word16)(encLen + WOLFSSL_TICKET_FIXED_SZ);
|
||||
ssl->session->ticketLen = (word16)(encLen + WOLFSSL_TICKET_FIXED_SZ);
|
||||
if (encLen < WOLFSSL_TICKET_ENC_SZ) {
|
||||
/* move mac up since whole enc buffer not used */
|
||||
XMEMMOVE(et->enc_ticket +encLen, et->mac,WOLFSSL_TICKET_MAC_SZ);
|
||||
@ -30687,7 +30714,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
int DoClientTicket(WOLFSSL* ssl, const byte* input, word32 len)
|
||||
{
|
||||
ExternalTicket* et;
|
||||
InternalTicket it;
|
||||
InternalTicket* it;
|
||||
int ret;
|
||||
int outLen;
|
||||
word16 inLen;
|
||||
@ -30709,7 +30736,16 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
}
|
||||
outLen = inLen; /* may be reduced by user padding */
|
||||
|
||||
if (ssl->ctx->ticketEncCb == NULL) {
|
||||
if (ssl->ctx->ticketEncCb == NULL
|
||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
|
||||
||
|
||||
/* SSL_OP_NO_TICKET turns off tickets in < 1.2. Forces
|
||||
* "stateful" tickets for 1.3 so just use the regular
|
||||
* stateless ones. */
|
||||
(!IsAtLeastTLSv1_3(ssl->version) &&
|
||||
(ssl->options.mask & SSL_OP_NO_TICKET) != 0)
|
||||
#endif
|
||||
) {
|
||||
ret = WOLFSSL_TICKET_RET_FATAL;
|
||||
}
|
||||
else {
|
||||
@ -30724,19 +30760,17 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
return BAD_TICKET_KEY_CB_SZ;
|
||||
}
|
||||
|
||||
/* copy the decrypted ticket to avoid alignment issues */
|
||||
XMEMCPY(&it, et->enc_ticket, sizeof(InternalTicket));
|
||||
ForceZero(et->enc_ticket, sizeof(it));
|
||||
it = (InternalTicket*)et->enc_ticket;
|
||||
|
||||
/* get master secret */
|
||||
if (ret == WOLFSSL_TICKET_RET_OK || ret == WOLFSSL_TICKET_RET_CREATE) {
|
||||
if (ssl->version.minor < it.pv.minor) {
|
||||
if (ssl->version.minor < it->pv.minor) {
|
||||
ForceZero(&it, sizeof(it));
|
||||
WOLFSSL_MSG("Ticket has greater version");
|
||||
return VERSION_ERROR;
|
||||
}
|
||||
else if (ssl->version.minor > it.pv.minor) {
|
||||
if (IsAtLeastTLSv1_3(it.pv) != IsAtLeastTLSv1_3(ssl->version)) {
|
||||
else if (ssl->version.minor > it->pv.minor) {
|
||||
if (IsAtLeastTLSv1_3(it->pv) != IsAtLeastTLSv1_3(ssl->version)) {
|
||||
ForceZero(&it, sizeof(it));
|
||||
WOLFSSL_MSG("Tickets cannot be shared between "
|
||||
"TLS 1.3 and TLS 1.2 and lower");
|
||||
@ -30751,40 +30785,54 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
|
||||
WOLFSSL_MSG("Downgrading protocol due to ticket");
|
||||
|
||||
if (it.pv.minor < ssl->options.minDowngrade) {
|
||||
if (it->pv.minor < ssl->options.minDowngrade) {
|
||||
ForceZero(&it, sizeof(it));
|
||||
return VERSION_ERROR;
|
||||
}
|
||||
ssl->version.minor = it.pv.minor;
|
||||
ssl->version.minor = it->pv.minor;
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_TICKET_HAVE_ID
|
||||
{
|
||||
ssl->session->haveAltSessionID = 1;
|
||||
XMEMCPY(ssl->session->altSessionID, it->id, ID_LEN);
|
||||
if (wolfSSL_GetSession(ssl, NULL, 1) != NULL) {
|
||||
WOLFSSL_MSG("Found session matching the session id"
|
||||
" found in the ticket");
|
||||
}
|
||||
else {
|
||||
WOLFSSL_MSG("Can't find session matching the session id"
|
||||
" found in the ticket");
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
if (!IsAtLeastTLSv1_3(ssl->version)) {
|
||||
XMEMCPY(ssl->arrays->masterSecret, it.msecret, SECRET_LEN);
|
||||
XMEMCPY(ssl->arrays->masterSecret, it->msecret, SECRET_LEN);
|
||||
/* Copy the haveExtendedMasterSecret property from the ticket to
|
||||
* the saved session, so the property may be checked later. */
|
||||
ssl->session.haveEMS = it.haveEMS;
|
||||
ato32((const byte*)&it.timestamp, &ssl->session.bornOn);
|
||||
ssl->session->haveEMS = it->haveEMS;
|
||||
ato32((const byte*)&it->timestamp, &ssl->session->bornOn);
|
||||
#ifndef NO_RESUME_SUITE_CHECK
|
||||
ssl->session.cipherSuite0 = it.suite[0];
|
||||
ssl->session.cipherSuite = it.suite[1];
|
||||
ssl->session->cipherSuite0 = it->suite[0];
|
||||
ssl->session->cipherSuite = it->suite[1];
|
||||
#endif
|
||||
}
|
||||
else {
|
||||
#ifdef WOLFSSL_TLS13
|
||||
/* Restore information to renegotiate. */
|
||||
ssl->session.ticketSeen = it.timestamp;
|
||||
ssl->session.ticketAdd = it.ageAdd;
|
||||
ssl->session.cipherSuite0 = it.suite[0];
|
||||
ssl->session.cipherSuite = it.suite[1];
|
||||
ato32(it->timestamp, &ssl->session->ticketSeen);
|
||||
ato32(it->ageAdd, &ssl->session->ticketAdd);
|
||||
ssl->session->cipherSuite0 = it->suite[0];
|
||||
ssl->session->cipherSuite = it->suite[1];
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
ssl->session.maxEarlyDataSz = it.maxEarlyDataSz;
|
||||
ato32(it->maxEarlyDataSz, &ssl->session->maxEarlyDataSz);
|
||||
#endif
|
||||
/* Resumption master secret. */
|
||||
XMEMCPY(ssl->session.masterSecret, it.msecret, SECRET_LEN);
|
||||
XMEMCPY(&ssl->session.ticketNonce, &it.ticketNonce,
|
||||
XMEMCPY(ssl->session->masterSecret, it->msecret, SECRET_LEN);
|
||||
XMEMCPY(&ssl->session->ticketNonce, &it->ticketNonce,
|
||||
sizeof(TicketNonce));
|
||||
ssl->session.namedGroup = it.namedGroup;
|
||||
ato16(it->namedGroup, &ssl->session->namedGroup);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
@ -30815,7 +30863,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
if (ret != 0) return ret;
|
||||
}
|
||||
|
||||
length += ssl->session.ticketLen;
|
||||
length += ssl->session->ticketLen;
|
||||
sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
|
||||
|
||||
if (!ssl->options.dtls) {
|
||||
@ -30847,12 +30895,12 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
idx += SESSION_HINT_SZ;
|
||||
|
||||
/* length */
|
||||
c16toa(ssl->session.ticketLen, output + idx);
|
||||
c16toa(ssl->session->ticketLen, output + idx);
|
||||
idx += LENGTH_SZ;
|
||||
|
||||
/* ticket */
|
||||
XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen);
|
||||
idx += ssl->session.ticketLen;
|
||||
XMEMCPY(output + idx, ssl->session->ticket, ssl->session->ticketLen);
|
||||
idx += ssl->session->ticketLen;
|
||||
|
||||
if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) {
|
||||
byte* input;
|
||||
@ -31207,6 +31255,8 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
|
||||
byte* p = aad;
|
||||
int keyIdx = 0;
|
||||
|
||||
WOLFSSL_ENTER("DefTicketEncCb");
|
||||
|
||||
/* Check we have setup the RNG, name and primary key. */
|
||||
if (keyCtx->expirary[0] == 0) {
|
||||
#ifndef SINGLE_THREADED
|
||||
|
||||
@ -3044,9 +3044,9 @@ static int ProcessSessionTicket(const byte* input, int* sslBytes,
|
||||
*sslBytes -= OPAQUE8_LEN;
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
/* store nonce in server for DeriveResumptionPSK */
|
||||
session->sslServer->session.ticketNonce.len = len;
|
||||
session->sslServer->session->ticketNonce.len = len;
|
||||
if (len > 0)
|
||||
XMEMCPY(&session->sslServer->session.ticketNonce.data, input, len);
|
||||
XMEMCPY(&session->sslServer->session->ticketNonce.data, input, len);
|
||||
#endif
|
||||
input += len;
|
||||
*sslBytes -= len;
|
||||
@ -3123,7 +3123,7 @@ static int DoResume(SnifferSession* session, char* error)
|
||||
#ifdef WOLFSSL_TLS13
|
||||
if (IsAtLeastTLSv1_3(session->sslServer->version)) {
|
||||
resume = wolfSSL_GetSession(session->sslServer,
|
||||
session->sslServer->session.masterSecret, 0);
|
||||
session->sslServer->session->masterSecret, 0);
|
||||
if (resume == NULL) {
|
||||
/* TLS v1.3 with hello_retry uses session_id even for new session,
|
||||
so ignore error here */
|
||||
@ -3147,8 +3147,8 @@ static int DoResume(SnifferSession* session, char* error)
|
||||
/* make sure client has master secret too */
|
||||
#ifdef WOLFSSL_TLS13
|
||||
if (IsAtLeastTLSv1_3(session->sslServer->version)) {
|
||||
XMEMCPY(session->sslClient->session.masterSecret,
|
||||
session->sslServer->session.masterSecret, SECRET_LEN);
|
||||
XMEMCPY(session->sslClient->session->masterSecret,
|
||||
session->sslServer->session->masterSecret, SECRET_LEN);
|
||||
}
|
||||
else
|
||||
#endif
|
||||
@ -3179,8 +3179,8 @@ static int DoResume(SnifferSession* session, char* error)
|
||||
session->sslServer->arrays->psk_keySz = session->sslServer->specs.hash_size;
|
||||
session->sslClient->arrays->psk_keySz = session->sslClient->specs.hash_size;
|
||||
ret = DeriveResumptionPSK(session->sslServer,
|
||||
session->sslServer->session.ticketNonce.data,
|
||||
session->sslServer->session.ticketNonce.len,
|
||||
session->sslServer->session->ticketNonce.data,
|
||||
session->sslServer->session->ticketNonce.len,
|
||||
session->sslServer->arrays->psk_key);
|
||||
/* Copy resumption PSK to client */
|
||||
XMEMCPY(session->sslClient->arrays->psk_key,
|
||||
@ -3266,7 +3266,7 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
|
||||
}
|
||||
if (b) {
|
||||
#ifdef WOLFSSL_TLS13
|
||||
XMEMCPY(session->sslServer->session.sessionID, input, ID_LEN);
|
||||
XMEMCPY(session->sslServer->session->sessionID, input, ID_LEN);
|
||||
#endif
|
||||
XMEMCPY(session->sslServer->arrays->sessionID, input, ID_LEN);
|
||||
session->sslServer->options.haveSessionId = 1;
|
||||
@ -3370,10 +3370,10 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
|
||||
session->sslClient->options.resuming = 1;
|
||||
#ifdef WOLFSSL_TLS13
|
||||
/* default nonce to len = 1, data = 0 */
|
||||
session->sslServer->session.ticketNonce.len = 1;
|
||||
session->sslServer->session.ticketNonce.data[0] = 0;
|
||||
session->sslClient->session.ticketNonce.len = 1;
|
||||
session->sslClient->session.ticketNonce.data[0] = 0;
|
||||
session->sslServer->session->ticketNonce.len = 1;
|
||||
session->sslServer->session->ticketNonce.data[0] = 0;
|
||||
session->sslClient->session->ticketNonce.len = 1;
|
||||
session->sslClient->session->ticketNonce.data[0] = 0;
|
||||
#endif
|
||||
break;
|
||||
#endif
|
||||
@ -3595,7 +3595,7 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
|
||||
}
|
||||
Trace(CLIENT_RESUME_TRY_STR);
|
||||
#ifdef WOLFSSL_TLS13
|
||||
XMEMCPY(session->sslClient->session.sessionID, input, ID_LEN);
|
||||
XMEMCPY(session->sslClient->session->sessionID, input, ID_LEN);
|
||||
#endif
|
||||
if (session->sslClient->arrays)
|
||||
XMEMCPY(session->sslClient->arrays->sessionID, input, ID_LEN);
|
||||
@ -4014,14 +4014,14 @@ static int ProcessFinished(const byte* input, int size, int* sslBytes,
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
/* derive resumption secret for next session - on finished (from client) */
|
||||
ret += DeriveResumptionSecret(session->sslClient,
|
||||
session->sslClient->session.masterSecret);
|
||||
session->sslClient->session->masterSecret);
|
||||
|
||||
/* copy resumption secret to server */
|
||||
XMEMCPY(session->sslServer->session.masterSecret,
|
||||
session->sslClient->session.masterSecret, SECRET_LEN);
|
||||
XMEMCPY(session->sslServer->session->masterSecret,
|
||||
session->sslClient->session->masterSecret, SECRET_LEN);
|
||||
#ifdef SHOW_SECRETS
|
||||
PrintSecret("resumption secret",
|
||||
session->sslClient->session.masterSecret, SECRET_LEN);
|
||||
session->sslClient->session->masterSecret, SECRET_LEN);
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
|
||||
26
src/tls.c
26
src/tls.c
@ -7698,7 +7698,7 @@ static int TLSX_KeyShare_Process(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
|
||||
int ret;
|
||||
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
ssl->session.namedGroup = (byte)keyShareEntry->group;
|
||||
ssl->session->namedGroup = (byte)keyShareEntry->group;
|
||||
#endif
|
||||
/* reset the pre master secret size */
|
||||
if (ssl->arrays->preMasterSz == 0)
|
||||
@ -7943,7 +7943,7 @@ static int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
|
||||
/* Process the entry to calculate the secret. */
|
||||
ret = TLSX_KeyShare_Process(ssl, keyShareEntry);
|
||||
if (ret == 0)
|
||||
ssl->session.namedGroup = ssl->namedGroup = group;
|
||||
ssl->session->namedGroup = ssl->namedGroup = group;
|
||||
}
|
||||
else if (msgType == hello_retry_request) {
|
||||
if (length != OPAQUE16_LEN)
|
||||
@ -9122,10 +9122,10 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
if (list->resumption) {
|
||||
/* Check that the session's details are the same as the server's. */
|
||||
if (ssl->options.cipherSuite0 != ssl->session.cipherSuite0 ||
|
||||
ssl->options.cipherSuite != ssl->session.cipherSuite ||
|
||||
ssl->session.version.major != ssl->ctx->method->version.major ||
|
||||
ssl->session.version.minor != ssl->ctx->method->version.minor) {
|
||||
if (ssl->options.cipherSuite0 != ssl->session->cipherSuite0 ||
|
||||
ssl->options.cipherSuite != ssl->session->cipherSuite ||
|
||||
ssl->session->version.major != ssl->ctx->method->version.major ||
|
||||
ssl->session->version.minor != ssl->ctx->method->version.minor) {
|
||||
return PSK_KEY_ERROR;
|
||||
}
|
||||
}
|
||||
@ -9636,7 +9636,7 @@ static int TLSX_EarlyData_Parse(WOLFSSL* ssl, const byte* input, word16 length,
|
||||
return BUFFER_E;
|
||||
ato32(input, &maxSz);
|
||||
|
||||
ssl->session.maxEarlyDataSz = maxSz;
|
||||
ssl->session->maxEarlyDataSz = maxSz;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -10195,8 +10195,8 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
|
||||
int ret = WOLFSSL_SUCCESS;
|
||||
#ifdef WOLFSSL_TLS13
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
if (ssl->options.resuming && ssl->session.namedGroup != 0) {
|
||||
return TLSX_UseSupportedCurve(extensions, ssl->session.namedGroup,
|
||||
if (ssl->options.resuming && ssl->session->namedGroup != 0) {
|
||||
return TLSX_UseSupportedCurve(extensions, ssl->session->namedGroup,
|
||||
ssl->heap);
|
||||
}
|
||||
#endif
|
||||
@ -10600,8 +10600,8 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
|
||||
extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
|
||||
if (extension == NULL) {
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
if (ssl->options.resuming && ssl->session.namedGroup != 0)
|
||||
namedGroup = ssl->session.namedGroup;
|
||||
if (ssl->options.resuming && ssl->session->namedGroup != 0)
|
||||
namedGroup = ssl->session->namedGroup;
|
||||
else
|
||||
#endif
|
||||
if (ssl->numGroups > 0) {
|
||||
@ -10647,8 +10647,8 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
|
||||
TLSX_Remove(&ssl->extensions, TLSX_PRE_SHARED_KEY, ssl->heap);
|
||||
#endif
|
||||
#if defined(HAVE_SESSION_TICKET)
|
||||
if (ssl->options.resuming && ssl->session.ticketLen > 0) {
|
||||
WOLFSSL_SESSION* sess = &ssl->session;
|
||||
if (ssl->options.resuming && ssl->session->ticketLen > 0) {
|
||||
WOLFSSL_SESSION* sess = ssl->session;
|
||||
word32 now, milli;
|
||||
|
||||
if (sess->ticketLen > MAX_PSK_ID_LEN) {
|
||||
|
||||
160
src/tls13.c
160
src/tls13.c
@ -807,7 +807,7 @@ int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
|
||||
masterSecret = ssl->arrays->masterSecret;
|
||||
}
|
||||
else {
|
||||
masterSecret = ssl->session.masterSecret;
|
||||
masterSecret = ssl->session->masterSecret;
|
||||
}
|
||||
return DeriveKey(ssl, key, -1, masterSecret, resumeMasterLabel,
|
||||
RESUME_MASTER_LABEL_SZ, ssl->specs.mac_algorithm, 1);
|
||||
@ -1014,7 +1014,7 @@ int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, byte* secret)
|
||||
|
||||
PRIVATE_KEY_UNLOCK();
|
||||
ret = wc_Tls13_HKDF_Expand_Label(secret, ssl->specs.hash_size,
|
||||
ssl->session.masterSecret, ssl->specs.hash_size,
|
||||
ssl->session->masterSecret, ssl->specs.hash_size,
|
||||
protocol, protocolLen, resumptionLabel,
|
||||
RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg);
|
||||
PRIVATE_KEY_LOCK();
|
||||
@ -2772,13 +2772,13 @@ static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk, int clientHello)
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
if (ssl->session.maxEarlyDataSz == 0)
|
||||
if (ssl->session->maxEarlyDataSz == 0)
|
||||
ssl->earlyData = no_early_data;
|
||||
#endif
|
||||
/* Resumption PSK is master secret. */
|
||||
ssl->arrays->psk_keySz = ssl->specs.hash_size;
|
||||
if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data,
|
||||
ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) {
|
||||
if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data,
|
||||
ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
@ -3049,15 +3049,15 @@ int SendTls13ClientHello(WOLFSSL* ssl)
|
||||
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
if (ssl->options.resuming &&
|
||||
(ssl->session.version.major != ssl->version.major ||
|
||||
ssl->session.version.minor != ssl->version.minor)) {
|
||||
(ssl->session->version.major != ssl->version.major ||
|
||||
ssl->session->version.minor != ssl->version.minor)) {
|
||||
#ifndef WOLFSSL_NO_TLS12
|
||||
if (ssl->session.version.major == ssl->version.major &&
|
||||
ssl->session.version.minor < ssl->version.minor) {
|
||||
if (ssl->session->version.major == ssl->version.major &&
|
||||
ssl->session->version.minor < ssl->version.minor) {
|
||||
/* Cannot resume with a different protocol version. */
|
||||
ssl->options.resuming = 0;
|
||||
ssl->version.major = ssl->session.version.major;
|
||||
ssl->version.minor = ssl->session.version.minor;
|
||||
ssl->version.major = ssl->session->version.major;
|
||||
ssl->version.minor = ssl->session->version.minor;
|
||||
return SendClientHello(ssl);
|
||||
}
|
||||
else
|
||||
@ -3097,8 +3097,8 @@ int SendTls13ClientHello(WOLFSSL* ssl)
|
||||
#if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
|
||||
args->length += ID_LEN;
|
||||
#else
|
||||
if (ssl->session.sessionIDSz > 0)
|
||||
args->length += ssl->session.sessionIDSz;
|
||||
if (ssl->session->sessionIDSz > 0)
|
||||
args->length += ssl->session->sessionIDSz;
|
||||
#endif
|
||||
|
||||
/* Advance state and proceed */
|
||||
@ -3179,11 +3179,11 @@ int SendTls13ClientHello(WOLFSSL* ssl)
|
||||
XMEMCPY(args->output + args->idx, ssl->arrays->clientRandom, RAN_LEN);
|
||||
args->idx += RAN_LEN;
|
||||
|
||||
if (ssl->session.sessionIDSz > 0) {
|
||||
if (ssl->session->sessionIDSz > 0) {
|
||||
/* Session resumption for old versions of protocol. */
|
||||
args->output[args->idx++] = ID_LEN;
|
||||
XMEMCPY(args->output + args->idx, ssl->session.sessionID,
|
||||
ssl->session.sessionIDSz);
|
||||
XMEMCPY(args->output + args->idx, ssl->session->sessionID,
|
||||
ssl->session->sessionIDSz);
|
||||
args->idx += ID_LEN;
|
||||
}
|
||||
else {
|
||||
@ -3255,7 +3255,7 @@ int SendTls13ClientHello(WOLFSSL* ssl)
|
||||
#endif
|
||||
ret = SendBuffered(ssl);
|
||||
|
||||
break;
|
||||
break;
|
||||
}
|
||||
default:
|
||||
ret = INPUT_CASE_ERROR;
|
||||
@ -3514,7 +3514,7 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
#ifdef HAVE_SECRET_CALLBACK
|
||||
if (ssl->sessionSecretCb != NULL) {
|
||||
int secretSz = SECRET_LEN;
|
||||
ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret,
|
||||
ret = ssl->sessionSecretCb(ssl, ssl->session->masterSecret,
|
||||
&secretSz, ssl->sessionSecretCtx);
|
||||
if (ret != 0 || secretSz != SECRET_LEN) {
|
||||
return SESSION_SECRET_CB_E;
|
||||
@ -3562,22 +3562,26 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
case TLS_ASYNC_FINALIZE:
|
||||
{
|
||||
#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
|
||||
if (args->sessIdSz == 0)
|
||||
if (args->sessIdSz == 0) {
|
||||
WOLFSSL_MSG("args->sessIdSz == 0");
|
||||
return INVALID_PARAMETER;
|
||||
if (ssl->session.sessionIDSz != 0) {
|
||||
if (ssl->session.sessionIDSz != args->sessIdSz ||
|
||||
XMEMCMP(ssl->session.sessionID, args->sessId,
|
||||
}
|
||||
if (ssl->session->sessionIDSz != 0) {
|
||||
if (ssl->session->sessionIDSz != args->sessIdSz ||
|
||||
XMEMCMP(ssl->session->sessionID, args->sessId,
|
||||
args->sessIdSz) != 0) {
|
||||
WOLFSSL_MSG("session id doesn't match");
|
||||
return INVALID_PARAMETER;
|
||||
}
|
||||
}
|
||||
else if (XMEMCMP(ssl->arrays->clientRandom, args->sessId,
|
||||
args->sessIdSz) != 0) {
|
||||
WOLFSSL_MSG("session id doesn't match client random");
|
||||
return INVALID_PARAMETER;
|
||||
}
|
||||
#else
|
||||
if (args->sessIdSz != ssl->session.sessionIDSz || (args->sessIdSz > 0 &&
|
||||
XMEMCMP(ssl->session.sessionID, args->sessId, args->sessIdSz) != 0))
|
||||
if (args->sessIdSz != ssl->session->sessionIDSz || (args->sessIdSz > 0 &&
|
||||
XMEMCMP(ssl->session->sessionID, args->sessId, args->sessIdSz) != 0))
|
||||
{
|
||||
WOLFSSL_MSG("Server sent different session id");
|
||||
return INVALID_PARAMETER;
|
||||
@ -3940,7 +3944,7 @@ static int FindPsk(WOLFSSL* ssl, PreSharedKey* psk, byte* suite, int* err)
|
||||
ssl->options.verifyPeer = 0;
|
||||
|
||||
/* PSK age is always zero. */
|
||||
if (psk->ticketAge != ssl->session.ticketAdd) {
|
||||
if (psk->ticketAge != ssl->session->ticketAdd) {
|
||||
ret = PSK_KEY_ERROR;
|
||||
}
|
||||
}
|
||||
@ -4012,7 +4016,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
|
||||
/* Difference between now and time ticket constructed
|
||||
* (from decrypted ticket). */
|
||||
diff = now;
|
||||
diff -= ssl->session.ticketSeen;
|
||||
diff -= ssl->session->ticketSeen;
|
||||
if (diff > (sword64)ssl->timeout * 1000 ||
|
||||
diff > (sword64)TLS13_MAX_TICKET_AGE * 1000) {
|
||||
current = current->next;
|
||||
@ -4020,7 +4024,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
|
||||
}
|
||||
/* Subtract client's ticket age and unobfuscate. */
|
||||
diff -= current->ticketAge;
|
||||
diff += ssl->session.ticketAdd;
|
||||
diff += ssl->session->ticketAdd;
|
||||
/* Check session and ticket age timeout.
|
||||
* Allow +/- 1000 milliseconds on ticket age.
|
||||
*/
|
||||
@ -4033,14 +4037,14 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
|
||||
/* Check whether resumption is possible based on suites in SSL and
|
||||
* ciphersuite in ticket.
|
||||
*/
|
||||
if ((suite[0] != ssl->session.cipherSuite0) ||
|
||||
(suite[1] != ssl->session.cipherSuite)) {
|
||||
if ((suite[0] != ssl->session->cipherSuite0) ||
|
||||
(suite[1] != ssl->session->cipherSuite)) {
|
||||
current = current->next;
|
||||
continue;
|
||||
}
|
||||
#else
|
||||
suite[0] = ssl->session.cipherSuite0;
|
||||
suite[1] = ssl->session.cipherSuite;
|
||||
suite[0] = ssl->session->cipherSuite0;
|
||||
suite[1] = ssl->session->cipherSuite;
|
||||
if (!FindSuiteSSL(ssl, suite)) {
|
||||
current = current->next;
|
||||
continue;
|
||||
@ -4048,19 +4052,19 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
|
||||
#endif
|
||||
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
ssl->options.maxEarlyDataSz = ssl->session.maxEarlyDataSz;
|
||||
ssl->options.maxEarlyDataSz = ssl->session->maxEarlyDataSz;
|
||||
#endif
|
||||
/* Use the same cipher suite as before and set up for use. */
|
||||
ssl->options.cipherSuite0 = ssl->session.cipherSuite0;
|
||||
ssl->options.cipherSuite = ssl->session.cipherSuite;
|
||||
ssl->options.cipherSuite0 = ssl->session->cipherSuite0;
|
||||
ssl->options.cipherSuite = ssl->session->cipherSuite;
|
||||
ret = SetCipherSpecs(ssl);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
|
||||
/* Resumption PSK is resumption master secret. */
|
||||
ssl->arrays->psk_keySz = ssl->specs.hash_size;
|
||||
if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data,
|
||||
ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) {
|
||||
if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data,
|
||||
ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -4269,7 +4273,7 @@ static int CheckPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
|
||||
if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe &&
|
||||
ext != NULL) {
|
||||
/* Only use named group used in last session. */
|
||||
ssl->namedGroup = ssl->session.namedGroup;
|
||||
ssl->namedGroup = ssl->session->namedGroup;
|
||||
|
||||
*usingPSK = 2; /* generate new ephemeral key */
|
||||
}
|
||||
@ -4400,7 +4404,7 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
|
||||
return ret;
|
||||
|
||||
/* Reconstruct the HelloRetryMessage for handshake hash. */
|
||||
length = HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz +
|
||||
length = HRR_BODY_SZ - ID_LEN + ssl->session->sessionIDSz +
|
||||
HRR_COOKIE_HDR_SZ + cookie->len;
|
||||
length += HRR_VERSIONS_SZ;
|
||||
if (cookieDataSz > hashSz + OPAQUE16_LEN) {
|
||||
@ -4421,10 +4425,10 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
|
||||
XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN);
|
||||
hrrIdx += RAN_LEN;
|
||||
|
||||
hrr[hrrIdx++] = ssl->session.sessionIDSz;
|
||||
if (ssl->session.sessionIDSz > 0) {
|
||||
XMEMCPY(hrr + hrrIdx, ssl->session.sessionID, ssl->session.sessionIDSz);
|
||||
hrrIdx += ssl->session.sessionIDSz;
|
||||
hrr[hrrIdx++] = ssl->session->sessionIDSz;
|
||||
if (ssl->session->sessionIDSz > 0) {
|
||||
XMEMCPY(hrr + hrrIdx, ssl->session->sessionID, ssl->session->sessionIDSz);
|
||||
hrrIdx += ssl->session->sessionIDSz;
|
||||
}
|
||||
|
||||
/* Cipher Suite */
|
||||
@ -4435,7 +4439,7 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
|
||||
hrr[hrrIdx++] = 0;
|
||||
|
||||
/* Extensions' length */
|
||||
length -= HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz;
|
||||
length -= HRR_BODY_SZ - ID_LEN + ssl->session->sessionIDSz;
|
||||
c16toa(length, hrr + hrrIdx);
|
||||
hrrIdx += 2;
|
||||
|
||||
@ -4713,9 +4717,9 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
ERROR_OUT(BUFFER_ERROR, exit_dch);
|
||||
}
|
||||
|
||||
ssl->session.sessionIDSz = sessIdSz;
|
||||
ssl->session->sessionIDSz = sessIdSz;
|
||||
if (sessIdSz == ID_LEN) {
|
||||
XMEMCPY(ssl->session.sessionID, input + args->idx, sessIdSz);
|
||||
XMEMCPY(ssl->session->sessionID, input + args->idx, sessIdSz);
|
||||
args->idx += ID_LEN;
|
||||
}
|
||||
|
||||
@ -4969,7 +4973,7 @@ int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
|
||||
/* Protocol version, server random, session id, cipher suite, compression
|
||||
* and extensions.
|
||||
*/
|
||||
length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session.sessionIDSz +
|
||||
length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session->sessionIDSz +
|
||||
SUITE_LEN + COMP_LEN;
|
||||
ret = TLSX_GetResponseSize(ssl, extMsgType, &length);
|
||||
if (ret != 0)
|
||||
@ -5010,10 +5014,10 @@ int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
|
||||
WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
|
||||
#endif
|
||||
|
||||
output[idx++] = ssl->session.sessionIDSz;
|
||||
if (ssl->session.sessionIDSz > 0) {
|
||||
XMEMCPY(output + idx, ssl->session.sessionID, ssl->session.sessionIDSz);
|
||||
idx += ssl->session.sessionIDSz;
|
||||
output[idx++] = ssl->session->sessionIDSz;
|
||||
if (ssl->session->sessionIDSz > 0) {
|
||||
XMEMCPY(output + idx, ssl->session->sessionID, ssl->session->sessionIDSz);
|
||||
idx += ssl->session->sessionIDSz;
|
||||
}
|
||||
|
||||
/* Chosen cipher suite */
|
||||
@ -7140,7 +7144,7 @@ static int SendTls13Finished(WOLFSSL* ssl)
|
||||
return ret;
|
||||
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
|
||||
ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
#endif
|
||||
@ -7472,18 +7476,18 @@ static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
|
||||
return now;
|
||||
/* Copy in ticket data (server identity). */
|
||||
ssl->timeout = lifetime;
|
||||
ssl->session.timeout = lifetime;
|
||||
ssl->session.cipherSuite0 = ssl->options.cipherSuite0;
|
||||
ssl->session.cipherSuite = ssl->options.cipherSuite;
|
||||
ssl->session.ticketSeen = now;
|
||||
ssl->session.ticketAdd = ageAdd;
|
||||
ssl->session->timeout = lifetime;
|
||||
ssl->session->cipherSuite0 = ssl->options.cipherSuite0;
|
||||
ssl->session->cipherSuite = ssl->options.cipherSuite;
|
||||
ssl->session->ticketSeen = now;
|
||||
ssl->session->ticketAdd = ageAdd;
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
|
||||
ssl->session->maxEarlyDataSz = ssl->options.maxEarlyDataSz;
|
||||
#endif
|
||||
ssl->session.ticketNonce.len = nonceLength;
|
||||
ssl->session->ticketNonce.len = nonceLength;
|
||||
if (nonceLength > 0)
|
||||
XMEMCPY(&ssl->session.ticketNonce.data, nonce, nonceLength);
|
||||
ssl->session.namedGroup = ssl->namedGroup;
|
||||
XMEMCPY(&ssl->session->ticketNonce.data, nonce, nonceLength);
|
||||
ssl->session->namedGroup = ssl->namedGroup;
|
||||
|
||||
if ((*inOutIdx - begin) + EXTS_SZ > size)
|
||||
return BUFFER_ERROR;
|
||||
@ -7588,7 +7592,7 @@ static int ExpectedResumptionSecret(WOLFSSL* ssl)
|
||||
if ((ret = HashRaw(ssl, mac, finishedSz)) != 0)
|
||||
return ret;
|
||||
|
||||
if ((ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret)) != 0)
|
||||
if ((ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret)) != 0)
|
||||
return ret;
|
||||
|
||||
/* Restore the hash inline with currently seen messages. */
|
||||
@ -7652,12 +7656,12 @@ static int SendTls13NewSessionTicket(WOLFSSL* ssl)
|
||||
#endif
|
||||
|
||||
/* Start ticket nonce at 0 and go up to 255. */
|
||||
if (ssl->session.ticketNonce.len == 0) {
|
||||
ssl->session.ticketNonce.len = DEF_TICKET_NONCE_SZ;
|
||||
ssl->session.ticketNonce.data[0] = 0;
|
||||
if (ssl->session->ticketNonce.len == 0) {
|
||||
ssl->session->ticketNonce.len = DEF_TICKET_NONCE_SZ;
|
||||
ssl->session->ticketNonce.data[0] = 0;
|
||||
}
|
||||
else
|
||||
ssl->session.ticketNonce.data[0]++;
|
||||
ssl->session->ticketNonce.data[0]++;
|
||||
|
||||
if (!ssl->options.noTicketTls13) {
|
||||
if ((ret = CreateTicket(ssl)) != 0)
|
||||
@ -7665,9 +7669,9 @@ static int SendTls13NewSessionTicket(WOLFSSL* ssl)
|
||||
}
|
||||
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
|
||||
if (ssl->session.maxEarlyDataSz > 0)
|
||||
TLSX_EarlyData_Use(ssl, ssl->session.maxEarlyDataSz);
|
||||
ssl->session->maxEarlyDataSz = ssl->options.maxEarlyDataSz;
|
||||
if (ssl->session->maxEarlyDataSz > 0)
|
||||
TLSX_EarlyData_Use(ssl, ssl->session->maxEarlyDataSz);
|
||||
extSz = 0;
|
||||
ret = TLSX_GetResponseSize(ssl, session_ticket, &extSz);
|
||||
if (ret != 0)
|
||||
@ -7678,7 +7682,7 @@ static int SendTls13NewSessionTicket(WOLFSSL* ssl)
|
||||
|
||||
/* Lifetime | Age Add | Ticket | Extensions */
|
||||
length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ +
|
||||
ssl->session.ticketLen + extSz;
|
||||
ssl->session->ticketLen + extSz;
|
||||
/* Nonce */
|
||||
length += TICKET_NONCE_LEN_SZ + DEF_TICKET_NONCE_SZ;
|
||||
sendSz = idx + length + MAX_MSG_EXTRA;
|
||||
@ -7698,18 +7702,18 @@ static int SendTls13NewSessionTicket(WOLFSSL* ssl)
|
||||
c32toa(ssl->ctx->ticketHint, output + idx);
|
||||
idx += SESSION_HINT_SZ;
|
||||
/* Age add - obfuscator */
|
||||
c32toa(ssl->session.ticketAdd, output + idx);
|
||||
c32toa(ssl->session->ticketAdd, output + idx);
|
||||
idx += SESSION_ADD_SZ;
|
||||
|
||||
output[idx++] = ssl->session.ticketNonce.len;
|
||||
output[idx++] = ssl->session.ticketNonce.data[0];
|
||||
output[idx++] = ssl->session->ticketNonce.len;
|
||||
output[idx++] = ssl->session->ticketNonce.data[0];
|
||||
|
||||
/* length */
|
||||
c16toa(ssl->session.ticketLen, output + idx);
|
||||
c16toa(ssl->session->ticketLen, output + idx);
|
||||
idx += LENGTH_SZ;
|
||||
/* ticket */
|
||||
XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen);
|
||||
idx += ssl->session.ticketLen;
|
||||
XMEMCPY(output + idx, ssl->session->ticket, ssl->session->ticketLen);
|
||||
idx += ssl->session->ticketLen;
|
||||
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
extSz = 0;
|
||||
@ -8405,7 +8409,7 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
#ifndef NO_WOLFSSL_SERVER
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
if (ssl->options.side == WOLFSSL_SERVER_END && type == finished) {
|
||||
ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
|
||||
ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
}
|
||||
@ -9929,8 +9933,8 @@ int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz)
|
||||
if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) {
|
||||
#ifdef OPENSSL_EXTRA
|
||||
/* when processed early data exceeds max size */
|
||||
if (ssl->session.maxEarlyDataSz > 0 &&
|
||||
(ssl->earlyDataSz + sz > ssl->session.maxEarlyDataSz)) {
|
||||
if (ssl->session->maxEarlyDataSz > 0 &&
|
||||
(ssl->earlyDataSz + sz > ssl->session->maxEarlyDataSz)) {
|
||||
ssl->error = TOO_MUCH_EARLY_DATA;
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
|
||||
352
tests/api.c
352
tests/api.c
@ -914,47 +914,66 @@ static void test_wolfSSL_CTX_trust_peer_cert(void)
|
||||
#if !defined(NO_CERTS) && defined(WOLFSSL_TRUST_PEER_CERT) && \
|
||||
!defined(NO_WOLFSSL_CLIENT)
|
||||
WOLFSSL_CTX *ctx;
|
||||
WOLFSSL* ssl;
|
||||
|
||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
|
||||
AssertNotNull(ssl = wolfSSL_new(ctx));
|
||||
|
||||
#if !defined(NO_FILESYSTEM)
|
||||
/* invalid file */
|
||||
assert(wolfSSL_CTX_trust_peer_cert(ctx, NULL,
|
||||
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS);
|
||||
assert(wolfSSL_CTX_trust_peer_cert(ctx, bogusFile,
|
||||
WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS);
|
||||
assert(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile,
|
||||
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS);
|
||||
AssertIntNE(wolfSSL_CTX_trust_peer_cert(ctx, NULL,
|
||||
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
AssertIntNE(wolfSSL_CTX_trust_peer_cert(ctx, bogusFile,
|
||||
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
AssertIntNE(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile,
|
||||
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
|
||||
|
||||
/* success */
|
||||
assert(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile, WOLFSSL_FILETYPE_PEM)
|
||||
== WOLFSSL_SUCCESS);
|
||||
AssertIntEQ(wolfSSL_CTX_trust_peer_cert(ctx, cliCertFile,
|
||||
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
|
||||
/* unload cert */
|
||||
assert(wolfSSL_CTX_Unload_trust_peers(NULL) != WOLFSSL_SUCCESS);
|
||||
assert(wolfSSL_CTX_Unload_trust_peers(ctx) == WOLFSSL_SUCCESS);
|
||||
AssertIntNE(wolfSSL_CTX_Unload_trust_peers(NULL), WOLFSSL_SUCCESS);
|
||||
AssertIntEQ(wolfSSL_CTX_Unload_trust_peers(ctx), WOLFSSL_SUCCESS);
|
||||
|
||||
/* invalid file */
|
||||
AssertIntNE(wolfSSL_trust_peer_cert(ssl, NULL,
|
||||
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
AssertIntNE(wolfSSL_trust_peer_cert(ssl, bogusFile,
|
||||
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
AssertIntNE(wolfSSL_trust_peer_cert(ssl, cliCertFile,
|
||||
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
|
||||
|
||||
/* success */
|
||||
AssertIntEQ(wolfSSL_trust_peer_cert(ssl, cliCertFile,
|
||||
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
|
||||
/* unload cert */
|
||||
AssertIntNE(wolfSSL_Unload_trust_peers(NULL), WOLFSSL_SUCCESS);
|
||||
AssertIntEQ(wolfSSL_Unload_trust_peers(ssl), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
|
||||
/* Test of loading certs from buffers */
|
||||
|
||||
/* invalid buffer */
|
||||
assert(wolfSSL_CTX_trust_peer_buffer(ctx, NULL, -1,
|
||||
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS);
|
||||
AssertIntNE(wolfSSL_CTX_trust_peer_buffer(ctx, NULL, -1,
|
||||
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
|
||||
|
||||
/* success */
|
||||
#ifdef USE_CERT_BUFFERS_1024
|
||||
assert(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_1024,
|
||||
sizeof_client_cert_der_1024, WOLFSSL_FILETYPE_ASN1) == WOLFSSL_SUCCESS);
|
||||
AssertIntEQ(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_1024,
|
||||
sizeof_client_cert_der_1024, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
#ifdef USE_CERT_BUFFERS_2048
|
||||
assert(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_2048,
|
||||
sizeof_client_cert_der_2048, WOLFSSL_FILETYPE_ASN1) == WOLFSSL_SUCCESS);
|
||||
AssertIntEQ(wolfSSL_CTX_trust_peer_buffer(ctx, client_cert_der_2048,
|
||||
sizeof_client_cert_der_2048, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
|
||||
#endif
|
||||
|
||||
/* unload cert */
|
||||
assert(wolfSSL_CTX_Unload_trust_peers(NULL) != WOLFSSL_SUCCESS);
|
||||
assert(wolfSSL_CTX_Unload_trust_peers(ctx) == WOLFSSL_SUCCESS);
|
||||
AssertIntNE(wolfSSL_CTX_Unload_trust_peers(NULL), WOLFSSL_SUCCESS);
|
||||
AssertIntEQ(wolfSSL_CTX_Unload_trust_peers(ctx), WOLFSSL_SUCCESS);
|
||||
|
||||
wolfSSL_free(ssl);
|
||||
wolfSSL_CTX_free(ctx);
|
||||
#endif
|
||||
}
|
||||
@ -2423,6 +2442,7 @@ static int test_wolfSSL_CTX_use_certificate_chain_file_format(void)
|
||||
int ret = 0;
|
||||
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_RSA)
|
||||
const char* server_chain_der = "./certs/server-cert-chain.der";
|
||||
const char* client_single_pem = "./certs/client-cert.pem";
|
||||
WOLFSSL_CTX* ctx;
|
||||
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
@ -2435,6 +2455,8 @@ static int test_wolfSSL_CTX_use_certificate_chain_file_format(void)
|
||||
|
||||
AssertIntEQ(wolfSSL_CTX_use_certificate_chain_file_format(ctx,
|
||||
server_chain_der, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
|
||||
AssertIntEQ(wolfSSL_CTX_use_certificate_chain_file_format(ctx,
|
||||
client_single_pem, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
|
||||
|
||||
wolfSSL_CTX_free(ctx);
|
||||
#endif
|
||||
@ -4446,6 +4468,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
|
||||
callback_functions* cbf;
|
||||
WOLFSSL_CTX* ctx = 0;
|
||||
WOLFSSL* ssl = 0;
|
||||
func_args* opts = (func_args*)args;
|
||||
|
||||
char msg[] = "I hear you fa shizzle!";
|
||||
char input[1024];
|
||||
@ -4460,8 +4483,8 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
|
||||
fdOpenSession(Task_self());
|
||||
#endif
|
||||
|
||||
((func_args*)args)->return_code = TEST_FAIL;
|
||||
cbf = ((func_args*)args)->callbacks;
|
||||
opts->return_code = TEST_FAIL;
|
||||
cbf = opts->callbacks;
|
||||
|
||||
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
|
||||
if (cbf != NULL && cbf->ctx) {
|
||||
@ -4484,19 +4507,21 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (cbf == NULL || !cbf->ticNoInit) {
|
||||
#if defined(HAVE_SESSION_TICKET) && \
|
||||
((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM))
|
||||
#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC)
|
||||
OpenSSLTicketInit();
|
||||
wolfSSL_CTX_set_tlsext_ticket_key_cb(ctx, myTicketEncCbOpenSSL);
|
||||
OpenSSLTicketInit();
|
||||
wolfSSL_CTX_set_tlsext_ticket_key_cb(ctx, myTicketEncCbOpenSSL);
|
||||
#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
|
||||
TicketInit();
|
||||
wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb);
|
||||
TicketInit();
|
||||
wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb);
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
|
||||
#if defined(USE_WINDOWS_API)
|
||||
port = ((func_args*)args)->signal->port;
|
||||
port = opts->signal->port;
|
||||
#elif defined(NO_MAIN_DRIVER) && !defined(WOLFSSL_SNIFFER) && \
|
||||
!defined(WOLFSSL_MDK_SHELL) && !defined(WOLFSSL_TIRTOS)
|
||||
/* Let tcp_listen assign port */
|
||||
@ -4507,7 +4532,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
|
||||
#endif
|
||||
|
||||
/* do it here to detect failure */
|
||||
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0);
|
||||
tcp_accept(&sockfd, &clientfd, opts, port, 0, 0, 0, 0, 1, 0, 0);
|
||||
CloseSocket(sockfd);
|
||||
|
||||
wolfSSL_CTX_set_verify(ctx,
|
||||
@ -4557,7 +4582,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
|
||||
|
||||
#ifdef WOLFSSL_SESSION_EXPORT
|
||||
/* only add in more complex nonblocking case with session export tests */
|
||||
if (args && ((func_args*)args)->argc > 0) {
|
||||
if (args && opts->argc > 0) {
|
||||
/* set as nonblock and time out for waiting on read/write */
|
||||
tcp_set_nonblocking(&clientfd);
|
||||
wolfSSL_dtls_set_using_nonblock(ssl, 1);
|
||||
@ -4604,10 +4629,10 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
|
||||
|
||||
#ifdef WOLFSSL_SESSION_EXPORT
|
||||
/* only add in more complex nonblocking case with session export tests */
|
||||
if (((func_args*)args)->argc > 0) {
|
||||
if (opts->argc > 0) {
|
||||
ret = nonblocking_accept_read(args, ssl, &clientfd);
|
||||
if (ret >= 0) {
|
||||
((func_args*)args)->return_code = TEST_SUCCESS;
|
||||
opts->return_code = TEST_SUCCESS;
|
||||
}
|
||||
#ifdef WOLFSSL_TIRTOS
|
||||
Task_yield();
|
||||
@ -4668,7 +4693,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
|
||||
Task_yield();
|
||||
#endif
|
||||
|
||||
((func_args*)args)->return_code = TEST_SUCCESS;
|
||||
opts->return_code = TEST_SUCCESS;
|
||||
|
||||
done:
|
||||
wolfSSL_shutdown(ssl);
|
||||
@ -4687,14 +4712,16 @@ done:
|
||||
wc_ecc_fp_free(); /* free per thread cache */
|
||||
#endif
|
||||
|
||||
if (cbf == NULL || !cbf->ticNoInit) {
|
||||
#if defined(HAVE_SESSION_TICKET) && \
|
||||
((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM))
|
||||
#if defined(OPENSSL_EXTRA) && defined(HAVE_AES_CBC)
|
||||
OpenSSLTicketCleanup();
|
||||
OpenSSLTicketCleanup();
|
||||
#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
|
||||
TicketCleanup();
|
||||
TicketCleanup();
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifndef WOLFSSL_TIRTOS
|
||||
return 0;
|
||||
@ -5072,6 +5099,9 @@ static void test_client_nofail(void* args, cbType cb)
|
||||
printf("Server response: %s\n", reply);
|
||||
}
|
||||
|
||||
if (cbf != NULL && cbf->on_result != NULL)
|
||||
cbf->on_result(ssl);
|
||||
|
||||
((func_args*)args)->return_code = TEST_SUCCESS;
|
||||
|
||||
done:
|
||||
@ -6199,6 +6229,191 @@ static void test_wolfSSL_get_finished(void)
|
||||
#endif
|
||||
}
|
||||
|
||||
#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \
|
||||
!defined(SINGLE_THREADED) && defined(WOLFSSL_TLS13) && \
|
||||
!defined(NO_SESSION_CACHE)
|
||||
|
||||
/* Sessions to restore/store */
|
||||
static WOLFSSL_SESSION* test_wolfSSL_CTX_add_session_client_sess;
|
||||
static WOLFSSL_SESSION* test_wolfSSL_CTX_add_session_server_sess;
|
||||
static WOLFSSL_CTX* test_wolfSSL_CTX_add_session_server_ctx;
|
||||
|
||||
static void test_wolfSSL_CTX_add_session_ctx_ready(WOLFSSL_CTX* ctx)
|
||||
{
|
||||
/* Don't store sessions. Lookup is still enabled. */
|
||||
AssertIntEQ(wolfSSL_CTX_set_session_cache_mode(ctx,
|
||||
WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE), WOLFSSL_SUCCESS);
|
||||
/* Require both peers to provide certs */
|
||||
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
|
||||
}
|
||||
|
||||
static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
|
||||
{
|
||||
WOLFSSL_SESSION** sess;
|
||||
if (wolfSSL_is_server(ssl))
|
||||
sess = &test_wolfSSL_CTX_add_session_server_sess;
|
||||
else
|
||||
sess = &test_wolfSSL_CTX_add_session_client_sess;
|
||||
if (*sess == NULL) {
|
||||
#ifdef NO_SESSION_CACHE_REF
|
||||
AssertNotNull(*sess = wolfSSL_get1_session(ssl));
|
||||
#else
|
||||
/* Test for backwards compatibility */
|
||||
if (wolfSSL_is_server(ssl)) {
|
||||
AssertNotNull(*sess = wolfSSL_get1_session(ssl));
|
||||
}
|
||||
else {
|
||||
AssertNotNull(*sess = wolfSSL_get_session(ssl));
|
||||
}
|
||||
#endif
|
||||
/* Now save the session in the internal store to make it available
|
||||
* for lookup. For TLS 1.3, we can't save the session without
|
||||
* WOLFSSL_TICKET_HAVE_ID because there is no way to retrieve the
|
||||
* session from cache. */
|
||||
if (wolfSSL_is_server(ssl)
|
||||
#ifndef WOLFSSL_TICKET_HAVE_ID
|
||||
&& wolfSSL_version(ssl) != TLS1_3_VERSION
|
||||
#endif
|
||||
)
|
||||
AssertIntEQ(wolfSSL_CTX_add_session(wolfSSL_get_SSL_CTX(ssl),
|
||||
*sess), WOLFSSL_SUCCESS);
|
||||
}
|
||||
else {
|
||||
/* If we have a session retrieved then remaining connections should be
|
||||
* resuming on that session */
|
||||
AssertIntEQ(wolfSSL_session_reused(ssl), 1);
|
||||
}
|
||||
/* Save CTX to be able to decrypt tickets */
|
||||
if (wolfSSL_is_server(ssl) &&
|
||||
test_wolfSSL_CTX_add_session_server_ctx == NULL) {
|
||||
AssertNotNull(test_wolfSSL_CTX_add_session_server_ctx
|
||||
= wolfSSL_get_SSL_CTX(ssl));
|
||||
AssertIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)),
|
||||
WOLFSSL_SUCCESS);
|
||||
}
|
||||
#ifdef SESSION_CERTS
|
||||
#ifndef WOLFSSL_TICKET_HAVE_ID
|
||||
if (wolfSSL_version(ssl) != TLS1_3_VERSION &&
|
||||
wolfSSL_session_reused(ssl))
|
||||
#endif
|
||||
{
|
||||
/* With WOLFSSL_TICKET_HAVE_ID the peer certs should be available
|
||||
* for all connections. TLS 1.3 only has tickets so if we don't
|
||||
* include the session id in the ticket then the certificates
|
||||
* will not be available on resumption. */
|
||||
WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl);
|
||||
AssertNotNull(peer);
|
||||
wolfSSL_X509_free(peer);
|
||||
AssertNotNull(wolfSSL_SESSION_get_peer_chain(*sess));
|
||||
AssertNotNull(wolfSSL_SESSION_get0_peer(*sess));
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
static void test_wolfSSL_CTX_add_session_ssl_ready(WOLFSSL* ssl)
|
||||
{
|
||||
/* Set the session to reuse for the client */
|
||||
AssertIntEQ(wolfSSL_set_session(ssl,
|
||||
test_wolfSSL_CTX_add_session_client_sess), WOLFSSL_SUCCESS);
|
||||
}
|
||||
#endif
|
||||
|
||||
static void test_wolfSSL_CTX_add_session(void)
|
||||
{
|
||||
#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(HAVE_EXT_CACHE) && \
|
||||
!defined(SINGLE_THREADED) && defined(WOLFSSL_TLS13) && \
|
||||
!defined(NO_SESSION_CACHE)
|
||||
tcp_ready ready;
|
||||
func_args client_args;
|
||||
func_args server_args;
|
||||
THREAD_TYPE serverThread;
|
||||
callback_functions client_cb;
|
||||
callback_functions server_cb;
|
||||
method_provider methods[][2] = {
|
||||
#if !defined(NO_OLD_TLS) && ((!defined(NO_AES) && !defined(NO_AES_CBC)) || \
|
||||
!defined(NO_DES3))
|
||||
/* Without AES there are almost no ciphersuites available. This leads
|
||||
* to no ciphersuites being available and an error. */
|
||||
{ wolfTLSv1_1_client_method, wolfTLSv1_1_server_method },
|
||||
#endif
|
||||
#ifndef WOLFSSL_NO_TLS12
|
||||
{ wolfTLSv1_2_client_method, wolfTLSv1_2_server_method },
|
||||
#endif
|
||||
/* Needs the default ticket callback since it is tied to the
|
||||
* connection context and this makes it easy to carry over the ticket
|
||||
* crypto context between connections */
|
||||
#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \
|
||||
defined(HAVE_SESSION_TICKET)
|
||||
{ wolfTLSv1_3_client_method, wolfTLSv1_3_server_method },
|
||||
#endif
|
||||
};
|
||||
const size_t methodsLen = sizeof(methods)/sizeof(*methods);
|
||||
size_t i, j;
|
||||
|
||||
printf(testingFmt, "wolfSSL_CTX_add_session()");
|
||||
|
||||
for (i = 0; i < methodsLen; i++) {
|
||||
/* First run creates a connection while the second+ run will attempt
|
||||
* to resume the connection. The trick is that the internal cache
|
||||
* is turned off. wolfSSL_CTX_add_session should put the session in
|
||||
* the cache anyway. */
|
||||
test_wolfSSL_CTX_add_session_client_sess = NULL;
|
||||
test_wolfSSL_CTX_add_session_server_sess = NULL;
|
||||
test_wolfSSL_CTX_add_session_server_ctx = NULL;
|
||||
|
||||
for (j = 0; j < 5; j++) {
|
||||
#ifdef WOLFSSL_TIRTOS
|
||||
fdOpenSession(Task_self());
|
||||
#endif
|
||||
|
||||
StartTCP();
|
||||
InitTcpReady(&ready);
|
||||
|
||||
XMEMSET(&client_args, 0, sizeof(func_args));
|
||||
XMEMSET(&server_args, 0, sizeof(func_args));
|
||||
|
||||
XMEMSET(&client_cb, 0, sizeof(callback_functions));
|
||||
XMEMSET(&server_cb, 0, sizeof(callback_functions));
|
||||
client_cb.method = methods[i][0];
|
||||
server_cb.method = methods[i][1];
|
||||
|
||||
server_args.signal = &ready;
|
||||
server_args.callbacks = &server_cb;
|
||||
client_args.signal = &ready;
|
||||
client_args.callbacks = &client_cb;
|
||||
|
||||
if (test_wolfSSL_CTX_add_session_server_ctx != NULL) {
|
||||
server_cb.ctx = test_wolfSSL_CTX_add_session_server_ctx;
|
||||
server_cb.isSharedCtx = 1;
|
||||
}
|
||||
server_cb.ctx_ready = test_wolfSSL_CTX_add_session_ctx_ready;
|
||||
client_cb.ctx_ready = test_wolfSSL_CTX_add_session_ctx_ready;
|
||||
if (j != 0)
|
||||
client_cb.ssl_ready = test_wolfSSL_CTX_add_session_ssl_ready;
|
||||
server_cb.on_result = test_wolfSSL_CTX_add_session_on_result;
|
||||
client_cb.on_result = test_wolfSSL_CTX_add_session_on_result;
|
||||
server_cb.ticNoInit = 1; /* Use default builtin */
|
||||
|
||||
start_thread(test_server_nofail, &server_args, &serverThread);
|
||||
wait_tcp_ready(&server_args);
|
||||
test_client_nofail(&client_args, NULL);
|
||||
join_thread(serverThread);
|
||||
|
||||
AssertTrue(client_args.return_code);
|
||||
AssertTrue(server_args.return_code);
|
||||
|
||||
FreeTcpReady(&ready);
|
||||
}
|
||||
wolfSSL_SESSION_free(test_wolfSSL_CTX_add_session_client_sess);
|
||||
wolfSSL_SESSION_free(test_wolfSSL_CTX_add_session_server_sess);
|
||||
wolfSSL_CTX_free(test_wolfSSL_CTX_add_session_server_ctx);
|
||||
}
|
||||
|
||||
printf(resultFmt, passed);
|
||||
|
||||
#endif
|
||||
}
|
||||
|
||||
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SESSION_EXPORT)
|
||||
/* canned export of a session using older version 3 */
|
||||
static unsigned char version_3[] = {
|
||||
@ -7961,6 +8176,7 @@ static void test_wolfSSL_PKCS12(void)
|
||||
AssertNotNull(pkcs12);
|
||||
PKCS12_free(pkcs12);
|
||||
|
||||
AssertIntEQ(BIO_write(bio, buf, bytes), bytes); /* d2i consumes BIO */
|
||||
d2i_PKCS12_bio(bio, &pkcs12);
|
||||
AssertNotNull(pkcs12);
|
||||
BIO_free(bio);
|
||||
@ -33656,10 +33872,12 @@ static void post_auth_version_cb(WOLFSSL* ssl)
|
||||
|
||||
static void post_auth_cb(WOLFSSL* ssl)
|
||||
{
|
||||
WOLFSSL_X509* x509;
|
||||
/* do handshake and then test version error */
|
||||
AssertIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS);
|
||||
AssertStrEQ("TLSv1.3", wolfSSL_get_version(ssl));
|
||||
AssertNull(wolfSSL_get_peer_certificate(ssl));
|
||||
AssertNull(x509 = wolfSSL_get_peer_certificate(ssl));
|
||||
wolfSSL_X509_free(x509);
|
||||
AssertIntEQ(wolfSSL_verify_client_post_handshake(ssl), WOLFSSL_SUCCESS);
|
||||
}
|
||||
|
||||
@ -39080,7 +39298,10 @@ static void test_wolfSSL_SESSION(void)
|
||||
|
||||
AssertPtrNE((sess = wolfSSL_get1_session(ssl)), NULL); /* ref count 1 */
|
||||
AssertPtrNE((sess_copy = wolfSSL_get1_session(ssl)), NULL); /* ref count 2 */
|
||||
AssertPtrEq(sess, sess_copy); /* they should be the same pointer */
|
||||
#ifdef HAVE_EXT_CACHE
|
||||
AssertPtrEq(sess, sess_copy); /* they should be the same pointer but without
|
||||
* HAVE_EXT_CACHE we get new objects each time */
|
||||
#endif
|
||||
wolfSSL_SESSION_free(sess_copy); sess_copy = NULL;
|
||||
wolfSSL_SESSION_free(sess); sess = NULL; /* free session ref */
|
||||
|
||||
@ -39101,6 +39322,9 @@ static void test_wolfSSL_SESSION(void)
|
||||
#endif
|
||||
#endif /* OPENSSL_EXTRA */
|
||||
|
||||
/* Retain copy of the session for later testing */
|
||||
AssertNotNull(sess = wolfSSL_get1_session(ssl));
|
||||
|
||||
wolfSSL_shutdown(ssl);
|
||||
wolfSSL_free(ssl);
|
||||
|
||||
@ -49804,11 +50028,15 @@ static void test_wolfSSL_CTX_LoadCRL(void)
|
||||
{
|
||||
#ifdef HAVE_CRL
|
||||
WOLFSSL_CTX* ctx = NULL;
|
||||
WOLFSSL* ssl = NULL;
|
||||
const char* badPath = "dummypath";
|
||||
const char* validPath = "./certs/crl";
|
||||
const char* validFilePath = "./certs/crl/cliCrl.pem";
|
||||
const char* issuerCert = "./certs/client-cert.pem";
|
||||
int derType = WOLFSSL_FILETYPE_ASN1;
|
||||
int pemType = WOLFSSL_FILETYPE_PEM;
|
||||
int monitor = WOLFSSL_CRL_MONITOR;
|
||||
WOLFSSL_CERT_MANAGER* cm = NULL;
|
||||
|
||||
#define FAIL_T1(x, y, z, p, d) AssertIntEQ((int) x(y, z, p, d), \
|
||||
BAD_FUNC_ARG)
|
||||
@ -49817,20 +50045,52 @@ static void test_wolfSSL_CTX_LoadCRL(void)
|
||||
|
||||
FAIL_T1(wolfSSL_CTX_LoadCRL, ctx, validPath, pemType, monitor);
|
||||
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
|
||||
#elif !defined(NO_WOLFSSL_SERVER)
|
||||
#elif !defined(NO_WOLFSSL_SERVER)
|
||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
|
||||
#else
|
||||
#else
|
||||
return;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
SUCC_T (wolfSSL_CTX_LoadCRL, ctx, validPath, pemType, monitor);
|
||||
SUCC_T (wolfSSL_CTX_LoadCRL, ctx, badPath, pemType, monitor);
|
||||
SUCC_T (wolfSSL_CTX_LoadCRL, ctx, badPath, derType, monitor);
|
||||
|
||||
wolfSSL_CTX_free(ctx);
|
||||
ctx = NULL;
|
||||
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
|
||||
#elif !defined(NO_WOLFSSL_SERVER)
|
||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
|
||||
#else
|
||||
return;
|
||||
#endif
|
||||
AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL),
|
||||
WOLFSSL_SUCCESS);
|
||||
AssertIntEQ(wolfSSL_CTX_LoadCRLFile(ctx, validFilePath, pemType), WOLFSSL_SUCCESS);
|
||||
wolfSSL_CTX_free(ctx);
|
||||
|
||||
#ifndef NO_WOLFSSL_CLIENT
|
||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
|
||||
#elif !defined(NO_WOLFSSL_SERVER)
|
||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
|
||||
#else
|
||||
return;
|
||||
#endif
|
||||
AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL),
|
||||
WOLFSSL_SUCCESS);
|
||||
AssertNotNull(ssl = wolfSSL_new(ctx));
|
||||
AssertIntEQ(wolfSSL_LoadCRLFile(ssl, validFilePath, pemType), WOLFSSL_SUCCESS);
|
||||
wolfSSL_free(ssl);
|
||||
wolfSSL_CTX_free(ctx);
|
||||
|
||||
AssertNotNull(cm = wolfSSL_CertManagerNew());
|
||||
AssertIntEQ(wolfSSL_CertManagerLoadCA(cm, issuerCert, NULL),
|
||||
WOLFSSL_SUCCESS);
|
||||
AssertIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, validFilePath, pemType), WOLFSSL_SUCCESS);
|
||||
wolfSSL_CertManagerFree(cm);
|
||||
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -50924,9 +51184,7 @@ static void test_wolfSSL_CRYPTO_get_ex_new_index(void)
|
||||
|
||||
printf(testingFmt, "test_wolfSSL_CRYPTO_get_ex_new_index()");
|
||||
|
||||
/* test for unsupported flass index */
|
||||
AssertIntEQ(wolfSSL_CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION,
|
||||
0,NULL, NULL, NULL, NULL ), -1);
|
||||
/* test for unsupported class index */
|
||||
AssertIntEQ(wolfSSL_CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE,
|
||||
0,NULL, NULL, NULL, NULL ), -1);
|
||||
AssertIntEQ(wolfSSL_CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX,
|
||||
@ -50978,6 +51236,15 @@ static void test_wolfSSL_CRYPTO_get_ex_new_index(void)
|
||||
AssertIntNE(idx2, -1);
|
||||
AssertIntNE(idx1, idx2);
|
||||
|
||||
|
||||
idx1 = wolfSSL_CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION,
|
||||
0,NULL, NULL, NULL, NULL );
|
||||
idx2 = wolfSSL_CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION,
|
||||
0,NULL, NULL, NULL, NULL );
|
||||
AssertIntNE(idx1, -1);
|
||||
AssertIntNE(idx2, -1);
|
||||
AssertIntNE(idx1, idx2);
|
||||
|
||||
printf(resultFmt, "passed");
|
||||
#endif /* HAVE_EX_DATA */
|
||||
}
|
||||
@ -52116,6 +52383,7 @@ void ApiTest(void)
|
||||
#endif
|
||||
#ifdef HAVE_IO_TESTS_DEPENDENCIES
|
||||
test_wolfSSL_get_finished();
|
||||
test_wolfSSL_CTX_add_session();
|
||||
#endif
|
||||
test_SSL_CIPHER_get_xxx();
|
||||
test_wolfSSL_ERR_strings();
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
# Both client and server use -E [path] for trusted peer
|
||||
# server TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Trusted Peer
|
||||
-V
|
||||
-v 3
|
||||
-l DHE-RSA-AES128-GCM-SHA256
|
||||
-E ./certs/intermediate/client-int-cert.pem
|
||||
@ -7,6 +8,7 @@
|
||||
-c ./certs/intermediate/server-int-cert.pem
|
||||
|
||||
# client TLSv1.2 DHE-RSA-AES128-GCM-SHA256 RSA Trusted Peer
|
||||
-C
|
||||
-v 3
|
||||
-l DHE-RSA-AES128-GCM-SHA256
|
||||
-E ./certs/intermediate/server-int-cert.pem
|
||||
@ -14,6 +16,7 @@
|
||||
-c ./certs/intermediate/client-int-cert.pem
|
||||
|
||||
# server TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Trusted Peer
|
||||
-V
|
||||
-v 3
|
||||
-l ECDHE-RSA-AES128-GCM-SHA256
|
||||
-E ./certs/intermediate/client-int-cert.pem
|
||||
@ -21,6 +24,7 @@
|
||||
-c ./certs/intermediate/server-int-cert.pem
|
||||
|
||||
# client TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 RSA Trusted Peer
|
||||
-C
|
||||
-v 3
|
||||
-l ECDHE-RSA-AES128-GCM-SHA256
|
||||
-E ./certs/intermediate/server-int-cert.pem
|
||||
@ -28,6 +32,7 @@
|
||||
-c ./certs/intermediate/client-int-cert.pem
|
||||
|
||||
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Trusted Peer
|
||||
-V
|
||||
-v 3
|
||||
-l ECDHE-ECDSA-AES128-GCM-SHA256
|
||||
-E ./certs/intermediate/client-int-ecc-cert.pem
|
||||
@ -35,6 +40,7 @@
|
||||
-c ./certs/intermediate/server-int-ecc-cert.pem
|
||||
|
||||
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Trusted Peer
|
||||
-C
|
||||
-v 3
|
||||
-l ECDHE-ECDSA-AES128-GCM-SHA256
|
||||
-E ./certs/intermediate/server-int-ecc-cert.pem
|
||||
@ -42,6 +48,7 @@
|
||||
-c ./certs/intermediate/client-int-ecc-cert.pem
|
||||
|
||||
# server TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Trusted Peer
|
||||
-V
|
||||
-v 4
|
||||
-l TLS13-AES128-GCM-SHA256
|
||||
-E ./certs/intermediate/client-int-cert.pem
|
||||
@ -49,6 +56,7 @@
|
||||
-c ./certs/intermediate/server-int-cert.pem
|
||||
|
||||
# client TLSv1.3 TLS13-AES128-GCM-SHA256 RSA Trusted Peer
|
||||
-C
|
||||
-v 4
|
||||
-l TLS13-AES128-GCM-SHA256
|
||||
-E ./certs/intermediate/server-int-cert.pem
|
||||
@ -56,6 +64,7 @@
|
||||
-c ./certs/intermediate/client-int-cert.pem
|
||||
|
||||
# server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Trusted Peer
|
||||
-V
|
||||
-v 4
|
||||
-l TLS13-AES128-GCM-SHA256
|
||||
-E ./certs/intermediate/client-int-ecc-cert.pem
|
||||
@ -63,6 +72,7 @@
|
||||
-c ./certs/intermediate/server-int-ecc-cert.pem
|
||||
|
||||
# client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Trusted Peer
|
||||
-C
|
||||
-v 4
|
||||
-l TLS13-AES128-GCM-SHA256
|
||||
-E ./certs/intermediate/server-int-ecc-cert.pem
|
||||
@ -71,6 +81,7 @@
|
||||
|
||||
# Test for ECC self signed certificate as trusted peer
|
||||
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Trusted Peer (self signed)
|
||||
-V
|
||||
-v 3
|
||||
-l ECDHE-ECDSA-AES128-GCM-SHA256
|
||||
-E ./certs/client-ecc-cert.pem
|
||||
@ -78,6 +89,7 @@
|
||||
-c ./certs/server-ecc-self.pem
|
||||
|
||||
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 ECC Trusted Peer (self signed)
|
||||
-C
|
||||
-v 3
|
||||
-l ECDHE-ECDSA-AES128-GCM-SHA256
|
||||
-E ./certs/server-ecc-self.pem
|
||||
@ -85,6 +97,7 @@
|
||||
-c ./certs/client-ecc-cert.pem
|
||||
|
||||
# server TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Trusted Peer (self signed)
|
||||
-V
|
||||
-v 4
|
||||
-l TLS13-AES128-GCM-SHA256
|
||||
-E ./certs/client-ecc-cert.pem
|
||||
@ -92,6 +105,7 @@
|
||||
-c ./certs/server-ecc-self.pem
|
||||
|
||||
# client TLSv1.3 TLS13-AES128-GCM-SHA256 ECC Trusted Peer (self signed)
|
||||
-C
|
||||
-v 4
|
||||
-l TLS13-AES128-GCM-SHA256
|
||||
-E ./certs/server-ecc-self.pem
|
||||
|
||||
@ -252,7 +252,11 @@ const char* wc_GetErrorString(int error)
|
||||
return "Bad alignment error, no alloc help";
|
||||
|
||||
case ASN_NO_SIGNER_E :
|
||||
#ifndef OPENSSL_EXTRA
|
||||
return "ASN no signer error to confirm failure";
|
||||
#else
|
||||
return "certificate verify failed";
|
||||
#endif
|
||||
|
||||
case ASN_CRL_CONFIRM_E :
|
||||
return "ASN CRL sig error, confirm failure";
|
||||
|
||||
@ -1185,6 +1185,14 @@ enum Misc {
|
||||
HELLO_EXT_EXTMS = 0x0017, /* ID for the extended master secret ext */
|
||||
SECRET_LEN = WOLFSSL_MAX_MASTER_KEY_LENGTH,
|
||||
/* pre RSA and all master */
|
||||
TIMESTAMP_LEN = 4, /* timestamp size in ticket */
|
||||
#ifdef WOLFSSL_TLS13
|
||||
AGEADD_LEN = 4, /* ageAdd size in ticket */
|
||||
NAMEDGREOUP_LEN = 2, /* namedGroup size in ticket */
|
||||
#ifdef WOLFSSL_EARLY_DATA
|
||||
MAXEARLYDATASZ_LEN = 4, /* maxEarlyDataSz size in ticket */
|
||||
#endif
|
||||
#endif
|
||||
#ifdef HAVE_PQC
|
||||
ENCRYPT_LEN = 1500, /* allow 1500 bit static buffer for falcon */
|
||||
#else
|
||||
@ -1567,6 +1575,10 @@ enum Misc {
|
||||
#define SESSION_TICKET_LEN 256
|
||||
#endif
|
||||
|
||||
#ifndef PREALLOC_SESSION_TICKET_LEN
|
||||
#define PREALLOC_SESSION_TICKET_LEN 512
|
||||
#endif
|
||||
|
||||
#ifndef SESSION_TICKET_HINT_DEFAULT
|
||||
#define SESSION_TICKET_HINT_DEFAULT 300
|
||||
#endif
|
||||
@ -1678,6 +1690,8 @@ typedef WOLFSSL_BUFFER_INFO buffer;
|
||||
|
||||
typedef struct Suites Suites;
|
||||
|
||||
/* Declare opaque struct for API to use */
|
||||
typedef struct ClientSession ClientSession;
|
||||
|
||||
/* defaults to client */
|
||||
WOLFSSL_LOCAL void InitSSL_Method(WOLFSSL_METHOD* method, ProtocolVersion pv);
|
||||
@ -2758,6 +2772,7 @@ struct WOLFSSL_CTX {
|
||||
byte sessionCacheFlushOff:1;
|
||||
#ifdef HAVE_EXT_CACHE
|
||||
byte internalCacheOff:1;
|
||||
byte internalCacheLookupOff:1;
|
||||
#endif
|
||||
byte sendVerify:2; /* for client side (can not be single bit) */
|
||||
byte haveRSA:1; /* RSA available */
|
||||
@ -3083,7 +3098,7 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
WOLFSSL_LOCAL
|
||||
int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int verify);
|
||||
WOLFSSL_LOCAL
|
||||
int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, byte* hash);
|
||||
int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DecodedCert* cert);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
@ -3291,33 +3306,40 @@ struct WOLFSSL_X509_CHAIN {
|
||||
x509_buffer certs[MAX_CHAIN_DEPTH]; /* only allow max depth 4 for now */
|
||||
};
|
||||
|
||||
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_SESSION_CACHE_REF)
|
||||
/* enable allocation of a smaller reference for the internal cache,
|
||||
* to prevent client from using internal cache reference. */
|
||||
#define ENABLE_CLIENT_SESSION_REF
|
||||
#endif
|
||||
|
||||
typedef enum WOLFSSL_SESSION_TYPE {
|
||||
WOLFSSL_SESSION_TYPE_UNKNOWN,
|
||||
WOLFSSL_SESSION_TYPE_SSL, /* in ssl->session */
|
||||
WOLFSSL_SESSION_TYPE_CACHE, /* pointer to internal cache */
|
||||
WOLFSSL_SESSION_TYPE_HEAP /* allocated from heap SESSION_new */
|
||||
#ifdef ENABLE_CLIENT_SESSION_REF
|
||||
,WOLFSSL_SESSION_TYPE_REF /* smaller allocation with reference to internal cache */
|
||||
#endif
|
||||
} WOLFSSL_SESSION_TYPE;
|
||||
|
||||
/* wolfSSL session type */
|
||||
struct WOLFSSL_SESSION {
|
||||
/* WARNING Do not add fields here. They will be ignored in
|
||||
* wolfSSL_DupSession. */
|
||||
WOLFSSL_SESSION_TYPE type;
|
||||
#ifndef NO_SESSION_CACHE
|
||||
int cacheRow; /* row in session cache */
|
||||
#endif
|
||||
int refCount; /* reference count */
|
||||
#ifndef SINGLE_THREADED
|
||||
wolfSSL_Mutex refMutex; /* ref count mutex */
|
||||
#endif
|
||||
byte altSessionID[ID_LEN];
|
||||
byte haveAltSessionID:1;
|
||||
void* heap;
|
||||
/* WARNING The above fields (up to and including the heap) are not copied
|
||||
* in wolfSSL_DupSession. Place new fields after the heap
|
||||
* member */
|
||||
|
||||
byte side; /* Either WOLFSSL_CLIENT_END or
|
||||
WOLFSSL_SERVER_END */
|
||||
|
||||
int cacheRow; /* row in session cache */
|
||||
word32 bornOn; /* create time in seconds */
|
||||
word32 timeout; /* timeout in seconds */
|
||||
|
||||
byte sessionID[ID_LEN]; /* id for protocol */
|
||||
byte sessionID[ID_LEN]; /* id for protocol or bogus
|
||||
* ID for TLS 1.3 */
|
||||
byte sessionIDSz;
|
||||
|
||||
byte* masterSecret; /* stored secret */
|
||||
@ -3363,28 +3385,6 @@ struct WOLFSSL_SESSION {
|
||||
word16 ticketLen;
|
||||
word16 ticketLenAlloc; /* is dynamic */
|
||||
#endif
|
||||
int refCount; /* reference count */
|
||||
void* heap;
|
||||
|
||||
#ifdef ENABLE_CLIENT_SESSION_REF
|
||||
/* pointer to WOLFSSL_SESSION in internal cache (for WOLFSSL_SESSION_TYPE_REF) */
|
||||
void* refPtr;
|
||||
#endif
|
||||
|
||||
/* Below buffers are not allocated for the WOLFSSL_SESSION_TYPE_REF, instead
|
||||
* the above pointers reference the session cache for backwards
|
||||
* compatibility. For all other session types the above pointers reference
|
||||
* these buffers directly */
|
||||
byte _masterSecret[SECRET_LEN];
|
||||
#ifndef NO_CLIENT_CACHE
|
||||
byte _serverID[SERVER_ID_LEN];
|
||||
#endif
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
byte _staticTicket[SESSION_TICKET_LEN];
|
||||
#endif
|
||||
#ifdef OPENSSL_EXTRA
|
||||
byte _sessionCtx[ID_LEN];
|
||||
#endif
|
||||
|
||||
#ifdef SESSION_CERTS
|
||||
WOLFSSL_X509_CHAIN chain; /* peer cert chain, static */
|
||||
@ -3395,20 +3395,46 @@ struct WOLFSSL_SESSION {
|
||||
#ifdef HAVE_EX_DATA
|
||||
WOLFSSL_CRYPTO_EX_DATA ex_data;
|
||||
#endif
|
||||
|
||||
/* Below buffers are not allocated for the WOLFSSL_SESSION_TYPE_REF, instead
|
||||
* the above pointers reference the session cache for backwards
|
||||
* compatibility. For all other session types the above pointers reference
|
||||
* these buffers directly. Keep these buffers at the end so that they don't
|
||||
* get copied into the WOLFSSL_SESSION_TYPE_REF object. */
|
||||
byte _masterSecret[SECRET_LEN];
|
||||
#ifndef NO_CLIENT_CACHE
|
||||
byte _serverID[SERVER_ID_LEN];
|
||||
#endif
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
byte _staticTicket[SESSION_TICKET_LEN];
|
||||
#endif
|
||||
#ifdef OPENSSL_EXTRA
|
||||
#ifndef SINGLE_THREADED
|
||||
wolfSSL_Mutex refMutex; /* ref count mutex */
|
||||
#endif
|
||||
byte _sessionCtx[ID_LEN];
|
||||
#endif
|
||||
};
|
||||
|
||||
WOLFSSL_LOCAL int wolfSSL_RAND_Init(void);
|
||||
|
||||
WOLFSSL_LOCAL WOLFSSL_SESSION* wolfSSL_NewSession(void* heap);
|
||||
WOLFSSL_LOCAL WOLFSSL_SESSION* wolfSSL_GetSession(
|
||||
WOLFSSL* ssl, byte* masterSecret, byte restoreSessionCerts);
|
||||
WOLFSSL_LOCAL WOLFSSL_SESSION* wolfSSL_GetSessionRef(WOLFSSL* ssl);
|
||||
WOLFSSL_LOCAL void AddSession(WOLFSSL* ssl);
|
||||
WOLFSSL_LOCAL int AddSessionToCache(WOLFSSL_SESSION* addSession, const byte* id,
|
||||
byte idSz, int* sessionIndex, int side, word16 useTicket,
|
||||
ClientSession** clientCacheEntry);
|
||||
#ifndef NO_CLIENT_CACHE
|
||||
WOLFSSL_LOCAL ClientSession* AddSessionToClientCache(int side, int row, int idx,
|
||||
byte* serverID, word16 idLen, const byte* sessionID,
|
||||
word16 useTicket);
|
||||
#endif
|
||||
WOLFSSL_LOCAL
|
||||
WOLFSSL_SESSION* ClientSessionToSession(const WOLFSSL_SESSION* session);
|
||||
WOLFSSL_LOCAL int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output);
|
||||
WOLFSSL_LOCAL int wolfSSL_SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session);
|
||||
WOLFSSL_LOCAL void wolfSSL_FreeSession(WOLFSSL_SESSION* session);
|
||||
WOLFSSL_LOCAL int wolfSSL_DupSession(const WOLFSSL_SESSION* input,
|
||||
WOLFSSL_SESSION* output, int avoidSysCalls);
|
||||
|
||||
|
||||
typedef int (*hmacfp) (WOLFSSL*, byte*, const byte*, word32, int, int, int, int);
|
||||
|
||||
@ -3598,6 +3624,7 @@ typedef struct Options {
|
||||
word16 sessionCacheFlushOff:1;
|
||||
#ifdef HAVE_EXT_CACHE
|
||||
word16 internalCacheOff:1;
|
||||
word16 internalCacheLookupOff:1;
|
||||
#endif
|
||||
word16 side:2; /* client, server or neither end */
|
||||
word16 verifyPeer:1;
|
||||
@ -4231,9 +4258,9 @@ struct WOLFSSL {
|
||||
Ciphers encrypt;
|
||||
Ciphers decrypt;
|
||||
Buffers buffers;
|
||||
WOLFSSL_SESSION session;
|
||||
#ifdef HAVE_EXT_CACHE
|
||||
WOLFSSL_SESSION* extSession;
|
||||
WOLFSSL_SESSION* session;
|
||||
#ifndef NO_CLIENT_CACHE
|
||||
ClientSession* clientSession;
|
||||
#endif
|
||||
WOLFSSL_ALERT_HISTORY alert_history;
|
||||
int error;
|
||||
@ -4390,6 +4417,8 @@ struct WOLFSSL {
|
||||
WOLFSSL_X509_STORE* x509_store_pt; /* take ownership of external store */
|
||||
#endif
|
||||
#ifdef KEEP_PEER_CERT
|
||||
/* TODO put this on the heap so we can properly use the
|
||||
* reference counter and not have to duplicate it. */
|
||||
WOLFSSL_X509 peerCert; /* X509 peer cert */
|
||||
#endif
|
||||
#ifdef KEEP_OUR_CERT
|
||||
@ -4572,6 +4601,22 @@ struct WOLFSSL {
|
||||
#endif
|
||||
};
|
||||
|
||||
/*
|
||||
* wolfSSL_PEM_read_bio_X509 pushes an ASN_NO_PEM_HEADER error
|
||||
* to the error queue on file end. This should not be left
|
||||
* for the caller to find so we clear the last error.
|
||||
*/
|
||||
#ifdef WOLFSSL_HAVE_ERROR_QUEUE
|
||||
#define CLEAR_ASN_NO_PEM_HEADER_ERROR(err) \
|
||||
err = wolfSSL_ERR_peek_last_error(); \
|
||||
if (ERR_GET_LIB(err) == ERR_LIB_PEM && \
|
||||
ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { \
|
||||
wc_RemoveErrorNode(-1); \
|
||||
}
|
||||
#else
|
||||
#define CLEAR_ASN_NO_PEM_HEADER_ERROR(err) (void)err;
|
||||
#endif
|
||||
|
||||
/*
|
||||
* The SSL object may have its own certificate store. The below macros simplify
|
||||
* logic for choosing which WOLFSSL_CERT_MANAGER and WOLFSSL_X509_STORE to use.
|
||||
@ -4740,7 +4785,6 @@ WOLFSSL_LOCAL const char* AlertTypeToString(int type);
|
||||
WOLFSSL_LOCAL int SetCipherSpecs(WOLFSSL* ssl);
|
||||
WOLFSSL_LOCAL int MakeMasterSecret(WOLFSSL* ssl);
|
||||
|
||||
WOLFSSL_LOCAL int AddSession(WOLFSSL* ssl);
|
||||
WOLFSSL_LOCAL int DeriveKeys(WOLFSSL* ssl);
|
||||
WOLFSSL_LOCAL int StoreKeys(WOLFSSL* ssl, const byte* keyData, int side);
|
||||
|
||||
@ -4827,8 +4871,7 @@ WOLFSSL_LOCAL WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG,
|
||||
#define WC_MATCH_SKID 0
|
||||
#define WC_MATCH_NAME 1
|
||||
|
||||
WOLFSSL_LOCAL TrustedPeerCert* GetTrustedPeer(void* vp, byte* hash,
|
||||
int type);
|
||||
WOLFSSL_LOCAL TrustedPeerCert* GetTrustedPeer(void* vp, DecodedCert* cert);
|
||||
WOLFSSL_LOCAL int MatchTrustedPeer(TrustedPeerCert* tp,
|
||||
DecodedCert* cert);
|
||||
#endif
|
||||
|
||||
@ -32,7 +32,7 @@
|
||||
/* valid version */
|
||||
#elif defined(WOLFSSL_APACHE_HTTPD) || defined(HAVE_LIBEST) || \
|
||||
defined(WOLFSSL_BIND) || defined(WOLFSSL_NGINX) || \
|
||||
defined(WOLFSSL_RSYSLOG) || defined(WOLFSSL_KRB)
|
||||
defined(WOLFSSL_RSYSLOG) || defined(WOLFSSL_KRB) || defined(HAVE_STUNNEL)
|
||||
/* For Apache httpd, Use 1.1.0 compatibility */
|
||||
#define OPENSSL_VERSION_NUMBER 0x10100003L
|
||||
#elif defined(WOLFSSL_QT) || defined(WOLFSSL_PYTHON)
|
||||
@ -40,7 +40,7 @@
|
||||
#define OPENSSL_VERSION_NUMBER 0x10101000L
|
||||
#elif defined(WOLFSSL_HAPROXY)
|
||||
#define OPENSSL_VERSION_NUMBER 0x1010000fL
|
||||
#elif defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) || \
|
||||
#elif defined(OPENSSL_ALL) || defined(HAVE_LIGHTY) || \
|
||||
defined(WOLFSSL_NGINX) || defined(WOLFSSL_OPENSSH) || defined(WOLFSSL_OPENVPN)
|
||||
/* version number can be increased for Lighty after compatibility for ECDH
|
||||
is added */
|
||||
@ -49,7 +49,7 @@
|
||||
#define OPENSSL_VERSION_NUMBER 0x0090810fL
|
||||
#endif
|
||||
|
||||
#define OPENSSL_VERSION_TEXT LIBWOLFSSL_VERSION_STRING
|
||||
#define OPENSSL_VERSION_TEXT "wolfSSL " LIBWOLFSSL_VERSION_STRING
|
||||
#define OPENSSL_VERSION 0
|
||||
|
||||
#endif /* header */
|
||||
|
||||
@ -319,6 +319,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
|
||||
#define SSL_set_post_handshake_auth wolfSSL_set_post_handshake_auth
|
||||
#define SSL_CTX_set_post_handshake_auth wolfSSL_CTX_set_post_handshake_auth
|
||||
#define SSL_pending wolfSSL_pending
|
||||
#define SSL_has_pending wolfSSL_has_pending
|
||||
#define SSL_load_error_strings wolfSSL_load_error_strings
|
||||
#define SSL_library_init wolfSSL_library_init
|
||||
#define OPENSSL_cleanup (void)wolfSSL_Cleanup
|
||||
@ -1268,15 +1269,6 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE;
|
||||
|
||||
#define SSL3_RANDOM_SIZE 32 /* same as RAN_LEN in internal.h */
|
||||
|
||||
#define SSL2_VERSION 0x0002
|
||||
#define SSL3_VERSION 0x0300
|
||||
#define TLS1_VERSION 0x0301
|
||||
#define TLS1_1_VERSION 0x0302
|
||||
#define TLS1_2_VERSION 0x0303
|
||||
#define TLS1_3_VERSION 0x0304
|
||||
#define DTLS1_VERSION 0xFEFF
|
||||
#define DTLS1_2_VERSION 0xFEFD
|
||||
|
||||
/* Used as message callback types */
|
||||
#define SSL3_RT_CHANGE_CIPHER_SPEC 20
|
||||
#define SSL3_RT_ALERT 21
|
||||
|
||||
@ -32,10 +32,11 @@
|
||||
/* for users not using preprocessor flags*/
|
||||
#include <wolfssl/wolfcrypt/settings.h>
|
||||
#include <wolfssl/version.h>
|
||||
#include <wolfssl/wolfcrypt/logging.h>
|
||||
#include <wolfssl/wolfcrypt/asn_public.h>
|
||||
#include <wolfssl/wolfcrypt/types.h>
|
||||
#include <wolfssl/wolfcrypt/error-crypt.h>
|
||||
#include <wolfssl/wolfcrypt/logging.h>
|
||||
#include <wolfssl/wolfcrypt/memory.h>
|
||||
#include <wolfssl/wolfcrypt/types.h>
|
||||
|
||||
/* For the types */
|
||||
#include <wolfssl/openssl/compat_types.h>
|
||||
@ -809,6 +810,9 @@ enum Tls13Secret {
|
||||
};
|
||||
#endif
|
||||
|
||||
#ifndef WOLFSSL_MODE_AUTO_RETRY_ATTEMPTS
|
||||
#define WOLFSSL_MODE_AUTO_RETRY_ATTEMPTS 10
|
||||
#endif
|
||||
|
||||
typedef WOLFSSL_METHOD* (*wolfSSL_method_func)(void* heap);
|
||||
|
||||
@ -969,6 +973,8 @@ WOLFSSL_ABI WOLFSSL_API int wolfSSL_CTX_load_verify_locations(
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
WOLFSSL_API int wolfSSL_CTX_trust_peer_cert(
|
||||
WOLFSSL_CTX* ctx, const char* file, int type);
|
||||
WOLFSSL_API int wolfSSL_trust_peer_cert(
|
||||
WOLFSSL* ssl, const char* file, int type);
|
||||
#endif
|
||||
WOLFSSL_ABI WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_file(
|
||||
WOLFSSL_CTX* ctx, const char* file);
|
||||
@ -996,8 +1002,8 @@ WOLFSSL_API int wolfSSL_use_RSAPrivateKey_file(
|
||||
|
||||
WOLFSSL_API WOLFSSL_CTX* wolfSSL_CTX_new_ex(WOLFSSL_METHOD* method, void* heap);
|
||||
WOLFSSL_ABI WOLFSSL_API WOLFSSL_CTX* wolfSSL_CTX_new(WOLFSSL_METHOD* method);
|
||||
#ifdef OPENSSL_EXTRA
|
||||
WOLFSSL_API int wolfSSL_CTX_up_ref(WOLFSSL_CTX* ctx);
|
||||
#ifdef OPENSSL_EXTRA
|
||||
WOLFSSL_API int wolfSSL_CTX_set_ecdh_auto(WOLFSSL_CTX* ctx, int onoff);
|
||||
WOLFSSL_API int wolfSSL_get_signature_nid(WOLFSSL* ssl, int* nid);
|
||||
WOLFSSL_API int wolfSSL_CTX_set1_sigalgs_list(WOLFSSL_CTX* ctx,
|
||||
@ -1193,6 +1199,7 @@ WOLFSSL_API int wolfSSL_set_post_handshake_auth(WOLFSSL* ssl, int val);
|
||||
WOLFSSL_API void wolfSSL_SetCertCbCtx(WOLFSSL* ssl, void* ctx);
|
||||
|
||||
WOLFSSL_ABI WOLFSSL_API int wolfSSL_pending(WOLFSSL* ssl);
|
||||
WOLFSSL_API int wolfSSL_has_pending(const WOLFSSL* ssl);
|
||||
|
||||
WOLFSSL_API void wolfSSL_load_error_strings(void);
|
||||
WOLFSSL_API int wolfSSL_library_init(void);
|
||||
@ -1482,6 +1489,8 @@ WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session);
|
||||
WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_new(void);
|
||||
WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_new_ex(void* heap);
|
||||
WOLFSSL_API void wolfSSL_SESSION_free(WOLFSSL_SESSION* session);
|
||||
WOLFSSL_API int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx,
|
||||
WOLFSSL_SESSION* session);
|
||||
WOLFSSL_API int wolfSSL_SESSION_set_cipher(WOLFSSL_SESSION* session,
|
||||
const WOLFSSL_CIPHER* cipher);
|
||||
WOLFSSL_API int wolfSSL_is_init_finished(WOLFSSL* ssl);
|
||||
@ -1499,12 +1508,13 @@ WOLFSSL_API int wolfSSL_CIPHER_get_digest_nid(const WOLFSSL_CIPHER* cipher);
|
||||
WOLFSSL_API int wolfSSL_CIPHER_get_kx_nid(const WOLFSSL_CIPHER* cipher);
|
||||
WOLFSSL_API int wolfSSL_CIPHER_is_aead(const WOLFSSL_CIPHER* cipher);
|
||||
WOLFSSL_API const WOLFSSL_CIPHER* wolfSSL_get_cipher_by_value(word16 value);
|
||||
WOLFSSL_API const char* wolfSSL_SESSION_CIPHER_get_name(WOLFSSL_SESSION* session);
|
||||
WOLFSSL_API const char* wolfSSL_SESSION_CIPHER_get_name(const WOLFSSL_SESSION* session);
|
||||
WOLFSSL_API const char* wolfSSL_get_cipher(WOLFSSL* ssl);
|
||||
WOLFSSL_API void wolfSSL_sk_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk);
|
||||
WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl);
|
||||
|
||||
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new(void);
|
||||
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x);
|
||||
#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)
|
||||
WOLFSSL_API int wolfSSL_RSA_up_ref(WOLFSSL_RSA* rsa);
|
||||
WOLFSSL_API int wolfSSL_X509_up_ref(WOLFSSL_X509* x509);
|
||||
@ -2191,7 +2201,10 @@ enum {
|
||||
SSL_MODE_ENABLE_PARTIAL_WRITE = 2,
|
||||
SSL_MODE_AUTO_RETRY = 3, /* wolfSSL default is to return WANT_{READ|WRITE}
|
||||
* to the user. This is set by default with
|
||||
* OPENSSL_COMPATIBLE_DEFAULTS. */
|
||||
* OPENSSL_COMPATIBLE_DEFAULTS. The macro
|
||||
* WOLFSSL_MODE_AUTO_RETRY_ATTEMPTS is used to
|
||||
* limit the possibility of an infinite retry loop
|
||||
*/
|
||||
SSL_MODE_RELEASE_BUFFERS = -1, /* For libwebsockets build. No current use. */
|
||||
|
||||
BIO_CLOSE = 1,
|
||||
@ -2201,12 +2214,12 @@ enum {
|
||||
|
||||
X509_V_OK = 0,
|
||||
X509_V_ERR_CRL_SIGNATURE_FAILURE = 8,
|
||||
X509_V_ERR_CERT_HAS_EXPIRED = 10,
|
||||
X509_V_ERR_CERT_HAS_EXPIRED = ASN_AFTER_DATE_E,
|
||||
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 14,
|
||||
X509_V_ERR_CRL_HAS_EXPIRED = 15,
|
||||
X509_V_ERR_CERT_CHAIN_TOO_LONG = 17,
|
||||
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 18,
|
||||
X509_V_ERR_CERT_NOT_YET_VALID = 19,
|
||||
X509_V_ERR_CERT_NOT_YET_VALID = ASN_BEFORE_DATE_E,
|
||||
X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 20,
|
||||
X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 22,
|
||||
X509_V_ERR_CERT_REVOKED = 23,
|
||||
@ -2216,7 +2229,7 @@ enum {
|
||||
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 26,
|
||||
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 27,
|
||||
X509_V_ERR_CERT_UNTRUSTED = 28,
|
||||
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 29,
|
||||
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = ASN_NO_SIGNER_E,
|
||||
X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 30,
|
||||
/* additional X509_V_ERR_* enums not used in wolfSSL */
|
||||
X509_V_ERR_UNABLE_TO_GET_CRL,
|
||||
@ -2835,6 +2848,9 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* key, unsigned int len,
|
||||
WOLFSSL_API int wolfSSL_CTX_UnloadCAs(WOLFSSL_CTX* ctx);
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
WOLFSSL_API int wolfSSL_CTX_Unload_trust_peers(WOLFSSL_CTX* ctx);
|
||||
#ifdef WOLFSSL_LOCAL_X509_STORE
|
||||
WOLFSSL_API int wolfSSL_Unload_trust_peers(WOLFSSL* ssl);
|
||||
#endif
|
||||
WOLFSSL_API int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX* ctx,
|
||||
const unsigned char*, long, int);
|
||||
#endif
|
||||
@ -3350,6 +3366,8 @@ WOLFSSL_API void* wolfSSL_GetVerifyMacCtx(WOLFSSL* ssl);
|
||||
VerifyCallback vc);
|
||||
WOLFSSL_API int wolfSSL_CertManagerLoadCRL(WOLFSSL_CERT_MANAGER* cm,
|
||||
const char* path, int type, int monitor);
|
||||
WOLFSSL_API int wolfSSL_CertManagerLoadCRLFile(WOLFSSL_CERT_MANAGER* cm,
|
||||
const char* file, int type);
|
||||
WOLFSSL_API int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm,
|
||||
const unsigned char* buff, long sz, int type);
|
||||
WOLFSSL_API int wolfSSL_CertManagerSetCRL_Cb(WOLFSSL_CERT_MANAGER* cm,
|
||||
@ -3391,6 +3409,7 @@ WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs(
|
||||
WOLFSSL_API int wolfSSL_EnableCRL(WOLFSSL* ssl, int options);
|
||||
WOLFSSL_API int wolfSSL_DisableCRL(WOLFSSL* ssl);
|
||||
WOLFSSL_API int wolfSSL_LoadCRL(WOLFSSL* ssl, const char* path, int type, int monitor);
|
||||
WOLFSSL_API int wolfSSL_LoadCRLFile(WOLFSSL* ssl, const char* file, int type);
|
||||
WOLFSSL_API int wolfSSL_LoadCRLBuffer(WOLFSSL* ssl,
|
||||
const unsigned char* buff, long sz, int type);
|
||||
WOLFSSL_API int wolfSSL_SetCRL_Cb(WOLFSSL* ssl, CbMissingCRL cb);
|
||||
@ -3407,6 +3426,7 @@ WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs(
|
||||
WOLFSSL_API int wolfSSL_CTX_EnableCRL(WOLFSSL_CTX* ctx, int options);
|
||||
WOLFSSL_API int wolfSSL_CTX_DisableCRL(WOLFSSL_CTX* ctx);
|
||||
WOLFSSL_API int wolfSSL_CTX_LoadCRL(WOLFSSL_CTX* ctx, const char* path, int type, int monitor);
|
||||
WOLFSSL_API int wolfSSL_CTX_LoadCRLFile(WOLFSSL_CTX* ctx, const char* path, int type);
|
||||
WOLFSSL_API int wolfSSL_CTX_LoadCRLBuffer(WOLFSSL_CTX* ctx,
|
||||
const unsigned char* buff, long sz, int type);
|
||||
WOLFSSL_API int wolfSSL_CTX_SetCRL_Cb(WOLFSSL_CTX* ctx, CbMissingCRL cb);
|
||||
@ -4005,7 +4025,6 @@ WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_delete_entry(
|
||||
WOLFSSL_API int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME* x,
|
||||
const WOLFSSL_X509_NAME* y);
|
||||
WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_NAME_new(void);
|
||||
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x);
|
||||
WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_NAME_dup(WOLFSSL_X509_NAME* name);
|
||||
WOLFSSL_API int wolfSSL_X509_NAME_copy(WOLFSSL_X509_NAME* from, WOLFSSL_X509_NAME* to);
|
||||
WOLFSSL_API int wolfSSL_check_private_key(const WOLFSSL* ssl);
|
||||
@ -4315,9 +4334,9 @@ WOLFSSL_API WOLFSSL_ASN1_TYPE *wolfSSL_X509_ATTRIBUTE_get0_type(
|
||||
#include <wolfssl/openssl/crypto.h>
|
||||
|
||||
WOLFSSL_API int wolfSSL_CRYPTO_set_mem_functions(
|
||||
wolfSSL_Malloc_cb m,
|
||||
wolfSSL_Realloc_cb r,
|
||||
wolfSSL_Free_cb f);
|
||||
wolfSSL_OSSL_Malloc_cb m,
|
||||
wolfSSL_OSSL_Realloc_cb r,
|
||||
wolfSSL_OSSL_Free_cb f);
|
||||
WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int),
|
||||
void *(*r) (void *, size_t, const char *, int), void (*f) (void *));
|
||||
|
||||
@ -4432,13 +4451,11 @@ WOLFSSL_API int wolfSSL_ASN1_BIT_STRING_set_bit(
|
||||
WOLFSSL_ASN1_BIT_STRING* str, int pos, int val);
|
||||
#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
|
||||
|
||||
WOLFSSL_API int wolfSSL_version(WOLFSSL* ssl);
|
||||
|
||||
#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \
|
||||
|| defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
|
||||
|
||||
WOLFSSL_API int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session);
|
||||
|
||||
WOLFSSL_API int wolfSSL_version(WOLFSSL* ssl);
|
||||
|
||||
WOLFSSL_API int wolfSSL_get_state(const WOLFSSL* ssl);
|
||||
|
||||
WOLFSSL_API WOLFSSL_X509* wolfSSL_sk_X509_value(WOLF_STACK_OF(WOLFSSL_X509)*, int i);
|
||||
@ -4467,8 +4484,8 @@ WOLFSSL_API int wolfSSL_SESSION_set_ex_data_with_cleanup(
|
||||
WOLFSSL_API int wolfSSL_SESSION_get_ex_new_index(long idx,void* data,void* cb1,void* cb2,
|
||||
CRYPTO_free_func* cb3);
|
||||
|
||||
WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(WOLFSSL_SESSION* sess,
|
||||
unsigned int* idLen);
|
||||
WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(
|
||||
const WOLFSSL_SESSION* sess, unsigned int* idLen);
|
||||
|
||||
WOLFSSL_API int wolfSSL_SESSION_print(WOLFSSL_BIO* bp, const WOLFSSL_SESSION* session);
|
||||
|
||||
@ -4897,6 +4914,17 @@ WOLFSSL_API int wolfSSL_CRYPTO_get_ex_new_index(int class_index, long argl, void
|
||||
WOLFSSL_CRYPTO_EX_dup* dup_func,
|
||||
WOLFSSL_CRYPTO_EX_free* free_func);
|
||||
#endif /* HAVE_EX_DATA || WOLFSSL_WPAS_SMALL */
|
||||
|
||||
/* */
|
||||
#define SSL2_VERSION 0x0002
|
||||
#define SSL3_VERSION 0x0300
|
||||
#define TLS1_VERSION 0x0301
|
||||
#define TLS1_1_VERSION 0x0302
|
||||
#define TLS1_2_VERSION 0x0303
|
||||
#define TLS1_3_VERSION 0x0304
|
||||
#define DTLS1_VERSION 0xFEFF
|
||||
#define DTLS1_2_VERSION 0xFEFD
|
||||
|
||||
#ifdef __cplusplus
|
||||
} /* extern "C" */
|
||||
#endif
|
||||
|
||||
@ -518,6 +518,7 @@ typedef struct callback_functions {
|
||||
int return_code;
|
||||
unsigned char isSharedCtx:1;
|
||||
unsigned char loadToSSL:1;
|
||||
unsigned char ticNoInit:1;
|
||||
} callback_functions;
|
||||
|
||||
#if defined(WOLFSSL_SRTP) && !defined(SINGLE_THREADED) && defined(_POSIX_THREADS)
|
||||
|
||||
@ -1741,7 +1741,7 @@ struct TrustedPeerCert {
|
||||
/* sha hash of names in certificate */
|
||||
#ifndef NO_SKID
|
||||
byte subjectKeyIdHash[SIGNER_DIGEST_SIZE];
|
||||
/* sha hash of names in certificate */
|
||||
/* sha hash of SKID in certificate */
|
||||
#endif
|
||||
word32 sigLen;
|
||||
byte* sig;
|
||||
|
||||
@ -45,6 +45,12 @@
|
||||
WOLFSSL_API void wolfSSL_SetMemFailCount(int memFailCount);
|
||||
#endif
|
||||
|
||||
#ifdef OPENSSL_EXTRA
|
||||
typedef void *(*wolfSSL_OSSL_Malloc_cb)(size_t, const char *, int);
|
||||
typedef void (*wolfSSL_OSSL_Free_cb)(void *, const char *, int);
|
||||
typedef void *(*wolfSSL_OSSL_Realloc_cb)(void *, size_t, const char *, int);
|
||||
#endif /* OPENSSL_EXTRA */
|
||||
|
||||
#ifdef WOLFSSL_STATIC_MEMORY
|
||||
#ifdef WOLFSSL_DEBUG_MEMORY
|
||||
typedef void *(*wolfSSL_Malloc_cb)(size_t size, void* heap, int type, const char* func, unsigned int line);
|
||||
|
||||
Reference in New Issue
Block a user