mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-08-01 03:34:39 +02:00
Server ID - long id, TLS 1.3 - cache client session for tickets
Long server IDs were being truncated. Hash long IDs instead. TLS 1.3 session ticket on client side no longer added session to client cache. Explicit call added.
This commit is contained in:
Sean Parkinson
17
src/ssl.c
17
src/ssl.c
@@ -11495,12 +11495,25 @@ int wolfSSL_set_session(WOLFSSL* ssl, WOLFSSL_SESSION* session)
|
||||
int wolfSSL_SetServerID(WOLFSSL* ssl, const byte* id, int len, int newSession)
|
||||
{
|
||||
WOLFSSL_SESSION* session = NULL;
|
||||
byte idHash[SERVER_ID_LEN];
|
||||
|
||||
WOLFSSL_ENTER("wolfSSL_SetServerID");
|
||||
|
||||
if (ssl == NULL || id == NULL || len <= 0)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
if (len > SERVER_ID_LEN) {
|
||||
#if defined(NO_SHA) && !defined(NO_SHA256)
|
||||
if (wc_Sha256Hash(id, len, idHash) != 0)
|
||||
return WOLFSSL_FAILURE;
|
||||
#else
|
||||
if (wc_ShaHash(id, len, idHash) != 0)
|
||||
return WOLFSSL_FAILURE;
|
||||
#endif
|
||||
id = idHash;
|
||||
len = SERVER_ID_LEN;
|
||||
}
|
||||
|
||||
if (newSession == 0) {
|
||||
session = wolfSSL_GetSessionClient(ssl, id, len);
|
||||
if (session) {
|
||||
@@ -11517,8 +11530,8 @@ int wolfSSL_SetServerID(WOLFSSL* ssl, const byte* id, int len, int newSession)
|
||||
if (session == NULL) {
|
||||
WOLFSSL_MSG("Valid ServerID not cached already");
|
||||
|
||||
ssl->session->idLen = (word16)min(SERVER_ID_LEN, (word32)len);
|
||||
XMEMCPY(ssl->session->serverID, id, ssl->session->idLen);
|
||||
ssl->session->idLen = (word16)len;
|
||||
XMEMCPY(ssl->session->serverID, id, len);
|
||||
}
|
||||
#ifdef HAVE_EXT_CACHE
|
||||
else {
|
||||
|
||||
12
src/tls13.c
12
src/tls13.c
@@ -10016,6 +10016,10 @@ static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
|
||||
#endif
|
||||
const byte* nonce;
|
||||
byte nonceLength;
|
||||
#ifndef NO_SESSION_CACHE
|
||||
const byte* id;
|
||||
byte idSz;
|
||||
#endif
|
||||
|
||||
WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_DO);
|
||||
WOLFSSL_ENTER("DoTls13NewSessionTicket");
|
||||
@@ -10113,6 +10117,14 @@ static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
|
||||
|
||||
#ifndef NO_SESSION_CACHE
|
||||
AddSession(ssl);
|
||||
id = ssl->session->sessionID;
|
||||
idSz = ssl->session->sessionIDSz;
|
||||
if (ssl->session->haveAltSessionID) {
|
||||
id = ssl->session->altSessionID;
|
||||
idSz = ID_LEN;
|
||||
}
|
||||
AddSessionToCache(ssl->ctx, ssl->session, id, idSz, NULL,
|
||||
ssl->session->side, 1, &ssl->clientSession);
|
||||
#endif
|
||||
|
||||
/* Always encrypted. */
|
||||
|
||||
12
tests/api.c
12
tests/api.c
@@ -42702,7 +42702,8 @@ static int clientSessRemCountFree = 0;
|
||||
static int serverSessRemCountFree = 0;
|
||||
static WOLFSSL_CTX* serverSessCtx = NULL;
|
||||
static WOLFSSL_SESSION* serverSess = NULL;
|
||||
#ifndef NO_SESSION_CACHE_REF
|
||||
#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \
|
||||
!defined(NO_SESSION_CACHE_REF)
|
||||
static WOLFSSL_CTX* clientSessCtx = NULL;
|
||||
static WOLFSSL_SESSION* clientSess = NULL;
|
||||
#endif
|
||||
@@ -42744,7 +42745,8 @@ static void SessRemSslSetupCb(WOLFSSL* ssl)
|
||||
*mallocedData = SSL_is_server(ssl);
|
||||
if (!*mallocedData) {
|
||||
clientSessRemCountMalloc++;
|
||||
#ifndef NO_SESSION_CACHE_REF
|
||||
#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \
|
||||
!defined(NO_SESSION_CACHE_REF)
|
||||
AssertNotNull(clientSess = SSL_get1_session(ssl));
|
||||
AssertIntEQ(SSL_CTX_up_ref(clientSessCtx = SSL_get_SSL_CTX(ssl)),
|
||||
SSL_SUCCESS);
|
||||
@@ -42815,7 +42817,8 @@ static int test_wolfSSL_CTX_sess_set_remove_cb(void)
|
||||
/* Both should have been allocated */
|
||||
AssertIntEQ(clientSessRemCountMalloc, 1);
|
||||
AssertIntEQ(serverSessRemCountMalloc, 1);
|
||||
#ifdef NO_SESSION_CACHE_REF
|
||||
#if (!defined(WOLFSSL_TLS13) || !defined(HAVE_SESSION_TICKET)) && \
|
||||
defined(NO_SESSION_CACHE_REF)
|
||||
/* Client session should not be added to cache so this should be free'd when
|
||||
* the SSL object was being free'd */
|
||||
AssertIntEQ(clientSessRemCountFree, 1);
|
||||
@@ -42848,7 +42851,8 @@ static int test_wolfSSL_CTX_sess_set_remove_cb(void)
|
||||
/* Need to free the references that we kept */
|
||||
SSL_CTX_free(serverSessCtx);
|
||||
SSL_SESSION_free(serverSess);
|
||||
#ifndef NO_SESSION_CACHE_REF
|
||||
#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \
|
||||
!defined(NO_SESSION_CACHE_REF)
|
||||
SSL_CTX_free(clientSessCtx);
|
||||
SSL_SESSION_free(clientSess);
|
||||
#endif
|
||||
|
||||
@@ -1449,7 +1449,11 @@ enum Misc {
|
||||
COMP_LEN = 1, /* compression length */
|
||||
CURVE_LEN = 2, /* ecc named curve length */
|
||||
KE_GROUP_LEN = 2, /* key exchange group length */
|
||||
SERVER_ID_LEN = 20, /* server session id length */
|
||||
#if defined(NO_SHA) && !defined(NO_SHA256)
|
||||
SERVER_ID_LEN = WC_SHA256_DIGEST_SIZE,
|
||||
#else
|
||||
SERVER_ID_LEN = WC_SHA_DIGEST_SIZE,
|
||||
#endif
|
||||
|
||||
HANDSHAKE_HEADER_SZ = 4, /* type + length(3) */
|
||||
RECORD_HEADER_SZ = 5, /* type + version + len(2) */
|
||||
|
||||
Reference in New Issue
Block a user