From 2479346f5c2a40d6819f676dd5b965d268709145 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 2 Aug 2021 23:47:53 +0700 Subject: [PATCH 1/6] add set num tickets compat function --- src/internal.c | 3 ++- src/ssl.c | 23 +++++++++++++++++++++++ src/tls13.c | 30 +++++++++++++++++++++--------- wolfssl/internal.h | 2 ++ wolfssl/openssl/ssl.h | 2 ++ wolfssl/ssl.h | 2 ++ 6 files changed, 52 insertions(+), 10 deletions(-) diff --git a/src/internal.c b/src/internal.c index 5d6a8fe3a..095b1331d 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6264,7 +6264,8 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #ifdef WOLFSSL_TLS13 #ifdef HAVE_SESSION_TICKET - ssl->options.noTicketTls13 = ctx->noTicketTls13; + ssl->options.maxTicketTls13 = ctx->maxTicketTls13; + ssl->options.noTicketTls13 = ctx->noTicketTls13; #endif ssl->options.noPskDheKe = ctx->noPskDheKe; #if defined(WOLFSSL_POST_HANDSHAKE_AUTH) diff --git a/src/ssl.c b/src/ssl.c index 86731953c..e404eafda 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3029,6 +3029,29 @@ void* wolfSSL_CTX_get_TicketEncCtx(WOLFSSL_CTX* ctx) return ctx->ticketEncCtx; } + +/* set the maximum number of tickets to send + * return WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on fail + */ +int wolfSSL_CTX_set_num_tickets(WOLFSSL_CTX* ctx, size_t max) +{ + if (ctx == NULL) + return WOLFSSL_FAILURE; + + ctx->maxTicketTls13 = max; + return WOLFSSL_SUCCESS; +} + +/* get the maximum number of tickets to send + * return number of tickets set to be sent + */ +size_t wolfSSL_CTX_get_num_tickets(WOLFSSL_CTX* ctx) +{ + if (ctx == NULL) + return 0; + + return ctx->maxTicketTls13; +} #endif /* !NO_WOLFSSL_SERVER */ #if !defined(NO_WOLFSSL_CLIENT) diff --git a/src/tls13.c b/src/tls13.c index 524b751b4..574e2c6a6 100644 --- a/src/tls13.c +++ b/src/tls13.c 
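Review bot: The header comment on `wolfSSL_CTX_set_num_tickets` does not say when the value takes effect, which matters because the InitSSL hunk in this same patch copies `ctx->maxTicketTls13` into `ssl->options.maxTicketTls13` only when a WOLFSSL object is created, so the setting never reaches sessions that already exist. Suggest `/* set the maximum number of TLS 1.3 NewSessionTicket messages sent per handshake; applies to WOLFSSL objects created after this call */`. The setter stores a `size_t` into what is at this point a `byte` field with no range check; later patches in the series widen the field but do not add one, so the caveat belongs in the comment either way.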
@@ -9168,6 +9168,9 @@ const char* wolfSSL_get_cipher_name_by_hash(WOLFSSL* ssl, const char* hash) */ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) { +#ifdef HAVE_SESSION_TICKET + byte ticketsSent; /* count for number of tickets sent */ +#endif #if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) word16 havePSK = 0; #endif @@ -9448,15 +9451,24 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) case TLS13_ACCEPT_FINISHED_DONE : #ifdef HAVE_SESSION_TICKET - #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED - if (!ssl->options.verifyPeer) { - } - else - #endif - if (!ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) { - if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; + for (ticketsSent = 0; ticketsSent < ssl->options.maxTicketTls13; + ticketsSent++) { + #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED + if (!ssl->options.verifyPeer) { + } + else + #endif + if (!ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb + != NULL) { + if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) { + WOLFSSL_ERROR(ssl->error); + return WOLFSSL_FATAL_ERROR; + } + } + + /* only one session ticket is sent on session resumption */ + if (ssl->options.resuming) { + break; } } #endif /* HAVE_SESSION_TICKET */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index bfdb605c8..69c1aee40 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2841,6 +2841,7 @@ struct WOLFSSL_CTX { byte noTicketTls12:1; /* TLS 1.2 server won't send ticket */ #endif #ifdef WOLFSSL_TLS13 + byte maxTicketTls13; /* maximum number of tickets to send */ byte noTicketTls13:1; /* TLS 1.3 Server won't create new Ticket */ byte noPskDheKe:1; /* Don't use (EC)DHE with PSK */ #endif 
@@ -3626,6 +3627,7 @@ typedef struct Options { word16 rejectTicket:1; /* Callback rejected ticket */ word16 noTicketTls12:1; /* TLS 1.2 server won't send ticket */ #ifdef WOLFSSL_TLS13 + byte maxTicketTls13; /* maximum number of tickets to send */ word16 noTicketTls13:1; /* Server won't create new Ticket */ #endif #endif diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 2f1cbb4b9..257aaad8d 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -1131,6 +1131,8 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL_CTX_set_tlsext_ticket_keys wolfSSL_CTX_set_tlsext_ticket_keys #define SSL_CTX_get_tlsext_status_cb wolfSSL_CTX_get_tlsext_status_cb #define SSL_CTX_set_tlsext_status_cb wolfSSL_CTX_set_tlsext_status_cb +#define SSL_CTX_set_num_tickets wolfSSL_CTX_set_num_tickets +#define SSL_CTX_get_num_tickets wolfSSL_CTX_get_num_tickets #define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11 #define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index d9b0812fe..056e143ee 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3531,6 +3531,8 @@ WOLFSSL_API int wolfSSL_CTX_set_TicketEncCb(WOLFSSL_CTX* ctx, WOLFSSL_API int wolfSSL_CTX_set_TicketHint(WOLFSSL_CTX* ctx, int); WOLFSSL_API int wolfSSL_CTX_set_TicketEncCtx(WOLFSSL_CTX* ctx, void*); WOLFSSL_API void* wolfSSL_CTX_get_TicketEncCtx(WOLFSSL_CTX* ctx); +WOLFSSL_API size_t wolfSSL_CTX_get_num_tickets(WOLFSSL_CTX* ctx); +WOLFSSL_API int wolfSSL_CTX_set_num_tickets(WOLFSSL_CTX* ctx, size_t max); #endif /* NO_WOLFSSL_SERVER */ From b1212ff979dd570c80b656553c200c1e4ecbdd1b Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 4 Aug 2021 14:40:17 +0700 Subject: [PATCH 2/6] set the default number of tickets to 1 --- src/internal.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/internal.c b/src/internal.c index 095b1331d..d2d424223 100644 --- a/src/internal.c +++ b/src/internal.c 
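Review bot: `wolfSSL_CTX_get_num_tickets` is declared with a non-const `WOLFSSL_CTX*` although its body in src/ssl.c only reads `ctx->maxTicketTls13`; `WOLFSSL_API size_t wolfSSL_CTX_get_num_tickets(const WOLFSSL_CTX* ctx);` would let code holding a const context (the shape OpenSSL's `SSL_CTX_get_num_tickets` accepts) use the `SSL_CTX_get_num_tickets` compat macro from the openssl/ssl.h hunk without a cast. The definition in src/ssl.c would need the same qualifier.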
@@ -2087,6 +2087,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) ctx->ticketEncCtx = (void*)&ctx->ticketKeyCtx; #endif ctx->ticketHint = SESSION_TICKET_HINT_DEFAULT; +#if defined(WOLFSSL_TLS13) + ctx->maxTicketTls13 = 1; /* default to sending a session ticket if compiled + in */ +#endif #endif #ifdef WOLFSSL_EARLY_DATA From 1a8109f77d966abc31d82094891cc3cfdf412754 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 9 Aug 2021 22:52:45 +0700 Subject: [PATCH 3/6] rename function parameter --- src/ssl.c | 4 ++-- wolfssl/ssl.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index e404eafda..9efbe1e9c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3033,12 +3033,12 @@ void* wolfSSL_CTX_get_TicketEncCtx(WOLFSSL_CTX* ctx) /* set the maximum number of tickets to send * return WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on fail */ -int wolfSSL_CTX_set_num_tickets(WOLFSSL_CTX* ctx, size_t max) +int wolfSSL_CTX_set_num_tickets(WOLFSSL_CTX* ctx, size_t mxTickets) { if (ctx == NULL) return WOLFSSL_FAILURE; - ctx->maxTicketTls13 = max; + ctx->maxTicketTls13 = mxTickets; return WOLFSSL_SUCCESS; } diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 056e143ee..eaebbc777 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3532,7 +3532,7 @@ WOLFSSL_API int wolfSSL_CTX_set_TicketHint(WOLFSSL_CTX* ctx, int); WOLFSSL_API int wolfSSL_CTX_set_TicketEncCtx(WOLFSSL_CTX* ctx, void*); WOLFSSL_API void* wolfSSL_CTX_get_TicketEncCtx(WOLFSSL_CTX* ctx); WOLFSSL_API size_t wolfSSL_CTX_get_num_tickets(WOLFSSL_CTX* ctx); -WOLFSSL_API int wolfSSL_CTX_set_num_tickets(WOLFSSL_CTX* ctx, size_t max); +WOLFSSL_API int wolfSSL_CTX_set_num_tickets(WOLFSSL_CTX* ctx, size_t mxTickets); #endif /* NO_WOLFSSL_SERVER */ From a52df87c8ad6a8b6dbbf96a1327bc8ba0c7d752d Mon Sep 17 00:00:00 2001 
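Review bot: The default `ctx->maxTicketTls13 = 1;` is guarded only by `WOLFSSL_TLS13`, while the field it writes is later declared under `HAVE_SESSION_TICKET && !NO_WOLFSSL_SERVER` (patch 4) and the matching copy in InitSSL gains a `!defined(NO_WOLFSSL_SERVER)` guard in patch 6; unless the enclosing block of InitSSL_Ctx is already server-only (not visible in this hunk), a `NO_WOLFSSL_SERVER` build would fail on this line. Suggest `#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)` so the three sites agree. The comment wrapped as `in */` on its own line reads oddly; `/* default to one session ticket when TLS 1.3 is compiled in */` fits on one line. InitSSL_Ctx continues outside the hunk.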
From: Jacob Barthelmeh Date: Thu, 26 Aug 2021 15:45:21 -0600 Subject: [PATCH 4/6] adjust type for max tickets variable and number sent with WOLFSSL_TLS13_TICKET_BEFORE_FINISHED macro --- src/ssl.c | 4 ++-- src/tls13.c | 13 +++---------- wolfssl/internal.h | 9 +++++++-- 3 files changed, 12 insertions(+), 14 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 9efbe1e9c..22baea8a4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3038,7 +3038,7 @@ int wolfSSL_CTX_set_num_tickets(WOLFSSL_CTX* ctx, size_t mxTickets) if (ctx == NULL) return WOLFSSL_FAILURE; - ctx->maxTicketTls13 = mxTickets; + ctx->maxTicketTls13 = (unsigned int)mxTickets; return WOLFSSL_SUCCESS; } @@ -3050,7 +3050,7 @@ size_t wolfSSL_CTX_get_num_tickets(WOLFSSL_CTX* ctx) if (ctx == NULL) return 0; - return ctx->maxTicketTls13; + return (size_t)ctx->maxTicketTls13; } #endif /* !NO_WOLFSSL_SERVER */ diff --git a/src/tls13.c b/src/tls13.c index 574e2c6a6..6af1656f8 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -9168,9 +9168,6 @@ const char* wolfSSL_get_cipher_name_by_hash(WOLFSSL* ssl, const char* hash) */ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) { -#ifdef HAVE_SESSION_TICKET - byte ticketsSent; /* count for number of tickets sent */ -#endif #if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) word16 havePSK = 0; #endif @@ -9432,6 +9429,7 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) return WOLFSSL_FATAL_ERROR; } } + ssl->options.ticketsSent = 1; #endif #endif /* HAVE_SESSION_TICKET */ ssl->options.acceptState = TLS13_PRE_TICKET_SENT; 
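Review bot: The cast `(unsigned int)mxTickets` in `wolfSSL_CTX_set_num_tickets` silently truncates where `size_t` is wider than `unsigned int`, so an out-of-range argument (constructed example: `(size_t)1 << 32`) is stored as 0, which disables tickets while the call still reports `WOLFSSL_SUCCESS`. Rejecting values that do not round-trip, `if (ctx == NULL || (size_t)(unsigned int)mxTickets != mxTickets) return WOLFSSL_FAILURE;`, keeps the setter and the `(size_t)` widening in the getter hunk consistent. Since each ticket costs a ticket encryption and a record write per handshake, an explicit upper cap would also bound that per-connection work; whether to impose one is a project policy call.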
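Review bot: `ssl->options.ticketsSent = 1;` records the ticket sent before Finished under `WOLFSSL_TLS13_TICKET_BEFORE_FINISHED`, but nothing in this hunk gates that send on `ssl->options.maxTicketTls13`, so `wolfSSL_CTX_set_num_tickets(ctx, 0)` still yields one ticket in that configuration while the `TLS13_ACCEPT_FINISHED_DONE` loop honours 0. If 0 is meant to mean "no tickets", the pre-Finished send should be wrapped in `if (ssl->options.maxTicketTls13 > 0)`; otherwise the API comment should state that the pre-Finished ticket is not counted against the limit. The enclosing state-machine case starts before the hunk.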
@@ -9451,13 +9449,7 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) case TLS13_ACCEPT_FINISHED_DONE : #ifdef HAVE_SESSION_TICKET - for (ticketsSent = 0; ticketsSent < ssl->options.maxTicketTls13; - ticketsSent++) { - #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED - if (!ssl->options.verifyPeer) { - } - else - #endif + while (ssl->options.ticketsSent < ssl->options.maxTicketTls13) { if (!ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) { if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) { @@ -9465,6 +9457,7 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) return WOLFSSL_FATAL_ERROR; } } + ssl->options.ticketsSent++; /* only one session ticket is sent on session resumption */ if (ssl->options.resuming) { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 69c1aee40..9e90ff8a3 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2841,7 +2841,9 @@ struct WOLFSSL_CTX { byte noTicketTls12:1; /* TLS 1.2 server won't send ticket */ #endif #ifdef WOLFSSL_TLS13 - byte maxTicketTls13; /* maximum number of tickets to send */ + #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) + unsigned int maxTicketTls13; /* maximum number of tickets to send */ + #endif byte noTicketTls13:1; /* TLS 1.3 Server won't create new Ticket */ byte noPskDheKe:1; /* Don't use (EC)DHE with PSK */ #endif @@ -3568,6 +3570,10 @@ typedef struct Options { #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL) unsigned long mask; /* store SSL_OP_ flags */ #endif +#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TLS13) + unsigned int maxTicketTls13; /* maximum number of tickets to send */ + unsigned int ticketsSent; /* keep track of the total sent */ +#endif /* on/off or small bit flags, optimize layout */ #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) 
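Review bot: `ssl->options.ticketsSent++` in the second tls13.c hunk runs even when the `noTicketTls13` / `ticketEncCb == NULL` test in the first hunk skipped the send, so the counter reports tickets that were never sent and the loop performs up to `maxTicketTls13` empty iterations. Hoisting that condition so it wraps the whole `while` keeps the counter honest and avoids the empty passes. Separately, when `SendTls13NewSessionTicket` fails with a retryable error the function returns before the increment; if the record was already queued in the output buffer, the next `wolfSSL_accept` call would build and send that ticket again, which is worth confirming against the buffered-send path as it is not visible here. The enclosing function continues outside both hunks.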
@@ -3627,7 +3633,6 @@ typedef struct Options { word16 rejectTicket:1; /* Callback rejected ticket */ word16 noTicketTls12:1; /* TLS 1.2 server won't send ticket */ #ifdef WOLFSSL_TLS13 - byte maxTicketTls13; /* maximum number of tickets to send */ word16 noTicketTls13:1; /* Server won't create new Ticket */ #endif #endif From ff9fed08a336a7259b684477ec57ee6368cb8f8e Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 26 Aug 2021 21:17:45 -0600 Subject: [PATCH 5/6] fix count on number of tickets sent --- src/tls13.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tls13.c b/src/tls13.c index 6af1656f8..1054f4794 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -9428,8 +9428,8 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } + ssl->options.ticketsSent = 1; } - ssl->options.ticketsSent = 1; #endif #endif /* HAVE_SESSION_TICKET */ ssl->options.acceptState = TLS13_PRE_TICKET_SENT; From 40a4015491a2eda1a97d1be9dfdab63f6d032e45 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 27 Aug 2021 08:28:50 -0600 Subject: [PATCH 6/6] add no server macro guard --- src/internal.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index d2d424223..8c01ac52d 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6267,8 +6267,10 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #endif #ifdef WOLFSSL_TLS13 - #ifdef HAVE_SESSION_TICKET + #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) ssl->options.maxTicketTls13 = ctx->maxTicketTls13; + #endif + #ifdef HAVE_SESSION_TICKET ssl->options.noTicketTls13 = ctx->noTicketTls13; #endif ssl->options.noPskDheKe = ctx->noPskDheKe;
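Review bot: `ssl->options.maxTicketTls13` is copied from the context here, but `ssl->options.ticketsSent` (added to Options in patch 4) is not initialized alongside it; if InitSSL zeroes `ssl->options` earlier (not visible in this hunk) a fresh object is fine, but any path that reuses a WOLFSSL for another handshake must reset it or the next handshake starts with the previous count and sends fewer tickets. An explicit `ssl->options.ticketsSent = 0;` under the same guard makes that intent clear. InitSSL continues outside the hunk.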