Remove WOLFSSL_SESSION_TYPE_REF buffers from WOLFSSL_SESSION

Juliusz Sosinowicz
2022-08-17 18:19:28 +02:00
parent 3f7d56d957
commit 68f71d0d96
3 changed files with 23 additions and 50 deletions


@@ -29497,11 +29497,11 @@ int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length)
/* Free old dynamic ticket if we already had one */ /* Free old dynamic ticket if we already had one */
if (ssl->session->ticketLenAlloc > 0) { if (ssl->session->ticketLenAlloc > 0) {
XFREE(ssl->session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); XFREE(ssl->session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
ssl->session->ticket = ssl->session->_staticTicket; ssl->session->ticket = ssl->session->staticTicket;
ssl->session->ticketLenAlloc = 0; ssl->session->ticketLenAlloc = 0;
} }
if (length > sizeof(ssl->session->_staticTicket)) { if (length > sizeof(ssl->session->staticTicket)) {
byte* sessionTicket = byte* sessionTicket =
(byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
if (sessionTicket == NULL) if (sessionTicket == NULL)


@@ -3418,7 +3418,7 @@ WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf,
XFREE(ssl->session->ticket, ssl->session->heap, XFREE(ssl->session->ticket, ssl->session->heap,
DYNAMIC_TYPE_SESSION_TICK); DYNAMIC_TYPE_SESSION_TICK);
ssl->session->ticketLenAlloc = 0; ssl->session->ticketLenAlloc = 0;
ssl->session->ticket = ssl->session->_staticTicket; ssl->session->ticket = ssl->session->staticTicket;
} }
} }
else { /* Ticket requires dynamic ticket storage */ else { /* Ticket requires dynamic ticket storage */
@@ -3430,7 +3430,7 @@ WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf,
ssl->session->ticket = (byte*)XMALLOC(bufSz, ssl->session->heap, ssl->session->ticket = (byte*)XMALLOC(bufSz, ssl->session->heap,
DYNAMIC_TYPE_SESSION_TICK); DYNAMIC_TYPE_SESSION_TICK);
if(ssl->session->ticket == NULL) { if(ssl->session->ticket == NULL) {
ssl->session->ticket = ssl->session->_staticTicket; ssl->session->ticket = ssl->session->staticTicket;
ssl->session->ticketLenAlloc = 0; ssl->session->ticketLenAlloc = 0;
return MEMORY_ERROR; return MEMORY_ERROR;
} }
@@ -13599,7 +13599,7 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
WOLFSSL_MSG("Session cache row lock failure"); WOLFSSL_MSG("Session cache row lock failure");
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
if (tmpBufSet) { if (tmpBufSet) {
output->ticket = output->_staticTicket; output->ticket = output->staticTicket;
output->ticketLenAlloc = 0; output->ticketLenAlloc = 0;
} }
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
@@ -13672,18 +13672,18 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
DYNAMIC_TYPE_SESSION_TICK); DYNAMIC_TYPE_SESSION_TICK);
if (output->ticket == NULL) { if (output->ticket == NULL) {
error = WOLFSSL_FAILURE; error = WOLFSSL_FAILURE;
output->ticket = output->_staticTicket; output->ticket = output->staticTicket;
output->ticketLenAlloc = 0; output->ticketLenAlloc = 0;
output->ticketLen = 0; output->ticketLen = 0;
} }
} }
else { else {
output->ticket = output->_staticTicket; output->ticket = output->staticTicket;
output->ticketLenAlloc = 0; output->ticketLenAlloc = 0;
} }
} }
else { else {
output->ticket = output->_staticTicket; output->ticket = output->staticTicket;
output->ticketLenAlloc = 0; output->ticketLenAlloc = 0;
output->ticketLen = 0; output->ticketLen = 0;
} }
@@ -14101,7 +14101,9 @@ int AddSessionToCache(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* addSession,
* ticBuff at all making it a very cheap malloc/free. The page on a modern * ticBuff at all making it a very cheap malloc/free. The page on a modern
* OS will most likely not even be allocated to the process. */ * OS will most likely not even be allocated to the process. */
if (ticBuff != NULL && cacheSession->ticketLenAlloc < ticLen) { if (ticBuff != NULL && cacheSession->ticketLenAlloc < ticLen) {
cacheTicBuff = cacheSession->ticket; /* Save pointer only if separately allocated */
if (cacheSession->ticket != cacheSession->staticTicket)
cacheTicBuff = cacheSession->ticket;
ticBuffUsed = 1; ticBuffUsed = 1;
cacheSession->ticket = ticBuff; cacheSession->ticket = ticBuff;
cacheSession->ticketLenAlloc = (word16) ticLen; cacheSession->ticketLenAlloc = (word16) ticLen;
@@ -14143,7 +14145,7 @@ int AddSessionToCache(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* addSession,
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
else if (ticBuffUsed) { else if (ticBuffUsed) {
/* Error occured. Need to clean up the ticket buffer. */ /* Error occured. Need to clean up the ticket buffer. */
cacheSession->ticket = cacheSession->_staticTicket; cacheSession->ticket = cacheSession->staticTicket;
cacheSession->ticketLenAlloc = 0; cacheSession->ticketLenAlloc = 0;
cacheSession->ticketLen = 0; cacheSession->ticketLen = 0;
} }
@@ -19902,19 +19904,12 @@ WOLFSSL_SESSION* wolfSSL_NewSession(void* heap)
#endif #endif
ret->type = WOLFSSL_SESSION_TYPE_HEAP; ret->type = WOLFSSL_SESSION_TYPE_HEAP;
ret->heap = heap; ret->heap = heap;
ret->masterSecret = ret->_masterSecret;
#ifdef WOLFSSL_CHECK_MEM_ZERO #ifdef WOLFSSL_CHECK_MEM_ZERO
wc_MemZero_Add("SESSION master secret", ret->masterSecret, SECRET_LEN); wc_MemZero_Add("SESSION master secret", ret->masterSecret, SECRET_LEN);
wc_MemZero_Add("SESSION id", ret->sessionID, ID_LEN); wc_MemZero_Add("SESSION id", ret->sessionID, ID_LEN);
#endif #endif
#ifndef NO_CLIENT_CACHE
ret->serverID = ret->_serverID;
#endif
#ifdef OPENSSL_EXTRA
ret->sessionCtx = ret->_sessionCtx;
#endif
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
ret->ticket = ret->_staticTicket; ret->ticket = ret->staticTicket;
#endif #endif
#ifdef HAVE_STUNNEL #ifdef HAVE_STUNNEL
/* stunnel has this funny mechanism of storing the "is_authenticated" /* stunnel has this funny mechanism of storing the "is_authenticated"
@@ -20001,7 +19996,7 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output,
} }
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
if (output->ticket != output->_staticTicket) { if (output->ticket != output->staticTicket) {
ticBuff = output->ticket; ticBuff = output->ticket;
ticLenAlloc = output->ticketLenAlloc; ticLenAlloc = output->ticketLenAlloc;
} }
@@ -20022,8 +20017,8 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output,
sizeof(WOLFSSL_SESSION) - copyOffset); sizeof(WOLFSSL_SESSION) - copyOffset);
/* Set sane values for copy */ /* Set sane values for copy */
if (output->type != WOLFSSL_SESSION_TYPE_CACHE)
#ifndef NO_SESSION_CACHE #ifndef NO_SESSION_CACHE
if (output->type != WOLFSSL_SESSION_TYPE_CACHE)
output->cacheRow = INVALID_SESSION_ROW; output->cacheRow = INVALID_SESSION_ROW;
#endif #endif
#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
@@ -20038,13 +20033,6 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output,
else else
/* output->peer is not that important to copy */ /* output->peer is not that important to copy */
output->peer = NULL; output->peer = NULL;
#endif
output->masterSecret = output->_masterSecret;
#ifndef NO_CLIENT_CACHE
output->serverID = output->_serverID;
#endif
#ifdef OPENSSL_EXTRA
output->sessionCtx = output->_sessionCtx;
#endif #endif
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
if (input->ticketLen > SESSION_TICKET_LEN) { if (input->ticketLen > SESSION_TICKET_LEN) {
@@ -20090,7 +20078,7 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output,
* the static buffer. */ * the static buffer. */
if (ticBuff != NULL) { if (ticBuff != NULL) {
if (ticLenAlloc >= input->ticketLen) { if (ticLenAlloc >= input->ticketLen) {
output->ticket = output->_staticTicket; output->ticket = output->staticTicket;
output->ticketLenAlloc = 0; output->ticketLenAlloc = 0;
} }
else { else {
@@ -20103,14 +20091,14 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output,
} }
} }
else { else {
output->ticket = output->_staticTicket; output->ticket = output->staticTicket;
output->ticketLenAlloc = 0; output->ticketLenAlloc = 0;
} }
} }
else { else {
if (ticBuff != NULL) if (ticBuff != NULL)
XFREE(ticBuff, output->heap, DYNAMIC_TYPE_SESSION_TICK); XFREE(ticBuff, output->heap, DYNAMIC_TYPE_SESSION_TICK);
output->ticket = output->_staticTicket; output->ticket = output->staticTicket;
output->ticketLenAlloc = 0; output->ticketLenAlloc = 0;
} }
if (input->ticketLenAlloc > 0 && ret == WOLFSSL_SUCCESS) { if (input->ticketLenAlloc > 0 && ret == WOLFSSL_SUCCESS) {
@@ -25763,7 +25751,7 @@ WOLFSSL_SESSION* wolfSSL_d2i_SSL_SESSION(WOLFSSL_SESSION** sess,
XFREE(s->ticket, NULL, DYNAMIC_TYPE_SESSION_TICK); XFREE(s->ticket, NULL, DYNAMIC_TYPE_SESSION_TICK);
} }
if (s->ticketLen <= SESSION_TICKET_LEN) if (s->ticketLen <= SESSION_TICKET_LEN)
s->ticket = s->_staticTicket; s->ticket = s->staticTicket;
else { else {
s->ticket = (byte*)XMALLOC(s->ticketLen, NULL, s->ticket = (byte*)XMALLOC(s->ticketLen, NULL,
DYNAMIC_TYPE_SESSION_TICK); DYNAMIC_TYPE_SESSION_TICK);
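Review bot: The new guard in the AddSessionToCache hunk, `if (cacheSession->ticket != cacheSession->staticTicket)`, decides "heap-allocated" by pointer comparison, while wolfSSL_DupSession in this same file uses both that test (`output->ticket != output->staticTicket`) and `input->ticketLenAlloc > 0` for the same question. Nothing visible ties the two tests together, and if they ever disagree the outcome is either an XFREE of the inline buffer or a leaked ticket allocation. I would state the invariant next to the new check, for example `/* invariant: ticket == staticTicket iff ticketLenAlloc == 0 */`, so later edits keep both fields in step. AddSessionToCache continues outside the hunk, so where cacheTicBuff is finally released cannot be checked from here.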


@@ -3585,7 +3585,7 @@ struct WOLFSSL_SESSION {
* ID for TLS 1.3 */ * ID for TLS 1.3 */
byte sessionIDSz; byte sessionIDSz;
byte* masterSecret; /* stored secret */ byte masterSecret[SECRET_LEN]; /* stored secret */
word16 haveEMS; /* ext master secret flag */ word16 haveEMS; /* ext master secret flag */
#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
WOLFSSL_X509* peer; /* peer cert */ WOLFSSL_X509* peer; /* peer cert */
@@ -3601,11 +3601,11 @@ struct WOLFSSL_SESSION {
#endif #endif
#ifndef NO_CLIENT_CACHE #ifndef NO_CLIENT_CACHE
word16 idLen; /* serverID length */ word16 idLen; /* serverID length */
byte* serverID; /* for easier client lookup */ byte serverID[SERVER_ID_LEN]; /* for easier client lookup */
#endif #endif
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
byte sessionCtxSz; /* sessionCtx length */ byte sessionCtxSz; /* sessionCtx length */
byte* sessionCtx; /* app specific context id */ byte sessionCtx[ID_LEN]; /* app specific context id */
#endif /* OPENSSL_EXTRA */ #endif /* OPENSSL_EXTRA */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
byte peerVerifyRet; /* cert verify error */ byte peerVerifyRet; /* cert verify error */
@@ -3624,6 +3624,7 @@ struct WOLFSSL_SESSION {
#endif #endif
#endif #endif
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
byte staticTicket[SESSION_TICKET_LEN];
byte* ticket; byte* ticket;
word16 ticketLen; word16 ticketLen;
word16 ticketLenAlloc; /* is dynamic */ word16 ticketLenAlloc; /* is dynamic */
@@ -3638,22 +3639,6 @@ struct WOLFSSL_SESSION {
#ifdef HAVE_EX_DATA #ifdef HAVE_EX_DATA
WOLFSSL_CRYPTO_EX_DATA ex_data; WOLFSSL_CRYPTO_EX_DATA ex_data;
#endif #endif
/* Below buffers are not allocated for the WOLFSSL_SESSION_TYPE_REF, instead
* the above pointers reference the session cache for backwards
* compatibility. For all other session types the above pointers reference
* these buffers directly. Keep these buffers at the end so that they don't
* get copied into the WOLFSSL_SESSION_TYPE_REF object. */
byte _masterSecret[SECRET_LEN];
#ifndef NO_CLIENT_CACHE
byte _serverID[SERVER_ID_LEN];
#endif
#ifdef HAVE_SESSION_TICKET
byte _staticTicket[SESSION_TICKET_LEN];
#endif
#ifdef OPENSSL_EXTRA
byte _sessionCtx[ID_LEN];
#endif
}; };
WOLFSSL_LOCAL int wolfSSL_RAND_Init(void); WOLFSSL_LOCAL int wolfSSL_RAND_Init(void);
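Review bot: The deleted block comment was the only text in the struct that explained how the pointers relate to their buffers, and the added `byte staticTicket[SESSION_TICKET_LEN];` comes with no replacement. Every site in this commit that points `ticket` at `staticTicket` also sets `ticketLenAlloc = 0`, so I would record that on the field: `/* inline storage; ticket points here whenever ticketLenAlloc == 0 */`. Separately, `masterSecret` is now an array rather than a pointer, so each WOLFSSL_SESSION object holds the secret bytes themselves. It is worth confirming that every path which frees or recycles a session clears that array; the free path is not part of this diff.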