wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-01 03:34:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Allocate ssl->session separately on the heap

Browse Source 
- Refactor session cache access into `AddSessionToCache` and `wolfSSL_GetSessionFromCache`
This commit is contained in:
Juliusz Sosinowicz
2022-02-07 16:54:42 +01:00
parent 1d712d47ba
commit 91b08fb691
9 changed files with 536 additions and 640 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
doc/dox_comments/header_files/ssl.h
View File

@@ -11166,7 +11166,7 @@ WOLFSSL_API int wolfSSL_CTX_UseSessionTicket(WOLFSSL_CTX* ctx);
if(wolfSSL_get_SessionTicket(ssl, buf, bufSz) <= 0){
// Nothing was written to the buffer
} else {
// the buffer holds the content from ssl->session.ticket
// the buffer holds the content from ssl->session->ticket
}
\endcode

164
src/internal.c
View File

@@ -6629,18 +6629,14 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
}
#endif /*OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */
ssl->session.heap = ssl->heap;
ssl->session.type = WOLFSSL_SESSION_TYPE_SSL;
ssl->session.masterSecret = ssl->session._masterSecret;
#ifndef NO_CLIENT_CACHE
ssl->session.serverID = ssl->session._serverID;
#endif
#ifdef OPENSSL_EXTRA
ssl->session.sessionCtx = ssl->session._sessionCtx;
#endif
ssl->session = wolfSSL_NewSession(ssl->heap);
if (ssl->session == NULL) {
WOLFSSL_MSG("SSL Session Memory error");
return MEMORY_E;
}
#ifdef HAVE_SESSION_TICKET
ssl->options.noTicketTls12 = ctx->noTicketTls12;
ssl->session.ticket = ssl->session._staticTicket;
#endif
#ifdef WOLFSSL_MULTICAST
@@ -6687,10 +6683,10 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
void FreeArrays(WOLFSSL* ssl, int keep)
{
if (ssl->arrays) {
if (keep) {
if (keep && !IsAtLeastTLSv1_3(ssl->version)) {
/* keeps session id for user retrieval */
XMEMCPY(ssl->session.sessionID, ssl->arrays->sessionID, ID_LEN);
ssl->session.sessionIDSz = ssl->arrays->sessionIDSz;
XMEMCPY(ssl->session->sessionID, ssl->arrays->sessionID, ID_LEN);
ssl->session->sessionIDSz = ssl->arrays->sessionIDSz;
}
if (ssl->arrays->preMasterSecret) {
XFREE(ssl->arrays->preMasterSecret, ssl->heap, DYNAMIC_TYPE_SECRET);
@@ -7224,17 +7220,8 @@ void SSL_ResourceFree(WOLFSSL* ssl)
FreeX509(&ssl->peerCert);
#endif
#ifdef HAVE_SESSION_TICKET
if (ssl->session.ticketLenAlloc > 0) {
XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
ssl->session.ticket = ssl->session._staticTicket;
ssl->session.ticketLenAlloc = 0;
ssl->session.ticketLen = 0;
}
#endif
#ifdef HAVE_EXT_CACHE
wolfSSL_SESSION_free(ssl->extSession);
#endif
if (ssl->session != NULL)
wolfSSL_FreeSession(ssl->session);
#ifdef HAVE_WRITE_DUP
if (ssl->dupWrite) {
FreeWriteDup(ssl);
@@ -7501,15 +7488,6 @@ void FreeHandshakeResources(WOLFSSL* ssl)
}
#endif /* HAVE_PK_CALLBACKS */
#ifdef HAVE_SESSION_TICKET
if (ssl->session.ticketLenAlloc > 0) {
XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
ssl->session.ticket = ssl->session._staticTicket;
ssl->session.ticketLenAlloc = 0;
ssl->session.ticketLen = 0;
}
#endif
#if defined(HAVE_TLS_EXTENSIONS) && !defined(HAVE_SNI) && \
!defined(HAVE_ALPN) && !defined(WOLFSSL_POST_HANDSHAKE_AUTH)
/* Some extensions need to be kept for post-handshake querying. */
@@ -11369,7 +11347,7 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
}
#endif
#ifdef SESSION_CERTS
store->sesChain = &ssl->session.chain;
store->sesChain = &ssl->session->chain;
#endif
}
#ifndef NO_WOLFSSL_CM_VERIFY
@@ -11439,9 +11417,9 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
#ifdef SESSION_CERTS
if ((ssl != NULL) && (store->discardSessionCerts)) {
WOLFSSL_MSG("Verify callback requested discard sess certs");
ssl->session.chain.count = 0;
ssl->session->chain.count = 0;
#ifdef WOLFSSL_ALT_CERT_CHAINS
ssl->session.altChain.count = 0;
ssl->session->altChain.count = 0;
#endif
}
#endif /* SESSION_CERTS */
@@ -12083,7 +12061,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
args->certs[args->totalCerts].buffer = input + args->idx;
#ifdef SESSION_CERTS
AddSessionCertToChain(&ssl->session.chain,
AddSessionCertToChain(&ssl->session->chain,
input + args->idx, certSz);
#endif /* SESSION_CERTS */
@@ -12378,7 +12356,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
/* if using alternate chain, store the cert used */
if (ssl->options.usingAltCertChain) {
AddSessionCertToChain(&ssl->session.altChain,
AddSessionCertToChain(&ssl->session->altChain,
cert->buffer, cert->length);
}
#endif /* SESSION_CERTS && WOLFSSL_ALT_CERT_CHAINS */
@@ -12474,7 +12452,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* if using alternate chain, store the cert used */
if (ssl->options.usingAltCertChain) {
buffer* cert = &args->certs[args->certIdx];
AddSessionCertToChain(&ssl->session.altChain,
AddSessionCertToChain(&ssl->session->altChain,
cert->buffer, cert->length);
}
#endif /* SESSION_CERTS && WOLFSSL_ALT_CERT_CHAINS */
@@ -13271,9 +13249,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifdef SESSION_CERTS
/* Reset the session cert chain count in case the session resume failed. */
ssl->session.chain.count = 0;
ssl->session->chain.count = 0;
#ifdef WOLFSSL_ALT_CERT_CHAINS
ssl->session.altChain.count = 0;
ssl->session->altChain.count = 0;
#endif
#endif /* SESSION_CERTS */
@@ -22761,7 +22739,7 @@ exit_dpk:
return BAD_FUNC_ARG;
}
idSz = ssl->options.resuming ? ssl->session.sessionIDSz : 0;
idSz = ssl->options.resuming ? ssl->session->sessionIDSz : 0;
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->version))
@@ -22777,11 +22755,11 @@ exit_dpk:
}
#ifdef HAVE_SESSION_TICKET
if (ssl->options.resuming && ssl->session.ticketLen > 0) {
if (ssl->options.resuming && ssl->session->ticketLen > 0) {
SessionTicket* ticket;
ticket = TLSX_SessionTicket_Create(0, ssl->session.ticket,
ssl->session.ticketLen, ssl->heap);
ticket = TLSX_SessionTicket_Create(0, ssl->session->ticket,
ssl->session->ticketLen, ssl->heap);
if (ticket == NULL) return MEMORY_E;
ret = TLSX_UseSessionTicket(&ssl->extensions, ticket, ssl->heap);
@@ -22870,9 +22848,9 @@ exit_dpk:
/* then session id */
output[idx++] = (byte)idSz;
if (idSz) {
XMEMCPY(output + idx, ssl->session.sessionID,
ssl->session.sessionIDSz);
idx += ssl->session.sessionIDSz;
XMEMCPY(output + idx, ssl->session->sessionID,
ssl->session->sessionIDSz);
idx += ssl->session->sessionIDSz;
}
/* then DTLS cookie */
@@ -23069,12 +23047,12 @@ exit_dpk:
#ifdef HAVE_SESSION_TICKET
/* server may send blank ticket which may not be expected to indicate
* existing one ok but will also be sending a new one */
ret = ret || (ssl->session.ticketLen > 0);
ret = ret || (ssl->session->ticketLen > 0);
#endif
ret = ret ||
(ssl->options.haveSessionId && XMEMCMP(ssl->arrays->sessionID,
ssl->session.sessionID, ID_LEN) == 0);
ssl->session->sessionID, ID_LEN) == 0);
return ret;
}
@@ -23412,7 +23390,7 @@ exit_dpk:
#ifdef HAVE_SECRET_CALLBACK
if (ssl->sessionSecretCb != NULL) {
int secretSz = SECRET_LEN;
ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret,
ret = ssl->sessionSecretCb(ssl, ssl->session->masterSecret,
&secretSz, ssl->sessionSecretCtx);
if (ret != 0 || secretSz != SECRET_LEN)
return SESSION_SECRET_CB_E;
@@ -23470,7 +23448,7 @@ exit_dpk:
if (SetCipherSpecs(ssl) == 0) {
XMEMCPY(ssl->arrays->masterSecret,
ssl->session.masterSecret, SECRET_LEN);
ssl->session->masterSecret, SECRET_LEN);
#ifdef NO_OLD_TLS
ret = DeriveTlsKeys(ssl);
#else
@@ -26742,27 +26720,27 @@ exit_scv:
int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length)
{
/* Free old dynamic ticket if we already had one */
if (ssl->session.ticketLenAlloc > 0) {
XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
ssl->session.ticket = ssl->session._staticTicket;
ssl->session.ticketLenAlloc = 0;
if (ssl->session->ticketLenAlloc > 0) {
XFREE(ssl->session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
ssl->session->ticket = ssl->session->_staticTicket;
ssl->session->ticketLenAlloc = 0;
}
if (length > sizeof(ssl->session._staticTicket)) {
if (length > sizeof(ssl->session->_staticTicket)) {
byte* sessionTicket =
(byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
if (sessionTicket == NULL)
return MEMORY_E;
ssl->session.ticket = sessionTicket;
ssl->session.ticketLenAlloc = (word16)length;
ssl->session->ticket = sessionTicket;
ssl->session->ticketLenAlloc = (word16)length;
}
ssl->session.ticketLen = (word16)length;
ssl->session->ticketLen = (word16)length;
if (length > 0) {
XMEMCPY(ssl->session.ticket, ticket, length);
XMEMCPY(ssl->session->ticket, ticket, length);
if (ssl->session_ticket_cb != NULL) {
ssl->session_ticket_cb(ssl,
ssl->session.ticket, ssl->session.ticketLen,
ssl->session->ticket, ssl->session->ticketLen,
ssl->session_ticket_ctx);
}
/* Create a fake sessionID based on the ticket, this will
@@ -26770,13 +26748,13 @@ int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length)
ssl->options.haveSessionId = 1;
#ifdef WOLFSSL_TLS13
if (ssl->options.tls1_3) {
XMEMCPY(ssl->session.sessionID,
ssl->session.ticket + length - ID_LEN, ID_LEN);
XMEMCPY(ssl->session->sessionID,
ssl->session->ticket + length - ID_LEN, ID_LEN);
}
else
#endif
XMEMCPY(ssl->arrays->sessionID,
ssl->session.ticket + length - ID_LEN, ID_LEN);
ssl->session->ticket + length - ID_LEN, ID_LEN);
}
return 0;
@@ -29271,7 +29249,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
(void)bogusID;
#ifdef HAVE_SESSION_TICKET
if (ssl->options.useTicket == 1) {
session = &ssl->session;
session = ssl->session;
} else if (bogusID == 1 && ssl->options.rejectTicket == 0) {
WOLFSSL_MSG("Bogus session ID without session ticket");
return BUFFER_ERROR;
@@ -30582,7 +30560,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
int CreateTicket(WOLFSSL* ssl)
{
InternalTicket it;
ExternalTicket* et = (ExternalTicket*)ssl->session.ticket;
ExternalTicket* et = (ExternalTicket*)ssl->session->ticket;
int encLen;
int ret;
byte zeros[WOLFSSL_TICKET_MAC_SZ]; /* biggest cmp size */
@@ -30614,12 +30592,12 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
sizeof(it.ageAdd));
if (ret != 0)
return BAD_TICKET_ENCRYPT;
ssl->session.ticketAdd = it.ageAdd;
it.namedGroup = ssl->session.namedGroup;
ssl->session->ticketAdd = it.ageAdd;
it.namedGroup = ssl->session->namedGroup;
it.timestamp = TimeNowInMilliseconds();
/* Resumption master secret. */
XMEMCPY(it.msecret, ssl->session.masterSecret, SECRET_LEN);
XMEMCPY(&it.ticketNonce, &ssl->session.ticketNonce,
XMEMCPY(it.msecret, ssl->session->masterSecret, SECRET_LEN);
XMEMCPY(&it.ticketNonce, &ssl->session->ticketNonce,
sizeof(TicketNonce));
#endif
}
@@ -30627,12 +30605,12 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#ifdef WOLFSSL_TICKET_HAVE_ID
{
const byte* id = NULL;
if (ssl->options.haveTicketSessionID)
id = ssl->ticketSessionID;
if (ssl->session->haveAltSessionID)
id = ssl->session->altSessionID;
else if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL)
id = ssl->arrays->sessionID;
else
id = ssl->session.sessionID;
id = ssl->session->sessionID;
XMEMCPY(it.id, id, ID_LEN);
}
#endif
@@ -30702,7 +30680,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
/* set size */
c16toa((word16)encLen, et->enc_len);
ssl->session.ticketLen = (word16)(encLen + WOLFSSL_TICKET_FIXED_SZ);
ssl->session->ticketLen = (word16)(encLen + WOLFSSL_TICKET_FIXED_SZ);
if (encLen < WOLFSSL_TICKET_ENC_SZ) {
/* move mac up since whole enc buffer not used */
XMEMMOVE(et->enc_ticket +encLen, et->mac,WOLFSSL_TICKET_MAC_SZ);
@@ -30795,8 +30773,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#ifdef WOLFSSL_TICKET_HAVE_ID
{
ssl->options.haveTicketSessionID = 1;
XMEMCPY(ssl->ticketSessionID, it.id, ID_LEN);
ssl->session->haveAltSessionID = 1;
XMEMCPY(ssl->session->altSessionID, it.id, ID_LEN);
if (wolfSSL_GetSession(ssl, NULL, 1) != NULL) {
WOLFSSL_MSG("Found session matching the session id"
" found in the ticket");
@@ -30812,28 +30790,28 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
XMEMCPY(ssl->arrays->masterSecret, it.msecret, SECRET_LEN);
/* Copy the haveExtendedMasterSecret property from the ticket to
* the saved session, so the property may be checked later. */
ssl->session.haveEMS = it.haveEMS;
ato32((const byte*)&it.timestamp, &ssl->session.bornOn);
ssl->session->haveEMS = it.haveEMS;
ato32((const byte*)&it.timestamp, &ssl->session->bornOn);
#ifndef NO_RESUME_SUITE_CHECK
ssl->session.cipherSuite0 = it.suite[0];
ssl->session.cipherSuite = it.suite[1];
ssl->session->cipherSuite0 = it.suite[0];
ssl->session->cipherSuite = it.suite[1];
#endif
}
else {
#ifdef WOLFSSL_TLS13
/* Restore information to renegotiate. */
ssl->session.ticketSeen = it.timestamp;
ssl->session.ticketAdd = it.ageAdd;
ssl->session.cipherSuite0 = it.suite[0];
ssl->session.cipherSuite = it.suite[1];
ssl->session->ticketSeen = it.timestamp;
ssl->session->ticketAdd = it.ageAdd;
ssl->session->cipherSuite0 = it.suite[0];
ssl->session->cipherSuite = it.suite[1];
#ifdef WOLFSSL_EARLY_DATA
ssl->session.maxEarlyDataSz = it.maxEarlyDataSz;
ssl->session->maxEarlyDataSz = it.maxEarlyDataSz;
#endif
/* Resumption master secret. */
XMEMCPY(ssl->session.masterSecret, it.msecret, SECRET_LEN);
XMEMCPY(&ssl->session.ticketNonce, &it.ticketNonce,
XMEMCPY(ssl->session->masterSecret, it.msecret, SECRET_LEN);
XMEMCPY(&ssl->session->ticketNonce, &it.ticketNonce,
sizeof(TicketNonce));
ssl->session.namedGroup = it.namedGroup;
ssl->session->namedGroup = it.namedGroup;
#endif
}
}
@@ -30864,7 +30842,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (ret != 0) return ret;
}
length += ssl->session.ticketLen;
length += ssl->session->ticketLen;
sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
if (!ssl->options.dtls) {
@@ -30896,12 +30874,12 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
idx += SESSION_HINT_SZ;
/* length */
c16toa(ssl->session.ticketLen, output + idx);
c16toa(ssl->session->ticketLen, output + idx);
idx += LENGTH_SZ;
/* ticket */
XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen);
idx += ssl->session.ticketLen;
XMEMCPY(output + idx, ssl->session->ticket, ssl->session->ticketLen);
idx += ssl->session->ticketLen;
if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) {
byte* input;

34
src/sniffer.c
View File

@@ -3044,9 +3044,9 @@ static int ProcessSessionTicket(const byte* input, int* sslBytes,
*sslBytes -= OPAQUE8_LEN;
#ifdef HAVE_SESSION_TICKET
/* store nonce in server for DeriveResumptionPSK */
session->sslServer->session.ticketNonce.len = len;
session->sslServer->session->ticketNonce.len = len;
if (len > 0)
XMEMCPY(&session->sslServer->session.ticketNonce.data, input, len);
XMEMCPY(&session->sslServer->session->ticketNonce.data, input, len);
#endif
input += len;
*sslBytes -= len;
@@ -3123,7 +3123,7 @@ static int DoResume(SnifferSession* session, char* error)
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(session->sslServer->version)) {
resume = wolfSSL_GetSession(session->sslServer,
session->sslServer->session.masterSecret, 0);
session->sslServer->session->masterSecret, 0);
if (resume == NULL) {
/* TLS v1.3 with hello_retry uses session_id even for new session,
so ignore error here */
@@ -3147,8 +3147,8 @@ static int DoResume(SnifferSession* session, char* error)
/* make sure client has master secret too */
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(session->sslServer->version)) {
XMEMCPY(session->sslClient->session.masterSecret,
session->sslServer->session.masterSecret, SECRET_LEN);
XMEMCPY(session->sslClient->session->masterSecret,
session->sslServer->session->masterSecret, SECRET_LEN);
}
else
#endif
@@ -3179,8 +3179,8 @@ static int DoResume(SnifferSession* session, char* error)
session->sslServer->arrays->psk_keySz = session->sslServer->specs.hash_size;
session->sslClient->arrays->psk_keySz = session->sslClient->specs.hash_size;
ret = DeriveResumptionPSK(session->sslServer,
session->sslServer->session.ticketNonce.data,
session->sslServer->session.ticketNonce.len,
session->sslServer->session->ticketNonce.data,
session->sslServer->session->ticketNonce.len,
session->sslServer->arrays->psk_key);
/* Copy resumption PSK to client */
XMEMCPY(session->sslClient->arrays->psk_key,
@@ -3266,7 +3266,7 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
}
if (b) {
#ifdef WOLFSSL_TLS13
XMEMCPY(session->sslServer->session.sessionID, input, ID_LEN);
XMEMCPY(session->sslServer->session->sessionID, input, ID_LEN);
#endif
XMEMCPY(session->sslServer->arrays->sessionID, input, ID_LEN);
session->sslServer->options.haveSessionId = 1;
@@ -3370,10 +3370,10 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
session->sslClient->options.resuming = 1;
#ifdef WOLFSSL_TLS13
/* default nonce to len = 1, data = 0 */
session->sslServer->session.ticketNonce.len = 1;
session->sslServer->session.ticketNonce.data[0] = 0;
session->sslClient->session.ticketNonce.len = 1;
session->sslClient->session.ticketNonce.data[0] = 0;
session->sslServer->session->ticketNonce.len = 1;
session->sslServer->session->ticketNonce.data[0] = 0;
session->sslClient->session->ticketNonce.len = 1;
session->sslClient->session->ticketNonce.data[0] = 0;
#endif
break;
#endif
@@ -3595,7 +3595,7 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
}
Trace(CLIENT_RESUME_TRY_STR);
#ifdef WOLFSSL_TLS13
XMEMCPY(session->sslClient->session.sessionID, input, ID_LEN);
XMEMCPY(session->sslClient->session->sessionID, input, ID_LEN);
#endif
if (session->sslClient->arrays)
XMEMCPY(session->sslClient->arrays->sessionID, input, ID_LEN);
@@ -4014,14 +4014,14 @@ static int ProcessFinished(const byte* input, int size, int* sslBytes,
#ifdef HAVE_SESSION_TICKET
/* derive resumption secret for next session - on finished (from client) */
ret += DeriveResumptionSecret(session->sslClient,
session->sslClient->session.masterSecret);
session->sslClient->session->masterSecret);
/* copy resumption secret to server */
XMEMCPY(session->sslServer->session.masterSecret,
session->sslClient->session.masterSecret, SECRET_LEN);
XMEMCPY(session->sslServer->session->masterSecret,
session->sslClient->session->masterSecret, SECRET_LEN);
#ifdef SHOW_SECRETS
PrintSecret("resumption secret",
session->sslClient->session.masterSecret, SECRET_LEN);
session->sslClient->session->masterSecret, SECRET_LEN);
#endif
#endif
}

771
src/ssl.c
View File

File diff suppressed because it is too large Load Diff

26
src/tls.c
View File

@@ -7698,7 +7698,7 @@ static int TLSX_KeyShare_Process(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
int ret;
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
ssl->session.namedGroup = (byte)keyShareEntry->group;
ssl->session->namedGroup = (byte)keyShareEntry->group;
#endif
/* reset the pre master secret size */
if (ssl->arrays->preMasterSz == 0)
@@ -7943,7 +7943,7 @@ static int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
/* Process the entry to calculate the secret. */
ret = TLSX_KeyShare_Process(ssl, keyShareEntry);
if (ret == 0)
ssl->session.namedGroup = ssl->namedGroup = group;
ssl->session->namedGroup = ssl->namedGroup = group;
}
else if (msgType == hello_retry_request) {
if (length != OPAQUE16_LEN)
@@ -9122,10 +9122,10 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,
#ifdef HAVE_SESSION_TICKET
if (list->resumption) {
/* Check that the session's details are the same as the server's. */
if (ssl->options.cipherSuite0 != ssl->session.cipherSuite0 ||
ssl->options.cipherSuite != ssl->session.cipherSuite ||
ssl->session.version.major != ssl->ctx->method->version.major ||
ssl->session.version.minor != ssl->ctx->method->version.minor) {
if (ssl->options.cipherSuite0 != ssl->session->cipherSuite0 ||
ssl->options.cipherSuite != ssl->session->cipherSuite ||
ssl->session->version.major != ssl->ctx->method->version.major ||
ssl->session->version.minor != ssl->ctx->method->version.minor) {
return PSK_KEY_ERROR;
}
}
@@ -9636,7 +9636,7 @@ static int TLSX_EarlyData_Parse(WOLFSSL* ssl, const byte* input, word16 length,
return BUFFER_E;
ato32(input, &maxSz);
ssl->session.maxEarlyDataSz = maxSz;
ssl->session->maxEarlyDataSz = maxSz;
return 0;
}
@@ -10195,8 +10195,8 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
int ret = WOLFSSL_SUCCESS;
#ifdef WOLFSSL_TLS13
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
if (ssl->options.resuming && ssl->session.namedGroup != 0) {
return TLSX_UseSupportedCurve(extensions, ssl->session.namedGroup,
if (ssl->options.resuming && ssl->session->namedGroup != 0) {
return TLSX_UseSupportedCurve(extensions, ssl->session->namedGroup,
ssl->heap);
}
#endif
@@ -10600,8 +10600,8 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
if (extension == NULL) {
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
if (ssl->options.resuming && ssl->session.namedGroup != 0)
namedGroup = ssl->session.namedGroup;
if (ssl->options.resuming && ssl->session->namedGroup != 0)
namedGroup = ssl->session->namedGroup;
else
#endif
if (ssl->numGroups > 0) {
@@ -10647,8 +10647,8 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
TLSX_Remove(&ssl->extensions, TLSX_PRE_SHARED_KEY, ssl->heap);
#endif
#if defined(HAVE_SESSION_TICKET)
if (ssl->options.resuming && ssl->session.ticketLen > 0) {
WOLFSSL_SESSION* sess = &ssl->session;
if (ssl->options.resuming && ssl->session->ticketLen > 0) {
WOLFSSL_SESSION* sess = ssl->session;
word32 now, milli;
if (sess->ticketLen > MAX_PSK_ID_LEN) {

152
src/tls13.c
View File

@@ -807,7 +807,7 @@ int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
masterSecret = ssl->arrays->masterSecret;
}
else {
masterSecret = ssl->session.masterSecret;
masterSecret = ssl->session->masterSecret;
}
return DeriveKey(ssl, key, -1, masterSecret, resumeMasterLabel,
RESUME_MASTER_LABEL_SZ, ssl->specs.mac_algorithm, 1);
@@ -1014,7 +1014,7 @@ int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, byte* secret)
PRIVATE_KEY_UNLOCK();
ret = wc_Tls13_HKDF_Expand_Label(secret, ssl->specs.hash_size,
ssl->session.masterSecret, ssl->specs.hash_size,
ssl->session->masterSecret, ssl->specs.hash_size,
protocol, protocolLen, resumptionLabel,
RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg);
PRIVATE_KEY_LOCK();
@@ -2772,13 +2772,13 @@ static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk, int clientHello)
}
#ifdef WOLFSSL_EARLY_DATA
if (ssl->session.maxEarlyDataSz == 0)
if (ssl->session->maxEarlyDataSz == 0)
ssl->earlyData = no_early_data;
#endif
/* Resumption PSK is master secret. */
ssl->arrays->psk_keySz = ssl->specs.hash_size;
if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data,
ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) {
if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data,
ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) {
return ret;
}
}
@@ -3049,15 +3049,15 @@ int SendTls13ClientHello(WOLFSSL* ssl)
#ifdef HAVE_SESSION_TICKET
if (ssl->options.resuming &&
(ssl->session.version.major != ssl->version.major ||
ssl->session.version.minor != ssl->version.minor)) {
(ssl->session->version.major != ssl->version.major ||
ssl->session->version.minor != ssl->version.minor)) {
#ifndef WOLFSSL_NO_TLS12
if (ssl->session.version.major == ssl->version.major &&
ssl->session.version.minor < ssl->version.minor) {
if (ssl->session->version.major == ssl->version.major &&
ssl->session->version.minor < ssl->version.minor) {
/* Cannot resume with a different protocol version. */
ssl->options.resuming = 0;
ssl->version.major = ssl->session.version.major;
ssl->version.minor = ssl->session.version.minor;
ssl->version.major = ssl->session->version.major;
ssl->version.minor = ssl->session->version.minor;
return SendClientHello(ssl);
}
else
@@ -3097,8 +3097,8 @@ int SendTls13ClientHello(WOLFSSL* ssl)
#if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
args->length += ID_LEN;
#else
if (ssl->session.sessionIDSz > 0)
args->length += ssl->session.sessionIDSz;
if (ssl->session->sessionIDSz > 0)
args->length += ssl->session->sessionIDSz;
#endif
/* Advance state and proceed */
@@ -3179,11 +3179,11 @@ int SendTls13ClientHello(WOLFSSL* ssl)
XMEMCPY(args->output + args->idx, ssl->arrays->clientRandom, RAN_LEN);
args->idx += RAN_LEN;
if (ssl->session.sessionIDSz > 0) {
if (ssl->session->sessionIDSz > 0) {
/* Session resumption for old versions of protocol. */
args->output[args->idx++] = ID_LEN;
XMEMCPY(args->output + args->idx, ssl->session.sessionID,
ssl->session.sessionIDSz);
XMEMCPY(args->output + args->idx, ssl->session->sessionID,
ssl->session->sessionIDSz);
args->idx += ID_LEN;
}
else {
@@ -3514,7 +3514,7 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#ifdef HAVE_SECRET_CALLBACK
if (ssl->sessionSecretCb != NULL) {
int secretSz = SECRET_LEN;
ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret,
ret = ssl->sessionSecretCb(ssl, ssl->session->masterSecret,
&secretSz, ssl->sessionSecretCtx);
if (ret != 0 || secretSz != SECRET_LEN) {
return SESSION_SECRET_CB_E;
@@ -3566,9 +3566,9 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
WOLFSSL_MSG("args->sessIdSz == 0");
return INVALID_PARAMETER;
}
if (ssl->session.sessionIDSz != 0) {
if (ssl->session.sessionIDSz != args->sessIdSz ||
XMEMCMP(ssl->session.sessionID, args->sessId,
if (ssl->session->sessionIDSz != 0) {
if (ssl->session->sessionIDSz != args->sessIdSz ||
XMEMCMP(ssl->session->sessionID, args->sessId,
args->sessIdSz) != 0) {
WOLFSSL_MSG("session id doesn't match");
return INVALID_PARAMETER;
@@ -3580,8 +3580,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return INVALID_PARAMETER;
}
#else
if (args->sessIdSz != ssl->session.sessionIDSz || (args->sessIdSz > 0 &&
XMEMCMP(ssl->session.sessionID, args->sessId, args->sessIdSz) != 0))
if (args->sessIdSz != ssl->session->sessionIDSz || (args->sessIdSz > 0 &&
XMEMCMP(ssl->session->sessionID, args->sessId, args->sessIdSz) != 0))
{
WOLFSSL_MSG("Server sent different session id");
return INVALID_PARAMETER;
@@ -3944,7 +3944,7 @@ static int FindPsk(WOLFSSL* ssl, PreSharedKey* psk, byte* suite, int* err)
ssl->options.verifyPeer = 0;
/* PSK age is always zero. */
if (psk->ticketAge != ssl->session.ticketAdd) {
if (psk->ticketAge != ssl->session->ticketAdd) {
ret = PSK_KEY_ERROR;
}
}
@@ -4016,7 +4016,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
/* Difference between now and time ticket constructed
* (from decrypted ticket). */
diff = now;
diff -= ssl->session.ticketSeen;
diff -= ssl->session->ticketSeen;
if (diff > (sword64)ssl->timeout * 1000 ||
diff > (sword64)TLS13_MAX_TICKET_AGE * 1000) {
current = current->next;
@@ -4024,7 +4024,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
}
/* Subtract client's ticket age and unobfuscate. */
diff -= current->ticketAge;
diff += ssl->session.ticketAdd;
diff += ssl->session->ticketAdd;
/* Check session and ticket age timeout.
* Allow +/- 1000 milliseconds on ticket age.
*/
@@ -4037,14 +4037,14 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
/* Check whether resumption is possible based on suites in SSL and
* ciphersuite in ticket.
*/
if ((suite[0] != ssl->session.cipherSuite0) ||
(suite[1] != ssl->session.cipherSuite)) {
if ((suite[0] != ssl->session->cipherSuite0) ||
(suite[1] != ssl->session->cipherSuite)) {
current = current->next;
continue;
}
#else
suite[0] = ssl->session.cipherSuite0;
suite[1] = ssl->session.cipherSuite;
suite[0] = ssl->session->cipherSuite0;
suite[1] = ssl->session->cipherSuite;
if (!FindSuiteSSL(ssl, suite)) {
current = current->next;
continue;
@@ -4052,19 +4052,19 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
#endif
#ifdef WOLFSSL_EARLY_DATA
ssl->options.maxEarlyDataSz = ssl->session.maxEarlyDataSz;
ssl->options.maxEarlyDataSz = ssl->session->maxEarlyDataSz;
#endif
/* Use the same cipher suite as before and set up for use. */
ssl->options.cipherSuite0 = ssl->session.cipherSuite0;
ssl->options.cipherSuite = ssl->session.cipherSuite;
ssl->options.cipherSuite0 = ssl->session->cipherSuite0;
ssl->options.cipherSuite = ssl->session->cipherSuite;
ret = SetCipherSpecs(ssl);
if (ret != 0)
return ret;
/* Resumption PSK is resumption master secret. */
ssl->arrays->psk_keySz = ssl->specs.hash_size;
if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data,
ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) {
if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data,
ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) {
return ret;
}
@@ -4273,7 +4273,7 @@ static int CheckPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe &&
ext != NULL) {
/* Only use named group used in last session. */
ssl->namedGroup = ssl->session.namedGroup;
ssl->namedGroup = ssl->session->namedGroup;
*usingPSK = 2; /* generate new ephemeral key */
}
@@ -4404,7 +4404,7 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
return ret;
/* Reconstruct the HelloRetryMessage for handshake hash. */
length = HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz +
length = HRR_BODY_SZ - ID_LEN + ssl->session->sessionIDSz +
HRR_COOKIE_HDR_SZ + cookie->len;
length += HRR_VERSIONS_SZ;
if (cookieDataSz > hashSz + OPAQUE16_LEN) {
@@ -4425,10 +4425,10 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN);
hrrIdx += RAN_LEN;
hrr[hrrIdx++] = ssl->session.sessionIDSz;
if (ssl->session.sessionIDSz > 0) {
XMEMCPY(hrr + hrrIdx, ssl->session.sessionID, ssl->session.sessionIDSz);
hrrIdx += ssl->session.sessionIDSz;
hrr[hrrIdx++] = ssl->session->sessionIDSz;
if (ssl->session->sessionIDSz > 0) {
XMEMCPY(hrr + hrrIdx, ssl->session->sessionID, ssl->session->sessionIDSz);
hrrIdx += ssl->session->sessionIDSz;
}
/* Cipher Suite */
@@ -4439,7 +4439,7 @@ static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
hrr[hrrIdx++] = 0;
/* Extensions' length */
length -= HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz;
length -= HRR_BODY_SZ - ID_LEN + ssl->session->sessionIDSz;
c16toa(length, hrr + hrrIdx);
hrrIdx += 2;
@@ -4717,9 +4717,9 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ERROR_OUT(BUFFER_ERROR, exit_dch);
}
ssl->session.sessionIDSz = sessIdSz;
ssl->session->sessionIDSz = sessIdSz;
if (sessIdSz == ID_LEN) {
XMEMCPY(ssl->session.sessionID, input + args->idx, sessIdSz);
XMEMCPY(ssl->session->sessionID, input + args->idx, sessIdSz);
args->idx += ID_LEN;
}
@@ -4973,7 +4973,7 @@ int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
/* Protocol version, server random, session id, cipher suite, compression
* and extensions.
*/
length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session.sessionIDSz +
length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session->sessionIDSz +
SUITE_LEN + COMP_LEN;
ret = TLSX_GetResponseSize(ssl, extMsgType, &length);
if (ret != 0)
@@ -5014,10 +5014,10 @@ int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
#endif
output[idx++] = ssl->session.sessionIDSz;
if (ssl->session.sessionIDSz > 0) {
XMEMCPY(output + idx, ssl->session.sessionID, ssl->session.sessionIDSz);
idx += ssl->session.sessionIDSz;
output[idx++] = ssl->session->sessionIDSz;
if (ssl->session->sessionIDSz > 0) {
XMEMCPY(output + idx, ssl->session->sessionID, ssl->session->sessionIDSz);
idx += ssl->session->sessionIDSz;
}
/* Chosen cipher suite */
@@ -7144,7 +7144,7 @@ static int SendTls13Finished(WOLFSSL* ssl)
return ret;
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret);
if (ret != 0)
return ret;
#endif
@@ -7476,18 +7476,18 @@ static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
return now;
/* Copy in ticket data (server identity). */
ssl->timeout = lifetime;
ssl->session.timeout = lifetime;
ssl->session.cipherSuite0 = ssl->options.cipherSuite0;
ssl->session.cipherSuite = ssl->options.cipherSuite;
ssl->session.ticketSeen = now;
ssl->session.ticketAdd = ageAdd;
ssl->session->timeout = lifetime;
ssl->session->cipherSuite0 = ssl->options.cipherSuite0;
ssl->session->cipherSuite = ssl->options.cipherSuite;
ssl->session->ticketSeen = now;
ssl->session->ticketAdd = ageAdd;
#ifdef WOLFSSL_EARLY_DATA
ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
ssl->session->maxEarlyDataSz = ssl->options.maxEarlyDataSz;
#endif
ssl->session.ticketNonce.len = nonceLength;
ssl->session->ticketNonce.len = nonceLength;
if (nonceLength > 0)
XMEMCPY(&ssl->session.ticketNonce.data, nonce, nonceLength);
ssl->session.namedGroup = ssl->namedGroup;
XMEMCPY(&ssl->session->ticketNonce.data, nonce, nonceLength);
ssl->session->namedGroup = ssl->namedGroup;
if ((*inOutIdx - begin) + EXTS_SZ > size)
return BUFFER_ERROR;
@@ -7592,7 +7592,7 @@ static int ExpectedResumptionSecret(WOLFSSL* ssl)
if ((ret = HashRaw(ssl, mac, finishedSz)) != 0)
return ret;
if ((ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret)) != 0)
if ((ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret)) != 0)
return ret;
/* Restore the hash inline with currently seen messages. */
@@ -7656,12 +7656,12 @@ static int SendTls13NewSessionTicket(WOLFSSL* ssl)
#endif
/* Start ticket nonce at 0 and go up to 255. */
if (ssl->session.ticketNonce.len == 0) {
ssl->session.ticketNonce.len = DEF_TICKET_NONCE_SZ;
ssl->session.ticketNonce.data[0] = 0;
if (ssl->session->ticketNonce.len == 0) {
ssl->session->ticketNonce.len = DEF_TICKET_NONCE_SZ;
ssl->session->ticketNonce.data[0] = 0;
}
else
ssl->session.ticketNonce.data[0]++;
ssl->session->ticketNonce.data[0]++;
if (!ssl->options.noTicketTls13) {
if ((ret = CreateTicket(ssl)) != 0)
@@ -7669,9 +7669,9 @@ static int SendTls13NewSessionTicket(WOLFSSL* ssl)
}
#ifdef WOLFSSL_EARLY_DATA
ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
if (ssl->session.maxEarlyDataSz > 0)
TLSX_EarlyData_Use(ssl, ssl->session.maxEarlyDataSz);
ssl->session->maxEarlyDataSz = ssl->options.maxEarlyDataSz;
if (ssl->session->maxEarlyDataSz > 0)
TLSX_EarlyData_Use(ssl, ssl->session->maxEarlyDataSz);
extSz = 0;
ret = TLSX_GetResponseSize(ssl, session_ticket, &extSz);
if (ret != 0)
@@ -7682,7 +7682,7 @@ static int SendTls13NewSessionTicket(WOLFSSL* ssl)
/* Lifetime | Age Add | Ticket | Extensions */
length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ +
ssl->session.ticketLen + extSz;
ssl->session->ticketLen + extSz;
/* Nonce */
length += TICKET_NONCE_LEN_SZ + DEF_TICKET_NONCE_SZ;
sendSz = idx + length + MAX_MSG_EXTRA;
@@ -7702,18 +7702,18 @@ static int SendTls13NewSessionTicket(WOLFSSL* ssl)
c32toa(ssl->ctx->ticketHint, output + idx);
idx += SESSION_HINT_SZ;
/* Age add - obfuscator */
c32toa(ssl->session.ticketAdd, output + idx);
c32toa(ssl->session->ticketAdd, output + idx);
idx += SESSION_ADD_SZ;
output[idx++] = ssl->session.ticketNonce.len;
output[idx++] = ssl->session.ticketNonce.data[0];
output[idx++] = ssl->session->ticketNonce.len;
output[idx++] = ssl->session->ticketNonce.data[0];
/* length */
c16toa(ssl->session.ticketLen, output + idx);
c16toa(ssl->session->ticketLen, output + idx);
idx += LENGTH_SZ;
/* ticket */
XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen);
idx += ssl->session.ticketLen;
XMEMCPY(output + idx, ssl->session->ticket, ssl->session->ticketLen);
idx += ssl->session->ticketLen;
#ifdef WOLFSSL_EARLY_DATA
extSz = 0;
@@ -8409,7 +8409,7 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifndef NO_WOLFSSL_SERVER
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
if (ssl->options.side == WOLFSSL_SERVER_END && type == finished) {
ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret);
if (ret != 0)
return ret;
}
@@ -9933,8 +9933,8 @@ int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz)
if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) {
#ifdef OPENSSL_EXTRA
/* when processed early data exceeds max size */
if (ssl->session.maxEarlyDataSz > 0 &&
(ssl->earlyDataSz + sz > ssl->session.maxEarlyDataSz)) {
if (ssl->session->maxEarlyDataSz > 0 &&
(ssl->earlyDataSz + sz > ssl->session->maxEarlyDataSz)) {
ssl->error = TOO_MUCH_EARLY_DATA;
return WOLFSSL_FATAL_ERROR;
}

5
tests/api.c
View File

@@ -6257,13 +6257,14 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
}
#ifdef SESSION_CERTS
#ifndef WOLFSSL_TICKET_HAVE_ID
if (wolfSSL_version(ssl) != TLS1_3_VERSION)
if (wolfSSL_version(ssl) != TLS1_3_VERSION &&
wolfSSL_session_reused(ssl))
#endif
{
/* With WOLFSSL_TICKET_HAVE_ID the peer certs should be available
* for all connections. TLS 1.3 only has tickets so if we don't
* include the session id in the ticket then the certificates
* will not be available. */
* will not be available on resumption. */
WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl);
AssertNotNull(peer);
wolfSSL_X509_free(peer);

17
wolfssl/internal.h
View File

@@ -3319,6 +3319,8 @@ struct WOLFSSL_SESSION {
#ifndef SINGLE_THREADED
wolfSSL_Mutex refMutex; /* ref count mutex */
#endif
byte altSessionID[ID_LEN];
byte haveAltSessionID:1;
void* heap;
/* WARNING The above fields (up to and including the heap) are not copied
* in wolfSSL_DupSession. Place new fields after the heap
@@ -3711,9 +3713,6 @@ typedef struct Options {
word16 startedETMRead:1; /* Doing Encrypt-Then-MAC read */
word16 startedETMWrite:1; /* Doing Encrypt-Then-MAC write */
#endif
#ifdef WOLFSSL_TICKET_HAVE_ID
word16 haveTicketSessionID:1;
#endif
/* need full byte values for this section */
byte processReply; /* nonblocking resume */
@@ -4242,13 +4241,7 @@ struct WOLFSSL {
Ciphers encrypt;
Ciphers decrypt;
Buffers buffers;
WOLFSSL_SESSION session;
#ifdef HAVE_EXT_CACHE
WOLFSSL_SESSION* extSession;
#endif
#ifdef WOLFSSL_TICKET_HAVE_ID
byte ticketSessionID[ID_LEN];
#endif
WOLFSSL_SESSION* session;
WOLFSSL_ALERT_HISTORY alert_history;
int error;
int rfd; /* read file descriptor */
@@ -4773,6 +4766,10 @@ WOLFSSL_LOCAL int SetCipherSpecs(WOLFSSL* ssl);
WOLFSSL_LOCAL int MakeMasterSecret(WOLFSSL* ssl);
WOLFSSL_LOCAL int AddSession(WOLFSSL* ssl);
WOLFSSL_LOCAL int AddSessionToCache(WOLFSSL_SESSION* addSession, const byte* id,
int* sessionIndex, int side, word16 useTicket);
WOLFSSL_LOCAL int AddSessionToClientCache(int side, int row, int idx,
byte* serverID, word16 idLen, word16 useTicket);
WOLFSSL_LOCAL int DeriveKeys(WOLFSSL* ssl);
WOLFSSL_LOCAL int StoreKeys(WOLFSSL* ssl, const byte* keyData, int side);

5
wolfssl/ssl.h
View File

@@ -1484,6 +1484,8 @@ WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session);
WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_new(void);
WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_new_ex(void* heap);
WOLFSSL_API void wolfSSL_SESSION_free(WOLFSSL_SESSION* session);
WOLFSSL_API int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx,
WOLFSSL_SESSION* session);
WOLFSSL_API int wolfSSL_SESSION_set_cipher(WOLFSSL_SESSION* session,
const WOLFSSL_CIPHER* cipher);
WOLFSSL_API int wolfSSL_is_init_finished(WOLFSSL* ssl);
@@ -4441,9 +4443,6 @@ WOLFSSL_API int wolfSSL_version(WOLFSSL* ssl);
#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \
|| defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
WOLFSSL_API int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session);
WOLFSSL_API int wolfSSL_get_state(const WOLFSSL* ssl);
WOLFSSL_API WOLFSSL_X509* wolfSSL_sk_X509_value(WOLF_STACK_OF(WOLFSSL_X509)*, int i);