Add support for dynamic session tickets, add openssl.test to testuiste

scripts/include.am

@@ -53,7 +53,7 @@ if BUILD_EXAMPLE_CLIENTS
 if !BUILD_IPV6
 dist_noinst_SCRIPTS+= scripts/external.test
 dist_noinst_SCRIPTS+= scripts/google.test
-#dist_noinst_SCRIPTS+= scripts/openssl.test
+dist_noinst_SCRIPTS+= scripts/openssl.test
 endif
 endif
 

scripts/openssl.test

@@ -3,7 +3,15 @@
 #openssl.test
 
 # need a unique port since may run the same time as testsuite
-openssl_port=11114
+generate_port() {
+    openssl_port=`tr -cd 0-9 </dev/urandom | head -c 7`
+    openssl_port=$((`tr -cd 1-9 </dev/urandom | head -c 1`$openssl_port))
+    openssl_port=$(($openssl_port % (65535-49512)))
+    openssl_port=$(($openssl_port + 49512))
+}
+
+
+generate_port
 no_pid=-1
 server_pid=$no_pid
 wolf_suites_tested=0
@@ -44,7 +52,7 @@ do_cleanup() {
 do_trap() {
     echo "got trap"
     do_cleanup
-    exit -1
+    exit 1
 }
 
 trap do_trap INT TERM
@@ -68,12 +76,35 @@ then
     cd ..
 fi
 
-echo -e "\nStarting openssl server...\n"
-
-openssl s_server -accept $openssl_port -cert ./certs/server-cert.pem -key ./certs/server-key.pem  -quiet -CAfile ./certs/client-cert.pem -www  -dhparam ./certs/dh2048.pem -dcert ./certs/server-ecc.pem -dkey ./certs/ecc-key.pem -Verify 10 -verify_return_error &
-server_pid=$!
 
 
+found_free_port=0
+while [ "$counter" -lt 20 ]; do
+    echo -e "\nTrying to start openssl server on port $openssl_port...\n"
+
+    openssl s_server -accept $openssl_port -cert ./certs/server-cert.pem -key ./certs/server-key.pem  -quiet -CAfile ./certs/client-cert.pem -www  -dhparam ./certs/dh2048.pem -dcert ./certs/server-ecc.pem -dkey ./certs/ecc-key.pem -Verify 10 -verify_return_error -cipher "ALL:eNULL" &
+    server_pid=$!
+    # wait to see if s_server successfully starts before continuing
+    sleep 0.1
+
+    if ps -p $server_pid > /dev/null
+    then
+        echo "s_server started successfully on port $openssl_port"
+        found_free_port=1
+        break
+    else
+        #port already started, try a different port
+        counter=$((counter+ 1))
+        generate_port
+    fi
+done
+
+if [ $found_free_port = 0 ]
+then
+    echo -e "Couldn't find free port for server"
+    do_cleanup
+    exit 1
+fi
 
 # get wolfssl ciphers
 wolf_ciphers=`./examples/client/client -e`
@@ -99,7 +130,7 @@ if [ $server_ready = 0 ]
 then
     echo -e "Couldn't verify openssl server is running, timeout error"
     do_cleanup
-    exit -1
+    exit 1
 fi
 
 OIFS=$IFS # store old seperator to reset

src/internal.c

@@ -2648,6 +2648,10 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 #if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)
     FreeX509(&ssl->peerCert);
 #endif
+#ifdef HAVE_SESSION_TICKET
+    if (ssl->session.dynTicket)
+        XFREE(ssl->session.dynTicket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
+#endif
 }
 
 #ifdef WOLFSSL_TI_HASH
@@ -11349,9 +11353,14 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
 #ifdef HAVE_SESSION_TICKET
         if (ssl->options.resuming && ssl->session.ticketLen > 0) {
             SessionTicket* ticket;
+            byte* ticketData;
+
+            ticketData = ssl->session.isDynamic ?
+                         ssl->session.dynTicket :
+                         ssl->session.ticket;
 
             ticket = TLSX_SessionTicket_Create(0,
-                                   ssl->session.ticket, ssl->session.ticketLen);
+                                   ticketData, ssl->session.ticketLen);
             if (ticket == NULL) return MEMORY_E;
 
             ret = TLSX_UseSessionTicket(&ssl->extensions, ticket);
@@ -14285,8 +14294,16 @@ int DoSessionTicket(WOLFSSL* ssl,
     ato16(input + *inOutIdx, &length);
     *inOutIdx += OPAQUE16_LEN;
 
-    if (length > sizeof(ssl->session.ticket))
-        return SESSION_TICKET_LEN_E;
+    if (length > sizeof(ssl->session.ticket)) {
+        ssl->session.isDynamic = 1;
+
+        ssl->session.dynTicket = (byte*)XMALLOC(
+                length, ssl->heap,
+                DYNAMIC_TYPE_SESSION_TICK);
+        if (ssl->session.dynTicket == NULL) {
+            return MEMORY_E;
+        }
+    }
 
     if ((*inOutIdx - begin) + length > size)
         return BUFFER_ERROR;
@@ -14294,7 +14311,11 @@ int DoSessionTicket(WOLFSSL* ssl,
     /* If the received ticket including its length is greater than
      * a length value, the save it. Otherwise, don't save it. */
     if (length > 0) {
-        XMEMCPY(ssl->session.ticket, input + *inOutIdx, length);
+        if (ssl->session.isDynamic)
+            XMEMCPY(ssl->session.dynTicket, input + *inOutIdx, length);
+        else
+            XMEMCPY(ssl->session.ticket, input + *inOutIdx, length);
+
         *inOutIdx += length;
         ssl->session.ticketLen = length;
         ssl->timeout = lifetime;
@@ -14305,7 +14326,12 @@ int DoSessionTicket(WOLFSSL* ssl,
         }
         /* Create a fake sessionID based on the ticket, this will
          * supercede the existing session cache info. */
-        ssl->options.haveSessionId = 1;
+    ssl->options.haveSessionId = 1;
+
+    if (ssl->session.isDynamic)
+        XMEMCPY(ssl->arrays->sessionID,
+                                 ssl->session.dynTicket + length - ID_LEN, ID_LEN);
+    else
         XMEMCPY(ssl->arrays->sessionID,
                                  ssl->session.ticket + length - ID_LEN, ID_LEN);
 #ifndef NO_SESSION_CACHE
@@ -16618,7 +16644,9 @@ int DoSessionTicket(WOLFSSL* ssl,
     static int CreateTicket(WOLFSSL* ssl)
     {
         InternalTicket  it;
-        ExternalTicket* et = (ExternalTicket*)ssl->session.ticket;
+        ExternalTicket* et = ssl->session.isDynamic ?
+            (ExternalTicket*)ssl->session.dynTicket :
+            (ExternalTicket*)ssl->session.ticket;
         int encLen;
         int ret;
         byte zeros[WOLFSSL_TICKET_MAC_SZ];   /* biggest cmp size */

src/ssl.c

@@ -1251,7 +1251,10 @@ WOLFSSL_API int wolfSSL_get_SessionTicket(WOLFSSL* ssl,
         return BAD_FUNC_ARG;
 
     if (ssl->session.ticketLen <= *bufSz) {
-        XMEMCPY(buf, ssl->session.ticket, ssl->session.ticketLen);
+        if (ssl->session.isDynamic)
+            XMEMCPY(buf, ssl->session.dynTicket, ssl->session.ticketLen);
+        else
+            XMEMCPY(buf, ssl->session.ticket, ssl->session.ticketLen);
         *bufSz = ssl->session.ticketLen;
     }
     else
@@ -1262,12 +1265,17 @@ WOLFSSL_API int wolfSSL_get_SessionTicket(WOLFSSL* ssl,
 
 WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, byte* buf, word32 bufSz)
 {
-    if (ssl == NULL || (buf == NULL && bufSz > 0))
+    if (ssl == NULL || (buf == NULL && bufSz > 0) || bufSz > SESSION_TICKET_LEN)
         return BAD_FUNC_ARG;
 
     if (bufSz > 0)
         XMEMCPY(ssl->session.ticket, buf, bufSz);
     ssl->session.ticketLen = (word16)bufSz;
+    /* session ticket should only be size of static buffer. Delete dynamic buffer*/
+    if (ssl->session.isDynamic) {
+        XFREE(ssl->session.dynTicket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
+        ssl->session.isDynamic = 0;
+    }
 
     return SSL_SUCCESS;
 }
@@ -7067,9 +7075,29 @@ int AddSession(WOLFSSL* ssl)
     SessionCache[row].Sessions[idx].bornOn  = LowResTimer();
 
 #ifdef HAVE_SESSION_TICKET
-    SessionCache[row].Sessions[idx].ticketLen     = ssl->session.ticketLen;
-    XMEMCPY(SessionCache[row].Sessions[idx].ticket,
+    if (ssl->session.isDynamic) {
+        if (!SessionCache[row].Sessions[idx].dynTicket) {
+            SessionCache[row].Sessions[idx].dynTicket = XMALLOC(
+                ssl->session.ticketLen, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
+            if (!SessionCache[row].Sessions[idx].dynTicket)
+                return MEMORY_E;
+        } else if (SessionCache[row].Sessions[idx].ticketLen < ssl->session.ticketLen) {
+            XFREE(SessionCache[row].Sessions[idx].dynTicket,
+                   ssl->heap, DYNAMIC_TYPE_SESS_TICK);
+            SessionCache[row].Sessions[idx].dynTicket = XMALLOC(
+                ssl->session.ticketLen, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
+            if (!SessionCache[row].Sessions[idx].dynTicket)
+                return MEMORY_E;
+        }
+        XMEMCPY(SessionCache[row].Sessions[idx].dynTicket,
+                                   ssl->session.dynTicket, ssl->session.ticketLen);
+        SessionCache[row].Sessions[idx].isDynamic = 1;
+    }
+    else {
+        XMEMCPY(SessionCache[row].Sessions[idx].ticket,
                                    ssl->session.ticket, ssl->session.ticketLen);
+    }
+    SessionCache[row].Sessions[idx].ticketLen     = ssl->session.ticketLen;
 #endif
 
 #ifdef SESSION_CERTS

src/tls.c

@@ -3212,9 +3212,11 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket)
 #define STK_GET_SIZE         TLSX_SessionTicket_GetSize
 #define STK_WRITE            TLSX_SessionTicket_Write
 #define STK_PARSE            TLSX_SessionTicket_Parse
+#define STK_FREE(stk)        TLSX_SessionTicket_Free((SessionTicket*)stk)
 
 #else
 
+#define STK_FREE(a)
 #define STK_VALIDATE_REQUEST(a)
 #define STK_GET_SIZE(a, b)      0
 #define STK_WRITE(a, b, c)      0
@@ -3865,6 +3867,7 @@ void TLSX_FreeAll(TLSX* list)
 
             case TLSX_SESSION_TICKET:
                 /* Nothing to do. */
+                STK_FREE(extension->data);
                 break;
 
             case TLSX_QUANTUM_SAFE_HYBRID:

wolfssl/internal.h

@@ -2181,6 +2181,8 @@ struct WOLFSSL_SESSION {
 #endif
 #ifdef HAVE_SESSION_TICKET
     word16       ticketLen;
+    byte         *dynTicket;
+    byte         isDynamic;
     byte         ticket[SESSION_TICKET_LEN];
 #endif
 #ifdef HAVE_STUNNEL

wolfssl/wolfcrypt/types.h

@@ -302,7 +302,8 @@
         DYNAMIC_TYPE_X509_CTX     = 53,
         DYNAMIC_TYPE_URL          = 54,
         DYNAMIC_TYPE_DTLS_FRAG    = 55,
-        DYNAMIC_TYPE_DTLS_BUFFER  = 56
+        DYNAMIC_TYPE_DTLS_BUFFER  = 56,
+        DYNAMIC_TYPE_SESSION_TICK = 57
 	};
 
 	/* max error buffer string size */