diff --git a/src/internal.c b/src/internal.c
index e323acf6c..816301935 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -8017,12 +8017,6 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 ssl->dtls13ClientHello = NULL;
 ssl->dtls13ClientHelloSz = 0;
 }
-#ifdef WOLFSSL_DTLS_CH_FRAG
- if (ssl->dtls13KSE != NULL) {
- TLSX_KeyShare_FreeAll(ssl->dtls13KSE, ssl->heap);
- ssl->dtls13KSE = NULL;
- }
-#endif
 #endif /* WOLFSSL_DTLS13 */
 #endif /* WOLFSSL_DTLS */
diff --git a/src/tls.c b/src/tls.c
index ede90f857..e4f2452e2 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -67,6 +67,7 @@
 #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
 static int TLSX_KeyShare_IsSupported(int namedGroup);
+static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap);
 #endif
 #ifdef HAVE_SUPPORTED_CURVES
@@ -7768,7 +7769,7 @@ int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse)
 * list The linked list of key share entry objects.
 * heap The heap used for allocation.
 */
-void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap)
+static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap)
 {
 KeyShareEntry* current;
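Review bot: The forward declaration added in the `@@ -67` hunk makes `TLSX_KeyShare_FreeAll` file-local under `#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)`, but the preprocessor condition around the definition changed in the `@@ -7768` hunk is not visible here; if the definition or a remaining in-file caller is compiled under a different condition, some build configurations would see an implicit declaration or a declared-but-undefined static. Worth confirming the two guards agree before merging. Since the `WOLFSSL_LOCAL` prototype is also dropped from internal.h in this commit, the definition's header comment could state the new scope so nobody re-exports it by habit: `/* File-local: the dtls13KSE hand-off in tls13.c/internal.c was removed, so no prototype is kept in internal.h. */`. The body of `TLSX_KeyShare_FreeAll` continues past the end of the hunk.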
@@ -8783,50 +8784,24 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
 if (ssl->error != WC_PENDING_E)
 #endif
 {
- /* Check the selected group was supported by ClientHello
- * extensions. */
+ /* Check the selected group was supported by ClientHello extensions. */
 if (!TLSX_SupportedGroups_Find(ssl, group, ssl->extensions)) {
 WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
 return BAD_KEY_SHARE_DATA;
 }
-#ifdef WOLFSSL_DTLS_CH_FRAG
- /* If we sent an empty key share then we can just limit the keyshare
- * to the one selected by the server. */
- if (ssl->options.dtlsSentEmptyKS) {
- if (!TLSX_KeyShare_SelectGroup(ssl, group)) {
- /* Clear out all groups if not found */
- ret = TLSX_KeyShare_Empty(ssl);
- if (ret != 0)
- return ret;
- }
- }
- else
-#endif
- {
- /* Check if the group was sent. */
- if (TLSX_KeyShare_Find(ssl, group)) {
- WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
- return BAD_KEY_SHARE_DATA;
- }
-
- /* Clear out unusable key shares. */
- ret = TLSX_KeyShare_Empty(ssl);
- if (ret != 0)
- return ret;
+ /* Check if the group was sent. */
+ if (TLSX_KeyShare_Find(ssl, group)) {
+ WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
+ return BAD_KEY_SHARE_DATA;
 }
+ /* Clear out unusable key shares. */
+ ret = TLSX_KeyShare_Empty(ssl);
+ if (ret != 0)
+ return ret;
 }
-
-#ifdef WOLFSSL_DTLS_CH_FRAG
- /* Check if we were able to limit the keyshare entries to one group */
- if (ssl->options.dtlsSentEmptyKS &&
- TLSX_KeyShare_SelectGroup(ssl, group)) {
- /* Nothing to do */
- }
- else
-#endif
 #ifdef HAVE_PQC
 /* For post-quantum groups, do this in TLSX_PopulateExtensions(). */
 if (!WOLFSSL_NAMED_GROUP_IS_PQC(group))
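Review bot: With the `dtlsSentEmptyKS` branch removed, a DTLS 1.3 client that sent its first ClientHello with an empty key share now goes through the generic HelloRetryRequest checks here, and nothing in the new comments says that case is intended to be covered, so a later reader may reinstate a special case. The logic does hold as written: `TLSX_KeyShare_Find` returns 0 because no group was offered, the list is emptied by `TLSX_KeyShare_Empty`, and the server-selected group is presumably generated further down, outside the hunk. Suggest extending the comment above the find check to `/* Check if the group was sent: a server may not select a group already offered. An empty CH1 key share (DTLS fragmentation avoidance) passes trivially. */`. `TLSX_KeyShare_Parse` begins and ends outside the hunk.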
@@ -9127,38 +9102,6 @@ int TLSX_KeyShare_Use(const WOLFSSL* ssl, word16 group, word16 len, byte* data,
 return 0;
 }
-/* Clear out all entries except for group
- *
- * ssl The SSL/TLS object.
- * returns 1 when the group was found and 0 when it wasn't found.
- * */
-int TLSX_KeyShare_SelectGroup(WOLFSSL* ssl, word16 group)
-{
- TLSX* extension;
- KeyShareEntry* list;
- KeyShareEntry** prev;
-
- /* Find the KeyShare extension if it exists. */
- extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
- if (extension != NULL) {
- for (prev = (KeyShareEntry**)&extension->data,
- list = (KeyShareEntry*)extension->data; list != NULL;
- prev = &list->next, list = list->next) {
- if (list->group == group) {
- /* Unlink it from the list */
- *prev = list->next;
- list->next = NULL;
- /* Free the list */
- TLSX_KeyShare_FreeAll((KeyShareEntry*)extension->data,
- ssl->heap);
- extension->data = list;
- return 1;
- }
- }
- }
- return 0;
-}
-
 /* Set an empty Key Share extension.
 *
 * ssl The SSL/TLS object.
diff --git a/src/tls13.c b/src/tls13.c
index 9a23bb2a0..c5fb53caa 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -4426,29 +4426,18 @@ int SendTls13ClientHello(WOLFSSL* ssl)
 TLSX_Find(ssl->extensions, TLSX_COOKIE) == NULL) {
 /* Try again with an empty key share if we would be fragmenting
 * without a cookie */
- TLSX* ks = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
- if (ks == NULL) {
- WOLFSSL_MSG("No key share and CH can't fit in one fragment.");
- return BUFFER_ERROR;
- }
- args->length = lenWithoutExts;
- if (ssl->dtls13KSE != NULL)
- TLSX_KeyShare_FreeAll(ssl->dtls13KSE, ssl->heap);
- ssl->dtls13KSE = (KeyShareEntry*)ks->data;
- ks->data = NULL;
- ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
- if (ret != 0) {
- /* Restore key share data */
- ks->data = ssl->dtls13KSE;
- ssl->dtls13KSE = NULL;
+ ret = TLSX_KeyShare_Empty(ssl);
+ if (ret != 0)
+ return ret;
+ args->length = lenWithoutExts;
+ ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
+ if (ret != 0)
 return ret;
- }
 if (args->length > maxFrag) {
 WOLFSSL_MSG("Can't fit first CH in one fragment.");
 return BUFFER_ERROR;
 }
 WOLFSSL_MSG("Sending empty key share so we don't fragment CH1");
- ssl->options.dtlsSentEmptyKS = 1;
 }
 #endif
 }
@@ -4691,19 +4680,6 @@ int SendTls13ClientHello(WOLFSSL* ssl)
 if (ret == 0) FreeAsyncCtx(ssl, 0);
 #endif
-#ifdef WOLFSSL_DTLS_CH_FRAG
- if ((ret == 0 || ret == WANT_WRITE) && ssl->dtls13KSE != NULL) {
- /* Restore the keyshare */
- TLSX* ks = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
- if (ks == NULL || ks->data != NULL) {
- WOLFSSL_MSG("Missing key share or key share data not NULL");
- return BUFFER_ERROR;
- }
- WOLFSSL_MSG("Restored key share");
- ks->data = ssl->dtls13KSE;
- ssl->dtls13KSE = NULL;
- }
-#endif
 WOLFSSL_LEAVE("SendTls13ClientHello", ret);
 WOLFSSL_END(WC_FUNC_CLIENT_HELLO_SEND);
diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c
index eacc6b09d..1adf85ae6 100644
--- a/wolfcrypt/src/logging.c
+++ b/wolfcrypt/src/logging.c
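Review bot: `TLSX_KeyShare_Empty(ssl)` in the `@@ -4426` hunk now discards the client's generated key share, and its private key material, for good, whereas the old code parked it in `dtls13KSE` and the second hunk restored it after the send; that is sound only if the HelloRetryRequest path regenerates a share for the server-selected group, which is outside this hunk and should be confirmed. The old explicit error for a ClientHello with no key share extension (`"No key share and CH can't fit in one fragment."`) is gone, so that case now depends on what `TLSX_KeyShare_Empty` does when the extension is absent — presumably it creates an empty one, but the hunk does not show it. Because there is no restore on the `TLSX_GetRequestSize` or `maxFrag` failure paths either, the intent that the share is dropped permanently deserves a comment, e.g. `/* Drop the key share for good: the server's HRR names the group and CH2 carries a fresh share. */` above the `TLSX_KeyShare_Empty` call. `SendTls13ClientHello` begins and ends outside both hunks.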
@@ -169,7 +169,7 @@ wolfSSL_Logging_cb wolfSSL_GetLoggingCb(void)
 int wolfSSL_Debugging_ON(void)
 {
 #ifdef DEBUG_WOLFSSL
- loggingEnabled = 1;
+ loggingEnabled = 0;
 #if defined(WOLFSSL_APACHE_MYNEWT)
 log_register("wolfcrypt", &mynewt_log, &log_console_handler, NULL, LOG_SYSLEVEL);
 #endif /* WOLFSSL_APACHE_MYNEWT */
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index dd1aeaf3f..32ccb8979 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3353,10 +3353,8 @@ typedef struct KeyShareEntry {
 struct KeyShareEntry* next; /* List pointer */
 } KeyShareEntry;
-WOLFSSL_LOCAL void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap);
 WOLFSSL_LOCAL int TLSX_KeyShare_Use(const WOLFSSL* ssl, word16 group, word16 len, byte* data, KeyShareEntry **kse, TLSX** extensions);
-WOLFSSL_LOCAL int TLSX_KeyShare_SelectGroup(WOLFSSL* ssl, word16 group);
 WOLFSSL_LOCAL int TLSX_KeyShare_Empty(WOLFSSL* ssl);
 WOLFSSL_LOCAL int TLSX_KeyShare_SetSupported(const WOLFSSL* ssl, TLSX** extensions);
@@ -4620,9 +4618,6 @@ struct Options {
 word16 dtls:1; /* using datagrams ? */
 #ifdef WOLFSSL_DTLS
 word16 dtlsStateful:1; /* allow stateful processing ? */
-#endif
-#ifdef WOLFSSL_DTLS_CH_FRAG
- word16 dtlsSentEmptyKS:1; /* did we send an empty key share ? */
 #endif
 word16 connReset:1; /* has the peer reset */
 word16 isClosed:1; /* if we consider conn closed */
@@ -5621,9 +5616,6 @@ struct WOLFSSL {
 Dtls13Rtx dtls13Rtx;
 byte *dtls13ClientHello;
 word16 dtls13ClientHelloSz;
-#ifdef WOLFSSL_DTLS_CH_FRAG
- KeyShareEntry* dtls13KSE;
-#endif
 #endif /* WOLFSSL_DTLS13 */
 #ifdef WOLFSSL_DTLS_CID
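Review bot: `wolfSSL_Debugging_ON` now writes `loggingEnabled = 0;`, which makes the function that is supposed to enable debug output disable it instead; this looks like a stray local edit that has nothing to do with the DTLS key-share cleanup in the rest of the commit. Unless it is intentional, restore `loggingEnabled = 1;` before merging. If it is intentional, the function name and its existing callers make this a silent behavior change that should be split into its own commit with an explanatory comment, since it would quietly hide diagnostics from anyone relying on `wolfSSL_Debugging_ON()` to investigate a failing handshake. The remaining hunks on this line (internal.h declaration and field removals) are consistent with the source changes and raise nothing.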