From e1ccc5acadd1177a0f3b6841917c9a97d0d6a219 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Fri, 28 Jul 2017 14:27:24 -0600
Subject: [PATCH 1/2] update DTLS export session version and tests
---
 src/internal.c | 57 +++++++++++++++++++++++++++------
 tests/api.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++
 wolfssl/internal.h | 6 ++--
 3 files changed, 130 insertions(+), 12 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index a93aaf193..7aa4bf068 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -908,14 +908,30 @@ static int dtls_export_load(WOLFSSL* ssl, byte* exp, word32 len, byte ver)
 int idx = 0;
 Options* options = &ssl->options;
- if (ver != DTLS_EXPORT_VERSION) {
- WOLFSSL_MSG("Export version not supported");
+ switch (ver) {
+ case DTLS_EXPORT_VERSION:
+ if (len < DTLS_EXPORT_OPT_SZ) {
+ WOLFSSL_MSG("Sanity check on buffer size failed");
+ return BAD_FUNC_ARG;
+ }
+ break;
+
+ case DTLS_EXPORT_VERSION_3:
+ if (len < DTLS_EXPORT_OPT_SZ_3) {
+ WOLFSSL_MSG("Sanity check on buffer size failed");
+ return BAD_FUNC_ARG;
+ }
+ break;
+
+ default:
+ WOLFSSL_MSG("Export version not supported");
+ return BAD_FUNC_ARG;
+ }
+
+ if (exp == NULL || options == NULL) {
 return BAD_FUNC_ARG;
 }
- if (exp == NULL || options == NULL || len < DTLS_EXPORT_OPT_SZ) {
- return BAD_FUNC_ARG;
- }
 /* these options are kept and sent to indicate verify status and strength
 * of handshake */
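Review bot: The set of accepted export versions and their Options sizes is now written out in three separate places: this switch in dtls_export_load, the `ver != DTLS_EXPORT_VERSION && ver != DTLS_EXPORT_VERSION_3` test in ImportPeerInfo, and the switch in wolfSSL_dtls_import_internal. The next format bump has to touch all three, and a missed one could leave the importer checking a serialized session against the wrong length. A single static helper that maps a version byte to its Options size (0 for unsupported) would keep the checks in step; a sketch follows. dtls_export_load's body continues outside the hunk.

```c
/* proposed helper: Options block size for an export version, 0 if unsupported */
static word32 dtls_export_opt_sz(byte ver)
{
    switch (ver) {
        case DTLS_EXPORT_VERSION:
            return DTLS_EXPORT_OPT_SZ;
        case DTLS_EXPORT_VERSION_3:
            return DTLS_EXPORT_OPT_SZ_3;
        default:
            return 0;
    }
}

/* in dtls_export_load, replacing the switch; optSz declared with the other locals */
    optSz = dtls_export_opt_sz(ver);
    if (optSz == 0) {
        WOLFSSL_MSG("Export version not supported");
        return BAD_FUNC_ARG;
    }
    if (len < optSz) {
        WOLFSSL_MSG("Sanity check on buffer size failed");
        return BAD_FUNC_ARG;
    }
```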
@@ -988,13 +1004,17 @@ static int dtls_export_load(WOLFSSL* ssl, byte* exp, word32 len, byte ver)
 options->createTicket = exp[idx++]; /* Server to create new Ticket */
 options->useTicket = exp[idx++]; /* Use Ticket not session cache */
 #ifdef WOLFSSL_TLS13
- options->noTicketTls13 = exp[idx++]; /* Server won't create new Ticket */
+ if (ver > DTLS_EXPORT_VERSION_3) {
+ options->noTicketTls13 = exp[idx++];/* Server won't create new Ticket */
+ }
 #endif
 #else
 idx++;
 idx++;
 #ifdef WOLFSSL_TLS13
- idx++;
+ if (ver > DTLS_EXPORT_VERSION_3) {
+ idx++;
+ }
 #endif
 #endif
 options->processReply = exp[idx++];
@@ -1067,7 +1087,7 @@ static int ImportPeerInfo(WOLFSSL* ssl, byte* buf, word32 len, byte ver)
 word16 port;
 char ip[DTLS_EXPORT_IP];
- if (ver != DTLS_EXPORT_VERSION) {
+ if (ver != DTLS_EXPORT_VERSION && ver != DTLS_EXPORT_VERSION_3) {
 WOLFSSL_MSG("Export version not supported");
 return BAD_FUNC_ARG;
 }
@@ -1200,6 +1220,7 @@ int wolfSSL_dtls_import_internal(WOLFSSL* ssl, byte* buf, word32 sz)
 word16 length = 0;
 int version;
 int ret;
+ int optSz;
 WOLFSSL_ENTER("wolfSSL_dtls_import_internal");
 /* check at least enough room for protocol and length */
@@ -1233,12 +1254,28 @@ int wolfSSL_dtls_import_internal(WOLFSSL* ssl, byte* buf, word32 sz)
 #endif /* WOLFSSL_SESSION_EXPORT_DEBUG */
 /* perform sanity checks and extract Options information used */
- if (DTLS_EXPORT_LEN + DTLS_EXPORT_OPT_SZ + idx > sz) {
+ switch (version) {
+ case DTLS_EXPORT_VERSION:
+ optSz = DTLS_EXPORT_OPT_SZ;
+ break;
+
+ case DTLS_EXPORT_VERSION_3:
+ WOLFSSL_MSG("Importing older version 3");
+ optSz = DTLS_EXPORT_OPT_SZ_3;
+ break;
+
+ default:
+ WOLFSSL_MSG("Bad export version");
+ return BAD_FUNC_ARG;
+
+ }
+
+ if (DTLS_EXPORT_LEN + optSz + idx > sz) {
 WOLFSSL_MSG("Import Options struct error");
 return BUFFER_E;
 }
 ato16(buf + idx, &length); idx += DTLS_EXPORT_LEN;
- if (length != DTLS_EXPORT_OPT_SZ) {
+ if (length != optSz) {
 WOLFSSL_MSG("Import Options struct error");
 return BUFFER_E;
 }
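Review bot: `optSz` holds a size but is declared `int`, while the values it is checked against in the last hunk are unsigned (`word16 length` in `length != optSz`, and the `word32 sz` parameter in `DTLS_EXPORT_LEN + optSz + idx > sz`). With the two constants in use the comparisons come out right, so this is a style point, but these are the bounds checks on an imported buffer and are easier to audit when every operand is unsigned; `word16 optSz;` in the declaration hunk would match `length`. The `default:` case also returns BAD_FUNC_ARG where the neighbouring length failures return BUFFER_E, which deserves a short comment if the distinction is intended. The function starts and ends outside these hunks.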
diff --git a/tests/api.c b/tests/api.c
index 856434644..5ce7f0376 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -1297,6 +1297,64 @@ static void test_wolfSSL_read_write(void)
 }
+#if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) && \
+ defined(WOLFSSL_SESSION_EXPORT)
+/* canned export of a session using older version 3 */
+static unsigned char version_3[] = {
+ 0xA5, 0xA3, 0x01, 0x87, 0x00, 0x39, 0x00, 0x01,
+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
+ 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+ 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0xC0, 0x30, 0x05, 0x09, 0x0A,
+ 0x01, 0x01, 0x00, 0x0D, 0x05, 0xFE, 0xFD, 0x01,
+ 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
+ 0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
+ 0x01, 0x00, 0x07, 0x00, 0x00, 0x00, 0x30, 0x00,
+ 0x00, 0x00, 0x10, 0x01, 0x01, 0x00, 0x02, 0x00,
+ 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x02, 0x00, 0x00, 0x00, 0x3F, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x20, 0x05, 0x12, 0xCF, 0x22,
+ 0xA1, 0x9F, 0x1C, 0x39, 0x1D, 0x31, 0x11, 0x12,
+ 0x1D, 0x11, 0x18, 0x0D, 0x0B, 0xF3, 0xE1, 0x4D,
+ 0xDC, 0xB1, 0xF1, 0x39, 0x98, 0x91, 0x6C, 0x48,
+ 0xE5, 0xED, 0x11, 0x12, 0xA0, 0x00, 0xF2, 0x25,
+ 0x4C, 0x09, 0x26, 0xD1, 0x74, 0xDF, 0x23, 0x40,
+ 0x15, 0x6A, 0x42, 0x2A, 0x26, 0xA5, 0xAC, 0x56,
+ 0xD5, 0x4A, 0x20, 0xB7, 0xE9, 0xEF, 0xEB, 0xAF,
+ 0xA8, 0x1E, 0x23, 0x7C, 0x04, 0xAA, 0xA1, 0x6D,
+ 0x92, 0x79, 0x7B, 0xFA, 0x80, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x0C, 0x79, 0x7B,
+ 0xFA, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0xAA, 0xA1, 0x6D, 0x92, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
+ 0x00, 0x20, 0x00, 0x04, 0x00, 0x10, 0x00, 0x10,
+ 0x08, 0x02, 0x05, 0x08, 0x01, 0x30, 0x28, 0x00,
+ 0x00, 0x0F, 0x00, 0x02, 0x00, 0x09, 0x31, 0x32,
+ 0x37, 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31, 0xED,
+ 0x4F
+};
+#endif /* defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) && \
+ defined(WOLFSSL_SESSION_EXPORT) */
+
 static void test_wolfSSL_dtls_export(void)
 {
 #if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) && \
@@ -1344,6 +1402,27 @@ static void test_wolfSSL_dtls_export(void)
 #ifdef WOLFSSL_TIRTOS
 fdOpenSession(Task_self());
 #endif
+
+ {
+ WOLFSSL_CTX* ctx;
+ WOLFSSL* ssl;
+
+ /* Set ctx to DTLS 1.2 */
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_server_method()));
+ AssertNotNull(ssl = wolfSSL_new(ctx));
+
+ /* test importing version 3 */
+ AssertIntGE(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0);
+
+ /* test importing bad length and bad version */
+ version_3[2] += 1;
+ AssertIntLT(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0);
+ version_3[2] -= 1; version_3[1] = 0XA0;
+ AssertIntLT(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0);
+ wolfSSL_free(ssl);
+ wolfSSL_CTX_free(ctx);
+ }
+
 printf(testingFmt, "wolfSSL_dtls_export()");
 printf(resultFmt, passed);
 #endif
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 3875c47e7..60b8f35fe 100755
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
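Review bot: The negative cases in the test_wolfSSL_dtls_export hunk mutate the shared `version_3` fixture and leave it changed: `version_3[2]` is restored, but `version_3[1] = 0XA0;` is not, so a second run of the test in the same process would fail the first `AssertIntGE`. Saving the byte before the bad-version case and restoring it after the last assert (`version_3[1] = savedVer;`, with `savedVer` a local added for this) keeps the fixture reusable. Both failing imports also pass the full `sizeof(version_3)`, so a truncated buffer is never exercised; adding `AssertIntLT(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3) - 1), 0);` would cover the size checks on the import path. The test function starts and ends outside the hunk.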
@@ -1040,8 +1040,10 @@ enum Misc {
 DTLS_HANDSHAKE_FRAG_SZ = 3, /* fragment offset and length are 24 bit */
 DTLS_POOL_SZ = 255,/* allowed number of list items in TX pool */
 DTLS_EXPORT_PRO = 165,/* wolfSSL protocol for serialized session */
- DTLS_EXPORT_VERSION = 3, /* wolfSSL version for serialized session */
- DTLS_EXPORT_OPT_SZ = 57, /* amount of bytes used from Options */
+ DTLS_EXPORT_VERSION = 4, /* wolfSSL version for serialized session */
+ DTLS_EXPORT_OPT_SZ = 58, /* amount of bytes used from Options */
+ DTLS_EXPORT_VERSION_3 = 3, /* wolfSSL version before TLS 1.3 addition */
+ DTLS_EXPORT_OPT_SZ_3 = 57, /* amount of bytes used from Options */
 DTLS_EXPORT_KEY_SZ = 325 + (DTLS_SEQ_SZ * 2),
 /* max amount of bytes used from Keys */
 DTLS_EXPORT_MIN_KEY_SZ = 78 + (DTLS_SEQ_SZ * 2),
From c93d348ecd2977ef4ebc53bdd1f67b8de2a6ba36 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Tue, 1 Aug 2017 14:19:06 -0600
Subject: [PATCH 2/2] fix sesion export buffer to be not dependent on macros defined
---
 src/internal.c | 42 ++++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 7aa4bf068..a240a4276 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -861,14 +861,20 @@ static int dtls_export_new(WOLFSSL* ssl, byte* exp, word32 len, byte ver)
 exp[idx++] = options->createTicket;
 exp[idx++] = options->useTicket;
 #ifdef WOLFSSL_TLS13
- exp[idx++] = options->noTicketTls13;
+ if (ver > DTLS_EXPORT_VERSION_3) {
+ exp[idx++] = options->noTicketTls13;
+ }
+#else
+ if (ver > DTLS_EXPORT_VERSION_3) {
+ exp[idx++] = 0;
+ }
 #endif
 #else
 exp[idx++] = 0;
 exp[idx++] = 0;
-#ifdef WOLFSSL_TLS13
- exp[idx++] = 0;
-#endif
+ if (ver > DTLS_EXPORT_VERSION_3) {
+ exp[idx++] = 0;
+ }
 #endif
 exp[idx++] = options->processReply;
 exp[idx++] = options->cipherSuite0;
@@ -887,12 +893,26 @@ static int dtls_export_new(WOLFSSL* ssl, byte* exp, word32 len, byte ver)
 exp[idx++] = ssl->version.minor;
 (void)zero;
- (void)ver;
 /* check if changes were made and notify of need to update export version */
- if (idx != DTLS_EXPORT_OPT_SZ) {
- WOLFSSL_MSG("Update DTLS_EXPORT_OPT_SZ and version of wolfSSL export");
- return DTLS_EXPORT_VER_E;
+ switch (ver) {
+ case DTLS_EXPORT_VERSION_3:
+ if (idx != DTLS_EXPORT_OPT_SZ_3) {
+ WOLFSSL_MSG("Update DTLS_EXPORT_OPT_SZ and version of export");
+ return DTLS_EXPORT_VER_E;
+ }
+ break;
+
+ case DTLS_EXPORT_VERSION:
+ if (idx != DTLS_EXPORT_OPT_SZ) {
+ WOLFSSL_MSG("Update DTLS_EXPORT_OPT_SZ and version of export");
+ return DTLS_EXPORT_VER_E;
+ }
+ break;
+
+ default:
+ WOLFSSL_MSG("New version case needs added to wolfSSL export");
+ return DTLS_EXPORT_VER_E;
 }
 WOLFSSL_LEAVE("dtls_export_new", idx);
@@ -1007,15 +1027,17 @@ static int dtls_export_load(WOLFSSL* ssl, byte* exp, word32 len, byte ver)
 if (ver > DTLS_EXPORT_VERSION_3) {
 options->noTicketTls13 = exp[idx++];/* Server won't create new Ticket */
 }
+#else
+ if (ver > DTLS_EXPORT_VERSION_3) {
+ exp[idx++] = 0;
+ }
 #endif
 #else
 idx++;
 idx++;
-#ifdef WOLFSSL_TLS13
 if (ver > DTLS_EXPORT_VERSION_3) {
 idx++;
 }
-#endif
 #endif
 options->processReply = exp[idx++];
 options->cipherSuite0 = exp[idx++];
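Review bot: In the `#else` branch added to dtls_export_load (last hunk), `exp[idx++] = 0;` writes into the buffer being imported instead of stepping over the byte; it looks carried over from the matching branch in dtls_export_new. The load path only needs to skip the noTicketTls13 slot when that option is not compiled in, as the other branch in the same hunk does, so the line should be `idx++;`. As written the import modifies caller-owned data and would fault if the serialized session sits in read-only memory. The function body starts and ends outside the hunk.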