diff --git a/src/internal.c b/src/internal.c index 0aeb4f962..fb69476b8 100755 --- a/src/internal.c +++ b/src/internal.c @@ -3307,8 +3307,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #ifndef NO_PSK if (ctx->server_hint[0]) { /* set in CTX */ - XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint,MAX_PSK_ID_LEN); - ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0'; + XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint, + sizeof(ssl->arrays->server_hint)); + ssl->arrays->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */ } #endif /* NO_PSK */ @@ -15319,10 +15320,10 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, } /* get PSK server hint from the wire */ - srvHintLen = min(length, MAX_PSK_ID_LEN - 1); + srvHintLen = min(length, MAX_PSK_ID_LEN); XMEMCPY(ssl->arrays->server_hint, input + args->idx, srvHintLen); - ssl->arrays->server_hint[srvHintLen] = 0; + ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */ args->idx += length; break; } @@ -15497,10 +15498,10 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, } /* get PSK server hint from the wire */ - srvHintLen = min(length, MAX_PSK_ID_LEN - 1); + srvHintLen = min(length, MAX_PSK_ID_LEN); XMEMCPY(ssl->arrays->server_hint, input + args->idx, srvHintLen); - ssl->arrays->server_hint[srvHintLen] = 0; + ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */ args->idx += length; /* p */ @@ -15608,9 +15609,10 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, } /* get PSK server hint from the wire */ - srvHintLen = min(length, MAX_PSK_ID_LEN - 1); - XMEMCPY(ssl->arrays->server_hint, input + args->idx, srvHintLen); - ssl->arrays->server_hint[srvHintLen] = 0; + srvHintLen = min(length, MAX_PSK_ID_LEN); + XMEMCPY(ssl->arrays->server_hint, input + args->idx, + srvHintLen); + ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */ args->idx += length; @@ -21376,8 +21378,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, input + args->idx, ci_sz); args->idx += ci_sz; - ssl->arrays->client_identity[ - min(ci_sz, MAX_PSK_ID_LEN-1)] = 0; + ssl->arrays->client_identity[ci_sz] = '\0'; /* null term */ ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, ssl->arrays->client_identity, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); @@ -21583,8 +21584,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, XMEMCPY(ssl->arrays->client_identity, input + args->idx, clientSz); args->idx += clientSz; - ssl->arrays->client_identity[ - min(clientSz, MAX_PSK_ID_LEN-1)] = 0; + ssl->arrays->client_identity[clientSz] = '\0'; /* null term */ /* Read in the DHE business */ if ((args->idx - args->begin) + OPAQUE16_LEN > size) { @@ -21637,8 +21637,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, XMEMCPY(ssl->arrays->client_identity, input + args->idx, clientSz); args->idx += clientSz; - ssl->arrays->client_identity[ - min(clientSz, MAX_PSK_ID_LEN-1)] = 0; + ssl->arrays->client_identity[clientSz] = '\0'; /* null term */ /* import peer ECC key */ if ((args->idx - args->begin) + OPAQUE8_LEN > size) { diff --git a/src/ssl.c b/src/ssl.c index fee006231..53ee3d019 100755 --- a/src/ssl.c +++ b/src/ssl.c @@ -9836,8 +9836,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (hint == 0) ctx->server_hint[0] = 0; else { - XSTRNCPY(ctx->server_hint, hint, MAX_PSK_ID_LEN); - ctx->server_hint[MAX_PSK_ID_LEN - 1] = '\0'; + XSTRNCPY(ctx->server_hint, hint, sizeof(ctx->server_hint)); + ctx->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */ } return SSL_SUCCESS; } @@ -9853,8 +9853,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (hint == 0) ssl->arrays->server_hint[0] = 0; else { - XSTRNCPY(ssl->arrays->server_hint, hint, MAX_PSK_ID_LEN); - ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0'; + XSTRNCPY(ssl->arrays->server_hint, hint, + sizeof(ssl->arrays->server_hint)); + ssl->arrays->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */ } return SSL_SUCCESS; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index df26a7ec5..1e826ab56 100755 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1054,7 +1054,8 @@ enum Misc { DTLS_TIMEOUT_MAX = 64, /* default max timeout for DTLS receive */ DTLS_TIMEOUT_MULTIPLIER = 2, /* default timeout multiplier for DTLS recv */ - MAX_PSK_ID_LEN = 129, /* max psk identity/hint supported */ + MAX_PSK_ID_LEN = 128, /* max psk identity/hint supported */ + NULL_TERM_LEN = 1, /* length of null '\0' termination character */ MAX_PSK_KEY_LEN = 64, /* max psk key supported */ MAX_WOLFSSL_FILE_SIZE = 1024 * 1024 * 4, /* 4 mb file size alloc limit */ @@ -2015,7 +2016,7 @@ struct WOLFSSL_CTX { byte havePSK; /* psk key set by user */ wc_psk_client_callback client_psk_cb; /* client callback */ wc_psk_server_callback server_psk_cb; /* server callback */ - char server_hint[MAX_PSK_ID_LEN]; + char server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN]; #endif /* NO_PSK */ #ifdef HAVE_ANON byte haveAnon; /* User wants to allow Anon suites */ @@ -2523,8 +2524,8 @@ typedef struct Arrays { word32 pendingMsgOffset; /* current offset into defrag buffer */ #ifndef NO_PSK word32 psk_keySz; /* actual size */ - char client_identity[MAX_PSK_ID_LEN]; - char server_hint[MAX_PSK_ID_LEN]; + char client_identity[MAX_PSK_ID_LEN + NULL_TERM_LEN]; + char server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN]; byte psk_key[MAX_PSK_KEY_LEN]; #endif byte clientRandom[RAN_LEN]; diff --git a/wolfssl/test.h b/wolfssl/test.h index 08e347788..488964789 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1008,6 +1008,9 @@ static INLINE void tcp_set_nonblocking(SOCKET_T* sockfd) #ifndef NO_PSK +/* identity is OpenSSL testing default for openssl s_client, keep same */ +static const char* kIdentityStr = "Client_identity"; + static INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint, char* identity, unsigned int id_max_len, unsigned char* key, unsigned int key_max_len) @@ -1016,9 +1019,9 @@ static INLINE unsigned int my_psk_client_cb(WOLFSSL* ssl, const char* hint, (void)hint; (void)key_max_len; - /* identity is OpenSSL testing default for openssl s_client, keep same */ - strncpy(identity, "Client_identity", id_max_len); - + /* id_max_len allows + 1 for null termination */ + /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */ + strncpy(identity, kIdentityStr, id_max_len + 1); /* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using unsigned binary */ @@ -1037,8 +1040,8 @@ static INLINE unsigned int my_psk_server_cb(WOLFSSL* ssl, const char* identity, (void)ssl; (void)key_max_len; - /* identity is OpenSSL testing default for openssl s_client, keep same */ - if (strncmp(identity, "Client_identity", 15) != 0) + /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */ + if (strncmp(identity, kIdentityStr, strlen(kIdentityStr) + 1) != 0) return 0; /* test key in hex is 0x1a2b3c4d , in decimal 439,041,101 , we're using