mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-07 07:30:49 +02:00
e5f569ad7c
Per RFC 8446 section 8, a server MUST ensure that any instance of it
would accept 0-RTT for the same 0-RTT handshake at most once. Without
this, the same ClientHello could be replayed to re-accept early data on
a subsequent connection.
After the PSK is authenticated (binder verified) in DoPreSharedKeys,
call wolfSSL_SSL_CTX_remove_session on ssl->session when the client
offered 0-RTT and the session permits it. That evicts the entry from
the internal cache (under the row's write lock) and invokes the
application's ctx->rem_sess_cb so any external cache can drop its copy
too. The session's timeout is also cleared so the live reference held
by the current handshake cannot be resumed again.
The mutation is paid only when the client actually included the
early_data extension on a 0-RTT-capable session, so normal resumptions
are unaffected and the existing remove-callback counts in
test_wolfSSL_CTX_add_session_ext_{tls13,dtls13} stay correct.
wolfSSL_SSL_CTX_remove_session was previously declared and defined only
under the OpenSSL compatibility layer. Because it is now called from
the core TLS 1.3 PSK path, the declaration in wolfssl/ssl.h and the
definition in src/ssl_sess.c are moved out of that block to match the
existing !NO_SESSION_CACHE gate under which the function is meaningful.
wolfSSL_SSL_get0_session stays in the compat block.
test_tls13_early_data_0rtt_replay verifies the behaviour. It does a
full TLS 1.3 handshake with stateful tickets (SSL_OP_NO_TICKET) and
max_early_data > 0, then tries to resume the saved session twice while
offering 0-RTT each time. A minimal single-slot external session cache
is wired up via wolfSSL_CTX_sess_set_{new,get,remove}_cb to confirm
both caches are cleared. Round 0 must resume and deliver the early
data, and rem_calls must hit 1 (the fix's single eviction). Round 1
must fall back to a full handshake (session_reused == 0), deliver no
early data, and leave rem_calls at 1.
Verified against multiple configurations (incl. --enable-all
--enable-earlydata, the no-compat -DHAVE_EXT_CACHE build, and the
os-check.yml combo). Valgrind under -g2 -O0 with OPENSSL_EXTRA +
HAVE_EXT_CACHE + HAVE_EX_DATA reports no errors and no
definitely-lost bytes.
Refs wolfSSL/wolfssl#10197
75 lines
3.3 KiB
C
75 lines
3.3 KiB
C
/* test_tls13.h
|
|
*
|
|
* Copyright (C) 2006-2026 wolfSSL Inc.
|
|
*
|
|
* This file is part of wolfSSL.
|
|
*
|
|
* wolfSSL is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* wolfSSL is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
|
*/
|
|
|
|
#ifndef WOLFCRYPT_TEST_TLS13_H
|
|
#define WOLFCRYPT_TEST_TLS13_H
|
|
|
|
#include <tests/api/api_decl.h>
|
|
|
|
int test_tls13_apis(void);
|
|
int test_tls13_cipher_suites(void);
|
|
int test_tls13_bad_psk_binder(void);
|
|
int test_tls13_rpk_handshake(void);
|
|
int test_tls13_pq_groups(void);
|
|
int test_tls13_early_data(void);
|
|
int test_tls13_same_ch(void);
|
|
int test_tls13_hrr_different_cs(void);
|
|
int test_tls13_ch2_different_cs(void);
|
|
int test_tls13_sg_missing(void);
|
|
int test_tls13_ks_missing(void);
|
|
int test_tls13_duplicate_extension(void);
|
|
int test_key_share_mismatch(void);
|
|
int test_tls13_middlebox_compat_empty_session_id(void);
|
|
int test_tls13_plaintext_alert(void);
|
|
int test_tls13_warning_alert_is_fatal(void);
|
|
int test_tls13_unknown_ext_rejected(void);
|
|
int test_tls13_cert_req_sigalgs(void);
|
|
int test_tls13_derive_keys_no_key(void);
|
|
int test_tls13_pqc_hybrid_truncated_keyshare(void);
|
|
int test_tls13_short_session_ticket(void);
|
|
int test_tls13_early_data_0rtt_replay(void);
|
|
|
|
#define TEST_TLS13_DECLS \
|
|
TEST_DECL_GROUP("tls13", test_tls13_apis), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_cipher_suites), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_bad_psk_binder), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_rpk_handshake), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_pq_groups), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_early_data), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_same_ch), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_hrr_different_cs), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_ch2_different_cs), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_sg_missing), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_ks_missing), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_duplicate_extension), \
|
|
TEST_DECL_GROUP("tls13", test_key_share_mismatch), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_middlebox_compat_empty_session_id), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_plaintext_alert), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_warning_alert_is_fatal), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_cert_req_sigalgs), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_derive_keys_no_key), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_pqc_hybrid_truncated_keyshare), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_short_session_ticket), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_early_data_0rtt_replay), \
|
|
TEST_DECL_GROUP("tls13", test_tls13_unknown_ext_rejected)
|
|
|
|
#endif /* WOLFCRYPT_TEST_TLS13_H */
|