Fixes for sniffer session ticket resumption with TLS v1.2. ZD14531.
This commit is contained in:
parent
b46a308544
commit
1c7f64cce9
@ -30963,14 +30963,16 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
ssl->options.haveSessionId = 1;
|
||||
/* DoClientHello uses same resume code */
|
||||
if (ssl->options.resuming) { /* let's try */
|
||||
WOLFSSL_SESSION* session = wolfSSL_GetSession(ssl,
|
||||
ssl->arrays->masterSecret, 1);
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
if (ssl->options.useTicket == 1) {
|
||||
session = ssl->session;
|
||||
}
|
||||
#endif
|
||||
|
||||
WOLFSSL_SESSION* session;
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
if (ssl->options.useTicket == 1) {
|
||||
session = ssl->session;
|
||||
}
|
||||
else
|
||||
#endif
|
||||
{
|
||||
session = wolfSSL_GetSession(ssl, ssl->arrays->masterSecret, 1);
|
||||
}
|
||||
if (!session) {
|
||||
WOLFSSL_MSG("Session lookup for resume failed");
|
||||
ssl->options.resuming = 0;
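Review bot: The `else` that closes the `#ifdef HAVE_SESSION_TICKET` region binds to the unconditional `{ ... }` block placed after `#endif`, so with tickets disabled the block always runs — correct, but easy to misread as a stray brace; a comment on the brace, `{ /* cache lookup; unconditional when HAVE_SESSION_TICKET is off */`, would make that explicit. The second hunk of this file uses the same shape. The ticket branch now skips wolfSSL_GetSession entirely, so `ssl->arrays->masterSecret` is no longer refreshed from the cache on that path; presumably ticket decryption has already populated it and `ssl->session` is either non-NULL or caught by the `if (!session)` check below — worth confirming. The enclosing function continues outside the hunk.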
|
||||
@ -31028,10 +31030,12 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
if (ssl->options.useTicket == 1) {
|
||||
session = ssl->session;
|
||||
} else if (bogusID == 1 && ssl->options.rejectTicket == 0) {
|
||||
}
|
||||
else if (bogusID == 1 && ssl->options.rejectTicket == 0) {
|
||||
WOLFSSL_MSG("Bogus session ID without session ticket");
|
||||
return BUFFER_ERROR;
|
||||
} else
|
||||
}
|
||||
else
|
||||
#endif
|
||||
{
|
||||
session = wolfSSL_GetSession(ssl, ssl->arrays->masterSecret, 1);
|
||||
|
@ -3362,6 +3362,7 @@ static int ProcessSessionTicket(const byte* input, int* sslBytes,
|
||||
if (session->sslServer->arrays) {
|
||||
XMEMCPY(session->sslServer->arrays->sessionID,
|
||||
input + len - ID_LEN, ID_LEN);
|
||||
session->sslServer->arrays->sessionIDSz = ID_LEN;
|
||||
}
|
||||
}
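Review bot: The new `sessionIDSz = ID_LEN` store pairs with a copy from `input + len - ID_LEN`, and no lower bound on `len` is visible in this hunk; if ProcessSessionTicket does not reject `len < ID_LEN` earlier (the function begins outside the hunk), that source pointer lands before `input`. If the guard exists above, a one-line comment at the copy, `/* len >= ID_LEN checked above */`, keeps the invariant visible where it is relied on. The `if (session->sslServer->arrays)` guard around this block is good and is the shape the other sniffer hunks in this commit should follow.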
|
||||
|
||||
@ -3386,6 +3387,11 @@ static int DoResume(SnifferSession* session, char* error)
|
||||
else
|
||||
#endif
|
||||
{
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
/* make sure "useTicket" is not set, otherwise the session will not be
|
||||
* properly retrieved */
|
||||
session->sslServer->options.useTicket = 0;
|
||||
#endif
|
||||
resume = wolfSSL_GetSession(session->sslServer,
|
||||
session->sslServer->arrays->masterSecret, 0);
|
||||
if (resume == NULL) {
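Review bot: `session->sslServer->arrays->masterSecret`, on the line right after the new `useTicket = 0` reset, is dereferenced without the `if (session->sslServer->arrays)` guard that ProcessSessionTicket uses in this same commit; the new `sessionIDSz = ID_LEN` store in ProcessServerHello has the same unguarded shape. If `arrays` is guaranteed non-NULL at these points (possibly ensured by the caller, outside the hunk), a short comment saying so would make that visible; otherwise the same guard should be added. The reset itself looks right given the resume-path change in the first hunks of this commit, where `useTicket == 1` now bypasses the cache lookup entirely; since ProcessClientHello no longer sets the flag, a note such as `/* defensive: ProcessClientHello no longer sets useTicket */` would explain why the line stays. DoResume begins outside the hunk.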
|
||||
@ -3698,6 +3704,7 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
|
||||
if (session->ticketID && doResume) {
|
||||
/* use ticketID to retrieve from session, prefer over sessionID */
|
||||
XMEMCPY(session->sslServer->arrays->sessionID,session->ticketID,ID_LEN);
|
||||
session->sslServer->arrays->sessionIDSz = ID_LEN;
|
||||
session->sslServer->options.haveSessionId = 1; /* may not have
|
||||
actual sessionID */
|
||||
}
|
||||
@ -4085,8 +4092,10 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
ssl->options.useTicket = 1;
|
||||
/* do not set "ssl->options.useTicket", since the sniffer uses
|
||||
* the cache differently for retaining the master secret only */
|
||||
#endif
|
||||
XMEMCPY(session->ticketID, input + extLen - ID_LEN, ID_LEN);
|
||||
}
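Review bot: With `ssl->options.useTicket = 1;` removed, the `#ifdef HAVE_SESSION_TICKET` / `#endif` pair now wraps only a comment, which reads as a leftover; the guard can be dropped and the comment kept as plain text beside the `XMEMCPY`. The comment would be more useful if it stated the consequence it avoids: `/* keep useTicket clear: the resume path skips the cache lookup when it is set */` ties this line to the change in the first hunks of this commit. The `input + extLen - ID_LEN` source has no visible lower bound on `extLen` in this hunk; if that is checked earlier in ProcessClientHello (outside the hunk) a brief comment here would say so, otherwise it needs one.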
|
||||
|
@ -330,7 +330,7 @@ static int myStoreDataCb(const unsigned char* decryptBuf,
|
||||
|
||||
/* try and load as both static ephemeral and private key */
|
||||
/* only fail if no key is loaded */
|
||||
/* Allow comma seperated list of files */
|
||||
/* Allow comma separated list of files */
|
||||
static int load_key(const char* name, const char* server, int port,
|
||||
const char* keyFiles, const char* passwd, char* err)
|
||||
{
|
||||
|