Merge pull request #5078 from julek-wolfssl/wpas-tls13

Clean up wolfSSL_clear() and add some more logging

configure.ac

@@ -1393,6 +1393,7 @@ then
     AM_CFLAGS="$AM_CFLAGS -DKEEP_OUR_CERT"
     AM_CFLAGS="$AM_CFLAGS -DKEEP_PEER_CERT"
     AM_CFLAGS="$AM_CFLAGS -DHAVE_KEYING_MATERIAL"
+    AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF"
 fi
 
 if test "$ENABLED_FORTRESS" = "yes"

src/internal.c

@@ -12121,6 +12121,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     args->exts[args->totalCerts].buffer = input + args->idx;
                     args->idx += extSz;
                     listSz -= extSz + OPAQUE16_LEN;
+                    WOLFSSL_MSG_EX("\tParsing %d bytes of cert extensions",
+                            args->exts[args->totalCerts].length);
                     ret = TLSX_Parse(ssl, args->exts[args->totalCerts].buffer,
                         (word16)args->exts[args->totalCerts].length,
                         certificate, NULL);
@@ -12608,12 +12610,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 if (args->fatal == 0 && ret == 0) {
                     int doLookup = 1;
 
+                    WOLFSSL_MSG("Checking if ocsp needed");
+
                     if (ssl->options.side == WOLFSSL_CLIENT_END) {
                 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
                         if (ssl->status_request) {
                             args->fatal = (TLSX_CSR_InitRequest(ssl->extensions,
                                                 args->dCert, ssl->heap) != 0);
                             doLookup = 0;
+                            WOLFSSL_MSG("\tHave status request");
                         #if defined(WOLFSSL_TLS13)
                             if (ssl->options.tls1_3) {
                                 TLSX* ext = TLSX_Find(ssl->extensions,
@@ -12642,6 +12647,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                             args->fatal = (TLSX_CSR2_InitRequests(ssl->extensions,
                                                  args->dCert, 1, ssl->heap) != 0);
                             doLookup = 0;
+                            WOLFSSL_MSG("\tHave status request v2");
                         }
                 #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
                     }

src/ssl.c

@@ -2709,6 +2709,8 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx)
 
 int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, byte status_type, byte options)
 {
+    WOLFSSL_ENTER("wolfSSL_UseOCSPStapling");
+
     if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END)
         return BAD_FUNC_ARG;
 
@@ -2720,6 +2722,8 @@ int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, byte status_type, byte options)
 int wolfSSL_CTX_UseOCSPStapling(WOLFSSL_CTX* ctx, byte status_type,
                                                                    byte options)
 {
+    WOLFSSL_ENTER("wolfSSL_CTX_UseOCSPStapling");
+
     if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END)
         return BAD_FUNC_ARG;
 
@@ -17970,10 +17974,21 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
     int wolfSSL_clear(WOLFSSL* ssl)
     {
+        WOLFSSL_ENTER("wolfSSL_clear");
+
         if (ssl == NULL) {
             return WOLFSSL_FAILURE;
         }
 
+        if (!ssl->options.handShakeDone) {
+            /* Only reset the session if we didn't complete a handshake */
+            wolfSSL_SESSION_free(ssl->session);
+            ssl->session = wolfSSL_NewSession(ssl->heap);
+            if (ssl->session == NULL) {
+                return WOLFSSL_FAILURE;
+            }
+        }
+
         ssl->options.isClosed = 0;
         ssl->options.connReset = 0;
         ssl->options.sentNotify = 0;
@@ -17993,9 +18008,6 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
         if (ssl->hsHashes)
             (void)InitHandshakeHashes(ssl);
 
-#ifdef SESSION_CERTS
-        ssl->session->chain.count = 0;
-#endif
 #ifdef KEEP_PEER_CERT
         FreeX509(&ssl->peerCert);
         InitX509(&ssl->peerCert, 0, ssl->heap);

wolfcrypt/src/logging.c

@@ -364,6 +364,31 @@ static void wolfssl_log(const int logLevel, const char *const logMessage)
 }
 
 #ifndef WOLFSSL_DEBUG_ERRORS_ONLY
+
+#if !defined(_WIN32) && defined(XVSNPRINTF) && !defined(NO_WOLFSSL_MSG_EX)
+#include <stdarg.h> /* for var args */
+#ifndef WOLFSSL_MSG_EX_BUF_SZ
+#define WOLFSSL_MSG_EX_BUF_SZ 100
+#endif
+#ifdef __clang__
+/* tell clang argument 1 is format */
+__attribute__((__format__ (__printf__, 1, 0)))
+#endif
+void WOLFSSL_MSG_EX(const char* fmt, ...)
+{
+    if (loggingEnabled) {
+        char msg[WOLFSSL_MSG_EX_BUF_SZ];
+        int written;
+        va_list args;
+        va_start(args, fmt);
+        written = XVSNPRINTF(msg, sizeof(msg), fmt, args);
+        va_end(args);
+        if (written > 0)
+            wolfssl_log(INFO_LOG , msg);
+    }
+}
+#endif
+
 void WOLFSSL_MSG(const char* msg)
 {
     if (loggingEnabled)

wolfssl/wolfcrypt/logging.h

@@ -162,7 +162,11 @@ WOLFSSL_API void wolfSSL_Debugging_OFF(void);
     #define WOLFSSL_STUB(m) \
         WOLFSSL_MSG(WOLFSSL_LOG_CAT(wolfSSL Stub, m, not implemented))
     WOLFSSL_API int WOLFSSL_IS_DEBUG_ON(void);
-
+#if !defined(_WIN32) && defined(XVSNPRINTF)
+    WOLFSSL_API void WOLFSSL_MSG_EX(const char* fmt, ...);
+#else
+    #define WOLFSSL_MSG_EX(m, ...)
+#endif
     WOLFSSL_API void WOLFSSL_MSG(const char* msg);
     WOLFSSL_API void WOLFSSL_BUFFER(const byte* buffer, word32 length);
 
@@ -173,6 +177,7 @@ WOLFSSL_API void wolfSSL_Debugging_OFF(void);
     #define WOLFSSL_STUB(m)
     #define WOLFSSL_IS_DEBUG_ON() 0
 
+    #define WOLFSSL_MSG_EX(m, ...)
     #define WOLFSSL_MSG(m)
     #define WOLFSSL_BUFFER(b, l)