Merge pull request #3075 from julek-wolfssl/dtls-no-cookie

DTLS session resumption fixes
2020-07-15 14:07:34 -07:00 · 2020-07-15 14:07:34 -07:00 · 925e9d9213
parent edf88c3da1 03c5359fcd
commit 925e9d9213
6 changed files with 1070 additions and 9 deletions
--- a/examples/client/client.c
+++ b/examples/client/client.c
@ -3416,8 +3416,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)

        (void)ClientRead(sslResume, reply, sizeof(reply)-1, sendGET,
                         "Server resume: ", 0);
-        /* try to send session break */
-        (void)ClientWrite(sslResume, msg, msgSz, " resume 2", 0);

        ret = wolfSSL_shutdown(sslResume);
        if (wc_shutdown && ret == WOLFSSL_SHUTDOWN_NOT_DONE)
--- a/examples/server/server.c
+++ b/examples/server/server.c
@ -2141,6 +2141,10 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
                       dtlsUDP, dtlsSCTP, serverReadyFile ? 1 : 0, doListen);
        doListen = 0; /* Don't listen next time */

+        if (port == 0) {
+            port = readySignal->port;
+        }
+
        if (SSL_set_fd(ssl, clientfd) != WOLFSSL_SUCCESS) {
            err_sys_ex(catastrophic, "error in setting fd");
        }
--- a/src/internal.c
+++ b/src/internal.c
@ -16641,7 +16641,10 @@ int SendFinished(WOLFSSL* ssl)
    ret = SendBuffered(ssl);

 #ifdef WOLFSSL_DTLS
-    if (ssl->options.side == WOLFSSL_SERVER_END) {
+    if ((!ssl->options.resuming &&
+            ssl->options.side == WOLFSSL_SERVER_END) ||
+        (ssl->options.resuming &&
+            ssl->options.side == WOLFSSL_CLIENT_END)) {
        ssl->keys.dtls_handshake_number = 0;
        ssl->keys.dtls_expected_peer_handshake_number = 0;
    }
@ -27028,7 +27031,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
        XMEMCPY(&pv, input + i, OPAQUE16_LEN);
        ssl->chVersion = pv;   /* store */
 #ifdef WOLFSSL_DTLS
-        if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl)) {
+        if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl) && !ssl->options.resuming) {
            #if defined(NO_SHA) && defined(NO_SHA256)
                #error "DTLS needs either SHA or SHA-256"
            #endif /* NO_SHA && NO_SHA256 */
@ -27178,7 +27181,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
        /* random */
        XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
 #ifdef WOLFSSL_DTLS
-        if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl)) {
+        if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl) && !ssl->options.resuming) {
            ret = wc_HmacUpdate(&cookieHmac, input + i, RAN_LEN);
            if (ret != 0) return ret;
        }
@ -27211,7 +27214,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,

            XMEMCPY(ssl->arrays->sessionID, input + i, b);
 #ifdef WOLFSSL_DTLS
-            if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl)) {
+            if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl) &&
+                    !ssl->options.resuming) {
                ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1);
                if (ret != 0) return ret;
            }
@ -27296,7 +27300,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 #endif

 #ifdef WOLFSSL_DTLS
-        if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl)) {
+        if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl) && !ssl->options.resuming) {
            ret = wc_HmacUpdate(&cookieHmac,
                                    input + i - OPAQUE16_LEN,
                                    clSuites.suiteSz + OPAQUE16_LEN);
@ -27322,7 +27326,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,

 #ifdef WOLFSSL_DTLS
        if (IsDtlsNotSctpMode(ssl)) {
-            if (!IsSCR(ssl)) {
+            if (!IsSCR(ssl) && !ssl->options.resuming) {
                byte newCookie[MAX_COOKIE_LEN];

                ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1);
--- a/tests/include.am
+++ b/tests/include.am
@ -34,6 +34,7 @@ EXTRA_DIST += tests/test.conf \
              tests/test-dtls-group.conf \
              tests/test-dtls-reneg-client.conf \
              tests/test-dtls-reneg-server.conf \
+              tests/test-dtls-resume.conf \
              tests/test-dtls-sha2.conf \
              tests/test-sctp.conf \
              tests/test-sctp-sha2.conf \
--- a/tests/suites.c
+++ b/tests/suites.c
@ -833,7 +833,7 @@ int SuiteTest(int argc, char** argv)
        args.return_code = EXIT_FAILURE;
        goto exit;
    }
-    /* add dtls grouping suites */
+    /* add dtls grouping tests */
    strcpy(argv0[1], "tests/test-dtls-group.conf");
    printf("starting dtls message grouping tests\n");
    test_harness(&args);
@ -842,6 +842,15 @@ int SuiteTest(int argc, char** argv)
        args.return_code = EXIT_FAILURE;
        goto exit;
    }
+    /* add dtls session resumption tests */
+    strcpy(argv0[1], "tests/test-dtls-resume.conf");
+    printf("starting dtls session resumption tests\n");
+    test_harness(&args);
+    if (args.return_code != 0) {
+        printf("error from script %d\n", args.return_code);
+        args.return_code = EXIT_FAILURE;
+        goto exit;
+    }
 #ifdef HAVE_SECURE_RENEGOTIATION
    /* add dtls renegotiation tests */
    strcpy(argv0[1], "tests/test-dtls-reneg-client.conf");
--- a/tests/test-dtls-resume.conf
+++ b/tests/test-dtls-resume.conf