8 changes: 6 additions & 2 deletions src/internal.c
Expand Up @@ -41667,9 +41667,13 @@ static int TicketEncCbCtx_ChooseKey(TicketEncCbCtx* keyCtx, int ticketHint,
else if (keyCtx->expirary[1] < now) {
genKey = 1;
}
/* Timeouts and expirary should not allow this to happen. */
/* Both keys are still valid for decrypt but neither covers the ticket
* hint. Regenerate the one that expires first. */
else if (keyCtx->expirary[0] <= keyCtx->expirary[1]) {
genKey = 0;
}
else {
return BAD_STATE_E;
genKey = 1;
}

/* Generate the required key */
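Review bot: The new fall-through in `TicketEncCbCtx_ChooseKey` regenerates a key on every call once the ticket hint exceeds the key lifetime, because in that case neither key can ever cover the hint (inferred; the `< now` checks that precede it sit above the hunk). Each regeneration overwrites a key that the new comment itself says is still valid for decrypt, so tickets issued two handshakes earlier can no longer be decrypted and fall back to a full handshake, and every handshake pays for fresh key material. The comment should state that consequence, e.g. `/* Neither key covers the hint: rotate the one expiring first. With a hint beyond the key lifetime this runs on every call, so older tickets stop decrypting and resume as full handshakes. */`. An alternative worth weighing is to keep using the later-expiring key without regenerating it, capping the ticket's effective lifetime at the key's instead of churning keys. The function begins and ends outside the hunk.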
75 changes: 75 additions & 0 deletions tests/api/test_ssl_ext.c
Expand Up @@ -195,6 +195,81 @@ int test_wolfSSL_CTX_set_TicketHint_ext(void)
return EXPECT_RESULT();
}

/* A reused server WOLFSSL_CTX must keep issuing tickets across handshakes even
* when the lifetime hint exceeds the default ticket key lifetime. */
int test_wolfSSL_CTX_set_TicketHint_key_rotation(void)
{
EXPECT_DECLS;
#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \
!defined(NO_WOLFSSL_SERVER)
method_provider methods[][2] = {
#ifndef WOLFSSL_NO_TLS12
{ wolfTLSv1_2_client_method, wolfTLSv1_2_server_method },
#endif
#ifdef WOLFSSL_TLS13
{ wolfTLSv1_3_client_method, wolfTLSv1_3_server_method },
#endif
#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12)
{ wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method },
#endif
#ifdef WOLFSSL_DTLS13
{ wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method },
#endif
};
size_t i;
int round;

for (i = 0; i < sizeof(methods) / sizeof(*methods); i++) {
struct test_memio_ctx test_ctx;
WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
char buf[64];

XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
methods[i][0], methods[i][1]), 0);

/* Push the hint past the key lifetime */
ExpectIntEQ(wolfSSL_CTX_set_TicketHint(ctx_s,
WOLFSSL_TICKET_KEY_LIFETIME + 1), WOLFSSL_SUCCESS);

for (round = 0; round < 4; round++) {
/* Set up two new connections using the same contexts */
if (round > 0) {
XMEMSET(&test_ctx, 0, sizeof(test_ctx));
ExpectNotNull(ssl_c = wolfSSL_new(ctx_c));
ExpectNotNull(ssl_s = wolfSSL_new(ctx_s));
wolfSSL_SetIOReadCtx(ssl_c, &test_ctx);
wolfSSL_SetIOWriteCtx(ssl_c, &test_ctx);
wolfSSL_SetIOReadCtx(ssl_s, &test_ctx);
wolfSSL_SetIOWriteCtx(ssl_s, &test_ctx);
}

/* The client has to opt into pre-1.3 tickets; ignored for 1.3 */
ExpectIntEQ(wolfSSL_UseSessionTicket(ssl_c), WOLFSSL_SUCCESS);

ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);

/* Consume any NewSessionTicket and confirm one was issued */
ExpectIntEQ(wolfSSL_read(ssl_c, buf, sizeof(buf)), -1);
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
ExpectNotNull(ssl_c->session);
ExpectIntGT(ssl_c->session->ticketLen, 0);

wolfSSL_free(ssl_c);
ssl_c = NULL;
wolfSSL_free(ssl_s);
ssl_s = NULL;
}

wolfSSL_CTX_free(ctx_c);
wolfSSL_CTX_free(ctx_s);
}
#endif
return EXPECT_RESULT();
}

int test_wolfSSL_tlsext_max_fragment_length_ext(void)
{
EXPECT_DECLS;
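Review bot: The test checks that a ticket is issued each round but never resumes with it, so it would not catch the server rotating away the key that encrypted the previous round's ticket, which is the behaviour the `internal.c` change makes possible when the hint exceeds `WOLFSSL_TICKET_KEY_LIFETIME`. Carrying the session from one round into the next with `wolfSSL_get1_session`/`wolfSSL_set_session` and asserting `wolfSSL_session_reused(ssl_s)` on rounds after the first would pin that down; the sketch below shows the additions around the handshake. Whether resumption is expected to succeed for every entry in `methods` (DTLS in particular) may need confirming before the assertion is made unconditional. The new function is fully inside the hunk.
```c
        WOLFSSL_SESSION *sess = NULL;
        /* … unchanged: test_memio_setup, wolfSSL_CTX_set_TicketHint … */
        for (round = 0; round < 4; round++) {
            /* … unchanged: per-round connection setup … */
            ExpectIntEQ(wolfSSL_UseSessionTicket(ssl_c), WOLFSSL_SUCCESS);
            if (round > 0) {
                /* Resume with the ticket issued in the previous round */
                ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS);
            }
            ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
            if (round > 0) {
                ExpectIntEQ(wolfSSL_session_reused(ssl_s), 1);
            }
            /* … unchanged: wolfSSL_read / WANT_READ / ticketLen checks … */
            wolfSSL_SESSION_free(sess);
            ExpectNotNull(sess = wolfSSL_get1_session(ssl_c));
            /* … unchanged: wolfSSL_free of ssl_c / ssl_s … */
        }
        wolfSSL_SESSION_free(sess);
```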
3 changes: 3 additions & 0 deletions tests/api/test_ssl_ext.h
Expand Up @@ -28,6 +28,7 @@ int test_wolfSSL_CTX_num_tickets_ext(void);
int test_wolfSSL_set1_groups_ext(void);
int test_wolfSSL_set1_groups_list_ext(void);
int test_wolfSSL_CTX_set_TicketHint_ext(void);
int test_wolfSSL_CTX_set_TicketHint_key_rotation(void);
int test_wolfSSL_tlsext_max_fragment_length_ext(void);
int test_wolfSSL_DisableExtendedMasterSecret_ext(void);
int test_wolfSSL_set_tlsext_host_name_ext(void);
Expand Down Expand Up @@ -57,6 +58,8 @@ int test_wolfSSL_CTX_set_alpn_protos_inval_ext(void);
TEST_DECL_GROUP("ssl_ext", test_wolfSSL_set1_groups_ext), \
TEST_DECL_GROUP("ssl_ext", test_wolfSSL_set1_groups_list_ext), \
TEST_DECL_GROUP("ssl_ext", test_wolfSSL_CTX_set_TicketHint_ext), \
TEST_DECL_GROUP("ssl_ext", \
test_wolfSSL_CTX_set_TicketHint_key_rotation), \
TEST_DECL_GROUP("ssl_ext", \
test_wolfSSL_tlsext_max_fragment_length_ext), \
TEST_DECL_GROUP("ssl_ext", \