From 01a16851590daa2adda5b4afcaf5b041b47e7a45 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 22 May 2024 15:43:13 -0600 Subject: [PATCH 01/13] updating socat support to version 1.8.0.0 --- src/internal.c | 3 +++ src/ssl.c | 11 +++++++++++ src/ssl_sess.c | 11 +++++++++++ wolfssl/internal.h | 3 +++ wolfssl/openssl/ssl.h | 7 +++++++ wolfssl/ssl.h | 6 ++++++ 6 files changed, 41 insertions(+) diff --git a/src/internal.c b/src/internal.c index 56e72376ff..8a2a584b25 100644 --- a/src/internal.c +++ b/src/internal.c @@ -7605,6 +7605,9 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) "err = %d", ret); return MEMORY_E; } +#ifdef HAVE_MAX_FRAGMENT + ssl->session->maxFragmentSz = ssl->max_fragment; +#endif /* HAVE_MAX_FRAGMENT */ #ifdef HAVE_SESSION_TICKET ssl->options.noTicketTls12 = ctx->noTicketTls12; #endif diff --git a/src/ssl.c b/src/ssl.c index 5fd3364b90..e80267139f 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -14939,6 +14939,17 @@ int wolfSSL_COMP_add_compression_method(int method, void* data) } #endif +#ifndef NO_WOLFSSL_STUB +const char* wolfSSL_COMP_get_name(const void* comp) +{ + static const char ret[] = "not supported"; + + (void)comp; + WOLFSSL_STUB("wolfSSL_COMP_get_name"); + return ret; +} +#endif + /* wolfSSL_set_dynlock_create_callback * CRYPTO_set_dynlock_create_callback has been deprecated since openSSL 1.0.1. * This function exists for compatibility purposes because wolfSSL satisfies diff --git a/src/ssl_sess.c b/src/ssl_sess.c index 23b595be8b..695eb0677a 100644 --- a/src/ssl_sess.c +++ b/src/ssl_sess.c @@ -747,6 +747,17 @@ long wolfSSL_CTX_set_session_cache_mode(WOLFSSL_CTX* ctx, long mode) } #ifdef OPENSSL_EXTRA +/* return the max fragment size set when handshake was negotiated */ +uint8_t wolfSSL_SESSION_get_max_fragment_length(WOLFSSL_SESSION* session) +{ + if (session == NULL) { + return 0; + } + + return session->maxFragmentSz; +} + + /* Get the session cache mode for CTX * * ctx WOLFSSL_CTX struct to get cache mode from 
diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 15c1c7489d..f9160b6930 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4432,6 +4432,9 @@ struct WOLFSSL_SESSION { #endif #ifdef HAVE_EX_DATA WOLFSSL_CRYPTO_EX_DATA ex_data; +#endif +#ifdef OPENSSL_EXTRA + word32 maxFragmentSz; #endif byte isSetup:1; }; diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index d26cfdbb1d..14f222c34f 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -367,6 +367,8 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define SSL_SESSION_dup wolfSSL_SESSION_dup #define SSL_SESSION_free wolfSSL_SESSION_free #define SSL_SESSION_set_cipher wolfSSL_SESSION_set_cipher +#define SSL_SESSION_get_max_fragment_length \ + wolfSSL_SESSION_get_max_fragment_length #define SSL_is_init_finished wolfSSL_is_init_finished #define SSL_SESSION_set1_id wolfSSL_SESSION_set1_id @@ -834,6 +836,10 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define COMP_rle wolfSSL_COMP_rle #define SSL_COMP_add_compression_method wolfSSL_COMP_add_compression_method +#define SSL_get_current_compression(ssl) 0 +#define SSL_get_current_expansion(ssl) 0 +#define SSL_COMP_get_name wolfSSL_COMP_get_name + #define SSL_get_ex_new_index wolfSSL_get_ex_new_index #define RSA_get_ex_new_index wolfSSL_get_ex_new_index @@ -1227,6 +1233,7 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE; #define TLSEXT_STATUSTYPE_ocsp 1 +#define TLSEXT_max_fragment_length_DISABLED WOLFSSL_MFL_DISABLED #define TLSEXT_max_fragment_length_512 WOLFSSL_MFL_2_9 #define TLSEXT_max_fragment_length_1024 WOLFSSL_MFL_2_10 #define TLSEXT_max_fragment_length_2048 WOLFSSL_MFL_2_11 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index f12d32a23d..ba13f5ce59 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
@@ -1681,6 +1681,10 @@ WOLFSSL_API int wolfSSL_set_session_id_context(WOLFSSL* ssl, const unsigned cha WOLFSSL_API void wolfSSL_set_connect_state(WOLFSSL* ssl); WOLFSSL_API void wolfSSL_set_accept_state(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_session_reused(WOLFSSL* ssl); +#ifdef OPENSSL_EXTRA +WOLFSSL_API uint8_t wolfSSL_SESSION_get_max_fragment_length( + WOLFSSL_SESSION* session); +#endif WOLFSSL_API int wolfSSL_SESSION_up_ref(WOLFSSL_SESSION* session); WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session); WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_new(void); @@ -3916,6 +3920,7 @@ WOLFSSL_API int wolfSSL_ALPN_FreePeerProtocol(WOLFSSL* ssl, char **list); /* Fragment lengths */ enum { + WOLFSSL_MFL_DISABLED = 0, WOLFSSL_MFL_2_9 = 1, /* 512 bytes */ WOLFSSL_MFL_2_10 = 2, /* 1024 bytes */ WOLFSSL_MFL_2_11 = 3, /* 2048 bytes */ @@ -5197,6 +5202,7 @@ WOLFSSL_API int wolfSSL_i2a_ASN1_OBJECT(WOLFSSL_BIO *bp, WOLFSSL_ASN1_OBJECT *a) WOLFSSL_API int wolfSSL_i2d_ASN1_OBJECT(WOLFSSL_ASN1_OBJECT *a, unsigned char **pp); WOLFSSL_API void SSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx, WOLFSSL_DH *(*dh) (WOLFSSL *ssl, int is_export, int keylength)); WOLFSSL_API WOLF_STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); +WOLFSSL_API const char* wolfSSL_COMP_get_name(const void* comp); WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, const char *file, const char *dir); WOLFSSL_API int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *ctx, WOLFSSL_X509_CRL *x); WOLFSSL_API int wolfSSL_sk_SSL_CIPHER_num(const WOLF_STACK_OF(WOLFSSL_CIPHER)* p); From ff7626419e5733c9b10ce30229fde7dbc611066f Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 22 May 2024 17:03:47 -0600 Subject: [PATCH 02/13] add some simple test cases --- tests/api.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tests/api.c b/tests/api.c index ecf9b36a48..f8833139f6 100644 --- a/tests/api.c +++ b/tests/api.c 
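Review bot: `WOLFSSL_MFL_DISABLED = 0` joins an enum whose other members are the on-the-wire MaxFragmentLength codes, but nothing in this series shows wolfSSL_UseMaxFragment/wolfSSL_CTX_UseMaxFragment treating 0 as "clear the extension", which is what OpenSSL's SSL_set_tlsext_max_fragment_length does for TLSEXT_max_fragment_length_DISABLED; if the setters still reject 0, the new alias compiles for socat but fails at runtime. The UNKNOWN_MAX_FRAG_LEN_E check visible in TLSX_MFL_Parse later in this series presumably keeps a peer-supplied 0 out, so the only open question is the setter contract. Pin it with one assertion next to the existing wolfSSL_UseMaxFragment cases, `ExpectIntEQ(wolfSSL_UseMaxFragment(ssl, WOLFSSL_MFL_DISABLED), WOLFSSL_SUCCESS);` (or WOLFSSL_FAILURE if rejection is intended), and document the member: `/* 0: no max fragment length extension (TLSEXT_max_fragment_length_DISABLED) */`.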
@@ -47961,6 +47961,12 @@ static int test_wolfSSL_CTX_sess_set_remove_cb(void) ExpectNull(SSL_SESSION_get_ex_data(serverSess, serverSessRemIdx)); ExpectIntEQ(serverSessRemCountFree, 1); + /* check on the max fragment size */ +#ifdef HAVE_MAX_FRAGMENT + ExpectIntEQ(SSL_SESSION_get_max_fragment_length(serverSess), + MAX_RECORD_SIZE); +#endif + /* Need to free the references that we kept */ SSL_CTX_free(serverSessCtx); SSL_SESSION_free(serverSess); @@ -63202,8 +63208,15 @@ static int test_stubs_are_stubs(void) CHECKZERO_RET(wolfSSL_CTX_sess_misses, ctx, ctxN); CHECKZERO_RET(wolfSSL_CTX_sess_timeouts, ctx, ctxN); + /* when implemented this should take WOLFSSL object insted, right now + * always returns 0 */ + CHECKZERO_RET(SSL_get_current_expansion, ctx, ctxN); + wolfSSL_CTX_free(ctx); ctx = NULL; + + ExpectStrEQ(SSL_COMP_get_name(NULL), "not supported"); + ExpectIntEQ(SSL_get_current_expansion(), 0); #endif /* OPENSSL_EXTRA && !NO_WOLFSSL_STUB && (!NO_WOLFSSL_CLIENT || * !NO_WOLFSSL_SERVER) */ return EXPECT_RESULT(); From 2caee1c7c54bb80734c28dfd00afc0934eab75c2 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 31 May 2024 11:54:53 -0600 Subject: [PATCH 03/13] add support for spaces around '=' with x509 name print --- src/x509.c | 23 ++++++++++++++++++----- tests/api.c | 12 ++++++++++++ wolfssl/openssl/x509.h | 2 +- 3 files changed, 31 insertions(+), 6 deletions(-) diff --git a/src/x509.c b/src/x509.c index 19c145ce24..b3a1b03deb 100644 --- a/src/x509.c +++ b/src/x509.c @@ -13051,6 +13051,7 @@ static int wolfSSL_EscapeString_RFC2253(char* in, word32 inSz, * RFC22523 currently implemented. * XN_FLAG_DN_REV - print name reversed. Automatically done by * XN_FLAG_RFC2253. + * XN_FLAG_SPC_EQ - spaces before and after '=' character * * Returns WOLFSSL_SUCCESS (1) on success, WOLFSSL_FAILURE (0) on failure. */ 
@@ -13058,6 +13059,8 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, int indent, unsigned long flags) { int i, count = 0, nameStrSz = 0, escapeSz = 0; + int eqSpace = 0; + char eqStr[4]; char* tmp = NULL; char* nameStr = NULL; const char *buf = NULL; @@ -13070,6 +13073,15 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, if ((name == NULL) || (name->sz == 0) || (bio == NULL)) return WOLFSSL_FAILURE; + XMEMSET(eqStr, 0, sizeof(eqStr)); + if (flags & XN_FLAG_SPC_EQ) { + eqSpace = 2; + XSTRNCPY(eqStr, " = ", 4); + } + else { + XSTRNCPY(eqStr, "=", 4); + } + for (i = 0; i < indent; i++) { if (wolfSSL_BIO_write(bio, " ", 1) != 1) return WOLFSSL_FAILURE; @@ -13114,14 +13126,15 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, if (len == 0 || buf == NULL) return WOLFSSL_FAILURE; - tmpSz = nameStrSz + len + 4; /* + 4 for '=', comma space and '\0'*/ + /* + 4 for '=', comma space and '\0'*/ + tmpSz = nameStrSz + len + 4 + eqSpace; tmp = (char*)XMALLOC(tmpSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) { return WOLFSSL_FAILURE; } if (i < count - 1) { - if (XSNPRINTF(tmp, (size_t)tmpSz, "%s=%s, ", buf, nameStr) + if (XSNPRINTF(tmp, (size_t)tmpSz, "%s%s%s, ", buf, eqStr, nameStr) >= tmpSz) { WOLFSSL_MSG("buffer overrun"); 
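Review bot: The `eqStr[4]` buffer with its `XMEMSET`/`XSTRNCPY` pair and the separately maintained `eqSpace = 2` keep the separator and its length in two places; `const char* eqStr = (flags & XN_FLAG_SPC_EQ) ? " = " : "=";` followed by `int eqSpace = (int)XSTRLEN(eqStr) - 1;` expresses the same thing and cannot drift when the three `tmpSz` adjustments below are touched again. The bound itself is correct as written: `" = "` adds exactly the two bytes that `eqSpace` contributes to `tmpSz` before each XSNPRINTF, and the existing `>= tmpSz` checks still catch truncation. wolfSSL_X509_NAME_print_ex continues outside this hunk.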
@@ -13129,17 +13142,17 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, return WOLFSSL_FAILURE; } - tmpSz = len + nameStrSz + 3; /* 3 for '=', comma space */ + tmpSz = len + nameStrSz + 3 + eqSpace; /* 3 for '=', comma space */ } else { - if (XSNPRINTF(tmp, (size_t)tmpSz, "%s=%s", buf, nameStr) + if (XSNPRINTF(tmp, (size_t)tmpSz, "%s%s%s", buf, eqStr, nameStr) >= tmpSz) { WOLFSSL_MSG("buffer overrun"); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return WOLFSSL_FAILURE; } - tmpSz = len + nameStrSz + 1; /* 1 for '=' */ + tmpSz = len + nameStrSz + 1 + eqSpace; /* 1 for '=' */ if (bio->type != WOLFSSL_BIO_FILE && bio->type != WOLFSSL_BIO_MEMORY) ++tmpSz; /* include the terminating null when not writing to a * file. diff --git a/tests/api.c b/tests/api.c index f8833139f6..1f9fb52cbf 100644 --- a/tests/api.c +++ b/tests/api.c @@ -33467,6 +33467,7 @@ static int test_wolfSSL_X509_NAME_print_ex(void) X509_NAME* name = NULL; const char* expNormal = "C=US, CN=wolfssl.com"; + const char* expEqSpace = "C = US, CN = wolfssl.com"; const char* expReverse = "CN=wolfssl.com, C=US"; const char* expNotEscaped = "C= US,+\"\\ , CN=#wolfssl.com<>;"; @@ -33524,6 +33525,17 @@ static int test_wolfSSL_X509_NAME_print_ex(void) BIO_free(membio); membio = NULL; + /* Test with XN_FLAG_ONELINE which should enable XN_FLAG_SPC_EQ for + spaces aroun '=' */ + ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, XN_FLAG_ONELINE), + WOLFSSL_SUCCESS); + ExpectIntGE((memSz = BIO_get_mem_data(membio, &mem)), 0); + ExpectIntEQ(memSz, XSTRLEN(expEqSpace)); + ExpectIntEQ(XSTRNCMP((char*)mem, expEqSpace, XSTRLEN(expEqSpace)), 0); + BIO_free(membio); + membio = NULL; + /* Test flags: XN_FLAG_RFC2253 - should be reversed */ ExpectNotNull(membio = BIO_new(BIO_s_mem())); ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, diff --git a/wolfssl/openssl/x509.h b/wolfssl/openssl/x509.h index a603ce681f..9afb8e01c1 100644 --- a/wolfssl/openssl/x509.h 
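Review bot: The new XN_FLAG_ONELINE case only exercises a name with single-valued C and CN RDNs, so the other bits ONELINE now carries (`XN_FLAG_SEP_CPLUS_SPC`, `XN_FLAG_FN_SN`) and, more importantly, the escaping behaviour are not pinned; a second assertion on the name used for `expNotEscaped` would show whether ONELINE output stays unescaped, which matters wherever the printed DN feeds logs or access decisions. The comment also has a typo and should read `spaces around '='`. test_wolfSSL_X509_NAME_print_ex continues outside this hunk.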
+++ b/wolfssl/openssl/x509.h @@ -50,7 +50,6 @@ #define X509_FLAG_NO_IDS (1UL << 12) #define XN_FLAG_FN_SN 0 -#define XN_FLAG_ONELINE 0 #define XN_FLAG_COMPAT 0 #define XN_FLAG_RFC2253 1 #define XN_FLAG_SEP_COMMA_PLUS (1 << 16) @@ -68,6 +67,7 @@ #define XN_FLAG_FN_ALIGN (1 << 25) #define XN_FLAG_MULTILINE 0xFFFF +#define XN_FLAG_ONELINE (XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_SPC_EQ | XN_FLAG_FN_SN) /* * All of these aren't actually used in wolfSSL. Some are included to From 2445fe844a7758ae509d2a5b7bf275ae22f8b45f Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 31 May 2024 16:45:50 -0600 Subject: [PATCH 04/13] rework get max fragment length --- src/internal.c | 3 --- src/ssl_sess.c | 2 +- src/tls.c | 2 ++ tests/api.c | 34 +++++++++++++++++++++++++++------- wolfssl/internal.h | 3 ++- 5 files changed, 32 insertions(+), 12 deletions(-) diff --git a/src/internal.c b/src/internal.c index 8a2a584b25..56e72376ff 100644 --- a/src/internal.c +++ b/src/internal.c @@ -7605,9 +7605,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) "err = %d", ret); return MEMORY_E; } -#ifdef HAVE_MAX_FRAGMENT - ssl->session->maxFragmentSz = ssl->max_fragment; -#endif /* HAVE_MAX_FRAGMENT */ #ifdef HAVE_SESSION_TICKET ssl->options.noTicketTls12 = ctx->noTicketTls12; #endif diff --git a/src/ssl_sess.c b/src/ssl_sess.c index 695eb0677a..f2f4baaf10 100644 --- a/src/ssl_sess.c +++ b/src/ssl_sess.c @@ -754,7 +754,7 @@ uint8_t wolfSSL_SESSION_get_max_fragment_length(WOLFSSL_SESSION* session) return 0; } - return session->maxFragmentSz; + return session->mfl; } diff --git a/src/tls.c b/src/tls.c index 1a347a7579..03df15674b 100644 --- a/src/tls.c +++ b/src/tls.c @@ -2988,6 +2988,8 @@ static int TLSX_MFL_Parse(WOLFSSL* ssl, const byte* input, word16 length, WOLFSSL_ERROR_VERBOSE(UNKNOWN_MAX_FRAG_LEN_E); return UNKNOWN_MAX_FRAG_LEN_E; } + if (ssl->session != NULL) + ssl->session->mfl = *input; #ifndef NO_WOLFSSL_SERVER if (isRequest) { 
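Review bot: The new `XN_FLAG_ONELINE` omits the `ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE` bits OpenSSL bundles into the same macro, so code ported from OpenSSL that relies on ONELINE to get RFC 2253 escaping of `,`, `=`, `+`, leading `#` and control characters will print those bytes raw under wolfSSL, and a subject such as `CN=a, O=evil` can be forged into display or log output. Whether wolfSSL_X509_NAME_print_ex honours `XN_FLAG_SEP_CPLUS_SPC` is also not visible here; the function's header comment in this series lists only RFC2253, DN_REV and SPC_EQ as implemented. If the escape flags exist in wolfssl/openssl/asn1.h, fold them in, `#define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_SPC_EQ | XN_FLAG_FN_SN)`; otherwise add a comment stating that ONELINE output is not escaped so callers do not assume parity. Note this also changes behaviour for existing callers, since ONELINE used to be 0 and identical to XN_FLAG_COMPAT.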
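Review bot: `ssl->session->mfl = *input` records the peer's value the moment the extension is parsed, before the `isRequest` branch below decides how to respond, so on a server the session appears to carry the client's requested length even if the server answers with a different value or no extension at all, and the getter's own comment ("set when handshake was negotiated") would then be wrong; the rest of TLSX_MFL_Parse is outside this hunk, so this is inferred from the ordering shown. Moving the assignment to the point where the value is actually accepted (where ssl->max_fragment is updated, presumably) keeps the session field equal to the negotiated length on both sides. The preceding UNKNOWN_MAX_FRAG_LEN_E check does at least guarantee that only a recognised code is ever stored.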
diff --git a/tests/api.c b/tests/api.c index 1f9fb52cbf..4ecc5fa6f3 100644 --- a/tests/api.c +++ b/tests/api.c @@ -11307,6 +11307,31 @@ static int test_wolfSSL_UseMaxFragment(void) wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); + +#if defined(OPENSSL_EXTRA) && defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) + /* check negotiated max fragment size */ + { + WOLFSSL *ssl_c = NULL; + WOLFSSL *ssl_s = NULL; + struct test_memio_ctx test_ctx; + WOLFSSL_CTX *ctx_c = NULL; + WOLFSSL_CTX *ctx_s = NULL; + + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, + wolfTLSv1_2_client_method, wolfTLSv1_2_server_method), 0); + ExpectIntEQ(wolfSSL_UseMaxFragment(ssl_c, WOLFSSL_MFL_2_8), + WOLFSSL_SUCCESS); + ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); + ExpectIntEQ(SSL_SESSION_get_max_fragment_length( + wolfSSL_get_session(ssl_c)), WOLFSSL_MFL_2_8); + + wolfSSL_free(ssl_c); + wolfSSL_free(ssl_s); + wolfSSL_CTX_free(ctx_c); + wolfSSL_CTX_free(ctx_s); + } +#endif #endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ #endif return EXPECT_RESULT(); @@ -47946,6 +47971,7 @@ static int test_wolfSSL_CTX_sess_set_remove_cb(void) /* Both should have been allocated */ ExpectIntEQ(clientSessRemCountMalloc, 1); ExpectIntEQ(serverSessRemCountMalloc, 1); + /* This should not be called yet. Session wasn't evicted from cache yet. */ ExpectIntEQ(clientSessRemCountFree, 0); #if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ 
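Review bot: The new negotiation check reads only the client session, so it would still pass if the server merely stored the requested value without negotiating it; add `ExpectIntEQ(SSL_SESSION_get_max_fragment_length(wolfSSL_get_session(ssl_s)), WOLFSSL_MFL_2_8);` after the handshake, and a second handshake without wolfSSL_UseMaxFragment asserting `0` (WOLFSSL_MFL_DISABLED) so the unset case is pinned as well. A TLS 1.3 variant of the same block would be worth having, since the socat deployments this targets will mostly negotiate 1.3. test_wolfSSL_UseMaxFragment starts outside this hunk.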
@@ -47972,13 +47998,6 @@ static int test_wolfSSL_CTX_sess_set_remove_cb(void) ExpectIntEQ(SSL_CTX_remove_session(serverSessCtx, serverSess), 0); ExpectNull(SSL_SESSION_get_ex_data(serverSess, serverSessRemIdx)); ExpectIntEQ(serverSessRemCountFree, 1); - - /* check on the max fragment size */ -#ifdef HAVE_MAX_FRAGMENT - ExpectIntEQ(SSL_SESSION_get_max_fragment_length(serverSess), - MAX_RECORD_SIZE); -#endif - /* Need to free the references that we kept */ SSL_CTX_free(serverSessCtx); SSL_SESSION_free(serverSess); @@ -67062,6 +67081,7 @@ static int test_wolfSSL_dtls_stateless_maxfrag(void) /* CH without cookie shouldn't change state */ ExpectIntEQ(ssl_s->max_fragment, max_fragment); ExpectIntNE(test_ctx.c_len, 0); + /* consume HRR from buffer */ test_ctx.c_len = 0; ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index f9160b6930..7213016ea0 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4434,7 +4434,8 @@ struct WOLFSSL_SESSION { WOLFSSL_CRYPTO_EX_DATA ex_data; #endif #ifdef OPENSSL_EXTRA - word32 maxFragmentSz; + byte mfl; /* max fragment length negotiated i.e. + * WOLFSSL_MFL_2_8 (6) */ #endif byte isSetup:1; }; From 533aa48b14f3a10346d25039a7dbc28b36cc5350 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 31 May 2024 16:52:31 -0600 Subject: [PATCH 05/13] adjust macro guards around get max fragment --- src/ssl_sess.c | 2 ++ wolfssl/internal.h | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/ssl_sess.c b/src/ssl_sess.c index f2f4baaf10..0d5178c662 100644 --- a/src/ssl_sess.c +++ b/src/ssl_sess.c @@ -747,6 +747,7 @@ long wolfSSL_CTX_set_session_cache_mode(WOLFSSL_CTX* ctx, long mode) } #ifdef OPENSSL_EXTRA +#ifdef HAVE_MAX_FRAGMENT /* return the max fragment size set when handshake was negotiated */ uint8_t wolfSSL_SESSION_get_max_fragment_length(WOLFSSL_SESSION* session) { 
@@ -756,6 +757,7 @@ uint8_t wolfSSL_SESSION_get_max_fragment_length(WOLFSSL_SESSION* session) return session->mfl; } +#endif /* Get the session cache mode for CTX diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 7213016ea0..fa0c260702 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4433,7 +4433,7 @@ struct WOLFSSL_SESSION { #ifdef HAVE_EX_DATA WOLFSSL_CRYPTO_EX_DATA ex_data; #endif -#ifdef OPENSSL_EXTRA +#ifdef HAVE_MAX_FRAGMENT byte mfl; /* max fragment length negotiated i.e. * WOLFSSL_MFL_2_8 (6) */ #endif From 119d2a5da1dfeaefaa7091685c1ae8c695bc961e Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 4 Jun 2024 14:41:01 -0600 Subject: [PATCH 06/13] do session conversion dance --- src/ssl_sess.c | 5 +++++ src/tls.c | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/ssl_sess.c b/src/ssl_sess.c index 0d5178c662..4afd2b97bb 100644 --- a/src/ssl_sess.c +++ b/src/ssl_sess.c @@ -751,6 +751,7 @@ long wolfSSL_CTX_set_session_cache_mode(WOLFSSL_CTX* ctx, long mode) /* return the max fragment size set when handshake was negotiated */ uint8_t wolfSSL_SESSION_get_max_fragment_length(WOLFSSL_SESSION* session) { + session = ClientSessionToSession(session); if (session == NULL) { return 0; } @@ -3908,6 +3909,10 @@ static int wolfSSL_DupSessionEx(const WOLFSSL_SESSION* input, } ticBuff = NULL; +#ifdef HAVE_MAX_FRAGMENT + output->mfl = input->mfl; +#endif + #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_TICKET_NONCE_MALLOC) && \ (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) if (preallocUsed != NULL) diff --git a/src/tls.c b/src/tls.c index 03df15674b..8188183d7b 100644 --- a/src/tls.c +++ b/src/tls.c 
@@ -2988,8 +2988,9 @@ static int TLSX_MFL_Parse(WOLFSSL* ssl, const byte* input, word16 length, WOLFSSL_ERROR_VERBOSE(UNKNOWN_MAX_FRAG_LEN_E); return UNKNOWN_MAX_FRAG_LEN_E; } - if (ssl->session != NULL) + if (ssl->session != NULL) { ssl->session->mfl = *input; + } #ifndef NO_WOLFSSL_SERVER if (isRequest) { From 3d33c78e9d08cb6cb374b1a8b6bbdce3dfd4980b Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 6 Jun 2024 16:30:40 -0600 Subject: [PATCH 07/13] use unsigned char instead of uint8_t --- src/ssl_sess.c | 2 +- wolfssl/ssl.h | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/ssl_sess.c b/src/ssl_sess.c index 4afd2b97bb..0600d4760e 100644 --- a/src/ssl_sess.c +++ b/src/ssl_sess.c @@ -749,7 +749,7 @@ long wolfSSL_CTX_set_session_cache_mode(WOLFSSL_CTX* ctx, long mode) #ifdef OPENSSL_EXTRA #ifdef HAVE_MAX_FRAGMENT /* return the max fragment size set when handshake was negotiated */ -uint8_t wolfSSL_SESSION_get_max_fragment_length(WOLFSSL_SESSION* session) +unsigned char wolfSSL_SESSION_get_max_fragment_length(WOLFSSL_SESSION* session) { session = ClientSessionToSession(session); if (session == NULL) { diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index ba13f5ce59..f21eb749e8 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1682,7 +1682,8 @@ WOLFSSL_API void wolfSSL_set_connect_state(WOLFSSL* ssl); WOLFSSL_API void wolfSSL_set_accept_state(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_session_reused(WOLFSSL* ssl); #ifdef OPENSSL_EXTRA -WOLFSSL_API uint8_t wolfSSL_SESSION_get_max_fragment_length( +/* using unsigned char instead of uint8_t here to avoid stdint include */ +WOLFSSL_API unsigned char wolfSSL_SESSION_get_max_fragment_length( WOLFSSL_SESSION* session); #endif WOLFSSL_API int wolfSSL_SESSION_up_ref(WOLFSSL_SESSION* session); From b9e5c0252d48a4fa9fdee1e3ec6c62f7e0e681c4 Mon Sep 17 00:00:00 2001 
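Review bot: The prototype is guarded by `OPENSSL_EXTRA` alone while the definition in ssl_sess.c (patch 05) sits under both `OPENSSL_EXTRA` and `HAVE_MAX_FRAGMENT`, and the `SSL_SESSION_get_max_fragment_length` macro in openssl/ssl.h is unconditional; a build with opensslextra but without --enable-maxfragment therefore declares a function that is never defined, and socat fails at link time rather than at configure time. Either wrap the declaration and the compatibility macro in `#ifdef HAVE_MAX_FRAGMENT` as well, or keep the symbol and return `WOLFSSL_MFL_DISABLED` from an `#else` branch in ssl_sess.c so the API degrades to "not negotiated". The CI workflow added later in this series always passes --enable-maxfragment, so it would not catch this.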
From: JacobBarthelmeh Date: Mon, 10 Jun 2024 16:19:27 -0600 Subject: [PATCH 08/13] remove extra asign and use ExpectIntEQ test directly --- src/ssl_sess.c | 4 ---- tests/api.c | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/src/ssl_sess.c b/src/ssl_sess.c index 0600d4760e..0a5da2f9b8 100644 --- a/src/ssl_sess.c +++ b/src/ssl_sess.c @@ -3909,10 +3909,6 @@ static int wolfSSL_DupSessionEx(const WOLFSSL_SESSION* input, } ticBuff = NULL; -#ifdef HAVE_MAX_FRAGMENT - output->mfl = input->mfl; -#endif - #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_TICKET_NONCE_MALLOC) && \ (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) if (preallocUsed != NULL) diff --git a/tests/api.c b/tests/api.c index 4ecc5fa6f3..2a8e864f9b 100644 --- a/tests/api.c +++ b/tests/api.c @@ -63241,7 +63241,7 @@ static int test_stubs_are_stubs(void) /* when implemented this should take WOLFSSL object insted, right now * always returns 0 */ - CHECKZERO_RET(SSL_get_current_expansion, ctx, ctxN); + ExpectIntEQ(SSL_get_current_expansion(NULL), 0); wolfSSL_CTX_free(ctx); ctx = NULL; From 30dbf7c047c6d3ca64bb54f524d19042fb07ec14 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 10 Jun 2024 16:56:54 -0600 Subject: [PATCH 09/13] add socat yml CI test --- .github/workflows/socat.yml | 53 +++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/socat.yml diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml new file mode 100644 index 0000000000..7c0dd97085 --- /dev/null +++ b/.github/workflows/socat.yml 
@@ -0,0 +1,53 @@ +name: socat Tests + +# START OF COMMON SECTION +on: + push: + branches: [ 'master' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true +# END OF COMMON SECTION + +jobs: + socat_check: + strategy: + fail-fast: false + runs-on: ubuntu-latest + # This should be a safe limit for the tests to run. + timeout-minutes: 30 + steps: + - name: Install prereqs + run: + sudo apt-get install build-essential autoconf libtool pkg-config clang libc++-dev + + - name: Build wolfSSL + uses: wolfSSL/actions-build-autotools-project@v1 + with: + path: wolfssl + configure: --enable-maxfragment --enable-opensslall --enable-opensslextra --enable-dtls --enable-oldtls --enable-tlsv10 --enable-ipv6 'CPPFLAGS=-DWOLFSSL_NO_DTLS_SIZE_CHECK -DOPENSSL_COMPATIBLE_DEFAULTS' + install: true + + - name: Download socat + run: curl -O http://www.dest-unreach.org/socat/download/socat-1.8.0.0.tar.gz && tar xvf socat-1.8.0.0.tar.gz + + - name: Checkout OSP + uses: actions/checkout@v4 + with: + repository: wolfssl/osp + path: osp + + - name: Build socat + working-directory: ./socat-1.8.0.0 + run: | + patch -p1 < ../osp/socat/1.8.0.0/socat-1.8.0.0.patch + autoreconf -vfi + ./configure --with-wolfssl=/usr/local + make + + - name: Run socat tests + working-directory: ./socat-1.8.0.0 + run: ./test.sh --expect-fail 146,216,309,310,386,402,459,460 From 3d70fb1d50c6022824bf67828774da1f24d3c960 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 13 Jun 2024 12:51:51 -0600 Subject: [PATCH 10/13] adjust test yml file --- .github/workflows/socat.yml | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index 7c0dd97085..f18161809f 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml 
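Review bot: The socat tarball is fetched with `curl -O http://www.dest-unreach.org/...` over plain HTTP with no checksum, then patched, built and executed in CI, so anyone on the path to that host can substitute the archive; use the HTTPS URL with `curl -fsSLO` and verify the published digest before extracting, `echo "<sha256>  socat-1.8.0.0.tar.gz" | sha256sum -c -`. The `wolfssl/osp` checkout that supplies the patch has no `ref:`, so the code applied also floats with that repository's default branch and should be pinned to a commit. The workflow runs on every pull request and declares no `permissions:` block, so `permissions: contents: read` at the top would limit the GITHUB_TOKEN to what the job needs. `apt-get install` without `-y` also relies on every listed package already being present on the runner image.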
@@ -3,7 +3,7 @@ name: socat Tests # START OF COMMON SECTION on: push: - branches: [ 'master' ] + branches: [ 'master', 'main', 'release/**' ] pull_request: branches: [ '*' ] @@ -13,23 +13,41 @@ concurrency: # END OF COMMON SECTION jobs: + build_wolfssl: + runs-on: ubuntu-latest + timeout-minutes: 4 + - name: Build wolfSSL + uses: wolfSSL/actions-build-autotools-project@v1 + with: + path: wolfssl + configure: --enable-maxfragment --enable-opensslall --enable-opensslextra --enable-dtls --enable-oldtls --enable-tlsv10 --enable-ipv6 'CPPFLAGS=-DWOLFSSL_NO_DTLS_SIZE_CHECK -DOPENSSL_COMPATIBLE_DEFAULTS' + install: true + + - name: Upload built lib + uses: actions/upload-artifact@v4 + with: + name: wolf-install-socat + path: build-dir + retention-days: 3 + + socat_check: strategy: fail-fast: false runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 30 + needs: build_wolfssl steps: - name: Install prereqs run: sudo apt-get install build-essential autoconf libtool pkg-config clang libc++-dev - - name: Build wolfSSL - uses: wolfSSL/actions-build-autotools-project@v1 + - name: Download lib + uses: actions/download-artifact@v4 with: - path: wolfssl - configure: --enable-maxfragment --enable-opensslall --enable-opensslextra --enable-dtls --enable-oldtls --enable-tlsv10 --enable-ipv6 'CPPFLAGS=-DWOLFSSL_NO_DTLS_SIZE_CHECK -DOPENSSL_COMPATIBLE_DEFAULTS' - install: true + name: wolf-install-socat + path: build-dir - name: Download socat run: curl -O http://www.dest-unreach.org/socat/download/socat-1.8.0.0.tar.gz && tar xvf socat-1.8.0.0.tar.gz @@ -45,7 +63,7 @@ jobs: run: | patch -p1 < ../osp/socat/1.8.0.0/socat-1.8.0.0.patch autoreconf -vfi - ./configure --with-wolfssl=/usr/local + ./configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir make - name: Run socat tests From 98d2ca1d426b4c6d0e9f92819c20c601a1379059 Mon Sep 17 00:00:00 2001 
From: JacobBarthelmeh Date: Thu, 13 Jun 2024 12:55:41 -0600 Subject: [PATCH 11/13] fix updated socat yml file --- .github/workflows/socat.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index f18161809f..b7c692ec4d 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -14,16 +14,18 @@ concurrency: jobs: build_wolfssl: + name: Build wolfSSL runs-on: ubuntu-latest timeout-minutes: 4 - - name: Build wolfSSL + steps: + - name: Build wolfSSL uses: wolfSSL/actions-build-autotools-project@v1 with: path: wolfssl configure: --enable-maxfragment --enable-opensslall --enable-opensslextra --enable-dtls --enable-oldtls --enable-tlsv10 --enable-ipv6 'CPPFLAGS=-DWOLFSSL_NO_DTLS_SIZE_CHECK -DOPENSSL_COMPATIBLE_DEFAULTS' install: true - - name: Upload built lib + - name: Upload built lib uses: actions/upload-artifact@v4 with: name: wolf-install-socat From 512b468dbba7d280c70d85ee122cc1f0a8a8a610 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 13 Jun 2024 13:15:31 -0600 Subject: [PATCH 12/13] explicit socat path with test --- .github/workflows/socat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index b7c692ec4d..ac90a87ec3 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -70,4 +70,4 @@ jobs: - name: Run socat tests working-directory: ./socat-1.8.0.0 - run: ./test.sh --expect-fail 146,216,309,310,386,402,459,460 + run: SOCAT=$GITHUB_WORKSPACE/socat-1.8.0.0/socat ./test.sh --expect-fail 146,216,309,310,386,402,459,460 From 9175355c812f47045bdce893047798c34cf35b05 Mon Sep 17 00:00:00 2001 
From: JacobBarthelmeh Date: Fri, 14 Jun 2024 11:24:27 -0600 Subject: [PATCH 13/13] set LD_LIBRARY_PATH for socat test work around hang from test 373 to 374 add setting SHELL env for socat test remove some tests for exec sniffing and sorted address options failing with actions but not locally --- .github/workflows/socat.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index ac90a87ec3..98c612d840 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -70,4 +70,7 @@ jobs: - name: Run socat tests working-directory: ./socat-1.8.0.0 - run: SOCAT=$GITHUB_WORKSPACE/socat-1.8.0.0/socat ./test.sh --expect-fail 146,216,309,310,386,402,459,460 + run: | + export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH + export SHELL=/bin/bash + SOCAT=$GITHUB_WORKSPACE/socat-1.8.0.0/socat ./test.sh -t 0.5 --expect-fail 146,216,309,310,386,399,402,459,460,467,468,478,492,528,530
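Review bot: The `--expect-fail` list grows from 8 to 15 tests and the per-test timeout drops to `-t 0.5` on the same line, with the reasons only in the commit message, so a future TLS regression in one of those numbers would be accepted silently; put the rationale beside the list as a YAML comment naming each group's reason (exec sniffing, sorted address options, the 373/374 hang) next to its numbers, and state why `-t 0.5` is safe, since a shorter timeout can make slow handshakes on a loaded runner fail for reasons unrelated to wolfSSL. Whether any of the listed tests are OpenSSL-address tests, and therefore the ones that actually exercise the wolfSSL shim, is not visible here; if they are, they belong in a fix rather than in the allow-list.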