Refactor and code review

- Refactor object hashing into one function
- Allow multiple WOLFSSL_ASSERT_SIZEOF_GE in one function
pull/5476/head
Juliusz Sosinowicz 2022-08-19 11:31:00 +02:00
parent 06022e85a3
commit e565d0d7de
5 changed files with 61 additions and 75 deletions


@ -33340,31 +33340,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif /* !WOLFSSL_NO_TLS12 */
#ifdef HAVE_SESSION_TICKET
/* Make a work from the front of random hash */
static WC_INLINE word32 MakeWordFromHash(const byte* hashID)
{
return ((word32)hashID[0] << 24) | ((word32)hashID[1] << 16) |
((word32)hashID[2] << 8) | (word32)hashID[3];
}
/* Check to make sure that the callback has actually encrypted the ticket */
static word32 compute_InternalTicket_hash(InternalTicket *a)
{
byte digest[WC_MAX_DIGEST_SIZE];
int error;
#ifndef NO_MD5
error = wc_Md5Hash((byte*)a, sizeof(*a), digest);
#elif !defined(NO_SHA)
error = wc_ShaHash((byte*)a, sizeof(*a), digest);
#elif !defined(NO_SHA256)
error = wc_Sha256Hash((byte*)a, sizeof(*a), digest);
#else
#error "We need a digest to hash the InternalTicket"
#endif
return error == 0 ? MakeWordFromHash(digest) : 0; /* 0 on failure */
}
/* create a new session ticket, 0 on success */
int CreateTicket(WOLFSSL* ssl)
@ -33373,6 +33348,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ExternalTicket* et;
int encLen;
int ret;
int error;
word32 itHash = 0;
byte zeros[WOLFSSL_TICKET_MAC_SZ]; /* biggest cmp size */
@ -33476,10 +33452,15 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ret = BAD_TICKET_ENCRYPT;
}
else {
itHash = compute_InternalTicket_hash(it);
ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac, 1,
et->enc_ticket, sizeof(InternalTicket),
&encLen, ssl->ctx->ticketEncCtx);
itHash = HashObject((byte*)it, sizeof(*it), &error);
if (error == 0) {
ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac,
1, et->enc_ticket, sizeof(InternalTicket), &encLen,
ssl->ctx->ticketEncCtx);
}
else {
ret = WOLFSSL_TICKET_RET_FATAL;
}
}
if (ret != WOLFSSL_TICKET_RET_OK) {
#ifdef WOLFSSL_ASYNC_CRYPT
@ -33498,9 +33479,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
/* sanity checks on encrypt callback */
/* internal ticket can't be the same if encrypted */
if (itHash == compute_InternalTicket_hash(it))
if (itHash == HashObject((byte*)it, sizeof(*it), &error) || error != 0)
{
WOLFSSL_MSG("User ticket encrypt didn't encrypt");
WOLFSSL_MSG("User ticket encrypt didn't encrypt or hash failed");
ret = BAD_TICKET_ENCRYPT;
goto error;
}
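Review bot: The encrypt sanity check in CreateTicket (`itHash == HashObject((byte*)it, sizeof(*it), &error) || error != 0`) compares only a 32-bit prefix of a digest taken before and after the callback, so it can show that the buffer changed, not that the ticket was actually encrypted or authenticated. A comment above it should say so, for example `/* detects an untouched buffer only; a callback that alters the ticket without encrypting it still passes */`. Separately, the new local `int error;` shares its name with the label targeted by `goto error;` in the same function; that is legal C but easy to misread, and a name such as `hashErr` would avoid it. CreateTicket starts and ends outside the hunks shown.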


@ -4731,19 +4731,6 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
}
#endif /* !leanpsk */
#if !defined(NO_CERTS) || !defined(NO_SESSION_CACHE)
/* Make a work from the front of random hash */
static WC_INLINE word32 MakeWordFromHash(const byte* hashID)
{
return ((word32)hashID[0] << 24) | ((word32)hashID[1] << 16) |
((word32)hashID[2] << 8) | (word32)hashID[3];
}
#endif /* !NO_CERTS || !NO_SESSION_CACHE */
#ifndef NO_CERTS
/* hash is the SHA digest of name, just use first 32 bits as hash */
@ -13249,25 +13236,6 @@ int wolfSSL_Cleanup(void)
#ifndef NO_SESSION_CACHE
/* some session IDs aren't random after all, let's make them random */
static WC_INLINE word32 HashSession(const byte* sessionID, word32 len, int* error)
{
byte digest[WC_MAX_DIGEST_SIZE];
#ifndef NO_MD5
*error = wc_Md5Hash(sessionID, len, digest);
#elif !defined(NO_SHA)
*error = wc_ShaHash(sessionID, len, digest);
#elif !defined(NO_SHA256)
*error = wc_Sha256Hash(sessionID, len, digest);
#else
#error "We need a digest to hash the session IDs"
#endif
return *error == 0 ? MakeWordFromHash(digest) : 0; /* 0 on failure */
}
WOLFSSL_ABI
void wolfSSL_flush_sessions(WOLFSSL_CTX* ctx, long tm)
{
@ -13396,7 +13364,7 @@ WOLFSSL_SESSION* wolfSSL_GetSessionClient(WOLFSSL* ssl, const byte* id, int len)
}
#endif
row = HashSession(id, len, &error) % CLIENT_SESSION_ROWS;
row = HashObject(id, len, &error) % CLIENT_SESSION_ROWS;
if (error != 0) {
WOLFSSL_MSG("Hash session failed");
return NULL;
@ -13559,7 +13527,7 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
}
#endif
row = HashSession(id, ID_LEN, &error) % SESSION_ROWS;
row = HashObject(id, ID_LEN, &error) % SESSION_ROWS;
if (error != 0) {
WOLFSSL_MSG("Hash session failed");
return WOLFSSL_FAILURE;
@ -13851,11 +13819,11 @@ ClientSession* AddSessionToClientCache(int side, int row, int idx, byte* serverI
WOLFSSL_MSG("Trying to add client cache entry");
if (idLen) {
clientRow = HashSession(serverID,
clientRow = HashObject(serverID,
idLen, &error) % CLIENT_SESSION_ROWS;
}
else if (serverID != NULL) {
clientRow = HashSession(sessionID,
clientRow = HashObject(sessionID,
ID_LEN, &error) % CLIENT_SESSION_ROWS;
}
else {
@ -13869,7 +13837,7 @@ ClientSession* AddSessionToClientCache(int side, int row, int idx, byte* serverI
ClientCache[clientRow].Clients[clientIdx].serverIdx =
(word16)idx;
if (sessionID != NULL) {
sessionIDHash = HashSession(sessionID, ID_LEN, &error);
sessionIDHash = HashObject(sessionID, ID_LEN, &error);
if (error == 0) {
ClientCache[clientRow].Clients[clientIdx].sessionIDHash
= sessionIDHash;
@ -13963,7 +13931,7 @@ WOLFSSL_SESSION* ClientSessionToSession(const WOLFSSL_SESSION* session)
}
if (error == 0) {
/* Calculate the hash of the session ID */
sessionIDHash = HashSession(cacheSession->sessionID, ID_LEN,
sessionIDHash = HashObject(cacheSession->sessionID, ID_LEN,
&error);
}
if (error == 0) {
@ -14041,7 +14009,7 @@ int AddSessionToCache(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* addSession,
}
#endif
/* Use the session object in the cache for external cache if required */
row = (int)(HashSession(id, ID_LEN, &ret) % SESSION_ROWS);
row = (int)(HashObject(id, ID_LEN, &ret) % SESSION_ROWS);
if (ret != 0) {
WOLFSSL_MSG("Hash session failed");
#ifdef HAVE_SESSION_TICKET
@ -31226,7 +31194,7 @@ static void SESSION_ex_data_cache_update(WOLFSSL_SESSION* session, int idx,
if (session->haveAltSessionID)
id = session->altSessionID;
row = (int)(HashSession(id, ID_LEN, &error) % SESSION_ROWS);
row = (int)(HashObject(id, ID_LEN, &error) % SESSION_ROWS);
if (error != 0) {
WOLFSSL_MSG("Hash session failed");
return;
@ -33038,7 +33006,7 @@ int wolfSSL_SSL_CTX_remove_session(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *s)
if (s->haveAltSessionID)
id = s->altSessionID;
row = (int)(HashSession(id, ID_LEN, &ret) % SESSION_ROWS);
row = (int)(HashObject(id, ID_LEN, &ret) % SESSION_ROWS);
if (ret != 0) {
WOLFSSL_MSG("Hash session failed");
return ret;
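Review bot: In the AddSessionToClientCache hunk the second branch tests `serverID != NULL` but then hashes `sessionID` via `HashObject(sessionID, ID_LEN, &error)`. The later `if (sessionID != NULL)` in the same function suggests sessionID may be NULL there, in which case a NULL pointer would be handed to the digest routine. The guard predates this commit, but since the call is being touched it is worth confirming whether it should read `else if (sessionID != NULL) {`. The other call sites are a mechanical rename and keep their `error`/`ret` checks after the modulo. The function bodies start and end outside the hunks.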


@ -802,6 +802,40 @@ WC_STATIC WC_INLINE byte w64LT(w64wrapper a, w64wrapper b)
#endif /* WORD64_AVAILABLE && !WOLFSSL_W64_WRAPPER_TEST */
#endif /* WOLFSSL_W64_WRAPPER */
#if defined(HAVE_SESSION_TICKET) || !defined(NO_CERTS) || \
!defined(NO_SESSION_CACHE)
/* Make a word from the front of random hash */
WC_STATIC WC_INLINE word32 MakeWordFromHash(const byte* hashID)
{
return ((word32)hashID[0] << 24) | ((word32)hashID[1] << 16) |
((word32)hashID[2] << 8) | (word32)hashID[3];
}
#endif /* HAVE_SESSION_TICKET || !NO_CERTS || !NO_SESSION_CACHE */
#if !defined(NO_SESSION_CACHE) || defined(HAVE_SESSION_TICKET)
#include <wolfssl/wolfcrypt/hash.h>
/* some session IDs aren't random after all, let's make them random */
WC_STATIC WC_INLINE word32 HashObject(const byte* o, word32 len, int* error)
{
byte digest[WC_MAX_DIGEST_SIZE];
#ifndef NO_MD5
*error = wc_Md5Hash(o, len, digest);
#elif !defined(NO_SHA)
*error = wc_ShaHash(o, len, digest);
#elif !defined(NO_SHA256)
*error = wc_Sha256Hash(o, len, digest);
#else
#error "We need a digest to hash the session IDs"
#endif
return *error == 0 ? MakeWordFromHash(digest) : 0; /* 0 on failure */
}
#endif /* !NO_SESSION_CACHE || HAVE_SESSION_TICKET */
#undef WC_STATIC
#endif /* !WOLFSSL_MISC_INCLUDED && !NO_INLINE */
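Review bot: HashObject is now the general helper, yet its header comment (`some session IDs aren't random after all, let's make them random`) and the `#error "We need a digest to hash the session IDs"` text still describe only the session-cache use. The doc comment should state the contract: it returns the first four digest bytes as a big-endian word32, uses MD5, else SHA-1, else SHA-256 depending on the build, and sets `*error` and returns 0 on failure. It should also say the value is meant for cache row selection and change detection, not as a collision-resistant identifier. Since CreateTicket now passes the InternalTicket through it, it may be worth clearing `digest` before returning (for example with `ForceZero`, after saving the word in a local), assuming the ticket holds secret material. The `#include <wolfssl/wolfcrypt/hash.h>` in the middle of the file would read better next to the other includes at the top.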


@ -1706,9 +1706,10 @@ enum Misc {
#define MAX_ENCRYPT_SZ ENCRYPT_LEN
#define WOLFSSL_ASSERT_SIZEOF_GE(x, y) \
typedef char _args_test[sizeof((x)) >= sizeof((y)) ? 1 : -1]; \
(void)sizeof(_args_test)
#define WOLFSSL_ASSERT_SIZEOF_GE(x, y) do { \
typedef char _args_test_[sizeof((x)) >= sizeof((y)) ? 1 : -1]; \
(void)sizeof(_args_test_); \
} while(0)
/* states. Adding state before HANDSHAKE_DONE will break session importing */
enum states {
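Review bot: Wrapping WOLFSSL_ASSERT_SIZEOF_GE in `do { … } while(0)` turns it from a declaration into a statement, so in C89-style builds it can no longer sit among the declarations at the top of a block; any existing use placed before a later declaration would stop compiling. The call sites are not visible here, so this is something to check rather than a confirmed break. A short comment on the macro, such as `/* compile-time check; expands to a statement, place after local declarations */`, would record the constraint.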


@ -127,6 +127,8 @@ WOLFSSL_LOCAL byte ctMaskSel(byte m, byte a, byte b);
WOLFSSL_LOCAL int ctMaskSelInt(byte m, int a, int b);
WOLFSSL_LOCAL byte ctSetLTE(int a, int b);
WOLFSSL_LOCAL void ctMaskCopy(byte mask, byte* dst, byte* src, word16 size);
WOLFSSL_LOCAL word32 MakeWordFromHash(const byte* hashID);
WOLFSSL_LOCAL word32 HashObject(const byte* o, word32 len, int* error);
#endif /* NO_INLINE */