wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
https://www.wolfssl.com
GNU General Public License v2.0

[Bug]: `wolfSSL_get_session` behavior changed with session cache #6061

Open embhorn opened 1 year ago

embhorn commented 1 year ago

Contact Details

eric@wolfssl.com

Version

master

Description

wolfSSL_get_session is marked with WOLFSSL_ABI. In that case it will need different logic based on NO_SESSION_CACHE_REF

The resume example fails with --enable-all, but works with only --enable-session-ticket. Is this because of session cache? Is it expected not to work?

https://github.com/wolfSSL/wolfssl-examples/blob/master/tls/client-tls-resume.c

Failure:

wolfSSL Entering ClientSessionToSession
Setting session for wrong role

It uses wolfSSL_get_session, which gets a reference to the ssl->session pointer, but that gets freed with wolfSSL_free.

The example as is won't work with NO_SESSION_CACHE_REF defined.

To make things more interesting: without NO_SESSION_CACHE_REF, wolfSSL_get_session returns a pointer to the ClientCache. That is why it works without --enable-all.

--enable-all turns on NO_SESSION_CACHE_REF

If we have changed behavior for some of our existing APIs, especially ones marked with WOLFSSL_ABI, we need to review this more closely. Forcing our examples to use get1 vs get seems wrong. If there is a build case (like with NO_SESSION_CACHE_REF) that needs to use get1, then the example should have macro logic for each supported case.

wolfSSL_get_session is marked with WOLFSSL_ABI. In that case it will need different logic based on NO_SESSION_CACHE_REF.

Reproduction steps

No response

Relevant log output

No response
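
The ownership difference described in this report (a borrowed pointer from "get" that dies with the connection, versus an owned reference from "get1"), as an added toy model in C; it is not wolfSSL code and not part of the original issue. Every `toy_*` name is hypothetical, and the reference count is an assumption of the model rather than a statement about wolfSSL internals.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model only, NOT wolfSSL code: all toy_* names are hypothetical and
 * the reference count is an assumption of this model. */
typedef struct { int refs; unsigned char id[4]; } toy_session;
typedef struct { toy_session *session; } toy_conn;

static int live_sessions; /* observes frees without reading freed memory */

static void toy_session_free(toy_session *s) {
    if (s != NULL && --s->refs == 0) { free(s); live_sessions--; }
}

static toy_conn *toy_conn_new(void) {
    toy_conn *c = malloc(sizeof *c);
    toy_session *s = malloc(sizeof *s);
    if (c == NULL || s == NULL) { free(c); free(s); return NULL; }
    s->refs = 1;                                     /* connection's own reference */
    memcpy(s->id, "\x01\x02\x03\x04", sizeof s->id); /* constructed session id */
    c->session = s;
    live_sessions++;
    return c;
}

/* "get": borrowed pointer, valid only while the connection lives. */
static toy_session *toy_get_session(toy_conn *c) { return c->session; }
/* "get1": caller takes a reference and must call toy_session_free(). */
static toy_session *toy_get1_session(toy_conn *c) { c->session->refs++; return c->session; }
static void toy_conn_free(toy_conn *c) { toy_session_free(c->session); free(c); }

/* Sessions alive after the connection is freed: 0 means the borrowed
 * pointer now dangles and must not be handed to a new connection. */
int borrowed_survives_free(void) {
    toy_conn *c = toy_conn_new();
    if (c == NULL) return -1;
    toy_session *s = toy_get_session(c);
    (void)s;             /* never dereferenced after the free below */
    toy_conn_free(c);
    return live_sessions;
}

/* 1 if the owned session outlives the connection and is released cleanly. */
int owned_survives_free(void) {
    toy_conn *c = toy_conn_new();
    if (c == NULL) return -1;
    toy_session *s = toy_get1_session(c);
    toy_conn_free(c);
    int ok = live_sessions == 1 && s->refs == 1 && s->id[0] == 0x01;
    toy_session_free(s);
    return ok && live_sessions == 0;
}
```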

dgarske commented 1 year ago

https://github.com/wolfSSL/wolfssl-examples/pull/368