From 2d36eca90e9409915cd1c9e808d1d70616aece29 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Wed, 3 Jun 2026 00:24:46 +0200
Subject: [PATCH] F-4868: reject trailing bytes in TLS 1.3 CertificateRequest

DoTls13CertificateRequest advanced past the certificate_request_context and extensions blocks but never verified the whole message body was consumed, silently ignoring trailing bytes. RFC 8446 Section 4.3.2 fixes the wire format; enforce that the consumed length equals the message size and return BUFFER_ERROR (decode_error) otherwise.
---
 src/tls13.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/tls13.c b/src/tls13.c
index 4bc22f1cb1..4f6e1d3f64 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -6168,6 +6168,10 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
 }
 *inOutIdx += len;
+ /* No trailing bytes allowed (RFC 8446 4.3.2). */
+ if ((*inOutIdx - begin) != size)
+ return BUFFER_ERROR;
+
 /* RFC 8446 Section 4.3.2: the signature_algorithms extension MUST be
 * present in a CertificateRequest. */
 if (peerSuites.hashSigAlgoSz == 0) {
@@ -6175,7 +6179,6 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
 WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
 return INVALID_PARAMETER;
 }
-
 #ifdef WOLFSSL_CERT_SETUP_CB
 if ((ret = CertSetupCbWrapper(ssl)) != 0)
 return ret;
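Review bot: The new rejection path in the first hunk returns `BUFFER_ERROR` silently, whereas the `INVALID_PARAMETER` return just below it calls `WOLFSSL_ERROR_VERBOSE` first, so a malformed CertificateRequest rejected here leaves no trace in verbose error logs. I would brace the branch and log it the same way: `if ((*inOutIdx - begin) != size) { WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR); return BUFFER_ERROR; }`. `begin` and `size` are set outside the hunk, so the comparison is only right if `begin` is captured before the certificate_request_context length is read and both operands are unsigned; that is worth confirming against the full function. The diffstat shows only src/tls13.c changed, so a regression test that checks a CertificateRequest with bytes after the extensions block is refused would pin the behaviour.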