harden TLS handshake validation

This commit is contained in:
Jeremiah Mackey
2026-05-04 04:13:51 +00:00
parent 980fc51ea7
commit b5cff8dcca
2 changed files with 23 additions and 5 deletions
+15 -5
View File
@@ -1270,7 +1270,8 @@ static int ImportKeyState(WOLFSSL* ssl, const byte* exp, word32 len, byte ver,
}
sz = exp[idx++];
if (sz > sizeof(keys->client_write_IV) || (sz * 2) + idx > len) {
if (sz > sizeof(keys->client_write_IV) ||
(sz * 2) + idx + AEAD_MAX_EXP_SZ + OPAQUE8_LEN > len) {
WOLFSSL_MSG("Buffer not large enough for write IV import");
return BUFFER_E;
}
@@ -16898,10 +16899,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = KEYUSE_ENCIPHER_E;
WOLFSSL_ERROR_VERBOSE(ret);
}
if ((ssl->specs.kea != rsa_kea) &&
(ssl->specs.sig_algo == rsa_sa_algo ||
(ssl->specs.sig_algo == ecc_dsa_sa_algo &&
!ssl->specs.static_ecdh)) &&
/* TLS 1.3 decouples sig algorithm from cipher suite, so
* specs.sig_algo is any_sa_algo. RFC 8446 4.4.2.4 still
* requires digital_signature when keyUsage is present on
* the cert that drives CertificateVerify. */
if (((ssl->specs.kea != rsa_kea) &&
(IsAtLeastTLSv1_3(ssl->version) ||
ssl->specs.sig_algo == rsa_sa_algo ||
(ssl->specs.sig_algo == ecc_dsa_sa_algo &&
!ssl->specs.static_ecdh))) &&
(args->dCert->extKeyUsage & KEYUSE_DIGITAL_SIG) == 0) {
WOLFSSL_MSG("KeyUse Digital Sig not set");
ret = KEYUSE_SIGNATURE_E;
@@ -24240,6 +24246,8 @@ static int BuildMD5_CertVerify(const WOLFSSL* ssl, byte* digest)
#ifdef WOLFSSL_SMALL_STACK
wc_Md5* md5 = (wc_Md5*)XMALLOC(sizeof(wc_Md5), ssl->heap,
DYNAMIC_TYPE_HASHCTX);
if (md5 == NULL)
return MEMORY_E;
#else
wc_Md5 md5[1];
#endif
@@ -24284,6 +24292,8 @@ static int BuildSHA_CertVerify(const WOLFSSL* ssl, byte* digest)
#ifdef WOLFSSL_SMALL_STACK
wc_Sha* sha = (wc_Sha*)XMALLOC(sizeof(wc_Sha), ssl->heap,
DYNAMIC_TYPE_HASHCTX);
if (sha == NULL)
return MEMORY_E;
#else
wc_Sha sha[1];
#endif
+8
View File
@@ -9291,6 +9291,14 @@ static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
}
#endif
/* RFC 8446 Section 4.2.8.1: FFDHE key_exchange values are left-padded with
* zeros to the size of the named-group prime. Reject any peer key share
* whose byte length does not match the expected prime size. */
if (keyShareEntry->keLen != pSz) {
WOLFSSL_ERROR_VERBOSE(PEER_KEY_ERROR);
return PEER_KEY_ERROR;
}
/* if DhKey is not setup, do it now */
if (keyShareEntry->key == NULL) {
keyShareEntry->key = (DhKey*)XMALLOC(sizeof(DhKey), ssl->heap,