Merge pull request #9930 from julek-wolfssl/fenrir/260903

Fenrir fixes
This commit is contained in:
Daniel Pouzzner
2026-03-10 19:32:56 -05:00
committed by GitHub
10 changed files with 23 additions and 34 deletions
+1 -1
View File
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: actions/checkout@v4
- name: Install alire
uses: alire-project/setup-alire@v5
+2 -2
View File
@@ -27,7 +27,7 @@ jobs:
steps:
- name: Pull wolfssl
uses: actions/checkout@master
uses: actions/checkout@v4
with:
repository: wolfssl/wolfssl
path: wolfssl
@@ -41,7 +41,7 @@ jobs:
echo $null >> wolfcrypt\src\wolfcrypt_last.c
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@v1
uses: microsoft/setup-msbuild@v2
- name: Build
working-directory: ${{env.GITHUB_WORKSPACE}}
+1 -1
View File
@@ -43,7 +43,7 @@ RUN mkdir /var/empty
RUN cd /opt/sources && wget -q -O- https://roumenpetrov.info/secsh/src/pkixssh-15.1.tar.gz | tar xzf - && cd pkixssh-15.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
# Install udp/tcp-proxy
RUN cd /opt/sources && git clone --depth=1 --single-branch --branch=main http://github.com/wolfssl/udp-proxy && cd udp-proxy && make && cp tcp_proxy udp_proxy /bin/.
RUN cd /opt/sources && git clone --depth=1 --single-branch --branch=main https://github.com/wolfssl/udp-proxy && cd udp-proxy && make && cp tcp_proxy udp_proxy /bin/.
# Install libbacktrace
RUN cd /opt/sources && git clone --depth=1 --single-branch https://github.com/ianlancetaylor/libbacktrace.git && cd libbacktrace && mkdir build && cd build && ../configure && make && make install
+1 -1
View File
@@ -591,7 +591,7 @@ int CheckCertCRL_ex(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
if (cbRet == WC_NO_ERR_TRACE(WOLFSSL_CBIO_ERR_WANT_READ)) {
ret = OCSP_WANT_READ;
}
else if (ret >= 0) {
else if (cbRet >= 0) {
/* try again */
ret = CheckCertCRLList(crl, issuerHash, serial, serialSz,
serialHash, &foundEntry);
+1 -1
View File
@@ -228,7 +228,7 @@ const QuicTransportParam* QuicTransportParam_new(const uint8_t* data,
{
QuicTransportParam* tp;
if (len > 65353) return NULL;
if (len > 65535) return NULL;
tp = (QuicTransportParam*)XMALLOC(sizeof(*tp), heap, DYNAMIC_TYPE_TLSX);
if (!tp) return NULL;
tp->data = (uint8_t*)XMALLOC(len, heap, DYNAMIC_TYPE_TLSX);
+12 -2
View File
@@ -3478,7 +3478,7 @@ static int ProcessSessionTicket(const byte* input, int* sslBytes,
/* TLS v1.3 has hint age and nonce */
if (IsAtLeastTLSv1_3(ssl->version)) {
/* make sure can read through hint age and nonce len */
if (TICKET_HINT_AGE_LEN + 1 > *sslBytes) {
if (TICKET_HINT_AGE_LEN + OPAQUE8_LEN > *sslBytes) {
SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
@@ -3487,7 +3487,7 @@ static int ProcessSessionTicket(const byte* input, int* sslBytes,
/* ticket nonce */
len = input[0];
if (len > MAX_TICKET_NONCE_STATIC_SZ) {
if (len > MAX_TICKET_NONCE_STATIC_SZ || len + OPAQUE8_LEN > *sslBytes) {
SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
@@ -3847,6 +3847,11 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
case EXT_MAX_FRAGMENT_LENGTH:
{
word16 max_fragment = MAX_RECORD_SIZE;
if (extLen != 1) {
SetError(SERVER_HELLO_INPUT_STR, error, session,
FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
switch (input[0]) {
case WOLFSSL_MFL_2_8 : max_fragment = 256; break;
case WOLFSSL_MFL_2_9 : max_fragment = 512; break;
@@ -3862,6 +3867,11 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
}
#endif
case EXT_SUPPORTED_VERSIONS:
if (extLen != 2) {
SetError(SERVER_HELLO_INPUT_STR, error, session,
FATAL_ERROR_STATE);
return WOLFSSL_FATAL_ERROR;
}
session->sslServer->version.major = input[0];
session->sslServer->version.minor = input[1];
session->sslClient->version.major = input[0];
-21
View File
@@ -6173,24 +6173,6 @@ int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap)
#ifdef HAVE_SESSION_TICKET
#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT)
static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl)
{
TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET);
SessionTicket* ticket = extension ?
(SessionTicket*)extension->data : NULL;
if (ticket) {
/* TODO validate ticket timeout here! */
if (ticket->lifetime == 0xfffffff) {
/* send empty ticket on timeout */
TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap);
}
}
}
#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */
static word16 TLSX_SessionTicket_GetSize(SessionTicket* ticket, int isRequest)
{
(void)isRequest;
@@ -6369,7 +6351,6 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket, void* heap)
return WOLFSSL_SUCCESS;
}
#define WOLF_STK_VALIDATE_REQUEST TLSX_SessionTicket_ValidateRequest
#define WOLF_STK_GET_SIZE TLSX_SessionTicket_GetSize
#define WOLF_STK_WRITE TLSX_SessionTicket_Write
#define WOLF_STK_PARSE TLSX_SessionTicket_Parse
@@ -15402,7 +15383,6 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word32* pLength)
if (msgType == client_hello) {
EC_VALIDATE_REQUEST(ssl, semaphore);
PF_VALIDATE_REQUEST(ssl, semaphore);
WOLF_STK_VALIDATE_REQUEST(ssl);
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
@@ -15579,7 +15559,6 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word32* pOffset)
if (msgType == client_hello) {
EC_VALIDATE_REQUEST(ssl, semaphore);
PF_VALIDATE_REQUEST(ssl, semaphore);
WOLF_STK_VALIDATE_REQUEST(ssl);
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0)
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
-4
View File
@@ -6869,11 +6869,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
sessIdSz = input[args->idx++];
#ifndef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
if (sessIdSz > ID_LEN)
#else
if (sessIdSz != ID_LEN && sessIdSz != 0)
#endif
{
ERROR_OUT(INVALID_PARAMETER, exit_dch);
}
+1 -1
View File
@@ -9641,7 +9641,7 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
WOLFSSL_MSG("Not Dilithium Level 5 DER key");
}
}
else {
if (*algoID == 0) {
WOLFSSL_MSG("GetKeyOID dilithium initialization failed");
}
wc_dilithium_free(dilithium);
+4
View File
@@ -119,6 +119,10 @@ int wc_ChaCha20Poly1305_Decrypt(
if (ret == 0)
ret = wc_ChaCha20Poly1305_CheckTag(inAuthTag, calculatedAuthTag);
if (ret != 0) {
/* zero plaintext on error */
ForceZero(outPlaintext, inCiphertextLen);
}
WC_FREE_VAR_EX(aead, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return ret;