mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 18:30:48 +02:00
@@ -13,7 +13,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@master
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Install alire
|
||||
uses: alire-project/setup-alire@v5
|
||||
|
||||
@@ -27,7 +27,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Pull wolfssl
|
||||
uses: actions/checkout@master
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
repository: wolfssl/wolfssl
|
||||
path: wolfssl
|
||||
@@ -41,7 +41,7 @@ jobs:
|
||||
echo $null >> wolfcrypt\src\wolfcrypt_last.c
|
||||
|
||||
- name: Add MSBuild to PATH
|
||||
uses: microsoft/setup-msbuild@v1
|
||||
uses: microsoft/setup-msbuild@v2
|
||||
|
||||
- name: Build
|
||||
working-directory: ${{env.GITHUB_WORKSPACE}}
|
||||
|
||||
+1
-1
@@ -43,7 +43,7 @@ RUN mkdir /var/empty
|
||||
RUN cd /opt/sources && wget -q -O- https://roumenpetrov.info/secsh/src/pkixssh-15.1.tar.gz | tar xzf - && cd pkixssh-15.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
|
||||
|
||||
# Install udp/tcp-proxy
|
||||
RUN cd /opt/sources && git clone --depth=1 --single-branch --branch=main http://github.com/wolfssl/udp-proxy && cd udp-proxy && make && cp tcp_proxy udp_proxy /bin/.
|
||||
RUN cd /opt/sources && git clone --depth=1 --single-branch --branch=main https://github.com/wolfssl/udp-proxy && cd udp-proxy && make && cp tcp_proxy udp_proxy /bin/.
|
||||
# Install libbacktrace
|
||||
RUN cd /opt/sources && git clone --depth=1 --single-branch https://github.com/ianlancetaylor/libbacktrace.git && cd libbacktrace && mkdir build && cd build && ../configure && make && make install
|
||||
|
||||
|
||||
@@ -591,7 +591,7 @@ int CheckCertCRL_ex(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
|
||||
if (cbRet == WC_NO_ERR_TRACE(WOLFSSL_CBIO_ERR_WANT_READ)) {
|
||||
ret = OCSP_WANT_READ;
|
||||
}
|
||||
else if (ret >= 0) {
|
||||
else if (cbRet >= 0) {
|
||||
/* try again */
|
||||
ret = CheckCertCRLList(crl, issuerHash, serial, serialSz,
|
||||
serialHash, &foundEntry);
|
||||
|
||||
+1
-1
@@ -228,7 +228,7 @@ const QuicTransportParam* QuicTransportParam_new(const uint8_t* data,
|
||||
{
|
||||
QuicTransportParam* tp;
|
||||
|
||||
if (len > 65353) return NULL;
|
||||
if (len > 65535) return NULL;
|
||||
tp = (QuicTransportParam*)XMALLOC(sizeof(*tp), heap, DYNAMIC_TYPE_TLSX);
|
||||
if (!tp) return NULL;
|
||||
tp->data = (uint8_t*)XMALLOC(len, heap, DYNAMIC_TYPE_TLSX);
|
||||
|
||||
+12
-2
@@ -3478,7 +3478,7 @@ static int ProcessSessionTicket(const byte* input, int* sslBytes,
|
||||
/* TLS v1.3 has hint age and nonce */
|
||||
if (IsAtLeastTLSv1_3(ssl->version)) {
|
||||
/* make sure can read through hint age and nonce len */
|
||||
if (TICKET_HINT_AGE_LEN + 1 > *sslBytes) {
|
||||
if (TICKET_HINT_AGE_LEN + OPAQUE8_LEN > *sslBytes) {
|
||||
SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
@@ -3487,7 +3487,7 @@ static int ProcessSessionTicket(const byte* input, int* sslBytes,
|
||||
|
||||
/* ticket nonce */
|
||||
len = input[0];
|
||||
if (len > MAX_TICKET_NONCE_STATIC_SZ) {
|
||||
if (len > MAX_TICKET_NONCE_STATIC_SZ || len + OPAQUE8_LEN > *sslBytes) {
|
||||
SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
@@ -3847,6 +3847,11 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
|
||||
case EXT_MAX_FRAGMENT_LENGTH:
|
||||
{
|
||||
word16 max_fragment = MAX_RECORD_SIZE;
|
||||
if (extLen != 1) {
|
||||
SetError(SERVER_HELLO_INPUT_STR, error, session,
|
||||
FATAL_ERROR_STATE);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
switch (input[0]) {
|
||||
case WOLFSSL_MFL_2_8 : max_fragment = 256; break;
|
||||
case WOLFSSL_MFL_2_9 : max_fragment = 512; break;
|
||||
@@ -3862,6 +3867,11 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
|
||||
}
|
||||
#endif
|
||||
case EXT_SUPPORTED_VERSIONS:
|
||||
if (extLen != 2) {
|
||||
SetError(SERVER_HELLO_INPUT_STR, error, session,
|
||||
FATAL_ERROR_STATE);
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
session->sslServer->version.major = input[0];
|
||||
session->sslServer->version.minor = input[1];
|
||||
session->sslClient->version.major = input[0];
|
||||
|
||||
@@ -6173,24 +6173,6 @@ int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap)
|
||||
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
|
||||
#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT)
|
||||
static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl)
|
||||
{
|
||||
TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET);
|
||||
SessionTicket* ticket = extension ?
|
||||
(SessionTicket*)extension->data : NULL;
|
||||
|
||||
if (ticket) {
|
||||
/* TODO validate ticket timeout here! */
|
||||
if (ticket->lifetime == 0xfffffff) {
|
||||
/* send empty ticket on timeout */
|
||||
TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap);
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */
|
||||
|
||||
|
||||
static word16 TLSX_SessionTicket_GetSize(SessionTicket* ticket, int isRequest)
|
||||
{
|
||||
(void)isRequest;
|
||||
@@ -6369,7 +6351,6 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket, void* heap)
|
||||
return WOLFSSL_SUCCESS;
|
||||
}
|
||||
|
||||
#define WOLF_STK_VALIDATE_REQUEST TLSX_SessionTicket_ValidateRequest
|
||||
#define WOLF_STK_GET_SIZE TLSX_SessionTicket_GetSize
|
||||
#define WOLF_STK_WRITE TLSX_SessionTicket_Write
|
||||
#define WOLF_STK_PARSE TLSX_SessionTicket_Parse
|
||||
@@ -15402,7 +15383,6 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word32* pLength)
|
||||
if (msgType == client_hello) {
|
||||
EC_VALIDATE_REQUEST(ssl, semaphore);
|
||||
PF_VALIDATE_REQUEST(ssl, semaphore);
|
||||
WOLF_STK_VALIDATE_REQUEST(ssl);
|
||||
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
|
||||
if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0)
|
||||
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
|
||||
@@ -15579,7 +15559,6 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word32* pOffset)
|
||||
if (msgType == client_hello) {
|
||||
EC_VALIDATE_REQUEST(ssl, semaphore);
|
||||
PF_VALIDATE_REQUEST(ssl, semaphore);
|
||||
WOLF_STK_VALIDATE_REQUEST(ssl);
|
||||
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
|
||||
if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0)
|
||||
TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
|
||||
|
||||
@@ -6869,11 +6869,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
#endif
|
||||
|
||||
sessIdSz = input[args->idx++];
|
||||
#ifndef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
|
||||
if (sessIdSz > ID_LEN)
|
||||
#else
|
||||
if (sessIdSz != ID_LEN && sessIdSz != 0)
|
||||
#endif
|
||||
{
|
||||
ERROR_OUT(INVALID_PARAMETER, exit_dch);
|
||||
}
|
||||
|
||||
+1
-1
@@ -9641,7 +9641,7 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz,
|
||||
WOLFSSL_MSG("Not Dilithium Level 5 DER key");
|
||||
}
|
||||
}
|
||||
else {
|
||||
if (*algoID == 0) {
|
||||
WOLFSSL_MSG("GetKeyOID dilithium initialization failed");
|
||||
}
|
||||
wc_dilithium_free(dilithium);
|
||||
|
||||
@@ -119,6 +119,10 @@ int wc_ChaCha20Poly1305_Decrypt(
|
||||
if (ret == 0)
|
||||
ret = wc_ChaCha20Poly1305_CheckTag(inAuthTag, calculatedAuthTag);
|
||||
|
||||
if (ret != 0) {
|
||||
/* zero plaintext on error */
|
||||
ForceZero(outPlaintext, inCiphertextLen);
|
||||
}
|
||||
WC_FREE_VAR_EX(aead, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
|
||||
return ret;
|
||||
|
||||
Reference in New Issue
Block a user