F-2144
SetStaticEphemeralKey loaded a private key file into keyBuf and freed it
without ForceZero. Static ephemeral keys are long-lived, so zeroize the
buffer before XFREE.
F-2143
ssl_SetWatchKey_file loaded a private key file into a heap buffer and
freed it without ForceZero on both error and success paths. Zeroize
before XFREE.
F-2142
wolfSSL_RSA_To_Der could free a buffer holding RSA private key material
when the DER encoding step failed. Record the allocation size and
ForceZero the buffer before XFREE on the private key path.
F-2140
wolfSSL_PEM_write_mem_DSAPrivateKey serializes the DSA private key to a
heap DER buffer and freed it on five paths without ForceZero. Zeroize
the buffer before each XFREE.
F-2139
Previously the plaintext private key DER buffer was freed via XFREE
without a preceding ForceZero when no password encryption was requested.
Track the actual allocation size and zeroize the buffer before release.
* Fix OOB heap reads via TLSX_ExtractEch() by preemptively rejecting oversized
SNI names in TLSX_UseSNI().
* In TLSX_EchChangeSNI(), don't attempt to truncate if an oversized name is
seen, just return error.
* Move definition of WOLFSSL_HOST_NAME_MAX to an ungated context in ssl.h, and
use it consistently in tls.c, eliminating the duplicative
WOLFSSL_HOST_NAME_MAX.
ExportKeyState was writing ssl->specs.iv_size bytes from
keys->aead_enc_imp_IV (always sized AEAD_MAX_IMP_SZ). ssl->specs.iv_size
carries a different meaning depending on the cipher suite: in AEAD
suites it's the implicit IV / nonce size, but in CBC it's the block
cipher's IV size (16). In CBC this overran the size of aead_enc_imp_IV
(12).
Per RFC 8446 section 8, a server MUST ensure that any instance of it
would accept 0-RTT for the same 0-RTT handshake at most once. Without
this, the same ClientHello could be replayed to re-accept early data on
a subsequent connection.
After the PSK is authenticated (binder verified) in DoPreSharedKeys,
call wolfSSL_SSL_CTX_remove_session on ssl->session when the client
offered 0-RTT and the session permits it. That evicts the entry from
the internal cache (under the row's write lock) and invokes the
application's ctx->rem_sess_cb so any external cache can drop its copy
too. The session's timeout is also cleared so the live reference held
by the current handshake cannot be resumed again.
The mutation is paid only when the client actually included the
early_data extension on a 0-RTT-capable session, so normal resumptions
are unaffected and the existing remove-callback counts in
test_wolfSSL_CTX_add_session_ext_{tls13,dtls13} stay correct.
wolfSSL_SSL_CTX_remove_session was previously declared and defined only
under the OpenSSL compatibility layer. Because it is now called from
the core TLS 1.3 PSK path, the declaration in wolfssl/ssl.h and the
definition in src/ssl_sess.c are moved out of that block to match the
existing !NO_SESSION_CACHE gate under which the function is meaningful.
wolfSSL_SSL_get0_session stays in the compat block.
test_tls13_early_data_0rtt_replay verifies the behaviour. It does a
full TLS 1.3 handshake with stateful tickets (SSL_OP_NO_TICKET) and
max_early_data > 0, then tries to resume the saved session twice while
offering 0-RTT each time. A minimal single-slot external session cache
is wired up via wolfSSL_CTX_sess_set_{new,get,remove}_cb to confirm
both caches are cleared. Round 0 must resume and deliver the early
data, and rem_calls must hit 1 (the fix's single eviction). Round 1
must fall back to a full handshake (session_reused == 0), deliver no
early data, and leave rem_calls at 1.
Verified against multiple configurations (incl. --enable-all
--enable-earlydata, the no-compat -DHAVE_EXT_CACHE build, and the
os-check.yml combo). Valgrind under -g2 -O0 with OPENSSL_EXTRA +
HAVE_EXT_CACHE + HAVE_EX_DATA reports no errors and no
definitely-lost bytes.
Refs wolfSSL/wolfssl#10197
crl.c:
- wolfSSL_X509_CRL_dup: add NULL check on input before dereferencing crl->cm
- DupX509_CRL: distinguish empty source CRL list from allocation failure so
duplicating a CRL with no entries no longer returns MEMORY_E
- wolfSSL_X509_STORE_add_crl: free newly-allocated CRL when wc_LockRwLock_Rd
fails to avoid leaking it
- InitCRL: propagate wolfSSL_RefInit failure in OPENSSL_ALL +
WOLFSSL_REFCNT_ERROR_RETURN builds, freeing crlLock (and cond when
HAVE_CRL_MONITOR is enabled) on the error path
keys.c:
- GetCipherSpec: remove duplicate usingPSK_cipher assignment in
BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 case
- GetCipherSpec: return UNSUPPORTED_SUITE for unknown cipher suite bytes in
the TLS13_BYTE, ECDHE_PSK_BYTE, and SM_BYTE switch blocks, matching the
behavior of the ECC_BYTE, CHACHA_BYTE, and normal suite switches
- SetKeys: fix misleading indentation on the AESCCM and SM4-CCM dec->aes
NULL-check return statements
ssl_certman.c / internal.h:
- AddTrustedPeer: remove dead code that checked peerCert->permittedNames
and peerCert->excludedNames immediately after XMEMSET zeroed the struct
- AddTrustedPeer: use cm->heap (matching allocation) instead of NULL when
freeing cert on the ParseCert failure path
- Extract the body of wolfSSL_CertManagerFree into a new static helper
DoCertManagerFree that unconditionally disposes of the certificate
manager, bypassing the reference count check. wolfSSL_CertManagerFree
now delegates to it after the RefDec check.
- Add caLockInit, tpLockInit, and refInit bitfield members to
WOLFSSL_CERT_MANAGER that track which sub-resources were successfully
initialized. DoCertManagerFree consults these flags so that it only
destroys mutexes and the reference count that were actually set up,
which makes partial-construction cleanup safe without relying on
platform-specific behavior of free-on-zeroed-storage.
- wolfSSL_CertManagerNew_ex: set the init flags as each sub-resource is
initialized, and on failure call DoCertManagerFree directly to free
exactly the resources that succeeded. Set cm->heap immediately after
XMEMSET so the forceful free path can use it.