Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Hardening and cleanup changes across TLS/QUIC parsing, crypto error handling, and CI/container tooling to improve security and robustness.
Changes:
- Strengthen input/length validation in TLS 1.3 parsing and sniffer logic; remove dead session ticket validation code.
- Improve security posture by clearing plaintext on AEAD failure and tightening CRL callback return handling.
- Update CI and Docker dependencies (pin/upgrade actions, switch Docker git clone to HTTPS).
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
wolfcrypt/src/chacha20_poly1305.c |
Clears plaintext buffer on decrypt error to avoid returning unauthenticated data. |
wolfcrypt/src/asn.c |
Adjusts Dilithium-related logging condition in wc_GetKeyOID. |
src/tls13.c |
Relaxes TLS 1.3 ClientHello legacy session ID length check. |
src/tls.c |
Removes dead session ticket request validation hook and macro usage. |
src/sniffer.c |
Adds additional bounds checks for TLS 1.3 ticket nonce and ServerHello extensions. |
src/quic.c |
Updates QUIC transport parameter length upper bound. |
src/crl.c |
Fixes retry condition to check cbRet after callback. |
Docker/Dockerfile |
Switches git clone URL from HTTP to HTTPS. |
.github/workflows/win-csharp-test.yml |
Pins/updates actions/checkout and setup-msbuild. |
.github/workflows/ada.yml |
Pins actions/checkout version. |
Comments suppressed due to low confidence (1)
wolfcrypt/src/asn.c:1
- The logging condition depends on the current value of
*algoID, which may be influenced by its prior value rather than the Dilithium init result in this call. To make the behavior deterministic and easier to reason about, prefer logging based on the initialization return status (or explicitly initialize/reset*algoIDbefore attempting initialization so*algoID == 0reliably reflects 'init failed').
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
|
retest this please |
`ticket->lifetime` is never set to 0xfffffff anywhere F-430
julek-wolfssl
force-pushed
the
fenrir/260903
branch
from
ddba7f1 to
afed9d4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
actions/checkoutversioncbRetafter callback