diff --git a/.github/workflows/ada.yml b/.github/workflows/ada.yml index d1d51d82b47..8e892e69cc8 100644 --- a/.github/workflows/ada.yml +++ b/.github/workflows/ada.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@v4 - name: Install alire uses: alire-project/setup-alire@v5 diff --git a/.github/workflows/win-csharp-test.yml b/.github/workflows/win-csharp-test.yml index 12b294b6b2b..c2c10582c1f 100644 --- a/.github/workflows/win-csharp-test.yml +++ b/.github/workflows/win-csharp-test.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Pull wolfssl - uses: actions/checkout@master + uses: actions/checkout@v4 with: repository: wolfssl/wolfssl path: wolfssl @@ -41,7 +41,7 @@ jobs: echo $null >> wolfcrypt\src\wolfcrypt_last.c - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v1 + uses: microsoft/setup-msbuild@v2 - name: Build working-directory: ${{env.GITHUB_WORKSPACE}} diff --git a/Docker/Dockerfile b/Docker/Dockerfile index d2c01b05d3a..9ae6f1ec525 100644 --- a/Docker/Dockerfile +++ b/Docker/Dockerfile @@ -43,7 +43,7 @@ RUN mkdir /var/empty RUN cd /opt/sources && wget -q -O- https://roumenpetrov.info/secsh/src/pkixssh-15.1.tar.gz | tar xzf - && cd pkixssh-15.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install # Install udp/tcp-proxy -RUN cd /opt/sources && git clone --depth=1 --single-branch --branch=main http://github.com/wolfssl/udp-proxy && cd udp-proxy && make && cp tcp_proxy udp_proxy /bin/. +RUN cd /opt/sources && git clone --depth=1 --single-branch --branch=main https://github.com/wolfssl/udp-proxy && cd udp-proxy && make && cp tcp_proxy udp_proxy /bin/. # Install libbacktrace RUN cd /opt/sources && git clone --depth=1 --single-branch https://github.com/ianlancetaylor/libbacktrace.git && cd libbacktrace && mkdir build && cd build && ../configure && make && make install diff --git a/src/crl.c b/src/crl.c index c6a9632603c..b382ef7baf5 100644 --- a/src/crl.c +++ b/src/crl.c @@ -591,7 +591,7 @@ int CheckCertCRL_ex(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial, if (cbRet == WC_NO_ERR_TRACE(WOLFSSL_CBIO_ERR_WANT_READ)) { ret = OCSP_WANT_READ; } - else if (ret >= 0) { + else if (cbRet >= 0) { /* try again */ ret = CheckCertCRLList(crl, issuerHash, serial, serialSz, serialHash, &foundEntry); diff --git a/src/quic.c b/src/quic.c index f8512542188..be8c53ee38e 100644 --- a/src/quic.c +++ b/src/quic.c @@ -228,7 +228,7 @@ const QuicTransportParam* QuicTransportParam_new(const uint8_t* data, { QuicTransportParam* tp; - if (len > 65353) return NULL; + if (len > 65535) return NULL; tp = (QuicTransportParam*)XMALLOC(sizeof(*tp), heap, DYNAMIC_TYPE_TLSX); if (!tp) return NULL; tp->data = (uint8_t*)XMALLOC(len, heap, DYNAMIC_TYPE_TLSX); diff --git a/src/sniffer.c b/src/sniffer.c index 9c061c8fce8..9b07b4ef94a 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -3478,7 +3478,7 @@ static int ProcessSessionTicket(const byte* input, int* sslBytes, /* TLS v1.3 has hint age and nonce */ if (IsAtLeastTLSv1_3(ssl->version)) { /* make sure can read through hint age and nonce len */ - if (TICKET_HINT_AGE_LEN + 1 > *sslBytes) { + if (TICKET_HINT_AGE_LEN + OPAQUE8_LEN > *sslBytes) { SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE); return WOLFSSL_FATAL_ERROR; } @@ -3487,7 +3487,7 @@ static int ProcessSessionTicket(const byte* input, int* sslBytes, /* ticket nonce */ len = input[0]; - if (len > MAX_TICKET_NONCE_STATIC_SZ) { + if (len > MAX_TICKET_NONCE_STATIC_SZ || len + OPAQUE8_LEN > *sslBytes) { SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE); return WOLFSSL_FATAL_ERROR; } @@ -3847,6 +3847,11 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, case EXT_MAX_FRAGMENT_LENGTH: { word16 max_fragment = MAX_RECORD_SIZE; + if (extLen != 1) { + SetError(SERVER_HELLO_INPUT_STR, error, session, + FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } switch (input[0]) { case WOLFSSL_MFL_2_8 : max_fragment = 256; break; case WOLFSSL_MFL_2_9 : max_fragment = 512; break; @@ -3862,6 +3867,11 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, } #endif case EXT_SUPPORTED_VERSIONS: + if (extLen != 2) { + SetError(SERVER_HELLO_INPUT_STR, error, session, + FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } session->sslServer->version.major = input[0]; session->sslServer->version.minor = input[1]; session->sslClient->version.major = input[0]; diff --git a/src/tls.c b/src/tls.c index 5ddb1ca40c5..0d2e677a57c 100644 --- a/src/tls.c +++ b/src/tls.c @@ -6173,24 +6173,6 @@ int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap) #ifdef HAVE_SESSION_TICKET -#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT) -static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl) -{ - TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET); - SessionTicket* ticket = extension ? - (SessionTicket*)extension->data : NULL; - - if (ticket) { - /* TODO validate ticket timeout here! */ - if (ticket->lifetime == 0xfffffff) { - /* send empty ticket on timeout */ - TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap); - } - } -} -#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */ - - static word16 TLSX_SessionTicket_GetSize(SessionTicket* ticket, int isRequest) { (void)isRequest; @@ -6369,7 +6351,6 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket, void* heap) return WOLFSSL_SUCCESS; } -#define WOLF_STK_VALIDATE_REQUEST TLSX_SessionTicket_ValidateRequest #define WOLF_STK_GET_SIZE TLSX_SessionTicket_GetSize #define WOLF_STK_WRITE TLSX_SessionTicket_Write #define WOLF_STK_PARSE TLSX_SessionTicket_Parse @@ -15402,7 +15383,6 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word32* pLength) if (msgType == client_hello) { EC_VALIDATE_REQUEST(ssl, semaphore); PF_VALIDATE_REQUEST(ssl, semaphore); - WOLF_STK_VALIDATE_REQUEST(ssl); #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); @@ -15579,7 +15559,6 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word32* pOffset) if (msgType == client_hello) { EC_VALIDATE_REQUEST(ssl, semaphore); PF_VALIDATE_REQUEST(ssl, semaphore); - WOLF_STK_VALIDATE_REQUEST(ssl); #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0) TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); diff --git a/src/tls13.c b/src/tls13.c index f7a97efffb1..d3432ccf6cb 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -6869,11 +6869,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif sessIdSz = input[args->idx++]; -#ifndef WOLFSSL_TLS13_MIDDLEBOX_COMPAT if (sessIdSz > ID_LEN) -#else - if (sessIdSz != ID_LEN && sessIdSz != 0) -#endif { ERROR_OUT(INVALID_PARAMETER, exit_dch); } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index bfa90e54233..eff52251713 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -9641,7 +9641,7 @@ int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID, word32* oidSz, WOLFSSL_MSG("Not Dilithium Level 5 DER key"); } } - else { + if (*algoID == 0) { WOLFSSL_MSG("GetKeyOID dilithium initialization failed"); } wc_dilithium_free(dilithium); diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c index 8911b4d53d3..a7acd6acfaa 100644 --- a/wolfcrypt/src/chacha20_poly1305.c +++ b/wolfcrypt/src/chacha20_poly1305.c @@ -119,6 +119,10 @@ int wc_ChaCha20Poly1305_Decrypt( if (ret == 0) ret = wc_ChaCha20Poly1305_CheckTag(inAuthTag, calculatedAuthTag); + if (ret != 0) { + /* zero plaintext on error */ + ForceZero(outPlaintext, inCiphertextLen); + } WC_FREE_VAR_EX(aead, NULL, DYNAMIC_TYPE_TMP_BUFFER); return ret;