DTLS 1.3 write dup support

- Copy TLS 1.3 traffic secrets and DTLS 1.3 epoch/cipher state to the
  write-dup side in DupSSL so key updates can be performed.
- Delegate KeyUpdate responses from the read side to the write side via
  the shared WriteDup struct, for both peer-initiated and local key
  updates.
- Delegate DTLS 1.3 ACK sending from the read side to the write side.
- Track DTLS 1.3 KeyUpdate ACKs: write side records the in-flight
  KeyUpdate epoch/seq, read side sets keyUpdateAcked when the matching
  ACK arrives.
- Delegate post-handshake certificate authentication (CertificateRequest
  processing) from the read side to the write side, transferring
  transcript hashes, cert context, and signature parameters.
- Reset prevSent/plainSz to prevent stale values from SendData to think
  that data was already sent.
- Refactor FreeHandshakeHashes into Free_HS_Hashes for reuse.
- Move DTLS 1.3 epoch initialization earlier in InitSSL so the
  write-dup early-return path has valid epoch state.
- Add tests for write dup with all protocol versions, key update,
  post-handshake auth, and WANT_WRITE recovery.
- Add --enable-all --enable-writedup to CI os-check matrix.

Author: julek-wolfssl

.github/workflows/os-check.yml

@@ -98,6 +98,7 @@ jobs:
           '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK"',
           '--enable-certreq --enable-certext --enable-certgen --disable-secure-renegotiation-info CPPFLAGS="-DNO_TLS"',
           '--enable-ocsp --enable-ocsp-responder --enable-ocspstapling CPPFLAGS="-DWOLFSSL_NONBLOCK_OCSP" --enable-maxfragment',
+          '--enable-all --enable-writedup',
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

src/dtls13.c

@@ -2034,8 +2034,21 @@ int Dtls13HandshakeSend(WOLFSSL* ssl, byte* message, word16 outputSize,
     maxFrag = wolfssl_local_GetMaxPlaintextSize(ssl);
     maxLen = length;
 
-    if (handshakeType == key_update)
+    if (handshakeType == key_update) {
         ssl->dtls13WaitKeyUpdateAck = 1;
+#ifdef HAVE_WRITE_DUP
+        /* Notify the read side so it can watch for the ACK on our behalf. */
+        if (ssl->dupWrite != NULL && ssl->dupSide == WRITE_DUP_SIDE) {
+            if (wc_LockMutex(&ssl->dupWrite->dupMutex) == 0) {
+                ssl->dupWrite->keyUpdateEpoch = ssl->dtls13Epoch;
+                ssl->dupWrite->keyUpdateSeq =
+                    ssl->dtls13EncryptEpoch->nextSeqNumber;
+                ssl->dupWrite->keyUpdateWaiting = 1;
+                wc_UnLockMutex(&ssl->dupWrite->dupMutex);
+            }
+        }
+#endif /* HAVE_WRITE_DUP */
+    }
 
     if (maxLen < maxFrag) {
         ret = Dtls13SendOneFragmentRtx(ssl, handshakeType, outputSize, message,
@@ -2656,7 +2669,7 @@ static void Dtls13PrintRtxRecord(Dtls13RtxRecord* r)
 }
 #endif /* WOLFSSL_DEBUG_TLS */
 
-static void Dtls13RtxRemoveRecord(WOLFSSL* ssl, w64wrapper epoch,
+void Dtls13RtxRemoveRecord(WOLFSSL* ssl, w64wrapper epoch,
     w64wrapper seq)
 {
     Dtls13RtxRecord *r, **prevNext;
@@ -2706,9 +2719,28 @@ int Dtls13DoScheduledWork(WOLFSSL* ssl)
     ret = wc_UnLockMutex(&ssl->dtls13Rtx.mutex);
 #endif
     if (sendAcks) {
-        ret = SendDtls13Ack(ssl);
-        if (ret != 0)
-            return ret;
+#ifdef HAVE_WRITE_DUP
+        /* The read side cannot encrypt.  Transfer the seenRecords list to the
+         * shared WriteDup struct so the write side sends the ACK instead. */
+        if (ssl->dupWrite != NULL && ssl->dupSide == READ_DUP_SIDE) {
+            if (wc_LockMutex(&ssl->dupWrite->dupMutex) == 0) {
+                struct Dtls13RecordNumber** tail =
+                    (struct Dtls13RecordNumber**)&ssl->dupWrite->sendAckList;
+                while (*tail != NULL)
+                    tail = &(*tail)->next;
+                *tail = ssl->dtls13Rtx.seenRecords;
+                ssl->dtls13Rtx.seenRecords = NULL;
+                ssl->dupWrite->sendAcks = 1;
+                wc_UnLockMutex(&ssl->dupWrite->dupMutex);
+            }
+        }
+        else
+#endif /* HAVE_WRITE_DUP */
+        {
+            ret = SendDtls13Ack(ssl);
+            if (ret != 0)
+                return ret;
+        }
     }
 
     if (ssl->dtls13Rtx.retransmit) {
@@ -2824,6 +2856,22 @@ int DoDtls13Ack(WOLFSSL* ssl, const byte* input, word32 inputSize,
         ato64(ackMessage + i + OPAQUE64_LEN, &seq);
         WOLFSSL_MSG_EX("epoch %d seq %d", epoch, seq);
         Dtls13RtxRemoveRecord(ssl, epoch, seq);
+#ifdef HAVE_WRITE_DUP
+        /* Read side: check if this ACK covers the write side's pending KeyUpdate.
+         * Match on both epoch AND seq to avoid false positives from data records
+         * in the same epoch (sent while dtls13WaitKeyUpdateAck == 1). */
+        if (ssl->dupWrite != NULL && ssl->dupSide == READ_DUP_SIDE) {
+            if (wc_LockMutex(&ssl->dupWrite->dupMutex) == 0) {
+                if (ssl->dupWrite->keyUpdateWaiting &&
+                        w64Equal(epoch, ssl->dupWrite->keyUpdateEpoch) &&
+                        w64Equal(seq,   ssl->dupWrite->keyUpdateSeq)) {
+                    ssl->dupWrite->keyUpdateAcked = 1;
+                    ssl->dupWrite->keyUpdateWaiting = 0;
+                }
+                wc_UnLockMutex(&ssl->dupWrite->dupMutex);
+            }
+        }
+#endif /* HAVE_WRITE_DUP */
     }
 
     /* last client flight was completely acknowledged by the server. Handshake

src/internal.c

@@ -7462,43 +7462,49 @@ int InitHandshakeHashes(WOLFSSL* ssl)
     return ret;
 }
 
-void FreeHandshakeHashes(WOLFSSL* ssl)
+void Free_HS_Hashes(HS_Hashes* hsHashes, void* heap)
 {
-    if (ssl->hsHashes) {
+    if (hsHashes) {
     #if !defined(NO_MD5) && !defined(NO_OLD_TLS)
-        wc_Md5Free(&ssl->hsHashes->hashMd5);
+        wc_Md5Free(&hsHashes->hashMd5);
     #endif
     #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
                               defined(WOLFSSL_ALLOW_TLS_SHA1))
-        wc_ShaFree(&ssl->hsHashes->hashSha);
+        wc_ShaFree(&hsHashes->hashSha);
     #endif
     #ifndef NO_SHA256
-        wc_Sha256Free(&ssl->hsHashes->hashSha256);
+        wc_Sha256Free(&hsHashes->hashSha256);
     #endif
     #ifdef WOLFSSL_SHA384
-        wc_Sha384Free(&ssl->hsHashes->hashSha384);
+        wc_Sha384Free(&hsHashes->hashSha384);
     #endif
     #ifdef WOLFSSL_SHA512
-        wc_Sha512Free(&ssl->hsHashes->hashSha512);
+        wc_Sha512Free(&hsHashes->hashSha512);
     #endif
     #ifdef WOLFSSL_SM3
-        wc_Sm3Free(&ssl->hsHashes->hashSm3);
+        wc_Sm3Free(&hsHashes->hashSm3);
     #endif
     #if (defined(HAVE_ED25519) || defined(HAVE_ED448) || \
          (defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3))) && \
         !defined(WOLFSSL_NO_CLIENT_AUTH)
-        if (ssl->hsHashes->messages != NULL) {
-            ForceZero(ssl->hsHashes->messages, (word32)ssl->hsHashes->length);
-            XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES);
-            ssl->hsHashes->messages = NULL;
+        if (hsHashes->messages != NULL) {
+            ForceZero(hsHashes->messages, (word32)hsHashes->length);
+            XFREE(hsHashes->messages, heap, DYNAMIC_TYPE_HASHES);
+            hsHashes->messages = NULL;
          }
     #endif
 
-        XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES);
-        ssl->hsHashes = NULL;
+        XFREE(hsHashes, heap, DYNAMIC_TYPE_HASHES);
+        hsHashes = NULL;
     }
 }
 
+void FreeHandshakeHashes(WOLFSSL* ssl)
+{
+    Free_HS_Hashes(ssl->hsHashes, ssl->heap);
+    ssl->hsHashes = NULL;
+}
+
 /* copy the hashes from source to a newly made destination return status */
 int InitHandshakeHashesAndCopy(WOLFSSL* ssl, HS_Hashes* source,
   HS_Hashes** destination)
@@ -7509,15 +7515,8 @@ int InitHandshakeHashesAndCopy(WOLFSSL* ssl, HS_Hashes* source,
         return BAD_FUNC_ARG;
 
     /* If *destination is already allocated, its constituent hashes need to be
-     * freed, else they would leak.  To keep things simple, we reuse
-     * FreeHandshakeHashes(), which deallocates *destination.
-     */
-    if (*destination != NULL) {
-        HS_Hashes* tmp = ssl->hsHashes;
-        ssl->hsHashes = *destination;
-        FreeHandshakeHashes(ssl);
-        ssl->hsHashes = tmp;
-    }
+     * freed, else they would leak. */
+    Free_HS_Hashes(*destination, ssl->heap);
 
     /* allocate handshake hashes */
     *destination = (HS_Hashes*)XMALLOC(sizeof(HS_Hashes), ssl->heap,
@@ -8065,6 +8064,24 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
     }
     ssl->options.dtls = ssl->version.major == DTLS_MAJOR;
 
+
+#ifdef WOLFSSL_DTLS13
+    /* setup 0 (un-protected) epoch */
+    ssl->dtls13Epochs[0].isValid = 1;
+    ssl->dtls13Epochs[0].side = ENCRYPT_AND_DECRYPT_SIDE;
+    ssl->dtls13EncryptEpoch = &ssl->dtls13Epochs[0];
+    ssl->dtls13DecryptEpoch = &ssl->dtls13Epochs[0];
+    ssl->options.dtls13SendMoreAcks = WOLFSSL_DTLS13_SEND_MOREACK_DEFAULT;
+    ssl->dtls13Rtx.rtxRecordTailPtr = &ssl->dtls13Rtx.rtxRecords;
+
+#ifdef WOLFSSL_RW_THREADED
+    ret = wc_InitMutex(&ssl->dtls13Rtx.mutex);
+    if (ret < 0) {
+        return ret;
+    }
+#endif
+#endif /* WOLFSSL_DTLS13 */
+
 #ifdef HAVE_WRITE_DUP
     if (writeDup) {
         /* all done */
@@ -8176,24 +8193,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
     }
 #endif /* HAVE_SECURE_RENEGOTIATION */
 
-
-#ifdef WOLFSSL_DTLS13
-    /* setup 0 (un-protected) epoch */
-    ssl->dtls13Epochs[0].isValid = 1;
-    ssl->dtls13Epochs[0].side = ENCRYPT_AND_DECRYPT_SIDE;
-    ssl->dtls13EncryptEpoch = &ssl->dtls13Epochs[0];
-    ssl->dtls13DecryptEpoch = &ssl->dtls13Epochs[0];
-    ssl->options.dtls13SendMoreAcks = WOLFSSL_DTLS13_SEND_MOREACK_DEFAULT;
-    ssl->dtls13Rtx.rtxRecordTailPtr = &ssl->dtls13Rtx.rtxRecords;
-
-#ifdef WOLFSSL_RW_THREADED
-    ret = wc_InitMutex(&ssl->dtls13Rtx.mutex);
-    if (ret < 0) {
-        return ret;
-    }
-#endif
-#endif /* WOLFSSL_DTLS13 */
-
 #ifdef WOLFSSL_QUIC
     if (ctx->quic.method) {
         ret = wolfSSL_set_quic_method(ssl, ctx->quic.method);
@@ -26082,6 +26081,10 @@ static int CheckTLS13AEADSendLimit(WOLFSSL* ssl)
     }
 #ifdef WOLFSSL_DTLS13
     if (ssl->options.dtls) {
+        if (ssl->dtls13EncryptEpoch == NULL) {
+            WOLFSSL_MSG("DTLS 1.3 encrypt epoch not set");
+            return BAD_STATE_E;
+        }
         seq = ssl->dtls13EncryptEpoch->nextSeqNumber;
     }
     else
@@ -26312,6 +26315,8 @@ int SendData(WOLFSSL* ssl, const void* data, size_t sz)
         else {
             /* advance sent to previous sent + plain size just sent */
             sent = ssl->buffers.prevSent + ssl->buffers.plainSz;
+            ssl->buffers.prevSent = 0;
+            ssl->buffers.plainSz = 0;
             WOLFSSL_MSG("sent write buffered data");
 
             if (sent > (word32)sz) {