From 9365248d6d39ad95d599c2b63b9b3d549dfa86bb Mon Sep 17 00:00:00 2001 From: Roy Carter Date: Thu, 16 Apr 2026 12:58:08 +0300 Subject: [PATCH 1/9] Refactor - allow configurating more than 99 , since large platforms which use high scale of operations require more than 99 index options back from SSL_get_ex_new_index --- configure.ac | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index e782ced3e98..50417674968 100644 --- a/configure.ac +++ b/configure.ac @@ -10376,9 +10376,10 @@ case "$ENABLED_EX_DATA" in no) ;; yes) AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA" ;; -[[1-9]]|[[1-9]][[0-9]]) AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DMAX_EX_DATA=$ENABLED_EX_DATA" +[[1-9]]|[[1-9]][[0-9]]|[[1-9]][[0-9]][[0-9]]|[[1-9]][[0-9]][[0-9]][[0-9]]) + AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DMAX_EX_DATA=$ENABLED_EX_DATA" ;; -*) AC_MSG_ERROR([Invalid argument to --enable-context-extra-user-data -- must be yes, no, or a number from 1 to 99]) +*) AC_MSG_ERROR([Invalid argument to --enable-context-extra-user-data -- must be yes, no, or a number from 1 to 9999]) ;; esac From e64305f9ffb1552783ef342dfabb049fa4bb154b Mon Sep 17 00:00:00 2001 From: Roy Carter Date: Thu, 16 Apr 2026 13:03:08 +0300 Subject: [PATCH 2/9] Refactor - when crafting a DTLS packet max external cookie length (for hijacking) can be more than 32 in size based on RFC6347 --- wolfssl/internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 576492d05d7..86fb9ab80c4 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1569,7 +1569,7 @@ enum Misc { SEED_LEN = RAN_LEN * 2, /* tls prf seed length */ ID_LEN = 32, /* session id length */ COOKIE_SECRET_SZ = 14, /* dtls cookie secret size */ - MAX_COOKIE_LEN = 32, /* max dtls cookie size */ + MAX_COOKIE_LEN = 255, /* max dtls cookie size per RFC 6347 (opaque<0..2^8-1>) */ COOKIE_SZ = 20, /* use a 20 byte cookie */ SUITE_LEN = 2, /* cipher suite sz length */ ENUM_LEN = 1, /* always a byte */ From 564248891e7addfca7484168380b97168b046d0d Mon Sep 17 00:00:00 2001 From: Roy Carter Date: Thu, 16 Apr 2026 13:24:11 +0300 Subject: [PATCH 3/9] Refactor - Change note to support maximum of 255 (based on RFC) for that we define maximum copy of <=254 to avoid buffer overflow attempts upon exactly 255.. --- wolfssl/internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 86fb9ab80c4..620fb5cea2a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1569,7 +1569,7 @@ enum Misc { SEED_LEN = RAN_LEN * 2, /* tls prf seed length */ ID_LEN = 32, /* session id length */ COOKIE_SECRET_SZ = 14, /* dtls cookie secret size */ - MAX_COOKIE_LEN = 255, /* max dtls cookie size per RFC 6347 (opaque<0..2^8-1>) */ + MAX_COOKIE_LEN = 254, /* max dtls cookie size per RFC 6347 (opaque<0..2^8-1>) more than 254 */ COOKIE_SZ = 20, /* use a 20 byte cookie */ SUITE_LEN = 2, /* cipher suite sz length */ ENUM_LEN = 1, /* always a byte */ From ca018078f821108f27a70bf4605c702e960e003d Mon Sep 17 00:00:00 2001 From: Roy Carter Date: Thu, 16 Apr 2026 14:20:37 +0300 Subject: [PATCH 4/9] Cosmetic - fix documentation --- wolfssl/internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 620fb5cea2a..d7ac7211e6e 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1569,7 +1569,7 @@ enum Misc { SEED_LEN = RAN_LEN * 2, /* tls prf seed length */ ID_LEN = 32, /* session id length */ COOKIE_SECRET_SZ = 14, /* dtls cookie secret size */ - MAX_COOKIE_LEN = 254, /* max dtls cookie size per RFC 6347 (opaque<0..2^8-1>) more than 254 */ + MAX_COOKIE_LEN = 254, /* max dtls cookie size per RFC 6347 (opaque<0..2^8-1>) more than 254 can be malfored / malicious */ COOKIE_SZ = 20, /* use a 20 byte cookie */ SUITE_LEN = 2, /* cipher suite sz length */ ENUM_LEN = 1, /* always a byte */ From 31111287d4057b39bfd9dc9c6d3b0031aecdd1f5 Mon Sep 17 00:00:00 2001 From: Roy Carter Date: Thu, 16 Apr 2026 15:04:34 +0300 Subject: [PATCH 5/9] Cosmetic - fixed mispell --- wolfssl/internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d7ac7211e6e..74514a67eb9 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1569,7 +1569,7 @@ enum Misc { SEED_LEN = RAN_LEN * 2, /* tls prf seed length */ ID_LEN = 32, /* session id length */ COOKIE_SECRET_SZ = 14, /* dtls cookie secret size */ - MAX_COOKIE_LEN = 254, /* max dtls cookie size per RFC 6347 (opaque<0..2^8-1>) more than 254 can be malfored / malicious */ + MAX_COOKIE_LEN = 254, /* max dtls cookie size per RFC 6347 (opaque<0..2^8-1>) more than 254 can be malformed / malicious */ COOKIE_SZ = 20, /* use a 20 byte cookie */ SUITE_LEN = 2, /* cipher suite sz length */ ENUM_LEN = 1, /* always a byte */ From a8ca71be95befdaff95b971300fc94c08d4cc490 Mon Sep 17 00:00:00 2001 From: roy Date: Fri, 17 Apr 2026 15:14:26 +0300 Subject: [PATCH 6/9] Fix: Julek PR notes --- wolfssl/internal.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 74514a67eb9..382b8c04879 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1446,6 +1446,11 @@ enum { #define TLS13_TICKET_NONCE_MAX_SZ 255 +#ifndef WOLFSSL_COOKIE_LEN +/* Maximum size for a DTLS cookie */ +#define WOLFSSL_COOKIE_LEN 32 +#endif + #if (defined(HAVE_FIPS) && \ !(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) && \ defined(TLS13_TICKET_NONCE_STATIC_SZ) @@ -1569,7 +1574,7 @@ enum Misc { SEED_LEN = RAN_LEN * 2, /* tls prf seed length */ ID_LEN = 32, /* session id length */ COOKIE_SECRET_SZ = 14, /* dtls cookie secret size */ - MAX_COOKIE_LEN = 254, /* max dtls cookie size per RFC 6347 (opaque<0..2^8-1>) more than 254 can be malformed / malicious */ + MAX_COOKIE_LEN = WOLFSSL_COOKIE_LEN, /* max dtls cookie size */ COOKIE_SZ = 20, /* use a 20 byte cookie */ SUITE_LEN = 2, /* cipher suite sz length */ ENUM_LEN = 1, /* always a byte */ From 46de2b3cfd489596a0aaffe1417b7d4b5f8bbb43 Mon Sep 17 00:00:00 2001 From: Roy Carter Date: Fri, 17 Apr 2026 18:40:33 +0300 Subject: [PATCH 7/9] Fix: move define to be before the define check for TLS & PSK --- wolfssl/internal.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 382b8c04879..82fb3a8a56e 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1442,15 +1442,15 @@ enum { */ #define AEAD_SM4_CCM_LIMIT w64From32(0, (1 << 10) - 1) -#if defined(WOLFSSL_TLS13) || !defined(NO_PSK) - -#define TLS13_TICKET_NONCE_MAX_SZ 255 - #ifndef WOLFSSL_COOKIE_LEN /* Maximum size for a DTLS cookie */ #define WOLFSSL_COOKIE_LEN 32 #endif +#if defined(WOLFSSL_TLS13) || !defined(NO_PSK) + +#define TLS13_TICKET_NONCE_MAX_SZ 255 + #if (defined(HAVE_FIPS) && \ !(defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) && \ defined(TLS13_TICKET_NONCE_STATIC_SZ) From 8342738f022cb0cb1cc1f4f6830955aef556f209 Mon Sep 17 00:00:00 2001 From: Roy Carter Date: Fri, 17 Apr 2026 22:24:48 +0300 Subject: [PATCH 8/9] Fix: PR notes fixes --- configure.ac | 2 +- wolfssl/internal.h | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 50417674968..5a2c80e53ec 100644 --- a/configure.ac +++ b/configure.ac @@ -10379,7 +10379,7 @@ yes) AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA" [[1-9]]|[[1-9]][[0-9]]|[[1-9]][[0-9]][[0-9]]|[[1-9]][[0-9]][[0-9]][[0-9]]) AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DMAX_EX_DATA=$ENABLED_EX_DATA" ;; -*) AC_MSG_ERROR([Invalid argument to --enable-context-extra-user-data -- must be yes, no, or a number from 1 to 9999]) +*) AC_MSG_ERROR([Invalid argument to --enable-context-extra-user-data -- must be yes, no, or a number from 1 to 9999 (note: each index reserves one pointer per object, so large values increase memory use)]) ;; esac diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 82fb3a8a56e..6bb51f117ce 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1444,9 +1444,13 @@ enum { #ifndef WOLFSSL_COOKIE_LEN /* Maximum size for a DTLS cookie */ -#define WOLFSSL_COOKIE_LEN 32 +#define WOLFSSL_COOKIE_LEN 32 #endif +#if WOLFSSL_COOKIE_LEN > 255 +#error "WOLFSSL_COOKIE_LEN must be <= 255 per RFC 6347 (opaque<0..2^8-1>)" +#endif + #if defined(WOLFSSL_TLS13) || !defined(NO_PSK) #define TLS13_TICKET_NONCE_MAX_SZ 255 From 16fd8d4910fbdea27bbd494c12ea3333e8031cb3 Mon Sep 17 00:00:00 2001 From: Roy Carter Date: Sat, 18 Apr 2026 11:15:05 +0300 Subject: [PATCH 9/9] FIx: trailing white spaces fails the job --- configure.ac | 2 +- wolfssl/internal.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 5a2c80e53ec..040a77b9925 100644 --- a/configure.ac +++ b/configure.ac @@ -10379,7 +10379,7 @@ yes) AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA" [[1-9]]|[[1-9]][[0-9]]|[[1-9]][[0-9]][[0-9]]|[[1-9]][[0-9]][[0-9]][[0-9]]) AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DMAX_EX_DATA=$ENABLED_EX_DATA" ;; -*) AC_MSG_ERROR([Invalid argument to --enable-context-extra-user-data -- must be yes, no, or a number from 1 to 9999 (note: each index reserves one pointer per object, so large values increase memory use)]) +*) AC_MSG_ERROR([Invalid argument to --enable-context-extra-user-data -- must be yes, no, or a number from 1 to 9999 (note: each index reserves one pointer per object, so large values increase memory use)]) ;; esac diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 6bb51f117ce..1f99957d251 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1445,7 +1445,7 @@ enum { #ifndef WOLFSSL_COOKIE_LEN /* Maximum size for a DTLS cookie */ #define WOLFSSL_COOKIE_LEN 32 -#endif +#endif #if WOLFSSL_COOKIE_LEN > 255 #error "WOLFSSL_COOKIE_LEN must be <= 255 per RFC 6347 (opaque<0..2^8-1>)"