F-5606: don't enforce DTLS 1.3 2^48-1 epoch cap on the receive side#10627
Merged
dgarske merged 1 commit intoJun 10, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates wolfSSL’s DTLS 1.3 KeyUpdate receive-path epoch handling to align with RFC 9147 by no longer enforcing the 2^48-1 ceiling on received epochs (while still preventing the dangerous wrap-to-zero), and it also includes several TLS/DTLS conformance and crypto hardening follow-up changes that are noted as coming from the dependent PR.
Changes:
- DTLS 1.3: adjust KeyUpdate receive-side epoch advancement to only reject wrap-to-zero, while keeping sender-side epoch ceiling checks.
- TLS 1.3: tighten CertificateRequest validation (context rules, duplicate context rejection for post-handshake auth, and require
signature_algorithms). - OpenSSL-compat / protocol hardening fixes:
wolfSSL_get_verify_result(NULL)returns a non-zero X509-style error, chunkedwolfSSL_CRYPTO_memcmp, stricter ALPN/MFL response parsing, DH shared-secret right-justification fix, Camellia key schedule free, and DTLS 1.3 epoch slot eviction fix.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
wolfssl/ssl.h |
Adds an OpenSSL-compatible verify error code used by wolfSSL_get_verify_result(NULL). |
wolfssl/internal.h |
Introduces DTLS 1.3 epoch max constants used by sender-side KeyUpdate gating. |
tests/api.c |
Updates API test expectations for wolfSSL_get_verify_result(NULL). |
src/tls13.c |
Tightens TLS 1.3 CertificateRequest parsing and adjusts DTLS 1.3 KeyUpdate receive epoch logic. |
src/tls.c |
Adds stricter input validation for group setters and hardens ALPN/MFL response parsing. |
src/ssl.c |
Changes OpenSSL-compat behaviors (get_verify_result, CRYPTO_memcmp) and group count validation message. |
src/pk.c |
Fixes DH padded shared-secret right-justification for short outputs. |
src/internal.c |
Ensures Camellia key schedule is freed/zeroized before deallocation. |
src/dtls13.c |
Fixes epoch slot eviction selection and hardens sender epoch increment validation on KeyUpdate ACK. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
julek-wolfssl
force-pushed
the
fenrir-fixes-20260601-dtls13-recv-epoch
branch
from
a933eba to
5c72732
Compare
|
retest this please |
dgarske
previously approved these changes
Jun 9, 2026
dgarske
reviewed
Jun 9, 2026
dgarske
left a comment
dgarske
left a comment
Member
There was a problem hiding this comment.
Skoll Code Review
Scan type: reviewOverall recommendation: COMMENT
Findings: 2 total — 1 posted, 1 skipped
1 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [Low] Removed local-copy rationale comment loses intent documentation —
src/tls13.c:12414-12422
Skipped findings
- [Medium]
Behavior change to receive-side epoch guard has no test coverage
Review generated by Skoll
RFC 9147 Section 8's 2^48-1 epoch ceiling is a sender-only rule; the same paragraph says receiving implementations MUST NOT enforce it. The KeyUpdate receive path was rejecting a peer epoch that crossed 2^48-1, violating that. Guard only the genuine wrap-to-zero (Section 4.2.1) and let the receiving epoch advance past 2^48-1. The sender-side gates are unchanged.
julek-wolfssl
force-pushed
the
fenrir-fixes-20260601-dtls13-recv-epoch
branch
from
5c72732 to
6853bf1
Compare
dgarske
approved these changes
Jun 9, 2026
dgarske
approved these changes
Jun 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to F-5606 (#10575). RFC 9147 Section 8's
2^48-1epoch ceiling is a sender-only rule; the same paragraph states that receiving implementations MUST NOT enforce it ("In order to allow this value to be changed later").The KeyUpdate receive path in
DoTls13KeyUpdatewas rejecting a peer epoch that crossed2^48-1, which violates that requirement. This changes the receive-side guard to catch only the genuine wrap-to-zero (RFC 9147 Section 4.2.1) — which would alias epoch 0 and reuse keys — and otherwise lets the receiving (peer) epoch advance past2^48-1.The sender-side gates that keep our own epoch at or below
2^48-1(SendTls13KeyUpdate,Dtls13KeyUpdateAckReceived) are unchanged.Testing
./configure --enable-dtls13 --enable-dtlsand rebuild — compiles cleanly under-Wall -Wextra.Depends on #10575, which introduces the F-5606 code this corrects. The other commits shown here belong to #10575 and will drop out of this diff once it merges to
master.