Enhance extra user data value and external cookie length max size #10236
Roy-Carter wants to merge 9 commits into wolfSSL:master from
…hich use high scale of operations require more than 99 index options back from SSL_get_ex_new_index
…r hijacking) can be more than 32 in size based on RFC6347
…hat we define maximum copy of <=254 to avoid buffer overflow attempts upon exactly 255..
@julek-wolfssl if you can please take a look, as part of the integration I've come across these 2 minor issues :)

Can one of the admins verify this patch?

@Roy-Carter is an approved contributor.

ok to test

@julek-wolfssl can you re-run the workflows?

@Roy-Carter please address test failures.

@julek-wolfssl can we re-run workflows?

dgarske left a comment
🐺 Skoll Code Review
Overall recommendation: REQUEST_CHANGES
Findings: 7 total — 6 posted, 1 skipped
Posted findings
- [High] WOLFSSL_COOKIE_LEN defined inside wrong preprocessor guard — breaks build for DTLS without TLS13/PSK — wolfssl/internal.h:1449-1452
- [Medium] PR description vs. code mismatch — default MAX_COOKIE_LEN not actually raised — wolfssl/internal.h:1451
- [Medium] cookieSz is a byte but WOLFSSL_COOKIE_LEN is unbounded — silent truncation risk when override exceeds 255 — wolfssl/internal.h:5290-5291
- [Medium] No new tests for the expanded configure range or overridable cookie length — configure.ac:10376-10382, wolfssl/internal.h:1449-1452
- [Low] Trailing whitespace in new #define and #endif — wolfssl/internal.h:1451-1452
- [Low] Error message wording — 'a number from 1 to 9999' is accurate but consider clarifying the memory tradeoff — configure.ac:10382
Skipped findings
- [Medium] MAX_EX_DATA=9999 yields very large fixed arrays (~80 KB per object) — document memory cost
Review generated by Skoll via openclaw

@dgarske can you re-run the workflows? Fixed your notes

dgarske left a comment
trailing whitespace:
./wolfssl/internal.h:1448:#endif·
./configure.ac:10428:*) AC_MSG_ERROR([Invalid argument to --enable-context-extra-user-data -- must be yes, no, or a number from 1 to 9999 (note: each index reserves one pointer per object, so large values increase memory use)])··

@dgarske fixed the trailing whitespace, can we run the workflow?

Hey @dgarske I see tests are failing on http requests and curl setups, do you have a way to look into it and re-run tests after?

The errors appear to be network related. I retried the failing tests. Your PR code is probably fine

Description
Enhance configuration limits and fix max size constants to align with RFCs and large-scale deployment needs.
SSL_get_ex_new_index limit raised - --enable-context-extra-user-data now accepts values up to 9999 (was 99). Large platforms with high-scale operations need more than 99 ex_data indices. I've encountered it since my code uses:
SSL_EX_DATA_IND_DTLS_SESSION = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
SSL_EX_DATA_IND_PSK = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
and on "Strong" machines in which I had 50+ cores running it, which means (2x50), I failed to initialize an index for a DTLS session.
DTLS MAX_COOKIE_LEN raised to 254 - RFC 6347 defines cookie as opaque<0..2^8-1>, so max valid length is 255. Set to 254 to prevent buffer overflow attempts at boundary. Previous value of 32 was too restrictive for legitimate external cookie use. I've encountered it while trying to inject an external cookie which had a valid length of more than 32.
Testing
Build configuration tested with --enable-context-extra-user-data values: 1, 99, 100, 999, 9999
Verified configure.ac pattern matching rejects invalid inputs (0, 10000, strings)
DTLS cookie handling reviewed for buffer safety with new MAX_COOKIE_LEN
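
The truncation risk flagged in the review (a one-byte cookieSz paired with an overridable cookie length) and the RFC 6347 bound cited in the description, shown as an added example that is not code from this PR or from wolfSSL. DEMO_COOKIE_LEN, DTLS_COOKIE_WIRE_MAX, DemoCookieState, demo_narrow_len and demo_set_cookie are hypothetical names, and the sample cookie bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; these are not wolfSSL identifiers. */
#ifndef DEMO_COOKIE_LEN
#define DEMO_COOKIE_LEN 254          /* build-time override, as the PR proposes */
#endif
#define DTLS_COOKIE_WIRE_MAX 255     /* RFC 6347: cookie is opaque<0..2^8-1> */

/* Compile-time guard: refuse an override the one-byte size field cannot hold. */
_Static_assert(DEMO_COOKIE_LEN <= DTLS_COOKIE_WIRE_MAX,
               "cookie length override exceeds the one-byte length field");

typedef struct {
    unsigned char cookie[DEMO_COOKIE_LEN];
    unsigned char cookieSz;          /* 8-bit size field */
} DemoCookieState;

/* Unsafe pattern: narrowing a size_t into a byte keeps only the low 8 bits. */
unsigned char demo_narrow_len(size_t len)
{
    return (unsigned char)len;       /* 300 becomes 44, 256 becomes 0 */
}

/* Checked setter: returns 0 on success, -1 if the cookie does not fit. */
int demo_set_cookie(DemoCookieState *st, const unsigned char *in, size_t len)
{
    if (st == NULL || (in == NULL && len != 0))
        return -1;
    if (len > sizeof(st->cookie) || len > DTLS_COOKIE_WIRE_MAX)
        return -1;                   /* reject before any copy or narrowing */
    if (len != 0)
        memcpy(st->cookie, in, len);
    st->cookieSz = (unsigned char)len;   /* lossless: bound checked above */
    return 0;
}

int main(void)
{
    DemoCookieState st = {0};
    unsigned char sample[300];       /* constructed sample cookie bytes */
    memset(sample, 0xA5, sizeof(sample));
    printf("narrowed 300 -> %u\n", (unsigned)demo_narrow_len(300));
    printf("set 254 -> %d\n", demo_set_cookie(&st, sample, 254));
    printf("set 300 -> %d\n", demo_set_cookie(&st, sample, 300));
    return 0;
}
```

Building with `-DDEMO_COOKIE_LEN=300` fails at the `_Static_assert`, which turns a silent truncation into a compile error.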