Skip to content

Prevent replaying ClientHello messages when Finished message are epoch 0 #9205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
douzzer merged 2 commits into from
Oct 1, 2025
Merged

Prevent replaying ClientHello messages when Finished message are epoch 0 #9205

douzzer merged 2 commits into from
Oct 1, 2025

Conversation

@gasbytes
Copy link
Contributor

@gasbytes gasbytes commented Sep 16, 2025
edited
Loading

Description

Prevent DTLS clients from replaying ClientHello messages when receiving bogus Finished messages in epoch 0 by ensuring Finished messages are only ignored in encrypted epochs (1).

Testing

Added test case named test_dtls_bogus_finished_epoch_zero in the file tests/api/test_dtls.c.

configuration:
AM_CFLAGS='-DHAVE_AES_CBC -DWOLFSSL_AES_128 -DWOLFSSL_DEBUG_TLS' ./configure --enable-dtls --enable-dtls13 --enable-keylog-export --enable-psk --enable-rsa --enable-sha --enable-debug C_EXTRA_FLAGS=-DWOLFSSL_STATIC_PSK

issue can be seen by running the client like so:
examples/client/client -i -x -p ${some_port} -s -u -l PSK-AES128-CBC-SHA256

Addresses: #9188

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@gasbytes gasbytes self-assigned this Sep 16, 2025
@gasbytes
Copy link
Contributor Author

gasbytes commented Sep 16, 2025

Jenkins retest this please

For AgentOfflineException: Unable to create live FilePath for wolf-linux-cloud-node-[n]; wolf-linux-cloud-node-[n] was marked offline: Connection was broken

@gasbytes gasbytes marked this pull request as ready for review September 17, 2025 11:40
@gasbytes gasbytes mentioned this pull request Sep 17, 2025
Closed
JacobBarthelmeh
JacobBarthelmeh previously approved these changes Sep 17, 2025
View reviewed changes
Copy link
Contributor

@JacobBarthelmeh JacobBarthelmeh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@julek-wolfssl please also review, and merge if passing review. Thanks.

julek-wolfssl
julek-wolfssl requested changes Sep 17, 2025
View reviewed changes
@gasbytes
Prevent DTLS clients from replaying ClientHello
8f47b4b 
messages when receiving bogus Finished messages in epoch 0 by
ensuring Finished messages are only ignored in encrypted epochs (1).
@gasbytes
Copy link
Contributor Author

gasbytes commented Sep 18, 2025

Jenkins retest this please

For AgentOfflineException: Unable to create live FilePath for wolf-linux-cloud-node-[n]; wolf-linux-cloud-node-[n] was marked offline: Connection was broken

julek-wolfssl
julek-wolfssl requested changes Sep 22, 2025
View reviewed changes
@gasbytes
Copy link
Contributor Author

gasbytes commented Sep 22, 2025

Jenkins retest this please

For AgentOfflineException: Unable to create live FilePath for wolf-linux-cloud-node-[n]; wolf-linux-cloud-node-[n] was marked offline: Connection was broken

@julek-wolfssl julek-wolfssl removed their assignment Sep 22, 2025
@douzzer douzzer merged commit b3a5c96 into wolfSSL:master Oct 1, 2025
342 of 345 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@douzzer douzzer douzzer approved these changes

@julek-wolfssl julek-wolfssl julek-wolfssl approved these changes

@wolfSSL-Bot wolfSSL-Bot Awaiting requested review from wolfSSL-Bot

@JacobBarthelmeh JacobBarthelmeh Awaiting requested review from JacobBarthelmeh

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@gasbytes @douzzer @JacobBarthelmeh @julek-wolfssl @wolfSSL-Bot