Skip to content

F-5606: don't enforce DTLS 1.3 2^48-1 epoch cap on the receive side #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
julek-wolfssl wants to merge 1 commit into from
+3 −6
Closed

F-5606: don't enforce DTLS 1.3 2^48-1 epoch cap on the receive side #2

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 3 additions & 6 deletions src/tls13.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12351,12 +12351,9 @@ static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
w64wrapper newEpoch = ssl->dtls13PeerEpoch;
w64Increment(&newEpoch);

/* RFC 9147 Section 4.2.1: the epoch must not exceed 2^48-1. Reject a
* peer KeyUpdate that would advance the receiving epoch past the
* limit. Validate on a local copy so ssl->dtls13PeerEpoch is left
* untouched when the check fails. */
if (w64GT(newEpoch,
w64From32(DTLS13_EPOCH_MAX_HI32, DTLS13_EPOCH_MAX_LO32)))
/* RFC 9147 Section 8: the 2^48-1 cap is sender-only; receivers MUST
* NOT enforce it. Guard only the wrap-to-zero (Section 4.2.1). */
if (w64IsZero(newEpoch))
return BAD_STATE_E;

ssl->dtls13PeerEpoch = newEpoch;
Expand Down