Enhance extra user data value and external cookie length max size #10236
Open
Roy-Carter wants to merge 8 commits into wolfSSL:master from
…hich use high scale of operations require more than 99 index options back from SSL_get_ex_new_index
…r hijacking) can be more than 32 in size based on RFC6347
…hat we define maximum copy of <=254 to avoid buffer overflow attempts upon exactly 255..
Author
@julek-wolfssl if you can please take a look, as part of the integration I've come across these 2 minor issues :)

Can one of the admins verify this patch?

Member
@Roy-Carter is an approved contributor.

Member
ok to test
julek-wolfssl
requested changes
Apr 16, 2026
Author
@julek-wolfssl can you re-run the workflows?

Member
@Roy-Carter please address test failures.
julek-wolfssl
previously approved these changes
Apr 17, 2026
Author
@julek-wolfssl can we re-run workflows?
dgarske
requested changes
Apr 17, 2026
Contributor
dgarske
left a comment
🐺 Skoll Code Review
Overall recommendation: REQUEST_CHANGES
Findings: 7 total — 6 posted, 1 skipped
Posted findings
- [High] WOLFSSL_COOKIE_LEN defined inside wrong preprocessor guard — breaks build for DTLS without TLS13/PSK — wolfssl/internal.h:1449-1452
- [Medium] PR description vs. code mismatch — default MAX_COOKIE_LEN not actually raised — wolfssl/internal.h:1451
- [Medium] cookieSz is a byte but WOLFSSL_COOKIE_LEN is unbounded — silent truncation risk when override exceeds 255 — wolfssl/internal.h:5290-5291
- [Medium] No new tests for the expanded configure range or overridable cookie length — configure.ac:10376-10382, wolfssl/internal.h:1449-1452
- [Low] Trailing whitespace in new #define and #endif — wolfssl/internal.h:1451-1452
- [Low] Error message wording — 'a number from 1 to 9999' is accurate but consider clarifying the memory tradeoff — configure.ac:10382
Skipped findings
- [Medium] MAX_EX_DATA=9999 yields very large fixed arrays (~80 KB per object) — document memory cost
Review generated by Skoll via openclaw
Author
@dgarske can you re-run the workflows? Fixed your notes
dgarske
requested changes
Apr 17, 2026
Contributor
dgarske
left a comment
trailing whitespace:
./wolfssl/internal.h:1448:#endif·
./configure.ac:10428:*) AC_MSG_ERROR([Invalid argument to --enable-context-extra-user-data -- must be yes, no, or a number from 1 to 9999 (note: each index reserves one pointer per object, so large values increase memory use)])··
Description
Enhance configuration limits and fix max size constants to align with RFCs and large-scale deployment needs.
SSL_get_ex_new_index limit raised - --enable-context-extra-user-data now accepts values up to 9999 (was 99). Large platforms with high-scale operations need more than 99 ex_data indices. I've encountered it since my code uses:
SSL_EX_DATA_IND_DTLS_SESSION = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
SSL_EX_DATA_IND_PSK = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
and on "Strong" machines on which I had 50+ cores running it, which means (2x50), I failed to initialize an index for a DTLS session.
DTLS MAX_COOKIE_LEN raised to 254 - RFC 6347 defines cookie as opaque<0..2^8-1>, so max valid length is 255. Set to 254 to prevent buffer overflow attempts at boundary. Previous value of 32 was too restrictive for legitimate external cookie use. I've encountered it while trying to inject an external cookie which had a valid length of more than 32.
Testing
Build configuration tested with --enable-context-extra-user-data values: 1, 99, 100, 999, 9999
Verified configure.ac pattern matching rejects invalid inputs (0, 10000, strings)
DTLS cookie handling reviewed for buffer safety with new MAX_COOKIE_LEN
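
The review finding that cookieSz is a byte while the cookie length macro can be overridden comes down to rejecting an oversized length before it is narrowed or copied. The following is an added example, not code from this PR or from wolfSSL; `EXAMPLE_COOKIE_LEN`, `struct example_cookie` and the functions are hypothetical names, and the 254 default is taken from the PR description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an overridable cookie-length macro. */
#ifndef EXAMPLE_COOKIE_LEN
#define EXAMPLE_COOKIE_LEN 254 /* default taken from the PR description */
#endif

/* The stored length is one byte: an override above 255 must fail the build. */
_Static_assert(EXAMPLE_COOKIE_LEN >= 1 && EXAMPLE_COOKIE_LEN <= UINT8_MAX,
               "EXAMPLE_COOKIE_LEN must fit the one-byte cookie length");

struct example_cookie {
    uint8_t len;                      /* opaque<0..2^8-1> length prefix */
    uint8_t data[EXAMPLE_COOKIE_LEN];
};

/* What an unchecked narrowing yields: 300 becomes 44, 256 becomes 0. */
static uint8_t narrowed_len(size_t n) { return (uint8_t)n; }

/* Store an external cookie; returns 0 on success, -1 if rejected. */
static int example_set_cookie(struct example_cookie *c, const uint8_t *in, size_t n)
{
    if (c == NULL || in == NULL || n == 0)
        return -1;
    if (n > sizeof(c->data))          /* check before narrowing or copying */
        return -1;
    memcpy(c->data, in, n);
    c->len = (uint8_t)n;              /* safe: n <= EXAMPLE_COOKIE_LEN */
    return 0;
}

/* Try an n-byte constructed cookie; returns the stored length or -1. */
static int example_try(size_t n)
{
    static const uint8_t sample[512] = { 0 }; /* constructed input */
    struct example_cookie c = { 0 };
    if (n > sizeof(sample) || example_set_cookie(&c, sample, n) != 0)
        return -1;
    return c.len;
}

int main(void)
{
    printf("%d %d %d unchecked=%u\n", example_try(32), example_try(254),
           example_try(300), (unsigned)narrowed_len(300));
    return 0;
}
```

Building with `-DEXAMPLE_COOKIE_LEN=300` stops at the static assertion instead of producing a binary whose length field wraps.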