More various fixes to reports from static analyzers#100
Open
gasbytes wants to merge 1 commit intowolfSSL:masterfrom
Open
More various fixes to reports from static analyzers#100gasbytes wants to merge 1 commit intowolfSSL:masterfrom
gasbytes wants to merge 1 commit intowolfSSL:masterfrom
Conversation
Contributor
gasbytes
commented
Apr 14, 2026
gasbytes
commented
- add esp encapsulation to tcp_send_empty_immediate so pure acks on ipsec
- basedd connections are not sent in plaintext when the tx fifo is full
- (and the link layer is being used)
- add esp encapsulation to tcp_send_zero_wnd_probe so zero_window probes on ipsec-protected connections are not sent in plaintext
- add esp encapsulation to wolfip_forwad_packet so forwarded ip packets
- are not sent in plaintext when the egresse interface has esp sa
- ocnfigureed
- reset sift-sdown cursor to root on each iteration of
- timers_binheapp_poop so that skipping cancelled timers does not b reak
- the min-heap invariant
- send syn-ack immediately in the listen to syn_rcvd transition instead of deferring it until accept() or the ctrl_rto timer fires.
- validate arp reply sender ip against broadcast, multicast, zero and own address before caching, matching the existing arp request handler checks
- deconfigure the offered ip address when dhcp request retries are exhausted so the device does not keep using unconfirmed lease.
- extend multicast classification tests to cover the 225-239 range and boundaries so mask constant mutations are detected
- add ssrr source routine drop test to cover 0x89 variant type branch alongside the existing lsrr test
- add multicast source address test for ip_recv to cover the wolfip_ip_is_multicast branch of the rfc 1122 source validation
- add multicast sender test for arp request validation to cover the wolfip_ip_is_multicast branch of the cache poisoning guard.
- add esp encapsulation to tcp_send_reset_reply so rst segments toward esp_protected peers are not sent in plaintext
- nclude tcp timestamp option in zero-window probes when timestamps are negotiated, per rfc 7323 (around section 3.2)
- process ack+fin segments in syn_rcvd state per rfc 9293 instead of silently discarding non-pure acks.
- Compute ICMP TTL exceeded and destination unreachable original packet
- quote size from the actual IP header length so packets with IP options
- include the full header plus 8 bytes of transport data.
- seed ipcounter with a random value at init so ip identification fields on non-df packets are not predictable from zero
- set the df bit on tcp rst replies to match the normal tcp output patch and prevent ip id observability
- zero hmac hash buffers on the stack after icv comparison and copy to prevent residual keyed hash output from persisting
- zero gcm/gmac nonce buffers on the stack after use to prevent residual implicit salt bytes from persisting
gasbytes
force-pushed
the
2026-04-14-various-fixes
branch
from
6c9bb04 to
7022abc
Compare
…psec - basedd connections are not sent in plaintext when the tx fifo is full - (and the link layer is being used) - add esp encapsulation to tcp_send_zero_wnd_probe so zero_window probes on ipsec-protected connections are not sent in plaintext - add esp encapsulation to wolfip_forwad_packet so forwarded ip packets - are not sent in plaintext when the egresse interface has esp sa - ocnfigureed - reset sift-sdown cursor to root on each iteration of - timers_binheapp_poop so that skipping cancelled timers does not b reak - the min-heap invariant - send syn-ack immediately in the listen to syn_rcvd transition instead of deferring it until accept() or the ctrl_rto timer fires. - validate arp reply sender ip against broadcast, multicast, zero and own address before caching, matching the existing arp request handler checks - deconfigure the offered ip address when dhcp request retries are exhausted so the device does not keep using unconfirmed lease. - extend multicast classification tests to cover the 225-239 range and boundaries so mask constant mutations are detected - add ssrr source routine drop test to cover 0x89 variant type branch alongside the existing lsrr test - add multicast source address test for ip_recv to cover the wolfip_ip_is_multicast branch of the rfc 1122 source validation - add multicast sender test for arp request validation to cover the wolfip_ip_is_multicast branch of the cache poisoning guard. - add esp encapsulation to tcp_send_reset_reply so rst segments toward esp_protected peers are not sent in plaintext - nclude tcp timestamp option in zero-window probes when timestamps are negotiated, per rfc 7323 (around section 3.2) - process ack+fin segments in syn_rcvd state per rfc 9293 instead of silently discarding non-pure acks. - Compute ICMP TTL exceeded and destination unreachable original packet - quote size from the actual IP header length so packets with IP options - include the full header plus 8 bytes of transport data. - seed ipcounter with a random value at init so ip identification fields on non-df packets are not predictable from zero - set the df bit on tcp rst replies to match the normal tcp output patch and prevent ip id observability - zero hmac hash buffers on the stack after icv comparison and copy to prevent residual keyed hash output from persisting - zero gcm/gmac nonce buffers on the stack after use to prevent residual implicit salt bytes from persisting
gasbytes
force-pushed
the
2026-04-14-various-fixes
branch
from
7022abc to
d0b0188
Compare
philljj
reviewed
Apr 14, 2026
| if (err == 0) { | ||
| memcpy(icv, hash, esp_sa->icv_len); | ||
| } | ||
| wc_ForceZero(hash, sizeof(hash)); |
Contributor
There was a problem hiding this comment.
I don't think force zeroing this hash is necessary.
The ICV is a public value, and is calculated from public material (the transmitted payload).
philljj
reviewed
Apr 14, 2026
| } | ||
|
|
||
| rfc4106_dec_out: | ||
| wc_ForceZero(nonce, sizeof(nonce)); |
Contributor
There was a problem hiding this comment.
Not sure this is necessary.
The nonce is
| 4 byte salt | 8 byte iv|
The iv is public, and transmitted in the packet.
The salt has no secrecy requirement per RFC4106:
Salt
The salt field is a four-octet value that is assigned at the
beginning of the security association, and then remains constant
for the life of the security association. The salt SHOULD be
unpredictable (i.e., chosen at random) before it is selected, but
need not be secret.
I guess force zeroing just the 4 byte salt portion could be justified.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.