Skip to content

nginx 1.28.1 fixes #9711

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
julek-wolfssl wants to merge 1 commit into
base: master
Choose a base branch
from
Open

nginx 1.28.1 fixes #9711

julek-wolfssl wants to merge 1 commit into from
+670 −284

Conversation

@julek-wolfssl
Copy link
Member

@julek-wolfssl julek-wolfssl commented Jan 23, 2026
edited
Loading

Depends on wolfSSL/wolfssl-nginx#31

wolfssl/internal.h

  • InternalTicket struct gains a flexible array member: A new peerCert[] field (with a preceding peerCertLen[2]) is added to InternalTicket. This allows the peer's DER-encoded certificate to be stored directly inside the session ticket.
  • ExternalTicket struct becomes variable-length: The enc_ticket field is changed from a fixed-size array to a flexible array member (byte enc_ticket[]). The mac field is removed from the struct — the MAC is now placed dynamically after the encrypted data in enc_ticket.

src/internal.c

  • The GetRecordHeader function now only adds MAX_COMP_EXTRA to the maximum allowed record size when ssl->options.usingCompression is true, tightening the length validation. The max fragment length extension check is now much stricter.
  • Peer certificate is serialized into the ticket: During ticket creation, the code attempts to find the peer certificate from ssl->peerCert or from ssl->session->chain (fallback). If found and within MAX_TICKET_PEER_CERT_SZ, it's copied into it->peerCert. DTLS is explicitly excluded (peer cert length set to 0) to keep ticket size small for MTU constraints. If HAVE_MAX_FRAGMENT is defined and max fragment is not MAX_RECORD_SIZE for TLS 1.3, the cert is also skipped since SendTls13NewSessionTicket doesn't support fragmentation yet.
  • Peer certificate restoration from ticket: On successful ticket decryption, if the ticket contains a peer certificate (peerCertLen > 0), it is decoded back into ssl->peerCert via ParseCertRelative/CopyDecodedToX509, and also added to ssl->session->chain via AddSessionCertToChain.
  • The CLEAR_ASN_NO_PEM_HEADER_ERROR macro was rewritten to loop and remove all consecutive PEM no-start-line errors (not just the last one), wrapped in a do { ... } while(0) for safety.
  • The SendTicket function is simplified to use SendHandshakeMsg to support fragmenting the larger ticket.

src/x509.c

  • loadX509orX509REQFromPemBio now accepts TRUSTED_CERT_TYPE in addition to CERT_TYPE and CERTREQ_TYPE.
  • Streaming BIO support: When wolfSSL_BIO_get_len() returns ≤ 0 (e.g., pipes/FIFOs), the function no longer returns an error. Instead, it sets an initial buffer of MAX_X509_SIZE and dynamically grows (doubling) up to MAX_BIO_READ_BUFFER (MAX_X509_SIZE * 16) as data is read byte-by-byte.
  • Alternate footer detection: For TRUSTED_CERT_TYPE, the PEM reader also checks for the regular CERT_TYPE footer (-----END CERTIFICATE-----) in addition to the trusted cert footer (-----END TRUSTED CERTIFICATE-----), so it can parse either format.
  • Removed two lines that set cert->srcIdx to SIGALGO_SEQ offset. This makes cert->srcIdx reflect the end of parsed certificate data. This is used by loadX509orX509REQFromBuffer to detect where auxiliary trust data begins in trusted certificates.

src/ssl_sk.c

  • Added a STACK_TYPE_X509_CRL case to wolfssl_sk_dup_data that calls wolfSSL_X509_CRL_dup for deep-copying CRL stack elements. Previously, STACK_TYPE_X509_CRL fell through to the unsupported default case.

wolfssl/openssl/ssl.h

  • sk_X509_dup now maps to wolfSSL_shallow_sk_dup (was wolfSSL_sk_dup/deep copy). This matches OpenSSL's behavior where sk_X509_dup does a shallow copy.
  • sk_SSL_CIPHER_dup similarly changed to wolfSSL_shallow_sk_dup.

src/ssl_api_cert.c

  • When ssl->ourCert is NULL and the SSL owns its cert, the function now checks if ssl->ctx->ourCert points to the same certificate (by comparing DER buffers). If so, it returns the ctx's X509 pointer directly. This maintains pointer compatibility for applications (like nginx OCSP stapling) that use the X509* from SSL_CTX_use_certificate as a lookup key.

src/bio.c

  • When wolfssl_file_len returns WOLFSSL_BAD_FILETYPE (now returned for pipes/FIFOs), wolfSSL_BIO_get_len treats it as length 0 instead of propagating the error.

tests/test-maxfrag.conf and tests/test-maxfrag-dtls.conf

  • Removed DHE-RSA-AES256-GCM-SHA384 test entries because the ClientKeyExchange doesn't fit in the selected max fragment length.

@julek-wolfssl julek-wolfssl force-pushed the nginx-1.28.0 branch 3 times, most recently from 5f54234 to c37bd2f Compare February 5, 2026 18:55
@julek-wolfssl
Copy link
Member Author

julek-wolfssl commented Feb 5, 2026

Retest this please AgentOfflineException

@julek-wolfssl julek-wolfssl force-pushed the nginx-1.28.0 branch 2 times, most recently from 622feb1 to 1814bce Compare February 6, 2026 15:43
@julek-wolfssl julek-wolfssl marked this pull request as ready for review February 6, 2026 15:46
@julek-wolfssl julek-wolfssl self-assigned this Feb 6, 2026
@julek-wolfssl
nginx 1.28.1
9192db1 
### `wolfssl/internal.h`

- **`InternalTicket` struct gains a flexible array member**: A new `peerCert[]` field (with a preceding `peerCertLen[2]`) is added to `InternalTicket`. This allows the peer's DER-encoded certificate to be stored directly inside the session ticket.
- **`ExternalTicket` struct becomes variable-length**: The `enc_ticket` field is changed from a fixed-size array to a flexible array member (`byte enc_ticket[]`). The `mac` field is removed from the struct — the MAC is now placed dynamically after the encrypted data in `enc_ticket`.

### `src/internal.c`

- The `GetRecordHeader` function now only adds `MAX_COMP_EXTRA` to the maximum allowed record size when `ssl->options.usingCompression` is true, tightening the length validation. The max fragment length extension check is now much stricter.
- **Peer certificate is serialized into the ticket**: During ticket creation, the code attempts to find the peer certificate from `ssl->peerCert` or from `ssl->session->chain` (fallback). If found and within `MAX_TICKET_PEER_CERT_SZ`, it's copied into `it->peerCert`. DTLS is explicitly excluded (peer cert length set to 0) to keep ticket size small for MTU constraints. If `HAVE_MAX_FRAGMENT` is defined and max fragment is not `MAX_RECORD_SIZE` for TLS 1.3, the cert is also skipped since `SendTls13NewSessionTicket` doesn't support fragmentation yet.
- **Peer certificate restoration from ticket**: On successful ticket decryption, if the ticket contains a peer certificate (`peerCertLen > 0`), it is decoded back into `ssl->peerCert` via `ParseCertRelative`/`CopyDecodedToX509`, and also added to `ssl->session->chain` via `AddSessionCertToChain`.
- The `CLEAR_ASN_NO_PEM_HEADER_ERROR` macro was rewritten to loop and remove all consecutive PEM no-start-line errors (not just the last one), wrapped in a `do { ... } while(0)` for safety.
- The `SendTicket` function is simplified to use `SendHandshakeMsg` to support fragmenting the larger ticket.

---

### `src/x509.c`

- `loadX509orX509REQFromPemBio` now accepts `TRUSTED_CERT_TYPE` in addition to `CERT_TYPE` and `CERTREQ_TYPE`.
- **Streaming BIO support**: When `wolfSSL_BIO_get_len()` returns ≤ 0 (e.g., pipes/FIFOs), the function no longer returns an error. Instead, it sets an initial buffer of `MAX_X509_SIZE` and dynamically grows (doubling) up to `MAX_BIO_READ_BUFFER` (`MAX_X509_SIZE * 16`) as data is read byte-by-byte.
- **Alternate footer detection**: For `TRUSTED_CERT_TYPE`, the PEM reader also checks for the regular `CERT_TYPE` footer (`-----END CERTIFICATE-----`) in addition to the trusted cert footer (`-----END TRUSTED CERTIFICATE-----`), so it can parse either format.
- Removed two lines that set `cert->srcIdx` to `SIGALGO_SEQ` offset. This makes `cert->srcIdx` reflect the end of parsed certificate data. This is used by `loadX509orX509REQFromBuffer` to detect where auxiliary trust data begins in trusted certificates.

---

### `src/ssl_sk.c`

- Added a `STACK_TYPE_X509_CRL` case to `wolfssl_sk_dup_data` that calls `wolfSSL_X509_CRL_dup` for deep-copying CRL stack elements. Previously, `STACK_TYPE_X509_CRL` fell through to the unsupported default case.

---

### `wolfssl/openssl/ssl.h`

- `sk_X509_dup` now maps to `wolfSSL_shallow_sk_dup` (was `wolfSSL_sk_dup`/deep copy). This matches OpenSSL's behavior where `sk_X509_dup` does a shallow copy.
- `sk_SSL_CIPHER_dup` similarly changed to `wolfSSL_shallow_sk_dup`.

---

### `src/ssl_api_cert.c`

- When `ssl->ourCert` is `NULL` and the SSL owns its cert, the function now checks if `ssl->ctx->ourCert` points to the same certificate (by comparing DER buffers). If so, it returns the ctx's `X509` pointer directly. This maintains pointer compatibility for applications (like nginx OCSP stapling) that use the `X509*` from `SSL_CTX_use_certificate` as a lookup key.

### `src/bio.c`

- When `wolfssl_file_len` returns `WOLFSSL_BAD_FILETYPE` (now returned for pipes/FIFOs), `wolfSSL_BIO_get_len` treats it as length 0 instead of propagating the error.

---

### `tests/test-maxfrag.conf` and `tests/test-maxfrag-dtls.conf`

- Removed `DHE-RSA-AES256-GCM-SHA384` test entries because the ClientKeyExchange doesn't fit in the selected max fragment length.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@julek-wolfssl @wolfSSL-Bot