[go] crypto/tls: reject trailing messages after client/server hello

Roland Shoemaker (Gerrit)

Dec 16, 2025, 2:23:08 PM
to goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Michael Knyszek, Go LUCI, Coia Prant, Daniel McCarney, Filippo Valsorda, golang-co...@googlegroups.com

Roland Shoemaker submitted the change with unreviewed changes

Unreviewed changes

Patch set 4 is the latest approved patch set. The change was submitted with unreviewed changes in the following files:

  • src/crypto/tls/handshake_test.go (insertions: 71, deletions: 39)
  • src/crypto/tls/quic.go (insertions: 1, deletions: 1)
  • src/crypto/tls/conn.go (insertions: 1, deletions: 1)

Change information

Commit message:
crypto/tls: reject trailing messages after client/server hello

For TLS 1.3, after processing the server/client hello, if there isn't a
CCS message, reject the trailing messages which were appended to the
hello messages. This prevents an on-path attacker from injecting
plaintext messages into the handshake.

Additionally, check that we don't have any buffered messages before we
switch the read traffic secret regardless, since any buffered messages
would have been under an old key which is no longer appropriate.

We also invert the ordering of setting the read/write secrets so that if
we fail when changing the read secret we send the alert using the
correct write secret.

Fixes #76443
Fixes CVE-2025-61730
Change-Id: If6ba8ad16f48d5cd5db5574824062ad4244a5b52
Reviewed-by: Michael Knyszek <mkny...@google.com>
Reviewed-by: Daniel McCarney <dan...@binaryparadox.net>
Reviewed-by: Coia Prant <coia...@gmail.com>
Files:
  • M src/crypto/tls/conn.go
  • M src/crypto/tls/handshake_client_tls13.go
  • M src/crypto/tls/handshake_server_tls13.go
  • M src/crypto/tls/handshake_test.go
  • M src/crypto/tls/quic.go
Change size: M
Delta: 5 files changed, 218 insertions(+), 31 deletions(-)
Branch: refs/heads/master
Submit Requirements:
  • Code-Review (satisfied): +2 by Daniel McCarney, +1 by Coia Prant, +1 by Michael Knyszek
  • TryBots-Pass (satisfied): LUCI-TryBot-Result +1 by Go LUCI
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: If6ba8ad16f48d5cd5db5574824062ad4244a5b52
Gerrit-Change-Number: 724120
Gerrit-PatchSet: 8
Gerrit-Owner: Roland Shoemaker <rol...@golang.org>
Gerrit-Reviewer: Coia Prant <coia...@gmail.com>
Gerrit-Reviewer: Daniel McCarney <dan...@binaryparadox.net>
Gerrit-Reviewer: Filippo Valsorda <fil...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
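The buffered-data check the commit message describes, shown as an added example that is not code from the Go project or from this change. It is a toy model of the receiving side of a TLS 1.3 handshake: records are pulled into a handshake buffer until one complete message is available, and before the read key is switched from plaintext to the handshake traffic key, any bytes still sitting in that buffer are rejected, since they arrived in plaintext and would otherwise be parsed as if they were protected messages. Record and handshake framing follow RFC 8446; the ServerHello body, the `"plaintext"`/`"handshake"` key labels and the `peer` type are illustrative assumptions, and the three input streams are constructed here.

```go
package main

import (
	"errors"
	"fmt"
)

// Record content types and handshake message types from RFC 8446.
const (
	recordTypeChangeCipherSpec byte = 20
	recordTypeHandshake        byte = 22
	typeServerHello            byte = 2
	typeEncryptedExtensions    byte = 8
)

// record is one plaintext TLS record: the header's content type plus its payload.
type record struct {
	typ     byte
	payload []byte
}

// parseRecords splits a byte stream into records. Header: type (1), version (2), length (2).
func parseRecords(stream []byte) ([]record, error) {
	var out []record
	for len(stream) > 0 {
		if len(stream) < 5 {
			return nil, errors.New("truncated record header")
		}
		n := int(stream[3])<<8 | int(stream[4])
		if len(stream) < 5+n {
			return nil, errors.New("truncated record payload")
		}
		out = append(out, record{typ: stream[0], payload: stream[5 : 5+n]})
		stream = stream[5+n:]
	}
	return out, nil
}

// peer is an assumed model of the receiving side: records not yet consumed, a buffer
// of handshake bytes read but not yet cut into messages, and a label for the read key.
type peer struct {
	records []record
	hand    []byte
	readKey string
}

// readHandshake pulls handshake records into hand until one complete message
// (4-byte header: type, 24-bit length) is available and returns it. Bytes beyond
// that message stay in hand, which is exactly what the later check inspects.
func (p *peer) readHandshake() (byte, []byte, error) {
	need := 4
	for {
		if len(p.hand) >= 4 {
			need = 4 + (int(p.hand[1])<<16 | int(p.hand[2])<<8 | int(p.hand[3]))
		}
		if len(p.hand) >= need {
			break
		}
		if len(p.records) == 0 {
			return 0, nil, errors.New("unexpected EOF in handshake")
		}
		r := p.records[0]
		p.records = p.records[1:]
		if r.typ != recordTypeHandshake {
			return 0, nil, fmt.Errorf("unexpected record type %d inside handshake message", r.typ)
		}
		p.hand = append(p.hand, r.payload...)
	}
	typ, body := p.hand[0], p.hand[4:need]
	p.hand = p.hand[need:]
	return typ, body, nil
}

// processServerHello consumes the ServerHello and returns the read key in use afterwards.
// Before switching keys it refuses to carry over any plaintext handshake bytes still in hand.
func processServerHello(stream []byte) (string, error) {
	recs, err := parseRecords(stream)
	if err != nil {
		return "", err
	}
	p := &peer{records: recs, readKey: "plaintext"}
	typ, _, err := p.readHandshake()
	if err != nil {
		return "", err
	}
	if typ != typeServerHello {
		return "", fmt.Errorf("expected ServerHello, got message type %d", typ)
	}
	// Middlebox-compatibility mode: a ChangeCipherSpec record may come next. It is a
	// separate record, not handshake payload, so skipping it leaves hand untouched.
	if len(p.records) > 0 && p.records[0].typ == recordTypeChangeCipherSpec {
		p.records = p.records[1:]
	}
	if len(p.hand) != 0 {
		return "", errors.New("tls: unexpected plaintext handshake data after ServerHello")
	}
	p.readKey = "handshake"
	return p.readKey, nil
}

// handshakeMsg and plaintextRecord build the framing for the constructed inputs below.
func handshakeMsg(typ byte, body []byte) []byte {
	n := len(body)
	return append([]byte{typ, byte(n >> 16), byte(n >> 8), byte(n)}, body...)
}

func plaintextRecord(typ byte, payload []byte) []byte {
	n := len(payload)
	return append([]byte{typ, 0x03, 0x03, byte(n >> 8), byte(n)}, payload...)
}

// Constructed inputs; the ServerHello body is a placeholder, not a real ServerHello.
var (
	serverHello = handshakeMsg(typeServerHello, []byte("server-hello-body"))
	injected    = handshakeMsg(typeEncryptedExtensions, []byte("attacker-controlled"))

	// Benign: one record carrying only the ServerHello, then a compat CCS record.
	benignStream = append(
		plaintextRecord(recordTypeHandshake, serverHello),
		plaintextRecord(recordTypeChangeCipherSpec, []byte{1})...)

	// Hostile: a plaintext message appended inside the ServerHello's own record.
	sameRecordStream = plaintextRecord(recordTypeHandshake,
		append(append([]byte{}, serverHello...), injected...))

	// Hostile: ServerHello split across two records, the second also carrying the extra message.
	splitStream = append(
		plaintextRecord(recordTypeHandshake, serverHello[:10]),
		plaintextRecord(recordTypeHandshake, append(append([]byte{}, serverHello[10:]...), injected...))...)
)

func main() {
	for name, s := range map[string][]byte{"benign": benignStream, "same-record": sameRecordStream, "split": splitStream} {
		key, err := processServerHello(s)
		fmt.Printf("%-12s key=%q err=%v\n", name, key, err)
	}
}
```

Only the benign stream reaches the handshake key; both hostile streams fail before the switch, whether the extra message rides in the same record as the ServerHello or arrives in the record that completes a split ServerHello. The model does not cover the commit's third point, setting the write secret before the read secret so that an alert raised by this check goes out under the right key.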