Filippo Valsorda has uploaded this change for review.
crypto/tls: panic on all-zero session ticket keys
This is a somewhat common bug in other implementations that completely
removes any security provided by TLS 1.0–1.2, so it seems worth refusing
to operate when it occurs.
Change-Id: I56e586b44d1eb2c68684f6ce2232a698b0286072
---
M src/crypto/tls/common.go
M src/crypto/tls/ticket.go
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
index 5b68742..aa01e67 100644
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -751,6 +751,9 @@
// ticket key to a ticketKey. Externally, session ticket keys are 32 random
// bytes and this function expands that into sufficient name and key material.
func (c *Config) ticketKeyFromBytes(b [32]byte) (key ticketKey) {
+ if b == [32]byte{} {
+ panic("tls: session ticket key is all zeroes")
+ }
hashed := sha512.Sum512(b[:])
copy(key.keyName[:], hashed[:ticketKeyNameLen])
copy(key.aesKey[:], hashed[ticketKeyNameLen:ticketKeyNameLen+16])
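Review bot: The new panic in ticketKeyFromBytes has no test in this change (the diffstat lists only common.go and ticket.go), so a later refactor could drop the guard without anything failing. A small test that passes a zero key and asserts through `recover()` that the call panics would pin the behaviour. The helper's own comment above the signature should also state the contract, for example `// It panics if b is all zeroes, because such a key gives tickets no confidentiality or integrity.` It is also worth confirming that no caller passes an unset Config.SessionTicketKey through here, since the zero value of that field would now crash instead of being treated as "not configured"; those callers are outside the hunk, and the function body continues past the last line shown.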
@@ -906,7 +909,7 @@
// The first key will be used when creating new tickets, while all keys can be
// used for decrypting tickets. It is safe to call this function while the
// server is running in order to rotate the session ticket keys. The function
-// will panic if keys is empty.
+// will panic if keys is empty or any of the keys is all zeroes.
//
// Calling this function will turn off automatic session ticket key rotation.
//
diff --git a/src/crypto/tls/ticket.go b/src/crypto/tls/ticket.go
index 6c1d20d..1a630b7 100644
--- a/src/crypto/tls/ticket.go
+++ b/src/crypto/tls/ticket.go
@@ -130,6 +130,9 @@
return nil, err
}
key := c.ticketKeys[0]
+ if key.aesKey == [16]byte{} || key.hmacKey == [16]byte{} {
+ panic("tls: internal error: session ticket keys are all zeroes")
+ }
copy(keyName, key.keyName[:])
block, err := aes.NewCipher(key.aesKey[:])
if err != nil {
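Review bot: The added guard inspects only `c.ticketKeys[0]`, the key used to issue tickets, while the comment in common.go says all keys can be used for decrypting. If the decryption path (not in this hunk) has no equivalent check, a zeroed key further down the slice would still be accepted when validating tickets. The condition also fires when just one of `aesKey` or `hmacKey` is zero, so the message could say so: `panic("tls: internal error: session ticket AES or HMAC key is all zeroes")`. Because the surrounding function already returns an error (`return nil, err` just above), consider whether failing the handshake with an error is preferable to a process-wide panic on a per-connection path. The function begins and ends outside the hunk.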
Patch set 2:Run-TryBot +1Trust +1