Roland Shoemaker (Gerrit)

unread,

Nov 24, 2025, 5:05:13 PMNov 24

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Roland Shoemaker has uploaded the change for review

Commit message

crypto/tls: reject trailing messages after client/server hello

For TLS 1.3, after procesesing the server/client hello, if there isn't a
CCS message, reject the trailing messages which were appended to the
hello messages. This prevents an on-path attacker from injecting
plaintext messages into the handshake.

Fixes #76443
Fixes CVE-2025-61730

Change-Id: If6ba8ad16f48d5cd5db5574824062ad4244a5b52

Change diff

diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go
index 7018bb2..3458f42 100644
--- a/src/crypto/tls/handshake_client_tls13.go
+++ b/src/crypto/tls/handshake_client_tls13.go
@@ -507,6 +507,11 @@
 	}
 	c.curveID = hs.serverHello.serverShare.group
 
+	if c.hand.Len() != 0 {
+		c.sendAlert(alertUnexpectedMessage)
+		return errors.New("tls: handshake buffer not empty before setting traffic keys")
+	}
+
 	earlySecret := hs.earlySecret
 	if !hs.usingPSK {
 		earlySecret = tls13.NewEarlySecret(hs.suite.hash.New, nil)
diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
index c5b0552..fe887a8 100644
--- a/src/crypto/tls/handshake_server_tls13.go
+++ b/src/crypto/tls/handshake_server_tls13.go
@@ -767,6 +767,11 @@
 		return err
 	}
 
+	if c.hand.Len() != 0 {
+		c.sendAlert(alertUnexpectedMessage)
+		return errors.New("tls: handshake buffer not empty before setting traffic keys")
+	}
+
 	earlySecret := hs.earlySecret
 	if earlySecret == nil {
 		earlySecret = tls13.NewEarlySecret(hs.suite.hash.New, nil)
diff --git a/src/crypto/tls/handshake_test.go b/src/crypto/tls/handshake_test.go
index 3e2c566..0c0cbb3 100644
--- a/src/crypto/tls/handshake_test.go
+++ b/src/crypto/tls/handshake_test.go
@@ -7,6 +7,7 @@
 import (
 	"bufio"
 	"bytes"
+	"context"
 	"crypto/ed25519"
 	"crypto/x509"
 	"encoding/hex"
@@ -634,3 +635,110 @@
 -----BEGIN TESTING KEY-----
 MC4CAQAwBQYDK2VwBCIEINifzf07d9qx3d44e0FSbV4mC/xQxT644RRbpgNpin7I
 -----END TESTING KEY-----`)
+
+func TestServerHelloTrailingMessage(t *testing.T) {
+	c, s := localPipe(t)
+	go func() {
+		ctx := context.Background()
+		srv := Server(s, testConfig)
+		clientHello, _, err := srv.readClientHello(ctx)
+		if err != nil {
+			testFatal(t, err)
+		}
+
+		hs := serverHandshakeStateTLS13{
+			c:           srv,
+			ctx:         ctx,
+			clientHello: clientHello,
+		}
+		if err := hs.processClientHello(); err != nil {
+			testFatal(t, err)
+		}
+		if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
+			testFatal(t, err)
+		}
+
+		data, err := hs.hello.marshal()
+		if err != nil {
+			testFatal(t, err)
+		}
+		hs.transcript.Write(data)
+
+		eem := encryptedExtensionsMsg{alpnProtocol: "h2"}
+		eemData, err := eem.marshal()
+		if err != nil {
+			testFatal(t, err)
+		}
+
+		m := len(data) + len(eemData)
+		outBuf := make([]byte, recordHeaderLen)
+		outBuf[0] = byte(recordTypeHandshake)
+		vers := VersionTLS12
+		outBuf[1] = byte(vers >> 8)
+		outBuf[2] = byte(vers)
+		outBuf[3] = byte(m >> 8)
+		outBuf[4] = byte(m)
+		outBuf = append(outBuf, data...)
+		outBuf = append(outBuf, eemData...)
+
+		if _, err := s.Write(outBuf); err != nil {
+			testFatal(t, err)
+		}
+		srv.Close()
+	}()
+
+	cli := Client(c, testConfig)
+	expectedErr := "tls: handshake buffer not empty before setting traffic keys"
+	if err := cli.Handshake(); err == nil {
+		t.Fatal("expected error from incomplete handshake, got nil")
+	} else if err.Error() != expectedErr {
+		t.Fatalf("expected error %q, got %q", expectedErr, err.Error())
+	}
+}
+
+func TestClientHelloTrailingMessage(t *testing.T) {
+	c, s := localPipe(t)
+	go func() {
+		cli := Client(c, testConfig)
+
+		hello, _, _, err := cli.makeClientHello()
+		if err != nil {
+			testFatal(t, err)
+		}
+
+		data, err := hello.marshal()
+		if err != nil {
+			testFatal(t, err)
+		}
+
+		csm := &certificateMsgTLS13{}
+		csmData, err := csm.marshal()
+		if err != nil {
+			testFatal(t, err)
+		}
+
+		m := len(data) + len(csmData)
+		outBuf := make([]byte, recordHeaderLen)
+		outBuf[0] = byte(recordTypeHandshake)
+		vers := VersionTLS12
+		outBuf[1] = byte(vers >> 8)
+		outBuf[2] = byte(vers)
+		outBuf[3] = byte(m >> 8)
+		outBuf[4] = byte(m)
+		outBuf = append(outBuf, data...)
+		outBuf = append(outBuf, csmData...)
+
+		if _, err := c.Write(outBuf); err != nil {
+			testFatal(t, err)
+		}
+		cli.Close()
+	}()
+
+	srv := Server(s, testConfig)
+	expectedErr := "tls: handshake buffer not empty before setting traffic keys"
+	if err := srv.Handshake(); err == nil {
+		t.Fatal("expected error from incomplete handshake, got nil")
+	} else if err.Error() != expectedErr {
+		t.Fatalf("expected error %q, got %q", expectedErr, err.Error())
+	}
+}

Change information

Files:

M src/crypto/tls/handshake_client_tls13.go
M src/crypto/tls/handshake_server_tls13.go
M src/crypto/tls/handshake_test.go

Change size: M

Delta: 3 files changed, 118 insertions(+), 0 deletions(-)

Open in Gerrit

Related details

Attention set is empty

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Nov 24, 2025, 5:05:30 PMNov 24

to goph...@pubsubhelper.golang.org, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda

Roland Shoemaker voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Nov 24, 2025, 7:34:14 PMNov 24

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda

Roland Shoemaker uploaded new patchset

Roland Shoemaker uploaded patch set #2 to this change.

Following approvals got outdated and were removed:

TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Nov 24, 2025, 7:35:25 PMNov 24

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda

Roland Shoemaker uploaded new patchset

Roland Shoemaker uploaded patch set #3 to this change.

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Nov 24, 2025, 7:35:37 PMNov 24

to goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda

Roland Shoemaker voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Nov 25, 2025, 1:07:55 AMNov 25

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Coia Prant added 1 comment

File src/crypto/tls/conn.go

Line 1678, Patchset 3 (Latest):func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error {

Coia Prant . unresolved

I have some concerns about the current fix.

`setReadTrafficSecret` is invoked before `setWriteTrafficKeys`, which means any alert generated during this window may be sent under older traffic keys (or even plaintext). 
 
Also, adding checks during early traffic is unnecessary, since no handshake messages have been processed yet.

A more reliable approach would be:

1. Add a guard at the very beginning of the HRR handling path to ensure we never process a second ClientHello that arrived as leftover fragments from a previous handshake.

2. Perform the unexpected-message check only after `setWriteTrafficKeys`, ensuring any alert is always encrypted under the correct traffic keys.

This avoids sending plaintext alerts and ensures correctness across both HRR and main handshake flows.

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda
Roland Shoemaker

Submit Requirements:

Code-Review

No-Unresolved-Comments

Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Nov 25, 2025, 4:51:43 AMNov 25

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Coia Prant added 1 comment

File src/crypto/tls/conn.go

Line 1678, Patchset 3 (Latest):func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error {

Coia Prant . unresolved

I have some concerns about the current fix.
`setReadTrafficSecret` is invoked before `setWriteTrafficKeys`, which means any alert generated during this window may be sent under older traffic keys (or even plaintext). 
 
Also, adding checks during early traffic is unnecessary, since no handshake messages have been processed yet.
A more reliable approach would be:
1. Add a guard at the very beginning of the HRR handling path to ensure we never process a second ClientHello that arrived as leftover fragments from a previous handshake.
2. Perform the unexpected-message check only after `setWriteTrafficKeys`, ensuring any alert is always encrypted under the correct traffic keys.
This avoids sending plaintext alerts and ensures correctness across both HRR and main handshake flows.

Coia Prant

And, since ServerHello has been sent/received and the client or server has changed the key at this time, sending a plaintext Alert will cause the peer to throw a `bad_record_mac` alert (decrypt failed)

unsatisfied_requirement

satisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Nov 25, 2025, 12:07:50 PMNov 25

to goph...@pubsubhelper.golang.org, Coia Prant, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Coia Prant and Filippo Valsorda

Roland Shoemaker added 1 comment

File src/crypto/tls/conn.go

Line 1678, Patchset 3 (Latest):func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error {

Coia Prant . unresolved

I have some concerns about the current fix.
`setReadTrafficSecret` is invoked before `setWriteTrafficKeys`, which means any alert generated during this window may be sent under older traffic keys (or even plaintext). 
 
Also, adding checks during early traffic is unnecessary, since no handshake messages have been processed yet.
A more reliable approach would be:
1. Add a guard at the very beginning of the HRR handling path to ensure we never process a second ClientHello that arrived as leftover fragments from a previous handshake.
2. Perform the unexpected-message check only after `setWriteTrafficKeys`, ensuring any alert is always encrypted under the correct traffic keys.
This avoids sending plaintext alerts and ensures correctness across both HRR and main handshake flows.

Coia Prant

And, since ServerHello has been sent/received and the client or server has changed the key at this time, sending a plaintext Alert will cause the peer to throw a `bad_record_mac` alert (decrypt failed)

Roland Shoemaker

Good catch on the alert, I think just inverting the read/write secret calls fixes this issue.

I don't think there is a downside to doing this at all of the read secret callsite changes though. While this has the most impact when switching from plaintext to encrypted records, we really shouldn't be consuming messages at that were encrypted under one secret after we have switched to another and are expecting subsequent messages to be using that secret. While there isn't as explicit abuse that can be used, it is still an unexpected behavior that violates the protocol expectations.

Open in Gerrit

Related details

Attention is currently required from:

Coia Prant
Filippo Valsorda

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Nov 25, 2025, 12:19:53 PMNov 25

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Coia Prant added 1 comment

File src/crypto/tls/conn.go

Line 1678, Patchset 3 (Latest):func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error {

Coia Prant . unresolved

I have some concerns about the current fix.
`setReadTrafficSecret` is invoked before `setWriteTrafficKeys`, which means any alert generated during this window may be sent under older traffic keys (or even plaintext). 
 
Also, adding checks during early traffic is unnecessary, since no handshake messages have been processed yet.
A more reliable approach would be:
1. Add a guard at the very beginning of the HRR handling path to ensure we never process a second ClientHello that arrived as leftover fragments from a previous handshake.
2. Perform the unexpected-message check only after `setWriteTrafficKeys`, ensuring any alert is always encrypted under the correct traffic keys.
This avoids sending plaintext alerts and ensures correctness across both HRR and main handshake flows.

Coia Prant

And, since ServerHello has been sent/received and the client or server has changed the key at this time, sending a plaintext Alert will cause the peer to throw a `bad_record_mac` alert (decrypt failed)

Roland Shoemaker

Good catch on the alert, I think just inverting the read/write secret calls fixes this issue.
I don't think there is a downside to doing this at all of the read secret callsite changes though. While this has the most impact when switching from plaintext to encrypted records, we really shouldn't be consuming messages at that were encrypted under one secret after we have switched to another and are expecting subsequent messages to be using that secret. While there isn't as explicit abuse that can be used, it is still an unexpected behavior that violates the protocol expectations.

Coia Prant

Yes, exactly.

During the HRR path we never switch the read-traffic secret, so it is crucial that we do not accidentally consume leftover fragments from the previous handshake as if they belonged to the second ClientHello. Any such fragments must be rejected before entering the HRR processing path.

Please take special care to ensure that no pre-HRR residual data is interpreted as part of the new ClientHello.

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda
Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Nov 25, 2025, 12:30:18 PMNov 25

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Coia Prant added 1 comment

File src/crypto/tls/handshake_client_tls13.go

Line 510, Patchset 3 (Latest): if c.hand.Len() != 0 {

Coia Prant . unresolved

This check is performed in `setReadTrafficSecret`, which is unnecessary here; please remove it.

unsatisfied_requirement

satisfied_requirement

open

diffy

Filippo Valsorda (Gerrit)

unread,

Nov 25, 2025, 7:12:00 PMNov 25

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Coia Prant, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Roland Shoemaker

Filippo Valsorda added 7 comments

File src/crypto/tls/conn.go

Line 227, Patchset 3 (Latest):func (hc *halfConn) setTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) {

Filippo Valsorda . unresolved

Add a comment saying this must not be called directly, but only through the Conn wrappers.

Line 1678, Patchset 3 (Latest):func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error {

Filippo Valsorda . unresolved

Add a comment saying this must always be called after setWriteTrafficSecret, if they are both being called.

Line 1678, Patchset 3 (Latest):func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error {

Coia Prant . unresolved

I have some concerns about the current fix.
`setReadTrafficSecret` is invoked before `setWriteTrafficKeys`, which means any alert generated during this window may be sent under older traffic keys (or even plaintext). 
 
Also, adding checks during early traffic is unnecessary, since no handshake messages have been processed yet.
A more reliable approach would be:
1. Add a guard at the very beginning of the HRR handling path to ensure we never process a second ClientHello that arrived as leftover fragments from a previous handshake.
2. Perform the unexpected-message check only after `setWriteTrafficKeys`, ensuring any alert is always encrypted under the correct traffic keys.
This avoids sending plaintext alerts and ensures correctness across both HRR and main handshake flows.

Coia Prant

And, since ServerHello has been sent/received and the client or server has changed the key at this time, sending a plaintext Alert will cause the peer to throw a `bad_record_mac` alert (decrypt failed)

Roland Shoemaker

Good catch on the alert, I think just inverting the read/write secret calls fixes this issue.
I don't think there is a downside to doing this at all of the read secret callsite changes though. While this has the most impact when switching from plaintext to encrypted records, we really shouldn't be consuming messages at that were encrypted under one secret after we have switched to another and are expecting subsequent messages to be using that secret. While there isn't as explicit abuse that can be used, it is still an unexpected behavior that violates the protocol expectations.

Coia Prant

Yes, exactly.
During the HRR path we never switch the read-traffic secret, so it is crucial that we do not accidentally consume leftover fragments from the previous handshake as if they belonged to the second ClientHello. Any such fragments must be rejected before entering the HRR processing path.
Please take special care to ensure that no pre-HRR residual data is interpreted as part of the new ClientHello.

Filippo Valsorda

I am not sure I understand why the pre-HRR check matters. Since there is no encryption either before or after, any attacker can reorder

Client -> Server: [CH, EXTRA_MSG]
Server -> Client: [HRR]
Client -> Server: [CH]

to

Client -> Server: [CH]
Server -> Client: [HRR]
Client -> Server: [EXTRA_MSG, CH]

to get the exact same server behavior, even if the server checks there are no extra messages in the first flight, right?

(We can still add the check, but I would like to make sure I understand the attack correctly. Also, I'd like to understand if the check in setReadTrafficSecret is sufficient for security.)

File src/crypto/tls/handshake_client_tls13.go

Line 850, Patchset 3 (Parent): }

Filippo Valsorda . unresolved

setWriteTrafficSecret doesn't do the check, so this check is being removed.

I don't actually get why this check is here, since we are changing write secrets, but we should be sure we don't need it / know why it was there.

File src/crypto/tls/handshake_server_tls13.go

Line 773, Patchset 3 (Latest): }

Filippo Valsorda . unresolved

This is also redundant with setReadTrafficSecret.

Line 936, Patchset 3 (Parent): }

Filippo Valsorda . unresolved

Same.

File src/crypto/tls/quic.go

Open in Gerrit

Related details

Attention is currently required from:

Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Nov 25, 2025, 11:54:49 PMNov 25

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Roland Shoemaker

Coia Prant added 1 comment

File src/crypto/tls/conn.go

Coia Prant

If the client sends the [CH, CH2] fragments inside the same record:

Client → Server: [CH, CH2]
Server → Client: [HRR] [SH] …

then having two ClientHello messages in a single record is a protocol
violation. Without the check, the server will process CH2 and perform
unnecessary ECDHE/key schedule work (a minor DoS and a state-machine
violation).

However, an active attacker can still do:

Client → Server: [CH], [CH2]
Server → Client: [HRR] [SH] …

and this cannot be prevented under the current plaintext architecture.

So the pre-HRR check is not cryptographic protection; it only enforces
state-machine correctness and avoids unnecessary work.

This applies to the client side as well.

Alternatively, adding a cookie to HRR would also address both issues at
once.

For your assessment.

Open in Gerrit

Related details

Attention is currently required from:

Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Nov 26, 2025, 12:02:11 AMNov 26

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

File src/crypto/tls/conn.go

Coia Prant

The HRR cookie is indeed designed to prevent the client from “predicting”
the HRR and sending a second ClientHello (CH2) before actually receiving it.
However, an active attacker can simply avoid triggering HRR entirely by sending a supported key share, which bypasses the cookie mechanism altogether.

So whether we add this pre-HRR check or rely on the HRR cookie, both options only address specific malformed-flight cases.
These remarks are only about state-machine correctness and minor DoS hardening.

Both comments are for your consideration.

Open in Gerrit

Related details

Attention is currently required from:

Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Nov 26, 2025, 12:25:42 AMNov 26

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Roland Shoemaker

Coia Prant added 2 comments

File src/crypto/tls/handshake_client_tls13.go

Line 850, Patchset 3 (Parent): }

Filippo Valsorda . unresolved

setWriteTrafficSecret doesn't do the check, so this check is being removed.
I don't actually get why this check is here, since we are changing write secrets, but we should be sure we don't need it / know why it was there.

Coia Prant

I also have doubts about this check.
Even though it exists, it lacked return, so the flow continues as if nothing happened.

For QUIC, `sendAlert` only calls `c.out.setErrorLocked`, and this error is
checked only in `(*Conn).Write`, not in `writeRecordLocked`.
In other words,
there is no actual alert transmission or handshake abort at this point.

So this check never prevented any behavior in practice.
It looked like a state validation, but without a return (or a QUIC-level abort), it had no real effect.

File src/crypto/tls/quic.go

Open in Gerrit

Related details

Attention is currently required from:

Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Nov 26, 2025, 12:28:05 AMNov 26

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Roland Shoemaker

Coia Prant added 1 comment

File src/crypto/tls/handshake_client_tls13.go

Line 850, Patchset 3 (Parent): }

Filippo Valsorda . unresolved

setWriteTrafficSecret doesn't do the check, so this check is being removed.
I don't actually get why this check is here, since we are changing write secrets, but we should be sure we don't need it / know why it was there.

Coia Prant

I also have doubts about this check.
Even though it exists, it lacked return, so the flow continues as if nothing happened.
For QUIC, `sendAlert` only calls `c.out.setErrorLocked`, and this error is
checked only in `(*Conn).Write`, not in `writeRecordLocked`.
In other words,
there is no actual alert transmission or handshake abort at this point.
So this check never prevented any behavior in practice.
It looked like a state validation, but without a return (or a QUIC-level abort), it had no real effect.

Coia Prant

This check is still present in other places where it was removed, and the same lack of return does not interrupt the handshake process.

Open in Gerrit

Related details

Attention is currently required from:

Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Nov 26, 2025, 1:01:20 AMNov 26

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Roland Shoemaker

Coia Prant added 1 comment

File src/crypto/tls/conn.go

Line 983, Patchset 3 (Latest): if !c.buffering {

Coia Prant . unresolved

I don't understand why this branch exists.

`c.flush` will attempt to flush the out buffer into `c.conn`.

But for QUIC:

we never use the record-layer buffer, and
`c.conn` is always nil, if `c.flush` calling `c.conn.Write` would panic.

This path should be unreachable for QUIC, and its presence is confusing.
I think we probably need a separate CL to clean this up.

Open in Gerrit

Related details

Attention is currently required from:

Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Nov 26, 2025, 1:28:32 AMNov 26

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Roland Shoemaker

Coia Prant added 1 comment

File src/crypto/tls/handshake_client_tls13.go

Line 850, Patchset 3 (Parent): }

Filippo Valsorda . unresolved

setWriteTrafficSecret doesn't do the check, so this check is being removed.
I don't actually get why this check is here, since we are changing write secrets, but we should be sure we don't need it / know why it was there.

Coia Prant

I also have doubts about this check.
Even though it exists, it lacked return, so the flow continues as if nothing happened.
For QUIC, `sendAlert` only calls `c.out.setErrorLocked`, and this error is
checked only in `(*Conn).Write`, not in `writeRecordLocked`.
In other words,
there is no actual alert transmission or handshake abort at this point.
So this check never prevented any behavior in practice.
It looked like a state validation, but without a return (or a QUIC-level abort), it had no real effect.

Coia Prant

This check is still present in other places where it was removed, and the same lack of return does not interrupt the handshake process.

Coia Prant

According to the QUIC specification, QUIC removes legacy TLS 1.3 compatibility layers (for middlebox),
such as explicit session_id, Alert, and ChangeCipherSpec messages.

This check aligns with what we are trying to do, but unfortunately, because it lacks `return`, it has no effect in practice.

Therefore, removing this check is safe and does not affect correctness or security.

I think this might answer your question.

Open in Gerrit

Related details

Attention is currently required from:

Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Nov 26, 2025, 8:55:17 AMNov 26

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Roland Shoemaker

Coia Prant added 1 comment

File src/crypto/tls/handshake_client_tls13.go

Line 850, Patchset 3 (Parent): }

Filippo Valsorda . unresolved

setWriteTrafficSecret doesn't do the check, so this check is being removed.
I don't actually get why this check is here, since we are changing write secrets, but we should be sure we don't need it / know why it was there.

Coia Prant

I also have doubts about this check.
Even though it exists, it lacked return, so the flow continues as if nothing happened.
For QUIC, `sendAlert` only calls `c.out.setErrorLocked`, and this error is
checked only in `(*Conn).Write`, not in `writeRecordLocked`.
In other words,
there is no actual alert transmission or handshake abort at this point.
So this check never prevented any behavior in practice.
It looked like a state validation, but without a return (or a QUIC-level abort), it had no real effect.

Coia Prant

This check is still present in other places where it was removed, and the same lack of return does not interrupt the handshake process.

Coia Prant

According to the QUIC specification, QUIC removes legacy TLS 1.3 compatibility layers (for middlebox),
such as explicit session_id, Alert, and ChangeCipherSpec messages.
This check aligns with what we are trying to do, but unfortunately, because it lacks `return`, it has no effect in practice.
Therefore, removing this check is safe and does not affect correctness or security.
I think this might answer your question.

Coia Prant

After reviewing the original QUIC CL (https://go.dev/cl/493655):

QUIC has two issues that were already raised in the current CL, and I don’t see additional problems.

However, I should clarify one detail:
`c.out.err` is checked when `c.handshakeErr` is non-nil on QUIC, but because the check lacked return, the handshake flow would continue executing and `c.handshakeErr` will not be set.
Unless another error is returned later, and the new error will overwrite `c.out.err`.

Open in Gerrit

Related details

Attention is currently required from:

Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Dec 3, 2025, 3:24:34 PM (13 days ago) Dec 3

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Coia Prant and Filippo Valsorda

Roland Shoemaker uploaded new patchset

Roland Shoemaker uploaded patch set #4 to this change.

Following approvals got outdated and were removed:

TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

Open in Gerrit

Related details

Attention is currently required from:

Coia Prant
Filippo Valsorda

Submit Requirements:

Code-Review

No-Unresolved-Comments

Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Dec 3, 2025, 3:24:34 PM (13 days ago) Dec 3

to goph...@pubsubhelper.golang.org, Coia Prant, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Coia Prant and Filippo Valsorda

Roland Shoemaker added 9 comments

File src/crypto/tls/conn.go

Line 227, Patchset 3:func (hc *halfConn) setTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) {

Filippo Valsorda . resolved

Add a comment saying this must not be called directly, but only through the Conn wrappers.

Roland Shoemaker

Done

Line 983, Patchset 3: if !c.buffering {

Coia Prant . resolved

I don't understand why this branch exists.
`c.flush` will attempt to flush the out buffer into `c.conn`.
But for QUIC:
we never use the record-layer buffer, and
`c.conn` is always nil, if `c.flush` calling `c.conn.Write` would panic.
This path should be unreachable for QUIC, and its presence is confusing.
I think we probably need a separate CL to clean this up.

Roland Shoemaker

Lets address this in a follow-up.

Line 1678, Patchset 3:func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error {

Filippo Valsorda . resolved

Add a comment saying this must always be called after setWriteTrafficSecret, if they are both being called.

Roland Shoemaker

Done

Line 1678, Patchset 3:func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error {

Coia Prant . resolved

Roland Shoemaker

Seems fine to add this additional check.

File src/crypto/tls/handshake_client_tls13.go

Line 510, Patchset 3: if c.hand.Len() != 0 {

Coia Prant . resolved

This check is performed in `setReadTrafficSecret`, which is unnecessary here; please remove it.

Roland Shoemaker

Done

Line 850, Patchset 3 (Parent): }

Filippo Valsorda . resolved

Roland Shoemaker

I think it depends on how the higher-level QUIC implementation handled alerts. In the experimental x/net QUIC impl, seeing an alert is fatal, so the return was not strictly necessary because the handshake would immediately terminate anyway and the connection would be torn down.

That said, I think we are all in agreement that this didn't really make sense to begin with, so removing it is fine.

File src/crypto/tls/handshake_server_tls13.go

Line 773, Patchset 3: }

Filippo Valsorda . resolved

This is also redundant with setReadTrafficSecret.

Roland Shoemaker

Done

Line 936, Patchset 3 (Parent): }

Filippo Valsorda . resolved

Same.

Roland Shoemaker

Done

File src/crypto/tls/quic.go

Open in Gerrit

Related details

Attention is currently required from:

Coia Prant
Filippo Valsorda

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Dec 3, 2025, 3:24:43 PM (13 days ago) Dec 3

to goph...@pubsubhelper.golang.org, Coia Prant, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Coia Prant and Filippo Valsorda

Roland Shoemaker voted Commit-Queue+1

Commit-Queue

+1

unsatisfied_requirement

satisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Dec 3, 2025, 3:46:58 PM (13 days ago) Dec 3

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Coia Prant added 2 comments

File src/crypto/tls/handshake_client_tls13.go

Coia Prant

This is true for received alerts.

But for the sent alert, after `handshakeFn` exits at handshakeContext, if the `c.handshakeErr != nil` will report a wrapped error (`c.out.err`) to the quic layer.

That is, if the return is missing here, the `c.handshakeErr` is not set and no handshake error is thrown

I think you can force an error to be thrown here without return to see if `quic-go` works.

However, this code has been removed, and there seems to be no need to worry about it.

My suggestion: For future work, all sendAlert should be followed by a return to avoid this "empty check" problem.

File src/crypto/tls/quic.go

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda
Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Dec 3, 2025, 4:06:43 PM (13 days ago) Dec 3

to goph...@pubsubhelper.golang.org, Go LUCI, Coia Prant, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda

Roland Shoemaker voted and added 1 comment

Votes added by Roland Shoemaker

TryBot-Bypass

+1

1 comment

Patchset-level comments

File-level comment, Patchset 4 (Latest):

Roland Shoemaker . resolved

Unrelated failure.

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Daniel McCarney (Gerrit)

unread,

Dec 10, 2025, 1:54:52 PM (6 days ago) Dec 10

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Coia Prant, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Daniel McCarney voted and added 9 comments

Votes added by Daniel McCarney

Code-Review

+2

9 comments

File src/crypto/tls/conn.go

Line 1343, Patchset 4 (Parent): c.in.setTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret)

Daniel McCarney . unresolved

I think moving this to L1365 is to address the case called out in the comment on `setWriteTrafficSecret` and in earlier reviews w.r.t alerts. If that's accurate, then this it feels like an independent bug fix separate from the trailing message content and probably deserves some explicit mention in the commit message. In an ideal world it might even be fixed ahead of this CR in a separate commit.

A similar reordering happens for the `c.out` vs `c.in` traffic secret assignment in `handshake_server_tls13.go`.

Line 1584, Patchset 4 (Latest): if err := c.quicSetReadSecret(QUICEncryptionLevelApplication, c.cipherSuite, c.in.trafficSecret); err != nil {

Daniel McCarney . unresolved

nit: this is pre-existing, but it seems a little awkward that `Conn.quicSet[Read|Write]Secret` and `halfConn.setTrafficSecret`/`Conn.set[Read|Write]TrafficSecret` all take the same three args (a ciphersuite, a quic enc level, and a secret) but do it in different order; the QUIC version puts the the QUIC enc level first, and the halfConn/Conn functions put it second.

I don't know that it's worth fixing here/now, but occurred to me while looking at the diff.

Line 1688, Patchset 4 (Latest): // read keys, since that can cause messags to be parsed that were encrypted

Daniel McCarney . unresolved

typo: messags -> messages

File src/crypto/tls/handshake_server_tls13.go

Line 562, Patchset 4 (Latest): if c.hand.Len() != 0 {

Daniel McCarney . unresolved

WDYT about adding unit test coverage for this new HRR check as well?

Line 934, Patchset 4 (Parent): // TODO: Handle this in setTrafficSecret?

Daniel McCarney . resolved

Prophetic :-)

File src/crypto/tls/handshake_test.go

Line 673, Patchset 4 (Latest): m := len(data) + len(eemData)

Daniel McCarney . unresolved

Maybe worth a comment here, or on the `func TestServerHelloTrailingMessage(...)` def, to describe that this is the key part of the test: concatting a single record that contains both the expected server hello and a trailing unencrypted encrypted extensions message, and that `eemData` will be left in the conn buffer after the client processes the expected server hello.

Alternatively, it might be clearer (and reduce some duplication between the client/server tests) if you pulled out a helper to do the `outBuf` construction for two input messages and gave it a name like `conjoinedRecord`?

Line 699, Patchset 4 (Latest):func TestClientHelloTrailingMessage(t *testing.T) {

Daniel McCarney . unresolved

ditto for this test: maybe worth a comment summarizing the overall approach being used slash switching to a helper for the triggering record construction.

File src/crypto/tls/quic.go

Line 407, Patchset 4 (Latest): // read keys, since that can cause messags to be parsed that were encrypted

Daniel McCarney . unresolved

typo: messags -> messages

Line 409, Patchset 4 (Latest): // TODO(roland): we should merge this check with the similar one in setReadTrafficSecret.

Daniel McCarney . unresolved

Should this TODO be addressed before merge? It seems like a small change.

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda
Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments

Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Dec 15, 2025, 2:27:24 PM (yesterday) Dec 15

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Roland Shoemaker uploaded new patchset

Roland Shoemaker uploaded patch set #5 to this change.

Following approvals got outdated and were removed:

TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI, TryBot-Bypass+1 by Roland Shoemaker

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda
Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments

Review-Enforcement

TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Dec 15, 2025, 2:27:25 PM (yesterday) Dec 15

to goph...@pubsubhelper.golang.org, Daniel McCarney, Go LUCI, Coia Prant, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Roland Shoemaker added 8 comments

File src/crypto/tls/conn.go

Line 1343, Patchset 4 (Parent): c.in.setTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret)

Daniel McCarney . resolved

I think moving this to L1365 is to address the case called out in the comment on `setWriteTrafficSecret` and in earlier reviews w.r.t alerts. If that's accurate, then this it feels like an independent bug fix separate from the trailing message content and probably deserves some explicit mention in the commit message. In an ideal world it might even be fixed ahead of this CR in a separate commit.
A similar reordering happens for the `c.out` vs `c.in` traffic secret assignment in `handshake_server_tls13.go`.

Roland Shoemaker

I think its fine to do these together, since its tightly coupled. I'll add a note to the commit noting this change.

Line 1584, Patchset 4: if err := c.quicSetReadSecret(QUICEncryptionLevelApplication, c.cipherSuite, c.in.trafficSecret); err != nil {

Daniel McCarney . resolved

nit: this is pre-existing, but it seems a little awkward that `Conn.quicSet[Read|Write]Secret` and `halfConn.setTrafficSecret`/`Conn.set[Read|Write]TrafficSecret` all take the same three args (a ciphersuite, a quic enc level, and a secret) but do it in different order; the QUIC version puts the the QUIC enc level first, and the halfConn/Conn functions put it second.
I don't know that it's worth fixing here/now, but occurred to me while looking at the diff.

Roland Shoemaker

I agree its weird. I think if we collapse `quicSet[Read|Write]Secret` and `set[Read|Write]TrafficSecret` we can resolve this, but I think we should do this as a follow up.

Line 1688, Patchset 4: // read keys, since that can cause messags to be parsed that were encrypted

Daniel McCarney . resolved

typo: messags -> messages

Roland Shoemaker

Done

File src/crypto/tls/handshake_server_tls13.go

Line 562, Patchset 4: if c.hand.Len() != 0 {

Daniel McCarney . resolved

WDYT about adding unit test coverage for this new HRR check as well?

Roland Shoemaker

Done

File src/crypto/tls/handshake_test.go

Line 673, Patchset 4: m := len(data) + len(eemData)

Daniel McCarney . resolved

Maybe worth a comment here, or on the `func TestServerHelloTrailingMessage(...)` def, to describe that this is the key part of the test: concatting a single record that contains both the expected server hello and a trailing unencrypted encrypted extensions message, and that `eemData` will be left in the conn buffer after the client processes the expected server hello.
Alternatively, it might be clearer (and reduce some duplication between the client/server tests) if you pulled out a helper to do the `outBuf` construction for two input messages and gave it a name like `conjoinedRecord`?

Roland Shoemaker

Done, I don't think these tests can be reasonably collapsed, since we need to do some confusing setup in a couple of the cases which makes making it generic a bit complicated.

Line 699, Patchset 4:func TestClientHelloTrailingMessage(t *testing.T) {

Daniel McCarney . resolved

ditto for this test: maybe worth a comment summarizing the overall approach being used slash switching to a helper for the triggering record construction.

Roland Shoemaker

Done

File src/crypto/tls/quic.go

Line 407, Patchset 4: // read keys, since that can cause messags to be parsed that were encrypted

Daniel McCarney . resolved

typo: messags -> messages

Roland Shoemaker

Done

Line 409, Patchset 4: // TODO(roland): we should merge this check with the similar one in setReadTrafficSecret.

Daniel McCarney . resolved

Should this TODO be addressed before merge? It seems like a small change.

Roland Shoemaker

I think it's actually a little more complicated to do than it seems, since we don't always do the quic versions in the same places as the pure-TLS versions. We should definitely collapse these, but I don't think it's urgent enough to do now.

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda
Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Dec 15, 2025, 2:27:40 PM (yesterday) Dec 15

to goph...@pubsubhelper.golang.org, Daniel McCarney, Go LUCI, Coia Prant, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda

Roland Shoemaker voted

Auto-Submit	+1
Commit-Queue	+1

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Dec 15, 2025, 2:46:04 PM (24 hours ago) Dec 15

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Roland Shoemaker uploaded new patchset

Roland Shoemaker uploaded patch set #6 to this change.

Following approvals got outdated and were removed:

TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda
Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Dec 15, 2025, 2:46:12 PM (24 hours ago) Dec 15

to goph...@pubsubhelper.golang.org, Go LUCI, Daniel McCarney, Coia Prant, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda

Roland Shoemaker voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Coia Prant (Gerrit)

unread,

Dec 15, 2025, 2:53:10 PM (24 hours ago) Dec 15

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Daniel McCarney, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Coia Prant voted and added 1 comment

Votes added by Coia Prant

Code-Review

+1

1 comment

File src/crypto/tls/handshake_client_tls13.go

Line 234, Patchset 6 (Parent):func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {

Coia Prant . resolved

Perhaps we should add HRR checks to the client as well, but I'm unsure if this will lead to patch fingerprinting.

Let's leave it as it is for now.

Perhaps we should determine BoringSSL's actual behavior on this for reference.

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda
Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Dec 15, 2025, 4:29:05 PM (22 hours ago) Dec 15

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Roland Shoemaker uploaded new patchset

Roland Shoemaker uploaded patch set #7 to this change.

Following approvals got outdated and were removed:

TryBots-Pass: LUCI-TryBot-Result-1 by Go LUCI

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda
Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

Dec 15, 2025, 4:30:13 PM (22 hours ago) Dec 15

to goph...@pubsubhelper.golang.org, Go LUCI, Coia Prant, Daniel McCarney, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda

Roland Shoemaker voted Commit-Queue+1

Commit-Queue

+1

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda

Submit Requirements:

Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Michael Knyszek (Gerrit)

unread,

11:17 AM (3 hours ago) 11:17 AM

to Roland Shoemaker, goph...@pubsubhelper.golang.org, Go LUCI, Coia Prant, Daniel McCarney, Filippo Valsorda, golang-co...@googlegroups.com

Attention needed from Filippo Valsorda and Roland Shoemaker

Michael Knyszek voted Code-Review+1

Code-Review

+1

Open in Gerrit

Related details

Attention is currently required from:

Filippo Valsorda
Roland Shoemaker

Submit Requirements:

Code-Review
No-Unresolved-Comments

Review-Enforcement
TryBots-Pass

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Roland Shoemaker (Gerrit)

unread,

2:23 PM (14 minutes ago) 2:23 PM

to goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Michael Knyszek, Go LUCI, Coia Prant, Daniel McCarney, Filippo Valsorda, golang-co...@googlegroups.com

Roland Shoemaker submitted the change with unreviewed changes

Unreviewed changes

4 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:

```
The name of the file: src/crypto/tls/handshake_test.go
Insertions: 71, Deletions: 39.

The diff is too large to show. Please review the diff.
```
```
The name of the file: src/crypto/tls/quic.go
Insertions: 1, Deletions: 1.

The diff is too large to show. Please review the diff.
```
```
The name of the file: src/crypto/tls/conn.go
Insertions: 1, Deletions: 1.

The diff is too large to show. Please review the diff.
```

Change information

Commit message:

crypto/tls: reject trailing messages after client/server hello

For TLS 1.3, after procesesing the server/client hello, if there isn't a
CCS message, reject the trailing messages which were appended to the
hello messages. This prevents an on-path attacker from injecting
plaintext messages into the handshake.

Additionally, check that we don't have any buffered messages before we
switch the read traffic secret regardless, since any buffered messages
would have been under an old key which is no longer appropriate.

We also invert the ordering of setting the read/write secrets so that if
we fail when changing the read secret we send the alert using the
correct write secret.

Fixes #76443
Fixes CVE-2025-61730

Change-Id: If6ba8ad16f48d5cd5db5574824062ad4244a5b52

Reviewed-on: https://go-review.googlesource.com/c/go/+/724120

LUCI-TryBot-Result: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>

Reviewed-by: Michael Knyszek <mkny...@google.com>

Reviewed-by: Daniel McCarney <dan...@binaryparadox.net>

Reviewed-by: Coia Prant <coia...@gmail.com>

Files:

M src/crypto/tls/conn.go
M src/crypto/tls/handshake_client_tls13.go
M src/crypto/tls/handshake_server_tls13.go
M src/crypto/tls/handshake_test.go
M src/crypto/tls/quic.go

Change size: M

Delta: 5 files changed, 218 insertions(+), 31 deletions(-)

Branch: refs/heads/master

Submit Requirements:

Code-Review: +2 by Daniel McCarney, +1 by Coia Prant, +1 by Michael Knyszek
TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Reply all

Reply to author

Forward

[go] crypto/tls: reject trailing messages after client/server hello

Roland Shoemaker (Gerrit)

Roland Shoemaker has uploaded the change for review

Commit message

Change diff

Change information

Related details

Roland Shoemaker (Gerrit)

Roland Shoemaker voted Commit-Queue+1

Related details

Roland Shoemaker (Gerrit)

Roland Shoemaker uploaded new patchset

Related details

Roland Shoemaker (Gerrit)

Roland Shoemaker uploaded new patchset

Related details

Roland Shoemaker (Gerrit)

Roland Shoemaker voted Commit-Queue+1

Related details

Coia Prant (Gerrit)

Coia Prant added 1 comment

Related details

Coia Prant (Gerrit)

Coia Prant added 1 comment

Roland Shoemaker (Gerrit)

Roland Shoemaker added 1 comment

Related details

Coia Prant (Gerrit)

Coia Prant added 1 comment

Related details

Coia Prant (Gerrit)

Coia Prant added 1 comment

Filippo Valsorda (Gerrit)

Filippo Valsorda added 7 comments

Related details

Coia Prant (Gerrit)

Coia Prant added 1 comment

Related details

Coia Prant (Gerrit)

Related details

Coia Prant (Gerrit)

Coia Prant added 2 comments

Related details

Coia Prant (Gerrit)

Coia Prant added 1 comment

Related details

Coia Prant (Gerrit)

Coia Prant added 1 comment

Related details

Coia Prant (Gerrit)

Coia Prant added 1 comment

Related details

Coia Prant (Gerrit)

Coia Prant added 1 comment

Related details

Roland Shoemaker (Gerrit)

Roland Shoemaker uploaded new patchset

Related details

Roland Shoemaker (Gerrit)

Roland Shoemaker added 9 comments

Related details

Roland Shoemaker (Gerrit)

Roland Shoemaker voted Commit-Queue+1

Coia Prant (Gerrit)

Coia Prant added 2 comments

Related details

Roland Shoemaker (Gerrit)

Roland Shoemaker voted and added 1 comment

Votes added by Roland Shoemaker

1 comment

Related details

Daniel McCarney (Gerrit)

Daniel McCarney voted and added 9 comments

Votes added by Daniel McCarney

9 comments

Related details

Roland Shoemaker (Gerrit)

Roland Shoemaker uploaded new patchset

Related details

Roland Shoemaker (Gerrit)