git.feebdaed.xyz Git - 0xmirror/go.git/commit
crypto/tls: reject trailing messages after client/server hello
author Roland Shoemaker <roland@golang.org>
Mon, 24 Nov 2025 22:03:10 +0000 (14:03 -0800)
committer Roland Shoemaker <roland@golang.org>
Tue, 16 Dec 2025 19:23:02 +0000 (11:23 -0800)
commit 5046bdf8a612b35a2c1a9e168054c1d5c65e7dd7
tree da756b9a7a1ba33ee86dcbda52f89c1e53c80662
parent 3f6eabdf09cd660c7881b75c5dfaef09609ba7e6
crypto/tls: reject trailing messages after client/server hello

For TLS 1.3, after processing the server/client hello, if there isn't a
CCS message, reject the trailing messages which were appended to the
hello messages. This prevents an on-path attacker from injecting
plaintext messages into the handshake.

Additionally, check that we don't have any buffered messages before we
switch the read traffic secret regardless, since any buffered messages
would have been under an old key which is no longer appropriate.

We also invert the ordering of setting the read/write secrets so that if
we fail when changing the read secret we send the alert using the
correct write secret.

Fixes #76443
Fixes CVE-2025-61730

Change-Id: If6ba8ad16f48d5cd5db5574824062ad4244a5b52
Reviewed-on: https://go-review.googlesource.com/c/go/+/724120
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Coia Prant <coiaprant@gmail.com>
src/crypto/tls/conn.go
src/crypto/tls/handshake_client_tls13.go
src/crypto/tls/handshake_server_tls13.go
src/crypto/tls/handshake_test.go
src/crypto/tls/quic.go
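The second paragraph of the commit message (refuse to switch the read traffic secret while handshake bytes are still buffered) is the generic check worth understanding, because it catches the injected-plaintext case whether or not a CCS record is present. The toy model below is an added example, not code from the Go project or from this commit: it keeps a `hand` buffer like crypto/tls does, but uses string labels instead of real traffic keys and never touches the record layer, so the names `conn`, `processServerHello`, `setReadSecret`, `setReadSecretUnchecked` and `errTrailingPlaintext` are all assumptions of the model. The "record" fed in is constructed: a legitimate ServerHello with an attacker's plaintext EncryptedExtensions appended in the same record. The pre-fix path parses the trailing message as though it had arrived under the new key; the post-fix path fails the key switch instead.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// TLS 1.3 handshake message types (RFC 8446, section 4).
const (
	typeServerHello         byte = 2
	typeEncryptedExtensions byte = 8
)

// errTrailingPlaintext stands in for the alert the fix raises when handshake
// bytes are still buffered at the moment the read key changes (model only).
var errTrailingPlaintext = errors.New("tls: handshake data buffered across read key change")

// encodeMsg frames a handshake message: 1-byte type, 3-byte length, body.
func encodeMsg(typ byte, body []byte) []byte {
	out := make([]byte, 4+len(body))
	out[0] = typ
	out[1] = byte(len(body) >> 16)
	out[2] = byte(len(body) >> 8)
	out[3] = byte(len(body))
	copy(out[4:], body)
	return out
}

// conn is a toy model of the handshake read side (not crypto/tls's Conn):
// hand holds handshake bytes already taken out of a record but not yet parsed,
// and readKey names the key the next record would be decrypted under.
type conn struct {
	hand    bytes.Buffer
	readKey string
}

// readHandshake parses one message out of the buffer; the real implementation
// would refill the buffer from the record layer, this model does not.
func (c *conn) readHandshake() (typ byte, body []byte, err error) {
	if c.hand.Len() < 4 {
		return 0, nil, errors.New("tls: truncated handshake header")
	}
	hdr := c.hand.Bytes()[:4]
	n := int(hdr[1])<<16 | int(hdr[2])<<8 | int(hdr[3])
	if c.hand.Len() < 4+n {
		return 0, nil, errors.New("tls: truncated handshake message")
	}
	msg := make([]byte, 4+n)
	c.hand.Read(msg)
	return msg[0], msg[4:], nil
}

// setReadSecretUnchecked models the pre-fix behaviour: the key changes, but
// bytes still buffered from the plaintext record survive the switch and are
// later parsed as if they had been protected by the new key.
func (c *conn) setReadSecretUnchecked(key string) error {
	c.readKey = key
	return nil
}

// setReadSecret models the fix: anything still buffered was read under the old
// key and is not authenticated by the new one, so the switch is refused.
func (c *conn) setReadSecret(key string) error {
	if c.hand.Len() > 0 {
		return errTrailingPlaintext
	}
	c.readKey = key
	return nil
}

// processServerHello plays the client just after ServerHello: parse it, switch
// to the server handshake traffic key, then report the type of any message
// still buffered from the plaintext record (0 if none, meaning the next
// message would have to come from a record decrypted under the new key).
func processServerHello(record []byte, strict bool) (trailing byte, key string, err error) {
	c := &conn{readKey: "plaintext"}
	c.hand.Write(record)
	typ, _, err := c.readHandshake()
	if err != nil {
		return 0, c.readKey, err
	}
	if typ != typeServerHello {
		return 0, c.readKey, fmt.Errorf("tls: expected ServerHello, got type %d", typ)
	}
	switchKey := c.setReadSecretUnchecked
	if strict {
		switchKey = c.setReadSecret
	}
	if err := switchKey("server_handshake_traffic_secret"); err != nil {
		return 0, c.readKey, err
	}
	if c.hand.Len() == 0 {
		return 0, c.readKey, nil
	}
	trailing, _, err = c.readHandshake()
	return trailing, c.readKey, err
}

func main() {
	// Constructed input: a genuine ServerHello followed, in the same plaintext
	// record, by an on-path attacker's fake EncryptedExtensions.
	record := append(encodeMsg(typeServerHello, []byte{0x03, 0x03}),
		encodeMsg(typeEncryptedExtensions, []byte{0x00, 0x00})...)
	for _, strict := range []bool{false, true} {
		typ, key, err := processServerHello(record, strict)
		fmt.Printf("strict=%v trailing=%d readKey=%s err=%v\n", strict, typ, key, err)
	}
}
```

The ordering point from the third paragraph of the message also shows up here: `setReadSecret` can fail, so a real implementation must already hold the correct write key when it sends the resulting alert, which is why the commit sets the write secret before the read secret.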