diff options
author | Tatiana Bradley <tatiana@golang.org> | 2022-05-12 14:58:29 -0400 |
---|---|---|
committer | Alex Rakoczy <alex@golang.org> | 2022-05-27 14:58:10 +0000 |
commit | c15a8e2dbb5ac376a6ed890735341b812d6b965c (patch) | |
tree | 5739f8d68f487d47b156d70ce324c38421ca275e | |
parent | 590b53fac9ebdb259b32e82805dec1cc96987930 (diff) | |
download | go-c15a8e2dbb5ac376a6ed890735341b812d6b965c.tar.gz go-c15a8e2dbb5ac376a6ed890735341b812d6b965c.zip |
[release-branch.go1.17] crypto/tls: randomly generate ticket_age_add
As required by RFC 8446, section 4.6.1, ticket_age_add now holds a
random 32-bit value. Before this change, this value was always set
to 0.
This change also documents the reasoning for always setting
ticket_nonce to 0. The value ticket_nonce must be unique per
connection, but we only ever send one ticket per connection.
Updates #52814
Fixes #52832
Fixes CVE-2022-30629
Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb
Reviewed-on: https://go-review.googlesource.com/c/go/+/405994
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit fe4de36198794c447fbd9d7cc2d7199a506c76a5)
Reviewed-on: https://go-review.googlesource.com/c/go/+/408574
Run-TryBot: Roland Shoemaker <roland@golang.org>
-rw-r--r-- | src/crypto/tls/handshake_server_tls13.go | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go index 08251b84de..6aa52698a3 100644 --- a/src/crypto/tls/handshake_server_tls13.go +++ b/src/crypto/tls/handshake_server_tls13.go @@ -10,6 +10,7 @@ import ( "crypto" "crypto/hmac" "crypto/rsa" + "encoding/binary" "errors" "hash" "io" @@ -741,6 +742,19 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error { } m.lifetime = uint32(maxSessionTicketLifetime / time.Second) + // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1 + // The value is not stored anywhere; we never need to check the ticket age + // because 0-RTT is not supported. + ageAdd := make([]byte, 4) + _, err = hs.c.config.rand().Read(ageAdd) + if err != nil { + return err + } + m.ageAdd = binary.LittleEndian.Uint32(ageAdd) + + // ticket_nonce, which must be unique per connection, is always left at + // zero because we only ever send one ticket per connection. + if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil { return err } |