diff options
| author | Daniel McCarney <daniel@binaryparadox.net> | 2025-04-29 15:10:10 -0400 |
|---|---|---|
| committer | Daniel McCarney <daniel@binaryparadox.net> | 2025-05-09 13:38:31 -0700 |
| commit | 992d1547178fe0d18c2827e34d62fbc545ace64c (patch) | |
| tree | 2db54552aea9b83e90f78e88acb70f72294c0323 /src/crypto | |
| parent | d382f1467960d67a6b5eb25447f689a0ccac371e (diff) | |
| download | go-992d1547178fe0d18c2827e34d62fbc545ace64c.tar.xz | |
crypto/tls: update TLS 1.3 client compression validation
Unlike in earlier TLS versions, in TLS 1.3 when processing a server
hello the legacy_compression_method MUST have the value 0. It is no
longer a parameter that offers a choice of compression method.
With this in mind, it seems more appropriate to return a decode error
when we encounter a non-zero compression method in a server hello
message. We haven't found a parameter value we reject, we've found
a message that doesn't decode according to its specification.
Making this change also aligns with BoringSSL and allows enabling the
TLS13-HRR-InvalidCompressionMethod bogo test.
Updates #72006
Change-Id: I27a2cd231e4b8762b0d9e2dbd3d8ddd5b87fd5c4
Reviewed-on: https://go-review.googlesource.com/c/go/+/669156
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Diffstat (limited to 'src/crypto')
| -rw-r--r-- | src/crypto/tls/bogo_config.json | 1 | ||||
| -rw-r--r-- | src/crypto/tls/handshake_client_tls13.go | 4 |
2 files changed, 2 insertions, 3 deletions
diff --git a/src/crypto/tls/bogo_config.json b/src/crypto/tls/bogo_config.json index 7184f56b05..81601d22c0 100644 --- a/src/crypto/tls/bogo_config.json +++ b/src/crypto/tls/bogo_config.json @@ -64,7 +64,6 @@ "SupportTicketsWithSessionID": "TODO: first pass, this should be fixed", "NoNullCompression-TLS12": "TODO: first pass, this should be fixed", "KeyUpdate-RequestACK": "TODO: first pass, this should be fixed", - "TLS13-HRR-InvalidCompressionMethod": "TODO: first pass, this should be fixed", "TLS-TLS12-RSA_WITH_AES_128_GCM_SHA256-LargeRecord": "TODO: first pass, this should be fixed", "TLS-TLS1-RSA_WITH_AES_128_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed", "TLS-TLS11-RSA_WITH_AES_128_CBC_SHA-LargeRecord": "TODO: first pass, this should be fixed", diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go index 66dc76f72d..444c6f311c 100644 --- a/src/crypto/tls/handshake_client_tls13.go +++ b/src/crypto/tls/handshake_client_tls13.go @@ -197,8 +197,8 @@ func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error { } if hs.serverHello.compressionMethod != compressionNone { - c.sendAlert(alertIllegalParameter) - return errors.New("tls: server selected unsupported compression format") + c.sendAlert(alertDecodeError) + return errors.New("tls: server sent non-zero legacy TLS compression method") } selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite) |