crypto/tls: ensure GODEBUGs are initialized
authorFilippo Valsorda <filippo@golang.org>
Mon, 20 May 2024 09:07:28 +0000 (11:07 +0200)
committerGopher Robot <gobot@golang.org>
Wed, 22 May 2024 14:20:03 +0000 (14:20 +0000)
IncNonDefault panics if Value was not called. That's too much DoS risk
in crypto/tls, when the call to Value is distant from the call to
IncNonDefault (see #65991). Value is cheap, though, so we can just call
it before each isolated IncNonDefault.

Change-Id: I6dbed345381e60e029b0a5ef2232e846aa089736
Reviewed-on: https://go-review.googlesource.com/c/go/+/586755
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

src/crypto/tls/handshake_client.go
src/crypto/tls/handshake_server.go

index d046c86679ea51244cc8b86a63dc4f33517429c4..cc3efe1a79df4a506eb31a465daa1e756de4921b 100644 (file)
@@ -527,6 +527,7 @@ func (hs *clientHandshakeState) pickCipherSuite() error {
        }
 
        if hs.c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] {
+               tlsrsakex.Value() // ensure godebug is initialized
                tlsrsakex.IncNonDefault()
        }
 
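Review bot: The comment on the added `tlsrsakex.Value()` line in the client-side pickCipherSuite says what the call does but not why it must stay. Its result is discarded, so it reads as removable in a later cleanup, yet per the commit message IncNonDefault panics without it, and this branch runs during a handshake. A fuller comment would protect it, for example `// Value must run before IncNonDefault, which panics otherwise (#65991); result intentionally unused.` The same applies to the `tls10server.Value()` line in readClientHello and the `tlsrsakex.Value()` line in the server-side pickCipherSuite. All three functions begin and end outside their hunks.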
index d5f8cc843ed6dadfd5d2d52e2f3533cc22593181..f5d3c5b98af69272b12f701bee7c267e92d18435 100644 (file)
@@ -169,6 +169,7 @@ func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) {
        c.out.version = c.vers
 
        if c.config.MinVersion == 0 && c.vers < VersionTLS12 {
+               tls10server.Value() // ensure godebug is initialized
                tls10server.IncNonDefault()
        }
 
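Review bot: The change list names only the two handshake source files, so no test pins the Value-before-IncNonDefault ordering that this line in readClientHello establishes; the same holds for both pickCipherSuite call sites. A regression test could complete a handshake below TLS 1.2 with `MinVersion` left at zero, and another could negotiate an RSA key-exchange suite with `CipherSuites` nil, so that each guarded branch is exercised. The setting's initialization is presumably per-process state, in which case such a test only proves something when no earlier test in the same process has already called Value; this should be confirmed against internal/godebug.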
@@ -371,6 +372,7 @@ func (hs *serverHandshakeState) pickCipherSuite() error {
        c.cipherSuite = hs.suite.id
 
        if c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] {
+               tlsrsakex.Value() // ensure godebug is initialized
                tlsrsakex.IncNonDefault()
        }