From: Filippo Valsorda Date: Mon, 20 May 2024 09:07:28 +0000 (+0200) Subject: crypto/tls: ensure GODEBUGs are initialized X-Git-Tag: go1.23rc1~225 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=1d3d7d395e6081c0cdc437c56c4c0318b70fb685;p=gostls13.git crypto/tls: ensure GODEBUGs are initialized IncNonDefault panics if Value was not called. That's too much DoS risk in crypto/tls, when the call to Value is distant from the call to IncNonDefault (see #65991). Value is cheap, though, so we can just call it before each isolated IncNonDefault. Change-Id: I6dbed345381e60e029b0a5ef2232e846aa089736 Reviewed-on: https://go-review.googlesource.com/c/go/+/586755 Reviewed-by: Roland Shoemaker Reviewed-by: Dmitri Shuralyov Auto-Submit: Filippo Valsorda LUCI-TryBot-Result: Go LUCI --- diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go index d046c86679..cc3efe1a79 100644 --- a/src/crypto/tls/handshake_client.go +++ b/src/crypto/tls/handshake_client.go @@ -527,6 +527,7 @@ func (hs *clientHandshakeState) pickCipherSuite() error { } if hs.c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] { + tlsrsakex.Value() // ensure godebug is initialized tlsrsakex.IncNonDefault() } diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go index d5f8cc843e..f5d3c5b98a 100644 --- a/src/crypto/tls/handshake_server.go +++ b/src/crypto/tls/handshake_server.go @@ -169,6 +169,7 @@ func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) { c.out.version = c.vers if c.config.MinVersion == 0 && c.vers < VersionTLS12 { + tls10server.Value() // ensure godebug is initialized tls10server.IncNonDefault() } @@ -371,6 +372,7 @@ func (hs *serverHandshakeState) pickCipherSuite() error { c.cipherSuite = hs.suite.id if c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] { + tlsrsakex.Value() // ensure godebug is initialized tlsrsakex.IncNonDefault() }