Skip to content

crypto/tls: client requires HelloRetryRequest to change curve #30149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sergeyfrolov opened this issue Feb 10, 2019 · 1 comment
Closed

crypto/tls: client requires HelloRetryRequest to change curve #30149

sergeyfrolov opened this issue Feb 10, 2019 · 1 comment
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.15

Comments

@sergeyfrolov
Copy link
Contributor

What version of Go are you using (go version)?

master @ ca7c12d

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/user/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/user/go"
GOPROXY=""
GORACE=""
GOROOT="/home/user/opt/go"
GOTMPDIR=""
GOTOOLDIR="/home/user/opt/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build262703332=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Read the source code.

What did you expect to see?

HelloRetryRequest may be sent to the client for a range of reasons, for example, to set TLS 1.3 "Cookie" extension and "demonstrate reachability at their apparent network address (thus providing a measure of DoS protection)". Client is expected to handle this case correctly.

What did you see instead?

Client has following checks:

	curveID := hs.serverHello.selectedGroup
	if curveID == 0 {
		c.sendAlert(alertMissingExtension)
		return errors.New("tls: received HelloRetryRequest without selected group")
	}

and

	if hs.ecdheParams.CurveID() == curveID {
		c.sendAlert(alertIllegalParameter)
		return errors.New("tls: server sent an unnecessary HelloRetryRequest message")
	}

which essentially require HelloRetryRequest to switch curve ID. However, as mentioned above, there are other use-cases for that complicated HelloRetryRequest.

Cookie seems to be correctly added to the follow-up ClientHello, if curve changes as well.

I am not aware of any servers on the internet that actually send HelloRetryRequest for any reason other than to switch curve in Key Share (are there any such servers?), so not sure if there's any real-world impact.
@FiloSottile FiloSottile self-assigned this Feb 11, 2019
@FiloSottile FiloSottile added the NeedsFix The path to resolution is known, but the work has not been done. label Feb 11, 2019
@FiloSottile FiloSottile added this to the Go1.13 milestone Feb 11, 2019
@andybons andybons modified the milestones: Go1.13, Go1.14 Jul 8, 2019
@rsc rsc modified the milestones: Go1.14, Backlog Oct 9, 2019
@FiloSottile FiloSottile modified the milestones: Backlog, Go1.15 Nov 22, 2019
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/231039 mentions this issue: crypto/tls: accept HelloRetryRequest messages with only a cookie

xujianhai666 pushed a commit to xujianhai666/go-1 that referenced this issue May 21, 2020
@FiloSottile @xujianhai666
crypto/tls: accept HelloRetryRequest messages with only a cookie
eb29559 
Clients have to reject any HelloRetryRequest message that doesn't lead
to a change in the ClientHello. Instead, we were rejecting any HRR that
didn't select an alternative group, even if it sent a cookie, which
would change the CH.

The good news is that I know of no TLS servers that use or need HRRs
exclusively for cookies (which are mostly useful in DTLS as a way to
verify the source address). The bad news is that we poisoned the
ecosystem as Go 1.12 to 1.14 will reject such HRRs. Oops, hopefully no
one needed this.

No tests because neither Go nor s_server support cookies. This would
presumably get covered once we integrate BoGo.

Fixes golang#30149

Change-Id: I760fb1ded81148ac3096cf201cbc1e941374b83d
Reviewed-on: https://go-review.googlesource.com/c/go/+/231039
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
@golang golang locked and limited conversation to collaborators May 6, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Go1.15
Development

No branches or pull requests
5 participants
@rsc @andybons @FiloSottile @sergeyfrolov @gopherbot