Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/tls: randomly generate ticket_age_add [1.18 backport] #52833

Closed
gopherbot opened this issue May 10, 2022 · 3 comments
Closed

crypto/tls: randomly generate ticket_age_add [1.18 backport] #52833

gopherbot opened this issue May 10, 2022 · 3 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Milestone
Go1.18.3

Comments

@gopherbot
Copy link

@rolandshoemaker requested issue #52814 to be considered for backport to the next 1.18 minor release.

We will work to get a CL in this week. Backporting seems reasonable given how small the fix is.

@gopherbot Please open backport issues for Go 1.17 and Go 1.18, this is a privacy issue.
@gopherbot gopherbot added the CherryPickCandidate Used during the release process for point releases label May 10, 2022
@gopherbot gopherbot mentioned this issue May 10, 2022
Closed
@gopherbot gopherbot added this to the Go1.18.3 milestone May 10, 2022
@dmitshur dmitshur changed the title crypto/tls: randomly generate ticket_age_add [freeze exception] [1.18 backport] crypto/tls: randomly generate ticket_age_add [1.18 backport] May 17, 2022
@toothrot toothrot added the CherryPickApproved Used during the release process for point releases label May 25, 2022
@gopherbot gopherbot removed the CherryPickCandidate Used during the release process for point releases label May 25, 2022
@toothrot
Copy link
Contributor

Approved. This is a serious issue with no workaround.

@gopherbot
Copy link
Author

Change https://go.dev/cl/408575 mentions this issue: [release-branch.go1.18 crypto/tls: randomly generate ticket_age_add

@gopherbot
Copy link
Author

Closed by merging c838098 to release-branch.go1.18.

gopherbot pushed a commit that referenced this issue May 27, 2022
@toothrot
[release-branch.go1.18 crypto/tls: randomly generate ticket_age_add
c838098 
As required by RFC 8446, section 4.6.1, ticket_age_add now holds a
random 32-bit value. Before this change, this value was always set
to 0.

This change also documents the reasoning for always setting
ticket_nonce to 0. The value ticket_nonce must be unique per
connection, but we only ever send one ticket per connection.

Updates #52814
Fixes #52833
Fixes CVE-2022-30629

Change-Id: I6c2fc6ca0376b7b968abd59d6d3d3854c1ab68bb
Reviewed-on: https://go-review.googlesource.com/c/go/+/405994
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit fe4de36)
Reviewed-on: https://go-review.googlesource.com/c/go/+/408575
Run-TryBot: Roland Shoemaker <roland@golang.org>
@golang golang locked and limited conversation to collaborators May 27, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge Security
Projects
None yet
Milestone
Go1.18.3
Development

No branches or pull requests
3 participants
@toothrot @dmitshur @gopherbot