crypto/tls: reject duplicate TLS 1.3 EncryptedExtensions

When a TLS 1.3 client processes the server's encryptedExtensionsMsg it should reject instances that contain duplicate extension types. RFC 8446 §4.2 says: There MUST NOT be more than one extension of the same type in a given extension block. This update matches enforcement done in the client hello unmarshalling, but applied to the TLS 1.3 encrypted extensions message unmarshalling. Making this change also allows enabling the DuplicateExtensionClient-TLS-TLS13 BoGo test. Updates #72006 Change-Id: I27a2cd231e4b8762b0d9e2dbd3d8ddd5b87fd5d2 Reviewed-on: https://go-review.googlesource.com/c/go/+/673757 Reviewed-by: David Chase <drchase@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
2025-08-22 14:38:35 +00:00 · 2025-05-25 16:04:50 -04:00 · 2025-05-25 16:04:50 -04:00 · 93949685ac
commit 93949685ac
parent 7514c91fe9
1 changed files with 6 additions and 0 deletions
--- a/handshake_messages.go
+++ b/handshake_messages.go
@ -1056,6 +1056,7 @@ func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
 		return false
 	}

+	seenExts := make(map[uint16]bool)
 	for !extensions.Empty() {
 		var extension uint16
 		var extData cryptobyte.String
@ -1064,6 +1065,11 @@ func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
 			return false
 		}

+		if seenExts[extension] {
+			return false
+		}
+		seenExts[extension] = true
+
 		switch extension {
 		case extensionALPN:
 			var protoList cryptobyte.String