From eef41364b342b01b53f4f3c728ba1dc5fed22bee Mon Sep 17 00:00:00 2001 From: yuhan6665 <1588741+yuhan6665@users.noreply.github.com> Date: Sat, 10 May 2025 23:41:59 -0400 Subject: [PATCH] crypto/tls: update TLS 1.3 client compression validation Unlike in earlier TLS versions, in TLS 1.3 when processing a server hello the legacy_compression_method MUST have the value 0. It is no longer a parameter that offers a choice of compression method. With this in mind, it seems more appropriate to return a decode error when we encounter a non-zero compression method in a server hello message. We haven't found a parameter value we reject, we've found a message that doesn't decode according to its specification. Making this change also aligns with BoringSSL and allows enabling the TLS13-HRR-InvalidCompressionMethod bogo test. Updates #72006 Change-Id: I27a2cd231e4b8762b0d9e2dbd3d8ddd5b87fd5c4 Reviewed-on: https://go-review.googlesource.com/c/go/+/669156 Reviewed-by: Roland Shoemaker LUCI-TryBot-Result: Go LUCI Reviewed-by: Cherry Mui --- handshake_client_tls13.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/handshake_client_tls13.go b/handshake_client_tls13.go index f2f88b5..df14c3e 100644 --- a/handshake_client_tls13.go +++ b/handshake_client_tls13.go @@ -197,8 +197,8 @@ func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error { } if hs.serverHello.compressionMethod != compressionNone { - c.sendAlert(alertIllegalParameter) - return errors.New("tls: server selected unsupported compression format") + c.sendAlert(alertDecodeError) + return errors.New("tls: server sent non-zero legacy TLS compression method") } selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite)