crypto/tls: allow 256KiB certificate messages

During handshake, lift the message length limit, but only for certificate messages. Fixes #50773 Change-Id: Ida9d83f4219c4386ca71ed3ef72b22259665a187 Reviewed-on: https://go-review.googlesource.com/c/go/+/585402 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Auto-Submit: Roland Shoemaker <roland@golang.org> Reviewed-by: Damien Neil <dneil@google.com>
2025-04-03 20:17:36 +03:00 · 2024-05-15 10:51:44 -07:00 · 2024-05-15 10:51:44 -07:00 · c96cbeb1bf
commit c96cbeb1bf
parent 5bf846b35c
3 changed files with 77 additions and 8 deletions
--- a/tls_test.go
+++ b/tls_test.go
@ -13,6 +13,7 @@ import (
 	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/asn1"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
@ -2002,3 +2003,58 @@ func TestX509KeyPairPopulateCertificate(t *testing.T) {
 		}
 	})
 }
+
+func TestEarlyLargeCertMsg(t *testing.T) {
+	client, server := localPipe(t)
+
+	go func() {
+		if _, err := client.Write([]byte{byte(recordTypeHandshake), 3, 4, 0, 4, typeCertificate, 1, 255, 255}); err != nil {
+			t.Log(err)
+		}
+	}()
+
+	expectedErr := "tls: handshake message of length 131071 bytes exceeds maximum of 65536 bytes"
+	servConn := Server(server, testConfig)
+	err := servConn.Handshake()
+	if err == nil {
+		t.Fatal("unexpected success")
+	}
+	if err.Error() != expectedErr {
+		t.Fatalf("unexpected error: got %q, want %q", err, expectedErr)
+	}
+}
+
+func TestLargeCertMsg(t *testing.T) {
+	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{CommonName: "test"},
+		ExtraExtensions: []pkix.Extension{
+			{
+				Id: asn1.ObjectIdentifier{1, 2, 3},
+				// Ballast to inflate the certificate beyond the
+				// regular handshake record size.
+				Value: make([]byte, 65536),
+			},
+		},
+	}
+	cert, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, k.Public(), k)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	clientConfig, serverConfig := testConfig.Clone(), testConfig.Clone()
+	clientConfig.InsecureSkipVerify = true
+	serverConfig.Certificates = []Certificate{
+		{
+			Certificate: [][]byte{cert},
+			PrivateKey:  k,
+		},
+	}
+	if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil {
+		t.Fatalf("unexpected failure :%s", err)
+	}
+}