| 1 | +From 5f56167b5c866aa8f9fd19cca43621776c99c98e Mon Sep 17 00:00:00 2001 |
| 2 | +From: AllSpark <allspark@microsoft.com> |
| 3 | +Date: Mon, 27 Oct 2025 09:31:02 +0000 |
| 4 | +Subject: [PATCH] vendor/quic-go: drop initial packets when the handshake is |
| 5 | + confirmed |
| 6 | + |
| 7 | +Drop Initial keys at handshake confirmation. On the client side, this should have happened when sending the first Handshake packet, but this is not guaranteed if the server misbehaves. See CVE-2025-59530 for more details. |
| 8 | + |
| 9 | +Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> |
| 10 | +Upstream-reference: AI Backport of https://github.com/quic-go/quic-go/pull/5354.patch |
| 11 | +--- |
| 12 | + vendor/github.com/quic-go/quic-go/connection.go | 7 +++++++ |
| 13 | + 1 file changed, 7 insertions(+) |
| 14 | + |
| 15 | +diff --git a/vendor/github.com/quic-go/quic-go/connection.go b/vendor/github.com/quic-go/quic-go/connection.go |
| 16 | +index abae204..4e95dad 100644 |
| 17 | +--- a/vendor/github.com/quic-go/quic-go/connection.go |
| 18 | ++++ b/vendor/github.com/quic-go/quic-go/connection.go |
| 19 | +@@ -761,6 +761,13 @@ func (s *connection) handleHandshakeComplete() error { |
| 20 | + } |
| 21 | + |
| 22 | + func (s *connection) handleHandshakeConfirmed() error { |
| 23 | ++ // Drop initial keys. |
| 24 | ++ // On the client side, this should have happened when sending the first Handshake packet, |
| 25 | ++ // but this is not guaranteed if the server misbehaves. |
| 26 | ++ // See CVE-2025-59530 for more details. |
| 27 | ++ if err := s.dropEncryptionLevel(protocol.EncryptionInitial); err != nil { |
| 28 | ++ return err |
| 29 | ++ } |
| 30 | + if err := s.dropEncryptionLevel(protocol.EncryptionHandshake); err != nil { |
| 31 | + return err |
| 32 | + } |
| 33 | +-- |
| 34 | +2.45.4 |
| 35 | + |
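Review bot: The new `s.dropEncryptionLevel(protocol.EncryptionInitial)` call at the top of `handleHandshakeConfirmed` will, on the client, normally run after the Initial level has already been dropped — the added comment itself says that happens when the first Handshake packet is sent — and nothing in the hunk shows that `dropEncryptionLevel` or the sent/received packet handlers it delegates to tolerate a second drop of the same packet-number space. If they do not, the call needs an idempotence guard (a flag set on the first Initial drop, checked before this call), otherwise the common client path could now hit an already-cleared space. Since the description marks this as an AI backport of the upstream pull request, compare the backported lines with that PR to confirm whether upstream wraps the call in such a guard and whether this vendored version's `dropEncryptionLevel` already behaves idempotently. The remainder of `handleHandshakeConfirmed` lies outside the hunk.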