
UPSTREAM PR #30892: Reject empty TLS 1.3 HRR cookie #672

Open

loci-dev wants to merge 1 commit into main from loci/pr-30892-fix-empty-hrr-cookie

Conversation

@loci-dev

Note

Source pull request: openssl/openssl#30892

Reject empty TLS 1.3 HelloRetryRequest Cookie extensions.

RFC 8446 defines the TLS 1.3 Cookie extension data as a Cookie structure containing opaque cookie<1..2^16-1>, so a zero-length cookie vector is an out-of-range length and must be rejected with a fatal decode_error.

The client-side HRR cookie parser accepted an empty cookie because PACKET_memdup() succeeds for empty packets, leaving tls13_cookie_len set to 0. The client could then continue after the malformed HRR and fail later with a misleading record-layer error.

Add an explicit empty-cookie check in tls_parse_stoc_cookie() before storing the parsed cookie, matching the handling used by nearby TLS 1.3 extension parsers.

Also extend 70-test_tls13cookie.t with a regression test that rewrites the HRR Cookie extension to an empty vector and verifies that the client rejects it with a fatal decode_error.

Fixes #30868

Testing:

HARNESS_JOBS=1 make test TESTS=test_tls13cookie

RFC 8446 defines the Cookie extension as containing a non-empty cookie vector. The client-side HRR parser accepted a zero-length cookie because PACKET_memdup() treats an empty packet as success, which deferred failure until later in the handshake.

Reject an empty cookie during HRR parsing with decode_error and add a regression test.

Fixes #30868
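As an added illustration of the bound the PR enforces (this is not OpenSSL's code and does not use its PACKET API): a stand-alone parser for the body of a TLS 1.3 Cookie extension that rejects a zero-length vector with decode_error instead of storing an empty cookie. The function names, result codes and sample byte strings are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for this hypothetical parser (not OpenSSL's). */
enum cookie_parse_result {
    COOKIE_OK = 0,
    COOKIE_DECODE_ERROR = 50   /* TLS alert decode_error(50), RFC 8446 section 6.2 */
};

/*
 * Parse the body of a TLS 1.3 Cookie extension (RFC 8446 section 4.2.2):
 *     struct { opaque cookie<1..2^16-1>; } Cookie;
 * The vector carries a 2-byte big-endian length prefix. Because the lower
 * bound is 1, a zero-length cookie is out of range and must be rejected as
 * decode_error rather than accepted as a valid (empty) cookie, which is the
 * case the PR description says the client parser previously let through.
 * On success *cookie and *cookie_len point into ext.
 */
int parse_tls13_cookie_ext(const uint8_t *ext, size_t ext_len,
                           const uint8_t **cookie, size_t *cookie_len)
{
    size_t len;

    if (ext_len < 2)                     /* length prefix is missing */
        return COOKIE_DECODE_ERROR;
    len = ((size_t)ext[0] << 8) | ext[1];
    if (len == 0)                        /* the check this PR adds: 1..2^16-1 */
        return COOKIE_DECODE_ERROR;
    if (len != ext_len - 2)              /* truncated or trailing bytes */
        return COOKIE_DECODE_ERROR;
    *cookie = ext + 2;
    *cookie_len = len;
    return COOKIE_OK;
}

/* Constructed sample extension bodies, not captured from a real handshake. */
static const uint8_t good_ext[]  = { 0x00, 0x04, 'a', 'b', 'c', 'd' };
static const uint8_t empty_ext[] = { 0x00, 0x00 };            /* the bug case */
static const uint8_t short_ext[] = { 0x00, 0x05, 'a', 'b' };  /* truncated body */

/* Returns the cookie length on success or -COOKIE_DECODE_ERROR on failure,
 * so each sample case can be checked with a single call. */
int cookie_len_or_error(const uint8_t *ext, size_t ext_len)
{
    const uint8_t *c = NULL;
    size_t n = 0;
    int r = parse_tls13_cookie_ext(ext, ext_len, &c, &n);
    return r == COOKIE_OK ? (int)n : -r;
}
```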
@loci-review

loci-review Bot commented Apr 18, 2026

Overview

Analysis of 20,082 functions across 3 binaries reveals minimal performance impact: 1 modified, 0 new, 0 removed, 20,081 unchanged functions.

Power consumption changes:

  • libssl.so: +0.007% (+4.24 nJ)
  • libcrypto.so: -0.0% (noise)
  • openssl: 0.0% (no change)

Function Analysis

tls_parse_stoc_cookie (libssl.so)

  • Response time: 982.5ns → 1005.3ns (+22.8ns, +2.3%)
  • Throughput time: 127.6ns → 150.4ns (+17.8ns, +13.9%)

Source code change: Commit f69f29c adds single-line validation || PACKET_remaining(&cookie) == 0 to reject empty TLS 1.3 HelloRetryRequest cookies, enforcing RFC 8446 compliance and preventing protocol abuse. The 17.8ns increase results from the added validation check and control flow reorganization. This function executes only during HelloRetryRequest scenarios (rare, <1% of connections), making the absolute impact negligible (<0.002% of typical 1-5ms handshake time). The security benefit justifies the microsecond-level performance cost.

💬 Questions? Tag @loci-dev

loci-dev force-pushed the main branch 5 times, most recently from 421b135 to 770bf14 on April 28, 2026 03:44
