go 1.22.12: Fix CVE-2025-61730

Upstream Repository: https://github.com/golang/go.git Bug details: https://nvd.nist.gov/vuln/detail/CVE-2025-61730 Type: Security Fix CVE: CVE-2025-61730 Score: 4.2 Patch: https://github.com/golang/go/commit/ad2cd043db66 (From OE-Core rev: 71f645d9ebf77d30744780e777955a6c7e28258b) Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Deepak Rathore <deeratho@cisco.com> 2026-02-11 20:58:01 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-02-27 17:45:06 +0000
commit: dde29170e37afe550fecc5da53eebeaa05e3f790 (patch)
tree: a4345b80c00b7d5ac92fbc578f5219a38d9c1b2d /meta
parent: b16633f3c66305be0e4c67363449fd33802a53ba (diff)
download: poky-dde29170e37afe550fecc5da53eebeaa05e3f790.tar.gz
2 files changed, 461 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index ca5016c2f5..e9a1803252 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -31,6 +31,7 @@ SRC_URI += "\
    file://CVE-2025-61724.patch \
    file://CVE-2025-61727.patch \
    file://CVE-2025-61729.patch \
+    file://CVE-2025-61730.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2025-61730.patch b/meta/recipes-devtools/go/go/CVE-2025-61730.patch
new file mode 100644
index 0000000000..b7234e6bf2
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-61730.patch
@@ -0,0 +1,460 @@
+From 2cfa797798cc982973d194eca3be19fb1f092556 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 24 Nov 2025 14:03:10 -0800
+Subject: [PATCH] [release-branch.go1.24] crypto/tls: reject trailing messages
+ after client/server hello
+For TLS 1.3, after procesesing the server/client hello, if there isn't a
+CCS message, reject the trailing messages which were appended to the
+hello messages. This prevents an on-path attacker from injecting
+plaintext messages into the handshake.
+Additionally, check that we don't have any buffered messages before we
+switch the read traffic secret regardless, since any buffered messages
+would have been under an old key which is no longer appropriate.
+We also invert the ordering of setting the read/write secrets so that if
+we fail when changing the read secret we send the alert using the
+correct write secret.
+Updates #76443
+Fixes #76854
+Fixes CVE-2025-61730
+CVE: CVE-2025-61730
+Upstream-Status: Backport [https://github.com/golang/go/commit/ad2cd043db66]
+Backport Changes:
+- In version 1.24, the doHelloRetryRequest function defined in handshake_server_tls13.go
+  returns keyshare and error, but in version 1.22 it only returns error. The backport
+  was adjusted accordingly and These changes were introduced by commit
+  https://github.com/golang/go/commit/d0edd9acc80a in version 1.24.
+- In file src/crypto/tls/handshake_server_tls13.go, Replaced the function call
+  hs.handshakeSecret.ClientHandshakeTrafficSecret(hs.transcript) with
+  hs.suite.deriveSecret(hs.handshakeSecret, clientHandshakeTrafficLabel, hs.transcript).
+  This change is not present in version v1.22 and it was introduced by commit
+  https://github.com/golang/go/commit/743746a3a52d in version 1.24.
+Change-Id: If6ba8ad16f48d5cd5db5574824062ad4244a5b52
+Reviewed-on: https://go-review.googlesource.com/c/go/+/724120
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Michael Knyszek <mknyszek@google.com>
+Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
+Reviewed-by: Coia Prant <coiaprant@gmail.com>
+(cherry picked from commit 5046bdf8a612b35a2c1a9e168054c1d5c65e7dd7)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/731961
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit ad2cd043db66cd36e1f55359638729d2c8ff3d99)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/crypto/tls/conn.go                   |  39 ++++++-
+ src/crypto/tls/handshake_client_tls13.go |  22 ++--
+ src/crypto/tls/handshake_server_tls13.go |  39 ++++---
+ src/crypto/tls/handshake_test.go         | 140 +++++++++++++++++++++++
+ src/crypto/tls/quic.go                   |  11 +-
+ 5 files changed, 219 insertions(+), 32 deletions(-)
+diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go
+index 0e4669866e..08609ce17b 100644
+--- a/src/crypto/tls/conn.go
+++ b/src/crypto/tls/conn.go
+@@ -225,6 +225,9 @@ func (hc *halfConn) changeCipherSpec() error {
+        return nil
+ }
+// setTrafficSecret sets the traffic secret for the given encryption level. setTrafficSecret
+// should not be called directly, but rather through the Conn setWriteTrafficSecret and
+// setReadTrafficSecret wrapper methods.
+ func (hc *halfConn) setTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) {
+        hc.trafficSecret = secret
+        hc.level = level
+@@ -1321,9 +1324,6 @@ func (c *Conn) handleKeyUpdate(keyUpdate *keyUpdateMsg) error {
+                return c.in.setErrorLocked(c.sendAlert(alertInternalError))
+        }
+-       newSecret := cipherSuite.nextTrafficSecret(c.in.trafficSecret)
+-       c.in.setTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret)
+-
+        if keyUpdate.updateRequested {
+                c.out.Lock()
+                defer c.out.Unlock()
+@@ -1341,7 +1341,12 @@ func (c *Conn) handleKeyUpdate(keyUpdate *keyUpdateMsg) error {
+                }
+                newSecret := cipherSuite.nextTrafficSecret(c.out.trafficSecret)
+-               c.out.setTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret)
+               c.setWriteTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret)
+       }
+
+       newSecret := cipherSuite.nextTrafficSecret(c.in.trafficSecret)
+       if err := c.setReadTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret); err != nil {
+               return err
+        }
+        return nil
+@@ -1572,7 +1577,9 @@ func (c *Conn) handshakeContext(ctx context.Context) (ret error) {
+                        // Provide the 1-RTT read secret now that the handshake is complete.
+                        // The QUIC layer MUST NOT decrypt 1-RTT packets prior to completing
+                        // the handshake (RFC 9001, Section 5.7).
+-                       c.quicSetReadSecret(QUICEncryptionLevelApplication, c.cipherSuite, c.in.trafficSecret)
+                       if err := c.quicSetReadSecret(QUICEncryptionLevelApplication, c.cipherSuite, c.in.trafficSecret); err != nil {
+                               return err
+                       }
+                } else {
+                        var a alert
+                        c.out.Lock()
+@@ -1664,3 +1671,25 @@ func (c *Conn) VerifyHostname(host string) error {
+        }
+        return c.peerCertificates[0].VerifyHostname(host)
+ }
+
+// setReadTrafficSecret sets the read traffic secret for the given encryption level. If
+// being called at the same time as setWriteTrafficSecret, the caller must ensure the call
+// to setWriteTrafficSecret happens first so any alerts are sent at the write level.
+func (c *Conn) setReadTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error {
+       // Ensure that there are no buffered handshake messages before changing the
+       // read keys, since that can cause messages to be parsed that were encrypted
+       // using old keys which are no longer appropriate.
+       if c.hand.Len() != 0 {
+               c.sendAlert(alertUnexpectedMessage)
+               return errors.New("tls: handshake buffer not empty before setting read traffic secret")
+       }
+       c.in.setTrafficSecret(suite, level, secret)
+       return nil
+}
+
+// setWriteTrafficSecret sets the write traffic secret for the given encryption level. If
+// being called at the same time as setReadTrafficSecret, the caller must ensure the call
+// to setWriteTrafficSecret happens first so any alerts are sent at the write level.
+func (c *Conn) setWriteTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) {
+       c.out.setTrafficSecret(suite, level, secret)
+}
+diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go
+index 2f59f6888c..68ff92beda 100644
+--- a/src/crypto/tls/handshake_client_tls13.go
+++ b/src/crypto/tls/handshake_client_tls13.go
+@@ -393,17 +393,18 @@ func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
+        clientSecret := hs.suite.deriveSecret(handshakeSecret,
+                clientHandshakeTrafficLabel, hs.transcript)
+-       c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret)
+       c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret)
+        serverSecret := hs.suite.deriveSecret(handshakeSecret,
+                serverHandshakeTrafficLabel, hs.transcript)
+-       c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret)
+       if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret); err != nil {
+               return err
+       }
+        if c.quic != nil {
+-               if c.hand.Len() != 0 {
+-                       c.sendAlert(alertUnexpectedMessage)
+-               }
+                c.quicSetWriteSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret)
+-               c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret)
+               if err := c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret); err != nil {
+                       return err
+               }
+        }
+        err = c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret)
+@@ -606,7 +607,9 @@ func (hs *clientHandshakeStateTLS13) readServerFinished() error {
+                clientApplicationTrafficLabel, hs.transcript)
+        serverSecret := hs.suite.deriveSecret(hs.masterSecret,
+                serverApplicationTrafficLabel, hs.transcript)
+-       c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret)
+       if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret); err != nil {
+               return err
+       }
+        err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret)
+        if err != nil {
+@@ -702,7 +705,7 @@ func (hs *clientHandshakeStateTLS13) sendClientFinished() error {
+                return err
+        }
+-       c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret)
+       c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret)
+        if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil {
+                c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret,
+@@ -710,9 +713,6 @@ func (hs *clientHandshakeStateTLS13) sendClientFinished() error {
+        }
+        if c.quic != nil {
+-               if c.hand.Len() != 0 {
+-                       c.sendAlert(alertUnexpectedMessage)
+-               }
+                c.quicSetWriteSecret(QUICEncryptionLevelApplication, hs.suite.id, hs.trafficSecret)
+        }
+diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
+index 21d798de37..5aa69e9640 100644
+--- a/src/crypto/tls/handshake_server_tls13.go
+++ b/src/crypto/tls/handshake_server_tls13.go
+@@ -380,7 +380,9 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
+                                return err
+                        }
+                        earlyTrafficSecret := hs.suite.deriveSecret(hs.earlySecret, clientEarlyTrafficLabel, transcript)
+-                       c.quicSetReadSecret(QUICEncryptionLevelEarly, hs.suite.id, earlyTrafficSecret)
+                       if err := c.quicSetReadSecret(QUICEncryptionLevelEarly, hs.suite.id, earlyTrafficSecret); err != nil {
+                               return err
+                       }
+                }
+                c.didResume = true
+@@ -477,6 +479,14 @@ func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
+ func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error {
+        c := hs.c
+       // Make sure the client didn't send extra handshake messages alongside
+       // their initial client_hello. If they sent two client_hello messages,
+       // we will consume the second before they respond to the server_hello.
+       if c.hand.Len() != 0 {
+               c.sendAlert(alertUnexpectedMessage)
+               return errors.New("tls: handshake buffer not empty before HelloRetryRequest")
+       }
+
+        // The first ClientHello gets double-hashed into the transcript upon a
+        // HelloRetryRequest. See RFC 8446, Section 4.4.1.
+        if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
+@@ -615,19 +625,20 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
+        hs.handshakeSecret = hs.suite.extract(hs.sharedKey,
+                hs.suite.deriveSecret(earlySecret, "derived", nil))
+-       clientSecret := hs.suite.deriveSecret(hs.handshakeSecret,
+-               clientHandshakeTrafficLabel, hs.transcript)
+-       c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret)
+        serverSecret := hs.suite.deriveSecret(hs.handshakeSecret,
+                serverHandshakeTrafficLabel, hs.transcript)
+-       c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret)
+       c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret)
+       clientSecret := hs.suite.deriveSecret(hs.handshakeSecret,
+               clientHandshakeTrafficLabel, hs.transcript)
+       if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret); err != nil {
+               return err
+       }
+        if c.quic != nil {
+-               if c.hand.Len() != 0 {
+-                       c.sendAlert(alertUnexpectedMessage)
+-               }
+                c.quicSetWriteSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret)
+-               c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret)
+               if err := c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret); err != nil {
+                       return err
+               }
+        }
+        err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.clientHello.random, clientSecret)
+@@ -751,13 +762,9 @@ func (hs *serverHandshakeStateTLS13) sendServerFinished() error {
+                clientApplicationTrafficLabel, hs.transcript)
+        serverSecret := hs.suite.deriveSecret(hs.masterSecret,
+                serverApplicationTrafficLabel, hs.transcript)
+-       c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret)
+       c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret)
+        if c.quic != nil {
+-               if c.hand.Len() != 0 {
+-                       // TODO: Handle this in setTrafficSecret?
+-                       c.sendAlert(alertUnexpectedMessage)
+-               }
+                c.quicSetWriteSecret(QUICEncryptionLevelApplication, hs.suite.id, serverSecret)
+        }
+@@ -992,7 +999,9 @@ func (hs *serverHandshakeStateTLS13) readClientFinished() error {
+                return errors.New("tls: invalid client finished hash")
+        }
+-       c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret)
+       if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret); err != nil {
+               return err
+       }
+        return nil
+ }
+diff --git a/src/crypto/tls/handshake_test.go b/src/crypto/tls/handshake_test.go
+index 27ab19ef31..4991a0e69b 100644
+--- a/src/crypto/tls/handshake_test.go
+++ b/src/crypto/tls/handshake_test.go
+@@ -6,6 +6,7 @@ package tls
+ import (
+        "bufio"
+       "context"
+        "crypto/ed25519"
+        "crypto/x509"
+        "encoding/hex"
+@@ -533,3 +534,142 @@ var clientEd25519KeyPEM = testingKey(`
+ -----BEGIN TESTING KEY-----
+ MC4CAQAwBQYDK2VwBCIEINifzf07d9qx3d44e0FSbV4mC/xQxT644RRbpgNpin7I
+ -----END TESTING KEY-----`)
+
+func TestServerHelloTrailingMessage(t *testing.T) {
+       // In TLS 1.3 the change cipher spec message is optional. If a CCS message
+       // is not sent, after reading the ServerHello, the read traffic secret is
+       // set, and all following messages must be encrypted. If the server sends
+       // additional unencrypted messages in a record with the ServerHello, the
+       // client must either fail or ignore the additional messages.
+
+       c, s := localPipe(t)
+       go func() {
+               ctx := context.Background()
+               srv := Server(s, testConfig)
+               clientHello, _, err := srv.readClientHello(ctx)
+               if err != nil {
+                       testFatal(t, err)
+               }
+
+               hs := serverHandshakeStateTLS13{
+                       c:           srv,
+                       ctx:         ctx,
+                       clientHello: clientHello,
+               }
+               if err := hs.processClientHello(); err != nil {
+                       testFatal(t, err)
+               }
+               if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
+                       testFatal(t, err)
+               }
+
+               record, err := concatHandshakeMessages(hs.hello, &encryptedExtensionsMsg{alpnProtocol: "h2"})
+               if err != nil {
+                       testFatal(t, err)
+               }
+
+               if _, err := s.Write(record); err != nil {
+                       testFatal(t, err)
+               }
+               srv.Close()
+       }()
+
+       cli := Client(c, testConfig)
+       expectedErr := "tls: handshake buffer not empty before setting read traffic secret"
+       if err := cli.Handshake(); err == nil {
+               t.Fatal("expected error from incomplete handshake, got nil")
+       } else if err.Error() != expectedErr {
+               t.Fatalf("expected error %q, got %q", expectedErr, err.Error())
+       }
+}
+
+func TestClientHelloTrailingMessage(t *testing.T) {
+       // Same as TestServerHelloTrailingMessage but for the client side.
+
+       c, s := localPipe(t)
+       go func() {
+               cli := Client(c, testConfig)
+
+               hello, _, _, err := cli.makeClientHello()
+               if err != nil {
+                       testFatal(t, err)
+               }
+
+               record, err := concatHandshakeMessages(hello, &certificateMsgTLS13{})
+               if err != nil {
+                       testFatal(t, err)
+               }
+
+               if _, err := c.Write(record); err != nil {
+                       testFatal(t, err)
+               }
+               cli.Close()
+       }()
+
+       srv := Server(s, testConfig)
+       expectedErr := "tls: handshake buffer not empty before setting read traffic secret"
+       if err := srv.Handshake(); err == nil {
+               t.Fatal("expected error from incomplete handshake, got nil")
+       } else if err.Error() != expectedErr {
+               t.Fatalf("expected error %q, got %q", expectedErr, err.Error())
+       }
+}
+
+func TestDoubleClientHelloHRR(t *testing.T) {
+       // If a client sends two ClientHello messages in a single record, and the
+       // server sends a HRR after reading the first ClientHello, the server must
+       // either fail or ignore the trailing ClientHello.
+
+       c, s := localPipe(t)
+
+       go func() {
+               cli := Client(c, testConfig)
+
+               hello, _, _, err := cli.makeClientHello()
+               if err != nil {
+                       testFatal(t, err)
+               }
+               hello.keyShares = nil
+
+               record, err := concatHandshakeMessages(hello, hello)
+               if err != nil {
+                       testFatal(t, err)
+               }
+
+               if _, err := c.Write(record); err != nil {
+                       testFatal(t, err)
+               }
+               cli.Close()
+       }()
+
+       srv := Server(s, testConfig)
+       expectedErr := "tls: handshake buffer not empty before HelloRetryRequest"
+       if err := srv.Handshake(); err == nil {
+               t.Fatal("expected error from incomplete handshake, got nil")
+       } else if err.Error() != expectedErr {
+               t.Fatalf("expected error %q, got %q", expectedErr, err.Error())
+       }
+}
+
+// concatHandshakeMessages marshals and concatenates the given handshake
+// messages into a single record.
+func concatHandshakeMessages(msgs ...handshakeMessage) ([]byte, error) {
+       var marshalled []byte
+       for _, msg := range msgs {
+               data, err := msg.marshal()
+               if err != nil {
+                       return nil, err
+               }
+               marshalled = append(marshalled, data...)
+       }
+       m := len(marshalled)
+       outBuf := make([]byte, recordHeaderLen)
+       outBuf[0] = byte(recordTypeHandshake)
+       vers := VersionTLS12
+       outBuf[1] = byte(vers >> 8)
+       outBuf[2] = byte(vers)
+       outBuf[3] = byte(m >> 8)
+       outBuf[4] = byte(m)
+       outBuf = append(outBuf, marshalled...)
+       return outBuf, nil
+}
+diff --git a/src/crypto/tls/quic.go b/src/crypto/tls/quic.go
+index 3518169bf7..aa14f1dadb 100644
+--- a/src/crypto/tls/quic.go
+++ b/src/crypto/tls/quic.go
+@@ -323,13 +323,22 @@ func (c *Conn) quicReadHandshakeBytes(n int) error {
+        return nil
+ }
+-func (c *Conn) quicSetReadSecret(level QUICEncryptionLevel, suite uint16, secret []byte) {
+func (c *Conn) quicSetReadSecret(level QUICEncryptionLevel, suite uint16, secret []byte) error {
+       // Ensure that there are no buffered handshake messages before changing the
+       // read keys, since that can cause messages to be parsed that were encrypted
+       // using old keys which are no longer appropriate.
+       // TODO(roland): we should merge this check with the similar one in setReadTrafficSecret.
+       if c.hand.Len() != 0 {
+               c.sendAlert(alertUnexpectedMessage)
+               return errors.New("tls: handshake buffer not empty before setting read traffic secret")
+       }
+        c.quic.events = append(c.quic.events, QUICEvent{
+                Kind:  QUICSetReadSecret,
+                Level: level,
+                Suite: suite,
+                Data:  secret,
+        })
+       return nil
+ }
+ func (c *Conn) quicSetWriteSecret(level QUICEncryptionLevel, suite uint16, secret []byte) {
+--
+2.35.6
author	Deepak Rathore <deeratho@cisco.com>	2026-02-11 20:58:01 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-02-27 17:45:06 +0000
commit	dde29170e37afe550fecc5da53eebeaa05e3f790 (patch)
tree	a4345b80c00b7d5ac92fbc578f5219a38d9c1b2d /meta
parent	b16633f3c66305be0e4c67363449fd33802a53ba (diff)
download	poky-dde29170e37afe550fecc5da53eebeaa05e3f790.tar.gz

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index ca5016c2f5..e9a1803252 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -31,6 +31,7 @@ SRC_URI += "\
31	file://CVE-2025-61724.patch \	31	file://CVE-2025-61724.patch \
32	file://CVE-2025-61727.patch \	32	file://CVE-2025-61727.patch \
33	file://CVE-2025-61729.patch \	33	file://CVE-2025-61729.patch \
		34	file://CVE-2025-61730.patch \
34	"	35	"
35	SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"	36	SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
36		37


diff --git a/meta/recipes-devtools/go/go/CVE-2025-61730.patch b/meta/recipes-devtools/go/go/CVE-2025-61730.patch new file mode 100644 index 0000000000..b7234e6bf2 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-61730.patch
@@ -0,0 +1,460 @@
		1	From 2cfa797798cc982973d194eca3be19fb1f092556 Mon Sep 17 00:00:00 2001
		2	From: Roland Shoemaker <roland@golang.org>
		3	Date: Mon, 24 Nov 2025 14:03:10 -0800
		4	Subject: [PATCH] [release-branch.go1.24] crypto/tls: reject trailing messages
		5	after client/server hello
		6
		7	For TLS 1.3, after procesesing the server/client hello, if there isn't a
		8	CCS message, reject the trailing messages which were appended to the
		9	hello messages. This prevents an on-path attacker from injecting
		10	plaintext messages into the handshake.
		11
		12	Additionally, check that we don't have any buffered messages before we
		13	switch the read traffic secret regardless, since any buffered messages
		14	would have been under an old key which is no longer appropriate.
		15
		16	We also invert the ordering of setting the read/write secrets so that if
		17	we fail when changing the read secret we send the alert using the
		18	correct write secret.
		19
		20	Updates #76443
		21	Fixes #76854
		22	Fixes CVE-2025-61730
		23
		24	CVE: CVE-2025-61730
		25	Upstream-Status: Backport [https://github.com/golang/go/commit/ad2cd043db66]
		26
		27	Backport Changes:
		28	- In version 1.24, the doHelloRetryRequest function defined in handshake_server_tls13.go
		29	returns keyshare and error, but in version 1.22 it only returns error. The backport
		30	was adjusted accordingly and These changes were introduced by commit
		31	https://github.com/golang/go/commit/d0edd9acc80a in version 1.24.
		32	- In file src/crypto/tls/handshake_server_tls13.go, Replaced the function call
		33	hs.handshakeSecret.ClientHandshakeTrafficSecret(hs.transcript) with
		34	hs.suite.deriveSecret(hs.handshakeSecret, clientHandshakeTrafficLabel, hs.transcript).
		35	This change is not present in version v1.22 and it was introduced by commit
		36	https://github.com/golang/go/commit/743746a3a52d in version 1.24.
		37
		38	Change-Id: If6ba8ad16f48d5cd5db5574824062ad4244a5b52
		39	Reviewed-on: https://go-review.googlesource.com/c/go/+/724120
		40	LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
		41	Reviewed-by: Michael Knyszek <mknyszek@google.com>
		42	Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
		43	Reviewed-by: Coia Prant <coiaprant@gmail.com>
		44	(cherry picked from commit 5046bdf8a612b35a2c1a9e168054c1d5c65e7dd7)
		45	Reviewed-on: https://go-review.googlesource.com/c/go/+/731961
		46	Reviewed-by: Damien Neil <dneil@google.com>
		47	(cherry picked from commit ad2cd043db66cd36e1f55359638729d2c8ff3d99)
		48	Signed-off-by: Deepak Rathore <deeratho@cisco.com>
		49	---
		50	src/crypto/tls/conn.go \| 39 ++++++-
		51	src/crypto/tls/handshake_client_tls13.go \| 22 ++--
		52	src/crypto/tls/handshake_server_tls13.go \| 39 ++++---
		53	src/crypto/tls/handshake_test.go \| 140 +++++++++++++++++++++++
		54	src/crypto/tls/quic.go \| 11 +-
		55	5 files changed, 219 insertions(+), 32 deletions(-)
		56
		57	diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go
		58	index 0e4669866e..08609ce17b 100644
		59	--- a/src/crypto/tls/conn.go
		60	+++ b/src/crypto/tls/conn.go
		61	@@ -225,6 +225,9 @@ func (hc *halfConn) changeCipherSpec() error {
		62	return nil
		63	}
		64
		65	+// setTrafficSecret sets the traffic secret for the given encryption level. setTrafficSecret
		66	+// should not be called directly, but rather through the Conn setWriteTrafficSecret and
		67	+// setReadTrafficSecret wrapper methods.
		68	func (hc halfConn) setTrafficSecret(suite cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) {
		69	hc.trafficSecret = secret
		70	hc.level = level
		71	@@ -1321,9 +1324,6 @@ func (c Conn) handleKeyUpdate(keyUpdate keyUpdateMsg) error {
		72	return c.in.setErrorLocked(c.sendAlert(alertInternalError))
		73	}
		74
		75	- newSecret := cipherSuite.nextTrafficSecret(c.in.trafficSecret)
		76	- c.in.setTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret)
		77	-
		78	if keyUpdate.updateRequested {
		79	c.out.Lock()
		80	defer c.out.Unlock()
		81	@@ -1341,7 +1341,12 @@ func (c Conn) handleKeyUpdate(keyUpdate keyUpdateMsg) error {
		82	}
		83
		84	newSecret := cipherSuite.nextTrafficSecret(c.out.trafficSecret)
		85	- c.out.setTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret)
		86	+ c.setWriteTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret)
		87	+ }
		88	+
		89	+ newSecret := cipherSuite.nextTrafficSecret(c.in.trafficSecret)
		90	+ if err := c.setReadTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret); err != nil {
		91	+ return err
		92	}
		93
		94	return nil
		95	@@ -1572,7 +1577,9 @@ func (c *Conn) handshakeContext(ctx context.Context) (ret error) {
		96	// Provide the 1-RTT read secret now that the handshake is complete.
		97	// The QUIC layer MUST NOT decrypt 1-RTT packets prior to completing
		98	// the handshake (RFC 9001, Section 5.7).
		99	- c.quicSetReadSecret(QUICEncryptionLevelApplication, c.cipherSuite, c.in.trafficSecret)
		100	+ if err := c.quicSetReadSecret(QUICEncryptionLevelApplication, c.cipherSuite, c.in.trafficSecret); err != nil {
		101	+ return err
		102	+ }
		103	} else {
		104	var a alert
		105	c.out.Lock()
		106	@@ -1664,3 +1671,25 @@ func (c *Conn) VerifyHostname(host string) error {
		107	}
		108	return c.peerCertificates[0].VerifyHostname(host)
		109	}
		110	+
		111	+// setReadTrafficSecret sets the read traffic secret for the given encryption level. If
		112	+// being called at the same time as setWriteTrafficSecret, the caller must ensure the call
		113	+// to setWriteTrafficSecret happens first so any alerts are sent at the write level.
		114	+func (c Conn) setReadTrafficSecret(suite cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) error {
		115	+ // Ensure that there are no buffered handshake messages before changing the
		116	+ // read keys, since that can cause messages to be parsed that were encrypted
		117	+ // using old keys which are no longer appropriate.
		118	+ if c.hand.Len() != 0 {
		119	+ c.sendAlert(alertUnexpectedMessage)
		120	+ return errors.New("tls: handshake buffer not empty before setting read traffic secret")
		121	+ }
		122	+ c.in.setTrafficSecret(suite, level, secret)
		123	+ return nil
		124	+}
		125	+
		126	+// setWriteTrafficSecret sets the write traffic secret for the given encryption level. If
		127	+// being called at the same time as setReadTrafficSecret, the caller must ensure the call
		128	+// to setWriteTrafficSecret happens first so any alerts are sent at the write level.
		129	+func (c Conn) setWriteTrafficSecret(suite cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) {
		130	+ c.out.setTrafficSecret(suite, level, secret)
		131	+}
		132	diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go
		133	index 2f59f6888c..68ff92beda 100644
		134	--- a/src/crypto/tls/handshake_client_tls13.go
		135	+++ b/src/crypto/tls/handshake_client_tls13.go
		136	@@ -393,17 +393,18 @@ func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
		137
		138	clientSecret := hs.suite.deriveSecret(handshakeSecret,
		139	clientHandshakeTrafficLabel, hs.transcript)
		140	- c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret)
		141	+ c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret)
		142	serverSecret := hs.suite.deriveSecret(handshakeSecret,
		143	serverHandshakeTrafficLabel, hs.transcript)
		144	- c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret)
		145	+ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret); err != nil {
		146	+ return err
		147	+ }
		148
		149	if c.quic != nil {
		150	- if c.hand.Len() != 0 {
		151	- c.sendAlert(alertUnexpectedMessage)
		152	- }
		153	c.quicSetWriteSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret)
		154	- c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret)
		155	+ if err := c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret); err != nil {
		156	+ return err
		157	+ }
		158	}
		159
		160	err = c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret)
		161	@@ -606,7 +607,9 @@ func (hs *clientHandshakeStateTLS13) readServerFinished() error {
		162	clientApplicationTrafficLabel, hs.transcript)
		163	serverSecret := hs.suite.deriveSecret(hs.masterSecret,
		164	serverApplicationTrafficLabel, hs.transcript)
		165	- c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret)
		166	+ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret); err != nil {
		167	+ return err
		168	+ }
		169
		170	err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret)
		171	if err != nil {
		172	@@ -702,7 +705,7 @@ func (hs *clientHandshakeStateTLS13) sendClientFinished() error {
		173	return err
		174	}
		175
		176	- c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret)
		177	+ c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret)
		178
		179	if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil {
		180	c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret,
		181	@@ -710,9 +713,6 @@ func (hs *clientHandshakeStateTLS13) sendClientFinished() error {
		182	}
		183
		184	if c.quic != nil {
		185	- if c.hand.Len() != 0 {
		186	- c.sendAlert(alertUnexpectedMessage)
		187	- }
		188	c.quicSetWriteSecret(QUICEncryptionLevelApplication, hs.suite.id, hs.trafficSecret)
		189	}
		190
		191	diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
		192	index 21d798de37..5aa69e9640 100644
		193	--- a/src/crypto/tls/handshake_server_tls13.go
		194	+++ b/src/crypto/tls/handshake_server_tls13.go
		195	@@ -380,7 +380,9 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
		196	return err
		197	}
		198	earlyTrafficSecret := hs.suite.deriveSecret(hs.earlySecret, clientEarlyTrafficLabel, transcript)
		199	- c.quicSetReadSecret(QUICEncryptionLevelEarly, hs.suite.id, earlyTrafficSecret)
		200	+ if err := c.quicSetReadSecret(QUICEncryptionLevelEarly, hs.suite.id, earlyTrafficSecret); err != nil {
		201	+ return err
		202	+ }
		203	}
		204
		205	c.didResume = true
		206	@@ -477,6 +479,14 @@ func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
		207	func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error {
		208	c := hs.c
		209
		210	+ // Make sure the client didn't send extra handshake messages alongside
		211	+ // their initial client_hello. If they sent two client_hello messages,
		212	+ // we will consume the second before they respond to the server_hello.
		213	+ if c.hand.Len() != 0 {
		214	+ c.sendAlert(alertUnexpectedMessage)
		215	+ return errors.New("tls: handshake buffer not empty before HelloRetryRequest")
		216	+ }
		217	+
		218	// The first ClientHello gets double-hashed into the transcript upon a
		219	// HelloRetryRequest. See RFC 8446, Section 4.4.1.
		220	if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
		221	@@ -615,19 +625,20 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
		222	hs.handshakeSecret = hs.suite.extract(hs.sharedKey,
		223	hs.suite.deriveSecret(earlySecret, "derived", nil))
		224
		225	- clientSecret := hs.suite.deriveSecret(hs.handshakeSecret,
		226	- clientHandshakeTrafficLabel, hs.transcript)
		227	- c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret)
		228	serverSecret := hs.suite.deriveSecret(hs.handshakeSecret,
		229	serverHandshakeTrafficLabel, hs.transcript)
		230	- c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret)
		231	+ c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret)
		232	+ clientSecret := hs.suite.deriveSecret(hs.handshakeSecret,
		233	+ clientHandshakeTrafficLabel, hs.transcript)
		234	+ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret); err != nil {
		235	+ return err
		236	+ }
		237
		238	if c.quic != nil {
		239	- if c.hand.Len() != 0 {
		240	- c.sendAlert(alertUnexpectedMessage)
		241	- }
		242	c.quicSetWriteSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret)
		243	- c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret)
		244	+ if err := c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret); err != nil {
		245	+ return err
		246	+ }
		247	}
		248
		249	err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.clientHello.random, clientSecret)
		250	@@ -751,13 +762,9 @@ func (hs *serverHandshakeStateTLS13) sendServerFinished() error {
		251	clientApplicationTrafficLabel, hs.transcript)
		252	serverSecret := hs.suite.deriveSecret(hs.masterSecret,
		253	serverApplicationTrafficLabel, hs.transcript)
		254	- c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret)
		255	+ c.setWriteTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret)
		256
		257	if c.quic != nil {
		258	- if c.hand.Len() != 0 {
		259	- // TODO: Handle this in setTrafficSecret?
		260	- c.sendAlert(alertUnexpectedMessage)
		261	- }
		262	c.quicSetWriteSecret(QUICEncryptionLevelApplication, hs.suite.id, serverSecret)
		263	}
		264
		265	@@ -992,7 +999,9 @@ func (hs *serverHandshakeStateTLS13) readClientFinished() error {
		266	return errors.New("tls: invalid client finished hash")
		267	}
		268
		269	- c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret)
		270	+ if err := c.setReadTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret); err != nil {
		271	+ return err
		272	+ }
		273
		274	return nil
		275	}
		276	diff --git a/src/crypto/tls/handshake_test.go b/src/crypto/tls/handshake_test.go
		277	index 27ab19ef31..4991a0e69b 100644
		278	--- a/src/crypto/tls/handshake_test.go
		279	+++ b/src/crypto/tls/handshake_test.go
		280	@@ -6,6 +6,7 @@ package tls
		281
		282	import (
		283	"bufio"
		284	+ "context"
		285	"crypto/ed25519"
		286	"crypto/x509"
		287	"encoding/hex"
		288	@@ -533,3 +534,142 @@ var clientEd25519KeyPEM = testingKey(`
		289	-----BEGIN TESTING KEY-----
		290	MC4CAQAwBQYDK2VwBCIEINifzf07d9qx3d44e0FSbV4mC/xQxT644RRbpgNpin7I
		291	-----END TESTING KEY-----`)
		292	+
		293	+func TestServerHelloTrailingMessage(t *testing.T) {
		294	+ // In TLS 1.3 the change cipher spec message is optional. If a CCS message
		295	+ // is not sent, after reading the ServerHello, the read traffic secret is
		296	+ // set, and all following messages must be encrypted. If the server sends
		297	+ // additional unencrypted messages in a record with the ServerHello, the
		298	+ // client must either fail or ignore the additional messages.
		299	+
		300	+ c, s := localPipe(t)
		301	+ go func() {
		302	+ ctx := context.Background()
		303	+ srv := Server(s, testConfig)
		304	+ clientHello, _, err := srv.readClientHello(ctx)
		305	+ if err != nil {
		306	+ testFatal(t, err)
		307	+ }
		308	+
		309	+ hs := serverHandshakeStateTLS13{
		310	+ c: srv,
		311	+ ctx: ctx,
		312	+ clientHello: clientHello,
		313	+ }
		314	+ if err := hs.processClientHello(); err != nil {
		315	+ testFatal(t, err)
		316	+ }
		317	+ if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
		318	+ testFatal(t, err)
		319	+ }
		320	+
		321	+ record, err := concatHandshakeMessages(hs.hello, &encryptedExtensionsMsg{alpnProtocol: "h2"})
		322	+ if err != nil {
		323	+ testFatal(t, err)
		324	+ }
		325	+
		326	+ if _, err := s.Write(record); err != nil {
		327	+ testFatal(t, err)
		328	+ }
		329	+ srv.Close()
		330	+ }()
		331	+
		332	+ cli := Client(c, testConfig)
		333	+ expectedErr := "tls: handshake buffer not empty before setting read traffic secret"
		334	+ if err := cli.Handshake(); err == nil {
		335	+ t.Fatal("expected error from incomplete handshake, got nil")
		336	+ } else if err.Error() != expectedErr {
		337	+ t.Fatalf("expected error %q, got %q", expectedErr, err.Error())
		338	+ }
		339	+}
		340	+
		341	+func TestClientHelloTrailingMessage(t *testing.T) {
		342	+ // Same as TestServerHelloTrailingMessage but for the client side.
		343	+
		344	+ c, s := localPipe(t)
		345	+ go func() {
		346	+ cli := Client(c, testConfig)
		347	+
		348	+ hello, _, _, err := cli.makeClientHello()
		349	+ if err != nil {
		350	+ testFatal(t, err)
		351	+ }
		352	+
		353	+ record, err := concatHandshakeMessages(hello, &certificateMsgTLS13{})
		354	+ if err != nil {
		355	+ testFatal(t, err)
		356	+ }
		357	+
		358	+ if _, err := c.Write(record); err != nil {
		359	+ testFatal(t, err)
		360	+ }
		361	+ cli.Close()
		362	+ }()
		363	+
		364	+ srv := Server(s, testConfig)
		365	+ expectedErr := "tls: handshake buffer not empty before setting read traffic secret"
		366	+ if err := srv.Handshake(); err == nil {
		367	+ t.Fatal("expected error from incomplete handshake, got nil")
		368	+ } else if err.Error() != expectedErr {
		369	+ t.Fatalf("expected error %q, got %q", expectedErr, err.Error())
		370	+ }
		371	+}
		372	+
		373	+func TestDoubleClientHelloHRR(t *testing.T) {
		374	+ // If a client sends two ClientHello messages in a single record, and the
		375	+ // server sends a HRR after reading the first ClientHello, the server must
		376	+ // either fail or ignore the trailing ClientHello.
		377	+
		378	+ c, s := localPipe(t)
		379	+
		380	+ go func() {
		381	+ cli := Client(c, testConfig)
		382	+
		383	+ hello, _, _, err := cli.makeClientHello()
		384	+ if err != nil {
		385	+ testFatal(t, err)
		386	+ }
		387	+ hello.keyShares = nil
		388	+
		389	+ record, err := concatHandshakeMessages(hello, hello)
		390	+ if err != nil {
		391	+ testFatal(t, err)
		392	+ }
		393	+
		394	+ if _, err := c.Write(record); err != nil {
		395	+ testFatal(t, err)
		396	+ }
		397	+ cli.Close()
		398	+ }()
		399	+
		400	+ srv := Server(s, testConfig)
		401	+ expectedErr := "tls: handshake buffer not empty before HelloRetryRequest"
		402	+ if err := srv.Handshake(); err == nil {
		403	+ t.Fatal("expected error from incomplete handshake, got nil")
		404	+ } else if err.Error() != expectedErr {
		405	+ t.Fatalf("expected error %q, got %q", expectedErr, err.Error())
		406	+ }
		407	+}
		408	+
		409	+// concatHandshakeMessages marshals and concatenates the given handshake
		410	+// messages into a single record.
		411	+func concatHandshakeMessages(msgs ...handshakeMessage) ([]byte, error) {
		412	+ var marshalled []byte
		413	+ for _, msg := range msgs {
		414	+ data, err := msg.marshal()
		415	+ if err != nil {
		416	+ return nil, err
		417	+ }
		418	+ marshalled = append(marshalled, data...)
		419	+ }
		420	+ m := len(marshalled)
		421	+ outBuf := make([]byte, recordHeaderLen)
		422	+ outBuf[0] = byte(recordTypeHandshake)
		423	+ vers := VersionTLS12
		424	+ outBuf[1] = byte(vers >> 8)
		425	+ outBuf[2] = byte(vers)
		426	+ outBuf[3] = byte(m >> 8)
		427	+ outBuf[4] = byte(m)
		428	+ outBuf = append(outBuf, marshalled...)
		429	+ return outBuf, nil
		430	+}
		431	diff --git a/src/crypto/tls/quic.go b/src/crypto/tls/quic.go
		432	index 3518169bf7..aa14f1dadb 100644
		433	--- a/src/crypto/tls/quic.go
		434	+++ b/src/crypto/tls/quic.go
		435	@@ -323,13 +323,22 @@ func (c *Conn) quicReadHandshakeBytes(n int) error {
		436	return nil
		437	}
		438
		439	-func (c *Conn) quicSetReadSecret(level QUICEncryptionLevel, suite uint16, secret []byte) {
		440	+func (c *Conn) quicSetReadSecret(level QUICEncryptionLevel, suite uint16, secret []byte) error {
		441	+ // Ensure that there are no buffered handshake messages before changing the
		442	+ // read keys, since that can cause messages to be parsed that were encrypted
		443	+ // using old keys which are no longer appropriate.
		444	+ // TODO(roland): we should merge this check with the similar one in setReadTrafficSecret.
		445	+ if c.hand.Len() != 0 {
		446	+ c.sendAlert(alertUnexpectedMessage)
		447	+ return errors.New("tls: handshake buffer not empty before setting read traffic secret")
		448	+ }
		449	c.quic.events = append(c.quic.events, QUICEvent{
		450	Kind: QUICSetReadSecret,
		451	Level: level,
		452	Suite: suite,
		453	Data: secret,
		454	})
		455	+ return nil
		456	}
		457
		458	func (c *Conn) quicSetWriteSecret(level QUICEncryptionLevel, suite uint16, secret []byte) {
		459	--
		460	2.35.6