
fix(tls): bound PSK identity length before decrypt #9

Open
alanhoff wants to merge 2 commits into endel:main from alanhoff:fix/tls-psk-identity-bounds

Conversation

@alanhoff

Summary

  • reject oversized TLS 1.3 PSK ticket identities before copying or decrypting them into fixed-size stack buffers
  • keep invalid oversized identities on the normal PSK rejection path instead of letting them reach @memcpy/AEAD output slices
  • add a regression test that feeds an oversized PSK identity directly into tryProcessPsk

Vulnerability

tryProcessPsk reads identity_len from the client-controlled pre_shared_key extension, then copies that identity into an 80-byte stack buffer and decrypts it into a 64-byte stack buffer without first proving the length fits. A malicious client can keep the extension internally well-formed while choosing an identity length that exceeds those buffers.

Concrete examples:

  • an identity_len of 81 bytes stays extension-valid, but it drives ciphertext_len to 65, which exceeds the 64-byte plaintext buffer
  • a larger identity such as 96 bytes would overrun both the 80-byte ticket buffer and the decrypt output slice
  • because this runs on the server's network-facing ClientHello path, a hostile client can repeatedly trigger remote crashes and, in unchecked builds, memory corruption

Validation

  • zig build test
  • zig build
  • zig build fuzz

References

Reject oversized TLS 1.3 PSK ticket identities before copying or decrypting them into fixed-size stack buffers, and add a regression test covering the oversized identity case.

Co-authored-by: Codex <noreply@openai.com>
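The two bounds the Vulnerability section describes, worked through as an added C example that is not code from this PR or from the endel repository. The 80-byte ticket buffer and 64-byte plaintext buffer are the sizes given above; the 16-byte AEAD tag (consistent with identity_len 81 giving ciphertext_len 65), the helper names, and the constructed extension bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes from the PR; the 16-byte AEAD tag is an assumption consistent with 81 -> 65. */
#define TICKET_BUF_LEN 80
#define PLAINTEXT_BUF_LEN 64
#define AEAD_TAG_LEN 16
enum psk_status { PSK_ACCEPT = 0, PSK_REJECT_EXT = 1, PSK_REJECT_LEN = 2 };

/* Hypothetical helper: read the first PskIdentity of a pre_shared_key body
 * (identities<7..2^16-1> { opaque identity<1..2^16-1>; uint32 obfuscated_ticket_age; }).
 * Returns identity_len with its offset in *off, or 0 if the vector is malformed. */
static size_t first_identity_len(const uint8_t *ext, size_t ext_len, size_t *off) {
    if (ext_len < 2) return 0;
    size_t ids_len = ((size_t)ext[0] << 8) | ext[1];
    if (ids_len < 7 || ids_len + 2 > ext_len) return 0;
    size_t identity_len = ((size_t)ext[2] << 8) | ext[3];
    if (identity_len == 0 || 2 + identity_len + 4 > ids_len) return 0;
    *off = 4;
    return identity_len;
}

/* Hardened shape of tryProcessPsk: bound identity_len against both fixed-size
 * buffers before any memcpy or decrypt-output slicing, so oversized identities
 * take the ordinary PSK rejection path instead of overrunning the stack. */
enum psk_status try_process_psk_hardened(const uint8_t *ext, size_t ext_len) {
    uint8_t ticket[TICKET_BUF_LEN], plaintext[PLAINTEXT_BUF_LEN];
    size_t off, identity_len = first_identity_len(ext, ext_len, &off);
    if (identity_len == 0) return PSK_REJECT_EXT;                 /* malformed extension */
    if (identity_len > sizeof ticket) return PSK_REJECT_LEN;      /* would overrun ticket[] */
    if (identity_len < AEAD_TAG_LEN) return PSK_REJECT_LEN;       /* no room for the tag */
    size_t ciphertext_len = identity_len - AEAD_TAG_LEN;
    if (ciphertext_len > sizeof plaintext) return PSK_REJECT_LEN; /* would overrun plaintext[] */
    memcpy(ticket, ext + off, identity_len);                      /* provably in bounds now */
    (void)plaintext; /* AEAD open of ticket[0..identity_len] into plaintext[0..ciphertext_len] */
    return PSK_ACCEPT;
}

/* Constructed input: build a well-formed extension body carrying one identity of
 * the requested length (binders omitted) and return the guard's verdict for it. */
int check_identity_len(size_t identity_len) {
    uint8_t ext[512];
    size_t ids_len = 2 + identity_len + 4, total = 2 + ids_len;
    if (identity_len == 0 || total > sizeof ext) return PSK_REJECT_EXT;
    ext[0] = (uint8_t)(ids_len >> 8); ext[1] = (uint8_t)ids_len;
    ext[2] = (uint8_t)(identity_len >> 8); ext[3] = (uint8_t)identity_len;
    memset(ext + 4, 0xAA, identity_len);   /* opaque ticket bytes */
    memset(ext + 4 + identity_len, 0, 4);  /* obfuscated_ticket_age */
    return (int)try_process_psk_hardened(ext, total);
}
```

An identity of exactly 80 bytes is the largest that passes both checks; 81 and 96 are rejected before any copy, matching the two cases listed in the description.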
Copilot AI review requested due to automatic review settings March 17, 2026 20:44

Copilot AI left a comment


Pull request overview

This PR hardens the QUIC TLS 1.3 server-side PSK resumption path by rejecting oversized PSK ticket identities before they can be copied/decrypted into fixed-size stack buffers, and adds a regression test to ensure the oversized case is handled safely.

Changes:

  • Add explicit upper bounds for identity_len/ciphertext_len in tryProcessPsk before any @memcpy or AEAD decrypt output slicing.
  • Keep oversized identities on the normal PSK rejection path (early return; using_psk remains false).
  • Add a unit test that feeds an oversized PSK identity directly into tryProcessPsk.


Derive the oversized PSK identity rejection limits from the actual decrypt and ticket buffers used in tryProcessPsk so the guard stays aligned with the implementation.

Co-authored-by: Codex <noreply@openai.com>
