Skip to content

fix: validate protocol version during connection deserialization#5523

Merged
jouho merged 12 commits intoaws:mainfrom
jouho:version-check-deserialization
Oct 2, 2025
Merged

fix: validate protocol version during connection deserialization#5523
jouho merged 12 commits intoaws:mainfrom
jouho:version-check-deserialization

Conversation

@jouho
Copy link
Copy Markdown
Contributor

@jouho jouho commented Sep 24, 2025
edited
Loading

Release Summary:

Fixed a validation issue in s2n_connection_deserialize() where malformed protocol version bytes could result in invalid connection state and inconsistent TLS behavior.

Resolved issues:

Fixes a validation issue in s2n_connection_deserialize() where malformed protocol version bytes could result in invalid connection state and inconsistent TLS behavior.

The issue is that a user controlling serialized connection data could provide malformed protocol version bytes that, when deserialized and used in the connection, would result in invalid protocol versions outside the valid TLS range (30-34). These invalid values can trigger unexpected code paths and cause inconsistent TLS behavior where the connection operates with protocol versions that don't correspond to any legitimate TLS version.

Description of changes:

Added protocol version validation in s2n_connection_deserialize_parse() to ensure deserialized protocol versions are within the valid TLS range (S2N_SSLv3 to s2n_highest_protocol_version(S2N_TLS13))

Call-outs:

This is not considered a security issue. Users are responsible for protecting serialized connection data as documented in Connection Serialization Usage Guide. The serialized data contains sensitive cryptographic material and must be protected by the application.

We also have API documentation for proper usage: s2n_connection_serialize() and s2n_connection_deserialize()

Testing:

Added unit tests for protocol validation

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Sep 24, 2025
@jouho jouho marked this pull request as ready for review September 24, 2025 21:48
lrstewart
lrstewart reviewed Sep 25, 2025
View reviewed changes
lrstewart
lrstewart reviewed Sep 26, 2025
View reviewed changes
@jouho jouho requested a review from lrstewart September 26, 2025 22:13
lrstewart
lrstewart reviewed Sep 27, 2025
View reviewed changes
@jouho jouho mentioned this pull request Sep 30, 2025
Open
@jouho jouho requested a review from lrstewart September 30, 2025 18:58
lrstewart
lrstewart approved these changes Oct 1, 2025
View reviewed changes
@jouho jouho requested a review from lrstewart October 2, 2025 00:22
lrstewart
lrstewart approved these changes Oct 2, 2025
View reviewed changes
@jouho jouho requested a review from lrstewart October 2, 2025 16:41
maddeleine
maddeleine reviewed Oct 2, 2025
View reviewed changes
@jouho jouho added this pull request to the merge queue Oct 2, 2025
Merged via the queue into aws:main with commit 7ba0389 Oct 2, 2025
50 of 51 checks passed
@jouho jouho deleted the version-check-deserialization branch October 2, 2025 22:18
@dougch dougch mentioned this pull request Oct 28, 2025
Closed
@BrewTestBot BrewTestBot mentioned this pull request Oct 30, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maddeleine maddeleine maddeleine approved these changes

@jmayclin jmayclin Awaiting requested review from jmayclin

@lrstewart lrstewart Awaiting requested review from lrstewart

Assignees

No one assigned

Labels

s2n-core team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jouho @lrstewart @maddeleine