首页 开源 资讯 活动 开源许可证
软件工程云服务
软件代码质量检测云服务 持续集成与部署云服务 社区个性化内容推荐服务 贡献审阅人推荐服务 群体化学习服务 重睛鸟代码扫描工具
Watch 1 Star 0 Fork 78

jing-rui/golang

forked from src-openEuler/golang 
代码 Issues 0 Pull Requests 0 Wiki 0 统计
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
backport-0001-release-branch.go1.21-crypto-x509-make-sure-pub-key-.patch 2.80 KB
一键复制 编辑 原始数据 按行查看 历史
hc 提交于 2024-03-15 13:05 . backport: fix CVE-2024-24783,CVE-2024-24785,CVE-2023-45290,CVE-2023-45289
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778
From 5dfc2e6c42724349a9e9ecbcc69be920c18d90e9 Mon Sep 17 00:00:00 2001

From: Roland Shoemaker <bracewell@google.com>

Date: Thu, 18 Jan 2024 12:51:13 -0800

Subject: [PATCH 1/4] [release-branch.go1.21] crypto/x509: make sure pub key is

 non-nil before interface conversion



alreadyInChain assumes all keys fit a interface which contains the

Equal method (which they do), but this ignores that certificates may

have a nil key when PublicKeyAlgorithm is UnknownPublicKeyAlgorithm. In

this case alreadyInChain panics.



Check that the key is non-nil as part of considerCandidate (we are never

going to build a chain containing UnknownPublicKeyAlgorithm anyway).



For #65390

Fixes #65392

Fixes CVE-2024-24783



Change-Id: Ibdccc0a487e3368b6812be35daad2512220243f3

Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2137282

Reviewed-by: Damien Neil <dneil@google.com>

Run-TryBot: Roland Shoemaker <bracewell@google.com>

Reviewed-by: Tatiana Bradley <tatianabradley@google.com>

Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173774

Reviewed-by: Roland Shoemaker <bracewell@google.com>

Reviewed-by: Carlos Amedee <amedee@google.com>

Reviewed-on: https://go-review.googlesource.com/c/go/+/569238

Auto-Submit: Michael Knyszek <mknyszek@google.com>

LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Reviewed-by: Carlos Amedee <carlos@golang.org>

---

 src/crypto/x509/verify.go      |  2 +-

 src/crypto/x509/verify_test.go | 19 +++++++++++++++++++

 2 files changed, 20 insertions(+), 1 deletion(-)



diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go

index 345d434453c..56a1a1725cc 100644

--- a/src/crypto/x509/verify.go

+++ b/src/crypto/x509/verify.go

@@ -899,7 +899,7 @@ func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, o

 	)

 

 	considerCandidate := func(certType int, candidate *Certificate) {

-		if alreadyInChain(candidate, currentChain) {

+		if candidate.PublicKey == nil || alreadyInChain(candidate, currentChain) {

 			return

 		}

 

diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go

index 3551b470ced..d8678d03f93 100644

--- a/src/crypto/x509/verify_test.go

+++ b/src/crypto/x509/verify_test.go

@@ -2693,3 +2693,22 @@ func TestVerifyEKURootAsLeaf(t *testing.T) {

 	}

 

 }

+

+func TestVerifyNilPubKey(t *testing.T) {

+	c := &Certificate{

+		RawIssuer:      []byte{1, 2, 3},

+		AuthorityKeyId: []byte{1, 2, 3},

+	}

+	opts := &VerifyOptions{}

+	opts.Roots = NewCertPool()

+	r := &Certificate{

+		RawSubject:   []byte{1, 2, 3},

+		SubjectKeyId: []byte{1, 2, 3},

+	}

+	opts.Roots.AddCert(r)

+

+	_, err := c.buildChains([]*Certificate{r}, nil, opts)

+	if _, ok := err.(UnknownAuthorityError); !ok {

+		t.Fatalf("buildChains returned unexpected error, got: %v, want %v", err, UnknownAuthorityError{})

+	}

+}

-- 

2.33.0
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化