mirror
/
go
mirror of https://github.com/golang/go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
go/src
History
Roland Shoemaker a98589711d crypto/tls: test key type when casting 
When casting the certificate public key in generateClientKeyExchange,
check the type is appropriate. This prevents a panic when a server
agrees to a RSA based key exchange, but then sends an ECDSA (or
other) certificate.

Fixes #47143
Fixes CVE-2021-34558

Thanks to Imre Rad for reporting this issue.

Change-Id: Iabccacca6052769a605cccefa1216a9f7b7f6aea
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1116723
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/334031
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
 		2021-07-12 20:58:00 +00:00
..
archive archive/zip: only preallocate File slice if reasonably sized 2021-05-25 23:41:42 +00:00
bufio
builtin
bytes
cmd Update oudated comment 2021-07-08 16:59:21 +00:00
compress
container
context
crypto crypto/tls: test key type when casting 2021-07-12 20:58:00 +00:00
database/sql database/sql: fix deadlock test in prepare statement 2021-06-21 17:37:23 +00:00
debug debug/elf: don't apply DWARF relocations for ET_EXEC binaries 2021-06-14 22:13:47 +00:00
embed
encoding
errors
expvar
flag
fmt fmt: split package documentation into more sections 2021-06-07 15:17:48 +00:00
go go/types: in TestCheck/issues.src, import regexp/syntax instead of cmd/compile/internal/syntax 2021-06-25 21:05:10 +00:00
hash
html
image image/gif: fix typo in the comment (io.ReadByte -> io.ByteReader) 2021-06-30 17:58:50 +00:00
index/suffixarray
internal Update oudated comment 2021-07-08 16:59:21 +00:00
io io/fs: minor corrections to Sub docs 2021-06-02 18:52:58 +00:00
log
math math/big: fix typo of comment (`BytesScanner` to `ByteScanner`) 2021-06-29 16:57:13 +00:00
mime mime: document use of the Shared MIME-Info Database 2021-05-26 22:41:35 +00:00
net net: filter bad names from Lookup functions instead of hard failing 2021-07-08 17:53:43 +00:00
os os: change example to avoid deprecated function 2021-06-30 16:44:19 +00:00
path path/filepath: deflake TestEvalSymlinksAboveRoot on darwin 2021-06-30 20:03:34 +00:00
plugin
reflect Update oudated comment 2021-07-08 16:59:21 +00:00
regexp regexp: fix repeat of preferred empty match 2021-05-13 14:52:20 +00:00
runtime runtime/pprof: call runtime.GC twice in memory profile test 2021-07-09 18:00:16 +00:00
sort
strconv strconv: document parsing of leading +/- 2021-06-09 18:16:27 +00:00
strings
sync all: add //go:build lines to assembly files 2021-05-13 09:12:17 +00:00
syscall syscall: fix TestGroupCleanupUserNamespace test failure on Fedora 2021-06-16 04:45:46 +00:00
testdata
testing testing: add TB.Setenv 2021-07-01 18:35:33 +00:00
text text/template: fix type bug in eq 2021-05-06 13:39:39 +00:00
time time: handle invalid UTF-8 byte sequences in quote to prevent panic 2021-06-24 03:20:33 +00:00
unicode
unsafe spec, unsafe: clarify unsafe.Slice docs 2021-07-02 19:26:52 +00:00
vendor cmd/internal/moddeps: use filepath.SkipDir only on directories 2021-05-19 15:20:08 +00:00
Make.dist
README.vendor
all.bash
all.bat
all.rc
bootstrap.bash
buildall.bash
clean.bash
clean.bat
clean.rc
cmp.bash
go.mod cmd/internal/moddeps: use filepath.SkipDir only on directories 2021-05-19 15:20:08 +00:00
go.sum cmd/go: add a -compat flag to 'go mod tidy' 2021-05-25 13:18:26 +00:00
make.bash make.bash: fix misuse of continue 2021-05-18 15:00:55 +00:00
make.bat
make.rc
race.bash
race.bat
run.bash
run.bat
run.rc

README.vendor 

Vendoring in std and cmd
========================

The Go command maintains copies of external packages needed by the
standard library in the src/vendor and src/cmd/vendor directories.

In GOPATH mode, imports of vendored packages are resolved to these
directories following normal vendor directory logic
(see golang.org/s/go15vendor).

In module mode, std and cmd are modules (defined in src/go.mod and
src/cmd/go.mod). When a package outside std or cmd is imported
by a package inside std or cmd, the import path is interpreted
as if it had a "vendor/" prefix. For example, within "crypto/tls",
an import of "golang.org/x/crypto/cryptobyte" resolves to
"vendor/golang.org/x/crypto/cryptobyte". When a package with the
same path is imported from a package outside std or cmd, it will
be resolved normally. Consequently, a binary may be built with two
copies of a package at different versions if the package is
imported normally and vendored by the standard library.

Vendored packages are internally renamed with a "vendor/" prefix
to preserve the invariant that all packages have distinct paths.
This is necessary to avoid compiler and linker conflicts. Adding
a "vendor/" prefix also maintains the invariant that standard
library packages begin with a dotless path element.

The module requirements of std and cmd do not influence version
selection in other modules. They are only considered when running
module commands like 'go get' and 'go mod vendor' from a directory
in GOROOT/src.

Maintaining vendor directories
==============================

Before updating vendor directories, ensure that module mode is enabled.
Make sure GO111MODULE=off is not set ('on' or 'auto' should work).

Requirements may be added, updated, and removed with 'go get'.
The vendor directory may be updated with 'go mod vendor'.
A typical sequence might be:

    cd src
    go get -d golang.org/x/net@latest
    go mod tidy
    go mod vendor

Use caution when passing '-u' to 'go get'. The '-u' flag updates
modules providing all transitively imported packages, not only
the module providing the target package.

Note that 'go mod vendor' only copies packages that are transitively
imported by packages in the current module. If a new package is needed,
it should be imported before running 'go mod vendor'.