[release-branch.go1.10] crypto/tls: copy and use adjusted syscall.CertChainPolicyPara
authorAlex Brainman <alex.brainman@gmail.com>
Sat, 5 May 2018 05:28:56 +0000 (15:28 +1000)
committerFilippo Valsorda <filippo@golang.org>
Mon, 7 May 2018 15:01:08 +0000 (15:01 +0000)
As discussed in issue #21376, it is unsafe for
syscall.CertChainPolicyPara.ExtraPolicyPara to be a uintptr -
it has to be a pointer type. So copy syscall.CertChainPolicyPara
into crypto/tls package, make ExtraPolicyPara unsafe.Pointer,
and use the new struct instead of syscall.CertChainPolicyPara.

Fixes #25033

Change-Id: If914af056cbbb0c4d93ffaa915b3d2cb5ecad0cd
Reviewed-on: https://go-review.googlesource.com/111715
Reviewed-by: Austin Clements <austin@google.com>
Run-TryBot: Austin Clements <austin@google.com>

src/crypto/x509/root_windows.go

index 92cc71692d8195bbc634806310e2f3add67671f8..3621a93abac2e3d63da585202341c1c54ac1695a 100644 (file)
@@ -95,6 +95,12 @@ func checkChainTrustStatus(c *Certificate, chainCtx *syscall.CertChainContext) e
        return nil
 }
 
+type _CertChainPolicyPara struct {
+       Size            uint32
+       Flags           uint32
+       ExtraPolicyPara unsafe.Pointer
+}
+
 // checkChainSSLServerPolicy checks that the certificate chain in chainCtx is valid for
 // use as a certificate chain for a SSL/TLS server.
 func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContext, opts *VerifyOptions) error {
@@ -108,13 +114,13 @@ func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContex
        }
        sslPara.Size = uint32(unsafe.Sizeof(*sslPara))
 
-       para := &syscall.CertChainPolicyPara{
-               ExtraPolicyPara: uintptr(unsafe.Pointer(sslPara)),
+       para := &_CertChainPolicyPara{
+               ExtraPolicyPara: unsafe.Pointer(sslPara),
        }
        para.Size = uint32(unsafe.Sizeof(*para))
 
        status := syscall.CertChainPolicyStatus{}
-       err = syscall.CertVerifyCertificateChainPolicy(syscall.CERT_CHAIN_POLICY_SSL, chainCtx, para, &status)
+       err = syscall.CertVerifyCertificateChainPolicy(syscall.CERT_CHAIN_POLICY_SSL, chainCtx, (*syscall.CertChainPolicyPara)(unsafe.Pointer(para)), &status)
        if err != nil {
                return err
        }
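Review bot: The new `_CertChainPolicyPara` type in the first hunk carries no comment saying why it duplicates `syscall.CertChainPolicyPara`, and the cast `(*syscall.CertChainPolicyPara)(unsafe.Pointer(para))` on the `CertVerifyCertificateChainPolicy` call in the second hunk silently depends on the two structs having the same size and field order. Without that rationale recorded at the declaration, a later cleanup could reasonably "simplify" back to the syscall type and reintroduce the uintptr-held reference that this change removes. Suggest a doc comment above the type along the lines of `// _CertChainPolicyPara mirrors syscall.CertChainPolicyPara but holds ExtraPolicyPara as an unsafe.Pointer so the GC keeps sslPara alive and visible for the duration of the call; the layout must stay identical to the syscall type because it is cast to it in checkChainSSLServerPolicy.` and a short `// layout-compatible with syscall.CertChainPolicyPara, see type comment` on the cast line. The body of checkChainSSLServerPolicy continues past the end of the second hunk.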