Cypherpunks repositories - gostls13.git/commit
crypto/x509: decouple key usage and policy validation
author Roland Shoemaker <roland@golang.org>
Tue, 6 May 2025 16:27:10 +0000 (09:27 -0700)
committer Roland Shoemaker <roland@golang.org>
Tue, 13 May 2025 19:09:49 +0000 (12:09 -0700)
commit 9bba799955e68972041c4f340ee4ea2d267e5c0e
tree 383010f5b1a370f5922d96351875b64f980cd65a
parent 76f63ee890170f4884f4d213e8150d39d6758ad3
crypto/x509: decouple key usage and policy validation

Disabling key usage validation (by passing ExtKeyUsageAny)
unintentionally disabled policy validation. This change decouples these
two checks, preventing the user from unintentionally disabling policy
validation.

Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this
issue.

Fixes #73612
Fixes CVE-2025-22874

Change-Id: Iec8f080a8879a3dd44cb3da30352fa3e7f539d40
Reviewed-on: https://go-review.googlesource.com/c/go/+/670375
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
src/crypto/x509/verify.go
src/crypto/x509/verify_test.go