| author | Roland Shoemaker <roland@golang.org> | 2026-03-23 12:09:47 -0700 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2026-03-26 13:01:08 -0700 |
| commit | 8028a514303f7cbc818094c05df33d1bbb3adb5a (patch) | |
| tree | ac8c5f92081e7f2d2a21eedaab2508091bbde504 | |
| parent | 4ef278779fcf8548218564020a1050417c923161 (diff) | |
[release-branch.go1.26] crypto/x509: hoist policy pruning out of loop
We only need to do this once, not once per mapping.
Thanks to Jakub Ciolek for reporting this issue.
Updates #78281
Fixes #78360
Fixes CVE-2026-32281
Change-Id: Ic26f5f14d2a5e42ca8c24b8ae47bc3c5cc601863
Reviewed-on: https://go-review.googlesource.com/c/go/+/758061
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Jakub Ciolek <jakub@ciolek.dev>
(cherry picked from commit 312541b783ceae00471573da83367cae26ca255b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/759220
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
| -rw-r--r-- | src/crypto/x509/verify.go | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index 3d9c115dba..5f4fc0b6f3 100644
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -1284,12 +1284,12 @@ func policiesValid(chain []*Certificate, opts VerifyOptions) bool {
 } else {
 // 6.1.4 (b) (3) (i) -- as updated by RFC 9618
 pg.deleteLeaf(mapping.IssuerDomainPolicy)
-
- // 6.1.4 (b) (3) (ii) -- as updated by RFC 9618
- pg.prune()
 }
 }
 
+ // 6.1.4 (b) (3) (ii) -- as updated by RFC 9618
+ pg.prune()
+
 for issuerStr, subjectPolicies := range mappings {
 // 6.1.4 (b) (1) -- as updated by RFC 9618
 if matching := pg.leafWithPolicy(OID{der: []byte(issuerStr)}); matching != nil {
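Review bot: The hoisted `pg.prune()` is now the only pruning step for the whole mapping loop, but its comment still just cites the RFC step, so nothing tells the next maintainer why it must stay outside the loop; this function runs on attacker-supplied certificate extensions, and the per-mapping prune it replaces is what made the work grow quadratically with the number of policy mappings (CVE-2026-32281 per the commit message). I would extend the comment to `// Prune once after all mappings have been applied; pruning inside the loop above was quadratic in the number of mappings and is not needed for correctness, since deleteLeaf only removes nodes at the current depth (CVE-2026-32281).` Whether the if-branch of that loop reads state that an earlier per-mapping prune would have removed cannot be confirmed from this hunk, since both the loop head and the if-branch are outside it; if the equivalence rests on that, it is worth stating in the comment. The diffstat shows no test change; a regression test in verify_test.go that builds a chain with a large number of policy mappings and asserts verification completes in bounded time would pin this fix against a future refactor moving the prune back. The enclosing function policiesValid begins and ends outside the hunk.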
