[release-branch.go1.26] crypto/x509: fix name constraint checking panic - go - Fork of Go programming language with my patches.

diff options

author	Roland Shoemaker <bracewell@google.com>	2026-02-11 14:49:13 -0800
committer	Gopher Robot <gobot@golang.org>	2026-03-05 16:12:58 -0800
commit	e792d6aa952dbfdd3e8eac6f7abc3efd9df09030 (patch)
tree	127726da77f2a6b59fd121ca8691eeaf767c4c4d /src/runtime/malloc_generated.go
parent	a761c9ff70fec8e1089897eebd104a8f31cff2d3 (diff)
download	go-e792d6aa952dbfdd3e8eac6f7abc3efd9df09030.tar.xz

[release-branch.go1.26] crypto/x509: fix name constraint checking panic

Apparently we allow empty dNSName SANs (e.g. a domain name of ""), which causes the excluded domain name wildcard checking to panic, because we assume names are always non-empty. RFC 5280 appears to say the empty string should not be accepted, although confusingly refers to this as " " (a single space). We should probably not allow that when creating certificates, and possibly when creating them as well (1.27 I guess). Thanks to Jakub Ciolek for reporting this issue. Updates #77953 Fixes #77974 Fixes CVE-2026-27138 Change-Id: I4fb213a5450470969a7436cba09b71fd1755a6af Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3420 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3621 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/752083 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>

Diffstat (limited to 'src/runtime/malloc_generated.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: