VERSION | 2 +- src/crypto/x509/root_windows.go | 20 ++++++++++++++++++-- src/go.mod | 2 +- src/go.sum | 4 ++-- src/vendor/golang.org/x/crypto/cryptobyte/asn1.go | 5 +++-- src/vendor/golang.org/x/crypto/cryptobyte/string.go | 7 +------ src/vendor/modules.txt | 2 +- diff --git a/VERSION b/VERSION index a92889e5b6fa1e248191ee1188f9ecec1c72d639..ab1e52b611d6611437555e9a8852fcf720a94d27 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -go1.13.6 \ No newline at end of file +go1.13.7 \ No newline at end of file diff --git a/src/crypto/x509/root_windows.go b/src/crypto/x509/root_windows.go index 1e3ebe894227d3af730aa12d5547b6bd1cdc3d47..ebf159c178e76b558cae2e1ffccca19122729e50 100644 --- a/src/crypto/x509/root_windows.go +++ b/src/crypto/x509/root_windows.go @@ -219,10 +219,26 @@ chain, err := extractSimpleChain(chainCtx.Chains, int(chainCtx.ChainCount)) if err != nil { return nil, err } + if len(chain) < 1 { + return nil, errors.New("x509: internal error: system verifier returned an empty chain") + } - chains = append(chains, chain) + // Mitigate CVE-2020-0601, where the Windows system verifier might be + // tricked into using custom curve parameters for a trusted root, by + // double-checking all ECDSA signatures. If the system was tricked into + // using spoofed parameters, the signature will be invalid for the correct + // ones we parsed. (We don't support custom curves ourselves.) + for i, parent := range chain[1:] { + if parent.PublicKeyAlgorithm != ECDSA { + continue + } + if err := parent.CheckSignature(chain[i].SignatureAlgorithm, + chain[i].RawTBSCertificate, chain[i].Signature); err != nil { + return nil, err + } + } - return chains, nil + return [][]*Certificate{chain}, nil } func loadSystemRoots() (*CertPool, error) { diff --git a/src/go.mod b/src/go.mod index 90af2a7ea0f80f15596d85d224b9858191d075ac..9c9026f0d800d7888ed0038011439e4e1580e3f7 100644 --- a/src/go.mod +++ b/src/go.mod @@ -3,7 +3,7 @@ go 1.12 require ( - golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 + golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 golang.org/x/sys v0.0.0-20190529130038-5219a1e1c5f8 // indirect golang.org/x/text v0.3.2 // indirect diff --git a/src/go.sum b/src/go.sum index e358118e4cbd6845086f195ad1cf3e43cd6c32df..e408f66328d8879d7a8c8222643363bd7e52fced 100644 --- a/src/go.sum +++ b/src/go.sum @@ -1,6 +1,6 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 h1:1wopBVtVdWnn03fZelqdXTqk7U7zPQCb+T4rbU9ZEoU= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 h1:WPLCzSEbawp58wezcvLvLnvhiDJAai54ESbc41NdXS0= +golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH9uqVPRCUVUDhs0wnbA= golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= diff --git a/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go b/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go index 528b9bff671e53a9c8b695064f7cebcffcd8469f..f930f7e5266c6cb31f241d7fc94bad603e562c22 100644 --- a/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go +++ b/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go @@ -470,7 +470,8 @@ // ReadASN1BitString decodes an ASN.1 BIT STRING into out and advances. // It reports whether the read was successful. func (s *String) ReadASN1BitString(out *encoding_asn1.BitString) bool { var bytes String - if !s.ReadASN1(&bytes, asn1.BIT_STRING) || len(bytes) == 0 { + if !s.ReadASN1(&bytes, asn1.BIT_STRING) || len(bytes) == 0 || + len(bytes)*8/8 != len(bytes) { return false } @@ -740,7 +741,7 @@ } length = headerLen + len32 } - if uint32(int(length)) != length || !s.ReadBytes((*[]byte)(out), int(length)) { + if int(length) < 0 || !s.ReadBytes((*[]byte)(out), int(length)) { return false } if skipHeader && !out.Skip(int(headerLen)) { diff --git a/src/vendor/golang.org/x/crypto/cryptobyte/string.go b/src/vendor/golang.org/x/crypto/cryptobyte/string.go index 39bf98aeead8160094c007d8edb4066b5720283c..589d297e6be8f6d5f2a179a02f2216536263efb5 100644 --- a/src/vendor/golang.org/x/crypto/cryptobyte/string.go +++ b/src/vendor/golang.org/x/crypto/cryptobyte/string.go @@ -24,7 +24,7 @@ // read advances a String by n bytes and returns them. If less than n bytes // remain, it returns nil. func (s *String) read(n int) []byte { - if len(*s) < n { + if len(*s) < n || n < 0 { return nil } v := (*s)[:n] @@ -104,11 +104,6 @@ var length uint32 for _, b := range lenBytes { length = length << 8 length = length | uint32(b) - } - if int(length) < 0 { - // This currently cannot overflow because we read uint24 at most, but check - // anyway in case that changes in the future. - return false } v := s.read(int(length)) if v == nil { diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt index 453a3126613e7007ccf260072fcaf364ce416244..cff8acd02e2159f65580482854f2474d798fb090 100644 --- a/src/vendor/modules.txt +++ b/src/vendor/modules.txt @@ -1,4 +1,4 @@ -# golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 +# golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 golang.org/x/crypto/chacha20poly1305 golang.org/x/crypto/cryptobyte golang.org/x/crypto/cryptobyte/asn1