Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: update to go1.20.8 #21

Merged
merged 6 commits into from
Oct 4, 2023
Merged

chore: update to go1.20.8 #21

merged 6 commits into from
Oct 4, 2023

Conversation

bassosimone
Copy link
Contributor

@bassosimone bassosimone commented Oct 4, 2023

This PR updates oocrypto to use go1.20.8.

Here's the check list:

  • check whether hardware capability detection has been improved upstream by reading os_linux.go and update the link to os_linux.go based on the upstream version that we're tracking with this fork: no
  • update UPSTREAM, commit the change, and then run the ./tools/merge.bash script to merge from upstream;
  • fix all the likely merge conflicts
  • delete all the new packages we can safely delete. We can safely delete a package if the package is not tls and:
  1. either the package does not depend on internal/cpu

  2. or the documentation of the package does not explicitly state that the package is only secure depending on the CPU configuration, which currently only holds for aes (see aes/const.go)

  • ensure that every forked package is never imported by using the following checks (we could also use go list as follows GOOS=os GOARCH=arch go list --json ./...):
  1. git grep 'subtle"'
  2. git grep 'tls"'
  3. git grep 'aes"'
  • double check whether we need to add more checks to the list above (you can get a list of packages using tree -d)
  • ensure that stdlibwrapper.go correctly fills tls.ConnectionState in the ConnStdlib.ConnectionState method
  • go build -v ./... must succeed
  • go test -race ./... must succeed
  • run go get -u -v ./... && go mod tidy
  • open a pull request using this check-list as its content and merge it preserving history

rolandshoemaker and others added 6 commits August 1, 2023 19:03
… to <= 8192 bits

Extremely large RSA keys in certificate chains can cause a client/server
to expend significant CPU time verifying signatures. Limit this by
restricting the size of RSA keys transmitted during handshakes to <=
8192 bits.

Based on a survey of publicly trusted RSA keys, there are currently only
three certificates in circulation with keys larger than this, and all
three appear to be test certificates that are not actively deployed. It
is possible there are larger keys in use in private PKIs, but we target
the web PKI, so causing breakage here in the interests of increasing the
default safety of users of crypto/tls seems reasonable.

Thanks to Mateusz Poliwczak for reporting this issue.

Updates #61460
Fixes #61580
Fixes CVE-2023-29409

Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1912161
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
(cherry picked from commit d865c715d92887361e4bd5596e19e513f27781b7)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1965747
TryBot-Result: Security TryBots <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/514900
Run-TryBot: David Chase <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
…y size

Add a new GODEBUG setting, tlsmaxrsasize, which allows controlling the
maximum RSA key size we will accept during TLS handshakes.

Fixes #61966

Change-Id: I52f060be132014d219f4cd438f59990011a35c96
Reviewed-on: https://go-review.googlesource.com/c/go/+/517495
Auto-Submit: Roland Shoemaker <[email protected]>
Reviewed-by: Russ Cox <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/518555
Auto-Submit: Dmitri Shuralyov <[email protected]>
The newly added code was using internal/godebug, which we cannot use
because we're not in the standard library.

So, let us remove the internal/godebug dependent code.
@bassosimone bassosimone merged commit 2dfb6ff into main Oct 4, 2023
1 check passed
@bassosimone bassosimone deleted the merged-main branch October 4, 2023 12:58
@bassosimone bassosimone mentioned this pull request Oct 4, 2023
26 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants