…inel error value

ReOpenFile is documented to return INVALID_HANDLE_VALUE on error,
but the previous definition was checking for 0 instead.

ReOpenFile was added to the go1.25 release branch in CL 715360. This new CL amends it.

Fixes #76360
Updates #75989

Change-Id: Idec5e75e40b9f6c409e068d63a9b606781e80a46
Reviewed-on: https://go-review.googlesource.com/c/go/+/717320
Auto-Submit: Quim Muntal <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Alex Brainman <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
(cherry picked from commit CL 717320)
Reviewed-on: https://go-review.googlesource.com/c/go/+/718000
Reviewed-by: Dmitri Shuralyov <[email protected]>

This CL fixes a bug introduced by CL 666655: isTokenChar would no longer
(but should) report true for '{' and '}'.

Fixes #76245

Change-Id: Ifc0953c30d7cae7bfba9bc4b6bb6951a83c52576
GitHub-Last-Rev: c91a75c
GitHub-Pull-Request: #76243
Reviewed-on: https://go-review.googlesource.com/c/go/+/719380
Reviewed-by: Sean Liao <[email protected]>
Reviewed-by: Jorropo <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
(cherry picked from commit c761b26)
Reviewed-on: https://go-review.googlesource.com/c/go/+/721000
Reviewed-by: Junyang Shao <[email protected]>

…reclude wildcard SANs

When evaluating name constraints in a certificate chain, the presence of
an excluded subdomain constraint (e.g., excluding "test.example.com")
should preclude the use of a wildcard SAN (e.g., "*.example.com").

Fixes #76442
Fixes #76464
Fixes CVE-2025-61727

Change-Id: I42a0da010cb36d2ec9d1239ae3f61cf25eb78bba
Reviewed-on: https://go-review.googlesource.com/c/go/+/724400
Reviewed-by: Nicholas Husin <[email protected]>
Reviewed-by: Nicholas Husin <[email protected]>
Reviewed-by: Daniel McCarney <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Neal Patel <[email protected]>

…om consuming excessive resource

Constructing HostnameError.Error() takes O(N^2) runtime due to using a
string concatenation in a loop. Additionally, there is no limit on how
many names are included in the error message. As a result, a malicious
attacker could craft a certificate with an infinite amount of names to
unfairly consume resource.

To remediate this, we will now use strings.Builder to construct the
error message, preventing O(N^2) runtime. When a certificate has 100 or
more names, we will also not print each name individually.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Updates #76445
Fixes #76461
Fixes CVE-2025-61729

Change-Id: I6343776ec3289577abc76dad71766c491c1a7c81
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3000
Reviewed-by: Neal Patel <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3200
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/725800
TryBot-Bypass: Dmitri Shuralyov <[email protected]>
Reviewed-by: Mark Freeman <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>

Change-Id: If484d63fd8cc5ea0872780019535368afcf4ec5b
Reviewed-on: https://go-review.googlesource.com/c/go/+/725842
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Mark Freeman <[email protected]>
TryBot-Bypass: Gopher Robot <[email protected]>