acme/autocert: always pass AuthzURLs from AuthorizeOrder to deactivatePendingAuthz

Previously, the o.AuthzURLs slice was sometimes used from the call to
client.WaitOrder at the bottom of the for loop.

By that point, o may be nil if client.WaitOrder returned an error,
which would cause a nil pointer dereference panic inside the deferred
function call. If client.WaitOrder did not return an error, then the
call to deactivatePendingAuthz would use its AuthzURLs slice instead
of the one from client.AuthorizeOrder.

Fixes golang/go#35225
Updates golang/go#21081

Change-Id: I7db055ee1149871b6e5d34a8618526899c68f827
Reviewed-by: Alex Vaghin <>
1 file changed
tree: c54ea57e9eaa45e89efeb9f56b89631773e9a83a
  1. .gitattributes
  2. .gitignore
  9. acme/
  10. argon2/
  11. bcrypt/
  12. blake2b/
  13. blake2s/
  14. blowfish/
  15. bn256/
  16. cast5/
  17. chacha20poly1305/
  18. codereview.cfg
  19. cryptobyte/
  20. curve25519/
  21. ed25519/
  22. go.mod
  23. go.sum
  24. hkdf/
  25. internal/
  26. md4/
  27. nacl/
  28. ocsp/
  29. openpgp/
  30. otr/
  31. pbkdf2/
  32. pkcs12/
  33. poly1305/
  34. ripemd160/
  35. salsa20/
  36. scrypt/
  37. sha3/
  38. ssh/
  39. tea/
  40. twofish/
  41. xtea/
  42. xts/

Go Cryptography

This repository holds supplementary Go cryptography libraries.


The easiest way to install is to run go get -u You can also manually git clone the repository to $GOPATH/src/

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see

The main issue tracker for the crypto repository is located at Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.

Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.