Upstream merge 2024 04 16 #1535

Merged: 11 commits, Apr 20, 2024

torben-hansen
Contributor

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

davidben and others added 10 commits April 18, 2024 18:55
Our repository is sometimes copied into other repositories, at which
point all the absolute links don't work. README.md used "./whatever",
which seems to work most consistently, so copy that.

Change-Id: I63bbf01b8f3870112d1df571adaa6cc82f58e5eb
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64347
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Hubert Chao <hchao@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
(cherry picked from commit 90004f080d82cb22d643895add1e5740e9a57945)
Change-Id: I3591d3c0e1d189760352857fe147179a759c98fb
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64327
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: Bob Beck <bbe@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
(cherry picked from commit 72a2bf4ebde4637223c9351c45cfc074edb2a464)
Change-Id: I0345ab008002ec13e21b315117a73f2b906b6d97
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64247
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
(cherry picked from commit 46a7b4dea1895a50f022868f62f671b2fa2c47b1)
Gain some type-checking.

Change-Id: I21524e0507f2c6b12d9f431a8cc6e82e28c94e24
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64248
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
(cherry picked from commit 2ff409e4bdca763654d68da147cef4fe572ee4f8)
This avoids putting the method tables in writable memory.

Update-Note: Making X509_LOOKUP_file and X509_LOOKUP_hash_dir return
const pointers is not quite source-compatible, but code search suggests
nothing cares. If we have to, we can cast const away in those functions,
but let's try the more type-safe option first.

Change-Id: I562890f9db989c9991bc69b1c2e8174cd04d03a4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64249
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
(cherry picked from commit 5a82702daf7b9f9aac9a7121dc05a4ada4da0625)
It doesn't make sense to binary search over a list of 10 entries.
Additionally, the compiler is perfectly capable of optimizing a bunch of
equality checks (e.g. by turning it into a bitmask), so just let the
compiler do what it wants.

Change-Id: Ie7cee62d1ddec1ac1e24f483817b9a67aaff369c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64250
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
(cherry picked from commit 7ff31d3ecf1343eff108e54f5b4448461412f876)
Bug: 426
Change-Id: I423d1471c586764e20c720684e3d225abbf5d662
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64251
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
(cherry picked from commit e6ce79a89f031af791fe0910dc11d811cbfd3bc7)
This allowed the caller to query which DNS SAN actually matched. It's
not an unreasonable API, though putting it on X509_VERIFY_PARAM is a
little odd, as is not having it for other name types. It just wasn't
const-correct. I went to fix that and found no one was using it.

We can put it back if we need it. Most of the underlying machinery needs
to stay anyway because X509_check_host has an output parameter and Node
exposes it. (Unclear if Node actually has a use case. I suspect they
just returned it because it was available.)

Change-Id: Id7f15016e29189bc4f3cebb33c680279c8cb3178
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64252
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
(cherry picked from commit f78fe19fc98e0e6f760e05c6b9d48725004700d0)
This is used to implement X509_STORE_CTX_set_default and some very messy
"default" parameter, which has its own awkward quirks (see
https://boringssl-review.googlesource.com/c/boringssl/+/64253/).

We can't avoid X509_STORE_CTX_set_default, but if we resolve the mess
around "default", then all the defined parameters will just be purpose
and trust tuples. If we get to that point, we probably don't need to
define actual X509_VERIFY_PARAM objects and can just store the purpose
and trust values. But we can only do that if this function is gone.

Update-Note: Removed unused function.
Change-Id: I118f4a1ebff99f919d0f6ee63175633fe945822b
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64487
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
(cherry picked from commit 20f7eb1430ca03712441b78330ad320cb0134055)
Unexport X509V3_EXT_val_prn because no one calls it. One less thing to
document.

Also add a warning in honor of our favorite bindings libraries about
these string-based APIs.

Bug: 426
Change-Id: If77f1139a945f234b3b85978aae95e564428aeb8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64139
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
(cherry picked from commit 2d7adaea91627b77b3d560d12703191fa5c434c0)
@torben-hansen torben-hansen merged commit c295aef into aws:main Apr 20, 2024
46 checks passed
skmcgrail added a commit that referenced this pull request May 2, 2024
d52018b Minor functions to build with Ruby's cipher module (#1564)
364d28b Changed SSL_client_hello_get0_ciphers to align with OpenSSL
behavior (#1542)
e8eb7de ppc64le: EVP_has_aes_hardware is false w/ no-asm (#1566)
d726d06 OpenBSD 7.4 and 7.5 Support (#1437)
a66c66e Remove comments about overread for entropy generation (#1551)
f8a575f Migrate from __FreeBSD__ to __FreeBSD_version (#1562)
c31d1ce Centralize handling of s2n-bignum alt/non-alt function
selection (#1547)
00f3c45 CI for other MacOS versions (#1558)
0541314 Cleanup remaing duplicate symbol definitions and turn
Wredundant-decls on (#1561)
4d280eb Fix ec2 CI testing framework (#1541)
9a4b43e Update x25519_test.cc array initialization to avoid a bug with
a GCC 13 warning (#1555)
388cbe7 Remove duplicate X509_OBJECT_new and X509_OBJECT_free
declarations (#1560)
2ea6706 Avoid 'z' format with MSVCRT (#1559)
c25dc2a Add dependency to python3-six in github action grpc (#1554)
2bdcba3 Link porting guide table to header documentation (#1540)
311ca38 Basic GH CI build/test with full range of gcc/clang (#1546)
1f19717 Add SHA3-256 KAT to FIPS self-test (#1549)
0f3548a Add EC point add/dbl to speed.cc (#1545)
d7ddfc4 Fix the NTP integration test (NTP website changed) (#1548)
8ccd85b Fix skipped tests in Mariadb integration CI (#1533)
d940162 Support vpinsrq in delocater (#1543)
4cd6d21 Remove redundant test exec libraries (#1544)
56f3569 [ML-KEM] Add experimental support for ML-KEM-512-IPD (#1516)
c295aef Upstream merge 2024 04 16 (#1535)
2e51629 Re-add function
0aebf17 Define OPENSSL_NO_TLS_PHA, typedef PSK callback signatures
(#1526)
46056cf Pull the string-based extensions APIs into their own section
960ea42 Unexport X509_VERIFY_PARAM_lookup
3c597b1 Remove X509_VERIFY_PARAM_get0_peername
9c399e5 Document some key usage accessors
2fe70b5 Simplify and document X509_supported_extension
2e04897 Const-correct X509_LOOKUP_METHOD
9826568 Replace X509_LOOKUP_ctrl with real functions
e47c056 Tidy up x509_lu.c functions a little
62e019f Clean up the by_file_ctrl x509 code to be slightly less obtuse
45c46c2 Use relative links in markdown files

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.