Revert "Revert "external/boringssl: sync with upstream.""

This reverts commit 03bcf618b7ed811b305845461fbb5497dfe55ac3.

No changes here. trusty build was fixed with the required rules.mk changes.

6 files changed, 36 insertions, 26 deletions

diff --git a/src/crypto/x509v3/CMakeLists.txt b/src/crypto/x509v3/CMakeLists.txt
index 5cc1b490..cf2474a4 100644
--- a/src/crypto/x509v3/CMakeLists.txt
+++ b/src/crypto/x509v3/CMakeLists.txt
@@ -52,6 +52,7 @@ add_executable(
 )
 
 target_link_libraries(v3name_test crypto)
+add_dependencies(all_tests v3name_test)
 
 add_executable(
   tab_test
@@ -62,3 +63,4 @@ add_executable(
 )
 
 target_link_libraries(tab_test crypto)
+add_dependencies(all_tests tab_test)
diff --git a/src/crypto/x509v3/pcy_tree.c b/src/crypto/x509v3/pcy_tree.c
index 682474d8..8e9ef25d 100644
--- a/src/crypto/x509v3/pcy_tree.c
+++ b/src/crypto/x509v3/pcy_tree.c
@@ -426,7 +426,7 @@ static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
 		{
 		/* If mapping: matched if one child per expected policy set */
 		STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
-		if (node->nchild == sk_ASN1_OBJECT_num(expset))
+		if ((size_t) node->nchild == sk_ASN1_OBJECT_num(expset))
 			return 1;
 		/* Locate unmatched nodes */
 		for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++)
diff --git a/src/crypto/x509v3/tab_test.c b/src/crypto/x509v3/tab_test.c
index 6b97e918..c0e0cb61 100644
--- a/src/crypto/x509v3/tab_test.c
+++ b/src/crypto/x509v3/tab_test.c
@@ -73,7 +73,8 @@
 int main(void)
 {
 #if !defined(BORINGSSL_SHARED_LIBRARY)
-	int i, prev = -1, bad = 0;
+	unsigned i;
+	int prev = -1, bad = 0;
 	const X509V3_EXT_METHOD *const *tmp;
         CRYPTO_library_init();
 	i = sizeof(standard_exts) / sizeof(X509V3_EXT_METHOD *);
@@ -89,7 +90,7 @@ int main(void)
 		tmp = standard_exts;
 		fprintf(stderr, "Extensions out of order!\n");
 		for(i = 0; i < STANDARD_EXTENSION_COUNT; i++, tmp++)
-		printf("%d : %s\n", (*tmp)->ext_nid, OBJ_nid2sn((*tmp)->ext_nid));
+			printf("%d : %s\n", (*tmp)->ext_nid, OBJ_nid2sn((*tmp)->ext_nid));
 		return 1;
 	} else {
 		printf("PASS\n");
diff --git a/src/crypto/x509v3/v3_alt.c b/src/crypto/x509v3/v3_alt.c
index e639f458..cfc13486 100644
--- a/src/crypto/x509v3/v3_alt.c
+++ b/src/crypto/x509v3/v3_alt.c
@@ -596,25 +596,27 @@ static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
 
 static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
 	{
-	int ret;
-	STACK_OF(CONF_VALUE) *sk;
-	X509_NAME *nm;
-	if (!(nm = X509_NAME_new()))
-		return 0;
+	int ret = 0;
+	STACK_OF(CONF_VALUE) *sk = NULL;
+	X509_NAME *nm = X509_NAME_new();
+	if (nm == NULL)
+		goto err;
 	sk = X509V3_get_section(ctx, value);
-	if (!sk)
+	if (sk == NULL)
 		{
 		OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);
 		ERR_add_error_data(2, "section=", value);
-		X509_NAME_free(nm);
-		return 0;
+		goto err;
 		}
 	/* FIXME: should allow other character types... */
-	ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
+	if (!X509V3_NAME_from_section(nm, sk, MBSTRING_ASC))
+		goto err;
+	gen->d.dirn = nm;
+	ret = 1;
+
+err:
 	if (!ret)
 		X509_NAME_free(nm);
-	gen->d.dirn = nm;
 	X509V3_section_free(ctx, sk);
-		
 	return ret;
 	}
diff --git a/src/crypto/x509v3/v3_purp.c b/src/crypto/x509v3/v3_purp.c
index f53c0f11..9a0a7bc4 100644
--- a/src/crypto/x509v3/v3_purp.c
+++ b/src/crypto/x509v3/v3_purp.c
@@ -70,6 +70,14 @@
 #include "../internal.h"
 
 
+#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+#define ku_reject(x, usage) \
+	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+#define xku_reject(x, usage) \
+	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+#define ns_reject(x, usage) \
+	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
+
 static void x509v3_cache_extensions(X509 *x);
 
 static int check_ssl_ca(const X509 *x);
@@ -494,7 +502,8 @@ static void x509v3_cache_extensions(X509 *x)
 			{
 			x->ex_flags |= EXFLAG_SI;
 			/* If SKID matches AKID also indicate self signed */
-			if (X509_check_akid(x, x->akid) == X509_V_OK)
+			if (X509_check_akid(x, x->akid) == X509_V_OK &&
+				!ku_reject(x, KU_KEY_CERT_SIGN))
 				x->ex_flags |= EXFLAG_SS;
 			}
 	x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
@@ -531,14 +540,6 @@ static void x509v3_cache_extensions(X509 *x)
  * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
  */
 
-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
-#define ku_reject(x, usage) \
-	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#define xku_reject(x, usage) \
-	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
-#define ns_reject(x, usage) \
-	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-
 static int check_ca(const X509 *x)
 {
 	/* keyUsage if present should allow cert signing */
diff --git a/src/crypto/x509v3/v3_utl.c b/src/crypto/x509v3/v3_utl.c
index aa65c798..6bcb6dab 100644
--- a/src/crypto/x509v3/v3_utl.c
+++ b/src/crypto/x509v3/v3_utl.c
@@ -899,7 +899,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
 	X509_NAME *name = NULL;
 	size_t i;
 	int j;
-	int cnid;
+	int cnid = NID_undef;
 	int alt_type;
 	int san_present = 0;
 	int rv = 0;
@@ -927,7 +927,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
 		}
 	else
 		{
-		cnid = 0;
 		alt_type = V_ASN1_OCTET_STRING;
 		equal = equal_case;
 		}
@@ -957,11 +956,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
 		GENERAL_NAMES_free(gens);
 		if (rv != 0)
 			return rv;
-		if (!cnid
+		if (cnid == NID_undef
 		    || (san_present
 		        && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
 			return 0;
 		}
+
+	/* We're done if CN-ID is not pertinent */
+	if (cnid == NID_undef)
+		return 0;
+
 	j = -1;
 	name = X509_get_subject_name(x);
 	while((j = X509_NAME_get_index_by_NID(name, cnid, j)) >= 0)