diff options
author | Michael Eastwood <mweastwood@google.com> | 2021-09-30 20:13:43 +0000 |
---|---|---|
committer | Michael Eastwood <mweastwood@google.com> | 2021-09-30 20:13:43 +0000 |
commit | 220a654b699665d1048bc909780e4dc976e02197 (patch) | |
tree | 156af58101b7e540cd5c6761e8a821ae5da4ea07 /src/include | |
parent | 8bb65ff676b006f67cccd75a8f4cd6f8a296409e (diff) | |
download | boringssl-220a654b699665d1048bc909780e4dc976e02197.tar.gz |
Revert "external/boringssl: Sync to 66e61c577d39e757bf491468f651..."
Revert submission 1835013-bssl_update_sep2021
Reason for revert: DroidMonitor: Potential culprit for Bug 201683809 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
I27d7b79e3:Fix wpa_supplicant build with newer BoringSSL
I4f2228ef8:external/boringssl: Sync to 66e61c577d39e757bf4914...
Change-Id: If2184c4aa55b7dc89e037362e4d5cbbea1107ae2
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/openssl/asn1.h | 496 | ||||
-rw-r--r-- | src/include/openssl/asn1t.h | 11 | ||||
-rw-r--r-- | src/include/openssl/base.h | 8 | ||||
-rw-r--r-- | src/include/openssl/bio.h | 4 | ||||
-rw-r--r-- | src/include/openssl/bn.h | 6 | ||||
-rw-r--r-- | src/include/openssl/bytestring.h | 9 | ||||
-rw-r--r-- | src/include/openssl/hkdf.h | 4 | ||||
-rw-r--r-- | src/include/openssl/pem.h | 20 | ||||
-rw-r--r-- | src/include/openssl/pkcs7.h | 17 | ||||
-rw-r--r-- | src/include/openssl/rsa.h | 5 | ||||
-rw-r--r-- | src/include/openssl/span.h | 52 | ||||
-rw-r--r-- | src/include/openssl/ssl.h | 38 | ||||
-rw-r--r-- | src/include/openssl/tls1.h | 63 | ||||
-rw-r--r-- | src/include/openssl/x509.h | 126 | ||||
-rw-r--r-- | src/include/openssl/x509_vfy.h | 126 | ||||
-rw-r--r-- | src/include/openssl/x509v3.h | 56 |
16 files changed, 502 insertions, 539 deletions
diff --git a/src/include/openssl/asn1.h b/src/include/openssl/asn1.h index 4f6fb3b4..db467fd8 100644 --- a/src/include/openssl/asn1.h +++ b/src/include/openssl/asn1.h @@ -111,6 +111,10 @@ extern "C" { // V_ASN1_UNDEF is used in some APIs to indicate an ASN.1 element is omitted. #define V_ASN1_UNDEF (-1) +// V_ASN1_APP_CHOOSE is used in some APIs to specify a default ASN.1 type based +// on the context. +#define V_ASN1_APP_CHOOSE (-2) + // V_ASN1_OTHER is used in |ASN1_TYPE| to indicate a non-universal ASN.1 type. #define V_ASN1_OTHER (-3) @@ -153,31 +157,6 @@ extern "C" { #define V_ASN1_NEG_INTEGER (V_ASN1_INTEGER | V_ASN1_NEG) #define V_ASN1_NEG_ENUMERATED (V_ASN1_ENUMERATED | V_ASN1_NEG) -// The following constants are bitmask representations of ASN.1 types. -#define B_ASN1_NUMERICSTRING 0x0001 -#define B_ASN1_PRINTABLESTRING 0x0002 -#define B_ASN1_T61STRING 0x0004 -#define B_ASN1_TELETEXSTRING 0x0004 -#define B_ASN1_VIDEOTEXSTRING 0x0008 -#define B_ASN1_IA5STRING 0x0010 -#define B_ASN1_GRAPHICSTRING 0x0020 -#define B_ASN1_ISO64STRING 0x0040 -#define B_ASN1_VISIBLESTRING 0x0040 -#define B_ASN1_GENERALSTRING 0x0080 -#define B_ASN1_UNIVERSALSTRING 0x0100 -#define B_ASN1_OCTET_STRING 0x0200 -#define B_ASN1_BIT_STRING 0x0400 -#define B_ASN1_BMPSTRING 0x0800 -#define B_ASN1_UNKNOWN 0x1000 -#define B_ASN1_UTF8STRING 0x2000 -#define B_ASN1_UTCTIME 0x4000 -#define B_ASN1_GENERALIZEDTIME 0x8000 -#define B_ASN1_SEQUENCE 0x10000 - -// ASN1_tag2str returns a string representation of |tag|, interpret as a tag -// number for a universal type, or |V_ASN1_NEG_*|. -OPENSSL_EXPORT const char *ASN1_tag2str(int tag); - // Strings. // @@ -253,6 +232,14 @@ struct asn1_string_st { // treated as padding. This behavior is deprecated and should not be used. #define ASN1_STRING_FLAG_BITS_LEFT 0x08 +// ASN1_STRING_FLAG_MSTRING indicates that the |ASN1_STRING| is an MSTRING type, +// which is how this library refers to a CHOICE type of several string types. +// For example, DirectoryString as defined in RFC5280. +// +// TODO(davidben): This is only used in one place within the library and is easy +// to accidentally drop. Can it be removed? +#define ASN1_STRING_FLAG_MSTRING 0x040 + // ASN1_STRING_type_new returns a newly-allocated empty |ASN1_STRING| object of // type |type|, or NULL on error. OPENSSL_EXPORT ASN1_STRING *ASN1_STRING_type_new(int type); @@ -324,52 +311,6 @@ OPENSSL_EXPORT void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len); OPENSSL_EXPORT int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in); -// The following formats define encodings for use with functions like -// |ASN1_mbstring_copy|. -#define MBSTRING_FLAG 0x1000 -#define MBSTRING_UTF8 (MBSTRING_FLAG) -// |MBSTRING_ASC| refers to Latin-1, not ASCII. -#define MBSTRING_ASC (MBSTRING_FLAG | 1) -#define MBSTRING_BMP (MBSTRING_FLAG | 2) -#define MBSTRING_UNIV (MBSTRING_FLAG | 4) - -// DIRSTRING_TYPE contains the valid string types in an X.509 DirectoryString. -#define DIRSTRING_TYPE \ - (B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_BMPSTRING | \ - B_ASN1_UTF8STRING) - -// PKCS9STRING_TYPE contains the valid string types in a PKCS9String. -#define PKCS9STRING_TYPE (DIRSTRING_TYPE | B_ASN1_IA5STRING) - -// ASN1_mbstring_copy converts |len| bytes from |in| to an ASN.1 string. If -// |len| is -1, |in| must be NUL-terminated and the length is determined by -// |strlen|. |in| is decoded according to |inform|, which must be one of -// |MBSTRING_*|. |mask| determines the set of valid output types and is a -// bitmask containing a subset of |B_ASN1_PRINTABLESTRING|, |B_ASN1_IA5STRING|, -// |B_ASN1_T61STRING|, |B_ASN1_BMPSTRING|, |B_ASN1_UNIVERSALSTRING|, and -// |B_ASN1_UTF8STRING|, in that preference order. This function chooses the -// first output type in |mask| which can represent |in|. It interprets T61String -// as Latin-1, rather than T.61. -// -// If |mask| is zero, |DIRSTRING_TYPE| is used by default. -// -// On success, this function returns the |V_ASN1_*| constant corresponding to -// the selected output type and, if |out| and |*out| are both non-NULL, updates -// the object at |*out| with the result. If |out| is non-NULL and |*out| is -// NULL, it instead sets |*out| to a newly-allocated |ASN1_STRING| containing -// the result. If |out| is NULL, it returns the selected output type without -// constructing an |ASN1_STRING|. On error, this function returns -1. -OPENSSL_EXPORT int ASN1_mbstring_copy(ASN1_STRING **out, const uint8_t *in, - int len, int inform, unsigned long mask); - -// ASN1_mbstring_ncopy behaves like |ASN1_mbstring_copy| but returns an error if -// the input is less than |minsize| or greater than |maxsize| codepoints long. A -// |maxsize| value of zero is ignored. Note the sizes are measured in -// codepoints, not output bytes. -OPENSSL_EXPORT int ASN1_mbstring_ncopy(ASN1_STRING **out, const uint8_t *in, - int len, int inform, unsigned long mask, - long minsize, long maxsize); - // TODO(davidben): Expand and document function prototypes generated in macros. @@ -380,7 +321,7 @@ OPENSSL_EXPORT int ASN1_mbstring_ncopy(ASN1_STRING **out, const uint8_t *in, // in several forms: // // Some BIT STRINGs represent a bitmask of named bits, such as the X.509 key -// usage extension in RFC 5280, section 4.2.1.3. For such bit strings, DER +// usage extension in RFC5280, section 4.2.1.3. For such bit strings, DER // imposes an additional restriction that trailing zero bits are removed. Some // functions like |ASN1_BIT_STRING_set_bit| help in maintaining this. // @@ -511,135 +452,6 @@ OPENSSL_EXPORT BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, // TODO(davidben): Expand and document function prototypes generated in macros. -// Time. -// -// GeneralizedTime and UTCTime values are represented as |ASN1_STRING|s. The -// type field is |V_ASN1_GENERALIZEDTIME| or |V_ASN1_UTCTIME|, respectively. The -// data field contains the DER encoding of the value. For example, the UNIX -// epoch would be "19700101000000Z" for a GeneralizedTime and "700101000000Z" -// for a UTCTime. -// -// ASN.1 does not define how to interpret UTCTime's two-digit year. RFC 5280 -// defines it as a range from 1950 to 2049 for X.509. The library uses the -// RFC 5280 interpretation. It does not currently enforce the restrictions from -// BER, and the additional restrictions from RFC 5280, but future versions may. -// Callers should not rely on fractional seconds and non-UTC time zones. -// -// The |ASN1_TIME| typedef represents the X.509 Time type, which is a CHOICE of -// GeneralizedTime and UTCTime, using UTCTime when the value is in range. - -// ASN1_UTCTIME_check returns one if |a| is a valid UTCTime and zero otherwise. -OPENSSL_EXPORT int ASN1_UTCTIME_check(const ASN1_UTCTIME *a); - -// ASN1_UTCTIME_set represents |t| as a UTCTime and writes the result to |s|. It -// returns |s| on success and NULL on error. If |s| is NULL, it returns a -// newly-allocated |ASN1_UTCTIME| instead. -// -// Note this function may fail if the time is out of range for UTCTime. -OPENSSL_EXPORT ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t); - -// ASN1_UTCTIME_adj adds |offset_day| days and |offset_sec| seconds to |t| and -// writes the result to |s| as a UTCTime. It returns |s| on success and NULL on -// error. If |s| is NULL, it returns a newly-allocated |ASN1_UTCTIME| instead. -// -// Note this function may fail if the time overflows or is out of range for -// UTCTime. -OPENSSL_EXPORT ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, - int offset_day, long offset_sec); - -// ASN1_UTCTIME_set_string sets |s| to a UTCTime whose contents are a copy of -// |str|. It returns one on success and zero on error or if |str| is not a valid -// UTCTime. -// -// If |s| is NULL, this function validates |str| without copying it. -OPENSSL_EXPORT int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str); - -// ASN1_UTCTIME_cmp_time_t compares |s| to |t|. It returns -1 if |s| < |t|, 0 if -// they are equal, 1 if |s| > |t|, and -2 on error. -OPENSSL_EXPORT int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t); - -// ASN1_GENERALIZEDTIME_check returns one if |a| is a valid GeneralizedTime and -// zero otherwise. -OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a); - -// ASN1_GENERALIZEDTIME_set represents |t| as a GeneralizedTime and writes the -// result to |s|. It returns |s| on success and NULL on error. If |s| is NULL, -// it returns a newly-allocated |ASN1_GENERALIZEDTIME| instead. -// -// Note this function may fail if the time is out of range for GeneralizedTime. -OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set( - ASN1_GENERALIZEDTIME *s, time_t t); - -// ASN1_GENERALIZEDTIME_adj adds |offset_day| days and |offset_sec| seconds to -// |t| and writes the result to |s| as a GeneralizedTime. It returns |s| on -// success and NULL on error. If |s| is NULL, it returns a newly-allocated -// |ASN1_GENERALIZEDTIME| instead. -// -// Note this function may fail if the time overflows or is out of range for -// GeneralizedTime. -OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj( - ASN1_GENERALIZEDTIME *s, time_t t, int offset_day, long offset_sec); - -// ASN1_GENERALIZEDTIME_set_string sets |s| to a GeneralizedTime whose contents -// are a copy of |str|. It returns one on success and zero on error or if |str| -// is not a valid GeneralizedTime. -// -// If |s| is NULL, this function validates |str| without copying it. -OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, - const char *str); - -// ASN1_TIME_diff computes |to| - |from|. On success, it sets |*out_days| to the -// difference in days, rounded towards zero, sets |*out_seconds| to the -// remainder, and returns one. On error, it returns zero. -// -// If |from| is before |to|, both outputs will be <= 0, with at least one -// negative. If |from| is after |to|, both will be >= 0, with at least one -// positive. If they are equal, ignoring fractional seconds, both will be zero. -// -// Note this function may fail on overflow, or if |from| or |to| cannot be -// decoded. -OPENSSL_EXPORT int ASN1_TIME_diff(int *out_days, int *out_seconds, - const ASN1_TIME *from, const ASN1_TIME *to); - -// ASN1_TIME_set represents |t| as a GeneralizedTime or UTCTime and writes -// the result to |s|. As in RFC 5280, section 4.1.2.5, it uses UTCTime when the -// time fits and GeneralizedTime otherwise. It returns |s| on success and NULL -// on error. If |s| is NULL, it returns a newly-allocated |ASN1_TIME| instead. -// -// Note this function may fail if the time is out of range for GeneralizedTime. -OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t); - -// ASN1_TIME_adj adds |offset_day| days and |offset_sec| seconds to -// |t| and writes the result to |s|. As in RFC 5280, section 4.1.2.5, it uses -// UTCTime when the time fits and GeneralizedTime otherwise. It returns |s| on -// success and NULL on error. If |s| is NULL, it returns a newly-allocated -// |ASN1_GENERALIZEDTIME| instead. -// -// Note this function may fail if the time overflows or is out of range for -// GeneralizedTime. -OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t, int offset_day, - long offset_sec); - -// ASN1_TIME_check returns one if |t| is a valid UTCTime or GeneralizedTime, and -// zero otherwise. |t|'s type determines which check is performed. This -// function does not enforce that UTCTime was used when possible. -OPENSSL_EXPORT int ASN1_TIME_check(const ASN1_TIME *t); - -// ASN1_TIME_to_generalizedtime converts |t| to a GeneralizedTime. If |out| is -// NULL, it returns a newly-allocated |ASN1_GENERALIZEDTIME| on success, or NULL -// on error. If |out| is non-NULL and |*out| is NULL, it additionally sets -// |*out| to the result. If |out| and |*out| are non-NULL, it instead updates -// the object pointed by |*out| and returns |*out| on success or NULL on error. -OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime( - const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out); - -// ASN1_TIME_set_string behaves like |ASN1_UTCTIME_set_string| if |str| is a -// valid UTCTime, and |ASN1_GENERALIZEDTIME_set_string| if |str| is a valid -// GeneralizedTime. If |str| is neither, it returns zero. -OPENSSL_EXPORT int ASN1_TIME_set_string(ASN1_TIME *s, const char *str); - -// TODO(davidben): Expand and document function prototypes generated in macros. - // Arbitrary elements. @@ -746,103 +558,41 @@ OPENSSL_EXPORT int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b); // the macros, document them, and move them to this section. -// Human-readable output. -// -// The following functions output types in some human-readable format. These -// functions may be used for debugging and logging. However, the output should -// not be consumed programmatically. They may be ambiguous or lose information. - -// ASN1_UTCTIME_print writes a human-readable representation of |a| to |out|. It -// returns one on success and zero on error. -OPENSSL_EXPORT int ASN1_UTCTIME_print(BIO *out, const ASN1_UTCTIME *a); - -// ASN1_GENERALIZEDTIME_print writes a human-readable representation of |a| to -// |out|. It returns one on success and zero on error. -OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_print(BIO *out, - const ASN1_GENERALIZEDTIME *a); - -// ASN1_TIME_print writes a human-readable representation of |a| to |out|. It -// returns one on success and zero on error. -OPENSSL_EXPORT int ASN1_TIME_print(BIO *out, const ASN1_TIME *a); - -// ASN1_STRING_print writes a human-readable representation of |str| to |out|. -// It returns one on success and zero on error. Unprintable characters are -// replaced with '.'. -OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str); - -// ASN1_STRFLGS_ESC_2253 causes characters to be escaped as in RFC 2253, section -// 2.4. -#define ASN1_STRFLGS_ESC_2253 1 - -// ASN1_STRFLGS_ESC_CTRL causes all control characters to be escaped. -#define ASN1_STRFLGS_ESC_CTRL 2 - -// ASN1_STRFLGS_ESC_MSB causes all characters above 127 to be escaped. -#define ASN1_STRFLGS_ESC_MSB 4 - -// ASN1_STRFLGS_ESC_QUOTE causes the string to be surrounded by quotes, rather -// than using backslashes, when characters are escaped. Fewer characters will -// require escapes in this case. -#define ASN1_STRFLGS_ESC_QUOTE 8 - -// ASN1_STRFLGS_UTF8_CONVERT causes the string to be encoded as UTF-8, with each -// byte in the UTF-8 encoding treated as an individual character for purposes of -// escape sequences. If not set, each Unicode codepoint in the string is treated -// as a character, with wide characters escaped as "\Uxxxx" or "\Wxxxxxxxx". -// Note this can be ambiguous if |ASN1_STRFLGS_ESC_*| are all unset. In that -// case, backslashes are not escaped, but wide characters are. -#define ASN1_STRFLGS_UTF8_CONVERT 0x10 - -// ASN1_STRFLGS_IGNORE_TYPE causes the string type to be ignored. The -// |ASN1_STRING| in-memory representation will be printed directly. -#define ASN1_STRFLGS_IGNORE_TYPE 0x20 - -// ASN1_STRFLGS_SHOW_TYPE causes the string type to be included in the output. -#define ASN1_STRFLGS_SHOW_TYPE 0x40 - -// ASN1_STRFLGS_DUMP_ALL causes all strings to be printed as a hexdump, using -// RFC 2253 hexstring notation, such as "#0123456789ABCDEF". -#define ASN1_STRFLGS_DUMP_ALL 0x80 - -// ASN1_STRFLGS_DUMP_UNKNOWN behaves like |ASN1_STRFLGS_DUMP_ALL| but only -// applies to values of unknown type. If unset, unknown values will print -// their contents as single-byte characters with escape sequences. -#define ASN1_STRFLGS_DUMP_UNKNOWN 0x100 - -// ASN1_STRFLGS_DUMP_DER causes hexdumped strings (as determined by -// |ASN1_STRFLGS_DUMP_ALL| or |ASN1_STRFLGS_DUMP_UNKNOWN|) to print the entire -// DER element as in RFC 2253, rather than only the contents of the -// |ASN1_STRING|. -#define ASN1_STRFLGS_DUMP_DER 0x200 - -// ASN1_STRFLGS_RFC2253 causes the string to be escaped as in RFC 2253, -// additionally escaping control characters. -#define ASN1_STRFLGS_RFC2253 \ - (ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | \ - ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_DUMP_UNKNOWN | \ - ASN1_STRFLGS_DUMP_DER) - -// ASN1_STRING_print_ex writes a human-readable representation of |str| to -// |out|. It returns the number of bytes written on success and -1 on error. If -// |out| is NULL, it returns the number of bytes it would have written, without -// writing anything. -// -// The |flags| should be a combination of combination of |ASN1_STRFLGS_*| -// constants. See the documentation for each flag for how it controls the -// output. If unsure, use |ASN1_STRFLGS_RFC2253|. -OPENSSL_EXPORT int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, - unsigned long flags); - -// ASN1_STRING_print_ex_fp behaves like |ASN1_STRING_print_ex| but writes to a -// |FILE| rather than a |BIO|. -OPENSSL_EXPORT int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, - unsigned long flags); - - // Underdocumented functions. // // The following functions are not yet documented and organized. +// For use with d2i_ASN1_type_bytes() +#define B_ASN1_NUMERICSTRING 0x0001 +#define B_ASN1_PRINTABLESTRING 0x0002 +#define B_ASN1_T61STRING 0x0004 +#define B_ASN1_TELETEXSTRING 0x0004 +#define B_ASN1_VIDEOTEXSTRING 0x0008 +#define B_ASN1_IA5STRING 0x0010 +#define B_ASN1_GRAPHICSTRING 0x0020 +#define B_ASN1_ISO64STRING 0x0040 +#define B_ASN1_VISIBLESTRING 0x0040 +#define B_ASN1_GENERALSTRING 0x0080 +#define B_ASN1_UNIVERSALSTRING 0x0100 +#define B_ASN1_OCTET_STRING 0x0200 +#define B_ASN1_BIT_STRING 0x0400 +#define B_ASN1_BMPSTRING 0x0800 +#define B_ASN1_UNKNOWN 0x1000 +#define B_ASN1_UTF8STRING 0x2000 +#define B_ASN1_UTCTIME 0x4000 +#define B_ASN1_GENERALIZEDTIME 0x8000 +#define B_ASN1_SEQUENCE 0x10000 + +// For use with ASN1_mbstring_copy() +#define MBSTRING_FLAG 0x1000 +#define MBSTRING_UTF8 (MBSTRING_FLAG) +// |MBSTRING_ASC| refers to Latin-1, not ASCII. It is used with TeletexString +// which, in turn, is treated as Latin-1 rather than T.61 by OpenSSL and most +// other software. +#define MBSTRING_ASC (MBSTRING_FLAG | 1) +#define MBSTRING_BMP (MBSTRING_FLAG | 2) +#define MBSTRING_UNIV (MBSTRING_FLAG | 4) + DEFINE_STACK_OF(ASN1_OBJECT) // ASN1_ENCODING structure: this is used to save the received @@ -865,6 +615,10 @@ typedef struct ASN1_ENCODING_st { #define STABLE_FLAGS_MALLOC 0x01 #define STABLE_NO_MASK 0x02 +#define DIRSTRING_TYPE \ + (B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_BMPSTRING | \ + B_ASN1_UTF8STRING) +#define PKCS9STRING_TYPE (DIRSTRING_TYPE | B_ASN1_IA5STRING) typedef struct asn1_string_table_st { int nid; @@ -874,6 +628,17 @@ typedef struct asn1_string_table_st { unsigned long flags; } ASN1_STRING_TABLE; +// size limits: this stuff is taken straight from RFC2459 + +#define ub_name 32768 +#define ub_common_name 64 +#define ub_locality_name 128 +#define ub_state_name 128 +#define ub_organization_name 64 +#define ub_organization_unit_name 64 +#define ub_title 64 +#define ub_email_address 128 + // Declarations for template structures: for full definitions // see asn1t.h typedef struct ASN1_TEMPLATE_st ASN1_TEMPLATE; @@ -971,6 +736,75 @@ typedef const ASN1_ITEM ASN1_ITEM_EXP; #define DECLARE_ASN1_ITEM(name) extern OPENSSL_EXPORT const ASN1_ITEM name##_it; +// Parameters used by ASN1_STRING_print_ex() + +// These determine which characters to escape: +// RFC2253 special characters, control characters and +// MSB set characters + +#define ASN1_STRFLGS_ESC_2253 1 +#define ASN1_STRFLGS_ESC_CTRL 2 +#define ASN1_STRFLGS_ESC_MSB 4 + + +// This flag determines how we do escaping: normally +// RC2253 backslash only, set this to use backslash and +// quote. + +#define ASN1_STRFLGS_ESC_QUOTE 8 + + +// These three flags are internal use only. + +// Character is a valid PrintableString character +#define CHARTYPE_PRINTABLESTRING 0x10 +// Character needs escaping if it is the first character +#define CHARTYPE_FIRST_ESC_2253 0x20 +// Character needs escaping if it is the last character +#define CHARTYPE_LAST_ESC_2253 0x40 + +// NB the internal flags are safely reused below by flags +// handled at the top level. + +// If this is set we convert all character strings +// to UTF8 first + +#define ASN1_STRFLGS_UTF8_CONVERT 0x10 + +// If this is set we don't attempt to interpret content: +// just assume all strings are 1 byte per character. This +// will produce some pretty odd looking output! + +#define ASN1_STRFLGS_IGNORE_TYPE 0x20 + +// If this is set we include the string type in the output +#define ASN1_STRFLGS_SHOW_TYPE 0x40 + +// This determines which strings to display and which to +// 'dump' (hex dump of content octets or DER encoding). We can +// only dump non character strings or everything. If we +// don't dump 'unknown' they are interpreted as character +// strings with 1 octet per character and are subject to +// the usual escaping options. + +#define ASN1_STRFLGS_DUMP_ALL 0x80 +#define ASN1_STRFLGS_DUMP_UNKNOWN 0x100 + +// These determine what 'dumping' does, we can dump the +// content octets or the DER encoding: both use the +// RFC2253 #XXXXX notation. + +#define ASN1_STRFLGS_DUMP_DER 0x200 + +// All the string flags consistent with RFC2253, +// escaping control characters isn't essential in +// RFC2253 but it is advisable anyway. + +#define ASN1_STRFLGS_RFC2253 \ + (ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | \ + ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_DUMP_UNKNOWN | \ + ASN1_STRFLGS_DUMP_DER) + DEFINE_STACK_OF(ASN1_INTEGER) DEFINE_STACK_OF(ASN1_TYPE) @@ -980,6 +814,20 @@ typedef STACK_OF(ASN1_TYPE) ASN1_SEQUENCE_ANY; DECLARE_ASN1_ENCODE_FUNCTIONS_const(ASN1_SEQUENCE_ANY, ASN1_SEQUENCE_ANY) DECLARE_ASN1_ENCODE_FUNCTIONS_const(ASN1_SEQUENCE_ANY, ASN1_SET_ANY) +struct X509_algor_st { + ASN1_OBJECT *algorithm; + ASN1_TYPE *parameter; +} /* X509_ALGOR */; + +DECLARE_ASN1_FUNCTIONS(X509_ALGOR) + +// This is used to contain a list of bit names +typedef struct BIT_STRING_BITNAME_st { + int bitnum; + const char *lname; + const char *sname; +} BIT_STRING_BITNAME; + // M_ASN1_* are legacy aliases for various |ASN1_STRING| functions. Use the // functions themselves. #define M_ASN1_STRING_length(x) ASN1_STRING_length(x) @@ -1076,6 +924,26 @@ OPENSSL_EXPORT ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x); DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED) +OPENSSL_EXPORT int ASN1_UTCTIME_check(const ASN1_UTCTIME *a); +OPENSSL_EXPORT ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t); +OPENSSL_EXPORT ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, + int offset_day, long offset_sec); +OPENSSL_EXPORT int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str); +OPENSSL_EXPORT int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t); +#if 0 +time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s); +#endif + +OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a); +OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set( + ASN1_GENERALIZEDTIME *s, time_t t); +OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj( + ASN1_GENERALIZEDTIME *s, time_t t, int offset_day, long offset_sec); +OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, + const char *str); +OPENSSL_EXPORT int ASN1_TIME_diff(int *pday, int *psec, const ASN1_TIME *from, + const ASN1_TIME *to); + DECLARE_ASN1_FUNCTIONS(ASN1_OCTET_STRING) OPENSSL_EXPORT ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup( const ASN1_OCTET_STRING *a); @@ -1102,6 +970,14 @@ DECLARE_ASN1_FUNCTIONS(ASN1_UTCTIME) DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME) DECLARE_ASN1_FUNCTIONS(ASN1_TIME) +OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t); +OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t, int offset_day, + long offset_sec); +OPENSSL_EXPORT int ASN1_TIME_check(const ASN1_TIME *t); +OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime( + const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out); +OPENSSL_EXPORT int ASN1_TIME_set_string(ASN1_TIME *s, const char *str); + OPENSSL_EXPORT int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a); OPENSSL_EXPORT int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a); OPENSSL_EXPORT int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a); @@ -1114,11 +990,9 @@ OPENSSL_EXPORT ASN1_OBJECT *ASN1_OBJECT_create(int nid, int len, const char *sn, const char *ln); -// ASN1_PRINTABLE_type interprets |len| bytes from |s| as a Latin-1 string. It -// returns the first of |V_ASN1_PRINTABLESTRING|, |V_ASN1_IA5STRING|, or -// |V_ASN1_T61STRING| that can represent every character. If |len| is negative, -// |strlen(s)| is used instead. -OPENSSL_EXPORT int ASN1_PRINTABLE_type(const unsigned char *s, int len); +// General +// given a string, return the correct type, max is the maximum length +OPENSSL_EXPORT int ASN1_PRINTABLE_type(const unsigned char *s, int max); OPENSSL_EXPORT unsigned long ASN1_tag2bit(int tag); @@ -1132,11 +1006,23 @@ OPENSSL_EXPORT int ASN1_object_size(int constructed, int length, int tag); OPENSSL_EXPORT void *ASN1_item_dup(const ASN1_ITEM *it, void *x); +#ifndef OPENSSL_NO_FP_API OPENSSL_EXPORT void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x); OPENSSL_EXPORT int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x); +OPENSSL_EXPORT int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, + unsigned long flags); +#endif OPENSSL_EXPORT void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x); OPENSSL_EXPORT int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x); +OPENSSL_EXPORT int ASN1_UTCTIME_print(BIO *fp, const ASN1_UTCTIME *a); +OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_print(BIO *fp, + const ASN1_GENERALIZEDTIME *a); +OPENSSL_EXPORT int ASN1_TIME_print(BIO *fp, const ASN1_TIME *a); +OPENSSL_EXPORT int ASN1_STRING_print(BIO *bp, const ASN1_STRING *v); +OPENSSL_EXPORT int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, + unsigned long flags); +OPENSSL_EXPORT const char *ASN1_tag2str(int tag); // Used to load and write netscape format cert @@ -1146,14 +1032,16 @@ OPENSSL_EXPORT void *ASN1_item_unpack(const ASN1_STRING *oct, OPENSSL_EXPORT ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_OCTET_STRING **oct); -// ASN1_STRING_set_default_mask does nothing. OPENSSL_EXPORT void ASN1_STRING_set_default_mask(unsigned long mask); - -// ASN1_STRING_set_default_mask_asc returns one. OPENSSL_EXPORT int ASN1_STRING_set_default_mask_asc(const char *p); - -// ASN1_STRING_get_default_mask returns |B_ASN1_UTF8STRING|. OPENSSL_EXPORT unsigned long ASN1_STRING_get_default_mask(void); +OPENSSL_EXPORT int ASN1_mbstring_copy(ASN1_STRING **out, + const unsigned char *in, int len, + int inform, unsigned long mask); +OPENSSL_EXPORT int ASN1_mbstring_ncopy(ASN1_STRING **out, + const unsigned char *in, int len, + int inform, unsigned long mask, + long minsize, long maxsize); OPENSSL_EXPORT ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, diff --git a/src/include/openssl/asn1t.h b/src/include/openssl/asn1t.h index 45302ef3..c5e2685e 100644 --- a/src/include/openssl/asn1t.h +++ b/src/include/openssl/asn1t.h @@ -389,6 +389,13 @@ struct ASN1_ADB_TABLE_st { /* Field is a SEQUENCE OF */ #define ASN1_TFLG_SEQUENCE_OF (0x2 << 1) +/* Special case: this refers to a SET OF that + * will be sorted into DER order when encoded *and* + * the corresponding STACK will be modified to match + * the new order. + */ +#define ASN1_TFLG_SET_ORDER (0x3 << 1) + /* Mask for SET OF or SEQUENCE OF */ #define ASN1_TFLG_SK_MASK (0x3 << 1) @@ -595,8 +602,8 @@ typedef struct ASN1_AUX_st { #define ASN1_OP_FREE_POST 3 #define ASN1_OP_D2I_PRE 4 #define ASN1_OP_D2I_POST 5 -/* ASN1_OP_I2D_PRE and ASN1_OP_I2D_POST are not supported. We leave the - * constants undefined so code relying on them does not accidentally compile. */ +#define ASN1_OP_I2D_PRE 6 +#define ASN1_OP_I2D_POST 7 #define ASN1_OP_PRINT_PRE 8 #define ASN1_OP_PRINT_POST 9 #define ASN1_OP_STREAM_PRE 10 diff --git a/src/include/openssl/base.h b/src/include/openssl/base.h index 8be10d1c..ea4366a2 100644 --- a/src/include/openssl/base.h +++ b/src/include/openssl/base.h @@ -145,7 +145,7 @@ extern "C" { // Trusty isn't Linux but currently defines __linux__. As a workaround, we // exclude it here. // TODO(b/169780122): Remove this workaround once Trusty no longer defines it. -#if defined(__linux__) && !defined(__TRUSTY__) +#if defined(__linux__) && !defined(TRUSTY) #define OPENSSL_LINUX #endif @@ -153,7 +153,7 @@ extern "C" { #define OPENSSL_FUCHSIA #endif -#if defined(__TRUSTY__) +#if defined(TRUSTY) #define OPENSSL_TRUSTY #define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED #endif @@ -422,7 +422,6 @@ typedef struct private_key_st X509_PKEY; typedef struct rand_meth_st RAND_METHOD; typedef struct rc4_key_st RC4_KEY; typedef struct rsa_meth_st RSA_METHOD; -typedef struct rsa_pss_params_st RSA_PSS_PARAMS; typedef struct rsa_st RSA; typedef struct sha256_state_st SHA256_CTX; typedef struct sha512_state_st SHA512_CTX; @@ -446,10 +445,9 @@ typedef struct trust_token_method_st TRUST_TOKEN_METHOD; typedef struct v3_ext_ctx X509V3_CTX; typedef struct x509_attributes_st X509_ATTRIBUTE; typedef struct x509_cert_aux_st X509_CERT_AUX; +typedef struct x509_cinf_st X509_CINF; typedef struct x509_crl_method_st X509_CRL_METHOD; typedef struct x509_lookup_st X509_LOOKUP; -typedef struct x509_lookup_method_st X509_LOOKUP_METHOD; -typedef struct x509_object_st X509_OBJECT; typedef struct x509_revoked_st X509_REVOKED; typedef struct x509_st X509; typedef struct x509_store_ctx_st X509_STORE_CTX; diff --git a/src/include/openssl/bio.h b/src/include/openssl/bio.h index 18bc893f..f25492aa 100644 --- a/src/include/openssl/bio.h +++ b/src/include/openssl/bio.h @@ -377,9 +377,7 @@ OPENSSL_EXPORT int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, OPENSSL_EXPORT const BIO_METHOD *BIO_s_mem(void); // BIO_new_mem_buf creates read-only BIO that reads from |len| bytes at |buf|. -// It returns the BIO or NULL on error. This function does not copy or take -// ownership of |buf|. The caller must ensure the memory pointed to by |buf| -// outlives the |BIO|. +// It does not take ownership of |buf|. It returns the BIO or NULL on error. // // If |len| is negative, then |buf| is treated as a NUL-terminated string, but // don't depend on this in new code. diff --git a/src/include/openssl/bn.h b/src/include/openssl/bn.h index 5ca8b855..295ca629 100644 --- a/src/include/openssl/bn.h +++ b/src/include/openssl/bn.h @@ -687,9 +687,9 @@ OPENSSL_EXPORT int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, // BN_prime_checks_for_validation can be used as the |checks| argument to the // primarily testing functions when validating an externally-supplied candidate // prime. It gives a false positive rate of at most 2^{-128}. (The worst case -// false positive rate for a single iteration is 1/4 per -// https://eprint.iacr.org/2018/749. (1/4)^64 = 2^{-128}.) -#define BN_prime_checks_for_validation 64 +// false positive rate for a single iteration is 1/4, so we perform 32 +// iterations.) +#define BN_prime_checks_for_validation 32 // BN_prime_checks_for_generation can be used as the |checks| argument to the // primality testing functions when generating random primes. It gives a false diff --git a/src/include/openssl/bytestring.h b/src/include/openssl/bytestring.h index 5ef37420..39b7fb2d 100644 --- a/src/include/openssl/bytestring.h +++ b/src/include/openssl/bytestring.h @@ -154,11 +154,6 @@ OPENSSL_EXPORT int CBS_get_u16_length_prefixed(CBS *cbs, CBS *out); // returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out); -// CBS_get_until_first finds the first instance of |c| in |cbs|. If found, it -// sets |*out| to the text before the match, advances |cbs| over it, and returns -// one. Otherwise, it returns zero and leaves |cbs| unmodified. -OPENSSL_EXPORT int CBS_get_until_first(CBS *cbs, CBS *out, uint8_t c); - // Parsing ASN.1 // @@ -468,10 +463,6 @@ OPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag); // success and zero otherwise. OPENSSL_EXPORT int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len); -// CBB_add_zeros append |len| bytes with value zero to |cbb|. It returns one on -// success and zero otherwise. -OPENSSL_EXPORT int CBB_add_zeros(CBB *cbb, size_t len); - // CBB_add_space appends |len| bytes to |cbb| and sets |*out_data| to point to // the beginning of that space. The caller must then write |len| bytes of // actual contents to |*out_data|. It returns one on success and zero diff --git a/src/include/openssl/hkdf.h b/src/include/openssl/hkdf.h index 5b27acc6..59aaa493 100644 --- a/src/include/openssl/hkdf.h +++ b/src/include/openssl/hkdf.h @@ -41,10 +41,6 @@ OPENSSL_EXPORT int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest, // keying material |secret| and salt |salt| using |digest|, and outputs // |out_len| bytes to |out_key|. The maximum output size is |EVP_MAX_MD_SIZE|. // It returns one on success and zero on error. -// -// WARNING: This function orders the inputs differently from RFC 5869 -// specification. Double-check which parameter is the secret/IKM and which is -// the salt when using. OPENSSL_EXPORT int HKDF_extract(uint8_t *out_key, size_t *out_len, const EVP_MD *digest, const uint8_t *secret, size_t secret_len, const uint8_t *salt, diff --git a/src/include/openssl/pem.h b/src/include/openssl/pem.h index a94f2766..f39989e1 100644 --- a/src/include/openssl/pem.h +++ b/src/include/openssl/pem.h @@ -112,6 +112,15 @@ extern "C" { // write. Now they are all implemented with either: // IMPLEMENT_PEM_rw(...) or IMPLEMENT_PEM_rw_cb(...) +#ifdef OPENSSL_NO_FP_API + +#define IMPLEMENT_PEM_read_fp(name, type, str, asn1) // +#define IMPLEMENT_PEM_write_fp(name, type, str, asn1) // +#define IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) // +#define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) // +#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) // + +#else #define IMPLEMENT_PEM_read_fp(name, type, str, asn1) \ static void *pem_read_##name##_d2i(void **x, const unsigned char **inp, \ @@ -164,6 +173,7 @@ extern "C" { cb, u); \ } +#endif #define IMPLEMENT_PEM_read_bio(name, type, str, asn1) \ static void *pem_read_bio_##name##_d2i(void **x, const unsigned char **inp, \ @@ -250,6 +260,14 @@ extern "C" { // These are the same except they are for the declarations +#if defined(OPENSSL_NO_FP_API) + +#define DECLARE_PEM_read_fp(name, type) // +#define DECLARE_PEM_write_fp(name, type) // +#define DECLARE_PEM_write_cb_fp(name, type) // + +#else + #define DECLARE_PEM_read_fp(name, type) \ OPENSSL_EXPORT type *PEM_read_##name(FILE *fp, type **x, \ pem_password_cb *cb, void *u); @@ -265,6 +283,8 @@ extern "C" { FILE *fp, type *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, \ pem_password_cb *cb, void *u); +#endif + #define DECLARE_PEM_read_bio(name, type) \ OPENSSL_EXPORT type *PEM_read_bio_##name(BIO *bp, type **x, \ pem_password_cb *cb, void *u); diff --git a/src/include/openssl/pkcs7.h b/src/include/openssl/pkcs7.h index 77e13d7c..8f2a8859 100644 --- a/src/include/openssl/pkcs7.h +++ b/src/include/openssl/pkcs7.h @@ -200,22 +200,15 @@ OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7); #define PKCS7_STREAM 0x1000 #define PKCS7_PARTIAL 0x4000 -// PKCS7_sign can operate in two modes to provide some backwards compatibility: -// -// The first mode assembles |certs| into a PKCS#7 signed data ContentInfo with +// PKCS7_sign assembles |certs| into a PKCS#7 signed data ContentInfo with // external data and no signatures. It returns a newly-allocated |PKCS7| on // success or NULL on error. |sign_cert| and |pkey| must be NULL. |data| is -// ignored. |flags| must be equal to |PKCS7_DETACHED|. Additionally, -// certificates in SignedData structures are unordered. The order of |certs| -// will not be preserved. -// -// The second mode generates a detached RSA SHA-256 signature of |data| using -// |pkey| and produces a PKCS#7 SignedData structure containing it. |certs| -// must be NULL and |flags| must be exactly |PKCS7_NOATTR | PKCS7_BINARY | -// PKCS7_NOCERTS | PKCS7_DETACHED|. +// ignored. |flags| must be equal to |PKCS7_DETACHED|. // // Note this function only implements a subset of the corresponding OpenSSL -// function. It is provided for backwards compatibility only. +// function. It is provided for backwards compatibility only. Additionally, +// certificates in SignedData structures are unordered. The order of |certs| +// will not be preserved. OPENSSL_EXPORT PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags); diff --git a/src/include/openssl/rsa.h b/src/include/openssl/rsa.h index 95a478a3..27bc7bf3 100644 --- a/src/include/openssl/rsa.h +++ b/src/include/openssl/rsa.h @@ -684,11 +684,6 @@ OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len, // on success or zero otherwise. OPENSSL_EXPORT int RSA_print(BIO *bio, const RSA *rsa, int indent); -// RSA_get0_pss_params returns NULL. In OpenSSL, this function retries RSA-PSS -// parameters associated with |RSA| objects, but BoringSSL does not support -// the id-RSASSA-PSS key encoding. -OPENSSL_EXPORT const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa); - struct rsa_meth_st { struct openssl_method_common_st common; diff --git a/src/include/openssl/span.h b/src/include/openssl/span.h index 79f1d416..7410bf90 100644 --- a/src/include/openssl/span.h +++ b/src/include/openssl/span.h @@ -94,6 +94,18 @@ class SpanBase { template <typename T> class Span : private internal::SpanBase<const T> { private: + // Heuristically test whether C is a container type that can be converted into + // a Span by checking for data() and size() member functions. + // + // TODO(davidben): Switch everything to std::enable_if_t when we remove + // support for MSVC 2015. Although we could write our own enable_if_t and MSVC + // 2015 has std::enable_if_t anyway, MSVC 2015's SFINAE implementation is + // problematic and does not work below unless we write the ::type at use. + template <typename C> + using EnableIfContainer = std::enable_if< + std::is_convertible<decltype(std::declval<C>().data()), T *>::value && + std::is_integral<decltype(std::declval<C>().size())>::value>; + static const size_t npos = static_cast<size_t>(-1); public: @@ -104,27 +116,12 @@ class Span : private internal::SpanBase<const T> { constexpr Span(T (&array)[N]) : Span(array, N) {} template < - typename C, - // TODO(davidben): Switch everything to std::enable_if_t when we remove - // support for MSVC 2015. Although we could write our own enable_if_t and - // MSVC 2015 has std::enable_if_t anyway, MSVC 2015's SFINAE - // implementation is problematic and does not work below unless we write - // the ::type at use. - // - // TODO(davidben): Move this and the identical copy below into an - // EnableIfContainer alias when we drop MSVC 2015 support. MSVC 2015's - // SFINAE support cannot handle type aliases. - typename = typename std::enable_if< - std::is_convertible<decltype(std::declval<C>().data()), T *>::value && - std::is_integral<decltype(std::declval<C>().size())>::value>::type, + typename C, typename = typename EnableIfContainer<C>::type, typename = typename std::enable_if<std::is_const<T>::value, C>::type> Span(const C &container) : data_(container.data()), size_(container.size()) {} template < - typename C, - typename = typename std::enable_if< - std::is_convertible<decltype(std::declval<C>().data()), T *>::value && - std::is_integral<decltype(std::declval<C>().size())>::value>::type, + typename C, typename = typename EnableIfContainer<C>::type, typename = typename std::enable_if<!std::is_const<T>::value, C>::type> explicit Span(C &container) : data_(container.data()), size_(container.size()) {} @@ -161,30 +158,11 @@ class Span : private internal::SpanBase<const T> { Span subspan(size_t pos = 0, size_t len = npos) const { if (pos > size_) { - // absl::Span throws an exception here. Note std::span and Chromium - // base::span additionally forbid pos + len being out of range, with a - // special case at npos/dynamic_extent, while absl::Span::subspan clips - // the span. For now, we align with absl::Span in case we switch to it in - // the future. - abort(); + abort(); // absl::Span throws an exception here. } return Span(data_ + pos, std::min(size_ - pos, len)); } - Span first(size_t len) { - if (len > size_) { - abort(); - } - return Span(data_, len); - } - - Span last(size_t len) { - if (len > size_) { - abort(); - } - return Span(data_ + size_ - len, len); - } - private: T *data_; size_t size_; diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h index 5965cb4b..82e1da8e 100644 --- a/src/include/openssl/ssl.h +++ b/src/include/openssl/ssl.h @@ -1649,11 +1649,6 @@ OPENSSL_EXPORT int SSL_export_keying_material( // abbreviated handshake. It is reference-counted and immutable. Once // established, an |SSL_SESSION| may be shared by multiple |SSL| objects on // different threads and must not be modified. -// -// Note the TLS notion of "session" is not suitable for application-level -// session state. It is an optional caching mechanism for the handshake. Not all -// connections within an application-level session will reuse TLS sessions. TLS -// sessions may be dropped by the client or ignored by the server at any time. DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) @@ -1708,19 +1703,6 @@ OPENSSL_EXPORT int SSL_SESSION_set_protocol_version(SSL_SESSION *session, // SSL_SESSION_get_id returns a pointer to a buffer containing |session|'s // session ID and sets |*out_len| to its length. -// -// This function should only be used for implementing a TLS session cache. TLS -// sessions are not suitable for application-level session state, and a session -// ID is an implementation detail of the TLS resumption handshake mechanism. Not -// all resumption flows use session IDs, and not all connections within an -// application-level session will reuse TLS sessions. -// -// To determine if resumption occurred, use |SSL_session_reused| instead. -// Comparing session IDs will not give the right result in all cases. -// -// As a workaround for some broken applications, BoringSSL sometimes synthesizes -// arbitrary session IDs for non-ID-based sessions. This behavior may be -// removed in the future. OPENSSL_EXPORT const uint8_t *SSL_SESSION_get_id(const SSL_SESSION *session, unsigned *out_len); @@ -3587,7 +3569,7 @@ OPENSSL_EXPORT const char *SSL_early_data_reason_string( // // ECH support in BoringSSL is still experimental and under development. // -// See https://tools.ietf.org/html/draft-ietf-tls-esni-13. +// See https://tools.ietf.org/html/draft-ietf-tls-esni-10. // SSL_set_enable_ech_grease configures whether the client will send a GREASE // ECH extension when no supported ECHConfig is available. @@ -3619,12 +3601,12 @@ OPENSSL_EXPORT int SSL_set1_ech_config_list(SSL *ssl, const uint8_t *ech_config_list, size_t ech_config_list_len); -// SSL_get0_ech_name_override, if |ssl| is a client and the server rejected ECH, -// sets |*out_name| and |*out_name_len| to point to a buffer containing the ECH -// public name. Otherwise, the buffer will be empty. +// SSL_get0_ech_name_override sets |*out_name| and |*out_name_len| to point to a +// buffer containing the ECH public name, if the server rejected ECH, or the +// empty string otherwise. // -// When offering ECH as a client, this function should be called during the -// certificate verification callback (see |SSL_CTX_set_custom_verify|). If +// This function should be called during the certificate verification callback +// (see |SSL_CTX_set_custom_verify|) if |ssl| is a client offering ECH. If // |*out_name_len| is non-zero, the caller should verify the certificate against // the result, interpreted as a DNS name, rather than the true server name. In // this case, the handshake will never succeed and is only used to authenticate @@ -4912,6 +4894,12 @@ OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key); OPENSSL_EXPORT int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *out, const char *dir); +// SSL_set_verify_result calls |abort| unless |result| is |X509_V_OK|. +// +// TODO(davidben): Remove this function once it has been removed from +// netty-tcnative. +OPENSSL_EXPORT void SSL_set_verify_result(SSL *ssl, long result); + // SSL_CTX_enable_tls_channel_id calls |SSL_CTX_set_tls_channel_id_enabled|. OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx); @@ -5566,8 +5554,6 @@ BSSL_NAMESPACE_END #define SSL_R_INVALID_ECH_PUBLIC_NAME 317 #define SSL_R_INVALID_ECH_CONFIG_LIST 318 #define SSL_R_ECH_REJECTED 319 -#define SSL_R_OUTER_EXTENSION_NOT_FOUND 320 -#define SSL_R_INCONSISTENT_ECH_NEGOTIATION 321 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 diff --git a/src/include/openssl/tls1.h b/src/include/openssl/tls1.h index a3136c0d..2886e2cf 100644 --- a/src/include/openssl/tls1.h +++ b/src/include/openssl/tls1.h @@ -179,28 +179,28 @@ extern "C" { #define TLS1_AD_UNKNOWN_PSK_IDENTITY 115 #define TLS1_AD_CERTIFICATE_REQUIRED 116 #define TLS1_AD_NO_APPLICATION_PROTOCOL 120 -#define TLS1_AD_ECH_REQUIRED 121 // draft-ietf-tls-esni-13 +#define TLS1_AD_ECH_REQUIRED 121 // draft-ietf-tls-esni-10 -// ExtensionType values from RFC 6066 +// ExtensionType values from RFC6066 #define TLSEXT_TYPE_server_name 0 #define TLSEXT_TYPE_status_request 5 -// ExtensionType values from RFC 4492 +// ExtensionType values from RFC4492 #define TLSEXT_TYPE_ec_point_formats 11 -// ExtensionType values from RFC 5246 +// ExtensionType values from RFC5246 #define TLSEXT_TYPE_signature_algorithms 13 -// ExtensionType value from RFC 5764 +// ExtensionType value from RFC5764 #define TLSEXT_TYPE_srtp 14 -// ExtensionType value from RFC 7301 +// ExtensionType value from RFC7301 #define TLSEXT_TYPE_application_layer_protocol_negotiation 16 -// ExtensionType value from RFC 7685 +// ExtensionType value from RFC7685 #define TLSEXT_TYPE_padding 21 -// ExtensionType value from RFC 7627 +// ExtensionType value from RFC7627 #define TLSEXT_TYPE_extended_master_secret 23 // ExtensionType value from draft-ietf-quic-tls. Drafts 00 through 32 use @@ -210,7 +210,7 @@ extern "C" { // use the value 57 which was officially registered with IANA. #define TLSEXT_TYPE_quic_transport_parameters_legacy 0xffa5 -// ExtensionType value from RFC 9000 +// ExtensionType value from RFC9000 #define TLSEXT_TYPE_quic_transport_parameters 57 // TLSEXT_TYPE_quic_transport_parameters_standard is an alias for @@ -219,13 +219,13 @@ extern "C" { #define TLSEXT_TYPE_quic_transport_parameters_standard \ TLSEXT_TYPE_quic_transport_parameters -// ExtensionType value from RFC 8879 +// ExtensionType value from RFC8879 #define TLSEXT_TYPE_cert_compression 27 -// ExtensionType value from RFC 4507 +// ExtensionType value from RFC4507 #define TLSEXT_TYPE_session_ticket 35 -// ExtensionType values from RFC 8446 +// ExtensionType values from RFC8446 #define TLSEXT_TYPE_supported_groups 10 #define TLSEXT_TYPE_pre_shared_key 41 #define TLSEXT_TYPE_early_data 42 @@ -236,7 +236,7 @@ extern "C" { #define TLSEXT_TYPE_signature_algorithms_cert 50 #define TLSEXT_TYPE_key_share 51 -// ExtensionType value from RFC 5746 +// ExtensionType value from RFC5746 #define TLSEXT_TYPE_renegotiate 0xff01 // ExtensionType value from draft-ietf-tls-subcerts. @@ -246,12 +246,13 @@ extern "C" { // extension number. #define TLSEXT_TYPE_application_settings 17513 -// ExtensionType values from draft-ietf-tls-esni-13. This is not an IANA defined +// ExtensionType values from draft-ietf-tls-esni-10. This is not an IANA defined // extension number. -#define TLSEXT_TYPE_encrypted_client_hello 0xfe0d +#define TLSEXT_TYPE_encrypted_client_hello 0xfe0a +#define TLSEXT_TYPE_ech_is_inner 0xda09 #define TLSEXT_TYPE_ech_outer_extensions 0xfd00 -// ExtensionType value from RFC 6962 +// ExtensionType value from RFC6962 #define TLSEXT_TYPE_certificate_timestamp 18 // This is not an IANA defined extension number @@ -312,7 +313,7 @@ extern "C" { #define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065 #define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066 -// AES ciphersuites from RFC 3268 +// AES ciphersuites from RFC3268 #define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F #define TLS1_CK_DH_DSS_WITH_AES_128_SHA 0x03000030 @@ -336,7 +337,7 @@ extern "C" { #define TLS1_CK_DH_RSA_WITH_AES_128_SHA256 0x0300003F #define TLS1_CK_DHE_DSS_WITH_AES_128_SHA256 0x03000040 -// Camellia ciphersuites from RFC 4132 +// Camellia ciphersuites from RFC4132 #define TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000041 #define TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x03000042 #define TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000043 @@ -353,7 +354,7 @@ extern "C" { #define TLS1_CK_ADH_WITH_AES_128_SHA256 0x0300006C #define TLS1_CK_ADH_WITH_AES_256_SHA256 0x0300006D -// Camellia ciphersuites from RFC 4132 +// Camellia ciphersuites from RFC4132 #define TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000084 #define TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x03000085 #define TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000086 @@ -361,7 +362,7 @@ extern "C" { #define TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000088 #define TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA 0x03000089 -// SEED ciphersuites from RFC 4162 +// SEED ciphersuites from RFC4162 #define TLS1_CK_RSA_WITH_SEED_SHA 0x03000096 #define TLS1_CK_DH_DSS_WITH_SEED_SHA 0x03000097 #define TLS1_CK_DH_RSA_WITH_SEED_SHA 0x03000098 @@ -369,7 +370,7 @@ extern "C" { #define TLS1_CK_DHE_RSA_WITH_SEED_SHA 0x0300009A #define TLS1_CK_ADH_WITH_SEED_SHA 0x0300009B -// TLS v1.2 GCM ciphersuites from RFC 5288 +// TLS v1.2 GCM ciphersuites from RFC5288 #define TLS1_CK_RSA_WITH_AES_128_GCM_SHA256 0x0300009C #define TLS1_CK_RSA_WITH_AES_256_GCM_SHA384 0x0300009D #define TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256 0x0300009E @@ -383,7 +384,7 @@ extern "C" { #define TLS1_CK_ADH_WITH_AES_128_GCM_SHA256 0x030000A6 #define TLS1_CK_ADH_WITH_AES_256_GCM_SHA384 0x030000A7 -// ECC ciphersuites from RFC 4492 +// ECC ciphersuites from RFC4492 #define TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA 0x0300C001 #define TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA 0x0300C002 #define TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA 0x0300C003 @@ -425,7 +426,7 @@ extern "C" { #define TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA 0x0300C021 #define TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA 0x0300C022 -// ECDH HMAC based ciphersuites from RFC 5289 +// ECDH HMAC based ciphersuites from RFC5289 #define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256 0x0300C023 #define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384 0x0300C024 @@ -436,7 +437,7 @@ extern "C" { #define TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256 0x0300C029 #define TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384 0x0300C02A -// ECDH GCM based ciphersuites from RFC 5289 +// ECDH GCM based ciphersuites from RFC5289 #define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0x0300C02B #define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0x0300C02C #define TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0x0300C02D @@ -472,7 +473,7 @@ extern "C" { #define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA "EXP1024-DHE-DSS-RC4-SHA" #define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA "DHE-DSS-RC4-SHA" -// AES ciphersuites from RFC 3268 +// AES ciphersuites from RFC3268 #define TLS1_TXT_RSA_WITH_AES_128_SHA "AES128-SHA" #define TLS1_TXT_DH_DSS_WITH_AES_128_SHA "DH-DSS-AES128-SHA" #define TLS1_TXT_DH_RSA_WITH_AES_128_SHA "DH-RSA-AES128-SHA" @@ -487,7 +488,7 @@ extern "C" { #define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA "DHE-RSA-AES256-SHA" #define TLS1_TXT_ADH_WITH_AES_256_SHA "ADH-AES256-SHA" -// ECC ciphersuites from RFC 4492 +// ECC ciphersuites from RFC4492 #define TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA "ECDH-ECDSA-NULL-SHA" #define TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA "ECDH-ECDSA-RC4-SHA" #define TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA "ECDH-ECDSA-DES-CBC3-SHA" @@ -539,7 +540,7 @@ extern "C" { #define TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA "SRP-RSA-AES-256-CBC-SHA" #define TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA "SRP-DSS-AES-256-CBC-SHA" -// Camellia ciphersuites from RFC 4132 +// Camellia ciphersuites from RFC4132 #define TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA "CAMELLIA128-SHA" #define TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA "DH-DSS-CAMELLIA128-SHA" #define TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA "DH-RSA-CAMELLIA128-SHA" @@ -554,7 +555,7 @@ extern "C" { #define TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA "DHE-RSA-CAMELLIA256-SHA" #define TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA "ADH-CAMELLIA256-SHA" -// SEED ciphersuites from RFC 4162 +// SEED ciphersuites from RFC4162 #define TLS1_TXT_RSA_WITH_SEED_SHA "SEED-SHA" #define TLS1_TXT_DH_DSS_WITH_SEED_SHA "DH-DSS-SEED-SHA" #define TLS1_TXT_DH_RSA_WITH_SEED_SHA "DH-RSA-SEED-SHA" @@ -577,7 +578,7 @@ extern "C" { #define TLS1_TXT_ADH_WITH_AES_128_SHA256 "ADH-AES128-SHA256" #define TLS1_TXT_ADH_WITH_AES_256_SHA256 "ADH-AES256-SHA256" -// TLS v1.2 GCM ciphersuites from RFC 5288 +// TLS v1.2 GCM ciphersuites from RFC5288 #define TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256 "AES128-GCM-SHA256" #define TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384 "AES256-GCM-SHA384" #define TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 "DHE-RSA-AES128-GCM-SHA256" @@ -591,7 +592,7 @@ extern "C" { #define TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256 "ADH-AES128-GCM-SHA256" #define TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384 "ADH-AES256-GCM-SHA384" -// ECDH HMAC based ciphersuites from RFC 5289 +// ECDH HMAC based ciphersuites from RFC5289 #define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256 "ECDHE-ECDSA-AES128-SHA256" #define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384 "ECDHE-ECDSA-AES256-SHA384" @@ -602,7 +603,7 @@ extern "C" { #define TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256 "ECDH-RSA-AES128-SHA256" #define TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384 "ECDH-RSA-AES256-SHA384" -// ECDH GCM based ciphersuites from RFC 5289 +// ECDH GCM based ciphersuites from RFC5289 #define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \ "ECDHE-ECDSA-AES128-GCM-SHA256" #define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \ diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h index 30ad4d26..dafa6773 100644 --- a/src/include/openssl/x509.h +++ b/src/include/openssl/x509.h @@ -110,19 +110,28 @@ extern "C" { #define X509v3_KU_DECIPHER_ONLY 0x8000 #define X509v3_KU_UNDEF 0xffff -struct X509_algor_st { - ASN1_OBJECT *algorithm; - ASN1_TYPE *parameter; -} /* X509_ALGOR */; - -DECLARE_ASN1_FUNCTIONS(X509_ALGOR) - DEFINE_STACK_OF(X509_ALGOR) typedef STACK_OF(X509_ALGOR) X509_ALGORS; +struct X509_name_entry_st { + ASN1_OBJECT *object; + ASN1_STRING *value; + int set; +} /* X509_NAME_ENTRY */; + DEFINE_STACK_OF(X509_NAME_ENTRY) +// we always keep X509_NAMEs in 2 forms. +struct X509_name_st { + STACK_OF(X509_NAME_ENTRY) *entries; + int modified; // true if 'bytes' needs to be built + BUF_MEM *bytes; + // unsigned long hash; Keep the hash around for lookups + unsigned char *canon_enc; + int canon_enclen; +} /* X509_NAME */; + DEFINE_STACK_OF(X509_NAME) typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; @@ -131,6 +140,20 @@ DEFINE_STACK_OF(X509_EXTENSION) DEFINE_STACK_OF(X509_ATTRIBUTE) +struct x509_cinf_st { + ASN1_INTEGER *version; // [ 0 ] default of v1 + ASN1_INTEGER *serialNumber; + X509_ALGOR *signature; + X509_NAME *issuer; + X509_VAL *validity; + X509_NAME *subject; + X509_PUBKEY *key; + ASN1_BIT_STRING *issuerUID; // [ 1 ] optional in v2 + ASN1_BIT_STRING *subjectUID; // [ 2 ] optional in v2 + STACK_OF(X509_EXTENSION) *extensions; // [ 3 ] optional in v3 + ASN1_ENCODING enc; +} /* X509_CINF */; + // This stuff is certificate "auxiliary info" // it contains details which are useful in certificate // stores and databases. When used this is tagged onto @@ -139,6 +162,31 @@ DEFINE_STACK_OF(X509_ATTRIBUTE) DECLARE_STACK_OF(DIST_POINT) DECLARE_STACK_OF(GENERAL_NAME) +struct x509_st { + X509_CINF *cert_info; + X509_ALGOR *sig_alg; + ASN1_BIT_STRING *signature; + CRYPTO_refcount_t references; + CRYPTO_EX_DATA ex_data; + // These contain copies of various extension values + long ex_pathlen; + long ex_pcpathlen; + unsigned long ex_flags; + unsigned long ex_kusage; + unsigned long ex_xkusage; + unsigned long ex_nscert; + ASN1_OCTET_STRING *skid; + AUTHORITY_KEYID *akid; + X509_POLICY_CACHE *policy_cache; + STACK_OF(DIST_POINT) *crldp; + STACK_OF(GENERAL_NAME) *altname; + NAME_CONSTRAINTS *nc; + unsigned char sha1_hash[SHA_DIGEST_LENGTH]; + X509_CERT_AUX *aux; + CRYPTO_BUFFER *buf; + CRYPTO_MUTEX lock; +} /* X509 */; + DEFINE_STACK_OF(X509) // This is used for a table of trust checking functions @@ -206,7 +254,7 @@ DEFINE_STACK_OF(X509_TRUST) #define XN_FLAG_SEP_MASK (0xf << 16) #define XN_FLAG_COMPAT 0 // Traditional SSLeay: use old X509_NAME_print -#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) // RFC 2253 ,+ +#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) // RFC2253 ,+ #define XN_FLAG_SEP_CPLUS_SPC (2 << 16) // ,+ spaced: more readable #define XN_FLAG_SEP_SPLUS_SPC (3 << 16) // ;+ spaced #define XN_FLAG_SEP_MULTILINE (4 << 16) // One line per field @@ -225,13 +273,13 @@ DEFINE_STACK_OF(X509_TRUST) #define XN_FLAG_SPC_EQ (1 << 23) // Put spaces round '=' // This determines if we dump fields we don't recognise: -// RFC 2253 requires this. +// RFC2253 requires this. #define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24) #define XN_FLAG_FN_ALIGN (1 << 25) // Align field names to 20 characters -// Complete set of RFC 2253 flags +// Complete set of RFC2253 flags #define XN_FLAG_RFC2253 \ (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \ @@ -408,7 +456,7 @@ OPENSSL_EXPORT void X509_get0_uids(const X509 *x509, #define X509_extract_key(x) X509_get_pubkey(x) // X509_get_pathlen returns path length constraint from the basic constraints -// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the +// extension in |x509|. (See RFC5280, section 4.2.1.9.) It returns -1 if the // constraint is not present, or if some extension in |x509| was invalid. // // Note that decoding an |X509| object will not check for invalid extensions. To @@ -676,6 +724,7 @@ OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md, // copying parts of it as a normal |d2i_X509| call would do. OPENSSL_EXPORT X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf); +#ifndef OPENSSL_NO_FP_API OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509); OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509); OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl); @@ -709,6 +758,7 @@ OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey); OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a); OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey); OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a); +#endif OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509); OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509); @@ -810,30 +860,12 @@ OPENSSL_EXPORT int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne); OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder, size_t *pderlen); -// X509_cmp_time compares |s| against |*t|. On success, it returns a negative -// number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it -// returns zero. If |t| is NULL, it uses the current time instead of |*t|. -// -// WARNING: Unlike most comparison functions, this function returns zero on -// error, not equality. OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t); - -// X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against -// the current time. OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s); - -// X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero. -OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, - time_t *t); - -// X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If -// |t| is NULL, it uses the current time instead of |*t|. +OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *t); OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *t); - -// X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the -// current time. -OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec); +OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj); OPENSSL_EXPORT const char *X509_get_default_cert_area(void); OPENSSL_EXPORT const char *X509_get_default_cert_dir(void); @@ -850,15 +882,7 @@ DECLARE_ASN1_FUNCTIONS(X509_VAL) DECLARE_ASN1_FUNCTIONS(X509_PUBKEY) -// X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY| -// structure. On success, it frees |*x|, sets |*x| to the new object, and -// returns one. Otherwise, it returns zero. OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); - -// X509_PUBKEY_get decodes the public key in |key| and returns an |EVP_PKEY| on -// success, or NULL on error. The caller must release the result with -// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |key|, so callers must -// not mutate the result. OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key); DECLARE_ASN1_FUNCTIONS(X509_SIG) @@ -880,10 +904,10 @@ DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY) DECLARE_ASN1_FUNCTIONS(X509_NAME) -// X509_NAME_set makes a copy of |name|. On success, it frees |*xn|, sets |*xn| -// to the copy, and returns one. Otherwise, it returns zero. OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name); +DECLARE_ASN1_FUNCTIONS(X509_CINF) + DECLARE_ASN1_FUNCTIONS(X509) DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) @@ -1087,7 +1111,7 @@ OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req, // a known NID. OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req); -// i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986) +// i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC2986) // portion of |req|. If |outp| is NULL, nothing is written. Otherwise, if // |*outp| is not NULL, the result is written to |*outp|, which must have enough // space available, and |*outp| is advanced just past the output. If |outp| is @@ -1114,7 +1138,7 @@ OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req); // X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type // for carrying extensions and zero otherwise. The supported types are -// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req| +// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC2985) and |NID_ms_ext_req| // (a Microsoft szOID_CERT_EXTENSIONS variant). OPENSSL_EXPORT int X509_REQ_extension_nid(int nid); @@ -1122,7 +1146,7 @@ OPENSSL_EXPORT int X509_REQ_extension_nid(int nid); // returns a newly-allocated |STACK_OF(X509_EXTENSION)| containing the result. // It returns NULL on error, or if |req| did not request extensions. // -// This function supports both pkcs-9-at-extensionRequest from RFC 2985 and the +// This function supports both pkcs-9-at-extensionRequest from RFC2985 and the // Microsoft szOID_CERT_EXTENSIONS variant. OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req); @@ -1342,6 +1366,7 @@ OPENSSL_EXPORT unsigned long X509_NAME_hash_old(X509_NAME *x); OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b); +#ifndef OPENSSL_NO_FP_API OPENSSL_EXPORT int X509_print_ex_fp(FILE *bp, X509 *x, unsigned long nmflag, unsigned long cflag); OPENSSL_EXPORT int X509_print_fp(FILE *bp, X509 *x); @@ -1349,6 +1374,7 @@ OPENSSL_EXPORT int X509_CRL_print_fp(FILE *bp, X509_CRL *x); OPENSSL_EXPORT int X509_REQ_print_fp(FILE *bp, X509_REQ *req); OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent, unsigned long flags); +#endif OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase); OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, @@ -1887,16 +1913,12 @@ OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp); OPENSSL_EXPORT int X509_TRUST_get_trust(const X509_TRUST *xp); -struct rsa_pss_params_st { +typedef struct rsa_pss_params_st { X509_ALGOR *hashAlgorithm; X509_ALGOR *maskGenAlgorithm; ASN1_INTEGER *saltLength; ASN1_INTEGER *trailerField; - // OpenSSL caches the MGF hash on |RSA_PSS_PARAMS| in some cases. None of the - // cases apply to BoringSSL, so this is always NULL, but Node expects the - // field to be present. - X509_ALGOR *maskHash; -} /* RSA_PSS_PARAMS */; +} RSA_PSS_PARAMS; DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS) @@ -1936,6 +1958,10 @@ BORINGSSL_MAKE_UP_REF(X509_STORE, X509_STORE_up_ref) BORINGSSL_MAKE_DELETER(X509_STORE_CTX, X509_STORE_CTX_free) BORINGSSL_MAKE_DELETER(X509_VERIFY_PARAM, X509_VERIFY_PARAM_free) +using ScopedX509_STORE_CTX = + internal::StackAllocated<X509_STORE_CTX, void, X509_STORE_CTX_zero, + X509_STORE_CTX_cleanup>; + BSSL_NAMESPACE_END } // extern C++ diff --git a/src/include/openssl/x509_vfy.h b/src/include/openssl/x509_vfy.h index d8781afd..9b99f4a9 100644 --- a/src/include/openssl/x509_vfy.h +++ b/src/include/openssl/x509_vfy.h @@ -99,8 +99,39 @@ certificate chain. #define X509_LU_CRL 2 #define X509_LU_PKEY 3 +typedef struct x509_object_st { + // one of the above types + int type; + union { + char *ptr; + X509 *x509; + X509_CRL *crl; + EVP_PKEY *pkey; + } data; +} X509_OBJECT; + DEFINE_STACK_OF(X509_LOOKUP) DEFINE_STACK_OF(X509_OBJECT) + +// This is a static that defines the function interface +typedef struct x509_lookup_method_st { + const char *name; + int (*new_item)(X509_LOOKUP *ctx); + void (*free)(X509_LOOKUP *ctx); + int (*init)(X509_LOOKUP *ctx); + int (*shutdown)(X509_LOOKUP *ctx); + int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, + char **ret); + int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, + X509_OBJECT *ret); + int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name, + ASN1_INTEGER *serial, X509_OBJECT *ret); + int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, unsigned char *bytes, + int len, X509_OBJECT *ret); + int (*get_by_alias)(X509_LOOKUP *ctx, int type, char *str, int len, + X509_OBJECT *ret); +} X509_LOOKUP_METHOD; + DEFINE_STACK_OF(X509_VERIFY_PARAM) typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); @@ -122,8 +153,103 @@ typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)( X509_STORE_CTX *ctx, X509_NAME *nm); typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx); +// This is used to hold everything. It is used for all certificate +// validation. Once we have a certificate chain, the 'verify' +// function is then called to actually check the cert chain. +struct x509_store_st { + // The following is a cache of trusted certs + int cache; // if true, stash any hits + STACK_OF(X509_OBJECT) *objs; // Cache of all objects + CRYPTO_MUTEX objs_lock; + STACK_OF(X509) *additional_untrusted; + + // These are external lookup methods + STACK_OF(X509_LOOKUP) *get_cert_methods; + + X509_VERIFY_PARAM *param; + + // Callbacks for various operations + X509_STORE_CTX_verify_fn verify; // called to verify a certificate + X509_STORE_CTX_verify_cb verify_cb; // error callback + X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx + X509_STORE_CTX_check_issued_fn check_issued; // check issued + X509_STORE_CTX_check_revocation_fn + check_revocation; // Check revocation status of chain + X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL + X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity + X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL + X509_STORE_CTX_lookup_certs_fn lookup_certs; + X509_STORE_CTX_lookup_crls_fn lookup_crls; + X509_STORE_CTX_cleanup_fn cleanup; + + CRYPTO_refcount_t references; +} /* X509_STORE */; + OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth); +// This is the functions plus an instance of the local variables. +struct x509_lookup_st { + int init; // have we been started + int skip; // don't use us. + X509_LOOKUP_METHOD *method; // the functions + char *method_data; // method data + + X509_STORE *store_ctx; // who owns us +} /* X509_LOOKUP */; + +// This is a used when verifying cert chains. Since the +// gathering of the cert chain can take some time (and have to be +// 'retried', this needs to be kept and passed around. +struct x509_store_ctx_st // X509_STORE_CTX +{ + X509_STORE *ctx; + + // The following are set by the caller + X509 *cert; // The cert to check + STACK_OF(X509) *untrusted; // chain of X509s - untrusted - passed in + STACK_OF(X509_CRL) *crls; // set of CRLs passed in + + X509_VERIFY_PARAM *param; + void *other_ctx; // Other info for use with get_issuer() + + // Callbacks for various operations + X509_STORE_CTX_verify_fn verify; // called to verify a certificate + X509_STORE_CTX_verify_cb verify_cb; // error callback + X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx + X509_STORE_CTX_check_issued_fn check_issued; // check issued + X509_STORE_CTX_check_revocation_fn + check_revocation; // Check revocation status of chain + X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL + X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity + X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL + X509_STORE_CTX_check_policy_fn check_policy; + X509_STORE_CTX_lookup_certs_fn lookup_certs; + X509_STORE_CTX_lookup_crls_fn lookup_crls; + X509_STORE_CTX_cleanup_fn cleanup; + + // The following is built up + int valid; // if 0, rebuild chain + int last_untrusted; // index of last untrusted cert + STACK_OF(X509) *chain; // chain of X509s - built up and trusted + X509_POLICY_TREE *tree; // Valid policy tree + + int explicit_policy; // Require explicit policy value + + // When something goes wrong, this is why + int error_depth; + int error; + X509 *current_cert; + X509 *current_issuer; // cert currently being tested as valid issuer + X509_CRL *current_crl; // current CRL + + int current_crl_score; // score of current CRL + unsigned int current_reasons; // Reason mask + + X509_STORE_CTX *parent; // For CRL path validation: parent context + + CRYPTO_EX_DATA ex_data; +} /* X509_STORE_CTX */; + OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_STORE_CTX_set_app_data(ctx, data) \ diff --git a/src/include/openssl/x509v3.h b/src/include/openssl/x509v3.h index 8e4a511c..7e65ab33 100644 --- a/src/include/openssl/x509v3.h +++ b/src/include/openssl/x509v3.h @@ -154,6 +154,8 @@ DEFINE_STACK_OF(X509V3_EXT_METHOD) #define X509V3_EXT_CTX_DEP 0x2 #define X509V3_EXT_MULTILINE 0x4 +typedef BIT_STRING_BITNAME ENUMERATED_NAMES; + struct BASIC_CONSTRAINTS_st { int ca; ASN1_INTEGER *pathlen; @@ -483,30 +485,12 @@ OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING( X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *extlist); -// i2v_GENERAL_NAME serializes |gen| as a |CONF_VALUE|. If |ret| is non-NULL, it -// appends the value to |ret| and returns |ret| on success or NULL on error. If -// it returns NULL, the caller is still responsible for freeing |ret|. If |ret| -// is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| containing the -// result. |method| is ignored. -// -// Do not use this function. This is an internal implementation detail of the -// human-readable print functions. If extracting a SAN list from a certificate, -// look at |gen| directly. OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME( X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret); OPENSSL_EXPORT int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen); DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES) -// i2v_GENERAL_NAMES serializes |gen| as a list of |CONF_VALUE|s. If |ret| is -// non-NULL, it appends the values to |ret| and returns |ret| on success or NULL -// on error. If it returns NULL, the caller is still responsible for freeing -// |ret|. If |ret| is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| -// containing the results. |method| is ignored. -// -// Do not use this function. This is an internal implementation detail of the -// human-readable print functions. If extracting a SAN list from a certificate, -// look at |gen| directly. OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES( X509V3_EXT_METHOD *method, GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist); @@ -620,35 +604,15 @@ OPENSSL_EXPORT void X509V3_section_free(X509V3_CTX *ctx, OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject, X509_REQ *req, X509_CRL *crl, int flags); -// X509V3_add_value appends a |CONF_VALUE| containing |name| and |value| to -// |*extlist|. It returns one on success and zero on error. If |*extlist| is -// NULL, it sets |*extlist| to a newly-allocated |STACK_OF(CONF_VALUE)| -// containing the result. Either |name| or |value| may be NULL to omit the -// field. -// -// On failure, if |*extlist| was NULL, |*extlist| will remain NULL when the -// function returns. OPENSSL_EXPORT int X509V3_add_value(const char *name, const char *value, STACK_OF(CONF_VALUE) **extlist); - -// X509V3_add_value_uchar behaves like |X509V3_add_value| but takes an -// |unsigned char| pointer. OPENSSL_EXPORT int X509V3_add_value_uchar(const char *name, const unsigned char *value, STACK_OF(CONF_VALUE) **extlist); - -// X509V3_add_value_bool behaves like |X509V3_add_value| but stores the value -// "TRUE" if |asn1_bool| is non-zero and "FALSE" otherwise. OPENSSL_EXPORT int X509V3_add_value_bool(const char *name, int asn1_bool, STACK_OF(CONF_VALUE) **extlist); - -// X509V3_add_value_bool behaves like |X509V3_add_value| but stores a string -// representation of |aint|. Note this string representation may be decimal or -// hexadecimal, depending on the size of |aint|. -OPENSSL_EXPORT int X509V3_add_value_int(const char *name, - const ASN1_INTEGER *aint, +OPENSSL_EXPORT int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint, STACK_OF(CONF_VALUE) **extlist); - OPENSSL_EXPORT char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const ASN1_INTEGER *aint); OPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, @@ -695,7 +659,7 @@ OPENSSL_EXPORT void *X509V3_EXT_d2i(const X509_EXTENSION *ext); // extension, or -1 if not found. If |out_idx| is non-NULL, duplicate extensions // are not treated as an error. Callers, however, should not rely on this // behavior as it may be removed in the future. Duplicate extensions are -// forbidden in RFC 5280. +// forbidden in RFC5280. // // WARNING: This function is difficult to use correctly. Callers should pass a // non-NULL |out_critical| and check both the return value and |*out_critical| @@ -825,7 +789,7 @@ OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x); OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x); // X509_get0_subject_key_id returns |x509|'s subject key identifier, if present. -// (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not +// (See RFC5280, section 4.2.1.2.) It returns NULL if the extension is not // present or if some extension in |x509| was invalid. // // Note that decoding an |X509| object will not check for invalid extensions. To @@ -834,7 +798,7 @@ OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x); OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509); // X509_get0_authority_key_id returns keyIdentifier of |x509|'s authority key -// identifier, if the extension and field are present. (See RFC 5280, +// identifier, if the extension and field are present. (See RFC5280, // section 4.2.1.1.) It returns NULL if the extension is not present, if it is // present but lacks a keyIdentifier field, or if some extension in |x509| was // invalid. @@ -846,7 +810,7 @@ OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509); // X509_get0_authority_issuer returns the authorityCertIssuer of |x509|'s // authority key identifier, if the extension and field are present. (See -// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, +// RFC5280, section 4.2.1.1.) It returns NULL if the extension is not present, // if it is present but lacks a authorityCertIssuer field, or if some extension // in |x509| was invalid. // @@ -857,7 +821,7 @@ OPENSSL_EXPORT const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509); // X509_get0_authority_serial returns the authorityCertSerialNumber of |x509|'s // authority key identifier, if the extension and field are present. (See -// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, +// RFC5280, section 4.2.1.1.) It returns NULL if the extension is not present, // if it is present but lacks a authorityCertSerialNumber field, or if some // extension in |x509| was invalid. // @@ -938,11 +902,8 @@ BSSL_NAMESPACE_BEGIN BORINGSSL_MAKE_DELETER(ACCESS_DESCRIPTION, ACCESS_DESCRIPTION_free) BORINGSSL_MAKE_DELETER(AUTHORITY_KEYID, AUTHORITY_KEYID_free) BORINGSSL_MAKE_DELETER(BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free) -// TODO(davidben): Move this to conf.h and rename to CONF_VALUE_free. -BORINGSSL_MAKE_DELETER(CONF_VALUE, X509V3_conf_free) BORINGSSL_MAKE_DELETER(DIST_POINT, DIST_POINT_free) BORINGSSL_MAKE_DELETER(GENERAL_NAME, GENERAL_NAME_free) -BORINGSSL_MAKE_DELETER(GENERAL_SUBTREE, GENERAL_SUBTREE_free) BORINGSSL_MAKE_DELETER(NAME_CONSTRAINTS, NAME_CONSTRAINTS_free) BORINGSSL_MAKE_DELETER(POLICY_MAPPING, POLICY_MAPPING_free) BORINGSSL_MAKE_DELETER(POLICYINFO, POLICYINFO_free) @@ -1015,6 +976,5 @@ BSSL_NAMESPACE_END #define X509V3_R_UNSUPPORTED_OPTION 160 #define X509V3_R_UNSUPPORTED_TYPE 161 #define X509V3_R_USER_TOO_LONG 162 -#define X509V3_R_INVALID_VALUE 163 #endif |