Merge BoringSSL through 0f2c55cb748651833af247bbed43e. #1648

Merged
merged 16 commits into from
Sep 21, 2023


briansmith
Owner

No description provided.

davidben and others added 16 commits June 14, 2022 18:15
Starting version 2019 16.8 (released November 2020), MSVC actually
implements parts of C11, though disabled by default. You have to pass
/std:c11, and then alignas, alignof, and noreturn all work.

When built that way, better to use the real ones, so check for
__STDC_VERSION__ first. It would be nice to mandate that so we can
remove the polyfill, but for now just opportunistically use it when we
can.

Sadly, even in this mode, they still don't implement C11 atomics, so the
refcounting implementation will still be slow.

Change-Id: I28dab4a339c368f7d8f8da5aa7aee1cb344803d3
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53006
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
SSL_load_client_CA_file can just call
SSL_add_file_cert_subjects_to_stack.

SSL_add_file_cert_subjects_to_stack itself is rewritten to use scopers
and also give subquadratic running time. Sorting after every insertion
does not actually help. (It would have been faster to do a linear
search.) Instead, gather the names first, then sort and deduplicate.

Finally, add a SSL_add_bio_cert_subjects_to_stack. This is both to
simplify testing and because Envoy code copied from
SSL_add_file_cert_subjects_to_stack, complete with the quadratic
behavior. It is the only external project that depends on the
STACK_OF(T) comparison function. To simplify making that const-correct,
just export the function they needed anyway.

Bug: 498
Change-Id: I00d13c949a535c0d60873fe4ba2e5604bb585cca
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53007
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
This results in one change, which is the comparison function goes from:

  typedef char *OPENSSL_STRING;
  static int sk_strcmp(const OPENSSL_STRING *a,
                       const OPENSSL_STRING *b);

which is:

  static int sk_strcmp(char *const *a, char *const *b)

into:

  static int sk_strcmp(const char **a, const char **b)

Neither is correct (both consts should be there), but switching the
definition is necessary to attach the 'const' to 'char' itself. Otherwise
it wouldn't see through the typedef. Fixing the rest of the calling
convention will finish the job. Plan there is, when
I00d13c949a535c0d60873fe4ba2e5604bb585cca lands, I'll switch Envoy to
call that. Then we should be clear to const-correct the callback.

(While STACK_OF(OPENSSL_STRING) is used externally, nothing external
touches the comparison function.)

Bug: 498
Change-Id: I77bdf2a72b2553bf9409a1d39326890ed5c3582c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53008
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Refuse to parse times that are invalid according to RFC 5280, with
a few exceptions for compatibility. This can affect test code that
relies on making and parsing certificates that contain invalid times.

Update-Note: Certificates containing invalid ASN.1 times will no longer parse.

Bug: 491, 427

Change-Id: I2a3fe3a4d359ac662340a225d05b360718eb8c29
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52665
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
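
Added example, not part of BoringSSL or this pull request: a strict validator for the two RFC 5280 time encodings the commit above refers to (UTCTime `YYMMDDHHMMSSZ`, GeneralizedTime `YYYYMMDDHHMMSSZ`). It implements only the strict rule and none of the compatibility exceptions the commit mentions; the name `rfc5280_time_is_valid` and the rejection of second 60 are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parse exactly n ASCII digits at s into *out; returns 0 on a non-digit. */
static int digits(const char *s, size_t n, int *out) {
  int v = 0;
  for (size_t i = 0; i < n; i++) {
    if (s[i] < '0' || s[i] > '9') return 0;
    v = v * 10 + (s[i] - '0');
  }
  *out = v;
  return 1;
}

static int days_in_month(int year, int month) {
  static const int kDays[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
  int leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
  return (month == 2 && leap) ? 29 : kDays[month - 1];
}

/* Returns 1 if the len bytes at s (not NUL-terminated in DER) are valid.
 * is_generalized: 0 = UTCTime YYMMDDHHMMSSZ, 1 = GeneralizedTime YYYYMMDDHHMMSSZ. */
int rfc5280_time_is_valid(const char *s, size_t len, int is_generalized) {
  size_t ylen = is_generalized ? 4 : 2;
  int year, f[5]; /* f = month, day, hour, minute, second */
  /* Fixed length rules out fractional seconds, offsets and omitted seconds. */
  if (len != ylen + 11 || s[len - 1] != 'Z') return 0;
  if (!digits(s, ylen, &year)) return 0;
  for (int i = 0; i < 5; i++) {
    if (!digits(s + ylen + 2 * i, 2, &f[i])) return 0;
  }
  /* RFC 5280 4.1.2.5.1: two-digit years 50-99 are 19YY, 00-49 are 20YY. */
  if (!is_generalized) year += (year >= 50) ? 1900 : 2000;
  if (f[0] < 1 || f[0] > 12) return 0;
  if (f[1] < 1 || f[1] > days_in_month(year, f[0])) return 0;
  if (f[2] > 23 || f[3] > 59 || f[4] > 59) return 0; /* assumption: no :60 */
  return 1;
}

int main(void) {
  /* Constructed samples: valid, seconds omitted, Feb 29 in a non-leap year. */
  const char *samples[] = {"230921165400Z", "2309211654Z", "230229000000Z"};
  for (int i = 0; i < 3; i++) {
    int ok = rfc5280_time_is_valid(samples[i], strlen(samples[i]), 0);
    printf("%-14s %s\n", samples[i], ok ? "ok" : "rejected");
  }
  return 0;
}
```
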
Change-Id: Id5fda00fe27eb9bc8313dd81a5b0c720323e3903
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53045
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Certain applications of Trust Token need to be able to generate
a large number of keys, instead of storing them all, we provide
an API to take a secret that can be used to generate keys
in a deterministic manner.

Change-Id: I2b61958d1e949a3a47a3c91ab3a866c2e33a9d1d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53011
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Previously, we did not clang-format a few directories because we had
left them largely untouched. clang-format them now so we're finally more
uniform.

This CL is the result of the following commands:

    for d in asn1 x509 x509v3 pem; do
      clang-format -i crypto/$d/*.h
      clang-format -i crypto/$d/*.c
    done

(Written in this funny way because crypto/pem/*.h doesn't match
anything.)

Change-Id: I7f4ca9b3a9c8f07d6556e00e9e84b3c0880ee12e
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53085
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
This CL runs the same command as in the preceding CL, but with
'IncludeBraces: true' added to .clang-format. I've split this out
separately because the documentation says:

> Setting this option to true could lead to incorrect code formatting
> due to clang-format’s lack of complete semantic information. As such,
> extra care should be taken to review code changes made by this option.

I've also kept InsertBraces out of .clang-format for now because it's a
fairly recent option, and clang-format fails when it sees unrecognized
options.

Change-Id: I305ea7bb2633704053a1f8de1e11b037b9fc8a76
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53086
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
This CL is the result of the following commands:

    for d in asn1 x509 x509v3 pem; do
      go run util/convert_comments.go crypto/$d/*.h
      go run util/convert_comments.go crypto/$d/*.c
    done

Change-Id: If78433f68cb2f913b0de06ded744a5a65540e1cf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53087
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Some things that I noticed paging through.

Change-Id: I41e5e12b743fd996f5ff91d19f6edc074169f629
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53088
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
This is a mechanical change generated from the following command:

    find crypto/{asn1,pem,x509,x509v3} -name '*.c' -o -name '*.h' | xargs sed -i -e 's/return (\([^;()]*\));/return \1;/'

Change-Id: I957295af96c4aa08d6006e27093fd3a07fb6fe75
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53089
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
The comment says (in the now outdated orflags terms) that we don't need
to worry about this case because is_first/is_last only affect ASCII
codepoints, but it's easier to just set it correctly.

Change-Id: Ib6db66adb162a555da50f563ffc9af9da4a878ec
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53126
Reviewed-by: Adam Langley <agl@google.com>
This may be okay because of the strict aliasing character type rule, but
easier not to think about it.

Bug: 301
Change-Id: I5eec356a5411a67036425e953e56529bac81ad4a
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53091
Reviewed-by: Adam Langley <agl@google.com>
Bug: 301
Change-Id: I896307cd035652c8d36f0bf6b51f2c2b7ba281df
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53092
Reviewed-by: Adam Langley <agl@google.com>
Take the changes from BoringSSL, except use `limbs_copy` and `limbs_zero`.
@briansmith briansmith self-assigned this Sep 19, 2023
@briansmith briansmith merged commit 6e9f1b7 into main Sep 21, 2023
265 checks passed
@briansmith briansmith deleted the b/merge-boringssl-9 branch September 21, 2023 16:54