Chiebot-Mirror/boringssl - boringssl - Gitea: Git with a cup of tea

Author	SHA1	Message	Date
David Benjamin	09b8fd44c3	Const-correct X509_EXTENSION functions, as best we can. Some of these were non-const because dup functions weren't const-correct, but they are now. Once nuisance is the accessors. Ideally they'd return non-const pointers, but that'll break OpenSSL consumers. Bug: 407 Change-Id: I52b939a846b726d1d84dd2d5fdf71a7a7284d49e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53336 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>	3 years ago
David Benjamin	28c5354806	Accept invalid "v3" CSRs. Although not defined, older versions of certbot use numeric value 2, which would be a hypothetical v3(2). See https://github.com/certbot/certbot/pull/9334. Accept these for compatibility. Bug: 467 Change-Id: I47cc64503569992595bdb42baa6333058d560242 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53229 Reviewed-by: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com>	3 years ago
David Benjamin	260a10cccb	clang-format remaining directories. Previously, we did not clang-format a few directories because we had left them largely untouched. clang-format them now so we're finally more uniform. This CL is the result of the following commands: for d in asn1 x509 x509v3 pem; do clang-format -i crypto/$d/.h clang-format -i crypto/$d/.c done (Written in this funny way because crypto/pem/*.h doesn't match anything.) Change-Id: I7f4ca9b3a9c8f07d6556e00e9e84b3c0880ee12e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53085 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com>	3 years ago
David Benjamin	7fd831c44c	Enforce X.509 version invariants more consistently. This aligns X509_REQ's and X509_CRL's parsers to the changes already made with X509; we reject invalid versions and check that extensions are only with the corresponding version. For now, we still allow X509v1 CRLs with an explicit version, matching certificates. (The DEFAULT question is moot for X509_REQ because CSRs always encode their version, see RFC 2986.) In addition to rejecting garbage, this allows for a more efficient representation once we stop using the table-based parser: X509 and X509_CRL can just store a small enum. X509_REQ doesn't need to store anything because the single version is information-less. Update-Note: Invalid CRL and CSR versions will no longer be accepted. X509_set_version, etc., no longer allow invalid versions. Fixed: 467 Change-Id: I33f3aec747d8060ab80e0cbb8ddf97672e07642c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52605 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>	3 years ago
David Benjamin	94089a8b53	Silence -Wformat-signedness when printing X.509 versions. This fix isn't ideal, given the current space of possible version values. But rather than make the printing code complicated, we should make invalid versions impossible. I've left TODOs where that would be needed. Bug: 467, 450 Change-Id: I6c9ae97b8454182b0c1ab6ba2e070dc6d7d8b3f4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50767 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>	3 years ago
David Benjamin	e60893c098	Make X509_PUBKEY opaque. Update-Note: Direct accesses of X509_PUBKEY should be replaced with one of the accessors. I believe all callers have been fixed at this point. Change-Id: Ib325782867478fb548da1bf5ef0023cf989f125b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46944 Reviewed-by: Adam Langley <agl@google.com>	4 years ago
Adam Langley	fb0c05cac2	acvp: add CMAC-AES support. Change by Dan Janni. Change-Id: I3f059e7b1a822c6f97128ca92a693499a3f7fa8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41984 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>	5 years ago