Upstream merge 2024-03-11 #1488
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1488 +/- ##
==========================================
+ Coverage 77.00% 77.12% +0.12%
==========================================
Files 425 425
Lines 71644 71517 -127
==========================================
- Hits 55168 55159 -9
+ Misses 16476 16358 -118 ☔ View full report in Codecov by Sentry. |
andrewhop
force-pushed
the
upstream-merge-2024-03-11
branch
from
5de3557
to
43ed2a7
Compare
nebeid
reviewed
Mar 14, 2024
justsmth
requested review from
justsmth and
dkostic
and removed request for
justsmth
andrewhop
force-pushed
the
upstream-merge-2024-03-11
branch
from
43ed2a7
to
afa95fa
Compare
nebeid
approved these changes
Mar 25, 2024
dkostic
approved these changes
Mar 25, 2024
OPENSSL_memcpy already internally checks for empty lengths. Change-Id: I0015758fd5410e036b532ae727341ae0c0edbdbf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63826 Reviewed-by: Bob Beck <[email protected]> Commit-Queue: David Benjamin <[email protected]> (cherry picked from commit a1263228b8b21d9c9e8d959c0b027da0690c188c)
Change-Id: Ib46d58de31a2c3edd8bcc0652f2f5f03ca4caf1a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63827 Commit-Queue: David Benjamin <[email protected]> Reviewed-by: Bob Beck <[email protected]> (cherry picked from commit ad57528d2c978543106f9b115bd0eb658f3ebdd2)
This'll probably need another pass once we figure out what to do with X509_TRUST, but put it with the other aux functions. Bug: 426 Change-Id: I6ae2e45b94bace40307dd4dcc1c8702fc8baa8eb Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63925 Reviewed-by: Bob Beck <[email protected]> Auto-Submit: David Benjamin <[email protected]> Commit-Queue: Bob Beck <[email protected]> (cherry picked from commit 240b73adcdc175804712f26802c6d354ee9df9a0)
Also move a few functions into the correct sections. Bug: 426 Change-Id: I81c4e65bd7f248251a2a85b9934abe500798532a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63926 Commit-Queue: David Benjamin <[email protected]> Auto-Submit: David Benjamin <[email protected]> Reviewed-by: Bob Beck <[email protected]> (cherry picked from commit dd8ffe1db3bc83ba0c5b2ebba3dd9537c39bbcf8)
Bug: 426 Change-Id: I82820de3048af0d9280d37b89ebf98cb07c746d8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63927 Reviewed-by: Bob Beck <[email protected]> Auto-Submit: David Benjamin <[email protected]> Commit-Queue: David Benjamin <[email protected]> (cherry picked from commit 5d1c612a8b66fafabf759e47b36b6244dda8444c)
Update-Note: Removed an unused function. This has no callers and is only useful to create delta CRLs, which are similarly unused and being removed. Bug: 601 Change-Id: I22abf36e723d19b9759bcabf28fddf7f2ffe7379 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63928 Reviewed-by: Bob Beck <[email protected]> Commit-Queue: David Benjamin <[email protected]> Auto-Submit: David Benjamin <[email protected]> (cherry picked from commit 827c7ddbc9a1e2eadf13c245ec436e511272d644)
Update-Note: The X509_V_FLAG_EXTENDED_CRL_SUPPORT and X509_V_FLAG_USE_DELTAS flags now cause verification to fail. They weren't enabled by any caller. This broadly is meant to disable: - Delta CRLs - Indirect CRLs (When the CRL's issuer is somehow different from the certificate. The security properties for this is very interesting, since it refers to just any other random name under the same trust anchor. Very clearly a remnant of when X.509 was meant to authenticate a global directory. See the rather worrisome comment over check_crl_chain.) - Merging together multiple CRLs that are partitioned by reasons There's some other code we can now unwind, which will be handled in follow-up changes. This CL is meant to be a minimal change to disable them. Though even this minimal change requires we delete a bunch of functions. Bug: 601 Change-Id: I319ab793f480c6b99de86da6077b616f18edf06b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63929 Reviewed-by: Bob Beck <[email protected]> Auto-Submit: David Benjamin <[email protected]> Commit-Queue: David Benjamin <[email protected]> (cherry picked from commit f86149982323e57050f853c278ce8aa955b681dc)
x509.h isn't ready for doc.go yet, but fix a few mistakes caught by previewing it. Bug: 426 Change-Id: I79630cc1cbe5737cea96143b54c2fa42882077a0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64140 Reviewed-by: Bob Beck <[email protected]> Commit-Queue: David Benjamin <[email protected]>
andrewhop
force-pushed
the
upstream-merge-2024-03-11
branch
from
afa95fa
to
506d411
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.