Upstream merge 2024 09 16 #1862

Merged
merged 9 commits into from
Oct 7, 2024

andrewhop
Contributor

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@andrewhop andrewhop requested a review from a team as a code owner September 18, 2024 17:31
@andrewhop andrewhop force-pushed the upstream-merge-2024-09-16 branch from 8642d88 to 3c12d5d Compare September 23, 2024 21:58
@codecov-commenter

codecov-commenter commented Sep 23, 2024

Codecov Report

Attention: Patch coverage is 92.85714% with 1 line in your changes missing coverage. Please review.

Project coverage is 78.52%. Comparing base (bda01b4) to head (d38221b).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ssl/ssl_cert.cc | 80.00% | 1 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1862      +/-   ##
==========================================
+ Coverage   78.49%   78.52%   +0.02%     
==========================================
  Files         585      585              
  Lines       99630    99635       +5     
  Branches    14253    14256       +3     
==========================================
+ Hits        78201    78234      +33     
+ Misses      20794    20765      -29     
- Partials      635      636       +1     


@andrewhop andrewhop force-pushed the upstream-merge-2024-09-16 branch 2 times, most recently from b44b8c9 to 6a4a6ab Compare October 1, 2024 18:09
@andrewhop andrewhop force-pushed the upstream-merge-2024-09-16 branch 2 times, most recently from 8b94671 to 093d503 Compare October 4, 2024 20:27
davidben and others added 9 commits October 7, 2024 11:10
This is only used internally, for X509_PURPOSE_ANY to mark that it has
no corresponding trust value. Contrary to the name, this doesn't mean
to use the default X509_TRUST behavior, but to make it impossible to
configure via X509_STORE_CTX_set_purpose.

Since it's only used in one place, as any value that fails lookup, I've
just put a local define in v3_purp.c.

Change-Id: Id3e44c08528a303132ef09d0a94521af67cc2230
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65212
Auto-Submit: David Benjamin <[email protected]>
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
(cherry picked from commit 5a1a5fbdb865fa58f1da0fd8bf6426f801ea37ac)

These were mostly already documented, but fit the current style. Add a
couple tests for some interesting cases.

With this, all we have left to document are:
- Built-in and custom extensions
- Filesystem-based X509_STORE bits
- The APIs to query X509_STORE (mildly annoying because the
  sort-of-a-cache-sort-of-not thing is exposed)

Bug: 426
Change-Id: I68c16071b8781f560e6601fd65a7fba9b6efe862
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65790
Commit-Queue: David Benjamin <[email protected]>
Reviewed-by: Bob Beck <[email protected]>
(cherry picked from commit a028a23fe5fe8390389b05d2740f0576908fe25d)

It's less bad than I originally wrote because trust properties only
matter if configured on the X509_STORE. Add a test for this.

This is good because lots of functions trigger d2i_X509_AUX, so I think
we have to assume attackers can specify these values. Nonetheless, this
is surprising, so document which functions trigger this.

Change-Id: I73ce44acfa2a373ef3f3ef09c3e46cea98124f33
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65791
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
(cherry picked from commit 0568c2c1dbff4e1de4d5a63fbaf7d13925df27fa)

Probably we could remove this altogether. The new verifier doesn't
support nameRelativeToCRLIssuer.

Change-Id: Ibb2210d513827577656d816fad90f658c2875601
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65792
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
(cherry picked from commit 46ff4f7f73304a0ccf65109a2ff47469cf4cfb26)

There are still a pile of functions left to document, but we're far
enough now that the doc generation is happy to run on this header. Go
ahead and start generating output.

Bug: 426
Change-Id: I4c807d625df3a4a881936e99b5a3fc6559cda6c9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65793
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
(cherry picked from commit ea003bdaab1a6611b1a09f4e7f4cae3fa7390588)

Although the comments say draft-03, we're currently on draft-06.
dcd6e44 forgot to update all the
comments.

The final RFC is identical to draft-06, except
expected_cert_verify_algorithm was renamed to dc_cert_verify_algorithm,
so this is just changing comment and renaming something.

While I'm here, write the codepoint in decimal instead of hex, to match
the document and how the other IANA codepoints are written out.

Change-Id: I6d1f362a21eecafeef5bba5879f4158e31c8def4
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66367
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: Bob Beck <[email protected]>
Auto-Submit: David Benjamin <[email protected]>
(cherry picked from commit 48b0edfdf2dd9f38650d2ec13fa72cc0407a0d84)

We always pass this, so checks are redundant. Note this doesn't control
the SSE2 runtime checks, just whether SSE2 code is emitted.

Change-Id: I159806928643915afecf738dcac218007ba94600
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65869
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
(cherry picked from commit 20c93abd47726624ab3e479466078f7e63f081f7)

Bug: 673
Change-Id: I7e213dc1bbb62553499666c1b271d97f8c43a3ce
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65870
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
(cherry picked from commit 6d0caa1a0aad0b035ff1a63f9e292fec45ad3b35)

@andrewhop andrewhop force-pushed the upstream-merge-2024-09-16 branch from 093d503 to d38221b Compare October 7, 2024 18:10
@andrewhop andrewhop merged commit 3c81298 into aws:main Oct 7, 2024
107 of 111 checks passed

5 participants