Skip to content

Commit

Permalink
Upstream merge 2024 08 02 (#1738)
Browse files Browse the repository at this point in the history
Merging from Upstream considering commits between

google/boringssl@4972efd
(Jan 22, 2024) and

google/boringssl@100e212
(Jan 23, 2024).

See "AWS-LC" notes inserted in some of the commit messages 
for additions/deviations from the upstream commit.
  • Loading branch information
smittals2 authored Aug 6, 2024
2 parents 98eeccf + 4faeee7 commit 5fd0f08
Show file tree
Hide file tree
Showing 10 changed files with 2,355 additions and 1,539 deletions.
6 changes: 5 additions & 1 deletion crypto/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -701,7 +701,11 @@ else()
build_libcrypto(crypto $<TARGET_OBJECTS:fipsmodule>)
endif()

if(NOT ANDROID)
# CMAKE_SYSTEM_NAME is "Generic" for embedded OSes:
# https://cmake.org/cmake/help/book/mastering-cmake/chapter/Cross%20Compiling%20With%20CMake.html#toolchain-files
#
# For now we assume embedded OSes do not have threads.
if(NOT (ANDROID OR CMAKE_SYSTEM_NAME STREQUAL "Generic"))
find_package(Threads REQUIRED)
target_link_libraries(crypto PUBLIC Threads::Threads)
endif()
Expand Down
19 changes: 9 additions & 10 deletions crypto/x509/v3_purp.c
Original file line number Diff line number Diff line change
Expand Up @@ -437,6 +437,10 @@ static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
return 0;
}
if (ca) {
// TODO(davidben): Move the various |check_ca| calls out of the
// |check_purpose| callbacks. Those checks are purpose-independent. They are
// also redundant when called from |X509_verify_cert|, though
// not when |X509_check_purpose| is called directly.
return check_ca(x);
}
// We need to do digital signatures or key agreement
Expand Down Expand Up @@ -478,8 +482,7 @@ static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,

static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
int ca) {
int ret;
ret = check_purpose_ssl_server(xp, x, ca);
int ret = check_purpose_ssl_server(xp, x, ca);
if (!ret || ca) {
return ret;
}
Expand Down Expand Up @@ -512,8 +515,7 @@ static int purpose_smime(const X509 *x, int ca) {

static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
int ca) {
int ret;
ret = purpose_smime(x, ca);
int ret = purpose_smime(x, ca);
if (!ret || ca) {
return ret;
}
Expand All @@ -525,8 +527,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,

static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
int ca) {
int ret;
ret = purpose_smime(x, ca);
int ret = purpose_smime(x, ca);
if (!ret || ca) {
return ret;
}
Expand Down Expand Up @@ -560,8 +561,6 @@ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) {

static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
int ca) {
int i_ext;

// If ca is true we must return if this is a valid CA certificate.
if (ca) {
return check_ca(x);
Expand All @@ -585,9 +584,9 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
}

// Extended Key Usage MUST be critical
i_ext = X509_get_ext_by_NID((X509 *)x, NID_ext_key_usage, -1);
int i_ext = X509_get_ext_by_NID(x, NID_ext_key_usage, -1);
if (i_ext >= 0) {
const X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
const X509_EXTENSION *ext = X509_get_ext(x, i_ext);
if (!X509_EXTENSION_get_critical(ext)) {
return 0;
}
Expand Down
Loading

0 comments on commit 5fd0f08

Please sign in to comment.