Upstream merge 2024 06 24 #1661
Merged
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #1661 +/- ##
==========================================
+ Coverage 78.25% 78.27% +0.01%
==========================================
Files 571 571
Lines 95698 95730 +32
Branches 13725 13729 +4
==========================================
+ Hits 74889 74929 +40
+ Misses 20205 20199 -6
+ Partials 604 602 -2
nebeid force-pushed the upstream-merge-2024-06-24 branch from 5765450 to 0110733 (July 2, 2024 13:49)
andrewhop approved these changes (Jul 8, 2024)
nebeid force-pushed the upstream-merge-2024-06-24 branch from 0110733 to 71e6488 (July 9, 2024 14:42)
nebeid force-pushed the upstream-merge-2024-06-24 branch from 71e6488 to 7b3d67e (July 16, 2024 15:37)
nebeid force-pushed the upstream-merge-2024-06-24 branch from 7b3d67e to 0c880f7 (July 16, 2024 20:53)
skmcgrail approved these changes (Jul 18, 2024)
These are unused and are the only options that remove the "compat" self-signed fallback.

X509_TRUST_OCSP_REQUEST was intended for checking signed OCSP requests. While OpenSSL's OCSP implementation (which we've dropped) does attempt to configure it, it actually does nothing. They call X509_STORE_CTX_set_trust after X509_STORE_CTX_set_purpose, but X509_STORE_CTX_set_purpose already sets the trust parameter and X509_STORE_CTX_set_trust only acts when trust is not configured.

X509_TRUST_OCSP_SIGN was briefly used in upstream's 30c278aa6bb614f4cfc5a26c7cbe66ad090f6896, by way of X509_PURPOSE_OCSP_HELPER, but then immediately undone in e9754726d236b74476cd0be5fa60acfef0c7024f.

Change-Id: I6d2cf9b88a6b013e74fe95cd88f94051111086df
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65151
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
(cherry picked from commit 74bab4cf7b9c7c2fd9c37b3eecfa059f1ffc218a)
CrOS EC and Zephyr build "emulation" targets that run in Linux userspace. Although running on Linux, we want boringssl to run the same as if it were running on the embedded target.

BUG=b/273639386
Change-Id: Id5f13391f09889e955d2a86e2c5317903b2a8bd6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65182
Reviewed-by: David Benjamin <[email protected]>
Reviewed-by: Tom Hughes <[email protected]>
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
(cherry picked from commit fcca096315377c8ed18bd8cbecf66c85bc63ad2d)
Test CRL handling, leave a TODO for bug 600, and also test that one can add to an X509_STORE while verifying, as that's meant to work.

As part of this, I refreshed the test CRL so the sort wasn't degenerate. When I inject a bug in generating the sorted CRL, TSan still only flakily notices, but it does eventually notice.

Bug: 600
Change-Id: I0ae92651dcac9971b034cf9f1c127e9a25332bf5
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65152
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
(cherry picked from commit d62bd8ebd7f0e5eab1eb03197fd042094f7d0f45)
Of external callers of this function, almost all are not actually doing anything with this operation and are just trying to trigger x509v3_cache_extensions. Triggering that is no longer necessary now that the structure is opaque and accessors do it for you.

There were three callers that wanted the actual operation here. One of them correctly handled the tri-state return, but did not distinguish 0 from -1. The other two did not and would misinterpret -1 as success! So this change is actually more compatible with OpenSSL callers than OpenSSL's actual behavior.

Change-Id: Ifedba52dd9d4e031fc919276fd08ec22cfd33bf2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65153
Commit-Queue: David Benjamin <[email protected]>
Reviewed-by: Bob Beck <[email protected]>
(cherry picked from commit 0c8bc4653e34892dc291b48fb38e180ce92b5921)
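The caller pitfall described in the commit message above, shown as an added example that is not code from this pull request, AWS-LC or BoringSSL. It is a constructed model: every name is hypothetical, and the boolean form assumes that an internal error is reported as plain failure.

```c
#include <stdio.h>

/* Constructed model, not library code. All names are hypothetical. */
typedef struct {
    int ext_parse_failed; /* extension caching/parsing hit an error */
    int purpose_ok;       /* certificate is acceptable for the purpose */
} model_cert;

/* Tri-state return: 1 = acceptable, 0 = not acceptable, -1 = error. */
static int check_tristate(const model_cert *c) {
    if (c->ext_parse_failed) return -1;
    return c->purpose_ok ? 1 : 0;
}

/* Caller that tests truthiness: -1 is non-zero, so an error is accepted. */
static int accept_truthy(const model_cert *c) {
    return check_tristate(c) ? 1 : 0;
}

/* Caller that handles the tri-state safely; 0 and -1 both mean reject. */
static int accept_strict(const model_cert *c) {
    return check_tristate(c) == 1;
}

/* Boolean form (assumption: errors fold into 0), safe under `if (...)`. */
static int check_bool(const model_cert *c) {
    return !c->ext_parse_failed && c->purpose_ok;
}

int main(void) {
    /* Constructed sample inputs. */
    const model_cert cases[] = {{0, 1}, {0, 0}, {1, 1}};
    const char *names[] = {"valid", "wrong purpose", "parse error"};
    for (int i = 0; i < 3; i++) {
        printf("%-14s tristate=%2d truthy=%d strict=%d bool=%d\n",
               names[i], check_tristate(&cases[i]),
               accept_truthy(&cases[i]), accept_strict(&cases[i]),
               check_bool(&cases[i]));
    }
    return 0;
}
```

When auditing callers of any 1/0/-1 API, look for bare `if (f(...))` and `if (!f(...))` tests; only comparisons against `1` or `> 0` reject the error case.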
nebeid force-pushed the upstream-merge-2024-06-24 branch from 0c880f7 to 5e1522d (July 18, 2024 20:23)
skmcgrail added a commit that referenced this pull request (Aug 1, 2024)
## What's Changed

* Added options to x509 tool by @ecdeye in #1696
* Add support to detect Neoverse V2 cores by @andrewhop in #1706
* Move OCSP functions for Ruby out of internal.h by @samuel40791765 in #1704
* Add aes-256-xts to EVP_get_cipherbyname by @torben-hansen in #1707
* Match using CMAKE_SYSTEM_PROCESSOR_LOWER by @justsmth in #1709
* Update MySQL to 9.0.0 by @skmcgrail in #1685
* [EC] Unify scalar multiplication for P-256/384/521 by @dkostic in #1693
* Adds const qualifier to ciphertext parameter in EVP_PKEY_decapsulate by @maddeleine in #1713
* Upstream merge 2024 06 24 by @nebeid in #1661
* NIST SP 800-108r1-upd1: KDF Counter Implementation by @skmcgrail in #1644
* Upstream merge 2024 07 09 by @nebeid in #1694
* Design for support of HMAC precomputed keys by @fabrice102 in #1574
* Fix for select point from table in ec_nistp scalar_mul by @dkostic in #1719
* X509toolcomparison by @ecdeye in #1714
* AWS-LC s2n-bignum update 2024-07-22 by @dkostic in #1718
* Add OpenVPN to CI by @smittals2 in #1705
* Lower required Go version, add CI test for specific version by @andrewhop in #1717
* ec2-test-framework enhancements and graviton 4 testing by @samuel40791765 in #1715
* sha + chacha: Move AArch64/X86-64 dispatching to C. by @justsmth in #1625
* Show number of pruned ec2 instances in dashboard by @samuel40791765 in #1728
* rsa and md5 tools by @ecdeye in #1722
* FIPS 203 IPD update: ML-KEM-IPD-768 and ML-KEM-IPD-1024 by @jakemas in #1724
* bump mysql CI to 9.0.1 by @samuel40791765 in #1727
* Support utility OCSP request functions by @samuel40791765 in #1708
* add support for OCSP_SINGLERESP functions by @samuel40791765 in #1703
This was referenced Aug 1, 2024
lilpoozie2005 approved these changes (Sep 11, 2024)
Description of changes:
Merging from Upstream considering commits between google/boringssl@74bab4c (Jan 10, 2024) and google/boringssl@518172c (Jan 13, 2024).
Call-outs:
See internal document as well as "AWS-LC" notes inserted in some of the commit messages for additions/deviations from the upstream commit.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.