Upstream merge 2024 05 10

crypto/fipsmodule/ec/ec_key.c

@@ -163,12 +163,12 @@ void EC_KEY_free(EC_KEY *r) {
     METHOD_unref(r->ecdsa_meth);
   }
 
+  CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data);
+
   EC_GROUP_free(r->group);
   EC_POINT_free(r->pub_key);
   ec_wrapped_scalar_free(r->priv_key);
 
-  CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data);
-
   OPENSSL_free(r);
 }
 

crypto/fipsmodule/sha/sha_test.cc

@@ -14,6 +14,8 @@
 
 #include <openssl/sha.h>
 
+#include <vector>
+
 #include <gtest/gtest.h>
 
 #include "../../test/abi_test.h"

crypto/ocsp/ocsp_asn.c

@@ -11,6 +11,7 @@
 // https://tools.ietf.org/html/rfc6960#section-4.2.1
 
 #include "internal.h"
+#include "../x509/internal.h"
 
 ASN1_SEQUENCE(OCSP_SIGNATURE) = {
     ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),

crypto/x509/internal.h

@@ -246,9 +246,16 @@ struct X509_crl_st {
   unsigned char crl_hash[SHA256_DIGEST_LENGTH];
 } /* X509_CRL */;
 
+// GENERAL_NAME is an |ASN1_ITEM| whose ASN.1 type is GeneralName and C type is
+// |GENERAL_NAME*|.
+DECLARE_ASN1_ITEM(GENERAL_NAME)
+
+// GENERAL_NAMES is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE OF GeneralName
+// and C type is |GENERAL_NAMES*|, aka |STACK_OF(GENERAL_NAME)*|.
+DECLARE_ASN1_ITEM(GENERAL_NAMES)
+
 struct X509_VERIFY_PARAM_st {
   int64_t check_time;               // POSIX time to use
-  unsigned long inh_flags;          // Inheritance flags
   unsigned long flags;              // Various verify flags
   int purpose;                      // purpose to check untrusted certificates
   int trust;                        // trust setting to check
@@ -285,6 +292,8 @@ struct x509_lookup_method_st {
                         X509_OBJECT *ret);
 } /* X509_LOOKUP_METHOD */;
 
+DEFINE_STACK_OF(X509_LOOKUP)
+
 // This is used to hold everything.  It is used for all certificate
 // validation.  Once we have a certificate chain, the 'verify'
 // function is then called to actually check the cert chain.
@@ -544,6 +553,16 @@ OPENSSL_EXPORT int GENERAL_NAME_cmp(const GENERAL_NAME *a,
 // |name|, or NULL if no such name is defined.
 const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
 
+GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
+                               const X509V3_CTX *ctx, const CONF_VALUE *cnf);
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
+                                  const X509V3_EXT_METHOD *method,
+                                  const X509V3_CTX *ctx, const CONF_VALUE *cnf,
+                                  int is_nc);
+GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
+                                 const X509V3_CTX *ctx,
+                                 const STACK_OF(CONF_VALUE) *nval);
+
 
 #if defined(__cplusplus)
 }  // extern C

crypto/x509/v3_akeya.c

@@ -61,6 +61,8 @@
 #include <openssl/conf.h>
 #include <openssl/x509.h>
 
+#include "internal.h"
+
 
 ASN1_SEQUENCE(AUTHORITY_KEYID) = {
     ASN1_IMP_OPT(AUTHORITY_KEYID, keyid, ASN1_OCTET_STRING, 0),

crypto/x509/v3_alt.c

@@ -446,10 +446,10 @@ GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
   return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
 }
 
-GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
-                               const X509V3_EXT_METHOD *method,
-                               const X509V3_CTX *ctx, int gen_type,
-                               const char *value, int is_nc) {
+static GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
+                                      const X509V3_EXT_METHOD *method,
+                                      const X509V3_CTX *ctx, int gen_type,
+                                      const char *value, int is_nc) {
   if (!value) {
     OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE);
     return NULL;

crypto/x509/v3_genn.c

@@ -70,15 +70,15 @@ ASN1_SEQUENCE(OTHERNAME) = {
     ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0),
 } ASN1_SEQUENCE_END(OTHERNAME)
 
-IMPLEMENT_ASN1_FUNCTIONS_const(OTHERNAME)
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(OTHERNAME)
 
 ASN1_SEQUENCE(EDIPARTYNAME) = {
     // DirectoryString is a CHOICE type, so use explicit tagging.
     ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
     ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1),
 } ASN1_SEQUENCE_END(EDIPARTYNAME)
 
-IMPLEMENT_ASN1_FUNCTIONS_const(EDIPARTYNAME)
+IMPLEMENT_ASN1_ALLOC_FUNCTIONS(EDIPARTYNAME)
 
 ASN1_CHOICE(GENERAL_NAME) = {
     ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME),
@@ -208,9 +208,9 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) {
   a->type = type;
 }
 
-void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype) {
-  if (ptype) {
-    *ptype = a->type;
+void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *out_type) {
+  if (out_type) {
+    *out_type = a->type;
   }
   switch (a->type) {
     case GEN_X400:
@@ -255,16 +255,16 @@ int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid,
   return 1;
 }
 
-int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, ASN1_OBJECT **poid,
-                                ASN1_TYPE **pvalue) {
+int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, ASN1_OBJECT **out_oid,
+                                ASN1_TYPE **out_value) {
   if (gen->type != GEN_OTHERNAME) {
     return 0;
   }
-  if (poid) {
-    *poid = gen->d.otherName->type_id;
+  if (out_oid != NULL) {
+    *out_oid = gen->d.otherName->type_id;
   }
-  if (pvalue) {
-    *pvalue = gen->d.otherName->value;
+  if (out_value != NULL) {
+    *out_value = gen->d.otherName->value;
   }
   return 1;
 }

crypto/x509/v3_info.c

@@ -67,6 +67,9 @@
 #include <openssl/obj.h>
 #include <openssl/x509.h>
 
+#include "internal.h"
+
+
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
     const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *ret);
 static void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method,
@@ -206,8 +209,3 @@ static void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method,
   sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
   return NULL;
 }
-
-int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a) {
-  i2a_ASN1_OBJECT(bp, a->method);
-  return 2;
-}