Upstream merge 2024 08 02 (aws#1738)

Merging from Upstream considering commits between google/boringssl@4972efd (Jan 22, 2024) and google/boringssl@100e212 (Jan 23, 2024). See "AWS-LC" notes inserted in some of the commit messages for additions/deviations from the upstream commit.
justsmth · Aug 6, 2024 · 5fd0f08 · 5fd0f08
2 parents 98eeccf + 4faeee7
commit 5fd0f08
Show file tree

Hide file tree

Showing 10 changed files with 2,355 additions and 1,539 deletions.
diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
@@ -701,7 +701,11 @@ else()
   build_libcrypto(crypto $<TARGET_OBJECTS:fipsmodule>)
 endif()
 
-if(NOT ANDROID)
+# CMAKE_SYSTEM_NAME is "Generic" for embedded OSes:
+# https://cmake.org/cmake/help/book/mastering-cmake/chapter/Cross%20Compiling%20With%20CMake.html#toolchain-files
+#
+# For now we assume embedded OSes do not have threads.
+if(NOT (ANDROID OR CMAKE_SYSTEM_NAME STREQUAL "Generic"))
   find_package(Threads REQUIRED)
   target_link_libraries(crypto PUBLIC Threads::Threads)
 endif()

diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
@@ -437,6 +437,10 @@ static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
     return 0;
   }
   if (ca) {
+    // TODO(davidben): Move the various |check_ca| calls out of the
+    // |check_purpose| callbacks. Those checks are purpose-independent. They are
+    // also redundant when called from |X509_verify_cert|, though
+    // not when |X509_check_purpose| is called directly.
     return check_ca(x);
   }
   // We need to do digital signatures or key agreement
@@ -478,8 +482,7 @@ static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
 
 static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
                                        int ca) {
-  int ret;
-  ret = check_purpose_ssl_server(xp, x, ca);
+  int ret = check_purpose_ssl_server(xp, x, ca);
   if (!ret || ca) {
     return ret;
   }
@@ -512,8 +515,7 @@ static int purpose_smime(const X509 *x, int ca) {
 
 static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
                                     int ca) {
-  int ret;
-  ret = purpose_smime(x, ca);
+  int ret = purpose_smime(x, ca);
   if (!ret || ca) {
     return ret;
   }
@@ -525,8 +527,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
 
 static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
                                        int ca) {
-  int ret;
-  ret = purpose_smime(x, ca);
+  int ret = purpose_smime(x, ca);
   if (!ret || ca) {
     return ret;
   }
@@ -560,8 +561,6 @@ static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) {
 
 static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
                                         int ca) {
-  int i_ext;
-
   // If ca is true we must return if this is a valid CA certificate.
   if (ca) {
     return check_ca(x);
@@ -585,9 +584,9 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
   }
 
   // Extended Key Usage MUST be critical
-  i_ext = X509_get_ext_by_NID((X509 *)x, NID_ext_key_usage, -1);
+  int i_ext = X509_get_ext_by_NID(x, NID_ext_key_usage, -1);
   if (i_ext >= 0) {
-    const X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
+    const X509_EXTENSION *ext = X509_get_ext(x, i_ext);
     if (!X509_EXTENSION_get_critical(ext)) {
       return 0;
     }