)]}' { "commit": "029d0e77fb64625469cc02c8df26767c72081dfd", "tree": "335109944ebf6cab76fca10a3a1d6adc8c47458d", "parents": [ "45b8d7bbd771cbf7e116db2ba1f1cc7af959497e" ], "author": { "name": "David Benjamin", "email": "davidben@google.com", "time": "Mon Dec 26 19:38:40 2022 -0500" }, "committer": { "name": "Boringssl LUCI CQ", "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com", "time": "Thu Jan 19 23:01:04 2023 +0000" }, "message": "Rewrite X.509 policy tree logic.\n\nThis reimplements policy handling using a similar DAG structure as in\nhttps://chromium-review.googlesource.com/c/chromium/src/+/4111415. The\nmain difference is that, being C, we don\u0027t have std::set or std::map\neasily available. But the algorithm can be implemented purely with\nsorted lists, while remaining subquadratic.\n\nThis implementation relies on two assumptions:\n\n1. We do not return the policy tree. This was removed in\n https://boringssl-review.googlesource.com/c/boringssl/+/53327\n\n2. We do not return the final set of certificate policies. I.e.,\n certificate policy checking is only used for evaluating policy\n constraints and X509_V_FLAG_EXPLICIT_POLICY.\n\nThe second assumption is not very important. It mostly simplifies\nhas_explicit_policy slightly.\n\nIn addition, this new implementation removes the per-certificate policy\ncache. Instead, we just process the policy extensions anew on\ncertificate verification. This avoids a mess of threading complexity,\nincluding a race condition in the old logic. See\nhttps://boringssl-review.googlesource.com/c/boringssl/+/55762 for a\ndescription of the race condition.\n\nChange-Id: Ifba9037588ecff5eb6ed3c34c8bd7611f60013a6\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56036\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Bob Beck \u003cbbe@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "0631971a9d0dcdb6d5f758ba6475d2407a7e8ea8", "old_mode": 33188, "old_path": "crypto/CMakeLists.txt", "new_id": "c83d1e3ab087ab1c34bb01f04e2f8ffaa5460b54", "new_mode": 33188, "new_path": "crypto/CMakeLists.txt" }, { "type": "modify", "old_id": "65181bfe6772362f97babc648b35cfbeedd4a14c", "old_mode": 33188, "old_path": "crypto/err/x509.errordata", "new_id": "e30d667bd7290b8d411c323ebf8bdb11e95b300d", "new_mode": 33188, "new_path": "crypto/err/x509.errordata" }, { "type": "modify", "old_id": "e102842b0b56b2b52ff7224a01c2502f996ae070", "old_mode": 33188, "old_path": "crypto/x509/internal.h", "new_id": "7bf14c9091214ff78bd040d68326238b79d167e3", "new_mode": 33188, "new_path": "crypto/x509/internal.h" }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "5f9fe9c65c49cdf22845ab17d159ec7a493e48ff", "new_mode": 33188, "new_path": "crypto/x509/policy.c" }, { "type": "modify", "old_id": "aba608e59778ebe26c4b735e4b6d174bc55be92c", "old_mode": 33188, "old_path": "crypto/x509/x509_test.cc", "new_id": "e4af13ee9b7cd5c00286ab12abbab5f7a2ba7e42", "new_mode": 33188, "new_path": "crypto/x509/x509_test.cc" }, { "type": "modify", "old_id": "ce110e65be76c098596fc5edba5068f2bf233b15", "old_mode": 33188, "old_path": "crypto/x509/x509_vfy.c", "new_id": "7638d0d814c4f20ada7e52c4833f385e033029e6", "new_mode": 33188, "new_path": "crypto/x509/x509_vfy.c" }, { "type": "modify", "old_id": "c6c48feb778ebe2ad3d7e8fc2640be3489c21d97", "old_mode": 33188, "old_path": "crypto/x509/x_x509.c", "new_id": "4f23fd68bbf1a424711eb4657d2d9a5889ff92bf", "new_mode": 33188, "new_path": "crypto/x509/x_x509.c" }, { "type": "modify", "old_id": "a7bcb4e33d01b079e3221bcb7d8e1899ce9f2dad", "old_mode": 33188, "old_path": "crypto/x509v3/internal.h", "new_id": "0632f2394d0d37fbc0b0829eca5852334b1e5540", "new_mode": 33188, "new_path": "crypto/x509v3/internal.h" }, { "type": "delete", "old_id": "3a351dc71fee4081cf5595353822a8ec94184664", "old_mode": 33188, "old_path": "crypto/x509v3/pcy_cache.c", "new_id": "0000000000000000000000000000000000000000", "new_mode": 0, "new_path": "/dev/null" }, { "type": "delete", "old_id": "91ba714ef220d9061431f5c60719619aa0461e53", "old_mode": 33188, "old_path": "crypto/x509v3/pcy_data.c", "new_id": "0000000000000000000000000000000000000000", "new_mode": 0, "new_path": "/dev/null" }, { "type": "delete", "old_id": "06c70b2199833ac0ff1626a33dc2ca30264e4e8c", "old_mode": 33188, "old_path": "crypto/x509v3/pcy_map.c", "new_id": "0000000000000000000000000000000000000000", "new_mode": 0, "new_path": "/dev/null" }, { "type": "delete", "old_id": "8966b065d9586afc8e047f6f51e8c2f00e8a7860", "old_mode": 33188, "old_path": "crypto/x509v3/pcy_node.c", "new_id": "0000000000000000000000000000000000000000", "new_mode": 0, "new_path": "/dev/null" }, { "type": "delete", "old_id": "7211e016313db7e74f35280019268ffd1de5c3cc", "old_mode": 33188, "old_path": "crypto/x509v3/pcy_tree.c", "new_id": "0000000000000000000000000000000000000000", "new_mode": 0, "new_path": "/dev/null" }, { "type": "modify", "old_id": "e723cf33804ede05a16765a2b163d301016f6635", "old_mode": 33188, "old_path": "crypto/x509v3/v3_cpols.c", "new_id": "84d458c65a0b24cd5f582d53cdaffa1673417444", "new_mode": 33188, "new_path": "crypto/x509v3/v3_cpols.c" }, { "type": "modify", "old_id": "ee103ca884b796a10a86b79852a5dc57064cec4a", "old_mode": 33188, "old_path": "include/openssl/x509.h", "new_id": "ec65cc53241d2b5db3707c537e69ba8cb2948594", "new_mode": 33188, "new_path": "include/openssl/x509.h" }, { "type": "modify", "old_id": "25a72d45eeb61b86d126706ba052862b5d31571e", "old_mode": 33188, "old_path": "include/openssl/x509v3.h", "new_id": "530444b92c8d451c914bd08bd416f58a1d289db3", "new_mode": 33188, "new_path": "include/openssl/x509v3.h" } ] }