update main-with-bazel from master branch
diff --git a/err_data.c b/err_data.c
index a037f9f..98bc22a 100644
--- a/err_data.c
+++ b/err_data.c
@@ -55,185 +55,185 @@
OPENSSL_STATIC_ASSERT(ERR_NUM_LIBS == 34, "number of libraries changed");
const uint32_t kOpenSSLReasonValues[] = {
- 0xc320847,
- 0xc328861,
- 0xc330870,
- 0xc338880,
- 0xc34088f,
- 0xc3488a8,
- 0xc3508b4,
- 0xc3588d1,
- 0xc3608f1,
- 0xc3688ff,
- 0xc37090f,
- 0xc37891c,
- 0xc38092c,
- 0xc388937,
- 0xc39094d,
- 0xc39895c,
- 0xc3a0970,
- 0xc3a8854,
+ 0xc320862,
+ 0xc32887c,
+ 0xc33088b,
+ 0xc33889b,
+ 0xc3408aa,
+ 0xc3488c3,
+ 0xc3508cf,
+ 0xc3588ec,
+ 0xc36090c,
+ 0xc36891a,
+ 0xc37092a,
+ 0xc378937,
+ 0xc380947,
+ 0xc388952,
+ 0xc390968,
+ 0xc398977,
+ 0xc3a098b,
+ 0xc3a886f,
0xc3b00f7,
- 0xc3b88e3,
- 0x10320854,
- 0x103295ca,
- 0x103315d6,
- 0x103395ef,
- 0x10341602,
- 0x10348f34,
- 0x10350c6d,
- 0x10359615,
- 0x1036163f,
- 0x10369652,
- 0x10371671,
- 0x1037968a,
- 0x1038169f,
- 0x103896bd,
- 0x103916cc,
- 0x103996e8,
- 0x103a1703,
- 0x103a9712,
- 0x103b172e,
- 0x103b9749,
- 0x103c176f,
+ 0xc3b88fe,
+ 0x1032086f,
+ 0x103295e5,
+ 0x103315f1,
+ 0x1033960a,
+ 0x1034161d,
+ 0x10348f4f,
+ 0x10350c88,
+ 0x10359630,
+ 0x1036165a,
+ 0x1036966d,
+ 0x1037168c,
+ 0x103796a5,
+ 0x103816ba,
+ 0x103896d8,
+ 0x103916e7,
+ 0x10399703,
+ 0x103a171e,
+ 0x103a972d,
+ 0x103b1749,
+ 0x103b9764,
+ 0x103c178a,
0x103c80f7,
- 0x103d1780,
- 0x103d9794,
- 0x103e17b3,
- 0x103e97c2,
- 0x103f17d9,
- 0x103f97ec,
- 0x10400c31,
- 0x104097ff,
- 0x1041181d,
- 0x10419830,
- 0x1042184a,
- 0x1042985a,
- 0x1043186e,
- 0x10439884,
- 0x1044189c,
- 0x104498b1,
- 0x104518c5,
- 0x104598d7,
- 0x1046060a,
- 0x1046895c,
- 0x104718ec,
- 0x10479903,
- 0x10481918,
- 0x10489926,
- 0x10490e80,
- 0x10499760,
- 0x104a162a,
- 0x14320c14,
- 0x14328c22,
- 0x14330c31,
- 0x14338c43,
+ 0x103d179b,
+ 0x103d97af,
+ 0x103e17ce,
+ 0x103e97dd,
+ 0x103f17f4,
+ 0x103f9807,
+ 0x10400c4c,
+ 0x1040981a,
+ 0x10411838,
+ 0x1041984b,
+ 0x10421865,
+ 0x10429875,
+ 0x10431889,
+ 0x1043989f,
+ 0x104418b7,
+ 0x104498cc,
+ 0x104518e0,
+ 0x104598f2,
+ 0x10460625,
+ 0x10468977,
+ 0x10471907,
+ 0x1047991e,
+ 0x10481933,
+ 0x10489941,
+ 0x10490e9b,
+ 0x1049977b,
+ 0x104a1645,
+ 0x14320c2f,
+ 0x14328c3d,
+ 0x14330c4c,
+ 0x14338c5e,
0x143400b9,
0x143480f7,
0x18320090,
- 0x18328f8a,
+ 0x18328fa5,
0x183300b9,
- 0x18338fa0,
- 0x18340fb4,
+ 0x18338fbb,
+ 0x18340fcf,
0x183480f7,
- 0x18350fd3,
- 0x18358feb,
- 0x18361000,
- 0x18369014,
- 0x1837104c,
- 0x18379062,
- 0x18381076,
- 0x18389086,
- 0x18390a82,
- 0x18399096,
- 0x183a10bc,
- 0x183a90e2,
- 0x183b0c8c,
- 0x183b9131,
- 0x183c1143,
- 0x183c914e,
- 0x183d115e,
- 0x183d916f,
- 0x183e1180,
- 0x183e9192,
- 0x183f11bb,
- 0x183f91d4,
- 0x184011ec,
- 0x184086e2,
- 0x18411105,
- 0x184190d0,
- 0x184210ef,
- 0x18428c79,
- 0x184310ab,
- 0x18439117,
- 0x18440fc9,
- 0x18449038,
- 0x20321226,
- 0x20329213,
- 0x24321232,
- 0x243289a2,
- 0x24331244,
- 0x24339251,
- 0x2434125e,
- 0x24349270,
- 0x2435127f,
- 0x2435929c,
- 0x243612a9,
- 0x243692b7,
- 0x243712c5,
- 0x243792d3,
- 0x243812dc,
- 0x243892e9,
- 0x243912fc,
- 0x28320c61,
- 0x28328c8c,
- 0x28330c31,
- 0x28338c9f,
- 0x28340c6d,
+ 0x18350fee,
+ 0x18359006,
+ 0x1836101b,
+ 0x1836902f,
+ 0x18371067,
+ 0x1837907d,
+ 0x18381091,
+ 0x183890a1,
+ 0x18390a9d,
+ 0x183990b1,
+ 0x183a10d7,
+ 0x183a90fd,
+ 0x183b0ca7,
+ 0x183b914c,
+ 0x183c115e,
+ 0x183c9169,
+ 0x183d1179,
+ 0x183d918a,
+ 0x183e119b,
+ 0x183e91ad,
+ 0x183f11d6,
+ 0x183f91ef,
+ 0x18401207,
+ 0x184086fd,
+ 0x18411120,
+ 0x184190eb,
+ 0x1842110a,
+ 0x18428c94,
+ 0x184310c6,
+ 0x18439132,
+ 0x18440fe4,
+ 0x18449053,
+ 0x20321241,
+ 0x2032922e,
+ 0x2432124d,
+ 0x243289bd,
+ 0x2433125f,
+ 0x2433926c,
+ 0x24341279,
+ 0x2434928b,
+ 0x2435129a,
+ 0x243592b7,
+ 0x243612c4,
+ 0x243692d2,
+ 0x243712e0,
+ 0x243792ee,
+ 0x243812f7,
+ 0x24389304,
+ 0x24391317,
+ 0x28320c7c,
+ 0x28328ca7,
+ 0x28330c4c,
+ 0x28338cba,
+ 0x28340c88,
0x283480b9,
0x283500f7,
- 0x28358c79,
- 0x2c32326b,
- 0x2c329313,
- 0x2c333279,
- 0x2c33b28b,
- 0x2c34329f,
- 0x2c34b2b1,
- 0x2c3532cc,
- 0x2c35b2de,
- 0x2c36330e,
+ 0x28358c94,
+ 0x2c323286,
+ 0x2c32932e,
+ 0x2c333294,
+ 0x2c33b2a6,
+ 0x2c3432ba,
+ 0x2c34b2cc,
+ 0x2c3532e7,
+ 0x2c35b2f9,
+ 0x2c363329,
0x2c36833a,
- 0x2c37331b,
- 0x2c37b347,
- 0x2c38336c,
- 0x2c38b383,
- 0x2c3933a1,
- 0x2c39b3b1,
- 0x2c3a33c3,
- 0x2c3ab3d7,
- 0x2c3b33e8,
- 0x2c3bb407,
- 0x2c3c1325,
- 0x2c3c933b,
- 0x2c3d341b,
- 0x2c3d9354,
- 0x2c3e3438,
- 0x2c3eb446,
- 0x2c3f345e,
- 0x2c3fb476,
- 0x2c4034a0,
- 0x2c409226,
- 0x2c4134b1,
- 0x2c41b4c4,
- 0x2c4211ec,
- 0x2c42b4d5,
- 0x2c43072f,
- 0x2c43b3f9,
- 0x2c44335a,
- 0x2c44b483,
- 0x2c4532f1,
- 0x2c45b32d,
- 0x2c463391,
+ 0x2c373336,
+ 0x2c37b362,
+ 0x2c383387,
+ 0x2c38b39e,
+ 0x2c3933bc,
+ 0x2c39b3cc,
+ 0x2c3a33de,
+ 0x2c3ab3f2,
+ 0x2c3b3403,
+ 0x2c3bb422,
+ 0x2c3c1340,
+ 0x2c3c9356,
+ 0x2c3d3436,
+ 0x2c3d936f,
+ 0x2c3e3453,
+ 0x2c3eb461,
+ 0x2c3f3479,
+ 0x2c3fb491,
+ 0x2c4034bb,
+ 0x2c409241,
+ 0x2c4134cc,
+ 0x2c41b4df,
+ 0x2c421207,
+ 0x2c42b4f0,
+ 0x2c43074a,
+ 0x2c43b414,
+ 0x2c443375,
+ 0x2c44b49e,
+ 0x2c45330c,
+ 0x2c45b348,
+ 0x2c4633ac,
0x30320000,
0x30328015,
0x3033001f,
@@ -276,529 +276,530 @@
0x30458306,
0x3046031f,
0x3046833a,
- 0x30470357,
- 0x30478369,
- 0x30480377,
- 0x30488388,
- 0x30490397,
- 0x304983af,
- 0x304a03c1,
- 0x304a83d5,
- 0x304b03ed,
- 0x304b8400,
- 0x304c040b,
- 0x304c841c,
- 0x304d0428,
- 0x304d843e,
- 0x304e044c,
- 0x304e8462,
- 0x304f0474,
- 0x304f8486,
- 0x305004a9,
- 0x305084bc,
- 0x305104cd,
- 0x305184dd,
- 0x305204f5,
- 0x3052850a,
- 0x30530522,
- 0x30538536,
- 0x3054054e,
- 0x30548567,
- 0x30550580,
- 0x3055859d,
- 0x305605a8,
- 0x305685c0,
- 0x305705d0,
- 0x305785e1,
- 0x305805f4,
- 0x3058860a,
- 0x30590613,
- 0x30598628,
- 0x305a063b,
- 0x305a864a,
- 0x305b066a,
- 0x305b8679,
- 0x305c069a,
- 0x305c86b6,
- 0x305d06c2,
- 0x305d86e2,
- 0x305e06fe,
- 0x305e870f,
- 0x305f0725,
- 0x305f872f,
- 0x30600499,
+ 0x30470372,
+ 0x30478384,
+ 0x30480392,
+ 0x304883a3,
+ 0x304903b2,
+ 0x304983ca,
+ 0x304a03dc,
+ 0x304a83f0,
+ 0x304b0408,
+ 0x304b841b,
+ 0x304c0426,
+ 0x304c8437,
+ 0x304d0443,
+ 0x304d8459,
+ 0x304e0467,
+ 0x304e847d,
+ 0x304f048f,
+ 0x304f84a1,
+ 0x305004c4,
+ 0x305084d7,
+ 0x305104e8,
+ 0x305184f8,
+ 0x30520510,
+ 0x30528525,
+ 0x3053053d,
+ 0x30538551,
+ 0x30540569,
+ 0x30548582,
+ 0x3055059b,
+ 0x305585b8,
+ 0x305605c3,
+ 0x305685db,
+ 0x305705eb,
+ 0x305785fc,
+ 0x3058060f,
+ 0x30588625,
+ 0x3059062e,
+ 0x30598643,
+ 0x305a0656,
+ 0x305a8665,
+ 0x305b0685,
+ 0x305b8694,
+ 0x305c06b5,
+ 0x305c86d1,
+ 0x305d06dd,
+ 0x305d86fd,
+ 0x305e0719,
+ 0x305e872a,
+ 0x305f0740,
+ 0x305f874a,
+ 0x306004b4,
0x3060804a,
- 0x34320b72,
- 0x34328b86,
- 0x34330ba3,
- 0x34338bb6,
- 0x34340bc5,
- 0x34348bfe,
- 0x34350be2,
+ 0x30610357,
+ 0x34320b8d,
+ 0x34328ba1,
+ 0x34330bbe,
+ 0x34338bd1,
+ 0x34340be0,
+ 0x34348c19,
+ 0x34350bfd,
0x3c320090,
- 0x3c328cc9,
- 0x3c330ce2,
- 0x3c338cfd,
- 0x3c340d1a,
- 0x3c348d44,
- 0x3c350d5f,
- 0x3c358d85,
- 0x3c360d9e,
- 0x3c368db6,
- 0x3c370dc7,
- 0x3c378dd5,
- 0x3c380de2,
- 0x3c388df6,
- 0x3c390c8c,
- 0x3c398e19,
- 0x3c3a0e2d,
- 0x3c3a891c,
- 0x3c3b0e3d,
- 0x3c3b8e58,
- 0x3c3c0e6a,
- 0x3c3c8e9d,
- 0x3c3d0ea7,
- 0x3c3d8ebb,
- 0x3c3e0ec9,
- 0x3c3e8eee,
- 0x3c3f0cb5,
- 0x3c3f8ed7,
+ 0x3c328ce4,
+ 0x3c330cfd,
+ 0x3c338d18,
+ 0x3c340d35,
+ 0x3c348d5f,
+ 0x3c350d7a,
+ 0x3c358da0,
+ 0x3c360db9,
+ 0x3c368dd1,
+ 0x3c370de2,
+ 0x3c378df0,
+ 0x3c380dfd,
+ 0x3c388e11,
+ 0x3c390ca7,
+ 0x3c398e34,
+ 0x3c3a0e48,
+ 0x3c3a8937,
+ 0x3c3b0e58,
+ 0x3c3b8e73,
+ 0x3c3c0e85,
+ 0x3c3c8eb8,
+ 0x3c3d0ec2,
+ 0x3c3d8ed6,
+ 0x3c3e0ee4,
+ 0x3c3e8f09,
+ 0x3c3f0cd0,
+ 0x3c3f8ef2,
0x3c4000b9,
0x3c4080f7,
- 0x3c410d35,
- 0x3c418d74,
- 0x3c420e80,
- 0x3c428e0a,
- 0x403219b8,
- 0x403299ce,
- 0x403319fc,
- 0x40339a06,
- 0x40341a1d,
- 0x40349a3b,
- 0x40351a4b,
- 0x40359a5d,
- 0x40361a6a,
- 0x40369a76,
- 0x40371a8b,
- 0x40379a9d,
- 0x40381aa8,
- 0x40389aba,
- 0x40390f34,
- 0x40399aca,
- 0x403a1add,
- 0x403a9afe,
- 0x403b1b0f,
- 0x403b9b1f,
+ 0x3c410d50,
+ 0x3c418d8f,
+ 0x3c420e9b,
+ 0x3c428e25,
+ 0x403219d3,
+ 0x403299e9,
+ 0x40331a17,
+ 0x40339a21,
+ 0x40341a38,
+ 0x40349a56,
+ 0x40351a66,
+ 0x40359a78,
+ 0x40361a85,
+ 0x40369a91,
+ 0x40371aa6,
+ 0x40379ab8,
+ 0x40381ac3,
+ 0x40389ad5,
+ 0x40390f4f,
+ 0x40399ae5,
+ 0x403a1af8,
+ 0x403a9b19,
+ 0x403b1b2a,
+ 0x403b9b3a,
0x403c0071,
0x403c8090,
- 0x403d1b80,
- 0x403d9b96,
- 0x403e1ba5,
- 0x403e9bdd,
- 0x403f1bf7,
- 0x403f9c1f,
- 0x40401c34,
- 0x40409c48,
- 0x40411c83,
- 0x40419c9e,
- 0x40421cb7,
- 0x40429cca,
- 0x40431cde,
- 0x40439d0c,
- 0x40441d23,
+ 0x403d1b9b,
+ 0x403d9bb1,
+ 0x403e1bc0,
+ 0x403e9bf8,
+ 0x403f1c12,
+ 0x403f9c3a,
+ 0x40401c4f,
+ 0x40409c63,
+ 0x40411c9e,
+ 0x40419cb9,
+ 0x40421cd2,
+ 0x40429ce5,
+ 0x40431cf9,
+ 0x40439d27,
+ 0x40441d3e,
0x404480b9,
- 0x40451d38,
- 0x40459d4a,
- 0x40461d6e,
- 0x40469d8e,
- 0x40471d9c,
- 0x40479dc3,
- 0x40481e34,
- 0x40489eee,
- 0x40491f05,
- 0x40499f1f,
- 0x404a1f36,
- 0x404a9f54,
- 0x404b1f6c,
- 0x404b9f99,
- 0x404c1faf,
- 0x404c9fc1,
- 0x404d1fe2,
- 0x404da01b,
- 0x404e202f,
- 0x404ea03c,
- 0x404f20d6,
- 0x404fa14c,
- 0x405021a3,
- 0x4050a1b7,
- 0x405121ea,
- 0x405221fa,
- 0x4052a21e,
- 0x40532236,
- 0x4053a249,
- 0x4054225e,
- 0x4054a281,
- 0x405522ac,
- 0x4055a2e9,
- 0x4056230e,
- 0x4056a327,
- 0x4057233f,
- 0x4057a352,
- 0x40582367,
- 0x4058a38e,
- 0x405923bd,
- 0x4059a3ea,
- 0x405a23fe,
- 0x405aa40e,
- 0x405b2426,
- 0x405ba437,
- 0x405c244a,
- 0x405ca489,
- 0x405d2496,
- 0x405da4bb,
- 0x405e24f9,
- 0x405e8ac0,
- 0x405f2534,
- 0x405fa541,
- 0x4060254f,
- 0x4060a571,
- 0x406125d2,
- 0x4061a60a,
- 0x40622621,
- 0x4062a632,
- 0x4063267f,
- 0x4063a694,
- 0x406426ab,
- 0x4064a6d7,
- 0x406526f2,
- 0x4065a709,
- 0x40662721,
- 0x4066a74b,
- 0x40672776,
- 0x4067a7bb,
- 0x40682803,
- 0x4068a824,
- 0x40692856,
- 0x4069a884,
- 0x406a28a5,
- 0x406aa8c5,
- 0x406b2a4d,
- 0x406baa70,
- 0x406c2a86,
- 0x406cad90,
- 0x406d2dbf,
- 0x406dade7,
- 0x406e2e15,
- 0x406eae62,
- 0x406f2ebb,
- 0x406faef3,
- 0x40702f06,
- 0x4070af23,
- 0x4071080f,
- 0x4071af35,
- 0x40722f48,
- 0x4072af7e,
- 0x40732f96,
- 0x40739525,
- 0x40742faa,
- 0x4074afc4,
- 0x40752fd5,
- 0x4075afe9,
- 0x40762ff7,
- 0x407692e9,
- 0x4077301c,
- 0x4077b05c,
- 0x40783077,
- 0x4078b0b0,
- 0x407930c7,
- 0x4079b0dd,
- 0x407a3109,
- 0x407ab11c,
- 0x407b3131,
- 0x407bb143,
- 0x407c3174,
- 0x407cb17d,
- 0x407d283f,
- 0x407da15c,
- 0x407e308c,
- 0x407ea39e,
- 0x407f1db0,
- 0x407f9f83,
- 0x408020e6,
- 0x40809dd8,
- 0x4081220c,
- 0x4081a08a,
- 0x40822e00,
- 0x40829b2b,
- 0x40832379,
- 0x4083a6bc,
- 0x40841dec,
- 0x4084a3d6,
- 0x4085245b,
- 0x4085a599,
- 0x408624db,
- 0x4086a176,
- 0x40872e46,
- 0x4087a5e7,
- 0x40881b69,
- 0x4088a7ce,
- 0x40891bb8,
- 0x40899b45,
- 0x408a2abe,
- 0x408a993d,
- 0x408b3158,
- 0x408baed0,
- 0x408c246b,
- 0x408c9975,
- 0x408d1ed4,
- 0x408d9e1e,
- 0x408e2004,
- 0x408ea2c9,
- 0x408f27e2,
- 0x408fa5b5,
- 0x40902797,
- 0x4090a4ad,
- 0x40912aa6,
- 0x4091999b,
- 0x40921c05,
- 0x4092ae81,
- 0x40932f61,
- 0x4093a187,
- 0x40941e00,
- 0x4094aad7,
- 0x40952643,
- 0x4095b0e9,
- 0x40962e2d,
- 0x4096a0ff,
- 0x409721d2,
- 0x4097a053,
- 0x40981c65,
- 0x4098a657,
- 0x40992e9d,
- 0x4099a2f6,
- 0x409a228f,
- 0x409a9959,
- 0x409b1e5a,
- 0x409b9e85,
- 0x409c303e,
- 0x409c9ead,
- 0x409d20bb,
- 0x409da0a0,
- 0x409e1cf6,
- 0x409ea134,
- 0x409f211c,
- 0x409f9e4d,
- 0x40a0251a,
- 0x40a0a06d,
- 0x41f42978,
- 0x41f92a0a,
- 0x41fe28fd,
- 0x41feabb3,
- 0x41ff2ce1,
- 0x42032991,
- 0x420829b3,
- 0x4208a9ef,
- 0x420928e1,
- 0x4209aa29,
- 0x420a2938,
- 0x420aa918,
- 0x420b2958,
- 0x420ba9d1,
- 0x420c2cfd,
- 0x420caae7,
- 0x420d2b9a,
- 0x420dabd1,
- 0x42122c04,
- 0x42172cc4,
- 0x4217ac46,
- 0x421c2c68,
- 0x421f2c23,
- 0x42212d75,
- 0x42262ca7,
- 0x422b2d53,
- 0x422bab75,
- 0x422c2d35,
- 0x422cab28,
- 0x422d2b01,
- 0x422dad14,
- 0x422e2b54,
- 0x42302c83,
- 0x4230abeb,
- 0x4432073a,
- 0x44328749,
- 0x44330755,
- 0x44338763,
- 0x44340776,
- 0x44348787,
- 0x4435078e,
- 0x44358798,
- 0x443607ab,
- 0x443687c1,
- 0x443707d3,
- 0x443787e0,
- 0x443807ef,
- 0x443887f7,
- 0x4439080f,
- 0x4439881d,
- 0x443a0830,
- 0x48321313,
- 0x48329325,
- 0x4833133b,
- 0x48339354,
- 0x4c321379,
- 0x4c329389,
- 0x4c33139c,
- 0x4c3393bc,
+ 0x40451d53,
+ 0x40459d65,
+ 0x40461d89,
+ 0x40469da9,
+ 0x40471db7,
+ 0x40479dde,
+ 0x40481e4f,
+ 0x40489f09,
+ 0x40491f20,
+ 0x40499f3a,
+ 0x404a1f51,
+ 0x404a9f6f,
+ 0x404b1f87,
+ 0x404b9fb4,
+ 0x404c1fca,
+ 0x404c9fdc,
+ 0x404d1ffd,
+ 0x404da036,
+ 0x404e204a,
+ 0x404ea057,
+ 0x404f20f1,
+ 0x404fa167,
+ 0x405021be,
+ 0x4050a1d2,
+ 0x40512205,
+ 0x40522215,
+ 0x4052a239,
+ 0x40532251,
+ 0x4053a264,
+ 0x40542279,
+ 0x4054a29c,
+ 0x405522c7,
+ 0x4055a304,
+ 0x40562329,
+ 0x4056a342,
+ 0x4057235a,
+ 0x4057a36d,
+ 0x40582382,
+ 0x4058a3a9,
+ 0x405923d8,
+ 0x4059a405,
+ 0x405a2419,
+ 0x405aa429,
+ 0x405b2441,
+ 0x405ba452,
+ 0x405c2465,
+ 0x405ca4a4,
+ 0x405d24b1,
+ 0x405da4d6,
+ 0x405e2514,
+ 0x405e8adb,
+ 0x405f254f,
+ 0x405fa55c,
+ 0x4060256a,
+ 0x4060a58c,
+ 0x406125ed,
+ 0x4061a625,
+ 0x4062263c,
+ 0x4062a64d,
+ 0x4063269a,
+ 0x4063a6af,
+ 0x406426c6,
+ 0x4064a6f2,
+ 0x4065270d,
+ 0x4065a724,
+ 0x4066273c,
+ 0x4066a766,
+ 0x40672791,
+ 0x4067a7d6,
+ 0x4068281e,
+ 0x4068a83f,
+ 0x40692871,
+ 0x4069a89f,
+ 0x406a28c0,
+ 0x406aa8e0,
+ 0x406b2a68,
+ 0x406baa8b,
+ 0x406c2aa1,
+ 0x406cadab,
+ 0x406d2dda,
+ 0x406dae02,
+ 0x406e2e30,
+ 0x406eae7d,
+ 0x406f2ed6,
+ 0x406faf0e,
+ 0x40702f21,
+ 0x4070af3e,
+ 0x4071082a,
+ 0x4071af50,
+ 0x40722f63,
+ 0x4072af99,
+ 0x40732fb1,
+ 0x40739540,
+ 0x40742fc5,
+ 0x4074afdf,
+ 0x40752ff0,
+ 0x4075b004,
+ 0x40763012,
+ 0x40769304,
+ 0x40773037,
+ 0x4077b077,
+ 0x40783092,
+ 0x4078b0cb,
+ 0x407930e2,
+ 0x4079b0f8,
+ 0x407a3124,
+ 0x407ab137,
+ 0x407b314c,
+ 0x407bb15e,
+ 0x407c318f,
+ 0x407cb198,
+ 0x407d285a,
+ 0x407da177,
+ 0x407e30a7,
+ 0x407ea3b9,
+ 0x407f1dcb,
+ 0x407f9f9e,
+ 0x40802101,
+ 0x40809df3,
+ 0x40812227,
+ 0x4081a0a5,
+ 0x40822e1b,
+ 0x40829b46,
+ 0x40832394,
+ 0x4083a6d7,
+ 0x40841e07,
+ 0x4084a3f1,
+ 0x40852476,
+ 0x4085a5b4,
+ 0x408624f6,
+ 0x4086a191,
+ 0x40872e61,
+ 0x4087a602,
+ 0x40881b84,
+ 0x4088a7e9,
+ 0x40891bd3,
+ 0x40899b60,
+ 0x408a2ad9,
+ 0x408a9958,
+ 0x408b3173,
+ 0x408baeeb,
+ 0x408c2486,
+ 0x408c9990,
+ 0x408d1eef,
+ 0x408d9e39,
+ 0x408e201f,
+ 0x408ea2e4,
+ 0x408f27fd,
+ 0x408fa5d0,
+ 0x409027b2,
+ 0x4090a4c8,
+ 0x40912ac1,
+ 0x409199b6,
+ 0x40921c20,
+ 0x4092ae9c,
+ 0x40932f7c,
+ 0x4093a1a2,
+ 0x40941e1b,
+ 0x4094aaf2,
+ 0x4095265e,
+ 0x4095b104,
+ 0x40962e48,
+ 0x4096a11a,
+ 0x409721ed,
+ 0x4097a06e,
+ 0x40981c80,
+ 0x4098a672,
+ 0x40992eb8,
+ 0x4099a311,
+ 0x409a22aa,
+ 0x409a9974,
+ 0x409b1e75,
+ 0x409b9ea0,
+ 0x409c3059,
+ 0x409c9ec8,
+ 0x409d20d6,
+ 0x409da0bb,
+ 0x409e1d11,
+ 0x409ea14f,
+ 0x409f2137,
+ 0x409f9e68,
+ 0x40a02535,
+ 0x40a0a088,
+ 0x41f42993,
+ 0x41f92a25,
+ 0x41fe2918,
+ 0x41feabce,
+ 0x41ff2cfc,
+ 0x420329ac,
+ 0x420829ce,
+ 0x4208aa0a,
+ 0x420928fc,
+ 0x4209aa44,
+ 0x420a2953,
+ 0x420aa933,
+ 0x420b2973,
+ 0x420ba9ec,
+ 0x420c2d18,
+ 0x420cab02,
+ 0x420d2bb5,
+ 0x420dabec,
+ 0x42122c1f,
+ 0x42172cdf,
+ 0x4217ac61,
+ 0x421c2c83,
+ 0x421f2c3e,
+ 0x42212d90,
+ 0x42262cc2,
+ 0x422b2d6e,
+ 0x422bab90,
+ 0x422c2d50,
+ 0x422cab43,
+ 0x422d2b1c,
+ 0x422dad2f,
+ 0x422e2b6f,
+ 0x42302c9e,
+ 0x4230ac06,
+ 0x44320755,
+ 0x44328764,
+ 0x44330770,
+ 0x4433877e,
+ 0x44340791,
+ 0x443487a2,
+ 0x443507a9,
+ 0x443587b3,
+ 0x443607c6,
+ 0x443687dc,
+ 0x443707ee,
+ 0x443787fb,
+ 0x4438080a,
+ 0x44388812,
+ 0x4439082a,
+ 0x44398838,
+ 0x443a084b,
+ 0x4832132e,
+ 0x48329340,
+ 0x48331356,
+ 0x4833936f,
+ 0x4c321394,
+ 0x4c3293a4,
+ 0x4c3313b7,
+ 0x4c3393d7,
0x4c3400b9,
0x4c3480f7,
- 0x4c3513c8,
- 0x4c3593d6,
- 0x4c3613f2,
- 0x4c369418,
- 0x4c371427,
- 0x4c379435,
- 0x4c38144a,
- 0x4c389456,
- 0x4c391476,
- 0x4c3994a0,
- 0x4c3a14b9,
- 0x4c3a94d2,
- 0x4c3b060a,
- 0x4c3b94eb,
- 0x4c3c14fd,
- 0x4c3c950c,
- 0x4c3d1525,
- 0x4c3d8c54,
- 0x4c3e1592,
- 0x4c3e9534,
- 0x4c3f15b4,
- 0x4c3f92e9,
- 0x4c40154a,
- 0x4c409365,
- 0x4c411582,
- 0x4c419405,
- 0x4c42156e,
- 0x503234e7,
- 0x5032b4f6,
- 0x50333501,
- 0x5033b511,
- 0x5034352a,
- 0x5034b544,
- 0x50353552,
- 0x5035b568,
- 0x5036357a,
- 0x5036b590,
- 0x503735a9,
- 0x5037b5bc,
- 0x503835d4,
- 0x5038b5e5,
- 0x503935fa,
- 0x5039b60e,
- 0x503a362e,
- 0x503ab644,
- 0x503b365c,
- 0x503bb66e,
- 0x503c368a,
- 0x503cb6a1,
- 0x503d36ba,
- 0x503db6d0,
- 0x503e36dd,
- 0x503eb6f3,
- 0x503f3705,
- 0x503f8388,
- 0x50403718,
- 0x5040b728,
- 0x50413742,
- 0x5041b751,
- 0x5042376b,
- 0x5042b788,
- 0x50433798,
- 0x5043b7a8,
- 0x504437c5,
- 0x5044843e,
- 0x504537d9,
- 0x5045b7f7,
- 0x5046380a,
- 0x5046b820,
- 0x50473832,
- 0x5047b847,
- 0x5048386d,
- 0x5048b87b,
- 0x5049388e,
- 0x5049b8a3,
- 0x504a38b9,
- 0x504ab8c9,
- 0x504b38e9,
- 0x504bb8fc,
- 0x504c391f,
- 0x504cb94d,
- 0x504d397a,
- 0x504db997,
- 0x504e39b2,
- 0x504eb9ce,
- 0x504f39e0,
- 0x504fb9f7,
- 0x50503a06,
- 0x505086fe,
- 0x50513a19,
- 0x5051b7b7,
- 0x5052395f,
- 0x58320f72,
- 0x68320f34,
- 0x68328c8c,
- 0x68330c9f,
- 0x68338f42,
- 0x68340f52,
+ 0x4c3513e3,
+ 0x4c3593f1,
+ 0x4c36140d,
+ 0x4c369433,
+ 0x4c371442,
+ 0x4c379450,
+ 0x4c381465,
+ 0x4c389471,
+ 0x4c391491,
+ 0x4c3994bb,
+ 0x4c3a14d4,
+ 0x4c3a94ed,
+ 0x4c3b0625,
+ 0x4c3b9506,
+ 0x4c3c1518,
+ 0x4c3c9527,
+ 0x4c3d1540,
+ 0x4c3d8c6f,
+ 0x4c3e15ad,
+ 0x4c3e954f,
+ 0x4c3f15cf,
+ 0x4c3f9304,
+ 0x4c401565,
+ 0x4c409380,
+ 0x4c41159d,
+ 0x4c419420,
+ 0x4c421589,
+ 0x50323502,
+ 0x5032b511,
+ 0x5033351c,
+ 0x5033b52c,
+ 0x50343545,
+ 0x5034b55f,
+ 0x5035356d,
+ 0x5035b583,
+ 0x50363595,
+ 0x5036b5ab,
+ 0x503735c4,
+ 0x5037b5d7,
+ 0x503835ef,
+ 0x5038b600,
+ 0x50393615,
+ 0x5039b629,
+ 0x503a3649,
+ 0x503ab65f,
+ 0x503b3677,
+ 0x503bb689,
+ 0x503c36a5,
+ 0x503cb6bc,
+ 0x503d36d5,
+ 0x503db6eb,
+ 0x503e36f8,
+ 0x503eb70e,
+ 0x503f3720,
+ 0x503f83a3,
+ 0x50403733,
+ 0x5040b743,
+ 0x5041375d,
+ 0x5041b76c,
+ 0x50423786,
+ 0x5042b7a3,
+ 0x504337b3,
+ 0x5043b7c3,
+ 0x504437e0,
+ 0x50448459,
+ 0x504537f4,
+ 0x5045b812,
+ 0x50463825,
+ 0x5046b83b,
+ 0x5047384d,
+ 0x5047b862,
+ 0x50483888,
+ 0x5048b896,
+ 0x504938a9,
+ 0x5049b8be,
+ 0x504a38d4,
+ 0x504ab8e4,
+ 0x504b3904,
+ 0x504bb917,
+ 0x504c393a,
+ 0x504cb968,
+ 0x504d3995,
+ 0x504db9b2,
+ 0x504e39cd,
+ 0x504eb9e9,
+ 0x504f39fb,
+ 0x504fba12,
+ 0x50503a21,
+ 0x50508719,
+ 0x50513a34,
+ 0x5051b7d2,
+ 0x5052397a,
+ 0x58320f8d,
+ 0x68320f4f,
+ 0x68328ca7,
+ 0x68330cba,
+ 0x68338f5d,
+ 0x68340f6d,
0x683480f7,
- 0x6c320efa,
- 0x6c328c43,
- 0x6c330f05,
- 0x6c338f1e,
- 0x74320a28,
+ 0x6c320f15,
+ 0x6c328c5e,
+ 0x6c330f20,
+ 0x6c338f39,
+ 0x74320a43,
0x743280b9,
- 0x74330c54,
- 0x7832098d,
- 0x783289a2,
- 0x783309ae,
+ 0x74330c6f,
+ 0x783209a8,
+ 0x783289bd,
+ 0x783309c9,
0x78338090,
- 0x783409bd,
- 0x783489d2,
- 0x783509f1,
- 0x78358a13,
- 0x78360a28,
- 0x78368a3e,
- 0x78370a4e,
- 0x78378a6f,
- 0x78380a82,
- 0x78388a94,
- 0x78390aa1,
- 0x78398ac0,
- 0x783a0ad5,
- 0x783a8ae3,
- 0x783b0aed,
- 0x783b8b01,
- 0x783c0b18,
- 0x783c8b2d,
- 0x783d0b44,
- 0x783d8b59,
- 0x783e0aaf,
- 0x783e8a61,
- 0x7c321202,
- 0x80321418,
+ 0x783409d8,
+ 0x783489ed,
+ 0x78350a0c,
+ 0x78358a2e,
+ 0x78360a43,
+ 0x78368a59,
+ 0x78370a69,
+ 0x78378a8a,
+ 0x78380a9d,
+ 0x78388aaf,
+ 0x78390abc,
+ 0x78398adb,
+ 0x783a0af0,
+ 0x783a8afe,
+ 0x783b0b08,
+ 0x783b8b1c,
+ 0x783c0b33,
+ 0x783c8b48,
+ 0x783d0b5f,
+ 0x783d8b74,
+ 0x783e0aca,
+ 0x783e8a7c,
+ 0x7c32121d,
+ 0x80321433,
0x80328090,
- 0x8033323a,
+ 0x80333255,
0x803380b9,
- 0x80343249,
- 0x8034b1b1,
- 0x803531cf,
- 0x8035b25d,
- 0x80363211,
- 0x8036b1c0,
- 0x80373203,
- 0x8037b19e,
- 0x80383224,
- 0x8038b1e0,
- 0x803931f5,
+ 0x80343264,
+ 0x8034b1cc,
+ 0x803531ea,
+ 0x8035b278,
+ 0x8036322c,
+ 0x8036b1db,
+ 0x8037321e,
+ 0x8037b1b9,
+ 0x8038323f,
+ 0x8038b1fb,
+ 0x80393210,
};
const size_t kOpenSSLReasonValuesLen = sizeof(kOpenSSLReasonValues) / sizeof(kOpenSSLReasonValues[0]);
@@ -847,6 +848,7 @@
"INTEGER_NOT_ASCII_FORMAT\0"
"INTEGER_TOO_LARGE_FOR_LONG\0"
"INVALID_BIT_STRING_BITS_LEFT\0"
+ "INVALID_BIT_STRING_PADDING\0"
"INVALID_BMPSTRING\0"
"INVALID_DIGIT\0"
"INVALID_MODIFIER\0"
diff --git a/src/crypto/asn1/a_bitstr.c b/src/crypto/asn1/a_bitstr.c
index 7ce8cca..1bb58e2 100644
--- a/src/crypto/asn1/a_bitstr.c
+++ b/src/crypto/asn1/a_bitstr.c
@@ -159,11 +159,20 @@
p = *pp;
padding = *(p++);
+ len--;
if (padding > 7) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
goto err;
}
+ /* Unused bits in a BIT STRING must be zero. */
+ uint8_t padding_mask = (1 << padding) - 1;
+ if (padding != 0 &&
+ (len < 1 || (p[len - 1] & padding_mask) != 0)) {
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BIT_STRING_PADDING);
+ goto err;
+ }
+
/*
* We do this to preserve the settings. If we modify the settings, via
* the _set_bit function, we will recalculate on output
@@ -171,21 +180,19 @@
ret->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); /* clear */
ret->flags |= (ASN1_STRING_FLAG_BITS_LEFT | padding); /* set */
- if (len-- > 1) { /* using one because of the bits left byte */
- s = (unsigned char *)OPENSSL_malloc((int)len);
+ if (len > 0) {
+ s = OPENSSL_memdup(p, len);
if (s == NULL) {
OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
goto err;
}
- OPENSSL_memcpy(s, p, (int)len);
- s[len - 1] &= (0xff << padding);
p += len;
- } else
+ } else {
s = NULL;
+ }
ret->length = (int)len;
- if (ret->data != NULL)
- OPENSSL_free(ret->data);
+ OPENSSL_free(ret->data);
ret->data = s;
ret->type = V_ASN1_BIT_STRING;
if (a != NULL)
diff --git a/src/crypto/asn1/a_object.c b/src/crypto/asn1/a_object.c
index 0de3141..30a656d 100644
--- a/src/crypto/asn1/a_object.c
+++ b/src/crypto/asn1/a_object.c
@@ -146,29 +146,29 @@
ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
long length)
{
- const unsigned char *p;
long len;
int tag, xclass;
- int inf, i;
- ASN1_OBJECT *ret = NULL;
- p = *pp;
- inf = ASN1_get_object(&p, &len, &tag, &xclass, length);
+ const unsigned char *p = *pp;
+ int inf = ASN1_get_object(&p, &len, &tag, &xclass, length);
if (inf & 0x80) {
- i = ASN1_R_BAD_OBJECT_HEADER;
- goto err;
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER);
+ return NULL;
}
- if (tag != V_ASN1_OBJECT) {
- i = ASN1_R_EXPECTING_AN_OBJECT;
- goto err;
+ if (inf & V_ASN1_CONSTRUCTED) {
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE);
+ return NULL;
}
- ret = c2i_ASN1_OBJECT(a, &p, len);
- if (ret)
+
+ if (tag != V_ASN1_OBJECT || xclass != V_ASN1_UNIVERSAL) {
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPECTING_AN_OBJECT);
+ return NULL;
+ }
+ ASN1_OBJECT *ret = c2i_ASN1_OBJECT(a, &p, len);
+ if (ret) {
*pp = p;
+ }
return ret;
- err:
- OPENSSL_PUT_ERROR(ASN1, i);
- return (NULL);
}
ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
diff --git a/src/crypto/asn1/asn1_lib.c b/src/crypto/asn1/asn1_lib.c
index 1954bea..fbf4d68 100644
--- a/src/crypto/asn1/asn1_lib.c
+++ b/src/crypto/asn1/asn1_lib.c
@@ -104,8 +104,7 @@
OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_TAG)
OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_TYPE)
-static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
- long max);
+static int asn1_get_length(const unsigned char **pp, long *rl, long max);
static void asn1_put_length(unsigned char **pp, int length);
int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
@@ -114,7 +113,7 @@
int i, ret;
long l;
const unsigned char *p = *pp;
- int tag, xclass, inf;
+ int tag, xclass;
long max = omax;
if (!max)
@@ -153,54 +152,43 @@
*ptag = tag;
*pclass = xclass;
- if (!asn1_get_length(&p, &inf, plength, max))
+ if (!asn1_get_length(&p, plength, max))
goto err;
- if (inf && !(ret & V_ASN1_CONSTRUCTED))
- goto err;
-
-#if 0
- fprintf(stderr, "p=%d + *plength=%ld > omax=%ld + *pp=%d (%d > %d)\n",
- (int)p, *plength, omax, (int)*pp, (int)(p + *plength),
- (int)(omax + *pp));
-
-#endif
if (*plength > (omax - (p - *pp))) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
return 0x80;
}
*pp = p;
- return (ret | inf);
+ return ret;
err:
OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG);
return 0x80;
}
-static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
- long max)
+static int asn1_get_length(const unsigned char **pp, long *rl, long max)
{
const unsigned char *p = *pp;
unsigned long ret = 0;
unsigned long i;
- if (max-- < 1)
+ if (max-- < 1) {
return 0;
+ }
if (*p == 0x80) {
- *inf = 1;
- ret = 0;
- p++;
+ /* We do not support BER indefinite-length encoding. */
+ return 0;
+ }
+ i = *p & 0x7f;
+ if (*(p++) & 0x80) {
+ if (i > sizeof(ret) || max < (long)i)
+ return 0;
+ while (i-- > 0) {
+ ret <<= 8L;
+ ret |= *(p++);
+ }
} else {
- *inf = 0;
- i = *p & 0x7f;
- if (*(p++) & 0x80) {
- if (i > sizeof(ret) || max < (long)i)
- return 0;
- while (i-- > 0) {
- ret <<= 8L;
- ret |= *(p++);
- }
- } else
- ret = i;
+ ret = i;
}
/*
* Bound the length to comfortably fit in an int. Lengths in this module
diff --git a/src/crypto/asn1/asn1_test.cc b/src/crypto/asn1/asn1_test.cc
index 96f9f9c..ab9cb01 100644
--- a/src/crypto/asn1/asn1_test.cc
+++ b/src/crypto/asn1/asn1_test.cc
@@ -266,7 +266,7 @@
EXPECT_FALSE(val->value.ptr);
}
-TEST(ASN1Test, ASN1ObjectReuse) {
+TEST(ASN1Test, ParseASN1Object) {
// 1.2.840.113554.4.1.72585.2, an arbitrary unknown OID.
static const uint8_t kOID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12,
0x04, 0x01, 0x84, 0xb7, 0x09, 0x02};
@@ -277,16 +277,48 @@
// OBJECT_IDENTIFIER { 1.3.101.112 }
static const uint8_t kDER[] = {0x06, 0x03, 0x2b, 0x65, 0x70};
const uint8_t *ptr = kDER;
+ // Parse an |ASN1_OBJECT| with object reuse.
EXPECT_TRUE(d2i_ASN1_OBJECT(&obj, &ptr, sizeof(kDER)));
EXPECT_EQ(NID_ED25519, OBJ_obj2nid(obj));
ASN1_OBJECT_free(obj);
- // Repeat the test, this time overriding a static |ASN1_OBJECT|.
+ // Repeat the test, this time overriding a static |ASN1_OBJECT|. It should
+ // detect this and construct a new one.
obj = OBJ_nid2obj(NID_rsaEncryption);
ptr = kDER;
EXPECT_TRUE(d2i_ASN1_OBJECT(&obj, &ptr, sizeof(kDER)));
EXPECT_EQ(NID_ED25519, OBJ_obj2nid(obj));
ASN1_OBJECT_free(obj);
+
+ const std::vector<uint8_t> kInvalidObjects[] = {
+ // No tag header.
+ {},
+ // No length.
+ {0x06},
+ // Truncated contents.
+ {0x06, 0x01},
+ // An OID may not be empty.
+ {0x06, 0x00},
+ // The last byte may not be a continuation byte (high bit set).
+ {0x06, 0x03, 0x2b, 0x65, 0xf0},
+ // Each component must be minimally-encoded.
+ {0x06, 0x03, 0x2b, 0x65, 0x80, 0x70},
+ {0x06, 0x03, 0x80, 0x2b, 0x65, 0x70},
+ // Wrong tag number.
+ {0x01, 0x03, 0x2b, 0x65, 0x70},
+ // Wrong tag class.
+ {0x86, 0x03, 0x2b, 0x65, 0x70},
+ // Element is constructed.
+ {0x26, 0x03, 0x2b, 0x65, 0x70},
+ };
+ for (const auto &invalid : kInvalidObjects) {
+ SCOPED_TRACE(Bytes(invalid));
+ ptr = invalid.data();
+ obj = d2i_ASN1_OBJECT(nullptr, &ptr, invalid.size());
+ EXPECT_FALSE(obj);
+ ASN1_OBJECT_free(obj);
+ ERR_clear_error();
+ }
}
TEST(ASN1Test, BitString) {
@@ -337,11 +369,10 @@
// Leading byte too high
{0x03, 0x02, 0x08, 0x00},
{0x03, 0x02, 0xff, 0x00},
- // TODO(https://crbug.com/boringssl/354): Reject these inputs.
// Empty bit strings must have a zero leading byte.
- // {0x03, 0x01, 0x01},
+ {0x03, 0x01, 0x01},
// Unused bits must all be zero.
- // {0x03, 0x02, 0x06, 0xc1 /* 0b11000001 */},
+ {0x03, 0x02, 0x06, 0xc1 /* 0b11000001 */},
};
for (const auto &test : kInvalidInputs) {
SCOPED_TRACE(Bytes(test));
@@ -1678,6 +1709,11 @@
int tag_class;
EXPECT_EQ(0x80, ASN1_get_object(&ptr, &length, &tag, &tag_class,
sizeof(kTruncated)));
+
+ static const uint8_t kIndefinite[] = {0x30, 0x80, 0x00, 0x00};
+ ptr = kIndefinite;
+ EXPECT_EQ(0x80, ASN1_get_object(&ptr, &length, &tag, &tag_class,
+ sizeof(kIndefinite)));
}
// The ASN.1 macros do not work on Windows shared library builds, where usage of
diff --git a/src/crypto/asn1/tasn_dec.c b/src/crypto/asn1/tasn_dec.c
index c45be7a..beb9a0b 100644
--- a/src/crypto/asn1/tasn_dec.c
+++ b/src/crypto/asn1/tasn_dec.c
@@ -75,11 +75,9 @@
#define ASN1_MAX_CONSTRUCTED_NEST 30
static int asn1_check_eoc(const unsigned char **in, long len);
-static int asn1_find_end(const unsigned char **in, long len, char inf);
static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
- char *inf, char *cst,
- const unsigned char **in, long len,
+ char *cst, const unsigned char **in, long len,
int exptag, int expclass, char opt, ASN1_TLC *ctx);
static int asn1_template_ex_d2i(ASN1_VALUE **pval,
@@ -166,7 +164,7 @@
const ASN1_EXTERN_FUNCS *ef;
const unsigned char *p = NULL, *q;
unsigned char oclass;
- char seq_eoc, seq_nolen, cst, isopt;
+ char cst, isopt;
int i;
int otag;
int ret = 0;
@@ -222,7 +220,7 @@
p = *in;
/* Just read in tag and class */
- ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
+ ret = asn1_check_tlen(NULL, &otag, &oclass, NULL,
&p, len, -1, 0, 1, ctx);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
@@ -328,15 +326,13 @@
aclass = V_ASN1_UNIVERSAL;
}
/* Get SEQUENCE length and update len, p */
- ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst,
+ ret = asn1_check_tlen(&len, NULL, NULL, &cst,
&p, len, tag, aclass, opt, ctx);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
goto err;
} else if (ret == -1)
return -1;
- /* If indefinite we don't do a length check */
- seq_nolen = seq_eoc;
if (!cst) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
goto err;
@@ -377,15 +373,12 @@
if (!len)
break;
q = p;
+ /* TODO(https://crbug.com/boringssl/455): Although we've removed
+ * indefinite-length support, this check is not quite a no-op.
+ * Reject [UNIVERSAL 0] in the tag parsers themselves. */
if (asn1_check_eoc(&p, len)) {
- if (!seq_eoc) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
- goto err;
- }
- len -= p - q;
- seq_eoc = 0;
- q = p;
- break;
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
+ goto err;
}
/*
* This determines the OPTIONAL flag value. The field cannot be
@@ -417,13 +410,8 @@
len -= p - q;
}
- /* Check for EOC if expecting one */
- if (seq_eoc && !asn1_check_eoc(&p, len)) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
- goto err;
- }
/* Check all data read */
- if (!seq_nolen && len) {
+ if (len) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
goto err;
}
@@ -494,7 +482,6 @@
int ret;
long len;
const unsigned char *p, *q;
- char exp_eoc;
if (!val)
return 0;
flags = tt->flags;
@@ -509,7 +496,7 @@
* Need to work out amount of data available to the inner content and
* where it starts: so read in EXPLICIT header to get the info.
*/
- ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst,
+ ret = asn1_check_tlen(&len, NULL, NULL, &cst,
&p, inlen, tt->tag, aclass, opt, ctx);
q = p;
if (!ret) {
@@ -529,20 +516,10 @@
}
/* We read the field in OK so update length */
len -= p - q;
- if (exp_eoc) {
- /* If NDEF we must have an EOC here */
- if (!asn1_check_eoc(&p, len)) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
- goto err;
- }
- } else {
- /*
- * Otherwise we must hit the EXPLICIT tag end or its an error
- */
- if (len) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
- goto err;
- }
+ /* Check for trailing data. */
+ if (len) {
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
+ goto err;
}
} else
return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);
@@ -573,7 +550,6 @@
if (flags & ASN1_TFLG_SK_MASK) {
/* SET OF, SEQUENCE OF */
int sktag, skaclass;
- char sk_eoc;
/* First work out expected inner tag value */
if (flags & ASN1_TFLG_IMPTAG) {
sktag = tt->tag;
@@ -586,7 +562,7 @@
sktag = V_ASN1_SEQUENCE;
}
/* Get the tag */
- ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL,
+ ret = asn1_check_tlen(&len, NULL, NULL, NULL,
&p, len, sktag, skaclass, opt, ctx);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
@@ -616,15 +592,12 @@
while (len > 0) {
ASN1_VALUE *skfield;
const unsigned char *q = p;
- /* See if EOC found */
+ /* TODO(https://crbug.com/boringssl/455): Although we've removed
+ * indefinite-length support, this check is not quite a no-op.
+ * Reject [UNIVERSAL 0] in the tag parsers themselves. */
if (asn1_check_eoc(&p, len)) {
- if (!sk_eoc) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
- goto err;
- }
- len -= p - q;
- sk_eoc = 0;
- break;
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
+ goto err;
}
skfield = NULL;
if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item),
@@ -639,10 +612,6 @@
goto err;
}
}
- if (sk_eoc) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
- goto err;
- }
} else if (flags & ASN1_TFLG_IMPTAG) {
/* IMPLICIT tagging */
ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,
@@ -679,7 +648,7 @@
{
int ret = 0, utype;
long plen;
- char cst, inf;
+ char cst;
const unsigned char *p;
const unsigned char *cont = NULL;
long len;
@@ -706,7 +675,7 @@
return 0;
}
p = *in;
- ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL,
+ ret = asn1_check_tlen(NULL, &utype, &oclass, NULL,
&p, inlen, -1, 0, 0, ctx);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
@@ -721,7 +690,7 @@
}
p = *in;
/* Check header */
- ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst,
+ ret = asn1_check_tlen(&plen, NULL, NULL, &cst,
&p, inlen, tag, aclass, opt, ctx);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
@@ -746,15 +715,8 @@
}
cont = *in;
- /* If indefinite length constructed find the real end */
- if (inf) {
- if (!asn1_find_end(&p, plen, inf))
- goto err;
- len = p - cont;
- } else {
- len = p - cont + plen;
- p += plen;
- }
+ len = p - cont + plen;
+ p += plen;
} else if (cst) {
/* This parser historically supported BER constructed strings. We no
* longer do and will gradually tighten this parser into a DER
@@ -906,59 +868,6 @@
return ret;
}
-/*
- * This function finds the end of an ASN1 structure when passed its maximum
- * length, whether it is indefinite length and a pointer to the content. This
- * is more efficient than calling asn1_collect because it does not recurse on
- * each indefinite length header.
- */
-
-static int asn1_find_end(const unsigned char **in, long len, char inf)
-{
- int expected_eoc;
- long plen;
- const unsigned char *p = *in, *q;
- /* If not indefinite length constructed just add length */
- if (inf == 0) {
- *in += len;
- return 1;
- }
- expected_eoc = 1;
- /*
- * Indefinite length constructed form. Find the end when enough EOCs are
- * found. If more indefinite length constructed headers are encountered
- * increment the expected eoc count otherwise just skip to the end of the
- * data.
- */
- while (len > 0) {
- if (asn1_check_eoc(&p, len)) {
- expected_eoc--;
- if (expected_eoc == 0)
- break;
- len -= 2;
- continue;
- }
- q = p;
- /* Just read in a header: only care about the length */
- if (!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len,
- -1, 0, 0, NULL)) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
- return 0;
- }
- if (inf)
- expected_eoc++;
- else
- p += plen;
- len -= p - q;
- }
- if (expected_eoc) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
- return 0;
- }
- *in = p;
- return 1;
-}
-
/* Check for ASN1 EOC and swallow it if found */
static int asn1_check_eoc(const unsigned char **in, long len)
@@ -975,15 +884,12 @@
}
/*
- * Check an ASN1 tag and length: a bit like ASN1_get_object but it sets the
- * length for indefinite length constructed form, we don't know the exact
- * length but we can set an upper bound to the amount of data available minus
- * the header length just read.
+ * Check an ASN1 tag and length: a bit like ASN1_get_object but it handles
+ * the ASN1_TLC cache and checks the expected tag.
*/
static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
- char *inf, char *cst,
- const unsigned char **in, long len,
+ char *cst, const unsigned char **in, long len,
int exptag, int expclass, char opt, ASN1_TLC *ctx)
{
int i;
@@ -1009,10 +915,13 @@
ctx->hdrlen = p - q;
ctx->valid = 1;
/*
- * If definite length, and no error, length + header can't exceed
- * total amount of data available.
+ * If no error, length + header can't exceed total amount of data
+ * available.
+ *
+ * TODO(davidben): Is this check necessary? |ASN1_get_object|
+ * should already guarantee this.
*/
- if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) {
+ if (!(i & 0x80) && ((plen + ctx->hdrlen) > len)) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
asn1_tlc_clear(ctx);
return 0;
@@ -1043,12 +952,6 @@
asn1_tlc_clear(ctx);
}
- if (i & 1)
- plen = len - (p - q);
-
- if (inf)
- *inf = i & 1;
-
if (cst)
*cst = i & V_ASN1_CONSTRUCTED;
diff --git a/src/crypto/bytestring/ber.c b/src/crypto/bytestring/ber.c
index fd35e97..e7f67dd 100644
--- a/src/crypto/bytestring/ber.c
+++ b/src/crypto/bytestring/ber.c
@@ -29,11 +29,10 @@
// is_string_type returns one if |tag| is a string type and zero otherwise. It
// ignores the constructed bit.
static int is_string_type(unsigned tag) {
+ // While BER supports constructed BIT STRINGS, OpenSSL misparses them. To
+ // avoid acting on an ambiguous input, we do not support constructed BIT
+ // STRINGS. See https://github.com/openssl/openssl/issues/12810.
switch (tag & ~CBS_ASN1_CONSTRUCTED) {
- // TODO(davidben): Reject constructed BIT STRINGs. The current handling
- // matches OpenSSL but is incorrect. See
- // https://github.com/openssl/openssl/issues/12810.
- case CBS_ASN1_BITSTRING:
case CBS_ASN1_OCTETSTRING:
case CBS_ASN1_UTF8STRING:
case CBS_ASN1_NUMERICSTRING:
diff --git a/src/crypto/bytestring/bytestring_test.cc b/src/crypto/bytestring/bytestring_test.cc
index 0877a2e..985e38c 100644
--- a/src/crypto/bytestring/bytestring_test.cc
+++ b/src/crypto/bytestring/bytestring_test.cc
@@ -22,6 +22,7 @@
#include <openssl/bytestring.h>
#include <openssl/crypto.h>
+#include <openssl/span.h>
#include "internal.h"
#include "../internal.h"
@@ -594,22 +595,22 @@
EXPECT_EQ(Bytes(test_data.data(), test_data.size()), Bytes(buf + 10, 100000));
}
-static void ExpectBerConvert(const char *name, const uint8_t *der_expected,
- size_t der_len, const uint8_t *ber,
- size_t ber_len) {
+static void ExpectBerConvert(const char *name,
+ bssl::Span<const uint8_t> der_expected,
+ bssl::Span<const uint8_t> ber) {
SCOPED_TRACE(name);
CBS in, out;
uint8_t *storage;
- CBS_init(&in, ber, ber_len);
+ CBS_init(&in, ber.data(), ber.size());
ASSERT_TRUE(CBS_asn1_ber_to_der(&in, &out, &storage));
bssl::UniquePtr<uint8_t> scoper(storage);
- EXPECT_EQ(Bytes(der_expected, der_len), Bytes(CBS_data(&out), CBS_len(&out)));
+ EXPECT_EQ(Bytes(der_expected), Bytes(CBS_data(&out), CBS_len(&out)));
if (storage != nullptr) {
- EXPECT_NE(Bytes(der_expected, der_len), Bytes(ber, ber_len));
+ EXPECT_NE(Bytes(der_expected), Bytes(ber));
} else {
- EXPECT_EQ(Bytes(der_expected, der_len), Bytes(ber, ber_len));
+ EXPECT_EQ(Bytes(der_expected), Bytes(ber));
}
}
@@ -670,22 +671,22 @@
0xa0, 0x08, 0x04, 0x02, 0x00, 0x01, 0x04, 0x02, 0x02, 0x03,
};
- ExpectBerConvert("kSimpleBER", kSimpleBER, sizeof(kSimpleBER), kSimpleBER,
- sizeof(kSimpleBER));
+ // kConstructedBitString contains a BER constructed BIT STRING. These are not
+ // supported and thus are left unchanged.
+ static const uint8_t kConstructedBitStringBER[] = {
+ 0x23, 0x0a, 0x03, 0x03, 0x00, 0x12, 0x34, 0x03, 0x03, 0x00, 0x56, 0x78};
+
+ ExpectBerConvert("kSimpleBER", kSimpleBER, kSimpleBER);
ExpectBerConvert("kNonMinimalLengthBER", kNonMinimalLengthDER,
- sizeof(kNonMinimalLengthDER), kNonMinimalLengthBER,
- sizeof(kNonMinimalLengthBER));
- ExpectBerConvert("kIndefBER", kIndefDER, sizeof(kIndefDER), kIndefBER,
- sizeof(kIndefBER));
- ExpectBerConvert("kIndefBER2", kIndefDER2, sizeof(kIndefDER2), kIndefBER2,
- sizeof(kIndefBER2));
- ExpectBerConvert("kOctetStringBER", kOctetStringDER, sizeof(kOctetStringDER),
- kOctetStringBER, sizeof(kOctetStringBER));
- ExpectBerConvert("kNSSBER", kNSSDER, sizeof(kNSSDER), kNSSBER,
- sizeof(kNSSBER));
+ kNonMinimalLengthBER);
+ ExpectBerConvert("kIndefBER", kIndefDER, kIndefBER);
+ ExpectBerConvert("kIndefBER2", kIndefDER2, kIndefBER2);
+ ExpectBerConvert("kOctetStringBER", kOctetStringDER, kOctetStringBER);
+ ExpectBerConvert("kNSSBER", kNSSDER, kNSSBER);
ExpectBerConvert("kConstructedStringBER", kConstructedStringDER,
- sizeof(kConstructedStringDER), kConstructedStringBER,
- sizeof(kConstructedStringBER));
+ kConstructedStringBER);
+ ExpectBerConvert("kConstructedBitStringBER", kConstructedBitStringBER,
+ kConstructedBitStringBER);
}
struct BERTest {
diff --git a/src/crypto/err/asn1.errordata b/src/crypto/err/asn1.errordata
index 5674bda..9344621 100644
--- a/src/crypto/err/asn1.errordata
+++ b/src/crypto/err/asn1.errordata
@@ -41,6 +41,7 @@
ASN1,139,INTEGER_NOT_ASCII_FORMAT
ASN1,140,INTEGER_TOO_LARGE_FOR_LONG
ASN1,141,INVALID_BIT_STRING_BITS_LEFT
+ASN1,194,INVALID_BIT_STRING_PADDING
ASN1,142,INVALID_BMPSTRING
ASN1,143,INVALID_DIGIT
ASN1,144,INVALID_MODIFIER
diff --git a/src/crypto/x509/asn1_gen.c b/src/crypto/x509/asn1_gen.c
index f1a20e0..cd8185b 100644
--- a/src/crypto/x509/asn1_gen.c
+++ b/src/crypto/x509/asn1_gen.c
@@ -215,13 +215,7 @@
* For IMPLICIT tagging the length should match the original length
* and constructed flag should be consistent.
*/
- if (r & 0x1) {
- /* Indefinite length constructed */
- hdr_constructed = 2;
- hdr_len = 0;
- } else
- /* Just retain constructed flag */
- hdr_constructed = r & V_ASN1_CONSTRUCTED;
+ hdr_constructed = r & V_ASN1_CONSTRUCTED;
/*
* Work out new length with IMPLICIT tag: ignore constructed because
* it will mess up if indefinite length
diff --git a/src/crypto/x509/x509_test.cc b/src/crypto/x509/x509_test.cc
index 477e5a1..77c383a 100644
--- a/src/crypto/x509/x509_test.cc
+++ b/src/crypto/x509/x509_test.cc
@@ -3493,8 +3493,43 @@
-----END CERTIFICATE-----
)";
+// kIndefiniteLength is an X.509 certificate where the outermost SEQUENCE uses
+// BER indefinite-length encoding.
+static const char kIndefiniteLength[] = R"(
+-----BEGIN CERTIFICATE-----
+MIAwgcagAwIBAgICBNIwCgYIKoZIzj0EAwIwDzENMAsGA1UEAxMEVGVzdDAgFw0w
+MDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowDzENMAsGA1UEAxMEVGVzdDBZ
+MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOYraeK/ZZ+Xvi8eDZSKTNWXa7epHg1G
++92pqR6d3LpaAefWl6gKGPnDxKMeVuJ8g0jbFhoc9R1+8ZQtS89yIsGjEDAOMAwG
+A1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKnSIhfmzfQpeOKFHiAqcml3
+ex6oaVVGoJWCsPQoZjVAAiEAqTHS9HzZBTQ20cMPXUpf8u5AXZP7adeh4qnksoBs
+xWIAAA==
+-----END CERTIFICATE-----
+)";
+
+// kNonZeroPadding is an X.09 certificate where the BIT STRING signature field
+// has non-zero padding values.
+static const char kNonZeroPadding[] = R"(
+-----BEGIN CERTIFICATE-----
+MIIB0DCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC
+QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
+dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ
+BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
+dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni
+v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa
+HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw
+HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ
+BgcqhkjOPQQBA0kBMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E
+BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQB
+-----END CERTIFICATE-----
+)";
+
TEST(X509Test, BER) {
// Constructed strings are forbidden in DER.
EXPECT_FALSE(CertFromPEM(kConstructedBitString));
EXPECT_FALSE(CertFromPEM(kConstructedOctetString));
+ // Indefinite lengths are forbidden in DER.
+ EXPECT_FALSE(CertFromPEM(kIndefiniteLength));
+ // Padding bits in BIT STRINGs must be zero in BER.
+ EXPECT_FALSE(CertFromPEM(kNonZeroPadding));
}
diff --git a/src/include/openssl/asn1.h b/src/include/openssl/asn1.h
index 0cf0604..d8a371c 100644
--- a/src/include/openssl/asn1.h
+++ b/src/include/openssl/asn1.h
@@ -1720,25 +1720,20 @@
// Low-level encoding functions.
-// ASN1_get_object parses a BER element from up to |max_len| bytes at |*inp|.
+// ASN1_get_object parses a BER element from up to |max_len| bytes at |*inp|. It
+// returns |V_ASN1_CONSTRUCTED| if it successfully parsed a constructed element,
+// zero if it successfully parsed a primitive element, and 0x80 on error. On
+// success, it additionally advances |*inp| to the element body, sets
+// |*out_length|, |*out_tag|, and |*out_class| to the element's length, tag
+// number, and tag class, respectively,
//
-// If the return value is 0x80, the function failed to parse an element.
-// The contents of |*inp|, |*out_length|, |*out_tag|, and |*out_class| are
-// undefined.
+// Unlike OpenSSL, this function does not support indefinite-length elements.
//
-// Otherwise, the function successfully parsed a element. The return value has
-// bit 0x01 set if the length is indefinite, and |V_ASN1_CONSTRUCTED| set if the
-// element was constructed. The function additionally advances |*inp| to the
-// element body and sets |*out_length|, |*out_tag|, and |*out_class| to the
-// element's length, tag number, and tag class, respectively. If the length is
-// indefinite, |*out_length| will be zero and the caller is responsible for
-// finding the end-of-contents.
+// This function is difficult to use correctly. Use |CBS_get_asn1| and related
+// functions from bytestring.h.
//
-// This function is very difficult to use correctly. Use |CBS_get_asn1| and
-// related functions from bytestring.h.
-//
-// TODO(https://crbug.com/boringssl/354): Remove support for indefinite lengths
-// and non-minimal lengths.
+// TODO(https://crbug.com/boringssl/354): Remove support for non-minimal
+// lengths.
OPENSSL_EXPORT int ASN1_get_object(const unsigned char **inp, long *out_length,
int *out_tag, int *out_class, long max_len);
@@ -2039,5 +2034,6 @@
#define ASN1_R_WRONG_TYPE 191
#define ASN1_R_NESTED_TOO_DEEP 192
#define ASN1_R_BAD_TEMPLATE 193
+#define ASN1_R_INVALID_BIT_STRING_PADDING 194
#endif