)]}' { "commit": "52067828463443821e175975d19085b2c8bf2f54", "tree": "ac9a421063e84c1a3e23146bbe18af71097bb23e", "parents": [ "cafb9921149dd713ce2c2de2d057664575bedd93" ], "author": { "name": "David Benjamin", "email": "davidben@google.com", "time": "Sat Jun 19 16:28:04 2021 -0400" }, "committer": { "name": "Boringssl LUCI CQ", "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com", "time": "Tue Jun 22 23:42:40 2021 +0000" }, "message": "Compute ASN.1 BIT STRING sizes more consistently.\n\nOpenSSL\u0027s BIT STRING representation has two modes, one where it\nimplicitly trims trailing zeros and the other where the number of unused\nbits is explicitly set. This means logic in ASN1_item_verify, or\nelsewhere in callers, that checks flags and ASN1_STRING_length is\ninconsistent with i2c_ASN1_BIT_STRING.\n\nAdd ASN1_BIT_STRING_num_bytes for code that needs to deal with X.509\nusing BIT STRING for some fields instead of OCTET STRING. Switch\nASN1_item_verify to it. Some external code does this too, so export it\nas public API.\n\nThis is mostly a theoretical issue. All parsed BIT STRINGS use explicit\nbyte strings, and there are no APIs (apart from not-yet-opaquified\nstructs) to specify the ASN1_STRING in X509, etc., structures. We\nintentionally made X509_set1_signature_value, etc., internally construct\nthe ASN1_STRING. Still having an API is more consistent and helps nudge\ncallers towards rejecting excess bits when they want bytes.\n\nIt may also be worth a public API for consistently accessing the bit\ncount. I\u0027ve left it alone for now because I\u0027ve not seen callers that\nneed it, and it saves worrying about bytes-to-bits overflows.\n\nThis also fixes a bug in the original version of the truncating logic\nwhen the entire string was all zeros, and const-corrects a few\nparameters.\n\nChange-Id: I9d29842a3d3264b0cde61ca8cfea07d02177dbc2\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48225\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nCommit-Queue: Adam Langley \u003cagl@google.com\u003e\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "b945cb188e8dad01c80c948c48c2cd6f8ba89c90", "old_mode": 33188, "old_path": "crypto/asn1/a_bitstr.c", "new_id": "d45a73ec6d4ad2aa14b7562d93d9a3e133971a38", "new_mode": 33188, "new_path": "crypto/asn1/a_bitstr.c" }, { "type": "modify", "old_id": "30d6091db28c94017686cc39ae7b49bedcd403ce", "old_mode": 33188, "old_path": "crypto/asn1/asn1_test.cc", "new_id": "a14a5cccfb74e8ae1a83a38bd888811ed056dc6e", "new_mode": 33188, "new_path": "crypto/asn1/asn1_test.cc" }, { "type": "modify", "old_id": "8587b5906fb0e7f73eb8018206af30f15e7a1c42", "old_mode": 33188, "old_path": "crypto/x509/a_verify.c", "new_id": "3cda5d0c5344e638e6d9f517aa4aae293dbe0344", "new_mode": 33188, "new_path": "crypto/x509/a_verify.c" }, { "type": "modify", "old_id": "0347d0d66be8f2a504a8235be8b311cb08040f0f", "old_mode": 33188, "old_path": "include/openssl/asn1.h", "new_id": "fe2f29d888828b710c91e20603c393e32500fd99", "new_mode": 33188, "new_path": "include/openssl/asn1.h" }, { "type": "modify", "old_id": "d06e1c6f9f988ec6a05c7562cced44b54a55f91a", "old_mode": 33188, "old_path": "include/openssl/x509.h", "new_id": "97b3ccba594beef502cbaa5ce3871a3b70d1971c", "new_mode": 33188, "new_path": "include/openssl/x509.h" } ] }