{
  "commit": "8ab77eefc83ea4d879fd0afe162b0be080d5de06",
  "tree": "9d1fdd995598c3de8f24e9e4241053081a57eec4",
  "parents": [
    "7a813621dac6878ab53b6ed7392939a8982226e8"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Thu Dec 21 22:34:59 2023 -0500"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Tue Jan 09 18:47:08 2024 +0000"
  },
  "message": "Fix error-handling convention in x509_vfy.c and avoid -1 returns\n\nThis CL makes two changes. First, it removes the couple of places where\nX509_verify_cert may return -1 and switches to our standard 0/1 return\nconvention. The only -1 cases were get_issuer returning \u003c 0 and the\ncaller error cases at the top. It seems implausible that any caller\nwould care about the latter and the former is actually impossible.\nget_issuer never returns \u003c 0.\n\nSecond, OpenSSL\u0027s original implementation did not follow the usual\nerror-handling convention. The usual convention is that there\u0027s a\ncleanup epilog, and a variable (usually called \u0027ret\u0027 or \u0027ok\u0027) that\nstores the return value. This variable is initialized in the failure\ncase and may only be modified immediately before a goto or when falling\nthrough to the epilog. This allows error conditions to simply \u0027goto err\u0027\nand rely on the variable\u0027s value.\n\nX509_verify_cert instead overwrites \u0027ok\u0027 throughout the function, which\nis tedious and error-prone. Fix this to follow the usual convention.\nAlso remove uses of this pattern when there isn\u0027t anything to clean up.\n\nAs part of this cleanup, we fix a near miss: the three cert_self_signed\ncall sites did not correctly account for this non-standard pattern.\nFortunately (as demonstrated by existing unit tests), the first call\nsite is fine. The remainder are only called on \"trusted\" certificates\nfrom the X509_STORE. An attacker with control over trust anchors already\ncontrols certificate verification, so this is moot. Moreover, all such\ncertificates first go through get_issuer, which calls X509_check_issued,\nwhich already handles EXFLAG_INVALID, so the error condition was\nredundant.\n\nUpdate-Note: X509_verify_cert no longer returns -1 on some error\nconditions, only zero.\n\nChange-Id: I88d5e845cd4cb8f48d5c5df6782bf6730c682642\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/65067\nAuto-Submit: David Benjamin \u003cdavidben@google.com\u003e\nCommit-Queue: Bob Beck \u003cbbe@google.com\u003e\nReviewed-by: Bob Beck \u003cbbe@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "35fa3e1c36606fdd3792a417b3b3468a7eeb19b3",
      "old_mode": 33188,
      "old_path": "crypto/x509/x509_vfy.c",
      "new_id": "f64cfeb3d746bd383211665338ab4d1d9bb2909d",
      "new_mode": 33188,
      "new_path": "crypto/x509/x509_vfy.c"
    },
    {
      "type": "modify",
      "old_id": "d3f4493d85be95cb3ddb979464b701cad0dcb2e3",
      "old_mode": 33188,
      "old_path": "include/openssl/x509.h",
      "new_id": "0f5a222328dbafc645bf94342fce62df6569a004",
      "new_mode": 33188,
      "new_path": "include/openssl/x509.h"
    }
  ]
}
