Update BoringSSL to dbad745811195c00b729efd0ee0a09b7d9fce1d2 (#222)

* Update vendoring script for changed layout

* Update BoringSSL to dbad745811195c00b729efd0ee0a09b7d9fce1d2

Package.swift

@@ -20,7 +20,7 @@
 // Sources/CCryptoBoringSSL directory. The source repository is at
 // https://boringssl.googlesource.com/boringssl.
 //
-// BoringSSL Commit: 7a813621dac6878ab53b6ed7392939a8982226e8
+// BoringSSL Commit: dbad745811195c00b729efd0ee0a09b7d9fce1d2
 
 import PackageDescription
 

Sources/CCryptoBoringSSL/crypto/asn1/a_gentm.c

@@ -58,7 +58,7 @@
 #include <CCryptoBoringSSL_bytestring.h>
 #include <CCryptoBoringSSL_err.h>
 #include <CCryptoBoringSSL_mem.h>
-#include <CCryptoBoringSSL_time.h>
+#include <CCryptoBoringSSL_posix_time.h>
 
 #include <stdlib.h>
 #include <string.h>

Sources/CCryptoBoringSSL/crypto/asn1/a_time.c

@@ -55,7 +55,7 @@
  * [including the GNU Public Licence.] */
 
 #include <CCryptoBoringSSL_asn1.h>
-#include <CCryptoBoringSSL_time.h>
+#include <CCryptoBoringSSL_posix_time.h>
 
 #include <string.h>
 #include <time.h>

Sources/CCryptoBoringSSL/crypto/asn1/a_utctm.c

@@ -58,7 +58,7 @@
 #include <CCryptoBoringSSL_bytestring.h>
 #include <CCryptoBoringSSL_err.h>
 #include <CCryptoBoringSSL_mem.h>
-#include <CCryptoBoringSSL_time.h>
+#include <CCryptoBoringSSL_posix_time.h>
 
 #include <stdlib.h>
 #include <string.h>

Sources/CCryptoBoringSSL/crypto/asn1/internal.h

@@ -76,18 +76,12 @@ extern "C" {
 // returned. On failure NULL is returned.
 OPENSSL_EXPORT struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result);
 
-// OPENSSL_timegm converts a time value between the years 0 and 9999 in |tm| to
-// a time_t value in |out|. One is returned on success, zero is returned on
-// failure. It is a failure if the converted time can not be represented in a
-// time_t, or if the tm contains out of range values.
-OPENSSL_EXPORT int OPENSSL_timegm(const struct tm *tm, time_t *out);
-
 // OPENSSL_gmtime_adj returns one on success, and updates |tm| by adding
 // |offset_day| days and |offset_sec| seconds. It returns zero on failure. |tm|
 // must be in the range of year 0000 to 9999 both before and after the update or
 // a failure will be returned.
 OPENSSL_EXPORT int OPENSSL_gmtime_adj(struct tm *tm, int offset_day,
-                                      long offset_sec);
+                                      int64_t offset_sec);
 
 // OPENSSL_gmtime_diff calculates the difference between |from| and |to|. It
 // returns one, and outputs the difference as a number of days and seconds in

Sources/CCryptoBoringSSL/crypto/asn1/posix_time.c

@@ -15,7 +15,7 @@
 // Time conversion to/from POSIX time_t and struct tm, with no support
 // for time zones other than UTC
 
-#include <CCryptoBoringSSL_time.h>
+#include <CCryptoBoringSSL_posix_time.h>
 
 #include <assert.h>
 #include <inttypes.h>
@@ -26,12 +26,12 @@
 #include "internal.h"
 
 #define SECS_PER_HOUR (60 * 60)
-#define SECS_PER_DAY (24 * SECS_PER_HOUR)
+#define SECS_PER_DAY (INT64_C(24) * SECS_PER_HOUR)
 
 
 // Is a year/month/day combination valid, in the range from year 0000
 // to 9999?
-static int is_valid_date(int year, int month, int day) {
+static int is_valid_date(int64_t year, int64_t month, int64_t day) {
   if (day < 1 || month < 1 || year < 0 || year > 9999) {
     return 0;
   }
@@ -62,25 +62,30 @@ static int is_valid_date(int year, int month, int day) {
 
 // Is a time valid? Leap seconds of 60 are not considered valid, as
 // the POSIX time in seconds does not include them.
-static int is_valid_time(int hours, int minutes, int seconds) {
+static int is_valid_time(int64_t hours, int64_t minutes, int64_t seconds) {
   if (hours < 0 || minutes < 0 || seconds < 0 || hours > 23 || minutes > 59 ||
       seconds > 59) {
     return 0;
   }
   return 1;
 }
 
-// Is a int64 time representing a time within our expected range?
-static int is_valid_epoch_time(int64_t time) {
-  // 0000-01-01 00:00:00 UTC to 9999-12-31 23:59:59 UTC
-  return (int64_t)-62167219200 <= time && time <= (int64_t)253402300799;
+// 0000-01-01 00:00:00 UTC
+#define MIN_POSIX_TIME INT64_C(-62167219200)
+// 9999-12-31 23:59:59 UTC
+#define MAX_POSIX_TIME INT64_C(253402300799)
+
+// Is an int64 time within our expected range?
+static int is_valid_posix_time(int64_t time) {
+  return MIN_POSIX_TIME <= time && time <= MAX_POSIX_TIME;
 }
 
 // Inspired by algorithms presented in
 // https://howardhinnant.github.io/date_algorithms.html
 // (Public Domain)
-static int posix_time_from_utc(int year, int month, int day, int hours,
-                               int minutes, int seconds, int64_t *out_time) {
+static int posix_time_from_utc(int64_t year, int64_t month, int64_t day,
+                               int64_t hours, int64_t minutes, int64_t seconds,
+                               int64_t *out_time) {
   if (!is_valid_date(year, month, day) ||
       !is_valid_time(hours, minutes, seconds)) {
     return 0;
@@ -108,7 +113,7 @@ static int posix_time_from_utc(int year, int month, int day, int hours,
 static int utc_from_posix_time(int64_t time, int *out_year, int *out_month,
                                int *out_day, int *out_hours, int *out_minutes,
                                int *out_seconds) {
-  if (!is_valid_epoch_time(time)) {
+  if (!is_valid_posix_time(time)) {
     return 0;
   }
   int64_t days = time / SECS_PER_DAY;
@@ -143,19 +148,21 @@ static int utc_from_posix_time(int64_t time, int *out_year, int *out_month,
 }
 
 int OPENSSL_tm_to_posix(const struct tm *tm, int64_t *out) {
-  return posix_time_from_utc(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
-                             tm->tm_hour, tm->tm_min, tm->tm_sec, out);
+  return posix_time_from_utc(tm->tm_year + INT64_C(1900),
+                             tm->tm_mon + INT64_C(1), tm->tm_mday, tm->tm_hour,
+                             tm->tm_min, tm->tm_sec, out);
 }
 
 int OPENSSL_posix_to_tm(int64_t time, struct tm *out_tm) {
-  memset(out_tm, 0, sizeof(struct tm));
-  if (!utc_from_posix_time(time, &out_tm->tm_year, &out_tm->tm_mon,
-                           &out_tm->tm_mday, &out_tm->tm_hour, &out_tm->tm_min,
-                           &out_tm->tm_sec)) {
+  struct tm tmp_tm = {0};
+  if (!utc_from_posix_time(time, &tmp_tm.tm_year, &tmp_tm.tm_mon,
+                           &tmp_tm.tm_mday, &tmp_tm.tm_hour, &tmp_tm.tm_min,
+                           &tmp_tm.tm_sec)) {
     return 0;
   }
-  out_tm->tm_year -= 1900;
-  out_tm->tm_mon -= 1;
+  tmp_tm.tm_year -= 1900;
+  tmp_tm.tm_mon -= 1;
+  *out_tm = tmp_tm;
 
   return 1;
 }
@@ -187,43 +194,47 @@ struct tm *OPENSSL_gmtime(const time_t *time, struct tm *out_tm) {
   return out_tm;
 }
 
-int OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec) {
+int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, int64_t offset_sec) {
   int64_t posix_time;
-  if (!posix_time_from_utc(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
-                           tm->tm_hour, tm->tm_min, tm->tm_sec, &posix_time)) {
+  if (!OPENSSL_tm_to_posix(tm, &posix_time)) {
+    return 0;
+  }
+  static_assert(INT_MAX <= INT64_MAX / SECS_PER_DAY,
+                "day offset in seconds cannot overflow");
+  static_assert(MAX_POSIX_TIME <= INT64_MAX - INT_MAX * SECS_PER_DAY,
+                "addition cannot overflow");
+  static_assert(MIN_POSIX_TIME >= INT64_MIN - INT_MIN * SECS_PER_DAY,
+                "addition cannot underflow");
+  posix_time += offset_day * SECS_PER_DAY;
+  if (posix_time > 0 && offset_sec > INT64_MAX - posix_time) {
     return 0;
   }
-  if (!utc_from_posix_time(
-          posix_time + (int64_t)off_day * SECS_PER_DAY + offset_sec,
-          &tm->tm_year, &tm->tm_mon, &tm->tm_mday, &tm->tm_hour, &tm->tm_min,
-          &tm->tm_sec)) {
+  if (posix_time < 0 && offset_sec < INT64_MIN - posix_time) {
+    return 0;
+  }
+  posix_time += offset_sec;
+
+  if (!OPENSSL_posix_to_tm(posix_time, tm)) {
     return 0;
   }
-  tm->tm_year -= 1900;
-  tm->tm_mon -= 1;
 
   return 1;
 }
 
 int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from,
                         const struct tm *to) {
-  int64_t time_to;
-  if (!posix_time_from_utc(to->tm_year + 1900, to->tm_mon + 1, to->tm_mday,
-                           to->tm_hour, to->tm_min, to->tm_sec, &time_to)) {
-    return 0;
-  }
-  int64_t time_from;
-  if (!posix_time_from_utc(from->tm_year + 1900, from->tm_mon + 1,
-                           from->tm_mday, from->tm_hour, from->tm_min,
-                           from->tm_sec, &time_from)) {
+  int64_t time_to, time_from;
+  if (!OPENSSL_tm_to_posix(to, &time_to) ||
+      !OPENSSL_tm_to_posix(from, &time_from)) {
     return 0;
   }
+  // Times are in range, so these calculations can not overflow.
+  static_assert(SECS_PER_DAY <= INT_MAX, "seconds per day does not fit in int");
+  static_assert((MAX_POSIX_TIME - MIN_POSIX_TIME) / SECS_PER_DAY <= INT_MAX,
+                "range of valid POSIX times, in days, does not fit in int");
   int64_t timediff = time_to - time_from;
   int64_t daydiff = timediff / SECS_PER_DAY;
   timediff %= SECS_PER_DAY;
-  if (daydiff > INT_MAX || daydiff < INT_MIN) {
-    return 0;
-  }
   *out_secs = (int)timediff;
   *out_days = (int)daydiff;
   return 1;

Sources/CCryptoBoringSSL/crypto/bio/bio.c

@@ -345,11 +345,11 @@ int BIO_set_close(BIO *bio, int close_flag) {
   return (int)BIO_ctrl(bio, BIO_CTRL_SET_CLOSE, close_flag, NULL);
 }
 
-OPENSSL_EXPORT size_t BIO_number_read(const BIO *bio) {
+OPENSSL_EXPORT uint64_t BIO_number_read(const BIO *bio) {
   return bio->num_read;
 }
 
-OPENSSL_EXPORT size_t BIO_number_written(const BIO *bio) {
+OPENSSL_EXPORT uint64_t BIO_number_written(const BIO *bio) {
   return bio->num_write;
 }
 
@@ -714,12 +714,7 @@ int BIO_get_ex_new_index(long argl, void *argp,
                                     CRYPTO_EX_unused *unused,
                                     CRYPTO_EX_dup *dup_unused,
                                     CRYPTO_EX_free *free_func) {
-  int index;
-  if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
-                               free_func)) {
-    return -1;
-  }
-  return index;
+  return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);
 }
 
 int BIO_set_ex_data(BIO *bio, int idx, void *data) {

Sources/CCryptoBoringSSL/crypto/bio/file.c

@@ -73,6 +73,7 @@
 
 #include <CCryptoBoringSSL_bio.h>
 
+#include <assert.h>
 #include <errno.h>
 #include <stdio.h>
 #include <string.h>
@@ -82,6 +83,10 @@
 
 #include "../internal.h"
 
+#if defined(OPENSSL_WINDOWS)
+#include <fcntl.h>
+#include <io.h>
+#endif
 
 #define BIO_FP_READ 0x02
 #define BIO_FP_WRITE 0x04
@@ -122,14 +127,13 @@ BIO *BIO_new_file(const char *filename, const char *mode) {
   return ret;
 }
 
-BIO *BIO_new_fp(FILE *stream, int close_flag) {
+BIO *BIO_new_fp(FILE *stream, int flags) {
   BIO *ret = BIO_new(BIO_s_file());
-
   if (ret == NULL) {
     return NULL;
   }
 
-  BIO_set_fp(ret, stream, close_flag);
+  BIO_set_fp(ret, stream, flags);
   return ret;
 }
 
@@ -196,6 +200,17 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
       break;
     case BIO_C_SET_FILE_PTR:
       file_free(b);
+      static_assert((BIO_CLOSE & BIO_FP_TEXT) == 0,
+                    "BIO_CLOSE and BIO_FP_TEXT must not collide");
+#if defined(OPENSSL_WINDOWS)
+      // If |BIO_FP_TEXT| is not set, OpenSSL will switch the file to binary
+      // mode. BoringSSL intentionally diverges here because it means code
+      // tested under POSIX will inadvertently change the state of |FILE|
+      // objects when wrapping them in a |BIO|.
+      if (num & BIO_FP_TEXT) {
+        _setmode(_fileno(ptr), _O_TEXT);
+      }
+#endif
       b->shutdown = (int)num & BIO_CLOSE;
       b->ptr = ptr;
       b->init = 1;
@@ -206,16 +221,16 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
       const char *mode;
       if (num & BIO_FP_APPEND) {
         if (num & BIO_FP_READ) {
-          mode = "a+";
+          mode = "ab+";
         } else {
-          mode = "a";
+          mode = "ab";
         }
       } else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE)) {
-        mode = "r+";
+        mode = "rb+";
       } else if (num & BIO_FP_WRITE) {
-        mode = "w";
+        mode = "wb";
       } else if (num & BIO_FP_READ) {
-        mode = "r";
+        mode = "rb";
       } else {
         OPENSSL_PUT_ERROR(BIO, BIO_R_BAD_FOPEN_MODE);
         ret = 0;
@@ -287,8 +302,8 @@ int BIO_get_fp(BIO *bio, FILE **out_file) {
   return (int)BIO_ctrl(bio, BIO_C_GET_FILE_PTR, 0, (char *)out_file);
 }
 
-int BIO_set_fp(BIO *bio, FILE *file, int close_flag) {
-  return (int)BIO_ctrl(bio, BIO_C_SET_FILE_PTR, close_flag, (char *)file);
+int BIO_set_fp(BIO *bio, FILE *file, int flags) {
+  return (int)BIO_ctrl(bio, BIO_C_SET_FILE_PTR, flags, (char *)file);
 }
 
 int BIO_read_filename(BIO *bio, const char *filename) {

Sources/CCryptoBoringSSL/crypto/bytestring/ber.c

@@ -18,13 +18,10 @@
 #include <string.h>
 
 #include "internal.h"
-#include "../internal.h"
 
 
-// kMaxDepth is a just a sanity limit. The code should be such that the length
-// of the input being processes always decreases. None the less, a very large
-// input could otherwise cause the stack to overflow.
-static const uint32_t kMaxDepth = 2048;
+// kMaxDepth limits the recursion depth to avoid overflowing the stack.
+static const uint32_t kMaxDepth = 128;
 
 // is_string_type returns one if |tag| is a string type and zero otherwise. It
 // ignores the constructed bit.
@@ -56,13 +53,11 @@ static int is_string_type(CBS_ASN1_TAG tag) {
 // found. The value of |orig_in| is not changed. It returns one on success (i.e.
 // |*ber_found| was set) and zero on error.
 static int cbs_find_ber(const CBS *orig_in, int *ber_found, uint32_t depth) {
-  CBS in;
-
   if (depth > kMaxDepth) {
     return 0;
   }
 
-  CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in));
+  CBS in = *orig_in;
   *ber_found = 0;
 
   while (CBS_len(&in) > 0) {
@@ -87,6 +82,10 @@ static int cbs_find_ber(const CBS *orig_in, int *ber_found, uint32_t depth) {
           !cbs_find_ber(&contents, ber_found, depth + 1)) {
         return 0;
       }
+      if (*ber_found) {
+        // We already found BER. No need to continue parsing.
+        return 1;
+      }
     }
   }