Merge branch 'main' into ml-kem-derand

crypto/conf/conf.c

@@ -642,6 +642,10 @@ int CONF_modules_load_file(const char *filename, const char *appname,
   return 1;
 }
 
+char *CONF_get1_default_config_file(void) {
+  return OPENSSL_strdup("No support for Config files in AWS-LC.");
+}
+
 void CONF_modules_free(void) {}
 
 void CONF_modules_unload(int all) {}

crypto/conf/conf_test.cc

@@ -401,3 +401,8 @@ TEST(ConfTest, ParseList) {
     EXPECT_EQ(result, t.expected);
   }
 }
+
+TEST(ConfTest, NoopString) {
+  bssl::UniquePtr<char> string(CONF_get1_default_config_file());
+  EXPECT_STREQ("No support for Config files in AWS-LC.", string.get());
+}

crypto/pkcs8/pkcs12_test.cc

@@ -674,3 +674,9 @@ TEST(PKCS12Test, CreateWithAlias) {
   ASSERT_EQ(alias, std::string(reinterpret_cast<const char *>(parsed_alias),
                                static_cast<size_t>(alias_len)));
 }
+
+TEST(PKCS12Test, BasicAlloc) {
+  // Test direct allocation of |PKCS12_new| and |PKCS12_free|.
+  bssl::UniquePtr<PKCS12> p12(PKCS12_new());
+  ASSERT_TRUE(p12);
+}

crypto/pkcs8/pkcs8_x509.c

@@ -741,7 +741,7 @@ struct pkcs12_st {
 
 PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes,
                    size_t ber_len) {
-  PKCS12 *p12 = OPENSSL_malloc(sizeof(PKCS12));
+  PKCS12 *p12 = PKCS12_new();
   if (!p12) {
     return NULL;
   }
@@ -1328,7 +1328,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name,
     goto err;
   }
 
-  ret = OPENSSL_malloc(sizeof(PKCS12));
+  ret = PKCS12_new();
   if (ret == NULL ||
       !CBB_finish(&cbb, &ret->ber_bytes, &ret->ber_len)) {
     OPENSSL_free(ret);
@@ -1342,6 +1342,10 @@ PKCS12 *PKCS12_create(const char *password, const char *name,
   return ret;
 }
 
+PKCS12 *PKCS12_new(void) {
+  return OPENSSL_zalloc(sizeof(PKCS12));
+}
+
 void PKCS12_free(PKCS12 *p12) {
   if (p12 == NULL) {
     return;

crypto/x509/v3_purp.c

@@ -54,8 +54,8 @@
  * ([email protected]).  This product includes software written by Tim
  * Hudson ([email protected]). */
 
-#include <stdio.h>
-
+#include <assert.h>
+#include <limits.h>
 #include <string.h>
 
 #include <openssl/digest.h>
@@ -171,8 +171,12 @@ int X509_PURPOSE_get_by_sname(const char *sname) {
 }
 
 int X509_PURPOSE_get_by_id(int purpose) {
-  if (purpose >= X509_PURPOSE_MIN && purpose <= X509_PURPOSE_MAX) {
-    return purpose - X509_PURPOSE_MIN;
+  for (size_t i = 0; i <OPENSSL_ARRAY_SIZE(xstandard); i++) {
+    if (xstandard[i].purpose == purpose) {
+      OPENSSL_STATIC_ASSERT(OPENSSL_ARRAY_SIZE(xstandard) <= INT_MAX,
+                    indices_must_fit_in_int);
+      return (int)i;
+    }
   }
   return -1;
 }

crypto/x509/x509_trs.c

@@ -54,6 +54,9 @@
  * ([email protected]).  This product includes software written by Tim
  * Hudson ([email protected]). */
 
+#include <assert.h>
+#include <limits.h>
+
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
@@ -69,10 +72,6 @@ static int trust_compat(const X509_TRUST *trust, X509 *x, int flags);
 
 static int obj_trust(int id, X509 *x, int flags);
 
-// WARNING: the following table should be kept in order of trust and without
-// any gaps so we can just subtract the minimum trust value to get an index
-// into the table
-
 static const X509_TRUST trstandard[] = {
     {X509_TRUST_COMPAT, 0, trust_compat, (char *)"compatible", 0, NULL},
     {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, (char *)"SSL Client",
@@ -122,8 +121,12 @@ const X509_TRUST *X509_TRUST_get0(int idx) {
 }
 
 int X509_TRUST_get_by_id(int id) {
-  if (id >= X509_TRUST_MIN && id <= X509_TRUST_MAX) {
-    return id - X509_TRUST_MIN;
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(trstandard); i++) {
+    if (trstandard[i].trust == id) {
+      OPENSSL_STATIC_ASSERT(OPENSSL_ARRAY_SIZE(trstandard) <= INT_MAX,
+                    indices_must_fit_in_int);
+      return (int)i;
+    }
   }
   return -1;
 }