diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 47f412993e..584bb49e2f 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -172,7 +172,8 @@ static char *bignum_to_string(const BIGNUM *bn) {
   // Display large numbers in hex and small numbers in decimal. Converting to
   // decimal takes quadratic time and is no more useful than hex for large
   // numbers.
-  if (BN_num_bits(bn) < 32) {
+  // The threshold for large numbers is set at 128 bits to align with OpenSSL.
+  if (BN_num_bits(bn) < 128) {
     return BN_bn2dec(bn);
   }
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 313141e5e8..4a9a1191dc 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -3190,9 +3190,11 @@ TEST(X509Test, PrettyPrintIntegers) {
       "-42",
       "256",
       "-256",
+      "4886718345",
+      "-4886718345",
       // Large numbers are pretty-printed in hex to avoid taking quadratic time.
-      "0x0123456789",
-      "-0x0123456789",
+      "0x0123456789012345678901234567890123",
+      "-0x0123456789012345678901234567890123",
   };
   for (const char *in : kTests) {
     SCOPED_TRACE(in);
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index 2f7d249f62..ea99f314d2 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -39,6 +39,10 @@ extern "C" {
 // aACompromise (10) }
 //
 // Reason Code RFC: https://www.rfc-editor.org/rfc/rfc5280#section-5.3.1
+//
+// Note: OCSP_REVOKED_STATUS_NOSTATUS is defined by OpenSSL and is not defined
+// within the RFC.
+#define OCSP_REVOKED_STATUS_NOSTATUS -1
 #define OCSP_REVOKED_STATUS_UNSPECIFIED 0
 #define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
 #define OCSP_REVOKED_STATUS_CACOMPROMISE 2
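Review bot: The new vectors exercise a 33-bit magnitude (4886718345) and a 129-bit magnitude (0x0123456789012345678901234567890123), so neither side of the 128-bit boundary introduced in the v3_utl.c hunk is pinned; a regression to `< 127` or `<= 128` would still pass. If the test round-trips each string as it appears to, add one value of exactly 127 bits, which must print in decimal, and one of exactly 128 bits, which must print in hex: `"170141183460469231731687303715884105727",` (2^127 - 1) and `"0x80000000000000000000000000000000",` (2^127, i.e. `0x8` followed by 31 zeros), with their negatives if the existing sign-paired pattern is kept. The TEST body continues outside the hunk.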
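Review bot: The new comment says where `OCSP_REVOKED_STATUS_NOSTATUS` comes from but not what it means to a caller, which is what code comparing a reason against the `OCSP_REVOKED_STATUS_*` constants needs to know. If, as in OpenSSL, the reason out-parameter of `OCSP_single_get0_status` is set to this value when a revoked SingleResponse carries no revocationReason, say so, e.g. `// OCSP_REVOKED_STATUS_NOSTATUS is reported as the reason when a revoked response carries no revocationReason. It is an OpenSSL convention, not a CRLReason value from RFC 5280, and must not be mapped to one.` I cannot confirm from the hunk which API produces it, so the wording should be checked against the implementation. Parenthesizing the negative literal, `#define OCSP_REVOKED_STATUS_NOSTATUS (-1)`, would also match the usual macro hygiene for signed constants.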
@@ -58,6 +62,9 @@ extern "C" {
 // Certificates included within |bs| or |req| will be included in the
 // search for the signing certificate by default, unless |OCSP_NOINTERN| is set.
 #define OCSP_NOINTERN 0x2
+// OCSP_NOSIGS does nothing. In OpenSSL, this skips signature verification in
+// |OCSP_basic_verify| and |OCSP_request_verify|.
+#define OCSP_NOSIGS
 // OCSP_NOCHAIN is for |OCSP_basic_verify| and |OCSP_request_verify|.
 // For |OCSP_basic_verify|, certificates in both |certs| and in |bs| are
 // considered as certificates for the construction of the validation path for
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 31a24b140a..0aea0cbd6b 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -2906,6 +2906,10 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param,
 // X509_TRUST_OBJECT_SIGN evaluates trust with the |NID_code_sign| OID, for
 // validating code signing certificates.
 #define X509_TRUST_OBJECT_SIGN 5
+// X509_TRUST_OCSP_SIGN does nothing. It's unused in OpenSSL and AWS-LC.
+#define X509_TRUST_OCSP_SIGN 6
+// X509_TRUST_OCSP_REQUEST does nothing. It's unused in OpenSSL and AWS-LC.
+#define X509_TRUST_OCSP_REQUEST 7
 // X509_TRUST_TSA evaluates trust with the |NID_time_stamp| OID, for validating
 // Time Stamping Authority (RFC 3161) certificates.
 #define X509_TRUST_TSA 8
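Review bot: `#define OCSP_NOSIGS` expands to nothing, so any caller that uses the flag as a value, `OCSP_basic_verify(bs, certs, st, OCSP_NOSIGS)` or `flags & OCSP_NOSIGS`, fails to compile, which defeats the source-compatibility purpose the comment implies. Give it a distinct bit that the verification code ignores, e.g. `#define OCSP_NOSIGS 0x4` (the value OpenSSL uses), after checking it does not collide with `OCSP_NOCHAIN` or any other flag in this header, whose values are not visible in the hunk. The comment would also be clearer stating the consequence directly: `// OCSP_NOSIGS is accepted for compatibility and ignored; AWS-LC always verifies signatures in |OCSP_basic_verify| and |OCSP_request_verify|.`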
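Review bot: "does nothing" on `X509_TRUST_OCSP_SIGN` and `X509_TRUST_OCSP_REQUEST` leaves open whether `X509_VERIFY_PARAM_set_trust` rejects these values or accepts them and then evaluates no trust OID, which matters to a caller that uses the return value to detect an unsupported trust setting. State which, e.g. `// X509_TRUST_OCSP_SIGN is defined for compatibility only and is not implemented in OpenSSL or AWS-LC. |X509_VERIFY_PARAM_set_trust| [rejects it / accepts it and evaluates no trust OID].`, filling the bracketed placeholder from the implementation, and mirror it on X509_TRUST_OCSP_REQUEST. I cannot confirm the behaviour from the hunk.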