boringssl/crypto/err/x509.errordata

X509,100,AKID_MISMATCH
X509,101,BAD_PKCS7_VERSION
X509,102,BAD_X509_FILETYPE
X509,103,BASE64_DECODE_ERROR
X509,104,CANT_CHECK_DH_KEY
X509,105,CERT_ALREADY_IN_HASH_TABLE
X509,106,CRL_ALREADY_DELTA
X509,107,CRL_VERIFY_FAILURE
X509,108,IDP_MISMATCH
X509,109,INVALID_BIT_STRING_BITS_LEFT
X509,110,INVALID_DIRECTORY
X509,111,INVALID_FIELD_NAME
X509,136,INVALID_PARAMETER
X509,112,INVALID_PSS_PARAMETERS
X509,113,INVALID_TRUST
X509,114,ISSUER_MISMATCH
X509,115,KEY_TYPE_MISMATCH
X509,116,KEY_VALUES_MISMATCH
X509,117,LOADING_CERT_DIR
X509,118,LOADING_DEFAULTS
X509,135,NAME_TOO_LONG
X509,119,NEWER_CRL_NOT_NEWER
X509,120,NOT_PKCS7_SIGNED_DATA
X509,121,NO_CERTIFICATES_INCLUDED
X509,122,NO_CERT_SET_FOR_US_TO_VERIFY
X509,123,NO_CRLS_INCLUDED
X509,124,NO_CRL_NUMBER
X509,125,PUBLIC_KEY_DECODE_ERROR
X509,126,PUBLIC_KEY_ENCODE_ERROR
X509,127,SHOULD_RETRY
X509,137,SIGNATURE_ALGORITHM_MISMATCH
X509,128,UNKNOWN_KEY_TYPE
X509,129,UNKNOWN_NID
X509,130,UNKNOWN_PURPOSE_ID
X509,131,UNKNOWN_TRUST_ID
X509,132,UNSUPPORTED_ALGORITHM
X509,133,WRONG_LOOKUP_TYPE
X509,134,WRONG_TYPE
Get rid of err function codes. Running make_errors.go every time a function is renamed is incredibly tedious. Plus we keep getting them wrong. Instead, sample __func__ (__FUNCTION__ in MSVC) in the OPENSSL_PUT_ERROR macro and store it alongside file and line number. This doesn't change the format of ERR_print_errors, however ERR_error_string_n now uses the placeholder "OPENSSL_internal" rather than an actual function name since that only takes the uint32_t packed error code as input. This updates err scripts to not emit the function string table. The OPENSSL_PUT_ERROR invocations, for now, still include the extra parameter. That will be removed in a follow-up. BUG=468039 Change-Id: Iaa2ef56991fb58892fa8a1283b3b8b995fbb308d Reviewed-on: https://boringssl-review.googlesource.com/5275 Reviewed-by: Adam Langley <agl@google.com> 2015-06-29 04:36:21 +01:00			`X509,100,AKID_MISMATCH`
			`X509,101,BAD_PKCS7_VERSION`
			`X509,102,BAD_X509_FILETYPE`
			`X509,103,BASE64_DECODE_ERROR`
			`X509,104,CANT_CHECK_DH_KEY`
			`X509,105,CERT_ALREADY_IN_HASH_TABLE`
			`X509,106,CRL_ALREADY_DELTA`
			`X509,107,CRL_VERIFY_FAILURE`
			`X509,108,IDP_MISMATCH`
			`X509,109,INVALID_BIT_STRING_BITS_LEFT`
			`X509,110,INVALID_DIRECTORY`
			`X509,111,INVALID_FIELD_NAME`
Teach crypto/x509 how to verify an Ed25519 signature. BUG=187 Change-Id: I5775ce0886041b0c12174a7d665f3af1e8bce511 Reviewed-on: https://boringssl-review.googlesource.com/14505 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> 2017-03-29 22:08:50 +01:00			`X509,136,INVALID_PARAMETER`
Align with upstream's error strings, take two. I messed up a few of these. ASN1_R_UNSUPPORTED_ALGORITHM doesn't exist. X509_R_UNSUPPORTED_ALGORITHM does exist as part of X509_PUBKEY_set, but the SPKI parser doesn't emit this. (I don't mind the legacy code having really weird errors, but since EVP is now limited to things we like, let's try to keep that clean.) To avoid churn in Conscrypt, we'll keep defining X509_R_UNSUPPORTED_ALGORITHM, but not actually do anything with it anymore. Conscrypt was already aware of EVP_R_UNSUPPORTED_ALGORITHM, so this should be fine. (I don't expect EVP_R_UNSUPPORTED_ALGORITHM to go away. The SPKI parsers we like live in EVP now.) A few other ASN1_R_* values didn't quite match upstream, so make those match again. Finally, I got some of the rsa_pss.c values wrong. Each of those corresponds to an (overly specific) RSA_R_* value in upstream. However, those were gone in BoringSSL since even the initial commit. We placed the RSA <-> EVP glue in crypto/evp (so crypto/rsa wouldn't depend on crypto/evp) while upstream placed them in crypto/rsa. Since no one seemed to notice the loss of RSA_R_INVALID_SALT_LENGTH, let's undo all the cross-module errors inserted in crypto/rsa. Instead, since that kind of specificity is not useful, funnel it all into X509_R_INVALID_PSS_PARAMETERS (formerly EVP_R_INVALID_PSS_PARAMETERS, formerly RSA_R_INVALID_PSS_PARAMETERS). Reset the error codes for all affected modules. (That our error code story means error codes are not stable across this kind of refactoring is kind of a problem. Hopefully this will be the last of it.) Change-Id: Ibfb3a0ac340bfc777bc7de6980ef3ddf0a8c84bc Reviewed-on: https://boringssl-review.googlesource.com/7458 Reviewed-by: Emily Stark (Dunn) <estark@google.com> Reviewed-by: David Benjamin <davidben@google.com> 2016-03-14 21:13:54 +00:00			`X509,112,INVALID_PSS_PARAMETERS`
			`X509,113,INVALID_TRUST`
			`X509,114,ISSUER_MISMATCH`
			`X509,115,KEY_TYPE_MISMATCH`
			`X509,116,KEY_VALUES_MISMATCH`
			`X509,117,LOADING_CERT_DIR`
			`X509,118,LOADING_DEFAULTS`
Add checks to X509_NAME_oneline() Sanity check field lengths and sums to avoid potential overflows and reject excessively large X509_NAME structures. Issue reported by Guido Vranken. (Imported from upstream's 9b08619cb45e75541809b1154c90e1a00450e537.) Change-Id: Ib2e1e7cd086f9c3f0d689d61947f8ec3e9220049 Reviewed-on: https://boringssl-review.googlesource.com/7842 Reviewed-by: Adam Langley <agl@google.com> 2016-05-03 12:50:44 +01:00			`X509,135,NAME_TOO_LONG`
Align with upstream's error strings, take two. I messed up a few of these. ASN1_R_UNSUPPORTED_ALGORITHM doesn't exist. X509_R_UNSUPPORTED_ALGORITHM does exist as part of X509_PUBKEY_set, but the SPKI parser doesn't emit this. (I don't mind the legacy code having really weird errors, but since EVP is now limited to things we like, let's try to keep that clean.) To avoid churn in Conscrypt, we'll keep defining X509_R_UNSUPPORTED_ALGORITHM, but not actually do anything with it anymore. Conscrypt was already aware of EVP_R_UNSUPPORTED_ALGORITHM, so this should be fine. (I don't expect EVP_R_UNSUPPORTED_ALGORITHM to go away. The SPKI parsers we like live in EVP now.) A few other ASN1_R_* values didn't quite match upstream, so make those match again. Finally, I got some of the rsa_pss.c values wrong. Each of those corresponds to an (overly specific) RSA_R_* value in upstream. However, those were gone in BoringSSL since even the initial commit. We placed the RSA <-> EVP glue in crypto/evp (so crypto/rsa wouldn't depend on crypto/evp) while upstream placed them in crypto/rsa. Since no one seemed to notice the loss of RSA_R_INVALID_SALT_LENGTH, let's undo all the cross-module errors inserted in crypto/rsa. Instead, since that kind of specificity is not useful, funnel it all into X509_R_INVALID_PSS_PARAMETERS (formerly EVP_R_INVALID_PSS_PARAMETERS, formerly RSA_R_INVALID_PSS_PARAMETERS). Reset the error codes for all affected modules. (That our error code story means error codes are not stable across this kind of refactoring is kind of a problem. Hopefully this will be the last of it.) Change-Id: Ibfb3a0ac340bfc777bc7de6980ef3ddf0a8c84bc Reviewed-on: https://boringssl-review.googlesource.com/7458 Reviewed-by: Emily Stark (Dunn) <estark@google.com> Reviewed-by: David Benjamin <davidben@google.com> 2016-03-14 21:13:54 +00:00			`X509,119,NEWER_CRL_NOT_NEWER`
			`X509,120,NOT_PKCS7_SIGNED_DATA`
			`X509,121,NO_CERTIFICATES_INCLUDED`
			`X509,122,NO_CERT_SET_FOR_US_TO_VERIFY`
			`X509,123,NO_CRLS_INCLUDED`
			`X509,124,NO_CRL_NUMBER`
			`X509,125,PUBLIC_KEY_DECODE_ERROR`
			`X509,126,PUBLIC_KEY_ENCODE_ERROR`
			`X509,127,SHOULD_RETRY`
Push an error on sigalg mismatch in X509_verify. It was failing but not pushing an error. See https://github.com/google/conscrypt/pull/537 Change-Id: Iafba1a5c0c7ef8e0535b335aa93df6f520c3803e Reviewed-on: https://boringssl-review.googlesource.com/32044 Reviewed-by: Adam Langley <agl@google.com> 2018-09-18 21:14:53 +01:00			`X509,137,SIGNATURE_ALGORITHM_MISMATCH`
Align with upstream's error strings, take two. I messed up a few of these. ASN1_R_UNSUPPORTED_ALGORITHM doesn't exist. X509_R_UNSUPPORTED_ALGORITHM does exist as part of X509_PUBKEY_set, but the SPKI parser doesn't emit this. (I don't mind the legacy code having really weird errors, but since EVP is now limited to things we like, let's try to keep that clean.) To avoid churn in Conscrypt, we'll keep defining X509_R_UNSUPPORTED_ALGORITHM, but not actually do anything with it anymore. Conscrypt was already aware of EVP_R_UNSUPPORTED_ALGORITHM, so this should be fine. (I don't expect EVP_R_UNSUPPORTED_ALGORITHM to go away. The SPKI parsers we like live in EVP now.) A few other ASN1_R_* values didn't quite match upstream, so make those match again. Finally, I got some of the rsa_pss.c values wrong. Each of those corresponds to an (overly specific) RSA_R_* value in upstream. However, those were gone in BoringSSL since even the initial commit. We placed the RSA <-> EVP glue in crypto/evp (so crypto/rsa wouldn't depend on crypto/evp) while upstream placed them in crypto/rsa. Since no one seemed to notice the loss of RSA_R_INVALID_SALT_LENGTH, let's undo all the cross-module errors inserted in crypto/rsa. Instead, since that kind of specificity is not useful, funnel it all into X509_R_INVALID_PSS_PARAMETERS (formerly EVP_R_INVALID_PSS_PARAMETERS, formerly RSA_R_INVALID_PSS_PARAMETERS). Reset the error codes for all affected modules. (That our error code story means error codes are not stable across this kind of refactoring is kind of a problem. Hopefully this will be the last of it.) Change-Id: Ibfb3a0ac340bfc777bc7de6980ef3ddf0a8c84bc Reviewed-on: https://boringssl-review.googlesource.com/7458 Reviewed-by: Emily Stark (Dunn) <estark@google.com> Reviewed-by: David Benjamin <davidben@google.com> 2016-03-14 21:13:54 +00:00			`X509,128,UNKNOWN_KEY_TYPE`
			`X509,129,UNKNOWN_NID`
			`X509,130,UNKNOWN_PURPOSE_ID`
			`X509,131,UNKNOWN_TRUST_ID`
			`X509,132,UNSUPPORTED_ALGORITHM`
			`X509,133,WRONG_LOOKUP_TYPE`
			`X509,134,WRONG_TYPE`