sync inclusion of <stdlib.h> from libcrypto

Provide various CBS_peek_* functions.

These will be used in libcrypto.

With input from and ok tb@

Provide CBS_get_u64().

This will be used in the libcrypto certificate transparency code.

ok tb@

Provide CBS_get_last_u8().

This will be used in the TLSv1.3 record layer.

From BoringSSL.

ok tb@

Add explicit CBS_contains_zero_byte() check in CBS_strdup().

If the CBS data contains a zero byte, then CBS_strdup() is only going to
return part of the data - add an explicit CBS_contains_zero_byte() and
treat such data as an error case.

ok tb@

Fix formatting of multi-line license comment per style(9).

Remove unnecessary includes from the bytestring APIs.

The bytestring APIs are self contained, hence including openssl headers
here is unnecessary.

assert.h is often misused. It should not be used in a library
ok bcook@ jsing@

Stop using BUF_memdup() within the LibreSSL code base - it is correctly
spelt malloc+memcpy, which is what is used in all except two places.

ok deraadt@ doug@

Change CBS_dup() to also sync the offset.

Previously, CBS_dup() had its own offset. However, it is more consistent
to copy everything.

ok miod@ jsing@

Replace internal call to CRYPTO_memcmp with timingsafe_memcmp.

Suggested by jsing@.

ok jsing@ miod@

Add CBS_dup() to initialize a new CBS with the same values.

This is useful for when you need to check the data ahead and then continue
on from the same spot.

input + ok jsing@ miod@

Use explicit int in bs_cbs.c.

ok miod@ jsing@

Add CBS_write_bytes() to copy the remaining CBS bytes to the caller.

This is a common operation when dealing with CBS.

ok miod@ jsing@

Add a new function CBS_offset() to report the current offset in the data.

"why not" miod@, sure jsing@

Simplify cbs_get_any_asn1_element_internal based on comments from jsing@

Make CBS_get_any_asn1_element() more compliant with DER encoding.

CBS_get_any_asn1_element violates DER encoding by allowing indefinite
form. All callers except bs_ber.c expect DER encoding. The callers
must check to see if it was indefinite or not.

Rather than exposing all callers to this behavior,
cbs_get_any_asn1_element_internal() allows specifying whether you want to
allow the normally forbidden indefinite form. This is used by
CBS_get_any_asn1_element() for strict DER encoding and by a new static
function in bs_ber.c for the relaxed version.

While I was here, I added comments to differentiate between ASN.1
restrictions and CBS limitations.

ok miod@

Reject long-form tags in CBS_peek_asn1_tag.

Currently, CBS only handles short-form tags.

ok miod@ jsing@

Add whitespace and replace OPENSSL_free with free in documentation.

ok jsing@

Avoid NULL deref in CBS_get_any_asn1_element().

This function is documented as allowing NULL for out_header_len.

ok jsing@

Added error checking for len argument in cbs_get_u().

tweak + ok jsing@

free() can handle NULL.

ok jsing@

Check for invalid leading zeros in CBS_get_asn1_uint64.

ASN.1 integers cannot have all zeros or all ones for the first 9 bits.
This rule ensures the numbers are encoded with the smallest number of
content octets (see ITU-T Rec X.690 section 8.3.2).

Based on BoringSSL commit 5933723b7b592e9914f703d630b596e140c93e16

ok deraadt@ jsing@

KNF bytestring files.

I checked that this doesn't change anything. Compiled with clang using
-Wno-pointer-sign -g0 to reduce the differences. Only difference in the
asm is due to assert(0) line number changes in bs_cbs.c and bs_cbb.c.

miod is ok with the general process.

Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.

This is imported with as few changes as possible for the initial commit.
I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc()
and changed a few header includes.

BoringSSL has this as part of their public API. We're leaving it internal
to libssl for now.

Based on BoringSSL's CBB/CBS API as of commit
c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54.

input + ok jsing@, miod@

Provide various CBS_peek_* functions.

These will be used in libcrypto.

With input from and ok tb@

Provide CBS_get_u64().

This will be used in the libcrypto certificate transparency code.

ok tb@

Provide CBS_get_last_u8().

This will be used in the TLSv1.3 record layer.

From BoringSSL.

ok tb@

Add explicit CBS_contains_zero_byte() check in CBS_strdup().

If the CBS data contains a zero byte, then CBS_strdup() is only going to
return part of the data - add an explicit CBS_contains_zero_byte() and
treat such data as an error case.

ok tb@

Fix formatting of multi-line license comment per style(9).

Remove unnecessary includes from the bytestring APIs.

The bytestring APIs are self contained, hence including openssl headers
here is unnecessary.

assert.h is often misused. It should not be used in a library
ok bcook@ jsing@

Stop using BUF_memdup() within the LibreSSL code base - it is correctly
spelt malloc+memcpy, which is what is used in all except two places.

ok deraadt@ doug@

Change CBS_dup() to also sync the offset.

Previously, CBS_dup() had its own offset. However, it is more consistent
to copy everything.

ok miod@ jsing@

Replace internal call to CRYPTO_memcmp with timingsafe_memcmp.

Suggested by jsing@.

ok jsing@ miod@

Add CBS_dup() to initialize a new CBS with the same values.

This is useful for when you need to check the data ahead and then continue
on from the same spot.

input + ok jsing@ miod@

Use explicit int in bs_cbs.c.

ok miod@ jsing@

Add CBS_write_bytes() to copy the remaining CBS bytes to the caller.

This is a common operation when dealing with CBS.

ok miod@ jsing@

Add a new function CBS_offset() to report the current offset in the data.

"why not" miod@, sure jsing@

Simplify cbs_get_any_asn1_element_internal based on comments from jsing@

Make CBS_get_any_asn1_element() more compliant with DER encoding.

CBS_get_any_asn1_element violates DER encoding by allowing indefinite
form. All callers except bs_ber.c expect DER encoding. The callers
must check to see if it was indefinite or not.

Rather than exposing all callers to this behavior,
cbs_get_any_asn1_element_internal() allows specifying whether you want to
allow the normally forbidden indefinite form. This is used by
CBS_get_any_asn1_element() for strict DER encoding and by a new static
function in bs_ber.c for the relaxed version.

While I was here, I added comments to differentiate between ASN.1
restrictions and CBS limitations.

ok miod@

Reject long-form tags in CBS_peek_asn1_tag.

Currently, CBS only handles short-form tags.

ok miod@ jsing@

Add whitespace and replace OPENSSL_free with free in documentation.

ok jsing@

Avoid NULL deref in CBS_get_any_asn1_element().

This function is documented as allowing NULL for out_header_len.

ok jsing@

Added error checking for len argument in cbs_get_u().

tweak + ok jsing@

free() can handle NULL.

ok jsing@

Check for invalid leading zeros in CBS_get_asn1_uint64.

ASN.1 integers cannot have all zeros or all ones for the first 9 bits.
This rule ensures the numbers are encoded with the smallest number of
content octets (see ITU-T Rec X.690 section 8.3.2).

Based on BoringSSL commit 5933723b7b592e9914f703d630b596e140c93e16

ok deraadt@ jsing@

KNF bytestring files.

I checked that this doesn't change anything. Compiled with clang using
-Wno-pointer-sign -g0 to reduce the differences. Only difference in the
asm is due to assert(0) line number changes in bs_cbs.c and bs_cbb.c.

miod is ok with the general process.

Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.

This is imported with as few changes as possible for the initial commit.
I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc()
and changed a few header includes.

BoringSSL has this as part of their public API. We're leaving it internal
to libssl for now.

Based on BoringSSL's CBB/CBS API as of commit
c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54.

input + ok jsing@, miod@

Add explicit CBS_contains_zero_byte() check in CBS_strdup().

If the CBS data contains a zero byte, then CBS_strdup() is only going to
return part of the data - add an explicit CBS_contains_zero_byte() and
treat such data as an error case.

ok tb@

Fix formatting of multi-line license comment per style(9).

Remove unnecessary includes from the bytestring APIs.

The bytestring APIs are self contained, hence including openssl headers
here is unnecessary.

assert.h is often misused. It should not be used in a library
ok bcook@ jsing@

Stop using BUF_memdup() within the LibreSSL code base - it is correctly
spelt malloc+memcpy, which is what is used in all except two places.

ok deraadt@ doug@

Change CBS_dup() to also sync the offset.

Previously, CBS_dup() had its own offset. However, it is more consistent
to copy everything.

ok miod@ jsing@

Replace internal call to CRYPTO_memcmp with timingsafe_memcmp.

Suggested by jsing@.

ok jsing@ miod@

Add CBS_dup() to initialize a new CBS with the same values.

This is useful for when you need to check the data ahead and then continue
on from the same spot.

input + ok jsing@ miod@

Use explicit int in bs_cbs.c.

ok miod@ jsing@

Add CBS_write_bytes() to copy the remaining CBS bytes to the caller.

This is a common operation when dealing with CBS.

ok miod@ jsing@

Add a new function CBS_offset() to report the current offset in the data.

"why not" miod@, sure jsing@

Simplify cbs_get_any_asn1_element_internal based on comments from jsing@

Make CBS_get_any_asn1_element() more compliant with DER encoding.

CBS_get_any_asn1_element violates DER encoding by allowing indefinite
form. All callers except bs_ber.c expect DER encoding. The callers
must check to see if it was indefinite or not.

Rather than exposing all callers to this behavior,
cbs_get_any_asn1_element_internal() allows specifying whether you want to
allow the normally forbidden indefinite form. This is used by
CBS_get_any_asn1_element() for strict DER encoding and by a new static
function in bs_ber.c for the relaxed version.

While I was here, I added comments to differentiate between ASN.1
restrictions and CBS limitations.

ok miod@

Reject long-form tags in CBS_peek_asn1_tag.

Currently, CBS only handles short-form tags.

ok miod@ jsing@

Add whitespace and replace OPENSSL_free with free in documentation.

ok jsing@

Avoid NULL deref in CBS_get_any_asn1_element().

This function is documented as allowing NULL for out_header_len.

ok jsing@

Added error checking for len argument in cbs_get_u().

tweak + ok jsing@

free() can handle NULL.

ok jsing@

Check for invalid leading zeros in CBS_get_asn1_uint64.

ASN.1 integers cannot have all zeros or all ones for the first 9 bits.
This rule ensures the numbers are encoded with the smallest number of
content octets (see ITU-T Rec X.690 section 8.3.2).

Based on BoringSSL commit 5933723b7b592e9914f703d630b596e140c93e16

ok deraadt@ jsing@

KNF bytestring files.

I checked that this doesn't change anything. Compiled with clang using
-Wno-pointer-sign -g0 to reduce the differences. Only difference in the
asm is due to assert(0) line number changes in bs_cbs.c and bs_cbb.c.

miod is ok with the general process.

Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.

This is imported with as few changes as possible for the initial commit.
I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc()
and changed a few header includes.

BoringSSL has this as part of their public API. We're leaving it internal
to libssl for now.

Based on BoringSSL's CBB/CBS API as of commit
c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54.

input + ok jsing@, miod@

Fix formatting of multi-line license comment per style(9).

Remove unnecessary includes from the bytestring APIs.

The bytestring APIs are self contained, hence including openssl headers
here is unnecessary.

assert.h is often misused. It should not be used in a library
ok bcook@ jsing@

Stop using BUF_memdup() within the LibreSSL code base - it is correctly
spelt malloc+memcpy, which is what is used in all except two places.

ok deraadt@ doug@

Change CBS_dup() to also sync the offset.

Previously, CBS_dup() had its own offset. However, it is more consistent
to copy everything.

ok miod@ jsing@

Replace internal call to CRYPTO_memcmp with timingsafe_memcmp.

Suggested by jsing@.

ok jsing@ miod@

Add CBS_dup() to initialize a new CBS with the same values.

This is useful for when you need to check the data ahead and then continue
on from the same spot.

input + ok jsing@ miod@

Use explicit int in bs_cbs.c.

ok miod@ jsing@

Add CBS_write_bytes() to copy the remaining CBS bytes to the caller.

This is a common operation when dealing with CBS.

ok miod@ jsing@

Add a new function CBS_offset() to report the current offset in the data.

"why not" miod@, sure jsing@

Simplify cbs_get_any_asn1_element_internal based on comments from jsing@

Make CBS_get_any_asn1_element() more compliant with DER encoding.

CBS_get_any_asn1_element violates DER encoding by allowing indefinite
form. All callers except bs_ber.c expect DER encoding. The callers
must check to see if it was indefinite or not.

Rather than exposing all callers to this behavior,
cbs_get_any_asn1_element_internal() allows specifying whether you want to
allow the normally forbidden indefinite form. This is used by
CBS_get_any_asn1_element() for strict DER encoding and by a new static
function in bs_ber.c for the relaxed version.

While I was here, I added comments to differentiate between ASN.1
restrictions and CBS limitations.

ok miod@

Reject long-form tags in CBS_peek_asn1_tag.

Currently, CBS only handles short-form tags.

ok miod@ jsing@

Add whitespace and replace OPENSSL_free with free in documentation.

ok jsing@

Avoid NULL deref in CBS_get_any_asn1_element().

This function is documented as allowing NULL for out_header_len.

ok jsing@

Added error checking for len argument in cbs_get_u().

tweak + ok jsing@

free() can handle NULL.

ok jsing@

Check for invalid leading zeros in CBS_get_asn1_uint64.

ASN.1 integers cannot have all zeros or all ones for the first 9 bits.
This rule ensures the numbers are encoded with the smallest number of
content octets (see ITU-T Rec X.690 section 8.3.2).

Based on BoringSSL commit 5933723b7b592e9914f703d630b596e140c93e16

ok deraadt@ jsing@

KNF bytestring files.

I checked that this doesn't change anything. Compiled with clang using
-Wno-pointer-sign -g0 to reduce the differences. Only difference in the
asm is due to assert(0) line number changes in bs_cbs.c and bs_cbb.c.

miod is ok with the general process.

Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.

This is imported with as few changes as possible for the initial commit.
I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc()
and changed a few header includes.

BoringSSL has this as part of their public API. We're leaving it internal
to libssl for now.

Based on BoringSSL's CBB/CBS API as of commit
c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54.

input + ok jsing@, miod@

Fix formatting of multi-line license comment per style(9).

Remove unnecessary includes from the bytestring APIs.

The bytestring APIs are self contained, hence including openssl headers
here is unnecessary.

assert.h is often misused. It should not be used in a library
ok bcook@ jsing@

Stop using BUF_memdup() within the LibreSSL code base - it is correctly
spelt malloc+memcpy, which is what is used in all except two places.

ok deraadt@ doug@

Change CBS_dup() to also sync the offset.

Previously, CBS_dup() had its own offset. However, it is more consistent
to copy everything.

ok miod@ jsing@

Replace internal call to CRYPTO_memcmp with timingsafe_memcmp.

Suggested by jsing@.

ok jsing@ miod@

Add CBS_dup() to initialize a new CBS with the same values.

This is useful for when you need to check the data ahead and then continue
on from the same spot.

input + ok jsing@ miod@

Use explicit int in bs_cbs.c.

ok miod@ jsing@

Add CBS_write_bytes() to copy the remaining CBS bytes to the caller.

This is a common operation when dealing with CBS.

ok miod@ jsing@

Add a new function CBS_offset() to report the current offset in the data.

"why not" miod@, sure jsing@

Simplify cbs_get_any_asn1_element_internal based on comments from jsing@

Make CBS_get_any_asn1_element() more compliant with DER encoding.

CBS_get_any_asn1_element violates DER encoding by allowing indefinite
form. All callers except bs_ber.c expect DER encoding. The callers
must check to see if it was indefinite or not.

Rather than exposing all callers to this behavior,
cbs_get_any_asn1_element_internal() allows specifying whether you want to
allow the normally forbidden indefinite form. This is used by
CBS_get_any_asn1_element() for strict DER encoding and by a new static
function in bs_ber.c for the relaxed version.

While I was here, I added comments to differentiate between ASN.1
restrictions and CBS limitations.

ok miod@

Reject long-form tags in CBS_peek_asn1_tag.

Currently, CBS only handles short-form tags.

ok miod@ jsing@

Add whitespace and replace OPENSSL_free with free in documentation.

ok jsing@

Avoid NULL deref in CBS_get_any_asn1_element().

This function is documented as allowing NULL for out_header_len.

ok jsing@

Added error checking for len argument in cbs_get_u().

tweak + ok jsing@

free() can handle NULL.

ok jsing@

Check for invalid leading zeros in CBS_get_asn1_uint64.

ASN.1 integers cannot have all zeros or all ones for the first 9 bits.
This rule ensures the numbers are encoded with the smallest number of
content octets (see ITU-T Rec X.690 section 8.3.2).

Based on BoringSSL commit 5933723b7b592e9914f703d630b596e140c93e16

ok deraadt@ jsing@

KNF bytestring files.

I checked that this doesn't change anything. Compiled with clang using
-Wno-pointer-sign -g0 to reduce the differences. Only difference in the
asm is due to assert(0) line number changes in bs_cbs.c and bs_cbb.c.

miod is ok with the general process.

Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.

This is imported with as few changes as possible for the initial commit.
I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc()
and changed a few header includes.

BoringSSL has this as part of their public API. We're leaving it internal
to libssl for now.

Based on BoringSSL's CBB/CBS API as of commit
c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54.

input + ok jsing@, miod@

assert.h is often misused. It should not be used in a library
ok bcook@ jsing@

Stop using BUF_memdup() within the LibreSSL code base - it is correctly
spelt malloc+memcpy, which is what is used in all except two places.

ok deraadt@ doug@

Change CBS_dup() to also sync the offset.

Previously, CBS_dup() had its own offset. However, it is more consistent
to copy everything.

ok miod@ jsing@

Replace internal call to CRYPTO_memcmp with timingsafe_memcmp.

Suggested by jsing@.

ok jsing@ miod@

Add CBS_dup() to initialize a new CBS with the same values.

This is useful for when you need to check the data ahead and then continue
on from the same spot.

input + ok jsing@ miod@

Use explicit int in bs_cbs.c.

ok miod@ jsing@

Add CBS_write_bytes() to copy the remaining CBS bytes to the caller.

This is a common operation when dealing with CBS.

ok miod@ jsing@

Add a new function CBS_offset() to report the current offset in the data.

"why not" miod@, sure jsing@

Simplify cbs_get_any_asn1_element_internal based on comments from jsing@

Make CBS_get_any_asn1_element() more compliant with DER encoding.

CBS_get_any_asn1_element violates DER encoding by allowing indefinite
form. All callers except bs_ber.c expect DER encoding. The callers
must check to see if it was indefinite or not.

Rather than exposing all callers to this behavior,
cbs_get_any_asn1_element_internal() allows specifying whether you want to
allow the normally forbidden indefinite form. This is used by
CBS_get_any_asn1_element() for strict DER encoding and by a new static
function in bs_ber.c for the relaxed version.

While I was here, I added comments to differentiate between ASN.1
restrictions and CBS limitations.

ok miod@

Reject long-form tags in CBS_peek_asn1_tag.

Currently, CBS only handles short-form tags.

ok miod@ jsing@

Add whitespace and replace OPENSSL_free with free in documentation.

ok jsing@

Avoid NULL deref in CBS_get_any_asn1_element().

This function is documented as allowing NULL for out_header_len.

ok jsing@

Added error checking for len argument in cbs_get_u().

tweak + ok jsing@

free() can handle NULL.

ok jsing@

Check for invalid leading zeros in CBS_get_asn1_uint64.

ASN.1 integers cannot have all zeros or all ones for the first 9 bits.
This rule ensures the numbers are encoded with the smallest number of
content octets (see ITU-T Rec X.690 section 8.3.2).

Based on BoringSSL commit 5933723b7b592e9914f703d630b596e140c93e16

ok deraadt@ jsing@

KNF bytestring files.

I checked that this doesn't change anything. Compiled with clang using
-Wno-pointer-sign -g0 to reduce the differences. Only difference in the
asm is due to assert(0) line number changes in bs_cbs.c and bs_cbb.c.

miod is ok with the general process.

Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.

This is imported with as few changes as possible for the initial commit.
I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc()
and changed a few header includes.

BoringSSL has this as part of their public API. We're leaving it internal
to libssl for now.

Based on BoringSSL's CBB/CBS API as of commit
c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54.

input + ok jsing@, miod@

Stop using BUF_memdup() within the LibreSSL code base - it is correctly
spelt malloc+memcpy, which is what is used in all except two places.

ok deraadt@ doug@

Change CBS_dup() to also sync the offset.

Previously, CBS_dup() had its own offset. However, it is more consistent
to copy everything.

ok miod@ jsing@

Replace internal call to CRYPTO_memcmp with timingsafe_memcmp.

Suggested by jsing@.

ok jsing@ miod@

Add CBS_dup() to initialize a new CBS with the same values.

This is useful for when you need to check the data ahead and then continue
on from the same spot.

input + ok jsing@ miod@

Use explicit int in bs_cbs.c.

ok miod@ jsing@

Add CBS_write_bytes() to copy the remaining CBS bytes to the caller.

This is a common operation when dealing with CBS.

ok miod@ jsing@

Add a new function CBS_offset() to report the current offset in the data.

"why not" miod@, sure jsing@

Simplify cbs_get_any_asn1_element_internal based on comments from jsing@

Make CBS_get_any_asn1_element() more compliant with DER encoding.

CBS_get_any_asn1_element violates DER encoding by allowing indefinite
form. All callers except bs_ber.c expect DER encoding. The callers
must check to see if it was indefinite or not.

Rather than exposing all callers to this behavior,
cbs_get_any_asn1_element_internal() allows specifying whether you want to
allow the normally forbidden indefinite form. This is used by
CBS_get_any_asn1_element() for strict DER encoding and by a new static
function in bs_ber.c for the relaxed version.

While I was here, I added comments to differentiate between ASN.1
restrictions and CBS limitations.

ok miod@

Reject long-form tags in CBS_peek_asn1_tag.

Currently, CBS only handles short-form tags.

ok miod@ jsing@

Add whitespace and replace OPENSSL_free with free in documentation.

ok jsing@

Avoid NULL deref in CBS_get_any_asn1_element().

This function is documented as allowing NULL for out_header_len.

ok jsing@

Added error checking for len argument in cbs_get_u().

tweak + ok jsing@

free() can handle NULL.

ok jsing@

Check for invalid leading zeros in CBS_get_asn1_uint64.

ASN.1 integers cannot have all zeros or all ones for the first 9 bits.
This rule ensures the numbers are encoded with the smallest number of
content octets (see ITU-T Rec X.690 section 8.3.2).

Based on BoringSSL commit 5933723b7b592e9914f703d630b596e140c93e16

ok deraadt@ jsing@

KNF bytestring files.

I checked that this doesn't change anything. Compiled with clang using
-Wno-pointer-sign -g0 to reduce the differences. Only difference in the
asm is due to assert(0) line number changes in bs_cbs.c and bs_cbb.c.

miod is ok with the general process.

Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.

This is imported with as few changes as possible for the initial commit.
I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc()
and changed a few header includes.

BoringSSL has this as part of their public API. We're leaving it internal
to libssl for now.

Based on BoringSSL's CBB/CBS API as of commit
c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54.

input + ok jsing@, miod@