Unwind ASN1_TFLG_NDEF.

Sadly we need to keep ASN1_put_eoc. Ruby uses it.

OpenSSL's PKCS#7 implementation generated an "ndef" variant of the
encoding functions, to request indefinite-length encoding. Remove the
support code for this.

Update-Note: Types that use one of the NDEF macros in asn1t.h will fail
to compile. This CL should not affect certificate parsing.

Change-Id: I6e03f6927ea4b7a6acd73ac58bf49512b39baab8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43889
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 128d28f..481a4d7 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -251,6 +251,8 @@
 
 int ASN1_put_eoc(unsigned char **pp)
 {
+    /* This function is no longer used in the library, but some external code
+     * uses it. */
     unsigned char *p = *pp;
     *p++ = 0;
     *p++ = 0;
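Review bot: The comment added at the top of ASN1_put_eoc says why the function is kept but not what a caller must guarantee, which matters more now that nothing in the library exercises it. The two visible stores `*p++ = 0;` write through `*pp` with no length argument, so the caller must already have reserved two bytes. I would state that and move the comment above the signature, where API users look, e.g. `/* Writes a two-byte end-of-contents marker at |*pp|; the caller must ensure two bytes are available. Unused in the library, kept for external callers. */`. The rest of the body lies outside the hunk, so how `*pp` is updated afterwards is assumed rather than seen.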
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 375d103..1512bfc 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -307,7 +307,6 @@
         *in = p;
         return 1;
 
-    case ASN1_ITYPE_NDEF_SEQUENCE:
     case ASN1_ITYPE_SEQUENCE:
         p = *in;
 
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index 7487833..c02f3c5 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -76,16 +76,9 @@
                                const ASN1_ITEM *it, int flags);
 
 /*
- * Top level i2d equivalents: the 'ndef' variant instructs the encoder to use
- * indefinite length constructed encoding, where appropriate
+ * Top level i2d equivalents
  */
 
-int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out,
-                       const ASN1_ITEM *it)
-{
-    return asn1_item_flags_i2d(val, out, it, ASN1_TFLG_NDEF);
-}
-
 int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it)
 {
     return asn1_item_flags_i2d(val, out, it, 0);
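Review bot: The shortened comment `Top level i2d equivalents` no longer says what these functions are equivalents of. With ASN1_item_ndef_i2d removed, the only call visible here passes `0` as the flags argument of asn1_item_flags_i2d. If no other caller passes non-zero flags (not visible in this hunk), the parameter is dead and the helper could be folded into ASN1_item_i2d. Otherwise the comment could at least record the new guarantee, e.g. `/* ASN1_item_i2d always emits definite-length encodings. */`. The closing brace of ASN1_item_i2d lies outside the hunk.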
@@ -128,7 +121,7 @@
                      const ASN1_ITEM *it, int tag, int aclass)
 {
     const ASN1_TEMPLATE *tt = NULL;
-    int i, seqcontlen, seqlen, ndef = 1;
+    int i, seqcontlen, seqlen;
     const ASN1_EXTERN_FUNCS *ef;
     const ASN1_AUX *aux = it->funcs;
     ASN1_aux_cb *asn1_cb = 0;
@@ -172,12 +165,6 @@
         ef = it->funcs;
         return ef->asn1_ex_i2d(pval, out, it, tag, aclass);
 
-    case ASN1_ITYPE_NDEF_SEQUENCE:
-        /* Use indefinite length constructed if requested */
-        if (aclass & ASN1_TFLG_NDEF)
-            ndef = 2;
-        OPENSSL_FALLTHROUGH;
-
     case ASN1_ITYPE_SEQUENCE:
         i = asn1_enc_restore(&seqcontlen, out, pval, it);
         /* An error occurred */
@@ -212,11 +199,11 @@
             seqcontlen += tmplen;
         }
 
-        seqlen = ASN1_object_size(ndef, seqcontlen, tag);
+        seqlen = ASN1_object_size(/*constructed=*/1, seqcontlen, tag);
         if (!out || seqlen == -1)
             return seqlen;
         /* Output SEQUENCE header */
-        ASN1_put_object(out, ndef, seqcontlen, tag, aclass);
+        ASN1_put_object(out, /*constructed=*/1, seqcontlen, tag, aclass);
         for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
             const ASN1_TEMPLATE *seqtt;
             ASN1_VALUE **pseqval;
@@ -227,8 +214,6 @@
             /* FIXME: check for errors in enhanced version */
             asn1_template_ex_i2d(pseqval, out, seqtt, -1, aclass);
         }
-        if (ndef == 2)
-            ASN1_put_eoc(out);
         if (asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it, NULL))
             return 0;
         return seqlen;
@@ -243,7 +228,7 @@
 static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
                                 const ASN1_TEMPLATE *tt, int tag, int iclass)
 {
-    int i, ret, flags, ttag, tclass, ndef;
+    int i, ret, flags, ttag, tclass;
     size_t j;
     flags = tt->flags;
     /*
@@ -279,12 +264,6 @@
      * class and iclass is any flags passed to this function.
      */
 
-    /* if template and arguments require ndef, use it */
-    if ((flags & ASN1_TFLG_NDEF) && (iclass & ASN1_TFLG_NDEF))
-        ndef = 2;
-    else
-        ndef = 1;
-
     if (flags & ASN1_TFLG_SK_MASK) {
         /* SET OF, SEQUENCE OF */
         STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;
@@ -329,12 +308,12 @@
                 return -1;
             skcontlen += tmplen;
         }
-        sklen = ASN1_object_size(ndef, skcontlen, sktag);
+        sklen = ASN1_object_size(/*constructed=*/1, skcontlen, sktag);
         if (sklen == -1)
             return -1;
         /* If EXPLICIT need length of surrounding tag */
         if (flags & ASN1_TFLG_EXPTAG)
-            ret = ASN1_object_size(ndef, sklen, ttag);
+            ret = ASN1_object_size(/*constructed=*/1, sklen, ttag);
         else
             ret = sklen;
 
@@ -344,18 +323,12 @@
         /* Now encode this lot... */
         /* EXPLICIT tag */
         if (flags & ASN1_TFLG_EXPTAG)
-            ASN1_put_object(out, ndef, sklen, ttag, tclass);
+            ASN1_put_object(out, /*constructed=*/1, sklen, ttag, tclass);
         /* SET or SEQUENCE and IMPLICIT tag */
-        ASN1_put_object(out, ndef, skcontlen, sktag, skaclass);
+        ASN1_put_object(out, /*constructed=*/1, skcontlen, sktag, skaclass);
         /* And the stuff itself */
         asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item),
                          isset, iclass);
-        if (ndef == 2) {
-            ASN1_put_eoc(out);
-            if (flags & ASN1_TFLG_EXPTAG)
-                ASN1_put_eoc(out);
-        }
-
         return ret;
     }
 
@@ -366,13 +339,11 @@
         if (!i)
             return 0;
         /* Find length of EXPLICIT tag */
-        ret = ASN1_object_size(ndef, i, ttag);
+        ret = ASN1_object_size(/*constructed=*/1, i, ttag);
         if (out && ret != -1) {
             /* Output tag and item */
-            ASN1_put_object(out, ndef, i, ttag, tclass);
+            ASN1_put_object(out, /*constructed=*/1, i, ttag, tclass);
             ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, iclass);
-            if (ndef == 2)
-                ASN1_put_eoc(out);
         }
         return ret;
     }
@@ -471,7 +442,6 @@
     int len;
     int utype;
     int usetag;
-    int ndef = 0;
 
     utype = it->utype;
 
@@ -497,12 +467,6 @@
     if (len == -1)
         return 0;
 
-    /* -2 return is special meaning use ndef */
-    if (len == -2) {
-        ndef = 2;
-        len = 0;
-    }
-
     /* If not implicitly tagged get tag from underlying type */
     if (tag == -1)
         tag = utype;
@@ -510,16 +474,13 @@
     /* Output tag+length followed by content octets */
     if (out) {
         if (usetag)
-            ASN1_put_object(out, ndef, len, tag, aclass);
+            ASN1_put_object(out, /*constructed=*/0, len, tag, aclass);
         asn1_ex_i2c(pval, *out, &utype, it);
-        if (ndef)
-            ASN1_put_eoc(out);
-        else
-            *out += len;
+        *out += len;
     }
 
     if (usetag)
-        return ASN1_object_size(ndef, len, tag);
+        return ASN1_object_size(/*constructed=*/0, len, tag);
     return len;
 }
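Review bot: `*out += len;` now runs unconditionally, and the only negative length filtered before it is the `len == -1` test shown as context in the preceding hunk. This commit removes the `-2` return from asn1_ex_i2c, but the rest of that function is not visible here. If any path can still return another negative value, it would be passed to ASN1_put_object and would move `*out` backwards. A cheap hardening is to reject it next to the existing test, for example `if (len < -1) return -1;`, assuming -1 is this function's error return as it is in asn1_template_ex_i2d. The function's opening lies outside the hunk.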
 
@@ -626,16 +587,6 @@
     default:
         /* All based on ASN1_STRING and handled the same */
         strtmp = (ASN1_STRING *)*pval;
-        /* Special handling for NDEF */
-        if ((it->size == ASN1_TFLG_NDEF)
-            && (strtmp->flags & ASN1_STRING_FLAG_NDEF)) {
-            if (cout) {
-                strtmp->data = cout;
-                strtmp->length = 0;
-            }
-            /* Special return code */
-            return -2;
-        }
         cont = strtmp->data;
         len = strtmp->length;
 
diff --git a/crypto/asn1/tasn_fre.c b/crypto/asn1/tasn_fre.c
index 82431d7..78d6626 100644
--- a/crypto/asn1/tasn_fre.c
+++ b/crypto/asn1/tasn_fre.c
@@ -129,7 +129,6 @@
             ef->asn1_ex_free(pval, it);
         break;
 
-    case ASN1_ITYPE_NDEF_SEQUENCE:
     case ASN1_ITYPE_SEQUENCE:
         if (!asn1_refcount_dec_and_test_zero(pval, it))
             return;
diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c
index 5f7f94e..139a044 100644
--- a/crypto/asn1/tasn_new.c
+++ b/crypto/asn1/tasn_new.c
@@ -154,7 +154,6 @@
             goto auxerr2;
         break;
 
-    case ASN1_ITYPE_NDEF_SEQUENCE:
     case ASN1_ITYPE_SEQUENCE:
         if (asn1_cb) {
             i = asn1_cb(ASN1_OP_NEW_PRE, pval, it, NULL);
@@ -240,7 +239,6 @@
 
     case ASN1_ITYPE_CHOICE:
     case ASN1_ITYPE_SEQUENCE:
-    case ASN1_ITYPE_NDEF_SEQUENCE:
         *pval = NULL;
         break;
     }
diff --git a/crypto/asn1/tasn_typ.c b/crypto/asn1/tasn_typ.c
index 7c5bfd5..44399ea 100644
--- a/crypto/asn1/tasn_typ.c
+++ b/crypto/asn1/tasn_typ.c
@@ -117,8 +117,6 @@
 
 /* Special, OCTET STRING with indefinite length constructed support */
 
-IMPLEMENT_ASN1_TYPE_ex(ASN1_OCTET_STRING_NDEF, ASN1_OCTET_STRING, ASN1_TFLG_NDEF)
-
 ASN1_ITEM_TEMPLATE(ASN1_SEQUENCE_ANY) =
         ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, ASN1_SEQUENCE_ANY, ASN1_ANY)
 ASN1_ITEM_TEMPLATE_END(ASN1_SEQUENCE_ANY)
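Review bot: The context comment `/* Special, OCTET STRING with indefinite length constructed support */` is left behind although the `ASN1_OCTET_STRING_NDEF` line it described is deleted, so it now appears to describe ASN1_SEQUENCE_ANY. I would delete the comment together with the type, so readers are not led to believe indefinite-length output is still supported in this file.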
diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c
index a7516f6..91e0842 100644
--- a/crypto/asn1/tasn_utl.c
+++ b/crypto/asn1/tasn_utl.c
@@ -91,8 +91,7 @@
 
 static CRYPTO_refcount_t *asn1_get_references(ASN1_VALUE **pval,
                                               const ASN1_ITEM *it) {
-  if (it->itype != ASN1_ITYPE_SEQUENCE &&
-      it->itype != ASN1_ITYPE_NDEF_SEQUENCE) {
+  if (it->itype != ASN1_ITYPE_SEQUENCE) {
     return NULL;
   }
   const ASN1_AUX *aux = it->funcs;
diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h
index 0cffd57..b6d1441 100644
--- a/include/openssl/asn1.h
+++ b/include/openssl/asn1.h
@@ -280,9 +280,6 @@
 	OPENSSL_EXPORT int i2d_##name(const type *a, unsigned char **out); \
 	DECLARE_ASN1_ITEM(name)
 
-#define	DECLARE_ASN1_NDEF_FUNCTION(name) \
-	OPENSSL_EXPORT int i2d_##name##_NDEF(name *a, unsigned char **out);
-
 #define DECLARE_ASN1_FUNCTIONS_const(name) \
 	DECLARE_ASN1_ALLOC_FUNCTIONS(name) \
 	DECLARE_ASN1_ENCODE_FUNCTIONS_const(name, name)
@@ -707,8 +704,6 @@
 DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
 DECLARE_ASN1_FUNCTIONS(ASN1_TIME)
 
-DECLARE_ASN1_ITEM(ASN1_OCTET_STRING_NDEF)
-
 OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t);
 OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s,time_t t, int offset_day, long offset_sec);
 OPENSSL_EXPORT int ASN1_TIME_check(const ASN1_TIME *t);
@@ -789,7 +784,6 @@
 OPENSSL_EXPORT void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it);
 OPENSSL_EXPORT ASN1_VALUE * ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it);
 OPENSSL_EXPORT int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it);
-OPENSSL_EXPORT int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it);
 
 OPENSSL_EXPORT ASN1_TYPE *ASN1_generate_nconf(const char *str, CONF *nconf);
 OPENSSL_EXPORT ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf);
diff --git a/include/openssl/asn1t.h b/include/openssl/asn1t.h
index 540ca06..7e55ecd 100644
--- a/include/openssl/asn1t.h
+++ b/include/openssl/asn1t.h
@@ -141,12 +141,6 @@
 		#stname \
 	ASN1_ITEM_end(tname)
 
-#define ASN1_NDEF_SEQUENCE(tname) \
-	ASN1_SEQUENCE(tname)
-
-#define ASN1_NDEF_SEQUENCE_cb(tname, cb) \
-	ASN1_SEQUENCE_cb(tname, cb)
-
 #define ASN1_SEQUENCE_cb(tname, cb) \
 	static const ASN1_AUX tname##_aux = {NULL, 0, 0, cb, 0}; \
 	ASN1_SEQUENCE(tname)
@@ -159,18 +153,6 @@
 	static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, cb, offsetof(tname, enc)}; \
 	ASN1_SEQUENCE(tname)
 
-#define ASN1_NDEF_SEQUENCE_END(tname) \
-	;\
-	ASN1_ITEM_start(tname) \
-		ASN1_ITYPE_NDEF_SEQUENCE,\
-		V_ASN1_SEQUENCE,\
-		tname##_seq_tt,\
-		sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-		NULL,\
-		sizeof(tname),\
-		#tname \
-	ASN1_ITEM_end(tname)
-
 #define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
 
 #define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
@@ -187,18 +169,6 @@
 		#stname \
 	ASN1_ITEM_end(tname)
 
-#define ASN1_NDEF_SEQUENCE_END_cb(stname, tname) \
-	;\
-	ASN1_ITEM_start(tname) \
-		ASN1_ITYPE_NDEF_SEQUENCE,\
-		V_ASN1_SEQUENCE,\
-		tname##_seq_tt,\
-		sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-		&tname##_aux,\
-		sizeof(stname),\
-		#stname \
-	ASN1_ITEM_end(tname)
-
 
 /* This pair helps declare a CHOICE type. We can do:
  *
@@ -347,14 +317,6 @@
 #define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \
 			ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
 
-/* EXPLICIT using indefinite length constructed form */
-#define ASN1_NDEF_EXP(stname, field, type, tag) \
-			ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_NDEF)
-
-/* EXPLICIT OPTIONAL using indefinite length constructed form */
-#define ASN1_NDEF_EXP_OPT(stname, field, type, tag) \
-			ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL|ASN1_TFLG_NDEF)
-
 /* Macros for the ASN1_ADB structure */
 
 #define ASN1_ADB(name) \
@@ -498,13 +460,6 @@
 
 #define ASN1_TFLG_COMBINE	(0x1<<10)
 
-/* This flag when present in a SEQUENCE OF, SET OF
- * or EXPLICIT causes indefinite length constructed
- * encoding to be used if required.
- */
-
-#define ASN1_TFLG_NDEF		(0x1<<11)
-
 /* This is the actual ASN1 item itself */
 
 struct ASN1_ITEM_st {
@@ -553,10 +508,6 @@
  * has a special meaning, it is used as a mask
  * of acceptable types using the B_ASN1 constants.
  *
- * NDEF_SEQUENCE is the same as SEQUENCE except
- * that it will use indefinite length constructed
- * encoding if requested.
- *
  */
 
 #define ASN1_ITYPE_PRIMITIVE		0x0
@@ -569,8 +520,6 @@
 
 #define ASN1_ITYPE_MSTRING		0x5
 
-#define ASN1_ITYPE_NDEF_SEQUENCE	0x6
-
 /* Cache for ASN1 tag and length, so we
  * don't keep re-reading it for things
  * like CHOICE
@@ -771,12 +720,6 @@
 		return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
 	} 
 
-#define IMPLEMENT_ASN1_NDEF_FUNCTION(stname) \
-	int i2d_##stname##_NDEF(stname *a, unsigned char **out) \
-	{ \
-		return ASN1_item_ndef_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(stname));\
-	} 
-
 /* This includes evil casts to remove const: they will go away when full
  * ASN1 constification is done.
  */