Google Git
Sign in
boringssl/boringssl.git/16bb6cde3f7d7517b859df01320f9bcdb8c8567b
commit
16bb6cde3f7d7517b859df01320f9bcdb8c8567b
[log]
author
David Benjamin <davidben@google.com>
Mon May 11 12:06:51 2026 -0400
committer
boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Mon May 11 09:35:33 2026 -0700
tree
39b6bea9f8610ced9e67638cfc242a59e245b20e
parent
df41163cb2463d62c9b217ea06aa667a1a01b706 [diff]
Fixup some minor issues in HPKE P-256 key derivation

p256_private_key_from_seed should reject the zero scalar. It is
computationally infeasible to find any input that hits this case, so no
unit test or practical consequence, but we should match the spec I
suppose.

See https://www.rfc-editor.org/rfc/rfc9180.html#name-derivekeypair

Also add some missing error checks for p256_public_from_private. Other
than the computationally infeasible zero scalar above, this is
impossible except for ec_point_mul_scalar_base's fault protection logic
(which is impossible unless there's another bug or CPU fault).

Change-Id: I6961601f4036829c8dba990922b4135c0e141df8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/95188
Auto-Submit: David Benjamin <davidben@google.com>
Presubmit-BoringSSL-Verified: boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
1 file changed
tree: 39b6bea9f8610ced9e67638cfc242a59e245b20e
  1. .bcr/
  2. .github/
  3. bench/
  4. cmake/
  5. crypto/
  6. decrepit/
  7. docs/
  8. fuzz/
  9. gen/
  10. include/
  11. infra/
  12. pki/
  13. rust/
  14. ssl/
  15. third_party/
  16. tool/
  17. util/
  18. .bazelignore
  19. .bazelrc
  20. .bazelversion
  21. .clang-format
  22. .clang-format-ignore
  23. .clangd
  24. .gitattributes
  25. .gitignore
  26. API-CONVENTIONS.md
  27. AUTHORS
  28. BREAKING-CHANGES.md
  29. BUILD.bazel
  30. build.json
  31. BUILDING.md
  32. CMakeLists.txt
  33. codereview.settings
  34. CONTRIBUTING.md
  35. FUZZING.md
  36. go.mod
  37. go.sum
  38. INCORPORATING.md
  39. LICENSE
  40. MODULE.bazel
  41. MODULE.bazel.lock
  42. PORTING.md
  43. PRESUBMIT.py
  44. PrivacyInfo.xcprivacy
  45. README.md
  46. SANDBOXING.md
  47. SECURITY.md
  48. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

To file a security issue, use the Chromium process and mention in the report this is for BoringSSL. You can ignore the parts of the process that are specific to Chromium/Chrome.

There are other files in this directory which might be helpful: