|author||David Benjamin <firstname.lastname@example.org>||Wed Sep 08 16:50:24 2021 -0400|
|committer||Boringssl LUCI CQ <email@example.com>||Mon Sep 20 15:16:05 2021 +0000|
Unwind remnants of ASN1_TFLG_NDEF. The i2d functions internally take a tag/class pair of parameters. If tag is not -1, we override the tag with (tag, class). Otherwise, class is ignored. (class is inconsistently called aclass or iclass.) Historically, the remaning bits of class were repurposed to pass extra flags down the structure. These had to be preserved in all recursive calls, so the functions take apart and reassemble the two halves of aclass/iclass. The only such flag was ASN1_TFLG_NDEF, which on certain types, caused OpenSSL to encode indefinite-length encoding. We removed this in https://boringssl-review.googlesource.com/c/boringssl/+/43889. Due to these flags, if tag == -1, class should default to zero. However, X509_NAME's callbacks pass -1, -1, instead of -1, 0, effectively setting all flags. This wasn't noticed because none of the types below X509_NAME pay attention to ASN1_TFLG_NDEF. This CL does two things: First, it unwinds the remainder of the flags machinery. If we ever need flags, we should pass it as a distinct argument. Second, it fixes the X509_NAME calls and asserts that -1 is always paired with 0. Change-Id: I285a73a06ad16980617fe23d5ea7f260fc5dbf16 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49385 Commit-Queue: David Benjamin <firstname.lastname@example.org> Reviewed-by: Adam Langley <email@example.com>
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
There are other files in this directory which might be helpful: