Google Git
Sign in
boringssl / boringssl / b2a2955da7ed3190f099817b8e3daabe322a1078
commitb2a2955da7ed3190f099817b8e3daabe322a1078[log] [tgz]
authorDavid Benjamin <davidben@google.com>Fri Sep 26 13:14:58 2025 -0400
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>Mon Sep 29 11:54:16 2025 -0700
tree3af8b84a347b59e4e115693031a8608fff8191c6
parent91f3df0a20f6d3dd3e2f749b4a2730b68c3d585e [diff]
Introduce cipher constants without the leading 0x03

It is confusing to always have to explain that our API believes
different notion of cipher suite ID than the IETF does. The only gap at
this point is that we don't have constants defined.

Define the constants for the cipher suites we implement, then deprecate
all the old stuff. Switch ourselves internally to only pass the 16-bit
IDs around, which avoids some confusing 0xffffs. The leading 0x03 can be
pasted on at the legacy SSL_CIPHER_get_id function.

The new constants were named to match the IANA names, minus the leading
TLS_. This means a few constants don't match their CK values in name.

There are TLS1_CK_ constants for a host of cipher suites we don't
implement. I've left them alone for now, but I think we can remove them
in a follow-up commit.

Change-Id: Ifeb9cdceb351610fab7633c4068a8729a64ff11b
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/82307
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Lily Chen <chlily@google.com>
Commit-Queue: Lily Chen <chlily@google.com>
13 files changed
tree: 3af8b84a347b59e4e115693031a8608fff8191c6
  1. .bcr/
  2. .github/
  3. cmake/
  4. crypto/
  5. decrepit/
  6. docs/
  7. fuzz/
  8. gen/
  9. include/
  10. infra/
  11. pki/
  12. rust/
  13. ssl/
  14. third_party/
  15. tool/
  16. util/
  17. .bazelignore
  18. .bazelrc
  19. .bazelversion
  20. .clang-format
  21. .gitignore
  22. API-CONVENTIONS.md
  23. AUTHORS
  24. BREAKING-CHANGES.md
  25. BUILD.bazel
  26. build.json
  27. BUILDING.md
  28. CMakeLists.txt
  29. codereview.settings
  30. CONTRIBUTING.md
  31. FUZZING.md
  32. go.mod
  33. go.sum
  34. INCORPORATING.md
  35. LICENSE
  36. MODULE.bazel
  37. MODULE.bazel.lock
  38. PORTING.md
  39. PrivacyInfo.xcprivacy
  40. README.md
  41. SANDBOXING.md
  42. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

To file a security issue, use the Chromium process and mention in the report this is for BoringSSL. You can ignore the parts of the process that are specific to Chromium/Chrome.

There are other files in this directory which might be helpful: