|author||David Benjamin <firstname.lastname@example.org>||Wed Nov 16 17:08:23 2016 +0900|
|committer||CQ bot account: email@example.com <firstname.lastname@example.org>||Wed Nov 16 23:58:02 2016 +0000|
Parse ClientHello extensions before deciding on resumption. This simplifies a little code around EMS and PSK KE modes, but requires tweaking the SNI code. The extensions that are more tightly integrated with the handshake are still processed inline for now. It does, however, require an extra state in 1.2 so the asynchronous session callback does not cause extensions to be processed twice. Tweak a test enforce this. This and a follow-up to move cert_cb before resumption are done in preparation for resolving the cipher suite before resumption and only resuming on match. Note this has caller-visible effects: - The legacy SNI callback happens before resumption. - The ALPN callback happens before resumption. - Custom extension ClientHello parsing callbacks also cannot depend on resumption state. - The DoS protection callback now runs after all the extension callbacks as it is documented to be called after the resumption decision. BUG=116 Change-Id: I1281a3b61789b95c370314aaed4f04c1babbc65f Reviewed-on: https://boringssl-review.googlesource.com/11845 Reviewed-by: Adam Langley <email@example.com> Commit-Queue: Adam Langley <firstname.lastname@example.org> CQ-Verified: CQ bot account: email@example.com <firstname.lastname@example.org>
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
There are other files in this directory which might be helpful: