Google Git
Sign in
boringssl / boringssl / 51ae958ff7c99103932e07905c40cbc71a22b389
commit51ae958ff7c99103932e07905c40cbc71a22b389[log] [tgz]
authorDavid Benjamin <davidben@google.com>Sat Nov 25 12:06:49 2023 -0500
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>Tue Dec 05 15:45:23 2023 +0000
tree8620ff94f03ecd3e8f3407ad04da4cff05a10332
parent1fa9cc20f6601f471f80d3debdaa084fc23c4f69 [diff]
Simplify and document X509_VERIFY_PARAM inheritance

X509_VERIFY_PARAM inheritance is unbelievably thorny, and I'm not sure
it was ever thought through very well.

We can make it slightly less complicated by removing the internal
inh_flags value. We don't support X509_VERIFY_PARAM_set_inh_flags (and
really should keep it that way!), so there are actually only two
possible values, zero and X509_VP_FLAG_DEFAULT, used to implement
X509_VERIFY_PARAM_inherit, and X509_VERIFY_PARAM_set1, respectively.

This still leaves some weird behaviors that are expected through the
public API, which I've documented in the headers. They'll probably need
another pass when they're grouped into sections and whatnot.

Bug: 441, 426
Change-Id: Ib0a855afd35e597c65c249627addfef76ed7099d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64253
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
5 files changed
tree: 8620ff94f03ecd3e8f3407ad04da4cff05a10332
  1. .github/
  2. cmake/
  3. crypto/
  4. decrepit/
  5. fuzz/
  6. include/
  7. pki/
  8. rust/
  9. ssl/
  10. third_party/
  11. tool/
  12. util/
  13. .clang-format
  14. .gitignore
  15. API-CONVENTIONS.md
  16. BREAKING-CHANGES.md
  17. BUILDING.md
  18. CMakeLists.txt
  19. codereview.settings
  20. CONTRIBUTING.md
  21. FUZZING.md
  22. go.mod
  23. go.sum
  24. INCORPORATING.md
  25. LICENSE
  26. PORTING.md
  27. README.md
  28. SANDBOXING.md
  29. sources.cmake
  30. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

There are other files in this directory which might be helpful: