)]}' { "commit": "5d880140674cd36d84331de7df95c2dc00dc7686", "tree": "2ae3f65583cd7b379216559f3fe54368beff82cd", "parents": [ "bca5875eb3c25348ec07758cde66ebec27031ce4" ], "author": { "name": "David Benjamin", "email": "davidben@google.com", "time": "Tue Feb 20 17:34:14 2024 -0500" }, "committer": { "name": "Boringssl LUCI CQ", "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com", "time": "Fri Feb 23 16:35:04 2024 +0000" }, "message": "Deprecate and simplify SSL_CTX_check_private_key\n\nIt is not actually possible to configure an inconsistent certificate and\nprivate key pair (short of mutating the objects after you\u0027ve configured\nthem). The functions that configure certificates and private keys will\nrefuse to get CERT into an inconsistent state.\n\nSSL_CTX_check_private_key is really just checking that you have a\ncertificate and private key at all. Some callers (notably pyOpenSSL\u0027s\ntests) are written as if SSL_CTX_check_private_key does something more,\nbut that\u0027s only because they also configure certificate and private key\nin the wrong order. If you configure the key first, configuring the\ncertificate silently drops the mismatched private key because OpenSSL\nthinks you\u0027re overwriting an identity. SSL_CTX_check_private_key is\nreally just detecting this case.\n\nAdd tests for all this behavior, document that certificates should be\nconfigured first, and then deprecate SSL_CTX_check_private_key because,\nin the correct order, this function is superfluous.\n\nThis will get shuffled around with SSL_CREDENTIAL, so add some tests\nfirst.\n\nBug: 249\nChange-Id: I3fcc0f51add1826d581583b43ff003c0dea979dd\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66447\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Bob Beck \u003cbbe@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "97fe96e201ec047c9bb893b5afd5716fa5786549", "old_mode": 33188, "old_path": "include/openssl/ssl.h", "new_id": "04f187362b42379027a4d028d33b415a123952a8", "new_mode": 33188, "new_path": "include/openssl/ssl.h" }, { "type": "modify", "old_id": "13b97daa4ce05b5375dd6e217b1f372f7d166163", "old_mode": 33188, "old_path": "ssl/internal.h", "new_id": "9e7a05b1c3d07db8caa10d1ceaf1e208b4167776", "new_mode": 33188, "new_path": "ssl/internal.h" }, { "type": "modify", "old_id": "d635fb35be4af90fa14df4634b28ba3d8dc15ea2", "old_mode": 33188, "old_path": "ssl/ssl_cert.cc", "new_id": "dbc4818eb59861a5037c04838d0913386045d08a", "new_mode": 33188, "new_path": "ssl/ssl_cert.cc" }, { "type": "modify", "old_id": "81a98071315214e3cf446b340fa9186f760bf370", "old_mode": 33188, "old_path": "ssl/ssl_lib.cc", "new_id": "f95cd5db2ad891baf83a927ed8ffcfbce71e3802", "new_mode": 33188, "new_path": "ssl/ssl_lib.cc" }, { "type": "modify", "old_id": "57116cd6cb7f87bad24c22847398d3136347da3b", "old_mode": 33188, "old_path": "ssl/ssl_privkey.cc", "new_id": "b3bb2c802fa2e46e394b2e4e4311590462a62842", "new_mode": 33188, "new_path": "ssl/ssl_privkey.cc" }, { "type": "modify", "old_id": "0b4ad3ccde699ebc19db7f17bcfb95a71d3005a0", "old_mode": 33188, "old_path": "ssl/ssl_test.cc", "new_id": "d12d49c78d57840a78d252456efdada5392982f5", "new_mode": 33188, "new_path": "ssl/ssl_test.cc" } ] }