commit | 97d48dbeb8010365a1d5cb029bee29617261d8a0 | [log] [tgz] |
---|---|---|
author | David Benjamin <davidben@google.com> | Wed Mar 29 03:09:15 2023 +0900 |
committer | Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> | Tue Mar 28 22:02:15 2023 +0000 |
tree | a510719d3366e15c747e69864b8ecd84ff1d3ac6 | |
parent | 0e8e3c682fd5459cca3d12466dc35bdf9b483ffa [diff] |
Sort various X.509 global lists sooner These functions need a lot more work, documentation, warnings that using them isn't a good idea, and really we should just remove them entirely. But, for now, this is a minimal fix to the most egregious of issues: not only are the functions themselves not thread-safe (i.e. you must call it in some program-global initialization), but using them puts you in a state where future uses of the X.509 library are not thread-safe! Fix the latter by sorting the list at the point we're already mutating things. Re-sorting a list after every addition is not a particularly sensible implementation, but we can assume these lists will only ever contain O(1) entries. (The sort calls date to https://boringssl-review.googlesource.com/c/boringssl/+/27304, but the issue was there before. Prior to that CL, sk_FOO_find implicitly sorted the list. That CL made sk_FOO_find itself a const operation, necessary for this, and just added explicit sk_FOO_sort calls to preserve the existing behavior, initially.) Change-Id: I063b8e708eaf17dfe66c5a3e8d33733adb3297e9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58385 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
Project links:
There are other files in this directory which might be helpful: