Google Git
Sign in
boringssl/boringssl/HEAD
commit
aef0e2df53d9b2357c2e7ee7e93fc869214a00b4
[log]
author
David Benjamin <davidben@google.com>
Thu Apr 30 11:55:09 2026 -0400
committer
boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Fri May 01 15:08:45 2026 -0700
tree
9dcb942ef347fcaaaee5a64342373abba3f8f1c8
parent
7a441c6bba12b1dee1dc39b362f73caa4d0cd4d3 [diff]
Reference-count CRYPTO_BUFFER_POOLs

SSL_CTX_set0_buffer_pool was a difficult API to use correctly, if you
tried to free your buffer pools. (It was envisioned as being mostly used
with global pools.)

You had to ensure the pool outlives the SSL_CTX, but the SSL_CTX is
reference-counted, so it is hard to be sure when the SSL_CTX will be
destroyed. SSL objects, in particular, extend the lifetime.

Instead, just reference-count the pools. Note that buffers still do not
own references to their pools. That is still a weak reference. We
probably could promote it to a strong reference now, but no need to keep
the hash table around when we don't need to.

With that, deprecated SSL_CTX_set0_buffer_pool in favor of
SSL_CTX_set1_buffer_pool, though SSL_CTX_set0_buffer_pool now internally
takes the refcount to and becomes safer automatically. (This should be
backwards-compatible.) I've switched calls within the library to the
set1 spelling but left bssl-tls alone for now, since bssl-tls can
probably take other simplifications at the same time.

Change-Id: I1421b44cc129c7f2d7090538ac595a5530688f2f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/94467
Reviewed-by: Xiangfei Ding <xfding@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Xiangfei Ding <xfding@google.com>
Presubmit-BoringSSL-Verified: boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
19 files changed
tree: 9dcb942ef347fcaaaee5a64342373abba3f8f1c8
  1. .bcr/
  2. .github/
  3. bench/
  4. cmake/
  5. crypto/
  6. decrepit/
  7. docs/
  8. fuzz/
  9. gen/
  10. include/
  11. infra/
  12. pki/
  13. rust/
  14. ssl/
  15. third_party/
  16. tool/
  17. util/
  18. .bazelignore
  19. .bazelrc
  20. .bazelversion
  21. .clang-format
  22. .clang-format-ignore
  23. .clangd
  24. .gitattributes
  25. .gitignore
  26. API-CONVENTIONS.md
  27. AUTHORS
  28. BREAKING-CHANGES.md
  29. BUILD.bazel
  30. build.json
  31. BUILDING.md
  32. CMakeLists.txt
  33. codereview.settings
  34. CONTRIBUTING.md
  35. FUZZING.md
  36. go.mod
  37. go.sum
  38. INCORPORATING.md
  39. LICENSE
  40. MODULE.bazel
  41. MODULE.bazel.lock
  42. PORTING.md
  43. PRESUBMIT.py
  44. PrivacyInfo.xcprivacy
  45. README.md
  46. SANDBOXING.md
  47. SECURITY.md
  48. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

To file a security issue, use the Chromium process and mention in the report this is for BoringSSL. You can ignore the parts of the process that are specific to Chromium/Chrome.

There are other files in this directory which might be helpful: