Google Git
Sign in
boringssl / boringssl / 00d7a7cee7e4c483cf326e19e32aa9065f33dc0a
commit00d7a7cee7e4c483cf326e19e32aa9065f33dc0a[log] [tgz]
authorDavid Benjamin <davidben@google.com>Thu Jul 21 02:21:48 2016 +0200
committerAdam Langley <agl@google.com>Thu Jul 21 17:46:15 2016 +0000
tree52d5f38c5c5b2b35b7dbebf4945dea5b4a15768b
parent84f855175379f663491d28d89ba00d4a3e64fb7b [diff]
Drop cached certificate signature validity flag

It seems risky in the context of cross-signed certificates when the
same certificate might have multiple potential issuers.  Also rarely
used, since chains in OpenSSL typically only employ self-signed
trust-anchors, whose self-signatures are not checked, while untrusted
certificates are generally ephemeral.

(Imported from upstream's 0e76014e584ba78ef1d6ecb4572391ef61c4fb51.)

This is in master and not 1.0.2, but having a per-certificate signature
cache when this is a function of signature and issuer seems dubious at
best. Thanks to Viktor Dukhovni for pointing this change out to me.
(And for making the original change upstream, of course.)

Change-Id: Ie692d651726f14aeba6eaab03ac918fcaedb4eeb
Reviewed-on: https://boringssl-review.googlesource.com/8880
Reviewed-by: Adam Langley <agl@google.com>
3 files changed
tree: 52d5f38c5c5b2b35b7dbebf4945dea5b4a15768b
  1. .github/
  2. crypto/
  3. decrepit/
  4. fuzz/
  5. include/
  6. infra/
  7. ssl/
  8. third_party/
  9. tool/
  10. util/
  11. .clang-format
  12. .gitignore
  13. BUILDING.md
  14. CMakeLists.txt
  15. codereview.settings
  16. CONTRIBUTING.md
  17. FUZZING.md
  18. INCORPORATING.md
  19. LICENSE
  20. PORTING.md
  21. README.md
  22. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

There are other files in this directory which might be helpful: