Google Git
Sign in
boringssl/boringssl/c2c9f2f3e5c5d57d0186b14ce2463f9c4a8f8cde
commit
c2c9f2f3e5c5d57d0186b14ce2463f9c4a8f8cde
[log]
author
Rudolf Polzer <rpolzer@google.com>
Tue May 19 04:01:27 2026 -0700
committer
boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Wed May 20 00:38:41 2026 -0700
tree
d6e583d0352acb8b38e5ffb964214636e7d1f8b4
parent
3fff7111b0eca817466e121059cb4e8b67ade35b [diff]
X509_VERIFY_PARAM_inherit/_set1: refuse if either params are poisoned.

Before, these functions would unconditionally copy the src's poison flag
to the dst, potentially resulting in an unpoisoned context even if the
reason for poisoning (e.g. a field with invalid value) remains.

After this change, copying always fails if any of the two params is
poisoned.

The most relevant code path for this is when `X509_STORE_CTX_init` is
called with a poisoned `X509_STORE`; it happily copied the poisoned
context and then cleared the poison flag while inheriting from defaults.

Yes, instead the calls in `X509_STORE_CTX_init` could be reversed to
first `inherit` from the defaults and then to `set1` from the user
provided context, which then would yield the correct copied poison flag;
however it seems prudent to instead harden the public APIs, as there
could be more issues of this kind.

Not considering a vulnerability as the poison flag can only ever be set
on a call to us if a caller used an API wrong by ignoring its return
value. Of course, the whole purpose of the flag is to detect and fail
such callers so no damage happens.

Change-Id: Iaed97dfa21863c882a0d46b1b8439ec06a6a6964
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/95527
Commit-Queue: Rudolf Polzer <rpolzer@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Presubmit-BoringSSL-Verified: boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
2 files changed
tree: d6e583d0352acb8b38e5ffb964214636e7d1f8b4
  1. .bcr/
  2. .github/
  3. bench/
  4. cmake/
  5. crypto/
  6. decrepit/
  7. docs/
  8. fuzz/
  9. gen/
  10. include/
  11. infra/
  12. pki/
  13. rust/
  14. ssl/
  15. third_party/
  16. tool/
  17. util/
  18. .bazelignore
  19. .bazelrc
  20. .bazelversion
  21. .clang-format
  22. .clang-format-ignore
  23. .clangd
  24. .gitattributes
  25. .gitignore
  26. API-CONVENTIONS.md
  27. AUTHORS
  28. BREAKING-CHANGES.md
  29. BUILD.bazel
  30. build.json
  31. BUILDING.md
  32. CMakeLists.txt
  33. codereview.settings
  34. CONTRIBUTING.md
  35. FUZZING.md
  36. go.mod
  37. go.sum
  38. INCORPORATING.md
  39. LICENSE
  40. MODULE.bazel
  41. MODULE.bazel.lock
  42. PORTING.md
  43. PRESUBMIT.py
  44. PrivacyInfo.xcprivacy
  45. README.md
  46. SANDBOXING.md
  47. SECURITY.md
  48. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

To file a security issue, use the Chromium process and mention in the report this is for BoringSSL. You can ignore the parts of the process that are specific to Chromium/Chrome.

There are other files in this directory which might be helpful: