BoringSSL is an OpenSSL derivative and is mostly source-compatible, for the subset of OpenSSL retained. Libraries ideally need little to no changes for BoringSSL support, provided they do not use removed APIs. In general, see if the library compiles and, on failure, consult the documentation in the header files and see if problematic features can be removed.
OPENSSL_VERSION_NUMBER matches the OpenSSL version it targets. Version checks for OpenSSL should ideally work as-is in BoringSSL. BoringSSL also defines upstream’s
OPENSSL_NO_* feature macros corresponding to removed features. If the preprocessor is needed, use these version checks or feature macros where possible, especially when patching third-party projects. Such patches are more generally useful to OpenSSL consumers and thus more appropriate to send upstream.
In some cases, BoringSSL-specific code may be necessary. Use the
OPENSSL_IS_BORINGSSL preprocessor macro in
#ifdefs. However, first contact the BoringSSL maintainers about the missing APIs. We will typically add compatibility functions for convenience. In particular, contact BoringSSL maintainers before working around missing OpenSSL 1.1.0 accessors. BoringSSL was originally derived from OpenSSL 1.0.2 but now targets OpenSSL 1.1.0. Some newer APIs may be missing but can be added on request. (Not all projects have been ported to OpenSSL 1.1.0, so BoringSSL also remains largely compatible with OpenSSL 1.0.2.)
OPENSSL_IS_BORINGSSL macro may also be used to distinguish OpenSSL from BoringSSL in configure scripts. Do not use the presence or absence of particular symbols to detect BoringSSL.
Note: BoringSSL does not have a stable API or ABI. It must be updated with its consumers. It is not suitable for, say, a system library in a traditional Linux distribution. For instance, Chromium statically links the specific revision of BoringSSL it was built against. Likewise, Android's system-internal copy of BoringSSL is not exposed by the NDK and must not be used by third-party applications.
Some APIs have been converted to use
size_t for consistency and to avoid integer overflows at the API boundary. (Existing logic uses a mismash of
unsigned.) For the most part, implicit casts mean that existing code continues to compile. In some cases, this may require BoringSSL-specific code, particularly to avoid compiler warnings.
Most notably, the
STACK_OF(T) types have all been converted to use
size_t instead of
int for indices and lengths.
Some external consumers increment reference counts directly by calling
CRYPTO_add with the corresponding
CRYPTO_LOCK_* value. These APIs no longer exist in BoringSSL. Instead, code which increments reference counts should call the corresponding
FOO_up_ref function, such as
BoringSSL also hides some structs which were previously exposed in OpenSSL 1.0.2, particularly in libssl. Use the relevant accessors instead.
Note that some of these APIs were added in OpenSSL 1.1.0, so projects which do not yet support 1.1.0 may need additional
#ifdefs. Projects supporting OpenSSL 1.1.0 should not require modification.
OpenSSL's errors are extremely specific, leaking internals of the library, including even a function code for the function which emitted the error! As some logic in BoringSSL has been rewritten, code which conditions on the error may break (grep for
ERR_GET_FUNC). This danger also exists when upgrading OpenSSL versions.
Where possible, avoid conditioning on the exact error reason. Otherwise, a BoringSSL
#ifdef may be necessary. Exactly how best to resolve this issue is still being determined. It's possible some new APIs will be added in the future.
Function codes have been completely removed. Remove code which conditions on these as it will break with the slightest change in the library, OpenSSL or BoringSSL.
Some OpenSSL APIs are implemented with
ioctl-style functions such as
EVP_PKEY_CTX_ctrl, combined with convenience macros, such as
# define SSL_CTX_set_mode(ctx,op) \ SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
In BoringSSL, these macros have been replaced with proper functions. The underlying
_ctrl functions have been removed.
SSL_CTRL_* values are retained as macros to
doesnt_exist so existing code which uses them (or the wrapper macros) in
#ifdef expressions will continue to function. However, the macros themselves will not work.
*_ctrl callers to the macro/function versions. This works in both OpenSSL and BoringSSL. Note that BoringSSL's function versions will be type-checked and may require more care with types. See the end of this document for a table of functions to use.
EVP_PKEY_HMAC is removed. Use the
HMAC_* functions in
hmac.h instead. This is compatible with OpenSSL.
EVP_PKEY_DSA is deprecated. It is currently still possible to parse DER into a DSA
EVP_PKEY, but signing or verifying with those objects will not work.
DES_cblock type has been switched from an array to a struct to avoid the pitfalls around array types in C. Where features which require DES cannot be disabled, BoringSSL-specific codepaths may be necessary.
OpenSSL enables TLS renegotiation by default and accepts renegotiation requests from the peer transparently. Renegotiation is an extremely problematic protocol feature, so BoringSSL rejects peer renegotiations by default.
To enable renegotiation, call
SSL_set_renegotiate_mode and set it to
ssl_renegotiate_freely. Renegotiation is only supported as a client in TLS and the HelloRequest must be received at a quiet point in the application protocol. This is sufficient to support the common use of requesting a new client certificate between an HTTP request and response in (unpipelined) HTTP/1.1.
Things which do not work:
There is no support for renegotiation as a server. (Attempts by clients will result in a fatal alert so that ClientHello messages cannot be used to flood a server and escape higher-level limits.)
There is no support for renegotiation in DTLS.
There is no support for initiating renegotiation;
SSL_renegotiate always fails and
SSL_set_state does nothing.
Interleaving application data with the new handshake is forbidden.
If a HelloRequest is received while
SSL_write has unsent application data, the renegotiation is rejected.
Renegotiation does not participate in session resumption. The client will not offer a session on renegotiation or resume any session established by a renegotiation handshake.
The server may not change its certificate in the renegotiation. This mitigates the triple handshake attack. Any new stapled OCSP response and SCT list will be ignored. As no authentication state may change, BoringSSL will not re-verify the certificate on a renegotiation. Callbacks such as
SSL_CTX_set_custom_verify will only run on the initial handshake.
BN_bn2hex function uses lowercase hexadecimal digits instead of uppercase. Some code may require changes to avoid being sensitive to this difference.
OpenSSL's ASN.1 stack uses
d2i functions for parsing. They have the form:
RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len);
In addition to returning the result, OpenSSL places it in
out is not
NULL. On input, if
*out is not
NULL, OpenSSL will usually (but not always) reuse that object rather than allocating a new one. In BoringSSL, these functions are compatibility wrappers over a newer ASN.1 stack. Even if
*out is not
NULL, these wrappers will always allocate a new object and free the previous one.
Ensure that callers do not rely on this object reuse behavior. It is recommended to avoid the
out parameter completely and always pass in
NULL. Note that less error-prone APIs are available for BoringSSL-specific code (see below).
OpenSSL provides wrappers
OPENSSL_free over the standard
free. Memory allocated by OpenSSL should be released with
OPENSSL_free, not the standard
free. However, by default, they are implemented directly using
free, so code which mixes them up usually works.
In BoringSSL, these functions maintain additional book-keeping to zero memory on
OPENSSL_free, so any mixups must be fixed.
BoringSSL makes some changes to OpenSSL which simplify the API but remain compatible with OpenSSL consumers. In general, consult the BoringSSL documentation for any functions in new BoringSSL-only code.
Most OpenSSL APIs return 1 on success and either 0 or -1 on failure. BoringSSL has narrowed most of these to 1 on success and 0 on failure. BoringSSL-specific code may take advantage of the less error-prone APIs and use
! to check for errors.
OpenSSL has a number of different initialization functions for setting up error strings and loading algorithms, etc. All of these functions still exist in BoringSSL for convenience, but they do nothing and are not necessary.
The one exception is
BORINGSSL_NO_STATIC_INITIALIZER builds, it must be called to query CPU capabilities before the rest of the library. In the default configuration, this is done with a static initializer and is also unnecessary.
OpenSSL provides a number of APIs to configure threading callbacks and set up locks. Without initializing these, the library is not thread-safe. Configuring these does nothing in BoringSSL. Instead, BoringSSL calls pthreads and the corresponding Windows APIs internally and is always thread-safe where the API guarantees it.
BoringSSL is in the process of deprecating OpenSSL's
i2d in favor of new functions using the much less error-prone
CBB types. BoringSSL-only code should use those functions where available.
When porting code which uses
SSL_ctrl, use the replacement functions below. If a function has both
SSL variants, only the
SSL_CTX version is listed.
Note some values correspond to multiple functions depending on the
In some places, BoringSSL has added significant APIs. Use of these APIs goes beyound “porting” and means giving up on OpenSSL compatibility.
One example of this has already been mentioned: the CBS and CBB functions should be used whenever parsing or serialising data.
With the standard OpenSSL APIs, when making many TLS connections, the certificate data for each connection is retained in memory in an expensive
X509 structure. Additionally, common certificates often appear in the chains for multiple connections and are needlessly duplicated in memory.
CRYPTO_BUFFER is just an opaque byte string. A
CRYPTO_BUFFER_POOL is an intern table for these buffers, i.e. it ensures that only a single copy of any given byte string is kept for each pool.
TLS_with_buffers_method returns an
SSL_METHOD that avoids creating
X509 objects for certificates. Additionally,
SSL_CTX_set0_buffer_pool can be used to install a pool on an
SSL_CTX so that certificates can be deduplicated across connections and across
When using these functions, the application also needs to ensure that it doesn't call other functions that deal with
X509_NAME objects. For example,
SSL_get_peer_cert_chain. Doing so will trigger an assert in debug mode and will result in NULLs in release mode. Instead, call the buffer-based alternatives such as
SSL_get0_peer_certificates. (See ssl.h for functions taking or returning
CRYPTO_BUFFER.) The buffer-based alternative functions will work even when not using
TLS_with_buffers_method, thus application code can transition gradually.
In order to use buffers, the application code also needs to implement its own certificate verification using
SSL_[CTX_]set_custom_verify. Otherwise all connections will fail with a verification error. Auto-chaining is also disabled when using buffers.
Once those changes have been completed, the whole of the OpenSSL X.509 and ASN.1 code should be eliminated by the linker if BoringSSL is linked statically.
OpenSSL offers the ENGINE API for implementing opaque private keys (i.e. private keys where software only has oracle access because the secrets are held in special hardware or on another machine). While the ENGINE API has been mostly removed from BoringSSL, it is still possible to support opaque keys in this way. However, when using such keys with TLS and BoringSSL, you should strongly prefer using
SSL[_CTX]_set_private_key_method. This allows a handshake to be suspended while the private operation is in progress. It also supports more forms of opaque key as it exposes higher-level information about the operation to be performed.