commit | 671ccb1a98fae26bf9c115068b2993418cecc800 | [log] [tgz] |
---|---|---|
author | David Benjamin <davidben@google.com> | Thu Oct 20 16:16:50 2022 -0400 |
committer | Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> | Sat Oct 22 02:17:31 2022 +0000 |
tree | 3492f5bf2459b8cff97e924e67a1db550c4b5bb0 | |
parent | b819f7e9392d25db6705a6bd3c92be3bb91775e2 [diff] |
Make EVP_PKEY_*_tls_encodedpoint work with EVP_PKEY_EC. Some third-party code requires it. For now, I've just introduced a new hook on the method table. This is rather goofy though. First, making EVP know about TLS is a layering violation that OpenSSL introduced. They've since fixed this and added EVP_PKEY_get1_encoded_public_key in OpenSSL 3.0, but callers expect the TLS one to exist in OpenSSL 1.1.1, so implement that one. Along the way, implement EC_KEY_oct2key from upstream, which is slightly less tedious when you're already working in EC_KEY. To make this third-party code work (and to write a test without dipping out of EVP, or using the very tedious EVP_PKEY_paramgen API), we also need to change EVP_PKEY_copy_parameters to work when the source EVP_PKEY is empty, per upstream's 2986ecdc08016de978f1134315623778420b51e5. OpenSSL's API has *multiple* levels of empty states to worry about! Something to avoid when we get to rethinking this error-prone API. Bug: b:238920520 Change-Id: I3fd99be560db313c1bf549a4e46ffccc31e746e1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/54905 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
Project links:
There are other files in this directory which might be helpful: