Google Git
Sign in
pigweed / third_party / github / google / boringssl / 94fddaedb3f0c8e0ef6bf3926e20be7bdba1925a
commit94fddaedb3f0c8e0ef6bf3926e20be7bdba1925a[log] [tgz]
authorLily Chen <chlily@google.com>Tue Sep 09 17:34:19 2025 -0400
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>Tue Sep 09 14:51:46 2025 -0700
treef73bff8f6234c211b13727b6eed99abf20d67dbd
parent0226f30467f540a3f62ef48d453f93927da199b6 [diff]
Require configured groups for key exchange to be unique

There is no reason for the list of supported groups for key exchange to
contain duplicates, because a group is either supported or not, and
specifying it multiple times has no additional effect. Also it is a
syntax error on the wire. Allowing duplicates in the SSL_CTX and
SSL_CONFIG members that track this list would create problems because we
will soon require other inputs (explicitly configured client key shares)
to be a subset of the supported groups. This CL requires the groups
configured via SSL_{,CTX_}set1_{groups,group_ids,groups_list} to be
unique.

Update-Note: The setters for supported groups,
SSL_{,CTX_}set1_{groups,group_ids,groups_list} will now fail if the
provided list of groups contains duplicates.

Change-Id: I67aa3bac811da6239e8f89fe501218a7a60dba11
Bug: 437414371
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/81467
Auto-Submit: Lily Chen <chlily@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Lily Chen <chlily@google.com>
5 files changed
tree: f73bff8f6234c211b13727b6eed99abf20d67dbd
  1. .bcr/
  2. .github/
  3. cmake/
  4. crypto/
  5. decrepit/
  6. docs/
  7. fuzz/
  8. gen/
  9. include/
  10. infra/
  11. pki/
  12. rust/
  13. ssl/
  14. third_party/
  15. tool/
  16. util/
  17. .bazelignore
  18. .bazelrc
  19. .bazelversion
  20. .clang-format
  21. .gitignore
  22. API-CONVENTIONS.md
  23. AUTHORS
  24. BREAKING-CHANGES.md
  25. BUILD.bazel
  26. build.json
  27. BUILDING.md
  28. CMakeLists.txt
  29. codereview.settings
  30. CONTRIBUTING.md
  31. FUZZING.md
  32. go.mod
  33. go.sum
  34. INCORPORATING.md
  35. LICENSE
  36. MODULE.bazel
  37. MODULE.bazel.lock
  38. PORTING.md
  39. PrivacyInfo.xcprivacy
  40. README.md
  41. SANDBOXING.md
  42. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

To file a security issue, use the Chromium process and mention in the report this is for BoringSSL. You can ignore the parts of the process that are specific to Chromium/Chrome.

There are other files in this directory which might be helpful: