David Benjamin 6965d25602 Work around a JDK 11 TLS 1.3 bug. JDK 11 shipped with a TLS 1.3 implementation enabled by default. Unfortunately, that implementation does not work and fails to send the SNI extension on resumption. See https://bugs.openjdk.java.net/browse/JDK-8211806. This means servers which enable TLS 1.3 will see JDK 11 clients work on the first connection and then fail on all subsequent connections. Add SSL_set_jdk11_workaround which configures a workaround to fingerprint JDK 11 and disable TLS 1.3 with the faulty clients. JDK 11 also implemented the downgrade signal, which means that connections that trigger the workaround also must not send the downgrade signal. Unfortunately, the downgrade signal's security properties are sensitive to the existence of any unmarked TLS 1.2 ServerHello paths. To salvage this, pick a new random downgrade marker for this scenario and modify the client to treat it as an alias of the standard one. Per the link above, JDK 11.0.2 will fix this bug. Hopefully the workaround can be retired sometime after it is released. Change-Id: I0627609a8cadf7cc214073eb7f1e880acdf613ef Reviewed-on: https://boringssl-review.googlesource.com/c/33284 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>		6 anos atrás
.github	Add a PULL_REQUEST_TEMPLATE.	8 anos atrás
crypto	Move ARM cpuinfo functions to the header.	6 anos atrás
decrepit	Undo recent changes to \|X509V3_EXT_conf_nid\|.	6 anos atrás
fipstools	Support symbol prefixes	6 anos atrás
fuzz	Refresh fuzzer corpora for changes to split-handshake serialization.	6 anos atrás
include/openssl	Work around a JDK 11 TLS 1.3 bug.	6 anos atrás
infra/config	No longer set CQ-Verified label on CQ success/failure.	6 anos atrás
ssl	Work around a JDK 11 TLS 1.3 bug.	6 anos atrás
third_party	Modernize OPENSSL_COMPILE_ASSERT, part 2.	6 anos atrás
tool	Work around a JDK 11 TLS 1.3 bug.	6 anos atrás
util	Move JSON test results code into a common module.	6 anos atrás
.clang-format	Import `newhope' (post-quantum key exchange).	8 anos atrás
.gitignore	Update tools.	6 anos atrás
API-CONVENTIONS.md	Clarify "reference" and fix typo.	6 anos atrás
BREAKING-CHANGES.md	Add some notes on how to handle breaking changes.	6 anos atrás
BUILDING.md	Switch docs to recommending NASM.	6 anos atrás
CMakeLists.txt	Support assembly building for arm64e architecture.	6 anos atrás
CONTRIBUTING.md	Add a CONTRIBUTING.md file.	8 anos atrás
FUZZING.md	Switch to Clang 6.0's fuzzer support.	6 anos atrás
INCORPORATING.md	Update URL for GN quick start guide.	6 anos atrás
LICENSE	Note licenses for support code in the top-level LICENSE file.	6 anos atrás
PORTING.md	Remove reference to SSL3 in PORTING.md.	6 anos atrás
README.md	Add some notes on how to handle breaking changes.	6 anos atrás
STYLE.md	Fix some style guide samples.	7 anos atrás
codereview.settings	Comment change in codereview.settings	6 anos atrás
go.mod	Set up Go modules.	6 anos atrás
sources.cmake	Add new curve/hash ECDSA combinations from Wycheproof.	6 anos atrás

README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google’s needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don’t recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google’s product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it’s not part of the NDK) and a number of other apps/programs.

There are other files in this directory which might be helpful:

PORTING.md: how to port OpenSSL-using code to BoringSSL.
BUILDING.md: how to build BoringSSL
INCORPORATING.md: how to incorporate BoringSSL into a project.
API-CONVENTIONS.md: general API conventions for BoringSSL consumers and developers.
STYLE.md: rules and guidelines for coding style.
include/openssl: public headers with API documentation in comments. Also available online.
FUZZING.md: information about fuzzing BoringSSL.
CONTRIBUTING.md: how to contribute to BoringSSL.
BREAKING-CHANGES.md: notes on potentially-breaking changes.