a660e7ab67
Instead, add ssl_has_certificate to the ssl3_send_cert_verify check. If writing the empty Certificate does not complete synchronously (it almost always does due to the buffer BIO), but if the buffer boundary is at exactly the wrong place, write_message will need a retry but, having cleared cert_request, we never re-enter ssl3_send_client_certificate.

This will later be moot when we've gotten rid of the buffer BIO, but this is cleaner anyway and is closer to the TLS 1.3 code.

With this change, blindly taking away the BIO buffer in TLS (which is not what we want since we want the entire flight in one write but is a nice sanity check), only the SSL 3.0 no client certificate tests fail. They too rely on some writes completing synchronously due to SSL 3.0 sending a warning alert. There is a similar bug when tlsext_servername_callback returns SSL_TLSEXT_ERR_ALERT_WARNING. Those will be resolved after reworking the write path since it's a bit of a mess.

Change-Id: I56b4df6163cae1df263cf36f0d93046d0375a5ac
Reviewed-on: https://boringssl-review.googlesource.com/13052
Reviewed-by: David Benjamin <davidben@google.com>
BoringSSL
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
There are other files in this directory which might be helpful:
- PORTING.md: how to port OpenSSL-using code to BoringSSL.
- BUILDING.md: how to build BoringSSL.
- INCORPORATING.md: how to incorporate BoringSSL into a project.
- API-CONVENTIONS.md: general API conventions for BoringSSL consumers and developers.
- STYLE.md: rules and guidelines for coding style.
- include/openssl: public headers with API documentation in comments. Also available online.
- FUZZING.md: information about fuzzing BoringSSL.
- CONTRIBUTING.md: how to contribute to BoringSSL.