Go to file

David Benjamin ebd87230ac Bring ERR_ERROR_STRING_BUF_LEN down to 120. Originally, the only OpenSSL API to stringify errors was: char ERR_error_string(unsigned long e, char buf); This API leaves callers a choice to either be thread unsafe (buf = NULL) or pass in a buffer with unknown size. Indeed the original implementation was just a bunch of unchecked sprintfs with, in the buf = NULL case, a static 256-byte buffer. `388f2f56f2/crypto/err/err.c (L374)` Then ERR_error_string was documented that the buffer must be size 120. Nowhere in the code was 120 significant. I expect OpenSSL just made up a number. `388f2f56f2` Then upstream added the ERR_error_string_n API. Although the documentation stated 120 bytes, the internal buffer was 256, so the code actually translates ERR_error_string to ERR_error_string_n(e, buf, 256), not ERR_error_string_n(e, buf, 120)! `e5c84d5152` So the documentation was wrong all this time! OpenSSL 1.1.0 corrected the documentation to 256, but, alas, a lot of code used the documentation and sized the buffer at 120. We should fix all ERR_error_string callers to ERR_error_string_n but, in the meantime, using 120 is probably less effort. Note this also affects ERR_print_errors_cb right now. We don't have function codes, so 120 bytes leaves 60 bytes for the reason code. Our longest one, TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST is 46 bytes, so it's a little tight, but, if needed, we can recover 20-ish bytes by shrinking the library names. We can also always make ERR_print_errors_cb use a larger buffer. Change-Id: I472a1a802f2e6281cc7515d2a452208d6bac1200 Reviewed-on: https://boringssl-review.googlesource.com/24184 Reviewed-by: Adam Langley <agl@google.com>		2017-12-14 19:47:23 +00:00
.github
crypto	Silence ARMv8 deprecated IT instruction warnings.	2017-12-14 01:56:22 +00:00
decrepit	Explicit fallthrough on switch	2017-09-20 19:58:25 +00:00
fipstools	Have run_cavp.go create “resp” directories as needed.	2017-06-08 19:13:01 +00:00
fuzz	Bound the input to the bn_mod_exp fuzzer.	2017-11-28 21:48:00 +00:00
include/openssl	Bring ERR_ERROR_STRING_BUF_LEN down to 120.	2017-12-14 19:47:23 +00:00
infra/config	Revert "Add new bots to the CQ."	2017-10-09 21:38:10 +00:00
ssl	Fix tls13_variant check to check max_version.	2017-12-12 17:20:07 +00:00
third_party	Enable __asm__ and uint128_t code in clang-cl.	2017-12-11 22:46:26 +00:00
tool	Add early data input from file.	2017-11-30 17:29:45 +00:00
util	Roll back CMake update on Windows bots.	2017-12-13 21:56:50 +00:00
.clang-format	Import `newhope' (post-quantum key exchange).	2016-04-26 22:53:59 +00:00
.gitignore	Add sde-linux64 to .gitignore.	2017-05-12 14:53:07 +00:00
API-CONVENTIONS.md	Fix API-CONVENTIONS.md typos.	2017-01-04 01:46:32 +00:00
BUILDING.md	Document the NDK's built-in toolchain file.	2017-12-14 01:54:47 +00:00
CMakeLists.txt	Scope CMAKE_ASM_FLAGS workaround to the old NDK toolchain.	2017-12-14 01:55:26 +00:00
codereview.settings	No-op change to trigger the new Bazel bot.	2016-07-07 12:07:04 -07:00
CONTRIBUTING.md
FUZZING.md	Fix typo in FUZZING.md.	2017-07-06 18:25:07 +00:00
INCORPORATING.md	Update links to Bazel's site.	2016-10-31 18:16:58 +00:00
LICENSE	curve25519: fiat-crypto field arithmetic.	2017-11-03 22:39:31 +00:00
PORTING.md	Switch OPENSSL_VERSION_NUMBER to 1.1.0.	2017-09-29 04:51:27 +00:00
README.md	Add an API-CONVENTIONS.md document.	2016-08-04 23:27:49 +00:00
sources.cmake	Add a test for lots of names and constraints.	2017-09-20 19:58:48 +00:00
STYLE.md	Fix some style guide samples.	2017-08-31 14:24:45 +00:00

README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

There are other files in this directory which might be helpful:

PORTING.md: how to port OpenSSL-using code to BoringSSL.
BUILDING.md: how to build BoringSSL
INCORPORATING.md: how to incorporate BoringSSL into a project.
API-CONVENTIONS.md: general API conventions for BoringSSL consumers and developers.
STYLE.md: rules and guidelines for coding style.
include/openssl: public headers with API documentation in comments. Also available online.
FUZZING.md: information about fuzzing BoringSSL.
CONTRIBUTING.md: how to contribute to BoringSSL.