Lines Matching +full:linux +full:- +full:stable +full:- +full:openssl
1 # Porting from OpenSSL to BoringSSL
3 BoringSSL is an OpenSSL derivative and is mostly source-compatible, for the
4 subset of OpenSSL retained. Libraries ideally need little to no changes for
9 BoringSSL's `OPENSSL_VERSION_NUMBER` matches the OpenSSL version it targets.
10 Version checks for OpenSSL should ideally work as-is in BoringSSL. BoringSSL
13 macros where possible, especially when patching third-party projects. Such
14 patches are more generally useful to OpenSSL consumers and thus more
17 In some cases, BoringSSL-specific code may be necessary. Use the
21 maintainers before working around missing OpenSSL 1.1.0 accessors*. BoringSSL
22 was originally derived from OpenSSL 1.0.2 but now targets OpenSSL 1.1.0. Some
24 been ported to OpenSSL 1.1.0, so BoringSSL also remains largely compatible with
25 OpenSSL 1.0.2.)
27 The `OPENSSL_IS_BORINGSSL` macro may also be used to distinguish OpenSSL from
31 Note: BoringSSL does *not* have a stable API or ABI. It must be updated with its
32 consumers. It is not suitable for, say, a system library in a traditional Linux
34 BoringSSL it was built against. Likewise, Android's system-internal copy of
35 BoringSSL is not exposed by the NDK and must not be used by third-party
46 code continues to compile. In some cases, this may require BoringSSL-specific
59 BoringSSL also hides some structs which were previously exposed in OpenSSL
62 Note that some of these APIs were added in OpenSSL 1.1.0, so projects which do
63 not yet support 1.1.0 may need additional `#ifdef`s. Projects supporting OpenSSL
68 OpenSSL's errors are extremely specific, leaking internals of the library,
72 when upgrading OpenSSL versions.
79 these as it will break with the slightest change in the library, OpenSSL or
84 Some OpenSSL APIs are implemented with `ioctl`-style functions such as
98 OpenSSL and BoringSSL. Note that BoringSSL's function versions will be
99 type-checked and may require more care with types. See the end of this
105 is compatible with OpenSSL.
116 disabled, BoringSSL-specific codepaths may be necessary.
120 OpenSSL enables TLS renegotiation by default and accepts renegotiation requests
135 a server and escape higher-level limits.)
154 may change, BoringSSL will not re-verify the certificate on a renegotiation.
166 OpenSSL's ASN.1 stack uses `d2i` functions for parsing. They have the form:
170 In addition to returning the result, OpenSSL places it in `*out` if `out` is
171 not `NULL`. On input, if `*out` is not `NULL`, OpenSSL will usually (but not
177 In most cases, even in OpenSSL, relying on object reuse is not safe because, on
178 parse error, OpenSSL will free the reused object. Note that less error-prone
179 APIs are available for BoringSSL-specific code (see below).
183 OpenSSL provides wrappers `OPENSSL_malloc` and `OPENSSL_free` over the standard
184 `malloc` and `free`. Memory allocated by OpenSSL should be released with
189 In BoringSSL, these functions maintain additional book-keeping to zero memory
192 ## Optional BoringSSL-specific simplifications
194 BoringSSL makes some changes to OpenSSL which simplify the API but remain
195 compatible with OpenSSL consumers. In general, consult the BoringSSL
196 documentation for any functions in new BoringSSL-only code.
200 Most OpenSSL APIs return 1 on success and either 0 or -1 on failure. BoringSSL
201 has narrowed most of these to 1 on success and 0 on failure. BoringSSL-specific
202 code may take advantage of the less error-prone APIs and use `!` to check for
207 OpenSSL has a number of different initialization functions for setting up error
218 OpenSSL provides a number of APIs to configure threading callbacks and set up
219 locks. Without initializing these, the library is not thread-safe. Configuring
221 corresponding Windows APIs internally and is always thread-safe where the API
226 BoringSSL is in the process of deprecating OpenSSL's `d2i` and `i2d` in favor of
227 new functions using the much less error-prone `CBS` and `CBB` types.
228 BoringSSL-only code should use those functions where available.
241 -------------|-------------------------
263 …uivalent, but [*do not use this function*](https://freakattack.com/). (It is a no-op in BoringSSL.)
285 …uivalent, but [*do not use this function*](https://freakattack.com/). (It is a no-op in BoringSSL.)
286 …uivalent, but [*do not use this function*](https://freakattack.com/). (It is a no-op in BoringSSL.)
290 …ficant APIs. Use of these APIs goes beyond “porting” and means giving up on OpenSSL compatibility.
292 …ed: the [CBS and CBB](https://commondatastorage.googleapis.com/chromium-boringssl-docs/bytestring.…
296 With the standard OpenSSL APIs, when making many TLS connections, the certificate data for each con…
298 A [`CRYPTO_BUFFER`](https://commondatastorage.googleapis.com/chromium-boringssl-docs/pool.h.html) i…
302 …-based alternatives such as `SSL_get0_peer_certificates`. (See [ssl.h](https://commondatastorage.g…
304 …verify`. Otherwise all connections will fail with a verification error. Auto-chaining is also disa…
306 Once those changes have been completed, the whole of the OpenSSL X.509 and ASN.1 code should be eli…
310 OpenSSL offers the ENGINE API for implementing opaque private keys (i.e. private keys where softwar…